1.

Getting Started
Table of Contents ..... i
Chapter 1 Product Overview ..... 1-1
  1.1 Product Overview ..... 1-1
  1.2 Function Features ..... 1-2
Chapter 2 Logging in Ethernet Switch ..... 2-1
  2.1 Set up Configuration Environment via the Console Port ..... 2-1
  2.2 Set up Configuration Environment through Telnet ..... 2-3
    2.2.1 Connect PC to Ethernet Switch through Telnet ..... 2-3
    2.2.2 Telnet Ethernet Switch through Ethernet Switch ..... 2-5
  2.3 Set up Configuration Environment through a Dial-up Modem ..... 2-6
Chapter 3 Command Line Interface ..... 3-1
  3.1 Command Line Interface ..... 3-1
  3.2 Command Line View ..... 3-1
  3.3 Feature and Functions of Command Line ..... 3-6
    3.3.1 Online Help of Command Line ..... 3-6
    3.3.2 Displaying Characteristics of Command Line ..... 3-7
    3.3.3 History Command of Command Line ..... 3-7
    3.3.4 Common Command Line Error Messages ..... 3-8
    3.3.5 Editing Characteristics of Command Line ..... 3-8
Chapter 4 User Interface Configuration ..... 4-1
  4.1 User Interface Overview ..... 4-1
  4.2 User Interface Configuration ..... 4-2
    4.2.1 Enter User Interface View ..... 4-2
    4.2.1 Configure the User Interface-supported Protocol ..... 4-2
    4.2.2 Configure the Attributes of AUX (Console) Port ..... 4-3
    4.2.3 Configure the Terminal Attributes ..... 4-4
    4.2.4 Manage Users ..... 4-6
    4.2.5 Configure Redirection ..... 4-9
  4.3 Display and Debug User Interface ..... 4-10

2. Port
Table of Contents ..... i
Chapter 1 Ethernet Port Configuration ..... 1-1
  1.1 Ethernet Port Overview ..... 1-1
  1.2 Ethernet Port Configuration ..... 1-2
    1.2.1 Enter Ethernet port view ..... 1-2
    1.2.2 Enable/Disable Ethernet Port ..... 1-3
    1.2.3 Set Description Character String for Ethernet Port ..... 1-3
    1.2.4 Set Duplex Attribute of the Ethernet Port ..... 1-3
    1.2.5 Set Speed on the Ethernet Port ..... 1-4
    1.2.6 Set Cable Type for the Ethernet Port ..... 1-5
    1.2.7 Enable/Disable Flow Control for Ethernet Port ..... 1-5
    1.2.8 Set Ethernet Port Broadcast Suppression Ratio ..... 1-6
    1.2.9 Set link type for Ethernet port ..... 1-6
    1.2.10 Add the Ethernet port to Specified VLANs ..... 1-7
    1.2.11 Set the Default VLAN ID for the Ethernet Port ..... 1-7
    1.2.12 Set the VLAN VPN Feature ..... 1-8
    1.2.13 Set loopback detection for the Ethernet port ..... 1-9
    1.2.14 Set the Time Interval of Calculating Port Statistics Information ..... 1-10
  1.3 Display and Debug Ethernet Port ..... 1-10
  1.4 Ethernet Port Configuration Example ..... 1-11
  1.5 Ethernet Port Troubleshooting ..... 1-11
Chapter 2 Link Aggregation Configuration ..... 2-1
  2.1 Link Aggregation Overview ..... 2-1
  2.2 Link Aggregation Configuration ..... 2-1
    2.2.1 Aggregate Ethernet Ports ..... 2-1
  2.3 Display and Debug Link Aggregation ..... 2-2
  2.4 Link Aggregation Configuration Example ..... 2-2
  2.5 Ethernet Link Aggregation Troubleshooting ..... 2-3

3. VLAN
Table of Contents ..... i
Chapter 1 VLAN Configuration ..... 1-1
  1.1 VLAN Overview ..... 1-1
  1.2 Configure VLAN ..... 1-1
    1.2.1 Enable/Disable VLAN Feature ..... 1-1
    1.2.2 Create/Delete a VLAN ..... 1-2
    1.2.3 Add Ethernet Ports to a VLAN ..... 1-2
    1.2.4 Set/Delete VLAN or VLAN interface Description Character String ..... 1-3
    1.2.5 Specify/Remove VLAN Interface ..... 1-3
    1.2.6 Assign/Delete IP Address and Mask for/of a VLAN Interface ..... 1-3
    1.2.7 Shut down/Enable VLAN Interface ..... 1-4
  1.3 Display and Debug VLAN ..... 1-4
  1.4 VLAN Configuration Example ..... 1-4
Chapter 2 Isolate-User-Vlan Configuration ..... 2-1
  2.1 Isolate-user-vlan Overview ..... 2-1
  2.2 Configure isolate-user-vlan ..... 2-1
    2.2.1 Configure isolate-user-vlan ..... 2-1
    2.2.2 Configure Secondary VLAN ..... 2-2
    2.2.3 Configure to Map isolate-user-vlan to Secondary VLAN ..... 2-2
  2.3 Display and Debug isolate-user-vlan ..... 2-3
  2.4 isolate-user-vlan Configuration Example ..... 2-3
Chapter 3 GARP/GVRP Configuration ..... 3-1
  3.1 Configure GARP ..... 3-1
    3.1.1 GARP Overview ..... 3-1
    3.1.2 Set GARP Timer ..... 3-2
    3.1.3 Display and Debug GARP ..... 3-3
  3.2 Configure GVRP ..... 3-3
    3.2.1 GVRP Overview ..... 3-3
    3.2.2 Enable/Disable Global GVRP ..... 3-4
    3.2.3 Enable/Disable Port GVRP ..... 3-4
    3.2.4 Set GVRP Registration Type ..... 3-4
    3.2.5 Display and Debug GVRP ..... 3-5
    3.2.6 GVRP Configuration Example ..... 3-5

4. Network Protocol
Table of Contents ..... i
Chapter 1 IP Address Configuration ..... 1-1
  1.1 IP Address Overview ..... 1-1
    1.1.1 IP Address Classification and Indications ..... 1-1
    1.1.2 Subnet and Mask ..... 1-2
  1.2 Configure IP Address ..... 1-3
    1.2.1 Configure Hostname and Host IP Address ..... 1-3
    1.2.2 Configure IP Address of the VLAN Interface ..... 1-4
  1.3 Display and debug IP Address ..... 1-4
  1.4 IP Address Configuration Example ..... 1-4
  1.5 Troubleshoot IP Address Configuration ..... 1-5
Chapter 2 ARP Configuration ..... 2-1
  2.1 Introduction to ARP ..... 2-1
  2.2 Configure ARP ..... 2-2
    2.2.1 Manually Add/Delete Static ARP Mapping Entries ..... 2-2
    2.2.2 Configure ARP Timed Probing Function ..... 2-2
    2.2.3 Configure the Dynamic ARP Aging Timer ..... 2-3
    2.2.4 Configure ARP Source Address Suppression ..... 2-3
  2.3 Display and debug ARP ..... 2-4
Chapter 3 DHCP Relay Configuration ..... 3-1
  3.1 Brief Introduction to DHCP Relay ..... 3-1
  3.2 Configure DHCP Relay ..... 3-2
    3.2.1 Configure IP Address of a DHCP Server ..... 3-2
    3.2.2 Configure Corresponding DHCP Server Group of the VLAN Interface ..... 3-3
    3.2.3 Configure the Address Table Entry ..... 3-3
    3.2.4 Enable/Disable DHCP security features ..... 3-4
    3.2.5 Enable/Disable DHCP pseudo-server detection ..... 3-4
  3.3 Display and debug DHCP Relay ..... 3-5
  3.4 DHCP Relay Configuration Example ..... 3-5
  3.5 Troubleshoot DHCP Relay Configuration ..... 3-6
Chapter 4 DHCP Configuration ..... 4-1
  4.1 DHCP Overview ..... 4-1
    4.1.1 DHCP Fundamentals ..... 4-1
    4.1.2 DHCP Relay ..... 4-4
  4.2 DHCP Public Configuration ..... 4-4
    4.2.1 Enable/Disable the DHCP Service ..... 4-5
    4.2.2 Define DHCP Message Handling Method ..... 4-5
    4.2.3 Enable/Disable Pseudo-DHCP Server Detection ..... 4-6
  4.3 DHCP Server Configuration ..... 4-6
    4.3.1 Create Global DHCP Address Pool ..... 4-7
    4.3.2 Configure Address Allocation Method for a DHCP Address Pool ..... 4-8
    4.3.3 Configure IP Addresses Forbidden in Automatic Allocation ..... 4-9
    4.3.4 Configure IP Address Lease Duration for a DHCP Address Pool ..... 4-10
    4.3.5 Configure DHCP Client Domain Name ..... 4-11
    4.3.6 Configure DNS Server Addresses for DHCP Clients ..... 4-12
    4.3.7 Configure NetBIOS Server Addresses for DHCP Clients ..... 4-13
    4.3.8 Define NetBIOS Node Type of DHCP Clients ..... 4-14
    4.3.9 Configure a DHCP Option ..... 4-15
    4.3.10 Configure IP Addresses of Egress Gateways for DHCP clients ..... 4-16
    4.3.11 Configure the Ping Mechanism on DHCP Server ..... 4-17
  4.4 DHCP Relay Configuration ..... 4-18
    4.4.1 Configure the DHCP Servers to Which the Received Packets Are Relayed ..... 4-18
    4.4.2 Distribute Load among DHCP Servers ..... 4-19
    4.4.3 Release Client IP Address through DHCP Relay ..... 4-19
    4.4.4 Configure Address Map Entry for Security Check ..... 4-19
    4.4.5 Enable/Disable DHCP Security Feature on VLAN Interface ..... 4-20
  4.5 Display and Debug DHCP ..... 4-20
  4.6 DHCP Configuration Example ..... 4-21
    4.6.1 DHCP Server Configuration Example ..... 4-21
    4.6.2 DHCP Relay Configuration Example ..... 4-23
  4.7 DHCP Troubleshooting ..... 4-24
Chapter 5 Access Management Configuration ..... 5-1
  5.1 Access Management Overview ..... 5-1
  5.2 Configure Access Management ..... 5-2
    5.2.1 Enable Access Management Function ..... 5-2
    5.2.2 Configure the Access IP Address Pool Based on the Physical Port ..... 5-3
    5.2.3 Configure Layer 2 Isolation between Ports ..... 5-3
    5.2.4 Configure Port, IP Address and MAC Address Binding ..... 5-3
    5.2.5 Enable/Disable Access Management Trap ..... 5-4
  5.3 Display and debug Access Management ..... 5-5
  5.4 Access Management Configuration Example ..... 5-5
Chapter 6 IP Performance Configuration ..... 6-1
  6.1 IP Performance Configuration ..... 6-1
    6.1.1 Configure TCP Attributes ..... 6-1
  6.2 Display and debug IP Performance ..... 6-2
  6.3 Troubleshoot IP Performance ..... 6-2

5. Routing Protocol
Table of Contents ..... i
Chapter 1 IP Routing Protocol Overview ..... 1-1
  1.1 Introduction to IP Route and Routing Table ..... 1-1
    1.1.1 IP Route and Route Segment ..... 1-1
    1.1.2 Route Selection through the Routing Table ..... 1-2
  1.2 Routing Management Policy ..... 1-4
    1.2.1 Routing protocols and the preferences of the corresponding routes ..... 1-4
    1.2.2 Support Load Sharing and Route Backup ..... 1-4
    1.2.3 Routes Shared between Routing Protocols ..... 1-5
Chapter 2 Static Route Configuration ..... 2-1
  2.1 Introduction to Static Route ..... 2-1
    2.1.1 Attributes and Functions of Static Route ..... 2-1
    2.1.2 Default Route ..... 2-1
  2.2 Static Route Configuration ..... 2-2
    2.2.1 Configure a static route ..... 2-2
    2.2.2 Configure a default route ..... 2-3
    2.2.3 Configure the default preference of static routes ..... 2-3
  2.3 Display and Debug Static Route ..... 2-3
  2.4 Typical Static Route Configuration Example ..... 2-4
  2.5 Static Route Fault Diagnosis and Troubleshooting ..... 2-5
Chapter 3 RIP Configuration ..... 3-1
  3.1 Brief Introduction to RIP ..... 3-1
  3.2 RIP Configuration ..... 3-2
    3.2.1 Enable RIP and Enter RIP view ..... 3-3
    3.2.2 Enable RIP Interface ..... 3-3
    3.2.3 Configure Unicast of the Message ..... 3-3
    3.2.4 Specify RIP Version of the Interface ..... 3-4
    3.2.5 Configure RIP-1 zero field check of the interface packet ..... 3-4
    3.2.6 Specify the operating state of the interface ..... 3-5
    3.2.7 Disable host route ..... 3-6
    3.2.8 RIP-2 Route Aggregation Function ..... 3-6
    3.2.9 Set RIP-2 Packet Authentication ..... 3-6
    3.2.10 Configure Split Horizon ..... 3-7
    3.2.11 Configure RIP to Import Routes of Other Protocols ..... 3-7
    3.2.12 Configure Default Cost for the Imported Route ..... 3-8
    3.2.13 Set the RIP Preference ..... 3-8
    3.2.14 Set Additional Routing Metric ..... 3-9
    3.2.15 Configure Route Filtering ..... 3-9
  3.3 Display and Debug RIP ..... 3-10
  3.4 Typical RIP Configuration Example ..... 3-10
    3.4.1 Networking requirements ..... 3-10
    3.4.2 Networking diagram ..... 3-11
    3.4.3 Configuration procedure ..... 3-11
  3.5 RIP Fault Diagnosis and Troubleshooting ..... 3-12
Chapter 4 OSPF Configuration ..... 4-1
  4.1 OSPF Overview ..... 4-1
    4.1.1 Introduction to OSPF ..... 4-1
    4.1.2 Process of OSPF Route Calculation ..... 4-1
    4.1.3 OSPF Packets ..... 4-2
    4.1.4 Basic Concepts Related to OSPF ..... 4-3
  4.2 OSPF Configuration ..... 4-4
    4.2.1 Enable OSPF and Enter OSPF View ..... 4-5
    4.2.2 Enter OSPF Area view ..... 4-5
    4.2.3 Specify interface ..... 4-6
    4.2.4 Configure Router ID ..... 4-6
    4.2.5 Configure the Network Type on the OSPF Interface ..... 4-7
    4.2.6 Configure the Cost for Sending Packets on an Interface ..... 4-8
    4.2.7 Set the Interface Priority for DR Election ..... 4-8
    4.2.8 Set the Peer ..... 4-9
    4.2.9 Set the Interval of Hello Packet Transmission ..... 4-10
    4.2.10 Set a dead timer for the neighboring routers ..... 4-10
    4.2.11 Configure an Interval required for sending LSU packets ..... 4-11
    4.2.12 Set an Interval for LSA Retransmission between Neighboring Routers ..... 4-11
    4.2.13 Set a Shortest Path First (SPF) Calculation Interval for OSPF ..... 4-12
    4.2.14 Configure STUB Area of OSPF ..... 4-12
    4.2.15 Configure NSSA of OSPF ..... 4-13
    4.2.16 Configure the Route Summarization of OSPF Area ..... 4-14
    4.2.17 Configure Summarization of Imported Routes by OSPF ..... 4-15
    4.2.18 Configure OSPF Virtual Link ..... 4-16
    4.2.19 Configure the OSPF Area to Support Packet Authentication ..... 4-17
    4.2.20 Configure OSPF Packet Authentication ..... 4-17
    4.2.21 Configure OSPF to import Routes of Other Protocols ..... 4-18
    4.2.22 Configure Parameters for OSPF to Import External Routes ..... 4-19
    4.2.23 Configure OSPF to Import the Default Route ..... 4-19
    4.2.24 Set OSPF Route Preference ..... 4-20
    4.2.25 Configure OSPF Route Filtering ..... 4-20
    4.2.26 Configure to Fill the MTU Field When an Interface Transmits DD Packets ..... 4-21
    4.2.27 Disable the Interface to Send OSPF Packets ..... 4-21
    4.2.28 Reset the OSPF Process ..... 4-22
  4.3 Display and Debug OSPF ..... 4-22
  4.4 Typical OSPF Configuration Example ..... 4-23
    4.4.1 Configuring DR Election Based on OSPF Priority ..... 4-23
    4.4.2 Configuring OSPF Virtual Link ..... 4-25
    4.4.3 OSPF Fault Diagnosis and Troubleshooting ..... 4-27
Chapter 5 BGP Configuration ..... 5-1
  5.1 Brief Introduction to BGP ..... 5-1
  5.2 BGP Configuration ..... 5-2
    5.2.1 Enable BGP ..... 5-3
    5.2.2 Configure Networks for BGP Distribution ..... 5-3
    5.2.3 Configure BGP Peer (Group) ..... 5-3
    5.2.4 Configure BGP Timer ..... 5-10
    5.2.5 Configure the local preference ..... 5-10
    5.2.6 Configure MED for AS ..... 5-11
    5.2.7 Comparing the MED Routing Metrics from the Peers in Different ASs ..... 5-11
    5.2.8 Configure BGP Community ..... 5-12
    5.2.9 Configure BGP Route Summarization ..... 5-12
    5.2.10 Configure BGP Route Reflector ..... 5-13
    5.2.11 Configure BGP AS Confederation Attribute ..... 5-15
    5.2.12 Configure BGP route dampening ..... 5-17
    5.2.13 Configure the repeating time of local AS ..... 5-17
    5.2.14 Configure the Redistribution of BGP and IGP ..... 5-18
    5.2.15 Define ACL, AS Path List, and Route-policy ..... 5-18
    5.2.16 Configure BGP Route Filtering ..... 5-19
    5.2.17 Clear BGP Connection ..... 5-20
  5.3 Display and Debug BGP ..... 5-20
  5.4 Typical BGP Configuration Example ..... 5-21
    5.4.1 Configure BGP AS Confederation Attribute ..... 5-21
    5.4.2 Configure BGP Route Reflector ..... 5-23
    5.4.3 Configure BGP Routing ..... 5-26
  5.5 Fault Diagnosis and BGP Troubleshooting ..... 5-29
Chapter 6 IP Routing Policy Configuration ..... 6-1
  6.1 Brief Introduction to IP Routing Policy ..... 6-1
  6.2 IP Routing Policy Configuration ..... 6-3
    6.2.1 Define a route-policy ..... 6-3
    6.2.2 Define If-match clauses for a Route-policy ..... 6-4
    6.2.3 Define apply clauses for a Route-policy ..... 6-5
    6.2.4 Importing Routing Information Discovered by Other Routing Protocols ..... 6-6
    6.2.5 Define ip-Prefix ..... 6-6
    6.2.6 Configure Route Filtering ..... 6-7
  6.3 Display and Debug the Routing Policy ..... 6-8
  6.4 Typical IP Routing Policy Configuration Example ..... 6-8
    6.4.1 Configure to Filter the Received Routing Information ..... 6-8
  6.5 Routing Policy Fault Diagnosis and Troubleshooting ..... 6-10
Chapter 7 Route Capacity Configuration ..... 7-1
  7.1 Route Capacity Configuration Overview ..... 7-1
    7.1.1 Introduction ..... 7-1
    7.1.2 Route Capacity Limitation Implemented by S3500 Ethernet Switch ..... 7-1
  7.2 Route Capacity Configuration ..... 7-2
    7.2.1 Set the Lower Limit of the Ethernet switch Memory ..... 7-2
    7.2.2 Set the Safety Value of the Ethernet switch Memory ..... 7-2
    7.2.3 Set the Lower Limit and the Safety Value Simultaneously ..... 7-3
    7.2.4 Disable the Ethernet switch to Recover the Disconnected Routing Protocol Automatically ..... 7-4
    7.2.5 Enable the Ethernet switch to Recover the Disconnected Routing Protocol Automatically ..... 7-4
  7.3 Display and Debug Route Capacity ..... 7-4

6. Multicast
Table of Contents ......................................................................................... i

Chapter 1 IP Multicast Overview ..... 1-1
  1.1 IP Multicast Overview ..... 1-1
  1.2 Multicast Addresses ..... 1-2
    1.2.1 IP Multicast Addresses ..... 1-2
    1.2.2 Ethernet Multicast MAC Addresses ..... 1-4
  1.3 IP Multicast Protocols ..... 1-4
    1.3.1 Internet Group Management Protocol ..... 1-4
    1.3.2 Multicast Routing Protocol ..... 1-5
  1.4 IP Multicast Packet Forwarding ..... 1-6
  1.5 Application of Multicast ..... 1-6
Chapter 2 GMRP Configuration ..... 2-1
  2.1 GMRP Overview ..... 2-1
  2.2 Configure GMRP ..... 2-1
    2.2.1 Enable/Disable GMRP Globally ..... 2-1
    2.2.2 Enable/Disable GMRP on the Port ..... 2-2
  2.3 Display and debug GMRP ..... 2-2
  2.4 GMRP Configuration Example ..... 2-2
Chapter 3 IGMP Snooping Configuration ..... 3-1
  3.1 IGMP Snooping Overview ..... 3-1
    3.1.1 IGMP Snooping Principle ..... 3-1
    3.1.2 Implement IGMP Snooping ..... 3-3
  3.2 Configure IGMP Snooping ..... 3-5
    3.2.1 Enable/Disable IGMP Snooping ..... 3-5
    3.2.2 Configure Router Port Aging Time ..... 3-6
    3.2.3 Configure Maximum Response Time ..... 3-6
    3.2.4 Configure Aging Time of Multicast Group Member ..... 3-6
  3.3 Display and debug IGMP Snooping ..... 3-7
  3.4 IGMP Snooping Configuration Example ..... 3-7
    3.4.1 Enable IGMP Snooping ..... 3-7
  3.5 Troubleshoot IGMP Snooping ..... 3-8
Chapter 4 Common Multicast Configuration ..... 4-1
  4.1 Introduction to Common Multicast Configuration ..... 4-1
  4.2 Common Multicast Configuration ..... 4-1
    4.2.1 Enable Multicast ..... 4-1
  4.3 Display and Debug Common Multicast Configuration ..... 4-1
Chapter 5 IGMP Configuration ..... 5-1
  5.1 IGMP Overview ..... 5-1
  5.2 IGMP Configuration ..... 5-2
    5.2.1 Enable Multicast ..... 5-2
    5.2.2 Configure the IGMP Version ..... 5-3
    5.2.3 Configure a Router to Join Specified Multicast Group ..... 5-3

    5.2.4 Limit Multicast Groups An Interface Can Access ..... 5-4
    5.2.5 Configure the Interval to Send IGMP Query Message ..... 5-4
    5.2.6 Configure the Present Time of IGMP Querier ..... 5-4
    5.2.7 Configure Maximum Response Time for IGMP Query Message ..... 5-5
  5.3 Display and Debug IGMP ..... 5-5
Chapter 6 PIM-DM Configuration ..... 6-1
  6.1 PIM-DM Configuration ..... 6-2
    6.1.1 Enable Multicast ..... 6-3
    6.1.2 Enable PIM-DM ..... 6-3
    6.1.3 Configure the Interface Hello Message Interval ..... 6-3
  6.2 Display and Debug PIM-DM ..... 6-4
  6.3 PIM-DM Configuration Example ..... 6-4
Chapter 7 PIM-SM Configuration ..... 7-1
  7.1 PIM-SM Overview ..... 7-1
    7.1.1 Introduction to PIM-SM ..... 7-1
    7.1.2 PIM-SM Operating Principle ..... 7-1
    7.1.3 Preparations before Configuring PIM-SM ..... 7-2
  7.2 PIM-SM Configuration ..... 7-3
    7.2.1 Enable Multicast ..... 7-4
    7.2.2 Enable PIM-SM ..... 7-4
    7.2.3 Configure the Interface Hello Message Interval ..... 7-4
    7.2.4 Configure the PIM-SM Domain Border ..... 7-5
    7.2.5 Enter PIM View ..... 7-5
    7.2.6 Configure Candidate-BSRs ..... 7-5
    7.2.7 Configure Candidate-RPs ..... 7-6
    7.2.8 Configure Static RP ..... 7-7
    7.2.9 Configure RP to Filter the Register Messages Sent by DR ..... 7-7
    7.2.10 Set the Threshold of Switchover from the RPT to the SPT ..... 7-8
  7.3 Display and Debug PIM-SM ..... 7-8
  7.4 PIM-SM Configuration Example ..... 7-9

7. QoS/ACL
Table of Contents ..... i
Chapter 1 ACL Configuration ..... 1-1
  1.1 Brief Introduction to ACL ..... 1-1
    1.1.1 ACL Overview ..... 1-1
    1.1.2 ACL Supported by Ethernet Switch ..... 1-3
  1.2 Configure ACL of S3526 Series Ethernet Switches ..... 1-4
    1.2.1 Configure Time-Range ..... 1-4
    1.2.2 Define ACL ..... 1-5

    1.2.3 Activate ACL ..... 1-7
    1.2.4 Display and Debug ACL ..... 1-9
  1.3 Configure ACL of S3526E and S3526C ..... 1-9
    1.3.1 Configure Time-Range ..... 1-10
    1.3.2 Define ACL ..... 1-10
    1.3.3 Activate ACL ..... 1-14
    1.3.4 Display and Debug ACL ..... 1-14
  1.4 Configure ACL of S3552 Series Ethernet Switches ..... 1-15
    1.4.1 Configure Time-Range ..... 1-15
    1.4.2 Define ACL ..... 1-16
    1.4.3 Activate ACL ..... 1-18
    1.4.4 Display and Debug ACL ..... 1-18
  1.5 ACL Configuration Example of S3526 Series Switches ..... 1-19
    1.5.1 Advanced ACL Configuration Example ..... 1-19
    1.5.2 Basic ACL Configuration Example ..... 1-20
    1.5.3 Link ACL Configuration Example ..... 1-21
  1.6 ACL Configuration Example of S3526E and S3526C ..... 1-22
    1.6.1 Advanced ACL Configuration Example ..... 1-22
    1.6.2 Basic ACL Configuration Example ..... 1-24
    1.6.3 Link ACL Configuration Example ..... 1-25
    1.6.4 User-defined ACL Configuration Example ..... 1-26
Chapter 2 QoS configuration ..... 2-1
  2.1 QoS Overview ..... 2-1
    2.1.1 Traffic ..... 2-1
    2.1.2 Traffic Classification ..... 2-1
    2.1.3 Packet Filter ..... 2-2
    2.1.4 Traffic Policing ..... 2-2
    2.1.5 Port traffic limit ..... 2-2
    2.1.6 Redirection ..... 2-2
    2.1.7 Traffic Priority ..... 2-2
    2.1.8 Queue Scheduling ..... 2-2
    2.1.9 Traffic Mirroring ..... 2-4
    2.1.10 Traffic Counting ..... 2-4
  2.2 Configure QoS of S3526 Series Switches ..... 2-4
    2.2.1 Set the Port Priority ..... 2-7
    2.2.2 Configure Trust Packet Priority ..... 2-7
    2.2.3 Configure Priority Marking ..... 2-8
    2.2.4 Configure Queue Scheduling ..... 2-8
    2.2.5 Configure Traffic Mirroring ..... 2-10
    2.2.6 Configure Traffic Statistics ..... 2-10
    2.2.7 Display and Debug QoS ..... 2-11

  2.3 Configure QoS of S3526E and S3526C ..... 2-11
    2.3.1 Set the Port Priority ..... 2-12
    2.3.2 Configure Trust Packet Priority ..... 2-12
    2.3.3 Traffic Policing ..... 2-12
    2.3.4 Port Traffic limit ..... 2-13
    2.3.5 Configure Packet Redirection ..... 2-13
    2.3.6 Configure Priority Marking ..... 2-14
    2.3.7 Configure Queue Scheduling ..... 2-15
    2.3.8 Configure Traffic Mirroring ..... 2-17
    2.3.9 Configure Traffic Statistics ..... 2-17
    2.3.10 Display and Debug QoS ..... 2-18
  2.4 QoS Configuration for S3552 Series Ethernet Switches ..... 2-18
    2.4.2 Configure Service Group Allocation Rule ..... 2-19
    2.4.3 Configure Traffic Policing ..... 2-20
    2.4.4 Configure Traffic Shaping ..... 2-22
    2.4.5 Configure Priority Remark ..... 2-23
    2.4.6 Configure Traffic Redirection ..... 2-24
    2.4.7 Configure Queue Scheduling ..... 2-25
    2.4.8 Configure Congestion Avoidance ..... 2-26
    2.4.9 Configure Traffic Mirroring ..... 2-27
    2.4.10 Configure Port Mirroring ..... 2-28
    2.4.11 Configure Traffic Statistic ..... 2-29
    2.4.12 Display and Debug QoS ..... 2-30
  2.5 QoS Configuration Example of S3526 Series Switches ..... 2-31
    2.5.1 Traffic Mirroring Configuration Example ..... 2-31
  2.6 QoS Configuration Example of S3526E and S3526C ..... 2-32
    2.6.1 Traffic Policing and Interface Rate Restraint Configuration Example ..... 2-32
    2.6.2 Traffic Mirroring Configuration Example ..... 2-34
  2.7 QoS Configuration Example of S3552 Series Switches ..... 2-35
    2.7.1 Traffic Policing Configuration Example ..... 2-35
    2.7.2 Bi-directional Traffic Limit to Packets on Designated VLAN Configuration Example ..... 2-36
    2.7.3 Bi-directional Traffic Limit to Packets at Designated Port Configuration Example ..... 2-38
    2.7.4 Priority Marking Configuration Example ..... 2-39
Chapter 3 Logon User ACL Control Configuration ..... 3-1
  3.1 Overview ..... 3-1
  3.2 Configure ACL Control over the TELNET User ..... 3-1
    3.2.1 Define ACL ..... 3-1
    3.2.2 Call ACL to Control TELNET User ..... 3-2

    3.2.3 Configuration Example ..... 3-2
  3.3 Configure ACL Control over the SNMP Users ..... 3-3
    3.3.1 Define an ACL ..... 3-4
    3.3.2 Call ACL to Control SNMP User ..... 3-4
    3.3.3 Configuration Example ..... 3-5
  3.4 Configure ACL Control over the HTTP Users ..... 3-6
    3.4.1 Define an ACL ..... 3-6
    3.4.2 Call ACL to Control HTTP User ..... 3-6
    3.4.3 Configuration Example ..... 3-7

8. Integrated management
Table of Contents ..... i
Chapter 1 Stack Function Configuration ..... 1-1
  1.1 Stack Function Overview ..... 1-1
  1.2 Configure Stack Function ..... 1-1
    1.2.1 Configure IP Address Pool for the Stack ..... 1-1
    1.2.2 Enable/Disable a Stack ..... 1-2
    1.2.3 Switch to a Slave Switch view to Perform the Configuration ..... 1-2
  1.3 Display and Debug Stack Function ..... 1-3
  1.4 Stack Function Configuration Example ..... 1-3
Chapter 2 HGMP V2 Configuration ..... 2-1
  2.1 HGMP V2 Overview ..... 2-1
    2.1.1 Overview ..... 2-1
    2.1.2 Role of Switch ..... 2-1
    2.1.3 Functions ..... 2-3
  2.2 Configure NDP ..... 2-4
    2.2.1 NDP Overview ..... 2-4
    2.2.2 Enable/Disable System NDP ..... 2-5
    2.2.3 Enable/Disable Port NDP ..... 2-5
    2.2.4 Set NDP Holdtime ..... 2-6
    2.2.5 Set NDP Timer ..... 2-6
    2.2.6 Display and Debug NDP ..... 2-6
  2.3 Configure NTDP ..... 2-7
    2.3.1 NTDP Overview ..... 2-7
    2.3.2 Enable/Disable System NTDP ..... 2-8
    2.3.3 Enable/Disable Port NTDP ..... 2-8
    2.3.4 Set Hop Number for Topology Collection ..... 2-9
    2.3.5 Set hop-delay and port-delay for Collected Device to Forward Topology Collection Request ..... 2-9
    2.3.6 Set Topology Collection Interval ..... 2-10
    2.3.7 Start manually Topology Information Collection ..... 2-10

    2.3.8 Display and Debug NTDP ..... 2-11
  2.4 Configure Cluster ..... 2-11
    2.4.1 Cluster Overview ..... 2-11
    2.4.2 Enable/Disable Cluster Function ..... 2-12
    2.4.3 Enter cluster view ..... 2-12
    2.4.4 Configure Cluster IP Address Pool ..... 2-13
    2.4.5 Name Administrator device and Cluster ..... 2-13
    2.4.6 Add/Delete a Cluster Member device ..... 2-14
    2.4.7 Set up a Cluster Automatically ..... 2-14
    2.4.8 Set Cluster Holdtime ..... 2-15
    2.4.9 Set Cluster Timer to Specify the Handshaking Message Interval ..... 2-15
    2.4.10 Configure Remote Control over the Member device ..... 2-16
    2.4.11 Configure the Cluster Server and Network Management and Log Hosts ..... 2-17
    2.4.12 Member Accessing ..... 2-17
    2.4.13 Display and Debug Cluster ..... 2-18
  2.5 HGMP V2 Configuration Example ..... 2-18

9. STP
Table of Contents ..... i
Chapter 1 RSTP Configuration ..... 1-1
  1.1 STP Overview ..... 1-1
    1.1.1 Function of STP ..... 1-1
    1.1.2 Implement STP ..... 1-1
    1.1.3 Implement RSTP on Ethernet Switch ..... 1-7
  1.2 Configure RSTP ..... 1-7
    1.2.1 Enable/Disable RSTP on a Switch ..... 1-8
    1.2.2 Enable/Disable RSTP on a Port ..... 1-8
    1.2.3 Configure RSTP Operating Mode ..... 1-9
    1.2.4 Set Priority of a Specified Bridge ..... 1-9
    1.2.5 Specify the Switch as Primary or Secondary Root Switch ..... 1-10
    1.2.6 Set Forward Delay of a Specified Bridge ..... 1-11
    1.2.7 Set Hello Time of the Specified Bridge ..... 1-12
    1.2.8 Set Max Age of the Specified Bridge ..... 1-12
    1.2.9 Set Timeout Factor of the Bridge ..... 1-13
    1.2.10 Set the Maximum Transmission Speed of the Specified Port ..... 1-13
    1.2.11 Set Specified Port to be an EdgePort ..... 1-14
    1.2.12 Set Path Cost of the Specified Port ..... 1-14
    1.2.13 Set the Priority of a Specified Port ..... 1-15

    1.2.14 Configure a Specified Port to be Connected to Point-to-Point Link ..... 1-15
    1.2.15 Set mCheck of the Specified Port ..... 1-16
    1.2.16 Configure the Switch Security Function ..... 1-17
  1.3 Display and Debug RSTP ..... 1-18
  1.4 RSTP Configuration Example ..... 1-18
Chapter 2 MSTP Region-configuration ..... 2-1
  2.1 MSTP Overview ..... 2-1
    2.1.1 MSTP Concepts ..... 2-1
    2.1.2 MSTP Principles ..... 2-4
  2.2 Configure MSTP ..... 2-10
    2.2.1 Configure the MST Region for a Switch ..... 2-11
    2.2.2 Specify the Switch as Primary or Secondary Root Switch ..... 2-12
    2.2.3 Configure the MSTP Running Mode ..... 2-14
    2.2.4 Configure the Bridge Priority for a Switch ..... 2-14
    2.2.5 Configure the Max Hops in an MST Region ..... 2-15
    2.2.6 Configure the Switching Network Diameter ..... 2-16
    2.2.7 Configure the Time Parameters of a Switch ..... 2-16
    2.2.8 Configure the Max Transmission Speed on a Port ..... 2-18
    2.2.9 Configure a Port as an Edge Port ..... 2-19
    2.2.10 Configure the Path Cost of a Port ..... 2-20
    2.2.11 Configure the Priority of a Port ..... 2-21
    2.2.12 Configure the Port (not) to Connect with the Point-to-Point Link ..... 2-22
    2.2.13 Configure the mCheck Variable of a Port ..... 2-23
    2.2.14 Configure the Switch Security Function ..... 2-24
    2.2.15 Enable MSTP on the Device ..... 2-25
    2.2.16 Enable/Disable MSTP on a Port ..... 2-26
  2.3 Display and Debug MSTP ..... 2-26

10. Security
Table of Contents ..... i
Chapter 1 802.1x Configuration ..... 1-1
  1.1 802.1x Overview ..... 1-1
    1.1.1 802.1x Standard Overview ..... 1-1
    1.1.2 802.1x System Architecture ..... 1-1
    1.1.3 802.1x Authentication Process ..... 1-2
    1.1.4 Implement 802.1x on Ethernet Switch ..... 1-3
  1.2 Configure 802.1x ..... 1-3
    1.2.1 Enable/Disable 802.1x ..... 1-4
    1.2.2 Set the Port Access Control Mode ..... 1-4

    1.2.3 Set Port Access Control Method ..... 1-5
    1.2.4 Check the Users that Log on the Switch via Proxy ..... 1-5
    1.2.5 Set Supplicant Number on a Port ..... 1-6
    1.2.6 Set to Enable DHCP to Launch Authentication ..... 1-6
    1.2.7 Configure Authentication Method for 802.1x User ..... 1-6
    1.2.8 Set the Maximum times of authentication request message retransmission ..... 1-7
    1.2.9 Set the handshake period of 802.1x ..... 1-7
    1.2.10 Configure Timers ..... 1-8
    1.2.11 Enable/Disable quiet-period Timer ..... 1-9
  1.3 Display and Debug 802.1x ..... 1-9
  1.4 802.1x Configuration Example ..... 1-9
Chapter 2 AAA and RADIUS Protocol Configuration ..... 2-1
  2.1 AAA and RADIUS Protocol Overview ..... 2-1
    2.1.1 AAA Overview ..... 2-1
    2.1.2 RADIUS Protocol Overview ..... 2-1
    2.1.3 Implement AAA/RADIUS on Ethernet Switch ..... 2-2
  2.2 Configure AAA ..... 2-3
    2.2.1 Create/Delete ISP Domain ..... 2-3
    2.2.2 Configure Relevant Attributes of ISP Domain ..... 2-4
    2.2.3 Create a Local User ..... 2-5
    2.2.4 Set Attributes of Local User ..... 2-5
    2.2.5 Disconnect a User by Force ..... 2-6
  2.3 Configure RADIUS Protocol ..... 2-7
    2.3.1 Create/Delete a RADIUS server Group ..... 2-7
    2.3.2 Set IP Address and Port Number of RADIUS Server ..... 2-8
    2.3.3 Set RADIUS Packet Encryption Key ..... 2-9
    2.3.4 Set Response Timeout Timer of RADIUS Server ..... 2-10
    2.3.5 Set Retransmission Times of RADIUS Request Packet ..... 2-10
    2.3.6 Set a Real-time Accounting Interval ..... 2-10
    2.3.7 Set Maximum Times of Real-time Accounting Request Failing to be Responded ..... 2-11
    2.3.8 Enable/Disable Stopping Accounting Request Buffer ..... 2-12
    2.3.9 Set the Maximum Retransmitting Times of Stopping Accounting Request ..... 2-12
    2.3.10 Set the Supported Type of RADIUS Server ..... 2-13
    2.3.11 Set RADIUS Server State ..... 2-13
    2.3.12 Set Username Format Transmitted to RADIUS Server ..... 2-14
    2.3.13 Set the Unit of Data Flow that Transmitted to RADIUS Server ..... 2-14
    2.3.14 Configure Local RADIUS Server Group ..... 2-15
  2.4 Display and Debug AAA and RADIUS Protocol ..... 2-15

  2.5 AAA and RADIUS Protocol Configuration Examples ..... 2-16
    2.5.1 Configuring FTP/Telnet User Authentication at Remote RADIUS Server ..... 2-16
    2.5.2 Configuring FTP/Telnet User Authentication at Local RADIUS Server ..... 2-18
  2.6 AAA and RADIUS Protocol Fault Diagnosis and Troubleshooting ..... 2-18
Chapter 3 HABP Configuration ..... 3-1
  3.1 HABP Overview ..... 3-1
  3.2 HABP configuration ..... 3-1
    3.2.1 Configuring HABP Server ..... 3-1
    3.2.2 Configuring HABP Client ..... 3-2
  3.3 Displaying and Debugging HABP Attribute ..... 3-2
Chapter 4 System-guard Configuration ..... 4-1
  4.1 System-guard Overview ..... 4-1
  4.2 System-guard Configuration ..... 4-1
    4.2.1 Enable system-guard function ..... 4-1
    4.2.2 Set the max detection count of the affected hosts ..... 4-2
    4.2.3 Set parameters of address learning ..... 4-2
  4.3 Display and Debug System-guard ..... 4-3

11. Reliability
Table of Contents ..... i
Chapter 1 VRRP Configuration ..... 1-1
  1.1 VRRP Overview ..... 1-1
  1.2 Configure VRRP ..... 1-2
    1.2.1 Enable/disable the Function to Ping the Virtual IP Address ..... 1-3
    1.2.2 Set Correspondence between Virtual IP Address and MAC Address ..... 1-3
    1.2.3 Add/Delete a Virtual IP Address ..... 1-4
    1.2.4 Configure the priority of switches in the virtual router ..... 1-5
    1.2.5 Configure Preemption and Delay for a Switch within a Virtual Router ..... 1-5
    1.2.6 Configure Authentication Type and Authentication Key ..... 1-6
    1.2.7 Configure VRRP Timer ..... 1-7
    1.2.8 Configure Switch to Track a Specified Interface ..... 1-7
  1.3 Display and Debug VRRP ..... 1-8
  1.4 VRRP Configuration Example ..... 1-8
    1.4.1 VRRP Single Virtual Router Example ..... 1-8
    1.4.2 VRRP Tracking Interface Example ..... 1-10
    1.4.3 Multiple Virtual Routers Example ..... 1-11
  1.5 Troubleshoot VRRP ..... 1-12

12. System Management
Table of Contents ..... i
Chapter 1 File System Management ..... 1-1
  1.1 File System ..... 1-1
    1.1.1 File System Overview ..... 1-1
    1.1.2 Directory Operation ..... 1-1
    1.1.3 File Operation ..... 1-1
    1.1.4 Storage Device Operation ..... 1-2
    1.1.5 Set the Prompt Mode of the File System ..... 1-2
  1.2 Configure File Management ..... 1-3
    1.2.1 Configure File Management Overview ..... 1-3
    1.2.2 Display the Current-configuration and Saved-configuration of Ethernet Switch ..... 1-3
    1.2.3 Save the Current-configuration ..... 1-4
    1.2.4 Erase Configuration Files from Flash Memory ..... 1-4
  1.3 FTP ..... 1-5
    1.3.1 FTP Overview ..... 1-5
    1.3.2 Enable/Disable FTP Server ..... 1-6
    1.3.3 Configure the FTP Server Authentication and Authorization ..... 1-6
    1.3.4 Configure the Running Parameters of FTP Server ..... 1-7
    1.3.5 Display and Debug FTP Server ..... 1-7
    1.3.6 Introduction to FTP Client ..... 1-8
    1.3.7 FTP client configuration example ..... 1-8
    1.3.8 FTP server configuration example ..... 1-10
  1.4 TFTP ..... 1-11
    1.4.1 TFTP Overview ..... 1-11
    1.4.2 Configure the File Transmission Mode ..... 1-12
    1.4.3 Download Files by means of TFTP ..... 1-12
    1.4.4 Upload Files by means of TFTP ..... 1-12
    1.4.5 TFTP Client Configuration Example ..... 1-13
Chapter 2 MAC Address Table Management ..... 2-1
  2.1 MAC Address Table Management Overview ..... 2-1
  2.2 MAC Address Table Configuration ..... 2-2
    2.2.1 Set MAC Address Table Entries ..... 2-2
    2.2.2 Set MAC Address Aging Time ..... 2-2
    2.2.3 Set the Max Count of MAC Address Learned by a Port ..... 2-3
  2.3 Display and Debug MAC Address Table ..... 2-4
  2.4 MAC Address Table Management Configuration Example ..... 2-4
Chapter 3 Device management ..... 3-1
  3.1 Device Management Overview ..... 3-1

3.2 Device Management Configuration................................................... 3.2.1 Reboot Ethernet Switch ............................................................ 3.2.2 Designate the APP Adopted When Booting the Ethernet Switch Next Time ............................................................................... 3.2.3 Upgrade BootROM ................................................................... 3.3 Display and Debug Device Management Configuration ................... Chapter 4 System Maintenance and Debugging.......................................... 4.1 Basic System Configuration .............................................................. 4.1.1 Set Name for Switch ................................................................. 4.1.2 Set the System Clock ............................................................... 4.1.3 Set the Time Zone .................................................................... 4.1.4 Set the Summer Time............................................................... 4.2 Display the State and Information of the System .............................. 4.3 System Debugging ............................................................................ 4.3.1 Enable/Disable the Terminal Debugging .................................. 4.3.2 Display Diagnostic Information ................................................. 4.4 Testing Tools for Network Connection .............................................. 4.5 Logging Function .............................................................................. 4.5.1 Introduction to Info-center......................................................... 4.5.2 Info-center Configuration .......................................................... 4.5.3 Sending the Configuration Information to Loghost ................... 4.5.4 Sending the Configuration Information to Console terminal ..... 
4.5.5 Sending the Configuration Information to Telnet Terminal or Dumb Terminal .................................................................................. 4.5.6 Sending the Configuration Information to Log Buffer ............... 4.5.7 Sending the Configuration Information to Trap Buffer .............. 4.5.8 Sending the Configuration Information to SNMP Network Management ...................................................................................... 4.5.9 Turn on/off the Information Synchronization Switch in Fabric ................................................................................................. 4.5.10 Displaying and Debugging Info-center ................................... 4.5.11 Configuration examples of sending log to Unix loghost .......... 4.5.12 Configuration examples of sending log to Linux loghost ........ 4.5.13 Configuration examples of sending log to console terminal ... Chapter 5 SNMP Configuration .................................................................... 5.1 SNMP Overview ................................................................................ 5.2 SNMP Versions and Supported MIB ................................................. 5.3 Configure SNMP ............................................................................... 5.3.1 Set Community Name .............................................................. 5.3.2 Set the Method of Identifying and Contacting the Administrator ..................................................................................... 5.3.3 Enable/Disable SNMP Agent to Send Trap ..............................

3-1 3-1 3-1 3-2 3-2 4-1 4-1 4-1 4-1 4-1 4-2 4-2 4-3 4-3 4-4 4-4 4-5 4-5 4-8 4-11 4-13 4-15 4-18 4-20 4-21 4-23 4-24 4-24 4-26 4-29 5-1 5-1 5-1 5-2 5-3 5-3 5-4

5.3.4 Set the Destination Address of Trap ......................................... 5.3.5 Set Lifetime of Trap Message................................................... 5.3.6 Set SysLocation........................................................................ 5.3.7 Set SNMP Version .................................................................... 5.3.8 Set the Engine ID of a Local or Remote Device ....................... 5.3.9 Set/Delete an SNMP Group ..................................................... 5.3.10 Set the Source Address of Trap ............................................. 5.3.11 Add/Delete a User to/from an SNMP Group........................... 5.3.12 Create/Update View Information or Deleting a View .............. 5.3.13 Set the Size of SNMP Packet Sent/Received by an Agent .... 5.3.14 Disable SNMP Agent .............................................................. 5.4 Display and Debug SNMP ................................................................ 5.5 SNMP Configuration Example .......................................................... Chapter 6 RMON Configuration ................................................................... 6.1 RMON Overview ............................................................................... 6.2 Configure RMON .............................................................................. 6.2.1 Add/Delete an Entry to/from the Alarm Table ........................... 6.2.2 Add/Delete an Entry to/from the Event Table ........................... 6.2.3 Add/Delete an Entry to/from the History Control Table ............ 6.2.4 Add/Delete an Entry to/from the Extended RMON Alarm Table .................................................................................................. 6.2.5 Add/Delete an Entry to/from the Statistics Table ...................... 6.3 Display and Debug RMON ................................................................ 
6.4 RMON Configuration Example .......................................................... Chapter 7 NTP Configuration ....................................................................... 7.1 Brief Introduction to NTP ................................................................... 7.1.1 NTP Functions .......................................................................... 7.1.2 Basic Operating Principle of NTP ............................................. 7.2 NTP Configuration ............................................................................ 7.2.1 Configure NTP Operating Mode ............................................... 7.2.2 Configure NTP ID Authentication ............................................. 7.2.3 Set NTP Authentication Key ..................................................... 7.2.4 Set Specified Key as Reliable .................................................. 7.2.5 Designate an Interface to Transmit NTP Message ................... 7.2.6 Set NTP Master Clock .............................................................. 7.2.7 Enable/Disable an Interface to Receive NTP Message............ 7.2.8 Set Authority to Access a Local Ethernet Switch ...................... 7.2.9 Set Maximum Local Sessions .................................................. 7.3 NTP Display and Debugging ............................................................. 7.4 Typical NTP Configuration Example ................................................. Chapter 8 SSH Terminal Services ...............................................................

5-4 5-4 5-5 5-5 5-5 5-6 5-6 5-6 5-7 5-7 5-7 5-8 5-8 6-1 6-1 6-2 6-2 6-2 6-3 6-3 6-3 6-4 6-4 7-1 7-1 7-1 7-1 7-2 7-3 7-6 7-6 7-7 7-7 7-7 7-8 7-8 7-9 7-9 7-9 8-1

8.1 SSH Terminal Services ..................................................................... 8.1.1 SSH Overview .......................................................................... 8.1.2 Configuring SSH Server ........................................................... 8.1.3 Configuring SSH Client ............................................................. 8.1.4 Displaying and Debugging SSH ............................................... 8.1.5 SSH Configuration Example .....................................................

8-1 8-1 8-3 8-6 8-10 8-11

13. Appendix
Table of Contents ..... i
Appendix A Acronyms ..... A-1

1. Getting Started 2. Port 3. VLAN 4. Network Protocol 5. Routing Protocol 6. Multicast 7. QoS/ACL 8. Integrated Management 9. STP 10. Security 11. Reliability 12. System Management 13. Appendix

Quidway S3500 Series Ethernet Switches Operation Manual
Manual Version: T2-081666-20040712-C-1.03
Product Version: VRP3.10
BOM: 31160966

Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. If you purchased the products from a sales agent of Huawei Technologies Co., Ltd., please contact that sales agent. If you purchased the products from Huawei Technologies Co., Ltd. directly, please contact our local office, customer care center or company headquarters.

Huawei Technologies Co., Ltd.
Address: Administration Building, Huawei Technologies Co., Ltd., Bantian, Longgang District, Shenzhen, P. R. China Postal Code: 518129 Website: http://www.huawei.com

Copyright © 2004 Huawei Technologies Co., Ltd.

All Rights Reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks

HUAWEI, C&C08, EAST8000, HONET, ViewPoint, INtess, ETS, DMC, TELLIN, InfoLink, Netkey, Quidway, SYNLOCK, Radium, M900/M1800, TELESIGHT, Quidview, Musa, Airbridge, Tellwin, Inmedia, VRP, DOPRA, iTELLIN, HUAWEI OptiX, C&C08 iNET, NETENGINE, OptiX, iSite, U-SYS, iMUSE, OpenEye, Lansway, SmartAX, infoX, TopEng are trademarks of Huawei Technologies Co., Ltd. All other trademarks mentioned in this manual are the property of their respective holders.

Notice
The information in this manual is subject to change without notice. Every effort has been made in the preparation of this manual to ensure the accuracy of its contents, but the statements, information and recommendations in this manual do not constitute a warranty of any kind, express or implied.

About This Manual
Release Notes
The product version that corresponds to the manual is VRP3.10.

Related Manuals
The following manuals provide more information about the Quidway S3500 Series Ethernet Switches.
Each of the following provides information for the system installation:
Quidway S3528 Series Ethernet Switches Installation Manual
Quidway S3552F Ethernet Switch Installation Manual
Quidway S3526 Ethernet Switch Installation Manual
Quidway S3526E Ethernet Switch Installation Manual
Quidway S3526 FM/FS Ethernet Switches Installation Manual
Quidway S3552 Ethernet Switch Installation Manual
Quidway S3526C/S3526E FM/S3526E FS Ethernet Switches Installation Manual
The Quidway S3500 Series Ethernet Switches Command Manual assists users in using the various commands.

Organization
Quidway S3500 Series Ethernet Switches Operation Manual consists of the following parts:
Getting Started: introduces how to access the Ethernet switch.
Port: introduces Ethernet port and link aggregation configuration.
VLAN: introduces VLAN, isolate-user-vlan, GARP and GVRP configuration.
Network Protocol: introduces network protocol configuration, including IP address, ARP, DHCP, access management and IP performance configuration.
Routing Protocol: introduces routing protocol configuration, including static route, RIP, OSPF, BGP and routing policy configuration.
Multicast: introduces GMRP, IGMP Snooping, IGMP, PIM-DM and PIM-SM configuration.
QoS/ACL: introduces QoS/ACL configuration.
Integrated Management: introduces integrated management configuration.
STP: introduces STP configuration.
Security: introduces 802.1X, AAA & RADIUS, HABP and system-guard configuration.
Reliability: introduces VRRP configuration.
System Management: introduces system management and maintenance of the Ethernet switch, including file system management, system maintenance and network management configuration.
Appendix

Intended Audience
The manual is intended for the following readers:
Network engineers
Network administrators
Customers who are familiar with network fundamentals

Conventions

The manual uses the following conventions:

I. General conventions
Arial: Normal paragraphs are in Arial.
Arial Narrow: Warnings, Cautions, Notes and Tips are in Arial Narrow.
Boldface: Headings are in Boldface.
Courier New: Terminal display is in Courier New.

II. Command conventions
Boldface: The keywords of a command line are in Boldface.
italic: Command arguments are in italic.
[ ]: Items (keywords or arguments) in square brackets are optional.
{ x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. One is selected.
[ x | y | ... ]: Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
{ x | y | ... } *: Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.
[ x | y | ... ] *: Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected.

III. GUI conventions
< >: Button names are inside angle brackets. For example, click the <OK> button.
[ ]: Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window.
/: Multi-level menus are separated by forward slashes. For example, [File/Create/Folder].

IV. Keyboard operation
<Key>: Press the key with the key name inside angle brackets. For example, <Enter>, <Tab>, <Backspace>, or <A>.
<Key1+Key2>: Press the keys concurrently. For example, <Ctrl+Alt+A> means the three keys should be pressed concurrently.
<Key1, Key2>: Press the keys in turn. For example, <Alt, A> means the two keys should be pressed in turn.

V. Mouse operation
Click: Press the left or right button quickly (left button by default).
Double Click: Press the left button twice continuously and quickly.
Drag: Press and hold the left button and drag the mouse to a certain position.

VI. Symbols
Eye-catching symbols are also used in the manual to highlight the points worthy of special attention during the operation. They are defined as follows:

Caution, Warning: Means the reader should be extremely careful during the operation.
Note: Means a complementary description.

1. Getting Started

Operation Manual - Getting Started Quidway S3500 Series Ethernet Switches

Table of Contents
Chapter 1 Product Overview ..... 1-1
1.1 Product Overview ..... 1-1
1.2 Function Features ..... 1-2
Chapter 2 Logging in Ethernet Switch ..... 2-1
2.1 Set up Configuration Environment via the Console Port ..... 2-1
2.2 Set up Configuration Environment through Telnet ..... 2-3
2.2.1 Connect PC to Ethernet Switch through Telnet ..... 2-3
2.2.2 Telnet Ethernet Switch through Ethernet Switch ..... 2-5
2.3 Set up Configuration Environment through a Dial-up Modem ..... 2-6
Chapter 3 Command Line Interface ..... 3-1
3.1 Command Line Interface ..... 3-1
3.2 Command Line View ..... 3-1
3.3 Feature and Functions of Command Line ..... 3-6
3.3.1 Online Help of Command Line ..... 3-6
3.3.2 Displaying Characteristics of Command Line ..... 3-7
3.3.3 History Command of Command Line ..... 3-7
3.3.4 Common Command Line Error Messages ..... 3-8
3.3.5 Editing Characteristics of Command Line ..... 3-8
Chapter 4 User Interface Configuration ..... 4-1
4.1 User Interface Overview ..... 4-1
4.2 User Interface Configuration ..... 4-2
4.2.1 Enter User Interface View ..... 4-2
4.2.1 Configure the User Interface-supported Protocol ..... 4-2
4.2.2 Configure the Attributes of AUX (Console) Port ..... 4-3
4.2.3 Configure the Terminal Attributes ..... 4-4
4.2.4 Manage Users ..... 4-6
4.2.5 Configure Redirection ..... 4-9
4.3 Display and Debug User Interface ..... 4-10

Chapter 1 Product Overview
1.1 Product Overview
With the rapid development of the Internet, the demand for high-speed broadband communication can no longer be satisfied by traditional low-speed services such as telephone, fax and telegraph. High-speed systems are required to carry broadband services such as high-speed Internet access, video telephony and Video on Demand (VOD), and users also require faster Internet access. Against this background, Ethernet has gained much attention on the market as a broadband access method because of its low cost, high speed and ease of use. Accordingly, Huawei Technologies Co. Ltd. (hereafter referred to as Huawei) launched the Quidway series Ethernet switches to meet the fast-growing demand for broadband network development.
Quidway S3500 Series Ethernet Switches are L2/L3 Ethernet switches independently developed by Huawei that provide wire-speed L2/L3 switching and IP routing. The series includes the following main types of switches:
S3526 Ethernet switch
S3526 FS Ethernet switch
S3526 FM Ethernet switch
S3526E Ethernet switch
S3526C Ethernet switch
S3552G Ethernet switch
S3552P Ethernet switch
S3528G Ethernet switch
S3528P Ethernet switch
S3552F Ethernet switch
The S3526/S3526E/S3526C Ethernet switches provide 24 fixed 10/100Base-TX Ethernet ports, one Console port and 2 extension module slots.
The only difference between the S3526 FS and S3526 FM Ethernet switches is the type of fixed optical port: the S3526 FS provides 12 100M single-mode optical ports, while the S3526 FM provides 12 100M multi-mode optical ports. Each of them provides 4 extension module slots and 1 Console port.
The S3552G Ethernet Switch provides 48 fixed 10/100Base-TX Ethernet ports, one Console port and four GBIC interface modules. The S3552P Ethernet Switch provides 48 fixed 10/100Base-TX Ethernet ports, one Console port and four SFP interface modules.

The S3528G Ethernet Switch provides 24 fixed 10/100Base-TX Ethernet ports, one Console port and four GBIC interface modules. The S3528P Ethernet Switch provides 24 fixed 10/100Base-TX Ethernet ports, one Console port and four SFP interface modules. The S3552F Ethernet Switch provides 6 100M module slots, one Console port and four GBIC interface modules.
Quidway S3500 Series Ethernet Switches support the following services:
Broadband access to the Internet
Enterprise and campus networking
Multicast service and multicast routing, supporting multicast audio and video services
Hereinafter Quidway S3500 Series Ethernet switches are referred to as S3500 series Ethernet switches.

1.2 Function Features
Table 1-1 Function features

VLAN
- Supports VLAN compliant with the IEEE 802.1Q standard
- Supports port-based VLAN
- Supports GARP VLAN Registration Protocol (GVRP)

STP protocol
- S3526/S3526 FS/S3526 FM/S3526E/S3526C support Spanning Tree Protocol (STP) / Rapid Spanning Tree Protocol (RSTP), compliant with the IEEE 802.1D/IEEE 802.1w standards
- S3552G/S3552P/S3528G/S3528P/S3552F support Spanning Tree Protocol (STP) / Multiple Spanning Tree Protocol (MSTP), compliant with the IEEE 802.1D/IEEE 802.1s standards

Flow control
- Supports IEEE 802.3x flow control (full-duplex)
- Supports back-pressure based flow control (half-duplex)

Broadcast Suppression
- Supports Broadcast Suppression

Multicast
- Supports GARP Multicast Registration Protocol (GMRP)
- Supports Internet Group Management Protocol (IGMP) Snooping (only S3552G/S3552P/S3528G/S3528P/S3552F)
- Supports Internet Group Management Protocol (IGMP)
- Supports Protocol-Independent Multicast-Dense Mode (PIM-DM)
- Supports Protocol-Independent Multicast-Sparse Mode (PIM-SM)

IP routing
- Supports static routes
- Supports Routing Information Protocol (RIP) v1/v2
- Supports Open Shortest Path First (OSPF)
- Supports Border Gateway Protocol (BGP)

DHCP
- Supports Dynamic Host Configuration Protocol (DHCP) Relay
- Supports DHCP Server (only S3552G/S3552P/S3528G/S3528P/S3552F)

Link aggregation
- Supports link aggregation

Mirror
- Supports mirroring based on traffic classification
- Supports port mirroring (only S3552G/S3552P/S3528G/S3528P/S3552F)

Security features
- Supports multi-level user management and password protection
- Supports 802.1X authentication
- Supports packet filtering

Reliability
- Supports Virtual Router Redundancy Protocol (VRRP)

Quality of Service (QoS)
- Supports traffic classification
- Supports bandwidth control
- Supports priority
- Supports queues of different priority on the port
- Queue scheduling: supports Strict Priority Queuing (SP), Weighted Round Robin (WRR) and Delay bounded WRR (only S3526E/S3526C support Delay bounded WRR)

Management and Maintenance
- Supports command line interface configuration
- Supports configuration via the Console port
- Supports remote configuration via Telnet or SSH
- Supports configuration through a dial-up Modem
- Supports SNMP management (supports Quidview NMS and RMON MIB groups 1, 2, 3 and 9)
- Supports system log
- Supports level alarms
- Supports Huawei Group Management Protocol (HGMP) V2
- Supports output of debugging information
- Supports PING and Tracert
- Supports remote maintenance via Telnet, Modem or SSH

Loading and update
- Supports loading and upgrading software via the XModem protocol
- Supports loading and upgrading software via File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP)

Chapter 2 Logging in Ethernet Switch
2.1 Set up Configuration Environment via the Console Port
Step 1: As shown in the figure below, to set up the local configuration environment, connect the serial port of a PC (or a terminal) to the Console port of the Ethernet switch with the Console cable.

[Figure 2-1 Set up the local configuration environment via the Console port: the PC's RS-232 serial port is connected to the switch's Console port by the Console cable]

Step 2: Run a terminal emulator (such as Terminal on Windows 3.x or HyperTerminal on Windows 9x) on the PC and set the terminal communication parameters as follows: baud rate 9600, 8 data bits, no parity, 1 stop bit, no flow control, and terminal type VT100.

Figure 2-2 Set up new connection

Figure 2-3 Configure the port for connection

Figure 2-4 Set communication parameters

Step 3: Power on the Ethernet switch. It displays its self-test information and then prompts you to press Enter, after which the command line prompt (such as <Quidway>) appears.

Step 4: Input a command to configure the Ethernet switch or view the operation state. Input a “?” for an immediate help. For details of specific commands, refer to the following chapters.

2.2 Set up Configuration Environment through Telnet
2.2.1 Connect PC to Ethernet Switch through Telnet
After you have configured the IP address of a VLAN interface on the Ethernet switch via the Console port (using the ip address command in VLAN interface view) and added the port that connects to the terminal to that VLAN (using the port command in VLAN view), you can telnet to the switch and configure it.

Step 1: Configure authentication for the Telnet user via the Console port before the user logs in by Telnet.

Note: By default, a password is required to authenticate a Telnet user logging in to the Ethernet switch. If no password has been set, a user who logs in via Telnet sees the prompt "password required, but none set.".

<Quidway> system-view
Enter system view , return user view with Ctrl+Z.
[Quidway] user-interface vty 0
[Quidway-ui-vty0] set authentication password simple xxxx
(xxxx is the preset login password of the Telnet user.)

The simple keyword stores the password in clear text in the configuration, and Telnet itself carries it in clear text across the network, so anyone who can read the saved configuration or capture the traffic obtains it. Where the switch supports SSH (see the SSH Terminal Services chapter of the System Management module), prefer it for remote management.

Step 2: To set up the configuration environment, connect the Ethernet port of the PC to an Ethernet port of the switch via the LAN.

[Figure 2-5 Set up configuration environment through Telnet: the PC used for configuring the switch via Telnet, the workstations and a server share an Ethernet LAN connected to an Ethernet port of the switch]

Step 3: Run Telnet on the PC and enter the IP address of the VLAN interface to which the PC's port belongs.

Figure 2-6 Run Telnet

Step 4: The terminal displays "User Access Verification" and prompts you to enter the login password. After you enter the correct password, the command line prompt (such as <Quidway>) appears. If the prompt "Too many users!" appears, too many users are connected to the switch via Telnet at the moment; reconnect later. At most 5 Telnet users can log in to the Quidway series Ethernet switches simultaneously.

Step 5: Use the corresponding commands to configure the Ethernet switch or to monitor its running state. Enter "?" for immediate help. For details of specific commands, refer to the following chapters.

Note: 1) When configuring the Ethernet switch via Telnet, do not modify its IP address unless necessary, because the change may drop the Telnet connection. 2) By default, a Telnet user who logs in can access the commands at Level 0.
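The login dialogue above (connect, "User Access Verification", password prompt, then the <Quidway> prompt, or the "Too many users!" and "password required, but none set." refusals) can be driven by a small client. The following is an added example written for this edit, not code from the manual or from Huawei: it strips Telnet option negotiation from the switch's output while refusing every option offered, classifies the reply using the strings quoted on this page, and wraps both in a socket login helper. The literal prompt text "Password:", the port number 23, the timeout and the host name are assumptions (the manual only says the user is prompted for the password); the byte strings in the test are constructed. Because Telnet carries the password in clear text, use this only on a lab network and prefer SSH where the switch supports it.

```python
"""Telnet login probe for a VRP-style switch (added example, not from the manual)."""
from __future__ import annotations
import re
import socket

# RFC 854/855 command bytes
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def strip_iac(data: bytes) -> tuple[bytes, bytes]:
    """Remove Telnet negotiation from `data`.

    Returns (clean_text, replies): the text a user would see and the refusals
    we owe the peer (DO -> WONT, WILL -> DONT), so the session stays a plain
    NVT byte stream. IAC IAC is unescaped to one 0xFF data byte and IAC SB ...
    IAC SE subnegotiation is skipped. A trailing incomplete sequence is dropped;
    a production client would keep it and wait for more bytes.
    """
    out, replies = bytearray(), bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:
            break
        cmd = data[i + 1]
        if cmd == IAC:                       # escaped data byte
            out.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):  # three-byte option negotiation
            if i + 2 >= n:
                break
            opt = data[i + 2]
            if cmd == DO:
                replies += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                replies += bytes([IAC, DONT, opt])
            i += 3
        elif cmd == SB:                      # subnegotiation: skip to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break
            i = end + 2
        else:                                # NOP, GA, AYT and other 2-byte commands
            i += 2
    return bytes(out), bytes(replies)


PROMPT_RE = re.compile(r"<[^<>\r\n]+>\s*$")  # user view prompt such as <Quidway>


def classify_banner(text: str) -> str:
    """Map the switch's reply to one of the outcomes the manual describes."""
    if "Too many users" in text:
        return "busy"            # all VTY lines (5 on these switches) are in use
    if "password required, but none set" in text:
        return "no-password"     # the VTY has no `set authentication password`
    if PROMPT_RE.search(text):
        return "logged-in"
    if "Password:" in text:      # assumed prompt text; the manual does not quote it
        return "password-prompt"
    return "unknown"             # keep reading, e.g. only the banner has arrived


def telnet_login(host: str, password: str, port: int = 23, timeout: float = 5.0) -> str:
    """Connect, answer negotiation, send the VTY password and report the outcome.

    Assumed wiring around the two functions above; it needs a reachable switch
    and is not exercised by the offline test. The password crosses the network
    in clear text, which is why the manual also offers SSH.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        text, sent = "", False
        for _ in range(20):                  # bounded read loop
            chunk = s.recv(4096)
            if not chunk:
                break
            clean, replies = strip_iac(chunk)
            if replies:
                s.sendall(replies)
            text += clean.decode("ascii", "replace")
            state = classify_banner(text)
            if state == "password-prompt":
                if sent:                     # prompted again: password rejected
                    return "password-rejected"
                s.sendall(password.encode() + b"\r\n")
                sent, text = True, ""
            elif state != "unknown":
                return state
        return "unknown"
```

The refusal of every option keeps the switch from switching the session into a mode the parser does not handle (for example terminal-type or window-size subnegotiation); a real client for an interactive session would instead accept the options it implements.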

2.2.2 Telnet Ethernet Switch through Ethernet Switch
After a user has logged in to a switch, he or she can telnet from that switch to another switch and configure it. The local switch serves as the Telnet client and the peer switch as the Telnet server. If the ports connecting the two switches are in the same local network, their IP addresses must be configured in the same network segment; otherwise, the two switches must have routes that reach each other. As shown in the figure below, after you telnet to an Ethernet switch, you can run the telnet command to log in to and configure another Ethernet switch.

[Figure 2-7 Provide Telnet Client service: PC, Telnet Client (Ethernet switch) and Telnet Server (Ethernet switch) connected in a chain]

Step 1: Configure authentication for the Telnet user via the Console port on the Telnet Server (Ethernet switch) before login.

Note: By default, a password is required to authenticate a Telnet user logging in to the Ethernet switch. If no password has been set, a user who logs in via Telnet sees the prompt "password required, but none set.".

<Quidway> system-view
Enter system view , return user view with Ctrl+Z.
[Quidway] user-interface vty 0
[Quidway-ui-vty0] set authentication password simple xxxx
(xxxx is the preset login password of the Telnet user.)

Step 2: Log in to the Telnet Client (Ethernet switch). For the login process, refer to the section "Connect PC to Ethernet Switch through Telnet".

Step 3: Perform the following operation on the Telnet Client:
<Quidway> telnet xxxx
(xxxx can be the host name or IP address of the Telnet Server. If it is a host name, the switch must have static host name resolution configured for it.)

Step 4: Enter the preset login password and the prompt (such as <Quidway>) appears. If the prompt "Too many users!" appears, too many users are connected to the switch via Telnet at the moment; reconnect later.

Step 5: Use the corresponding commands to configure the Ethernet switch or view its running state. Enter "?" for immediate help. For details of specific commands, refer to the following chapters.

2.3 Set up Configuration Environment through a Dial-up Modem
Step 1: Configure authentication for the Modem user via the Console port of the Ethernet switch before the user logs in to the switch through a dial-up Modem.

Note: By default, a password is required to authenticate a Modem user logging in to the Ethernet switch. If no password has been set, a user who logs in via the Modem sees the prompt "password required, but none set.".

<Quidway> system-view
Enter system view , return user view with Ctrl+Z.
[Quidway] user-interface aux 0
[Quidway-ui-aux0] set authentication password simple xxxx
(xxxx is the preset login password of the Modem user.)

Step 2: Perform the following configuration on the Modem that is directly connected to the Ethernet switch. (The Modem connected to the terminal does not need to be configured.)

AT&F      Reset the Modem to factory settings
ATS0=1    Set auto-answer (answer after one ring)
AT&D      Ignore the DTR signal
AT&K0     Disable flow control
AT&R1     Ignore the RTS signal
AT&S0     Force DSR high
ATEQ1&W   Disable command echo, stop the Modem from sending command responses or execution results, and save the configuration

After the configuration, enter the AT&V command to verify the Modem settings.

Because ATS0=1 makes the Modem answer any caller, the AUX line password configured in Step 1 is the only control between a caller who knows the telephone number and the switch's command line. Keep that password strong and never leave the AUX line without authentication while a Modem is attached.

Note: 1) The Modem configuration commands and outputs may differ between Modems. For details, refer to the User Manual of the Modem. 2) It is recommended that the transmission rate on the Console port be lower than that of the Modem; otherwise packets may be lost.

Step 3: As shown in the figure below, to set up the remote configuration environment, connect the Modems to a PC (or terminal) serial port and to the Ethernet switch Console port respectively.

Figure 2-8 Set up remote configuration environment (PC or terminal -> Modem serial port line -> Modem -> telephone line -> PSTN -> telephone line -> Modem -> Console port of the Ethernet switch)

Step 4: Dial for connection to the switch, using the terminal emulator and Modem on the remote end. The number dialed shall be the telephone number of the Modem connected to the Ethernet switch. See the two figures below.


Figure 2-9 Set the dialed number
Figure 2-10 Dial on the remote PC

Step 5: Enter the preset login password on the remote terminal emulator and wait for a prompt such as <Quidway>. Then you can configure and manage the Ethernet switch. Enter “?” to get immediate help. For details of specific commands, refer to the following chapters.

Note: By default, when a Modem user logs in, he can access the commands at Level 0.


Chapter 3 Command Line Interface
3.1 Command Line Interface
Quidway series Ethernet Switches provide a series of configuration commands and command line interfaces for configuring and managing the Ethernet switch. The command line interface has the following characteristics:
Local configuration via the Console port.
Local or remote configuration via Telnet or SSH.
Remote configuration through a dial-up Modem to log in to the Ethernet switch.
Hierarchical command protection to prevent unauthorized users from accessing the Ethernet switch.
Enter a “?” to get immediate online help.
Network testing commands, such as Tracert and Ping, for fast troubleshooting of the network.
Various detailed debugging information to help with network troubleshooting.
Log in to and manage other Ethernet switches directly, using the telnet command.
FTP service for users to upload and download files.
A function similar to Doskey to execute a history command.
The command line interpreter accepts keywords that are not fully typed: you can key in the whole keyword or only part of it, as long as the part is unique and not ambiguous.

3.2 Command Line View
Quidway series Ethernet Switches provide hierarchical protection for the command lines to prevent unauthorized access. Commands are classified into four levels, namely visit level, monitoring level, configuration level and management level. They are introduced as follows:
Visit level: Commands of this level include the network diagnosis tools (such as ping and tracert), the command for switching between language environments of the user interface (language-mode), the telnet command, etc. Saving the configuration file is not allowed at this level.
Monitoring level: Commands of this level, including the display commands and the debugging commands, are used for system maintenance, service fault diagnosis, etc. Saving the configuration file is not allowed at this level.
Configuration level: Service configuration commands, including routing commands and commands for each network layer, are used to provide direct network service to the user.
Management level: Commands that influence the basic operation of the system and the system support modules, which play a support role for services. Commands of this level include file system commands, FTP commands, TFTP commands, XModem downloading commands, user management commands, and level setting commands.

Login users are likewise classified into four levels that correspond to the four command levels respectively. After users of different levels log in, they can only use commands at levels equal to or lower than their own level.

To prevent unauthorized users from illegal intrusion, a user is authenticated when switching from a lower level to a higher level with the super [ level ] command. In other words, the password of the higher level is needed (supposing the user has set it with super password [ level level ] { simple | cipher } password). For the sake of confidentiality, the password the user enters is not displayed on the screen. The user can switch to the higher level only if the correct password is entered within three attempts; otherwise, the original user level remains unchanged.

Different command views are implemented according to different requirements, and they are related to one another. For example, after logging in to the Ethernet switch, you enter user view, in which you can only use some basic functions such as displaying the running state and statistics information. In user view, key in system-view to enter system view, in which you can key in the various configuration commands and enter the corresponding views. The command line provides the following views:

Note: Among the S3500 series switches, only the S3526E and S3526C support User-defined ACL view, and only the S3552G/S3552P/S3528G/S3528P/S3552F support MST region view, DHCP address pool view, Conform-level view, and WRED index view.

User view
System view
Ethernet Port view
VLAN view
VLAN interface view
Local-user view
User interface view
FTP Client view
Cluster view
MST region view
RSA public key view
RSA key code view
DHCP address pool view
PIM view
RIP view
OSPF view
OSPF area view
BGP view
Route policy view
Basic ACL view
Advanced ACL view
Layer-2 ACL view
User-defined ACL view
Conform-level view
WRED index view
RADIUS server group view
ISP domain view
The relation diagram of the views is as follows.


Figure 3-1 The relation diagram of the views (user view leads to system view; from system view the Ethernet port, MST region, Conform-level, WRED index, RSA public key, user interface, VLAN, VLAN interface, RIP, OSPF, BGP, route policy, ACL, local-user, cluster, PIM, RADIUS server group, ISP domain and DHCP address pool views are entered; OSPF area view is entered from OSPF view, RSA key code view from RSA public key view, and FTP client view from user view)

The following table describes the function features of the different views and the ways to enter or quit them.

Table 3-1 Function feature of command view
Command view | Function | Prompt | Command to enter | Command to exit
User view | Show the basic information about operation and statistics | <Quidway> | Enter right after connecting to the switch | quit disconnects from the switch
System view | Configure system parameters | [Quidway] | Key in system-view in user view | quit or return returns to user view
Ethernet Port view (100M Ethernet port) | Configure Ethernet port parameters | [Quidway-Ethernet0/1] | Key in interface ethernet 0/1 in system view | quit returns to system view
Ethernet Port view (GigabitEthernet port) | Configure Ethernet port parameters | [Quidway-GigabitEthernet1/1] | Key in interface gigabitethernet 1/1 in system view | quit returns to system view
VLAN view | Configure VLAN parameters | [Quidway-Vlan1] | Key in vlan 1 in system view | quit returns to system view
VLAN interface view | Configure IP interface parameters for a VLAN or a VLAN aggregation | [Quidway-Vlan-interface1] | Key in interface vlan-interface 1 in system view | quit returns to system view
Local-user view | Configure local user parameters | [Quidway-luser-user1] | Key in local-user user1 in system view | quit returns to system view
User interface view | Configure user interface parameters | [Quidway-ui0] | Key in user-interface 0 in system view | quit returns to system view
FTP Client view | Configure FTP Client parameters | [ftp] | Key in ftp in user view | quit returns to user view
Cluster view | Configure Cluster parameters | [Quidway-cluster] | Key in cluster in system view | quit returns to system view
MST region view | Configure MST region parameters | [Quidway-mst-region] | Key in stp region-configuration in system view | quit returns to system view
RSA public key view | Configure RSA public key of SSH user | [Quidway-rsa-public-key] | Key in rsa peer-public-key quidway003 in system view | peer-public-key end returns to system view
RSA key code view | Edit RSA public key of SSH user | [Quidway-rsa-key-code] | Key in public-key-code begin in RSA public key view | public-key-code end returns to RSA public key view
DHCP address pool view | Configure DHCP address pool parameters | [Quidway-dhcp-0] | Key in dhcp server ip-pool 0 in system view | quit returns to system view
PIM view | Configure PIM parameters | [Quidway-PIM] | Key in pim in system view | quit returns to system view
RIP view | Configure RIP parameters | [Quidway-rip] | Key in rip in system view | quit returns to system view
OSPF view | Configure OSPF parameters | [Quidway-ospf] | Key in ospf in system view | quit returns to system view
OSPF area view | Configure OSPF area parameters | [Quidway-ospf-0.0.0.1] | Key in area 1 in OSPF view | quit returns to OSPF view
BGP view | Configure BGP parameters | [Quidway-bgp] | Key in bgp 100 in system view | quit returns to system view
Route policy view | Configure route policy parameters | [Quidway-route-policy] | Key in route-policy policy1 permit node 10 in system view | quit returns to system view
Basic ACL view | Define the rule of basic ACL | [Quidway-acl-basic-2000] | Key in acl number 2000 in system view | quit returns to system view
Advanced ACL view | Define the rule of advanced ACL | [Quidway-acl-adv-3000] | Key in acl number 3000 in system view | quit returns to system view
Layer-2 ACL view | Define the rule of layer-2 ACL | [Quidway-acl-link-4000] | Key in acl number 4000 in system view | quit returns to system view
User-defined ACL view | Define the rule of user-defined ACL | [Quidway-acl-user-5000] | Key in acl number 5000 in system view | quit returns to system view
Conform-level view | Configure the "DSCP + Conform-level Service group" mapping table and the "Local-precedence + Conform-level 802.1p priority" mapping table | [Quidway-conform-level-0] | Key in qos conform-level 0 in system view | quit returns to system view
WRED index view | Configure WRED parameters | [Quidway-wred-0] | Key in wred 0 in system view | quit returns to system view
RADIUS server group view | Configure radius parameters | [Quidway-radius-1] | Key in radius scheme 1 in system view | quit returns to system view
ISP domain view | Configure ISP domain parameters | [Quidway-isp-huawei163.net] | Key in domain huawei163.net in system view | quit returns to system view


3.3 Feature and Functions of Command Line
3.3.1 Online Help of Command Line
The command line interface provides the following online help modes:
Full help
Partial help
You can get the help information through these online help commands, which are described as follows.
1) Input “?” in any view to get all the commands in it and the corresponding descriptions.

<Quidway> ?
User view commands:
  language-mode  Specify the language environment
  ping           Ping function
  quit           Exit from current command view
  super          Privilege specified user priority level
  telnet         Establish one TELNET connection
  tracert        Trace route function

2) Input a command with a “?” separated by a space. If this position is for keywords, all the keywords and the corresponding brief descriptions will be listed.

<Quidway> language-mode ?
  chinese  Chinese environment
  english  English environment

3) Input a command with a “?” separated by a space. If this position is for parameters, all the parameters and their brief descriptions will be listed.

[Quidway] garp timer leaveall ?
  INTEGER<65-32765>  Value of timer in centiseconds (LeaveAllTime > (LeaveTime [On all ports])) Time must be multiple of 5 centiseconds

[Quidway] garp timer leaveall 300 ?
  <cr>

<cr> indicates that there is no parameter in this position. The next command line repeats the command; you can press <Enter> to execute it directly.
4) Input a character string followed by “?”, then all the commands beginning with this character string will be listed.

<Quidway> p?
ping


5) Input a command with a character string followed by “?”, then all the keywords in the command beginning with this character string will be listed.

<Quidway> display ver?
version

6) Input the first letters of a keyword of a command and press the <Tab> key. If no other keyword begins with these letters, the unique keyword is completed automatically.

7) To switch the above information to the Chinese display, perform the language-mode command.

3.3.2 Displaying Characteristics of Command Line
The command line interface provides the following display characteristics:
For users’ convenience, the instructions and help information can be displayed in both English and Chinese.
When the information to be displayed exceeds one screen, a pausing function is provided. In this case, users have three choices, as shown in the table below.
Table 3-2 Functions of displaying
Key or Command | Function
Press <Ctrl+C> when the display pauses | Stop displaying and executing the command.
Enter a space when the display pauses | Continue to display the next screen of information.
Press <Enter> when the display pauses | Continue to display the next line of information.

3.3.3 History Command of Command Line
The command line interface provides a function similar to that of DosKey. The commands entered by users are automatically saved by the command line interface, and you can invoke and execute them at any time later. The history command buffer defaults to 10; that is, the command line interface can store 10 history commands for each user. The operations are shown in the table below.
Table 3-3 Retrieve history command
Operation | Key | Result
Display history commands | display history-command | Display the history commands entered by the user
Retrieve the previous history command | Up cursor key <↑> or <Ctrl+P> | Retrieve the previous history command, if there is any.
Retrieve the next history command | Down cursor key <↓> or <Ctrl+N> | Retrieve the next history command, if there is any.


Note: Cursor keys can be used to retrieve the history commands in Windows 3.X Terminal and Telnet. However, in Windows 9X HyperTerminal, the cursor keys ↑ and ↓ do not work, because Windows 9X HyperTerminal defines the two keys differently. In this case, use the combination keys <Ctrl+P> and <Ctrl+N> instead for the same purpose.

3.3.4 Common Command Line Error Messages
All commands entered by users are executed correctly if they pass the grammar check. Otherwise, error messages are reported to the user. The common error messages are listed in the following table.
Table 3-4 Common command line error messages
Error message | Causes
Unrecognized command | Cannot find the command. Cannot find the keyword. Wrong parameter type. The value of the parameter exceeds the range.
Incomplete command | The input command is incomplete.
Too many parameters | Too many parameters were entered.
Ambiguous command | The parameters entered are not specific.

3.3.5 Editing Characteristics of Command Line
The command line interface provides basic command editing functions and supports editing over multiple lines. A command cannot be longer than 256 characters. See the table below.
Table 3-5 Editing functions
Key | Function
Common keys | Insert at the cursor position and move the cursor to the right, if the edit buffer still has free space.
Backspace | Delete the character preceding the cursor and move the cursor backward.
Leftwards cursor key <←> or <Ctrl+B> | Move the cursor one character backward.
Rightwards cursor key <→> or <Ctrl+F> | Move the cursor one character forward.
Up cursor key <↑> or <Ctrl+P>, Down cursor key <↓> or <Ctrl+N> | Retrieve the history command.
<Tab> | Press <Tab> after typing an incomplete keyword and the system executes the partial help: if the keyword matching the typed one is unique, the system replaces the typed one with the complete keyword and displays it on a new line; if there is no matching keyword or the match is not unique, the system makes no modification but displays the originally typed word on a new line.
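The matching rules of sections 3.1, 3.3.1, 3.3.4 and 3.3.5 (partial keywords accepted when unique, “?” help, <Tab> completion and the error messages of Table 3-4) as an added model in Python; this is not the switch's own code, and the command tree is a constructed subset of the user view commands shown in 3.3.1.

```python
"""Model of the Quidway-style keyword matching described in 3.1, 3.3.1,
3.3.4 and 3.3.5: a partially typed keyword is accepted when it is unique,
"?" lists the candidates at the cursor, <Tab> completes a unique prefix,
and the four common error messages of Table 3-4 are produced otherwise.

Added example, not the switch's own code. The command tree is a
constructed subset of the user view commands shown in section 3.3.1.
"""
from typing import Dict, List, Optional, Tuple

# keyword -> (description, table of following keywords, or None when the
# command ends here). Constructed: the real ping/telnet/tracert take arguments.
CommandTable = Dict[str, Tuple[str, Optional[dict]]]

USER_VIEW: CommandTable = {
    "language-mode": ("Specify the language environment", {
        "chinese": ("Chinese environment", None),
        "english": ("English environment", None),
    }),
    "ping": ("Ping function", None),
    "quit": ("Exit from current command view", None),
    "super": ("Privilege specified user priority level", None),
    "telnet": ("Establish one TELNET connection", None),
    "tracert": ("Trace route function", None),
}


def _candidates(table: CommandTable, token: str) -> List[str]:
    """Keywords `token` may designate: an exact match wins, otherwise every
    keyword that starts with the typed prefix (3.1: partial keywords)."""
    if token in table:
        return [token]
    return [kw for kw in table if kw.startswith(token)]


def _walk(tokens: List[str]) -> Tuple[List[str], Optional[CommandTable]]:
    """Resolve already-typed keywords. Returns the expanded keywords and the
    table for the next position (None when the command is complete); raises
    ValueError carrying one of the Table 3-4 error messages."""
    table: Optional[CommandTable] = USER_VIEW
    resolved: List[str] = []
    for token in tokens:
        if table is None:
            raise ValueError("Too many parameters")
        matches = _candidates(table, token)
        if not matches:
            raise ValueError("Unrecognized command")
        if len(matches) > 1:
            raise ValueError("Ambiguous command")
        resolved.append(matches[0])
        table = table[matches[0]][1]
    return resolved, table


def execute(line: str) -> str:
    """Run a command line: the expanded command on success, else the error."""
    try:
        resolved, nxt = _walk(line.split())
    except ValueError as err:
        return str(err)
    if not resolved or nxt is not None:
        return "Incomplete command"
    return "OK: " + " ".join(resolved)


def online_help(line: str) -> List[Tuple[str, str]]:
    """Answer a line ending in "?" (3.3.1): list the keywords possible at the
    cursor, narrowed by a partial word typed directly before the "?";
    "<cr>" means the command is complete at this position."""
    body = line.rstrip("?")
    tokens = body.split()
    partial = tokens.pop() if tokens and not body.endswith(" ") else ""
    try:
        _, nxt = _walk(tokens)
    except ValueError as err:
        return [(str(err), "")]
    if nxt is None:
        return [("<cr>", "")]
    return [(kw, desc) for kw, (desc, _) in nxt.items() if kw.startswith(partial)]


def tab_complete(line: str) -> str:
    """<Tab> behaviour of Table 3-5: a unique prefix is replaced by the full
    keyword; no match or several matches leave the line unchanged."""
    tokens = line.split()
    if not tokens or line.endswith(" "):
        return line
    partial = tokens.pop()
    try:
        _, nxt = _walk(tokens)
    except ValueError:
        return line
    if nxt is None:
        return line
    matches = [kw for kw in nxt if kw.startswith(partial)]
    if len(matches) != 1:
        return line
    return " ".join(tokens + matches)


if __name__ == "__main__":
    for cmd in ("lang eng", "t", "quit now", "language-mode", "foo"):
        print(f"{cmd!r:18} -> {execute(cmd)}")
    print(online_help("p?"), tab_complete("lang"))
```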


Chapter 4 User Interface Configuration
4.1 User Interface Overview
User interface configuration is another way provided by the Ethernet switch to configure and manage the port data. S3500 Series Ethernet Switches support the following configuration methods:
Local configuration via the Console port
Local and remote configuration through Telnet or SSH on an Ethernet port
Remote configuration through dial-up with a Modem via the Console port
According to the above-mentioned configuration methods, there are two types of user interfaces:
AUX user interface: used to log in to the Ethernet switch via the Console port. An Ethernet switch can have only one AUX user interface.
VTY user interface: used to telnet to the Ethernet switch. An Ethernet switch can have up to five VTY user interfaces.

Note: For Quidway series Ethernet Switches, AUX port and Console port are the same one. There is only the type of AUX user interface.

User interfaces are numbered in the following two ways: absolute number and relative number.
1) Absolute number, following the rules below:
The AUX user interface is numbered as the first interface, designated as user interface 0.
VTYs are numbered after the AUX user interface. The absolute number of the first VTY is the AUX user interface number incremented by 1.
2) Relative number, represented by “+ number” assigned to each type of user interface. It follows the rules below:
Number of the AUX user interface: AUX 0.
Number of VTYs: The first VTY interface is designated as VTY 0, the second one as VTY 1, and so on.

4.2 User Interface Configuration
User interface configuration includes:
Enter user interface view
Configure the user interface-supported protocol
Configure the attributes of the AUX (Console) port
Configure the terminal attributes
Manage users
Configure redirection

4.2.1 Enter User Interface View
The following command is used for entering a user interface view. You can enter a single user interface view or multiple user interface views to configure one or more user interfaces respectively. Perform the following configuration in system view.
Table 4-1 Enter user interface view
Operation | Command
Enter a single user interface view or multiple user interface views | user-interface [ type ] first-number [ last-number ]

4.2.1 Configure the User Interface-supported Protocol
The following command is used for setting the protocol supported by the current user interface. You can log in to the switch only through the supported protocol. The configuration takes effect when you log in again. Perform the following configuration in user interface view (VTY user interfaces only).
Table 4-2 Configure the user interface-supported protocol
Operation | Command
Configure the user interface-supported protocol | protocol inbound { all | ssh | telnet }

By default, the user interface only supports Telnet protocol.


Caution:
1) If Telnet protocol is specified, to ensure a successful login via Telnet, you must configure the password required by the default authentication mode.
2) If SSH protocol is specified, to ensure a successful login, you must configure local or remote authentication of username and password using the authentication-mode scheme command. The protocol inbound ssh configuration fails if you have configured authentication-mode password or authentication-mode none. Once SSH protocol is configured successfully for the user interface, you can no longer configure authentication-mode password or authentication-mode none.

4.2.2 Configure the Attributes of AUX (Console) Port
The following commands can be used for configuring the attributes of the AUX (Console) port, including speed, flow control, parity, stop bit and data bit. Perform the following configurations in user interface (AUX user interface only) view.

I. Configure the transmission speed on AUX (Console) port
Table 4-3 Configure the transmission speed on AUX (Console) port
Operation | Command
Configure the transmission speed on AUX (Console) port | speed speed-value
Restore the default transmission speed on AUX (Console) port | undo speed

By default, the transmission speed on AUX (Console) port is 9600bps.

II. Configure the flow control on AUX (Console) port
Table 4-4 Configure the flow control on AUX (Console) port
Operation | Command
Configure the flow control on AUX (Console) port | flow-control { hardware | none | software }
Restore the default flow control mode on AUX (Console) port | undo flow-control

By default, the flow control on the AUX (Console) port is none, that is, no flow control will be performed.


III. Configure parity on the AUX (Console) port
Table 4-5 Configure parity on the AUX (Console) port
Operation | Command
Configure parity mode on the AUX (Console) port | parity { even | mark | none | odd | space }
Restore the default parity mode | undo parity

By default, the parity on the AUX (Console) port is none, that is, no parity bit.

IV. Configure the stop bit of AUX (Console) port
Table 4-6 Configure the stop bit of AUX (Console) port
Operation | Command
Configure the stop bit of AUX (Console) port | stopbits { 1 | 1.5 | 2 }
Restore the default stop bit of AUX (Console) port | undo stopbits

By default, AUX (Console) port supports 1 stop bit.

V. Configure the data bit of AUX (Console) port
Table 4-7 Configure the data bit of AUX (Console) port
Operation | Command
Configure the data bit of AUX (Console) port | databits { 7 | 8 }
Restore the default data bit of AUX (Console) port | undo databits

By default, AUX (Console) port supports 8 data bits.

4.2.3 Configure the Terminal Attributes
The following commands can be used for configuring the terminal attributes, including enabling/disabling terminal service, disconnection upon timeout, lockable user interface, configuring terminal screen length and history command buffer size. Perform the following configuration in user interface view. Perform lock command in user view.

I. Enable/Disable terminal service
After the terminal service is disabled on a user interface, you cannot log in to the Ethernet switch through that user interface. However, a user who logged in through the user interface before the terminal service was disabled can continue his operation. After such a user logs out, he cannot log in again. In this case, a user can log in to the switch through the user interface only when the terminal service is enabled again.
Table 4-8 Enable/disable terminal service
Operation | Command
Enable terminal service | shell
Disable terminal service | undo shell

By default, terminal service is enabled on all user interfaces. Note the following points:
For the sake of security, the undo shell command can only be used on user interfaces other than the AUX user interface.
You cannot use this command on the user interface via which you are logged in.
You will be asked to confirm before undo shell takes effect on any legal user interface.

II. Configure idle-timeout
Table 4-9 Configure idle-timeout
Operation | Command
Configure idle-timeout | idle-timeout minutes [ seconds ]
Restore the default idle-timeout | undo idle-timeout

By default, idle-timeout is enabled and set to 10 minutes on all the user interfaces. That is, the user interface will be disconnected automatically after 10 minutes without any operation. idle-timeout 0 means disabling idle-timeout.

III. Lock user interface
This configuration locks the current user interface and prompts the user to enter a password. This makes it impossible for others to operate in the interface after the user leaves.
Table 4-10 Lock user interface
Operation | Command
Lock user interface | lock


IV. Set the screen length
If a command displays more than one screen of information, you can use the following command to set how many lines are displayed per screen, so that the information is split into separate screens and you can view it more conveniently.
Table 4-11 Set the screen length
Operation | Command
Set the screen length | screen-length screen-length
Restore the default screen length | undo screen-length

By default, the terminal screen length is 24 lines. screen-length 0 disables the screen splitting function.

V. Set the history command buffer size
Table 4-12 Set the history command buffer size
Operation | Command
Set the history command buffer size | history-command max-size value
Restore the default history command buffer size | undo history-command max-size

By default, the size of the history command buffer is 10, that is, 10 history commands can be saved.

4.2.4 Manage Users
The management of users includes setting the user login authentication method, the command level a user can use after logging in, the command level a user can use after logging in from a specific user interface, and the command level of individual commands.

I. Configure authentication method
The following command is used for configuring the user login authentication method, to deny access to unauthorized users. Perform the following configuration in user interface view.
Table 4-13 Configure authentication method
Operation | Command
Configure the authentication method | authentication-mode { password | scheme }
Configure no authentication | authentication-mode none


By default, terminal authentication is not required for users logging in via the Console port, whereas a password is required to authenticate Modem and Telnet users when they log in.
1) Perform local password authentication on the user interface
Using the authentication-mode password command, you can perform local password authentication. That is, you need to use the command below to configure a login password in order to log in successfully. Perform the following configuration in user interface view.
Table 4-14 Configure the local authentication password
Operation | Command
Configure the local authentication password | set authentication password { cipher | simple } password
Remove the local authentication password | undo set authentication password

# Configure password authentication when a user logs in through the VTY 0 user interface and set the password to huawei.
[Quidway] user-interface vty 0
[Quidway-ui-vty0] authentication-mode password
[Quidway-ui-vty0] set authentication password simple huawei

2) Perform local or remote authentication of username and password on the user interface
Using the authentication-mode scheme command, you can perform local or remote authentication of username and password. The type of authentication depends on your configuration. For detailed information, see the “Security” section. In the following example, local username and password authentication is configured.
# Perform username and password authentication when a user logs in through the VTY 0 user interface and set the username and password to zbr and huawei respectively.
[Quidway-ui-vty0] authentication-mode scheme
[Quidway-ui-vty0] quit
[Quidway] local-user zbr
[Quidway-luser-zbr] password simple huawei
[Quidway-luser-zbr] service-type telnet

3) No authentication
[Quidway-ui-vty0] authentication-mode none


Note: By default, a password is required to authenticate Modem and Telnet users when they log in. If no password has been set, a user who logs in will see the prompt “password required, but none set.” If the authentication-mode none command is used, Modem and Telnet users are not required to input a password.

II. Set command level used after a user logging in
The following command is used for setting the command level used after a user logs in. Perform the following configuration in local-user view.
Table 4-15 Set command level used after a user logs in
Operation | Command
Set command level used after a user logs in | service-type { ssh [ level level | telnet [ level level ] ] | telnet [ level level | ssh [ level level ] ] }
Restore the default command level used after a user logs in | undo service-type { ssh [ level | telnet [ level ] ] | telnet [ level | ssh [ level ] ] }

By default, the specified logon user can access the commands at Level 1.

III. Set command level used after a user logs in from a user interface
You can use the following command to set the command level after a user logs in from a specific user interface, so that the user is able to execute commands at that level. Perform the following configuration in user interface view.
Table 4-16 Set command level used after a user logs in from a user interface
Operation | Command
Set command level used after a user logs in from a user interface | user privilege level level
Restore the default command level used after a user logs in from a user interface | undo user privilege level

By default, a user can access the commands at Level 3 after logging in through the AUX user interface, and the commands at Level 0 after logging in through the VTY user interface.


Note: When a user logs in to the switch, the command level it can access depends on two points: the command level the user itself can access, and the command level set on the user interface. If the two levels differ, the former is taken. For example, if the command level of the VTY 0 user interface is 1 but you have the right to access commands of level 3, then when you log in from the VTY 0 user interface you can access commands of level 3 and lower.

IV. Set command priority
The following command is used for setting the priority of a specified command in a certain view. The command levels include visit, monitoring, configuration, and management, identified as 0 through 3 respectively. An administrator assigns authorities as per user requirements. Perform the following configuration in system view.
Table 4-17 Set command priority
Operation | Command
Set the command priority in a specified view | command-privilege level level view view command
Restore the default command level in a specified view | undo command-privilege view view command

Note: Please do not change the command level at will for it may cause inconvenience of maintenance and operation.

4.2.5 Configure Redirection
I. send command
The following command can be used for sending messages between user interfaces. Perform the following configuration in user view.
Table 4-18 Configure to send messages between different user interfaces
Operation | Command
Configure to send messages between different user interfaces | send { all | number | type number }


II. auto-execute command
The following command configures a command to run automatically after you log in. Once configured, the command is executed automatically every time you log in again. It is usually used to run the telnet command automatically on the terminal, so that the user is connected to a designated device as soon as they log in. Perform the following configuration in user interface view.

Table 4-19 Configure a command to run automatically
  Configure a command to run automatically: auto-execute command text
  Cancel the automatically run command: undo auto-execute command

Note the following points:
  After this command is executed, the user interface can no longer be used to carry out routine configuration of the local system. Use this command with caution.
  Before you use the auto-execute command command and save the configuration, make sure that you will be able to log in to the system in some other way and cancel the configuration.

# Telnet to 10.110.100.1 automatically after the user logs in through VTY 0.
[Quidway-ui-vty0] auto-execute command telnet 10.110.100.1

When a user logs in via VTY 0, the system runs telnet 10.110.100.1 automatically.
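The note on the effective command level (section 4.2.4) and the warning about auto-execute command above both describe configuration state that is worth checking before it is saved. The following Python script is an added example, not part of this manual or of the switch software: it parses a constructed, VRP-style configuration excerpt and reports VTY interfaces whose login level is management (3), command-privilege remappings, and the case where every VTY carries an auto-execute command so that no remote login path is left to cancel it. It assumes that a `user-interface vty 0 4` or `user-interface aux 0` line (the command of section 4.2.1, which is not on this page) opens the user interface view, that the commands from Tables 4-16, 4-17 and 4-19 appear as indented lines under it, and that `#` separates sections; the sample configuration is constructed.

```python
"""Audit the user-interface settings in a Quidway-style running configuration.

Added example, not from the manual or the switch software. Assumes the
VRP-style block syntax 'user-interface vty 0 4' / 'user-interface aux 0'
(section 4.2.1) opens a user interface view whose indented lines carry the
commands from Tables 4-16, 4-17 and 4-19; '#' separates sections.
The configuration below is constructed for illustration.
"""
import re

LEVEL_NAMES = {0: "visit", 1: "monitoring", 2: "configuration", 3: "management"}
DEFAULT_LEVEL = {"aux": 3, "vty": 0}     # defaults stated in section 4.2.4

SAMPLE_CONFIG = """\
#
 sysname Quidway
 command-privilege level 1 view system sysname
#
user-interface aux 0
 user privilege level 3
user-interface vty 0 2
 user privilege level 3
 auto-execute command telnet 10.110.100.1
user-interface vty 3 4
 auto-execute command telnet 10.110.100.1
#
"""

UI_RE = re.compile(r"user-interface (aux|vty) (\d+)(?: (\d+))?$")
LEVEL_RE = re.compile(r"user privilege level (\d)$")
AUTO_RE = re.compile(r"auto-execute command (.+)$")
REMAP_RE = re.compile(r"command-privilege level (\d) view (\S+) (.+)$")


def parse_config(config):
    """Return ({(type, number): {'level': int, 'auto_execute': str|None}},
    [(level, view, command), ...]) from the configuration text."""
    interfaces, remaps, current = {}, [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            current = []                        # '#' closes the current view
            continue
        m = UI_RE.match(line)
        if m:
            kind, first = m.group(1), int(m.group(2))
            last = int(m.group(3)) if m.group(3) else first
            current = [(kind, n) for n in range(first, last + 1)]
            for key in current:
                interfaces.setdefault(key, {"level": DEFAULT_LEVEL[kind], "auto_execute": None})
            continue
        m = LEVEL_RE.match(line)
        if m and current:
            for key in current:
                interfaces[key]["level"] = int(m.group(1))
            continue
        m = AUTO_RE.match(line)
        if m and current:
            for key in current:
                interfaces[key]["auto_execute"] = m.group(1)
            continue
        m = REMAP_RE.match(line)
        if m:
            remaps.append((int(m.group(1)), m.group(2), m.group(3)))
    return interfaces, remaps


def audit(config):
    """List the conditions the notes in sections 4.2.4 and 4.2.5 warn about."""
    interfaces, remaps = parse_config(config)
    findings = []
    for (kind, num), cfg in sorted(interfaces.items()):
        if kind == "vty" and cfg["level"] == 3:
            findings.append(f"vty {num}: login level is 3 ({LEVEL_NAMES[3]}); the VTY default is 0")
    vtys = [cfg for (kind, _), cfg in interfaces.items() if kind == "vty"]
    if vtys and all(cfg["auto_execute"] for cfg in vtys):
        findings.append("every VTY runs an auto-execute command: no remote login is left to cancel it")
    for level, view, command in remaps:
        findings.append(f"'{command}' in {view} view was moved to level {level} ({LEVEL_NAMES[level]})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports three VTY interfaces at management level, the command-privilege remapping, and the fact that all five VTYs are covered by auto-execute command; a configuration that leaves at least one VTY without it, or that keeps the AUX console usable, would not trigger the last finding.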

4.3 Display and Debug User Interface
After the above configuration, execute the display command in any view to display the running user interface configuration and verify the effect of the configuration. Execute the free command in user view to clear a specified user interface.

Table 4-20 Display and debug user interface
  Clear a specified user interface: free user-interface [ type ] number
  Display the user application information of the user interface: display users [ all ]
  Display the physical attributes and some configurations of the user interface: display user-interface [ type number ] [ number ]


HUAWEI

Quidway S3500 Series Ethernet Switches Operation Manual

2. Port

Operation Manual - Port Quidway S3500 Series Ethernet Switches

Table of Contents
Chapter 1 Ethernet Port Configuration
  1.1 Ethernet Port Overview
  1.2 Ethernet Port Configuration
    1.2.1 Enter Ethernet port view
    1.2.2 Enable/Disable Ethernet Port
    1.2.3 Set Description Character String for Ethernet Port
    1.2.4 Set Duplex Attribute of the Ethernet Port
    1.2.5 Set Speed on the Ethernet Port
    1.2.6 Set Cable Type for the Ethernet Port
    1.2.7 Enable/Disable Flow Control for Ethernet Port
    1.2.8 Set Ethernet Port Broadcast Suppression Ratio
    1.2.9 Set link type for Ethernet port
    1.2.10 Add the Ethernet port to Specified VLANs
    1.2.11 Set the Default VLAN ID for the Ethernet Port
    1.2.12 Set the VLAN VPN Feature
    1.2.13 Set loopback detection for the Ethernet port
    1.2.14 Set the Time Interval of Calculating Port Statistics Information
  1.3 Display and Debug Ethernet Port
  1.4 Ethernet Port Configuration Example
  1.5 Ethernet Port Troubleshooting
Chapter 2 Link Aggregation Configuration
  2.1 Link Aggregation Overview
  2.2 Link Aggregation Configuration
    2.2.1 Aggregate Ethernet Ports
  2.3 Display and Debug Link Aggregation
  2.4 Link Aggregation Configuration Example
  2.5 Ethernet Link Aggregation Troubleshooting


Chapter 1 Ethernet Port Configuration
1.1 Ethernet Port Overview
S3526 Ethernet Switch provides 24 fixed 10/100Base-T Ethernet ports and two extended module slots, and supports 1000Base-SX, 1000Base-LX, 1000Base-T, 1000Base-ZX, 1000Base-LX GL and stack modules.

S3526E/S3526C Ethernet Switch provides 24 fixed 10/100Base-T Ethernet ports and two extended module slots, and supports 100Base-FX multi-mode, 100Base-FX single-mode, 1000Base-SX, 1000Base-LX, 1000Base-T, 1000Base-ZX, 1000Base-LX GL and stack modules.

The only difference between S3526 FS and S3526 FM Ethernet Switches is the attributes of the fixed optical ports they provide: S3526 FS Ethernet Switches provide 12 100M single-mode optical ports, while S3526 FM Ethernet Switches provide 12 100M multi-mode optical ports. Each of them also provides four extended module slots. The two extended module slots in the front panel support the 6-port 10/100Base-T module, the 6-port 100Base-FX single-mode module, and the 6-port 100Base-FX multi-mode module. The two extended module slots in the rear panel support 1000Base-SX, 1000Base-LX, 1000Base-T, 1000Base-ZX, 1000Base-LX GL and stack modules.

S3552G Ethernet Switch provides 48 fixed 10/100Base-TX Ethernet ports and four GBIC interface modules. S3552P Ethernet Switch provides 48 fixed 10/100Base-TX Ethernet ports and four SFP interface modules. S3528G Ethernet Switch provides 24 fixed 10/100Base-TX Ethernet ports and four GBIC interface modules. S3528P Ethernet Switch provides 24 fixed 10/100Base-TX Ethernet ports and four SFP interface modules.

S3552F Ethernet Switch provides 6 module slots and four GBIC interface modules. The six slots on the front panel support 8-port 100Base-FX multi-mode modules, 8-port 100Base-FX single-mode modules and 8-port 10/100Base-T modules. The four GBIC module slots accommodate GBIC gigabit modules.

The Ethernet ports of S3500 Series Ethernet Switches have the following features:
  10/100Base-TX Ethernet ports support MDI/MDI-X auto-sensing and can work in half-duplex, full-duplex and auto-negotiation modes. They auto-negotiate the optimal operating mode and speed with the peer, which simplifies system configuration and management.
  100Base-FX single-mode/multi-mode Ethernet ports operate in 100M full-duplex mode. The duplex mode can be configured as full (full duplex) or auto (auto-negotiation), and the speed can be set to 100 (100Mbps) or auto (auto-negotiation).
  For Gigabit Ethernet ports, the duplex mode can be configured as full (full duplex) or auto (auto-negotiation), and the speed can be set to 1000 (1000Mbps) or auto (auto-negotiation).
  For the Gigabit Ethernet ports of S3552G/S3552P/S3528G/S3528P/S3552F, the duplex mode can be configured as full (full duplex), auto (auto-negotiation) or half (half duplex), and the speed can only be 1000 (1000Mbps), which does not need to be configured.
  1000Base-T Ethernet ports of S3526E/S3526C Ethernet switches can operate in 1000M full-duplex, 100M half-duplex/full-duplex, and 10M half-duplex/full-duplex modes.

The configurations of these Ethernet ports are basically the same and are described in the following sections.

1.2 Ethernet Port Configuration
Ethernet port configuration includes:
  Enter Ethernet port view
  Enable/Disable Ethernet port
  Set description character string for Ethernet port
  Set duplex attribute for Ethernet port
  Set speed for Ethernet port
  Set cable type for the Ethernet port
  Enable/Disable flow control for Ethernet port
  Set Ethernet port broadcast suppression ratio
  Set link type for Ethernet port
  Add the Ethernet port to specified VLANs
  Set the default VLAN ID for the Ethernet port
  Set the VLAN VPN feature (supported by S3552G/S3552P/S3528G/S3528P/S3552F Ethernet Switches)
  Set loopback detection for the Ethernet port (supported by S3526/S3526 FS/S3526 FM/S3526E/S3526C Ethernet Switches)
  Set the time interval of calculating port statistics information

1.2.1 Enter Ethernet port view
Before configuring the Ethernet port, enter Ethernet port view first.

Perform the following configuration in system view.

Table 1-1 Enter Ethernet port view
  Enter Ethernet port view: interface { interface_type interface_num | interface_name }

1.2.2 Enable/Disable Ethernet Port
The following command disables or enables the port. After configuring the related parameters and protocols of the port, use the command to enable the port. If you no longer want a port to forward data, use the command to disable it. Perform the following configuration in Ethernet port view.

Table 1-2 Enable/Disable an Ethernet port
  Disable an Ethernet port: shutdown
  Enable an Ethernet port: undo shutdown

By default, the port is enabled.

1.2.3 Set Description Character String for Ethernet Port
To distinguish the Ethernet ports, you can use the following command to give them descriptions. Perform the following configuration in Ethernet port view.

Table 1-3 Set description character string for Ethernet port
  Set the description character string for the Ethernet port: description text
  Delete the description character string of the Ethernet port: undo description

By default, the port description is a null character string.

1.2.4 Set Duplex Attribute of the Ethernet Port
To configure a port to send and receive data packets at the same time, set it to full-duplex. To configure a port to either send or receive data packets at a time, set it to half-duplex. If the port has been set to auto-negotiation mode, the local and peer ports automatically negotiate the duplex mode. Perform the following configuration in Ethernet port view.

Table 1-4 Set duplex attribute for Ethernet port
  Set the duplex attribute of the Ethernet port: duplex { auto | full | half }
  Restore the default duplex attribute of the Ethernet port: undo duplex

Note that the 100M electrical Ethernet port supports full duplex, half duplex and auto-negotiation, which can be set as required. The 100M optical Ethernet port supports full duplex only and can be configured to operate in full (full duplex) or auto (auto-negotiation) mode. The Gigabit Ethernet port can be configured as full (full duplex) or auto (auto-negotiation), with two exceptions:
  (1) For the Gigabit Ethernet ports of S3552G/S3552P/S3528G/S3528P/S3552F, the duplex mode can also be configured as half (half duplex).
  (2) 1000Base-T Ethernet ports of S3526E/S3526C Ethernet switches can operate in full-duplex, half-duplex or auto-negotiation mode. However, if the speed has been set to 1000Mbps, the duplex mode can only be set to full (full duplex) or auto (auto-negotiation).
By default, the port is in auto (auto-negotiation) mode.

1.2.5 Set Speed on the Ethernet Port
You can use the following command to set the speed of the Ethernet port. If the speed is set to auto-negotiation mode, the local and peer ports automatically negotiate the port speed. Perform the following configuration in Ethernet port view.

Table 1-5 Set speed on Ethernet port
  Set 100M Ethernet port speed: speed { 10 | 100 | auto }
  Set Gigabit Ethernet port speed: speed { 10 | 100 | 1000 | auto }
  Restore the default speed of the Ethernet port: undo speed

Note that the 100M electrical Ethernet port supports 10Mbps, 100Mbps and auto-negotiation, which can be set as required. The 100M optical Ethernet port supports 100Mbps only and can be configured to operate at 100 (100Mbps) or auto (auto-negotiation). The Gigabit Ethernet port can be set to 1000 (1000Mbps) or auto (auto-negotiation), with two exceptions:
  (1) For the Gigabit Ethernet ports of S3552G/S3552P/S3528G/S3528P/S3552F, the speed can only be 1000 (1000Mbps), which does not need to be configured.
  (2) 1000Base-T Ethernet ports of S3526E/S3526C Ethernet switches support 10Mbps, 100Mbps and 1000Mbps, which can be selected as required. However, if the duplex mode has been set to half-duplex, the speed cannot be set to 1000Mbps.
By default, the speed of the port is auto.

1.2.6 Set Cable Type for the Ethernet Port
The Ethernet port supports straight-through and cross-over network cables. The following command configures the cable type. Perform the following configuration in Ethernet port view.

Table 1-6 Set the type of the cable connected to the Ethernet port
  Set the type of the cable connected to the Ethernet port: mdi { across | auto | normal }
  Restore the default type of the cable connected to the Ethernet port: undo mdi

Note that the setting only takes effect on 10/100Base-T and 1000Base-T ports. By default, the cable type is auto (auto-recognized), that is, the system automatically recognizes the type of cable connected to the port.

1.2.7 Enable/Disable Flow Control for Ethernet Port
After flow control is enabled on both the local and the peer switch, if congestion occurs in the local switch, it informs its peer to pause packet sending; once the peer switch receives this message, it pauses packet sending, and vice versa. In this way, packet loss is reduced effectively. The flow control function of the Ethernet port is enabled or disabled with the following command. Perform the following configuration in Ethernet port view.

Table 1-7 Enable/Disable flow control for Ethernet port
  Enable Ethernet port flow control: flow-control
  Disable Ethernet port flow control: undo flow-control

By default, Ethernet port flow control is disabled.


1.2.8 Set Ethernet Port Broadcast Suppression Ratio
You can use the following commands to restrict broadcast traffic. Once the broadcast traffic exceeds the value set by the user, the system maintains the configured broadcast ratio by discarding the excess traffic, so as to suppress broadcast storms, avoid congestion and ensure normal service. The parameter is the maximum ratio of the port's wire speed that broadcast traffic is allowed to occupy. The smaller the ratio, the less broadcast traffic is allowed. A ratio of 100% means that no broadcast storm suppression is performed on the port. Perform the following configuration in Ethernet port view.

Table 1-8 Set Ethernet port broadcast suppression ratio
  Set Ethernet port broadcast suppression ratio: broadcast-suppression pct
  Restore the default Ethernet port broadcast suppression ratio: undo broadcast-suppression

By default, 100% broadcast traffic is allowed to pass through, that is, no broadcast suppression will be performed.

1.2.9 Set link type for Ethernet port
An Ethernet port can operate in one of three link types: access, hybrid, and trunk. An access port carries one VLAN only and is used for connecting to a user's computer. A trunk port can belong to more than one VLAN and receive/send packets on multiple VLANs; it is used for connections between switches. A hybrid port can also carry more than one VLAN and receive/send packets on multiple VLANs; it is used for connecting both switches and users' computers. The difference between a hybrid port and a trunk port is that a hybrid port allows the packets of multiple VLANs to be sent without tags, whereas a trunk port only allows the packets of the default VLAN to be sent without tags. Perform the following configuration in Ethernet port view.

Table 1-9 Set link type for Ethernet port
  Configure the port as an access port: port link-type access
  Configure the port as a hybrid port: port link-type hybrid
  Configure the port as a trunk port: port link-type trunk
  Restore the default link type, that is, access port: undo port link-type

You can configure all three types of port concurrently on the same switch, but you cannot switch a port directly between trunk and hybrid. You must first set it as an access port and then set it to the other type. For example, you cannot configure a trunk port directly as a hybrid port; first set it as an access port and then as a hybrid port. By default, the port is an access port.

1.2.10 Add the Ethernet port to Specified VLANs
The following commands add an Ethernet port to a specified VLAN. An access port can only be added to one VLAN, while hybrid and trunk ports can be added to multiple VLANs. Perform the following configuration in Ethernet port view.

Table 1-10 Add the Ethernet port to specified VLANs
  Add the current access port to a specified VLAN: port access vlan vlan_id
  Add the current hybrid port to specified VLANs: port hybrid vlan vlan_id_list { tagged | untagged }
  Add the current trunk port to specified VLANs: port trunk permit vlan { vlan_id_list | all }
  Remove the current access port from the specified VLAN: undo port access vlan
  Remove the current hybrid port from specified VLANs: undo port hybrid vlan vlan_id_list
  Remove the current trunk port from specified VLANs: undo port trunk permit vlan { vlan_id_list | all }

Note that an access port must be added to an existing VLAN other than VLAN 1, the VLAN to which a hybrid port is added must already exist, and a trunk port cannot be added to VLAN 1. After the Ethernet port is added to the specified VLANs, the local port can forward packets of these VLANs. Hybrid and trunk ports can be added to multiple VLANs, which allows VLAN intercommunication between peers. For a hybrid port, you can configure whether the packets of each VLAN are sent tagged, so that the packets can be processed differently.

1.2.11 Set the Default VLAN ID for the Ethernet Port
Since an access port is included in one VLAN only, its default VLAN is the one to which it belongs. A hybrid port or a trunk port can be included in several VLANs, so it is necessary to configure its default VLAN ID. If the default VLAN ID has been configured, packets received without a VLAN tag are forwarded to the ports that belong to the default VLAN. When sending a packet with a VLAN tag, if the VLAN ID of the packet is identical to the default VLAN ID of the port, the system removes the VLAN tag before sending the packet. Perform the following configuration in Ethernet port view.

Table 1-11 Set the default VLAN ID for the Ethernet port
  Set the default VLAN ID for the hybrid port: port hybrid pvid vlan vlan_id
  Set the default VLAN ID for the trunk port: port trunk pvid vlan vlan_id
  Restore the default VLAN ID of the hybrid port to the default value: undo port hybrid pvid
  Restore the default VLAN ID of the trunk port to the default value: undo port trunk pvid

Note that a trunk port and isolate-user-vlan cannot be configured simultaneously, while a hybrid port and isolate-user-vlan can be. However, if the default VLAN has been mapped in isolate-user-vlan, you cannot modify the default VLAN ID until the mapping has been removed. To guarantee proper packet transmission, the default VLAN ID of the local hybrid or trunk port should be identical to that of the hybrid or trunk port on the peer switch. By default, the default VLAN of a hybrid port or trunk port is VLAN 1, and that of an access port is the VLAN to which it belongs.

1.2.12 Set the VLAN VPN Feature
The VLAN tag contains a 12-bit VLAN ID (defined by IEEE 802.1Q), so an Ethernet switch can support up to 4k VLANs. In networking, especially in a MAN (Metropolitan Area Network), a large number of VLANs are required to segment users, and 4k VLANs are not enough. The VLAN VPN feature applies two VLAN tags to a packet, i.e. it marks the packet with another VLAN tag besides the original one, thus providing 4k x 4k VLANs to meet users' demands. At the same time, VLAN VPN uses the original VLAN tag to differentiate users and services, and the new VLAN tag to carry services and VPN users. Through VLAN VPN configuration, Ethernet switches can meet the requirements of a MAN. If VLAN VPN is enabled on a port, all packets (whether or not they already carry a VLAN tag) are given a new tag that specifies the default VLAN of this port. Therefore, packets that already had a VLAN tag end up with two tags, and packets that had no VLAN tag end up with one. Perform the following configuration in Ethernet port view.

Table 1-12 Set the VLAN VPN feature
  Enable the VLAN VPN feature: vlan-vpn enable
  Disable the VLAN VPN feature: undo vlan-vpn

By default, VLAN VPN is disabled on the port. Note that if any of GVRP, GMRP, STP, 802.1x, NTDP and NDP has been enabled on a port, VLAN VPN cannot be enabled on it. Among the S3500 series switches, only the S3552G/S3552P/S3528G/S3528P/S3552F Ethernet Switches support this configuration.
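Sections 1.2.9 through 1.2.12 describe the same frame-handling rules from four angles: which VLANs a port carries, when the tag is stripped on the way out, what happens to untagged frames on the way in, and how VLAN VPN stacks a second tag. The Python model below is an added example, not the switch's own code or anything from this manual: it encodes those rules so that a practitioner can check what a given port configuration will do to a frame before wiring it up, and it returns the manual's membership rules (access port: an existing VLAN other than VLAN 1; hybrid port: an existing VLAN; trunk port: not VLAN 1) as error strings instead of silently accepting a bad configuration. The Port class, the VLAN IDs and the sample ports are all constructed; the 4094 upper bound follows from the 12-bit VLAN ID field the text mentions.

```python
"""Model of how an S3500-style Ethernet port tags and untags frames by link type.

Added example, not the switch's own code. It encodes the rules of sections
1.2.9 to 1.2.12: an access port carries one VLAN and sends it untagged; a trunk
port sends only its default VLAN (PVID) untagged; a hybrid port keeps a
per-VLAN tagged/untagged choice; a VLAN VPN port pushes a second, outer tag
carrying its PVID on every frame it receives. All port and VLAN values are
constructed for illustration.
"""
from dataclasses import dataclass, field

VLAN_MIN, VLAN_MAX = 1, 4094   # 12-bit VLAN ID field (IEEE 802.1Q)


@dataclass
class Port:
    name: str
    link_type: str                              # "access", "hybrid" or "trunk"
    pvid: int = 1                               # default VLAN; for an access port, the VLAN it belongs to
    tagged: set = field(default_factory=set)    # member VLANs sent with a tag
    untagged: set = field(default_factory=set)  # hybrid member VLANs sent untagged
    vlan_vpn: bool = False                      # 'vlan-vpn enable'

    def member_vlans(self):
        """VLANs this port carries; the PVID is always one of them."""
        if self.link_type == "access":
            return {self.pvid}
        return self.tagged | self.untagged | {self.pvid}


def ingress(port, tags):
    """Classify a received frame. `tags` lists the VLAN IDs on the frame, outer tag
    first. Returns the tag list used inside the switch, or None if dropped."""
    if port.vlan_vpn:
        # 1.2.12: tagged or not, every frame gets a new outer tag of the port PVID,
        # so a customer tag survives underneath it (4k x 4k VLANs)
        return [port.pvid] + list(tags)
    if not tags:
        # 1.2.11: untagged frames belong to the default VLAN
        return [port.pvid]
    if tags[0] not in port.member_vlans():
        return None     # port does not carry this VLAN
    return list(tags)


def egress(port, tags):
    """Decide how a frame leaves the port: the tag list as sent on the wire,
    or None when the port does not forward this VLAN."""
    if not tags or tags[0] not in port.member_vlans():
        return None
    vid = tags[0]
    if port.link_type == "access":
        return list(tags[1:])                   # access ports always strip the tag
    if port.link_type == "trunk":
        # 1.2.9 / 1.2.11: only the default VLAN leaves a trunk untagged
        return list(tags[1:]) if vid == port.pvid else list(tags)
    # hybrid: per-VLAN choice made with 'port hybrid vlan ... { tagged | untagged }'
    return list(tags[1:]) if (vid in port.untagged or vid == port.pvid) else list(tags)


def add_to_vlan(port, vid, existing_vlans, tagged=True):
    """Apply the membership rules from the note in 1.2.10.
    Returns None on success, or a string explaining why the switch would refuse."""
    if not VLAN_MIN <= vid <= VLAN_MAX:
        return f"VLAN {vid} is outside the 12-bit VLAN ID range"
    if port.link_type == "access":
        if vid == 1 or vid not in existing_vlans:
            return "an access port must join an existing VLAN other than VLAN 1"
        port.pvid = vid
    elif port.link_type == "hybrid":
        if vid not in existing_vlans:
            return "the VLAN a hybrid port joins must already exist"
        (port.tagged if tagged else port.untagged).add(vid)
    else:
        if vid == 1:
            return "a trunk port cannot be added to VLAN 1"
        port.tagged.add(vid)
    return None


if __name__ == "__main__":
    # Mirrors the example in section 1.4: trunk Ethernet0/18 with PVID 100
    e18 = Port("Ethernet0/18", "trunk", pvid=100, tagged={2, 6, 100})
    print(egress(e18, [100]), egress(e18, [6]), ingress(e18, []))   # [] [6] [100]
```

The model makes the mismatch warned about in section 1.2.11 visible: if the PVID on one end of a trunk differs from the other end, a frame that leaves untagged is reclassified into a different VLAN on arrival, which `ingress` shows as a different first tag. The VLAN VPN branch likewise shows why the feature is restricted to edge ports: the outer tag is applied unconditionally, so any VLAN check happens on the provider tag, not the customer one.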

1.2.13 Set loopback detection for the Ethernet port
The following commands enable port loopback detection and set the detection interval for the external loopback condition of each port. If a looped-back port is found, the switch puts it under control. Perform the following configuration in the corresponding view.

Table 1-13 Set loopback detection for the Ethernet port
  Enable loopback detection on the port (system view/Ethernet port view): loopback-detection enable
  Disable loopback detection on the port (system view/Ethernet port view): undo loopback-detection enable
  Enable the loopback controlled function of trunk and hybrid ports (system view/Ethernet port view): loopback-detection control enable
  Disable the loopback controlled function of trunk and hybrid ports (system view/Ethernet port view): undo loopback-detection control enable
  Set the external loopback detection interval of the port (system view): loopback-detection interval-time time
  Restore the default external loopback detection interval of the port (system view): undo loopback-detection interval-time
  Perform loopback detection on all VLANs of trunk and hybrid ports (Ethernet port view): loopback-detection per-vlan enable
  Perform loopback detection only on the default VLAN of the port (Ethernet port view): undo loopback-detection per-vlan enable

By default, port loopback detection is enabled and the detection interval is 30 seconds. The loopback detection controlled function on trunk and hybrid ports is enabled, and the system performs loopback detection on all VLANs of trunk and hybrid ports. Note that among the S3500 series switches, only the S3526/S3526 FS/S3526 FM/S3526E/S3526C Ethernet Switches support this configuration.


1.2.14 Set the Time Interval of Calculating Port Statistics Information
The following commands configure a time interval. When calculating port statistics, the switch computes the average port speed over this interval. Perform the following configuration in Ethernet port view.

Table 1-14 Set the time interval of calculating port statistics information
  Set the time interval of calculating port statistics information: flow-interval interval
  Restore the default time interval of calculating port statistics information: undo flow-interval

By default, the time interval of calculating port statistics information is 300 seconds.

1.3 Display and Debug Ethernet Port
After the above configuration, execute the display command in any view to display the running Ethernet port configuration and verify the effect of the configuration. Execute the reset command in user view to clear the statistics of the port. Execute the loopback command in Ethernet port view to check whether the Ethernet port works normally; during the loopback test the port cannot forward packets, and the test finishes automatically after running for a while.

Table 1-15 Display and debug Ethernet port
  Perform a loopback test on the Ethernet port: loopback { external | internal }
  Display all the information of the port: display interface { interface_type | interface_type interface_num | interface_name }
  Display hybrid ports or trunk ports: display port { hybrid | trunk }
  Display the state of loopback detection on the port: display loopback-detection
  Clear the statistics of the port: reset counters interface [ interface_type | interface_type interface_num | interface_name ]

Note that the loopback test cannot be performed on a port disabled by the shutdown command. During the loopback test, the system disables the speed, duplex, mdi and shutdown operations on the port. Some ports do not support the loopback test; if you execute this command on such a port, the system displays a prompt. Among the S3500 series switches, only the S3526/S3526 FS/S3526 FM/S3526E/S3526C Ethernet Switches support the display loopback-detection command.


1.4 Ethernet Port Configuration Example
I. Networking requirements
Ethernet Switch (Switch A) is connected to the peer (Switch B) via the trunk port Ethernet0/18. The following example configures the default VLAN ID for the trunk port and verifies the port trunk pvid vlan command. As a typical application of the port trunk pvid vlan command, the trunk port will transmit the packets without tag to the default VLAN.

II. Networking diagram

[Networking diagram: Switch A connected to Switch B via trunk port Ethernet0/18]

Figure 1-1 Configure the default VLAN for a trunk port

III. Configuration procedure
The following configurations are used for Switch A. Configure Switch B in a similar way.

# Enter the Ethernet port view of Ethernet0/18.
[Quidway] interface ethernet0/18
# Set Ethernet0/18 as a trunk port and allow VLAN 2, VLANs 6 through 50, and VLAN 100 to pass through.
[Quidway-Ethernet0/18] port link-type trunk
[Quidway-Ethernet0/18] port trunk permit vlan 2 6 to 50 100
# Create VLAN 100.
[Quidway] vlan 100
# Configure the default VLAN ID of Ethernet0/18 as 100.
[Quidway-Ethernet0/18] port trunk pvid vlan 100

1.5 Ethernet Port Troubleshooting
Fault: Default VLAN ID configuration failed.
Troubleshooting: Execute the display interface or display port command to check whether the port is a trunk port or a hybrid port. If it is neither, configure it as a trunk port or a hybrid port, and then configure the default VLAN ID.


Chapter 2 Link Aggregation Configuration
2.1 Link Aggregation Overview
An S3526 Ethernet Switch supports at most four aggregation groups, each containing a maximum of eight fixed ports or two extended ports. The starting port of an aggregation group can only be Ethernet0/1, Ethernet0/9, Ethernet0/17 or Gigabitethernet1/1, and the port numbers in a group must be consecutive.

An S3526E/S3526C Ethernet Switch supports at most six aggregation groups, each containing a maximum of eight fixed ports or two extended ports. The port numbers in a group must be consecutive, but there is no special restriction on the starting port.

An S3526 FM/S3526 FS Ethernet Switch supports at most four aggregation groups, each containing a maximum of eight ports. The starting port of an aggregation group can only be Ethernet0/1, Ethernet0/9, Ethernet1/5 or Gigabitethernet3/1, and the port numbers of a group on the same slot must be consecutive. If a group contains ports on two slots, the port numbers on each slot and the slot numbers must be consecutive, and the starting port must be the first port on the second slot.

An S3552G/S3552P/S3528G/S3528P/S3552F Ethernet Switch supports at most six aggregation groups of 100M ports or one aggregation group of 1000M ports, each containing a maximum of eight 100M ports or four 1000M ports. The port numbers in a group must be consecutive, but there is no special restriction on the starting port.

In a link aggregation group, the port with the smallest number serves as the master port, and the others serve as member ports. In one link aggregation group, the link type of the master port and the member ports must be identical: the master port and the member ports must all be in trunk mode, or all be in access mode.

2.2 Link Aggregation Configuration
Link aggregation configuration includes: Aggregate Ethernet ports

2.2.1 Aggregate Ethernet Ports
The following command aggregates Ethernet ports or removes a configured link aggregation. Perform the following configuration in system view.

Table 2-1 Aggregate Ethernet ports
  Aggregate Ethernet ports: link-aggregation port_num1 to port_num2 { both | ingress }
  Remove a configured link aggregation: undo link-aggregation { master_port_num | all }

Note that the Ethernet ports to be aggregated cannot work in auto-negotiation mode and must all work in the same mode, which can be 10M_FULL (10Mbps, full duplex), 100M_FULL (100Mbps, full duplex), or 1000M_FULL (1000Mbps, full duplex); otherwise they cannot be aggregated.

2.3 Display and Debug Link Aggregation
After the above configuration, execute the display command in any view to display the running link aggregation configuration and verify the effect of the configuration.

Table 2-2 Display the information of the link aggregation
  Display the information of the link aggregation: display link-aggregation [ master_port_num ]

2.4 Link Aggregation Configuration Example
I. Networking requirements
The following example uses the link aggregation commands to aggregate several ports and balance outgoing and incoming traffic among all the member ports. Link aggregation is typically used for Trunk ports: since a Trunk port allows frames from several VLANs to pass through, the heavy traffic needs to be balanced among all the ports. Switch A is connected to the upstream Switch B through the aggregation of three ports, Ethernet0/1 through Ethernet0/3.


II. Networking diagram
[Figure 2-1 Configure link aggregation: Switch A, Switch B and Switch C, with the link aggregation between Switch A and the upstream Switch B.]

III. Configuration procedure
The following configuration is used for Switch A; configure Switch B in the same way to activate the aggregation.

# Aggregate Ethernet0/1 through Ethernet0/3.
[Quidway] link-aggregation ethernet0/1 to ethernet0/3 both

# Display the information of the link aggregation.
[Quidway] display link-aggregation ethernet0/1
Master port: Ethernet0/1
Other sub-ports: Ethernet0/2 Ethernet0/3
Mode: both

2.5 Ethernet Link Aggregation Troubleshooting
Fault: You might see a configuration failure prompt when configuring link aggregation.
Troubleshooting:

I. For S3526/S3526 FM/S3526 FS Ethernet Switches, take the following steps
1) Check the input parameters: the starting Ethernet port number must be smaller than the end number. If it is, take the next step.
2) Check the input parameters: the starting port must be one of the permitted starting ports for the model (see section 2.1). If it is, take the next step.
3) Check whether any Ethernet port in the configured range already belongs to another link aggregation. If not, take the next step.
4) Check whether the ports to be aggregated operate at the same speed and in full duplex mode. If they do, take the next step.
5) Check that there are no more than eight ports in the group. If all checks pass, configure the link aggregation again.

II. For S3526E/S3526C/S3552G/S3552P/S3528G/S3528P/S3552F Ethernet Switches, take the following steps
1) Check the input parameters: the starting Ethernet port number must be smaller than the end number. If it is, take the next step.
2) Check whether any Ethernet port in the configured range already belongs to another link aggregation. If not, take the next step.
3) Check whether the ports to be aggregated operate at the same speed and in full duplex mode. If they do, take the next step.
4) Check that there are no more than eight ports in the group. If all checks pass, configure the link aggregation again.
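The per-model limits of section 2.1, the working-mode note of section 2.2.1 and the troubleshooting steps above can be run as one pre-flight check before the link-aggregation command is typed. The following Python validator is an added example, not part of the manual or of the switch software; its model table covers only the S3526, S3526E/S3526C and the S3552G 100M-port case, and the port-mode dictionary, the existing-group list and the error strings are this example's own.

```python
import re

# Constructed validator for the S3500 link-aggregation rules in sections 2.1, 2.2.1 and 2.5.
# The model table and the error strings are this example's own, not the switch's output.
PORT_RE = re.compile(r"^(ethernet|gigabitethernet)(\d+)/(\d+)$", re.IGNORECASE)
VALID_MODES = {"10M_FULL", "100M_FULL", "1000M_FULL"}     # auto-negotiation is not allowed

# Per-model limits from section 2.1; start_ports=None means any starting port is allowed.
# Only models whose rules fit one table row are listed (the FM/FS two-slot rule is omitted).
MODEL_RULES = {
    "S3526":  {"max_groups": 4, "max_ports": 8,
               "start_ports": {"ethernet0/1", "ethernet0/9", "ethernet0/17", "gigabitethernet1/1"}},
    "S3526E": {"max_groups": 6, "max_ports": 8, "start_ports": None},
    "S3526C": {"max_groups": 6, "max_ports": 8, "start_ports": None},
    "S3552G": {"max_groups": 6, "max_ports": 8, "start_ports": None},   # 100M-port groups only
}


def parse_port(name):
    """'Ethernet0/9' -> ('ethernet', 0, 9); raises ValueError for anything else."""
    m = PORT_RE.match(name.strip())
    if not m:
        raise ValueError(f"not an Ethernet port name: {name!r}")
    return m.group(1).lower(), int(m.group(2)), int(m.group(3))


def expand_range(first, last):
    """Expand 'port_num1 to port_num2' into the consecutive port names on one slot."""
    k1, s1, a = parse_port(first)
    k2, s2, b = parse_port(last)
    if (k1, s1) != (k2, s2):
        raise ValueError("ports in one group must be of the same type and on the same slot")
    if a >= b:
        raise ValueError("the starting port number must be smaller than the end number")
    return [f"{k1}{s1}/{n}" for n in range(a, b + 1)]


def check_aggregation(model, first, last, port_modes, existing_groups=()):
    """Return the reasons 'link-aggregation first to last' would fail (empty = accepted).

    port_modes maps port name -> working mode, e.g. {"ethernet0/1": "100M_FULL"}; a port
    missing from it is treated as still auto-negotiating. existing_groups holds the port
    names of aggregations already configured on the switch.
    """
    rules = MODEL_RULES[model]
    try:
        ports = expand_range(first, last)
    except ValueError as err:                     # troubleshooting step 1: bad range
        return [str(err)]
    problems = []
    if rules["start_ports"] is not None and ports[0] not in rules["start_ports"]:
        problems.append(f"{ports[0]} is not a permitted starting port on the {model}")
    if len(ports) > rules["max_ports"]:
        problems.append(f"{len(ports)} ports exceed the group maximum of {rules['max_ports']}")
    if len(existing_groups) >= rules["max_groups"]:
        problems.append(f"the {model} already has its maximum of {rules['max_groups']} groups")
    taken = {p.lower() for group in existing_groups for p in group}
    overlap = [p for p in ports if p in taken]
    if overlap:
        problems.append("already in another link aggregation: " + ", ".join(overlap))
    modes = {port_modes.get(p, "AUTO").upper() for p in ports}
    if not modes <= VALID_MODES:
        problems.append("every port must be fixed to 10M_FULL, 100M_FULL or 1000M_FULL "
                        "(no auto-negotiation)")
    elif len(modes) != 1:
        problems.append(f"ports do not share one working mode: {sorted(modes)}")
    return problems
```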

HUAWEI

Quidway S3500 Series Ethernet Switches Operation Manual

3. VLAN

Operation Manual - VLAN Quidway S3500 Series Ethernet Switches

Table of Contents

Chapter 1 VLAN Configuration 1-1
1.1 VLAN Overview 1-1
1.2 Configure VLAN 1-1
1.2.1 Enable/Disable VLAN Feature 1-1
1.2.2 Create/Delete a VLAN 1-2
1.2.3 Add Ethernet Ports to a VLAN 1-2
1.2.4 Set/Delete VLAN or VLAN interface Description Character String 1-3
1.2.5 Specify/Remove VLAN Interface 1-3
1.2.6 Assign/Delete IP Address and Mask for/of a VLAN Interface 1-3
1.2.7 Shut down/Enable VLAN Interface 1-4
1.3 Display and Debug VLAN 1-4
1.4 VLAN Configuration Example 1-4
Chapter 2 Isolate-User-Vlan Configuration 2-1
2.1 Isolate-user-vlan Overview 2-1
2.2 Configure isolate-user-vlan 2-1
2.2.1 Configure isolate-user-vlan 2-1
2.2.2 Configure Secondary VLAN 2-2
2.2.3 Configure to Map isolate-user-vlan to Secondary VLAN 2-2
2.3 Display and Debug isolate-user-vlan 2-3
2.4 isolate-user-vlan Configuration Example 2-3
Chapter 3 GARP/GVRP Configuration 3-1
3.1 Configure GARP 3-1
3.1.1 GARP Overview 3-1
3.1.2 Set GARP Timer 3-2
3.1.3 Display and Debug GARP 3-3
3.2 Configure GVRP 3-3
3.2.1 GVRP Overview 3-3
3.2.2 Enable/Disable Global GVRP 3-4
3.2.3 Enable/Disable Port GVRP 3-4
3.2.4 Set GVRP Registration Type 3-4
3.2.5 Display and Debug GVRP 3-5
3.2.6 GVRP Configuration Example 3-5

Chapter 1 VLAN Configuration

1.1 VLAN Overview
A Virtual Local Area Network (VLAN) groups the devices of a LAN into segments logically rather than physically, to implement virtual workgroups. IEEE issued IEEE 802.1Q in 1999 to standardize VLAN implementations. With VLAN technology, network managers can logically divide a physical LAN into different broadcast domains. Every VLAN contains a group of workstations with the same requirements, and the workstations of a VLAN need not belong to the same physical LAN segment. Broadcast and unicast traffic within a VLAN is not forwarded to other VLANs, which helps control network traffic, save device investment, simplify network management and improve security.

1.2 Configure VLAN
To configure a VLAN, first create the VLAN according to the requirements. The main VLAN configuration tasks are:
- Enable/Disable the VLAN feature (in the S3500 series, supported only on S3526E/S3526C switches)
- Create/Delete a VLAN
- Add Ethernet ports to a VLAN
- Set/Delete the VLAN or VLAN interface description character string
- Specify/Remove a VLAN interface
- Assign/Delete the IP address and mask of a VLAN interface
- Shut down/Enable a VLAN interface

1.2.1 Enable/Disable VLAN Feature
After the VLAN feature is disabled, packets are forwarded by MAC address without VLAN tags being added, so VLAN isolation no longer takes effect. You may still configure an IP address on the default management VLAN interface, VLAN interface 1, and use it for remote management such as Telnet and web management. Use the following command to enable or disable the VLAN feature on a device. Perform the following configuration in system view.


Table 1-1 Enable/Disable VLAN feature
Operation: Enable/Disable the VLAN feature
Command: vlan { enable | disable }

By default, the VLAN feature is enabled on the switch. Note that an error prompt is displayed if you try to create a VLAN after the VLAN feature has been disabled. In the S3500 series, only S3526E/S3526C switches support this configuration.

1.2.2 Create/Delete a VLAN
Use the following command to create or delete a VLAN. Perform the following configuration in system view.

Table 1-2 Create/Delete a VLAN
Operation: Create a VLAN and enter the VLAN view
Command: vlan vlan_id

Operation: Delete the specified VLAN
Command: undo vlan { vlan_id [ to vlan_id ] | all }

If the VLAN to be created exists, enter the VLAN view directly. Otherwise, create the VLAN first, and then enter the VLAN view. vlan_id specifies the VLAN ID. Note that the default VLAN, namely VLAN 1, cannot be deleted.

1.2.3 Add Ethernet Ports to a VLAN
Use the following command to add Ethernet ports to a VLAN. Perform the following configuration in VLAN view.

Table 1-3 Add Ethernet ports to a VLAN
Operation: Add Ethernet ports to a VLAN
Command: port interface_list

Operation: Remove Ethernet ports from a VLAN
Command: undo port interface_list

By default, the system adds all the ports to the default VLAN, whose ID is 1. Note that Trunk and Hybrid ports are added to or removed from a VLAN with the port and undo port commands in Ethernet port view, not in VLAN view.


1.2.4 Set/Delete VLAN or VLAN interface Description Character String
Use the following command to set or delete the VLAN or VLAN interface description character string. Perform the following configuration in VLAN or VLAN interface view.

Table 1-4 Set/Delete VLAN or VLAN interface description character string
Operation: Set the description character string of the VLAN or VLAN interface
Command: description string

Operation: Restore the default description of the current VLAN or VLAN interface
Command: undo description

By default, VLAN description character string is VLAN ID of the VLAN, e.g. VLAN 0001. VLAN interface description character string is the VLAN interface name, e.g. Vlan-interface1 Interface.

1.2.5 Specify/Remove VLAN Interface
Use the following command to specify or remove a VLAN interface. Perform the following configuration in system view.

Table 1-5 Specify/Remove VLAN interface
Operation: Create a new VLAN interface and enter VLAN interface view
Command: interface vlan-interface vlan_id

Operation: Remove the specified VLAN interface
Command: undo interface vlan-interface vlan_id

Create the VLAN before creating an interface for it. For this configuration task, vlan_id is the ID of that VLAN.

1.2.6 Assign/Delete IP Address and Mask for/of a VLAN Interface
To implement network layer functions on a VLAN interface, the VLAN interface must be assigned an IP address and mask. Use the following command to set or delete the IP address and mask of a VLAN interface. Generally one IP address per interface is enough, but you can also configure as many as 10 IP addresses on an interface so that it connects to several subnets. One of these IP addresses is the primary address and all the others are secondary. Perform the following configuration in VLAN interface view.


Table 1-6 Assign/Delete IP address and mask for/of a VLAN interface
Operation: Assign the IP address and mask of a VLAN interface
Command: ip address ip-address net-mask [ sub ]

Operation: Delete the IP address and mask of a VLAN interface
Command: undo ip address [ ip-address net-mask [ sub ] ]

1.2.7 Shut down/Enable VLAN Interface
Use the following command to shut down or enable a VLAN interface. Perform the following configuration in VLAN interface view.

Table 1-7 Shut down/Enable VLAN interface
Operation: Shut down the VLAN interface
Command: shutdown

Operation: Enable the VLAN interface
Command: undo shutdown

The operation of shutting down or enabling the VLAN interface has no effect on the UP/DOWN status of the Ethernet ports on the local VLAN. By default, when all the Ethernet ports belonging to a VLAN are in DOWN status, this VLAN interface is also DOWN, i.e. this VLAN interface is shut down. When there is one or more Ethernet ports in UP status, this VLAN interface is also UP, i.e. this VLAN interface is enabled.

1.3 Display and Debug VLAN
After the above configuration, execute the display command in any view to display the running VLAN configuration and verify the effect of the configuration.

Table 1-8 Display and debug VLAN
Operation: Display the related information about a VLAN interface
Command: display interface vlan-interface [ vlan_id ]

Operation: Display the related information about VLANs
Command: display vlan [ vlan_id | all | static | dynamic ]

1.4 VLAN Configuration Example
I. Networking requirements
Create VLAN2 and VLAN3. Add Ethernet port 0/1 and Ethernet port 0/2 to VLAN2 and add Ethernet 0/3 and Ethernet 0/4 to VLAN3.


II. Networking diagram
[Figure 1-1 VLAN configuration example: one switch with ports E0/1 and E0/2 in VLAN2 and ports E0/3 and E0/4 in VLAN3.]

III. Configuration procedure
# Create VLAN 2 and enter its view.
[Quidway] vlan 2
# Add Ethernet 0/1 and Ethernet 0/2 to VLAN2.
[Quidway-vlan2] port ethernet 0/1 to ethernet 0/2
# Create VLAN 3 and enter its view.
[Quidway-vlan2] vlan 3
# Add Ethernet 0/3 and Ethernet 0/4 to VLAN3.
[Quidway-vlan3] port ethernet0/3 to ethernet 0/4

Chapter 2 Isolate-User-Vlan Configuration

2.1 Isolate-user-vlan Overview
Isolate-user-vlan is a new feature of the Ethernet Switches launched by Huawei Technologies Co., Ltd. that saves VLAN resources. It adopts the Layer-2 VLAN architecture: on an Ethernet Switch you configure an isolate-user-vlan and its Secondary VLANs. One isolate-user-vlan corresponds to several Secondary VLANs, and it includes all the ports of the corresponding Secondary VLANs together with the Uplink ports. In this way an upstream switch only needs to recognize the isolate-user-vlan of the downstream switch and can ignore the Secondary VLANs, which streamlines the configuration and saves VLAN resources. You can use isolate-user-vlan to isolate Layer-2 packets by assigning each user a Secondary VLAN that includes only the ports connected to that user and the Uplink ports. You can also put the ports connected to different users into one Secondary VLAN to allow Layer-2 communication between them.

2.2 Configure isolate-user-vlan
Isolate-user-vlan configuration includes:
- Configure isolate-user-vlan
- Configure Secondary VLAN
- Configure to map isolate-user-vlan to Secondary VLAN
All of the tasks above are required once you enable isolate-user-vlan.

2.2.1 Configure isolate-user-vlan
You can use the following commands to create an isolate-user-vlan for an Ethernet switch and add new ports to it. Create a VLAN in system view, configure it as an isolate-user-vlan and add new ports to it in VLAN view.


Table 2-1 Configure isolate-user-vlan
Operation: Create a VLAN
Command: vlan vlan-id

Operation: Configure the VLAN as an isolate-user-vlan
Command: isolate-user-vlan enable

Operation: Cancel the configuration of the VLAN as an isolate-user-vlan
Command: undo isolate-user-vlan enable

Operation: Add new ports to the isolate-user-vlan
Command: port interface-list

An Ethernet switch can have several isolate-user-vlans, each of which can include more than one port. An isolate-user-vlan cannot be configured together with a Trunk port: you cannot configure a Trunk port on an Ethernet switch already configured with an isolate-user-vlan, and vice versa. In addition, the Uplink port must be added to the isolate-user-vlan.

2.2.2 Configure Secondary VLAN
Use the following commands to create a Secondary VLAN and add new ports to it. Create the Secondary VLAN in system view and add new ports to it in VLAN view.

Table 2-2 Configure Secondary VLAN
Operation: Create a Secondary VLAN
Command: vlan vlan-id

Operation: Add new ports to the Secondary VLAN
Command: port interface-list

You can add more than one port (other than Uplink ports) to a Secondary VLAN.

2.2.3 Configure to Map isolate-user-vlan to Secondary VLAN
Use the following command to map the isolate-user-vlan to its Secondary VLANs. Perform the following configuration in system view.

Table 2-3 Configure to map isolate-user-vlan to Secondary VLAN
Operation: Map the isolate-user-vlan to Secondary VLANs
Command: isolate-user-vlan isolate-user-vlan_num secondary secondary_vlan_numlist [ to secondary_vlan_numlist ]

Operation: Cancel the mapping of the isolate-user-vlan to Secondary VLANs
Command: undo isolate-user-vlan isolate-user-vlan_num [ secondary secondary_vlan_numlist [ to secondary_vlan_numlist ] ]


Note that before you execute this command, the isolate-user-vlan and the Secondary VLANs must already have ports. You can map an isolate-user-vlan to no more than 30 Secondary VLANs. After the mapping is configured, the system does not allow you to add or remove ports to or from the isolate-user-vlan or the Secondary VLANs, or to remove one of these VLANs; you can perform these operations only after removing the mapping. Without the secondary secondary_vlan_numlist parameter, the undo isolate-user-vlan command removes the mapping between the specified isolate-user-vlan and all its Secondary VLANs; with it, only the mapping to the specified Secondary VLANs is removed.

2.3 Display and Debug isolate-user-vlan
After the above configuration, execute the display command in any view to display the running isolate-user-vlan configuration and verify the effect of the configuration.

Table 2-4 Display and debug isolate-user-vlan
Operation: Display the mapping between the isolate-user-vlan and its Secondary VLANs
Command: display isolate-user-vlan [ isolate-user-vlan_num ]

2.4 isolate-user-vlan Configuration Example
I. Networking requirements
Switch A is connected to Switch B and Switch C in the downstream. VLAN5 on Switch B is the isolate-user-vlan; it includes the Uplink port Ethernet1/1 and two Secondary VLANs, VLAN2 and VLAN3, where VLAN3 includes Ethernet0/1 and VLAN2 includes Ethernet0/2. VLAN6 on Switch C is the isolate-user-vlan; it includes the Uplink port Ethernet1/1 and two Secondary VLANs, VLAN3 and VLAN4, where VLAN3 includes Ethernet0/3 and VLAN4 includes Ethernet0/4. Seen from Switch A, Switch B and Switch C each carry one VLAN, VLAN 5 and VLAN 6 respectively.


II. Networking diagram
[Figure 2-1 isolate-user-vlan configuration example: Switch A carries vlan 5 and vlan 6; Switch B (uplink E1/1) has E0/1 in vlan 3 and E0/2 in vlan 2; Switch C (uplink E1/1) has E0/3 in vlan 3 and E0/4 in vlan 4.]

III. Configuration procedure
Only the configuration procedure of Switch B and Switch C is listed here.

Configure Switch B:
# Configure the isolate-user-vlan.
[Quidway] vlan 5
[Quidway-vlan5] isolate-user-vlan enable
[Quidway-vlan5] port ethernet1/1
# Configure the Secondary VLANs.
[Quidway-vlan5] vlan 3
[Quidway-vlan3] port ethernet0/1
[Quidway-vlan3] vlan 2
[Quidway-vlan2] port ethernet0/2
# Map the isolate-user-vlan to the Secondary VLANs.
[Quidway-vlan2] quit
[Quidway] isolate-user-vlan 5 secondary 2 to 3

Configure Switch C:
# Configure the isolate-user-vlan.
[Quidway] vlan 6
[Quidway-vlan6] isolate-user-vlan enable
[Quidway-vlan6] port ethernet1/1
# Configure the Secondary VLANs.
[Quidway-vlan6] vlan 3
[Quidway-vlan3] port ethernet0/3
[Quidway-vlan3] vlan 4
[Quidway-vlan4] port ethernet0/4
# Map the isolate-user-vlan to the Secondary VLANs.
[Quidway-vlan4] quit
[Quidway] isolate-user-vlan 6 secondary 3 to 4

Chapter 3 GARP/GVRP Configuration

3.1 Configure GARP
3.1.1 GARP Overview
Generic Attribute Registration Protocol (GARP) offers a mechanism used by the members of one switching network to distribute, propagate and register information such as VLANs and multicast addresses.

GARP does not exist in a switch as an entity. A GARP participant is called a GARP application; the main GARP applications at present are GVRP and GMRP. GVRP is described in the GVRP Configuration section and GMRP in Multicast Configuration. When a GARP participant is on a port of the switch, each port corresponds to a GARP participant.

Through the GARP mechanism, the configuration information of one GARP member is advertised rapidly throughout the switching network. A GARP member can be a terminal workstation or a bridge. A GARP member can notify other members to register or remove its attribute information by sending declarations or withdrawal declarations, and it can register or remove the attribute information of other GARP members according to the declarations and withdrawal declarations it receives.

GARP members exchange information by sending messages. There are mainly three types of GARP messages: Join, Leave and LeaveAll. When a GARP participant wants to register its attribute information on other switches, it sends a Join message. When it wants to remove some attribute values from other switches, it sends a Leave message. A LeaveAll timer is started when each GARP participant is enabled, and a LeaveAll message is sent when it expires. Join and Leave messages together ensure the deregistration and re-registration of an attribute. By exchanging messages, all the attribute information to be registered can be propagated to all the switches in the same switching network.

The destination MAC addresses of the packets of GARP participants are specific multicast MAC addresses. A GARP-supporting switch classifies the packets received from GARP participants and processes them with the corresponding GARP application (GVRP or GMRP). GARP and GMRP are described in detail in the IEEE 802.1p standard (which has been incorporated into the IEEE 802.1D standard). Quidway Series Ethernet Switches fully support GARP as defined by the IEEE standards.

Main GARP configuration includes:
- Set GARP timer

Note:
1) The value of a GARP timer is used by all the GARP applications, including GVRP and GMRP, running in one switching network.
2) In one switching network, the GARP timers on all the switching devices should be set to the same values. Otherwise, the GARP applications cannot work normally.

3.1.2 Set GARP Timer
GARP timers include the Hold timer, Join timer, Leave timer and LeaveAll timer.

The GARP participant sends a Join message each time the Join timer expires, so that other GARP participants can register its attribute values.

When the GARP participant wants to remove some attribute values, it sends a Leave message. A GARP participant receiving it starts the Leave timer; if no Join message for those attributes is received before the Leave timer expires, the GARP attribute values are removed.

The LeaveAll timer is started as soon as the GARP participant is enabled. A LeaveAll message is sent when it expires, so that other GARP participants remove all the attribute values of this participant. The LeaveAll timer is then restarted and a new cycle begins.

When the switch receives GARP registration information, it does not send a Join message immediately. Instead, it starts the Hold timer and sends the Join message when the Hold timer expires. In this way, all the VLAN registration information received within the Hold timer interval can be sent in one frame, saving bandwidth.

Configure the Hold timer, Join timer and Leave timer in Ethernet port view. Configure the LeaveAll timer in system view.

Table 3-1 Set GARP timer
Operation: Set the GARP Hold timer, Join timer and Leave timer
Command: garp timer { hold | join | leave } timer_value

Operation: Set the GARP LeaveAll timer
Command: garp timer leaveall timer_value

Operation: Restore the default GARP Hold timer, Join timer and Leave timer settings
Command: undo garp timer { hold | join | leave }

Operation: Restore the default GARP LeaveAll timer setting
Command: undo garp timer leaveall


Note that the value of the Join timer must be no less than twice the Hold timer, and the value of the Leave timer must be greater than twice the Join timer and smaller than the LeaveAll timer. Otherwise, the system displays an error message. By default, the Hold timer is 10 centiseconds, the Join timer is 20 centiseconds, the Leave timer is 60 centiseconds, and the LeaveAll timer is 1000 centiseconds.
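The timer relationships just stated, together with the note in section 3.1 that all switches in one switching network must use the same timer values, can be checked before the garp timer commands are typed. The following Python checker is an added example, not part of the manual or the switch software; the per-switch dictionaries are constructed input and the messages are this example's own.

```python
# Constructed checker for the GARP timer rules in section 3.1.2 and the note in section 3.1
# that every switch in one switching network must use the same timer values.
# Timer values are in centiseconds, as on the switch; the defaults are the manual's.
DEFAULT_GARP_TIMERS = {"hold": 10, "join": 20, "leave": 60, "leaveall": 1000}


def garp_timer_errors(timers):
    """Return the rule violations for one switch (empty list = the settings are accepted).

    timers holds only the values that were changed with 'garp timer ...'; the rest keep
    their defaults, as they do on the switch.
    """
    t = {**DEFAULT_GARP_TIMERS, **timers}
    errors = []
    if t["join"] < 2 * t["hold"]:
        errors.append(f"join ({t['join']}) must be at least twice hold ({t['hold']})")
    if t["leave"] <= 2 * t["join"]:
        errors.append(f"leave ({t['leave']}) must be greater than twice join ({t['join']})")
    if t["leave"] >= t["leaveall"]:
        errors.append(f"leave ({t['leave']}) must be smaller than leaveall ({t['leaveall']})")
    return errors


def network_timer_mismatches(switches):
    """switches maps switch name -> its changed timers. Return {timer: {switch: value}}
    for every timer whose effective value is not identical on all switches."""
    mismatches = {}
    for name in DEFAULT_GARP_TIMERS:
        values = {sw: {**DEFAULT_GARP_TIMERS, **cfg}[name] for sw, cfg in switches.items()}
        if len(set(values.values())) > 1:
            mismatches[name] = values
    return mismatches


def audit_network(switches):
    """Per-switch rule violations plus the cross-switch mismatches, in one report."""
    per_switch = {sw: garp_timer_errors(cfg) for sw, cfg in switches.items()}
    return {"per_switch": {sw: errs for sw, errs in per_switch.items() if errs},
            "mismatches": network_timer_mismatches(switches)}
```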

3.1.3 Display and Debug GARP
After the above configuration, execute the display command in any view to display the running GARP configuration and verify the effect of the configuration. Execute the reset command in user view to reset GARP statistics. Execute the debugging command in user view to debug GARP.

Table 3-2 Display and debug GARP
Operation: Display GARP statistics information
Command: display garp statistics [ interface interface-list ]

Operation: Display GARP timers
Command: display garp timer [ interface interface-list ]

Operation: Clear GARP statistics information
Command: reset garp statistics [ interface interface-list ]

Operation: Enable GARP event debugging
Command: debugging garp event

Operation: Disable GARP event debugging
Command: undo debugging garp event

3.2 Configure GVRP
3.2.1 GVRP Overview
GARP VLAN Registration Protocol (GVRP) is a GARP application. Based on the GARP operating mechanism, GVRP maintains the dynamic VLAN registration information in the switch and propagates that information to other switches. All GVRP-supporting switches can receive VLAN registration information from other switches and dynamically update their local VLAN registration information, including the active members and the port through which each member can be reached. All GVRP-supporting switches can propagate their local VLAN registration information to other switches, so that the VLAN information is consistent on all GVRP-supporting devices in one switching network. The VLAN registration information propagated by GVRP includes both the local static registration information configured manually and the dynamic registration information learned from other switches.

GVRP is described in detail in the IEEE 802.1Q standard. Quidway Series Ethernet Switches fully support the GARP compliant with the IEEE standards.

Main GVRP configuration includes:
- Enable/Disable global GVRP
- Enable/Disable port GVRP
- Set GVRP registration type

In the above configuration tasks, GVRP must be enabled globally before it is enabled on a port. The GVRP registration type can only take effect after port GVRP is enabled. In addition, GVRP must be configured on a Trunk port.

3.2.2 Enable/Disable Global GVRP
Use the following command to enable or disable global GVRP. Perform the following configuration in system view.

Table 3-3 Enable/Disable global GVRP
Operation: Enable global GVRP
Command: gvrp

Operation: Disable global GVRP
Command: undo gvrp

By default, global GVRP is disabled.

3.2.3 Enable/Disable Port GVRP
Use the following command to enable or disable GVRP on a port. Perform the following configuration in Ethernet port view.

Table 3-4 Enable/Disable port GVRP
Operation: Enable port GVRP
Command: gvrp

Operation: Disable port GVRP
Command: undo gvrp

GVRP should be enabled globally before it is enabled on the port. The GVRP can only be enabled/disabled on Trunk port. By default, port GVRP is disabled.

3.2.4 Set GVRP Registration Type
The GVRP registration types include Normal, Fixed and Forbidden (see IEEE 802.1Q).

When an Ethernet port is set to Normal registration mode, dynamic and manual creation, registration and deregistration of VLANs are allowed on this port.

When a Trunk port is set to Fixed, the system adds the port to a static VLAN when that VLAN is created on the switch and the Trunk port allows the VLAN to pass, and GVRP adds the VLAN entry to the local GVRP database (a linked table maintained by GVRP). However, GVRP cannot learn dynamic VLANs through this port, and dynamic VLANs learned from other ports of the local switch cannot be declared to the outside through this port.

When an Ethernet port is set to Forbidden registration mode, all VLANs except VLAN 1 are deregistered on the port and no other VLANs can be created or registered on it.

Perform the following configuration in Ethernet port view.

Table 3-5 Set GVRP registration type
Operation: Set the GVRP registration type
Command: gvrp registration { normal | fixed | forbidden }

Operation: Restore the default GVRP registration type
Command: undo gvrp registration

By default, GVRP registration type is normal.

3.2.5 Display and Debug GVRP
After the above configuration, execute the display command in any view to display the running GVRP configuration and verify the effect of the configuration. Execute the debugging command in user view to debug GVRP.

Table 3-6 Display and debug GVRP
Operation: Display GVRP statistics information
Command: display gvrp statistics [ interface interface-list ]

Operation: Display GVRP global status information
Command: display gvrp status

Operation: Enable GVRP packet or event debugging
Command: debugging gvrp { packet | event }

Operation: Disable GVRP packet or event debugging
Command: undo debugging gvrp { packet | event }

3.2.6 GVRP Configuration Example
I. Networking requirements
To dynamically register and update VLAN information among switches, GVRP needs to be enabled on the switches.


II. Networking diagram
[Figure 3-1 GVRP configuration example: port E0/10 of Switch A is connected to port E0/11 of Switch B.]

III. Configuration procedure
Configure Switch A:
# Enable GVRP globally.
[Quidway] gvrp
# Set Ethernet0/10 as a Trunk port and allow all VLANs to pass through.
[Quidway] interface ethernet0/10
[Quidway-Ethernet0/10] port link-type trunk
[Quidway-Ethernet0/10] port trunk permit vlan all
# Enable GVRP on the Trunk port.
[Quidway-Ethernet0/10] gvrp

Configure Switch B:
# Enable GVRP globally.
[Quidway] gvrp
# Set Ethernet0/11 as a Trunk port and allow all VLANs to pass through.
[Quidway] interface ethernet0/11
[Quidway-Ethernet0/11] port link-type trunk
[Quidway-Ethernet0/11] port trunk permit vlan all
# Enable GVRP on the Trunk port.
[Quidway-Ethernet0/11] gvrp

HUAWEI

Quidway S3500 Series Ethernet Switches Operation Manual

4. Network Protocol

Operation Manual - Network Protocol Quidway S3500 Series Ethernet Switches

Table of Contents

Chapter 1 IP Address Configuration   1-1
1.1 IP Address Overview   1-1
1.1.1 IP Address Classification and Indications   1-1
1.1.2 Subnet and Mask   1-2
1.2 Configure IP Address   1-3
1.2.1 Configure Hostname and Host IP Address   1-3
1.2.2 Configure IP Address of the VLAN Interface   1-4
1.3 Display and debug IP Address   1-4
1.4 IP Address Configuration Example   1-4
1.5 Troubleshoot IP Address Configuration   1-5
Chapter 2 ARP Configuration   2-1
2.1 Introduction to ARP   2-1
2.2 Configure ARP   2-2
2.2.1 Manually Add/Delete Static ARP Mapping Entries   2-2
2.2.2 Configure ARP Timed Probing Function   2-2
2.2.3 Configure the Dynamic ARP Aging Timer   2-3
2.2.4 Configure ARP Source Address Suppression   2-3
2.3 Display and debug ARP   2-4
Chapter 3 DHCP Relay Configuration   3-1
3.1 Brief Introduction to DHCP Relay   3-1
3.2 Configure DHCP Relay   3-2
3.2.1 Configure IP Address of a DHCP Server   3-2
3.2.2 Configure Corresponding DHCP Server Group of the VLAN Interface   3-3
3.2.3 Configure the Address Table Entry   3-3
3.2.4 Enable/Disable DHCP security features   3-4
3.2.5 Enable/Disable DHCP pseudo-server detection   3-4
3.3 Display and debug DHCP Relay   3-5
3.4 DHCP Relay Configuration Example   3-5
3.5 Troubleshoot DHCP Relay Configuration   3-6
Chapter 4 DHCP Configuration   4-1
4.1 DHCP Overview   4-1
4.1.1 DHCP Fundamentals   4-1
4.1.2 DHCP Relay   4-4
4.2 DHCP Public Configuration   4-4
4.2.1 Enable/Disable the DHCP Service   4-5
4.2.2 Define DHCP Message Handling Method   4-5
4.2.3 Enable/Disable Pseudo-DHCP Server Detection   4-6
4.3 DHCP Server Configuration   4-6
4.3.1 Create Global DHCP Address Pool   4-7
4.3.2 Configure Address Allocation Method for a DHCP Address Pool   4-8
4.3.3 Configure IP Addresses Forbidden in Automatic Allocation   4-9
4.3.4 Configure IP Address Lease Duration for a DHCP Address Pool   4-10
4.3.5 Configure DHCP Client Domain Name   4-11
4.3.6 Configure DNS Server Addresses for DHCP Clients   4-12
4.3.7 Configure NetBIOS Server Addresses for DHCP Clients   4-13
4.3.8 Define NetBIOS Node Type of DHCP Clients   4-14
4.3.9 Configure a DHCP Option   4-15
4.3.10 Configure IP Addresses of Egress Gateways for DHCP clients   4-16
4.3.11 Configure the Ping Mechanism on DHCP Server   4-17
4.4 DHCP Relay Configuration   4-18
4.4.1 Configure the DHCP Servers to Which the Received Packets Are Relayed   4-18
4.4.2 Distribute Load among DHCP Servers   4-19
4.4.3 Release Client IP Address through DHCP Relay   4-19
4.4.4 Configure Address Map Entry for Security Check   4-19
4.4.5 Enable/Disable DHCP Security Feature on VLAN Interface   4-20
4.5 Display and Debug DHCP   4-20
4.6 DHCP Configuration Example   4-21
4.6.1 DHCP Server Configuration Example   4-21
4.6.2 DHCP Relay Configuration Example   4-23
4.7 DHCP Troubleshooting   4-24
Chapter 5 Access Management Configuration   5-1
5.1 Access Management Overview   5-1
5.2 Configure Access Management   5-2
5.2.1 Enable Access Management Function   5-2
5.2.2 Configure the Access IP Address Pool Based on the Physical Port   5-3
5.2.3 Configure Layer 2 Isolation between Ports   5-3
5.2.4 Configure Port, IP Address and MAC Address Binding   5-3
5.2.5 Enable/Disable Access Management Trap   5-4
5.3 Display and debug Access Management   5-5
5.4 Access Management Configuration Example   5-5
Chapter 6 IP Performance Configuration   6-1
6.1 IP Performance Configuration   6-1
6.1.1 Configure TCP Attributes   6-1
6.2 Display and debug IP Performance   6-2
6.3 Troubleshoot IP Performance   6-2

Chapter 1 IP Address Configuration
1.1 IP Address Overview
1.1.1 IP Address Classification and Indications
An IP address is a 32-bit address allocated to a device that accesses the Internet. It consists of two fields: the net-id field and the host-id field. There are five classes of IP address, shown in the following figure.

Figure 1-1 layout (recovered from the figure), bit positions 0 to 31:

Class A: 0         | net-id | host-id
Class B: 1 0       | net-id | host-id
Class C: 1 1 0     | net-id | host-id
Class D: 1 1 1 0   | multicast address
Class E: 1 1 1 1 0 | reserved address

Figure 1-1 Five classes of IP address

Class A, Class B and Class C are unicast addresses, Class D addresses are multicast addresses, and Class E addresses are reserved for special applications in the future. The first three classes are the commonly used ones. An IP address is written in dotted decimal notation: four integers, each corresponding to one byte, separated by dots, e.g. 10.110.50.101. When using IP addresses, note that some of them are reserved for special uses and are seldom used. The IP addresses you can use are listed in the following table.

Table 1-1 IP address classes and ranges

Network class: A
  Address range: 0.0.0.0 to 127.255.255.255
  IP network range: 1.0.0.0 to 126.0.0.0
  Note: A host ID with all bits 0 means the IP address is the network address, used for network routing. A host ID with all bits 1 is the broadcast address, i.e. a broadcast to all hosts on the network. The IP address 0.0.0.0 is used by a host that has not yet been put into use after starting up. An address whose network number is 0 indicates the current network, so its network can be referred to by the router without knowing the network number. A network ID of the form 127.X.Y.Z is reserved for loopback tests; packets sent to such an address are not output to the line but are processed internally and regarded as input packets.

Network class: B
  Address range: 128.0.0.0 to 191.255.255.255
  IP network range: 128.0.0.0 to 191.254.0.0
  Note: A host ID with all bits 0 means the IP address is the network address, used for network routing. A host ID with all bits 1 is the broadcast address, i.e. a broadcast to all hosts on the network.

Network class: C
  Address range: 192.0.0.0 to 223.255.255.255
  IP network range: 192.0.0.0 to 223.255.254.0
  Note: A host ID with all bits 0 means the IP address is the network address, used for network routing. A host ID with all bits 1 is the broadcast address, i.e. a broadcast to all hosts on the network.

Network class: D
  Address range: 224.0.0.0 to 239.255.255.255
  IP network range: None
  Note: Class D addresses are multicast addresses.

Network class: E
  Address range: 240.0.0.0 to 255.255.255.254
  IP network range: None
  Note: These addresses are reserved for future use.

Other addresses
  Address range: 255.255.255.255
  IP network range: 255.255.255.255
  Note: 255.255.255.255 is used as the LAN broadcast address.

1.1.2 Subnet and Mask
Nowadays, with the rapid development of the Internet, IP addresses are being depleted very fast, and the traditional IP address allocation method wastes them greatly. To make full use of the available IP addresses, the concepts of mask and subnet were introduced. A mask is a 32-bit number corresponding to an IP address and consisting of 1s and 0s. In principle these 1s and 0s could be combined arbitrarily, but in practice a mask is designed so that its leading bits are consecutive 1s. The mask divides the IP address into two parts: the subnet address and the host address. The address bits that correspond to 1s in the mask form the subnet address, and the remaining bits form the host address. If there is no subnet division, the subnet mask takes its default value, whose run of 1s is as long as the net-id. Therefore, for IP addresses of classes A, B and C, the default subnet masks are 255.0.0.0, 255.255.0.0 and 255.255.255.0 respectively.

The mask can be used to divide a Class A network containing more than 16,000,000 hosts, or a Class B network containing more than 60,000 hosts, into multiple small networks. Each small network is called a subnet. For example, for the Class B network address 202.38.0.0, the mask 255.255.224.0 can be used to divide the network into 8 subnets: 202.38.0.0, 202.38.32.0, 202.38.64.0, 202.38.96.0, 202.38.128.0, 202.38.160.0, 202.38.192.0 and 202.38.224.0 (refer to the following figure). Each subnet can contain more than 8000 hosts.
Figure 1-2 layout (recovered from the figure):

Class B 202.38.0.0 with the standard mask 255.255.0.0:
  address   11001010, 00100110, 00000000, 00000000
  mask      11111111, 11111111, 00000000, 00000000

Subnet mask 255.255.224.0:
  mask      11111111, 11111111, 11100000, 00000000
  The three bits following the net-id are the subnet number; the remaining bits are the host number.

Subnet number -> subnet address:
  000 -> 202.38.0.0     001 -> 202.38.32.0    010 -> 202.38.64.0    011 -> 202.38.96.0
  100 -> 202.38.128.0   101 -> 202.38.160.0   110 -> 202.38.192.0   111 -> 202.38.224.0
Figure 1-2 Subnet division of IP address
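As an added example (not part of the manual and not the switch's own software), the following Python script applies the class ranges of Table 1-1 and the subnet division of Figure 1-2: it classifies an address from the leading bits of its first octet, derives the default mask, flags the reserved cases from the Note column, and lists the subnets obtained when the standard mask of 202.38.0.0 is extended to 255.255.224.0. It goes beyond the page's single case in that subnets() and hosts_per_subnet() work for any network and mask pair. All function names are my own.

```python
# Added example (not from the Quidway manual): IPv4 class, default mask,
# reserved-address checks and subnet division using the standard library.
import ipaddress
from typing import List, Optional

DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def ip_class(addr: str) -> str:
    """Return 'A'..'E' from the leading bits of the first octet (Figure 1-1)."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first & 0x80 == 0:          # 0xxxxxxx  -> 0.0.0.0 to 127.255.255.255
        return "A"
    if first & 0xC0 == 0x80:       # 10xxxxxx  -> 128.0.0.0 to 191.255.255.255
        return "B"
    if first & 0xE0 == 0xC0:       # 110xxxxx  -> 192.0.0.0 to 223.255.255.255
        return "C"
    if first & 0xF0 == 0xE0:       # 1110xxxx  -> multicast
        return "D"
    return "E"                     # 1111xxxx  -> reserved


def default_mask(addr: str) -> Optional[str]:
    """Classful mask for the unicast classes; None for D and E (no host part)."""
    return DEFAULT_MASK.get(ip_class(addr))


def special_address(addr: str) -> Optional[str]:
    """Name the reserved cases listed in the Note column of Table 1-1, else None."""
    a = ipaddress.IPv4Address(addr)
    if a == ipaddress.IPv4Address("0.0.0.0"):
        return "unassigned host (0.0.0.0)"
    if a == ipaddress.IPv4Address("255.255.255.255"):
        return "LAN broadcast"
    if (int(a) >> 24) == 127:
        return "loopback (127.X.Y.Z)"
    mask = default_mask(addr)
    if mask is None:
        return None
    net = ipaddress.IPv4Network((addr, mask), strict=False)
    if a == net.network_address:
        return "network address (host-id all 0)"
    if a == net.broadcast_address:
        return "directed broadcast (host-id all 1)"
    return None


def subnets(network: str, standard_mask: str, subnet_mask: str) -> List[str]:
    """Subnet addresses obtained by lengthening standard_mask to subnet_mask."""
    base = ipaddress.IPv4Network((network, standard_mask))
    new_prefix = ipaddress.IPv4Network(("0.0.0.0", subnet_mask)).prefixlen
    return [str(s.network_address) for s in base.subnets(new_prefix=new_prefix)]


def hosts_per_subnet(subnet_mask: str) -> int:
    """Usable hosts per subnet: every host-id pattern except all-0 and all-1."""
    host_bits = 32 - ipaddress.IPv4Network(("0.0.0.0", subnet_mask)).prefixlen
    return 2 ** host_bits - 2


if __name__ == "__main__":
    for ip in ("10.110.50.101", "129.2.2.1", "224.0.0.9", "127.0.0.1"):
        print(ip, ip_class(ip), default_mask(ip), special_address(ip))
    print(subnets("202.38.0.0", "255.255.0.0", "255.255.224.0"))
    print(hosts_per_subnet("255.255.224.0"))
```

hosts_per_subnet("255.255.224.0") gives 8190, which matches the manual's "more than 8000 hosts" per subnet.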

1.2 Configure IP Address
The IP address configuration includes:
Configure Hostname and Host IP Address
Configure IP Address of the VLAN Interface

1.2.1 Configure Hostname and Host IP Address
Perform the following configuration in System view.

Table 1-2 Configure the host name and the corresponding IP address

Operation                                                 Command
Configure the hostname and the corresponding IP address   ip host hostname ip-address
Delete the hostname and the corresponding IP address      undo ip host hostname [ ip-address ]

By default, there is no host name associated to any host IP address.

1.2.2 Configure IP Address of the VLAN Interface
You can configure an IP address for every VLAN interface of the Ethernet Switch. Generally, one IP address per interface is enough. You can also configure up to 10 IP addresses for an interface, so that it can be connected to several subnets. Among these IP addresses, one is the primary IP address and all others are secondary. Perform the following configuration in VLAN interface view.

Table 1-3 Configure IP address for a VLAN interface

Operation                                  Command
Configure IP address for a VLAN interface  ip address ip-address net-mask [ sub ]
Delete the IP address of a VLAN interface  undo ip address [ ip-address net-mask [ sub ] ]

By default, the IP address of a VLAN interface is null.

1.3 Display and debug IP Address
After the above configuration, execute the display command in any view to display the IP addresses configured on the interfaces of the network device and verify the effect of the configuration.

Table 1-4 Display and debug IP address

Operation                                                             Command
Display all hosts on the network and the corresponding IP addresses   display ip host
Display the configurations of each interface                          display ip interface vlan-interface vlan-id

1.4 IP Address Configuration Example
I. Networking requirements
Configure the IP address as 129.2.2.1 and sub-net mask as 255.255.255.0 for the VLAN interface 1 of the Ethernet Switch.

II. Networking diagram
Figure 1-3 layout (recovered from the figure): Switch ---- console cable ---- PC

Figure 1-3 IP address configuration networking

III. Configuration procedure
# Enter VLAN interface 1.
[Quidway] interface vlan 1
# Configure the IP address for VLAN interface 1.
[Quidway-vlan-interface1] ip address 129.2.2.1 255.255.255.0

1.5 Troubleshoot IP Address Configuration
Fault 1: The Ethernet Switch cannot ping through a certain host in the LAN.

Troubleshooting can be performed as follows. Check the configuration of the Ethernet Switch; use the display arp command to view the ARP entry table that the switch maintains.

First check which VLAN includes the switch port used to connect to the host, and whether that VLAN has been configured with a VLAN interface.

Then check whether the IP address of the VLAN interface and that of the host are on the same network segment.

If the configuration is correct, enable ARP debugging on the switch and check whether the switch can correctly send and receive ARP packets. If it can send but cannot receive ARP packets, errors probably occur on the Ethernet physical layer.

Chapter 2 ARP Configuration
2.1 Introduction to ARP
I. Necessity of ARP
An IP address cannot be used directly for communication between network devices, because network devices identify each other only by MAC address. An IP address is only the address of a host at the network layer. To deliver the data packets transmitted through the network layer to the destination host, the physical address of that host is required, so the IP address must be resolved into a physical address.

II. ARP implementation procedure
When two hosts on the Ethernet communicate, they must know each other's MAC addresses. Every host maintains an IP-to-MAC address translation table, known as the ARP mapping table. It stores the mappings between the IP addresses and MAC addresses of the other hosts that recently communicated with the local host. When a dynamic ARP mapping entry has not been used for a specified period of time, the host removes it from the ARP mapping table, which saves memory and shortens the time the switch needs to search the table.

Suppose there are two hosts on the same network segment, Host A and Host B, with IP addresses IP_A and IP_B, and Host A wants to transmit messages to Host B. Host A first checks its own ARP mapping table for an entry corresponding to IP_B. If the corresponding MAC address is found, Host A uses it to encapsulate the IP packet in a frame and sends the frame to Host B. If it is not found, Host A stores the IP packet in a queue awaiting transmission and broadcasts an ARP request throughout the Ethernet. The ARP request packet contains the IP address of Host B together with the IP address and MAC address of Host A. Since the ARP request is broadcast, all hosts on the network segment receive it, but only the requested host (Host B) needs to process it. Host B first stores the IP address and MAC address of the request sender (Host A), taken from the ARP request packet, in its own ARP mapping table. Host B then generates an ARP reply packet, adds its own MAC address to it, and sends it to Host A. The reply packet is sent directly to Host A instead of being broadcast. On receiving the reply, Host A extracts the IP address and corresponding MAC address of Host B and adds them to its own ARP mapping table. Host A then sends Host B all the packets waiting in the queue.

Normally, dynamic ARP runs and resolves IP addresses to Ethernet MAC addresses automatically, without intervention by the administrator.
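The exchange just described, as an added example in Python (not from the manual, and not the switch's own software): each host keeps an ARP mapping table, a miss queues the packet and broadcasts a request, only the target answers with a unicast reply, and the reply flushes the queue. Dynamic entries age out after AGING_SECONDS without use, which is set to the switch's 20-minute default from section 2.2.3, while entries added with add_static() (the counterpart of arp static) never age. Host names, IP addresses and MAC addresses are constructed for the example.

```python
# Added example (not from the Quidway manual): ARP mapping table, ARP
# request/reply exchange, and dynamic-entry aging on one Ethernet segment.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

AGING_SECONDS = 20 * 60      # default dynamic ARP aging time on the switch (section 2.2.3)


@dataclass
class ArpEntry:
    mac: str
    last_used: float         # time the entry was learned or last used
    static: bool = False     # static entries are never aged out


@dataclass
class Host:
    ip: str
    mac: str
    arp_table: Dict[str, ArpEntry] = field(default_factory=dict)
    pending: Dict[str, List[bytes]] = field(default_factory=dict)             # dst IP -> queued payloads
    sent_frames: List[Tuple[str, str, bytes]] = field(default_factory=list)   # (dst MAC, src MAC, payload)

    def add_static(self, ip: str, mac: str, now: float) -> None:
        """Counterpart of 'arp static ip-address mac-address'."""
        self.arp_table[ip] = ArpEntry(mac, now, static=True)

    def age_out(self, now: float) -> List[str]:
        """Drop dynamic entries idle for AGING_SECONDS or longer; return the IPs removed."""
        expired = [ip for ip, e in self.arp_table.items()
                   if not e.static and now - e.last_used >= AGING_SECONDS]
        for ip in expired:
            del self.arp_table[ip]
        return expired

    def send_ip(self, dst_ip: str, payload: bytes, lan: "Lan", now: float) -> str:
        """Frame the packet at once on a table hit; otherwise queue it and ARP for dst_ip."""
        self.age_out(now)
        entry = self.arp_table.get(dst_ip)
        if entry is not None:
            entry.last_used = now
            self.sent_frames.append((entry.mac, self.mac, payload))
            return "sent"
        self.pending.setdefault(dst_ip, []).append(payload)
        lan.broadcast({"op": "request", "sender_ip": self.ip, "sender_mac": self.mac,
                       "target_ip": dst_ip}, self, now)
        return "queued"

    def receive_arp(self, pkt: dict, lan: "Lan", now: float) -> None:
        if pkt["op"] == "request":
            if pkt["target_ip"] != self.ip:
                return                  # every host hears the broadcast; only the target acts
            self.arp_table[pkt["sender_ip"]] = ArpEntry(pkt["sender_mac"], now)
            lan.unicast(pkt["sender_mac"], {"op": "reply", "sender_ip": self.ip,
                                            "sender_mac": self.mac,
                                            "target_ip": pkt["sender_ip"]}, now)
        elif pkt["op"] == "reply":
            self.arp_table[pkt["sender_ip"]] = ArpEntry(pkt["sender_mac"], now)
            for payload in self.pending.pop(pkt["sender_ip"], []):   # flush the waiting queue
                self.sent_frames.append((pkt["sender_mac"], self.mac, payload))


class Lan:
    """One Ethernet segment: a broadcast reaches every other host, a unicast reaches one."""

    def __init__(self, hosts: List[Host]):
        self.hosts = {h.mac: h for h in hosts}

    def broadcast(self, pkt: dict, sender: Host, now: float) -> None:
        for h in list(self.hosts.values()):
            if h is not sender:
                h.receive_arp(pkt, self, now)

    def unicast(self, dst_mac: str, pkt: dict, now: float) -> None:
        self.hosts[dst_mac].receive_arp(pkt, self, now)


def demo():
    a = Host("10.110.50.1", "00-e0-fc-00-00-0a")
    b = Host("10.110.50.2", "00-e0-fc-00-00-0b")
    c = Host("10.110.50.3", "00-e0-fc-00-00-0c")
    lan = Lan([a, b, c])
    first = a.send_ip(b.ip, b"hello", lan, now=0.0)     # miss: queued, resolved by ARP
    second = a.send_ip(b.ip, b"again", lan, now=60.0)   # hit: framed directly
    a.age_out(now=60.0 + AGING_SECONDS)                 # idle for 20 minutes: entry removed
    return first, second, a, b, c


if __name__ == "__main__":
    first, second, a, b, c = demo()
    print(first, second, a.sent_frames, dict(a.arp_table), dict(b.arp_table))
```

Note that Host C hears the broadcast but learns nothing from it; only the requested host records the sender, exactly as the text states.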

2.2 Configure ARP
The ARP mapping table can be maintained dynamically or manually. The manually configured mapping from IP addresses to MAC addresses is known as static ARP. The user can display, add or delete entries in the ARP mapping table through the relevant manual maintenance commands.

The static ARP configuration includes:
Manually Add/Delete Static ARP Mapping Entries
Configure ARP Timed Probing Function (S3526/S3526 FM/S3526 FS support)
Configure the Dynamic ARP Aging Timer
Configure ARP Source Address Suppression

2.2.1 Manually Add/Delete Static ARP Mapping Entries
Perform the following configuration in System view.

Table 2-1 Manually add/delete static ARP mapping entries

Operation                                  Command
Manually add a static ARP mapping entry    arp static ip-address mac-address [ vlan-id { interface_type interface_num | interface_name } ]
Manually delete a static ARP mapping entry undo arp ip-address

A static ARP mapping entry remains valid as long as the Ethernet switch works normally; however, if the VLAN to which the entry corresponds is deleted, the entry is deleted as well. Dynamic ARP mapping entries are valid for only 20 minutes by default. The parameter vlan-id must be the ID of a VLAN that has been created by the user, and the Ethernet port specified after this parameter must belong to that VLAN. By default, the ARP mapping table is empty and address mappings are obtained through dynamic ARP.

2.2.2 Configure ARP Timed Probing Function
After an Ethernet switch is configured with the IP addresses requiring ARP timed probing, it sends ARP Request packets to probe these IP addresses without being requested, in order to keep the IP-MAC address maps up to date. Thus, normal communication between devices can be ensured. Perform the following configuration in VLAN interface view.

Table 2-2 Configure ARP timed probing function

Operation                                            Command
Configure IP addresses requiring ARP timed probing   arp probe ip ip-address
Remove the IP addresses requiring ARP timed probing  undo arp probe ip [ ip-address ]
Configure a probing interval                         arp timer probe time
Restore the default ARP probing interval             undo arp timer probe

By default, no IP address requires ARP timed probing, and the probing interval is five seconds. Among the S3500 Series Ethernet Switches, only the S3526/S3526 FM/S3526 FS support this configuration.

2.2.3 Configure the Dynamic ARP Aging Timer
For flexible configuration, the system provides the following commands to assign the dynamic ARP aging period. When the system learns a dynamic ARP entry, its aging period is the value configured at that time. Perform the following configuration in system view.

Table 2-3 Configure the dynamic ARP aging timer

Operation                                      Command
Configure the dynamic ARP aging timer          arp timer aging aging-time
Restore the default dynamic ARP aging time     undo arp timer aging

By default, the aging time of dynamic ARP aging timer is 20 minutes.

2.2.4 Configure ARP Source Address Suppression
ARP Source Address Suppression allows the Ethernet switch to suppress malicious ARP requests from a host. If a host with a certain source IP address sends a large number of different ARP requests within a 5-second interval, the system discards the ARP requests that exceed the limit. After the interval, the switch resumes processing ARP requests from this source IP address. Perform the following configuration in system view.

Table 2-4 Configure ARP Source Address Suppression

Operation                                                                     Command
Enable ARP source address suppression                                         arp source-suppression enable
Disable ARP source address suppression                                        undo arp source-suppression enable
Configure the number of source IP addresses to be suppressed                  arp source-suppression cache cache-value
Restore the number of source IP addresses to the default                      undo arp source-suppression cache
Configure the maximum number of ARP requests within a 5-second interval       arp source-suppression limit limit-value
Restore the maximum number of ARP requests within 5 seconds to the default    undo arp source-suppression limit

By default, ARP source suppression is not enabled. The default number of source IP addresses to be suppressed is 16, and the default maximum number of ARP requests within the 5-second interval is 10.
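The suppression behaviour described in this section, as an added Python model (not from the manual, and not how the switch implements it): each source IP address gets a 5-second window, requests beyond the limit within that window are discarded, and processing resumes in the next window. The constructor defaults are the manual's (a cache of 16 source addresses, at most 10 requests per window); the eviction policy when the cache is full is my assumption, since the page does not state one. The request trace is constructed.

```python
# Added example (not from the Quidway manual): per-source rate limiting
# of ARP requests over fixed 5-second windows, with a bounded source cache.
from collections import OrderedDict
from typing import List, Tuple

WINDOW_SECONDS = 5


class ArpSourceSuppression:
    def __init__(self, cache_size: int = 16, limit: int = 10, enabled: bool = True):
        self.cache_size = cache_size    # arp source-suppression cache cache-value
        self.limit = limit              # arp source-suppression limit limit-value
        self.enabled = enabled          # arp source-suppression enable
        self.cache = OrderedDict()      # source IP -> [window_start, count]
        self.dropped = 0                # requests discarded so far

    def _window(self, src_ip: str, now: float) -> list:
        """Return the current window entry for src_ip, opening a new one if needed."""
        entry = self.cache.get(src_ip)
        if entry is None or now - entry[0] >= WINDOW_SECONDS:
            if entry is None and len(self.cache) >= self.cache_size:
                self.cache.popitem(last=False)   # assumed policy: evict the oldest tracked source
            entry = [now, 0]
            self.cache[src_ip] = entry
        return entry

    def accept(self, src_ip: str, now: float) -> bool:
        """True if the ARP request is processed, False if it is suppressed."""
        if not self.enabled:
            return True
        entry = self._window(src_ip, now)
        if entry[1] >= self.limit:
            self.dropped += 1
            return False
        entry[1] += 1
        return True


def replay(events: List[Tuple[str, float]], **settings) -> Tuple[List[bool], int]:
    """Run a (source IP, time) trace through a fresh limiter; return decisions and drop count."""
    s = ArpSourceSuppression(**settings)
    return [s.accept(ip, t) for ip, t in events], s.dropped


# Constructed trace: 10.110.50.7 bursts 12 requests within about a second,
# 10.110.50.8 sends 3, then 10.110.50.7 sends one more after its window ends.
TRACE = ([("10.110.50.7", 0.1 * i) for i in range(12)]
         + [("10.110.50.8", 1.0)] * 3
         + [("10.110.50.7", 5.5)])

if __name__ == "__main__":
    decisions, dropped = replay(TRACE)
    print(decisions, dropped)
```

With the defaults, the 11th and 12th requests from 10.110.50.7 are discarded, the other host is unaffected, and the request at 5.5 seconds is processed again because a new window has started.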

2.3 Display and debug ARP
After the above configuration, execute the display command in any view to display the running ARP configuration and verify the effect of the configuration. Execute the debugging command in user view to debug the ARP configuration. Execute the reset command in user view to clear the ARP mapping table.

Table 2-5 Display and debug ARP

Operation                                                        Command
Display the ARP mapping table                                    display arp [ static | dynamic | ip-address ]
Display the ARP timed probing information                        display arp probe [ interface vlan-interface vlan-id ]
Display the current setting of the dynamic ARP map aging timer   display arp timer aging
Display ARP source suppression information                       display arp source-suppression
Reset the ARP mapping table                                      reset arp [ dynamic | static | interface { interface_type interface_num | interface_name } ]
Enable ARP information debugging                                 debugging arp packet
Disable ARP information debugging                                undo debugging arp packet

Note that display arp probe [ interface vlan-interface vlan-id ] command is supported by S3526/S3526 FM/S3526 FS switches.

Chapter 3 DHCP Relay Configuration

Note: This chapter only applies to S3500 series switches except S3552G, S3552P, S3528G, S3528P and S3552F.

3.1 Brief Introduction to DHCP Relay
With the expansion of networks and the growth of their complexity, network configuration is becoming more and more complex. The Dynamic Host Configuration Protocol (DHCP) was issued to let users join and leave the network quickly, and to improve the utilization of IP addresses where computers are often moved (e.g., where portable computers or wireless networks are used) or where the number of hosts exceeds the number of IP addresses that can be allocated. DHCP works in Client/Server mode. With this protocol, the DHCP Client can dynamically request configuration information and the DHCP Server can conveniently configure that information for the Client. In the early days, DHCP was only suitable for the case where the DHCP Client and the DHCP Server are located on the same subnet, and could not work across network segments. If the early DHCP is used to configure hosts dynamically, each subnet must be equipped with a DHCP Server, which is obviously uneconomical. The introduction of DHCP relay solves this difficulty. The DHCP relay serves as a relay between a DHCP Client and a DHCP Server located on different subnets: DHCP packets are relayed to the destination DHCP Server (or Client) across network segments. Thereby, DHCP clients on different networks can use the same DHCP Server, which is economical and convenient for centralized management.

Figure 3-1 layout (recovered from the figure): several DHCP clients are connected to an Ethernet Switch acting as DHCP Relay, which reaches the DHCP Server across the Internet.

Figure 3-1 DHCP Relay typical application

DHCP Relay works on this principle: during start-up and DHCP initialization, the DHCP Client broadcasts configuration request messages to the local network. If there is a DHCP Server on the local network, DHCP configuration can be done directly and DHCP Relay is unnecessary. Otherwise, when a device with DHCP Relay enabled that is connected to the local network receives the messages, it performs the necessary processing and forwards them to the designated DHCP Server on another network. The DHCP Server configures the client according to the information from the DHCP Client and sends the configuration result back to the DHCP Client via the DHCP Relay. In practice, several rounds of interaction may be required in the dynamic configuration of a DHCP Client.

3.2 Configure DHCP Relay
DHCP relay configuration includes:
Configure IP Address of a DHCP Server
Configure Corresponding DHCP Server Group of the VLAN Interface
Configure the Address Table Entry
Enable/Disable DHCP security features
Enable/Disable DHCP pseudo-server detection

3.2.1 Configure IP Address of a DHCP Server
Perform the following configuration in System view.

Table 3-1 Configure/Delete the IP address of the DHCP Server

Operation                                                                                                                   Command
Configure the IP address of the DHCP Server                                                                                 dhcp-server groupNo ip ipaddress1 [ ipaddress2 ]
Remove all the IP addresses of the DHCP Server (namely, set the IP addresses of the primary and secondary DHCP Servers to 0)   undo dhcp-server groupNo

Note that the backup DHCP Server IP address cannot be configured independently; it has to be configured together with the master DHCP Server IP address. By default, no IP address is configured for the DHCP Server; that is, the DHCP Server address must be configured before DHCP relay can be used.

3.2.2 Configure Corresponding DHCP Server Group of the VLAN Interface
Perform the following configuration in VLAN interface view.

Table 3-2 Configure/Delete the corresponding DHCP Server group of VLAN interface

Operation                                                          Command
Configure the corresponding DHCP Server group of the VLAN interface   dhcp-server groupNo
Delete the corresponding DHCP Server group of the VLAN interface      undo dhcp-server

When associating a VLAN interface to a new DHCP Server group, you can configure the association without disassociating it from the previous group. By default, no VLAN interface corresponds to any DHCP Server group.

3.2.3 Configure the Address Table Entry
To let a valid user with a fixed IP address in a VLAN configured with DHCP Relay pass the address validity check of the DHCP security feature, you must add a static address entry that records the correspondence between that IP address and a MAC address. If another, illegal user configures a static IP address that conflicts with the fixed IP address of the valid user, the switch with DHCP Relay enabled can identify the valid user and reject the illegal user's request to bind that IP address to its MAC address. Perform the following configuration in System view.

Table 3-3 Configure/Delete the address table entry

Operation                              Command
Add an entry to the address table      dhcp-security static ip_address mac_address
Delete an entry from the address table undo dhcp-security ip_address

3.2.4 Enable/Disable DHCP security features
Enabling the DHCP security features starts address checking on the VLAN interface, and disabling them cancels the address check. Perform the following configuration in VLAN interface view.

Table 3-4 Enable/Disable DHCP security features on VLAN interface

Operation                                          Command
Enable DHCP security features on VLAN interface    address-check enable
Disable DHCP security features on VLAN interface   address-check disable

By default, the switch disables DHCP security features function.
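The address check that 3.2.3 and 3.2.4 describe, modelled as an added example (this is not the switch's code and not from the manual): static entries stand for dhcp-security static ip_address mac_address, dynamic entries stand for bindings the relay learned from a DHCP_ACK, and address-check enable is a per-VLAN flag. The event records and the MAC/IP values are constructed; that requests for addresses with no entry at all are rejected is an assumed policy, not something the manual states.

```python
import re


def normalize_mac(mac):
    """Accept 00e0-fc00-0001, 00:e0:fc:00:00:01 or 00-e0-fc-00-00-01; return 00e0fc000001."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


class DhcpSecurityTable:
    """Static IP-MAC entries plus dynamic ones the relay learned from DHCP_ACK messages."""

    def __init__(self, reject_unknown=True):
        self.static = {}                       # ip -> mac, from dhcp-security static
        self.dynamic = {}                      # ip -> mac, from relayed DHCP_ACK replies
        self.checked_vlans = set()             # VLAN interfaces with address-check enable
        self.reject_unknown = reject_unknown   # assumed policy for addresses with no entry

    def add_static(self, ip, mac):
        self.static[ip] = normalize_mac(mac)
        self.dynamic.pop(ip, None)             # a static entry takes precedence

    def remove_static(self, ip):
        self.static.pop(ip, None)

    def learn_dynamic(self, ip, mac):
        """Binding handed out by the legitimate DHCP Server through the relay."""
        if ip not in self.static:
            self.dynamic[ip] = normalize_mac(mac)

    def enable_check(self, vlan):
        self.checked_vlans.add(vlan)

    def disable_check(self, vlan):
        self.checked_vlans.discard(vlan)

    def check(self, vlan, ip, mac):
        """Decide whether the binding (ip, mac) seen on vlan is accepted; returns (ok, reason)."""
        if vlan not in self.checked_vlans:
            return True, "address-check disabled on this VLAN interface"
        mac = normalize_mac(mac)
        for kind, table in (("static", self.static), ("dynamic", self.dynamic)):
            if ip in table:
                if table[ip] == mac:
                    return True, f"matches {kind} entry"
                return False, f"conflicts with the {kind} entry of a valid user"
        if self.reject_unknown:
            return False, "no entry for this address"
        return True, "no entry, accepted by policy"

    def legal_clients(self):
        """What display dhcp-security would list: every known legal (ip, mac) pair."""
        return sorted({**self.dynamic, **self.static}.items())


def demo():
    """Constructed events: (vlan, ip, mac) binding requests seen by the switch."""
    table = DhcpSecurityTable()
    table.enable_check(2)
    table.add_static("10.110.0.10", "00e0-fc00-0001")       # valid user with a fixed address
    table.learn_dynamic("10.110.0.20", "00e0-fc00-0002")    # lease relayed from the real server
    events = [
        (2, "10.110.0.10", "00:e0:fc:00:00:01"),   # same user, different MAC spelling
        (2, "10.110.0.10", "00:e0:fc:00:00:99"),   # someone squatting the fixed address
        (2, "10.110.0.20", "00e0-fc00-0002"),      # dynamic client using its lease
        (2, "10.110.0.20", "00e0-fc00-0003"),      # another host claiming that lease
        (2, "10.110.0.30", "00e0-fc00-0004"),      # nothing known about this address
        (3, "10.110.0.10", "00:e0:fc:00:00:99"),   # VLAN 3 has no address check
    ]
    return [table.check(*event) for event in events]
```

The second event is the case the manual is about: the fixed address of a valid user is claimed by another MAC, and the check rejects it without touching the valid user's own entry. MAC normalization matters because the same station can appear in several spellings across the CLI, logs and packets.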

3.2.5 Enable/Disable DHCP pseudo-server detection
Suppose a DHCP server is placed on a network without permission. When a user requests an IP address, this server interacts with the DHCP client and causes the user to obtain a wrong IP address, so the user is unable to access the network. Such a DHCP server is called a DHCP pseudo-server. After DHCP pseudo-server detection is enabled, the switch records information about the DHCP servers it sees, such as their IP addresses, so that the administrator can discover the DHCP pseudo-servers. Perform the following configuration in system view.

Table 3-5 Enable/Disable DHCP pseudo-server detection
  Operation: Enable DHCP pseudo-server detection
  Command:   dhcp-server detect
  Operation: Disable DHCP pseudo-server detection
  Command:   undo dhcp-server detect

By default, DHCP pseudo-server detection is disabled.

3.3 Display and debug DHCP Relay
After completing the above configuration, execute the display commands in any view to show the running state of the DHCP Relay configuration and to verify its effect.
Execute the debugging commands in user view to debug DHCP Relay.

Table 3-6 Display and debug DHCP Relay
  Operation: Display the information about the DHCP Server group
  Command:   display dhcp-server groupNo
  Operation: Display the information about the DHCP Server group corresponding to the VLAN interface
  Command:   display dhcp-server interface vlan-interface vlan-id
  Operation: Enable the DHCP relay debugging
  Command:   debugging dhcp-relay
  Operation: Disable the DHCP relay debugging
  Command:   undo debugging dhcp-relay
  Operation: Display the address information of all the legal clients of the DHCP Server group
  Command:   display dhcp-security [ ip_address ]

3.4 DHCP Relay Configuration Example
I. Networking requirements
The segment address of the DHCP Clients is 10.110.0.0; they are connected to a port in VLAN 2 on the switch. The IP address of the DHCP Server is 202.38.1.2. DHCP packets are forwarded by the switch with DHCP Relay enabled, so that the DHCP Clients can obtain IP addresses and other configuration information from the DHCP Server.

II. Networking diagram
Figure 3-2 Networking diagram of configuring DHCP relay (DHCP clients on Ethernet 10.110.0.0; Ethernet Switch (DHCP Relay) with the addresses 10.110.1.1 and 202.38.1.1; DHCP Server 202.38.1.2 on Ethernet 202.38.0.0, reached across the Internet)

III. Configuration procedure
# Configure the group number of DHCP Server as 1 and the IP address as 202.38.1.2.
[Quidway] dhcp-server 1 ip 202.38.1.2
# Associate the VLAN interface 2 with DHCP Server group 1.
[Quidway] interface vlan 2
[Quidway-Vlan-interface2] dhcp-server 1
# Configure the IP address of the VLAN interface 2, which must be in the same segment as the DHCP Client.
[Quidway-Vlan-interface2] ip address 10.110.1.1 255.255.0.0

To allocate IP addresses successfully to the DHCP Client, you also need to make the necessary configuration on the DHCP Server, which varies depending on the device type.

3.5 Troubleshoot DHCP Relay Configuration
Fault 1: The user cannot apply for an IP address dynamically.

Troubleshooting: Perform the following procedures.
1) Use the display dhcp-server groupNo command to check whether the IP address of the corresponding DHCP Server has been configured.
2) Use the display vlan and display ip commands to check whether the VLAN and the corresponding interface IP address have been configured.
3) Ping the configured DHCP Server to ensure that the link is connected.
4) From the DHCP Server, ping the IP address of the VLAN interface of the switch to which the DHCP user is connected, to make sure that the DHCP Server can find the route to the network segment the user is on. If the ping fails, check whether the default gateway of the DHCP Server has been configured as the address of the VLAN interface on which the server is located.
5) If no problem is found in the last two steps, use the display dhcp-server groupNo command to view which packets have been received. If you only see Discover packets and no response packets, the DHCP Server has not sent any reply to the Ethernet Switch; in this case, check whether the DHCP Server has been configured properly.
6) If the numbers of request and response packets are normal, enable debugging dhcp-relay in User view and then use the terminal debugging command to output the debugging information to the console. In this way you can view the details of all DHCP packets on the console while the client applies for an IP address, which makes it convenient to locate the problem.

Chapter 4 DHCP Configuration

Note: This chapter only applies to S3552G, S3552P, S3528G, S3528P and S3552F in S3500 series switches.

4.1 DHCP Overview
4.1.1 DHCP Fundamentals
Networks are ever-growing and their configurations ever more complex; computers (such as laptop computers and wireless devices) are often moved; and the available IP addresses are far from adequate for the ever-increasing number of computers. Against this background the dynamic host configuration protocol (DHCP) was introduced. DHCP operates in a Client/Server model: the DHCP client dynamically requests configuration information from the DHCP server, and the DHCP server returns that information (an IP address, for example) according to the adopted policy. A typical DHCP application network comprises a DHCP server and multiple clients such as PCs and laptop computers (see the following figure):
Figure 4-1 Typical networking application of DHCP Server (one DHCP Server and several DHCP Clients on a LAN)

I. Allocating IP addresses using DHCP
1) IP address allocation policy

The time for which a client occupies an IP address depends on the type of the client. A server tends to use a fixed IP address for a long time; some hosts may also need dynamic IP addresses for a long period; but some individuals may only need temporarily assigned IP addresses for a short time. To meet these demands, DHCP servers provide three types of IP address allocation policy:
- Manual allocation, with which fixed IP addresses are assigned to a small number of special hosts such as World Wide Web (WWW) servers.
- Automatic allocation, with which fixed IP addresses are assigned to some hosts when they first connect to the network, and these hosts are allowed to use the addresses for a long period of time.
- Dynamic allocation, with which addresses are “leased” to clients. Upon expiration of the lease, the client needs to request again. In fact, the addresses assigned to most clients are dynamic addresses.
2) IP address allocation order
The DHCP server selects an IP address for a client in the following order:
- The IP address bound with the MAC address of the client in the address pool of the DHCP server.
- The client's previous IP address, that is, the address requested in the Requested IP Addr Option carried in the DHCP_Discover message sent by the client.
- A new address allocated from the DHCP server's pool of available addresses, namely the first one found in the address pool.
- If the DHCP server does not find an available address, it looks up the expired leased IP addresses and then the conflicting IP addresses to find a valid one for assignment. If this attempt also fails, the server reports an error.
3) Address pools that a DHCP server may have:
- Global address pool: it has significance within the scope of the switch and is created using the dhcp server ip-pool command in system view.
- VLAN interface address pool: it has significance only at the VLAN interface where it is created, using the dhcp select interface command in VLAN interface view after a valid unicast IP address has been assigned to the VLAN interface. Its address range is the network segment connected to the VLAN interface.

II. Interacting between DHCP client and server
In order to obtain a valid dynamic IP address, a DHCP client exchanges information with the server in several stages, which differ in the following three situations.
1) The first login of the DHCP client

In this case, the DHCP client goes through four stages to set up a connection with a DHCP server.

- Discover stage, where the DHCP client looks for a DHCP server. In this stage the client broadcasts a DHCP_Discover message on the network, and only DHCP servers respond to it.
- Offer stage, where DHCP servers offer IP addresses. Upon receipt of the DHCP_Discover message from the client, each DHCP server sends a DHCP_Offer message carrying an unassigned IP address selected from its IP address pool, together with other settings, to the client.
- Selecting stage, where the DHCP client picks one IP address out of all the offers. If several DHCP servers return DHCP_Offer messages, the client accepts only the first one to arrive. It then broadcasts to all DHCP servers a DHCP_Request message containing the IP address it will request from the selected DHCP server.
- Acknowledgement stage, where the selected DHCP server acknowledges the offered IP address. In response to the DHCP_Request message, the DHCP server sends a DHCP_ACK message carrying the provided IP address and other settings to the client. The DHCP client then binds its TCP/IP protocol components to its MAC address. All DHCP servers other than the selected one can allocate their offered IP addresses to other requesting clients.
2) The non-first login of the DHCP client

If it is not the first time the DHCP client logs into the network, it goes through the following stages to set up a connection with a DHCP server.
- When the DHCP client logs into the network again after a successful first login, it only needs to broadcast a DHCP_Request message containing the IP address assigned to it last time, instead of sending a DHCP_Discover message.
- Upon receipt of the DHCP_Request message, the DHCP server sends back a DHCP_ACK message allowing the client to use the requested address, if it is still available.
- If the IP address is not available (because it has been assigned to another client, for example), the DHCP server returns a DHCP_NAK message. Upon receipt of this message, the client sends a DHCP_Discover message requesting a new IP address.
3) IP address lease renewal
The DHCP server takes back the dynamic IP address allocated to a DHCP client when the lease expires. If the DHCP client still wants to use this address, it must renew the IP address lease. In practice, when half of the lease period has passed, the DHCP client by default automatically sends a DHCP_Request message to renew the lease. If the current IP address is still valid, the DHCP server sends back a DHCP_ACK message notifying the DHCP client that the IP address lease has been extended.
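The allocation order in I.2 and the three exchanges in II, carried through in a small Python simulation. This is an added example, not code from the manual or from the switch: the DhcpServer and DhcpClient classes, the simulated clock, the /29 pool, the forbidden addresses and the MAC labels are all constructed for illustration, and the conflicting-address step of the allocation order is left out (only bound, requested, never-leased and expired addresses are tried).

```python
from ipaddress import ip_address, ip_network


class DhcpServer:
    """Toy server: allocation order of 4.1.1 I.2 and message flow of 4.1.1 II."""

    def __init__(self, network, lease_time, static=None, forbidden=()):
        self.net = ip_network(network)
        self.lease_time = lease_time
        self.static = dict(static or {})   # mac -> ip: manual allocation
        self.forbidden = set(forbidden)    # never handed out automatically
        self.leases = {}                   # ip -> (mac, expiry clock), active or expired
        self.offers = {}                   # mac -> ip offered but not yet bound
        self.clock = 0                     # simulated time

    def _assignable(self, ip, mac):
        """May ip be given to mac right now?"""
        addr = ip_address(ip)
        if addr not in self.net or addr in (self.net.network_address, self.net.broadcast_address):
            return False
        if ip in self.forbidden or (ip in self.static.values() and self.static.get(mac) != ip):
            return False                   # excluded, or reserved for another client's MAC
        if any(o == ip and m != mac for m, o in self.offers.items()):
            return False                   # currently offered to someone else
        holder = self.leases.get(ip)
        return holder is None or holder[0] == mac or holder[1] <= self.clock

    def select(self, mac, requested=None):
        """1 MAC binding, 2 previous address, 3 first never-leased, 4 expired lease."""
        if mac in self.static:
            return self.static[mac]
        if requested and self._assignable(requested, mac):
            return requested
        for host in map(str, self.net.hosts()):
            if host not in self.leases and self._assignable(host, mac):
                return host
        for ip in self.leases:
            if self._assignable(ip, mac):
                return ip
        return None                        # nothing left: the server reports an error

    def discover(self, mac, requested=None):
        ip = self.select(mac, requested)
        if ip is None:
            return None
        self.offers[mac] = ip
        return ("DHCP_Offer", ip)

    def request(self, mac, ip):
        """First-login Request, re-login Request and lease renewal all land here."""
        self.offers.pop(mac, None)
        if not self._assignable(ip, mac):
            return ("DHCP_NAK", None)
        self.leases[ip] = (mac, self.clock + self.lease_time)
        return ("DHCP_ACK", ip)


class DhcpClient:
    def __init__(self, mac):
        self.mac, self.ip, self.bound_at = mac, None, None

    def _bind(self, server, reply):
        msg, ip = reply
        self.ip, self.bound_at = (ip, server.clock) if msg == "DHCP_ACK" else (None, None)
        return msg

    def first_login(self, server):
        """Discover -> Offer -> Request -> ACK (II.1)."""
        offer = server.discover(self.mac)
        if offer is None:
            return "NO_OFFER"
        return self._bind(server, server.request(self.mac, offer[1]))

    def login_again(self, server):
        """Re-login (II.2): Request the old address; on NAK start over with Discover."""
        if self._bind(server, server.request(self.mac, self.ip)) == "DHCP_ACK":
            return "DHCP_ACK"
        return self.first_login(server)

    def maybe_renew(self, server):
        """Renewal (II.3): once half the lease has passed the client sends a Request."""
        if self.ip and server.clock - self.bound_at >= server.lease_time // 2:
            return self._bind(server, server.request(self.mac, self.ip))


def demo():
    """Constructed scenario on a /29, small enough that the expired-lease step is reached."""
    srv = DhcpServer("10.110.0.0/29", lease_time=10,
                     static={"mac-a": "10.110.0.6"},           # manual allocation
                     forbidden={"10.110.0.1", "10.110.0.2"})    # gateway, file server
    a, b, c, d, e = (DhcpClient(m) for m in ("mac-a", "mac-b", "mac-c", "mac-d", "mac-e"))
    out = {"a": (a.first_login(srv), a.ip), "b": (b.first_login(srv), b.ip),
           "c": (c.first_login(srv), c.ip)}
    srv.clock = 5
    out["b renew"] = (b.maybe_renew(srv), b.ip)  # half of b's lease has passed
    srv.clock = 10                                # a's and c's leases expire; b's was renewed
    out["d"] = (d.first_login(srv), d.ip)         # the last never-leased address
    out["e"] = (e.first_login(srv), e.ip)         # reclaims c's expired lease
    out["c again"] = (c.login_again(srv), c.ip)   # NAK, then Discover finds nothing
    return out
```

Running demo() shows each rule in turn: the static binding wins for a, b and c take the first free addresses after the excluded ones, b's renewal at half the lease keeps its address alive, e is given c's expired address, and c's re-login is refused with DHCP_NAK and then fails altogether because the pool is exhausted.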

4.1.2 DHCP Relay
In the early days, DHCP was only suitable for the case where the DHCP Client and the DHCP Server were located on the same subnet, and could not work across network segments. If the early DHCP were used to dynamically configure hosts, each subnet would have to be equipped with a DHCP Server, which is obviously uneconomical. The introduction of DHCP relay solves this difficulty. The DHCP relay acts as an intermediary between DHCP Clients and a DHCP Server located on different subnets: DHCP packets are relayed to the destination DHCP Server (or Client) across network segments, so DHCP clients on different networks can use the same DHCP Server. This is economical and convenient for centralized management.
Figure 4-2 DHCP Relay typical application (DHCP clients on their local network, an Ethernet Switch acting as DHCP Relay, and a DHCP Server reached across the Internet)

DHCP Relay works on this principle: during startup and DHCP initialization, the DHCP Client broadcasts configuration request messages on the local network. If there is a DHCP Server on the local network, DHCP configuration proceeds directly and no DHCP Relay is needed. Otherwise, when a device with DHCP Relay enabled that is connected to the local network receives the messages, it performs the necessary processing and forwards them to the designated DHCP Server on another network. The DHCP Server makes the configuration according to the information from the DHCP Client and sends the configuration result back to the DHCP Client via the DHCP Relay. In practice, several rounds of interaction may be required to dynamically configure a DHCP Client.

4.2 DHCP Public Configuration
DHCP public configurations refer to those configurations suitable for both DHCP server and DHCP Relay. The configuration includes:

- Enable/Disable the DHCP service
- Define the DHCP message handling method
- Enable/Disable pseudo-DHCP server detection

4.2.1 Enable/Disable the DHCP Service
Before you can configure a DHCP server or DHCP relay, you must enable the DHCP service. Only after the service is enabled can other DHCP configurations take effect. Perform the following configuration in system view.

Table 4-1 Enable/Disable the DHCP service
  Operation: Enable the DHCP service
  Command:   dhcp enable
  Operation: Disable the DHCP service
  Command:   undo dhcp enable

By default, the DHCP service is enabled.

4.2.2 Define DHCP Message Handling Method
The switch handles the received DHCP messages destined to it according to the configured DHCP message handling method. Perform the following configuration in VLAN interface view to define how DHCP messages are handled on the current VLAN interface.

Table 4-2 Define DHCP message handling method on the current VLAN interface
  Operation: Send DHCP messages to the local DHCP server, allocating addresses from a global address pool
  Command:   dhcp select global
  Operation: Send DHCP messages to the local DHCP server, allocating addresses from the appropriate VLAN interface address pool
  Command:   dhcp select interface
  Operation: Relay DHCP messages to an external DHCP server for address allocation
  Command:   dhcp select relay
  Operation: Restore the DHCP message handling method to the default
  Command:   undo dhcp select

Perform the following configuration in system view to define how to handle DHCP messages on multiple VLAN interfaces.

Table 4-3 Configure a DHCP message handling method on multiple VLAN interfaces
  Operation: Send DHCP messages to the local DHCP server, allocating addresses from a global address pool
  Command:   dhcp select global { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }
  Operation: Send DHCP messages to the local DHCP server, allocating addresses from the appropriate VLAN interface address pool
  Command:   dhcp select interface { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }
  Operation: Relay DHCP messages to an external DHCP server for address allocation
  Command:   dhcp select relay { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }
  Operation: Restore the DHCP message handling method to the default
  Command:   undo dhcp select { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }

DHCP handling method defaults to global, meaning DHCP messages are sent to the local DHCP server where addresses are to be allocated from a global address pool.

4.2.3 Enable/Disable Pseudo-DHCP Server Detection
On a network, a pseudo-DHCP server is an unauthorized DHCP server. Such a server can communicate with a client requesting an IP address and allocate an incorrect IP address to it, thus preventing the client from accessing the network. With pseudo-DHCP server detection enabled, the switch records DHCP server information such as IP addresses, allowing administrators to discover and deal with pseudo-DHCP servers. Perform the following configuration in system view.

Table 4-4 Enable/Disable pseudo-DHCP server detection
  Operation: Enable pseudo-DHCP server detection
  Command:   dhcp server detect
  Operation: Disable pseudo-DHCP server detection
  Command:   undo dhcp server detect

By default, pseudo-DHCP server detection is disabled.
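The relay principle from 4.1.2 and the pseudo-DHCP server detection from this section (and from 3.2.5), worked through on constructed DHCP packets. This is an added example, not the switch's implementation: it builds RFC 2131 packets with struct, fills giaddr with the VLAN interface address the way a relay does before forwarding the request to the server group, records the Server Identifier (option 54) of every BOOTREPLY it sees, and reports the ones that are not members of the configured group. The addresses 10.110.1.1 and 202.38.1.2 are taken from the chapter 3 example; the client MAC, the offered address and the rogue server 10.110.0.99 are constructed.

```python
import struct
from ipaddress import ip_address

MAGIC = bytes.fromhex("63825363")          # DHCP magic cookie after the 236-byte fixed header
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
DHCP_DISCOVER, DHCP_OFFER = 1, 2


def build_dhcp(op, xid, chaddr, yiaddr="0.0.0.0", giaddr="0.0.0.0", options=()):
    """Constructed test packet: RFC 2131 fixed header, cookie, then (code, value) options."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                        bytes(4), ip_address(yiaddr).packed, bytes(4),
                        ip_address(giaddr).packed, chaddr, b"", b"")
    opts = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC + opts + bytes([OPT_END])


def parse_options(packet):
    """Walk the option TLVs after the cookie; rejects truncated or non-DHCP input."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:                 # pad byte
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")
        opts[packet[i]] = packet[i + 2:i + 2 + packet[i + 1]]
        i += 2 + packet[i + 1]
    return opts


class DhcpRelaySwitch:
    """One VLAN interface of a switch acting as DHCP relay, with pseudo-server detection."""

    def __init__(self, interface_ip, server_group):
        self.interface_ip = interface_ip          # VLAN interface address facing the clients
        self.server_group = set(server_group)     # members of the configured dhcp-server group
        self.seen_servers = {}                    # server id -> number of replies seen

    def relay_request(self, packet):
        """Client -> server: fill giaddr if unset, bump hops, unicast to each group member."""
        if packet[0] != BOOTREQUEST:
            raise ValueError("not a BOOTREQUEST")
        if packet[24:28] == bytes(4):             # giaddr unset: we are the first relay
            packet = packet[:24] + ip_address(self.interface_ip).packed + packet[28:]
        packet = packet[:3] + bytes([packet[3] + 1]) + packet[4:]
        return [(server, packet) for server in sorted(self.server_group)]

    def observe_reply(self, packet):
        """Any BOOTREPLY seen by the switch: record who claims to be the server."""
        if packet[0] != BOOTREPLY:
            return None
        opts = parse_options(packet)
        if OPT_SERVER_ID not in opts:
            return None
        server = str(ip_address(opts[OPT_SERVER_ID]))
        self.seen_servers[server] = self.seen_servers.get(server, 0) + 1
        return server

    def relay_reply(self, packet):
        """Server -> client: giaddr must name this interface, otherwise the reply is dropped."""
        self.observe_reply(packet)
        if str(ip_address(packet[24:28])) != self.interface_ip:
            return None
        return ("vlan-interface", self.interface_ip, str(ip_address(packet[16:20])))

    def pseudo_servers(self):
        """Recorded servers that are not in the configured group: the detection result."""
        return sorted(s for s in self.seen_servers if s not in self.server_group)


def demo():
    relay = DhcpRelaySwitch("10.110.1.1", ["202.38.1.2"])
    client_mac = bytes.fromhex("00e0fc000001")     # constructed
    discover = build_dhcp(BOOTREQUEST, 0x1234, client_mac,
                          options=[(OPT_MSG_TYPE, bytes([DHCP_DISCOVER]))])
    forwarded = relay.relay_request(discover)
    offer = build_dhcp(BOOTREPLY, 0x1234, client_mac, yiaddr="10.110.0.50", giaddr="10.110.1.1",
                       options=[(OPT_MSG_TYPE, bytes([DHCP_OFFER])),
                                (OPT_SERVER_ID, ip_address("202.38.1.2").packed)])
    delivered = relay.relay_reply(offer)
    rogue = build_dhcp(BOOTREPLY, 0x1234, client_mac, yiaddr="192.168.1.7",   # seen on the client VLAN
                       options=[(OPT_MSG_TYPE, bytes([DHCP_OFFER])),
                                (OPT_SERVER_ID, ip_address("10.110.0.99").packed)])
    relay.observe_reply(rogue)
    return forwarded, delivered, relay.pseudo_servers()
```

The rogue offer never passes through relay_reply because its giaddr is zero (it was answered directly on the client VLAN), which is exactly why detection has to look at every BOOTREPLY the switch sees and not only at the ones it relays. The Server Identifier option, not the IP source address, is what identifies the server in a DHCP reply.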

4.3 DHCP Server Configuration
DHCP server configuration includes:
- Create a DHCP global address pool
- Configure the address allocation method for a DHCP address pool
- Configure IP addresses forbidden in automatic allocation
- Configure the IP address lease duration for a DHCP address pool
- Configure the domain name for DHCP clients

- Specify DNS server addresses for DHCP clients
- Specify NetBIOS server addresses for DHCP clients
- Configure the NetBIOS node type of DHCP clients
- Configure a DHCP option
- Configure IP addresses of egress gateways for DHCP clients
- Configure the ping mechanism on the DHCP server

Note: For the sake of convenience, you are allowed to configure some DHCP options specifically for global DHCP address pools, for the DHCP address pool on the current VLAN interface, or for the DHCP address pools on multiple specified VLAN interfaces. Such configurations include the IP address lease duration of a DHCP address pool, the domain name for DHCP clients, the DNS servers for DHCP clients, the NetBIOS servers for DHCP clients, the NetBIOS node type of DHCP clients, and DHCP user-defined options.

4.3.1 Create Global DHCP Address Pool
A DHCP server allocates IP addresses from its address pools. After receiving a DHCP request from a DHCP client, the DHCP server selects an appropriate address pool according to the configuration, picks out a free IP address, and sends it back along with other related parameters (the address lease, for example). A DHCP server can have multiple address pools; at present up to 128 global address pools are supported.

Address pools on DHCP servers form a tree structure, with the natural segment address as the root, subnet addresses as branches, and manually bound client addresses as leaf nodes. This tree structure allows configuration inheritance: subnets inherit the configuration of their natural segments, and clients inherit the configuration of their subnets. Thus, when configuring public parameters such as the domain name, you can configure them on the natural segments or subnets only. You can view the structure of address pools using the display dhcp server tree command; address pools at the same level are displayed in the order in which they were configured.

When configuring a DHCP global address pool, you enter the view of the address pool directly if it already exists; if not, you must create the DHCP address pool first before you can enter its view. Perform the following configuration in system view.

Table 4-5 Create global DHCP address pool
  Operation: Create a DHCP address pool and/or enter the DHCP address pool view
  Command:   dhcp server ip-pool pool-name
  Operation: Delete a DHCP address pool
  Command:   undo dhcp server ip-pool pool-name

By default, no DHCP global address pool is created. Note that the VLAN interface address pool of a VLAN interface is created by the system after you assign a unicast address to the VLAN interface and, in VLAN interface view, specify with the dhcp select interface command that addresses are to be allocated from VLAN interface address pools.

4.3.2 Configure Address Allocation Method for a DHCP Address Pool
You can select static address binding or dynamic address allocation as needed. A global DHCP address pool can be configured with only one of the two methods. An address pool on a VLAN interface, however, can use both, except that when dynamic allocation applies, the address range of the pool is the IP address segment connected to the VLAN interface. Dynamic address allocation requires an address range for allocation, whereas static address bindings can be regarded as a special DHCP address pool containing only the bindings.

I. Configure static address binding for a global DHCP address pool
Some DHCP clients may require fixed IP addresses, that is, IP addresses bound to their MAC addresses. When such a DHCP client requests an IP address, the DHCP server looks up the IP-MAC address bindings it maintains and allocates to the client the IP address bound to its MAC address. At present, each global DHCP address pool supports only one IP-MAC address binding. Perform the following configuration in DHCP address pool view.

Table 4-6 Configure a static address binding for the global DHCP address pool
  Operation: Specify an IP address for the static binding
  Command:   static-bind ip-address ip-address [ mask netmask ]
  Operation: Delete the IP address in the static binding
  Command:   undo static-bind ip-address
  Operation: Specify a client MAC address for the static binding
  Command:   static-bind mac-address mac-address
  Operation: Delete the client MAC address in the static binding
  Command:   undo static-bind mac-address

By default, no static address binding is configured for any global DHCP address pool.

Note: The static-bind ip-address command must be used along with the static-bind mac-address command. If you use the command repeatedly, the new configuration will overwrite the previous one.

II. Configure static address binding for a VLAN interface address pool
Perform the following configuration in VLAN interface view. Each VLAN interface address pool supports multiple IP-MAC address bindings.

Table 4-7 Configure static address binding for the VLAN interface address pool
  Operation: Configure a static address binding in the current VLAN interface address pool
  Command:   dhcp server static-bind ip-address ip-address mac-address mac-address
  Operation: Delete the static address binding in the current VLAN interface address pool
  Command:   undo dhcp server static-bind { ip-address ip-address | mac-address mac-address }

By default, no static address binding is configured for any VLAN interface address pool.

III. Configure dynamic address allocation
To dynamically allocate addresses to clients (including permanent and temporary leases) from an address pool, you must assign an address range to the pool. Perform the following configuration in DHCP address pool view.

Table 4-8 Configure an IP address range for dynamic allocation
  Operation: Configure an IP address range for dynamic allocation
  Command:   network ip-address [ mask netmask ]
  Operation: Delete the IP address range for dynamic allocation
  Command:   undo network

By default, no IP address range is configured for dynamic allocation. Each DHCP address pool can have only one network segment. If an address pool already has a segment, the new one configured with the network command replaces the old one.

4.3.3 Configure IP Addresses Forbidden in Automatic Allocation
When configuring address allocation on the DHCP server, you should exclude the IP addresses already in use, such as those of the gateway and the FTP server, to avoid the address conflicts that result from allocating one IP address to two hosts.

Perform the following configuration in system view.

Table 4-9 Configure IP addresses forbidden in automatic allocation
  Operation: Configure IP addresses forbidden in automatic allocation
  Command:   dhcp server forbidden-ip low-ip-address [ high-ip-address ]
  Operation: Cancel the configuration of IP addresses forbidden in automatic allocation
  Command:   undo dhcp server forbidden-ip low-ip-address [ high-ip-address ]

By default, all addresses in a DHCP address pool participate in automatic allocation. Using this command repeatedly, you can exclude multiple IP address ranges from automatic allocation.

4.3.4 Configure IP Address Lease Duration for a DHCP Address Pool
A DHCP server can assign different lease duration to an address pool, but this duration applies to all the addresses in this address pool.

I. Configure lease duration for a global DHCP address pool
Perform the following configuration in DHCP address pool view.

Table 4-10 Configure IP address lease duration for the global DHCP address pool
  Operation: Configure the IP address lease duration for the global DHCP address pool
  Command:   expired { day day [ hour hour [ minute minute ] ] | unlimited }
  Operation: Restore the IP address lease duration of the DHCP address pool to the default
  Command:   undo expired

II. Configure lease duration for the DHCP address pool on a VLAN interface
Perform the following configuration in VLAN interface view.

Table 4-11 Configure IP address lease duration for the DHCP address pool on the current interface
  Operation: Configure the IP address lease duration for the DHCP address pool on the current VLAN interface
  Command:   dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited }
  Operation: Restore the IP address lease duration for the DHCP address pool on the current interface to the default
  Command:   undo dhcp server expired

III. Configure lease duration for multiple VLAN interface DHCP address pools
Perform the following configuration in system view.
Table 4-12 Configure IP address lease duration for multiple VLAN interface DHCP address pools
  Operation: Configure the IP address lease duration for multiple VLAN interface DHCP address pools
  Command:   dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited } { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }
  Operation: Restore the IP address lease duration of the DHCP address pools on multiple VLAN interfaces to the default
  Command:   undo dhcp server expired { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }

By default, an IP address lease lasts one day, regardless of whether the address pool is global or on a VLAN interface.

4.3.5 Configure DHCP Client Domain Name
On a DHCP server, you can associate a client domain name with each address pool.

I. Configure client domain name in a global DHCP address pool
Perform the following configuration in DHCP address pool view.

Table 4-13 Configure client domain name in the global DHCP address pool
  Operation: Configure the client domain name in the global DHCP address pool
  Command:   domain-name domain-name
  Operation: Delete the domain name configuration of the global DHCP address pool
  Command:   undo domain-name

II. Configure client domain name in the DHCP address pool on the current VLAN interface
Perform the following configuration in VLAN interface view.

Table 4-14 Configure client domain name in the DHCP address pool on the current VLAN interface
  Operation: Configure the domain name to be allocated to the clients using the DHCP address pool on the current VLAN interface
  Command:   dhcp server domain-name domain-name
  Operation: Delete the domain name configuration of the DHCP address pool on the current VLAN interface
  Command:   undo dhcp server domain-name

III. Configure client domain name in multiple VLAN interface DHCP address pools
Perform the following configuration in system view.

Table 4-15 Configure client domain name in multiple VLAN interface DHCP address pools
  Operation: Configure the domain name to be allocated to the clients using the DHCP address pools on multiple VLAN interfaces
  Command:   dhcp server domain-name domain-name { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }
  Operation: Delete the domain name configuration of the DHCP address pools on multiple VLAN interfaces
  Command:   undo dhcp server domain-name domain-name { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }

By default, no DHCP client domain name is configured in any global or VLAN interface address pool. If you configure the domain name several times, the latest domain name replaces the previous one.

4.3.6 Configure DNS Server Addresses for DHCP Clients
When a host accesses the Internet using domain names, a domain name system (DNS) resolves the domain names to IP addresses. To ensure that the host can access the Internet successfully, the DHCP server should also specify a DNS server address for the client when allocating an IP address to it. At present, each DHCP address pool can have up to eight DNS server addresses.

I. Configure DNS server addresses in a global DHCP address pool
Perform the following configuration in DHCP address pool view.

Table 4-16 Assign DNS server addresses to the global DHCP address pool
  Operation: Assign DNS server addresses to the global DHC

P address pool
  Command:   dns-list ip-address [ ip-address ]
  Operation: Remove one or all DNS server addresses from the global DHCP address pool
  Command:   undo dns-list { ip-address | all }

II. Configure DNS server addresses in the DHCP address pool on the current VLAN interface
Perform the following configuration in VLAN interface view.

Table 4-17 Assign DNS server addresses to the DHCP address pool on the current VLAN interface
  Operation: Assign DNS server addresses to the DHCP address pool on the current VLAN interface
  Command:   dhcp server dns-list ip-address [ ip-address ]
  Operation: Remove one or all DNS server addresses from the DHCP address pool on the current VLAN interface
  Command:   undo dhcp server dns-list { ip-address | all }

III. Configure DNS server addresses in multiple VLAN interface DHCP address pools
Perform the following configuration in system view.

Table 4-18 Configure DNS server addresses in DHCP address pools on multiple VLAN interfaces
  Operation: Assign DNS server addresses to the DHCP address pools on multiple VLAN interfaces
  Command:   dhcp server dns-list ip-address [ ip-address ] { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }
  Operation: Remove one or all DNS server addresses from the DHCP address pools on multiple VLAN interfaces
  Command:   undo dhcp server dns-list { ip-address | all } { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }

By default, no DNS server address is assigned to any global or VLAN interface address pool. If you configure the DNS server list several times, the latest DNS server list replaces the previous one.

4.3.7 Configure NetBIOS Server Addresses for DHCP Clients
For a client running a Microsoft operating system, a Windows Internet Naming Service (WINS) server resolves its hostname to an IP address if the client communicates through the NetBIOS protocol. Therefore, the WINS setting is required on most clients running Windows. At present, each DHCP address pool can contain up to eight NetBIOS server addresses.

I. Configure NetBIOS server addresses in a global DHCP address pool
Perform the following configuration in DHCP address pool view.

Table 4-19 Configure NetBIOS server addresses in the global DHCP address pool
  Operation: Configure NetBIOS server addresses in the global DHCP address pool
  Command:   nbns-list ip-address [ ip-address ]
  Operation: Remove one or all NetBIOS server addresses from the global DHCP address pool
  Command:   undo nbns-list { ip-address | all }

II. Configure NetBIOS server addresses in the DHCP address pool on the current VLAN interface
Perform the following configuration in VLAN interface view.

Table 4-20 Configure NetBIOS server addresses in the DHCP address pool on the current VLAN interface
  Operation: Configure NetBIOS server addresses in the DHCP address pool on the current VLAN interface
  Command:   dhcp server nbns-list ip-address [ ip-address ]
  Operation: Remove one or all NetBIOS server addresses from the DHCP address pool on the current VLAN interface
  Command:   undo dhcp server nbns-list { ip-address | all }

III. Configure NetBIOS server addresses in multiple VLAN interface DHCP address pools
Perform the following configuration in system view.

Table 4-21 Configure NetBIOS server addresses in multiple VLAN interface DHCP address pools

Operation: Configure NetBIOS server addresses in DHCP address pools on multiple VLAN interfaces
Command: dhcp server nbns-list ip-address [ ip-address ] { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }

Operation: Remove one or all NetBIOS server addresses from DHCP address pools on multiple VLAN interfaces
Command: undo dhcp server nbns-list { ip-address | all } { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }

By default, no NetBIOS server address is assigned to any global or VLAN interface address pool. If you configure the NetBIOS server list multiple times, the latest NetBIOS server list replaces the previous one.

4.3.8 Define NetBIOS Node Type of DHCP Clients
When a DHCP client uses the NetBIOS protocol to communicate over a Wide Area Network (WAN), its hostname must be mapped to an IP address. Depending on how the mapping is established, NetBIOS nodes fall into the following four categories:
b-nodes, where "b" stands for broadcast. Such nodes get mapped through broadcast.
p-nodes, where "p" stands for peer-to-peer. Such nodes get mapped by communicating with the NetBIOS server.
m-nodes, where "m" stands for mixed. Such nodes are p-nodes with the broadcast feature.
h-nodes, where "h" stands for hybrid. Such nodes are b-nodes with the peer-to-peer communication mechanism.

I. Configure NetBIOS node type of clients in a global DHCP address pool
Perform the following configuration in DHCP address pool view.

Table 4-22 Configure NetBIOS node type of clients in the global DHCP address pool

Operation: Configure NetBIOS node type of clients in the global DHCP address pool
Command: netbios-type { b-node | h-node | m-node | p-node }

Operation: Delete the NetBIOS node type configuration of clients in the global DHCP address pool
Command: undo netbios-type { b-node | h-node | m-node | p-node }

II. Configure NetBIOS node type of clients in the DHCP address pool on the current VLAN interface
Perform the following configuration in VLAN interface view.

Table 4-23 Configure NetBIOS node type of clients in the DHCP address pool on the current VLAN interface

Operation: Configure NetBIOS node type of clients in the DHCP address pool on the current VLAN interface
Command: dhcp server netbios-type { b-node | h-node | m-node | p-node }

Operation: Delete the configuration of the NetBIOS node type of clients in the DHCP address pool on the current VLAN interface
Command: undo dhcp server netbios-type { b-node | h-node | m-node | p-node }

III. Configure NetBIOS node type of clients in multiple VLAN interface DHCP address pools
Perform the following configuration in system view.

Table 4-24 Configure NetBIOS node type of clients in DHCP address pools on multiple VLAN interfaces

Operation: Configure NetBIOS node type of clients in DHCP address pools on multiple VLAN interfaces
Command: dhcp server netbios-type { b-node | h-node | m-node | p-node } { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }

Operation: Delete the configuration of NetBIOS node type of clients in DHCP address pools on multiple VLAN interfaces
Command: undo dhcp server netbios-type { b-node | h-node | m-node | p-node } { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }

For both global and VLAN interface address pools, NetBIOS node type of clients defaults to h-node.

4.3.9 Configure a DHCP Option
New configurable DHCP options may emerge as the result of DHCP development. You can support these options by manually adding them into the attribute list maintained by the DHCP server.

I. Configure a DHCP option for a global DHCP address pool
Perform the following configuration in DHCP address pool view.

Table 4-25 Configure a DHCP option for the global DHCP address pool

Operation: Configure a DHCP option for the global DHCP address pool
Command: option code { ascii ascii-string | hex hex-string | ip-address ip-address [ ip-address ] }

Operation: Delete a DHCP option of the global DHCP address pool
Command: undo option code

II. Configure a DHCP option for the DHCP address pool on the current VLAN interface
Perform the following configuration in VLAN interface view.

Table 4-26 Configure a DHCP option for the DHCP address pool on the current VLAN interface

Operation: Configure a DHCP option in the DHCP address pool on the current VLAN interface
Command: dhcp server option code { ascii ascii-string | hex hex-string | ip-address ip-address [ ip-address ] }

Operation: Delete a DHCP option of the DHCP address pool on the current VLAN interface
Command: undo dhcp server option code

III. Configure a DHCP option for DHCP address pools on multiple VLAN interfaces
Perform the following configuration in system view.

Table 4-27 Configure a DHCP option for DHCP address pools on multiple VLAN interfaces

Operation: Configure a DHCP option for DHCP address pools on multiple VLAN interfaces
Command: dhcp server option code { ascii ascii-string | hex hex-string | ip-address ip-address [ ip-address ] } { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }

Operation: Delete a DHCP option of DHCP address pools on multiple VLAN interfaces
Command: undo dhcp server option code { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }

If you configure a DHCP option multiple times, the latest configuration replaces the previous one.

4.3.10 Configure IP Addresses of Egress Gateways for DHCP clients
When a DHCP client accesses a server or host beyond the local network segment, its data must be forwarded by its egress gateway. Currently, each DHCP address pool can contain up to eight egress gateway addresses.

Perform the following configuration in DHCP address pool view.

Table 4-28 Configure a list of egress gateway addresses for DHCP clients

Operation: Configure IP addresses of egress gateways for DHCP clients
Command: gateway-list ip-address [ ip-address ]

Operation: Remove the IP address of one or all egress gateways for clients
Command: undo gateway-list { ip-address | all }

By default, no egress gateway is configured for DHCP clients. If the egress gateway list is configured multiple times, the latest list replaces the previous one.
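The pool attributes configured in 4.3.6 through 4.3.10 reach the client as DHCP options in the offer and acknowledgement messages. The Python example below is added here and is not code from the manual or from the switch software: it encodes the attributes of address pool 2 from the configuration example in 4.6 (DNS 10.1.1.2, NetBIOS 10.1.1.4, egress gateway 10.1.1.254, domain name domain.com, 5-day lease, node type at its h-node default) into RFC 2132 option framing and parses the result back. The option codes and the node-type values 1/2/4/8 are RFC 2132's; the eight-address cap is this manual's; the custom option 150 carrying 10.1.1.10, standing in for the `option code ip-address` form, is a constructed sample. The parser refuses truncated options instead of reading past the buffer, which is the check a receiver of untrusted option fields needs.

```python
import ipaddress
import struct

# RFC 2132 option codes that carry the pool attributes of 4.3.6 to 4.3.10
OPT_ROUTER, OPT_DNS, OPT_DOMAIN, OPT_NBNS, OPT_NB_NODE_TYPE, OPT_LEASE = 3, 6, 15, 44, 46, 51
OPT_PAD, OPT_END = 0, 255
MAX_ADDRS = 8   # the manual: at most eight DNS, NetBIOS or gateway addresses per pool
NODE_TYPE = {"b-node": 0x01, "p-node": 0x02, "m-node": 0x04, "h-node": 0x08}  # option 46 values


def ip_list(addrs):
    """Concatenated 4-byte addresses, the wire form of dns-list / nbns-list / gateway-list."""
    if len(addrs) > MAX_ADDRS:
        raise ValueError("at most eight addresses per list")
    return b"".join(ipaddress.IPv4Address(a).packed for a in addrs)


def option_value(kind, *args):
    """Value bytes for the three forms of 'option code { ascii | hex | ip-address }'."""
    if kind == "ascii":
        return args[0].encode("ascii")
    if kind == "hex":
        return bytes.fromhex(args[0])
    if kind == "ip-address":
        return ip_list(args)
    raise ValueError(f"unknown option form {kind!r}")


def encode_option(code, value):
    """One option on the wire: code byte, length byte, value."""
    if not 1 <= code <= 254:
        raise ValueError("option code must be 1..254 (0 is PAD, 255 is END)")
    if len(value) > 255:
        raise ValueError("value does not fit the one-byte length field")
    return bytes([code, len(value)]) + value


def build_pool_options(gateways=(), dns=(), domain=None, nbns=(), node_type=None,
                       lease_seconds=None, extra=()):
    """Options field for one address pool; `extra` holds (code, value) pairs from 'option code'."""
    out = bytearray()
    if gateways:
        out += encode_option(OPT_ROUTER, ip_list(gateways))
    if dns:
        out += encode_option(OPT_DNS, ip_list(dns))
    if domain:
        out += encode_option(OPT_DOMAIN, domain.encode("ascii"))
    if nbns:
        out += encode_option(OPT_NBNS, ip_list(nbns))
    if node_type:
        out += encode_option(OPT_NB_NODE_TYPE, bytes([NODE_TYPE[node_type]]))
    if lease_seconds is not None:
        out += encode_option(OPT_LEASE, struct.pack("!I", lease_seconds))
    for code, value in extra:
        out += encode_option(code, value)
    out.append(OPT_END)
    return bytes(out)


def parse_options(data):
    """Decode code/length/value triples into {code: value}; reject truncated input rather
    than reading past it, which is the usual defect in hand-written option parsers."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError(f"option {code}: length byte missing")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: value truncated")
        opts[code] = value
        i += 2 + length
    raise ValueError("END option missing")


def pool2_options():
    """Address pool 2 of the example in 4.6 (node type left at its h-node default), plus a
    constructed 'option 150 ip-address 10.1.1.10' to show the custom-option form."""
    return build_pool_options(gateways=["10.1.1.254"], dns=["10.1.1.2"], domain="domain.com",
                              nbns=["10.1.1.4"], node_type="h-node", lease_seconds=5 * 24 * 3600,
                              extra=[(150, option_value("ip-address", "10.1.1.10"))])
```

Feeding `pool2_options()` through `parse_options` gives back option 46 as the single byte 0x08 (h-node), option 51 as 432000 seconds, and the address lists as packed 4-byte addresses; feeding it a buffer cut off inside an option raises instead of returning partial data.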

4.3.11 Configure the Ping Mechanism on DHCP Server
To prevent IP address conflicts, the DHCP server checks whether an address is already in use before allocating it to a client. The server pings the address and waits the specified time for a response. If no response arrives before the timeout, the server pings again. If there is still no response after the allowed number of ping attempts, the server concludes that no device on the local segment is using the IP address and can allocate it without creating a duplicate.

Perform the following configuration in system view.

Table 4-29 Configure the ping mechanism on DHCP server

Operation: Configure the maximum number of ping packets that the DHCP server can send
Command: dhcp server ping packets number

Operation: Restore the default maximum number of ping packets that the DHCP server can send
Command: undo dhcp server ping packets

Operation: Configure the time limit for the DHCP server to receive a ping response
Command: dhcp server ping timeout milliseconds

Operation: Restore the default time limit for the DHCP server to receive a ping response
Command: undo dhcp server ping timeout

By default, the DHCP server sends up to two ping packets and waits 500 milliseconds for each response. DHCP servers check for address conflicts by sending ping packets, whereas DHCP clients do so by sending ARP packets.
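As an added illustration, not code from the manual or the switch, the Python model below reproduces the allocation rule just described: an address is handed out only after the configured number of ping probes all go unanswered within the timeout, an address that answers is recorded as a conflict, and forbidden addresses are skipped. The LAN segment is stood in for by a constructed responder that states on which probe each host starts answering, so the example also shows why the retry count matters: a host that misses the first probe is caught with the default two packets but handed out again with one. The defaults (2 packets, 500 ms) are the manual's; the network 10.1.1.0/25 and the forbidden addresses are taken from the example in 4.6 with the interface address 10.1.1.1 added; the MAC addresses and the hosts 10.1.1.3 and 10.1.1.6 are constructed.

```python
import ipaddress


class ProbeResponder:
    """Constructed stand-in for the LAN segment: `answers_on` maps an address in use
    to the ping attempt from which its host answers (real hosts can miss a probe)."""

    def __init__(self, answers_on):
        self.answers_on = answers_on
        self.attempts = {}

    def __call__(self, ip, timeout_ms):
        n = self.attempts.get(ip, 0) + 1
        self.attempts[ip] = n
        return ip in self.answers_on and n >= self.answers_on[ip]


class DhcpPool:
    """Model of the server-side conflict check; defaults are the manual's (2 pings, 500 ms)."""

    def __init__(self, network, forbidden=(), packets=2, timeout_ms=500, probe=None):
        self.network = ipaddress.IPv4Network(network)
        self.forbidden = {ipaddress.IPv4Address(a) for a in forbidden}  # dhcp server forbidden-ip
        self.packets = packets                                          # dhcp server ping packets
        self.timeout_ms = timeout_ms                                    # dhcp server ping timeout
        self.probe = probe or (lambda ip, t: False)
        self.in_use = {}        # ip -> client MAC  (display dhcp server ip-in-use)
        self.conflicts = []     # ips that answered (display dhcp server conflict)
        self.pings_sent = 0

    def _answered(self, ip):
        """Ping up to `packets` times, each with the configured timeout; stop at the first reply."""
        for _ in range(self.packets):
            self.pings_sent += 1
            if self.probe(str(ip), self.timeout_ms):
                return True
        return False

    def allocate(self, client_mac):
        """Lowest free host address that is not forbidden, not leased and not in conflict."""
        for ip in self.network.hosts():
            if ip in self.forbidden or ip in self.in_use or str(ip) in self.conflicts:
                continue
            if self._answered(ip):
                self.conflicts.append(str(ip))  # some device on the segment is using it
                continue
            self.in_use[ip] = client_mac
            return str(ip)
        return None  # pool exhausted


def scenario(packets=2):
    """Pool 1 of the example in 4.6 on a segment where 10.1.1.3 answers at once and
    10.1.1.6 answers only from the second probe on (both constructed)."""
    lan = ProbeResponder({"10.1.1.3": 1, "10.1.1.6": 2})
    pool = DhcpPool("10.1.1.0/25",
                    forbidden=["10.1.1.1", "10.1.1.2", "10.1.1.4", "10.1.1.126"],
                    packets=packets, probe=lan)
    first = pool.allocate("00e0-fc00-0001")
    second = pool.allocate("00e0-fc00-0002")
    return first, second, pool.conflicts, pool.pings_sent
```

With the default two packets, `scenario()` leases 10.1.1.5 and 10.1.1.7 and lists both live hosts as conflicts after seven probes; with `scenario(1)` the slow host 10.1.1.6 is leased to the second client, which is exactly the "dynamic IP address conflict presented at a client" fault of section 4.7.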

4.4 DHCP Relay Configuration
DHCP Relay configuration includes:
Configure the DHCP servers to which the received packets are relayed
Distribute load among DHCP servers
Release client IP addresses through DHCP Relay
Configure address map entry for security check
Enable/Disable the DHCP security feature on VLAN interface

4.4.1 Configure the DHCP Servers to Which the Received Packets Are Relayed
To use the DHCP Relay function on a specified VLAN interface, you need to configure DHCP server addresses to which the DHCP packets received on the interface can be relayed. Each VLAN interface can provide the relay service for up to 20 DHCP servers.

I. Configure DHCP server address to which the current VLAN interface relays packets
Perform the following configuration in VLAN interface view.

Table 4-30 Configure DHCP server address to which the current VLAN interface relays packets

Operation: Configure DHCP server address to which the current VLAN interface relays packets
Command: ip relay address ip-address

Operation: Remove one or all the DHCP server addresses to which the current VLAN interface relays packets
Command: undo ip relay address { ip-address | all }

II. Configure DHCP server address to which the specified multiple VLAN interfaces relay packets
Perform the following configuration in system view.

Table 4-31 Configure DHCP server address to which the specified multiple VLAN interfaces relay packets

Operation: Configure DHCP server address to which the specified multiple VLAN interfaces relay packets
Command: ip relay address ip-address { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }

Operation: Remove one or all the DHCP server addresses to which the specified multiple VLAN interfaces relay packets
Command: undo ip relay address { ip-address | all } { interface vlan-interface vlan_id [ to vlan-interface vlan_id ] | all }

4.4.2 Distribute Load among DHCP Servers
When multiple DHCP servers are configured for a DHCP Relay, the relay can distribute the requests from DHCP clients among them by polling, thus sharing the load.

Perform the following configuration in system view.

Table 4-32 Distribute the load among DHCP servers

Operation: Distribute the load among DHCP servers
Command: ip relay address cycle

Operation: Disable load sharing among DHCP servers
Command: undo ip relay address cycle

By default, DHCP servers do not share the load and all the requests from DHCP clients are to be handled by the DHCP server configured first.

4.4.3 Release Client IP Address through DHCP Relay
Sometimes you may need to manually release the IP address allocated to a client through the DHCP Relay.

Perform the following configuration in VLAN interface view or system view.

Table 4-33 Release client IP address by the DHCP Relay

Operation: Request the DHCP server to release a client IP address
Command: dhcp relay release client-ip mac-address [ server-ip ]

If no DHCP server is specified, the release request is sent to all DHCP servers when the command is executed in system view, but only to the DHCP servers of the current VLAN interface when it is executed in VLAN interface view.

4.4.4 Configure Address Map Entry for Security Check
For a valid user with a fixed IP address in a VLAN configured with DHCP Relay to pass the address validity check of the DHCP security feature, you must add a static address entry that records the correspondence between the IP address and the MAC address. If an illegal user then configures a static IP address that conflicts with the fixed IP address of the valid user, the switch with DHCP Relay enabled can identify the valid user and reject the illegal user's request to bind that IP address to its MAC address.

Perform the following configuration in system view.

Table 4-34 Configure Address Map Entry for Security Check

Operation: Add an address map entry for security check
Command: dhcp relay security ip_address mac_address static

Operation: Delete an address map entry for security check
Command: undo dhcp relay security ip_address

4.4.5 Enable/Disable DHCP Security Feature on VLAN Interface
Enabling the DHCP security feature enables address checking on the VLAN interface; disabling it cancels address checking.

Perform the following configuration in VLAN interface view.

Table 4-35 Enable/Disable the DHCP security feature on the VLAN interface

Operation: Enable the DHCP security feature on the VLAN interface
Command: dhcp relay security address-check enable

Operation: Disable the DHCP security feature on the VLAN interface
Command: dhcp relay security address-check disable

By default, the DHCP security feature is disabled on the switch.
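The following Python model is an added example, not switch code; it ties together the relay behaviour of 4.4.1 to 4.4.5: per-VLAN-interface server lists capped at 20, selection of the first server or polling of all of them depending on the cycle setting, static IP-to-MAC map entries, bindings learned from relayed replies, and the address check applied only on VLAN interfaces where it has been enabled. The server 202.38.1.2 and VLAN 2 come from the example in 4.6.2; the second server 202.38.1.3, the clients 10.110.0.10 and 10.110.0.20 and all MAC addresses are constructed.

```python
from collections import defaultdict

MAX_RELAY_SERVERS = 20   # "Each VLAN interface can provide the relay service for up to 20 DHCP servers"


class DhcpRelay:
    """Constructed model of the DHCP Relay behaviour described in 4.4; not switch code."""

    def __init__(self):
        self.servers = defaultdict(list)   # vlan_id -> [server ip]      (ip relay address)
        self.cycle = False                 # ip relay address cycle
        self._next = defaultdict(int)      # vlan_id -> polling position
        self.static = {}                   # ip -> mac  (dhcp relay security ip mac static)
        self.dynamic = {}                  # ip -> mac learned from relayed DHCP replies
        self.address_check = set()         # VLAN ids with address-check enable

    def add_server(self, vlan_id, ip):
        lst = self.servers[vlan_id]
        if ip in lst:
            return
        if len(lst) >= MAX_RELAY_SERVERS:
            raise ValueError(f"VLAN interface {vlan_id} already has {MAX_RELAY_SERVERS} servers")
        lst.append(ip)

    def pick_server(self, vlan_id):
        """Without 'cycle' every request goes to the server configured first;
        with it, requests are handed round the list in turn."""
        lst = self.servers.get(vlan_id, [])
        if not lst:
            return None
        if not self.cycle:
            return lst[0]
        i = self._next[vlan_id] % len(lst)
        self._next[vlan_id] = i + 1
        return lst[i]

    def add_static(self, ip, mac):
        """Fixed-address user: the entry that lets it pass the check (4.4.4)."""
        self.static[ip] = mac.lower()

    def learn_binding(self, ip, mac):
        """Record the IP/MAC pair from a relayed DHCP acknowledgement. A static entry for the
        IP wins: a different MAC asking for that address is the illegal user of 4.4.4."""
        mac = mac.lower()
        if ip in self.static and self.static[ip] != mac:
            return False
        self.dynamic[ip] = mac
        return True

    def check_packet(self, vlan_id, ip, mac):
        """Address validity check for a client packet arriving on the VLAN interface."""
        if vlan_id not in self.address_check:
            return True   # feature disabled (the default): nothing is checked
        bound = self.static.get(ip) or self.dynamic.get(ip)
        return bound == mac.lower()


def relay_from_example():
    """The relay of 4.6.2 with a constructed second server and one static map entry,
    address checking enabled on VLAN interface 2."""
    relay = DhcpRelay()
    relay.add_server(2, "202.38.1.2")                  # from the manual's example
    relay.add_server(2, "202.38.1.3")                  # constructed second server
    relay.add_static("10.110.0.10", "00e0-fc00-0001")  # constructed fixed-address user
    relay.address_check.add(2)                         # dhcp relay security address-check enable
    return relay
```

Two points the model makes visible: the check is a per-VLAN-interface switch, so a packet on an interface without address-check enabled passes even with a wrong MAC; and a static entry cannot be overwritten by a later dynamic binding, which is what protects the fixed-address user.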

4.5 Display and Debug DHCP
After the above configuration, execute the display command in any view to display the running DHCP configuration and verify the effect of the configuration. Execute the reset command to clear DHCP-related information and the debugging command to debug DHCP.

Table 4-36 Display and debug DHCP

Operation: View available addresses in DHCP address pools
Command: display dhcp server free-ip

Operation: View information of DHCP address conflicts
Command: display dhcp server conflict { all | ip ip-address }

Operation: View expired leases in DHCP address pools
Command: display dhcp server expired { ip ip-address | pool [ pool-name ] | interface [ vlan-interface vlan_id ] | all }

Operation: View address bindings in DHCP address pools
Command: display dhcp server ip-in-use { ip ip-address | pool [ pool-name ] | interface [ vlan-interface vlan_id ] | all }

Operation: View statistics about DHCP server
Command: display dhcp server statistics

Operation: View tree structure of DHCP address pools
Command: display dhcp server tree { pool [ pool-name ] | interface [ vlan-interface vlan_id ] | all }

Operation: View DHCP relay information
Command: display dhcp relay statistics

Operation: View address configurations on VLAN interfaces for DHCP relay
Command: display dhcp relay address [ interface vlan-interface vlan_id | all ]

Operation: View secure address map information in DHCP relay
Command: display dhcprelay-security [ ip-address ]

Operation: Clear address bindings
Command: reset dhcp server ip-in-use { all | interface [ vlan-interface vlan_id ] | ip ip-address | pool [ pool-name ] }

Operation: Clear statistics about address conflicts
Command: reset dhcp server conflict { ip ip-address | all }

Operation: Clear statistics related to DHCP servers
Command: reset dhcp server statistics

Operation: Clear statistics related to DHCP relay
Command: reset dhcp relay statistics

Operation: Disable/Enable DHCP server debugging
Command: [ undo ] debugging dhcp server { all | error | event | packet }

Operation: Disable/Enable DHCP relay debugging
Command: [ undo ] debugging dhcp relay { error | event | packet [ client mac mac-address ] }

4.6 DHCP Configuration Example
4.6.1 DHCP Server Configuration Example
There are two types of networking for DHCP: one is that a DHCP server and its clients are on the same subnet and can directly interact; the other is that the DHCP server and its clients are on different subnets and thus must allocate/obtain IP addresses through a DHCP Relay. Despite such differences, DHCP is configured in the same way.

I. Networking requirement
DHCP Server dynamically allocates IP addresses to the DHCP clients on the same subnet. The address pool segment 10.1.1.0/24 is divided into two sub-segments: 10.1.1.0/25 and 10.1.1.128/25. The addresses of the two VLAN interfaces on DHCP Server are 10.1.1.1/25 and 10.1.1.129/25. In the segment 10.1.1.0/25, addresses can be leased for up to 10 days and 12 hours, domain name is domain.com, DNS address is 10.1.1.2, no NetBIOS is configured, and the egress gateway address is 10.1.1.126. In the segment 10.1.1.128/25, addresses can be leased for up to 5 days, domain name is domain.com, DNS address is 10.1.1.2, NetBIOS address is 10.1.1.4, and egress gateway address is 10.1.1.254.

II. Networking diagram

(Figure not reproduced: LAN Switch A acting as DHCP Server and LAN Switch B, each with several clients attached, together with a NetBIOS Server and a DNS Server on the same subnet.)

Figure 4-3 DHCP Server and clients on the same subnet

III. Configuration procedure
# Enable the DHCP service.
[Quidway] dhcp enable
# Configure IP addresses forbidden in automatic address allocation (including the addresses of the DNS server, NetBIOS server and egress gateway).
[Quidway] dhcp server forbidden-ip 10.1.1.2
[Quidway] dhcp server forbidden-ip 10.1.1.4
[Quidway] dhcp server forbidden-ip 10.1.1.254
# Configure public attributes of DHCP address pool 0 (address pool range, domain name, and DNS address).
[Quidway] dhcp server ip-pool 0
[Quidway-dhcp-0] network 10.1.1.0 mask 255.255.255.0
[Quidway-dhcp-0] domain-name domain.com
[Quidway-dhcp-0] dns-list 10.1.1.2
# Configure attributes of DHCP address pool 1 (address pool range, egress gateway address, and address lease).
[Quidway] dhcp server ip-pool 1
[Quidway-dhcp-1] network 10.1.1.0 mask 255.255.255.128
[Quidway-dhcp-1] gateway-list 10.1.1.126
[Quidway-dhcp-1] expired day 10 hour 12
# Configure attributes of DHCP address pool 2 (address pool range, egress gateway address, NetBIOS address, and address lease).
[Quidway] dhcp server ip-pool 2
[Quidway-dhcp-2] network 10.1.1.128 mask 255.255.255.128
[Quidway-dhcp-2] expired day 5
[Quidway-dhcp-2] nbns-list 10.1.1.4
[Quidway-dhcp-2] gateway-list 10.1.1.254

4.6.2 DHCP Relay Configuration Example
I. Networking requirement
The segment address for DHCP Client is 10.110.0.0, which is connected to a port in the VLAN2 on the switch. The IP address of DHCP Server is 202.38.1.2. The DHCP packets should be forwarded via the switch with DHCP Relay enabled. DHCP Client can get IP address and other configuration information from DHCP Server. Configure an IP address pool on the DHCP Server and assign the network segment 10.110.0.0 to the pool for allocating IP addresses to the DHCP clients on this segment. In addition, configure a route for the DHCP Server to reach the segment 10.110.0.0.

II. Networking diagram

(Figure not reproduced: DHCP clients on Ethernet segment 10.110.0.0 attach to the switch, acting as DHCP Relay, at its VLAN interface 10.110.1.1; the switch reaches the DHCP Server 202.38.1.2 on Ethernet segment 202.38.0.0 through its interface 202.38.1.1 across the Internet.)

Figure 4-4 Networking application of DHCP relay

III. Configuration procedure
Configure DHCP Relay:
# Enable the DHCP service.
[Quidway] dhcp enable
# Enable DHCP Relay to relay DHCP messages to an external DHCP server for address allocation.
[Quidway] interface vlan 2
[Quidway-Vlan-interface2] dhcp select relay
# Assign to VLAN interface 2 an IP address in the same network segment where the DHCP clients reside.
[Quidway-Vlan-interface2] ip address 10.110.1.1 255.255.0.0
# Configure on VLAN interface 2 the DHCP server address to which DHCP messages are to be relayed.
[Quidway-Vlan-interface2] ip relay-address 202.38.1.2

To enable the DHCP clients to obtain IP addresses from the DHCP server, you still need to make more configurations on the DHCP server. These configurations vary by DHCP server device and are beyond the scope of this manual.

4.7 DHCP Troubleshooting
I. DHCP server
Fault: Dynamic IP address conflict presented at a client.
Troubleshooting:
Check for a host using the IP address by pinging the address several times at relatively long intervals. If such a host exists, forbid the IP address in automatic allocation by using the dhcp server forbidden-ip command.
At the client, you can release the current dynamic IP address by executing the ipconfig/release_all command in DOS or [winipcfg/Release] in the GUI, and then request a new one by executing the ipconfig/renew_all command or [winipcfg/Update].

II. DHCP relay
Fault: DHCP clients could not obtain configuration information.
Troubleshooting: Check that:
An address pool with the network segment where the DHCP clients reside is available on the DHCP server;
Routes are available on both the DHCP Relay-enabled network device (a switch, for example) and the DHCP server so that they can reach each other;
The correct IP relay address is configured on the VLAN interface connected to the network segment where the DHCP clients reside, and no conflict arises from the existence of multiple IP relay addresses.

Chapter 5 Access Management Configuration

Note: In the S3500 series, the S3526/S3526 FM/S3526 FS/S3526E/S3526C switches support the features in this chapter.

5.1 Access Management Overview
One typical Ethernet access networking scenario is that users access an external network through Ethernet switches. In this case, the external network is connected to the Ethernet switch, and the Ethernet switch connects to hubs, each of which centralizes several PCs. The following figure illustrates the scenario.

(Figure not reproduced: the external network connects to a port of the Ethernet switch; ports 1, 2, ..., n of the switch connect to HUB_1, HUB_2, ..., HUB_m, each of which centralizes the PCs of organization 1, organization 2, ..., organization n.)

Figure 5-1 Typical Ethernet access networking scenario

If not many users are connected to the switch, the ports allocated to different enterprises need to belong to the same VLAN to keep costs down. At the same time, every enterprise is allocated a fixed IP address range, and only IP addresses in that range can reach external networks from the port. For security, different enterprises should be isolated from each other. All these requirements can be met with the access management function of the Ethernet switches, specifically by binding a port with IP addresses and by L2 isolation between ports.

See Figure 5-1. In the figure, organization 1 and organization 2 belong to the same VLAN and are connected to the external networks via an Ethernet switch. The IP addresses 202.10.20.1 ~ 202.10.20.20 are allocated to organization 1, that is, they are bound to port 1; only PCs with IP addresses in this range can connect to external networks. The IP addresses 202.10.20.21 ~ 202.10.20.50 are allocated to organization 2, that is, bound to port 2. An isolation measure is required, because otherwise the PCs in the two organizations could interwork with each other. The L2 isolation function at the switch port ensures that neither of the two ports receives packets from the other, so that only PCs in the same organization can communicate with each other.

5.2 Configure Access Management
Access management configuration includes:
Enable access management function
Configure the access IP address pool based on the physical port
Configure Layer 2 isolation between ports
Configure port, IP address and MAC address binding (supported by S3526E/S3526C switches)
Enable/Disable access management trap

5.2.1 Enable Access Management Function
You can use the following command to enable access management function. Only after the access management function is enabled will the access management features (IP and port binding and Layer 2 port isolation) take effect. Perform the following configuration in System view.

Table 5-1 Enable/Disable access management function

Operation: Enable access management function
Command: am enable

Operation: Disable access management function
Command: undo am enable

By default, the system disables the access management function.

5-2

Operation Manual - Network Protocol Quidway S3500 Series Ethernet Switches

Chapter 5 Access Management Configuration

5.2.2 Configure the Access IP Address Pool Based on the Physical Port
You can use the following command to set the IP address pool for access management on a port. The packet whose source IP address is in the specified pool is allowed to be forwarded on Layer 3 via the port of the switch. Perform the following configuration in Ethernet interface view.

Table 5-2 Configure the access IP address pool based on the physical port

Operation: Configure the access management IP address pool based on the physical port
Command: am ip-pool address-list

Operation: Cancel part or all of the IP addresses in the access management IP address pool of the port
Command: undo am ip-pool { all | address-list }

By default, the IP address pools for access control on the port are null and all the packets are permitted through. Note that if the IP address pool to be configured contains the IP addresses configured in the static ARP at other ports, then the system prompts you to delete the static ARP to make the later binding effective.

5.2.3 Configure Layer 2 Isolation between Ports
You can use the following command to set Layer 2 isolation on a port so as to prevent the packets from being forwarded on Layer 2 between the specified port and some other ports (group). Perform the following configuration in Ethernet interface view.

Table 5-3 Configure Layer 2 isolation between ports

Operation: Configure Layer 2 isolation between ports
Command: am isolate interface-list

Operation: Cancel Layer 2 isolation between ports
Command: undo am isolate interface-list

By default, the isolation port pool is null and the packets are allowed to be forwarded between the specified port and all other ports on Layer 2.

5.2.4 Configure Port, IP Address and MAC Address Binding
Perform the following actions to bind the port, IP address and MAC address. The system supports the following binding combination: Port+IP, Port+MAC, Port+IP+MAC, and IP+MAC.

Port+IP binding: binds the packet's receiving port and its source IP address. The specified port only allows packets with the specified IP address to pass; meanwhile, packets with the specified IP address can only pass through the specified port.
Port+MAC binding: binds the packet's receiving port and its source MAC address. The specified port only allows packets with the specified MAC address to pass; meanwhile, packets with the specified MAC address can only pass through the specified port.
Port+IP+MAC binding: binds the packet's receiving port, source IP address and source MAC address. The specified port only allows packets with the specified IP and MAC addresses to pass. Packets with the specified IP address can only pass through the specified port. Likewise, packets with the specified MAC address can only pass through the specified port.
IP+MAC binding: binds the packet's source IP address and its source MAC address. If the packet's source IP address is the specified IP address, the packet is relayed only when its source MAC address is the specified MAC address. Likewise, if the packet's source MAC address is the specified MAC address, the packet is relayed only when its source IP address is the specified IP address.

Perform the following configuration in system view.

Table 5-4 Binding Port, IP Address and MAC Address

Operation: Bind port, IP address and MAC address
Command: am user-bind { interface { interface-name | interface-type interface-num } { mac-addr mac | ip-addr ip }* | mac-addr mac { interface { interface-name | interface-type interface-num } | ip-addr ip }* | ip-addr ip { interface { interface-name | interface-type interface-num } | mac-addr mac }* }

Operation: Remove the binding of port, IP address and MAC address
Command: undo am user-bind { interface { interface-name | interface-type interface-num } { mac-addr mac | ip-addr ip }* | mac-addr mac { interface { interface-name | interface-type interface-num } | ip-addr ip }* | ip-addr ip { interface { interface-name | interface-type interface-num } | mac-addr mac }* }

Note that:
One MAC address or one IP address cannot be bound more than once.
The maximum binding number is 128.
Do not perform "Port+IP+MAC" and "Port+IP" binding on the same port.
In the S3500 series, the S3526E/S3526C switches support this configuration.
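As an added example, not switch code, the Python model below applies the three access management checks of 5.2.2 to 5.2.4 to a packet: the per-port IP address pool for Layer 3 forwarding, Layer 2 isolation between ports, and the Port/IP/MAC binding rules, including the three constraints in the note above (no address bound twice, at most 128 bindings, no Port+IP together with Port+IP+MAC on one port). The pools and the isolation between ports 1 and 2 are those of the configuration example in 5.4; the binding on port 3 and all MAC addresses are constructed, and the reading of `am ip-pool 202.10.20.1 20` as "20 addresses starting at 202.10.20.1" follows the networking requirement in 5.4.

```python
import ipaddress

MAX_USER_BINDS = 128   # "The maximum binding number is 128"


class AccessManager:
    """Constructed model of the access management checks in 5.2; not switch code."""

    def __init__(self):
        self.enabled = False   # am enable
        self.ip_pool = {}      # port -> set of IPv4Address                 (am ip-pool)
        self.isolated = {}     # port -> set of ports it is isolated from   (am isolate)
        self.binds = []        # (port, ip, mac), None for an unused field  (am user-bind)

    def set_ip_pool(self, port, start, count):
        """'am ip-pool 202.10.20.1 20' in the example: `count` addresses from `start`."""
        first = ipaddress.IPv4Address(start)
        self.ip_pool.setdefault(port, set()).update(first + i for i in range(count))

    def set_isolate(self, port, *others):
        # Neither isolated port may receive the other's frames, so record both directions.
        for other in others:
            self.isolated.setdefault(port, set()).add(other)
            self.isolated.setdefault(other, set()).add(port)

    def user_bind(self, port=None, ip=None, mac=None):
        if ip is None and mac is None:
            raise ValueError("a binding needs an IP address and/or a MAC address")
        if len(self.binds) >= MAX_USER_BINDS:
            raise ValueError("maximum binding number (128) reached")
        ip = ipaddress.IPv4Address(ip) if ip else None
        mac = mac.lower() if mac else None
        for p, i, m in self.binds:
            if ip is not None and i == ip:
                raise ValueError(f"{ip} is already bound")
            if mac is not None and m == mac:
                raise ValueError(f"{mac} is already bound")
            # Port+IP and Port+IP+MAC must not coexist on one port.
            if port is not None and p == port and i is not None and ip is not None \
                    and (m is None) != (mac is None):
                raise ValueError(f"Port+IP and Port+IP+MAC bindings mixed on port {port}")
        self.binds.append((port, ip, mac))

    @staticmethod
    def _satisfied(bind, port, ip, mac):
        p, i, m = bind
        return (p is None or p == port) and (i is None or i == ip) and (m is None or m == mac)

    def permit_l3(self, port, src_ip):
        """Layer 3 forwarding via the port: the source must be in the port's pool;
        a null pool (the default) permits every packet."""
        pool = self.ip_pool.get(port)
        if not self.enabled or not pool:
            return True
        return ipaddress.IPv4Address(src_ip) in pool

    def permit_l2(self, in_port, out_port):
        """Layer 2 forwarding between two ports is blocked only by an isolation entry."""
        if not self.enabled:
            return True
        return out_port not in self.isolated.get(in_port, set())

    def permit_bind(self, port, src_ip, src_mac):
        """Binding check: a bound IP or MAC may appear only with the fields it was bound to,
        and a port that has bindings passes only packets satisfying one of them."""
        if not self.enabled or not self.binds:
            return True
        ip, mac = ipaddress.IPv4Address(src_ip), src_mac.lower()
        for b in self.binds:
            if (b[1] is not None and b[1] == ip) or (b[2] is not None and b[2] == mac):
                if not self._satisfied(b, port, ip, mac):
                    return False
        port_binds = [b for b in self.binds if b[0] == port]
        return not port_binds or any(self._satisfied(b, port, ip, mac) for b in port_binds)


def example_switch():
    """The configuration of 5.4, plus a constructed Port+IP+MAC binding on port 3."""
    am = AccessManager()
    am.enabled = True                      # [Quidway] am enable
    am.set_ip_pool(1, "202.10.20.1", 20)   # [Quidway-Ethernet0/1] am ip-pool 202.10.20.1 20
    am.set_isolate(1, 2)                   # [Quidway-Ethernet0/1] am isolate ethernet0/2
    am.set_ip_pool(2, "202.10.20.21", 30)  # [Quidway-Ethernet0/2] am ip-pool 202.10.20.21 30
    am.user_bind(port=3, ip="202.10.20.60", mac="00e0-fc01-0001")   # constructed binding
    return am
```

On the example switch, 202.10.20.20 is forwarded from port 1 but 202.10.20.21 is not, ports 1 and 2 cannot exchange frames in either direction, and the bound address 202.10.20.60 is accepted on port 3 only with its bound MAC and is refused on any other port.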

5.2.5 Enable/Disable Access Management Trap
You can use the following command to enable/disable access management trap. Perform the following configuration in System view.

Table 5-5 Enable/Disable access management trap

Operation: Enable access management trap
Command: am trap enable

Operation: Disable access management trap
Command: undo am trap enable

By default, the access management trap is disabled.

5.3 Display and debug Access Management
After the above configuration, execute display command in any view to display the current configurations of access management on the ports, and to verify the effect of the configuration.

Table 5-6 Display current configuration of access management

Operation: Display current configuration of access management
Command: display am [ interface-list ]

Operation: Display Port, IP address and MAC address binding
Command: display am user-bind [ interface { interface-name | interface-type interface-num } | mac-addr mac | ip-addr ip ]

Note that in the S3500 series, the S3526E/S3526C switches support the display am user-bind command.

5.4 Access Management Configuration Example
I. Networking requirements
Organization 1 is connected to the port 1 of the switch, and organization 2 to the port 2. The ports 1 and 2 belong to the same VLAN. The IP addresses ranging 202.10.20.1~202.10.20.20 can be accessed from the port 1 and those ranging 202.10.20.21~202.10.20.50 from the port 2. Organization 1 and organization 2 cannot communicate with each other.

II. Networking diagram
See Figure 5-1.

III. Configuration procedure
# Enable access management globally.
[Quidway] am enable
# Configure the IP address pool for access management on port 1.
[Quidway] interface ethernet 0/1
[Quidway-Ethernet0/1] am ip-pool 202.10.20.1 20
# Configure Layer 2 isolation between port 1 and port 2.
[Quidway-Ethernet0/1] am isolate ethernet0/2
# Configure the IP address pool for access management on port 2.
[Quidway-Ethernet0/1] quit
[Quidway] interface ethernet 0/2
[Quidway-Ethernet0/2] am ip-pool 202.10.20.21 30

Chapter 6 IP Performance Configuration
6.1 IP Performance Configuration
IP performance configuration includes: Configure TCP attributes

6.1.1 Configure TCP Attributes
TCP attributes that can be configured include:
synwait timer: When sending SYN packets, TCP starts the synwait timer. If no response packet is received before the synwait timer expires, the TCP connection is terminated. The synwait timeout ranges from 2 to 600 seconds and is 75 seconds by default.
finwait timer: When the TCP connection state changes from FIN_WAIT_1 to FIN_WAIT_2, the finwait timer is started. If no FIN packet is received before the finwait timer expires, the TCP connection is terminated. The finwait timer ranges from 76 to 3600 seconds and is 675 seconds by default.
Receiving/sending buffer size of a connection-oriented socket: ranges from 1 to 32K bytes and is 4K bytes by default.

Perform the following configuration in System view.

Table 6-1 Configure TCP attributes

Operation: Configure synwait timer time for TCP connection establishment
Command: tcp timer syn-timeout time-value

Operation: Restore synwait timer time for TCP connection establishment to default value
Command: undo tcp timer syn-timeout

Operation: Configure FIN_WAIT_2 timer time of TCP
Command: tcp timer fin-timeout time-value

Operation: Restore FIN_WAIT_2 timer time of TCP to default value
Command: undo tcp timer fin-timeout

Operation: Configure the socket receiving/sending buffer size of TCP
Command: tcp window window-size

Operation: Restore the socket receiving/sending buffer size of TCP to default value
Command: undo tcp window

By default, the TCP finwait timer is 675 seconds, the synwait timer is 75 seconds, and the receiving/sending buffer size of connection-oriented Socket is 4K bytes.

6.2 Display and debug IP Performance
After the above configuration, execute the display command in any view to display the running status of the IP performance configuration and to verify the effect of the configuration. Execute the reset command in user view to clear IP and TCP statistics.

Table 6-2 Display and debug IP performance

Operation                                                  Command
Display TCP connection state                               display tcp status
Display TCP connection statistics data                     display tcp statistics
Display IP statistics information                          display ip statistics
Display ICMP statistics information                        display icmp statistics
Display socket interface information of current system     display ip socket [ socktype sock-type ] [ task-id socket-id ]
Display the summary of the Forwarding Information Base     display fib
Reset IP statistics information                            reset ip statistics
Reset TCP statistics information                           reset tcp statistics

6.3 Troubleshoot IP Performance
Fault: The IP layer protocol works normally, but TCP and UDP cannot work normally.

In the event of such a fault, you can enable the corresponding debugging information output to view the debugging information. Use the terminal debugging command to output the debugging information to the console. Use the debugging udp packet command to enable UDP debugging and trace UDP packets. The UDP packet format is as follows:

UDP output packet:
Source IP address:202.38.160.1
Source port:1024
Destination IP Address 202.38.160.1
Destination port: 4296

Use the debugging tcp packet command to enable TCP debugging and trace TCP packets. The operations are:

[Quidway] terminal debugging
<Quidway> debugging tcp packet

Then the TCP packets received or sent can be checked in real time. The packet format is as follows:
TCP output packet:
Source IP address:202.38.160.1
Source port:1024
Destination IP Address 202.38.160.1
Destination port: 4296
Sequence number :4185089
Ack number: 0
Flag :SYN
Packet length :60
Data offset: 10
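The debugging records above are what an operator actually has in hand when IP works but TCP does not. The following Python is an added example, not code from the manual or from Huawei: it parses records in the format printed above, assuming each record arrives on one line with the field labels and the irregular ":" placement exactly as shown, groups them into flows and lists the TCP flows that only ever show SYN (a handshake that never completes). The extra sample records beyond the two printed in the manual are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Field labels as printed by "debugging udp packet" / "debugging tcp packet" in the
# manual's sample output. The separator between a label and its value varies
# (":", " :", ": " or a bare space), so each label is matched with an optional
# colon and optional whitespace on either side.
_FIELDS = {
    "src_ip": "Source IP address",
    "src_port": "Source port",
    "dst_ip": "Destination IP Address",
    "dst_port": "Destination port",
    "seq": "Sequence number",
    "ack": "Ack number",
    "flag": "Flag",
    "length": "Packet length",
    "data_offset": "Data offset",
}
_INT_FIELDS = ("src_port", "dst_port", "seq", "ack", "length", "data_offset")
_HEADER_RE = re.compile(r"^(TCP|UDP)\s+(input|output)\s+packet\s*:", re.IGNORECASE)
_FIELD_RES = {k: re.compile(re.escape(v) + r"\s*:?\s*(\S+)", re.IGNORECASE)
              for k, v in _FIELDS.items()}


@dataclass
class DebugPacket:
    proto: str
    direction: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: Optional[int] = None
    ack: Optional[int] = None
    flag: Optional[str] = None
    length: Optional[int] = None
    data_offset: Optional[int] = None


def parse_debug_line(line: str) -> Optional[DebugPacket]:
    """Parse one debugging record; returns None for lines that are not packet records."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        return None
    values: Dict[str, object] = {}
    for key, rx in _FIELD_RES.items():
        fm = rx.search(line)
        if fm:
            raw = fm.group(1)
            values[key] = int(raw) if key in _INT_FIELDS else raw
    if any(k not in values for k in ("src_ip", "src_port", "dst_ip", "dst_port")):
        return None  # truncated record: not enough to identify the flow
    return DebugPacket(m.group(1).upper(), m.group(2).lower(), **values)


def flow_summary(lines: List[str]) -> Dict[Tuple[str, str, str, int], Dict[str, int]]:
    """Count records per (proto, src_ip, dst_ip, dst_port) and, for TCP, per flag."""
    summary: Dict[Tuple[str, str, str, int], Dict[str, int]] = {}
    for line in lines:
        pkt = parse_debug_line(line)
        if pkt is None:
            continue
        entry = summary.setdefault((pkt.proto, pkt.src_ip, pkt.dst_ip, pkt.dst_port),
                                   {"packets": 0})
        entry["packets"] += 1
        if pkt.flag:
            entry[pkt.flag] = entry.get(pkt.flag, 0) + 1
    return summary


def handshake_never_completed(summary) -> List[Tuple[str, str, str, int]]:
    """TCP flows whose records carry SYN but never ACK: the peer never answered."""
    return [k for k, v in summary.items()
            if k[0] == "TCP" and v.get("SYN", 0) > 0 and v.get("ACK", 0) == 0]


# Constructed sample: the two records from the manual, a repeated SYN and an
# unrelated flow that did get acknowledged, plus one non-packet line.
SAMPLE_LINES = [
    "UDP output packet: Source IP address:202.38.160.1 Source port:1024 "
    "Destination IP Address 202.38.160.1 Destination port: 4296",
    "TCP output packet: Source IP address:202.38.160.1 Source port:1024 "
    "Destination IP Address 202.38.160.1 Destination port: 4296 "
    "Sequence number :4185089 Ack number: 0 Flag :SYN Packet length :60 Data offset: 10",
    "TCP output packet: Source IP address:202.38.160.1 Source port:1024 "
    "Destination IP Address 202.38.160.1 Destination port: 4296 "
    "Sequence number :4185089 Ack number: 0 Flag :SYN Packet length :60 Data offset: 10",
    "TCP input packet: Source IP address:202.38.160.9 Source port:23 "
    "Destination IP Address 202.38.160.1 Destination port: 1025 "
    "Sequence number :77 Ack number: 4185090 Flag :ACK Packet length :40 Data offset: 5",
    "*Some other debugging line",
]

if __name__ == "__main__":
    for flow in handshake_never_completed(flow_summary(SAMPLE_LINES)):
        print("SYN sent, no ACK seen:", flow)
```

A flow that appears in this list while IP-level commands such as display ip statistics show no errors narrows the fault to the transport layer on one side, which is the situation this section is about.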

HUAWEI

Quidway S3500 Series Ethernet Switches Operation Manual

5. Routing Protocol

Operation Manual - Routing Protocol Quidway S3500 Series Ethernet Switches

Table of Contents

Chapter 1 IP Routing Protocol Overview ... 1-1
  1.1 Introduction to IP Route and Routing Table ... 1-1
    1.1.1 IP Route and Route Segment ... 1-1
    1.1.2 Route Selection through the Routing Table ... 1-2
  1.2 Routing Management Policy ... 1-4
    1.2.1 Routing protocols and the preferences of the corresponding routes ... 1-4
    1.2.2 Support Load Sharing and Route Backup ... 1-4
    1.2.3 Routes Shared between Routing Protocols ... 1-5
Chapter 2 Static Route Configuration ... 2-1
  2.1 Introduction to Static Route ... 2-1
    2.1.1 Attributes and Functions of Static Route ... 2-1
    2.1.2 Default Route ... 2-1
  2.2 Static Route Configuration ... 2-2
    2.2.1 Configure a static route ... 2-2
    2.2.2 Configure a default route ... 2-3
    2.2.3 Configure the default preference of static routes ... 2-3
  2.3 Display and Debug Static Route ... 2-3
  2.4 Typical Static Route Configuration Example ... 2-4
  2.5 Static Route Fault Diagnosis and Troubleshooting ... 2-5
Chapter 3 RIP Configuration ... 3-1
  3.1 Brief Introduction to RIP ... 3-1
  3.2 RIP Configuration ... 3-2
    3.2.1 Enable RIP and Enter RIP view ... 3-3
    3.2.2 Enable RIP Interface ... 3-3
    3.2.3 Configure Unicast of the Message ... 3-3
    3.2.4 Specify RIP Version of the Interface ... 3-4
    3.2.5 Configure RIP-1 zero field check of the interface packet ... 3-4
    3.2.6 Specify the operating state of the interface ... 3-5
    3.2.7 Disable host route ... 3-6
    3.2.8 RIP-2 Route Aggregation Function ... 3-6
    3.2.9 Set RIP-2 Packet Authentication ... 3-6
    3.2.10 Configure Split Horizon ... 3-7
    3.2.11 Configure RIP to Import Routes of Other Protocols ... 3-7
    3.2.12 Configure Default Cost for the Imported Route ... 3-8
    3.2.13 Set the RIP Preference ... 3-8
    3.2.14 Set Additional Routing Metric ... 3-9
    3.2.15 Configure Route Filtering ... 3-9
  3.3 Display and Debug RIP ... 3-10
  3.4 Typical RIP Configuration Example ... 3-10
    3.4.1 Networking requirements ... 3-10
    3.4.2 Networking diagram ... 3-11
    3.4.3 Configuration procedure ... 3-11
  3.5 RIP Fault Diagnosis and Troubleshooting ... 3-12
Chapter 4 OSPF Configuration ... 4-1
  4.1 OSPF Overview ... 4-1
    4.1.1 Introduction to OSPF ... 4-1
    4.1.2 Process of OSPF Route Calculation ... 4-1
    4.1.3 OSPF Packets ... 4-2
    4.1.4 Basic Concepts Related to OSPF ... 4-3
  4.2 OSPF Configuration ... 4-4
    4.2.1 Enable OSPF and Enter OSPF View ... 4-5
    4.2.2 Enter OSPF Area view ... 4-5
    4.2.3 Specify interface ... 4-6
    4.2.4 Configure Router ID ... 4-6
    4.2.5 Configure the Network Type on the OSPF Interface ... 4-7
    4.2.6 Configure the Cost for Sending Packets on an Interface ... 4-8
    4.2.7 Set the Interface Priority for DR Election ... 4-8
    4.2.8 Set the Peer ... 4-9
    4.2.9 Set the Interval of Hello Packet Transmission ... 4-10
    4.2.10 Set a dead timer for the neighboring routers ... 4-10
    4.2.11 Configure an Interval required for sending LSU packets ... 4-11
    4.2.12 Set an Interval for LSA Retransmission between Neighboring Routers ... 4-11
    4.2.13 Set a Shortest Path First (SPF) Calculation Interval for OSPF ... 4-12
    4.2.14 Configure STUB Area of OSPF ... 4-12
    4.2.15 Configure NSSA of OSPF ... 4-13
    4.2.16 Configure the Route Summarization of OSPF Area ... 4-14
    4.2.17 Configure Summarization of Imported Routes by OSPF ... 4-15
    4.2.18 Configure OSPF Virtual Link ... 4-16
    4.2.19 Configure the OSPF Area to Support Packet Authentication ... 4-17
    4.2.20 Configure OSPF Packet Authentication ... 4-17
    4.2.21 Configure OSPF to import Routes of Other Protocols ... 4-18
    4.2.22 Configure Parameters for OSPF to Import External Routes ... 4-19
    4.2.23 Configure OSPF to Import the Default Route ... 4-19
    4.2.24 Set OSPF Route Preference ... 4-20
    4.2.25 Configure OSPF Route Filtering ... 4-20
    4.2.26 Configure to Fill the MTU Field When an Interface Transmits DD Packets ... 4-21
    4.2.27 Disable the Interface to Send OSPF Packets ... 4-21
    4.2.28 Reset the OSPF Process ... 4-22
  4.3 Display and Debug OSPF ... 4-22
  4.4 Typical OSPF Configuration Example ... 4-23
    4.4.1 Configuring DR Election Based on OSPF Priority ... 4-23
    4.4.2 Configuring OSPF Virtual Link ... 4-25
    4.4.3 OSPF Fault Diagnosis and Troubleshooting ... 4-27
Chapter 5 BGP Configuration ... 5-1
  5.1 Brief Introduction to BGP ... 5-1
  5.2 BGP Configuration ... 5-2
    5.2.1 Enable BGP ... 5-3
    5.2.2 Configure Networks for BGP Distribution ... 5-3
    5.2.3 Configure BGP Peer (Group) ... 5-3
    5.2.4 Configure BGP Timer ... 5-10
    5.2.5 Configure the local preference ... 5-10
    5.2.6 Configure MED for AS ... 5-11
    5.2.7 Comparing the MED Routing Metrics from the Peers in Different ASs ... 5-11
    5.2.8 Configure BGP Community ... 5-12
    5.2.9 Configure BGP Route Summarization ... 5-12
    5.2.10 Configure BGP Route Reflector ... 5-13
    5.2.11 Configure BGP AS Confederation Attribute ... 5-15
    5.2.12 Configure BGP route dampening ... 5-17
    5.2.13 Configure the repeating time of local AS ... 5-17
    5.2.14 Configure the Redistribution of BGP and IGP ... 5-18
    5.2.15 Define ACL, AS Path List, and Route-policy ... 5-18
    5.2.16 Configure BGP Route Filtering ... 5-19
    5.2.17 Clear BGP Connection ... 5-20
  5.3 Display and Debug BGP ... 5-20
  5.4 Typical BGP Configuration Example ... 5-21
    5.4.1 Configure BGP AS Confederation Attribute ... 5-21
    5.4.2 Configure BGP Route Reflector ... 5-23
    5.4.3 Configure BGP Routing ... 5-26
  5.5 Fault Diagnosis and BGP Troubleshooting ... 5-29
Chapter 6 IP Routing Policy Configuration ... 6-1
  6.1 Brief Introduction to IP Routing Policy ... 6-1
  6.2 IP Routing Policy Configuration ... 6-3
    6.2.1 Define a route-policy ... 6-3
    6.2.2 Define If-match clauses for a Route-policy ... 6-4
    6.2.3 Define apply clauses for a Route-policy ... 6-5
    6.2.4 Importing Routing Information Discovered by Other Routing Protocols ... 6-6
    6.2.5 Define ip-Prefix ... 6-6
    6.2.6 Configure Route Filtering ... 6-7
  6.3 Display and Debug the Routing Policy ... 6-8
  6.4 Typical IP Routing Policy Configuration Example ... 6-8
    6.4.1 Configure to Filter the Received Routing Information ... 6-8
  6.5 Routing Policy Fault Diagnosis and Troubleshooting ... 6-10
Chapter 7 Route Capacity Configuration ... 7-1
  7.1 Route Capacity Configuration Overview ... 7-1
    7.1.1 Introduction ... 7-1
    7.1.2 Route Capacity Limitation Implemented by S3500 Ethernet Switch ... 7-1
  7.2 Route Capacity Configuration ... 7-2
    7.2.1 Set the Lower Limit of the Ethernet switch Memory ... 7-2
    7.2.2 Set the Safety Value of the Ethernet switch Memory ... 7-2
    7.2.3 Set the Lower Limit and the Safety Value Simultaneously ... 7-3
    7.2.4 Disable the Ethernet switch to Recover the Disconnected Routing Protocol Automatically ... 7-4
    7.2.5 Enable the Ethernet switch to Recover the Disconnected Routing Protocol Automatically ... 7-4
  7.3 Display and Debug Route Capacity ... 7-4


Chapter 1 IP Routing Protocol Overview

Note: When an Ethernet switch runs a routing protocol, it can perform router functions. The router referred to in the following text, and its icon, represent a generalized router or an Ethernet switch running routing protocols. For readability, this is not repeated in the other parts of the manual.

1.1 Introduction to IP Route and Routing Table
1.1.1 IP Route and Route Segment
Routers are used for route selection in the Internet. A router works in the following way: it selects an appropriate path (through a network) according to the destination address of the packet it receives and forwards the packet to the next router. This continues hop by hop, and the last router in the path is responsible for delivering the packet to the destination host, which completes IP packet forwarding and routing across network segments.

In a network, the router regards each path over which a packet is sent as a logical route unit, called a hop. For example, in the figure below, a packet sent from Host A to Host C passes through 2 routers, so it is transmitted over two hops and route segments. Therefore, when a node is connected to another node through a network, there is one hop between the two nodes, and the two nodes are regarded as adjacent in the Internet. By the same principle, adjacent routers are two routers connected to the same network. The number of route segments between a router and the hosts in the same network is counted as zero. In the following figure, the bold arrows represent the hops. A router can be connected to any physical link that constitutes a route segment for routing packets via the network.

Figure 1-1 About hop (figure: hosts A, B and C connected through routers R; the bold arrows mark the route segments)

As networks may have different sizes, the lengths of the segments connecting different pairs of routers also differ. The number of route segments multiplied by a weighting coefficient can serve as a weighted measure of the actual length of the signal transmission path. If a router in a network is regarded as a node and a route segment in the Internet is regarded as a link, message routing in the Internet works much like message routing in a conventional network. A message routed over the shortest route does not always take the optimal route. For example, routing through 3 LAN route segments may be much faster than routing through 2 WAN route segments.

1.1.2 Route Selection through the Routing Table
The key for a router to forward packets is the routing table. Each router keeps a routing table in its memory, and each entry of the table specifies the physical port through which a packet for a given subnet or host is sent, so that the packet reaches the next router along a particular path or reaches the destination host via a directly connected network. A routing table has the following key entries:

Destination address: Identifies the destination IP address or the destination network of the IP packet; it is 32 bits long.

Network mask: Made up of several consecutive "1"s, which can be expressed either in dotted decimal format or as the number of consecutive "1"s in the mask. Combined with the destination address, it identifies the network address of the destination host or router: ANDing the destination address with the network mask gives the address of the network segment where the destination host or router is located. For example, if the destination address is 129.102.8.10 and the mask is 255.255.0.0, the address of the network where the host or router is located is 129.102.0.0.

Output interface: Indicates the interface through which the IP packet should be forwarded.

Next hop address: Indicates the next router that the IP packet will pass through.

Priority added to the IP routing table for a route: There may be different next hops to the same destination. These routes may be discovered by different routing protocols, or they may be static routes configured manually. The one with the highest priority (the smallest numerical value) is selected as the current optimal route.

According to the destination, routes are divided into the following types:

Subnet route: The destination is a subnet.
Host route: The destination is a host.

In addition, according to whether the network of the destination host is directly connected to the router, there are the following types of routes:

Direct route: The router is directly connected to the network where the destination is located.
Indirect route: The router is not directly connected to the network where the destination is located.

In order to limit the size of the routing table, an option is available to set a default route. All packets that fail to match a suitable entry are forwarded through this default route.

In the complex Internet shown in the following figure, the number in each network is the network address. Router R8 is connected to three networks, so it has three IP addresses and three physical ports, and its routing table is shown below:
Figure 1-2 The routing table (figure: routers R1 to R8 interconnected by the networks 10.0.0.0 to 16.0.0.0)

The routing table of router R8

Destination host location   Forwarding router   Port passed
10.0.0.0                    Directly            2
11.0.0.0                    Directly            1
12.0.0.0                    11.0.0.2            1
13.0.0.0                    Directly            3
14.0.0.0                    13.0.0.2            3
15.0.0.0                    10.0.0.2            2
16.0.0.0                    10.0.0.2            2

1.2 Routing Management Policy
The Quidway S3500 Series Ethernet Switches support the configuration of a series of dynamic routing protocols such as RIP, OSPF and BGP, as well as the static routes. The static routes configured by the user are managed together with the dynamic routes as detected by the routing protocol. The static routes and the routes learned or configured by different routing protocols can also be shared with each other.

1.2.1 Routing protocols and the preferences of the corresponding routes
Different routing protocols (as well as the static configuration) may generate different routes to the same destination, but not all of these routes are optimal. In fact, at any given moment, only one routing protocol can determine the current route to a specific destination. Thus, each of these routing protocols (including the static configuration) is assigned a preference, and when there are multiple routing information sources, the route discovered by the routing protocol with the highest preference becomes the current route. Routing protocols and the default preferences (the smaller the value, the higher the preference) of the routes learned by them are shown in the following table.

Table 1-1 Routing protocols and the default preferences for the routes learned by them

Routing protocol or route type   Preference of the corresponding route
DIRECT                           0
OSPF                             10
STATIC                           60
RIP                              100
OSPF ASE                         150
OSPF NSSA                        150
IBGP                             256
EBGP                             256
UNKNOWN                          255

In the table, 0 indicates a direct route and 255 indicates any route from an unreliable source. Except for direct routes and BGP (IBGP and EBGP), the preferences of the dynamic routing protocols can be configured manually to meet user requirements. In addition, individual static routes can be given different preferences.

1.2.2 Support Load Sharing and Route Backup
Load sharing: Multi-route mode is supported, which permits configuring multiple routes to the same destination with the same preference. The same destination can then be reached via multiple different paths of equal preference. When no route to that destination has a higher preference, all of these routes are used by IP, which forwards packets to the destination over these paths and so implements load sharing.
Route backup: Route backup is supported. When the main route fails, the system automatically switches to a backup route to improve network reliability. To achieve route backup, the user configures multiple routes to the same destination according to the actual situation. One of the routes has the highest preference and is called the main route; the other routes have descending preferences and are called backup routes. Normally, the router sends data via the main route. When the line fails, the main route hides itself and the router chooses, from the remaining routes, the one with the highest preference as the backup route for sending data. In this way, the switchover from the main route to the backup route is realized. When the main route recovers, the router restores it and re-selects the route; since the main route has the highest preference, the router chooses the main route to send data again. This is the automatic switchover from the backup route back to the main route.

For the same destination, a given routing protocol may find multiple different routes. If that routing protocol has the highest preference among all active routing protocols, these multiple routes are all regarded as currently valid routes. Thus, load sharing of IP traffic is ensured at the level of routing protocols.

Among the S3500 Series Ethernet Switches, only the S3552, S3528 Series and S3552F support load sharing. Each of them supports four routes for this function.
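Sections 1.1.2, 1.2.1 and 1.2.2 together define how the current route is chosen: the mask AND picks the matching destination, the Table 1-1 preference decides which protocol's route wins for that destination, equal-preference routes from the winning source are load-shared, and a route whose line has failed hides itself so the next-best route takes over. The following Python is an added example that models those rules, not code from the manual or from Huawei. The routing table it builds is constructed, loosely following Figure 1-2, and the four-path limit is the one the text gives for the S3552, S3528 and S3552F.

```python
from dataclasses import dataclass
from typing import List, Optional

# Default route preferences from Table 1-1 (smaller value = higher preference).
PREFERENCE = {"DIRECT": 0, "OSPF": 10, "STATIC": 60, "RIP": 100, "OSPF ASE": 150,
              "OSPF NSSA": 150, "IBGP": 256, "EBGP": 256, "UNKNOWN": 255}
MAX_LOAD_SHARING_PATHS = 4  # S3552, S3528 and S3552F load-share over up to four routes


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def network_address(ip: str, mask: str) -> str:
    """Section 1.1.2: ANDing the destination with the mask gives the network address."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


@dataclass
class Route:
    dest: str                          # destination network
    mask: str                          # dotted-decimal network mask
    next_hop: str                      # next hop ("Directly" for a direct route, as in Figure 1-2)
    interface: str                     # output interface
    protocol: str                      # key into PREFERENCE
    preference: Optional[int] = None   # None = protocol default from Table 1-1
    active: bool = True                # False once the line behind the route has failed

    def __post_init__(self):
        if self.preference is None:
            self.preference = PREFERENCE[self.protocol]

    @property
    def mask_length(self) -> int:
        return bin(ip_to_int(self.mask)).count("1")

    def matches(self, ip: str) -> bool:
        return network_address(ip, self.mask) == network_address(self.dest, self.mask)


def select_routes(table: List[Route], dst: str) -> List[Route]:
    """Currently valid route(s) for dst.

    1. Only active routes whose network contains dst are candidates.
    2. The most specific destination (longest mask) wins the forwarding lookup.
    3. Among routes to that destination, the lowest preference value wins, so a
       single routing protocol determines the current route.
    4. Equal-preference routes from that source are all valid (load sharing),
       limited to MAX_LOAD_SHARING_PATHS."""
    candidates = [r for r in table if r.active and r.matches(dst)]
    if not candidates:
        return []
    longest = max(r.mask_length for r in candidates)
    same_dest = [r for r in candidates if r.mask_length == longest]
    best_pref = min(r.preference for r in same_dest)
    return [r for r in same_dest if r.preference == best_pref][:MAX_LOAD_SHARING_PATHS]


def next_hops(table: List[Route], dst: str) -> List[str]:
    return sorted(r.next_hop for r in select_routes(table, dst))


def set_line_state(table: List[Route], next_hop: str, up: bool) -> None:
    """Simulate a line failure or recovery: routes through next_hop hide or reappear."""
    for r in table:
        if r.next_hop == next_hop:
            r.active = up


def build_sample_table() -> List[Route]:
    """Constructed table: the router owns 10.0.0.0 and 13.0.0.0, reaches 14.0.0.0 by
    two equal static routes (main, load-shared) and one RIP route (backup), and has
    a more specific OSPF route for 14.0.1.0/24."""
    return [
        Route("10.0.0.0", "255.0.0.0", "Directly", "2", "DIRECT"),
        Route("13.0.0.0", "255.0.0.0", "Directly", "3", "DIRECT"),
        Route("14.0.0.0", "255.0.0.0", "10.0.0.2", "2", "STATIC"),
        Route("14.0.0.0", "255.0.0.0", "13.0.0.2", "3", "STATIC"),
        Route("14.0.0.0", "255.0.0.0", "13.0.0.4", "3", "RIP"),
        Route("14.0.1.0", "255.255.255.0", "10.0.0.2", "2", "OSPF"),
    ]


if __name__ == "__main__":
    table = build_sample_table()
    print("14.0.0.7 ->", next_hops(table, "14.0.0.7"))   # both static routes share load
    set_line_state(table, "10.0.0.2", False)
    set_line_state(table, "13.0.0.2", False)
    print("after failure ->", next_hops(table, "14.0.0.7"))   # RIP backup takes over
```

Note that failing the line to 10.0.0.2 also hides the OSPF route for 14.0.1.0/24, so traffic for that subnet silently falls back to the less specific 14.0.0.0 entry; when reviewing a switch's backup design, check which routes share a next hop, not only which share a destination.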

1.2.3 Routes Shared between Routing Protocols
As the algorithms of various routing protocols are different, different protocols may generate different routes, thus bringing about the problem of how to resolve the differences when different routes are generated by different routing protocols. The Quidway S3500 Series Ethernet Switches can import the information of another routing protocol. Each protocol has its own route redistribution mechanism. For details, please refer to the description about "Importing an External Route" in the operation manual of the corresponding routing protocol.

1-5

Operation Manual - Routing Protocol Quidway S3500 Series Ethernet Switches

Chapter 2 Static Route Configuration

Chapter 2 Static Route Configuration
2.1 Introduction to Static Route
2.1.1 Attributes and Functions of Static Route
A static route is a special route. You can set up an interconnected network with static route configuration alone. The drawback of such a configuration is that when a fault occurs in the network, the static route cannot change automatically to steer around the faulty node without the help of an administrator. In a relatively simple network, you only need to configure static routes to make the router work normally. Proper configuration and use of static routes can improve network performance and guarantee bandwidth for important applications.

All the following routes are static routes:

Reachable route: A normal route is of this type; that is, the IP packet is sent to the next hop via the route marked by the destination. It is the common type of static route.

Unreachable route: When a static route to a destination has the "reject" attribute, all IP packets to this destination are discarded, and the originating host is informed that the destination is unreachable.

Blackhole route: When a static route to a destination has the "blackhole" attribute, all IP packets to this destination are discarded, and the originating host is not informed.

The attributes "reject" and "blackhole" are usually used to control the range of destinations reachable from this router, and they help in troubleshooting the network.

2.1.2 Default Route
A default route is also a static route. It is used only when no suitable routing table entry is matched: when no proper route is found, the default route is used. In a routing table, the default route takes the form of a route to the network 0.0.0.0 (with the mask 0.0.0.0). You can see whether it has been set in the output of the command display ip routing-table. If the destination address of a packet fails to match any entry of the routing table, the router selects the default route to forward this packet. If there is no default route and the destination address of the packet fails to match any entry in the routing table, this packet is discarded and an Internet Control Message Protocol (ICMP) packet is sent to the originating host to inform it that the destination host or network is unreachable.

The default route is very useful in networks. Consider a typical network consisting of hundreds of routers. In such a network, a great deal of bandwidth would be consumed if all kinds of dynamic routing protocols were put into use without configuring a default route. Using the default route provides appropriate bandwidth, even if not high bandwidth, for communication between large numbers of users.

2.2 Static Route Configuration
Static route configuration includes:

- Configure a static route
- Configure a default route
- Configure the default preference of static routes

2.2.1 Configure a static route
Perform the following configurations in system view.

Table 2-1 Configure a static route

Operation              Command
Add a static route     ip route-static ip-address { mask | mask-length } { null null-interface-number | gateway-address } [ preference value ] [ reject | blackhole ]
Delete a static route  undo ip route-static ip-address { mask | mask-length } [ null null-interface-number | gateway-address ] [ preference value ]

The parameters are explained as follows:

IP address and mask
The IP address and mask are in dotted decimal format. Since the 1s in the 32-bit mask must be consecutive, the dotted decimal mask can also be replaced by the mask-length (the number of consecutive 1s in the mask).

Next hop address and NULL interface
When configuring a static route, you can specify the gateway-address to decide the next hop address, depending on the actual conditions. In fact, for all routing entries, the next hop address must be specified. When the IP layer transmits a packet, it first searches for the matching route in the routing table according to the destination address of the packet. Only when the next hop address of the route is specified can the link layer find the corresponding link layer address and then forward the packet to that address.

Packets sent to a NULL interface, a kind of virtual interface, are discarded at once. This can decrease the system load.

Preference
By configuring different preference values, you can flexibly apply the routing management policy.

Other parameters
The attributes reject and blackhole respectively indicate the unreachable route and the blackhole route.

2.2.2 Configure a default route
Perform the following configurations in system view.

Table 2-2 Configure a default route

Operation                  Command
Configure a default route  ip route-static 0.0.0.0 { 0.0.0.0 | 0 } { null null-interface-number | gateway-address } [ preference value ] [ reject | blackhole ]
Delete a default route     undo ip route-static 0.0.0.0 { 0.0.0.0 | 0 } [ null null-interface-number | gateway-address ] [ preference value ]

The meanings of parameters in the command are the same as those of the static route.

2.2.3 Configure the default preference of static routes
The default preference is used as the preference of a static route whose preference is not specified when it is configured. You can change the default preference value of the static routes to be configured by using the following command. Perform the following configuration in system view.

Table 2-3 Configure the default preference of static routes

Operation                                              Command
Configure the default preference value of static routes  ip route-static default-preference default-preference-value

By default, its value is 60.

2.3 Display and Debug Static Route
After the above configuration, execute the display command in any view to display the running state of the static route configuration and to verify the effect of the configuration.

Table 2-4 Display and debug the routing table

Operation                                                          Command
View routing table summary                                         display ip routing-table
View routing table details                                         display ip routing-table verbose
View the detailed information of a specific route                  display ip routing-table ip_address [ mask ] [ longer-match ] [ verbose ]
View the route information in the specified address range          display ip routing-table ip_address1 mask1 ip_address2 mask2 [ verbose ]
View the routes filtered through the specified basic ACL           display ip routing-table acl { acl-number | acl-name } [ verbose ]
View the routes filtered through the specified ip-prefix list      display ip routing-table ip-prefix ip-prefix-number [ verbose ]
View the routing information found by the specified protocol       display ip routing-table protocol protocol [ inactive | verbose ]
View the tree routing table                                        display ip routing-table radix
View the integrated routing information                            display ip routing-table statistics

2.4 Typical Static Route Configuration Example
I. Networking requirements
As shown in the figure below, the masks of all the IP addresses in the figure are 255.255.255.0. It is required that all the hosts or S3500 series Ethernet Switches can be interconnected in pairs by configuring static routes.

II. Networking diagram

Figure labels (diagram not reproduced): Host A 1.1.1.1; Switch A 1.1.1.2/24 and 1.1.2.1/24; Switch C 1.1.2.2/24, 1.1.3.1/24 and 1.1.5.2/24; Host B 1.1.5.1; Switch B 1.1.3.2/24 and 1.1.4.1/24; Host C 1.1.4.2.

Figure 2-1 Networking diagram of the static route configuration example

III. Configuration procedure
# Configure the static routes for Ethernet Switch A
[Switch A] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2
[Switch A] ip route-static 1.1.4.0 255.255.255.0 1.1.2.2
[Switch A] ip route-static 1.1.5.0 255.255.255.0 1.1.2.2
# Configure the static routes for Ethernet Switch B
[Switch B] ip route-static 1.1.2.0 255.255.255.0 1.1.3.1
[Switch B] ip route-static 1.1.5.0 255.255.255.0 1.1.3.1
[Switch B] ip route-static 1.1.1.0 255.255.255.0 1.1.3.1
# Configure the static routes for Ethernet Switch C
[Switch C] ip route-static 1.1.1.0 255.255.255.0 1.1.2.1
[Switch C] ip route-static 1.1.4.0 255.255.255.0 1.1.3.2
# Configure the default gateway of Host A to be 1.1.1.2
# Configure the default gateway of Host B to be 1.1.5.2
# Configure the default gateway of Host C to be 1.1.4.1

By then, all the hosts and Ethernet Switches in the figure can be interconnected in pairs.
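The static route lookup of sections 2.1 and 2.2 applied to this network, as an added example that is not part of the manual and not S3500 code: a Python model that parses the ip route-static commands above with the Table 2-1 syntax, does longest-prefix matching with preference, and follows a packet from each host's default gateway through Switches A, B and C. Interface addresses come from Figure 2-1; the extra default, reject, blackhole and preference-10 routes, the NULL interface number 0 and the outcome names are constructed for the demonstration.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
DEFAULT_PREFERENCE = 60   # default preference of static routes (section 2.2.3)

@dataclass
class Route:
    dest: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address | None   # None for a NULL interface or a connected network
    preference: int = DEFAULT_PREFERENCE
    attribute: str | None = None            # None (reachable route), "reject" or "blackhole"
    direct: bool = False                    # directly connected network, always preferred

def parse_route_static(line: str) -> Route:
    """Parse one 'ip route-static' command with the syntax of Table 2-1."""
    t = line.split()
    dest = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)  # dotted mask or mask-length
    if t[4] == "null":
        gateway, rest = None, t[6:]         # skip 'null' and the null-interface-number
    else:
        gateway, rest = ipaddress.ip_address(t[4]), t[5:]
    pref, attr = DEFAULT_PREFERENCE, None
    while rest:
        if rest[0] == "preference":
            pref, rest = int(rest[1]), rest[2:]
        elif rest[0] in ("reject", "blackhole"):
            attr, rest = rest[0], rest[1:]
        else:
            raise ValueError(f"unexpected token {rest[0]!r} in {line!r}")
    return Route(dest, gateway, pref, attr)

class Switch:
    def __init__(self, name: str, interfaces: list[str], commands: list[str]) -> None:
        self.name, self.interfaces = name, interfaces
        # connected networks get preference 0, so they win over any static route
        self.routes = [Route(ipaddress.ip_network(i, strict=False), None, 0, None, True)
                       for i in interfaces]
        self.routes += [parse_route_static(c) for c in commands]

    def lookup(self, dst: str) -> Route | None:
        """Longest prefix match; among equal prefixes the lower preference value wins."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.dest]
        return max(matches, key=lambda r: (r.dest.prefixlen, -r.preference)) if matches else None

def forward(switches: dict[str, Switch], first_hop: str, dst: str) -> tuple[str, list[str]]:
    """Follow a packet from its first-hop gateway. Returns (outcome, switches traversed): 'delivered',
    'icmp-unreachable' (no route or reject route), 'dropped' (blackhole or NULL) or 'loop'."""
    owner = {ipaddress.ip_address(i.split("/")[0]): sw
             for sw in switches.values() for i in sw.interfaces}
    hop, path = ipaddress.ip_address(first_hop), []
    for _ in range(16):
        sw = owner.get(hop)
        if sw is None:                      # next hop is not one of the simulated switches
            return "icmp-unreachable", path
        path.append(sw.name)
        r = sw.lookup(dst)
        if r is None or r.attribute == "reject":
            return "icmp-unreachable", path
        if r.direct:
            return "delivered", path
        if r.attribute == "blackhole" or r.gateway is None:
            return "dropped", path
        hop = r.gateway
    return "loop", path

HOSTS = {"Host A": ("1.1.1.1", "1.1.1.2"), "Host B": ("1.1.5.1", "1.1.5.2"),
         "Host C": ("1.1.4.2", "1.1.4.1")}   # (address, default gateway) from section 2.4

def build_figure_2_1() -> dict[str, Switch]:
    """Figure 2-1 topology configured with the exact commands of section 2.4."""
    a = Switch("Switch A", ["1.1.1.2/24", "1.1.2.1/24"],
               ["ip route-static 1.1.3.0 255.255.255.0 1.1.2.2",
                "ip route-static 1.1.4.0 255.255.255.0 1.1.2.2",
                "ip route-static 1.1.5.0 255.255.255.0 1.1.2.2"])
    b = Switch("Switch B", ["1.1.3.2/24", "1.1.4.1/24"],
               ["ip route-static 1.1.2.0 255.255.255.0 1.1.3.1",
                "ip route-static 1.1.5.0 255.255.255.0 1.1.3.1",
                "ip route-static 1.1.1.0 255.255.255.0 1.1.3.1"])
    c = Switch("Switch C", ["1.1.2.2/24", "1.1.3.1/24", "1.1.5.2/24"],
               ["ip route-static 1.1.1.0 255.255.255.0 1.1.2.1",
                "ip route-static 1.1.4.0 255.255.255.0 1.1.3.2"])
    return {s.name: s for s in (a, b, c)}

def run_example() -> dict[str, str]:
    """Pairwise host reachability of section 2.4, then constructed default, reject, blackhole
    and preference routes on Switch A (NULL interface number 0 is assumed)."""
    sw = build_figure_2_1()
    results = {f"{src}->{dst}": forward(sw, gw, addr)[0]
               for src, (_, gw) in HOSTS.items()
               for dst, (addr, _) in HOSTS.items() if src != dst}
    sw["Switch A"].routes += [parse_route_static(c) for c in (
        "ip route-static 0.0.0.0 0 1.1.2.2",                  # default route (Table 2-2)
        "ip route-static 192.0.2.0 24 null 0 reject",         # unreachable route
        "ip route-static 198.51.100.0 24 null 0 blackhole",   # blackhole route
        "ip route-static 1.1.5.0 24 null 0 preference 10")]   # beats the preference-60 route
    results["default"] = forward(sw, "1.1.1.2", "203.0.113.7")[0]   # Switch C has no route
    results["reject"] = forward(sw, "1.1.1.2", "192.0.2.9")[0]
    results["blackhole"] = forward(sw, "1.1.1.2", "198.51.100.9")[0]
    results["preference"] = forward(sw, "1.1.1.2", "1.1.5.1")[0]
    return results
```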

2.5 Static Route Fault Diagnosis and Troubleshooting
Fault: The S3500 Ethernet Switch is not configured with a dynamic routing protocol, and both the physical status and the link layer protocol status of the interface are UP, but IP packets cannot be forwarded normally.

Troubleshooting:
- Use the display ip routing-table protocol static command to check whether the corresponding static route is correctly configured.
- Use the display ip routing-table command to check whether the corresponding route is valid.

Chapter 3 RIP Configuration
3.1 Brief Introduction to RIP
Routing Information Protocol (RIP) is a relatively simple dynamic routing protocol, but it is widely used. RIP is a Distance-Vector (D-V) algorithm-based protocol and exchanges routing information via UDP packets. It uses the hop count to measure the distance to the destination host, which is called the routing cost. In RIP, the hop count from a router to its directly connected network is 0, the hop count to a network that can be reached through one other router is 1, and so on. To limit the convergence time, RIP prescribes that the cost value is an integer ranging from 0 to 15. A hop count equal to or exceeding 16 is defined as infinite, that is, the destination network or host is unreachable.

RIP sends a routing refresh message every 30 seconds. If no routing refresh message is received from a network neighbor within 180 seconds, RIP tags all routes from that neighbor as unreachable. If no routing refresh message is received from the neighbor within 300 seconds, RIP finally removes the routes of that neighbor from the routing table.

To improve performance and avoid routing loops, RIP supports Split Horizon and Poison Reverse and allows importing routes discovered by other routing protocols.

Each router running RIP manages a route database, which contains routing entries to all reachable destinations in the network. These routing entries contain the following information:

- Destination address: IP address of a host or network.
- Next hop address: The address of the next router that an IP packet passes through to reach the destination.
- Output interface: The interface through which the IP packet should be forwarded.
- Cost: The cost for the router to reach the destination, an integer in the range 0 to 16.
- Timer: Time elapsed since the routing entry was last modified. The timer is reset to 0 whenever a routing entry is modified.
- Route tag: Distinguishes whether the route was generated by an interior routing protocol or by an exterior routing protocol.

The whole process of RIP startup and running can be described as follows:

1) If RIP is enabled on a router for the first time, the router broadcasts or multicasts a request packet to the adjacent routers. Upon receiving the request packet, the adjacent routers (on which RIP should already be enabled) respond by returning response packets containing the information of their local routing tables.
2) After receiving the response packets, the router that sent the request modifies its own routing table.
3) At the same time, RIP broadcasts its routing table to the adjacent routers every 30 seconds. The adjacent routers maintain their own routing tables after receiving the packets, select an optimal route, and then advertise the modification information to their respective adjacent networks so that the updated route becomes known globally.

Furthermore, RIP uses a timeout mechanism to handle timed-out routes so as to ensure the timeliness and validity of the routes. With these mechanisms, RIP, an interior routing protocol, enables the router to learn the routing information of the whole network. RIP has become one of the de facto standards for transmitting router and host routes. It can be used in most campus networks and regional networks that are simple yet extensive. For larger and more complicated networks, RIP is not recommended.

3.2 RIP Configuration
In the configuration tasks, only after RIP is enabled can the other functional features be configured. The configuration of the interface-related features, however, is not restricted by whether RIP has been enabled. Note that after RIP is disabled, the interface-related features also become invalid.

The RIP configuration includes:

- Enable RIP and Enter RIP view
- Enable RIP Interface
- Configure Unicast of the Message
- Specify RIP Version of the Interface
- Configure zero field check of the interface packet
- Specify the operating state of the interface
- Disable host route
- Route Aggregation Function
- Set RIP Packet Authentication
- Configure Split Horizon
- Configure RIP to Import Routes of Other Protocols
- Configure Default Cost for the Imported Route
- Set the RIP Preference
- Set Additional Routing Cost
- Configure Route Filtering

3.2.1 Enable RIP and Enter RIP view
Perform the following configurations in system view.

Table 3-1 Enable RIP and Enter RIP View

Operation                         Command
Enable RIP and enter the RIP view  rip
Disable RIP                        undo rip

By default, RIP is not enabled.

3.2.2 Enable RIP Interface
To flexibly control RIP operation, you can specify the interface and assign the network where it is located to the RIP network, so that these interfaces can send and receive RIP packets. Perform the following configurations in RIP view.

Table 3-2 Enable RIP Interface

Operation                                       Command
Enable RIP on the specified network interface   network network-address
Disable RIP on the specified network interface  undo network network-address

Note that after the RIP task is enabled, you should also specify its operating network segment, because RIP only operates on the interfaces on the specified network. For an interface that is not on the specified network, RIP neither receives nor sends routes on it, nor advertises the interface's own route, as if this interface did not exist at all. network-address is the address of the enabled or disabled network, and it can also be configured as the IP network address of the respective interface. When the network command is used for an address, the effect is to enable the interface of the network with this address. For example, for network 129.102.1.1, you can see network 129.102.0.0 using either the display current-configuration or the display rip command. By default, RIP is disabled on all interfaces after it is started up.

3.2.3 Configure Unicast of the Message
RIP is a broadcast protocol. It exchanges routing information with non-broadcasting networks in unicast mode.

Perform the following configuration in RIP view.

Table 3-3 Configure unicast of the message

Operation                         Command
Configure unicast of the message  peer ip-address
Cancel unicast of the message     undo peer ip-address

By default, RIP does not send any message to any unicast address. Usually, this command is not recommended, because the opposite side does not need to receive two copies of the same message at a time. Note that peer is also restricted by rip work, rip output, rip input and network.

3.2.4 Specify RIP Version of the Interface
RIP has two versions, RIP-1 and RIP-2. You can specify the version of the RIP packets processed by an interface. RIP-1 broadcasts its packets. RIP-2 can transmit packets by both broadcast and multicast. By default, multicast is used for transmitting packets. In RIP-2, the multicast address is 224.0.0.9. The advantage of transmitting packets in multicast mode is that hosts not running RIP on the same network do not receive RIP broadcast packets. In addition, this mode prevents hosts running RIP-1 from incorrectly receiving and processing the routes with subnet masks in RIP-2. When an interface is running RIP-2 in broadcast mode, RIP-1 packets can also be received. Perform the following configuration in VLAN interface view:

Table 3-4 Specify RIP Version of the Interface

Operation                                                  Command
Specify the interface version as RIP-1                     rip version 1
Specify the interface version as RIP-2                     rip version 2 [ broadcast | multicast ]
Restore the default RIP version running on the interface   undo rip version

By default, the interface receives and sends the RIP-1 packets. It will transmit packets in multicast mode by default when the interface RIP version is set to RIP-2.

3.2.5 Configure RIP-1 zero field check of the interface packet
According to RFC1058, some fields in the RIP-1 packet must be 0, and they are called zero fields. Therefore, when an interface version is set to RIP-1, the zero field check should be performed on the packet; if the value in a zero field is not zero, processing is refused. As there are no zero fields in the RIP-2 packet, this configuration is invalid for RIP-2. Perform the following configurations in RIP view.

Table 3-5 Configure zero field check of the interface packet

Operation                                      Command
Configure zero field check on the RIP-1 packet  checkzero
Disable zero field check on the RIP-1 packet    undo checkzero

By default, RIP-1 performs zero field check on the packet.

3.2.6 Specify the operating state of the interface
In VLAN interface view, you can specify the operating state of RIP on the interface: for example, whether RIP operates on the interface, namely, whether RIP update packets are sent and received on the interface. In addition, whether an interface sends or receives RIP update packets can be specified separately. Perform the following configuration in VLAN interface view:

Table 3-6 Specify the operating state of the interface

Operation                                            Command
Enable the interface to run RIP                      rip work
Disable the interface from running RIP               undo rip work
Enable the interface to receive RIP update packets   rip input
Disable the interface from receiving RIP update packets  undo rip input
Enable the interface to send RIP update packets      rip output
Disable the interface from sending RIP update packets  undo rip output

The undo rip work command and the undo network command have similar but not identical functions. Neither command lets the interface receive or send RIP routes. But in the undo rip work state, other interfaces still advertise the route of the interface the command was applied to, while in the undo network state, other interfaces no longer advertise that interface's route, as if the interface had been removed. In addition, rip work is functionally equivalent to rip input and rip output together. By default, all interfaces except loopback interfaces both receive and transmit RIP update packets.

3.2.7 Disable host route
In some special cases, the router can receive a lot of host routes from the same segment, and these routes are of little help in route addressing but consume a lot of network resources. Routers can be configured to reject host routes by using the undo host-route command. Perform the following configurations in RIP view.

Table 3-7 Disable host route

Operation                     Command
Enable receiving host routes   host-route
Disable receiving host routes  undo host-route

By default, the router receives the host route.

3.2.8 RIP-2 Route Aggregation Function
Route aggregation means that different subnet routes in the same natural network can be aggregated into one natural-mask route for transmission when they are sent to the outside (i.e. another network). Route aggregation can be performed to reduce the routing traffic on the network as well as to reduce the size of the routing table. RIP-1 only sends routes with the natural mask, that is, it always sends routes in aggregated form. RIP-2 supports subnet masks and classless interdomain routing. To advertise all the subnet routes, the route aggregation function of RIP-2 can be disabled. Perform the following configurations in RIP view.

Table 3-8 Route Aggregation Function

Operation                                            Command
Activate the automatic aggregation function of RIP-2  summary
Disable the automatic aggregation function of RIP-2   undo summary

By default, RIP-2 automatic route summarization is enabled.

3.2.9 Set RIP-2 Packet Authentication
RIP-1 does not support packet authentication. But when an interface runs RIP-2, packet authentication can be configured. RIP-2 supports two authentication modes: simple authentication and MD5 authentication. MD5 authentication uses two packet formats: one follows RFC1723 (RIP Version 2 Carrying Additional Information) and the other follows RFC2082 (RIP-2 MD5 Authentication).

Simple authentication does not ensure security. The authentication key is sent unencrypted together with the packet, so simple authentication cannot be applied where security requirements are high. Perform the following configuration in VLAN interface view:

Table 3-9 Set RIP-2 Packet Authentication

Operation                                               Command
Configure RIP-2 simple authentication key               rip authentication-mode simple password-string
Configure RIP-2 MD5 authentication key                  rip authentication-mode md5 key-string password-string
Configure RIP-2 MD5 authentication identifier           rip authentication-mode md5 key-id key-id
Set the packet format type of RIP-2 MD5 authentication  rip authentication-mode md5 type { nonstandard | usual }
Cancel authentication of RIP-2 packets                  undo rip authentication-mode

MD5 authentication is used by default. If the MD5 authentication type is not set, the nonstandard packet format following RFC2082 is used.

3.2.10 Configure Split Horizon
Split horizon means that a route received via an interface is not sent out via the same interface again. Split horizon is necessary to reduce routing loops. But in some special cases, split horizon must be disabled so as to get correct advertising at the cost of efficiency. Disabling split horizon has no effect on point-to-point links but is applicable on Ethernet. Perform the following configuration in VLAN interface view:

Table 3-10 Configure Split Horizon

Operation              Command
Enable split horizon   rip split-horizon
Disable split horizon  undo rip split-horizon

By default, split horizon of the interface is enabled.

3.2.11 Configure RIP to Import Routes of Other Protocols
RIP allows users to import the route information of other protocols into the routing table. RIP can import the routes of Direct, Static, OSPF and BGP, etc. Perform the following configurations in RIP view.

Table 3-11 Configure RIP to import Routes of Other Protocols

Operation                                                   Command
Configure RIP to import routes of other protocols           import-route protocol [ cost value | route-policy route-policy-name ]*
Cancel the imported routing information of other protocols  undo import-route protocol

By default, RIP does not import the route information of other protocols.

3.2.12 Configure Default Cost for the Imported Route
When using the import-route command to import the routes of other protocols, you can specify their cost. If you do not specify the cost of an imported route, RIP sets it to the default cost, specified by the default cost parameter. Perform the following configurations in RIP view.

Table 3-12 Configure default cost for the imported route

Operation                                        Command
Configure the default cost for imported routes   default cost value
Restore the default cost of imported routes      undo default cost

By default, the cost value for the RIP imported route is 1.

3.2.13 Set the RIP Preference
Each kind of routing protocol has its own preference, by which the routing policy selects the optimal one from the routes of different protocols. The greater the preference value is, the lower the preference becomes. The preference of RIP can be set manually. Perform the following configurations in RIP view.

Table 3-13 Set the RIP Preference

Operation                                    Command
Set the RIP preference                       preference value
Restore the default value of RIP preference  undo preference

By default, the preference of RIP is 100.

3.2.14 Set Additional Routing Metric
The additional routing metric is the input or output metric added to a RIP route. It does not change the metric value of the route in the routing table, but adds a specified metric value when the interface receives or sends a route. Perform the following configuration in VLAN interface view:

Table 3-14 Set additional routing metric

Operation                                                                             Command
Set the additional routing metric of the route when the interface receives a RIP packet   rip metricin value
Disable the additional routing metric of the route when the interface receives a RIP packet  undo rip metricin
Set the additional routing metric of the route when the interface sends a RIP packet      rip metricout value
Disable the additional routing metric of the route when the interface sends a RIP packet  undo rip metricout

By default, the additional routing metric added to the route when RIP sends the packet is 1. The additional routing metric when RIP receives the packet is 0 by default.
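The RIP route database of section 3.1, together with the split horizon behaviour of section 3.2.10 and the metricin/metricout adjustments above, as an added Python model that is not part of the manual and not S3500 code: each router keeps entries with a cost and a timer, builds its response with split horizon and metricout applied, processes received responses with metricin added, and ages learned routes with the 180 s and 300 s timers. The networks are those of Figure 3-1; the interface names "seg" and "lan", Switch B's segment address 110.11.2.3 and the single update round are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

INFINITY = 16        # a hop count of 16 or more means unreachable (section 3.1)
TIMEOUT = 180        # no refresh for 180 s: route tagged unreachable (section 3.1)
GARBAGE = 300        # no refresh for 300 s: route removed from the table (section 3.1)
DIRECT = "0.0.0.0"   # next-hop marker for a directly connected network (constructed)

@dataclass
class Entry:
    dest: str          # destination network, e.g. "155.10.1.0"
    next_hop: str      # DIRECT for a connected network
    interface: str     # output interface; for a learned route, the interface it came in on
    cost: int          # 0..16
    timer: int = 0     # seconds since the entry was last refreshed or modified

@dataclass
class Interface:
    name: str
    metricin: int = 0            # rip metricin default (section 3.2.14)
    metricout: int = 1           # rip metricout default (section 3.2.14)
    split_horizon: bool = True   # rip split-horizon default (section 3.2.10)

class RipRouter:
    def __init__(self, name: str, interfaces: list[Interface], connected: dict[str, str]):
        self.name = name
        self.ifaces = {i.name: i for i in interfaces}
        # connected maps network -> interface name; a directly connected network costs 0
        self.table = {net: Entry(net, DIRECT, ifn, 0) for net, ifn in connected.items()}

    def response(self, out_iface: str) -> list[tuple[str, int]]:
        """Routes advertised through out_iface: split horizon withholds routes learned on
        that interface, and metricout is added to every advertised cost (capped at 16)."""
        iface = self.ifaces[out_iface]
        return [(e.dest, min(e.cost + iface.metricout, INFINITY)) for e in self.table.values()
                if not (iface.split_horizon and e.next_hop != DIRECT and e.interface == out_iface)]

    def receive(self, in_iface: str, neighbor: str, routes: list[tuple[str, int]]) -> list[str]:
        """Process a response packet from neighbor, adding metricin to each cost.
        Returns the destinations whose entry changed."""
        iface, changed = self.ifaces[in_iface], []
        for dest, cost in routes:
            cost = min(cost + iface.metricin, INFINITY)
            cur = self.table.get(dest)
            if cur is None:
                if cost < INFINITY:                 # never install an unreachable route
                    self.table[dest] = Entry(dest, neighbor, in_iface, cost)
                    changed.append(dest)
            elif cur.next_hop == neighbor:          # refresh from the current next hop
                cur.timer = 0
                if cost != cur.cost:
                    cur.cost = cost
                    changed.append(dest)
            elif cost < cur.cost:                   # a cheaper route via another neighbor
                self.table[dest] = Entry(dest, neighbor, in_iface, cost)
                changed.append(dest)
        return changed

    def tick(self, seconds: int) -> list[str]:
        """Age learned routes: at 180 s the cost becomes 16, at 300 s the entry is
        removed. Returns the removed destinations."""
        removed = []
        for dest, e in list(self.table.items()):
            if e.next_hop == DIRECT:
                continue                            # connected networks do not age
            e.timer += seconds
            if e.timer >= GARBAGE:
                del self.table[dest]
                removed.append(dest)
            elif e.timer >= TIMEOUT:
                e.cost = INFINITY
        return removed

def exchange(routers: dict[str, RipRouter], seg_iface: str) -> None:
    """One 30-second update round on a shared segment: each router sends its response
    and every other router on the segment processes it."""
    for addr, sender in routers.items():
        adv = sender.response(seg_iface)
        for other, receiver in routers.items():
            if other != addr:
                receiver.receive(seg_iface, addr, adv)

def build_figure_3_1() -> dict[str, RipRouter]:
    """Switches A, B and C of Figure 3-1 keyed by their address on Ethernet 110.11.2.0.
    Interface names are constructed; Switch B's address is not in the figure (110.11.2.3 assumed)."""
    def switch(name: str, lan: str) -> RipRouter:
        return RipRouter(name, [Interface("seg"), Interface("lan")],
                         {"110.11.2.0": "seg", lan: "lan"})
    return {"110.11.2.1": switch("Switch A", "155.10.1.0"),
            "110.11.2.3": switch("Switch B", "196.38.165.0"),
            "110.11.2.2": switch("Switch C", "117.102.0.0")}
```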

3.2.15 Configure Route Filtering
The router provides a route filtering function. You can configure the filter policy rules by specifying an ACL and an ip-prefix list for route redistribution and distribution. Besides, to import routes, the RIP packets of a specific router can also be accepted by designating a neighbor router. Perform the following configurations in RIP view.

I. Configure filtering the route received by RIP
Table 3-15 Configure RIP to filter the received routes

Operation                                                                          Command
Configure filtering of the received routing information distributed by the specified address  filter-policy gateway ip-prefix-name import
Cancel filtering of the received routing information distributed by the specified address     undo filter-policy gateway ip-prefix-name import
Configure filtering of the received global routing information                      filter-policy { acl-number | ip-prefix ip-prefix-name } import
Cancel filtering of the received global routing information                         undo filter-policy { acl-number | ip-prefix ip-prefix-name } import

II. Configure filtering the route distributed by RIP
Table 3-16 Configure RIP to filter the distributed routes

Operation                                               Command
Configure RIP to filter the distributed routing information  filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-protocol ]
Cancel the RIP filtering of the routing information          undo filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-protocol ]

By default, RIP will not filter the received and distributed routing information.

3.3 Display and Debug RIP
After the above configuration, execute the display command in any view to display the running state of the RIP configuration and to verify the effect of the configuration. Execute the debugging command in user view to debug the RIP module. Execute the reset command in RIP view to reset the system configuration parameters of RIP.

Table 3-17 Display and debug RIP

Operation                                                   Command
Display the current RIP running state and configuration     display rip
Enable RIP debugging information                            debugging rip packet
Disable RIP debugging information                           undo debugging rip packet
Enable debugging of RIP packet receiving                    debugging rip receive
Disable debugging of RIP packet receiving                   undo debugging rip receive
Enable debugging of RIP packet sending                      debugging rip send
Disable debugging of RIP packet sending                     undo debugging rip send
Restore the default settings of RIP                         reset

3.4 Typical RIP Configuration Example
3.4.1 Networking requirements
As shown in the following figure, the S3500 Ethernet Switch C connects to the subnet 117.102.0.0 through the Ethernet port. The Ethernet ports of S3500 Ethernet Switch A and Switch B are respectively connected to the network 155.10.1.0 and 196.38.165.0. Switch C, Switch A and Switch B are connected via Ethernet 110.11.2.0. Correctly configure RIP to ensure that Switch C, Switch A and Switch B can interconnect.

3.4.2 Networking diagram

Figure labels (diagram not reproduced): Switch A, interface address 155.10.1.1/24, network address 155.10.1.0/24, Ethernet interface address 110.11.2.1/24; shared Ethernet labelled "Network address: 110.11.2.2/24"; Switch C, interface address 117.102.0.1/16, network address 117.102.0.0/16; Switch B, interface address 196.38.165.1/24, network address 196.38.165.0/24.

Figure 3-1 RIP configuration networking

3.4.3 Configuration procedure

Note: The following configuration only shows the operations related to RIP. Before performing the following configuration, please make sure the Ethernet link layer can work normally.

1) Configure Switch A:

# Configure RIP
[Switch A] rip
[Switch A-rip] network 110.11.2.0
[Switch A-rip] network 155.10.1.0

2) Configure Switch B:

# Configure RIP
[Switch B] rip
[Switch B-rip] network 196.38.165.0
[Switch B-rip] network 110.11.2.0

3) Configure Switch C:

# Configure RIP
[Switch C] rip
[Switch C-rip] network 117.102.0.0
[Switch C-rip] network 110.11.2.0

3.5 RIP Fault Diagnosis and Troubleshooting
Fault: The S3500 Ethernet Switch cannot receive update packets although the physical connection to the peer routing device is normal.

Troubleshooting:
- RIP does not operate on the corresponding interface (for example, the undo rip work command has been executed), or this interface has not been enabled through the network command.
- The peer routing device is configured in multicast mode (for example, the rip version 2 multicast command has been executed) but multicast mode has not been configured on the corresponding interface of the local Ethernet Switch.

Chapter 4 OSPF Configuration
4.1 OSPF Overview
4.1.1 Introduction to OSPF
Open Shortest Path First (OSPF) is an Interior Gateway Protocol based on link state, developed by the IETF. At present, OSPF version 2 (RFC2328) is used, which provides the following features:

- Applicable scope: It supports networks of various sizes, up to several hundred routers.
- Fast convergence: It transmits update packets immediately after the network topology changes, so that the change is synchronized in the AS.
- Loop-free: Since OSPF calculates routes with the shortest path tree algorithm according to the collected link states, the algorithm itself guarantees that no routing loops are generated.
- Area partition: It allows the network of an AS to be divided into different areas for convenience of management, so that the routing information transmitted between areas is further abstracted, reducing network bandwidth consumption.
- Equal-cost multi-route: It supports multiple equal-cost routes to a destination.
- Routing hierarchy: OSPF has a four-level routing hierarchy. It prioritizes routes as intra-area, inter-area, external type-1 and external type-2 routes.
- Authentication: It supports interface-based packet authentication to guarantee the security of route calculation.
- Multicast transmission: It supports multicast addresses for receiving and sending packets.

4.1.2 Process of OSPF Route Calculation
The routing calculation process of the OSPF protocol is as follows:

- Each OSPF-capable router maintains a Link State Database (LSDB), which describes the topology of the whole AS. According to the network topology around itself, each router generates a Link State Advertisement (LSA). The routers on the network transmit the LSAs among themselves by sending protocol packets to each other. Thus each router receives the LSAs of the other routers, and all these LSAs compose its LSDB. An LSA describes the network topology around a router, so the LSDB describes the network topology of the whole network. Routers can easily transform the LSDB into a weighted directed graph, which reflects the topology of the whole network. Obviously, all the routers get exactly the same graph.
- A router uses the SPF algorithm to calculate the shortest path tree with itself as the root, which gives the routes to the nodes in the autonomous system. External routing information is attached as leaf nodes. A router that advertises the routes also tags them and records additional information about the autonomous system. Obviously, the routing tables obtained by different routers are different.

Furthermore, suppose that the routers are directly connected, without other routing devices in between, on a broadcast network. To enable the individual routers to broadcast the information of their local status to the whole AS, any two routers in the environment would have to establish adjacency between them. In this case, however, a change on any router results in multiple transmissions, which are not only unnecessary but also waste precious bandwidth. To solve this problem, the "Designated Router" (DR) is defined in OSPF. Thus all routers only send information to the DR, which broadcasts the network link states on the network. Thereby the number of adjacencies on the multi-access network is reduced.

OSPF supports interface-based packet authentication to guarantee the security of route calculation. Also, it transmits and receives packets by IP multicast.

4.1.3 OSPF Packets
OSPF uses five types of packets:

Hello packet: the commonest packet, sent periodically by a router to its neighbors. It contains the values of some timers, the DR, the BDR and the known neighbors.

Database Description (DD) packet: when two routers synchronize their databases, they use DD packets to describe their own LSDBs, including the digest of each LSA. The digest is the header (HEAD) of an LSA, which uniquely identifies the LSA. This reduces the traffic between the routers, since the header of an LSA is only a small portion of the whole LSA. From the header, the peer router can judge whether it already has the LSA.

Link State Request (LSR) packet: after exchanging DD packets, the two routers know which of the peer's LSAs are missing from their local LSDBs. They then send LSR packets to the peer requesting the needed LSAs. The packets contain the digests of the needed LSAs.

Link State Update (LSU) packet: used to transmit the needed LSAs to the peer router. It contains a collection of multiple LSAs (complete contents).

Link State Acknowledgment (LSAck) packet: used to acknowledge received LSU packets. It contains the header(s) of the LSA(s) being acknowledged.
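The DD / LSR / LSU / LSAck exchange described above, as an added example that is not part of the manual: a constructed Python model in which two routers compare LSA headers carried in DD packets, request what they lack with LSR, answer with LSU and acknowledge with LSAck. Router IDs, LSA contents and sequence numbers are constructed sample values, and "newer instance" is simplified to a sequence-number comparison.

```python
from dataclasses import dataclass

# Added example (not from the manual): a constructed model of the DD / LSR / LSU /
# LSAck exchange. Headers, sequence numbers and bodies are sample values; real
# LSA headers carry more fields (age, checksum, length) than modelled here.


@dataclass(frozen=True)
class LsaHeader:
    """The 'HEAD' (digest) of an LSA: enough to identify it and to tell which copy is newer."""
    ls_type: int        # 1 = router-LSA, 2 = network-LSA, ...
    ls_id: str
    adv_router: str
    seq: int            # higher sequence number = newer instance

    @property
    def key(self):
        return (self.ls_type, self.ls_id, self.adv_router)


@dataclass
class Lsa:
    header: LsaHeader
    body: str           # full contents; only LSU packets carry this


class Router:
    def __init__(self, router_id, lsas):
        self.router_id = router_id
        self.lsdb = {lsa.header.key: lsa for lsa in lsas}

    def dd_packet(self):
        """DD packet: only the headers of the LSAs held locally."""
        return [lsa.header for lsa in self.lsdb.values()]

    def lsr_packet(self, peer_dd):
        """LSR packet: headers of peer LSAs that are missing locally or newer than ours."""
        wanted = []
        for hdr in peer_dd:
            mine = self.lsdb.get(hdr.key)
            if mine is None or mine.header.seq < hdr.seq:
                wanted.append(hdr)
        return wanted

    def lsu_packet(self, lsr):
        """LSU packet: the complete LSAs answering a peer's LSR."""
        return [self.lsdb[hdr.key] for hdr in lsr]

    def receive_lsu(self, lsu):
        """Install received LSAs (newer instances replace older) and return the LSAck headers."""
        acked = []
        for lsa in lsu:
            mine = self.lsdb.get(lsa.header.key)
            if mine is None or mine.header.seq < lsa.header.seq:
                self.lsdb[lsa.header.key] = lsa
            acked.append(lsa.header)
        return acked


def synchronize(a, b):
    """One full exchange in both directions; returns the number of LSAs acknowledged."""
    dd_a, dd_b = a.dd_packet(), b.dd_packet()
    lsr_a, lsr_b = a.lsr_packet(dd_b), b.lsr_packet(dd_a)   # each side asks for what it lacks
    ack_a = a.receive_lsu(b.lsu_packet(lsr_a))               # B answers A's request
    ack_b = b.receive_lsu(a.lsu_packet(lsr_b))               # A answers B's request
    return len(ack_a) + len(ack_b)


def databases_match(a, b):
    """True when both routers hold the same LSA instances (same keys and sequence numbers)."""
    return {k: v.header for k, v in a.lsdb.items()} == {k: v.header for k, v in b.lsdb.items()}


def run_sample():
    """Constructed scenario: A and B hold partly overlapping LSDBs; B has a newer copy of one LSA."""
    r2_old = Lsa(LsaHeader(1, "2.2.2.2", "2.2.2.2", 0x80000001), "links of 2.2.2.2 (old)")
    r2_new = Lsa(LsaHeader(1, "2.2.2.2", "2.2.2.2", 0x80000003), "links of 2.2.2.2 (new)")
    a = Router("1.1.1.1", [Lsa(LsaHeader(1, "1.1.1.1", "1.1.1.1", 0x80000002), "links of 1.1.1.1"),
                           r2_old])
    b = Router("2.2.2.2", [r2_new,
                           Lsa(LsaHeader(2, "10.0.0.1", "1.1.1.1", 0x80000001), "net 10.0.0.0/24")])
    moved = synchronize(a, b)
    return moved, a, b


if __name__ == "__main__":
    moved, a, b = run_sample()
    print("LSAs acknowledged:", moved, "databases match:", databases_match(a, b))
```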

4.1.4 Basic Concepts Related to OSPF
I. Router ID
To run OSPF, a router must have a router ID. If no router ID is configured, the system automatically selects one of the IP addresses of the current interfaces as the router ID.

II. DR and BDR
Designated Router (DR)

Suppose there is a broadcast network in which the routers are directly connected without other in-between routing devices. For the individual routers to broadcast their local link states to the whole AS, all routers in the environment would have to establish adjacencies with each other. In this case, however, a change on any router results in multiple transmissions, which is not only unnecessary but also wastes precious bandwidth. To solve the problem, OSPF defines the "Designated Router" (DR). All the routers only need to send information to the DR, which broadcasts the network link states. Which router becomes the DR on a segment is not specified manually; instead, the DR is elected by all the routers on the segment.

Backup Designated Router (BDR)

If the DR fails, a new DR must be elected and the other routers on the segment must synchronize with it. This process takes a relatively long time, during which route calculation is incorrect. To shorten the process, OSPF introduces the BDR, which is in fact a backup for the DR. The DR and BDR are elected at the same time. Adjacencies are also established between the BDR and all the routers on the segment, and routing information is exchanged between them as well. When the existing DR fails, the BDR becomes the DR immediately.

III. Area
Networks keep growing larger. If all the routers on a huge network run OSPF, the large number of routers results in an enormous LSDB, which consumes a great deal of storage space, complicates the SPF algorithm and adds to the CPU load. Furthermore, as a network grows larger, the topology becomes more likely to change. The network is then always in "turbulence", and a great many OSPF packets are generated and transmitted in the network. This lowers the

utilization of the network bandwidth. In addition, each change causes all the routers on the network to recompute their routes.

OSPF solves the above problems by partitioning an AS into different areas. Areas logically group the routers. The borders of areas are formed by routers, so some routers belong to several areas. A router that connects the backbone area and a non-backbone area is called an Area Border Router (ABR). An ABR can connect to the backbone area physically or logically.

IV. Backbone area and virtual link
Backbone Area

After OSPF divides an AS into areas, not all the areas are equal. One area is different from all the others: its area-id is 0 and it is usually called the backbone area.

Virtual link

Since all the areas must be logically connected, virtual links are used so that physically separated areas can still maintain logical connectivity.

V. Route summary
An AS is divided into different areas that are interconnected via OSPF ABRs. The routing information exchanged between areas can be reduced through route summary. Thus, the size of the routing table is reduced and the calculation speed of the router improves. After finding an intra-area route of an area, the ABR looks up the routing table, encapsulates each OSPF route into an LSA and sends it outside the area.

4.2 OSPF Configuration
In all configurations, you must first enable OSPF and specify the interface and area ID before configuring other functions. The configuration of interface-related functions, however, is not restricted by whether OSPF is enabled. Note that after OSPF is disabled, the OSPF-related interface parameters also become invalid.

OSPF configuration includes:

Enable OSPF and Enter the OSPF View
Enter OSPF Area View
Specify Interface
Configure Router ID
Configure the Network Type on an OSPF Interface
Configure the Cost for Sending Packets on an Interface
Set the Interface Priority for DR Election
Set the Peer
Set the Interval of Hello Packet Transmission

Set a Dead Timer for the Neighboring Routers
Configure an Interval Required for Sending LSU Packets
Set an Interval for LSA Retransmission between Neighboring Routers
Set a Shortest Path First (SPF) Calculation Interval for OSPF
Configure STUB Area of OSPF
Configure NSSA of OSPF
Configure the Route Summarization of OSPF Area
Configure OSPF Area Route Summary
Configure OSPF Virtual Link
Configure Summarization of Imported Routes by OSPF
Configure the OSPF Area to Support Packet Authentication
Configure OSPF Packet Authentication
Configure OSPF to Import Routes of Other Protocols
Configure Parameters for OSPF to Import External Routes
Configure OSPF to Import the Default Route
Set OSPF Route Preference
Configure OSPF Route Filtering
Configure to Fill the MTU Field When an Interface Transmits DD Packets
Disable the Interface to Send OSPF Packets
Reset the OSPF Process

4.2.1 Enable OSPF and Enter OSPF View
Perform the following configurations in system view.

Table 4-1 Enable OSPF process

Operation                    Command
Enable the OSPF process      ospf
Disable the OSPF process     undo ospf

By default, OSPF is not enabled.

4.2.2 Enter OSPF Area view
Perform the following configurations in OSPF view.

Table 4-2 Enter OSPF Area view

Operation                        Command
Enter OSPF Area view             area area-id
Delete a designated OSPF area    undo area area-id

area-id: ID of the OSPF area, which can be a decimal integer or in IP address format.

4.2.3 Specify interface
OSPF further divides the AS into different areas. An area logically groups the routers. Some routers belong to several areas (such routers are called ABRs), but one segment can belong to only one area. In other words, you must assign each OSPF interface to a particular area identified by its area ID. Areas transfer routing information between them via the ABRs. In addition, the parameters of all the routers in the same area should be identical. Therefore, when configuring the routers in the same area, note that most configurations are area-based. A wrong configuration may prevent neighboring routers from exchanging information, and may even lead to congestion or routing loops.

Perform the following configuration in OSPF Area view.

Table 4-3 Specify interface

Operation                            Command
Specify an interface to run OSPF     network ip-address ip-mask
Disable OSPF on the interface        undo network ip-address ip-mask

After enabling OSPF, you must specify the segments to which OSPF applies.

4.2.4 Configure Router ID
The router ID is a 32-bit unsigned integer that uniquely identifies a router within an AS. It can be configured manually. If no router ID is configured, the system selects the IP address of an interface automatically. When you configure it manually, you must guarantee that the IDs of any two routers in the AS are different. A common practice is to set the router ID to the IP address of an interface on the router.

Perform the following configurations in system view.

Table 4-4 Configure router ID

Operation                  Command
Configure the router ID    router id router-id
Remove the router ID       undo router id

To ensure stability of OSPF, the user should determine the division of router IDs and manually configure them when implementing network planning.

4.2.5 Configure the Network Type on the OSPF Interface
OSPF route calculation is based upon the topology of the network adjacent to the local router. Each router describes the topology of its adjacent network and transmits it to all the other routers. OSPF divides networks into four types by link layer protocol:

Broadcast: if Ethernet or FDDI is used, OSPF defaults the network type to broadcast.
Non-Broadcast Multi-access (nbma): if Frame Relay, ATM, HDLC or X.25 is used, OSPF defaults the network type to NBMA.
Point-to-Multipoint (p2mp): OSPF does not default any link layer protocol to p2mp. The usual practice is to change a partially connected NBMA network to a p2mp network.
Point-to-point (p2p): if PPP, LAPB or POS is used, OSPF defaults the network type to p2p.

NBMA means that a network is non-broadcast and multi-access; ATM is a typical example. The user can configure the poll interval, that is, the interval at which polling Hello packets are sent before the adjacency with the neighboring router is formed.

Configure the interface type to nonbroadcast on a broadcast network without multi-access capability. Configure the interface type to p2mp if not all the routers on an NBMA network are directly reachable. Change the interface type to p2p if the router has only one peer on the NBMA network.

The differences between NBMA and p2mp are as follows:

In OSPF, NBMA refers to networks that are fully connected, non-broadcast and multi-access. A p2mp network is not required to be fully connected.
A DR and BDR are required on an NBMA network but not on a p2mp network.
NBMA is a default network type. For example, if ATM is the link layer protocol, OSPF defaults the network type of the interface to NBMA, regardless of whether the network is fully connected. P2mp is never a default network type: no link layer protocol is regarded as p2mp, so you must change the network type to p2mp explicitly. The commonest practice is to change a partially connected NBMA network to a p2mp network.
NBMA forwards packets by unicast and requires neighbors to be configured manually. P2mp forwards packets by multicast.

Perform the following configuration in VLAN interface view:

Table 4-5 Configure the network type on an interface running OSPF

Operation                                      Command
Configure the network type on the interface    ospf network-type { broadcast | nbma | p2mp | p2p }

After the interface has been configured with a new network type, the original network type of the interface is removed automatically.

4.2.6 Configure the Cost for Sending Packets on an Interface
The user can control the network traffic by configuring different packet-sending costs on different interfaces. Otherwise, OSPF automatically calculates the cost according to the baud rate of the interface.

Perform the following configuration in VLAN interface view:

Table 4-6 Configure the cost for sending packets on an interface

Operation                                                        Command
Configure the cost for sending packets on the interface          ospf cost value
Restore the default cost for packet transmission on the interface   undo ospf cost

4.2.7 Set the Interface Priority for DR Election
The priority of a router interface determines whether the interface qualifies in DR election, and the router with the higher priority is considered first if there is a conflict in the election. The DR is not designated manually; instead, it is elected by all the routers on the segment. Routers with priority > 0 on the network are eligible "candidates". Among all the routers that declare themselves DR, the one with the highest priority is elected. If two routers have the same priority, the one with the highest router ID is elected DR. The votes are the Hello packets: each router writes its expected DR in the packet and sends it to all the other routers on the segment. If two routers attached to the same segment declare themselves DR at the same time, the one with the higher priority is chosen; if the priorities are the same, the one with the greater router ID is chosen. A router with priority 0 is never elected DR or BDR.

If the DR fails, the routers on the network must elect a new DR and synchronize with it. This process takes a relatively long time, during which route calculation is incorrect. To speed up this process, OSPF introduces the concept of the BDR, which is in fact a backup for the DR. The DR and BDR are elected at the same time. Adjacencies are also established between the BDR and all the routers on the segment, and routing information is exchanged between them as well. When the

DR fails, the BDR becomes the DR instantly. Since no re-election is needed and the adjacencies are already established, the process is very short. A new BDR must then be elected; although that also takes quite a long time, it has no influence on route calculation.

Please note:

The DR on the network is not necessarily the router with the highest priority. Likewise, the BDR is not necessarily the router with the second highest priority.
If a new router is added after the DR and BDR have been elected, it cannot become the DR even if it has the highest priority.
The DR is defined per router interface on a given segment. A router may be the DR on one interface and a BDR or DROther on another.
DR election is only required on broadcast or NBMA interfaces. On p2p or p2mp interfaces, DR election is not required.

Perform the following configuration in VLAN interface view:

Table 4-7 Set the interface priority for DR election

Operation                                            Command
Configure the interface priority for DR election     ospf dr-priority priority_num
Restore the default interface priority               undo ospf dr-priority

By default, the priority of the Interface is 1 in the DR election. The value can be taken from 0 to 255.
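The election rules stated in this section (priority, router-ID tie-break, priority 0 ineligible, BDR promotion, no preemption by a newcomer), as an added example that is not from the manual: a constructed Python model of one segment. Router IDs and priorities are sample values, and the model is deliberately simpler than the full election procedure of RFC 2328 section 9.4.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

# Added example (not from the manual): a simplified DR/BDR election following the rules
# given in section 4.2.7. Router IDs and priorities are constructed sample values.


@dataclass
class Neighbor:
    router_id: str
    priority: int = 1      # default interface priority is 1; 0 means never DR or BDR
    alive: bool = True


def rank(n):
    """Higher priority wins; on a tie, the numerically greater router ID wins."""
    return (n.priority, int(IPv4Address(n.router_id)))


class Segment:
    """The routers attached to one broadcast/NBMA segment and its current DR/BDR."""

    def __init__(self):
        self.routers = {}
        self.dr = None
        self.bdr = None

    def candidates(self):
        """Eligible router IDs, best first."""
        eligible = [r for r in self.routers.values() if r.alive and r.priority > 0]
        return [r.router_id for r in sorted(eligible, key=rank, reverse=True)]

    def elect(self):
        ids = self.candidates()
        # An elected DR is not preempted by a newcomer, however high its priority.
        if self.dr not in ids:
            if self.bdr in ids:
                # The BDR already has adjacencies with everyone: it becomes DR instantly.
                self.dr, self.bdr = self.bdr, None
            else:
                self.dr = ids[0] if ids else None
        # A new BDR is elected whenever the BDR seat is empty (or the BDR was promoted).
        if self.bdr not in ids or self.bdr == self.dr:
            rest = [i for i in ids if i != self.dr]
            self.bdr = rest[0] if rest else None
        return self.dr, self.bdr

    def attach(self, neighbor):
        """Attach a router without running an election (routers booting together)."""
        self.routers[neighbor.router_id] = neighbor

    def join(self, neighbor):
        """A router joins a segment where DR/BDR may already exist."""
        self.attach(neighbor)
        return self.elect()

    def fail(self, router_id):
        self.routers[router_id].alive = False
        return self.elect()

    def role(self, router_id):
        if router_id == self.dr:
            return "DR"
        if router_id == self.bdr:
            return "BDR"
        return "DROther"


def run_sample():
    """Constructed scenario: equal priorities with an ineligible router, then a late
    high-priority arrival, then the DR fails."""
    seg = Segment()
    for n in (Neighbor("1.1.1.1"), Neighbor("2.2.2.2"), Neighbor("3.3.3.3", priority=0)):
        seg.attach(n)
    first = seg.elect()                                      # tie on priority -> higher ID is DR
    after_join = seg.join(Neighbor("4.4.4.4", priority=10))  # no preemption: unchanged
    after_failure = seg.fail("2.2.2.2")                      # BDR promoted, new BDR elected
    return first, after_join, after_failure, seg


if __name__ == "__main__":
    first, after_join, after_failure, seg = run_sample()
    print(first, after_join, after_failure, seg.role("3.3.3.3"))
```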

4.2.8 Set the Peer
An NBMA network requires some special configuration. Since an NBMA interface cannot discover adjacent routers by broadcasting Hello packets, you must manually specify the IP address of the adjacent router for the interface, and whether the adjacent router is eligible for election. This is done with the peer ip-address command. If dr-priority-number is not specified, the adjacent router is regarded as ineligible.

Perform the following configuration in OSPF view.

Table 4-8 Configure the peer

Operation                                            Command
Configure a peer for the NBMA interface              peer ip-address [ dr-priority dr-priority-number ]
Remove the configured peer for the NBMA interface    undo peer ip-address

By default, the priority of a neighbor on an NBMA interface is 1.

4.2.9 Set the Interval of Hello Packet Transmission
Hello packets are the most frequently used packets. They are sent periodically to adjacent routers to discover and maintain adjacencies and to elect the DR and BDR. The user can set the hello timer. According to RFC 2328, the hello intervals of neighbors on a network should be consistent. The shorter the hello interval, the faster routes converge but the heavier the network load.

Perform the following configuration in VLAN interface view:

Table 4-9 Set the interval of Hello packet transmission

Operation                                       Command
Set the hello interval of the interface         ospf timer hello seconds
Restore the default hello interval              undo ospf timer hello
Set the poll interval on the NBMA interface     ospf timer poll seconds
Restore the default poll interval               undo ospf timer poll

By default, p2p and broadcast interfaces send Hello packets every 10 seconds, and p2mp and nbma interfaces send the packets every 30 seconds.

4.2.10 Set a dead timer for the neighboring routers
The dead timer of neighboring routers is the interval after which a router regards a neighboring router as dead if no Hello packet has been received from it. The user can set a dead timer for the neighboring routers.

Perform the following configuration in VLAN interface view:

Table 4-10 Set a dead timer for the neighboring routers

Operation                                                        Command
Configure a dead timer for the neighboring routers               ospf timer dead seconds
Restore the default dead interval of the neighboring routers     undo ospf timer dead

By default, the dead interval for the neighboring routers of p2p or broadcast interfaces is 40 seconds, and that for the neighboring routers of p2mp or nbma interfaces is 120 seconds. Note that both the hello and dead timers are restored to their default values after the user modifies the network type.

4.2.11 Configure an Interval required for sending LSU packets
The trans-delay, in seconds, is added to the aging time of the LSAs in an LSU packet. This parameter mainly accounts for the time the interface needs to transmit the packet. The user can configure the interval for sending LSU packets. Obviously, this item deserves more attention on low-speed networks.

Perform the following configuration in VLAN interface view:

Table 4-11 Configure an interval required for sending LSU packets

Operation                                                Command
Configure an interval for sending LSU packets            ospf trans-delay seconds
Restore the default interval for sending LSU packets     undo ospf trans-delay

By default, the transmission delay for LSU packets is 1 second.

4.2.12 Set an Interval for LSA Retransmission between Neighboring Routers
When a router transmits an LSA (Link State Advertisement) to a peer, it requires an acknowledgement packet from the peer. If it does not receive the acknowledgement within the retransmit interval, it retransmits the LSA to the neighbor. The value of the retransmit interval is user-configurable.

Perform the following configuration in VLAN interface view:

Table 4-12 Set an interval for LSA retransmission between neighboring routers

Operation                                                              Command
Configure the LSA retransmission interval for the neighboring routers  ospf timer retransmit interval
Restore the default LSA retransmission interval                        undo ospf timer retransmit

By default, the interval at which neighboring routers retransmit LSAs is 5 seconds. The interval should be longer than the time a packet needs to travel to the other router and back. Note that you should not set the LSA retransmission interval too small; otherwise, unnecessary retransmissions will be caused.

4.2.13 Set a Shortest Path First (SPF) Calculation Interval for OSPF
Whenever the LSDB of OSPF changes, the shortest path must be recalculated. Calculating the shortest path on every change consumes enormous resources and affects the operating efficiency of the router. Adjusting the SPF calculation interval, however, can restrain the resource consumption caused by frequent network changes.

Perform the following configuration in OSPF view.

Table 4-13 Set the SPF calculation interval

Operation                                     Command
Set the SPF calculation interval              spf-schedule-interval seconds
Restore the default SPF calculation interval  undo spf-schedule-interval seconds

By default, the interval of SPF recalculation is 5 seconds.

4.2.14 Configure STUB Area of OSPF
STUB areas are special LSA areas in which the ABRs do not propagate the AS external routes they have learned. In these areas, the routing table sizes of routers and the routing traffic are significantly reduced. The STUB area is an optional configuration attribute, but not every area meets the configuration conditions. Generally, STUB areas are non-backbone areas located at the AS boundaries with only one ABR. Even if such an area has multiple ABRs, no virtual links are established between these ABRs. To ensure that destinations outside the AS are still reachable, the ABR in this area generates a default route (0.0.0.0) and advertises it to the non-ABR routers in the area.

Please pay attention to the following items when configuring a STUB area:

The backbone area cannot be configured as a STUB area, and a virtual link cannot pass through a STUB area.
If you want to configure an area as a STUB area, all the routers in this area must be configured with this attribute.
No ASBR can exist in a STUB area. In other words, AS external routes cannot be propagated in the STUB area.

Perform the following configuration in OSPF Area view.

Table 4-14 Configure STUB area of OSPF

Operation                                                                    Command
Configure an area to be a STUB area                                          stub [ no-summary ]
Remove the configured STUB area                                              undo stub
Configure the cost of the default route transmitted by OSPF to the STUB area   default-cost value
Remove the cost of the default route to the STUB area                        undo default-cost

By default, the STUB area is not configured, and the cost of the default route to the STUB area is 1.

4.2.15 Configure NSSA of OSPF
An NSSA is an area that can import external routes itself and advertise them in the autonomous system, but does not accept external routes generated by other areas of the autonomous system. Actually, an NSSA is a variant of the Stub area that can conditionally import AS external routes. The NSSA area and a new LSA, the NSSA LSA (also called the Type-7 LSA), are added in RFC 1587, the OSPF NSSA Option. NSSA and Stub areas are similar in many ways: neither generates or imports AS-External-LSAs (Type-5 LSAs), while both can generate and import Type-7 LSAs. A Type-7 LSA is generated by the ASBR of the NSSA and can only be advertised within the NSSA. When a Type-7 LSA reaches the ABR of the NSSA, the ABR chooses whether to translate it into an AS-External-LSA so as to advertise it to other areas.

For example, in the network below, the AS running OSPF comprises three areas: Area 1, Area 2 and Area 0, where Area 0 is the backbone area. There are also two other ASs, each running RIP. Area 1 is defined as an NSSA. After the RIP routes of Area 1 are propagated to the NSSA ASBR, the NSSA ASBR generates Type-7 LSAs, which are propagated in Area 1. When the Type-7 LSAs reach the NSSA ABR, the NSSA ABR translates them into Type-5 LSAs, which are propagated to Area 0 and Area 2. On the other hand, the RIP routes of the other AS running RIP are translated into Type-5 LSAs that are propagated in the OSPF AS. However, these Type-5 LSAs do not reach Area 1 because Area 1 is an NSSA. NSSAs and STUB areas behave the same in this respect. Like a STUB area, an NSSA cannot be configured with virtual links.

[Figure 4-1 NSSA area: RIP domain, NSSA ASBR, area 1 (NSSA), NSSA ABR, area 0, area 2, RIP domain]

Perform the following configuration in OSPF Area view.

Table 4-15 Configure NSSA of OSPF
Operation                                                      Command
Configure an area to be an NSSA                                nssa [ default-route-advertise ] [ no-import-route ] [ no-summary ]
Cancel the configured NSSA                                     undo nssa
Configure the default cost value of the route to the NSSA      default-cost cost
Restore the default cost value of the route to the NSSA        undo default-cost

All the routers connected to the NSSA should use the nssa command to configure the area with the NSSA attribute.

The keyword default-route-advertise is used to generate default Type-7 LSAs. On an ABR, the default Type-7 LSA route is generated even if no default route 0.0.0.0 is in the routing table. On an ASBR, however, the default Type-7 LSA route is generated only if the default route 0.0.0.0 is in the routing table.

Using the keyword no-import-route on the ASBR prevents the external routes that OSPF imported through the import-route command from being advertised into the NSSA. Generally, this argument is used when an NSSA router is both an ASBR and an ABR.

The keyword default-cost is used on the ABR attached to the NSSA. With this command, you can configure the cost of the default route from the ABR into the NSSA.

By default, no NSSA is configured, and the cost of the default route to the NSSA is 1.

4.2.16 Configure the Route Summarization of OSPF Area
Route summarization means that an ABR can aggregate routes with the same prefix and advertise only one route to other areas. An area can be configured with multiple aggregate segments, so OSPF can summarize them. When the ABR transmits routing information to other areas, it generates a Sum_net_Lsa (Type-3 LSA)
per network. If some contiguous networks exist in this area, you can use the abr-summary command to summarize these segments into one segment. Thus, the ABR only needs to send one aggregate LSA, and the LSAs in the range of the aggregate segment specified by the command are not transmitted separately. Once the aggregate segment of a network is added to the area, the internal routes of the IP addresses in the range of the aggregate segment are no longer broadcast separately to other areas; only the route summary of the whole aggregate network is advertised. But if the segment is restricted by the keyword "not-advertise", the route summary of this segment is not advertised either. The segment is specified by IP address and mask. Route summarization takes effect only when configured on ABRs.

Perform the following configuration in OSPF Area view.

Table 4-16 Configure the route summarization of OSPF area

Operation                                            Command
Configure the route summarization of an OSPF area    abr-summary ip-address mask [ advertise | not-advertise ]
Cancel the route summarization of an OSPF area       undo abr-summary ip-address mask

By default, the inter-area routes will not be summarized.

4.2.17 Configure Summarization of Imported Routes by OSPF
OSPF on Quidway S3500 Series Ethernet Switches supports summarization of imported routes.

Perform the following configurations in OSPF view.

Table 4-17 Configure summarization of imported routes by OSPF

Operation                                            Command
Configure summarization of imported routes by OSPF   asbr-summary ip-address mask [ not-advertise | tag value ]
Remove summarization of routes imported into OSPF    undo asbr-summary ip-address mask

By default, summarization of imported routes is disabled. After summarization of imported routes is configured, if the local router is an autonomous system border router (ASBR), this command summarizes the imported Type-5 LSAs in the summary address range. When an NSSA is configured, this command also summarizes the imported Type-7 LSAs in the summary address range.

If the local router is an area border router (ABR) and a router in the NSSA, this command summarizes the Type-5 LSAs translated from Type-7 LSAs. If the router is not a router in the NSSA, the summarization is disabled.

4.2.18 Configure OSPF Virtual Link
According to RFC 2328, after OSPF divides an AS into areas, not all the areas are equal. One area is different from all the others: its area-id is 0.0.0.0 and it is usually called the backbone area. OSPF routes between non-backbone areas are updated with the help of the backbone area. OSPF stipulates that all the non-backbone areas must maintain connectivity with the backbone area; that is, at least one interface on the ABR must fall into area 0.0.0.0. If an area has no direct physical link to the backbone area 0.0.0.0, a virtual link must be created. If physical connectivity cannot be ensured because of network topology restrictions, a virtual link satisfies this requirement.

A virtual link is a logical channel between two ABRs set up through an area that provides a non-backbone internal route. Both ends of the logical channel must be ABRs, and the connection takes effect only when both ends are configured. The virtual link is identified by the ID of the remote router. The area that provides the ends of the virtual link with a non-backbone intra-area route is called the transit area; its ID must be specified during configuration. The virtual link is activated after the route through the transit area is calculated, and it is equivalent to a p2p connection between the two ends. Therefore, as on physical interfaces, you can configure various interface parameters on this link, such as the hello timer.

"Logical channel" means that the routers running OSPF between the two ABRs only forward packets (the destination addresses of the protocol packets are not these routers, so the packets are transparent to them and they forward them as ordinary IP packets). The routing information is transmitted directly between the two ABRs. The routing information here refers to the Type-3 LSAs generated by the ABRs; the synchronization mode of the routers in the area is not changed.

Perform the following configuration in OSPF Area view.

Table 4-18 Configure OSPF virtual link

Operation                              Command
Create and configure a virtual link    vlink-peer router-id [ hello seconds | retransmit seconds | trans-delay seconds | dead seconds | simple password | md5 keyid key ]*
Remove the created virtual link        undo vlink-peer router-id

area-id and router-id have no default value. By default, the hello timer is 10 seconds, the retransmit interval 5 seconds, the trans-delay 1 second, and the dead interval 40 seconds.

4.2.19 Configure the OSPF Area to Support Packet Authentication
All the routers in one area must use the same authentication mode (no authentication, simple text authentication or MD5 cipher text authentication). If an authentication mode is configured, all routers on the same segment must use the same authentication key. To configure a simple text authentication key, use the ospf authentication-mode simple command. Use the ospf authentication-mode md5 command to configure the MD5 cipher text authentication key if the area is configured to support MD5 cipher text authentication.

Perform the following configuration in OSPF Area view.

Table 4-19 Configure the OSPF area to support packet authentication

Operation                                          Command
Configure the authentication type of the area      authentication-mode [ simple | md5 ]
Cancel the configured authentication type          undo authentication-mode

By default, the area does not support packet authentication.

4.2.20 Configure OSPF Packet Authentication
OSPF supports simple authentication or MD5 authentication between neighboring routers. Perform the following configuration in VLAN interface view.

Table 4-20 Configure OSPF Packet Authentication
Operation: Specify a password for OSPF simple text authentication
Command: ospf authentication-mode simple password
Operation: Cancel simple authentication on the interface
Command: undo ospf authentication-mode simple
Operation: Specify the key ID and key for OSPF MD5 authentication
Command: ospf authentication-mode md5 key_id key
Operation: Disable MD5 authentication on the interface
Command: undo ospf authentication-mode md5

By default, the interface is not configured with either simple authentication or MD5 authentication.
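The difference between the two modes in the table is what travels on the wire: in simple mode every packet carries the password itself, whereas in MD5 mode the key never leaves the router and each packet carries a key ID, a cryptographic sequence number and a 16-byte digest computed over the packet plus the key (RFC 2328 Appendix D). The following is an added example, not code from the manual, that builds such a packet and verifies it the way a receiving interface would; the router IDs, packet body, key ID and key are constructed. Later OSPFv2 implementations also offer HMAC-SHA authentication (RFC 5709), but the two modes in the table above are the ones this manual documents.

```python
import hashlib
import hmac
import struct

# Added illustration of the MD5 ("cipher text") authentication mode, following
# RFC 2328 Appendix D. Not code from the manual; all values are constructed.
# With AuType 2 the 64-bit authentication field carries 0x0000, the Key ID,
# the digest length (16) and a cryptographic sequence number, and the 16-byte
# digest is appended after the OSPF packet proper.

AUTYPE_CRYPTO = 2
DIGEST_LEN = 16
HEADER_LEN = 24            # 16-byte fixed header + 8-byte authentication field


def _pad_key(key: bytes) -> bytes:
    """The configured key is zero-padded (or cut) to the 16-byte digest length."""
    return key[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")


def _dotted(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_packet(body: bytes, router_id: str, area_id: str,
                 key_id: int, key: bytes, seq: int) -> bytes:
    """Build an OSPFv2 Hello (type 1) with an MD5 trailer; the length field excludes the digest."""
    rid = bytes(int(o) for o in router_id.split("."))
    aid = bytes(int(o) for o in area_id.split("."))
    length = HEADER_LEN + len(body)
    # version 2, type 1, length, router ID, area ID, checksum (0 with AuType 2), AuType
    header = struct.pack("!BBH4s4sHH", 2, 1, length, rid, aid, 0, AUTYPE_CRYPTO)
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = header + auth + body
    return packet + hashlib.md5(packet + _pad_key(key)).digest()


def verify_packet(frame: bytes, keys: dict, last_seq: dict) -> tuple:
    """Check a received frame against the keys configured on this interface.

    keys maps key ID -> key bytes; last_seq records the highest sequence number
    accepted per neighbour router ID, which is what rejects a replay of an old
    but correctly signed packet.
    """
    if len(frame) < HEADER_LEN:
        return False, "short packet"
    _ver, _type, length, rid, _aid, _csum, autype = struct.unpack("!BBH4s4sHH", frame[:16])
    if autype != AUTYPE_CRYPTO:
        return False, "authentication type mismatch"
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", frame[16:24])
    if auth_len != DIGEST_LEN or len(frame) < length + DIGEST_LEN:
        return False, "bad authentication trailer"
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id"
    expected = hashlib.md5(frame[:length] + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, frame[length:length + DIGEST_LEN]):
        return False, "digest mismatch"
    neighbour = _dotted(rid)
    if seq < last_seq.get(neighbour, 0):
        return False, "replayed sequence number"
    last_seq[neighbour] = seq
    return True, "ok"
```

Because the digest covers the whole packet, any change to the body or header is detected as a "digest mismatch", and because the receiver remembers the last sequence number per neighbour, a captured packet cannot simply be re-sent later even though its digest is valid.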

4.2.21 Configure OSPF to Import Routes of Other Protocols
The dynamic routing protocols on a router can share routing information. As far as OSPF is concerned, routes discovered by other routing protocols are always treated as AS external routes. In the import-route command you can specify the route cost type, cost value and tag to override the default parameters for received routes (refer to "Configure Parameters for OSPF to Import External Routes"). OSPF uses the following four types of routes, listed in order of priority:
- Intra-area route
- Inter-area route
- External route type 1
- External route type 2
Intra-area and inter-area routes describe the topology inside the AS, whereas external routes describe how to reach destinations beyond the AS. External routes of type 1 are imported IGP routes (such as static routes and RIP routes). Since these routes are relatively reliable, the cost of such an external route is calculated in the same way as the cost of routes within the AS, so the two are directly comparable. That is:
cost to reach an external route of type 1 = cost from the local router to the corresponding ASBR + cost from the ASBR to the destination of the route
External routes of type 2 are imported EGP routes. Since these routes are less credible, OSPF assumes that the cost from the ASBR to a destination beyond the AS is far higher than the cost from inside the AS to the ASBR, so only the former is considered in the route cost calculation. That is:
cost to reach an external route of type 2 = cost from the ASBR to the destination of the route
If two such costs are equal, the cost from the router to the corresponding ASBR is then compared. Perform the following configuration in OSPF view.

Table 4-21 Configure OSPF to Import Routes of Other Protocols
Operation: Configure OSPF to import routes of other protocols
Command: import-route protocol [ cost value | type value | tag value | route-policy route-policy-name ]*
Operation: Cancel importing the routing information of other protocols
Command: undo import-route protocol

By default, OSPF does not import the routing information of other protocols. protocol specifies the source routing protocol to be imported; at present it can be Direct, Static, RIP or BGP.
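To make the two cost rules above concrete, here is an added example, not code from the manual, that ranks candidate routes by type first and then by the type-specific cost; the ASBR labels and all costs are constructed. It also shows the type-2 tie-break on the cost to the ASBR, and that a route of a better type wins regardless of cost.

```python
from dataclasses import dataclass
from typing import Dict, List

# Added illustration of the route selection rules described above; it is not
# code from the manual. The ASBR labels and all costs are constructed.

INTRA, INTER, EXT1, EXT2 = 1, 2, 3, 4        # the four route types, best first


@dataclass(frozen=True)
class Candidate:
    via: str            # constructed label for the ASBR (or ABR) the route goes through
    kind: int           # one of INTRA, INTER, EXT1, EXT2
    cost: int           # intra/inter: path cost; external: cost from here to the ASBR
    ext_cost: int = 0   # external only: cost the ASBR advertises for the destination


def metric(c: Candidate) -> tuple:
    """Comparable cost for one candidate; lower is better.

    Type 1: cost to the ASBR + cost from the ASBR to the destination.
    Type 2: the ASBR's advertised cost alone; the cost to the ASBR only
    breaks a tie between two type-2 routes with the same advertised cost.
    """
    if c.kind == EXT1:
        return (c.cost + c.ext_cost, 0)
    if c.kind == EXT2:
        return (c.ext_cost, c.cost)
    return (c.cost, 0)


def best_route(cands: List[Candidate]) -> Candidate:
    """The route type decides first; the metric only matters within one type."""
    return min(cands, key=lambda c: (c.kind, metric(c)))


def demo() -> Dict[str, str]:
    """Four constructed comparisons; returns which next hop wins in each."""
    near = {"cost": 5, "ext_cost": 20}    # nearby ASBR, expensive beyond the AS
    far = {"cost": 50, "ext_cost": 10}    # distant ASBR, cheap beyond the AS
    return {
        # type 1 adds both legs: 25 via the near ASBR beats 60 via the far one
        "type1": best_route([Candidate("ASBR-near", EXT1, **near),
                             Candidate("ASBR-far", EXT1, **far)]).via,
        # type 2 looks at the external cost only: 10 via the far ASBR wins
        "type2": best_route([Candidate("ASBR-near", EXT2, **near),
                             Candidate("ASBR-far", EXT2, **far)]).via,
        # equal external cost: the closer ASBR breaks the tie
        "type2_tie": best_route([Candidate("ASBR-near", EXT2, 5, 10),
                                 Candidate("ASBR-far", EXT2, 50, 10)]).via,
        # an inter-area route beats any external route, however cheap
        "kind_first": best_route([Candidate("ASBR-near", EXT1, 1, 1),
                                  Candidate("ABR", INTER, 500)]).via,
    }
```

The same pair of ASBRs gives a different answer for type 1 and type 2: with the same costs, type 1 prefers the nearby ASBR while type 2 prefers the one that advertises the cheaper external cost, which is exactly the trade-off the type value of import-route selects.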

4.2.22 Configure Parameters for OSPF to Import External Routes
When OSPF imports routing information discovered by other routing protocols in the autonomous system, some additional parameters need to be configured, such as the default route cost and the default tag of distributed routes. The route tag can be used to identify protocol-related information; for example, OSPF can use it to carry the AS number when receiving routes from BGP. Perform the following configuration in OSPF view.

Table 4-22 Configure Parameters for OSPF to Import External Routes
Operation: Configure the minimum interval for OSPF to import the external routes
Command: default interval seconds
Operation: Restore the default value of the minimum interval for OSPF to import the external routes
Command: undo default interval
Operation: Configure the upper limit to the routes that OSPF imports each time
Command: default limit routes
Operation: Restore the default upper limit to the external routes that can be imported at a time
Command: undo default limit
Operation: Configure the default cost for OSPF to import external routes
Command: default cost value
Operation: Restore the default cost for OSPF to import external routes
Command: undo default cost
Operation: Configure the default tag for OSPF to import external routes
Command: default tag tag
Operation: Restore the default tag for OSPF to import external routes
Command: undo default tag
Operation: Configure the default type of external routes that OSPF will import
Command: default type { 1 | 2 }
Operation: Restore the default type of the external routes imported by OSPF
Command: undo default type

By default, no default cost and tag are available when importing external routes, and the type of imported route is type-2. The interval of importing the external route is 1 second. The upper limit to the external routes imported is 1000 per second.

4.2.23 Configure OSPF to Import the Default Route
The import-route command cannot be used to import the default route. Using the following command, you can import the default route into the routing table. Perform the following configuration in OSPF view.

Table 4-23 Configure OSPF to Import the Default Route
Operation: Import the default route to OSPF
Command: default-route-advertise [ always | cost value | type type-value | route-policy route-policy-name ]*
Operation: Remove the imported default route
Command: undo default-route-advertise [ always | cost | type | route-policy ]*

By default, OSPF does not import the default route.

4.2.24 Set OSPF Route Preference
Since multiple dynamic routing protocols may run on one router concurrently, the problem of sharing and selecting routes between the different protocols arises. The system sets a priority for each routing protocol, which is used for tie-breaking when different protocols discover the same route. Perform the following configuration in OSPF view.

Table 4-24 Set OSPF Route Preference
Operation: Configure a priority for OSPF, used when comparing with the other routing protocols
Command: preference [ ase ] preference
Operation: Restore the default protocol priority
Command: undo preference [ ase ]

By default, the preference of OSPF routes is 10 and that of routes imported from external routing protocols (ASE) is 150.

4.2.25 Configure OSPF Route Filtering
Perform the following configuration in OSPF view.

I. Configure OSPF to filter the imported external routes
Table 4-25 Enable OSPF to filter the imported routes
Operation: Enable OSPF to filter the imported global routing information
Command: filter-policy { acl-number | ip-prefix ip-prefix-name | gateway prefix-list-name } import
Operation: Cancel filtering of the imported global routing information
Command: undo filter-policy { acl-number | ip-prefix ip-prefix-name | gateway prefix-list-name } import

II. Configure filtering the routes distributed by OSPF
Table 4-26 Enable OSPF to filter the distributed routes
Operation: Enable OSPF to filter the distributed routes
Command: filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-process ]
Operation: Disable OSPF to filter the distributed routes
Command: undo filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-process ]

By default, OSPF will not filter the imported and distributed routing information. For detailed description, please refer to the "Configure Route Filtering" part in " IP Routing Policy Configuration ".

4.2.26 Configure to Fill the MTU Field When an Interface Transmits DD Packets
OSPF-running routers use DD (Database Description) packets to describe their own LSDBs when synchronizing databases. You can manually specify that an interface fills in the MTU field of the DD packets it transmits. The MTU should be set to the real MTU of the interface. Perform the following configuration in VLAN interface view.

Table 4-27 Configure Whether the MTU Field will be Filled in when an Interface Transmits DD Packets
Operation: Enable an interface to fill in the MTU field when transmitting DD packets
Command: ospf mtu-enable
Operation: Disable the interface from filling in the MTU field when transmitting DD packets
Command: undo ospf mtu-enable

By default, the interface does not fill in the MTU field when transmitting DD packets. In other words, MTU in the DD packets is 0.

4.2.27 Disable the Interface to Send OSPF Packets
To prevent OSPF routing information from being acquired by the routers on a certain network, use the silent-interface command to disable the interface from transmitting OSPF packets. Perform the following configuration in OSPF view.

Table 4-28 Disable the interface to send OSPF packets
Operation: Disable the interface to send OSPF packets
Command: silent-interface silent-interface-type silent-interface-number
Operation: Enable the interface to send OSPF packets
Command: undo silent-interface silent-interface-type silent-interface-number

By default, all interfaces are allowed to transmit and receive OSPF packets. After an OSPF interface is set to silent, it can still advertise its directly connected route. However, the OSPF hello packets of the interface are blocked, so no neighbor relationship can be established on it. This lets OSPF adapt better to the network and reduces the consumption of system resources.

4.2.28 Reset the OSPF Process
If the undo ospf command is executed on a router and the ospf command is then used to restart the OSPF process, the previous OSPF configuration is lost. With the reset ospf all command, you can restart the OSPF process without losing the previous OSPF configuration. Perform the following configuration in user view.

Table 4-29 Reset the OSPF process
Operation: Reset the OSPF process
Command: reset ospf all

Resetting the OSPF process can immediately clear the invalid LSAs, make the modified Router ID effective or re-elect the DR and BDR.

4.3 Display and Debug OSPF
After the above configuration, execute the display command in any view to display the running state of the OSPF configuration and to verify the effect of the configuration. Execute the debugging command in user view to debug the OSPF module.

Table 4-30 Display and debug OSPF
Operation: Display the brief information of the OSPF routing process
Command: display ospf brief
Operation: Display OSPF statistics
Command: display ospf cumulative
Operation: Display LSDB information of OSPF
Command: display ospf [ area-id ] lsdb [ brief | [ asbr | ase | network | nssa | router | summary ] [ ip-address ] [ originate-router ip-address | self-originate ] ]
Operation: Display OSPF peer information
Command: display ospf peer [ brief ]
Operation: Display OSPF next hop information
Command: display ospf nexthop
Operation: Display OSPF routing table
Command: display ospf routing
Operation: Display OSPF virtual links
Command: display ospf vlink
Operation: Display OSPF request list
Command: display ospf request-queue
Operation: Display OSPF retransmission list
Command: display ospf retrans-queue
Operation: Display the information of OSPF ABR and ASBR
Command: display ospf abr-asbr
Operation: Display the summary information of OSPF imported routes
Command: display ospf asbr-summary [ ip-address mask ]
Operation: Display OSPF interface information
Command: display ospf interface
Operation: Display OSPF errors
Command: display ospf error

4.4 Typical OSPF Configuration Example
4.4.1 Configuring DR Election Based on OSPF Priority
I. Networking requirements
Four S3500 series Ethernet Switches, Switch A, Switch B, Switch C and Switch D, which can perform router functions and run OSPF, are located on the same segment, as shown in the following figure. Configure them so that Switch A and Switch C become the DR and BDR respectively. The priority of Switch A is 100, the highest on the network, so it is elected as the DR. Switch C has the second highest priority, so it is elected as the BDR. The priority of Switch B is 0, which means that it cannot be elected as the DR. Switch D has no priority configured, so it takes the default value 1.

II. Networking diagram
Figure 4-2 Networking for configuring DR election based on OSPF priority (all four switches on segment 196.1.1.0/24: Switch A, router ID 1.1.1.1, 196.1.1.1/24, DR; Switch B, router ID 2.2.2.2, 196.1.1.2/24; Switch C, router ID 3.3.3.3, 196.1.1.3/24, BDR; Switch D, router ID 4.4.4.4, 196.1.1.4/24)

III. Configuration procedure
# Configure Switch A:
[Switch A] interface Vlan-interface 1
[Switch A-Vlan-interface1] ip address 196.1.1.1 255.255.255.0
[Switch A-Vlan-interface1] ospf dr-priority 100
[Switch A] router id 1.1.1.1
[Switch A] ospf
[Switch A-ospf] area 0
[Switch A-ospf-area-0.0.0.0] network 196.1.1.0 0.0.0.255

# Configure Switch B:
[Switch B] interface Vlan-interface 1
[Switch B-Vlan-interface1] ip address 196.1.1.2 255.255.255.0
[Switch B-Vlan-interface1] ospf dr-priority 0
[Switch B] router id 2.2.2.2
[Switch B] ospf
[Switch B-ospf] area 0
[Switch B-ospf-area-0.0.0.0] network 196.1.1.0 0.0.0.255
# Configure Switch C:
[Switch C] interface Vlan-interface 1
[Switch C-Vlan-interface1] ip address 196.1.1.3 255.255.255.0
[Switch C-Vlan-interface1] ospf dr-priority 2
[Switch C] router id 3.3.3.3
[Switch C] ospf
[Switch C-ospf] area 0
[Switch C-ospf-area-0.0.0.0] network 196.1.1.0 0.0.0.255
# Configure Switch D:
[Switch D] interface Vlan-interface 1
[Switch D-Vlan-interface1] ip address 196.1.1.4 255.255.255.0
[Switch D] router id 4.4.4.4
[Switch D] ospf
[Switch D-ospf] area 0
[Switch D-ospf-area-0.0.0.0] network 196.1.1.0 0.0.0.255
On Switch A, run display ospf peer to display the OSPF peers. Note that Switch A has three peers, each in the Full state, which means that an adjacency has been set up between Switch A and each peer. Switch A and Switch C must set up adjacencies with all the routers on the network so that they can serve as the DR and BDR respectively. Switch A is the DR and Switch C the BDR on the network; all the other neighbors are DR Others (that is, neither DR nor BDR).

# Modify the priority of Switch B to 200:
[Switch B-Vlan-interface1] ospf dr-priority 200
On Switch A, execute display ospf peer to show its OSPF neighbors. Note that the priority of Switch B has been modified to 200, but it is still not the DR: the DR only changes when the current DR goes offline. Shut down Switch A and run the display ospf peer command on Switch D to display its neighbors. Note that the original BDR (Switch C) has become the DR, and Switch B is now the BDR. If all the Ethernet Switches on the network are removed and added back again, Switch B is elected as the DR (with priority 200) and Switch A becomes the BDR (with priority 100). Switching off and restarting all of the switches brings about a new round of DR/BDR election.
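As an added illustration, not code from the manual, the following simulation applies the DR/BDR election rules of RFC 2328 section 9.4 to the four switches and reproduces each step described above: the initial election, raising the priority of Switch B without effect, Switch A leaving the segment, and a cold restart of all switches. The model treats the segment as a whole rather than replaying each router's Hello exchange; the switch names, router IDs and priorities are those of the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Added illustration of the DR/BDR election rules from RFC 2328 section 9.4
# as they play out on the segment above. Not code from the manual: the
# segment is modelled as a whole instead of as each router's own
# Hello-driven view, which is enough to reproduce the four situations the
# example walks through.


@dataclass(frozen=True)
class Router:
    name: str
    router_id: str
    priority: int = 1          # 1 is the default on the page; 0 = never DR/BDR


def _rank(r: Router):
    """Higher priority wins; equal priorities are broken by the higher router ID."""
    return (r.priority, IPv4Address(r.router_id))


def elect(segment: List[Router], dr: Optional[str] = None,
          bdr: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (DR name, BDR name) for the routers now on the segment.

    dr and bdr are the names of the routers currently declaring themselves
    DR and BDR in their Hello packets (None on a cold start). A router that
    has left the segment simply does not appear in the list.
    """
    present = {r.name for r in segment}
    eligible = [r for r in segment if r.priority > 0]

    def pick_bdr(excluded: Optional[str]) -> Optional[str]:
        # Candidates are eligible routers other than the DR. If one of them
        # already claims to be BDR it keeps the role; otherwise the best
        # remaining candidate becomes BDR.
        cands = [r for r in eligible if r.name != excluded]
        declared = [r for r in cands if r.name == bdr]
        pool = declared or cands
        return max(pool, key=_rank).name if pool else None

    current_dr_alive = dr in present and any(r.name == dr for r in eligible)
    new_bdr = pick_bdr(dr if current_dr_alive else None)
    if current_dr_alive:
        new_dr = dr                  # a sitting DR is never pre-empted
    else:
        new_dr = new_bdr             # the BDR is promoted ...
        new_bdr = pick_bdr(new_dr)   # ... and a fresh BDR is elected
    return new_dr, new_bdr


def walk_through() -> List[Tuple[Optional[str], Optional[str]]]:
    """Replay the manual's scenario; returns the (DR, BDR) pair after each step."""
    a = Router("Switch A", "1.1.1.1", 100)
    b = Router("Switch B", "2.2.2.2", 0)
    c = Router("Switch C", "3.3.3.3", 2)
    d = Router("Switch D", "4.4.4.4")              # no priority configured: 1
    steps = []
    dr, bdr = elect([a, b, c, d])                  # initial election
    steps.append((dr, bdr))
    b200 = Router("Switch B", "2.2.2.2", 200)
    dr, bdr = elect([a, b200, c, d], dr, bdr)      # raise the priority of Switch B
    steps.append((dr, bdr))
    dr, bdr = elect([b200, c, d], dr, bdr)         # Switch A shut down
    steps.append((dr, bdr))
    steps.append(elect([a, b200, c, d]))           # everything restarted
    return steps


if __name__ == "__main__":
    for step in walk_through():
        print(step)
```

The point the simulation makes is the one the text makes: the election is sticky. A higher priority only matters at the moment a DR or BDR has to be chosen, so a configuration change on a running network does not move the DR until the current DR disappears.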

4.4.2 Configuring OSPF Virtual Link
I. Networking requirements
In the following figure, Area 2 and Area 0 are not directly connected. Area 1 is required to be taken as transit area for connecting Area 2 and Area 0. Correctly configure a virtual link between Switch B and Switch C in Area 1.

II. Networking diagram
Figure 4-3 OSPF virtual link configuration networking (Switch A, router ID 1.1.1.1, 196.1.1.1/24 in Area 0; Switch B, router ID 2.2.2.2, 196.1.1.2/24 in Area 0 and 197.1.1.2/24 in Area 1; Switch C, router ID 3.3.3.3, 197.1.1.1/24 in Area 1 and 152.1.1.1/24 in Area 2; the virtual link runs between Switch B and Switch C across Area 1)

III. Configuration procedure
# Configure Switch A:
[Switch A] interface Vlan-interface 1
[Switch A-Vlan-interface1] ip address 196.1.1.1 255.255.255.0
[Switch A] router id 1.1.1.1
[Switch A] ospf
[Switch A-ospf] area 0
[Switch A-ospf-area-0.0.0.0] network 196.1.1.0 0.0.0.255
# Configure Switch B:
[Switch B] interface vlan-interface 7
[Switch B-Vlan-interface7] ip address 196.1.1.2 255.255.255.0
[Switch B] interface vlan-interface 8
[Switch B-Vlan-interface8] ip address 197.1.1.2 255.255.255.0
[Switch B] router id 2.2.2.2
[Switch B] ospf
[Switch B-ospf] area 0
[Switch B-ospf-area-0.0.0.0] network 196.1.1.0 0.0.0.255
[Switch B-ospf-area-0.0.0.0] quit
[Switch B-ospf] area 1
[Switch B-ospf-area-0.0.0.1] network 197.1.1.0 0.0.0.255
[Switch B-ospf-area-0.0.0.1] vlink-peer 3.3.3.3
# Configure Switch C:
[Switch C] interface Vlan-interface 1
[Switch C-Vlan-interface1] ip address 152.1.1.1 255.255.255.0
[Switch C] interface Vlan-interface 2
[Switch C-Vlan-interface2] ip address 197.1.1.1 255.255.255.0
[Switch C] router id 3.3.3.3
[Switch C] ospf
[Switch C-ospf] area 1
[Switch C-ospf-area-0.0.0.1] network 197.1.1.0 0.0.0.255
[Switch C-ospf-area-0.0.0.1] vlink-peer 2.2.2.2
[Switch C-ospf-area-0.0.0.1] quit
[Switch C-ospf] area 2
[Switch C-ospf-area-0.0.0.2] network 152.1.1.0 0.0.0.255

4.4.3 OSPF Fault Diagnosis and Troubleshooting
Fault 1: OSPF has been configured in accordance with the above steps, but OSPF on the router cannot run normally.
Troubleshooting: Check according to the following procedure.
Troubleshooting locally: Check whether the protocol between two directly connected routers is operating normally. The normal sign is that the peer state machine between the two routers reaches the FULL state. (Note: On a broadcast or NBMA network, if the interfaces of two routers are both in DROther state, the peer state machine between them stays in 2-Way state instead of FULL state. The peer state machine between the DR/BDR and all the other routers is in FULL state.)
- Execute the display ospf peer command to view peers.
- Execute the display ospf interface command to view OSPF information on the interface.
- Check whether the physical connections and the lower layer protocol operate normally. You can use the ping command to test this. If the local router cannot ping the peer router, the fault lies in the physical link or the lower layer protocol.
- If the physical link and the lower layer protocol are normal, check the OSPF parameters configured on the interface. They should be the same as the parameters configured on the adjacent router's interface: the same area ID must be used, and the network and mask must also be consistent. (A p2p or virtually linked segment can have different networks and masks.)
- Ensure that the dead timer on the same interface is at least four times the value of the hello timer.
- If the network type is NBMA, the peer must be manually specified using the peer ip-address command.
- If the network type is broadcast or NBMA, there must be at least one interface with a priority greater than zero.
- If an area is set as a STUB area, the area must also be set as a STUB area on all the routers connected to it.
- The same interface type should be adopted on neighboring routers.
- If more than two areas are configured, at least one area should be configured as the backbone area (that is, the area with ID 0). Ensure that the backbone area connects with all the other areas.
- Virtual links cannot pass through a STUB area.
Troubleshooting globally: If OSPF still cannot discover the remote routes after the above steps have been performed correctly, check the following configurations.
- If more than two areas are configured on a router, at least one area should be configured as the backbone area. In the following figure, RTA and RTD each belong to only one area, whereas RTB (area0 and area1) and RTC (area1 and area2) each belong to two areas. RTB also belongs to area0, which satisfies the requirement. However, none of the areas to which RTC belongs is area0, so a virtual link should be set up between RTC and RTB to ensure that area2 and area0 (the backbone area) are connected.

Figure 4-4 OSPF areas (RTA in area0; RTB in area0 and area1; RTC in area1 and area2; RTD in area2)

- The backbone area (area 0) cannot be configured as a STUB area, and a virtual link cannot pass through a STUB area. That is, if a virtual link has been set up between RTB and RTC, neither area1 nor area0 can be configured as a stub area; in the above figure only area 2 can be configured as a stub area.
- Routers in a STUB area cannot redistribute external routes.
- The backbone area must guarantee the connectivity of all its nodes.
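Most of the checks in the two troubleshooting lists above are static properties of the configuration, so they can be verified before a neighbour ever fails to reach FULL. The following is an added example, not a tool from the manual, that encodes those checks (dead timer at least four times hello, timers and network type consistent between neighbours, a router with priority greater than zero on each broadcast or NBMA segment, a backbone present, the backbone not a stub area, virtual links configured on both ends and not through a stub area, and every area connected to the backbone) and runs them over a constructed model of Figure 4-4. Router names, the segment labels and the single-segment-per-interface simplification are assumptions; area "0" stands for the backbone area 0.0.0.0.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Added illustration that runs the configuration checks from the troubleshooting
# list over a constructed model of a network. Not a tool from the manual:
# router names, "segment" labels and area IDs are assumptions, and area "0"
# stands for the backbone area 0.0.0.0.


@dataclass
class Interface:
    area: str
    segment: str                      # constructed label for the attached network
    network_type: str = "broadcast"   # broadcast, nbma or p2p
    hello: int = 10                   # manual defaults: hello 10 s, dead 40 s
    dead: int = 40
    priority: int = 1


@dataclass
class Router:
    name: str
    interfaces: List[Interface] = field(default_factory=list)
    vlinks: List[Tuple[str, str]] = field(default_factory=list)   # (transit area, peer router)


def check_ospf(routers: List[Router], stub_areas: Set[str] = frozenset()) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    by_name = {r.name: r for r in routers}
    members: Dict[str, Set[str]] = {}                              # area -> router names
    segments: Dict[Tuple[str, str], List[Tuple[str, Interface]]] = {}
    for r in routers:
        for i in r.interfaces:
            members.setdefault(i.area, set()).add(r.name)
            segments.setdefault((i.area, i.segment), []).append((r.name, i))
            if i.dead < 4 * i.hello:
                findings.append(f"{r.name}/{i.segment}: dead timer {i.dead} is less than 4 x hello {i.hello}")
    # Neighbours on one segment must agree on timers and network type, and a
    # broadcast or NBMA segment needs at least one router that can become DR.
    for (area, seg), ends in segments.items():
        if len({(i.hello, i.dead) for _, i in ends}) > 1:
            findings.append(f"segment {seg}: hello/dead timers differ between neighbours")
        types = {i.network_type for _, i in ends}
        if len(types) > 1:
            findings.append(f"segment {seg}: interface network types differ")
        if types <= {"broadcast", "nbma"} and all(i.priority == 0 for _, i in ends):
            findings.append(f"segment {seg}: no interface with priority > 0, no DR can be elected")
    if len(members) >= 2 and "0" not in members:
        findings.append("several areas configured but no backbone area 0")
    if "0" in stub_areas:
        findings.append("backbone area 0 cannot be a stub area")
    # Virtual links: not through a stub area, configured on both ends, with the
    # near end inside the transit area. A valid link whose far end is in the
    # backbone gives the near end a (virtual) backbone interface.
    backbone = set(members.get("0", set()))
    for r in routers:
        for transit, peer in r.vlinks:
            if transit in stub_areas:
                findings.append(f"{r.name}: virtual link through stub area {transit}")
            elif peer not in by_name or (transit, r.name) not in by_name[peer].vlinks:
                findings.append(f"{r.name}: virtual link to {peer} is configured on one end only")
            elif r.name not in members.get(transit, set()):
                findings.append(f"{r.name}: not a member of transit area {transit}")
            elif peer in backbone:
                backbone.add(r.name)
    for area, names in members.items():
        if area != "0" and not names & backbone:
            findings.append(f"area {area} has no connection to the backbone area")
    return findings


def figure_4_4(with_vlink: bool) -> List[Router]:
    """Figure 4-4: RTA in area 0, RTB in areas 0 and 1, RTC in areas 1 and 2, RTD in area 2."""
    rta = Router("RTA", [Interface("0", "s0")])
    rtb = Router("RTB", [Interface("0", "s0"), Interface("1", "s1")])
    rtc = Router("RTC", [Interface("1", "s1"), Interface("2", "s2")])
    rtd = Router("RTD", [Interface("2", "s2")])
    if with_vlink:
        rtb.vlinks.append(("1", "RTC"))
        rtc.vlinks.append(("1", "RTB"))
    return [rta, rtb, rtc, rtd]
```

Run against Figure 4-4 without the virtual link, the only finding is that area 2 has no connection to the backbone; adding the vlink-peer configuration on both RTB and RTC clears it, while making area 1 a stub area brings the finding back together with a complaint about the virtual link itself, which is the dependency the text describes.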

Chapter 5 BGP Configuration
5.1 Brief Introduction to BGP
Border Gateway Protocol (BGP) is an inter-autonomous system (AS) dynamic route discovery protocol. Three early versions of BGP are RFC1105 (BGP-1), RFC1163 (BGP-2) and RFC1267 (BGP-3). The version in use at present is RFC1771 (BGP-4), which is applied to distributed structures and supports Classless Inter-Domain Routing (CIDR). It is also used to implement policies configured by users. BGP-4 has in effect become the external routing protocol standard of the Internet and is frequently used between ISPs. The characteristics of BGP are as follows:
- BGP is an external routing protocol. Unlike internal routing protocols such as OSPF and RIP, it focuses on controlling route propagation and selecting the best routes rather than on discovering and calculating routes.
- Route loops are eliminated completely by adding AS path information to BGP routes.
- TCP is used as the transport layer protocol, which enhances the reliability of the protocol.
- BGP-4 supports CIDR, an important improvement over BGP-3. CIDR treats IP addresses in an entirely new way: it does not divide networks into Class A, Class B and Class C. For example, the invalid Class C network address 192.213.0.0 (255.255.0.0) can be expressed as 192.213.0.0/16 in CIDR notation, which is a valid supernet; here /16 means that the subnet mask consists of the first 16 bits from the left. The introduction of CIDR simplifies route aggregation. Route aggregation is the process of combining several different routes, so that the advertisement of several routes becomes the advertisement of a single route and the routing table is simplified.
- When routes are updated, BGP transmits only incremental routes, which greatly reduces the bandwidth consumed by route propagation and makes BGP suitable for propagating the large amount of routing information on the Internet.
- In consideration of management and security, users want to control the outgoing and incoming routing information of each AS. BGP-4 provides abundant route policies to implement flexible filtering and selection of routes, and these can be extended easily to support new developments of the network.
BGP, as an upper-layer protocol, runs on a special router. When the BGP system first starts up, the BGP router exchanges routing information with its peers by transmitting the complete BGP routing table; after that only update messages are exchanged. While the system operates, keep-alive messages are received and transmitted to check the correctness of the connections between the various neighbors. The router transmitting BGP messages is called a BGP speaker; it continuously receives and generates new routing information and advertises it to the other BGP speakers. When a BGP speaker receives a new route advertisement from another AS, it advertises the route to all the other BGP speakers in its AS if the route is better than the one currently learned or is a new route. A BGP speaker calls the other BGP speakers that exchange information with it peers, and multiple related peers compose a peer group. BGP runs on a router in either of the following modes:
- IBGP (Internal BGP)
- EBGP (External BGP)
BGP is called IBGP when it runs within an AS and EBGP when it runs between different ASs. The running of BGP is driven by messages of the following four types:
- open message
- update message
- notification message
- keep-alive message
The open message is the first message sent after a connection is created; it establishes the relationship between BGP peers. The notification message is used to report errors. The keep-alive message is used to check the validity of a connection. The update message is the most important message in the BGP system; it exchanges routing information between peers and is composed of up to three parts: unreachable routes, path attributes and network layer reachability information (NLRI).
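The four message types share one 19-byte header, and a BGP speaker has to validate that header (and the length fields inside an update) before it trusts anything a peer sends over the TCP session. The following is an added example, not code from the manual, that builds and parses the header, an open message and an update carrying the three parts named above, rejecting truncated or inconsistent messages; it also shows how the hold time carried in open becomes the negotiated session timer. The message layouts are those of RFC 4271, which kept the RFC 1771 formats; the AS numbers, BGP identifiers and prefixes are constructed.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Added illustration of the BGP-4 message framing summarised above; it is not
# code from the manual. Layouts follow RFC 4271, which kept the RFC 1771
# formats, and every AS number, address and prefix below is constructed.

MARKER = b"\xff" * 16       # all ones when no authentication is in use
HEADER_LEN = 19
MAX_LEN = 4096
TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}


def build_message(msg_type: int, payload: bytes = b"") -> bytes:
    """Marker (16) + length (2) + type (1), then the type-specific payload."""
    return MARKER + struct.pack("!HB", HEADER_LEN + len(payload), msg_type) + payload


def build_open(my_as: int, hold_time: int, bgp_id: str) -> bytes:
    ident = bytes(int(o) for o in bgp_id.split("."))
    # version 4, My AS, Hold Time, BGP Identifier, optional parameter length 0
    return build_message(1, struct.pack("!BHH4sB", 4, my_as, hold_time, ident, 0))


def _encode_prefixes(prefixes: List[str]) -> bytes:
    out = b""
    for p in prefixes:
        addr, plen = p.split("/")
        nbytes = (int(plen) + 7) // 8             # only the significant octets are sent
        out += bytes([int(plen)]) + bytes(int(o) for o in addr.split("."))[:nbytes]
    return out


def _decode_prefixes(data: bytes) -> List[str]: 
    out, i = [], 0
    while i < len(data):
        plen = data[i]
        nbytes = (plen + 7) // 8
        raw = data[i + 1:i + 1 + nbytes]
        if plen > 32 or len(raw) != nbytes:
            raise ValueError("truncated or invalid prefix")
        out.append(".".join(str(b) for b in raw.ljust(4, b"\x00")) + f"/{plen}")
        i += 1 + nbytes
    return out


def build_update(withdrawn: List[str], attrs: bytes, nlri: List[str]) -> bytes:
    w, n = _encode_prefixes(withdrawn), _encode_prefixes(nlri)
    return build_message(2, struct.pack("!H", len(w)) + w + struct.pack("!H", len(attrs)) + attrs + n)


def parse_message(buf: bytes) -> Tuple[Optional[str], Dict, str]:
    """Return (type name, decoded fields, error); error is '' when acceptable."""
    if len(buf) < HEADER_LEN:
        return None, {}, "short header"
    if buf[:16] != MARKER:
        return None, {}, "connection not synchronised (bad marker)"
    length, mtype = struct.unpack("!HB", buf[16:19])
    if not HEADER_LEN <= length <= MAX_LEN or length != len(buf):
        return None, {}, "bad message length"
    name = TYPES.get(mtype)
    if name is None:
        return None, {}, "bad message type"
    body = buf[HEADER_LEN:]
    if name == "KEEPALIVE":
        return name, {}, ("" if not body else "keepalive must be 19 bytes")
    if name == "OPEN":
        if len(body) < 10:
            return name, {}, "short OPEN"
        version, my_as, hold, ident, opt_len = struct.unpack("!BHH4sB", body[:10])
        if version != 4:
            return name, {}, "unsupported version"
        if hold != 0 and hold < 3:               # RFC 4271: hold time is 0 or at least 3 s
            return name, {}, "unacceptable hold time"
        if len(body) != 10 + opt_len:
            return name, {}, "bad optional parameter length"
        return name, {"my_as": my_as, "hold_time": hold,
                      "bgp_identifier": ".".join(str(b) for b in ident)}, ""
    if name == "UPDATE":
        try:
            wlen = struct.unpack("!H", body[:2])[0]
            alen = struct.unpack("!H", body[2 + wlen:4 + wlen])[0]
            attrs = body[4 + wlen:4 + wlen + alen]
            if len(body[2:2 + wlen]) != wlen or len(attrs) != alen:
                raise ValueError("length fields exceed the message")
            fields = {"withdrawn": _decode_prefixes(body[2:2 + wlen]),
                      "attributes": attrs,
                      "nlri": _decode_prefixes(body[4 + wlen + alen:])}
        except (struct.error, ValueError) as exc:
            return name, {}, f"malformed UPDATE: {exc}"
        return name, fields, ""
    return name, {"data": body}, ""              # NOTIFICATION: error code, subcode, data


def negotiated_timers(local_hold: int, peer_hold: int) -> Tuple[int, int]:
    """Hold time becomes the smaller of the two OPEN values; RFC 4271 suggests a
    keep-alive interval of one third of it, the 60/180 s pairing this manual
    uses as its default."""
    hold = min(local_hold, peer_hold)
    return hold, hold // 3
```

The marker and length checks are what a speaker relies on to stay synchronised on the TCP stream: a message whose length field does not match what was received is an error to be reported with a notification, not something to be parsed further.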

5.2 BGP Configuration
The BGP configuration includes:
- Enable BGP
- Configure Networks for BGP Distribution
- Configure BGP Peer (Group)
- Configure BGP Timer
- Configure the local preference
- Configure MED for AS
- Compare MED values from different AS neighbors
- Configure BGP Community
- Configure the BGP Route Aggregation
- Configure BGP Route Reflector
- Configure AS confederation attributes
- Configure BGP route dampening
- Configure the Redistribution of BGP and IGP
- Configure BGP Route Filtering
- Define ACL, AS path list and route map
- Clear BGP Connection

5.2.1 Enable BGP
To enable BGP, the local AS number must be specified. After BGP is enabled, the local router listens for BGP connection requests sent by adjacent routers. To make the local router send BGP connection requests to adjacent routers, refer to the configuration of the peer command. When BGP is disabled, all established BGP connections are disconnected. Perform the following configurations in system view.

Table 5-1 Enable/Disable BGP
Operation: Enable BGP and enter the BGP view
Command: bgp as-number
Operation: Disable BGP
Command: undo bgp [ as-number ]

By default, BGP is not enabled.

5.2.2 Configure Networks for BGP Distribution
Perform the following configurations in BGP view.

Table 5-2 Configure Networks for BGP Distribution
Operation: Configure the local network route
Command: network ip-address address-mask [ route-policy route-policy-name ]
Operation: Remove the local network route
Command: undo network ip-address address-mask [ route-policy route-policy-name ]

By default, no network is configured for BGP distribution.

5.2.3 Configure BGP Peer (Group)
BGP speakers exchanging BGP packets compose BGP peers. To configure multiple peers to use the same route update policy, users may put them into a BGP peer group to simplify the configuration. When the configuration of the group changes, the configuration of each group member changes accordingly. Users may, however, configure certain attributes for a particular member by designating its IP address, so that the member is not affected by the group's configuration in terms of those attributes. Perform the following configurations in BGP view.

I. Configure AS number
To configure a BGP peer (group) as a neighbor of the local router, the AS to which the peer (group) belongs must be specified first. Routing information is not exchanged between the two ends until the peer and the AS to which it belongs are specified.

Table 5-3 Configure AS number
Operation: Configure the AS number of the peer (group)
Command: peer { peer-address | group-name } as-number as-number
Operation: Delete the AS number of the peer (group)
Command: undo peer { peer-address | group-name } as-number as-number

If the AS numbers specified by the as-number and bgp commands are the same, the configured neighbor is an internal neighbor; otherwise it is an external neighbor. If this command is not used to configure an AS number for a peer group, each peer to be added to the peer group must have its AS number configured in advance. If an AS number is configured for a peer group, every peer to be added to the group must be configured (if configured at all) with the same AS number as the peer group.

II. Create a peer group and add a member
By default, IBGP peers will be added into a default peer group that is invisible. The configuration of route update policy for each IBGP peer is only effective for the other IBGP peers in the same group. If the router is not a route reflector, all IBGP peers are grouped into the same group, otherwise all route reflector clients are grouped into a group and all non-clients are grouped into another group. Members of EBGP peer group must be located on the same network segment, or it is possible for some EBGP peers to discard the route update messages sent by the local router. IBGP peers and EBGP peers cannot be added to the same group.

Table 5-4 Create a peer group and add a member
Operation: Create a peer group
Command: group group-name
Operation: Delete a specified peer group
Command: undo group group-name
Operation: Create a peer in the peer group
Command: peer peer-address group group-name
Operation: Delete a peer from the peer group
Command: undo peer peer-address group group-name
Operation: Reset connections of all members in the peer group (in user view)
Command: reset bgp group group-name

III. Configure description of a peer (group)
A description of a peer (group) can be configured to make the characteristics of the peer easier to recognize.

Table 5-5 Configure description of a peer (group)
Operation: Configure description of a peer (group)
Command: peer { peer-address | group-name } description description-line
Operation: Delete description of a peer (group)
Command: undo peer { peer-address | group-name } description

By default, no BGP peer (group) description is set.

IV. Configure to Permit Connections with EBGP Peers (groups) on Indirectly Connected Networks
Generally, EBGP peers must be directly connected. If they are not, the command below can be used so that they can still communicate with each other normally.

Table 5-6 Configure to permit connections with EBGP peers (groups) on indirectly connected networks
Operation: Configure to permit connections with EBGP peers (groups) on indirectly connected networks
Command: peer { peer-address | group-name } ebgp-max-hop [ ttl ]
Operation: Configure to permit connections with EBGP peers (groups) on directly connected networks only
Command: undo peer { peer-address | group-name } ebgp-max-hop [ ttl ]

By default, only the connections with EBGP peers (groups) on directly connected networks are permitted. ttl refers to time-to-live in the range of 1 to 255 with the default value as 64.

V. Configure timer of peer (group)
The peer timer command is used to configure the timers of a BGP peer (group), including the keep-alive message interval and the hold timer. This command takes precedence over the timer command, which configures the timers for all BGP peers.

Table 5-7 Configure timer of peer (group)
Operation: Configure keep-alive message interval and hold timer of peer (group)
Command: peer { group-name | peer-address } timer keep-alive keepalive-interval hold holdtime-interval
Operation: Restore the default value of keep-alive message interval and hold timer of a peer (group)
Command: undo peer { group-name | peer-address } timer

By default, the keep-alive message is sent every 60 seconds and the value of the hold timer is 180 seconds.

VI. Configure the interval at which route update messages are sent by a peer (group)
Table 5-8 Configure the interval at which route update messages are sent by a peer (group)
Operation: Configure the route update message interval of a peer (group)
  Command: peer { peer-address | group-name } route-update-interval seconds
Operation: Restore the default route update message interval of a peer (group)
  Command: undo peer { peer-address | group-name } route-update-interval

By default, the interval at which route update messages are sent is 5 seconds for an IBGP peer (group) and 30 seconds for an EBGP peer (group).

VII. Configure to send the community attributes to a peer (group)
Table 5-9 Configure to send the community attributes to a peer (group)
Operation: Send the community attributes to a peer (group)
  Command: peer { peer-address | group-name } advertise-community
Operation: Do not send the community attributes to a peer (group)
  Command: undo peer { peer-address | group-name } advertise-community


VIII. Configure a peer (group) to be a client of a route reflector
This command is normally applied to individual peers with peer peer-address reflect-client rather than to a peer group, because all IBGP neighbours belong to the default group and a whole group is rarely meant to become clients.
Table 5-10 Configure a peer (group) to be a client of a route reflector
Operation: Configure a peer (group) to be a client of a route reflector
  Command: peer { peer-address | group-name } reflect-client
Operation: Cancel the configuration of the peer (group) as a client of the BGP route reflector
  Command: undo peer { peer-address | group-name } reflect-client

For detailed information on route reflectors, refer to the "Configure BGP Route Reflector" section of this chapter.

IX. Configure to send default route to a peer (group)
Table 5-11 Configure to send default route to a peer (group)
Operation: Send a default route to a peer (group)
  Command: peer { peer-address | group-name } default-route-advertise
Operation: Do not send a default route to a peer (group)
  Command: undo peer { peer-address | group-name } default-route-advertise

By default, the local router does not send a default route to any peer (group). Once configured, the local router sends the peer a default route with itself as next hop unconditionally, even if there is no default route in the BGP routing table; confirm that the peer is meant to forward all otherwise unmatched traffic to this router before enabling it.

X. Configure itself as the next hop in advertising route
A BGP router can set itself as the next hop when advertising routes to a peer (group). This is typically used toward IBGP peers, so that they do not need a route to the external next hop learned over EBGP.
Table 5-12 Configure itself as the next hop in advertising route
Operation: Configure itself as the next hop in advertising route
  Command: peer { peer-address | group-name } next-hop-local
Operation: Disable the specification of itself as the next hop in advertising route
  Command: undo peer { peer-address | group-name } next-hop-local

By default, the local router does not set itself as the next hop when advertising routes to a peer (group).


XI. Configure route map for a peer (group)
By configuring a route map (route-policy) for a peer (group), the routes received from the peer (group) and the routes advertised to it can be controlled. All members of a peer group must use the same route map for advertised (export) routes as the group itself, but their route maps for received (import) routes may differ.
Table 5-13 Configure route map for a peer (group)
Operation: Configure route map for a peer (group)
  Command: peer { peer-address | group-name } route-policy route-policy-name { import | export }
Operation: Remove the route map policy of a peer (group)
  Command: undo peer { peer-address | group-name } route-policy route-policy-name { import | export }

By default, no route map is applied to a peer (group).

XII. Configure route filtering policy based on IP ACL for a peer (group)
Table 5-14 Configure route filtering policy based on IP ACL for a peer (group)
Operation: Configure route filtering policy based on IP ACL for a peer (group)
  Command: peer { peer-address | group-name } filter-policy acl-number { import | export }
Operation: Remove the route filtering policy based on IP ACL of a peer (group)
  Command: undo peer { peer-address | group-name } filter-policy acl-number { import | export }

By default, route filtering based on IP ACL for a peer (group) is disabled.

XIII. Configure route filtering policy based on AS path list for a peer (group)
Table 5-15 Configure route filtering policy based on AS path list for a peer (group)
Operation: Configure route filtering policy based on AS path list for a peer (group)
  Command: peer { peer-address | group-name } as-path-acl acl-number { import | export }
Operation: Remove the route filtering policy based on AS path list of a peer (group)
  Command: undo peer { peer-address | group-name } as-path-acl acl-number { import | export }

By default, route filtering based on AS path list for a peer (group) is disabled.


XIV. Configure route filtering policy based on address prefix list for a peer (group)
Table 5-16 Configure route filtering policy based on address prefix list for a peer (group)
Operation: Configure route filtering policy based on address prefix list for a peer (group)
  Command: peer { peer-address | group-name } ip-prefix prefixname { import | export }
Operation: Remove the route filtering policy based on address prefix list of a peer (group)
  Command: undo peer { peer-address | group-name } ip-prefix prefixname { import | export }

By default, route filtering based on address prefix list for a peer (group) is disabled.

XV. Remove private AS numbers while transmitting BGP update messages
Normally the AS_PATH carried in BGP update messages includes every AS number on the path, public or private. This command makes the router strip private AS numbers (64512 to 65534) from the AS_PATH of updates sent to the specified peer (group), so that private numbers used inside the network are not leaked to the outside.
Table 5-17 Remove private AS numbers while transmitting BGP update messages
Operation: Remove private AS numbers while transmitting BGP update messages
  Command: peer { peer-address | group-name } public-as-only
Operation: Include private AS numbers while transmitting BGP update messages
  Command: undo peer { peer-address | group-name } public-as-only

By default, private AS numbers are included in transmitted update messages.

XVI. Specify the source interface of a route update packet
By default the system chooses the source interface of the BGP TCP connection itself. For an IBGP session the source interface can be set explicitly so that the TCP connection survives the failure of a single physical interface; a Loopback interface is the usual choice, and the peer must then be configured with the loopback address as its peer-address.
Table 5-18 Specify the source interface of a route update packet
Operation: Specify the source interface of a route update packet
  Command: peer { peer-address | group-name } connect-interface interface-type interface-name
Operation: Use the best source interface
  Command: undo peer { peer-address | group-name } connect-interface interface-type interface-name

By default, BGP sets up the TCP connection using the optimal source interface.

XVII. Enable/disable a peer/peer group
BGP speakers do not exchange routing information with a disabled peer or peer group. Perform the following configurations in BGP view.
Table 5-19 Enable/disable a peer/peer group
Operation: Enable a peer/peer group
  Command: peer { group-name | peer-address } enable
Operation: Disable a peer/peer group
  Command: undo peer { group-name | peer-address } enable

By default, a peer or peer group is enabled.

5.2.4 Configure BGP Timer
When a BGP speaker receives an OPEN message while setting up a connection, it calculates the hold time: the smaller of its own hold time and the one carried in the OPEN message becomes the negotiated hold time. BGP then sends a Keepalive message and starts the keepalive timer. If the negotiated hold time is 0, no Keepalive messages are sent and hold-time expiry is not checked. Perform the following configurations in BGP view.
Table 5-20 Configure BGP Timer
Operation: Configure BGP Timer
  Command: peer { group-name | peer-address } timer keep-alive keepalive-interval hold holdtime-interval
Operation: Restore the default value of the timer
  Command: undo peer { group-name | peer-address } timer

By default, the keepalive interval is 60 seconds and the hold time is 180 seconds.
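The negotiation described above, written out as an added example (this is not code from the manual or from the switch software): the hold time becomes the smaller of the two offered values, a result of 0 turns keepalives and hold-timer expiry off, and an offered hold time of 1 or 2 seconds is rejected as RFC 4271 requires. Capping the keepalive interval at one third of the negotiated hold time is an assumption that follows the RFC's recommendation.

```python
"""Hold-time negotiation and keepalive selection for a BGP session.

Added example, not from the Quidway manual; it implements the rule described in
5.2.4 and RFC 4271 section 4.2. Choosing the keepalive interval as the configured
value capped at one third of the hold time is the assumption made here.
"""
from typing import Tuple


def negotiate_timers(local_hold: int, received_hold: int, local_keepalive: int) -> Tuple[int, int]:
    """Return (hold_time, keepalive_interval) in seconds for a session whose OPEN
    message carried `received_hold`, given the local configuration."""
    if received_hold in (1, 2):
        # RFC 4271: a hold time of 1 or 2 seconds must be rejected (OPEN message error)
        raise ValueError("unacceptable hold time %d in OPEN" % received_hold)
    hold = min(local_hold, received_hold)
    if hold == 0:
        # No keepalives are sent and the hold timer never expires
        return 0, 0
    # Keepalives must arrive often enough that the peer's hold timer cannot expire
    keepalive = min(local_keepalive, hold // 3)
    return hold, max(keepalive, 1)


if __name__ == "__main__":
    # manual defaults: keepalive 60 s, hold 180 s; the peer offers a hold time of 90 s
    print(negotiate_timers(180, 90, 60))   # (90, 30)
```

With the manual's defaults a peer offering 90 seconds drives both sides down to a 90 second hold time and a 30 second keepalive, which is why a mismatch configured on only one side still changes the timers on both.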

5.2.5 Configure the local preference
Different local preferences can be configured to affect the BGP routing. When a router running BGP gets routes with the same destination address but different next hops through different internal peers, it will select the route of the highest local preference. Perform the following configurations in BGP view.


Table 5-21 Configure the local preference
Operation: Configure the local preference
  Command: default local-preference value
Operation: Restore the default local preference
  Command: undo default local-preference

The local preference is transmitted only when the IBGP peers exchange the update packets and it will not be transmitted beyond the local AS. By default, the local preference is 100.

5.2.6 Configure MED for AS
The Multi-Exit Discriminator (MED) attribute is the external metric of a route. It is exchanged between ASs but, once it has entered an AS, it is not passed on beyond that AS. An AS uses local preference to choose its exit toward the outside and MED to tell a neighbouring AS which entry point it prefers. When a router running BGP learns routes to the same destination with different next hops from different external peers, it selects the route with the smallest MED as the best route, all other conditions being equal. Perform the following configurations in BGP view.
Table 5-22 Configure an MED metric for the system
Operation: Configure an MED metric for the system
  Command: default med med-value
Operation: Restore the default MED metric of the system
  Command: undo default med

The router only compares the MED values of routes received from EBGP peers in the same AS. To compare the MED values of routes from peers in different ASs, use the compare-different-as-med command. By default, the MED metric is 0.

5.2.7 Comparing the MED Routing Metrics from the Peers in Different ASs
This command allows MED to be used in best-route selection between routes received from peers in different ASs; the route with the smaller MED is selected. Perform the following configurations in BGP view.


Table 5-23 Comparing the MED Routing Metrics from the Peers in Different ASs
Operation: Compare the MED routing metrics from the peers in different ASs
  Command: compare-different-as-med
Operation: Do not compare the MED routing metrics from the peers in different ASs
  Command: undo compare-different-as-med

By default, MED is not compared between routes from neighbours in different ASs. Do not enable this unless you are sure the ASs concerned use the same IGP and the same way of setting MED: a MED value set by one AS has no meaning relative to a value set by another.
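The interaction of local preference, AS path length and MED described in 5.2.5 to 5.2.7, as an added example (not code from the manual or from the switch): a small best-path selector in which MED only decides between routes from the same neighbouring AS unless the equivalent of compare-different-as-med is switched on. The tie-break on peer address and the sample routes are assumptions made for the illustration.

```python
"""Simplified BGP best-path selection showing how LOCAL_PREF and MED are used
(sections 5.2.5 to 5.2.7).

Added example, not from the Quidway manual. The steps implemented are a subset
of the RFC 4271 decision process: highest LOCAL_PREF, then shortest AS_PATH,
then lowest MED, where MED is compared only between routes learned from the
same neighbouring AS unless `compare_different_as_med` is set (the manual's
compare-different-as-med command). The final tie-break on peer address is an
assumption made only so that the result is deterministic; the sample routes
are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: str
    peer: str                 # address of the peer the route was learned from
    as_path: List[int]        # AS_PATH; the left-most AS is the neighbouring AS
    local_pref: int = 100     # manual default
    med: int = 0              # manual default

    @property
    def neighbor_as(self) -> Optional[int]:
        return self.as_path[0] if self.as_path else None


def better(a: Route, b: Route, compare_different_as_med: bool) -> bool:
    """True if route `a` is preferred over route `b`."""
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref          # higher local preference wins
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) < len(b.as_path)     # shorter AS path wins
    # MED is set by the neighbouring AS to steer traffic into it, so values from
    # different ASs are only comparable if the operator says they are.
    same_as = a.neighbor_as == b.neighbor_as
    if (same_as or compare_different_as_med) and a.med != b.med:
        return a.med < b.med                       # lower MED wins
    return a.peer < b.peer                         # assumed deterministic tie-break


def select_best(routes: List[Route], compare_different_as_med: bool = False) -> Route:
    best = routes[0]
    for r in routes[1:]:
        if better(r, best, compare_different_as_med):
            best = r
    return best


# Constructed sample: three paths to 10.0.0.0/8, two via AS 200, one via AS 300.
SAMPLE = [
    Route("10.0.0.0/8", peer="192.0.2.1", as_path=[200, 400], med=50),
    Route("10.0.0.0/8", peer="192.0.2.2", as_path=[200, 400], med=10),
    Route("10.0.0.0/8", peer="192.0.2.3", as_path=[300, 400], med=5),
]

if __name__ == "__main__":
    print(select_best(SAMPLE).peer)                                  # 192.0.2.2
    print(select_best(SAMPLE, comper_different_as_med=True).peer if False else select_best(SAMPLE, compare_different_as_med=True).peer)   # 192.0.2.3
```

With the default behaviour the AS 300 route's MED of 5 is never looked at against the AS 200 routes, so the best of the two AS 200 routes wins; enabling cross-AS MED comparison flips the decision to the AS 300 route, which is exactly the effect the caveat above warns about.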

5.2.8 Configure BGP Community
Community attributes are optional and transitive. Some are globally recognized and are referred to here as standard community attributes; others serve special purposes and are referred to as extended community attributes. Both kinds can be defined. A community list identifies communities and likewise comes in a standard form and an extended form. A route may carry several community attributes, and a speaker can act on one, several or all of them; a router may change the community attributes of a route or leave them unchanged before passing the route on to its peers. Perform the following configurations in system view.
Table 5-24 Configure community
Operation: Configure a standard community list
  Command: ip community-list standard-community-list-number { permit | deny } { aa:nn | internet | no-export-subconfed | no-advertise | no-export }
Operation: Configure an extended community list
  Command: ip community-list extended-community-list-number { permit | deny } as-regular-expression
Operation: Remove the configured community list
  Command: undo ip community-list { standard-community-list-number | extended-community-list-number }

By default, no BGP community list is configured.

5.2.9 Configure BGP Route Summarization
CIDR supports route summarization. BGP has two summarization modes: summary automatic and aggregate. Summary automatic summarizes subnet routes imported from an IGP into their natural network routes; once it is configured, BGP no longer advertises the individual subnets imported by the IGP. Aggregate summarizes routes in the BGP local routing table and accepts a set of parameters. In general, aggregate takes precedence over summary automatic. Perform the following configuration in BGP view:
Table 5-25 Configure BGP route summarization
Operation: Enable automatic summarization of subnet routes
  Command: summary automatic
Operation: Disable automatic summarization of subnet routes
  Command: undo summary automatic
Operation: Configure local route aggregation
  Command: aggregate address mask [ as-set | attribute-policy route-policy-name | detail-suppressed | origin-policy route-policy-name | suppress-policy route-policy-name ]*
Operation: Cancel local route aggregation
  Command: undo aggregate address mask [ as-set | attribute-policy route-policy-name | detail-suppressed | origin-policy route-policy-name | suppress-policy route-policy-name ]*

By default, BGP does not perform local route aggregation.

5.2.10 Configure BGP Route Reflector
To exchange routes among IBGP peers, a full mesh of IBGP sessions is normally required. In a network with many IBGP peers the mesh becomes very large and expensive to maintain, so a different peering technique is needed. The idea of a route reflector is to nominate a central router as the focus of the internal sessions: many BGP routers peer with that central point, and several route reflectors then peer with each other. The route reflector is the central point for the other routers, which are called its clients. A client peers with the route reflector and exchanges routing information with it, and the route reflector reflects that information among the clients in turn. In the following figure, Router A receives an update from its external peer and passes it to Router C. Router C is a route reflector with two clients, Router A and Router B, and reflects the update from client Router A to client Router B. With this configuration the IBGP session between Router A and Router B is no longer needed, because the route reflector delivers the BGP information to Router B.

Figure 5-1 The route reflector diagram (Router C is the route reflector; Router A and Router B are its clients; Router A and Router B each have an EBGP session to an external router, and a route updated over EBGP at Router A is reflected by Router C to Router B)

The reflector is the router that performs route reflection. A route reflector divides its IBGP peers into clients and non-clients; every IBGP peer in the autonomous system that does not belong to the cluster is a non-client. A router is made a route reflector, and a peer is added as its client, with the peer reflect-client command. Client peers need not establish IBGP sessions with routers outside their cluster. Non-client peers, on the other hand, must still be fully meshed with the route reflector and with each other, because they follow the ordinary IBGP full-mesh rule. Route reflection is performed only on the route reflector; clients and non-clients are ordinary BGP peers, and a peer is a client only because the route reflector lists it as one.

I. Configure the route reflection between clients
Perform the following configurations in BGP view.
Table 5-26 Configure the route reflection between clients
Operation: Enable route reflection between clients
  Command: reflect between-clients
Operation: Disable route reflection between clients
  Command: undo reflect between-clients

By default, the reflection between clients is disabled.

II. Configure the cluster ID
Generally, there is only one route reflector in a cluster. Perform the following configurations in BGP view.


Table 5-27 Configure the Cluster_ID of the route reflector
Operation: Configure the Cluster_ID of the route reflector
  Command: reflector cluster-id { cluster-id | address }
Operation: Cancel the Cluster_ID of the route reflector
  Command: undo reflector cluster-id

By default, the router ID of the route reflector is used as the cluster ID.

III. Two kinds of measures to avoid looping inside AS
Introducing route reflectors makes it possible for routing loops to form inside the AS: an update that has already left a cluster may try to re-enter it. The usual AS_PATH check cannot detect such a loop because the update has never left the AS. BGP therefore provides two measures for loop avoidance when route reflectors are configured:
1) Originator_ID of the route reflector

The Originator_ID attribute is set by the route reflector to the router ID of the router that originated the route inside the AS. If, because of misconfiguration, an update returns to its originator, the originator recognizes its own ID and drops it. No configuration is needed; the check works as soon as BGP is enabled.
2) Cluster_ID of the route reflector

When a route reflector reflects a route it adds its Cluster_ID to the route's Cluster_List. A route reflector that receives an update whose Cluster_List already contains its own Cluster_ID knows the update has been through its cluster before and drops it. The Cluster_ID is configured as described in "Configure the cluster ID" above.
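The reflection rules of this section and the two loop checks, as an added example that is not code from the manual or from the switch: which IBGP peers a route is reflected to depending on whether it came from a client or a non-client, what the reflector stamps on the route, and why a route that carries the reflector's own Cluster_ID or the receiver's own router ID as Originator_ID is dropped. It follows RFC 4456; the router IDs, cluster IDs and the assumption that a peer is identified by its router ID are constructed for the illustration.

```python
"""Route reflector behaviour: where an IBGP route is reflected to, and how the
Originator_ID and Cluster_List checks stop an update from looping back into a
cluster.

Added example, not from the Quidway manual; it follows RFC 4456. Router IDs,
cluster IDs and peer addresses below are constructed, and peers are assumed to
be identified by their router ID so that the peer a route arrives from can be
used as its Originator_ID.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Update:
    prefix: str
    originator_id: Optional[str] = None          # set by the first reflector that reflects the route
    cluster_list: List[str] = field(default_factory=list)


@dataclass
class Reflector:
    router_id: str
    cluster_id: Optional[str] = None             # manual: defaults to the router ID
    clients: List[str] = field(default_factory=list)
    non_clients: List[str] = field(default_factory=list)
    reflect_between_clients: bool = True         # manual: reflect between-clients

    def __post_init__(self) -> None:
        if self.cluster_id is None:
            self.cluster_id = self.router_id

    def accept(self, upd: Update) -> bool:
        """Loop checks on receipt: drop a route we originated ourselves, or one
        whose Cluster_List shows it has already passed through our cluster."""
        if upd.originator_id == self.router_id:
            return False
        if self.cluster_id in upd.cluster_list:
            return False
        return True

    def reflect(self, upd: Update, from_peer: str) -> Dict[str, Update]:
        """Return {peer: update} for every IBGP peer the route is reflected to
        when `upd` arrives from `from_peer`."""
        if not self.accept(upd):
            return {}
        if from_peer in self.clients:
            # From a client: to all non-clients, and to the other clients only
            # if reflection between clients is enabled.
            targets = list(self.non_clients)
            if self.reflect_between_clients:
                targets += [c for c in self.clients if c != from_peer]
        elif from_peer in self.non_clients:
            # From a non-client: only to clients; non-clients are fully meshed.
            targets = list(self.clients)
        else:
            return {}
        reflected = Update(
            upd.prefix,
            originator_id=upd.originator_id or from_peer,
            cluster_list=[self.cluster_id] + upd.cluster_list,
        )
        return {peer: reflected for peer in targets}


# Constructed topology matching Figure 5-1: Router C reflects between clients A and B;
# Router D is a non-client IBGP peer.
ROUTER_C = Reflector(router_id="3.3.3.3", clients=["1.1.1.1", "2.2.2.2"], non_clients=["4.4.4.4"])

if __name__ == "__main__":
    sent = ROUTER_C.reflect(Update("10.0.0.0/8"), from_peer="1.1.1.1")
    print(sorted(sent))                                          # ['2.2.2.2', '4.4.4.4']
    looped = Update("10.0.0.0/8", originator_id="1.1.1.1", cluster_list=["9.9.9.9", "3.3.3.3"])
    print(ROUTER_C.accept(looped))                               # False
```

A route from client Router A reaches client Router B and the non-client without any A to B session, which is the point of the design; the same route coming back with Router C's cluster ID already in its Cluster_List is discarded before it can be reflected again.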

5.2.11 Configure BGP AS Confederation Attribute
A confederation is another way to cope with the rapidly growing number of IBGP sessions inside an AS. It divides the AS into several sub-ASs; inside each sub-AS the IBGP peers are fully meshed, and the sub-ASs are connected with one another within the confederation. Confederations have drawbacks: moving from a non-confederation to a confederation design requires the routers to be reconfigured and changes the logical topology substantially, and without manually set BGP policy the path chosen through a confederation may not be the best one.

I. Configure confederation_ID
In the eye of the BGP speakers that are not included in the confederation, multiple sub-ASs that belong to the same confederation are a whole. The external network does not need to know the status of internal sub-ASs, and the confederation ID is the AS number identifying the confederation as a whole. Perform the following configurations in BGP view.


Table 5-28 Configure confederation_ID
Operation: Configure confederation_ID
  Command: confederation id as-number
Operation: Cancel confederation_ID
  Command: undo confederation id

By default, no confederation_ID is configured.

II. Configure sub-AS belonging to the confederation
Configure the confederation_ID first, and then the sub-ASs belonging to the confederation. One confederation includes up to 32 sub-ASs. The as-number used when configuring a sub-AS is valid only within the confederation. Perform the following configurations in BGP view.
Table 5-29 Configure sub-AS belonging to the confederation
Operation: Configure the sub-ASs that make up the confederation
  Command: confederation peer-as as-number-1 [ ... as-number-n ]
Operation: Cancel the specified sub-ASs in the confederation
  Command: undo confederation peer-as [ as-number-1 ] [ ... as-number-n ]

By default, no autonomous system is configured as a member of the confederation.

III. Configure the autonomous system confederation nonstandard
To interoperate with devices whose confederation implementation differs from RFC 1965, configure this on all routers in the confederation. Perform the following configurations in BGP view.
Table 5-30 Configure AS confederation attribute compatible with nonstandard routers
Operation: Configure AS confederation attribute compatible with nonstandard routers
  Command: confederation nonstandard
Operation: Cancel AS confederation attribute compatible with nonstandard routers
  Command: undo confederation nonstandard

By default, the confederation follows RFC 1965.


5.2.12 Configure BGP route dampening
The main cause of route instability is a route that repeatedly disappears from and reappears in the routing table, which is called route flapping. Each flap propagates update messages across the network, consuming bandwidth and router processing time, so it has to be contained. The technique that controls unstable routes is route dampening. Dampening classifies routes as stable or unstable and suppresses (does not advertise) the unstable ones, using a route's history as the measure of its future stability. Each flap adds a penalty to the route; when the accumulated penalty exceeds the suppress threshold, the route is suppressed. The penalty then decays exponentially over time (it halves every half-life), and when it falls below the reuse threshold the suppression is lifted and the route is advertised again. Perform the following configurations in BGP view.
Table 5-31 Configure BGP route dampening
Operation: Configure BGP route dampening
  Command: dampening [ half-life-reachable half-life-unreachable reuse suppress ceiling ] [ route-policy route-policy-name ]
Operation: Clear dampening information and release suppressed routes
  Command: reset dampening [ network-address [ mask ] ]
Operation: Cancel BGP route dampening
  Command: undo dampening

By default, route dampening is disabled. Note that the numeric parameters depend on one another: if one of them is given, all of them must be specified.
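The penalty, suppress and reuse mechanics described above, as an added example that is not code from the manual or from the switch: a small simulator that replays a flap history and reports when the route would be suppressed and when it would be re-advertised. It follows RFC 2439; the per-flap penalty of 1000 and the default parameter values are assumptions chosen to match common implementations, since the manual does not state them, and the flap history is constructed.

```python
"""Simulation of BGP route-flap dampening as described in 5.2.12.

Added example, not from the Quidway manual. The mechanics follow RFC 2439: each
withdrawal adds a fixed penalty, the penalty decays exponentially with the
configured half-life (a different one while the route is reachable and while it
is withdrawn), the route is suppressed once the penalty exceeds `suppress`, and
it is advertised again once the penalty has decayed below `reuse`. The per-flap
penalty of 1000 and the default parameter values are assumptions chosen to match
common implementations; the manual does not state them.
"""
import math
from dataclasses import dataclass
from typing import List, Tuple

FLAP_PENALTY = 1000.0   # assumed penalty per withdrawal


@dataclass
class Dampening:
    half_life_reachable: float = 15.0     # minutes, applied while the route is reachable
    half_life_unreachable: float = 15.0   # minutes, applied while the route is withdrawn
    reuse: float = 750.0
    suppress: float = 2000.0
    ceiling: float = 16000.0              # upper bound on the accumulated penalty

    def __post_init__(self) -> None:
        # The manual notes the parameters depend on one another; this ordering is
        # the constraint that makes the two thresholds meaningful.
        if not (0 < self.reuse < self.suppress <= self.ceiling):
            raise ValueError("require 0 < reuse < suppress <= ceiling")


@dataclass
class DampedRoute:
    cfg: Dampening
    penalty: float = 0.0
    reachable: bool = True
    suppressed: bool = False
    last_update: float = 0.0              # minutes

    def _decay(self, now: float) -> None:
        """Exponential decay: the penalty halves every half-life."""
        half_life = self.cfg.half_life_reachable if self.reachable else self.cfg.half_life_unreachable
        self.penalty *= math.pow(0.5, (now - self.last_update) / half_life)
        self.last_update = now

    def withdraw(self, now: float) -> None:
        """The route is withdrawn at time `now`: one flap, so a penalty is added."""
        self._decay(now)
        self.reachable = False
        self.penalty = min(self.penalty + FLAP_PENALTY, self.cfg.ceiling)
        if self.penalty > self.cfg.suppress:
            self.suppressed = True

    def announce(self, now: float) -> None:
        """The route is re-announced; it stays suppressed until the penalty decays."""
        self._decay(now)
        self.reachable = True

    def advertised(self, now: float) -> bool:
        """Whether the route is advertised to peers at time `now`."""
        self._decay(now)
        if self.suppressed and self.penalty < self.cfg.reuse:
            self.suppressed = False
        return self.reachable and not self.suppressed


def simulate(cfg: Dampening, events: List[Tuple[float, str]]) -> List[Tuple[float, bool, float]]:
    """Replay (time, 'withdraw' | 'announce' | 'check') events in time order and
    return (time, advertised, penalty) for each 'check'."""
    route = DampedRoute(cfg)
    results = []
    for t, ev in events:
        if ev == "withdraw":
            route.withdraw(t)
        elif ev == "announce":
            route.announce(t)
        else:
            results.append((t, route.advertised(t), route.penalty))
    return results


# Constructed history: three flaps within two minutes, then the route stays up.
EVENTS = [(0, "withdraw"), (0.5, "announce"), (1, "withdraw"), (1.5, "announce"),
          (2, "withdraw"), (2.5, "announce"), (3, "check"), (30, "check"), (35, "check")]

if __name__ == "__main__":
    for t, adv, pen in simulate(Dampening(), EVENTS):
        print("t=%5.1f min  advertised=%-5s penalty=%.0f" % (t, adv, pen))
```

Three flaps push the penalty to roughly 2800, above the suppress threshold, and with a 15 minute half-life it takes about half an hour of stability before the penalty drops under the reuse value and the route is advertised again; this is the delay an operator sees when a flapping prefix "comes back" long after the link has stabilised.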

5.2.13 Configure the repeating time of local AS
By default BGP discards a received route whose AS_PATH already contains the local AS number, since that indicates a loop. The peer allow-as-loop command sets how many times the local AS number may appear in routes received from the specified peer (group). Because this relaxes the AS_PATH loop check, use it only where the local AS number is known to reappear legitimately in routes from that peer. Perform the following configurations in BGP view.
Table 5-32 Configure the repeating time of local AS
Operation: Configure the number of times the local AS may appear in the AS path
  Command: peer { group-name | peer-address } allow-as-loop [ number ]
Operation: Remove the setting
  Command: undo peer { group-name | peer-address } allow-as-loop


5.2.14 Configure the Redistribution of BGP and IGP
BGP can pass the internal network information of the local AS to other ASs. To do so, the routes the local router has learned about the internal network through an IGP are imported into BGP. Perform the following configurations in BGP view.
Table 5-33 Importing IGP routing information
Operation: Configure BGP to import routes of an IGP protocol
  Command: import-route protocol [ process-id ] [ med med ] [ route-policy route-policy-name ]
Operation: Configure BGP not to import routes of an IGP protocol
  Command: undo import-route protocol

By default, BGP does not import routes from other protocols. The source protocols that can be imported are direct, static, rip, ospf, ospf-ase and ospf-nssa. For details, refer to "Importing other Protocol Route" in "Configure Route Policy".

5.2.15 Define ACL, AS Path List, and Route-policy
This section describes the configuration of ACL, AS path list, and Route-policy.

I. Define the ACL
Refer to “Define ACL” in QoS/ACL Operation Manual and Command Manual.

II. Define the AS path list
BGP routing updates carry an AS path field (AS_PATH). An AS path list matches regular expressions against this field so that routes whose AS path does not meet the requirements can be filtered out. Several entries can be defined under the same list number, so one list number stands for a group of AS path entries. Each AS path list is identified by a number. Perform the following configurations in system view:


Table 5-34 Define the AS path list
Operation: Define the AS path list
  Command: ip as-path-acl acl-number { permit | deny } as-regular-expression
Operation: Delete the specified AS path list
  Command: undo ip as-path-acl acl-number

By default, no AS path list is defined. The entries under one list number are combined with "OR": a route is considered matched by the list as soon as its AS path matches any one of the entries, and that entry's permit or deny action is applied.
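The two AS_PATH operations described on this page, stripping private AS numbers on the way out (section XV, peer public-as-only) and matching a multi-entry AS path list with "OR" semantics (this section), as one added example that is not code from the manual or from the switch. The private range 64512 to 65534 is the 16-bit range reserved by RFC 6996; using Python's regular-expression dialect is an assumption (the switch's dialect may differ in details), and the list entries and sample paths are constructed.

```python
"""AS_PATH handling in BGP policy: stripping private AS numbers from outbound
updates (the manual's `peer public-as-only`, section XV) and matching an AS path
list made of several permit/deny entries under one list number (the manual's
`ip as-path-acl`, section 5.2.15 II).

Added example, not from the Quidway manual. The private range 64512 to 65534 is
the 16-bit range reserved by RFC 6996. The regular-expression dialect used is
Python's `re`, which is an assumption: the switch's dialect may differ in
details such as the `_` anchor. The list entries and sample paths are
constructed for illustration.
"""
import re
from typing import List, Tuple

PRIVATE_AS = range(64512, 65535)   # 64512 to 65534 inclusive; 65535 is reserved, not private


def strip_private_as(as_path: List[int]) -> List[int]:
    """Outbound public-as-only: drop private AS numbers before the update is sent."""
    return [asn for asn in as_path if asn not in PRIVATE_AS]


def as_path_text(as_path: List[int]) -> str:
    """Render the path as the space-separated string regular expressions are matched against."""
    return " ".join(str(asn) for asn in as_path)


# One list number groups several (action, regex) entries. They are tried in order and
# the first entry whose pattern matches decides the result ("OR" across entries).
AsPathList = List[Tuple[str, str]]


def as_path_list_permits(acl: AsPathList, as_path: List[int]) -> bool:
    """Apply an AS path list to a route's AS_PATH; no matching entry means deny."""
    text = as_path_text(as_path)
    for action, pattern in acl:
        if re.search(pattern, text):
            return action == "permit"
    return False


# Constructed list 10: deny anything still carrying private AS 65001, permit routes
# originated by AS 400, permit routes learned directly from AS 200.
ACL_10: AsPathList = [
    ("deny", r"(^| )65001( |$)"),
    ("permit", r"(^| )400$"),
    ("permit", r"^200( |$)"),
]

if __name__ == "__main__":
    raw = [65001, 200, 400]
    print(as_path_list_permits(ACL_10, raw))                     # False: private AS still present
    print(as_path_list_permits(ACL_10, strip_private_as(raw)))   # True: path is now "200 400"
```

The deny entry shows why the order of operations matters when both features are in use: a filter written to catch leaked private AS numbers only fires if it runs before the stripping step, and a path with no matching entry at all is dropped by the implicit deny at the end of the list.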

III. Define route-policy
Refer to the “Define a route-policy” part of the “IP Routing Policy Configuration”.

IV. Define match principle
Refer to the “Define if-match clauses for a Route-policy” part in the “IP Routing Policy Configuration”.

V. Define evaluation rules
Refer to the “Define apply clauses for a Route-policy” part in the “IP Routing Policy Configuration”.

5.2.16 Configure BGP Route Filtering
I. Configure BGP to filter the received route information
The routes received by BGP can be filtered so that only routes meeting the given conditions are accepted. Perform the following configurations in BGP view.
Table 5-35 Configure received route filtering
Operation: Configure received route filtering
  Command: filter-policy { acl-number | ip-prefix ip-prefix-name [ gateway ip-prefix-name ] } import
Operation: Cancel received route filtering
  Command: undo filter-policy { acl-number | ip-prefix ip-prefix-name [ gateway ip-prefix-name ] } import

For details, please refer to the “Configure Route Filtering” part in the “Routing Policy”.


II. Configure to filter the routes distributed by the BGP
The routes advertised by BGP can be filtered so that only routes meeting the given conditions are advertised. Perform the following configuration in BGP view:
Table 5-36 Configure to filter the routes distributed by the BGP
Operation: Filter the routes advertised by BGP
  Command: filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-process ]
Operation: Cancel the filtering of the routes advertised by BGP
  Command: undo filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-process ]

By default, BGP filters neither received nor advertised routes. For details, refer to the "Configure Route Filtering" part of "Routing Policy".

5.2.17 Clear BGP Connection
After changing the BGP policy or protocol configuration, the user must reset the affected BGP connections for the new configuration to take effect. Resetting tears down the TCP session and withdraws the routes learned over it until the session is re-established, so do it in a maintenance window or limit it to the peers concerned. Perform the following configuration in user view.
Table 5-37 Clear BGP connection
Operation: Clear the connection with the specified peer
  Command: reset bgp peer-address [ flap-info ]
Operation: Clear all BGP connections
  Command: reset bgp all
Operation: Clear the connections with all members of a group
  Command: reset bgp group group-name

5.3 Display and Debug BGP
After the above configuration, execute the display commands in any view to show the running BGP configuration and verify the effect of the configuration. Execute the reset commands in user view to clear BGP statistics, and the debugging commands in user view to debug BGP.


Table 5-38 Display and debug BGP
Operation: Display the BGP routing table
  Command: display bgp routing-table [ ip-address ]
Operation: Display the AS path list
  Command: display ip as-path-acl acl-number
Operation: Display CIDR routes
  Command: display bgp routing-table cidr
Operation: Display routes carrying the specified BGP community
  Command: display bgp routing-table community [ aa:nn | no-export-subconfed | no-advertise | no-export ] [ whole-match ]
Operation: Display routes permitted by the specified BGP community list
  Command: display bgp routing-table community-list community-list-number [ whole-match ]
Operation: Display BGP dampened paths
  Command: display bgp routing-table dampening
Operation: Display routes advertised to or received from the specified BGP peer
  Command: display bgp routing-table peer peer-address { advertised | received } [ network-address [ mask ] | statistic ]
Operation: Display routes matching the specified AS path list
  Command: display bgp routing-table as-path-acl acl-number
Operation: Display route flapping statistics
  Command: display bgp routing-table flap-info [ { regular-expression as-regular-expression } | { as-path-acl acl-number } | { network-address [ mask [ longer-match ] ] } ]
Operation: Display routes with different origin ASs
  Command: display bgp routing-table different-origin-as
Operation: Display peer information
  Command: display bgp peer [ verbose ]
  Command: display bgp peer peer-address verbose
Operation: Display the networks configured for advertisement
  Command: display bgp network
Operation: Display AS path information
  Command: display bgp paths as-regular-expression
Operation: Display peer group information
  Command: display bgp group [ group-name ]
Operation: Display routes whose AS path matches a regular expression
  Command: display bgp routing-table regular-expression as-regular-expression
Operation: Display configured route-policy information
  Command: display route-policy [ policy-name ]
Operation: Enable debugging of all BGP information
  Command: debugging bgp all
Operation: Enable BGP event debugging
  Command: debugging bgp event
Operation: Enable BGP Keepalive debugging
  Command: debugging bgp keepalive [ receive | send ] [ verbose ]
Operation: Enable BGP Open debugging
  Command: debugging bgp open [ receive | send ] [ verbose ]
Operation: Enable BGP packet debugging
  Command: debugging bgp packet [ receive | send ] [ verbose ]
Operation: Enable BGP Route-refresh debugging
  Command: debugging bgp route-refresh [ receive | send ] [ verbose ]
Operation: Enable BGP Update debugging
  Command: debugging bgp update [ receive | send ] [ verbose ]
Operation: Reset BGP flap information
  Command: reset bgp flap-info [ regular-expression as-regular-expression | as-path-acl acl-number | network-address [ mask ] ]

5.4 Typical BGP Configuration Example
5.4.1 Configure BGP AS Confederation Attribute
I. Networking requirements
Divide the following AS 100 into three sub-AS: 1001, 1002, and 1003, and configure EBGP, confederation EBGP, and IBGP.


II. Networking diagram

Figure 5-2 Networking diagram of configuring AS confederation (AS 100 is a confederation of sub-AS 1001, 1002 and 1003. Switch A (AS 1001, 172.68.10.1), Switch B (AS 1002, 172.68.10.2) and Switch C (AS 1003, 172.68.10.3) share one Ethernet segment. Switch C also connects through 172.68.1.1 to Switch D (AS 1003, 172.68.1.2) and through 156.10.1.1 to Switch E (AS 200, 156.10.1.2).)

III. Configuration procedure
# Configure Switch A:
[Switch A] bgp 1001
[Switch A-bgp] confederation id 100
[Switch A-bgp] confederation peer-as 1002 1003
[Switch A-bgp] peer 172.68.10.2 as-number 1002
[Switch A-bgp] peer 172.68.10.3 as-number 1003
# Configure Switch B:
[Switch B] bgp 1002
[Switch B-bgp] confederation id 100
[Switch B-bgp] confederation peer-as 1001 1003
[Switch B-bgp] peer 172.68.10.1 as-number 1001
[Switch B-bgp] peer 172.68.10.3 as-number 1003
# Configure Switch C:
[Switch C] bgp 1003
[Switch C-bgp] confederation id 100
[Switch C-bgp] confederation peer-as 1001 1002
[Switch C-bgp] peer 172.68.10.1 as-number 1001
[Switch C-bgp] peer 172.68.10.2 as-number 1002
[Switch C-bgp] peer 156.10.1.2 as-number 200
[Switch C-bgp] peer 172.68.1.2 as-number 1003

5.4.2 Configure BGP Route Reflector
I. Networking requirements
Switch B receives a route update over EBGP and passes it to Switch C. Switch C is a route reflector with two clients, Switch B and Switch D. When Switch C receives a route update from Switch B, it reflects it to Switch D. No IBGP connection between Switch B and Switch D is needed, because Switch C reflects the information to Switch D.

II. Networking diagram

Figure 5-3 Networking diagram of configuring BGP route reflector (image not reproduced). Topology shown: Switch A (AS 100) announces network 1.0.0.0 (VLAN 100, 1.1.1.1/8) and connects over EBGP from VLAN 2 (192.1.1.1/24) to Switch B (AS 200, VLAN 2 192.1.1.2/24). Switch B (VLAN 3, 193.1.1.2/24) runs IBGP to the route reflector Switch C (VLAN 3 193.1.1.1/24, VLAN 4 194.1.1.1/24), which runs IBGP to Switch D (VLAN 4, 194.1.1.2/24). Switch B and Switch D are clients of Switch C.

III. Configuration procedure
1) Configure Switch A:
[Switch A] interface vlan-interface 2
[Switch A-Vlan-interface2] ip address 192.1.1.1 255.255.255.0
[Switch A] bgp 100
[Switch A-bgp] network 1.0.0.0 255.0.0.0
[Switch A-bgp] peer 192.1.1.2 as-number 200
2) Configure Switch B:
# Configure VLAN 2:
[Switch B] interface Vlan-interface 2
[Switch B-Vlan-interface2] ip address 192.1.1.2 255.255.255.0
# Configure VLAN 3:
[Switch B] interface Vlan-interface 3
[Switch B-Vlan-interface3] ip address 193.1.1.2 255.255.255.0
[Switch B] ospf
[Switch B-ospf] area 0
[Switch B-ospf-area-0.0.0.0] network 193.1.1.0 0.0.0.255
# Configure peers.
[Switch B] bgp 200
[Switch B-bgp] peer 192.1.1.1 as-number 100
[Switch B-bgp] peer 193.1.1.1 as-number 200
3) Configure Switch C:
# Configure VLAN 3:
[Switch C] interface Vlan-interface 3
[Switch C-Vlan-interface3] ip address 193.1.1.1 255.255.255.0
# Configure VLAN 4:
[Switch C] interface vlan-Interface 4
[Switch C-Vlan-interface4] ip address 194.1.1.1 255.255.255.0
[Switch C] ospf
[Switch C-ospf] area 0
[Switch C-ospf-area-0.0.0.0] network 194.1.1.0 0.0.0.255
# Configure BGP peers and the route reflector.
[Switch C] bgp 200
[Switch C-bgp] peer 193.1.1.2 as-number 200
[Switch C-bgp] peer 193.1.1.2 reflect-client
[Switch C-bgp] peer 194.1.1.2 as-number 200
[Switch C-bgp] peer 194.1.1.2 reflect-client
4) Configure Switch D:
# Configure VLAN 4:
[Switch D] interface vlan-interface 4
[Switch D-Vlan-interface4] ip address 194.1.1.2 255.255.255.0
[Switch D] ospf
[Switch D-ospf] area 0
[Switch D-ospf-area-0.0.0.0] network 194.1.1.0 0.0.0.255
# Configure BGP peers.
[Switch D] bgp 200
[Switch D-bgp] peer 194.1.1.1 as-number 200
Use the display bgp routing-table command to view the BGP routing table on Switch B. Note that Switch B knows of network 1.0.0.0.
<Switch B> display bgp routing-table
Flags: # - valid, ^ - best, D - damped, H - history, I - internal, S - aggregate suppressed
Dest/Mask       Pref  Next-Hop    Med  Local-Pref  Origin  As-Path
*> 1.0.0.0/8          192.1.1.1   0                IGP     100

Use the display bgp routing-table command to view the BGP routing table on Switch D. Note that Switch D also knows of network 1.0.0.0.
<Switch D> display bgp routing-table
Flags: # - valid, ^ - best, D - damped, H - history, I - internal, S - aggregate suppressed
Dest/Mask       Pref  Next-Hop    Med  Local-Pref  Origin  As-Path
*> 1.0.0.0/8          192.1.1.1   0                IGP     100
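Why Switch D learns 1.0.0.0/8 only once Switch C is configured with reflect-client, shown by a small propagation model in Python. This is an added example, not the manual's text or the switch's implementation; the router names, AS numbers and the next hop 192.1.1.1 follow Figure 5-3, and the propagation rules are the standard ones (a route learned from an IBGP peer is not re-advertised to other IBGP peers unless a reflector reflects it from or to a client).

```python
"""IBGP route propagation with and without a route reflector.

Added example modelling the topology of Figure 5-3. It is not the switch's
code; it applies the generic BGP rules (IBGP split horizon, RFC 4456 style
reflection from/to clients) in simplified form.
"""
from dataclasses import dataclass, field


@dataclass
class Router:
    name: str
    asn: int
    peers: dict = field(default_factory=dict)     # peer name -> remote ASN
    clients: set = field(default_factory=set)     # peers with "reflect-client"
    # prefix -> (next_hop, name of the peer it was learned from or None, learned_over_ibgp)
    rib: dict = field(default_factory=dict)


def is_ibgp(router, peer):
    return router.peers[peer] == router.asn


def advertise_targets(router, prefix):
    """Peers to which 'router' may send 'prefix'."""
    _, source, from_ibgp = router.rib[prefix]
    targets = []
    for peer in router.peers:
        if peer == source:
            continue                       # never echo a route back to its sender
        if not from_ibgp or not is_ibgp(router, peer):
            targets.append(peer)           # EBGP-learned routes, or any route to an EBGP peer
        elif source in router.clients or peer in router.clients:
            targets.append(peer)           # reflection: from a client or to a client
        # otherwise: IBGP-learned to IBGP peer without reflection -> withheld
    return targets


def propagate(routers, origin, prefix, next_hop):
    """Flood one locally originated prefix until no router learns anything new."""
    routers[origin].rib[prefix] = (next_hop, None, False)
    changed = True
    while changed:
        changed = False
        for r in routers.values():
            if prefix not in r.rib:
                continue
            for peer_name in advertise_targets(r, prefix):
                peer = routers[peer_name]
                if prefix not in peer.rib:
                    # next hop is carried unchanged over IBGP, as the display on Switch D shows
                    peer.rib[prefix] = (r.rib[prefix][0], r.name, is_ibgp(peer, r.name))
                    changed = True


def build_topology(with_reflector):
    a = Router("A", 100, peers={"B": 200})
    b = Router("B", 200, peers={"A": 100, "C": 200})
    c = Router("C", 200, peers={"B": 200, "D": 200})
    d = Router("D", 200, peers={"C": 200})
    if with_reflector:
        c.clients = {"B", "D"}             # peer ... reflect-client on Switch C
    return {"A": a, "B": b, "C": c, "D": d}


def routers_knowing(with_reflector, prefix="1.0.0.0/8"):
    routers = build_topology(with_reflector)
    propagate(routers, "A", prefix, "192.1.1.1")
    return sorted(name for name, r in routers.items() if prefix in r.rib)


def next_hop_at(router_name, with_reflector, prefix="1.0.0.0/8"):
    routers = build_topology(with_reflector)
    propagate(routers, "A", prefix, "192.1.1.1")
    entry = routers[router_name].rib.get(prefix)
    return entry[0] if entry else None


if __name__ == "__main__":
    print("without reflect-client:", routers_knowing(False))
    print("with reflect-client:   ", routers_knowing(True))
```

Without the reflect-client statements Switch C keeps the route to itself, because it learned it from an IBGP peer; with them, the route reaches Switch D with the original next hop 192.1.1.1, which is why Switch D needs an IGP route (OSPF here) to reach that next hop.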


5.4.3 Configure BGP Routing
I. Networking requirements
This example illustrates how administrators manage routing via BGP attributes. All Ethernet switches are configured with BGP, and the IGP in AS 200 is OSPF. Switch A is in AS 100 and is the EBGP neighbor of Switch B and Switch C, both in AS 200. Switch B and Switch C both run IBGP with Switch D, which is also in AS 200.

II. Networking diagram

Figure 5-4 Networking diagram of configuring BGP routing (image not reproduced). Topology shown: Switch A (AS 100, router ID 1.1.1.1, reaches network 1.0.0.0) connects over EBGP from VLAN 2 (192.1.1.1/24) to Switch B (AS 200, router ID 2.2.2.2, VLAN 2 192.1.1.2/24, reaches network 2.0.0.0) and from VLAN 3 (193.1.1.1/24) to Switch C (AS 200, router ID 3.3.3.3, VLAN 3 193.1.1.2/24, reaches network 3.0.0.0). Switch B (VLAN 4, 194.1.1.2/24) and Switch C (VLAN 5, 195.1.1.2/24) run IBGP to Switch D (AS 200, router ID 4.4.4.4, VLAN 4 194.1.1.1/24, VLAN 5 195.1.1.1/24, reaches network 4.0.0.0).

III. Configuration procedure
1) Configure Switch A:
[Switch A] interface Vlan-interface 2
[Switch A-Vlan-interface2] ip address 192.1.1.1 255.255.255.0
[Switch A] interface Vlan-interface 3
[Switch A-Vlan-interface3] ip address 193.1.1.1 255.255.255.0
# Enable BGP.
[Switch A] bgp 100
# Specify the network that BGP advertises.
[Switch A-bgp] network 1.0.0.0
# Configure the peers.
[Switch A-bgp] peer 192.1.1.2 as-number 200
[Switch A-bgp] peer 193.1.1.2 as-number 200
# Configure the MED attribute on Switch A. First add ACL 2000 on Switch A to permit network 1.0.0.0.
[Switch A] acl number 2000
[Switch A-acl-basic-2000] rule permit source 1.0.0.0 0.255.255.255
# Define two route policies, apply_med_50 and apply_med_100. The first sets the MED attribute of network 1.0.0.0 to 50, the second sets it to 100.
[Switch A] route-policy apply_med_50 permit node 10
[Switch A-route-policy] if-match acl 2000
[Switch A-route-policy] apply cost 50
[Switch A-route-policy] quit
[Switch A] route-policy apply_med_100 permit node 10
[Switch A-route-policy] if-match acl 2000
[Switch A-route-policy] apply cost 100
[Switch A-route-policy] quit
# Apply route policy apply_med_50 to the route updates exported to Switch C (193.1.1.2), and apply_med_100 to the route updates exported to Switch B (192.1.1.2).
[Switch A] bgp 100
[Switch A-bgp] peer 193.1.1.2 route-policy apply_med_50 export
[Switch A-bgp] peer 192.1.1.2 route-policy apply_med_100 export
2) Configure Switch B:
[Switch B] interface vlan-interface 2
[Switch B-Vlan-interface2] ip address 192.1.1.2 255.255.255.0
[Switch B] interface vlan-interface 4
[Switch B-Vlan-interface4] ip address 194.1.1.2 255.255.255.0
[Switch B] ospf
[Switch B-ospf] area 0
[Switch B-ospf-area-0.0.0.0] network 194.1.1.0 0.0.0.255
[Switch B-ospf-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[Switch B] bgp 200
[Switch B-bgp] undo synchronization
[Switch B-bgp] peer 192.1.1.1 as-number 100
[Switch B-bgp] peer 194.1.1.1 as-number 200
3) Configure Switch C:
[Switch C] interface Vlan-interface 3
[Switch C-Vlan-interface3] ip address 193.1.1.2 255.255.255.0
[Switch C] interface vlan-interface 5
[Switch C-Vlan-interface5] ip address 195.1.1.2 255.255.255.0
[Switch C] ospf
[Switch C-ospf] area 0
[Switch C-ospf-area-0.0.0.0] network 193.1.1.0 0.0.0.255
[Switch C-ospf-area-0.0.0.0] network 195.1.1.0 0.0.0.255
[Switch C] bgp 200
[Switch C-bgp] peer 193.1.1.1 as-number 100
[Switch C-bgp] peer 195.1.1.1 as-number 200
4) Configure Switch D:
[Switch D] interface vlan-interface 4
[Switch D-Vlan-interface4] ip address 194.1.1.1 255.255.255.0
[Switch D] interface vlan-interface 5
[Switch D-Vlan-interface5] ip address 195.1.1.1 255.255.255.0
[Switch D] ospf
[Switch D-ospf] area 0
[Switch D-ospf-area-0.0.0.0] network 194.1.1.0 0.0.0.255
[Switch D-ospf-area-0.0.0.0] network 195.1.1.0 0.0.0.255
[Switch D-ospf-area-0.0.0.0] network 4.0.0.0 0.255.255.255
[Switch D] bgp 200
[Switch D-bgp] peer 195.1.1.2 as-number 200
[Switch D-bgp] peer 194.1.1.2 as-number 200
To make the configuration take effect, reset all BGP neighbors with the reset bgp all command. After the above configuration, because the MED attribute of route 1.0.0.0 learned from Switch C (50) is smaller than that learned from Switch B (100), Switch D prefers the route to 1.0.0.0 via Switch C.
If the MED attribute is not configured on Switch A, the same result can be obtained by configuring local preference on Switch C as follows:
# Configure the local preference attribute on Switch C. Add ACL 2000 on Switch C and permit network 1.0.0.0.
[Switch C] acl number 2000
[Switch C-acl-basic-2000] rule permit source 1.0.0.0 0.255.255.255
# Define a route policy named localpref: routes matching ACL 2000 get local preference 200, all other routes get 100.
[Switch C] route-policy localpref permit node 10
[Switch C-route-policy] if-match acl 2000
[Switch C-route-policy] apply local-preference 200
[Switch C-route-policy] quit
[Switch C] route-policy localpref permit node 20
[Switch C-route-policy] apply local-preference 100
[Switch C-route-policy] quit
# Apply the route policy to the routes imported from BGP neighbor 193.1.1.1 (Switch A).
[Switch C] bgp 200
[Switch C-bgp] peer 193.1.1.1 route-policy localpref import
Now, because the local preference (200) of route 1.0.0.0 learned by Switch C is higher than that of Switch B (Switch B configures no local preference, so it uses the default of 100), Switch D again prefers the route to 1.0.0.0 via Switch C.
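The two outcomes described above (Switch D preferring the path via Switch C first because of MED 50 versus 100, then because of local preference 200 versus 100), worked through in Python as an added example. It is not the switch's code and implements only the decision steps this example depends on, in their standard order (local preference, then AS path length, then MED); the last function is a constructed case, not from the manual, showing that local preference is compared before MED.

```python
"""Simplified BGP path selection for the 1.0.0.0/8 example.

Added example; not the Quidway implementation. Only the comparison steps the
example relies on are modelled, in the standard order: highest local
preference, shortest AS path, lowest MED (MED compared only between paths
from the same neighbouring AS, which is AS 100 for both paths here).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    learned_from: str       # the IBGP peer that advertised the path to Switch D
    as_path: tuple          # e.g. (100,)
    med: int
    local_pref: int = 100   # default local preference when none is applied


def best_path(paths):
    """Return the preferred Path among candidates for the same prefix."""
    best = None
    for p in paths:
        if best is None:
            best = p
            continue
        if p.local_pref != best.local_pref:
            best = p if p.local_pref > best.local_pref else best      # higher local-pref wins
        elif len(p.as_path) != len(best.as_path):
            best = p if len(p.as_path) < len(best.as_path) else best  # shorter AS path wins
        elif p.as_path[:1] == best.as_path[:1] and p.med != best.med:
            best = p if p.med < best.med else best                    # lower MED wins
        # any remaining tie: keep the path already selected
    return best


def med_scenario():
    """Switch A exports MED 50 toward Switch C and MED 100 toward Switch B."""
    via_b = Path("Switch B", (100,), med=100)
    via_c = Path("Switch C", (100,), med=50)
    return best_path([via_b, via_c]).learned_from


def local_pref_scenario():
    """No MED from Switch A; Switch C applies local-preference 200 on import,
    Switch B keeps the default 100. Local preference is carried over IBGP."""
    via_b = Path("Switch B", (100,), med=0, local_pref=100)
    via_c = Path("Switch C", (100,), med=0, local_pref=200)
    return best_path([via_b, via_c]).learned_from


def local_pref_beats_med():
    """Constructed case (not from the manual): a higher local preference wins
    even against a lower MED, because local preference is compared first."""
    via_b = Path("Switch B", (100,), med=10, local_pref=200)
    via_c = Path("Switch C", (100,), med=50, local_pref=100)
    return best_path([via_b, via_c]).learned_from


if __name__ == "__main__":
    print("MED scenario, Switch D prefers:", med_scenario())
    print("local-pref scenario, Switch D prefers:", local_pref_scenario())
    print("local-pref 200 vs lower MED, Switch D prefers:", local_pref_beats_med())
```

The difference between the two mechanisms matters operationally: MED is set by the advertising AS (Switch A) and can be overridden by the receiving AS, whereas local preference is set inside AS 200 and never leaves it, so the second configuration keeps the routing decision under the control of the AS that makes it.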

5.5 Fault Diagnosis and BGP Troubleshooting
Fault 1: The neighbor relationship cannot be established (the Established state cannot be entered).
Troubleshooting: To establish a BGP neighbor relationship, the routers must be able to set up a TCP connection on port 179 and exchange Open packets correctly. Check the following in order:
1) Check whether the configured AS number of the neighbor is correct.
2) Check whether the neighbor's IP address is correct. If a Loopback interface is used, check whether connect-source loopback has been configured. By default, the router uses the optimal local interface, not the loopback interface, to establish the TCP connection.
3) If the EBGP neighbor is not directly connected, check whether peer ebgp-max-hop has been configured.
4) Use the ping command to check whether the TCP connection is normal. Since a router may have several interfaces able to reach the peer, use the extended ping -a ip-address command to specify the source IP address of the ping packets. If the ping fails, use the display ip routing-table command to check whether the routing table has a route to the neighbor. If the ping succeeds, check whether an ACL denies TCP port 179; if such an ACL is configured, remove the rule denying port 179.
Fault 2: BGP routes cannot be advertised correctly after importing IGP routes with the network command.
Troubleshooting: A route imported with the network command must be identical to a route in the current routing table, including both the destination segment and the mask. A route covering a larger network segment cannot be imported. For example, route 10.1.1.0/24 can be imported, while 10.0.0.0/8 may cause an error.
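Step 4 above checks reachability with ping from a chosen source address; the following added Python example (not part of the manual) does the same check at the TCP layer from an administration host, binding to the local address the session is expected to use and attempting the port 179 handshake, so that "no route", "silently dropped" and "reachable but nothing listening" can be told apart. The function and its result names are this example's own; open_local_listener exists only so the check can be exercised against a local socket.

```python
"""Source-bound TCP reachability check for the BGP transport port.

Added example, not the switch's code. It mirrors the "extended ping -a"
step of the troubleshooting list at the TCP level: bind to the configured
source address, then try to open TCP port 179 on the peer, and classify
the failure so the next check in the list can be chosen.
"""
import errno
import socket


def check_bgp_transport(peer_ip, source_ip, port=179, timeout=3.0):
    """Return "open", "refused", "timeout", "unreachable" or "bind-failed"."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        try:
            # Bind to the local address the session is configured with
            # (the connect-source); failure means it is not a local address.
            s.bind((source_ip, 0))
        except OSError:
            return "bind-failed"
        try:
            s.connect((peer_ip, port))
            return "open"                  # three-way handshake completed
        except socket.timeout:
            return "timeout"               # packets silently dropped: routing or an ACL
        except ConnectionRefusedError:
            return "refused"               # host reachable, but no BGP listener on that port
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable"       # no route to the peer in the local table
            raise
    finally:
        s.close()


def interpret(result):
    """Map a probe result to the next check from the troubleshooting list."""
    return {
        "open": "transport is fine: verify the AS number, peer address and Open exchange",
        "refused": "peer reachable but not listening: check the BGP configuration on the peer",
        "timeout": "no reply: look for an ACL denying TCP port 179 along the path",
        "unreachable": "no route to the peer: check display ip routing-table",
        "bind-failed": "source address is not local: check connect-source / loopback setup",
    }[result]


def open_local_listener(host="127.0.0.1"):
    """Helper for self-testing only: a listening socket on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Placeholder addresses; replace with the peer and the configured source.
    result = check_bgp_transport("192.0.2.1", "192.0.2.2")
    print(result, "->", interpret(result))
```

Run it from the host that holds the source address; a "refused" result proves the TCP path is clear and moves the problem to the BGP configuration on the peer, while "timeout" points at an ACL or routing issue and is the case where removing a rule that denies port 179 applies.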


Chapter 6 IP Routing Policy Configuration
6.1 Brief Introduction to IP Routing Policy
When a router distributes or receives routing information, it may need to apply policies that filter the routing information, so that only information meeting specified conditions is received or distributed. A routing protocol, for example RIP, may also need to import routing information discovered by other protocols to enrich its routing knowledge. When importing, it may only need to import the information that meets certain conditions, and set some attributes of the imported routes so that they meet its requirements. To implement a routing policy, you define a set of matching rules that specify the characteristics of the routing information to be filtered. The rules can be based on attributes such as the destination address and the source address of the routing information. The matching rules can be defined in advance and then used in the routing policies that advertise, receive and import routing information. Quidway S3500 Series Ethernet Switches provide five kinds of filters, route-policy, acl, as-path, community-list and ip-prefix, that routing protocols can call. The following sections introduce these filters respectively.

I. Route-policy
A route-policy matches some attributes of a given route and, when the conditions are satisfied, sets attributes of that route. A route-policy can comprise multiple nodes. Each node is a unit for match testing, and the nodes are tested in ascending order of their node numbers. Each node comprises a set of if-match and apply clauses. The if-match clauses define the matching rules; the objects matched are attributes of the routing information. The if-match clauses of one node have an "AND" relationship: a route matches the node only if it satisfies all the conditions specified by the if-match clauses. The apply clauses specify the actions performed after a node matches, that is, the attribute settings applied to the route. Different nodes of a route-policy have an "OR" relationship: the system tests the nodes in sequence, and once a route is permitted by one node it passes the route-policy without being tested against the next node.


II. acl
The access control lists (ACLs) used by routing policies are of three types: advanced ACL, basic ACL and interface ACL. For routing information filtering, the basic ACL is generally used. When defining the ACL, the user specifies an IP address or subnet range that is matched against the destination network segment address or the next-hop address of the routing information. If an advanced ACL is used, the match is performed against the specified source address range. For acl configuration, refer to the QoS/ACL Operation Manual and Command Manual in the security section of this manual.

III. ip-prefix
The function of the ip-prefix is similar to that of the acl, but it is more flexible and easier for users to understand. When an ip-prefix is applied to routing information filtering, its matching object is the destination address field of the routing information. In addition, the ip-prefix can be used with the gateway option to receive only the routing information distributed by certain routers. An ip-prefix is identified by its name. Each ip-prefix can include multiple list items, each of which independently specifies a matching range of network prefixes and is identified by an index-number. The index-number determines the order in which the list items are checked: during matching, the router checks the list items in ascending order of index-number. Once a list item matches, the route has passed the ip-prefix filtering and is not tested against the next list item.

IV. as-path list
The as-path list is only used in BGP. BGP routing information carries an autonomous system path field, in which the autonomous systems the routing information has passed through are recorded as BGP exchanges it. The as-path list specifies the match condition against this AS path field. The as-path list is defined as part of the BGP configuration; for the related configuration, refer to the ip as-path-acl command in the BGP Configuration chapter.


V. Community-list
The community-list is only used in BGP. BGP routing information carries a community attribute field that identifies a community. The community-list specifies the match condition against this community attribute. The community-list is defined as part of the BGP configuration; for the related configuration, refer to the ip community-list command in the BGP Configuration chapter.

6.2 IP Routing Policy Configuration
The routing policy configuration includes:
- Define a route-policy
- Define if-match clauses for a route-policy
- Define apply clauses for a route-policy
- Import the routes of other protocols
- Define ip-prefix
- Configure route filtering

6.2.1 Define a route-policy
A route-policy can comprise multiple nodes. Each node is a unit for matching, and the nodes are tested in order of node-number. Perform the following configurations in system view.
Table 6-1 Define a route-policy
Operation | Command
Enter route-policy view | route-policy route-policy-name { permit | deny } node { node-number }
Remove the specified route-policy | undo route-policy route-policy-name [ permit | deny | node node-number ]

The permit argument sets the matching mode of the defined node to permit. If a route satisfies all the if-match clauses of the node, it passes the filtering of the node and the apply clauses of the node are executed, without testing the next node. If it does not, the route is tested against the next node. The deny argument sets the matching mode of the defined node to deny. In this mode the apply clauses are not executed. If a route satisfies all the if-match clauses of the node, it is denied by the node and is not tested against the next node. If it does not, the route is tested against the next node. The nodes have an "OR" relationship: the router tests the route against the nodes of the route-policy in sequence, and once a node matches, the route passes the route-policy filtering. By default, no route-policy is defined. Note: if multiple nodes are defined in a route-policy, at least one of them should be in permit mode. When the route-policy is applied to filter routing information, routing information that matches no node is denied by the route-policy, and if all the nodes of the route-policy are in deny mode, all routing information is denied by the route-policy.

6.2.2 Define If-match clauses for a Route-policy
The if-match clauses define the matching rules, that is, the filtering conditions the routing information must satisfy to pass the route-policy. The matching objects are attributes of the routing information. Perform the following configurations in route-policy view.
Table 6-2 Define if-match conditions
Operation | Command
Match the AS path field of the BGP routing information | if-match as-path acl-number
Cancel matching the AS path field of the BGP routing information | undo if-match as-path
Match the community attribute of the BGP routing information | if-match community { standard-community-number [ exact-match ] | extended-community-number }
Cancel matching the community attribute of the BGP routing information | undo if-match community
Match the destination address of the routing information | if-match { acl acl-number | ip-prefix ip-prefix-name }
Cancel matching the destination address of the routing information | undo if-match [ acl acl-number | ip-prefix ip-prefix-name ]
Match the next-hop interface of the routing information | if-match interface [ interface-type interface-number ]
Cancel matching the next-hop interface of the routing information | undo if-match interface
Match the next hop of the routing information | if-match ip next-hop { acl acl-number | ip-prefix ip-prefix-name }
Cancel matching the next hop of the routing information | undo if-match ip next-hop [ ip-prefix ip-prefix-name ]
Match the routing cost of the routing information | if-match cost cost
Cancel matching the routing cost of the routing information | undo if-match cost
Match the tag field of the OSPF routing information | if-match tag value
Cancel matching the tag field of the OSPF routing information | undo if-match tag

By default, no matching will be performed.


Note that the if-match clauses of a node in a route-policy have an "AND" relationship for matching: the route must satisfy all the clauses to match the node before the actions specified by the apply clauses are executed. If no if-match clause is specified, all routes pass the filtering of the node.

6.2.3 Define apply clauses for a Route-policy
The apply clauses specify actions, that is, the configuration commands executed after a route satisfies the filtering conditions specified by the if-match clauses. In this way some attributes of the route can be modified. Perform the following configurations in route-policy view.
Table 6-3 Define apply clauses
Operation | Command
Add the specified AS numbers before the as-path sequence of the BGP routing information | apply as-path as-number-1 [ as-number-2 [ as-number-3 ... ] ]
Cancel the AS numbers added before the as-path sequence of the BGP routing information | undo apply as-path
Set the community attribute in the BGP routing information | apply community { aa:nn | no-export-subconfed | no-advertise | no-export } ... [ additive | none ]
Cancel the community attribute set in the BGP routing information | undo apply community
Set the next-hop address of the routing information | apply ip next-hop { ip-address [ ip-address ] | acl acl-number }
Cancel the next-hop address of the routing information | undo apply ip next-hop [ ip-address [ ip-address ] | acl acl-number ]
Set the local preference of the BGP routing information | apply local-preference localpref
Cancel the local preference of the BGP routing information | undo apply local-preference
Set the routing cost of the routing information | apply cost value
Cancel the routing cost of the routing information | undo apply cost
Set the cost type of the routing information | apply cost-type [ internal | external ]
Remove the setting of the cost type | undo apply cost-type
Set the route origin of the BGP routing information | apply origin { igp | egp as-number | incomplete }
Cancel the route origin of the BGP routing information | undo apply origin
Set the tag field of the OSPF routing information | apply tag value
Cancel the tag field of the OSPF routing information | undo apply tag

By default, no apply clause is set. Note that when an IGP route matching the route-policy is advertised to EBGP peers and apply cost-type internal is configured, the MED value configured with apply cost-type internal is taken as the MED value of that IGP route. The precedence of apply cost-type internal is lower than that of the apply cost command but higher than that of the default med command.

6.2.4 Importing Routing Information Discovered by Other Routing Protocols
A routing protocol can import the routes discovered by other routing protocols to enrich its routing information, and a route-policy can be used to filter the routing information so that only the intended routes are redistributed. If the destination routing protocol that imports the routes cannot directly use the route costs of the source routing protocol, specify a route cost for the imported routes that satisfies the destination protocol. Perform the following configuration in routing protocol view.
Table 6-4 Configure to import the routes of other protocols
Operation | Command
Import routes of other protocols | import-route protocol [ med med | cost cost ] [ tag value ] [ type 1 | 2 ] [ route-policy route-policy-name ]
Cancel the import of routes of other protocols | undo import-route protocol

By default, the routes discovered by other protocols will not be distributed.

Note: In different routing protocol views, the parameter options are different. For details, respectively refer to the import-route command in different protocols.

6.2.5 Define ip-Prefix
An ip-prefix is identified by its name. Each ip-prefix can include multiple items, and each item independently specifies the matching range of network prefixes. The index-number specifies the matching sequence within the ip-prefix. Perform the following configurations in system view.
Table 6-5 Define ip-prefix
Operation | Command
Define ip-prefix | ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } network len [ greater-equal greater-equal ] [ less-equal less-equal ]
Remove ip-prefix | undo ip ip-prefix ip-prefix-name [ index index-number | permit | deny ]


During matching, the router checks the list items in ascending order of index-number. As soon as one list item matches, the route has passed the ip-prefix filtering and is not tested against the next list item. Note that if more than one ip-prefix item is defined, at least one of them should be in permit mode. Items in deny mode can be defined first to quickly filter out the routing information that does not meet the requirement, but if all items are in deny mode, no route will pass the ip-prefix filtering. You can define an item of permit 0.0.0.0/0 greater-equal 0 less-equal 32 after the deny items so that all other routes pass.
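The ip-prefix matching rules just described, worked through in Python as an added example (not the switch's code): items are checked in index order, a route matches an item when it lies inside network/len and its own prefix length is within the greater-equal/less-equal range, the first matching item decides, and a list whose items are all deny passes nothing. An item with neither greater-equal nor less-equal is treated as matching the exact length only, which is why permit 0.0.0.0/0 on its own admits just the default route (as the troubleshooting note in 6.5 states); the sample routes are constructed.

```python
"""ip-prefix list matching as described in 6.2.5.

Added example; not the switch's implementation. Items are tested in ascending
index-number; a route matches an item when its first 'len' bits equal the
item's network and its prefix length lies within [greater-equal, less-equal]
(both default to exactly 'len'); the first matching item decides; a route
that matches no item does not pass.
"""
import ipaddress


def ip_prefix_list(items):
    """items: (index, "permit"|"deny", "network/len", greater_equal, less_equal),
    with None for an omitted greater-equal/less-equal.
    Returns a predicate taking a route prefix string such as "20.0.0.1/32"."""
    parsed = []
    for index, mode, net, ge, le in items:
        network = ipaddress.ip_network(net)
        lo = network.prefixlen if ge is None else ge
        hi = network.prefixlen if le is None else le
        parsed.append((index, mode, network, lo, hi))
    parsed.sort(key=lambda item: item[0])          # ascending index-number

    def matches(route_prefix):
        route = ipaddress.ip_network(route_prefix)
        for _, mode, network, lo, hi in parsed:
            # the route's first 'len' bits must equal the item's network ...
            in_network = (int(route.network_address) & int(network.netmask)
                          == int(network.network_address))
            # ... and its own prefix length must be inside the item's range
            if in_network and lo <= route.prefixlen <= hi:
                return mode == "permit"            # first matching item decides
        return False                               # matched nothing: does not pass

    return matches


# Deny everything under 30.0.0.0/8 first, then let every other route through.
DENY_30_THEN_ALL = ip_prefix_list([
    (10, "deny", "30.0.0.0/8", 8, 32),
    (20, "permit", "0.0.0.0/0", 0, 32),
])

# Pitfall: without less-equal 32 the final item matches only the default route.
DEFAULT_ROUTE_ONLY = ip_prefix_list([(10, "permit", "0.0.0.0/0", None, None)])

# All items in deny mode: no route can pass.
ALL_DENY = ip_prefix_list([(10, "deny", "30.0.0.0/8", 8, 32)])

# Constructed sample of routes offered to the filter.
SAMPLE_ROUTES = ["0.0.0.0/0", "20.0.0.1/32", "30.0.0.1/32", "30.1.0.0/16", "40.0.0.0/8"]


def passing(prefix_list, routes=SAMPLE_ROUTES):
    """Return the routes that the given ip-prefix list lets through."""
    return [r for r in routes if prefix_list(r)]


if __name__ == "__main__":
    print("deny 30/8 then permit all:", passing(DENY_30_THEN_ALL))
    print("permit 0.0.0.0/0 only:    ", passing(DEFAULT_ROUTE_ONLY))
    print("all deny:                 ", passing(ALL_DENY))
```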

6.2.6 Configure Route Filtering
I. Configure to filter the received routes
Perform the following configuration in routing protocol view. Define a policy that, while receiving routes, filters out the routing information not satisfying the conditions, with the help of an ACL or an ip-prefix. The gateway option specifies that only the update packets from a particular neighboring router are received.
Table 6-6 Configure to filter the received routes
Operation | Command
Filter the received routing information distributed by the specified address | filter-policy gateway ip-prefix-name import
Cancel the filtering of the received routing information distributed by the specified address | undo filter-policy gateway ip-prefix-name import
Filter the received global routing information | filter-policy { acl-number | ip-prefix ip-prefix-name } [ gateway ] import
Cancel the filtering of the received global routing information | undo filter-policy { acl-number | ip-prefix ip-prefix-name } [ gateway ] import

II. Configure to filter the distributed routes
Define a policy that, while distributing routes, filters out the routing information not satisfying the conditions, with the help of an ACL or an ip-prefix. Perform the following configuration in routing protocol view.
Table 6-7 Configure to filter the distributed routes
Operation | Command
Filter the routes distributed by the protocol | filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-process ]
Cancel the filtering of the routes distributed by the protocol | undo filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-process ]


The route policy currently supports importing routes discovered by the following protocols into the routing table:
- direct: the hop (or host) to which the local interface is directly connected
- static: static route configuration
- rip: routes discovered by RIP
- ospf: routes discovered by OSPF
- ospf-ase: external routes discovered by OSPF
- ospf-nssa: NSSA routes discovered by OSPF
- bgp: routes acquired by BGP
If routing-process is BGP, you should also specify the process number or AS number accordingly. By default, the received and distributed routes are not filtered.

6.3 Display and Debug the Routing Policy
After the above configuration, execute the display commands in any view to display the running state of the routing policy configuration and verify its effect.
Table 6-8 Display and debug the route policy
Operation | Command
Display the routing policy | display route-policy [ route-policy-name ]
Display the AS path filter information in BGP | display ip as-path-acl [ acl-number ]
Display the address prefix list information | display ip ip-prefix [ ip-prefix-name ]

6.4 Typical IP Routing Policy Configuration Example
6.4.1 Configure to Filter the Received Routing Information
I. Networking requirements
Switch A and Switch B communicate over OSPF. Three static routes are imported into OSPF on Switch A. Route filtering rules are configured on Switch B so that some of the three received static routes are visible and some are shielded: routes in the network segments 20.0.0.0 and 40.0.0.0 are visible, while those in the network segment 30.0.0.0 are shielded.


II. Networking diagram
Figure 6-1 Filtering the received routing information (image not reproduced). Topology shown: Switch A (router ID 1.1.1.1) and Switch B (router ID 2.2.2.2) in OSPF area 0; Switch A holds the static routes 20.0.0.1/8, 30.0.0.1/8 and 40.0.0.1/8.

III. Configuration procedure
Configure Switch A:
# Configure the IP addresses of the VLAN interfaces.
[Switch A] interface vlan-interface 100
[Switch A-Vlan-interface100] ip address 10.0.0.1 255.0.0.0
[Switch A] interface vlan-interface 200
[Switch A-Vlan-interface200] ip address 12.0.0.1 255.0.0.0
# Configure three static routes.
[Switch A] ip route-static 20.0.0.1 255.255.255.255 12.0.0.1
[Switch A] ip route-static 30.0.0.1 255.255.255.255 12.0.0.1
[Switch A] ip route-static 40.0.0.1 255.255.255.255 12.0.0.1
# Enable OSPF and specify the area to which the interface belongs.
[Switch A] router id 1.1.1.1
[Switch A] ospf
[Switch A-ospf] area 0
[Switch A-ospf-area-0.0.0.0] network 10.0.0.0 0.0.0.255
# Import the static routes.
[Switch A-ospf] import-route static
Configure Switch B:
# Configure the IP address of the VLAN interface.
[Switch B] interface vlan-interface 100
[Switch B-Vlan-interface100] ip address 10.0.0.2 255.0.0.0
# Configure the access control list.
[Switch B] acl number 2000
[Switch B-acl-basic-2000] rule deny source 30.0.0.0 0.255.255.255
[Switch B-acl-basic-2000] rule permit source any
# Enable OSPF and specify the area to which the interface belongs.
[Switch B] router id 2.2.2.2
[Switch B] ospf
[Switch B-ospf] area 0
[Switch B-ospf-area-0.0.0.0] network 10.0.0.0 0.0.0.255
# Configure OSPF to filter the received external routes.
[Switch B-ospf] filter-policy 2000 import
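The route-policy rules of 6.2.1 to 6.2.3 (if-match clauses AND-ed within a node, nodes OR-ed in number order, permit versus deny, a route matching no node denied) and the ACL-based import filter just configured on Switch B, worked through together in Python as an added example that is neither the manual's text nor the switch's implementation. The route-policy replayed is the localpref policy of Switch C from 5.4.3; the ACL matcher uses the wildcard-mask rules of the basic ACL, and the treatment of a route that matches no ACL rule as not permitted is an assumption of this example.

```python
"""Route-policy evaluation (6.2.1 to 6.2.3) and basic-ACL route filtering (6.4.1).

Added example; not the switch's implementation. Modelled rules: the if-match
clauses of a node are AND-ed (an empty set matches everything); nodes are tried
in ascending number and the first match decides (OR); a permit node runs its
apply clauses; a deny node drops the route; a route matching no node is
denied. ACL rules are tried in order; a route matching no ACL rule is treated
as not permitted (assumption).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    dest: str               # destination prefix, e.g. "1.0.0.0/8"
    local_pref: int = 100   # BGP default local preference


def basic_acl(rules):
    """rules: [(action, network, wildcard), ...], as in
    'rule permit source 1.0.0.0 0.255.255.255'. Returns a predicate on a Route
    that checks the route's destination against the rules."""
    parsed = []
    for action, net, wildcard in rules:
        # a wildcard bit of 1 means "don't care"; inverting it gives the bits to compare
        mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        parsed.append((action, int(ipaddress.IPv4Address(net)) & mask, mask))

    def permitted(route):
        addr = int(ipaddress.ip_network(route.dest).network_address)
        for action, net, mask in parsed:
            if addr & mask == net:
                return action == "permit"        # first matching rule decides
        return False                             # assumption: no rule matched, not permitted

    return permitted


@dataclass
class Node:
    number: int
    mode: str                                         # "permit" or "deny"
    if_match: list = field(default_factory=list)      # predicates, all must hold
    apply: list = field(default_factory=list)         # actions run on a permit match


def route_policy(nodes, route):
    """Return True if the route passes the policy; apply clauses modify it in place."""
    for node in sorted(nodes, key=lambda n: n.number):
        if all(cond(route) for cond in node.if_match):   # AND; an empty list matches all
            if node.mode == "permit":
                for action in node.apply:
                    action(route)
                return True          # first matching node decides (OR across nodes)
            return False             # matched a deny node: filtered out
    return False                     # matched no node: denied by the route-policy


def set_local_preference(value):
    def action(route):
        route.local_pref = value
    return action


# Switch C in 5.4.3: routes matching ACL 2000 get local-preference 200, all others 100.
ACL_2000 = basic_acl([("permit", "1.0.0.0", "0.255.255.255")])
LOCALPREF_POLICY = [
    Node(10, "permit", if_match=[ACL_2000], apply=[set_local_preference(200)]),
    Node(20, "permit", apply=[set_local_preference(100)]),
]

# Every node in deny mode: nothing passes, which 6.2.1 warns against.
ALL_DENY_POLICY = [Node(10, "deny", if_match=[ACL_2000]), Node(20, "deny")]

# Switch B in 6.4.1: ACL 2000 denies 30.0.0.0/8 and permits any other source
# ('rule permit source any'), applied with "filter-policy 2000 import".
FILTER_ACL = basic_acl([("deny", "30.0.0.0", "0.255.255.255"),
                        ("permit", "0.0.0.0", "255.255.255.255")])


def apply_localpref(dest):
    """Run one route through the localpref policy: (passed, resulting local-pref)."""
    route = Route(dest)
    return route_policy(LOCALPREF_POLICY, route), route.local_pref


def all_deny(dest):
    return route_policy(ALL_DENY_POLICY, Route(dest))


def filter_received(dests):
    """Destinations among 'dests' that Switch B's import filter lets through."""
    return [d for d in dests if FILTER_ACL(Route(d))]


if __name__ == "__main__":
    print(apply_localpref("1.0.0.0/8"), apply_localpref("2.0.0.0/8"))
    print(filter_received(["20.0.0.1/32", "30.0.0.1/32", "40.0.0.1/32"]))
```

The deny-then-permit ordering in FILTER_ACL is the same pattern the manual recommends for ip-prefix lists: put the specific deny entries first and close with a catch-all permit, since an ACL or policy consisting only of deny entries admits nothing.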

6.5 Routing Policy Fault Diagnosis and Troubleshooting
Fault 1: Routing information filtering cannot be implemented while the routing protocol operates normally.
Troubleshooting: check for the following faults:
- The if-match mode of at least one node of the route-policy should be permit. When a route-policy is used for routing information filtering, a route that passes the filtering of no node fails the filtering of the route-policy as a whole. When all the nodes of the route-policy are in deny mode, no routing information can pass the route-policy.
- The if-match mode of at least one list item of the ip-prefix should be permit. List items in deny mode can be defined first to quickly filter out the routing information that does not meet the requirement, but if all items are in deny mode, no route will pass the ip-prefix filtering. You can define an item of permit 0.0.0.0/0 less-equal 32 after the deny items so that all other routes pass the filtering (if less-equal 32 is not specified, only the default route is matched).

Chapter 7 Route Capacity Configuration
7.1 Route Capacity Configuration Overview
7.1.1 Introduction
In practical networks the routing table often holds a large number of routes, especially OSPF routes and BGP routes. Routing information is stored in the memory of the Ethernet switch, and while the routing table can grow, the total memory of the Ethernet switch does not change (unless the hardware is upgraded, which cannot be guaranteed to solve every problem). To address this, Quidway S3500 Series Ethernet Switches provide a mechanism to control the size of the routing table: the free memory in the system is monitored to decide whether new routes may be added to the routing table and whether the connection with a routing protocol is kept.

Note: The default values normally meet requirements. Users are advised not to modify this configuration, because an improper configuration can reduce the stability and availability of the system.

7.1.2 Route Capacity Limitation Implemented by S3500 Ethernet Switch
Usually, a huge routing table is caused by BGP routes and OSPF routes. Therefore, the route capacity limitation of S3500 Series Ethernet Switches is only effective for these two types of routes and has no impact on static routes or other dynamic routing protocols. When the free memory of an Ethernet switch drops to the lower limit value, the system disconnects BGP and OSPF and removes the corresponding routes from the routing table so that the memory they occupied is released. The system checks the free memory periodically. When the free memory is found to have recovered to the safety value, the BGP and OSPF connections are restored.

7.2 Route Capacity Configuration
Route capacity configuration includes:
- Set the lower limit of the Ethernet switch memory
- Set the safety value of the Ethernet switch memory
- Set the lower limit and the safety value of the Ethernet switch memory simultaneously
- Restore the lower limit and the safety value of the Ethernet switch memory to the default value
- Disable the Ethernet switch to recover the disconnected routing protocol automatically
- Enable the Ethernet switch to recover the disconnected routing protocol automatically

7.2.1 Set the Lower Limit of the Ethernet switch Memory
When the free memory of the Ethernet switch is equal to or lower than the lower limit, BGP and OSPF will be disconnected. Perform the following configurations in system view.
Table 7-1 Set the lower limit of the Ethernet switch memory
Operation                                            Command
Set the lower limit of the Ethernet switch memory    memory limit value

By default, the lower limit of the Ethernet switch memory is 2Mbytes, that is, when the available memory is less than 2Mbytes, BGP and OSPF will be disconnected and BGP routes and OSPF routes will be removed from the routing table. The lower limit value set for the memory must be smaller than the safety value.

7.2.2 Set the Safety Value of the Ethernet switch Memory
When the free memory decreases to the safety value but has not yet reached the lower limit, the display memory limit command shows that the Ethernet switch is in an exigent state. If memory automatic restoration is enabled, the disconnected BGP and OSPF connections are restored when the free memory of the Ethernet switch exceeds the safety value. Perform the following configurations in system view.

Table 7-2 Set the safety value of the Ethernet switch memory
Operation                                             Command
Set the safety value of the Ethernet switch memory    memory safety value

By default, the safety value of the Ethernet switch memory is 4Mbytes. The safety value of the Ethernet switch memory must be larger than the lower limit value.

7.2.3 Set the Lower Limit and the Safety Value Simultaneously
When you need to modify both the lower limit and the safety value of the Ethernet switch memory, you can (and are recommended to) modify the two values at once. You can also restore the lower limit and the safety value of the Ethernet switch memory to the default values at the same time if necessary. Perform the following configuration in system view.
Table 7-3 Set the lower limit and the safety value of the Ethernet switch memory simultaneously
Operation                                                                                          Command
Set the lower limit and the safety value of the Ethernet switch memory simultaneously              memory { safety safety-value | limit limit-value }*
Restore the lower limit and the safety value of the Ethernet switch memory to the default value    undo memory [ safety | limit ]

The default values of the lower limit and the safety value of the Ethernet switch memory are 2Mbytes and 4Mbytes respectively. Note that the safety-value must be greater than the limit-value during the configuration.

Note: The safety-value must be greater than the limit-value during the configuration.

7.2.4 Disable the Ethernet switch to Recover the Disconnected Routing Protocol Automatically
If the memory automatic restoration function of an Ethernet switch is disabled, the connections of the routing protocols will not be restored even when the free memory recovers to the safety value. Therefore, this configuration should be performed cautiously. Perform the following configurations in system view.
Table 7-4 Disable the Ethernet switch to recover the disconnected routing protocol automatically
Operation                                                                   Command
Disable the memory automatic restoration function of an Ethernet switch    memory auto-establish disable

By default, the memory automatic restoration function of an Ethernet switch is enabled.

7.2.5 Enable the Ethernet switch to Recover the Disconnected Routing Protocol Automatically
Perform the following configurations in system view.
Table 7-5 Enable the Ethernet switch to recover the disconnected routing protocol automatically
Operation                                              Command
Enable the memory automatic restoration function       memory auto-establish enable

By default, the memory automatic restoration function is enabled.
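The following Python simulation (added here as an example; it is not the switch software, and its state names, method names and memory trace are assumptions) models the mechanism of sections 7.1.2 through 7.2.5: a periodic check that disconnects BGP and OSPF at or below the lower limit, reports an exigent state between the limit and the safety value, and restores the connections above the safety value only when automatic restoration is enabled. The configure method applies the rule that the safety value must stay above the lower limit, validating both values together as the memory { safety | limit }* command form allows them to be set together.

```python
MB = 1024 * 1024


class RouteCapacityMonitor:
    """Models the free-memory check of chapter 7. The defaults follow the
    manual (limit 2 Mbytes, safety 4 Mbytes); the state names are assumed."""

    def __init__(self, limit=2 * MB, safety=4 * MB, auto_establish=True):
        if safety <= limit:
            raise ValueError("safety value must be larger than the lower limit")
        self.limit, self.safety = limit, safety
        self.auto_establish = auto_establish   # memory auto-establish enable/disable
        self.protocols_up = True               # BGP and OSPF connections established
        self.state = "normal"

    def configure(self, limit=None, safety=None):
        """Like 'memory { safety safety-value | limit limit-value }*': both
        values are validated together, so a change that would put the safety
        value at or below the lower limit is rejected before it is applied."""
        new_limit = self.limit if limit is None else limit
        new_safety = self.safety if safety is None else safety
        if new_safety <= new_limit:
            raise ValueError("safety value must be larger than the lower limit")
        self.limit, self.safety = new_limit, new_safety

    def check(self, free_memory):
        """One periodic check of free memory (bytes); returns the new state."""
        if free_memory <= self.limit:
            # At or below the lower limit: disconnect BGP/OSPF and drop their routes.
            self.protocols_up = False
            self.state = "limit"
        elif free_memory <= self.safety:
            # Between the limit and the safety value: exigent, nothing changes yet.
            self.state = "exigent"
        else:
            self.state = "normal"
            # Above the safety value: restore the connections, but only when
            # automatic restoration is enabled.
            if not self.protocols_up and self.auto_establish:
                self.protocols_up = True
        return self.state


def safe_configure(monitor, **values):
    """Apply a configure call; True if accepted, False if it was rejected."""
    try:
        monitor.configure(**values)
        return True
    except ValueError:
        return False


def simulate(trace, auto_establish=True):
    """Run a free-memory trace (bytes) through the monitor and return the
    (state, protocols_up) pair observed after every check."""
    mon = RouteCapacityMonitor(auto_establish=auto_establish)
    return [(mon.check(free), mon.protocols_up) for free in trace]


# Constructed trace: free memory drains to the limit, then recovers.
TRACE = [8 * MB, 5 * MB, 3 * MB, 2 * MB, 3 * MB, 5 * MB]

if __name__ == "__main__":
    for free, (state, up) in zip(TRACE, simulate(TRACE)):
        print(f"free={free // MB} MB  state={state:8s}  BGP/OSPF up={up}")
    print("auto-establish disabled:", simulate(TRACE, auto_establish=False)[-1])
```

The two-threshold design gives hysteresis: the protocols are not re-established at 3 Mbytes even though that is above the limit, which prevents a switch hovering around the limit from flapping its BGP and OSPF sessions; with auto-establish disabled the sessions stay down until an operator intervenes, which is why the manual asks for caution with that setting.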

7.3 Display and Debug Route Capacity
After the above configuration, execute the display command in any view to display the running state of the route capacity configuration.
Table 7-6 Display and debug route capacity
Operation                                                                    Command
Display the route capacity related memory setting and state information     display memory limit

HUAWEI

Quidway S3500 Series Ethernet Switches Operation Manual

6. Multicast

Operation Manual - Multicast Quidway S3500 Series Ethernet Switches

Table of Contents
Chapter 1 IP Multicast Overview    1-1
  1.1 IP Multicast Overview    1-1
  1.2 Multicast Addresses    1-2
    1.2.1 IP Multicast Addresses    1-2
    1.2.2 Ethernet Multicast MAC Addresses    1-4
  1.3 IP Multicast Protocols    1-4
    1.3.1 Internet Group Management Protocol    1-4
    1.3.2 Multicast Routing Protocol    1-5
  1.4 IP Multicast Packet Forwarding    1-6
  1.5 Application of Multicast    1-6
Chapter 2 GMRP Configuration    2-1
  2.1 GMRP Overview    2-1
  2.2 Configure GMRP    2-1
    2.2.1 Enable/Disable GMRP Globally    2-1
    2.2.2 Enable/Disable GMRP on the Port    2-2
  2.3 Display and debug GMRP    2-2
  2.4 GMRP Configuration Example    2-2
Chapter 3 IGMP Snooping Configuration    3-1
  3.1 IGMP Snooping Overview    3-1
    3.1.1 IGMP Snooping Principle    3-1
    3.1.2 Implement IGMP Snooping    3-3
  3.2 Configure IGMP Snooping    3-5
    3.2.1 Enable/Disable IGMP Snooping    3-5
    3.2.2 Configure Router Port Aging Time    3-6
    3.2.3 Configure Maximum Response Time    3-6
    3.2.4 Configure Aging Time of Multicast Group Member    3-6
  3.3 Display and debug IGMP Snooping    3-7
  3.4 IGMP Snooping Configuration Example    3-7
    3.4.1 Enable IGMP Snooping    3-7
  3.5 Troubleshoot IGMP Snooping    3-8
Chapter 4 Common Multicast Configuration    4-1
  4.1 Introduction to Common Multicast Configuration    4-1
  4.2 Common Multicast Configuration    4-1
    4.2.1 Enable Multicast    4-1
  4.3 Display and Debug Common Multicast Configuration    4-1
Chapter 5 IGMP Configuration    5-1
  5.1 IGMP Overview    5-1
  5.2 IGMP Configuration    5-2
    5.2.1 Enable Multicast    5-2
    5.2.2 Configure the IGMP Version    5-3
    5.2.3 Configure a Router to Join Specified Multicast Group    5-3
    5.2.4 Limit Multicast Groups An Interface Can Access    5-4
    5.2.5 Configure the Interval to Send IGMP Query Message    5-4
    5.2.6 Configure the Present Time of IGMP Querier    5-4
    5.2.7 Configure Maximum Response Time for IGMP Query Message    5-5
  5.3 Display and Debug IGMP    5-5
Chapter 6 PIM-DM Configuration    6-1
  6.1 PIM-DM Configuration    6-2
    6.1.1 Enable Multicast    6-3
    6.1.2 Enable PIM-DM    6-3
    6.1.3 Configure the Interface Hello Message Interval    6-3
  6.2 Display and Debug PIM-DM    6-4
  6.3 PIM-DM Configuration Example    6-4
Chapter 7 PIM-SM Configuration    7-1
  7.1 PIM-SM Overview    7-1
    7.1.1 Introduction to PIM-SM    7-1
    7.1.2 PIM-SM Operating Principle    7-1
    7.1.3 Preparations before Configuring PIM-SM    7-2
  7.2 PIM-SM Configuration    7-3
    7.2.1 Enable Multicast    7-4
    7.2.2 Enable PIM-SM    7-4
    7.2.3 Configure the Interface Hello Message Interval    7-4
    7.2.4 Configure the PIM-SM Domain Border    7-5
    7.2.5 Enter PIM View    7-5
    7.2.6 Configure Candidate-BSRs    7-5
    7.2.7 Configure Candidate-RPs    7-6
    7.2.8 Configure Static RP    7-7
    7.2.9 Configure RP to Filter the Register Messages Sent by DR    7-7
    7.2.10 Set the Threshold of Switchover from the RPT to the SPT    7-8
  7.3 Display and Debug PIM-SM    7-8
  7.4 PIM-SM Configuration Example    7-9

Chapter 1 IP Multicast Overview

Note: When an Ethernet switch runs a multicast protocol, it can perform router functions. "Router" in the following text refers to a generalized router or an Ethernet switch running multicast protocols. To improve readability, this is not repeated in the other parts of the manual.

1.1 IP Multicast Overview
Various transmission methods can be used when the destination of the information (including data, voice and video) is a minority of the users on the network. The unicast mode can be used, that is, an independent data transmission path is established for each user. Or the broadcast mode can be used, that is, the information is sent to all users on the network; whether or not they need the information, they receive it from the broadcast. For example, if the same information is required by 200 users on the network, the traditional solution is to send the information 200 times in unicast mode so that each of these users receives the data they need. In the broadcast mode, the data is broadcast over the entire network and the users who need it pick it up directly from the network. Both methods greatly waste precious bandwidth. In addition, the broadcast mode cannot ensure the security and secrecy of the information. IP multicast technology solves this problem. The multicast source sends the information only once; multicast routing protocols establish tree-shaped routes for multicast packets, and the information is replicated and distributed at branch points as far downstream as possible (see Figure 1-1). Therefore, the information is correctly sent to each user who needs it with high efficiency.

Figure 1-1 Comparison between the unicast and multicast transmission (figure: a Server sending to several Receivers, one panel for Unicast and one for Multicast)
It should be noted that a multicast source does not necessarily belong to a multicast group. It only sends data to the multicast group and is not necessarily a receiver. Multiple sources can send packets to a multicast group simultaneously. A router that does not support multicast may exist on the network. A multicast router can encapsulate the multicast packets in unicast IP packets with tunneling and send them to the neighboring multicast router. The neighboring multicast router removes the unicast IP header and continues the multicast transmission. This avoids a major change to the network architecture.
Multicast advantages:
- Enhanced efficiency: Reduce network traffic and relieve server and CPU loads.
- Optimized performance: Decrease traffic redundancy.
- Distributed applications: Make multipoint applications possible.

1.2 Multicast Addresses
1.2.1 IP Multicast Addresses
The destination addresses of multicast packets use Class D IP addresses ranging from 224.0.0.0 to 239.255.255.255. Class D addresses cannot appear in the source IP address field of IP packets. During unicast data transmission, a packet is transmitted along a path from the source address to the destination address, hop by hop, on the IP network. However, in an IP multicast environment a packet has more than one destination address, that is, a group of addresses. All the receivers of the information join a group. Once a receiver joins the group, data flowing to the group is sent to the receiver immediately, and all members in the group receive the packets. Membership of a multicast group is dynamic: hosts can join and leave groups at any time. A multicast group can be either permanent or temporary. Some of the multicast addresses are allocated officially; these are known as permanent multicast groups. The IP address of a permanent group remains unchanged, but the members of the group can change, and the number of members can be arbitrary, even 0. IP multicast addresses that are not reserved for permanent multicast groups can be used by temporary groups. The ranges and meanings of Class D addresses are shown in Table 1-1.
Table 1-1 Ranges and meanings of Class D addresses
Class D address range         Meaning
224.0.0.0∼224.0.0.255         Reserved multicast addresses (addresses of permanent groups). Address 224.0.0.0 is reserved; the other addresses can be used by routing protocols.
224.0.1.0∼238.255.255.255     Multicast addresses available for users (addresses of temporary groups). They are valid in the entire network.
239.0.0.0∼239.255.255.255     Multicast addresses for local management. They are valid only in the specified local range.

Reserved multicast addresses that are commonly used are shown in the following table:
Table 1-2 Reserved multicast address list
Class D address    Meaning
224.0.0.0          Base Address (Reserved)
224.0.0.1          Addresses of all hosts
224.0.0.2          Addresses of all multicast routers
224.0.0.3          Unassigned
224.0.0.4          DVMRP routers
224.0.0.5          OSPF routers
224.0.0.6          OSPF DR (designated router)
224.0.0.7          ST routers
224.0.0.8          ST hosts
224.0.0.9          RIP-2 routers
224.0.0.10         IGRP routers
224.0.0.11         Mobile agents
224.0.0.12         DHCP server/Relay agent
224.0.0.13         All PIM routers
224.0.0.14         RSVP encapsulation
224.0.0.15         All CBT routers
224.0.0.16         Designated SBM
224.0.0.17         All SBMS
224.0.0.18         VRRP
……                 ……

1.2.2 Ethernet Multicast MAC Addresses
When unicast IP packets are transmitted on the Ethernet, the destination MAC address is the MAC address of the receiver. However, when multicast packets are transmitted, the destination is no longer a specific receiver but a group with unspecified members, so a multicast MAC address must be used. Multicast MAC addresses correspond to multicast IP addresses. IANA (Internet Assigned Numbers Authority) stipulates that the higher 24 bits of the multicast MAC address are 0x01005e and the lower 23 bits of the MAC address are the lower 23 bits of the multicast IP address.
Figure 1-2 Mapping between the multicast IP address and the Ethernet MAC address (figure: the 32-bit IP address, with its leading 1110 bits, 5 bits that are not mapped, and the lower 23 bits mapped directly into the 48-bit MAC address)
Because only 23 of the last 28 bits of the IP multicast address are mapped into the MAC address, 32 IP multicast addresses map to the same MAC address.
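The following Python functions (an added example, not code from the manual; the category labels are shorthand chosen here for the three ranges of Table 1-1) implement the address classification of Table 1-1 and the IP-to-MAC mapping of Figure 1-2, and enumerate the 32 IP multicast addresses that share one MAC address.

```python
import ipaddress


def class_d_category(addr):
    """Classify an IPv4 multicast address according to Table 1-1."""
    ip = ipaddress.IPv4Address(addr)
    if not ip.is_multicast:                       # outside 224.0.0.0/4
        raise ValueError(f"{addr} is not a Class D address")
    if ip in ipaddress.ip_network("224.0.0.0/24"):
        return "reserved"            # permanent groups, e.g. 224.0.0.5 for OSPF
    if ip in ipaddress.ip_network("239.0.0.0/8"):
        return "local-management"    # valid only within the local scope
    return "user"                    # temporary groups, valid network-wide


def multicast_mac(addr):
    """Map a multicast IPv4 address to its Ethernet MAC: the IANA prefix
    01-00-5e in the high 24 bits, then a zero bit, then the IP's low 23 bits."""
    ip = ipaddress.IPv4Address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not a Class D address")
    low23 = int(ip) & 0x7FFFFF
    mac = (0x01005E << 24) | low23
    return "-".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def mac_aliases(addr):
    """The 32 multicast IPv4 addresses that share one MAC with addr: the 5
    bits between the leading 1110 and the mapped 23 bits are free to vary."""
    low23 = int(ipaddress.IPv4Address(addr)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (k << 23) | low23))
            for k in range(32)]


if __name__ == "__main__":
    for a in ("224.0.0.5", "224.1.1.1", "232.1.1.1", "239.1.1.1"):
        print(f"{a:12s} {class_d_category(a):17s} {multicast_mac(a)}")
    print("share a MAC with 224.1.1.1:", mac_aliases("224.1.1.1"))
```

The aliasing matters to anyone filtering multicast at Layer 2: a port or host that admits the MAC 01-00-5e-01-01-01 for 224.1.1.1 also admits frames for 225.1.1.1, 224.129.1.1 and the other 29 aliases, so a filter or forwarding decision that has to separate groups must look at the IP group address, not only at the MAC.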

1.3 IP Multicast Protocols
Multicast involves a multicast group management protocol and a multicast routing protocol. At present, the multicast group management protocol is IGMP, which serves as the basic signaling protocol of IP multicast. It runs between hosts and routers, enabling routers to learn whether there are members of a multicast group on the network segment. The multicast routing protocol runs between multicast routers, creating and maintaining multicast routes and implementing correct and efficient multicast packet forwarding. At present, multicast routing protocols mainly include PIM-SM, PIM-DM and MSDP. The unicast routing protocol BGP can also be extended to carry multicast routing information between domains.

1.3.1 Internet Group Management Protocol
The Internet Group Management Protocol is the only protocol that hosts can use. It defines the membership establishment and maintenance mechanism between hosts and routers and is the basis of all IP multicast. Hosts report their group membership to a router through IGMP, and the router learns the status of the other members of the group from the directly connected hosts. If a user on the network joins a multicast group through an IGMP declaration, the multicast router on the network will transmit the information sent to that multicast group through the multicast routing protocol. Finally, the network is added to the multicast tree as a branch. When the host, as a member of a multicast group, begins receiving the information, the router queries the group periodically to check whether any members of the group are still present. As long as one host remains, the router continues to receive the data. When all users on the network quit the multicast group, the related branches are removed from the multicast tree.

1.3.2 Multicast Routing Protocol
A multicast group address is a virtual address. Unicast routes packets from the data source to a specified destination address, which is not possible for multicast. A multicast application sends packets to a group of receivers (identified by a multicast address) who want to receive the data, rather than to a single receiver (identified by a unicast address). Multicast routing creates a loop-free data transmission path from one data source to multiple receivers. The task of the multicast routing protocol is to build up the distribution tree. A multicast router can use several methods to build the path for data transmission, that is, the distribution tree.
PIM-DM (Protocol Independent Multicast, Dense Mode)
PIM dense mode is suitable for small networks. It assumes that each subnet in the network contains at least one receiver interested in the multicast source, so multicast packets are flooded to all points of the network, and the related resources (such as bandwidth and router CPU) are consumed. To reduce the consumption of these precious network resources, branches that have no members send Prune messages toward the source to prune off the unwanted traffic. So that receivers in pruned branches that later need multicast data can receive the streams, the pruned branches are periodically restored to the forwarding state. To reduce the time a pruned branch waits to be restored, PIM dense mode uses the prune mechanism to actively restore the forwarding of multicast packets. Periodic flooding and pruning are characteristics of PIM dense mode. Generally, the forwarding path in dense mode is a "source tree" rooted at the source with the multicast members as the branches. Since the source tree uses the shortest path between the multicast source and the receiver, it is also called the shortest path tree (SPT).
PIM-SM (Protocol Independent Multicast, Sparse Mode)
Dense mode uses the flood-and-prune technique, which is not suitable for a WAN. In a WAN, multicast receivers are sparse and sparse mode is mostly used. In sparse mode, by default no host receives multicast packets unless there is an explicit request for them. To receive the multicast data traffic of a specified group, a multicast router must send a join message to the RP (Rendezvous Point, which has to be established in the network and is the virtual place for data exchange) corresponding to that group. The join message passes through routers and finally reaches the root, that is, the RP. The path the join message travelled becomes a branch of the shared tree. In PIM sparse mode, multicast packets are sent to the RP first and then forwarded along the shared tree rooted at the RP with the members as the branches. To prevent the branches of the shared tree from being deleted because they are not refreshed, PIM sparse mode sends join messages along the branches periodically to maintain the multicast distribution tree. To send data to the specified address, senders must register with the RP before forwarding data to it. When the data reaches the RP, the multicast packets are replicated and sent to the receivers along the paths of the distribution tree. Replication only happens at the branch points of the distribution tree. This process repeats automatically until the packets reach their destinations.

1.4 IP Multicast Packet Forwarding
In the multicast model, the source host sends information to the host group represented by the multicast group address in the destination address field of the IP packets. Unlike the unicast model, the multicast model must forward the multicast packets to multiple outgoing interfaces so that the packets reach all receivers. Therefore, the multicast forwarding process is much more complex than unicast forwarding.
RPF (Reverse Path Forwarding)
To ensure that a multicast packet reaches the router along the shortest path, multicast must rely on the unicast routing table, or on a unicast routing table provided independently for multicast (such as the MBGP multicast routing table), to check the receiving interface of multicast packets. This check mechanism, known as the RPF (Reverse Path Forwarding) check, is the basis on which most multicast routing protocols perform multicast forwarding. A multicast router uses the source address of the arriving multicast packet to query the unicast routing table or the independent multicast routing table, so as to determine whether the interface on which the packet arrived is on the shortest path from the receiver to the source address. If a source tree is used, the source address is the address of the source host sending the multicast packet. If a shared tree is used, the source address is the address of the root of the shared tree. When a multicast packet arrives at the router, it is forwarded according to the multicast forwarding entry if the RPF check succeeds; otherwise, the packet is dropped.
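As an added example (not from the manual; the routing table, interface names and (S,G) entries are constructed), the following Python code performs the RPF check described above against a small unicast routing table using longest-prefix matching, and applies it ahead of the multicast forwarding entry lookup.

```python
import ipaddress

# Constructed unicast routing table, (prefix, outgoing interface); the
# interface names are assumptions. Longest prefix match decides, as for unicast.
UNICAST_ROUTES = [
    ("0.0.0.0/0", "Vlan100"),
    ("10.0.0.0/8", "Vlan200"),
    ("10.1.0.0/16", "Vlan300"),
]

# Constructed multicast forwarding entries: (source, group) -> outgoing interfaces.
MFIB = {("10.1.2.3", "239.1.1.1"): ["Vlan100", "Vlan200"]}


def rpf_interface(routes, source):
    """Interface the unicast table uses toward `source` (longest match), or None."""
    src = ipaddress.IPv4Address(source)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return None if best is None else best[1]


def rpf_check(routes, source, in_iface):
    """True only if the packet arrived on the interface that leads back to its
    source, i.e. on the shortest path from the receiver to the source."""
    return rpf_interface(routes, source) == in_iface


def forward(routes, mfib, source, group, in_iface):
    """Forwarding decision for one packet: (action, outgoing interfaces)."""
    if not ipaddress.IPv4Address(group).is_multicast:
        return ("drop: destination is not a multicast group", [])
    if not rpf_check(routes, source, in_iface):
        return ("drop: RPF check failed", [])
    oifs = mfib.get((source, group), [])
    if not oifs:
        return ("drop: no forwarding entry", [])
    # Never send a copy back out of the interface the packet arrived on.
    return ("forward", [o for o in oifs if o != in_iface])


if __name__ == "__main__":
    samples = [("10.1.2.3", "239.1.1.1", "Vlan300"),   # correct incoming interface
               ("10.1.2.3", "239.1.1.1", "Vlan200"),   # wrong interface: loop or spoofed source
               ("10.9.9.9", "239.1.1.1", "Vlan200"),   # RPF ok, but no (S,G) entry
               ("10.1.2.3", "192.0.2.1", "Vlan300")]   # not a group address
    for s, g, i in samples:
        print(f"src={s} grp={g} in={i} -> {forward(UNICAST_ROUTES, MFIB, s, g, i)}")
```

The second sample shows the check doing double duty: a packet claiming source 10.1.2.3 but arriving on Vlan200 is dropped whether it got there through a forwarding loop or because the source address was spoofed, so a rising count of RPF failures on an interface is worth surfacing in monitoring.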

1.5 Application of Multicast
IP multicast technology effectively solves the problem of packet forwarding from a single point to multiple points. It implements efficient single-point to multi-point data transmission in IP networks, saving a large amount of network bandwidth and reducing network load. New value-added services that take advantage of multicast can be delivered in the Internet information service area, including direct broadcasting, Web TV, distance learning, distance medicine, net broadcasting stations and real-time audio/video conferencing:
- Multimedia and streaming media applications
- Communications of training and corporate sites
- Data repository and finance (stock) applications
- Any "point-to-multipoint" data distribution
With the increase of multimedia services on IP networks, multicast has huge market potential and multicast services will gradually become popular.

Chapter 2 GMRP Configuration
2.1 GMRP Overview
GMRP (GARP Multicast Registration Protocol), based on GARP, is used for maintaining the dynamic multicast registration information of the switch. All switches supporting GMRP can receive multicast registration information from other switches and dynamically update their local multicast registration information; likewise, local multicast registration information can be transmitted to other switches. This information exchange mechanism keeps the multicast information maintained by every GMRP-supporting device in the same switching network consistent. A host transmits a GMRP Join message if it is interested in joining a multicast group. After receiving the message, the switch adds the port to the multicast group and broadcasts the message throughout the VLAN, so that the multicast source in the VLAN learns that a member has joined. When the multicast source multicasts packets to its group, the switch only forwards the packets to the ports connected to the members, thereby implementing Layer 2 multicast in the VLAN. The multicast information transmitted by GMRP includes local static multicast registration information configured manually and the multicast registration information dynamically registered by other switches.

2.2 Configure GMRP
The main tasks in GMRP configuration include:
- Enable/Disable GMRP globally
- Enable/Disable GMRP on the port
In the configuration process, GMRP must be enabled globally before it is enabled on the port.

2.2.1 Enable/Disable GMRP Globally
Perform the following configuration in system view.

Table 2-1 Enable/Disable GMRP globally

Operation                  Command
Enable GMRP globally.      gmrp
Disable GMRP globally.     undo gmrp

By default, GMRP is disabled.

2.2.2 Enable/Disable GMRP on the Port
Perform the following configuration in Ethernet port view.

Table 2-2 Enable/Disable GMRP on the port

Operation                    Command
Enable GMRP on the port      gmrp
Disable GMRP on the port     undo gmrp

GMRP must be enabled globally before it is enabled on a port. By default, GMRP is disabled on the port.

2.3 Display and debug GMRP
After the above configuration, execute the display command in any view to display the running state of the GMRP configuration and to verify the effect of the configuration. Execute the debugging command in user view to debug the GMRP configuration.

Table 2-3 Display and debug GMRP

Operation                      Command
Display GMRP statistics.       display gmrp statistics [ interface interface_list ]
Display GMRP global status.    display gmrp status
Enable GMRP debugging          debugging gmrp event
Disable GMRP debugging         undo debugging gmrp event

2.4 GMRP Configuration Example
I. Networking requirements
Implement dynamic registration and update of multicast information between switches.

II. Networking diagram

Figure 2-1 GMRP networking (Switch_A connected to Switch_B)

III. Configuration procedure
Configure LS_A:

# Enable GMRP globally.
[Quidway] gmrp
# Enable GMRP on the port.
[Quidway] interface Ethernet 0/1
[Quidway-Ethernet0/1] gmrp

Configure LS_B:

# Enable GMRP globally.
[Quidway] gmrp
# Enable GMRP on the port.
[Quidway] interface Ethernet 0/1
[Quidway-Ethernet0/1] gmrp

Chapter 3 IGMP Snooping Configuration

Note: Among S3500 Series Ethernet Switches, S3552 Series, S3528 Series and S3552F support IGMP Snooping.

3.1 IGMP Snooping Overview
3.1.1 IGMP Snooping Principle
IGMP Snooping (Internet Group Management Protocol Snooping) is a multicast control mechanism running on the Layer 2 Ethernet switch and is used for multicast group management and control.

IGMP Snooping runs on the link layer. When receiving the IGMP messages transmitted between the host and the router, the Layer 2 Ethernet switch uses IGMP Snooping to analyze the information carried in the IGMP messages. If the switch hears an IGMP host report message from an IGMP host, it adds the host to the corresponding multicast table. If the switch hears an IGMP leave message from an IGMP host, it removes the host from the corresponding multicast table. The switch continuously listens to the IGMP messages to create and maintain the MAC multicast address table on Layer 2, and it can then forward the multicast packets transmitted from the upstream router according to the MAC multicast address table.

When IGMP Snooping is disabled, multicast packets are broadcast on Layer 2 and reach non-member ports as well. See the following figure:

Figure 3-1 Multicast packet transmission without IGMP Snooping (the video stream from the VOD server passes the multicast router and the Layer 2 Ethernet switch and reaches the multicast group member and both non-multicast group members)

When IGMP Snooping runs, the packets are not broadcast on Layer 2. See the following figure:

Figure 3-2 Multicast packet transmission when IGMP Snooping runs (the video stream reaches the multicast group member only, not the non-multicast group members)

3.1.2 Implement IGMP Snooping
I. Related concepts of IGMP Snooping
To facilitate the description, this section first introduces some switch concepts related to IGMP Snooping:
- Router port: The port of the switch directly connected to the multicast router.
- Multicast member port: The port connected to a multicast member. A multicast member is a host that has joined a multicast group.
- MAC multicast group: A multicast group identified by a MAC multicast address and maintained by the Ethernet switch.
- Router port aging time: Time set on the router port aging timer. If the switch has not received any IGMP general query message before the timer expires, it no longer considers the port a router port.
- Multicast group member port aging time: When a port joins an IP multicast group, the aging timer of the port starts. The multicast group member port aging time is set on this aging timer. If the switch has not received any IGMP report message before the timer expires, it transmits an IGMP specific query message to the port.
- Maximum response time: When the switch transmits an IGMP specific query message to a multicast member port, it starts a response timer that bounds the wait for the response to the query. If the switch has not received any IGMP report message before the timer expires, it removes the port from the multicast member ports.

II. Implement Layer 2 multicast with IGMP Snooping
The Ethernet switch runs IGMP Snooping to listen to the IGMP messages and map the host and its ports to the corresponding multicast group address. To implement IGMP Snooping, the Layer 2 Ethernet switch processes different IGMP messages in the way illustrated in the figure below:


Figure 3-3 Implement IGMP Snooping (IGMP packets are exchanged between a router running IGMP on the Internet side and an Ethernet switch running IGMP Snooping)

1) IGMP general query message: Transmitted by the multicast router to the multicast group members to query which multicast groups contain members. When an IGMP general query message arrives at a router port, the Ethernet switch resets the aging timer of the port. When a port other than a router port receives the IGMP general query message, the Ethernet switch notifies the multicast router that a port is ready to join a multicast group and starts the aging timer for the port.

2) IGMP specific query message: Transmitted from the multicast router to the multicast members and used for querying whether a specific group contains any member. When it receives an IGMP specific query message, the switch only transmits the specific query message to the IP multicast group which is queried.

3) IGMP report message: Transmitted from the host to the multicast router and used for applying to join a multicast group or responding to an IGMP query message. When it receives an IGMP report message, the switch checks whether the MAC multicast group corresponding to the IP multicast group the packet is ready to join exists.
- If the corresponding MAC multicast group does not exist, the switch notifies the router that a member is ready to join a multicast group, creates a new MAC multicast group, adds the port that received the message to the group, starts the port aging timer, adds all the router ports in the native VLAN of the port into the MAC multicast forwarding table, and meanwhile creates an IP multicast group and adds the port that received the report message to it.
- If the corresponding MAC multicast group exists but does not contain the port that received the report message, the switch adds the port into the multicast group and starts the port aging timer. Then the switch checks whether the corresponding IP multicast group exists. If it does not exist, the switch creates a new IP multicast group and adds the port that received the report message to it. If it exists, the switch adds the port to it.
- If the MAC multicast group corresponding to the message exists and already contains the port that received the message, the switch only resets the aging timer of the port.

4) IGMP leave message: Transmitted from a multicast group member to the multicast router to notify it that a host has left the multicast group. When it receives a leave message for an IP multicast group, the Ethernet switch transmits a specific query message for that group to the port that received the leave message, in order to check whether some other member of this group is still attached to the port, and meanwhile starts a maximum response timer. If the switch does not receive any report message for the multicast group before the timer expires, the port is removed from the corresponding MAC multicast group. If the MAC multicast group then has no member left, the switch notifies the multicast router to remove it from the multicast tree.
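The four message handlers above, together with the router port aging, member port aging and maximum response timers, can be exercised in a small simulator. The following Python model is an added example, not code from the manual or from the switch; it uses the default timer values documented in section 3.2 (260 s router port aging, 260 s member port aging, 10 s maximum response time) on a constructed VLAN with made-up port names, and drives the timers from a simulated clock so every step is reproducible.

```python
from dataclasses import dataclass, field

# Defaults documented in sections 3.2.2 to 3.2.4 of the manual (seconds).
ROUTER_AGING_TIME = 260    # igmp-snooping router-aging-time
HOST_AGING_TIME = 260      # igmp-snooping host-aging-time
MAX_RESPONSE_TIME = 10     # igmp-snooping max-response-time


def group_mac(group_ip: str) -> str:
    """Map an IPv4 multicast group to the MAC multicast address the switch keys on.

    Only the low 23 bits of the group address are copied into 01:00:5e:xx:xx:xx,
    so 32 IP groups share one MAC group; `display igmp-snooping group` shows both.
    """
    o = [int(x) for x in group_ip.split(".")]
    if len(o) != 4 or not 224 <= o[0] <= 239:
        raise ValueError("not an IPv4 multicast address: " + group_ip)
    return "01:00:5e:%02x:%02x:%02x" % (o[1] & 0x7F, o[2], o[3])


@dataclass
class SnoopingSwitch:
    """One VLAN of a Layer 2 switch running IGMP Snooping, driven by a simulated clock."""
    now: int = 0
    router_ports: dict = field(default_factory=dict)   # port -> aging deadline
    groups: dict = field(default_factory=dict)         # group IP -> {member port -> aging deadline}
    pending: dict = field(default_factory=dict)        # (group IP, port) -> max-response deadline
    sent: list = field(default_factory=list)           # messages the switch itself emitted

    def forwarding_ports(self, group_ip: str) -> set:
        """Ports that receive traffic for the group: its member ports plus every router port."""
        return set(self.groups.get(group_ip, {})) | set(self.router_ports)

    def on_general_query(self, port: str) -> None:
        """General query from the multicast router: (re)start the router port aging timer."""
        self.router_ports[port] = self.now + ROUTER_AGING_TIME

    def on_report(self, group_ip: str, port: str) -> None:
        """Host report: create the group if needed, add the port, (re)start its aging timer."""
        if group_ip not in self.groups:
            self.sent.append(("join-to-router", group_ip))   # router learns a member exists
        self.groups.setdefault(group_ip, {})[port] = self.now + HOST_AGING_TIME
        self.pending.pop((group_ip, port), None)             # a report answers a specific query

    def on_leave(self, group_ip: str, port: str) -> None:
        """Leave: query the port for remaining members and start the max-response timer."""
        if port in self.groups.get(group_ip, {}):
            self._specific_query(group_ip, port)

    def _specific_query(self, group_ip: str, port: str) -> None:
        if (group_ip, port) not in self.pending:
            self.sent.append(("specific-query", group_ip, port))
            self.pending[(group_ip, port)] = self.now + MAX_RESPONSE_TIME

    def tick(self, seconds: int) -> None:
        """Advance the clock and fire every timer that has expired."""
        self.now += seconds
        for port in [p for p, t in self.router_ports.items() if t <= self.now]:
            del self.router_ports[port]                      # no general query heard: not a router port
        for group_ip, port in [k for k, t in self.pending.items() if t <= self.now]:
            del self.pending[(group_ip, port)]               # no report within max-response time
            self.groups.get(group_ip, {}).pop(port, None)
        for group_ip, members in self.groups.items():
            for port in [p for p, t in members.items() if t <= self.now]:
                self._specific_query(group_ip, port)         # member aging: ask before removing
        for group_ip in [g for g, m in self.groups.items() if not m]:
            del self.groups[group_ip]
            self.sent.append(("leave-to-router", group_ip))  # last member gone: prune upstream


def walkthrough() -> dict:
    """Constructed scenario: one router port, two members, a leave, then aging of the rest."""
    sw = SnoopingSwitch()
    sw.on_general_query("Ethernet0/1")
    sw.on_report("224.1.1.1", "Ethernet0/2")
    sw.on_report("224.1.1.1", "Ethernet0/3")
    after_reports = sw.forwarding_ports("224.1.1.1")
    sw.on_leave("224.1.1.1", "Ethernet0/2")
    sw.tick(MAX_RESPONSE_TIME)                        # nobody answered the specific query
    after_leave = sw.forwarding_ports("224.1.1.1")
    sw.tick(ROUTER_AGING_TIME - MAX_RESPONSE_TIME)    # router port and Ethernet0/3 age out
    after_aging = sw.forwarding_ports("224.1.1.1")
    sw.tick(MAX_RESPONSE_TIME)                        # Ethernet0/3 never answered either
    return {"after_reports": after_reports, "after_leave": after_leave,
            "after_aging": after_aging, "groups": dict(sw.groups), "sent": list(sw.sent)}


if __name__ == "__main__":
    for step, value in walkthrough().items():
        print(step, value)
```

Note that the model removes a member port only after a specific query goes unanswered, which is why a quiet host is dropped 270 s after its last report (260 s aging plus the 10 s maximum response time) rather than at 260 s.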

3.2 Configure IGMP Snooping
The main IGMP Snooping configuration includes:
- Enable/disable IGMP Snooping
- Configure the aging time of the router port
- Configure the maximum response time
- Configure the aging time of the multicast group member port
Among the above configuration tasks, enabling IGMP Snooping is required, while the others are optional depending on your requirements.

3.2.1 Enable/Disable IGMP Snooping
You can use the following commands to enable/disable IGMP Snooping, which controls whether the MAC multicast forwarding table is created and maintained on Layer 2. Perform the following configuration in system view.

Table 3-1 Enable/Disable IGMP Snooping

Operation                      Command
Enable/disable IGMP Snooping   igmp-snooping { enable | disable }
Restore the default setting    undo igmp-snooping

IGMP Snooping and GMRP cannot run at the same time. You can check whether GMRP is running with the display gmrp status command in any view before enabling IGMP Snooping. By default, IGMP Snooping is disabled.

3.2.2 Configure Router Port Aging Time
This task is to manually configure the router port aging time. If the switch has not received any general query message from the router before the router port ages out, it removes the port from all MAC multicast groups. Perform the following configuration in system view.

Table 3-2 Configure router port aging time

Operation                          Command
Configure router port aging time   igmp-snooping router-aging-time seconds
Restore the default aging time     undo igmp-snooping router-aging-time

By default, the router port aging time is 260 seconds.

3.2.3 Configure Maximum Response Time
This task is to manually configure the maximum response time. If the Ethernet switch receives no report message from a port within the maximum response time, it removes the port from the multicast group. Perform the following configuration in system view.

Table 3-3 Configure the maximum response time

Operation                             Command
Configure the maximum response time   igmp-snooping max-response-time seconds
Restore the default setting           undo igmp-snooping max-response-time

By default, the maximum response time is 10 seconds.

3.2.4 Configure Aging Time of Multicast Group Member
This task is to manually set the aging time of the multicast group member port. If the switch receives no multicast group report message during the member port aging time, it transmits a specific query message to that port and starts a maximum response timer. Perform the following configuration in system view.

Table 3-4 Configure aging time of the multicast member

Operation                                      Command
Configure aging time of the multicast member   igmp-snooping host-aging-time seconds
Restore the default setting                    undo igmp-snooping host-aging-time

By default, the aging time of the multicast member is 260 seconds.

3.3 Display and debug IGMP Snooping
After the above configuration, execute the display command in any view to display the running state of the IGMP Snooping configuration and to verify the effect of the configuration. Execute the debugging command in user view to debug the IGMP Snooping configuration.

Table 3-5 Display and debug IGMP Snooping

Operation                                                              Command
Display the information about the current IGMP Snooping configuration  display igmp-snooping configuration
Display IGMP Snooping statistics of received and sent messages         display igmp-snooping statistics
Display IP/MAC multicast group information in the VLAN                 display igmp-snooping group [ vlan vlanid ]
Enable IGMP Snooping debugging (abnormal, group, packet, timer)        debugging igmp-snooping { all | abnormal | group | packet | timers }
Disable IGMP Snooping debugging (abnormal, group, packet, timer)       undo debugging igmp-snooping { all | abnormal | group | packet | timers }

3.4 IGMP Snooping Configuration Example
3.4.1 Enable IGMP Snooping
I. Networking requirements
To implement IGMP Snooping on the switch, first enable it. The switch is connected to the router via the router port and to user PCs through the non-router ports.

II. Networking diagram

Figure 3-4 IGMP Snooping configuration networking (Internet, Router, Multicast Switch)

III. Configuration procedure
# Display the status of GMRP.
<Quidway> display gmrp status
# Display the current status of IGMP Snooping when GMRP is disabled.
<Quidway> display igmp-snooping configuration
# Enable IGMP Snooping if it is disabled.
[Quidway] igmp-snooping enable

3.5 Troubleshoot IGMP Snooping
Fault: Multicast function cannot be implemented on the switch.

Troubleshooting:

1) IGMP Snooping is disabled. Input the display current-configuration command to display the status of IGMP Snooping. If IGMP Snooping is disabled on the switch, input igmp-snooping enable in system view to enable it.

2) The multicast forwarding table set up by IGMP Snooping is wrong. Input the display igmp-snooping group command to check whether the multicast group is the expected one. If the multicast group created by IGMP Snooping is not correct, turn to professional maintenance personnel for help. Continue with step 3 if the second step is completed.

3) The multicast forwarding table set up on the bottom layer is wrong. Enable IGMP Snooping group debugging (debugging igmp-snooping group) in user view and then input the display igmp-snooping group command to check whether the MAC multicast forwarding table in the bottom layer and the one created by IGMP Snooping are consistent. You may also input the display mac vlan command in any view to check whether the MAC multicast forwarding table under vlanid in the bottom layer and the one created by IGMP Snooping are consistent. If they are not consistent, please contact the maintenance personnel for help.

Chapter 4 Common Multicast Configuration
4.1 Introduction to Common Multicast Configuration
The common multicast configuration applies to both the multicast group management protocol and the multicast routing protocol. It includes enabling multicast and displaying the multicast routing table and the multicast forwarding table.

4.2 Common Multicast Configuration
Common multicast configuration includes:
- Enable multicast

4.2.1 Enable Multicast
Enable multicast first before enabling the multicast routing protocol. Enabling multicast automatically enables IGMP V2 on all interfaces. Perform the following configuration in system view.

Table 4-1 Enable multicast

Operation           Command
Enable multicast    multicast routing-enable
Disable multicast   undo multicast routing-enable

By default, multicast is disabled.

4.3 Display and Debug Common Multicast Configuration
After the above configuration, execute display command in any view to display the running of the multicast configuration, and to verify the effect of the configuration. Execute debugging command in user view for the debugging of multicast.

Table 4-2 Display and Debug Common Multicast Configuration

Operation                                            Command
Display the multicast routing table                  display multicast routing-table [ group-address [ mask { mask | mask-length } ] | source-address [ mask { mask | mask-length } ] | incoming-interface { interface-type interface-number | register } ]*
Display the multicast forwarding table               display multicast forwarding-table [ group-address [ mask { mask | mask-length } ] | source-address [ mask { mask | mask-length } ] | incoming-interface { interface-type interface-number | register } ]*
Display the multicast virtual interface information  display multicast vif
Enable multicast packet forwarding debugging         debugging multicast forwarding
Disable multicast packet forwarding debugging        undo debugging multicast forwarding
Enable multicast forwarding status debugging         debugging multicast status-forwarding
Disable multicast forwarding status debugging        undo debugging multicast status-forwarding
Enable multicast kernel routing debugging            debugging multicast kernel-routing
Disable multicast kernel routing debugging           undo debugging multicast kernel-routing

Chapter 5 IGMP Configuration
5.1 IGMP Overview
IGMP (Internet Group Management Protocol) is a protocol in the TCP/IP suite responsible for the management of IP multicast members. It is used to establish and maintain multicast membership between IP hosts and their directly connected neighboring routers. IGMP excludes the transmission and maintenance of membership information among multicast routers, which is handled by multicast routing protocols. All hosts participating in multicast must implement IGMP.

Hosts participating in IP multicast can join and leave a multicast group at any time. The number of members of a multicast group can be any integer and their location can be anywhere. A multicast router does not need to and cannot keep the membership of all hosts. It only uses IGMP to learn whether receivers (i.e., group members) of a multicast group are present on the subnet connected to each interface. A host only needs to keep track of which multicast groups it has joined.

IGMP is not symmetric on hosts and routers. Hosts need to respond to IGMP query messages from the multicast router, i.e., report their group membership to the router. The router needs to send membership query messages periodically and, according to the response messages it receives, discover whether hosts have joined the specified groups on its subnets. When the router receives a report that a host has left a group, it sends a group-specific query (IGMP Version 2) to discover whether any member remains in the group.

Up to now, IGMP has three versions, namely IGMP Version 1 (defined by RFC1112), IGMP Version 2 (defined by RFC2236) and IGMP Version 3. At present, IGMP Version 2 is the most widely used version. IGMP Version 2 boasts the following improvements over IGMP Version 1:

I. Election mechanism of multicast routers on the shared network segment
A shared network segment means that there are multiple multicast routers on a network segment. In this case, all routers running IGMP on the network segment can receive the membership reports from hosts, so only one router needs to send membership query messages. A router election mechanism is therefore required to designate one router as the querier. In IGMP Version 1, selection of the querier is determined by the multicast routing protocol, while IGMP Version 2 specifies that the multicast router with the lowest IP address is elected as the querier when there are multiple multicast routers on the same network segment.

II. Leaving group mechanism
In IGMP Version 1, hosts leave the multicast group quietly without informing the multicast router. In this case, the multicast router can only depend on the timeout of the response time of the multicast group to confirm that hosts have left the group. In Version 2, when a host intends to leave, it sends a leave group message if it is the host that responded to the latest membership query message.

III. Specific group query
In IGMP Version 1, a query of a multicast router is targeted at all the multicast groups on the network segment, which is known as a General Query. In IGMP Version 2, the Group-Specific Query is added besides the general query. The destination IP address of the query packet is the IP address of the multicast group. The group address field in the packet is also the IP address of the multicast group. This prevents the hosts that are members of other multicast groups from sending response messages.

IV. Max response time
The Max Response Time is added in IGMP Version 2. It is used to dynamically adjust the maximum time allowed for a host to respond to the membership query message.

5.2 IGMP Configuration
IGMP configuration includes:
- Enable multicast
- Configure the IGMP version
- Configure a router to join a specified multicast group
- Control the access to IP multicast groups
- Configure the IGMP query message interval
- Configure the IGMP querier present timer
- Configure the maximum query response time
Enabling multicast is mandatory for IGMP configuration; the others are optional.

5.2.1 Enable Multicast
After multicast is enabled, IGMP will automatically run on all interfaces. For details, refer to “Common Multicast Configuration”.

5.2.2 Configure the IGMP Version
Perform the following configuration in interface view.

Table 5-1 Select the IGMP version

Operation                                     Command
Select the IGMP version that the router uses  igmp version { 2 | 1 }
Restore the default setting                   undo igmp version

By default, IGMP Version 2 is used.

Caution: All routers on a subnet must support the same version of IGMP.

5.2.3 Configure a Router to Join Specified Multicast Group
Usually, a host running IGMP responds to the IGMP query packets of the multicast router. If no response arrives, the multicast router considers that there is no multicast member on this network segment and cancels the corresponding path. Configuring one interface of the router as a multicast member avoids this problem: when the interface receives an IGMP query packet, the router responds, thus ensuring that the network segment the interface is connected to can normally receive multicast packets. For an Ethernet switch, you can configure a port in a VLAN interface to join a multicast group. Perform the following configuration in VLAN interface view.

Table 5-2 Configure a router to join specified multicast group

Operation                                            Command
Configure a router to join specified multicast group igmp host-join group-address port { interface_type interface_num | interface_name } [ to { interface_type interface_num | interface_name } ]
Quit from specified multicast group                  undo igmp host-join group-address port { interface_type interface_num | interface_name } [ to { interface_type interface_num | interface_name } ]

By default, a router joins no multicast group.

5.2.4 Limit Multicast Groups An Interface Can Access
A multicast router learns whether there are members of a multicast group on the network via the received IGMP membership messages. A filter can be set on an interface to limit the range of allowed multicast groups. Perform the following configuration in interface view.

Table 5-3 Limit multicast groups an interface can access

Operation                                                         Command
Limit the range of allowed multicast groups on current interface  igmp group-policy acl-number [ 1 | 2 | port { interface_type interface_num | interface_name } [ to { interface_type interface_num | interface_name } ] ]
Remove the filter set on the interface                            undo igmp group-policy [ port { interface_type interface_num | interface_name } [ to { interface_type interface_num | interface_name } ] ]

By default, no filter is configured, that is, all multicast groups are allowed on the interface.

5.2.5 Configure the Interval to Send IGMP Query Message
Multicast routers send IGMP query messages to discover which multicast groups are present on attached networks. Multicast routers send query messages periodically to refresh their knowledge of the members present on their networks. Perform the following configuration in interface view.

Table 5-4 Configure the interval to send IGMP query message

Operation                                          Command
Configure the interval to send IGMP query message  igmp timer query seconds
Restore the default value                          undo igmp timer query

When there are multiple multicast routers on a network segment, the querier is responsible for sending IGMP query messages to all hosts on the LAN. By default, the interval is 60 seconds.

5.2.6 Configure the Present Time of IGMP Querier
The IGMP querier present timer defines the period of time before the router takes over as the querier sending query messages, after the previous querier has stopped doing so. Perform the following configuration in interface view.

Table 5-5 Configure the present time of IGMP querier

Operation                                  Command
Change the present time of IGMP querier    igmp timer other-querier-present seconds
Restore the default value                  undo igmp timer other-querier-present

By default, the value is 120 seconds. If the router has received no query message within twice the interval specified by the igmp timer query command, it regards the previous querier as invalid.
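The querier election of section 5.1, the query interval of 5.2.5 and the other-querier-present timer of 5.2.6 interact on a shared segment: the lowest address wins, and a non-querier takes over only after twice the query interval of silence. The following Python simulation is an added example, not code from the manual or from the switch; the router addresses and the second-by-second clock are constructed, and the defaults (60 s query interval, 120 s present timer) are those documented above.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

QUERY_INTERVAL = 60           # igmp timer query default (seconds)
OTHER_QUERIER_PRESENT = 120   # igmp timer other-querier-present default: twice the query interval


@dataclass
class IgmpRouter:
    ip: str
    now: int = 0
    querier: bool = True                          # every IGMPv2 router starts out as querier
    next_query_at: int = 0
    other_querier_expires: Optional[int] = None   # set only while deferring to another querier

    def on_query(self, from_ip: str) -> None:
        """A query from a lower address wins the election; restart the querier-present timer."""
        if IPv4Address(from_ip) < IPv4Address(self.ip):
            self.querier = False
            self.other_querier_expires = self.now + OTHER_QUERIER_PRESENT

    def tick(self, seconds: int, segment: "Segment") -> None:
        """Advance the clock, take over if the querier went silent, send a query when due."""
        self.now += seconds
        if (not self.querier and self.other_querier_expires is not None
                and self.now >= self.other_querier_expires):
            self.querier = True                   # no query heard for the whole present timer
            self.other_querier_expires = None
            self.next_query_at = self.now
        if self.querier and self.now >= self.next_query_at:
            self.next_query_at = self.now + QUERY_INTERVAL
            segment.deliver(self)


class Segment:
    """A shared network segment with several IGMP routers attached (constructed topology)."""

    def __init__(self, router_ips: List[str]) -> None:
        self.routers = [IgmpRouter(ip) for ip in router_ips]
        self.log: List[Tuple[int, str]] = []      # (time, sender) for every general query

    def deliver(self, sender: IgmpRouter) -> None:
        self.log.append((sender.now, sender.ip))
        for r in self.routers:
            if r is not sender:
                r.on_query(sender.ip)

    def run(self, seconds: int) -> None:
        for _ in range(seconds):                  # one-second steps keep the ordering deterministic
            for r in self.routers:
                r.tick(1, self)

    def fail(self, ip: str) -> None:
        """Remove a router from the segment without any notice: it simply goes silent."""
        self.routers = [r for r in self.routers if r.ip != ip]

    def queriers(self) -> List[str]:
        return [r.ip for r in self.routers if r.querier]


def failover_demo() -> dict:
    """Two routers: the higher address speaks first but loses, then inherits after the lower fails."""
    seg = Segment(["10.0.0.2", "10.0.0.1"])
    seg.run(120)
    elected = seg.queriers()
    seg.fail("10.0.0.1")                          # its last query went out at t = 61
    seg.run(60)                                   # t = 180: present timer has not expired yet
    during_gap = seg.queriers()
    seg.run(1)                                    # t = 181 = 61 + OTHER_QUERIER_PRESENT
    return {"elected": elected, "during_gap": during_gap,
            "after": seg.queriers(), "log": list(seg.log)}


if __name__ == "__main__":
    for key, value in failover_demo().items():
        print(key, value)
```

The gap in the log (no query between t = 61 and t = 181) is the window in which new hosts are not queried at all, which is the cost of setting the present timer longer than twice the query interval.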

5.2.7 Configure Maximum Response Time for IGMP Query Message
When a host receives a query message, it sets a timer for each multicast group it belongs to. The value of the timer is randomly selected between 0 and the maximum response time. When any timer reaches 0, the host sends the membership report message for that multicast group. Setting the maximum response time reasonably enables hosts to respond to query messages quickly, so that the router can quickly learn the current status of the members of the multicast group. Perform the following configuration in interface view.

Table 5-6 Configure the maximum response time for IGMP query message

Operation                                                        Command
Configure the maximum response time for IGMP query message       igmp max-response-time seconds
Restore the maximum query response time to the default value     undo igmp max-response-time

The smaller the maximum query response time value, the faster the router prunes groups. The actual response time is a random value in the range from 1 to 25 seconds. By default, the maximum query response time is 10 seconds.

5.3 Display and Debug IGMP
After the above configuration, execute display command in any view to display the running of IGMP configuration, and to verify the effect of the configuration. Execute debugging command in user view for the debugging of IGMP.

Table 5-7 Display and debug IGMP

Operation                                                                   Command
Display the information about members of IGMP multicast groups              display igmp group [ group-address | interface interface-type interface-number ]
Display the IGMP configuration and running information about the interface  display igmp interface [ interface-type interface-number ]
Enable the IGMP information debugging                                       debugging igmp { all | event | host | packet | mpm | timer }
Disable the IGMP information debugging                                      undo debugging igmp { all | event | host | packet | mpm | timer }

Chapter 6 PIM-DM Configuration
PIM-DM (Protocol Independent Multicast-Dense Mode) belongs to dense mode multicast routing protocols. PIM-DM is suitable for small networks. Members of multicast groups are relatively dense in such network environments. The working procedures of PIM-DM include neighbor discovery, flood & prune and graft.

I. Neighbor discovery
The PIM-DM router needs to use Hello messages to perform neighbor discovery when it is started. All network nodes running PIM-DM keep in touch with one another with Hello messages, which are sent periodically.

II. Flood & Prune
PIM-DM assumes that all hosts on the network are ready to receive multicast data. When a multicast source "S" begins to send data to a multicast group "G", the router that receives the multicast packets first performs an RPF check according to the unicast routing table. If the RPF check is passed, the router creates an (S, G) entry and then floods the data to all downstream PIM-DM nodes. If the RPF check is not passed, that is, the multicast packets entered from the wrong interface, the packets are discarded. After this process, an (S, G) entry exists in the PIM-DM multicast domain.

If the downstream node has no multicast group members, it sends a Prune message to the upstream node to inform it not to forward data to the downstream node. On receiving the Prune message, the upstream node removes the corresponding interface from the outgoing interface list of the multicast forwarding entry (S, G). In this way, an SPT (Shortest Path Tree) rooted at source S is built. The pruning process is initiated by the leaf routers first. This process is called the “flood & prune” process. In addition, pruned nodes provide a timeout mechanism: each router restarts the “flood & prune” process upon pruning timeout. The “flood & prune” process of PIM-DM is performed periodically.

During this process, PIM-DM uses the RPF check and the existing unicast routing table to build a multicast forwarding tree rooted at the data source. When a packet arrives, the router first judges the correctness of the path. If the interface on which the packet arrived is the one indicated by the unicast route to the multicast source, the packet is regarded as coming from the correct path. Otherwise, the packet is discarded as a redundant packet without multicast forwarding. The unicast routing information used for the path judgment can come from any unicast routing protocol, independent of any specific unicast routing protocol, such as the routing information learned by RIP or OSPF.

III. Assert mechanism
As shown in the following figure, both routers A and B on the LAN have their own receiving paths to multicast source S. In this case, when they receive a multicast packet sent from multicast source S, they will both forward the packet to the LAN. Multicast Router C at the downstream node will receive two copies of the same multicast packet.
Figure 6-1 Assert mechanism diagram (Routers A and B both forward the multicast packets from the upstream node onto the LAN; Router C, with the receiver behind it, gets two copies)

When they detect such a case, the routers need to select a unique sender by using the assert mechanism. Routers send Assert packets to select the best path. If two or more paths have the same priority and metric, the path with the higher IP address becomes the upstream neighbor of the (S, G) entry, which is responsible for forwarding the (S, G) multicast packets.
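The RPF check, the (S, G) outgoing interface list that flood & prune edits, and the assert tie-break described above can be shown on a constructed unicast routing table. The Python below is an added example, not code from the manual or from the switch; the interface names, prefixes and metrics are made up, and the assert rule follows PIM's order (lowest preference, then lowest metric, then the higher IP address as the manual states).

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

Route = Tuple[str, str, int]          # (prefix, outgoing interface, metric)


class PimDmRouter:
    """One PIM-DM router: RPF check, (S, G) state and the prune/graft edits to it."""

    def __init__(self, interfaces: List[str], unicast_routes: List[Route]) -> None:
        self.interfaces: Set[str] = set(interfaces)   # interfaces with `pim dm` enabled
        self.routes = unicast_routes
        self.sg: Dict[Tuple[str, str], dict] = {}     # (S, G) -> {"iif": str, "oifs": set}

    def rpf_interface(self, source: str) -> Optional[Tuple[str, int]]:
        """Longest-prefix match toward the source: (interface, metric), or None if unreachable."""
        best = None
        for prefix, iface, metric in self.routes:
            net = ip_network(prefix)
            if ip_address(source) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface, metric)
        return None if best is None else (best[1], best[2])

    def receive(self, source: str, group: str, in_iface: str) -> Set[str]:
        """RPF-check a data packet; return the interfaces it is flooded to (empty = discarded)."""
        rpf = self.rpf_interface(source)
        if rpf is None or rpf[0] != in_iface:
            return set()                               # wrong interface: redundant copy, drop it
        entry = self.sg.setdefault(
            (source, group), {"iif": in_iface, "oifs": self.interfaces - {in_iface}})
        return set(entry["oifs"])

    def prune(self, source: str, group: str, from_iface: str) -> None:
        """Prune from a downstream node with no members: remove that outgoing interface."""
        self.sg[(source, group)]["oifs"].discard(from_iface)

    def graft(self, source: str, group: str, from_iface: str) -> None:
        """Graft from a pruned downstream node that has members again: restore the interface."""
        self.sg[(source, group)]["oifs"].add(from_iface)


def assert_winner(candidates: List[Tuple[int, int, str]]) -> str:
    """Assert election on a shared LAN over (preference, metric, ip) tuples.

    Lower preference wins, then lower metric; on a full tie the higher IP address
    forwards, as the manual states.
    """
    return max(candidates, key=lambda c: (-c[0], -c[1], int(ip_address(c[2]))))[2]


def walkthrough() -> dict:
    """Constructed topology: source 10.1.5.7 is reached via the /24, not the /16 or the default."""
    r = PimDmRouter(
        ["Vlan-interface10", "Vlan-interface20", "Vlan-interface30"],
        [("10.1.0.0/16", "Vlan-interface10", 2),
         ("10.1.5.0/24", "Vlan-interface20", 1),
         ("0.0.0.0/0", "Vlan-interface30", 1)])
    s, g = "10.1.5.7", "224.1.1.1"
    wrong = r.receive(s, g, "Vlan-interface10")        # fails RPF: nothing forwarded
    flood = r.receive(s, g, "Vlan-interface20")        # passes: flooded to the other two
    r.prune(s, g, "Vlan-interface30")
    pruned = r.receive(s, g, "Vlan-interface20")
    r.graft(s, g, "Vlan-interface30")
    grafted = r.receive(s, g, "Vlan-interface20")
    return {"rpf": r.rpf_interface(s), "wrong": wrong, "flood": flood,
            "pruned": pruned, "grafted": grafted}


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(key, value)
    print(assert_winner([(0, 2, "192.0.2.1"), (0, 2, "192.0.2.2")]))
```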

IV. Graft
When a pruned downstream node needs to return to the forwarding state, it sends a Graft message to its upstream node to request that forwarding on that interface be restored.
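The flood & prune, assert and graft behaviour described above, as an added worked model (not code from the Quidway manual): a small Python simulation of one PIM-DM router's (S, G) state. The unicast routes, the interface names vlan10/vlan11/vlan12 and the source and group addresses are constructed for the example; the assert comparison (lower preference, then lower metric, then higher IP address) follows RFC 3973, which the manual's wording matches.

```python
"""PIM-DM forwarding model: RPF check, flood & prune, graft and assert.

Added example, not code from the Quidway manual. The unicast routes, the
interface names and the (S, G) traffic are constructed; "preference" is the
manual's "priority" of the routing protocol that supplied the route.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: str            # unicast destination prefix, e.g. "10.1.0.0/16"
    out_iface: str         # interface the unicast route points out of
    preference: int        # protocol preference (lower is better)
    metric: int            # route metric (lower is better)

    def __post_init__(self):
        self.net = ipaddress.ip_network(self.prefix)


@dataclass
class SGEntry:
    in_iface: str                              # RPF interface toward S
    oil: set = field(default_factory=set)      # outgoing interface list
    pruned: set = field(default_factory=set)   # downstream interfaces that sent Prune


class PimDmRouter:
    def __init__(self, routes, pim_ifaces):
        self.routes = routes
        self.pim_ifaces = set(pim_ifaces)
        self.mrt = {}                          # (S, G) -> SGEntry

    def rpf_route(self, source):
        """Longest-prefix match for S in the unicast table; None if S is unreachable."""
        src = ipaddress.ip_address(source)
        hits = [r for r in self.routes if src in r.net]
        return max(hits, key=lambda r: r.net.prefixlen, default=None)

    def forwarding_ifaces(self, source, group):
        entry = self.mrt[(source, group)]
        return sorted(entry.oil - entry.pruned)

    def receive_data(self, source, group, in_iface):
        """RPF check, then flood. Returns the interfaces the packet is sent out on,
        or None when it arrived on the wrong interface and was dropped unforwarded."""
        route = self.rpf_route(source)
        if route is None or route.out_iface != in_iface:
            return None                        # RPF failure: no state is created
        if (source, group) not in self.mrt:
            self.mrt[(source, group)] = SGEntry(
                in_iface=in_iface, oil=self.pim_ifaces - {in_iface})
        return self.forwarding_ifaces(source, group)

    def receive_prune(self, source, group, iface):
        """A downstream neighbor with no members asks us to stop forwarding."""
        entry = self.mrt[(source, group)]
        if iface in entry.oil:
            entry.pruned.add(iface)
        return self.forwarding_ifaces(source, group)

    def receive_graft(self, source, group, iface):
        """A pruned neighbor wants traffic again: restore the interface at once."""
        self.mrt[(source, group)].pruned.discard(iface)
        return self.forwarding_ifaces(source, group)

    def prune_timeout(self, source, group):
        """Prune state expires; flooding resumes and the cycle repeats."""
        self.mrt[(source, group)].pruned.clear()
        return self.forwarding_ifaces(source, group)


def assert_winner(candidates):
    """candidates: (router_ip, preference, metric) for each router that put the
    same (S, G) packet on the LAN. Lower preference wins, then lower metric, then
    the higher IP address, the tie-break the manual gives."""
    return min(candidates,
               key=lambda c: (c[1], c[2], -int(ipaddress.ip_address(c[0]))))[0]
```

The point worth noticing is that an RPF failure creates no state at all: a packet injected from the wrong side of the tree is dropped silently, which is what makes the unicast routing table the trust anchor of PIM-DM. Anyone who can inject routes (or a better-looking Assert) can move the tree.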

6.1 PIM-DM Configuration
PIM-DM configuration includes:
Enable multicast
Enable PIM-DM
Configure the interface hello message interval

When a router runs in a PIM-DM domain, it is recommended to enable PIM-DM on all interfaces of every non-border router.

6.1.1 Enable Multicast
Refer to “Common Multicast Configuration” of Chapter 2.

6.1.2 Enable PIM-DM
PIM-DM must be enabled on every interface that is to take part in it. After PIM-DM is enabled on an interface, the interface sends PIM Hello messages periodically and processes protocol packets from PIM neighbors. Perform the following configuration in interface view.

Table 6-1 Enable PIM-DM
Operation                          Command
Enable PIM-DM on an interface      pim dm
Disable PIM-DM on an interface     undo pim dm

Except in special cases, configure PIM-DM on all interfaces. This configuration takes effect only after multicast routing has been enabled in system view (multicast routing-enable). Once PIM-DM is enabled on an interface, PIM-SM cannot be enabled on the same interface, and vice versa.

6.1.3 Configure the Interface Hello Message Interval
After PIM is enabled on an interface, the interface sends Hello messages periodically. The interval can be adjusted to the bandwidth and type of network attached to the interface. Perform the following configuration in interface view.

Table 6-2 Configure hello message interval on an interface
Operation                                             Command
Configure the hello message interval on an interface  pim timer hello seconds
Restore the interval to the default value             undo pim timer hello

The default interval is 30 seconds. You can adjust the value for different network environments; generally this parameter does not need to be changed. This configuration can be performed only after PIM (PIM-DM or PIM-SM) has been enabled in interface view.

6.2 Display and Debug PIM-DM
After the above configuration, execute the display commands in any view to show the running PIM-DM configuration and verify its effect. Execute the debugging commands in user view to debug PIM-DM.

Table 6-3 Display and debug PIM-DM
Operation                                          Command
Display the PIM multicast routing table            display pim routing-table [ { { *g [ group-address [ mask { mask-length | mask } ] ] | **rp [ rp-address [ mask { mask-length | mask } ] ] } | { group-address [ mask { mask-length | mask } ] | source-address [ mask { mask-length | mask } ] } * } | incoming-interface { interface interface-type interface-number | null } | { dense-mode | sparse-mode } ] *
Display the PIM interface information              display pim interface [ interface interface-type interface-number ]
Display the information about PIM neighboring routers   display pim neighbor [ interface interface-type interface-number ]
Enable the PIM debugging                           debugging pim common { all | event | packet | timer }
Disable the PIM debugging                          undo debugging pim common { all | event | packet | timer }
Enable the PIM-DM debugging                        debugging pim dm { all | mbr | mrt | timer | warning | { recv | send } { all | assert | graft | graft-ack | join | prune } }
Disable the PIM-DM debugging                       undo debugging pim dm { all | mbr | mrt | timer | warning | { recv | send } { all | assert | graft | graft-ack | join | prune } }

6.3 PIM-DM Configuration Example
I. Networking requirements
LS_A has a port in VLAN 10 connecting to the multicast source, a port in VLAN 11 connecting to LS_B and a port in VLAN 12 connecting to LS_C. Configure multicast so that traffic from the multicast source reaches Receiver 1 and Receiver 2.

II. Networking diagram
Figure 6-2 PIM-DM configuration networking (Multicast Source on VLAN10 of LS_A; LS_B on VLAN11 serving Receiver 1; LS_C on VLAN12 serving Receiver 2)

III. Configuration procedure
This section only describes the LS_A configuration procedure; LS_B and LS_C are configured similarly.
# Enable multicast routing.
[Quidway] multicast routing-enable
# Create the VLANs, assign ports, and enable PIM-DM on each VLAN interface.
[Quidway] vlan 10
[Quidway-vlan10] port Ethernet 0/2 to Ethernet 0/3
[Quidway-vlan10] quit
[Quidway] vlan 11
[Quidway-vlan11] port Ethernet 0/4 to Ethernet 0/5
[Quidway-vlan11] quit
[Quidway] vlan 12
[Quidway-vlan12] port Ethernet 0/6 to Ethernet 0/7
[Quidway-vlan12] quit
[Quidway] interface vlan-interface 10
[Quidway-vlan-interface10] ip address 1.1.1.1 255.255.0.0
[Quidway-vlan-interface10] pim dm
[Quidway-vlan-interface10] quit
[Quidway] interface vlan-interface 11
[Quidway-vlan-interface11] ip address 2.2.2.2 255.255.0.0
[Quidway-vlan-interface11] pim dm
[Quidway-vlan-interface11] quit
[Quidway] interface vlan-interface 12
[Quidway-vlan-interface12] ip address 3.3.3.3 255.255.0.0
[Quidway-vlan-interface12] pim dm

Chapter 7 PIM-SM Configuration
7.1 PIM-SM Overview
7.1.1 Introduction to PIM-SM
PIM-SM (Protocol Independent Multicast-Sparse Mode) is a sparse mode multicast routing protocol. It is mainly applicable to large-scale networks in which group members are spread widely but sparsely. Unlike the flood & prune principle of dense mode, PIM-SM assumes that no host wants to receive multicast packets unless it explicitly asks for them. PIM-SM uses the RP (Rendezvous Point) and the BSR (Bootstrap Router) to advertise multicast information to all PIM-SM routers, and uses the routers' join/prune messages to build the RP-rooted shared tree (RPT), which reduces the bandwidth consumed by data and control packets and the processing load on routers. Multicast data flows along the shared tree to the network segments on which group members reside. When the traffic rate is sufficient, the multicast flow can switch over to the SPT (Shortest Path Tree) rooted at the source to reduce delay. PIM-SM does not depend on a particular unicast routing protocol; it uses the existing unicast routing table for the RPF check. Running PIM-SM requires configuring candidate RPs and candidate BSRs. The BSR collects the information advertised by the candidate RPs and advertises it to the domain.

7.1.2 PIM-SM Operating Principle
The PIM-SM working process consists of neighbor discovery, building the RP-rooted shared tree (RPT), multicast source registration, SPT switchover and so on. The neighbor discovery mechanism is the same as in PIM-DM and is not repeated here.

I. Build the RP shared tree (RPT)
When hosts join a multicast group G, the leaf routers directly connected to the hosts learn of the receivers of group G through IGMP messages. The leaf routers then calculate the rendezvous point (RP) for group G and send Join messages hop by hop toward the RP. Each router along the path between the leaf routers and the RP creates a (*, G) entry in its forwarding table, indicating that the entry applies to all packets sent to group G regardless of their source. When the RP receives packets addressed to group G, it sends them to the leaf routers along the path that was built, and from there they reach the hosts. In this way an RP-rooted tree (RPT) is built, as shown in the following figure.

Figure 7-1 RPT schematic diagram (Multicast Source S registers with the RP; the Receiver's leaf router sends an RPT join toward the RP)

II. Multicast source registration
When multicast source S sends a multicast packet to group G, the PIM-SM router directly connected to S encapsulates the packet in a Register message and unicasts it to the RP for that group. If there are multiple PIM-SM routers on the source's network segment, the Designated Router (DR) is responsible for sending the Register messages.

III. SPT switchover
When a multicast router detects that packets destined for group G are arriving from the RP at a rate above the configured threshold, it sends a Join message hop by hop toward the source S, which switches the flow from the RPT to the SPT.

7.1.3 Preparations before Configuring PIM-SM
I. Configure candidate RPs
In a PIM-SM network, multiple RPs (candidate-RPs) can be configured. Each Candidate-RP (C-RP) is responsible for forwarding multicast packets whose destination group addresses fall in a certain range. Configuring multiple C-RPs implements load balancing among RPs. These C-RPs are equal: after receiving the C-RP information that the BSR advertises, all multicast routers calculate the RP for each multicast group using the same algorithm, so they all arrive at the same mapping. Note that one RP can serve multiple multicast groups or all multicast groups, but each multicast group maps to exactly one RP at a time, never to several.

II. Configure BSRs
The BSR is the management core of a PIM-SM network. Candidate-RPs send announcements to the BSR, which collects and advertises the information about all candidate-RPs. There can be only one BSR in a network, but you can configure multiple candidate-BSRs (C-BSRs); if the current BSR fails, another C-BSR takes over. The BSR is elected among the C-BSRs automatically: the C-BSR with the highest priority wins, and if priorities are equal, the C-BSR with the largest IP address is elected.

III. Configure static RP
RP is the kernel router for the multicast routing. If the dynamic RP elected by BSR mechanism fails, a static RP can be configured. As the backup of dynamic RP, static RP improves robustness and operability of the multicast network.

7.2 PIM-SM Configuration
PIM-SM configuration includes:
Enable multicast
Enable PIM-SM
Configure the interface hello message interval
Configure the PIM-SM domain border
Enter PIM view
Configure candidate-BSRs
Configure candidate-RPs
Configure static RP
Configure RP to filter the register messages sent by DR
Set the threshold of switchover from the RPT to the SPT

The first four items are mandatory; the remaining items can keep their default configuration. Note that at least one router in a PIM-SM domain must be configured as a candidate-RP and as a candidate-BSR.
7.2.1 Enable Multicast
Refer to “Common Multicast Configuration” of Chapter 2.

7.2.2 Enable PIM-SM
This configuration takes effect only after multicast is enabled. Perform the following configuration in VLAN interface view.

Table 7-1 Enable PIM-SM
Operation                          Command
Enable PIM-SM on an interface      pim sm
Disable PIM-SM on an interface     undo pim sm

Repeat this configuration to enable PIM-SM on other interfaces. Only one multicast routing protocol can be enabled on an interface at a time: once PIM-SM is enabled on an interface, PIM-DM cannot be enabled on the same interface, and vice versa.

7.2.3 Configure the Interface Hello Message Interval
PIM-SM sends Hello messages periodically on each interface on which it is enabled, to detect PIM neighbors and to elect the Designated Router (DR). Perform the following configuration in VLAN interface view.

Table 7-2 Configure the interface hello message interval
Operation                                        Command
Configure the interface hello message interval   pim timer hello seconds
Restore the interval to the default value        undo pim timer hello

By default, the hello message interval is 30 seconds. You can adjust it for different network environments. This configuration can be performed only after PIM (PIM-DM or PIM-SM) has been enabled in VLAN interface view.

7.2.4 Configure the PIM-SM Domain Border
After a PIM-SM domain border is configured on an interface, Bootstrap messages cannot cross it in either direction, so the PIM-SM domain can be split. Perform the following configuration in VLAN interface view.

Table 7-3 Configure the PIM-SM domain border
Operation                                    Command
Set the PIM-SM domain border                 pim bsr-boundary
Remove the configured PIM-SM domain border   undo pim bsr-boundary

By default, no domain border is set. Once configured, Bootstrap messages cannot cross the border, but other PIM packets still can. This effectively divides a network into domains that use different BSRs.

7.2.5 Enter PIM View
Global PIM parameters are configured in PIM view. Perform the following configuration in system view.

Table 7-4 Enter PIM view
Operation               Command
Enter PIM view          pim
Back to system view     undo pim

Note that undo pim does not simply leave PIM view: it clears all configuration made in PIM view (candidate-BSR, candidate-RP, static RP, register policy and SPT switchover threshold) and returns to system view. Use quit to leave PIM view with the configuration intact.

7.2.6 Configure Candidate-BSRs
In a PIM domain, one or more candidate BSRs should be configured. A BSR (Bootstrap Router) is elected among the candidate BSRs and takes charge of collecting and advertising RP information. The automatic election among candidate BSRs works as follows. When configuring a router as a candidate BSR, you must specify an interface on which PIM-SM is enabled. Initially, each candidate BSR considers itself the BSR of the PIM-SM domain and sends Bootstrap messages using the IP address of that interface as the BSR address. When it receives Bootstrap messages from other routers, a candidate BSR compares the BSR address in the received message with its own. The comparison is by priority first, then by IP address, the larger address being better when priorities are equal. If the received BSR address is better, the candidate BSR adopts it as the BSR address and stops regarding itself as the BSR; otherwise it keeps its own BSR address and continues to regard itself as the BSR. Perform the following configuration in PIM view.

Table 7-5 Configure candidate-BSRs
Operation                             Command
Configure a candidate-BSR             c-bsr interface interface-type interface-number hash-mask-len [ priority ]
Remove the configured candidate-BSR   undo c-bsr

Candidate-BSRs should be configured on routers in the network backbone. By default, no BSR is set. The default priority is 0.

Caution: One router can only be configured with one candidate-BSR. When a candidate-BSR is configured on another interface, it will replace the previous configuration.

7.2.7 Configure Candidate-RPs
In PIM-SM, the shared tree built from the multicast routing data is rooted at the RP. There is a mapping from multicast groups to RPs: each group maps to one RP, and different groups may map to the same RP. Perform the following configuration in PIM view.

Table 7-6 Configure candidate-RPs
Operation                            Command
Configure a candidate-RP             c-rp interface-type interface-number [ group-policy acl-number ]
Remove the configured candidate-RP   undo c-rp interface-type interface-number

When configuring a candidate-RP, if the range of served multicast groups is not specified, the RP serves all multicast groups; otherwise it serves only the groups permitted by the specified basic ACL. Candidate-RPs should be configured on backbone routers.
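An added example (not code from the Quidway manual) modelling the two computations that every PIM-SM router in a domain must perform identically for the BSR mechanism to work: the C-BSR election described in 7.2.6 and the group-to-RP mapping described here and in 7.1.3. Addresses, priorities and group ranges are constructed. The manual does not name the hash it implements; the code uses the standard RFC 2362 / RFC 4601 hash, which is an assumption here, with hash_mask_len playing the role of the hash-mask-len argument of c-bsr (the configuration example in 7.4 uses 30). Group ranges served by a C-RP are written as prefixes rather than ACL numbers, a simplification of group-policy.

```python
"""PIM-SM bootstrap model: C-BSR election and group-to-RP hash mapping.

Added example, not code from the Quidway manual. Addresses, priorities and
group ranges are constructed. The hash is the RFC 2362 / RFC 4601 function,
assumed here to be what the switch implements.
"""
import ipaddress


def ip_int(addr):
    return int(ipaddress.ip_address(addr))


def elect_bsr(c_bsrs):
    """c_bsrs: list of (bsr_address, priority) taken from the Bootstrap messages
    a C-BSR has seen, including its own. Highest priority wins; equal priorities
    are broken by the larger IP address, as the manual describes."""
    return max(c_bsrs, key=lambda c: (c[1], ip_int(c[0])))[0]


def rp_hash(group, hash_mask_len, c_rp):
    """Value(G, M, C(i)) from RFC 2362: M is the mask built from hash-mask-len,
    arithmetic wraps at 2**32 as in C, and the result is reduced mod 2**31."""
    mask = (0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF
    g = ip_int(group) & mask
    v = (1103515245 * g + 12345) & 0xFFFFFFFF
    v = (1103515245 * (v ^ ip_int(c_rp)) + 12345) & 0xFFFFFFFF
    return v & 0x7FFFFFFF


def select_rp(group, c_rps, hash_mask_len):
    """c_rps: list of (rp_address, served_group_prefix) as advertised by the BSR.
    Every router runs this identically, so all agree on one RP per group:
    longest matching group range first, then highest hash value, then
    highest RP address. Returns None if no C-RP serves the group."""
    g = ipaddress.ip_address(group)
    eligible = [(rp, ipaddress.ip_network(prefix)) for rp, prefix in c_rps
                if g in ipaddress.ip_network(prefix)]
    if not eligible:
        return None
    return max(eligible, key=lambda e: (e[1].prefixlen,
                                        rp_hash(group, hash_mask_len, e[0]),
                                        ip_int(e[0])))[0]


def group_to_rp_table(groups, c_rps, hash_mask_len):
    """Mapping for a list of groups. Shows how hash-mask-len controls load
    sharing: with mask length 30, four consecutive groups land on one RP,
    because the low two bits of G are masked out before hashing."""
    return {g: select_rp(g, c_rps, hash_mask_len) for g in groups}
```

Two operational consequences follow from the code: a C-BSR with a higher priority, or a higher address at equal priority, silently takes over the domain, so the pim bsr-boundary of 7.2.4 is the only thing keeping a neighbouring domain's Bootstrap messages out; and the RP a group lands on depends only on the advertised C-RP set and the mask length, so any router whose C-RP list differs will pick a different RP and the registration in 7.1.2 fails.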

7.2.8 Configure Static RP
A static RP can serve as the backup of a dynamic RP to improve network robustness. Perform the following configuration in PIM view.

Table 7-7 Configure static RP
Operation                        Command
Configure static RP              static-rp rp-address [ acl-number ]
Remove the configured static RP  undo static-rp

A basic ACL can be used to limit the range of multicast groups served by the static RP. If a static RP is used, all routers in the PIM domain must be configured identically. If the configured static RP address is the address of a local interface that is up, the router itself acts as the static RP; PIM does not need to be enabled on that interface. While the RP elected through the BSR mechanism is valid, the static RP is not used.

7.2.9 Configure RP to Filter the Register Messages Sent by DR
In a PIM-SM network, the register message filtering mechanism controls, at the RP, which sources may send to which groups: the RP filters the Register messages sent by DRs and accepts only those matching the policy. Perform the following configuration in PIM view.

Table 7-8 Configure RP to filter the register messages sent by DR
Operation                                                 Command
Configure RP to filter the register messages sent by DR   register-policy acl-number
Cancel the configured register message filter             undo register-policy

If a (source, group) pair is denied by the ACL, matches no rule in the ACL, or the referenced ACL does not exist, the RP sends a Register-Stop message to the DR to stop the registration of that multicast stream.

Caution: Only Register messages that match a permit clause of the ACL are accepted by the RP. Referencing an ACL that has not been defined causes the RP to deny all Register messages.
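How the RP applies the register filter described in this section, as an added example (not code from the manual): an ordered ACL with Quidway-style wildcard masks is evaluated against Register messages, reproducing the fail-closed rules above (deny match, no match and undefined ACL all yield Register-Stop). The sources, groups and ACL number 3000 are constructed; the manual does not say what happens when no register-policy is configured at all, and the code assumes no filtering in that case.

```python
"""Model of RP register filtering (register-policy) in PIM-SM.

Added example, not code from the Quidway manual. The rule representation
mirrors the manual's ACL style ("rule permit source 225.0.0.0 0.255.255.255":
address plus wildcard, where wildcard bits set to 1 are ignored), but the
sources, groups and ACL numbers below are constructed.
"""
import ipaddress


def ip_int(addr):
    return int(ipaddress.ip_address(addr))


class AclRule:
    """One ACL rule. source/group are (address, wildcard) pairs, or None for any."""

    def __init__(self, action, source=None, group=None):
        if action not in ("permit", "deny"):
            raise ValueError(action)
        self.action, self.source, self.group = action, source, group

    @staticmethod
    def _match(spec, addr):
        if spec is None:
            return True
        base, wildcard = (ip_int(x) for x in spec)
        # bits set in the wildcard are "don't care"; compare only the rest
        return (ip_int(addr) | wildcard) == (base | wildcard)

    def matches(self, source, group):
        return self._match(self.source, source) and self._match(self.group, group)


def register_decision(acls, policy_acl, source, group):
    """Decide what the RP does with a Register for (source, group).

    acls: {acl_number: [AclRule, ...]} defined on the RP.
    policy_acl: ACL number given to register-policy, or None when no policy is
    configured (assumed here to mean no filtering).
    Returns "accept" or "register-stop". Rules are evaluated in order and the
    first match decides; a deny match, no match at all, or a policy that names
    an undefined ACL all produce Register-Stop, i.e. the filter fails closed.
    """
    if policy_acl is None:
        return "accept"
    rules = acls.get(policy_acl)
    if rules is None:
        return "register-stop"          # undefined ACL: deny every Register
    for rule in rules:
        if rule.matches(source, group):
            return "accept" if rule.action == "permit" else "register-stop"
    return "register-stop"              # implicit deny at end of ACL
```

The ordering matters in the same way as on the switch: a deny for a rogue subnet must precede the broader permit, otherwise the permit matches first and the deny is never reached.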

7.2.10 Set the Threshold of Switchover from the RPT to the SPT
A PIM-SM router initially forwards multicast data packets along the shared tree. If the rate of the multicast data exceeds the threshold, the last-hop router that the packets pass through initiates a switch from the shared tree to the shortest path tree. Perform the following configuration in PIM view.

Table 7-9 Set the threshold of switchover from the RPT to the SPT
Operation                                                Command
Set the threshold of switchover from the RPT to the SPT  spt-switch-threshold { traffic-rate | infinity } [ group-policy acl-number ]
Restore the default setting                              undo spt-switch-threshold { traffic-rate | infinity } [ group-policy acl-number ]

By default, the threshold is 0, so the last-hop router initiates the switch to the shortest path tree on arrival of the first multicast data packet. Setting infinity keeps traffic on the shared tree.

7.3 Display and Debug PIM-SM
After the above configuration, execute the display commands in any view to show the running PIM-SM configuration and verify its effect. Execute the debugging commands in user view to debug PIM-SM.

Table 7-10 Display and debug PIM-SM
Operation                       Command
Display the BSR information     display pim bsr-info
Display the RP information      display pim rp-info [ group-address ]
Enable the PIM-SM debugging     debugging pim sm { all | mbr | verbose | mrt | timer | warning | { recv | send } { assert | graft | graft-ack | join | prune } }
Disable the PIM-SM debugging    undo debugging pim sm { all | mbr | verbose | mrt | timer | warning | { recv | send } { assert | graft | graft-ack | join | prune } }
7.4 PIM-SM Configuration Example
I. Networking requirements
In this example, the switches are assumed to be able to communicate with each other. Host A is a receiver of multicast group 225.0.0.1, and Host B begins transmitting data destined to 225.0.0.1. LS_A receives the multicast data from Host B via LS_B.

II. Networking diagram
Figure 7-2 PIM-SM configuration networking (Host A, Host B, LS_A, LS_B, LS_C and LS_D; each switch uses VLAN-interfaces 10, 11 and 12)

III. Configuration procedure
1) Configure LS_A
# Enable multicast routing and PIM-SM.
[Quidway] multicast routing-enable
[Quidway] vlan 10
[Quidway-vlan10] port Ethernet 0/2 to Ethernet 0/3
[Quidway-vlan10] quit
[Quidway] interface vlan-interface 10
[Quidway-vlan-interface10] pim sm
[Quidway-vlan-interface10] quit
[Quidway] vlan 11
[Quidway-vlan11] port Ethernet 0/4 to Ethernet 0/5
[Quidway-vlan11] quit
[Quidway] interface vlan-interface 11
[Quidway-vlan-interface11] pim sm
[Quidway-vlan-interface11] quit
[Quidway] vlan 12
[Quidway-vlan12] port Ethernet 0/6 to Ethernet 0/7
[Quidway-vlan12] quit
[Quidway] interface vlan-interface 12
[Quidway-vlan-interface12] pim sm
[Quidway-vlan-interface12] quit
2) Configure LS_B
# Enable multicast routing and PIM-SM.
[Quidway] multicast routing-enable
[Quidway] vlan 10
[Quidway-vlan10] port Ethernet 0/2 to Ethernet 0/3
[Quidway-vlan10] quit
[Quidway] interface vlan-interface 10
[Quidway-vlan-interface10] pim sm
[Quidway-vlan-interface10] quit
[Quidway] vlan 11
[Quidway-vlan11] port Ethernet 0/4 to Ethernet 0/5
[Quidway-vlan11] quit
[Quidway] interface vlan-interface 11
[Quidway-vlan-interface11] pim sm
[Quidway-vlan-interface11] quit
[Quidway] vlan 12
[Quidway-vlan12] port Ethernet 0/6 to Ethernet 0/7
[Quidway-vlan12] quit
[Quidway] interface vlan-interface 12
[Quidway-vlan-interface12] pim sm
[Quidway-vlan-interface12] quit
# Configure the C-BSR (hash-mask-len 30, priority 2).
[Quidway] pim
[Quidway-pim] c-bsr vlan-interface 10 30 2
[Quidway-pim] quit
# Configure the C-RP, serving only the groups permitted by ACL 2000.
[Quidway] acl number 2000
[Quidway-acl-basic-2000] rule permit source 225.0.0.0 0.255.255.255
[Quidway-acl-basic-2000] quit
[Quidway] pim
[Quidway-pim] c-rp vlan-interface 10 group-policy 2000
[Quidway-pim] quit
# Configure the PIM domain boundary.
[Quidway] interface vlan-interface 12
[Quidway-vlan-interface12] pim bsr-boundary
After VLAN-interface 12 is configured as the PIM domain boundary, LS_D is excluded from the local PIM domain and no longer receives the BSR information transmitted from LS_B.
3) Configure LS_C
# Enable multicast routing and PIM-SM.
[Quidway] multicast routing-enable
[Quidway] vlan 10
[Quidway-vlan10] port Ethernet 0/2 to Ethernet 0/3
[Quidway-vlan10] quit
[Quidway] interface vlan-interface 10
[Quidway-vlan-interface10] pim sm
[Quidway-vlan-interface10] quit
[Quidway] vlan 11
[Quidway-vlan11] port Ethernet 0/4 to Ethernet 0/5
[Quidway-vlan11] quit
[Quidway] interface vlan-interface 11
[Quidway-vlan-interface11] pim sm
[Quidway-vlan-interface11] quit
[Quidway] vlan 12
[Quidway-vlan12] port Ethernet 0/6 to Ethernet 0/7
[Quidway-vlan12] quit
[Quidway] interface vlan-interface 12
[Quidway-vlan-interface12] pim sm
[Quidway-vlan-interface12] quit

HUAWEI
Quidway S3500 Series Ethernet Switches Operation Manual
7. QoS/ACL

Operation Manual - QoS/ACL Quidway S3500 Series Ethernet Switches

Table of Contents
Chapter 1 ACL Configuration
  1.1 Brief Introduction to ACL
    1.1.1 ACL Overview
    1.1.2 ACL Supported by Ethernet Switch
  1.2 Configure ACL of S3526 Series Ethernet Switches
    1.2.1 Configure Time-Range
    1.2.2 Define ACL
    1.2.3 Activate ACL
    1.2.4 Display and Debug ACL
  1.3 Configure ACL of S3526E and S3526C
    1.3.1 Configure Time-Range
    1.3.2 Define ACL
    1.3.3 Activate ACL
    1.3.4 Display and Debug ACL
  1.4 Configure ACL of S3552 Series Ethernet Switches
    1.4.1 Configure Time-Range
    1.4.2 Define ACL
    1.4.3 Activate ACL
    1.4.4 Display and Debug ACL
  1.5 ACL Configuration Example of S3526 Series Switches
    1.5.1 Advanced ACL Configuration Example
    1.5.2 Basic ACL Configuration Example
    1.5.3 Link ACL Configuration Example
  1.6 ACL Configuration Example of S3526E and S3526C
    1.6.1 Advanced ACL Configuration Example
    1.6.2 Basic ACL Configuration Example
    1.6.3 Link ACL Configuration Example
    1.6.4 User-defined ACL Configuration Example
Chapter 2 QoS Configuration
  2.1 QoS Overview
    2.1.1 Traffic
    2.1.2 Traffic Classification
    2.1.3 Packet Filter
    2.1.4 Traffic Policing
    2.1.5 Port Traffic Limit
    2.1.6 Redirection
    2.1.7 Traffic Priority
    2.1.8 Queue Scheduling
    2.1.9 Traffic Mirroring
    2.1.10 Traffic Counting
  2.2 Configure QoS of S3526 Series Switches
    2.2.1 Set the Port Priority
    2.2.2 Configure Trust Packet Priority
    2.2.3 Configure Priority Marking
    2.2.4 Configure Queue Scheduling
    2.2.5 Configure Traffic Mirroring
    2.2.6 Configure Traffic Statistics
    2.2.7 Display and Debug QoS
  2.3 Configure QoS of S3526E and S3526C
    2.3.1 Set the Port Priority
    2.3.2 Configure Trust Packet Priority
    2.3.3 Traffic Policing
    2.3.4 Port Traffic Limit
    2.3.5 Configure Packet Redirection
    2.3.6 Configure Priority Marking
    2.3.7 Configure Queue Scheduling
    2.3.8 Configure Traffic Mirroring
    2.3.9 Configure Traffic Statistics
    2.3.10 Display and Debug QoS
  2.4 QoS Configuration for S3552 Series Ethernet Switches
    2.4.2 Configure Service Group Allocation Rule
    2.4.3 Configure Traffic Policing
    2.4.4 Configure Traffic Shaping
    2.4.5 Configure Priority Remark
    2.4.6 Configure Traffic Redirection
    2.4.7 Configure Queue Scheduling
    2.4.8 Configure Congestion Avoidance
    2.4.9 Configure Traffic Mirroring
    2.4.10 Configure Port Mirroring
    2.4.11 Configure Traffic Statistic
    2.4.12 Display and Debug QoS
  2.5 QoS Configuration Example of S3526 Series Switches
    2.5.1 Traffic Mirroring Configuration Example
  2.6 QoS Configuration Example of S3526E and S3526C
    2.6.1 Traffic Policing and Interface Rate Restraint Configuration Example
    2.6.2 Traffic Mirroring Configuration Example
  2.7 QoS Configuration Example of S3552 Series Switches
    2.7.1 Traffic Policing Configuration Example
    2.7.2 Bi-directional Traffic Limit to Packets on Designated VLAN Configuration Example
    2.7.3 Bi-directional Traffic Limit to Packets at Designated Port Configuration Example
    2.7.4 Priority Marking Configuration Example
Chapter 3 Logon User ACL Control Configuration
  3.1 Overview
  3.2 Configure ACL Control over the TELNET User
    3.2.1 Define ACL
    3.2.2 Call ACL to Control TELNET User
    3.2.3 Configuration Example
  3.3 Configure ACL Control over the SNMP Users
    3.3.1 Define an ACL
    3.3.2 Call ACL to Control SNMP User
    3.3.3 Configuration Example
  3.4 Configure ACL Control over the HTTP Users
    3.4.1 Define an ACL
    3.4.2 Call ACL to Control HTTP User
    3.4.3 Configuration Example


Chapter 1 ACL Configuration
1.1 Brief Introduction to ACL
1.1.1 ACL Overview
Network devices need a series of matching rules to identify the packets to be filtered. After identifying the packets, the switch can permit or deny them according to the defined policy. An Access Control List (ACL) is used to implement such functions. An ACL classifies data packets with a series of matching rules, including source address, destination address, port number, etc. The switch checks the data packets against the rules in the ACL and determines whether to forward or discard them. The packet matching rules defined by an ACL can also be cited in other cases that require traffic classification, such as defining traffic classification for QoS. An access control rule includes several statements, and different statements specify different ranges of packets. When matching a data packet against the access control rule, the question of match order arises.

I. The case of filtering or classifying the data transmitted by the hardware
An ACL can be used to filter or classify the data transmitted by the switch hardware. In this case, the match order of the ACL's sub-rules is determined by the switch hardware, and the match order defined by the user is not effective. Because of the chips installed, the hardware match order of the ACL's sub-rules differs between switch models. The details are listed in the following table.

Table 1-1 Hardware match order of ACL's sub-rule

S3526 Series: An ACL is configured with multiple sub-rules. The deny sub-rules are matched first, and then the permit sub-rules. Exact match mode is used for the permit sub-rules: the sub-rule with the more accurate range is matched first. For example, ACL 3000 has rule 0 and rule 1; rule 0 is defined as "rule 0 permit ip source 1.1.1.1 0.0.255.255 destination 2.2.2.2 0.0.255.255" and rule 1 as "rule 1 permit ip source 1.1.1.1 0.0.0.255 destination 2.2.2.2 0.0.0.255". Rule 1 is more accurate, so it is matched first.
S3526E&S3526C: An ACL is configured with multiple sub-rules. The latest sub-rule is matched first.
S3552 Series: An ACL is configured with multiple sub-rules. The first sub-rule is matched first.


Note: For S3526 series switches, the packet-filter function only supports rules whose action is deny, while other QoS functions such as priority marking, traffic mirroring and traffic statistics support rules whose action is permit. In some cases, however, a permit ACL and a deny ACL can be matched at the same time. For example, ACL 3000 has rule 0 and rule 1; rule 0 is a deny rule and rule 1 is a permit rule. If the packet-filter function cites ACL 100 rule 0 and traffic statistics cites ACL 100 rule 1, the match order is to match the deny rule first and then the permit rule.

This case includes ACLs cited by QoS functions, ACLs used to filter packets transmitted by the hardware, etc.

II. The case of filtering or classifying the data processed by the software
An ACL can also be used to filter or classify the data processed by the switch software. In this case, the match order of the ACL's sub-rules can be determined by the user. There are two match orders: config (the rules are matched in the order the user configured them) and auto (the rules are matched in the order the system sorts them automatically, i.e. in depth-first order). Once the user specifies the match order of an access control rule, it cannot be modified later unless all the content is deleted and the match order is specified again. This case includes ACLs cited by the route policy function, ACLs used to control logon users, etc.

Note: The depth-first principle puts the statement specifying the smallest range of packets at the top of the list. This is implemented by comparing the wildcards of the addresses: the smaller the wildcard, the fewer hosts it can specify. For example, 129.102.1.1 0.0.0.0 specifies a single host, while 129.102.1.1 0.0.255.255 specifies a network segment, 129.102.0.1 through 129.102.255.255. Obviously, the former is listed ahead in the access control list. The specific standard is as follows. For basic access control list statements, compare the source address wildcards directly; if the wildcards are the same, follow the configuration sequence. For an access control list based on the interface filter, the rule configured with any is listed last, while the others follow the configuration sequence. For an advanced access control list, compare the source address wildcards first; if they are the same, compare the destination address wildcards; if the destination address wildcards are also the same, compare the ranges of port numbers, and the one with the smaller range is listed ahead; if the port number ranges are the same, follow the configuration sequence.
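The depth-first ordering from this note, worked through in code: an added example, not part of the manual or the switch software. The Rule structure, the first_match evaluation and the packet fields checked are assumptions of the example; the sample rules reuse the addresses quoted above and in Table 1-1.

```python
"""Depth-first ("auto" match-order) sorting of basic and advanced ACL rules.

Added example, not part of the manual: it models the depth-first principle from
the note above. The Rule structure and the packet fields it checks are
assumptions of this example, not the switch's internal data model.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

Endpoint = Optional[Tuple[str, str]]   # (address, wildcard), or None for "any"
PortRange = Optional[Tuple[int, int]]  # inclusive port range, or None for no restriction


@dataclass
class Rule:
    rule_id: int                  # rule-id; here it also records the configuration sequence
    action: str                   # "permit" or "deny"
    source: Endpoint
    destination: Endpoint = None  # advanced ACL only
    dest_port: PortRange = None   # advanced ACL only


def wildcard_size(wildcard: str) -> int:
    """Numeric size of a wildcard (0 bits must match, 1 bits are don't-care).
    A smaller value covers fewer hosts and therefore sorts earlier."""
    return int(IPv4Address(wildcard))

def _endpoint_key(ep: Endpoint) -> int:
    # "any" covers every host: rank it like the widest wildcard so it sorts last
    return wildcard_size(ep[1]) if ep is not None else 0xFFFFFFFF

def _port_key(pr: PortRange) -> int:
    # number of ports covered; no port restriction covers all 65536 ports
    return 65536 if pr is None else pr[1] - pr[0] + 1

def depth_first_order(rules: List[Rule], advanced: bool) -> List[Rule]:
    """Order rules as the note describes.
    Basic ACL: source wildcard, then configuration sequence.
    Advanced ACL: source wildcard, destination wildcard, size of the port range,
    then configuration sequence."""
    if advanced:
        key = lambda r: (_endpoint_key(r.source), _endpoint_key(r.destination),
                         _port_key(r.dest_port), r.rule_id)
    else:
        key = lambda r: (_endpoint_key(r.source), r.rule_id)
    return sorted(rules, key=key)

def _addr_matches(ep: Endpoint, addr: str) -> bool:
    if ep is None:
        return True
    base, wildcard = ep
    w = wildcard_size(wildcard)
    # bits set in the wildcard are ignored; all other bits must be equal
    return (int(IPv4Address(base)) | w) == (int(IPv4Address(addr)) | w)

def first_match(ordered: List[Rule], src: str, dst: Optional[str] = None,
                dport: Optional[int] = None) -> Optional[Rule]:
    """First-match evaluation over an already ordered rule list."""
    for r in ordered:
        if not _addr_matches(r.source, src):
            continue
        if r.destination is not None and (dst is None or not _addr_matches(r.destination, dst)):
            continue
        if r.dest_port is not None and (dport is None or not r.dest_port[0] <= dport <= r.dest_port[1]):
            continue
        return r
    return None


# Constructed basic ACL in configuration order: the segment rule was entered
# before the host rule, reusing the addresses quoted in the note.
BASIC_RULES = [
    Rule(0, "permit", ("129.102.1.1", "0.0.255.255")),
    Rule(1, "deny", ("129.102.1.1", "0.0.0.0")),
]

# Constructed advanced ACL: rules 0 and 1 are the pair quoted in Table 1-1;
# rule 2 narrows rule 1 further with a single destination port.
ADVANCED_RULES = [
    Rule(0, "permit", ("1.1.1.1", "0.0.255.255"), ("2.2.2.2", "0.0.255.255")),
    Rule(1, "permit", ("1.1.1.1", "0.0.0.255"), ("2.2.2.2", "0.0.0.255")),
    Rule(2, "deny", ("1.1.1.1", "0.0.0.255"), ("2.2.2.2", "0.0.0.255"), (23, 23)),
]

def basic_decisions(src: str) -> Tuple[Optional[str], Optional[str]]:
    """Action on a packet from src under match-order config and under match-order auto."""
    cfg = first_match(sorted(BASIC_RULES, key=lambda r: r.rule_id), src)
    auto = first_match(depth_first_order(BASIC_RULES, advanced=False), src)
    return (cfg.action if cfg else None, auto.action if auto else None)

def advanced_auto_ids() -> List[int]:
    """rule-ids of the advanced ACL in depth-first order."""
    return [r.rule_id for r in depth_first_order(ADVANCED_RULES, advanced=True)]

def advanced_decision(src: str, dst: str, dport: int) -> Optional[str]:
    """Action on a packet under the depth-first ordered advanced ACL."""
    r = first_match(depth_first_order(ADVANCED_RULES, advanced=True), src, dst, dport)
    return r.action if r else None
```

The host rule 129.102.1.1 0.0.0.0 is entered second but sorts first under auto, so a packet from that host is denied under auto and permitted under config.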


1.1.2 ACL Supported by Ethernet Switch
For the Ethernet Switch, ACLs are divided into the following categories:
Numbered basic ACL
Named basic ACL
Numbered advanced ACL
Named advanced ACL
Numbered Layer-2 ACL
Named Layer-2 ACL
Numbered user-defined ACL
Named user-defined ACL
The table below lists the limits on the number of each kind of ACL on a switch.

Table 1-2 Quantitative limitation to the ACL of S3526 series, S3526E and S3526C

Item: Value range
Numbered basic ACL: 2000 to 2999
Numbered advanced ACL: 3000 to 3999
Numbered Layer-2 ACL: 4000 to 4999
Numbered user-defined ACL: 5000 to 5999
Named basic ACL: -
Named advanced ACL: -
Named Layer-2 ACL: -
Named user-defined ACL: -
The sub items of an ACL: 0 to 127

Note: S3526 Series and S3552 Series Ethernet Switches do not support user-defined ACLs. S3526E and S3526C Ethernet Switches support all kinds of ACLs.

Table 1-3 Quantitative limitation to the ACL of S3552

Item: Value range
Numbered basic ACL: 2000 to 2999
Numbered advanced ACL: 3000 to 3999
Numbered Layer-2 ACL: 4000 to 4999
Named basic ACL: -
Named advanced ACL: -
Named Layer-2 ACL: -
The sub items of an ACL: 0 to 127
Maximum sub items for all ACL (sum of all ACL's sub items): 1024
Maximum Number ACL Activated: 64 per 100M-port, 512 per 1000M-port


One rule can be delivered to hardware by multiple QoS functions, which means the switch can perform many actions on a certain data stream. No matter how many QoS functions use the rule, the switch considers that only one rule has been delivered to hardware. For example, up to 64 rules can be delivered at the 100Base-T port Ethernet0/1; if rule 0 of ACL 1 is delivered to this port by the traffic policing and priority tag functions separately, the switch considers only one rule delivered, and 63 other rules can still be delivered at this port.

1.2 Configure ACL of S3526 Series Ethernet Switches
S3526 Series Ethernet Switches include S3526, S3526 FM and S3526 FS switches. ACL configuration includes:
1) Configure time range
2) Define ACL
3) Activate ACL
The above three steps should be taken in sequence: configure the time range first, then define the ACL (using the defined time range in the definition), and then activate the ACL to make it take effect.

1.2.1 Configure Time-Range
The process of configuring a time range includes configuring the hour-minute range, the date range and the periodic range. The hour-minute range is expressed in minutes and hours. The date range is expressed in minutes, hours, date, month and year. The periodic time range is expressed in days of the week. Use the following commands in system view to set the time range.

Table 1-4 Set the absolute time range

Set the absolute time range:
  time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] }
Delete the absolute time range:
  undo time-range time-name [ start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] ]

When start-time and end-time are not configured, the range covers the whole day. The end time must be later than the start time. When end-time end-date is not configured, the range lasts from now until the latest date the system can display. Again, the end time must be later than the start time.


1.2.2 Define ACL
Huawei switches support several kinds of ACLs. This section introduces how to define them. Define an ACL by following the steps below:
1) Enter the corresponding ACL view
2) Add a rule to the ACL

You can add multiple rules to one ACL.

Note:
1) If a specific time range is not defined, the ACL always functions once activated.
2) While defining the ACL, you can use the rule command several times to define multiple rules for an ACL.
3) If the ACL is used to filter or classify the data transmitted by the switch hardware, the match order defined in the acl command is not effective. If the ACL is used to filter or classify the data processed by the switch software, the match order of the ACL's sub-rules is effective. Besides, once the user specifies the match order of an ACL rule, it cannot be modified later.
4) The default match order of an ACL is config, i.e. the order configured by the user.

I. Define basic ACL
The rules of a basic ACL are defined on the basis of the Layer-3 source IP address to analyze the data packets. Use the following commands in the corresponding view to define a basic ACL.

Table 1-5 Define basic ACL

Enter basic ACL view (from system view):
  acl { number acl-number | name acl-name basic } [ match-order { config | auto } ]
Add a sub-item to the ACL (from basic ACL view):
  rule [ rule-id ] { permit | deny } [ source source-addr wildcard | any ] [ fragment ] [ time-range name ]
Delete a sub-item from the ACL (from basic ACL view):
  undo rule rule-id [ source ] [ fragment ] [ time-range ]
Delete one ACL or all the ACLs (from system view):
  undo acl { number acl-number | name acl-name | all }


II. Define advanced ACL
The classification rules of an advanced ACL are defined on the basis of attributes such as source and destination IP address, the TCP or UDP port number in use and packet priority to process the data packets. The advanced ACL supports the analysis of three kinds of packet priority: ToS (Type of Service), IP precedence and DSCP.

Note: For S3526 series and S3026 F switches, there are some limits:
1) The protocol type (the parameter protocol in the rule command) cannot be configured if the user configures IP-any, any-IP, NET-any or any-NET rules (rules whose source IP address is a host IP address or NET segment address and whose destination address is any, or whose source IP address is any and whose destination address is a host IP address or NET segment address). Otherwise the system will prompt that the configuration is not available.
2) The ToS, IP precedence and DSCP priority parameters are not supported when defining an advanced ACL.
3) The parameter icmp-type is only supported when the user defines an advanced ACL. ICMP packet type and code (the parameter type code in the rule command) cannot be configured. Otherwise the system will prompt that the configuration is not available.

Use the following commands in the corresponding view to define an advanced ACL.

Table 1-6 Define advanced ACL

Enter advanced ACL view (from system view):
  acl { number acl-number | name acl-name advanced } [ match-order { config | auto } ]
Add a sub-item to the ACL (from advanced ACL view):
  rule [ rule-id ] { permit | deny } protocol [ source source-addr wildcard | any ] [ destination dest-addr wildcard | any ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type type code ] [ established ] [ [ precedence precedence | tos tos ]* | dscp dscp ] [ fragment ] [ time-range name ]
Delete a sub-item from the ACL (from advanced ACL view):
  undo rule rule-id [ source ] [ destination ] [ source-port ] [ destination-port ] [ icmp-type ] [ precedence ] [ tos ] [ dscp ] [ fragment ] [ time-range ]
Delete one ACL or all the ACLs (from system view):
  undo acl { number acl-number | name acl-name | all }

The advanced ACL is identified with numbers ranging from 3000 to 3999. Note that port1 and port2 in the above command specify the TCP or UDP ports used by various high-layer applications. For some common port numbers, you can use the mnemonic symbols as a shortcut. For example, "bgp" can represent the TCP port number 179 used by BGP.

III. Define Layer-2 ACL
The rules of a Layer-2 ACL are defined on the basis of Layer-2 information such as source MAC address, source VLAN ID, Layer-2 protocol type, the Layer-2 ports receiving and forwarding the packet, and destination MAC address to process the data packets. Use the following commands in the corresponding view to define a numbered Layer-2 ACL.

Table 1-7 Define Layer-2 ACL

Enter Layer-2 ACL view (from system view):
  acl { number acl-number | name acl-name link } [ match-order { config | auto } ]
Add a sub-item to the ACL (from Layer-2 ACL view):
  rule [ rule-id ] { permit | deny } [ ingress { { source-vlan-id | source-mac-addr | interface { interface-name | interface-type interface-num } }* | any } ] [ egress { { destination-vlan-id | dest-mac-addr | interface { interface-name | interface-type interface-num } }* | any } ] [ time-range name ]
Delete a sub-item from the ACL (from Layer-2 ACL view):
  undo rule rule-id
Delete one ACL or all the ACLs (from system view):
  undo acl { number acl-number | name acl-name | all }

Layer-2 ACL can be identified with numbers ranging from 4000 to 4999. The interface in the above command specifies the Layer-2 interface, such as the Ethernet port of a switch.

1.2.3 Activate ACL
A defined ACL takes effect only after it is activated globally on the switch. This function activates the ACL to filter or classify the data transmitted by the switch hardware. Use the following commands in system view to activate a defined ACL.

Table 1-8 Activate ACL

Activate an ACL:
  packet-filter { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }
Deactivate an ACL:
  undo packet-filter { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }


S3526 has some restrictions on ACL configuration when implementing QoS functions using traffic classification. The restrictions are listed in the following table.

Table 1-9 ACL configuration restriction for QoS function in S3526

QoS function: Packet filter
Implementation:
  packet-filter { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }
Restrictions on ACL configuration: Packet filter only supports ACLs with the deny operation. The Layer-2 ACL supports the rules of MAC-MAC, MAC-PORT, PORT-PORT, MAC-ANY, ANY-MAC, PORT-ANY and ANY-PORT. The Layer-3 ACL supports the rules of IP-IP, IP-NET, NET-NET, IP-ANY, ANY-IP, NET-ANY and ANY-NET.

Note:
1) The Layer-3 ACL includes the advanced ACL.
2) In the description of the rules: MAC means a MAC address, PORT a switch port, IP a host IP address, ANY any MAC address in a Layer-2 ACL and any IP address in a Layer-3 ACL, and NET a segment IP address. The MAC, IP, ANY, NET and PORT before the character "-" represent the source address or receiving port; the ones after it represent the destination address or transmitting port. MAC-MAC stands for a Layer-2 ACL rule from source MAC address to destination MAC address, such as "rule 0 permit ingress 00e0-fc01-0101 1 egress 00e0-fc01-0102 1 time-range huawei". PORT-PORT stands for a Layer-2 ACL rule from receiving Ethernet port to sending Ethernet port, such as "rule 0 permit ingress interface ethernet0/1 egress interface ethernet 0/2 time-range huawei". MAC-PORT stands for a Layer-2 ACL rule from source MAC address to sending Ethernet port, such as "rule 0 permit ingress 00e0-fc01-0101 1 egress interface ethernet 0/1 time-range huawei". IP-IP stands for a Layer-3 ACL rule from source host IP address to destination host IP address (the wildcard parameter can only be 0), such as "rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 time-range huawei". NET-NET stands for a Layer-3 ACL rule from source segment IP address to destination segment IP address (the wildcard parameter cannot be 0), such as "rule 0 permit ip source 1.1.1.1 0.0.255.255 destination 2.2.2.2 0.0.255.255 time-range huawei". MAC-any stands for a Layer-2 ACL rule from source MAC address to any destination MAC address, such as "rule 0 permit ingress 00e0-fc01-0101 1 egress any time-range huawei"; the any-MAC, IP-any, any-IP, NET-any and any-NET rules are defined likewise.
3) For the MAC-MAC rule, the source and destination MAC addresses must be configured in the same VLAN. That is, configure the same VLAN ID for the source and destination MAC addresses when defining the ACL.
4) For the rules of IP-any, any-IP, NET-any and any-NET, S3526 does not support packet filtering of specific protocols. You can only configure the protocol type as IP (the value of the parameter protocol in the rule command can only be IP) when defining these types of rules on S3526. Otherwise, an error is returned when the rule is confirmed.
5) IP-IP, MAC-MAC, MAC-PORT, PORT-PORT, PORT-MAC, IP-NET and NET-NET rules function in both directions: when the user defines a rule to filter packets from the source address to the destination address, the rule also filters packets from the destination address to the source address. The rules of IP-any, any-IP, NET-any, any-NET, MAC-any and any-MAC function only in the one direction the user defined.
6) For S3526, S3526 FM and S3526 FS switches, the parameter icmp-type is only supported when the user defines an advanced ACL. ICMP packet type and code (the parameter type code in the rule command) cannot be configured. Otherwise the system will prompt that the configuration is not available.
7) The restrictions corresponding to each QoS function describe the ACL rules available when configuring that function. Other ACL rules cannot be used to implement that function on S3526; otherwise, the system returns an error prompt.
8) Define the ACL rules to be used before implementing a QoS function.

1.2.4 Display and Debug ACL
After the above configuration, execute the display commands in any view to display the running state of the ACL configuration and verify the effect of the configuration. Execute the reset command in user view to clear the statistics of the ACL module.

Table 1-10 Display and Debug ACL

Display the status of the time range:
  display time-range { all | name }
Display the detailed information about the ACL:
  display acl config { all | acl-number | acl-name }
Display the information about the ACL running state:
  display acl running-packet-filter all
Clear ACL counters:
  reset acl counter { all | acl-number | acl-name }

The match information of the display acl config command covers the rules processed by the switch's CPU. The match information for data transmitted by the switch hardware can be displayed with the display qos-global traffic-statistic command. For syntax description, refer to the Command Manual.

1.3 Configure ACL of S3526E and S3526C
ACL configuration includes:
1) Configure time range
2) Define ACL
3) Activate ACL
The above three steps should be taken in sequence: configure the time range first, then define the ACL (using the defined time range in the definition), and then activate the ACL to make it take effect.


1.3.1 Configure Time-Range
The process of configuring a time range includes configuring the hour-minute range, the date range and the periodic range. The hour-minute range is expressed in minutes and hours. The date range is expressed in minutes, hours, date, month and year. The periodic time range is expressed in days of the week. Use the following commands in system view to set the time range.

Table 1-11 Set the absolute time range

Set the absolute time range:
  time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] }
Delete the absolute time range:
  undo time-range time-name [ start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] ]

When start-time and end-time are not configured, the range covers the whole day. The end time must be later than the start time. When end-time end-date is not configured, the range lasts from now until the latest date the system can display. Again, the end time must be later than the start time.

1.3.2 Define ACL
Huawei switches support several kinds of ACLs. This section introduces how to define them. Define an ACL by following the steps below:
1) Enter the corresponding ACL view
2) Add a rule to the ACL

You can add multiple rules to one ACL.

Note:
1) If a specific time range is not defined, the ACL always functions once activated.
2) While defining the ACL, you can use the rule command several times to define multiple rules for an ACL.
3) If the ACL is used to filter or classify the data transmitted by the switch hardware, the match order defined in the acl command is not effective. If the ACL is used to filter or classify the data processed by the switch software, the match order of the ACL's sub-rules is effective. Besides, once the user specifies the match order of an ACL rule, it cannot be modified later.
4) The default match order of an ACL is config, i.e. the order configured by the user.

I. Define basic ACL
The rules of a basic ACL are defined on the basis of the Layer-3 source IP address to analyze the data packets. Use the following commands in the corresponding view to define a basic ACL.

Table 1-12 Define basic ACL

Enter basic ACL view (from system view):
  acl { number acl-number | name acl-name basic } [ match-order { config | auto } ]
Add a sub-item to the ACL (from basic ACL view):
  rule [ rule-id ] { permit | deny } [ source source-addr wildcard | any ] [ fragment ] [ time-range name ]
Delete a sub-item from the ACL (from basic ACL view):
  undo rule rule-id [ source ] [ fragment ] [ time-range ]
Delete one ACL or all the ACLs (from system view):
  undo acl { number acl-number | name acl-name | all }

II. Define advanced ACL
The classification rules of an advanced ACL are defined on the basis of attributes such as source and destination IP address, the TCP or UDP port number in use and packet priority to process the data packets. The advanced ACL supports the analysis of three kinds of packet priority: ToS (Type of Service), IP precedence and DSCP. Use the following commands in the corresponding view to define an advanced ACL.

Table 1-13 Define advanced ACL

Enter advanced ACL view (from system view):
  acl { number acl-number | name acl-name advanced } [ match-order { config | auto } ]
Add a sub-item to the ACL (from advanced ACL view):
  rule [ rule-id ] { permit | deny } protocol [ source source-addr wildcard | any ] [ destination dest-addr wildcard | any ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type type code ] [ established ] [ [ precedence precedence | tos tos ]* | dscp dscp ] [ fragment ] [ time-range name ]
Delete a sub-item from the ACL (from advanced ACL view):
  undo rule rule-id [ source ] [ destination ] [ source-port ] [ destination-port ] [ icmp-type ] [ precedence ] [ tos ] [ dscp ] [ fragment ] [ time-range ]
Delete one ACL or all the ACLs (from system view):
  undo acl { number acl-number | name acl-name | all }


The advanced ACL is identified with numbers ranging from 3000 to 3999. Note that port1 and port2 in the above command specify the TCP or UDP ports used by various high-layer applications. For some common port numbers, you can use the mnemonic symbols as a shortcut. For example, "bgp" can represent the TCP port number 179 used by BGP.

III. Define Layer-2 ACL
The rules of a Layer-2 ACL are defined on the basis of Layer-2 information such as source MAC address, source VLAN ID, Layer-2 protocol type, the Layer-2 ports receiving and forwarding the packet, and destination MAC address to process the data packets. Use the following commands in the corresponding view to define a numbered Layer-2 ACL.

Table 1-14 Define Layer-2 ACL

Enter Layer-2 ACL view (from system view):
  acl { number acl-number | name acl-name link } [ match-order { config | auto } ]
Add a sub-item to the ACL (from Layer-2 ACL view):
  rule [ rule-id ] { permit | deny } [ protocol ] [ cos vlan-pri ] [ ingress { { source-vlan-id | source-mac-addr source-mac-wildcard | interface { interface-name | interface-type interface-num } }* | any } ] [ egress { { dest-mac-addr dest-mac-wildcard | interface { interface-name | interface-type interface-num } }* | any } ] [ time-range name ]
Delete a sub-item from the ACL (from Layer-2 ACL view):
  undo rule rule-id
Delete one ACL or all the ACLs (from system view):
  undo acl { number acl-number | name acl-name | all }

Layer-2 ACL can be identified with numbers ranging from 4000 to 4999. The interface in the above command specifies the Layer-2 interface, such as the Ethernet port of a switch.

IV. Define user-defined ACL
The user-defined ACL matches any bytes in the first 80 bytes of the Layer-2 data frame with the character string defined by the user and then processes them accordingly. To correctly use the user-defined ACL, you are required to understand the Layer-2 data frame structure. The figure below shows the first 64 bytes of the Layer-2 data frame. (Every letter represents a hexadecimal number and every two letters are one byte.)


Figure 1-1 The first 64 bytes of data frame

The table below lists the meaning and offset of each letter.

Table 1-15 Letters and their meanings

Letter (offset): Meaning
A (0): Destination MAC address
B (6): Source MAC address
C (12): Data frame length field
D (14): VLAN tag field
E (18): DSAP (Destination Service Access Point) field
F (19): SSAP (Source Service Access Point) field
G (20): Ctrl field
H (21): org code field
I (24): Encapsulated Data type
J (26): IP version
K (27): TOS field
L (28): IP packet length
M (30): ID number
N (32): Flags field
O (34): TTL field
P (35): Protocol number (6 is TCP and 17 is UDP)
Q (36): IP checksum
R (38): Source IP address
S (42): Destination IP address
T (46): TCP source port
U (48): TCP destination port
V (50): Sequence number
W (54): Acknowledgement field
XY (58): IP header length and currently unused bit
Z (59): Currently unused bits and flags bit
a (60): Window Size field
b (62): Others

The offsets listed in the above table are the field offsets in the SNAP+tag 802.3 data frame. In a user-defined ACL, you can use the rule mask and offset parameters to select any bytes from the first 64 bytes of the data frame and compare them with the user-defined rule, so as to filter the matching data frames and process them accordingly. The rules defined by the user can be some fixed properties of the data. For example, to filter all TCP packets, define the rule as "06", the rule mask as "FF" and the offset as 35. In this case, the rule mask together with the offset picks out the protocol number field from the data frame and compares it with the user-defined rule string, thereby selecting all TCP packets.

Note: When defining a user-defined ACL, calculate and set the correct offsets according to the SNAP+tag format data frames of the 802.3 standard described above.
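The rule-string, rule-mask and offset matching described above, applied to a SNAP+tag 802.3 frame constructed from the Table 1-15 layout: an added example, not the switch's implementation. The frame contents, the sample ACL and the helper names are constructed for illustration.

```python
"""User-defined ACL matching: rule-string / rule-mask / offset over a Layer-2 frame.

Added example, not the switch's implementation. The frame is constructed here
following the SNAP+tag 802.3 layout of Table 1-15; its MAC/IP values and the
sample ACL are made up for illustration.
"""
import struct
from typing import List, Optional, Tuple

Group = Tuple[str, str, int]   # (rule-string hex, rule-mask hex, byte offset)


def build_snap_tag_frame(proto: int, src_ip: str, dst_ip: str,
                         sport: int, dport: int) -> bytes:
    """Construct a 64-byte SNAP+tag 802.3 frame with the field offsets of Table 1-15."""
    ip = lambda s: bytes(int(x) for x in s.split("."))
    f = bytearray()
    f += bytes.fromhex("00e0fc010102")       # 0: destination MAC (constructed)
    f += bytes.fromhex("00e0fc010101")       # 6: source MAC (constructed)
    f += struct.pack("!H", 46)               # 12: data frame length field
    f += struct.pack("!HH", 0x8100, 1)       # 14: VLAN tag field (TPID, VLAN 1)
    f += bytes([0xAA, 0xAA, 0x03])           # 18: DSAP, 19: SSAP, 20: Ctrl
    f += bytes([0x00, 0x00, 0x00])           # 21: org code
    f += struct.pack("!H", 0x0800)           # 24: encapsulated data type (IP)
    f += bytes([0x45, 0x00])                 # 26: IP version/header length, 27: TOS
    f += struct.pack("!H", 40)               # 28: IP packet length
    f += struct.pack("!H", 0x1234)           # 30: ID number
    f += struct.pack("!H", 0x4000)           # 32: flags field
    f += bytes([64, proto])                  # 34: TTL, 35: protocol number
    f += struct.pack("!H", 0)                # 36: IP checksum (not computed here)
    f += ip(src_ip)                          # 38: source IP address
    f += ip(dst_ip)                          # 42: destination IP address
    f += struct.pack("!HH", sport, dport)    # 46: source port, 48: destination port
    f += struct.pack("!II", 1, 0)            # 50: sequence number, 54: acknowledgement
    f += bytes([0x50, 0x02])                 # 58: header length, 59: flags (SYN)
    f += struct.pack("!H", 8192)             # 60: window size
    f += b"\x00" * (64 - len(f))             # 62: others
    return bytes(f)


def group_matches(frame: bytes, group: Group) -> bool:
    """One rule-string/rule-mask/offset group: (frame bytes & mask) == (rule-string & mask)."""
    rule_string, rule_mask, offset = group
    want, mask = bytes.fromhex(rule_string), bytes.fromhex(rule_mask)
    if len(want) != len(mask):
        raise ValueError("rule-string and rule-mask must have the same length")
    chunk = frame[offset:offset + len(want)]
    if len(chunk) < len(want):      # offset reaches past the inspected bytes
        return False
    return all((c & m) == (w & m) for c, m, w in zip(chunk, mask, want))


def rule_matches(frame: bytes, groups: List[Group]) -> bool:
    """A rule takes 1 to 8 groups ({ rule-string rule-mask offset }&<1-8>); all must match."""
    if not 1 <= len(groups) <= 8:
        raise ValueError("a user-defined rule takes between 1 and 8 groups")
    return all(group_matches(frame, g) for g in groups)


# Constructed user-defined ACL, evaluated in configuration order (first match wins):
# rule 0: deny TCP (06 at offset 35) to destination port 23 (0017 at offset 48)
# rule 1: permit any other TCP frame, the example from the text (06 / FF / 35)
# rule 2: permit IPv4 by checking only the version nibble at offset 26 (mask F0)
SAMPLE_ACL = [
    ("deny", [("06", "FF", 35), ("0017", "FFFF", 48)]),
    ("permit", [("06", "FF", 35)]),
    ("permit", [("40", "F0", 26)]),
]


def evaluate(frame: bytes, acl=SAMPLE_ACL) -> Optional[str]:
    """Return the action of the first matching rule, or None when nothing matches."""
    for action, groups in acl:
        if rule_matches(frame, groups):
            return action
    return None


def classify(proto: int, dport: int) -> Optional[str]:
    """Build a frame with the given protocol and destination port and evaluate it."""
    frame = build_snap_tag_frame(proto, "10.1.1.1", "10.2.2.2", 40000, dport)
    return evaluate(frame)
```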


Use the following commands in the corresponding view to define a user-defined ACL.

Table 1-16 Define user-defined ACL

Enter user-defined ACL view (from system view):
  acl { number acl-number | name acl-name user } [ match-order { config | auto } ]
Add a sub-item to the ACL (from user-defined ACL view):
  rule [ rule-id ] { permit | deny } { rule-string rule-mask offset }&<1-8> [ time-range name ]
Delete a sub-item from the ACL (from user-defined ACL view):
  undo rule rule-id
Delete one ACL or all the ACLs (from system view):
  undo acl { number acl-number | name acl-name | all }

User-defined ACLs are identified by numbers in the range 5000 to 5999.

1.3.3 Activate ACL
A defined ACL takes effect only after it is activated globally on the switch. Activation makes the switch hardware filter or classify the forwarded data according to the ACL. You can use the following command to activate a defined ACL. Perform the following configuration in system view.

Table 1-17 Activate ACL

Operation: Activate an ACL
Command: packet-filter { user-group { acl-number | acl-name } [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* }

Operation: Deactivate an ACL
Command: undo packet-filter { user-group { acl-number | acl-name } [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* }

Note: This command can activate a Layer-2 ACL and an IP ACL (basic or advanced) at the same time; however, the actions of the combined items must be consistent. If the actions conflict (one is permit and the other is deny), the combination cannot be activated.

1.3.4 Display and Debug ACL
After the above configuration, execute the display command in any view to show the running ACL configuration and verify the effect of the configuration. Execute the reset command in user view to clear the statistics of the ACL module.

Table 1-18 Display and Debug ACL

Operation: Display the status of the time range
Command: display time-range { all | name }

Operation: Display the detailed information about the ACL
Command: display acl config { all | acl-number | acl-name }

Operation: Display the information about the ACL running state
Command: display acl running-packet-filter all

Operation: Clear ACL counters
Command: reset acl counter { all | acl-number | acl-name }

The match counts shown by the display acl config command cover only the packets handled by the switch CPU. Match counts for the packets forwarded by the switch hardware are shown by the display qos-global traffic-statistic command. For syntax descriptions, refer to the Command Manual.

1.4 Configure ACL of S3552 Series Ethernet Switches
S3552 Series Ethernet Switches include the S3552G, S3552P, S3528G and S3528P Ethernet Switches. ACL configuration includes:
1) Configure time range
2) Define ACL
3) Activate ACL
The three steps should be taken in sequence: configure the time range first, then define the ACL (referencing the defined time range in the definition), and finally activate the ACL so that it takes effect.

1.4.1 Configure Time-Range
Configuring a time range consists of configuring the hour-minute range, the date range and the periodic range. The hour-minute range is expressed in minutes and hours. The date range is expressed in minutes, hours, date, month and year. The periodic time range is expressed in days of the week. You can use the following command to set the time range. Perform the following configuration in system view.

Table 1-19 Set the absolute time range

Operation: Set the absolute time range
Command: time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] }

Operation: Delete the absolute time range
Command: undo time-range time-name [ start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] ]


When start-time and end-time are not configured, the range covers the whole day. The end time must be later than the start time. When end-time end-date is not configured, the range lasts from now until the latest date the system can display. The end date and time must be later than the start date and time.

1.4.2 Define ACL
Huawei switches support several kinds of ACLs. This section describes how to define them. Define an ACL by following the steps below:
1) Enter the corresponding ACL view.
2) Add a rule to the ACL.

You can add multiple rules to one ACL.

Note:
1) If no time range is specified, the ACL is always in effect once activated.
2) While defining an ACL, you can use the rule command several times to define multiple rules for the ACL.
3) If the ACL is used to filter or classify data forwarded by the switch hardware, the match order specified in the acl command has no effect. If the ACL is used to filter or classify data handled by the switch software, the match order of the ACL's sub-rules does take effect. Once the match order of an ACL has been specified, it cannot be modified later.
4) The default match order of an ACL is config, i.e. the order in which the user configured the rules.

I. Define basic ACL
The rules of a basic ACL are defined on the basis of the Layer-3 source IP address to analyze the data packets. You can use the following command to define a basic ACL. Perform the following configuration in the corresponding view.

Table 1-20 Define basic ACL

Operation: Enter basic ACL view (from system view)
Command: acl { number acl-number | name acl-name basic } [ match-order { config | auto } ]

Operation: Add a sub-item to the ACL (from basic ACL view)
Command: rule [ rule-id ] { permit | deny } [ source source-addr wildcard | any ] [ fragment ] [ time-range name ]

Operation: Delete a sub-item from the ACL (from basic ACL view)
Command: undo rule rule-id [ source ] [ fragment ] [ time-range ]

Operation: Delete one ACL or all ACLs (from system view)
Command: undo acl { number acl-number | name acl-name | all }

II. Define advanced ACL
The classification rules of an advanced ACL are defined on the basis of attributes such as source and destination IP address, the TCP or UDP port number in use and packet priority. An advanced ACL supports analysis of three kinds of packet priority: ToS (Type of Service), IP precedence and DSCP. You can use the following command to define an advanced ACL. Perform the following configuration in the corresponding view.

Table 1-21 Define advanced ACL

Operation: Enter advanced ACL view (from system view)
Command: acl { number acl-number | name acl-name advanced } [ match-order { config | auto } ]

Operation: Add a sub-item to the ACL (from advanced ACL view)
Command: rule [ rule-id ] { permit | deny } protocol [ source source-addr wildcard | any ] [ destination dest-addr dest-mask | any ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type type code ] [ established ] [ [ precedence precedence | tos tos ]* | dscp dscp ] [ fragment ] [ time-range name ]

Operation: Delete a sub-item from the ACL (from advanced ACL view)
Command: undo rule rule-id [ source ] [ destination ] [ source-port ] [ destination-port ] [ icmp-type ] [ precedence ] [ tos ] [ dscp ] [ fragment ] [ time-range ]

Operation: Delete one ACL or all ACLs (from system view)
Command: undo acl { number acl-number | name acl-name | all }

Advanced ACLs are identified by numbers in the range 3000 to 3999. Note that port1 and port2 in the above command specify the TCP or UDP ports used by high-layer applications. For some common port numbers you can use mnemonic symbols as shortcuts; for example, bgp represents TCP port 179 used by BGP.
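How the basic and advanced rule parameters above combine at evaluation time, as an added Python model (not the switch's own code): it implements the source/destination address plus wildcard, the any keyword, destination-port with the eq operator and the time-range reference, and evaluates rules first-match in the order they were configured, which is the config match order the note describes for the software path (the hardware path ignores rule order, as the note says). Only the start-time to end-time days-of-the-week form of time-range is modelled, with the daily and working-day keywords. The ACL contents, the class names and the dates are this example's own constructions; the rule order (specific permit before the time-limited deny) is chosen for this first-match model.

```python
"""Software model of basic/advanced ACL rule evaluation with wildcards and a time range.

Added example, not the switch's implementation. Rule fields mirror the rule
command parameters; `None` stands for the `any` keyword.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional


def ip_to_int(addr: str) -> int:
    a, b, c, d = (int(o) for o in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(addr: str, rule_addr: Optional[str], wildcard: str = "0") -> bool:
    """A 1 bit in the wildcard means "don't care": 0 (or 0.0.0.0) demands an exact
    host match, 0.0.255.255 matches a /16 segment. rule_addr None models `any`."""
    if rule_addr is None:
        return True
    wc = ip_to_int(wildcard) if "." in wildcard else int(wildcard)
    care = 0xFFFFFFFF & ~wc
    return (ip_to_int(addr) & care) == (ip_to_int(rule_addr) & care)


@dataclass
class TimeRange:
    name: str
    start: str = "0:00"      # hour:minute, inclusive
    end: str = "24:00"       # hour:minute, exclusive
    days: str = "daily"      # daily | working-day (Monday to Friday)

    def active(self, when: datetime) -> bool:
        sh, sm = (int(x) for x in self.start.split(":"))
        eh, em = (int(x) for x in self.end.split(":"))
        minute = when.hour * 60 + when.minute
        in_hours = sh * 60 + sm <= minute < eh * 60 + em
        in_days = True if self.days == "daily" else when.weekday() < 5
        return in_hours and in_days


@dataclass
class Rule:
    rule_id: int
    action: str                               # permit | deny
    protocol: str = "ip"                      # ip matches every IP protocol; else tcp, udp, ...
    source: Optional[str] = None              # None models `any`
    source_wc: str = "0"
    destination: Optional[str] = None
    destination_wc: str = "0"
    destination_port: Optional[int] = None    # models `destination-port eq port`
    time_range: Optional[str] = None


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "tcp"
    dst_port: int = 80


@dataclass
class Acl:
    name: str
    rules: List[Rule] = field(default_factory=list)
    time_ranges: Dict[str, TimeRange] = field(default_factory=dict)

    def evaluate(self, pkt: Packet, when: datetime) -> Optional[str]:
        """First matching rule in configured order wins. None means no rule matched;
        what the device then does is its default behaviour, not modelled here."""
        for r in self.rules:
            if r.time_range is not None and not self.time_ranges[r.time_range].active(when):
                continue   # the rule exists but is not in effect at this moment
            if r.protocol != "ip" and r.protocol != pkt.protocol:
                continue
            if not wildcard_match(pkt.src, r.source, r.source_wc):
                continue
            if not wildcard_match(pkt.dst, r.destination, r.destination_wc):
                continue
            if r.destination_port is not None and r.destination_port != pkt.dst_port:
                continue
            return r.action
        return None


# Constructed ACL: the Office of President host is permitted to the pay query server,
# everyone else is denied during working hours, and telnet from the 10.110.0.0/16
# segment is denied at all times.
PAYSERVER_ACL = Acl(
    name="traffic-of-payserver",
    time_ranges={"huawei": TimeRange("huawei", "8:00", "18:00", "working-day")},
    rules=[
        Rule(1, "permit", source="129.111.1.2", destination="129.110.1.2"),
        Rule(2, "deny", source=None, destination="129.110.1.2", time_range="huawei"),
        Rule(3, "deny", protocol="tcp", source="10.110.0.0", source_wc="0.0.255.255",
             destination_port=23),
    ],
)

WORKDAY_MORNING = datetime(2004, 3, 10, 9, 0)    # a Wednesday (constructed date)
WORKDAY_EVENING = datetime(2004, 3, 10, 20, 0)
SATURDAY_MORNING = datetime(2004, 3, 13, 9, 0)

if __name__ == "__main__":
    pkt = Packet("10.120.0.5", "129.110.1.2")
    for when in (WORKDAY_MORNING, WORKDAY_EVENING, SATURDAY_MORNING):
        print(when, PAYSERVER_ACL.evaluate(pkt, when))
```

Note that a rule whose time range is inactive is skipped entirely, so the packet then falls through to later rules; when no rule matches, evaluate returns None rather than guessing the device's default action.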

III. Define Layer-2 ACL
The rules of a Layer-2 ACL are defined on the basis of Layer-2 information such as source MAC address, source VLAN ID, Layer-2 protocol type, Layer-2 packet format and destination MAC address. You can use the following command to define the numbered Layer-2 ACL. Perform the following configuration in the corresponding view.


Table 1-22 Define Layer-2 ACL

Operation: Enter Layer-2 ACL view (from system view)
Command: acl { number acl-number | name acl-name link } [ match-order { config | auto } ]

Operation: Add a sub-item to the ACL (from Layer-2 ACL view)
Command: rule [ rule-id ] { permit | deny } [ cos vlan-pri ] [ ingress { { source-vlan-id | source-mac-addr source-mac-wildcard }* | any } ] [ egress { { dest-vlan-id | dest-mac-addr dest-mac-wildcard }* | any } ] [ tagged | untagged ] [ time-range name ]

Operation: Delete a sub-item from the ACL (from Layer-2 ACL view)
Command: undo rule rule-id

Operation: Delete one ACL or all ACLs (from system view)
Command: undo acl { number acl-number | name acl-name | all }

Layer-2 ACLs are identified by numbers in the range 4000 to 4999.

1.4.3 Activate ACL
A defined ACL takes effect only after it is activated on the switch. Activation makes the switch hardware filter or classify the forwarded data according to the ACL. You can use the following command to activate a defined ACL. Perform the following configuration in Ethernet port view.

Table 1-23 Activate ACL

Operation: Activate an ACL
Command: packet-filter inbound { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }

Operation: Deactivate an ACL
Command: undo packet-filter inbound { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }

1.4.4 Display and Debug ACL
After the above configuration, execute the display command in any view to show the running ACL configuration and verify the effect of the configuration. Execute the reset command in user view to clear the statistics of the ACL module.

Table 1-24 Display and Debug ACL

Operation: Display the status of the time range
Command: display time-range { all | name }

Operation: Display the detailed information about the ACL
Command: display acl config { all | acl-number | acl-name }

Operation: Display the information about the ACL running state
Command: display acl running-packet-filter all

Operation: Clear ACL counters
Command: reset acl counter { all | acl-number | acl-name }


The match counts shown by the display acl config command cover only the packets handled by the switch CPU. Match counts for the packets forwarded by the switch hardware are shown by the display qos-interface traffic-statistic command. For syntax descriptions, refer to the Command Manual.

1.5 ACL Configuration Example of S3526 Series Switches
1.5.1 Advanced ACL Configuration Example
I. Networking requirements
The interconnection between different departments of a company network is implemented through the 100M ports of the Ethernet switch. The payment query server of the Financial Dept. is accessed via Ethernet1/1 (at 129.110.1.2). It is required to configure an ACL that restricts department access to the payment query server between 8:00 and 18:00.

II. Networking diagram
(Figure 1-2 shows the Office of President (129.111.1.2) and the pay query server (129.110.1.2) attached to the switch, and the Financial Department (subnet address 10.120.0.0) and Administration Department (subnet address 10.110.0.0) attached through switch ports #1 to #4, with a further connection to a router.)

Figure 1-2 Access control configuration example

III. Configuration procedure

Note: In the following configurations, only the commands related to ACL configurations are listed.


1) Define the work time range
# Define time range from 8:00 to 18:00.
[Quidway] time-range huawei 8:00 to 18:00 working-day
2) Define the ACL to access the payment server.
# Enter the named advanced ACL, named as traffic-of-payserver.
[Quidway] acl name traffic-of-payserver advanced match-order config
# Define the rules for other departments to access the payment server.
[Quidway-acl-adv-traffic-of-payserver] rule 1 deny ip source any destination 129.110.1.2 0.0.0.0 time-range huawei
3) Activate ACL.
# Activate the ACL traffic-of-payserver.
[Quidway] packet-filter ip-group traffic-of-payserver

1.5.2 Basic ACL Configuration Example
I. Networking requirements
Using a basic ACL, filter packets whose source IP address is 10.1.1.1 during the time range 8:00 to 18:00 every day.

II. Networking diagram

(Figure 1-3 shows the switch with port #1 connected to a router.)

Figure 1-3 Access control configuration example

III. Configuration procedure

Note: In the following configurations, only the commands related to ACL configurations are listed.

1) Define the time range
# Define time range from 8:00 to 18:00.
[Quidway] time-range huawei 8:00 to 18:00 daily
2) Define the ACL for packets whose source IP is 10.1.1.1.
# Enter the named basic ACL, named as traffic-of-host.
[Quidway] acl name traffic-of-host basic
# Define the rules for packets whose source IP is 10.1.1.1.
[Quidway-acl-basic-traffic-of-host] rule 1 deny ip source 10.1.1.1 0 time-range huawei
3) Activate ACL.
# Activate the ACL traffic-of-host.
[Quidway] packet-filter ip-group traffic-of-host

1.5.3 Link ACL Configuration Example
I. Networking requirements
Using a Link ACL, filter packets whose source MAC address is 00e0-fc01-0101 and destination MAC address is 00e0-fc01-0303 during the time range 8:00 to 18:00 every day.

II. Networking diagram

(Figure 1-4 shows the switch with port #1 connected to a router.)

Figure 1-4 Access control configuration example

III. Configuration procedure

Note: In the following configurations, only the commands related to ACL configurations are listed.

1) Define the time range
# Define time range from 8:00 to 18:00.
[Quidway] time-range huawei 8:00 to 18:00 daily
2) Define the ACL for packets whose source MAC address is 00e0-fc01-0101 and destination MAC address is 00e0-fc01-0303.
# Enter the named link ACL, named as traffic-of-link.
[Quidway] acl name traffic-of-link link
# Define the rules for packets whose source MAC address is 00e0-fc01-0101 and destination MAC address is 00e0-fc01-0303.
[Quidway-acl-link-traffic-of-link] rule 1 deny ip ingress 00e0-fc01-0101 egress 00e0-fc01-0303 time-range huawei
3) Activate ACL.
# Activate the ACL traffic-of-link.
[Quidway] packet-filter link-group traffic-of-link

1.6 ACL Configuration Example of S3526E and S3526C
1.6.1 Advanced ACL Configuration Example
I. Networking requirements
The interconnection between different departments of a company network is implemented through the 100M ports of the Ethernet switch. The payment query server of the Financial Dept. is accessed via Ethernet1/1 (at 129.110.1.2). It is required to configure an ACL that restricts departments other than the Office of President from accessing the payment query server between 8:00 and 18:00. The Office of President (at 129.111.1.2) can access the server without limitation.


II. Networking diagram
(Figure 1-5 shows the Office of President (129.111.1.2) and the pay query server (129.110.1.2) attached to the switch, and the Financial Department (subnet address 10.120.0.0) and Administration Department (subnet address 10.110.0.0) attached through switch ports #1 to #4, with a further connection to a router.)

Figure 1-5 Access control configuration example

III. Configuration procedure

Note: In the following configurations, only the commands related to ACL configurations are listed.

1) Define the work time range
# Define time range from 8:00 to 18:00.
[Quidway] time-range huawei 8:00 to 18:00 working-day
2) Define the ACL to access the payment server.
# Enter the named advanced ACL, named as traffic-of-payserver.
[Quidway] acl name traffic-of-payserver advanced match-order config
# Define the rules for other departments to access the payment server.
[Quidway-acl-adv-traffic-of-payserver] rule 1 deny ip source any destination 129.110.1.2 0.0.0.0 time-range huawei
# Define the rules for the Office of President to access the payment server.
[Quidway-acl-adv-traffic-of-payserver] rule 2 permit ip source 129.111.1.2 0.0.0.0 destination 129.110.1.2 0.0.0.0
3) Activate ACL.
# Activate the ACL traffic-of-payserver.
[Quidway] packet-filter ip-group traffic-of-payserver

1.6.2 Basic ACL Configuration Example
I. Networking requirements
Using a basic ACL, filter packets whose source IP address is 10.1.1.1 during the time range 8:00 to 18:00 every day.

II. Networking diagram

(Figure 1-6 shows the switch with port #1 connected to a router.)

Figure 1-6 Access control configuration example

III. Configuration procedure

Note: In the following configurations, only the commands related to ACL configurations are listed.

1) Define the time range
# Define time range from 8:00 to 18:00.
[Quidway] time-range huawei 8:00 to 18:00 daily
2) Define the ACL for packets whose source IP is 10.1.1.1.
# Enter the named basic ACL, named as traffic-of-host.
[Quidway] acl name traffic-of-host basic
# Define the rules for packets whose source IP is 10.1.1.1.
[Quidway-acl-basic-traffic-of-host] rule 1 deny ip source 10.1.1.1 0 time-range huawei
3) Activate ACL.
# Activate the ACL traffic-of-host.
[Quidway] packet-filter ip-group traffic-of-host


1.6.3 Link ACL Configuration Example
I. Networking requirements
Using a Link ACL, filter packets whose source MAC address is 00e0-fc01-0101 and destination MAC address is 00e0-fc01-0303 during the time range 8:00 to 18:00 every day.

II. Networking diagram

(Figure 1-7 shows the switch with port #1 connected to a router.)

Figure 1-7 Access control configuration example

III. Configuration procedure

Note: In the following configurations, only the commands related to ACL configurations are listed.

1) Define the time range
# Define time range from 8:00 to 18:00.
[Quidway] time-range huawei 8:00 to 18:00 daily
2) Define the ACL for packets whose source MAC address is 00e0-fc01-0101 and destination MAC address is 00e0-fc01-0303.
# Enter the named link ACL, named as traffic-of-link.
[Quidway] acl name traffic-of-link link
# Define the rules for packets whose source MAC address is 00e0-fc01-0101 and destination MAC address is 00e0-fc01-0303.
[Quidway-acl-link-traffic-of-link] rule 1 deny ip ingress 00e0-fc01-0101 0-0-0 egress 00e0-fc01-0303 0-0-0 time-range huawei
3) Activate ACL.
# Activate the ACL traffic-of-link.
[Quidway] packet-filter link-group traffic-of-link

1.6.4 User-defined ACL Configuration Example
I. Networking requirements
Using a user-defined ACL, filter TCP packets during the time range 8:00 to 18:00 every day.

II. Networking diagram

(Figure 1-8 shows the switch with port #1 connected to a router.)

Figure 1-8 Access control configuration example

III. Configuration procedure

Note: In the following configurations, only the commands related to ACL configurations are listed.

1) Define the time range
# Define time range from 8:00 to 18:00.
[Quidway] time-range huawei 8:00 to 18:00 daily
2) Define the ACL for TCP packets.
# Enter the named user-defined ACL, named as traffic-of-tcp.
[Quidway] acl name traffic-of-tcp user
# Define the rule for TCP packets (rule string 06, mask ff, offset 35: the IP protocol field).
[Quidway-acl-user-traffic-of-tcp] rule 1 deny 06 ff 35 time-range huawei
3) Activate ACL.
# Activate the ACL traffic-of-tcp.
[Quidway] packet-filter user-group traffic-of-tcp

Chapter 2 QoS configuration
2.1 QoS Overview
In a traditional IP network, all packets are treated equally, without priority differences. Every switch or router handles packets on a First In First Out (FIFO) basis: it makes a best effort to transmit packets to their destination, without any commitment or guarantee regarding transmission reliability, delay or other performance requirements. With the rapid development of computer networks, more and more voice, image and important data are transferred in real time, and such traffic is sensitive to bandwidth, delay and jitter. This enriches the network's services; on the other hand, network congestion occurs more frequently, so users require higher Quality of Service (QoS) for transmission over the network.

Ethernet is the most widely used network technology today. It has been the dominant technology of independent Local Area Networks (LANs), and many Ethernet LANs have become part of the Internet. Moreover, as Ethernet continues to develop, it will become one of the major ways for ordinary users to access the Internet. To implement an end-to-end QoS solution across the whole network, the question of how to guarantee Ethernet QoS must be considered. This requires Ethernet switching devices to apply Ethernet QoS technology and deliver QoS guarantees at different levels to different types of traffic, especially traffic that requires shorter delay and lower jitter.

2.1.1 Traffic
Traffic refers to all packets passing through a switch.

2.1.2 Traffic Classification
Traffic classification means identifying packets with certain characteristics using a matching rule, called the classification rule, which the administrator sets according to actual requirements. The rule can be very simple: for example, traffic of different priorities can be identified by the ToS field in the IP packet header. There are also complex rules: for example, information from the link layer (Layer-2), network layer (Layer-3) and transport layer (Layer-4) taken together, such as MAC address, IP protocol, source IP address, destination IP address and application port number, can be used for traffic classification. Generally the classification criteria are carried in the packet headers; the packet payload is seldom used as a classification criterion.

2.1.3 Packet Filter
Packet filtering filters traffic. For example, the deny operation discards traffic that matches a traffic classification rule while allowing other traffic to pass. With complex traffic classification rules, Ethernet switches can filter on the various information carried in Layer-2 traffic and discard useless, unreliable or suspicious traffic, thereby enhancing network security. The two key steps of frame filtering are as follows.
Step 1: Classify the ingress traffic according to the classification rule.
Step 2: Filter the classified traffic, i.e. apply the deny operation, the default ACL operation.

2.1.4 Traffic Policing
To deliver better service with limited network resources, QoS polices the traffic of a specific user at the ingress, so that the assigned resources are put to better use.

2.1.5 Port traffic limit
The port traffic limit is a port-based limit on the overall rate of packets sent out of the port.

2.1.6 Redirection
You can specify a new port to forward the packets according to your requirements on the QoS policy.

2.1.7 Traffic Priority
The Ethernet Switch can deliver priority tag service for some special packets. The tags include TOS, DSCP and 802.1p, etc., which can be used and defined in different QoS modules.

2.1.8 Queue Scheduling
When congestion occurs, several packets compete for the resources. Three kinds of queue scheduling algorithms are used to overcome the problem: Strict-Priority Queue (SP), Weighted Round Robin (WRR) and Delay bounded WRR.
1) SP
(Figure 2-1 shows packets being classified into the high, middle, normal and bottom queues and dequeued in turn to the sending queue of the interface.)

Figure 2-1 SP

SP is designed for key service applications. A significant feature of such services is that they require priority treatment to reduce response delay when congestion occurs. Taking four egress queues per port as an example, SP divides the queues of a port into up to four kinds, high-priority, medium-priority, normal-priority and low-priority queues (Queue 3, 2, 1 and 0 respectively), with sequentially decreasing priority. When dispatching, SP strictly follows the priority order from high to low and sends the packets in the higher-priority queue first; only when the higher-priority queue is empty does it send the packets in the lower-priority queue. Thus, by placing the packets of key services in the higher-priority queue and the packets of lower-priority services, such as e-mail, in the lower-priority queue, the key service packets are guaranteed to be transmitted first, while the lower-priority packets are transmitted in the idle gaps between transmissions of higher-priority packets. SP has the drawback that when congestion occurs and many packets are queued in the higher-priority queue, transmitting them takes a long time while the packets in the lower-priority queue are continuously set aside without service.
2) WRR

Round-robin scheduling ensures that every queue gets some service time on the switch port. Taking four egress queues per port as an example, WRR gives every queue a weight (w3, w2, w1 and w0 respectively) for obtaining resources. For example, you can configure the WRR weights of a 100M port as 50, 30, 10, 10 (corresponding to w3, w2, w1 and w0 respectively). The low-priority queue is then guaranteed a minimum bandwidth of 10 Mbps, avoiding the SP case in which packets in the lower-priority queues may get no service for a long time. Another advantage of WRR is that although it is round-robin scheduling over multiple queues, service time is assigned to each queue flexibly: when a queue is empty, scheduling switches to the next queue immediately, making good use of the bandwidth resource.
3) Delay bounded WRR

Compared with common WRR, Delay bounded WRR also guarantees that the packets in the highest-priority queue leave the queue before the configured delay.
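The SP starvation problem and the WRR bandwidth guarantee described above, as an added Python simulation (not switch code). Queue 3 is the highest priority and queue 0 the lowest, as in the text; each scheduling slot sends one packet, so on a 100M port 100 slots stand for the port's full bandwidth, and the WRR weights are the text's 50, 30, 10, 10. The backlog vectors are constructed loads, and the function names are this example's own. Delay bounded WRR is not simulated, since the text gives only its guarantee and not its mechanism.

```python
"""Simulation of SP and WRR egress scheduling over four queues.

Added example, not switch code. `backlog[q]` is the constructed number of packets
waiting in queue q when scheduling starts; each slot transmits one packet.
"""
from typing import List

WRR_WEIGHTS = [10, 10, 30, 50]   # w0, w1, w2, w3 from the text's 100M port example


def schedule_sp(backlog: List[int], slots: int) -> List[int]:
    """Strict priority: every slot goes to the highest non-empty queue."""
    queues = list(backlog)
    sent = [0] * len(queues)
    for _ in range(slots):
        for q in range(len(queues) - 1, -1, -1):
            if queues[q] > 0:
                queues[q] -= 1
                sent[q] += 1
                break
    return sent


def schedule_wrr(backlog: List[int], weights: List[int], slots: int) -> List[int]:
    """Weighted round robin: in each round queue q may send up to weights[q] packets;
    an empty queue gives up its turn at once, so its share is not wasted."""
    queues = list(backlog)
    sent = [0] * len(queues)
    remaining = slots
    while remaining > 0 and any(queues):
        for q in range(len(queues) - 1, -1, -1):
            n = min(weights[q], queues[q], remaining)
            queues[q] -= n
            sent[q] += n
            remaining -= n
    return sent


def share(sent: List[int]) -> List[float]:
    """Fraction of the scheduled slots each queue received."""
    total = sum(sent)
    return [round(s / total, 2) for s in sent] if total else [0.0] * len(sent)


SATURATED = [1000, 1000, 1000, 1000]   # constructed: every queue holds more than it can send
LIGHT_TOP = [50, 50, 50, 20]           # constructed: the high-priority queue is nearly idle

if __name__ == "__main__":
    print("SP,  saturated:", schedule_sp(SATURATED, 100))                  # queue 0 starves
    print("WRR, saturated:", schedule_wrr(SATURATED, WRR_WEIGHTS, 100))    # 10% for queue 0
    print("SP,  light top:", schedule_sp(LIGHT_TOP, 100))
    print("WRR, light top:", schedule_wrr(LIGHT_TOP, WRR_WEIGHTS, 100))    # idle weight reused
```

Under a saturated high-priority queue SP sends nothing from queues 0 to 2 at all, which is the starvation the text warns about; under WRR queue 0 still receives its 10 slots out of 100, i.e. the 10 Mbps minimum on a 100M port, and when queue 3 runs dry its unused slots are redistributed to the others in the same round.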

2.1.9 Traffic Mirroring
The traffic mirroring function is carried out by copying the specified data packets to the monitoring port for network diagnosis and troubleshooting.

2.1.10 Traffic Counting
With the flow-based traffic counting, you can request a traffic count to count and analyze the packets.

2.2 Configure QoS of S3526 Series Switches
QoS configuration includes:
Set the port priority
Configure trust packet priority
Packet filter
Priority tag
Queue scheduling
Traffic mirroring
Traffic statistics
The S3526 has some restrictions on the ACLs that can be used to implement QoS functions through traffic classification. The restrictions are listed in the following table.

Table 2-1 ACL configuration restriction for QoS function in S3526

QoS function: Packet filter
Implementation: packet-filter { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }
Restrictions on ACL configuration: Packet filter only supports ACLs with the deny operation. The Layer-2 ACL supports the rules MAC-MAC, MAC-PORT, PORT-PORT, MAC-ANY, ANY-MAC, PORT-ANY and ANY-PORT. The Layer-3 ACL supports the rules IP-IP, IP-NET, NET-NET, IP-ANY, ANY-IP, NET-ANY and ANY-NET.

QoS function: Traffic mirroring
Implementation: mirrored-to { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] } interface { interface-name | interface-type interface-num }
Restrictions on ACL configuration: Traffic mirroring only supports ACLs with the permit operation. The Layer-2 ACL supports the rules MAC-MAC, MAC-PORT, PORT-PORT, MAC-ANY, ANY-MAC, PORT-ANY and ANY-PORT. The Layer-3 ACL supports the rules IP-IP, IP-NET, NET-NET, IP-ANY, ANY-IP, NET-ANY and ANY-NET.

QoS function: Traffic statistics
Implementation: traffic-statistic { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }
Restrictions on ACL configuration: Traffic statistics only supports ACLs with the permit operation. The Layer-2 ACL supports the rule MAC-MAC. The Layer-3 ACL supports the rule IP-IP, but not traffic statistics of specific protocols.

QoS function: Priority tag
Implementation: traffic-priority { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] } local-precedence pre-value
Restrictions on ACL configuration: The priority tag function only supports ACLs with the permit operation. The Layer-2 ACL supports the rules MAC-MAC, MAC-PORT, PORT-PORT, MAC-ANY, ANY-MAC, PORT-ANY and ANY-PORT. The Layer-3 ACL supports the rules IP-IP, IP-NET, NET-NET, IP-ANY, ANY-IP, NET-ANY and ANY-NET. For an ACL used in priority tagging, if two rules have the same destination IP address or destination MAC address, the new rule overwrites the previous one.


Note:
1) The Layer-3 ACL includes the advanced ACL.
2) In the description of the rules, MAC means a MAC address, PORT the switch port, IP a host IP address, ANY any MAC address in a Layer-2 ACL and any IP address in a Layer-3 ACL, and NET a segment IP address. The MAC, IP, ANY, NET or PORT before the "-" is the source address or receiving port; the one after it is the destination address or transmitting port. MAC-MAC stands for a Layer-2 ACL rule from source MAC address to destination MAC address, such as "rule 0 permit ingress 00e0-fc01-0101 1 egress 00e0-fc01-0102 1 time-range huawei". PORT-PORT stands for a Layer-2 ACL rule from receiving Ethernet port to transmitting Ethernet port, such as "rule 0 permit ingress interface ethernet0/1 egress interface ethernet 0/2 time-range huawei". MAC-PORT stands for a Layer-2 ACL rule from source MAC address to transmitting Ethernet port, such as "rule 0 permit ingress 00e0-fc01-0101 1 egress interface ethernet 0/1 time-range huawei". IP-IP stands for a Layer-3 ACL rule from source host IP address to destination host IP address (the wildcard parameter can only be 0), such as "rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 time-range huawei". NET-NET stands for a Layer-3 ACL rule from source segment IP address to destination segment IP address (the wildcard parameter cannot be 0), such as "rule 0 permit ip source 1.1.1.1 0.0.255.255 destination 2.2.2.2 0.0.255.255 time-range huawei". MAC-ANY stands for a Layer-2 ACL rule from a source MAC address to any destination MAC address, such as "rule 0 permit ingress 00e0-fc01-0101 1 egress any time-range huawei"; ANY-MAC, IP-ANY, ANY-IP, NET-ANY and ANY-NET rules are defined likewise.
3) For a MAC-MAC rule, the source and destination MAC addresses must be configured in the same VLAN, i.e. configure the same VLAN ID for the source and destination MAC addresses when defining the ACL.
4) For IP-ANY, ANY-IP, NET-ANY and ANY-NET rules, the S3526 does not support packet filtering of specific protocols. When defining these rule types on the S3526, you can only set the protocol type to IP (the protocol parameter of the rule command can only be IP); otherwise an error is returned when the rule is confirmed.
5) IP-IP and MAC-MAC rules function in both directions: if the user defines a rule to filter packets from a source address to a destination address, the rule also filters packets from the destination address back to the source address. IP-ANY, ANY-IP, NET-ANY, ANY-NET, MAC-ANY and ANY-MAC rules function only in the direction the user defined.
6) For S3526, S3526 FM and S3526 FS switches, the icmp-type parameter is supported only when the user defines an advanced ACL, and the ICMP packet type and code (the type code parameters of the rule command) cannot be configured; otherwise the system prompts that the configuration is not available.
7) The restrictions listed for each QoS function describe the ACL rules available for configuring that function. Other ACL rules cannot be used to implement that function on the S3526; otherwise the system returns an error prompt.
8) Define the ACL rules to be used before implementing a QoS function.
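The Layer-3 rule types and per-function restrictions of Table 2-1 and the note above, turned into an added pre-check in Python (not switch code, and not something the S3526 itself runs): it derives the rule type the note defines (IP = host address with wildcard 0, NET = segment address with a non-zero wildcard, ANY = any) from a rule's addresses, then checks the action and the rule type against what each QoS function accepts, applies note 4 (rules with an ANY side must use protocol IP) and note 5 (IP-IP rules act in both directions). Layer-2 MAC/PORT rule types are left out; the function and table names are this example's own.

```python
"""Pre-check of an S3526 Layer-3 ACL rule against the Table 2-1 restrictions.

Added example, not switch code. The accepted rule types and actions are taken
from Table 2-1 and the note that follows it; nothing else is assumed.
"""
from typing import Optional

ALL_L3_TYPES = {"IP-IP", "IP-NET", "NET-NET", "IP-ANY", "ANY-IP", "NET-ANY", "ANY-NET"}

# QoS function -> (required ACL action, accepted Layer-3 rule types), per Table 2-1
QOS_FUNCTIONS = {
    "packet-filter":     ("deny",   ALL_L3_TYPES),
    "mirrored-to":       ("permit", ALL_L3_TYPES),
    "traffic-statistic": ("permit", {"IP-IP"}),
    "traffic-priority":  ("permit", ALL_L3_TYPES),
}


def endpoint_type(addr: Optional[str], wildcard: str) -> str:
    """Classify one side of a rule the way the note does."""
    if addr is None:                      # the `any` keyword
        return "ANY"
    if wildcard in ("0", "0.0.0.0"):      # host address: wildcard 0
        return "IP"
    return "NET"                          # segment address: wildcard not 0


def rule_type(src: Optional[str], src_wc: str, dst: Optional[str], dst_wc: str) -> str:
    return f"{endpoint_type(src, src_wc)}-{endpoint_type(dst, dst_wc)}"


def is_bidirectional(rtype: str) -> bool:
    """Note 5: an IP-IP rule also matches traffic from the destination back to the source."""
    return rtype == "IP-IP"


def check_rule(function: str, action: str, protocol: str,
               src: Optional[str], src_wc: str, dst: Optional[str], dst_wc: str) -> Optional[str]:
    """Return None when the rule can be used with `function`, otherwise the reason it cannot."""
    if function not in QOS_FUNCTIONS:
        return f"unknown QoS function: {function}"
    required_action, accepted = QOS_FUNCTIONS[function]
    if action != required_action:
        return f"{function} only supports ACLs with the {required_action} operation"
    rtype = rule_type(src, src_wc, dst, dst_wc)
    if rtype not in accepted:
        return f"{function} does not support {rtype} rules"
    if "ANY" in rtype and protocol.lower() != "ip":
        return f"{rtype} rules must use protocol IP on the S3526 (note 4)"
    return None


if __name__ == "__main__":
    # constructed rules, checked against packet-filter and traffic-statistic
    print(check_rule("packet-filter", "deny", "ip", "1.1.1.1", "0", "2.2.2.2", "0.0.255.255"))
    print(check_rule("traffic-statistic", "permit", "ip", "1.1.1.1", "0.0.255.255", "2.2.2.2", "0"))
    print(check_rule("packet-filter", "deny", "tcp", "1.1.1.1", "0", None, "0"))
```

Running such a check before entering rules avoids the error prompt the note mentions, and is_bidirectional flags the IP-IP case where a filter written for one direction also blocks the return traffic, which is easy to overlook when the rule is read as one-way.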

2-6

Operation Manual - QoS/ACL Quidway S3500 Series Ethernet Switches

Chapter 2 QoS configuration

Before configuring the QoS tasks, you have to define the corresponding ACL. The packet filter function is realized by activating the ACL.

2.2.1 Set the Port Priority
You can use the following command to set the port priority. By default, the switch replaces the 802.1p priority carried by a packet with the port priority. Perform the following configuration in Ethernet port view.
Table 2-2 Set the port priority
  Operation: Set the port priority
  Command:   priority priority-level
  Operation: Restore the default port priority
  Command:   undo priority

The port of the Ethernet Switch supports 8 priority levels, so you can configure the port priority as required; priority-level ranges from 0 to 7. By default, the port priority is 0 and the switch replaces the priority carried by a packet with the port priority.

2.2.2 Configure Trust Packet Priority
By default, the system replaces the 802.1p priority carried by a packet with the port priority. The user can configure the system to trust the packet's 802.1p priority instead, so that the 802.1p priorities carried by packets are not replaced with the port priority. Perform the following configuration in Ethernet port view.
Table 2-3 Configure Port Priority Replacement
  Operation: Configure trust packet 802.1p priority
  Command:   priority trust
  Operation: Configure not trust packet 802.1p priority
  Command:   undo priority

Before trust packet 802.1p priority is configured, the switch puts packets into queues according to the priority of the receiving port. After it is configured, the switch trusts the packet's 802.1p priority and puts the packet into the corresponding queue when forwarding it. By default, the system replaces the 802.1p priority carried by a packet with the port priority.

2.2.3 Configure Priority Marking
The priority marking configuration is a policy that tags the priority of packets matching an ACL. The new priority can be filled into the priority field of the packet header. You can use the following command to configure priority marking. Perform the following configuration in system view.
Table 2-4 Tag packet priority
  Operation: Mark the packet priority
  Command:   traffic-priority { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] } local-precedence pre-value
  Operation: Cancel the packet priority marking
  Command:   undo traffic-priority { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }

For details about the command, refer to the Command Manual.

2.2.4 Configure Queue Scheduling
Queue scheduling is commonly used to resolve the contention of multiple packets for resources when network congestion occurs. The queue scheduling function puts a packet into an output queue of the port according to the 802.1p priority of the packet. The relationship between priorities and queues is as follows.
Table 2-5 The default “COS -> Local-precedence” map
  COS Value:        0  1  2  3  4  5  6  7
  Local Precedence: 2  0  1  3  4  5  6  7

Table 2-6 Relationship between 802.1p priority and output queue
  802.1p priority:  1,2  0,3  4,5  6,7
  Queue ID:         0    1    2    3

Table 2-7 Relationship between Local-precedence and output queue
  Local-precedence: 0,1  2,3  4,5  6,7
  Queue ID:         0    1    2    3

I. Configure the Mapping Relationship between COS and Local Precedence
By default, the system provides the default “COS -> Local-precedence” mapping relationship.
Table 2-8 The default “COS -> Local-precedence” map
  COS Value:        0  1  2  3  4  5  6  7
  Local Precedence: 2  0  1  3  4  5  6  7

Using the following commands, you can configure the map. Perform the following configuration in system view.
Table 2-9 Map configuration
  Operation: Configure “COS -> Local-precedence” map
  Command:   qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-local-prec cos3-map-local-prec cos4-map-local-prec cos5-map-local-prec cos6-map-local-prec cos7-map-local-prec
  Operation: Restore its default value
  Command:   undo qos cos-local-precedence-map

By default, the switch uses the default mapping relationship.

II. Configure the Queue Scheduler
You can use the following command to configure the queue scheduler. Perform the following configuration in Ethernet port view.

Table 2-10 Configure the queue scheduling algorithm
  Operation: Configure the queue scheduling algorithm
  Command:   queue-scheduler { strict-priority | wrr queue1-weight queue2-weight queue3-weight queue4-weight }
  Operation: Restore the default queue scheduling algorithm
  Command:   undo queue-scheduler

The Ethernet Switch supports the strict-priority and WRR queue schedulers. By default, the switch uses the strict-priority algorithm. For details about the command, refer to the Command Manual.
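The following script traces the path of section 2.2.4 (CoS value, then Table 2-5 to a local precedence, then Table 2-7 to a queue ID, which composed together reproduce Table 2-6) and contrasts the two schedulers of Table 2-10. It is an added illustration, not vendor code: the four-queue scheduler model and the assumption that queue1-weight..queue4-weight apply to queue IDs 0..3 are mine. It shows why a port that trusts the 802.1p priority of an untrusted host (2.2.2) matters: frames the host tags CoS 7 land in queue 3 and, under the default strict-priority scheduler, are always served before everything else.

```python
"""Trace a tagged frame from its CoS value to an output queue on the S3500
(Tables 2-5 to 2-7) and compare the strict-priority and WRR schedulers of
Table 2-10. Added illustration, not vendor code: the four-queue scheduler
model and the mapping of queue1-weight..queue4-weight to queue IDs 0..3 are
assumptions, not taken from the manual."""
from collections import deque

# Table 2-5: default "COS -> Local-precedence" map, indexed by CoS value.
DEFAULT_COS_TO_LOCAL = [2, 0, 1, 3, 4, 5, 6, 7]


def parse_cos_map_command(command):
    """Turn a 'qos cos-local-precedence-map c0 c1 ... c7' line (Table 2-9) into a list."""
    parts = command.split()
    if parts[:2] != ["qos", "cos-local-precedence-map"] or len(parts) != 10:
        raise ValueError("expected: qos cos-local-precedence-map <eight values>")
    values = [int(v) for v in parts[2:]]
    if any(not 0 <= v <= 7 for v in values):
        raise ValueError("local precedence values must be in 0..7")
    return values


def local_precedence_to_queue(local_prec):
    """Table 2-7: local precedence 0,1 -> queue 0; 2,3 -> 1; 4,5 -> 2; 6,7 -> 3."""
    return local_prec // 2


def cos_to_queue_table(cos_map=DEFAULT_COS_TO_LOCAL):
    """Compose Table 2-5 with Table 2-7; with the default map this reproduces Table 2-6."""
    return {cos: local_precedence_to_queue(cos_map[cos]) for cos in range(8)}


def schedule(queues, mode, weights=(1, 1, 1, 1)):
    """Return the order in which frames leave the port.

    queues:  four lists of frame labels, index = queue ID (3 is highest priority).
    mode:    'strict-priority' or 'wrr' (the two keywords of Table 2-10).
    weights: queue1-weight..queue4-weight, i.e. frames per WRR round for queues 0..3.
    """
    pending = [deque(q) for q in queues]
    sent = []
    if mode == "strict-priority":
        while any(pending):
            # Always serve the highest non-empty queue; lower queues wait.
            q = next(q for q in reversed(pending) if q)
            sent.append(q.popleft())
    elif mode == "wrr":
        while any(pending):
            # One round: each queue gets up to `weight` frames, highest queue first.
            for q, weight in zip(reversed(pending), reversed(weights)):
                for _ in range(weight):
                    if q:
                        sent.append(q.popleft())
    else:
        raise ValueError(f"unknown scheduler {mode!r}")
    return sent


# Constructed sample: six frames a host tagged CoS 7 (queue 3) competing with
# two frames tagged CoS 1 (queue 0) on the same output port.
SAMPLE_QUEUES = [["L1", "L2"], [], [], ["H1", "H2", "H3", "H4", "H5", "H6"]]


def first_low_priority_slot(mode, weights=(1, 2, 3, 4)):
    """Position at which the first queue-0 frame leaves under the given scheduler."""
    return schedule(SAMPLE_QUEUES, mode, weights).index("L1")


if __name__ == "__main__":
    print("default CoS -> queue:", cos_to_queue_table())
    custom = parse_cos_map_command("qos cos-local-precedence-map 0 0 0 0 1 1 2 3")
    print("custom  CoS -> queue:", cos_to_queue_table(custom))
    for mode in ("strict-priority", "wrr"):
        print(f"{mode:16s} first low-priority frame leaves at slot",
              first_low_priority_slot(mode))
```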

2.2.5 Configure Traffic Mirroring
Traffic mirroring copies the traffic matching an ACL rule to a designated observing port so that the packets can be analyzed and monitored. You can use the following command to configure traffic mirroring. Perform the following configuration in system view.
Table 2-11 Configure traffic mirroring
  Operation: Configure traffic mirroring
  Command:   mirrored-to { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] } interface { interface-name | interface-type interface-num }
  Operation: Cancel the configuration of traffic mirroring
  Command:   undo mirrored-to { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }

For details about the command, refer to the Command Manual.

2.2.6 Configure Traffic Statistics
The traffic statistics function counts the data packets of the specified traffic, that is, the transmitted data matching the ACL rules. After traffic statistics is configured, the user can use the display qos-global traffic-statistic command to display the statistics. You can use the following command to configure traffic statistics. Perform the following configuration in system view.
Table 2-12 Configure traffic statistics
  Operation: Configure traffic statistics
  Command:   traffic-statistic { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }
  Operation: Cancel the configuration of traffic statistics
  Command:   undo traffic-statistic { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }
  Operation: Display the statistics information
  Command:   display qos-global traffic-statistic

For details about the command, refer to the Command Manual.

2.2.7 Display and Debug QoS
After the above configuration, execute the display command in any view to display the running QoS configuration and verify its effect. Execute the reset command in user view to clear the statistics of the QoS module.
Table 2-13 Display and Debug QoS
  Operation: Display the parameter settings of all the QoS actions
  Command:   display qos-global all
  Operation: Display the mapping relationship between cos and local precedence
  Command:   display qos cos-local-precedence-map
  Operation: Display the parameter settings of traffic mirroring
  Command:   display qos-global mirrored-to
  Operation: Display the queue scheduling mode and parameter
  Command:   display qos-interface [ interface-name | interface-type interface-num ] queue-scheduler
  Operation: Display the settings of priority tag
  Command:   display qos-global traffic-priority
  Operation: Display the information about the traffic
  Command:   display qos-global traffic-statistic
  Operation: Clear the statistics information
  Command:   reset traffic-statistic { all | ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }

For output and description of the related commands, refer to the Command Manual.

2.3 Configure QoS of S3526E and S3526C
QoS configuration includes:
  Set the Port Priority
  Configure Trust Packet Priority
  Packet filter
  Traffic policing
  Redirection configuration
  Priority tag
  Queue scheduling
  Traffic mirroring
  Traffic statistics
Before configuring the above QoS tasks, you have to define the corresponding ACL. The packet filter function is realized by activating the ACL.

2.3.1 Set the Port Priority
You can use the following command to set the port priority. If a packet has no VLAN tag, the switch tags it with the VLAN the receiving port belongs to and uses the port priority as the packet's 802.1p priority when tagging it. If the packet already has a VLAN tag, the system does not re-tag it. Perform the following configuration in Ethernet port view.
Table 2-14 Set the port priority
  Operation: Set the port priority
  Command:   priority priority-level
  Operation: Restore the default port priority
  Command:   undo priority

The port of the Ethernet Switch supports 8 priority levels, so you can configure the port priority as required; priority-level ranges from 0 to 7. By default, the port priority is 0 and the switch replaces the priority carried by a packet with the port priority.

2.3.2 Configure Trust Packet Priority
If a packet has no VLAN tag, the switch tags it with the VLAN the receiving port belongs to and uses the port priority as the packet's 802.1p priority when tagging it. If the packet already has a VLAN tag, the system does not re-tag it. The user can configure the system to trust the packet's 802.1p priority instead, so that the 802.1p priorities carried by packets are not replaced with the port priority. Perform the following configuration in Ethernet port view.
Table 2-15 Configure Port Priority Replacement
  Operation: Configure trust packet 802.1p priority
  Command:   priority trust
  Operation: Configure not trust packet 802.1p priority
  Command:   undo priority

2.3.3 Traffic Policing
Traffic policing is a flow-based traffic limit. It takes corresponding actions, such as discarding or lowering the priority, on the flow that exceeds the specified rate. You can use the following command to configure traffic policing.

Perform the following configuration in Ethernet port view.
Table 2-16 Configure traffic limit
  Operation: Configure the flow-based traffic limit
  Command:   traffic-limit inbound { user-group { acl-number | acl-name } [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* } target-rate [ exceed action ]
  Operation: Cancel the configuration of the flow-based traffic limit
  Command:   undo traffic-limit inbound { user-group { acl-number | acl-name } [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* }

You have to define the corresponding ACL before performing this configuration task. The purpose of this task is to police the data flow matching the ACL; traffic beyond the limit is dealt with in some other way, such as being discarded. For details about the command, refer to the Command Manual.

2.3.4 Port Traffic limit
The port traffic limit is a port-based line rate used to limit the overall rate of packet output on the port. You can use the following command to configure the port traffic limit. Perform the following configuration in Ethernet port view.
Table 2-17 Configure port traffic limit
  Operation: Configure the port traffic limit
  Command:   line-rate target-rate
  Operation: Cancel the configuration of the port traffic limit
  Command:   undo line-rate

The Ethernet Switch supports configuring a traffic limit for a single port. For details about the command, refer to the Command Manual.

2.3.5 Configure Packet Redirection
Packet redirection redirects the packets to be forwarded to the CPU or to another output port. You can use the following command to configure packet redirection. Perform the following configuration in system view.

Table 2-18 Configure redirection
  Operation: Configure redirection
  Command:   traffic-redirect { user-group { acl-number | acl-name } [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* } { cpu | { interface interface-name | interface-type interface-num } }
  Operation: Cancel the redirection configuration
  Command:   undo traffic-redirect { user-group { acl-number | acl-name } [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* }

Note that packets redirected to the CPU will not be dealt with.

Note: The redirection configuration only takes effect on rules with the action permit.

For details about the command, refer to the Command Manual.

2.3.6 Configure Priority Marking
The priority marking configuration is a policy that tags the priority of packets matching an ACL. The new priority can be filled into the priority field of the packet header. You can use the following command to configure priority marking. Perform the following configuration in system view.
Table 2-19 Tag packet priority
  Operation: Mark the packet priority
  Command:   traffic-priority { user-group { acl-number | acl-name } [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* } { { dscp dscp-value | ip-precedence { pre-value | from-cos } } | cos { pre-value | from-ipprec } | local-precedence pre-value }*
  Operation: Cancel the packet priority marking
  Command:   undo traffic-priority { user-group { acl-number | acl-name } [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* }

The Ethernet Switch supports tagging packets with IP precedence (specified by ip-precedence in the traffic-priority command), DSCP (specified by dscp in the traffic-priority command) or 802.1p precedence (specified by cos in the traffic-priority command). You can tag packets with different priorities as required by the QoS policy. The switch puts packets into the corresponding egress queues according to the 802.1p precedence or the local precedence (specified by local-precedence in the traffic-priority command). If both the 802.1p precedence and the local precedence have been specified in the traffic-priority command, the switch puts the packets into the corresponding queues according to the 802.1p precedence first. For details about the command, refer to the Command Manual.

2.3.7 Configure Queue Scheduling
Queue scheduling is commonly used to resolve the contention of multiple packets for resources when network congestion occurs. The queue scheduling function puts a packet into an output queue of the port according to the 802.1p priority of the packet. The mapping relationship between 802.1p priority and the output queue of the port is shown in the following tables.
Table 2-20 Default “CoS → Local-precedence” mapping table
  CoS Value:        0  1  2  3  4  5  6  7
  Local Precedence: 2  0  1  3  4  5  6  7

Table 2-21 Relationship between 802.1p priority and output queue
  802.1p priority:  1,2  0,3  4,5  6,7
  Queue ID:         0    1    2    3

Table 2-22 Relationship between Local-precedence and output queue
  Local-precedence: 0,1  2,3  4,5  6,7
  Queue ID:         0    1    2    3

I. Configure the Mapping Relationship between COS and Local Precedence
By default, the system provides the default “COS ->Local-precedence” mapping relationship.

Table 2-23 Default “CoS → Local-precedence” mapping table
  CoS Value:        0  1  2  3  4  5  6  7
  Local Precedence: 2  0  1  3  4  5  6  7

Using the following commands, you can configure the map. Perform the following configuration in system view.
Table 2-24 Map configuration
  Operation: Configure “COS -> Local-precedence” map
  Command:   qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-local-prec cos3-map-local-prec cos4-map-local-prec cos5-map-local-prec cos6-map-local-prec cos7-map-local-prec
  Operation: Restore its default value
  Command:   undo qos cos-local-precedence-map

By default, the switch uses the default mapping relationship.

II. Configure the Queue Scheduler
You can use the following command to configure the queue scheduler. Perform the following configuration in system view.
Table 2-25 Configure the queue scheduling algorithm
  Operation: Configure the queue scheduling algorithm
  Command:   queue-scheduler { strict-priority | wrr queue1-weight queue2-weight queue3-weight queue4-weight | wrr-max-delay queue1-weight queue2-weight queue3-weight queue4-weight maxdelay }
  Operation: Restore the default queue scheduling algorithm
  Command:   undo queue-scheduler

The Ethernet Switch supports 3 kinds of queue schedulers: strict-priority, WRR and delay-bounded WRR. By default, the switch uses the strict-priority algorithm. For details about the command, refer to the Command Manual.

2.3.8 Configure Traffic Mirroring
Traffic mirroring copies the traffic matching an ACL rule to a designated observing port so that the packets can be analyzed and monitored. You can use the following command to configure traffic mirroring. Perform the following configuration in system view.
Table 2-26 Configure traffic mirroring
  Operation: Configure traffic mirroring
  Command:   mirrored-to { user-group acl-number | acl-name [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* } interface { interface-name | interface-type interface-num }
  Operation: Cancel the configuration of traffic mirroring
  Command:   undo mirrored-to { user-group acl-number | acl-name [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* }

For details about the command, refer to the Command Manual.

2.3.9 Configure Traffic Statistics
The traffic statistics function counts the data packets of the specified traffic, that is, the transmitted data matching the ACL rules. After traffic statistics is configured, the user can use the display qos-global traffic-statistic command to display the statistics. You can use the following command to configure traffic statistics. Perform the following configuration in system view.
Table 2-27 Configure traffic statistics
  Operation: Configure traffic statistics
  Command:   traffic-statistic { user-group { acl-number | acl-name } [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* }
  Operation: Cancel the configuration of traffic statistics
  Command:   undo traffic-statistic { user-group { acl-number | acl-name } [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* }
  Operation: Display the statistics information
  Command:   display qos-global traffic-statistic

For details about the command, refer to the Command Manual.

2.3.10 Display and Debug QoS
After the above configuration, execute the display command in any view to display the running QoS configuration and verify its effect. Execute the reset command in user view to clear the statistics of the QoS module.
Table 2-28 Display and Debug QoS
  Operation: Display the parameter settings of all the QoS actions
  Command:   display qos-global all
  Operation: Display the mapping relationship between cos and local precedence
  Command:   display qos cos-local-precedence-map
  Operation: Display the parameter settings of traffic mirroring
  Command:   display qos-global mirrored-to
  Operation: Display the parameter settings of port mirroring
  Command:   display mirror
  Operation: Display the queue scheduling mode and parameter
  Command:   display queue-scheduler
  Operation: Display the settings of QoS
  Command:   display qos-interface [ interface-name | interface-type interface-num ] all
  Operation: Display the parameter settings of traffic limit
  Command:   display qos-interface [ interface-name | interface-type interface-num ] traffic-limit
  Operation: Display the port traffic limit
  Command:   display qos-interface [ interface-name | interface-type interface-num ] line-rate
  Operation: Display the settings of priority tag
  Command:   display qos-global traffic-priority
  Operation: Display the settings of redirection
  Command:   display qos-global traffic-redirect
  Operation: Display the information about the traffic
  Command:   display qos-global traffic-statistic
  Operation: Clear the statistics information
  Command:   reset traffic-statistic { all | user-group { acl-number | acl-name } [ rule rule ] | { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }* }

For output and description of the related commands, refer to the Command Manual.

2.4 QoS Configuration for S3552 Series Ethernet Switches
QoS configuration tasks include:
  Configure packet filter
  Configure service group allocation rule
  Configure priority remark
  Configure traffic policing
  Configure traffic shaping
  Configure redirection
  Configure queue scheduling
  Configure traffic mirror
  Configure port mirror
  Configure traffic statistic
Before you perform the QoS configuration tasks listed above, you should define ACLs. You can use packet filter simply by activating the ACL for it, which is beyond the scope of this chapter.

Table 2-29 Nouns of S3552 series QoS
  Noun: CoS
  Description: CoS and 802.1p priority have the same meaning, that is, the priority in the header of Ethernet packets. Its value ranges from 0 to 7.
  Noun: Service Group
  Description: A group of parameters allocated to a packet when it is received by the switch. These parameters are used when the switch performs QoS functions. They include 802.1p priority, DSCP priority, local priority and drop-precedence.
  Noun: Drop-precedence
  Description: Drop level, also known as drop-precedence, is one parameter of the service group. Its value can be 0, 1 or 2. The switch allocates a drop level to a packet when receiving it, and can change the level while processing the packet. Allocating a drop level to a packet is also called coloring the packet: a packet with drop level 2 is red, with drop level 1 is yellow, and with drop level 0 is green. This parameter is mainly used when congestion occurs and the switch has to drop packets.
  Noun: Conform-Level
  Description: The conform level is the result of combining the following user configurations with the actual traffic at the port when the switch performs traffic control: committed average rate, committed burst size, maximum burst size and peak rate. This parameter is only valid when you police the traffic using the traffic-limit command; its value is then 0, 1 or 2, obtained by calculation. When you use the traffic-priority command to mark the priority, this parameter is also used in the “DSCP + Conform-Level -> Service Group” table to reallocate service parameters for the packets; in that table the value of Conform-Level is 0.

2.4.2 Configure Service Group Allocation Rule
QoS on these switches is built on the service group. Each service group includes a set of QoS-related parameters: 802.1p precedence (CoS precedence), DSCP precedence, local precedence (which is assigned to packets and has local significance) and drop precedence. Upon receipt of a packet, the switch automatically allocates a service group to the packet based on a particular rule. First, the switch looks up the CoS to drop-precedence and CoS to local-precedence maps to obtain the drop-precedence and local-precedence of the packet from its 802.1p precedence. Default settings of these maps are provided, but you may configure them as needed. If no local-precedence is available for the packet, the switch takes the default local-precedence assigned to the receiving port as the local-precedence of the packet.

I. Configure maps
You may configure maps by using the commands listed in the following table. Perform the following configuration in system view.

Table 2-30 Configure maps
  Operation: Configure CoS to drop-precedence map.
  Command:   qos cos-drop-precedence-map CoS0-map-drop-prec CoS1-map-drop-prec CoS2-map-drop-prec CoS3-map-drop-prec CoS4-map-drop-prec CoS5-map-drop-prec CoS6-map-drop-prec CoS7-map-drop-prec
  Operation: Restore the default CoS to drop-precedence map setting.
  Command:   undo qos cos-drop-precedence-map
  Operation: Configure CoS to local-precedence map.
  Command:   qos cos-local-precedence-map CoS0-map-local-prec CoS1-map-local-prec CoS2-map-local-prec CoS3-map-local-prec CoS4-map-local-prec CoS5-map-local-prec CoS6-map-local-prec CoS7-map-local-prec
  Operation: Restore the default CoS to local-precedence map setting.
  Command:   undo qos cos-local-precedence-map

By default, the switches assign drop-precedence and local-precedence to received packets using the default map settings of the system.

II. Assign a default local-precedence value to a port
Perform the following configuration in Ethernet interface view.
Table 2-31 Assign a default local-precedence value to the port
  Operation: Assign a default local-precedence value to the port.
  Command:   priority priority-level
  Operation: Restore the default local-precedence value to its default setting.
  Command:   undo priority

2.4.3 Configure Traffic Policing
Traffic policing implements a traffic-based rate limit. It monitors the rate of a type of traffic and takes the appropriate action when the traffic exceeds the specified limit, for example dropping the packets beyond the limit or assigning new precedence values to them. Traffic policing actions include re-assigning the service group based on the DSCP + conform-level to service map and re-assigning the traffic's 802.1p precedence based on the local-precedence + conform-level to CoS map. You may configure these two maps as needed.

I. Configure maps
You may configure the DSCP + conform-level to service and local-precedence + conform-level to CoS maps using the commands listed in the following table. Perform the following configuration in system view.
Table 2-32 Configure maps
  Operation: Access conform-level view from system view.
  Command:   qos conform-level conform-level-value
  Operation: Configure DSCP + conform-level to service map in conform-level view.
  Command:   dscp dscp-list : dscp-value CoS-value local-precedence-value drop-precedence
  Operation: Restore the default DSCP + conform-level to service map setting in conform-level view.
  Command:   undo dscp [ dscp-list ]
  Operation: Configure TC + conform-level to CoS map in conform-level view.
  Command:   local-precedence CoS-value0 CoS-value1 CoS-value2 CoS-value3 CoS-value4 CoS-value5 CoS-value6 CoS-value7
  Operation: Restore the default TC + conform-level to CoS map setting in conform-level view.
  Command:   undo local-precedence

By default, the system provides default map settings.

II. Configure traffic policing
You may configure traffic policing using the command described in the following table. Perform the following configuration in Ethernet interface view.
Table 2-33 Configure traffic policing
  Operation: Configure traffic-based traffic policing.
  Command:   traffic-limit inbound { link-group { acl-number | acl-name } [ rule rule ] | ip-group { acl-number | acl-name } [ rule rule ] } cir cbs ebs [ pir ] [ conform { { remark-cos | remark-drop-priority }* | remark-policed-service } ] [ exceed { forward | drop } ]
  Operation: Disable traffic-based traffic policing.
  Command:   undo traffic-limit inbound { link-group { acl-number | acl-name } [ rule rule ] | ip-group { acl-number | acl-name } [ rule rule ] }

Before you can configure traffic-based traffic policing, you should configure the ACLs for this purpose in addition to the DSCP + conform-level to service and local-precedence + conform-level to CoS maps. When setting the parameters of traffic policing, the following rule is recommended: cir<pir, cbs=ebs=(cir/8)*(1~1.5). For example, if cir is set to 1000Kbps, cbs=ebs=(1000/8)*(1~1.5)=(125~180)Kbytes=(125000~180000)bytes. Note that the unit of the cbs and ebs parameters is the byte. This configuration task polices the traffic filtered in by the adopted ACL, that is, it takes the appropriate actions on the traffic within and beyond the specified limit, for example dropping packets.
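The script below works the cbs/ebs recommendation above through a constructed burst and shows how the cir, cbs and ebs parameters of Table 2-33 produce a conform-level of 0, 1 or 2 (green, yellow, red in Table 2-29) per packet, and how the exceed action is applied. It is an added illustration, not vendor code: the switch's metering algorithm is not given on this page, so a single-rate two-bucket token-bucket meter in the style of RFC 2697 is assumed, and pir is not modelled.

```python
"""Model how the S3552 traffic-limit parameters cir, cbs and ebs yield a
conform-level of 0, 1 or 2 (green/yellow/red) for each packet, and apply the
exceed action. Added illustration, not vendor code: the switch's metering
algorithm is not given on this page, so a single-rate two-bucket token-bucket
meter in the style of RFC 2697 is assumed, and pir is not modelled."""


def recommended_burst_bytes(cir_kbps, factor=1.0):
    """cbs = ebs = (cir/8) * (1..1.5), as recommended in the text; result in bytes.
    factor 1.0 gives the lower end of the range, 1.5 the upper end."""
    if not 1.0 <= factor <= 1.5:
        raise ValueError("factor must be within 1.0..1.5")
    return int(cir_kbps * 1000 / 8 * factor)


class TokenBucketMeter:
    """Single-rate meter: bucket C (size cbs) and bucket E (size ebs), both
    replenished at cir; tokens overflow from C into E once C is full."""

    def __init__(self, cir_kbps, cbs, ebs):
        self.rate = cir_kbps * 1000 / 8  # bytes per second
        self.cbs, self.ebs = cbs, ebs
        self.tc, self.te = float(cbs), float(ebs)  # both buckets start full
        self.last = 0.0

    def _refill(self, now):
        tokens = max(0.0, now - self.last) * self.rate
        self.last = max(self.last, now)
        into_c = min(tokens, self.cbs - self.tc)
        self.tc += into_c
        self.te = min(self.ebs, self.te + (tokens - into_c))

    def meter(self, now, size):
        """Return the conform-level for a packet of `size` bytes arriving at `now`."""
        self._refill(now)
        if size <= self.tc:
            self.tc -= size
            return 0  # green: within the committed burst
        if size <= self.te:
            self.te -= size
            return 1  # yellow: within the excess burst
        return 2      # red: beyond both buckets


def police(meter, packets, exceed="drop"):
    """Apply a traffic-limit line to (time, size) packets.

    exceed is the 'exceed { forward | drop }' choice of Table 2-33; conform
    levels 0 and 1 are always forwarded, level 2 gets the exceed action.
    """
    if exceed not in ("forward", "drop"):
        raise ValueError("exceed must be forward or drop")
    results = []
    for now, size in packets:
        level = meter.meter(now, size)
        results.append((level, "forward" if level < 2 else exceed))
    return results


def simulate_burst(cir_kbps=1000, packets=200, size=1500):
    """Constructed scenario: 200 full-size frames arrive at once on a port
    policed at cir with the recommended cbs = ebs = cir/8. Returns the count
    of packets at each conform-level."""
    burst = recommended_burst_bytes(cir_kbps)
    meter = TokenBucketMeter(cir_kbps, burst, burst)
    levels = [lvl for lvl, _ in police(meter, [(0.0, size)] * packets)]
    return {lvl: levels.count(lvl) for lvl in (0, 1, 2)}


if __name__ == "__main__":
    print("recommended cbs/ebs for 1000 kbps:", recommended_burst_bytes(1000), "bytes")
    print("conform-level counts for the burst:", simulate_burst())
```

With the example figures from the text (cir 1000 Kbps, cbs = ebs = 125000 bytes) the burst splits into 83 green, 83 yellow and 34 red frames; the red ones are the only ones the exceed action touches.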

Note: If you choose untrusted mode for specific traffic in the traffic-priority operation, that is, you manually specify a service group for the designated traffic, then the traffic-limit and traffic-statistic operations are invalid for this traffic. If you configure traffic-limit and traffic-statistic, however, then the untrusted mode is invalid.

For more information about these commands, see Command Manual.

2.4.4 Configure Traffic Shaping
Traffic shaping controls the packet output rate so that packets are sent at an even average rate. It is normally used to match the receiving rate of downstream devices and so avoid unnecessary packet drops and congestion. Traffic shaping differs from traffic policing in that the former buffers the packets exceeding the specified rate limit and sends them at an average rate, whereas the latter limits the traffic by dropping them. Because of these different approaches, traffic shaping may add latency while traffic policing does not. You may configure traffic shaping using the command in the following table. Perform the following configuration in Ethernet interface view.
Table 2-34 Configure traffic shaping
  Operation: Configure traffic shaping.
  Command:   traffic-shape [ queue queue-id ] max-rate burst-size [ queue-depth ]
  Operation: Disable traffic shaping.
  Command:   undo traffic-shape [ queue queue-id ]

The switch supports traffic shaping on all the traffic at a port as well as on specified output queues of the port; you select between the two by choosing different parameters. If queue queue-id is not specified in the traffic-shape command, traffic shaping is performed on all the traffic at the port; otherwise it is performed on the specified output queue. It is recommended to configure traffic shaping on all the traffic at the port.

Note: Comply with the following rules when you perform traffic shaping on a queue: the depth of a single queue must be smaller than that of the port. By default, the queue depth of a port is 256, and the depth of a single queue should be smaller than 128. The default value is recommended.

For more information about the traffic-shape command, see Command Manual.

2.4.5 Configure Priority Remark
Priority remark is configured on a switch to assign a new service group to the packets filtered in by the adopted ACL. There are four modes of priority remark. You may set a priority remark to allow the system to:
  automatically allocate a service group to the received packets;
  look up the maps based on the DSCP value carried by these packets to allocate a new service group for them;
  look up the maps based on the DSCP value assigned by you to allocate a new service group for the packets;
  manually assign a new service group to these packets.
You may use the command in the following table to configure priority remark. Perform the following configuration in Ethernet interface view.
Table 2-35 Remark packet priority
  Operation: Remark packet priority.
  Command:   traffic-priority inbound { link-group { acl-number | acl-name } [ rule rule ] | ip-group { acl-number | acl-name } [ rule rule ] } { auto | remark-policed-service { trust-dscp | dscp dscp-value | untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level } }
  Operation: Disable packet priority remarking.
  Command:   undo traffic-priority inbound { link-group { acl-number | acl-name } [ rule rule ] | ip-group { acl-number | acl-name } [ rule rule ] }

Before you can configure packet priority remark, you should define the ACLs for this purpose and a DSCP + conform-level to service map. In the DSCP + conform-level to service map used by the packet priority remark function, the conform-level equals 0.


Note: If you choose untrusted mode for specific traffic in the traffic-priority operation, that is, you manually specify a service group for the designated traffic, then the traffic-limit and traffic-statistic operations are invalid for this traffic. Conversely, if you configure traffic-limit and traffic-statistic for the traffic, the untrusted mode is invalid.

For more information about the command and its negative form described in this section, refer to Command Manual.

2.4.6 Configure Traffic Redirection
Traffic redirection forwards a received packet to the CPU, to another port, to an IP address, or to a network segment other than the one to which the packet would originally have been forwarded. You may use the traffic-redirect command described in the following table to configure traffic redirection. Perform the following configuration in Ethernet interface view.

Table 2-36 Configure traffic redirection

Operation                        Command
Configure traffic redirection.   traffic-redirect inbound { link-group { acl-number | acl-name } [ rule rule ] | ip-group { acl-number | acl-name } [ rule rule ] } { cpu | interface { interface-name | interface-type interface-num } | next-hop ip-addr1 ip-addr2 }
Disable traffic redirection.     undo traffic-redirect { link-group { acl-number | acl-name } [ rule rule ] | ip-group { acl-number | acl-name } [ rule rule ] }

Note that packets redirected to the CPU are not forwarded any further.

Note: The redirection configuration is valid only when the action taken by the ACL is permit. You can use the next-hop ip-addr1 ip-addr2 parameter to implement policy routing.

For more information about the traffic-redirect command, see Command Manual.


2.4.7 Configure Queue Scheduling
Each port on a switch supports eight output queues. The system puts packets into the output queues of a port based on the packets' local-precedence. To prevent packets from contending for resources at the time of network congestion, a queue scheduling mechanism is adopted. So far, the Strict Priority (SP) and Weighted Round Robin (WRR) scheduling algorithms are supported. Different queue scheduling algorithms may apply to different queues at each port. Three queue scheduling approaches are supported:
1) Apply SP scheduling on all the queues.
2) Apply WRR scheduling on all the queues. In this approach, the output queues are assigned to WRR group 1 and WRR group 2. When scheduling queues, the system first polls the queues in WRR group 1, and polls the queues in group 2 only if no packet is waiting for transmission in the queues of group 1. In the WRR scheduling approach, all the queues are assigned to WRR group 1 by default.
3) Combine SP and WRR by applying them to different queues at the same time. At the time of queue scheduling, strict scheduling is applied to the queues inside the SP scheduling group while polling is applied inside each WRR scheduling group. The system thus picks out one queue each from the SP scheduling group, WRR group 1 and WRR group 2, and then schedules these using the SP approach.
You may configure queue scheduling using the queue-scheduler command and its negative form described in the following table. Perform the following configuration in Ethernet interface view.

Table 2-37 Configure queue scheduling algorithm

Operation                                                Command
Configure queue scheduling algorithm.                    queue-scheduler wrr { group1 { queue-id queue-weight } &<1-8> | group2 { queue-id queue-weight } &<1-8> }*
Restore the default queue scheduling algorithm setting.  undo queue-scheduler [ queue-id ] &<1-8>

By default, SP scheduling applies. SP scheduling also applies to any queue on which WRR scheduling is not configured. For more information about the queue-scheduler command and its negative form, refer to Command Manual.
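The combined SP + WRR approach above, worked through as an added model (not the switch's implementation): SP queues are drained first, then WRR group 1 is polled by weight, and group 2 only when group 1 is empty. The model assumes that a higher queue id means higher priority inside the SP group, and it applies the page's rule that any queue not placed in a WRR group is scheduled by SP.

```python
class WrrGroup:
    """Weighted round robin over an ordered {queue-id: weight} mapping.

    Each queue in turn may send up to `weight` packets before the pointer moves
    on; empty queues are skipped. Constructed model, not the switch's own.
    """

    def __init__(self, weights):
        self.weights = dict(weights)
        self.order = list(self.weights)
        self.idx = 0
        self.credit = self.weights[self.order[0]] if self.order else 0

    def _advance(self):
        self.idx = (self.idx + 1) % len(self.order)
        self.credit = self.weights[self.order[self.idx]]

    def pick(self, backlog):
        """Return the queue id to serve next, or None if the whole group is empty."""
        for _ in range(len(self.order)):
            qid = self.order[self.idx]
            if backlog.get(qid, 0) > 0:
                self.credit -= 1
                if self.credit == 0:
                    self._advance()
                return qid
            self._advance()      # nothing waiting here: skip to the next queue
        return None


def drain_order(backlog, sp_queues, group1, group2):
    """Return the sequence of queue ids served until every queue is empty.

    backlog: {queue-id: number of waiting packets}. Queues in `sp_queues` are
    served strictly, higher queue id first (assumed to be the higher priority);
    otherwise WRR group 1 is polled, and group 2 only when group 1 is empty.
    """
    backlog = dict(backlog)
    g1, g2 = WrrGroup(group1), WrrGroup(group2)
    served = []
    while any(n > 0 for n in backlog.values()):
        qid = next((q for q in sorted(sp_queues, reverse=True)
                    if backlog.get(q, 0) > 0), None)
        if qid is None:
            qid = g1.pick(backlog)
        if qid is None:
            qid = g2.pick(backlog)
        if qid is None:
            raise ValueError("packets waiting in a queue assigned to no scheduling group")
        served.append(qid)
        backlog[qid] -= 1
    return served


# Constructed backlog on one port: two packets in queue 7, four in queue 5,
# two in queue 4 and one in queue 1 (queues not listed are empty).
BACKLOG = {7: 2, 5: 4, 4: 2, 1: 1}

# Default setting: SP on all eight queues.
ALL_SP = list(range(8))

# "queue-scheduler wrr group1 5 3 4 1 group2 1 1": queue 5 (weight 3) and
# queue 4 (weight 1) in group 1, queue 1 in group 2; the rest stay SP.
GROUP1 = {5: 3, 4: 1}
GROUP2 = {1: 1}
MIXED_SP = [q for q in range(8) if q not in GROUP1 and q not in GROUP2]

if __name__ == "__main__":
    print("all SP  :", drain_order(BACKLOG, ALL_SP, {}, {}))
    print("SP + WRR:", drain_order(BACKLOG, MIXED_SP, GROUP1, GROUP2))
```

Under pure SP queue 4 waits until queue 5 is completely empty; under the mixed setting queue 4 gets one packet out for every three from queue 5, and queue 1 in group 2 is still served last.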


2.4.8 Configure Congestion Avoidance
When congestion occurs on a switch, the switch tries to alleviate it by releasing queue resources as soon as possible and by placing packets into queues other than those suffering high latency. Upon receipt of a packet, the switch assigns a drop-precedence value to it; this is also known as coloring the packet. Drop-precedence can be set to 0, 1, or 2, meaning green, yellow, or red. When congestion occurs, red packets are dropped first and green packets last. You may configure congestion avoidance parameters and drop thresholds for each queue and conform-level. Two drop algorithms are supported:
1) Tail drop: sets different drop thresholds for different queues. Once the number of red (yellow or green) packets exceeds the specified upper threshold, every arriving red (yellow or green) packet is dropped.
2) WRED drop: takes the drop-precedence of the packets in each queue into account when dropping them. Before the number of (red, yellow or green) packets in a queue reaches the specified upper threshold, the system starts dropping packets once the number of packets in the queue exceeds the lower threshold. The number of packets dropped at a given moment is decided dynamically, taking into account the specified maximum drop probability and the number of packets waiting for transmission in the queue. If the number of packets exceeds the upper threshold, the system drops all the arriving packets.
Before configuring the drop algorithm, you need to configure the WRED parameters of the output queues.

I. Configure WRED
The system provides four default sets of WRED parameters identified by the index numbers 0, 1, 2, and 3. Each WRED parameter set specifies 80 parameter values, ten for each of the eight output queues on a port. You may change the WRED parameters of the current WRED index using the queue command described in the following table. Perform the following configurations beginning with accessing system view.

Table 2-38 Configure WRED parameters

Operation                                             Command
Access WRED index view from system view.              wred wred-index
Restore the default WRED setting in system view.      undo wred wred-index
Set WRED parameter values in WRED index view.         queue queue-id green-min-threshhold green-max-threshhold green-max-prob yellow-min-threshhold yellow-max-threshhold yellow-max-prob red-min-threshhold red-max-threshhold red-max-prob exponent
Restore the default WRED setting in WRED index view.  undo queue queue-id
Exit from WRED index view.                            quit

Using the undo wred command, you can restore the default WRED parameter settings of all the queues in the corresponding conform-level. Using the undo queue command, you can restore the default WRED parameter settings relevant to a queue. By default, the system provides four default sets of WRED parameters. For more information about the commands described in this section, refer to Command Manual.

II. Configure drop algorithm
You may configure the drop algorithm using the drop-mode command described in the following table. Perform the following configuration in Ethernet interface view.

Table 2-39 Configure drop algorithm

Operation                           Command
Set drop algorithm.                 drop-mode { tail-drop | wred } [ wred-index ]
Restore the default drop algorithm. undo drop-mode

By default, tail-drop is adopted. For more information about the command, refer to Command Manual.
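An added example (not the switch's implementation) that parses one queue line in the layout of Table 2-38 and applies the two drop algorithms of Table 2-39 to it: tail drop uses only the per-colour upper threshold, while WRED compares a smoothed queue length against the lower and upper thresholds and drops with a probability that grows linearly up to the configured maximum. It assumes max-prob is a percentage and that exponent is the weight 2^-exponent of the moving average, neither of which the manual states.

```python
COLORS = ("green", "yellow", "red")   # drop-precedence 0, 1, 2


def parse_queue_command(line):
    """Parse one 'queue' line as laid out in Table 2-38:

        queue <queue-id> <green-min> <green-max> <green-max-prob>
                         <yellow-min> <yellow-max> <yellow-max-prob>
                         <red-min> <red-max> <red-max-prob> <exponent>

    Returns (queue_id, {color: (min, max, max_prob)}, exponent). max-prob is
    assumed to be a percentage. Constructed parser, not the switch's own.
    """
    parts = line.split()
    if len(parts) != 12 or parts[0] != "queue":
        raise ValueError("expected: queue <id> followed by 10 numeric parameters")
    qid, *vals = map(int, parts[1:])
    params = {}
    for i, color in enumerate(COLORS):
        lo, hi, prob = vals[3 * i:3 * i + 3]
        if not (0 <= lo <= hi) or not (0 <= prob <= 100):
            raise ValueError(f"bad {color} thresholds/probability: {lo} {hi} {prob}")
        params[color] = (lo, hi, prob / 100.0)
    return qid, params, vals[9]


def average_queue_length(prev_avg, current_len, exponent):
    """Exponentially weighted moving average of the queue length, weight 2^-exponent."""
    w = 1.0 / (1 << exponent)
    return prev_avg * (1.0 - w) + current_len * w


def wred_drop_probability(avg_len, lo, hi, max_prob):
    """WRED curve: 0 below lo, linear up to max_prob just below hi, 1 from hi upwards."""
    if avg_len < lo:
        return 0.0
    if avg_len >= hi:
        return 1.0
    return max_prob * (avg_len - lo) / (hi - lo)


class OutputQueue:
    """One output queue running either 'tail-drop' or 'wred' (drop-mode, Table 2-39)."""

    def __init__(self, params, exponent, mode="wred"):
        self.params, self.exponent, self.mode = params, exponent, mode
        self.length = 0        # packets waiting for transmission
        self.avg = 0.0         # WRED's smoothed queue length

    def offer(self, color, u):
        """Admit (True) or drop (False) an arriving packet of `color`.

        u is a uniform(0,1) random sample supplied by the caller, so decisions
        are reproducible.
        """
        lo, hi, max_prob = self.params[color]
        if self.mode == "tail-drop":
            admitted = self.length < hi      # upper threshold only
        else:
            self.avg = average_queue_length(self.avg, self.length, self.exponent)
            admitted = u >= wred_drop_probability(self.avg, lo, hi, max_prob)
        if admitted:
            self.length += 1
        return admitted

    def transmit(self, n=1):
        """Remove up to n packets from the queue (they have been sent)."""
        self.length = max(0, self.length - n)


# Constructed parameter line: queue 2, green 100/200/10%, yellow 60/120/20%,
# red 30/60/40%, exponent 9.
QUEUE_LINE = "queue 2 100 200 10 60 120 20 30 60 40 9"

if __name__ == "__main__":
    qid, params, exponent = parse_queue_command(QUEUE_LINE)
    q = OutputQueue(params, exponent, mode="tail-drop")
    q.length = 60
    print("tail-drop at 60 waiting: red admitted?", q.offer("red", 0.5),
          "green admitted?", q.offer("green", 0.5))
    for avg in (90, 150, 200):
        p = wred_drop_probability(avg, *params["green"])
        print(f"wred green drop probability at average length {avg}: {p:.3f}")
```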

2.4.9 Configure Traffic Mirroring
Traffic mirroring duplicates the service traffic filtered in by the adopted ACL to the CPU for the purpose of traffic analysis and monitoring. You may configure traffic mirroring using the commands described in the following table. Perform the following configuration in Ethernet interface view.


Table 2-40 Configure traffic mirroring

Operation                     Command
Configure traffic mirroring.  mirrored-to inbound { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] } { cpu | monitor-interface }
Disable traffic mirroring.    undo mirrored-to inbound { ip-group acl-number | acl-name [ rule rule ] | link-group acl-number | acl-name [ rule rule ] }

Note: You must use the monitor-port command to configure the monitoring port before you mirror a data stream to a specified port. The switch mirrors only the packets it receives; therefore, when you use the monitor-port command to configure the monitoring port, you must configure the direction of the monitored packets as inbound or both.

For more information about the mirrored-to command and its negative form, refer to Command Manual.

2.4.10 Configure Port Mirroring
Port mirroring duplicates the data on a mirroring port to a specified monitor port for the purpose of analysis and monitoring. Ethernet switches support many-to-one mirroring, allowing packets from multiple mirroring ports to be duplicated to one monitor port. You may specify a mirroring port to accept the monitoring of:
   Inbound packets
   Outbound packets
   Both inbound and outbound packets
You may also specify a monitor port to monitor:
   Only the inbound packets on the specified mirroring ports
   Only the outbound packets on the specified mirroring ports
You may configure port mirroring using the commands described in the following table. Perform the following configuration in system view.

Table 2-41 Configure port mirroring

Operation                                              Command
Configure a monitor port.                              monitor-port { interface_name | interface_type interface_num } { inbound | outbound | both }
Configure one or more mirroring ports.                 mirroring-port port-list { inbound | outbound | both }
Disable the configuration of mirroring port or ports.  undo mirroring-port port-list { inbound | outbound | both }
Disable the configuration of the monitor port.         undo monitor-port { interface_name | interface_type interface_num } { inbound | outbound | both }

When configuring port mirroring, you must configure the monitor port before the mirroring port (or ports). When disabling port mirroring, you can disable the monitor port only after disabling all the mirroring ports. Each switch supports at most two monitor ports (also known as mirroring destination ports). These two ports can respectively observe the inbound packets and the outbound packets on one or more specified ports. A monitor port can observe any number of mirroring ports when it monitors inbound packets, but only up to eight mirroring ports when it monitors outbound packets. Inbound packets containing errors (CRC or fragment errors, for example) are beyond the scope of monitoring. Outbound packets being monitored are duplicated to the appropriate monitor port even if they are forwarded to the CPU en route.

Note: When disabling the configuration of a mirroring port, you are allowed to disable the monitoring on inbound packets, outbound packets, or both. When disabling the configuration of a monitor port observing both inbound and outbound packets, you are also allowed to disable the monitoring on only inbound or outbound packets. If a mirroring port accepts the monitoring on both inbound and outbound packets, disabling only the inbound or outbound packet monitoring on it means that the system is still required to monitor the packets in the opposite direction. In this case, you cannot remove the monitor port.

For more information about the commands described in this section, refer to Command Manual.

2.4.11 Configure Traffic Statistic
You may collect statistics about the traffic of a specified service using traffic statistic. It provides statistics on the forwarded packets matching the specified ACLs. After completing the traffic statistic configuration, you may execute the display qos-interface traffic-statistic command to display the statistics. You may configure traffic statistic using the commands described in the following table. Perform the following configuration in Ethernet interface view.


Table 2-42 Configure traffic statistic

Operation                               Command
Configure traffic statistic.            traffic-statistic inbound { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }
Disable traffic statistic.              undo traffic-statistic inbound { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }
Display traffic statistic information.  display qos-interface [ interface-name | interface-type interface-num ] traffic-statistic

Note: If you choose untrusted mode for a specific traffic in traffic-priority operation, that is, you manually specify a service group for the designated traffic, then the traffic-limit and traffic-statistic operations are invalid for this traffic. If you choose traffic-limit and traffic-statistic, however, then the untrusted mode is invalid.

For more information about the commands of traffic statistics, refer to Command Manual.

2.4.12 Display and Debug QoS
Upon completion of the configuration tasks described above, you may execute the display commands in any view to see the operating information of the QoS configuration and thereby verify its effect. You may execute the reset command in Ethernet interface view to reset the QoS statistics.

Table 2-43 Display and debugging QoS

Operation                                                                                   Command
Display information of all QoS actions.                                                     display qos-global all
Display traffic mirroring information.                                                      display qos-interface [ interface-name | interface-type interface-num ] mirrored-to
Display priority remark information.                                                        display qos-interface [ interface-name | interface-type interface-num ] traffic-priority
Display redirection information.                                                            display qos-interface [ interface-name | interface-type interface-num ] traffic-redirect
Display traffic statistics.                                                                 display qos-interface [ interface-name | interface-type interface-num ] traffic-statistic
Display port mirroring information.                                                         display mirror
Display QoS settings on all the ports.                                                      display qos-interface [ interface-name | interface-type interface-num ] all
Display traffic restraint settings.                                                         display qos-interface [ interface-name | interface-type interface-num ] traffic-limit
Display information of queue scheduling mode and related parameters.                        display qos-interface [ interface-name | interface-type interface-num ] queue-scheduler
Display traffic shaping information on a port.                                              display qos-interface [ interface-name | interface-type interface-num ] traffic-shape
Display the DSCP + conform-level to service and local-precedence + conform-level to CoS maps. display qos conform-level [ conform-level-value ] { dscp-policed-service-map [ dscp-list ] | local-precedence-CoS-map }
Display the CoS to drop-precedence map.                                                     display qos CoS-drop-precedence-map
Display the CoS to local-precedence map.                                                    display qos CoS-local-precedence-map
Reset all the statistic information.                                                        reset traffic-statistic inbound { link-group { acl-number | acl-name } [ rule rule ] | ip-group { acl-number | acl-name } [ rule rule ] }

For more information about the commands described in this table, refer to Command Manual.

2.5 QoS Configuration Example of S3526 Series Switches
2.5.1 Traffic Mirroring Configuration Example
I. Networking requirement
Use a server to monitor the traffic exchanged between two PCs in the time range 8:00 to 18:00. Suppose the IP addresses of the two PCs are 1.1.1.1 and 2.2.2.2 respectively, and the server is attached to the Ethernet0/8 port on the switch, as shown in the following networking diagram.

II. Networking diagram

[Figure: the server is attached to port E0/8 of the switch]

Figure 2-2 Typical access control configuration example

III. Configuration procedure
1) Define a time range.

# Set the time range to 8:00 to 18:00 daily.
[Quidway] time-range huawei 8:00 to 18:00 daily

2) Define rules to be applied to the traffic between the two PCs.

# Access the view of the number-based advanced ACL 3000.
[Quidway] acl number 3000
# Define a traffic classification rule for the traffic from PC1 to PC2.
[Quidway-acl-adv-3000] rule 0 permit ip source 1.1.1.1 0.0.0.0 destination 2.2.2.2 0 time-range huawei
# Define a rule to filter in the traffic from PC2 to PC1 (a distinct rule ID, so that rule 0 is not overwritten).
[Quidway-acl-adv-3000] rule 1 permit ip source 2.2.2.2 0.0.0.0 destination 1.1.1.1 0 time-range huawei

3) Monitor the communication traffic between the PCs, using Ethernet0/8 as the monitor port.
[Quidway] mirrored-to ip-group 3000 interface ethernet0/8

2.6 QoS Configuration Example of S3526E and S3526C
2.6.1 Traffic Policing and Interface Rate Restraint Configuration Example
I. Networking requirement
On a company's intranet illustrated in the following figure, the departments are connected to each other via 100 Mbps ports provided by an Ethernet switch. The pay server of the financial department accesses the intranet through the Ethernet 0/1 port, using the subnet address 129.110.1.2. In this scenario, the traffic each department generates to access the pay server cannot exceed 20 Mbps, and the server cannot send out packets at an average rate greater than 20 Mbps. The priority of the packets beyond the limit will be set to 4.


II. Networking diagram

[Figure: the pay server 129.110.1.2 is attached to port E0/1 of the switch, which connects to the router]

Figure 2-3 QoS configuration example

III. Configuration procedure

Note: The following configuration procedures only give the commands related to QoS and ACL.

1) Restrict the traffic size that the pay server is allowed to send.

# Access the view of the name-based ACL traffic-of-payserver.
[Quidway] acl name traffic-of-payserver advanced
# Define a rule in the traffic-of-payserver ACL.
[Quidway-acl-adv-traffic-of-payserver] rule 1 permit ip source 129.110.1.2 0.0.0.0 destination any

2) Restrict the traffic allowed to access the pay server.

# Restrict the pay server from sending out packets at an average rate greater than 20 Mbps and set the priority of the packets beyond the limit to 4.
[Quidway-Ethernet0/1] traffic-limit inbound ip-group traffic-of-payserver 20 exceed remark-dscp 4
# Restrict the Ethernet 0/1 port from sending packets to the pay server at a rate greater than 20 Mbps.
[Quidway-Ethernet0/1] line-rate 20

2.6.2 Traffic Mirroring Configuration Example
I. Networking requirement
Use a server to monitor the traffic exchanged between two PCs in the time range 8:00 to 18:00. Suppose the IP addresses of the two PCs are 1.1.1.1 and 2.2.2.2 respectively, and the server is attached to the Ethernet0/8 port on the switch, as shown in the following networking diagram.

II. Networking diagram

[Figure: the server is attached to port E0/8 of the switch]

Figure 2-4 QoS configuration example

III. Configuration procedure
1) Define a time range.

# Set the time range to 8:00 to 18:00 daily.
[Quidway] time-range huawei 8:00 to 18:00 daily

2) Define rules to be applied to the traffic between the two PCs.

# Access the view of the number-based advanced ACL 3000.
[Quidway] acl number 3000
# Define a rule to filter in the traffic from PC1 to PC2.
[Quidway-acl-adv-3000] rule 0 permit ip source 1.1.1.1 0.0.0.0 destination 2.2.2.2 0 time-range huawei
# Define a rule to filter in the traffic from PC2 to PC1 (a distinct rule ID, so that rule 0 is not overwritten).
[Quidway-acl-adv-3000] rule 1 permit ip source 2.2.2.2 0.0.0.0 destination 1.1.1.1 0 time-range huawei

3) Monitor the communication traffic between the PCs, using Ethernet0/8 as the monitor port.
[Quidway] mirrored-to ip-group 3000 interface ethernet0/8


2.7 QoS Configuration Example of S3552 Series Switches
2.7.1 Traffic Policing Configuration Example
I. Networking requirement
On a company's intranet illustrated in the following figure, the departments are connected to each other via 100 Mbps ports provided by an Ethernet switch. The pay server of the financial department accesses the intranet through the Ethernet 0/2 port, using the IP address 129.110.1.2. The research and development department connects to the switch through the Ethernet0/1 port. In this scenario, personnel of the research and development department are not allowed to access the pay server during working time (from 8:30 to 18:00), while personnel of other departments are not restricted; the pay server sends out packets at a committed information rate of 200 kbps, a committed burst size of 25000 bytes and an excess burst size of 25000 bytes.

II. Networking diagram

[Figure: the pay server 129.110.1.2 of the financial department on Port 2, the research and development department on Port 1, and the switch (Majordomo, VLAN3) connected to the router]

Figure 2-5 QoS configuration example

III. Configuration procedure

Note: The following configuration procedures only give the commands related to QoS and ACL.

1) Define the working time range.

# Set this time range in system view.
[Quidway] time-range worktime 08:30 to 18:00 working-day

2) Restrict the traffic sent to the pay server.

# Access the view of the name-based ACL traffic-to-payserver.
[Quidway] acl name traffic-to-payserver advanced
# Define a rule in the traffic-to-payserver ACL.
[Quidway-acl-adv-traffic-to-payserver] rule 1 deny ip destination 129.110.1.2 0 time-range worktime

3) Restrict the traffic that the pay server is allowed to send.

# Access the view of the name-based ACL traffic-from-payserver.
[Quidway] acl name traffic-from-payserver advanced
# Define a rule in the traffic-from-payserver ACL.
[Quidway-acl-adv-traffic-from-payserver] rule 1 permit ip source 129.110.1.2 0

4) Restrict the traffic from common personnel accessing the pay server.

# Personnel of the research and development department are not allowed to access the pay server during working time; there is no limitation at other times.
[Quidway-Ethernet0/1] packet-filter inbound ip-group traffic-to-payserver rule 1

5) Restrict the traffic sent out by the pay server.

# Restrict the traffic sent out by the pay server: committed information rate 200 kbps, committed burst size 25000 bytes, excess burst size 25000 bytes.
[Quidway-Ethernet0/2] traffic-limit inbound ip-group traffic-from-payserver rule 1 200 25000 25000

2.7.2 Bi-directional Traffic Limit to Packets on Designated VLAN Configuration Example
I. Networking requirement
Switch port Ethernet0/1 connects to VLAN 10; the upstream port GigabitEthernet1/1 is a trunk port that allows VLAN 10 packets to pass. Implement bi-directional traffic limiting for VLAN 10 by configuring port traffic policing, that is, limit the rate of packets both sent out of and sent to VLAN 10 to 200 kbps.


II. Networking diagram

[Figure: the switch connects to the network through GE1/1; VLAN 10 is attached at E0/1]

Figure 2-6 QoS configuration example

III. Configuration procedure

Note: The following configuration procedures only give the commands related to QoS and ACL.

1) Define the traffic of VLAN 10.

# Create Layer 2 ACL 4000.
[Quidway] acl number 4000
# Define a rule for packets sent out of VLAN 10.
[Quidway-acl-link-4000] rule 1 permit ingress vlan 10
# Define a rule for packets sent to VLAN 10.
[Quidway-acl-link-4000] rule 2 permit egress vlan 10

2) Restrict the rate of traffic sent out of VLAN 10.

# At the Ethernet0/1 port, restrict the rate of traffic sent out of VLAN 10 to 200 kbps, and set the committed burst size and excess burst size to 25000 bytes.
[Quidway-Ethernet0/1] traffic-limit inbound link-group 4000 rule 1 200 25000 25000

3) Restrict the rate of traffic sent to VLAN 10.

# At the GigabitEthernet1/1 port, restrict the rate of traffic sent to VLAN 10 to 200 kbps.
[Quidway-GigabitEthernet1/1] traffic-limit inbound link-group 4000 rule 2 200 25000 25000


2.7.3 Bi-directional Traffic Limit to Packets at Designated Port Configuration Example
I. Networking requirement
Restrict the rate of packets received by the Ethernet0/1 port to 200 kbps and the rate of packets sent by the port to 1300 kbps. The burst size is set to 4 kbytes.

II. Networking diagram

[Figure: the switch connects to one network through GE1/1 and to another through E0/1]

Figure 2-7 QoS configuration example

III. Configuration procedure
1) Define the traffic at Ethernet0/1.

# Create Layer 2 ACL 4000.
[Quidway] acl number 4000
# Define a rule for packets received by Ethernet0/1.
[Quidway-acl-link-4000] rule 1 permit ingress any egress any

2) Restrict the rate of traffic received by Ethernet0/1.

# Restrict the rate of traffic received by Ethernet0/1 to 200 kbps.
[Quidway-Ethernet0/1] traffic-limit inbound link-group 4000 rule 1 200 25000 25000

3) Restrict the rate of traffic sent by Ethernet0/1.

# Restrict the rate of traffic sent by Ethernet0/1 to 1300 kbps, and set the burst size to 4 kbytes.
[Quidway-Ethernet0/1] traffic-shape 1300 4


2.7.4 Priority Marking Configuration Example
I. Networking requirement
Specify a set of service group for the packets sent by PC1 (IP address 1.0.0.2) from 08:00 to 18:00 every day:
   DSCP: ef
   CoS priority: 0
   Local precedence: 0
   Drop precedence: 0

II. Networking diagram

[Figure: GE1/1 uplink; PC1 on E0/1 in VLAN2 (1.0.0.1/8); PC2 on E0/2 in VLAN3 (2.0.0.1/8)]

Figure 2-8 QoS configuration example

III. Configuration procedure
1) Define the time range 8:00 to 18:00.

# Define the time range.
[Quidway] time-range huawei 8:00 to 18:00 daily

2) Define a rule for PC1 packets.

# Access the view of the number-based ACL 2000.
[Quidway] acl number 2000
# Define a rule for classifying PC1 packets.
[Quidway-acl-basic-2000] rule 0 permit ip source 1.0.0.2 0 time-range huawei

3) Retag the packets sent by PC1 with the ef priority.

# Apply the untrusted remark to the traffic classified by ACL 2000 (the ACL defined in step 2).
[Quidway-Ethernet0/1] traffic-priority inbound ip-group 2000 untrusted dscp ef cos 0 local-precedence 0 drop-priority 0

Note: If you choose the untrusted operation for the packets sent by PC1 in traffic-priority, which means you manually designate a set of service group to the packets sent by PC1, then the switch does not allow you to configure a traffic-limit or traffic-statistic action for the packets sent by PC1.


Chapter 3 Logon User ACL Control Configuration
3.1 Overview
As the Ethernet switches launched by Huawei Technologies are used more and more widely in networks, security becomes even more important. The switches provide several logon and device access methods, mainly TELNET access, SNMP access and HTTP access. Security control over these access methods is provided on the switches to prevent illegal users from logging on to and accessing the devices. There are two levels of security control. At the first level, the user connection is filtered with an ACL, so that only legal users can connect to the switch. At the second level, a connected user can log on to the device only if he passes password authentication. This chapter mainly introduces how to configure the first-level security control over these access methods, that is, how to filter the logon users with ACLs. For a detailed description of how to configure the second-level security (password authentication), refer to the "Getting Started" module of the Operation Manual.

3.2 Configure ACL Control over the TELNET User
Configuring ACL control over the TELNET users helps filter out malicious and illegal connection requests before password authentication and so ensures device security. Take the following steps to configure the ACL control over the TELNET users:
1) Define ACLs.
2) Call the ACLs to control the TELNET users.

The following sections introduce the configuration procedures.

3.2.1 Define ACL
You can only call the numbered basic ACL, ranging from 2000 to 2999, to implement ACL control function. You can use the following command to configure the basic ACL. Perform the following configuration in system view.


Table 3-1 Define basic ACL

Operation                                               Command
Enter basic ACL view (from system view)                 acl { number acl-number | name acl-name basic } [ match-order { config | auto } ]
Add a sub-item to the ACL (from basic ACL view)         rule [ rule-id ] { permit | deny } [ source source-addr wildcard | any ] [ fragment ] [ time-range name ]
Delete a sub-item from the ACL (from basic ACL view)    undo rule rule-id [ source ] [ fragment ] [ time-range ]
Delete one ACL or all the ACLs (from system view)       undo acl { number acl-number | name acl-name | all }

In the defining process, you can configure several rules for an ACL, using the rule command repeatedly.

3.2.2 Call ACL to Control TELNET User
To control TELNET users with an ACL, call the defined ACL in user-interface view. You can use the following commands to call an ACL. Perform the following configuration in the corresponding view.

Table 3-2 Call ACL to Control TELNET User

Operation                                      Command
Enter user-interface view (from system view)   user-interface [ type ] first-number [ last-number ]
Call an ACL (from user-interface view)         acl acl-number { inbound | outbound }

For detailed description of the command, refer to the Command Manual.

Note: Only the numbered basic ACL can be called for TELNET user control.

3.2.3 Configuration Example
I. Networking requirements
Only TELNET users from 10.110.100.52 and 10.110.100.46 are permitted to access the switch.


II. Networking diagram

[Figure: the switch is reached by TELNET users over the Internet]

Figure 3-1 Control TELNET user with ACL

III. Configuration procedure
# Define the basic ACL.
[Quidway] acl number 2020 match-order config
[Quidway-acl-basic-2020] rule 1 permit source 10.110.100.52 0
[Quidway-acl-basic-2020] rule 2 permit source 10.110.100.46 0
[Quidway-acl-basic-2020] quit
# Call the ACL on the VTY user interfaces.
[Quidway] user-interface vty 0 4
[Quidway-user-interface-vty0-4] acl 2020 inbound

3.3 Configure ACL Control over the SNMP Users
Huawei Quidway Ethernet switches support remote management with network management software. The network management (NM) users can access the switch with SNMP. Controlling such users with an ACL helps filter out illegal NM users and prevent them from accessing the local switch. Take the following steps to control the SNMP users with an ACL:
1) Define an ACL.
2) Call the ACL to control the SNMP users.

The following sections introduce the configuration procedures.


3.3.1 Define an ACL
You can only call a numbered basic ACL, ranging from 2000 to 2999, to implement the ACL control function. Use the same configuration commands introduced in the previous section.

3.3.2 Call ACL to Control SNMP User
To control the NM users with an ACL, call the defined ACL when configuring the SNMP community name, username, and group name. You can use the following commands to call an ACL. Perform the following configuration in system view.

Table 3-3 Define a numbered basic ACL

Operation: Call an ACL when configuring SNMP community name.
Command: snmp-agent community { read | write } community-name [ [ mib-view view-name ] | [ acl acl-number ] ]*

Operation: Call an ACL when configuring SNMP group name.
Command: snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-list ]
Command: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-list ]

Operation: Call an ACL when configuring SNMP username.
Command: snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-list ]
Command: snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 | sha } auth-password ] [ privacy-mode des56 priv-password ] [ acl acl-list ]

The SNMP community name attribute is a feature of SNMP V1. Therefore, calling an ACL in the SNMP community name configuration filters access from SNMP V1 network management systems. The SNMP group name and username attributes are features of SNMP V2C and above. Therefore, calling an ACL in the SNMP group name and username configuration filters access from network management systems of SNMP V2C or higher. If you configure ACL control in both kinds of command, the switch filters the NM users by both features.

Note: You can call different ACLs for the above mentioned commands.

For more about the commands, refer to the Command Manual.


Note: Only the numbered basic ACL can be called for network management user control.

3.3.3 Configuration Example
I. Networking requirements
Only permit SNMP users from 10.110.100.52 and 10.110.100.46 to access the switch.

II. Networking diagram

(Figure: the Internet connected to the Switch)

Figure 3-2 Control SNMP user with ACL

III. Configuration procedure
# Define the basic ACLs.
[Quidway] acl number 2020 match-order config
[Quidway-acl-basic-2020] rule 1 permit source 10.110.100.52 0
[Quidway-acl-basic-2020] rule 2 permit source 10.110.100.46 0
[Quidway-acl-basic-2020] quit
# Call the basic ACLs.
[Quidway] snmp-agent community read huawei acl 2020
[Quidway] snmp-agent group v2c huaweigroup acl 2020
[Quidway] snmp-agent usm-user v2c huaweiuser huaweigroup acl 2020
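As an added example (not code from the manual or from Huawei), the following Python model reproduces the decision a numbered basic ACL makes for a TELNET source (section 3.2) and the version-dependent SNMP checks of section 3.3.2, using the ACL 2020 configured above. The inverse-mask wildcard matching, the match-order semantics, the denial of an unmatched source and the "user ACL and group ACL must both permit" rule are assumptions, labelled in the code.

```python
"""Added example, not the manual's or Huawei's own code: a model of how a
numbered basic ACL accepts or rejects a management session (TELNET or SNMP).

Assumptions (not stated by the manual, labelled here):
  * "source A W" matches address X where X and A agree on every bit that is 0
    in the wildcard W (an inverse mask), so "source 10.110.100.52 0" is exact;
  * match-order config = rule-id order; auto = most specific rule first;
  * a source matching no rule is treated as denied;
  * for v2c/v3 the user ACL and the group ACL must both permit.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


def _addr(text: str) -> IPv4Address:
    # the CLI accepts the shorthand "0" for the wildcard 0.0.0.0
    return IPv4Address(0) if text == "0" else IPv4Address(text)


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                              # "permit" or "deny"
    source: Optional[IPv4Address] = None     # None stands for "any"
    wildcard: IPv4Address = IPv4Address("255.255.255.255")

    def matches(self, addr: IPv4Address) -> bool:
        if self.source is None:
            return True
        care = 0xFFFFFFFF ^ int(self.wildcard)   # bits that must agree
        return (int(addr) & care) == (int(self.source) & care)

    def specificity(self) -> int:
        # number of address bits the rule pins down; used by match-order auto
        return 0 if self.source is None else 32 - bin(int(self.wildcard)).count("1")


@dataclass
class BasicAcl:
    number: int
    match_order: str = "config"
    rules: List[Rule] = field(default_factory=list)

    def __post_init__(self) -> None:
        # only numbered basic ACLs 2000-2999 may be called for login control
        if not 2000 <= self.number <= 2999:
            raise ValueError("basic ACL number must be in 2000-2999")

    def rule(self, rule_id: int, action: str, source: Optional[str] = None,
             wildcard: str = "0") -> "BasicAcl":
        src = None if source is None else _addr(source)
        self.rules.append(Rule(rule_id, action, src, _addr(wildcard)))
        return self

    def _ordered(self) -> List[Rule]:
        if self.match_order == "auto":
            return sorted(self.rules, key=lambda r: (-r.specificity(), r.rule_id))
        return sorted(self.rules, key=lambda r: r.rule_id)

    def evaluate(self, source: str) -> str:
        addr = IPv4Address(source)
        for r in self._ordered():
            if r.matches(addr):
                return r.action
        return "deny"                        # assumption: unmatched is denied


@dataclass
class SnmpAgent:
    """Which ACL applies depends on the SNMP version, as section 3.3.2 describes."""
    community_acl: Dict[str, Optional[BasicAcl]] = field(default_factory=dict)
    group_acl: Dict[str, Optional[BasicAcl]] = field(default_factory=dict)
    users: Dict[str, Tuple[str, Optional[BasicAcl]]] = field(default_factory=dict)

    @staticmethod
    def _permitted(acl: Optional[BasicAcl], source: str) -> bool:
        return acl is None or acl.evaluate(source) == "permit"

    def accept(self, version: str, source: str, community: str = "",
               user: str = "") -> bool:
        if version == "v1":                  # community name is a v1 feature
            if community not in self.community_acl:
                return False
            return self._permitted(self.community_acl[community], source)
        if user not in self.users:           # v2c/v3 use usm-user and group
            return False
        group, user_acl = self.users[user]
        return (self._permitted(user_acl, source)
                and self._permitted(self.group_acl.get(group), source))


# The manual's 3.3.3 example, rebuilt with the model above.
ACL_2020 = (BasicAcl(2020, "config")
            .rule(1, "permit", "10.110.100.52", "0")
            .rule(2, "permit", "10.110.100.46", "0"))
AGENT = SnmpAgent(community_acl={"huawei": ACL_2020},
                  group_acl={"huaweigroup": ACL_2020},
                  users={"huaweiuser": ("huaweigroup", ACL_2020)})

if __name__ == "__main__":
    for src in ("10.110.100.52", "10.110.100.53"):
        print(src, "telnet:", ACL_2020.evaluate(src),
              "snmp v1:", AGENT.accept("v1", src, community="huawei"),
              "snmp v2c:", AGENT.accept("v2c", src, user="huaweiuser"))
```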


3.4 Configure ACL Control over the HTTP Users
Quidway Ethernet switches support remote management through the WEB. The users can access the switch through HTTP. Controlling such users with an ACL helps filter out illegal users and prevents them from accessing the local switch. After ACL control is configured for these users, the switch allows only one WEB user to access the Ethernet switch at a time. Take the following steps to control the HTTP users with an ACL:
1) Define an ACL
2) Call ACLs to control the HTTP user

The following sections introduce the configuration procedures.

3.4.1 Define an ACL
So far, you can only call a numbered basic ACL, ranging from 2000 to 2999, to implement the ACL control function. Use the same configuration commands introduced in the previous section.

3.4.2 Call ACL to Control HTTP User
To control the WEB network management users with an ACL, call the defined ACL. You can use the following commands to call an ACL. Perform the following configuration in system view.

Table 3-4 Call ACL to Control HTTP User

Operation: Call an ACL to control the WEB NM users.
Command: ip http acl acl-number

Operation: Cancel the ACL control function.
Command: undo ip http acl

For more about the commands, refer to the Command Manual.

Note: Only the numbered basic ACL can be called for WEB NM user control.


3.4.3 Configuration Example
I. Networking requirements
Only permit the WEB NM user from 10.110.100.46 to access the switch.

II. Networking diagram

(Figure: the Internet connected to the Switch)

Figure 3-3 Control WEB NM user with ACL

III. Configuration procedure
# Define the basic ACL.
[Quidway] acl number 2030 match-order config
[Quidway-acl-basic-2030] rule 1 permit source 10.110.100.46 0
[Quidway-acl-basic-2030] quit
# Call the basic ACL.
[Quidway] ip http acl 2030


HUAWEI

Quidway S3500 Series Ethernet Switches Operation Manual

8. Integrated management

Operation Manual - Integrated Management Quidway S3500 Series Ethernet Switches

Table of Contents

Chapter 1 Stack Function Configuration ... 1-1
  1.1 Stack Function Overview ... 1-1
  1.2 Configure Stack Function ... 1-1
    1.2.1 Configure IP Address Pool for the Stack ... 1-1
    1.2.2 Enable/Disable a Stack ... 1-2
    1.2.3 Switch to a Slave Switch view to Perform the Configuration ... 1-2
  1.3 Display and Debug Stack Function ... 1-3
  1.4 Stack Function Configuration Example ... 1-3
Chapter 2 HGMP V2 Configuration ... 2-1
  2.1 HGMP V2 Overview ... 2-1
    2.1.1 Overview ... 2-1
    2.1.2 Role of Switch ... 2-1
    2.1.3 Functions ... 2-3
  2.2 Configure NDP ... 2-4
    2.2.1 NDP Overview ... 2-4
    2.2.2 Enable/Disable System NDP ... 2-5
    2.2.3 Enable/Disable Port NDP ... 2-5
    2.2.4 Set NDP Holdtime ... 2-6
    2.2.5 Set NDP Timer ... 2-6
    2.2.6 Display and Debug NDP ... 2-6
  2.3 Configure NTDP ... 2-7
    2.3.1 NTDP Overview ... 2-7
    2.3.2 Enable/Disable System NTDP ... 2-8
    2.3.3 Enable/Disable Port NTDP ... 2-8
    2.3.4 Set Hop Number for Topology Collection ... 2-9
    2.3.5 Set hop-delay and port-delay for Collected Device to Forward Topology Collection Request ... 2-9
    2.3.6 Set Topology Collection Interval ... 2-10
    2.3.7 Start manually Topology Information Collection ... 2-10
    2.3.8 Display and Debug NTDP ... 2-11
  2.4 Configure Cluster ... 2-11
    2.4.1 Cluster Overview ... 2-11
    2.4.2 Enable/Disable Cluster Function ... 2-12
    2.4.3 Enter cluster view ... 2-12
    2.4.4 Configure Cluster IP Address Pool ... 2-13
    2.4.5 Name Administrator device and Cluster ... 2-13
    2.4.6 Add/Delete a Cluster Member device ... 2-14

    2.4.7 Set up a Cluster Automatically ... 2-14
    2.4.8 Set Cluster Holdtime ... 2-15
    2.4.9 Set Cluster Timer to Specify the Handshaking Message Interval ... 2-15
    2.4.10 Configure Remote Control over the Member device ... 2-16
    2.4.11 Configure the Cluster Server and Network Management and Log Hosts ... 2-17
    2.4.12 Member Accessing ... 2-17
    2.4.13 Display and Debug Cluster ... 2-18
  2.5 HGMP V2 Configuration Example ... 2-18

Chapter 1 Stack Function Configuration
1.1 Stack Function Overview
A stack is a management domain including several Ethernet switches (one main switch and some slave switches) connected through stack ports. The stacked Ethernet switches act as one set of equipment, and the user can manage them through the main switch. When several Ethernet switches are connected through stack ports, the user can perform the configuration on one switch and set that switch as the main switch of the stack. A stack is created as follows. First, the user sets the optional IP address pool for the stack and enables the stack function. Then the system automatically adds the switches connected to the stack ports of the main switch to the stack. The main switch automatically distributes a usable IP address to each slave switch as it joins the stack. If a new switch is connected to the main switch via a stack port after the stack is established, the system automatically adds the new switch to the stack. The connection of a stack port automatically establishes the stack relationship. If the stack port of a slave switch is disconnected, that slave switch exits the stack automatically.

1.2 Configure Stack Function
The stack function configuration includes:
Configure IP address pool for the stack
Enable/Disable a stack
Switch to a slave switch view to perform the configuration

1.2.1 Configure IP Address Pool for the Stack
Before enabling a stack, the user shall set an optional IP address range for a stack first. Then the main switch will automatically assign the slave switches with an IP address in the range, when the slave switches are added to the stack. Perform the following configuration in system view.

Table 1-1 Configure IP address pool for the stack
Operation: Configure IP address range for a stack
Command: stacking ip-pool from-ip-address ip-address-number [ ip-mask ]

Operation: Restore to the default IP address range
Command: undo stacking ip-pool

Before setting up a stack, the user should configure a public IP address pool for the slave switch of the stack. Please note that the above configurations can only be performed on the non-stack switches. After a stack is enabled, the user is prevented from modifying the IP address pool.

1.2.2 Enable/Disable a Stack
When the user enables a stack with the following command, the system automatically adds the switches connected to the main switch via stack ports to the stack. After a stack has been enabled, if a stack port is disconnected, the slave switch exits the stack automatically. Perform the following configuration in system view.

Table 1-2 Enable/Disable a stack

Operation: Enable a stack
Command: stacking enable

Operation: Disable a stack
Command: undo stacking enable

Please note that you can only operate on the main switch to disable a stack.

1.2.3 Switch to a Slave Switch view to Perform the Configuration
The following command can be used to switch from the main switch view to a slave switch view to change the configuration. Please perform the following configuration in user view.

Table 1-3 Switch to a slave switch view to perform the configuration

Operation: Switch to a slave switch view to perform the configuration
Command: stacking num

Please note that the above command can only be used for switching from the main switch view to a slave switch view and the user level remains the same after switching. To switch from a slave switch view back to a main switch view, input quit.

1.3 Display and Debug Stack Function
After the above configuration, execute the display command in any view to display the running of the stack configuration and to verify the effect of the configuration.

Table 1-4 Display and Debug Stack Function

Operation: Display the stack state information on the main switch
Command: display stacking [ members ]

Operation: Display the stack state information on a slave switch
Command: display stacking

When this command is used on the main switch without the parameter members, the displayed information indicates that the local switch is the main switch and shows the number of switches in the stack. With members, the command displays the member information of the stack, including the stack number of the main/slave switches, stack name, stack device name, MAC address and status, etc. When the command is used on a slave switch, the displayed information shows that the switch is a slave in the stack, its stack number and the MAC address of the main switch in the stack.

1.4 Stack Function Configuration Example
I. Networking requirements
Switch A, Switch B, and Switch C are stacked together through the stack ports. Switch A is the main switch. Switch B and Switch C are slave switches. The network administrator manages Switch B and Switch C through Switch A.

II. Networking diagram

(Figure: the Internet connected to Switch A, with Switch B and Switch C stacked below Switch A)

Figure 1-1 Stack configuration example

III. Configuration procedure
# Configure IP address pool for the stack on Switch A.
[Quidway] stacking ip-pool 129.10.1.1 5
# Enable a stack on Switch A.
[Quidway] stacking enable
# Display stack information on the main switch, Switch A.
<stack_0.Quidway> display stacking
Main device for stack.
Total members:3

# Display stack member information on the main switch, Switch A.
<stack_0.Quidway> display stacking members
Member number: 0
Name:stack_0.Quidway
Device: Switch A
MAC Address:00e0-fc07-0bc0
Member status:Cmdr

Member number: 1
Name:stack_1.Quidway
Device: Switch B
MAC Address:00e0-fc07-58a0
Member status:Up

Member number: 2
Name:stack_2.Quidway
Device: Switch C
MAC Address:00e0-fc07-58a1
Member status:Up

# Switch to the slave switch, Switch B, to perform the configuration.
<stack_0.Quidway> stacking 1
<stack_1.Quidway>
# Display stack information on the slave switch, Switch B.
<stack_1.Quidway> display stacking
Slave device for stack.
Member number: 1
Main switch mac address:00e0-fc07-0bc0

# Switch back to the main switch, Switch A, to perform the configuration.
<stack_1.Quidway> quit
<stack_0.Quidway>
# Switch to the slave switch, Switch C, to perform the configuration.
<stack_0.Quidway> stacking 2
<stack_2.Quidway>
# Switch back to the main switch, Switch A, to perform the configuration.
<stack_2.Quidway> quit
<stack_0.Quidway>

Chapter 2 HGMP V2 Configuration
2.1 HGMP V2 Overview
2.1.1 Overview
By HGMP V2 function, the network administrator can manage multiple switches at a managing switch with a public IP address. The managing switch is called administrator device and the managed switches are called member devices. Generally, you do not assign public IP addresses for the member devices. The management and maintenance over the member devices are implemented through redirection of administrator device. An administrator device and several member devices compose a cluster. The figure below illustrates a typical application of the cluster.
(Figure: a network management device at 69.110.1.100 reaches the cluster over the network through the administrator device at 69.110.1.1; the cluster contains the administrator device and several member devices, with a candidate device outside it)

Figure 2-1 A cluster

2.1.2 Role of Switch
The switches in a cluster have different status and functions and play different roles. You can configure the role of a specified switch. And the switches can also change their roles by some defined rules.

The roles in a cluster include administrator device, member device and Candidate device.

Administrator device: Configured with a public network IP address and providing the management interface for all the switches in the cluster. The administrator device manages the member devices through command redirection, that is, the administrator device receives and processes the management commands from the network, and if a command is destined for a member device, the administrator device forwards it to that member device. The administrator device has functions such as discovering adjacency information, collecting the topology of the whole network, managing the cluster, maintaining the cluster status and supporting different agents.

Member device: A member of a cluster, not assigned a public IP address, managed through the administrator device's command redirection. The member device has functions such as discovering adjacency information, being managed by the administrator device, executing the commands delivered by the proxy and reporting failures/logs, etc.

Candidate device: Not a member of any cluster yet, but member-capable, that is, able to become a member device of a cluster.

The following figure illustrates the rules of role switchover.

(Figure: the Candidate device, Administrator (command) device and Member device roles, with their transitions: a Candidate device designated as administrator device becomes the Administrator device; a Candidate device added to a cluster becomes a Member device; an Administrator device or Member device removed from the cluster becomes a Candidate device again)

Figure 2-2 Rules of changing roles

There must be a unique administrator device configured for every cluster. The designated administrator device identifies and discovers the Candidate devices by collecting NDP/NTDP information. You can configure a Candidate device as a member device of the cluster. After being added to a cluster, the Candidate device becomes a member device. If a member device is deleted from the cluster, it becomes a Candidate device again.

Note: To configure the cluster function, perform the following operations on the administrator device:
1) Enable system NDP and port NDP
2) Configure NDP parameters
3) Enable system NTDP and port NTDP
4) Configure NTDP parameters
5) Enable the cluster function
6) Configure cluster parameters
And perform the following operations on the member devices and Candidate devices:
1) Enable system NDP and port NDP
2) Enable system NTDP and port NTDP
3) Enable the cluster function

2.1.3 Functions
The advantages of HGMP V2 are as follows:
Streamlining the configuration management tasks: You simply configure a public network IP address for the administrator device and thereby implement the configuration and management of multiple switches. There is no need to log in to each member device and perform the configuration on its Console port separately.
Providing topology discovery and display, which is useful for network display and debugging.
Saving IP addresses.
Performing software upgrade and parameter configuration on multiple switches simultaneously.
Independence of network topology and distance.
The HGMP V2 management has the following functions:
Network topology discovery
Network topology collection
Member identification
Membership management
The functions are described in detail as follows:
Network topology discovery is implemented by NDP (Neighbor Discovery Protocol). It is used for discovering the information of the directly connected neighbors, including the device type, software/hardware version and connecting port of the adjacent devices, and for providing the information concerning device ID, port address, device capability and hardware platform, etc.

Network topology collection is implemented by NTDP. It is used for collecting the information concerning device connections and the Candidate devices. It can also be used for setting the hops for topology discovery. Member identification locates every member device in the cluster, so that the administrator device can identify them and deliver the configuration and management commands to them. Membership management includes adding or removing a member, the member device authenticating the administrator device, the handshake interval, etc. The following sections describe the detailed configuration of the cluster management functions.

2.2 Configure NDP
2.2.1 NDP Overview
NDP is the protocol for discovering the related information of the adjacent nodes. NDP runs on the data link layer, so it supports different network layer protocols. NDP is used for discovering the information of the directly connected neighbors, including the device type, software/hardware version, and connecting port of the adjacent devices. It can also provide the information concerning device ID, port address, device capability and hardware platform, etc. All the devices supporting NDP maintain an NDP information table. A table entry is removed by NDP automatically when its aging timer expires. You can also clear the current NDP information to collect new adjacency information. A device running NDP regularly broadcasts packets carrying NDP data to all the activated ports. The packet carries the holdtime, indicating how long the receiving device has to keep the updated data. The receiver only keeps the information in the NDP packet but does not forward it. The corresponding entry in the NDP table is updated with the arriving information. If the new information is the same as the old one, only the holdtime is updated. NDP configuration includes:
Enable/Disable system NDP
Enable/Disable port NDP
Set NDP Holdtime
Set NDP timer

Note: On an administrator device, you need to enable system NDP and port NDP and also configure the NDP parameters. On a member device, however, you only have to enable NDP on the device and on the corresponding ports. As the protocol runs, the member device adopts the parameters of the administrator device.

2.2.2 Enable/Disable System NDP
To collect NDP information of the adjacent devices on any port, NDP must be enabled globally. With system NDP, the NDP information is collected periodically and can be queried by the user. After system NDP is disabled, all the NDP information on the switch is cleared and the switch no longer processes any NDP packets. Perform the following configuration in system view.

Table 2-1 Enable/Disable system NDP

Operation: Enable System NDP.
Command: ndp enable [ interface port-list ]

Operation: Disable System NDP.
Command: undo ndp enable [ interface port-list ]

By default, System NDP is enabled.

2.2.3 Enable/Disable Port NDP
You can set the port NDP enable/disable state to decide on which ports adjacent node information is collected. After system NDP and port NDP have been enabled, the NDP information of the adjacent node is collected for the port regularly. If port NDP is disabled, NDP information cannot be collected or transmitted on this port. Perform the following configuration in Ethernet port view.

Table 2-2 Enable/Disable NDP on a Port

Operation: Enable port NDP
Command: ndp enable

Operation: Disable port NDP
Command: undo ndp enable

By default, port NDP is enabled.

2.2.4 Set NDP Holdtime
The NDP holdtime specifies how long the adjacent node may keep the local node information. The adjacent device learns the holdtime from the received NDP packet and discards the information when it expires. Perform the following configuration in system view.

Table 2-3 Set NDP Holdtime

Operation: Set NDP Holdtime
Command: ndp timer aging aging-in-secs

Operation: Restore the default NDP holdtime.
Command: undo ndp timer aging

Note that the NDP holdtime should be longer than the NDP timer (described in the following section); otherwise the NDP information table will be unstable. By default, NDP information is held for up to 180 seconds.

2.2.5 Set NDP Timer
The NDP information of the adjacent nodes must be updated frequently to guarantee timely updating of the local information. You can use the following command to decide how often the NDP information is updated. Perform the following configuration in system view.

Table 2-4 Set NDP timer

Operation: Set NDP timer
Command: ndp timer hello seconds

Operation: Set the NDP timer back to the default setting
Command: undo ndp timer hello

Note that the NDP timer should be shorter than the NDP holdtime (described in the previous section); otherwise the NDP information table will be unstable. By default, NDP packets are transmitted every 60 seconds.
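As an added example (not from the manual), the following tick-by-tick simulation of one device's NDP information table shows what the holdtime/timer relationship above means in practice: with the defaults (hello 60 s, holdtime 180 s) the neighbour entry survives a lost hello, while a holdtime shorter than the timer makes the entry flap. The refresh and expiry arithmetic and the constructed neighbour data are assumptions.

```python
"""Added example, not the manual's or Huawei's code: a simulation of one
device's NDP information table, showing why the NDP holdtime (ndp timer aging)
must be longer than the NDP timer (ndp timer hello) and what margin the
defaults leave.

Assumptions labelled here (the manual describes the behaviour, the tick model
and the sample data are constructed): the neighbour sends a hello every
`hello` seconds carrying the holdtime; the receiver keeps the entry until
arrival time + holdtime, refreshes only the expiry when the content is
unchanged, replaces the content otherwise, and drops the entry on expiry.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

DEFAULT_HELLO = 60       # ndp timer hello, seconds
DEFAULT_HOLDTIME = 180   # ndp timer aging, seconds


@dataclass
class Entry:
    info: Dict[str, str]
    expires_at: int
    content_updates: int = 0


class NdpTable:
    def __init__(self) -> None:
        self.entries: Dict[str, Entry] = {}

    def receive(self, now: int, device_id: str, info: Dict[str, str],
                holdtime: int) -> None:
        entry = self.entries.get(device_id)
        if entry is None:
            self.entries[device_id] = Entry(dict(info), now + holdtime)
        elif entry.info == info:
            entry.expires_at = now + holdtime   # same data: only the holdtime is refreshed
        else:
            entry.info = dict(info)             # changed data: entry content replaced
            entry.expires_at = now + holdtime
            entry.content_updates += 1

    def age(self, now: int) -> List[str]:
        """Remove entries whose holdtime has run out; returns the removed ids."""
        expired = [d for d, e in self.entries.items() if e.expires_at <= now]
        for d in expired:
            del self.entries[d]
        return expired


def simulate(hello: int, holdtime: int, duration: int,
             dropped: FrozenSet[int] = frozenset()) -> Tuple[int, int]:
    """Feed one neighbour's hellos (minus those whose send second is in
    `dropped`) into a table for `duration` seconds.
    Returns (times the neighbour aged out, seconds it was missing from the table)."""
    table = NdpTable()
    info = {"type": "S3500", "port": "Ethernet0/1"}   # constructed neighbour data
    losses = absent = 0
    for now in range(duration + 1):
        if table.age(now):
            losses += 1
        if now % hello == 0 and now not in dropped:
            table.receive(now, "SwitchB", info, holdtime)
        if "SwitchB" not in table.entries:
            absent += 1
    return losses, absent


if __name__ == "__main__":
    print("defaults        :", simulate(DEFAULT_HELLO, DEFAULT_HOLDTIME, 600))
    print("holdtime < hello:", simulate(60, 30, 600))
    print("one lost hello  :", simulate(DEFAULT_HELLO, DEFAULT_HOLDTIME, 600, frozenset({60})))
    print("two lost hellos :", simulate(DEFAULT_HELLO, DEFAULT_HOLDTIME, 600, frozenset({60, 120})))
```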

2.2.6 Display and Debug NDP
After the above configuration, execute display command in any view to display the running of the NDP configuration, and to verify the effect of the configuration. Execute reset command in user view to clear the statistics of NDP module. Execute debugging command in user view to debug the NDP module.

Table 2-5 Display and Debug NDP
Operation: Display global NDP configuration information (including NDP timer and holdtime).
Command: display ndp

Operation: Display the information about the ports enabled with NDP
Command: display ndp interface port-list

Operation: Clear NDP counters.
Command: reset ndp statistics

Operation: Enable/Disable Debugging NDP
Command: [ undo ] debugging ndp packet [ interface port-list ]

2.3 Configure NTDP
2.3.1 NTDP Overview
Neighbor Topology Discovery Protocol (NTDP) is a protocol for network topology information collection. NTDP provides the information of devices available to join the cluster and collects the information about switches within the specified hops for cluster management. Using the adjacency table information provided by NDP, NTDP transmits and forwards NTDP topology collection requests to collect the NDP information and neighboring connection information of every device in a certain network. After the information is collected, the administrator device or the network administrator can perform some functions accordingly. When the NDP on a member device finds a change of neighbor, it advertises the change to the administrator device by a handshake message. The administrator device can then run NTDP to collect the specified topology and show the network topology changes in time. NTDP configuration includes:
Enable/Disable Global NTDP
Enable/Disable NTDP on a Port
Set hop number for topology collection
Set delay for collected device to forward topology collection request
Set delay for collected port to forward topology collection request
Set topology collection interval
Start topology information collection

Note: On an administrator device, you need to enable system NTDP and port NTDP and also configure the NTDP parameters. On a member device, however, you only have to enable system NTDP and the corresponding port NTDP. As the protocol runs, the member device adopts the parameters of the administrator device.

2.3.2 Enable/Disable System NTDP
Before a device can process NTDP packets, you must enable system NTDP first. After system NTDP is disabled, all the NTDP information on the switch is cleared, and the switch discards all NTDP packets and stops transmitting NTDP requests. Perform the following configuration in system view.

Table 2-6 Enable/Disable System NTDP

Operation: Enable System NTDP
Command: ntdp enable

Operation: Disable System NTDP
Command: undo ntdp enable

By default, the System NTDP is enabled.

2.3.3 Enable/Disable Port NTDP
You can use the following command to enable/disable port NTDP and so decide on which ports NTDP packets are transmitted, received and forwarded. After system NTDP and port NTDP have been enabled, NTDP packets can be transmitted, received and forwarded via the port. After NTDP is disabled on the port, the port no longer processes NTDP packets. Perform the following configuration in Ethernet port view.

Table 2-7 Enable/Disable port NTDP

Operation: Enable port NTDP
Command: ntdp enable

Operation: Disable port NTDP
Command: undo ntdp enable

Note that in some cases only the topology connected to the downlink ports needs to be collected, without regard for that connected to the uplink. In this case, NTDP should be disabled on the uplink ports.
By default, port NTDP is enabled on the ports supporting NDP. If you enable NTDP on a port not supporting NDP, NTDP cannot be run.

2.3.4 Set Hop Number for Topology Collection
You can set a limit on the hops for topology collection, so that only the topology information of the devices within the specified hops is collected and unbounded collection is avoided. The collection scope is limited by setting the hop limit for discovery, counted from the switch originating the collection. For example, if you set the hop limit to 2, only the switches within 2 hops of the first switch transmitting the topology collection request are collected. Perform the following configuration in system view.

Table 2-8 Set hop number for topology collection

Operation: Set hop number for topology collection.
Command: ntdp hop hop-value

Operation: Restore the default hop number for topology collection.
Command: undo ntdp hop

Note that this setting takes effect only on the switch that first transmits the topology collection request; normally the administrator device of a cluster launches the collection. A broader collection scope requires more memory on the collecting device. By default, the topology information of switches within 3 hops of the collecting switch is collected.

2.3.5 Set Hop Delay and Port Delay for a Collected Device to Forward Topology Collection Requests
When a topology request is disseminated over the network, many devices may receive it at the same time and respond at once, which can congest the network and overload the topology collector. To avoid this, every device that receives a topology request waits for a duration (the hop delay) before forwarding it via its first port, then waits for another duration (the port delay) before forwarding it via the next port, and so on. The following commands set the hop delay and port delay used by the current device when forwarding topology collection requests. Perform the following configuration in system view.

Table 2-9 Set delay for collected device to forward topology collection request

  Operation                                                                        Command
  Set the delay for a collected device to forward a topology collection request    ntdp timer hop-delay time
  Restore the default device delay                                                 undo ntdp timer hop-delay
  Set the delay for a collected port to forward a topology collection request      ntdp timer port-delay time
  Restore the default port delay                                                   undo ntdp timer port-delay

By default, a collected device forwards the topology request after a delay of 200 ms, and each collected port forwards it after a further delay of 20 ms.
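The following Python script is an added illustration, not code from the Quidway manual or its software. It simulates how a topology collection request spreads under the hop limit of 2.3.4, the hop delay and port delay of 2.3.5 and the per-port enable switch of 2.3.3, and shows why disabling NTDP on an uplink port keeps the upstream device out of the collection. The device names, port names and topology are constructed for the example. Zero link latency, forwarding of only the first copy of a request, never forwarding back out of the receiving port and no hop delay on the originator are assumptions that the manual does not state.

```python
"""Simulation of NTDP topology-collection request dissemination (added example)."""
import heapq
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample topology, not from the manual.  device -> ordered list of
# (local port, neighbour, neighbour port); list order is the forwarding order,
# so the port delay accumulates down the list.
SAMPLE_TOPOLOGY: Dict[str, List[Tuple[str, str, str]]] = {
    "admin": [("Ethernet0/1", "m1", "Ethernet1/1"),
              ("Ethernet0/2", "m2", "Ethernet1/1"),
              ("Ethernet1/1", "core", "GigabitEthernet1/1")],   # uplink
    "m1":    [("Ethernet1/1", "admin", "Ethernet0/1"),
              ("Ethernet0/1", "m3", "Ethernet1/1")],
    "m2":    [("Ethernet1/1", "admin", "Ethernet0/2")],
    "m3":    [("Ethernet1/1", "m1", "Ethernet0/1")],
    "core":  [("GigabitEthernet1/1", "admin", "Ethernet1/1")],
}


def collect_topology(topology: Dict[str, List[Tuple[str, str, str]]],
                     origin: str, hop_limit: int,
                     hop_delay_ms: int = 200, port_delay_ms: int = 20,
                     ntdp_disabled_ports: FrozenSet[Tuple[str, str]] = frozenset(),
                     ntdp_disabled_devices: FrozenSet[str] = frozenset()
                     ) -> Dict[str, Tuple[int, int]]:
    """Return {device: (hops from origin, ms at which its first request arrived)}.

    Assumed (not stated in the manual): zero link latency, a device forwards only
    the first copy of a request and never back out of the port it arrived on, and
    the originator applies no hop delay to itself.
    """
    collected = {origin: (0, 0)}
    events: List[Tuple[int, int, str, str, int]] = []   # (ms, seq, device, in_port, hops left)
    seq = 0

    def forward(device: str, in_port: str, hops_left: int, start_ms: int) -> None:
        nonlocal seq
        t = start_ms                                 # first port: no extra wait
        for port, nbr, nbr_port in topology[device]:
            if port == in_port or (device, port) in ntdp_disabled_ports:
                continue                             # port NTDP off: nothing sent here
            heapq.heappush(events, (t, seq, nbr, nbr_port, hops_left))
            seq += 1
            t += port_delay_ms                       # each further port waits a port delay

    if hop_limit >= 1:
        forward(origin, "", hop_limit, 0)
    while events:
        t, _, device, in_port, hops_left = heapq.heappop(events)
        if device in ntdp_disabled_devices or (device, in_port) in ntdp_disabled_ports:
            continue                                 # system/port NTDP off: packet dropped
        if device in collected:
            continue                                 # already handled an earlier copy
        collected[device] = (hop_limit - hops_left + 1, t)
        if hops_left > 1:                            # hop limit not yet exhausted
            forward(device, in_port, hops_left - 1, t + hop_delay_ms)
    return collected


def scenarios():
    """Full collection, a tighter hop limit, and NTDP disabled on the uplink port."""
    full = collect_topology(SAMPLE_TOPOLOGY, "admin", hop_limit=2)
    one_hop = collect_topology(SAMPLE_TOPOLOGY, "admin", hop_limit=1)
    downlink_only = collect_topology(SAMPLE_TOPOLOGY, "admin", hop_limit=2,
                                     ntdp_disabled_ports=frozenset({("admin", "Ethernet1/1")}))
    return full, one_hop, downlink_only


if __name__ == "__main__":
    for name, result in zip(("full", "one_hop", "downlink_only"), scenarios()):
        print(name, result)
```

With the default delays, the three devices one hop away are reached at 0, 20 and 40 ms (one port delay apart), and the device two hops away is reached 200 ms later because m1 waits a full hop delay before forwarding. Lowering the hop limit to 1 drops m3 from the result; disabling NTDP on the administrator's Ethernet1/1 drops core while leaving the downlink side untouched.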

2.3.6 Set Topology Collection Interval
To learn global topology changes in time, the topology information throughout the specified scope must be collected periodically. Perform the following configuration in system view.

Table 2-10 Set topology collection interval

  Operation                                            Command
  Set topology collection interval (in minutes)        ntdp timer interval-in-mins
  Restore the default topology collection interval     undo ntdp timer

By default, the topology collection interval is 0, that is, no periodic topology collection is performed.

2.3.7 Start Topology Information Collection Manually
After the topology collection interval is specified, NTDP automatically and periodically collects topology information throughout the network. NTDP also provides a command for collecting the network topology manually. Whenever you want to collect the network topology information for device management and monitoring, use the following command to start the process. Perform the following configuration in user view.

Table 2-11 Start topology information collection

  Operation                                Command
  Start topology information collection    ntdp explore


2.3.8 Display and Debug NTDP
After the above configuration, execute display command in any view to display the running of the NTDP configuration, and to verify the effect of the configuration.

Table 2-12 Display and Debug NTDP

  Operation                                            Command
  Display global NTDP information                      display ntdp
  Display the device information collected by NTDP     display ntdp device-list [ verbose ]

When display ntdp device-list is executed without the verbose parameter, it lists the devices collected by NTDP; with verbose, it displays detailed information about each collected device.

2.4 Configure Cluster
2.4.1 Cluster Overview
This section describes the configuration of cluster management, including how to enable and set up a cluster, how to configure the public network IP address of the administrator device, how to add and delete cluster members, and how to configure the handshake interval.

Every cluster has exactly one administrator device, which must be designated before the cluster is created. The administrator device is the single entry and exit point for access to the cluster members: a user on the external network accesses, configures, manages and monitors the members through it. The administrator device recognizes and controls all the local members regardless of where they are located on the network or how they are connected. It is also responsible for collecting topology information about all members and candidate devices, which is useful when establishing a cluster; it learns the network topology through NDP/NTDP information collection.

Before performing any other configuration task, enable the cluster function first. Cluster configuration includes:

  Enable/Disable cluster function
  Enter cluster view
  Configure cluster IP address pool
  Name the administrator device and cluster
  Add/delete a cluster member device
  Set up a cluster automatically
  Member accessing
  Set cluster holdtime
  Set cluster timer to specify the handshaking message interval
  Configure FTP/TFTP servers and logging/SNMP hosts for a cluster

Note: The cluster function must be enabled and the cluster parameters configured on the administrator device. On member devices and candidate devices, you only have to enable the cluster function.

2.4.2 Enable/Disable Cluster Function
Enable the cluster function before using it. Perform the following configuration in system view.

Table 2-13 Enable/Disable cluster function

  Operation                   Command
  Enable cluster function     cluster enable
  Disable cluster function    undo cluster enable

These commands can be used on any device that supports the cluster function. Executing undo cluster enable on an administrator device deletes the cluster and disables the cluster function on that device; executing it on a member device makes the device leave the cluster and disables the cluster function on it. By default, the cluster function is enabled.

2.4.3 Enter cluster view
You must enter cluster view before configuring the cluster function. Perform the following configuration in system view.

Table 2-14 Enter cluster view

  Operation            Command
  Enter cluster view   cluster


2.4.4 Configure Cluster IP Address Pool
Before setting up a cluster, configure a private IP address pool. When a candidate device is added, the administrator device dynamically assigns it a private IP address from this pool, which is used for communication inside the cluster; this is how the administrator device manages and maintains the member devices. Perform the following configuration in cluster view.

Table 2-15 Configure cluster IP address pool

  Operation                                            Command
  Configure cluster IP address pool                    ip-pool administrator-ip-address { ip-mask | ip-mask-length }
  Restore the default IP address pool of the cluster   undo ip-pool

The private IP address pool for the member devices must be configured on the administrator device before the cluster is built; the command is accepted only there. The IP address pool of an existing cluster cannot be modified.

2.4.5 Name Administrator device and Cluster
Every cluster has a name. Perform the following configuration in cluster view.

Table 2-16 Name the administrator device and cluster

  Operation                                                                                           Command
  Name the administrator device and cluster                                                           build name
  Remove all member devices from the cluster and make the administrator device a candidate device     undo build

This command can only be used on an administrator device. Executing it on an administrator device with a different cluster name renames the cluster. By default, the switch is not an administrator device and no cluster name is specified.


2.4.6 Add/Delete a Cluster Member device
Use the following commands to add or delete a member device. Perform the following configuration in cluster view.

Table 2-17 Add/Delete a cluster member device

  Operation                         Command
  Add a cluster member device       add-member [ member-num ] mac-address H-H-H [ password password ]
  Delete a cluster member device    delete-member member-num

Note that adding or deleting a member device must be performed on the administrator device; elsewhere the command is rejected with an error prompt. You need not assign a member number to a newly added device, because the administrator device assigns an available number automatically. When a switch is added to a cluster, the administrator device sets its own password as the password of that switch, which is what later allows the member to be configured from the administrator device (see Member Accessing).

2.4.7 Set up a Cluster Automatically
The system provides a cluster auto-setup function. On an administrator-capable device you can follow the prompts to set up a cluster step by step with the following command. After auto-build is executed, the system asks you for a cluster name and then lists the candidate devices discovered within the specified hops. You can confirm the operation and add all the listed candidates to the new cluster. During automatic setup you can press <CTRL+C> to cancel: the system stops adding switches to the cluster and exits the automatic setup process, but the switches already added are not removed. Perform the following configuration in cluster view.

Table 2-18 Automatic cluster setup

  Operation                         Command
  Set up a cluster automatically    auto-build [ recover ]

Note that this command can only be executed on an administrator-capable device.


2.4.8 Set Cluster Holdtime
After a cluster is set up, a communication fault may occur because of a network problem or a switch reset. If the fault is not cleared before the holdtime configured on the switch expires, the member's state goes down; when communication is restored, such a member has to join the cluster again (this happens automatically). If the fault is cleared within the holdtime, the member stays in the normal state and does not need to rejoin. Perform the following configuration in cluster view.

Table 2-19 Set cluster holdtime

  Operation                              Command
  Set cluster holdtime                   holdtime seconds
  Restore the default cluster holdtime   undo holdtime

Note that this command can only be executed on the administrator device, which advertises the holdtime value to the member devices. By default, the cluster holdtime is 60 seconds.

2.4.9 Set Cluster Timer to Specify the Handshaking Message Interval
The member devices and the administrator device exchange handshake messages to communicate in real time. The administrator device monitors member states and link states inside the cluster through periodic handshakes with the members; after joining the cluster, a member device starts handshaking with the administrator device regularly. Either side considers the communication normal as long as it keeps receiving handshake messages, and considers it failed if it has not received a handshake message for three consecutive intervals. In addition, the member devices report topology changes to the administrator device in handshake messages for processing. Use the following command to set the handshake message interval on the administrator device. Perform the following configuration in cluster view.

Table 2-20 Set cluster timer to specify the handshaking message interval

  Operation                                                       Command
  Set cluster timer to specify the handshaking message interval   timer interval
  Restore the default handshaking message interval                undo timer

Note that this command can only be executed on the administrator device, which advertises the cluster timer value to the member devices. By default, a handshake message is transmitted every 10 seconds.

2.4.10 Configure Remote Control over the Member device
Communication between the administrator device and a member device may be interrupted by configuration errors. If a member device cannot be controlled in the regular way, you can use the remote control function provided by the administrator device, for example to delete the member's boot configuration file and reset it.

Normally, cluster packets are forwarded over VLAN 1 only. If, through a configuration error, the member port connected to the administrator device is moved to VLAN 2, the member device and the administrator device can no longer communicate. To recover from this, configure VLAN check on the administrator device: the VLAN configuration is then carried in the cluster packets, and a member device automatically adds the port on which it receives such packets to VLAN 1 if the port does not already belong to it, so that normal communication between the administrator device and the member device is restored. Perform the following configuration in cluster view.

Table 2-21 Configure remote control over the member device

  Operation                                                         Command
  Reset member device                                               reboot member { member-num | mac-address H-H-H } [ eraseflash ]
  Configure VLAN check for communication inside the cluster         port-tagged vlan vlanid
  Configure no VLAN check for communication inside the cluster      undo port-tagged

Note that the above command can only be executed on the administrator device.


With the reboot member command, the eraseflash parameter decides whether the member's configuration file is deleted before the reset; without it, the member reboots with its configuration intact.

2.4.11 Configure the Cluster Server and Network Management and Log Hosts
After a cluster is set up, you can configure the servers, the network management host and the log host for the entire cluster on the administrator device. A member device reaches the configured servers through the administrator device. All cluster members ultimately output their log information to the configured log host: a member sends its log information directly to the administrator device, which translates the addresses and sends the log packets on to the cluster log host. Likewise, all trap packets are output to the cluster NM host. Use the following commands to configure the cluster servers and the network management and log hosts. Perform the following configuration in cluster view.

Table 2-22 Configure FTP/TFTP Servers and Logging/SNMP Hosts for a Cluster

  Operation                                          Command
  Configure the FTP server for the whole cluster     ftp-server ip-address
  Remove the FTP server from the cluster             undo ftp-server
  Configure the TFTP server for the whole cluster    tftp-server ip-address
  Remove the TFTP server from the cluster            undo tftp-server
  Configure the logging host for the whole cluster   logging-host ip-address
  Remove the logging host from the cluster           undo logging-host
  Configure the SNMP host for the whole cluster      snmp-host ip-address
  Remove the SNMP host from the cluster              undo snmp-host

Note that these commands can only be executed on the administrator device.

2.4.12 Member Accessing
A member device in a cluster can be managed through the administrator device: you configure a specified member device from the administrator device by entering that member's view on the administrator device, and exit the view after configuration. Authorization is required to configure a switch from the administrator device, and the configuration is allowed only after the member device's authorization succeeds; if the member device's user password differs from the administrator device's, you cannot configure the member device. The user level is inherited from the administrator device when you configure the member device on it. For example, the system remains in user view when you switch to the member device from the administrator device. Authorization is also required when you exit the member device view on the administrator device; after it succeeds, the system enters user view automatically. Perform the following configuration in user view.

Table 2-23 Member accessing

  Operation          Command
  Member accessing   cluster switch-to { member-num | mac-address H-H-H | administrator }

Note that when the command is executed on the administrator device with the member-num parameter omitted, an error message is displayed. Enter quit to stop the switchover operation.

2.4.13 Display and Debug Cluster
After the above configuration, execute the display commands in any view to display the running cluster configuration and verify the effect of the configuration.

Table 2-24 Display and Debug Cluster

  Operation                                       Command
  Display cluster state and statistics            display cluster
  Display the information of candidate devices    display cluster candidates [ mac-address H-H-H | verbose ]
  Display the information about member devices    display cluster members [ member-num | verbose ]

2.5 HGMP V2 Configuration Example
I. Network requirements
Set up a cluster of three switches and configure an administrator device to manage the other two members. The administrator device is connected to the members via Ethernet0/1 and Ethernet0/2 respectively, and to the external network via Ethernet1/1, which carries VLAN 2 with IP address 163.172.55.1. The entire cluster uses the same FTP server and TFTP server at 63.172.55.1 and the same NM station and log host at 69.172.55.4.


II. Networking diagram

[Figure 2-3 (diagram): the administrator device reaches the network through Ethernet1/1 (VLAN interface 2, IP address 163.172.55.1); on that network sit the FTP/TFTP server 63.172.55.1 and the SNMP/logging host 69.172.55.4. The administrator device's Ethernet0/1 and Ethernet0/2 connect to the Ethernet1/1 port of each member device; the members have MAC addresses 00e0-fc01-0011 and 00e0-fc01-0012.]

Figure 2-3 HGMP networking

III. Configuration procedure
1) Configure the administrator device

# Enable global NDP on the device and on ports Ethernet0/1 and Ethernet0/2.
[Quidway] ndp enable
[Quidway] interface ethernet 0/1
[Quidway-Ethernet0/1] ndp enable
[Quidway-Ethernet0/1] interface ethernet 0/2
[Quidway-Ethernet0/2] ndp enable
[Quidway-Ethernet0/2] quit
# Hold NDP information for 200 seconds.
[Quidway] ndp timer aging 200
# Send an NDP packet every 70 seconds.
[Quidway] ndp timer hello 70
# Enable NTDP on the device and on ports Ethernet0/1 and Ethernet0/2.
[Quidway] ntdp enable
[Quidway] interface ethernet 0/1
[Quidway-Ethernet0/1] ntdp enable
[Quidway-Ethernet0/1] interface ethernet 0/2

[Quidway-Ethernet0/2] ntdp enable
[Quidway-Ethernet0/2] quit
# Collect topology information within 2 hops.
[Quidway] ntdp hop 2
# A collected device delays 150 milliseconds before forwarding a topology collection request.
[Quidway] ntdp timer hop-delay 150
# Each port of a collected device delays 15 milliseconds before forwarding a topology collection request.
[Quidway] ntdp timer port-delay 15
# Collect topology information every 3 minutes.
[Quidway] ntdp timer 3
# Enable the cluster function.
[Quidway] cluster enable
# Configure the internal IP address pool for the cluster: 8 addresses starting from 172.16.0.1.
[Quidway] cluster
[Quidway-cluster] ip-pool 172.16.0.1 255.255.255.248
# Set up a cluster and name it.
[Quidway-cluster] build huawei
[huawei_0.Quidway-cluster]
# Add the two connected switches to the cluster.
[huawei_0.Quidway-cluster] add-member 1 mac-address 00e0-fc01-0011
[huawei_0.Quidway-cluster] add-member 17 mac-address 00e0-fc01-0012
# Hold member information for 100 seconds and handshake every 10 seconds.
[huawei_0.Quidway-cluster] holdtime 100
[huawei_0.Quidway-cluster] timer 10
# Configure the FTP server, TFTP server, logging host and SNMP host for the cluster.
[huawei_0.Quidway-cluster] ftp-server 63.172.55.1
[huawei_0.Quidway-cluster] tftp-server 63.172.55.1

[huawei_0.Quidway-cluster] logging-host 69.172.55.4
[huawei_0.Quidway-cluster] snmp-host 69.172.55.4
2) Configure a member device (taking one of the members as an example).

# Enable NDP on the device and on port Ethernet1/1.
[Quidway] ndp enable
[Quidway] interface ethernet 1/1
[Quidway-Ethernet1/1] ndp enable
[Quidway-Ethernet1/1] quit
# Enable NTDP on the device and on port Ethernet1/1.
[Quidway] ntdp enable
[Quidway] interface ethernet 1/1
[Quidway-Ethernet1/1] ntdp enable
[Quidway-Ethernet1/1] quit
# Enable the cluster function.
[Quidway] cluster enable

Note: After the above configuration, you can use the cluster switch-to { member-num | mac-address H-H-H } command to switch to the member device view to maintain and manage the member devices, and the cluster switch-to administrator command to return to the administrator device view. To reset a member device through the administrator device, use the reboot member { member-num | mac-address H-H-H } [ eraseflash ] command. For details on these commands, refer to the preceding sections of this chapter.


HUAWEI

Quidway S3500 Series Ethernet Switches Operation Manual

9. STP

Operation Manual - STP Quidway S3500 Series Ethernet Switches

Table of Contents

Chapter 1 RSTP Configuration  1-1
1.1 STP Overview  1-1
1.1.1 Function of STP  1-1
1.1.2 Implement STP  1-1
1.1.3 Implement RSTP on Ethernet Switch  1-7
1.2 Configure RSTP  1-7
1.2.1 Enable/Disable RSTP on a Switch  1-8
1.2.2 Enable/Disable RSTP on a Port  1-8
1.2.3 Configure RSTP Operating Mode  1-9
1.2.4 Set Priority of a Specified Bridge  1-9
1.2.5 Specify the Switch as Primary or Secondary Root Switch  1-10
1.2.6 Set Forward Delay of a Specified Bridge  1-11
1.2.7 Set Hello Time of the Specified Bridge  1-12
1.2.8 Set Max Age of the Specified Bridge  1-12
1.2.9 Set Timeout Factor of the Bridge  1-13
1.2.10 Set the Maximum Transmission Speed of the Specified Port  1-13
1.2.11 Set Specified Port to be an EdgePort  1-14
1.2.12 Set Path Cost of the Specified Port  1-14
1.2.13 Set the Priority of a Specified Port  1-15
1.2.14 Configure a Specified Port to be Connected to Point-to-Point Link  1-15
1.2.15 Set mCheck of the Specified Port  1-16
1.2.16 Configure the Switch Security Function  1-17
1.3 Display and Debug RSTP  1-18
1.4 RSTP Configuration Example  1-18
Chapter 2 MSTP Region-configuration  2-1
2.1 MSTP Overview  2-1
2.1.1 MSTP Concepts  2-1
2.1.2 MSTP Principles  2-4
2.2 Configure MSTP  2-10
2.2.1 Configure the MST Region for a Switch  2-11
2.2.2 Specify the Switch as Primary or Secondary Root Switch  2-12
2.2.3 Configure the MSTP Running Mode  2-14
2.2.4 Configure the Bridge Priority for a Switch  2-14
2.2.5 Configure the Max Hops in an MST Region  2-15
2.2.6 Configure the Switching Network Diameter  2-16
2.2.7 Configure the Time Parameters of a Switch  2-16
2.2.8 Configure the Max Transmission Speed on a Port  2-18
2.2.9 Configure a Port as an Edge Port  2-19
2.2.10 Configure the Path Cost of a Port  2-20
2.2.11 Configure the Priority of a Port  2-21
2.2.12 Configure the Port (not) to Connect with the Point-to-Point Link  2-22
2.2.13 Configure the mCheck Variable of a Port  2-23
2.2.14 Configure the Switch Security Function  2-24
2.2.15 Enable MSTP on the Device  2-25
2.2.16 Enable/Disable MSTP on a Port  2-26
2.3 Display and Debug MSTP  2-26


Chapter 1 RSTP Configuration
1.1 STP Overview
1.1.1 Function of STP
Spanning Tree Protocol (STP) is applied in a looped network to block certain redundant paths by algorithm and prune the network into a loop-free tree, thereby avoiding the proliferation and endless circulation of packets in the loop.

1.1.2 Implement STP
The fundamental principle of STP is that the switches exchange a special kind of protocol packet, called a configuration Bridge Protocol Data Unit (BPDU) in IEEE 802.1D, to decide the topology of the network. The configuration BPDU carries enough information for the switches to compute the spanning tree. It mainly contains:

  1) The root ID, consisting of the root priority and MAC address
  2) The cost of the shortest path to the root
  3) The designated switch ID, consisting of the designated switch priority and MAC address
  4) The designated port ID, consisting of the port priority and port number
  5) The age of the configuration BPDU: MessageAge
  6) The maximum age of the configuration BPDU: MaxAge
  7) The configuration BPDU interval: HelloTime
  8) The forward delay of the port: ForwardDelay

What are the designated switch and designated port?

[Figure 1-1 (diagram): Switch A with ports AP1 and AP2, Switch B with ports BP1 and BP2, Switch C with ports CP1 and CP2; Switch B and Switch C are attached to a LAN segment.]

Figure 1-1 Designated switch and designated port

For a switch, the designated switch is the switch in charge of forwarding packets to the local switch, via a port called the designated port. For a LAN, the designated switch is the switch in charge of forwarding packets to that network segment, again via a port called the designated port. As illustrated in Figure 1-1, Switch A forwards data to Switch B via port AP1, so for Switch B the designated switch is Switch A and the designated port is AP1. Switch B and Switch C are both connected to the LAN, and Switch B forwards packets to the LAN, so the designated switch of the LAN is Switch B and the designated port is BP2.

Note: AP1, AP2, BP1, BP2, CP1 and CP2 denote the ports of Switch A, Switch B and Switch C respectively.

The calculation process of the STP algorithm is illustrated by the following example, using the network shown in Figure 1-2.

[Figure 1-2 (diagram): Switch A (priority 0) with ports AP1 and AP2, Switch B (priority 1) with ports BP1 and BP2, Switch C (priority 2) with ports CP1 and CP2; the three links between them carry path costs 5, 10 and 4.]

Figure 1-2 Ethernet switch networking

To simplify the description, only the first four fields of the configuration BPDU are used in the example: the root ID (expressed as the Ethernet switch priority), the path cost to the root, the designated switch ID (expressed as the Ethernet switch priority) and the designated port ID (expressed as the port number). As illustrated in the figure, the priorities of Switch A, B and C are 0, 1 and 2, and the path costs of their links are 5, 10 and 4 respectively.

1) Initial state

When initialized, each port of every switch generates a configuration BPDU that takes the switch itself as the root, with root path cost 0, the designated switch ID equal to its own switch ID and the designated port equal to the port itself.

  Switch A:
    Configuration BPDU of AP1: {0, 0, 0, AP1}
    Configuration BPDU of AP2: {0, 0, 0, AP2}
  Switch B:
    Configuration BPDU of BP1: {1, 0, 1, BP1}
    Configuration BPDU of BP2: {1, 0, 1, BP2}
  Switch C:
    Configuration BPDU of CP1: {2, 0, 2, CP1}
    Configuration BPDU of CP2: {2, 0, 2, CP2}

2) Select the optimum configuration BPDU

Every switch transmits its configuration BPDUs to the others. When a port receives a configuration BPDU with a lower priority than its own, it discards the message and keeps the local BPDU unchanged. When a higher-priority configuration BPDU is

1-3

Operation Manual - STP Quidway S3500 Series Ethernet Switches

Chapter 1 RSTP Configuration

received, the local BPDU is updated. And the optimum configuration BPDU will be elected through comparing the configuration BPDUs of all the ports. The comparison rules are: The configuration BPDU with a smaller root ID has a higher priority f the root IDs are the same, perform the comparison based on root path costs. The cost comparison is as follows: the path cost to the root recorded in the configuration BPDU plus the corresponding path cost of the local port is set as S, the configuration BPDU with a smaller S has a higher priority. If the costs of path to the root are also the same, compare in sequence the designated switch ID, designated port ID and the ID of the port via which the configuration BPDU was received. In summary, we assume that the optimum BPDU can be selected through root ID comparison in the example. 11) Specify the root port, block the redundancy link and update the configuration BPDU of the designated port. The port receiving the optimum configuration BPDU is designated to be the root port, whose configuration BPDU remains the same. Any other port, whose configuration BPDU has been updated in the step Select the optimum configuration BPDU, will be blocked and will not forward any data, in addition, it will only receive but not transmit BPDU and its BPDU remains the same. The port, whose BPDU has not been updated in the step Select the optimum configuration BPDU will be the designated port. Its configuration BPDU will be modified as follows: substituting the root ID with the root ID in the configuration BPDU of the root port, the cost of path to root with the value made by the root path cost plus the path cost corresponding to the root port, the designated switch ID with the local switch ID and the designated port ID with the local port ID. The comparison process of each switch is as follows. 
Switch A:
AP1 receives the configuration BPDU from Switch B and finds that the local configuration BPDU has a higher priority than the received one, so it discards the received configuration BPDU. The configuration BPDU received on AP2 is processed in a similar way. Thus Switch A finds itself to be the root and the designated switch in the configuration BPDU of every port; it regards itself as the root, retains the configuration BPDU of each port and transmits configuration BPDUs to the others regularly thereafter. By now, the configuration BPDUs of the two ports are as follows:
Configuration BPDU of AP1: {0, 0, 0, AP1}
Configuration BPDU of AP2: {0, 0, 0, AP2}

Switch B:
BP1 receives the configuration BPDU from Switch A and finds that the received BPDU has a higher priority than the local one, so it updates its configuration BPDU. BP2 receives the configuration BPDU from Switch C and finds that the local BPDU has a higher priority than the received one, so it discards the received BPDU. By now the configuration BPDUs of the ports are as follows:
Configuration BPDU of BP1: {0, 0, 0, AP1}
Configuration BPDU of BP2: {1, 0, 1, BP2}
Switch B compares the configuration BPDUs of its ports and selects the BP1 BPDU as the optimum one. Thus BP1 is elected as the root port and the configuration BPDUs of the Switch B ports are updated as follows. The configuration BPDU of the root port BP1 is retained as {0, 0, 0, BP1}. BP2 updates its root ID with that in the optimum configuration BPDU, sets the path cost to the root to 5, sets the designated switch ID to the local switch ID and the designated port ID to the local port ID; thus its configuration BPDU becomes {0, 5, 1, BP2}. Then all the designated ports of Switch B transmit their configuration BPDUs regularly.

Switch C:
CP2 receives from BP2 of Switch B the configuration BPDU {1, 0, 1, BP2}, which has not yet been updated, and launches the updating process; its configuration BPDU becomes {1, 0, 1, BP2}. CP1 receives the configuration BPDU {0, 0, 0, AP2} from Switch A and Switch C launches the updating; the configuration BPDU is updated to {0, 0, 0, AP2}. By comparison, the CP1 configuration BPDU is elected as the optimum one. CP1 is thus specified as the root port with no modifications made to its configuration BPDU. CP2, however, is blocked and its BPDU also remains the same, but it does not receive the data (excluding STP packets) forwarded from Switch B until the spanning tree calculation is launched again by some new event, for example the link from Switch B to Switch C going down or the port receiving a better configuration BPDU. CP2 then receives the updated configuration BPDU {0, 5, 1, BP2} from Switch B. Since this configuration BPDU is better than the old one, the old BPDU is updated to {0, 5, 1, BP2}. Meanwhile, CP1 receives the configuration BPDU from Switch A but its configuration BPDU is not updated and retains {0, 0, 0, AP2}. By comparison, the configuration BPDU of CP2 is elected as the optimum one, so CP2 is elected as the root port and its BPDU does not change, while CP1 is blocked and retains its BPDU, but it does not receive the data forwarded from Switch A until the spanning tree calculation is triggered again by some change, for example the link from Switch B to Switch C going down.
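The election walked through above, as an added example that is not part of the manual and not the switch's own implementation: a Python replay of the comparison rules on the Figure 1-2 topology, which is constructed here from the text (priorities A = 0, B = 1, C = 2; link costs AP1-BP1 = 5, AP2-CP1 = 10, BP2-CP2 = 4). It also applies one standard STP rule the narration glosses over: a port holding a BPDU that is worse than what its own switch would now send becomes a designated port instead of staying blocked. The end state is the one the text reaches: Switch A is root, BP1 and CP2 are root ports, CP1 is blocked, and BP2 advertises {0, 5, 1, BP2}.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# A configuration BPDU reduced to the four fields the example uses:
# (root ID, root path cost, designated switch ID, designated port ID).
# Switch IDs are the priorities from Figure 1-2; port IDs are the port names.
# Python compares tuples left to right, so "a < b" is exactly the manual's
# rule: smaller root ID wins, then smaller cost, then smaller switch ID,
# then smaller port ID.
BPDU = Tuple[int, int, int, str]

# Constructed topology, taken from Figure 1-2 and the narrative (assumption):
# priorities A = 0, B = 1, C = 2; link costs AP1-BP1 = 5, AP2-CP1 = 10, BP2-CP2 = 4.
PRIORITY = {"A": 0, "B": 1, "C": 2}
LINKS = {("AP1", "BP1"): 5, ("AP2", "CP1"): 10, ("BP2", "CP2"): 4}


@dataclass
class Port:
    name: str
    switch: str          # owning switch: "A", "B" or "C"
    peer: str            # port at the other end of the link
    link_cost: int       # path cost of the attached link
    bpdu: BPDU           # configuration BPDU currently held by the port
    role: str = "designated"   # designated | root | blocked


def build_ports() -> Dict[str, Port]:
    """Initial state: every port holds a BPDU naming its own switch as root."""
    ports: Dict[str, Port] = {}
    for (a, b), cost in LINKS.items():
        for name, peer in ((a, b), (b, a)):
            sw = name[0]
            ports[name] = Port(name, sw, peer, cost, (PRIORITY[sw], 0, PRIORITY[sw], name))
    return ports


def s_key(p: Port) -> Tuple[int, int, int, str, str]:
    """Key for choosing the optimum BPDU on a switch: recorded root path cost
    plus the local port's link cost is the manual's S; the receiving port
    name is the final tie-breaker."""
    root, cost, dsw, dport = p.bpdu
    return (root, cost + p.link_cost, dsw, dport, p.name)


def run_stp(ports: Dict[str, Port], max_rounds: int = 20) -> Dict[str, Port]:
    """Iterate the manual's two steps until no port changes BPDU or role."""
    for _ in range(max_rounds):
        before = {n: (p.bpdu, p.role) for n, p in ports.items()}

        # Step "Select the optimum configuration BPDU": only designated ports
        # transmit; a receiver keeps the better of the received and local BPDU.
        sent = {p.name: p.bpdu for p in ports.values() if p.role == "designated"}
        for p in ports.values():
            incoming = sent.get(p.peer)
            if incoming is not None and incoming < p.bpdu:
                p.bpdu = incoming

        # Step "Specify the root port, block the redundant link and update the
        # designated ports": performed independently on each switch.
        for sw, my_id in PRIORITY.items():
            mine = [p for p in ports.values() if p.switch == sw]
            # Ports holding a BPDU generated by another switch are root-port candidates.
            received = [p for p in mine if p.bpdu[2] != my_id]
            if not received:
                # No better BPDU seen: this switch is the root, all ports designated.
                for p in mine:
                    p.role, p.bpdu = "designated", (my_id, 0, my_id, p.name)
                continue
            root_port = min(received, key=s_key)
            root_id, root_path_cost = s_key(root_port)[:2]
            root_port.role = "root"          # the root port keeps the BPDU it received
            for p in mine:
                if p is root_port:
                    continue
                own = (root_id, root_path_cost, my_id, p.name)
                # A port whose held BPDU is worse than what this switch would send
                # is designated; otherwise it is blocked and keeps the received BPDU.
                if p.bpdu[2] == my_id or own < p.bpdu:
                    p.role, p.bpdu = "designated", own
                else:
                    p.role = "blocked"

        after = {n: (p.bpdu, p.role) for n, p in ports.items()}
        if after == before:
            break
    return ports


def final_roles() -> Dict[str, str]:
    return {n: p.role for n, p in run_stp(build_ports()).items()}


def final_bpdus() -> Dict[str, BPDU]:
    return {n: p.bpdu for n, p in run_stp(build_ports()).items()}


if __name__ == "__main__":
    for name, p in sorted(run_stp(build_ports()).items()):
        print(f"{name}: role={p.role:10s} bpdu={p.bpdu}")
```

Running the block prints one line per port; the convergence takes two rounds of BPDU exchange, the second being the one in which CP2 learns the cheaper path {0, 5, 1, BP2} via Switch B and CP1 is blocked.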


Thus the spanning tree is stabilized. The tree with the root Switch A is illustrated in Figure 1-3 below.
[Figure 1-3 residue: the stabilized tree rooted at Switch A (priority 0); AP1-BP1 (cost 5) to Switch B (priority 1), BP2-CP2 (cost 4) to Switch C (priority 2); the AP2-CP1 link does not appear in the tree.]

Figure 1-3 The final stabilized spanning tree

To facilitate the descriptions, the example is simplified. For example, in actual calculation the root ID and the designated switch ID each comprise both the switch priority and the switch MAC address, and the designated port ID comprises the port priority and the port MAC address. In the updating process of a configuration BPDU, the fields other than the first four items are also modified according to certain rules. The basic calculation process is described below.

Configuration BPDU forwarding mechanism in STP: upon the initiation of the network, all the switches regard themselves as the root. The designated ports send the configuration BPDUs of their local ports at a regular interval of Hello Time. If it is the root port that receives the configuration BPDU, the switch enables a timer to age the configuration BPDU and increases the MessageAge carried in the configuration BPDU according to certain rules. If a path goes wrong, the root port on this path no longer receives configuration BPDUs and the old configuration BPDUs are discarded due to timeout. Hence, recalculation of the spanning tree is initiated to generate a new path to replace the failed one and thus restore network connectivity. However, the newly recalculated configuration BPDU is not propagated throughout the network right away, so the old root ports and designated ports that have not yet detected the topology change still forward data through the old path. If the new root port and designated port began to forward data immediately after being elected, an occasional loop could still occur. In RSTP, a transitional state mechanism is therefore adopted to ensure that the new configuration BPDU has been propagated throughout the network before the root port and designated port begin to send data again. That is, the root port and designated port undergo a transitional state for a period of Forward Delay before they enter the forwarding state.

1-6

Operation Manual - STP Quidway S3500 Series Ethernet Switches

Chapter 1 RSTP Configuration

1.1.3 Implement RSTP on Ethernet Switch
The Ethernet Switch implements the Rapid Spanning Tree Protocol (RSTP), an enhancement of STP. The Forward Delay for the root ports and designated ports to enter the forwarding state is greatly reduced under certain conditions, thereby shortening the time needed to stabilize the network topology.

To achieve rapid transition of the root port state, the following requirement must be met: the old root port on this switch has stopped forwarding data and the designated port upstream has begun forwarding data.

The conditions for rapid state transition of the designated port are:
The port is an edge port that does not connect with any switch directly or indirectly. If the designated port is an edge port, it can switch to the forwarding state directly without immediately forwarding data.
The port is connected to a point-to-point link, that is, it is the master port of an aggregation group or a full-duplex port. It is feasible to configure a point-to-point connection manually; however, errors may occur and therefore this configuration is not recommended. If the designated port is connected to a point-to-point link, it can enter the forwarding state right after handshaking with the downstream switch and receiving the response.

The switch that uses RSTP is compatible with a switch using STP. Both kinds of protocol packets can be identified by the switch running RSTP and used in spanning tree calculation.

Note: RSTP is a single spanning tree protocol: a switching network has only one spanning tree. To guarantee normal communication inside a VLAN, the devices of a VLAN must have routes to one another on the spanning tree; otherwise, communication inside the VLAN will be affected if some links inside the VLAN are blocked. For a VLAN that cannot be arranged along the spanning tree paths because of special requirements, you have to disable RSTP on the switch ports corresponding to the VLAN.

1.2 Configure RSTP
RSTP configuration includes:
Enable/Disable RSTP on the switch
Enable/Disable RSTP on the port
Configure RSTP operating mode
Set priority of a specified bridge
Set Forward Delay of a specified bridge
Set Hello Time of the specified bridge
Set Max Age of the specified bridge
Set the maximum transmission speed of the specified port
Set specified port as the EdgePort
Set path cost of the specified port
Set the priority of a specified port
Configure a specified port to be connected to a point-to-point link
Set mCheck of the specified port

Among the above-mentioned tasks, only the steps of enabling STP on the switch and enabling STP on the port are required. For the other tasks, if you do not configure them, the system uses the default settings. Before enabling the spanning tree, the relevant parameters of the Ethernet ports or the device can be configured. After the spanning tree is disabled, these configuration parameters are retained and become functional again when the spanning tree is re-enabled.

1.2.1 Enable/Disable RSTP on a Switch
You can use the following command to enable RSTP on the switch. Perform the following configurations in system view.

Table 1-1 Enable/Disable RSTP on a device

Operation                            Command
Enable/Disable RSTP on a device      stp { enable | disable }
Restore RSTP to the default value    undo stp

Only after RSTP is enabled on the switch can the other configurations take effect. Note that some network resources will be occupied after RSTP is enabled. By default, RSTP is disabled.

1.2.2 Enable/Disable RSTP on a Port
You can use the following command to enable/disable RSTP on a designated port. To control RSTP operations flexibly, after RSTP is enabled on the Ethernet ports of the switch it can be disabled again on individual ports to prevent them from participating in the spanning tree calculation. Perform the following configurations in Ethernet port view.


Table 1-2 Enable/Disable RSTP on a port

Operation                          Command
Enable RSTP on a specified port    stp enable
Disable RSTP on a specified port   stp disable

Note that a redundant route may be generated after RSTP is disabled on an Ethernet port. By default, RSTP is enabled on all the ports once it is enabled on the switch.

1.2.3 Configure RSTP Operating Mode
RSTP can run in RSTP mode or STP-compatible mode. RSTP mode is used when all the network devices run RSTP, while STP-compatible mode is used when both STP and RSTP run on the network. You can use the following command to set the RSTP operating mode. Perform the following configurations in system view.

Table 1-3 Set RSTP operating mode

Operation                                             Command
Configure to run RSTP in STP-compatible/RSTP mode     stp mode { stp | rstp }
Restore the default RSTP mode                         undo stp mode

Normally, if there is a bridge running STP in the switching network, the port (on the switch running RSTP) that connects to a port on the switch running STP can automatically switch from RSTP mode to STP-compatible mode. By default, RSTP runs in RSTP mode.

1.2.4 Set Priority of a Specified Bridge
Whether a bridge can be selected as the “root” of the spanning tree depends on its priority. By assigning a lower priority, a bridge can be artificially specified as the root of the spanning tree. You can use the following command to configure the priority of a specified bridge. Perform the following configurations in system view.


Table 1-4 Set priority of a specified bridge

Operation                                        Command
Set priority of a specified bridge               stp priority bridge-priority
Restore the default priority of specified bridge undo stp priority

Note that if the priorities of all the bridges in the switching network are the same, the bridge with the smallest MAC address will be selected as the “root”. When RSTP is enabled, an assignment of a priority to the bridge will lead to recalculation of the spanning tree. By default, the priority of the bridge is 32768.

1.2.5 Specify the Switch as Primary or Secondary Root Switch
RSTP can determine the spanning tree root through calculation. You can also specify the current switch as the root using this command. You can use the following commands to specify the current switch as the primary or secondary root of the spanning tree. Perform the following configuration in system view.

Table 1-5 Specify the switch as primary or secondary root switch

Operation                                                                      Command
Specify the current switch as the primary root switch of the spanning tree     stp root primary
Specify the current switch as the secondary root switch of the spanning tree   stp root secondary
Disqualify the current switch as the primary or secondary root                 undo stp root

After a switch is configured as the primary or secondary root switch, the user cannot modify the bridge priority of the switch. A switch can be either a primary or a secondary root bridge, but not both. If the primary root of a spanning tree instance is down or powered off, the secondary root takes its place unless you configure a new primary root. Of two or more configured secondary root switches, RSTP selects the one with the smallest MAC address to take the place of the failed primary root.


Note: To configure a switch as the root of the spanning tree instance, you can specify its priority as 0 or simply set it as the root using the command. It is not necessary to specify two or more roots for an STI; in other words, do not specify the root for an STI on two or more switches. You can configure more than one secondary root for a spanning tree by specifying the secondary STI root on two or more switches. Generally, it is recommended to designate one primary root and more than one secondary root for a spanning tree.

By default, a switch is neither the primary root nor the secondary root of the spanning tree.

1.2.6 Set Forward Delay of a Specified Bridge
Link failure will cause recalculation of the spanning tree and change its structure. However, the newly calculated configuration BPDU cannot be propagated throughout the network immediately. If the newly selected root port and designated port begin to forward data frames right away, an occasional loop can be caused. Accordingly, the protocol adopts a state transition mechanism, that is, the root port and the designated port must undergo a transition state for a period of Forward Delay before they transition to the forwarding state and resume data frame forwarding. This delay ensures that the new configuration BPDU has been propagated throughout the network before data frame forwarding is resumed. You can use the following command to set the Forward Delay for a specified bridge. Perform the following configurations in system view.

Table 1-6 Set forward delay of a specified bridge

Operation                                             Command
Set Forward Delay of a specified bridge               stp timer forward-delay centiseconds
Restore the default Forward Delay of specified bridge undo stp timer forward-delay

Forward Delay of the bridge is related to the diameter of the switching network. As a rule, the larger the network diameter, the longer the Forward Delay. Note that if the Forward Delay is configured too short, occasional path redundancy may occur. If the Forward Delay is configured too long, restoring the network connection may take a long time. It is recommended to use the default setting. By default, the bridge Forward Delay is 15 seconds.


1.2.7 Set Hello Time of the Specified Bridge
A bridge transmits hello packets regularly to the adjacent bridges to check whether there is a link failure. You can use the following command to set the Hello Time of a specified bridge. Perform the following configurations in system view.

Table 1-7 Set Hello Time of the specified bridge

Operation                                             Command
Set Hello Time of the specified bridge                stp timer hello centiseconds
Restore the default Hello Time of the specified bridge undo stp timer hello

An appropriate Hello Time ensures that the bridge can detect link failures in the network in time without occupying too many network resources. If the Hello Time is too long, frame dropping on the link may be mistaken by the bridge for link failure, resulting in spanning tree recalculation. If the Hello Time is too short, the bridge sends configuration BPDUs frequently, unduly increasing the switch load and wasting network resources. By default, the Hello Time of the bridge is 2 seconds.

1.2.8 Set Max Age of the Specified Bridge
Max Age is the parameter used to judge whether a configuration BPDU has timed out. Users can configure it according to the actual network situation. You can use the following command to set the Max Age of a specified bridge. Perform the following configurations in system view.

Table 1-8 Set Max Age of the specified bridge

Operation                                           Command
Set Max Age of the specified bridge                 stp timer max-age centiseconds
Restore the default Max Age of the specified bridge undo stp timer max-age

If the Max Age is too short, the spanning tree may be recalculated frequently or network congestion may be misjudged as a link fault. On the other hand, too long a Max Age may leave the bridge unable to detect link failure in time and weaken the network's auto-sensing ability. It is recommended to use the default setting. By default, the bridge Max Age is 20 seconds.


1.2.9 Set Timeout Factor of the Bridge
A bridge transmits hello packets regularly to the adjacent bridges to check whether there is a link failure. Generally, if the switch does not receive RSTP packets from the upstream switch for 3 times the Hello Time, it decides that the upstream switch is dead and recalculates the network topology. In a stable network, such a recalculation may be triggered merely because the upstream switch is busy. In this case, the user can lengthen the timeout interval by defining the multiple of the Hello Time. You can use the following command to set the multiple of the Hello Time for a specified bridge. Perform the following configurations in system view.

Table 1-9 Set Timeout Factor of the Bridge

Operation                                               Command
Set the multiple value of hello time of a specified bridge stp timeout-factor number
Restore the default multiple value of hello time        undo stp timeout-factor

It is recommended to set the multiple to 5, 6 or 7 in a stable network. By default, the multiple of the Hello Time of the bridge is 3.

1.2.10 Set the Maximum Transmission Speed of the Specified Port
The maximum transmission speed of an Ethernet port is related to its physical state and the network structure. Users can configure it according to the actual network situation. You can use the following command to set the maximum transmission speed of the specified port. Perform the following configurations in Ethernet port view.

Table 1-10 Set the maximum transmission speed of the specified port

Operation                                                          Command
Set the maximum transmission speed of the specified port           stp transit-limit packetnum
Restore the default maximum transmission speed of the specified port undo stp transit-limit

If the maximum transmission speed on a port is too high, too many packets are transmitted per unit time, which occupies excessive network resources. It is recommended to use the default setting. By default, the maximum transmission speed is 3 (a counter value without unit) on all the Ethernet ports of the bridge.


1.2.11 Set Specified Port to be an EdgePort
An EdgePort is not connected to any switch directly or indirectly via the connected network. You can use the following command to set a specified port as an EdgePort. Perform the following configurations in Ethernet port view.

Table 1-11 Set specified port as the EdgePort

Operation                                                      Command
Set a specified port as an EdgePort or a non-EdgePort          stp edged-port { enable | disable }
Set the specified port as the non-EdgePort, as defaulted       undo stp edged-port

During recalculation of the spanning tree, an EdgePort can transfer to the forwarding state directly, reducing unnecessary transition time. If the current Ethernet port is not connected to any Ethernet port of another bridge, it should be set as an EdgePort. If a port connected to a port of another bridge is configured as an edge port, RSTP automatically detects this and reconfigures it as a non-EdgePort. If, after a topology change, a port configured as a non-EdgePort becomes an edge port and is not connected to any other port, it is recommended to configure it as an EdgePort manually, because RSTP cannot configure a non-EdgePort as an EdgePort automatically. Configure the port directly connected to a terminal as an EdgePort so that the port can transfer immediately to the forwarding state. By default, all the Ethernet ports are configured as non-EdgePorts.

1.2.12 Set Path Cost of the Specified Port
The path cost of an Ethernet port is related to the speed of the link connected to the port. You can use the following command to set the path cost of a specified port. Perform the following configurations in Ethernet port view.

Table 1-12 Set path cost of the specified port

Operation                                          Command
Set path cost of the specified port                stp cost cost
Restore the default path cost of the specified port undo stp cost


The path cost of an Ethernet port is related to its link speed. The higher the link speed, the lower the path cost should be configured. RSTP can automatically detect the link speed of the current Ethernet port and convert it to the corresponding path cost. Note that configuring the path cost of an Ethernet port causes recalculation of the spanning tree. It is recommended to use the default value and let RSTP calculate the path cost of the current Ethernet port. By default, the bridge derives the path cost of a port directly from the link speed.

1.2.13 Set the Priority of a Specified Port
The port priority is an important basis for deciding whether a port can be a root port. In the calculation of the spanning tree, the port with the highest priority is selected as the root port, assuming all other conditions are the same. You can use the following command to set the priority of a specified port. Perform the following configurations in Ethernet port view.

Table 1-13 Set the priority of a specified port

Operation                                          Command
Set the priority of a specified port               stp port priority port-priority
Restore the default priority of the specified port undo stp port priority

By setting the priority of an Ethernet port, you can put a specified Ethernet port into the final spanning tree. Generally, the lower the value is set, the higher priority the port has and the more likely it is for this Ethernet port to be included in the spanning tree. If all the Ethernet ports of the bridge adopt the same priority parameter value, then the priority of these ports depends on the Ethernet port index number. Note that changing the priority of Ethernet port will cause recalculation of the spanning tree. You can set the port priority at the time when setting up the networking requirements. By default, priorities of all the Ethernet ports are 128.

1.2.14 Configure a Specified Port to be Connected to Point-to-Point Link
Generally, a point-to-point link connects the switches. You can use the following command to configure a specified port to be connected to a point-to-point link. Perform the following configurations in Ethernet port view.


Table 1-14 Configure a specified port to be connected to a point-to-point link

Operation                                                                                               Command
Configure a specified port to be connected to a point-to-point link                                      stp point-to-point force-true
Configure a specified port not to be connected to a point-to-point link                                  stp point-to-point force-false
Configure RSTP to automatically detect if the port is connected to a point-to-point link                 stp point-to-point auto
Configure the port to be automatically detected if it is connected to a point-to-point link, as defaulted undo stp point-to-point

The two ports connected via a point-to-point link can enter the forwarding state rapidly by exchanging synchronization packets, so that unnecessary forwarding delay is reduced. If this parameter is configured in auto mode, RSTP automatically detects whether the current Ethernet port is connected to a point-to-point link. Note that, for an aggregated port, only the master port can be configured to connect to a point-to-point link. After auto-negotiation, a port working in full duplex can also be configured to connect to such a link. You can manually configure the active Ethernet port to connect to a point-to-point link; however, if the link is not a point-to-point link, the command may cause a system problem, and therefore it is recommended to use auto mode. By default, this parameter is configured to auto, namely auto mode.

1.2.15 Set mCheck of the Specified Port
Suppose some switches on a switching network run STP and others run RSTP. RSTP is STP-compatible. In a relatively stable network, even after the bridge running STP has been removed, the port of the switch running RSTP keeps working in STP-compatible mode. You can use the following command to manually make the port work in RSTP mode. This command can only be issued if the bridge runs RSTP in RSTP mode and has no effect in STP-compatible mode. You can use the following command to configure mCheck of a specified port. Perform the following configurations in Ethernet port view.

Table 1-15 Set mCheck of the specified port

Operation                          Command
Set mCheck of the specified port   stp mcheck

This command can be used when the bridge runs RSTP in RSTP mode, but it cannot be used when the bridge runs RSTP in STP-compatible mode.


1.2.16 Configure the Switch Security Function
An RSTP switch provides BPDU protection and Root protection functions.

On an access device, the access port is generally directly connected to a user terminal (e.g., a PC) or a file server, and the access port is set as an edge port to implement fast transition. When such a port receives a BPDU packet, the system automatically sets it as a non-edge port and recalculates the spanning tree, which causes the network topology to flap. In the normal case these ports never receive STP BPDUs; if someone forges BPDUs to attack the switch, the network will flap. The BPDU protection function is used against such a network attack.

In case of a configuration error or a malicious attack, the primary root may receive a BPDU with a higher priority and then lose its place, which causes erroneous network topology changes. Due to the erroneous change, traffic supposed to travel over a high-speed link may be pulled onto a low-speed link and congestion will occur on the network. The Root protection function is used against such a problem.

The root port and the other blocked ports maintain their state according to the BPDUs sent by the uplink switch. Once the link is blocked or encounters a faulty condition, the ports cannot receive BPDUs and the switch selects the root port again. In this case, the former root port turns into a designated port and the former blocked ports enter the forwarding state; as a result, a link loop is generated. The loop protection function controls the generation of such loops. After it is enabled, the root port cannot be changed and the blocked port stays in the "Discarding" state and does not forward packets, thus avoiding a link loop.

You can use the following commands to configure the security functions of the switch. Perform the following configuration in the corresponding views.

Table 1-16 Configure the switch security function

Operation                                                                            Command
Configure switch BPDU protection (from system view)                                  stp bpdu-protection
Restore the disabled BPDU protection state, as defaulted (from system view)          undo stp bpdu-protection
Configure switch Root protection (from Ethernet port view)                           stp root-protection
Restore the disabled Root protection state, as defaulted (from Ethernet port view)   undo stp root-protection
Configure switch loop protection function (from Ethernet port view)                  stp loop-protection
Restore the disabled loop protection state, as defaulted (from Ethernet port view)   undo stp loop-protection

After BPDU protection is configured, the switch uses RSTP to disable any edge port that receives a BPDU and notifies the network manager at the same time. Only the network manager can resume these ports.


A port configured with Root protection only plays the role of a designated port. Whenever such a port receives a higher-priority BPDU that would turn it into a non-designated port, it is set to the listening state and stops forwarding packets (as if the link to the port were disconnected). If the port has not received any higher-priority BPDU for a certain period of time thereafter, it resumes the normal state. When configuring a port, only one of loop protection, Root protection and edge port configuration can be effective at the same moment. By default, the switch does not enable loop protection, BPDU protection or Root protection. For detailed information about the configuration commands, refer to the Command Manual.
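To make the protection rules of this section concrete, here is an added Python model; it is not part of the manual and not the switch's implementation. It encodes the behaviour stated above (an edge port that sees a BPDU is either demoted or, with BPDU protection, disabled until an administrator resumes it; a root-protected designated port that sees a superior BPDU goes to listening instead of becoming a root port and recovers after a quiet period; at most one of edge, Root protection and loop protection may be effective on a port) and runs it over a constructed scenario. The port names, the current root BPDU and the 30-second recovery period are assumptions; the manual only says "a certain period of time".

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# BPDUs are the 4-tuples used throughout this chapter:
# (root ID, root path cost, designated switch ID, designated port ID).
# A smaller tuple is a higher-priority BPDU.
BPDU = Tuple[int, int, int, str]

# Assumed recovery period for a root-protected port (the manual gives no number).
ROOT_PROTECTION_RECOVERY_S = 30.0


@dataclass
class PortState:
    name: str
    edge: bool = False               # stp edged-port enable
    bpdu_protection: bool = False    # stp bpdu-protection (system view on the real switch)
    root_protection: bool = False    # stp root-protection (designated ports only)
    loop_protection: bool = False    # stp loop-protection
    state: str = "forwarding"        # forwarding | listening | disabled
    last_superior_at: float = -1.0   # time a superior BPDU was last seen
    events: List[str] = field(default_factory=list)


def config_conflict(port: PortState) -> bool:
    """Only one of loop protection, Root protection and edge-port configuration
    can be effective on a port at the same time."""
    return sum((port.edge, port.root_protection, port.loop_protection)) > 1


def receive_bpdu(port: PortState, received: BPDU, best_known: BPDU, now: float) -> str:
    """Apply the section's rules when `port` receives `received` while the
    switch's current best (root) BPDU is `best_known`. Returns the outcome."""
    if port.state == "disabled":
        return "port disabled, BPDU ignored"
    if port.edge:
        # Edge ports should never see BPDUs; one would otherwise demote the
        # port and make the spanning tree flap.
        if port.bpdu_protection:
            port.state = "disabled"
            return "bpdu-protection: edge port disabled, network manager notified"
        port.edge = False
        return "edge port demoted to non-edge port, spanning tree recalculated"
    if received < best_known:
        # A superior BPDU would turn this designated port into a root port.
        if port.root_protection:
            port.state = "listening"
            port.last_superior_at = now
            return "root-protection: superior BPDU ignored, port set to listening"
        return "superior BPDU accepted, root bridge changes"
    return "inferior BPDU discarded"


def tick(port: PortState, now: float) -> bool:
    """Periodic check: a root-protected port that has seen no superior BPDU
    for the recovery period returns to normal. Returns True if it recovered."""
    if (port.root_protection and port.state == "listening"
            and now - port.last_superior_at >= ROOT_PROTECTION_RECOVERY_S):
        port.state = "forwarding"
        return True
    return False


def demo() -> List[str]:
    """Constructed scenario: two access edge ports and two core designated
    ports each receive a BPDU claiming root priority 0, with and without
    protection. All names and values are made up for the illustration."""
    log: List[str] = []
    current_root: BPDU = (4096, 0, 4096, "GE1/1")   # assumed current root BPDU
    unexpected: BPDU = (0, 0, 0, "X1")              # constructed superior BPDU

    unprotected_edge = PortState("E0/10", edge=True)
    protected_edge = PortState("E0/11", edge=True, bpdu_protection=True)
    unprotected_core = PortState("E0/23")
    protected_core = PortState("E0/24", root_protection=True)

    for p in (unprotected_edge, protected_edge, unprotected_core, protected_core):
        log.append(f"{p.name}: {receive_bpdu(p, unexpected, current_root, now=0.0)}")
    # No further superior BPDUs: the root-protected port recovers on its own,
    # the disabled edge port does not (only the network manager can resume it).
    log.append(f"E0/24 recovered at t=31: {tick(protected_core, 31.0)}")
    log.append(f"E0/11 state at t=31: {protected_edge.state}")
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The asymmetry in the last two lines is the point a practitioner should take away: Root protection is self-healing once the offending BPDUs stop, whereas a BPDU-protected edge port stays down until someone looks at it, which is also what makes it a useful alert.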

1.3 Display and Debug RSTP
After the above configuration, execute the display command in any view to display the running RSTP configuration and verify the effect of the configuration. Execute the reset command in user view to clear the statistics of the RSTP module. Execute the debugging command in user view to debug the RSTP module.

Table 1-17 Display and Debug RSTP

Operation                                                                              Command
Display RSTP configuration information about the local switch and the specified ports  display stp [ interface interface-list ]
Clear RSTP statistics information                                                      reset stp [ interface interface-list ]
Enable RSTP (error/event/packet) debugging                                             debugging stp { error | event | packet }
Disable RSTP debugging                                                                 undo debugging stp { error | event | packet }

1.4 RSTP Configuration Example
I. Networking requirements
In the following scenario, Switch C serves as a standby of Switch B and forwards data when a fault occurs on Switch B. They are connected to each other with two links, so that, in case one of the links fails, the other one can still work normally. Switch D through Switch F are directly connected with the downstream user computers and are connected to Switch C and Switch B with uplink ports. You can configure RSTP on Switch B through Switch F to meet these requirements. Only the configurations related to RSTP are listed in the following procedure. Switch A is not involved in the spanning tree calculation. It is not necessary to configure RSTP on Switch A, so the configurations on it are not introduced hereafter. Switch D through Switch F are basically configured in the same way, so only the RSTP configuration on Switch D is introduced.

Note: Switch A can be a mid-range switch of Huawei, such as S5516 and S6500 Series Switches. Switch B and Switch C can be the low-end switches of Huawei, such as S3500 Series Switches. Switch D through Switch F can be the low-end switches of Huawei, such as S3000 Series, S2000 Series etc.

II. Networking diagram

Figure 1-4 RSTP configuration example (diagram not reproduced: Switch A is linked to Switch B and Switch C through GE1/1 ports; Switch B and Switch C are interconnected; Switch D, Switch E and Switch F are uplinked to Switch B and Switch C, with port labels E0/1, E0/2, E0/3, E0/23, E0/24, E1/1 and E2/1 on the links)

III. Configuration procedure
1) Configure Switch B

# Enable RSTP globally.
[Quidway] stp enable
# RSTP is enabled on the ports by default once global RSTP is enabled. You can disable RSTP on the ports that are not involved in the RSTP calculation; however, be careful not to disable the ports that are involved. (The following configuration takes Ethernet 0/4 as an example.)
[Quidway] interface ethernet 0/4
[Quidway-Ethernet0/4] stp disable


# To configure Switch B as the root, you can either set its Bridge priority to 0 or simply use the command that specifies it as the root.
2) Set the Bridge priority of Switch B to 0

[Quidway] stp priority 0
3) Designate Switch B as the root, using the following command.

[Quidway] stp root primary
# Enable the Root protection function on every designated port.
[Quidway] interface ethernet 0/1
[Quidway-Ethernet0/1] stp root-protection
[Quidway] interface ethernet 0/2
[Quidway-Ethernet0/2] stp root-protection
[Quidway] interface ethernet 0/2
[Quidway-Ethernet0/2] stp root-protection
# The RSTP operating mode, time parameters and port parameters take their default values.
4) Configure Switch C

# Enable RSTP globally.
[Quidway] stp enable
# RSTP is enabled on the ports by default once global RSTP is enabled. You can disable RSTP on the ports that are not involved in the RSTP calculation; however, be careful not to disable the ports that are involved. (The following configuration takes Ethernet 0/4 as an example.)
[Quidway] interface ethernet 0/4
[Quidway-Ethernet0/4] stp disable
# To configure Switch C as the secondary root, you can either set its Bridge priority to 4096 or simply use the command that specifies it as the secondary root.
5) Set the Bridge priority of Switch C to 4096

[Quidway] stp priority 4096
6) Designate Switch C as the secondary root, using the following command.

[Quidway] stp root secondary
# Enable the Root protection function on every designated port.
[Quidway] interface ethernet 0/1
[Quidway-Ethernet0/1] stp root-protection
[Quidway] interface ethernet 0/2
[Quidway-Ethernet0/2] stp root-protection
[Quidway] interface ethernet 0/2
[Quidway-Ethernet0/2] stp root-protection
# The RSTP operating mode, time parameters and port parameters take their default values.
7) Configure Switch D

# Enable RSTP globally.
[Quidway] stp enable
# RSTP is enabled on the ports by default once global RSTP is enabled. You can disable RSTP on the ports that are not involved in the RSTP calculation; however, be careful not to disable the ports that are involved. (The following configuration takes Ethernet 0/4 as an example.)
[Quidway] interface ethernet 0/4
[Quidway-Ethernet0/4] stp disable
# Configure the ports directly connected to users (Ethernet 0/1 through Ethernet 0/24) as edge ports and enable the BPDU protection function. (Take Ethernet 0/1 as an example.)
[Quidway] interface ethernet 0/1
[Quidway-Ethernet0/1] stp edged-port enable
[Quidway-Ethernet0/1] quit
[Quidway] stp bpdu-protection
# The RSTP operating mode, time parameters and port parameters take their default values.


Chapter 2 MSTP Region-configuration
2.1 MSTP Overview

Note: For Quidway series switches, the MSTP feature is compatible with STP and RSTP, but a switch that supports RSTP does not support MSTP. S3552 Series Switches support the MSTP feature.

MSTP stands for Multiple Spanning Tree Protocol, which is compatible with STP and RSTP. STP cannot transit fast: even on a point-to-point link or an edge port, it has to wait an interval as long as twice the forward delay before the network converges. RSTP converges fast, but still has a drawback: all the network bridges in a VLAN share one spanning tree, so redundant links cannot be blocked per VLAN. MSTP makes up for these drawbacks of STP and RSTP. It makes the network converge fast and distributes the traffic of different VLANs along their respective paths, which provides a better load-balancing mechanism for the redundant links. MSTP associates VLANs with spanning trees and divides a switching network into several regions, each of which has spanning trees independent of the others. MSTP prunes the network into a loop-free tree to avoid proliferation, and it also provides multiple redundant paths for data forwarding to implement load balancing of VLAN data forwarding.

2.1.1 MSTP Concepts
There are 4 MST regions in Figure 2-1. The MSTP concepts are introduced with this figure in the following text.


Figure 2-1 Basic MSTP concepts (diagram not reproduced: MST regions A0, B0 and C0 exchange BPDUs over the CST, the Common Spanning Tree. Region A0 contains switches A, B, C and D, with VLAN 1 mapped to Instance 1 (region root B), VLAN 2 mapped to Instance 2 (region root C) and other VLANs mapped to the CIST. Region B0 maps VLAN 1 to Instance 1, VLAN 2 to Instance 2 and other VLANs to the CIST. Region C0 maps VLAN 1 to Instance 1, VLANs 2 and 3 to Instance 2 and other VLANs to the CIST. CIST: Common and Internal Spanning Tree; MSTI: Multiple Spanning Tree Instance.)

I. MST region
Multiple Spanning Tree Region: a multiple spanning tree region contains several physically and directly connected MSTP switches sharing the same region name, VLAN-to-spanning-tree mapping configuration and MSTP revision level configuration, together with the network segments between them. There can be several MST regions on a switching network. You can group several switches into an MST region using the MSTP configuration commands; for details, refer to the operation manual in this chapter. For example, in MST region A0 in the network of Figure 2-1, the 4 switches in this region are configured with the same region name, the same VLAN mapping table (VLAN 1 mapped to Instance 1, VLAN 2 mapped to Instance 2, other VLANs mapped to Instance 0) and the same revision level (not indicated in Figure 2-1).

II. VLAN mapping table
An attribute of an MST region, used to describe the mapping relationship between VLANs and STIs. For example, the VLAN mapping table of MST region A0 in Figure 2-1 is: VLAN 1 mapped to Instance 1, VLAN 2 mapped to Instance 2, other VLANs mapped to Instance 0.

III. IST
Internal Spanning Tree (IST): the entire switching network has a Common and Internal Spanning Tree (CIST). An MST region has an Internal Spanning Tree (IST), which is a fragment of the CIST. For example, every MST region in Figure 2-1 has an IST.


IV. CST
Common Spanning Tree (CST): connects the spanning trees of all the MST regions. Taking every MST region as a "switch", the CST can be regarded as the spanning tree generated among them with STP/RSTP. For example, the red line indicates the CST in Figure 2-1.

V. CIST
CIST (Common and Internal Spanning Tree): a single spanning tree made of the IST and the CST (Common Spanning Tree). The CIST of Figure 2-1 is composed of the IST in every MST region and the CST.

VI. MSTI
Multiple Spanning Tree Instance (MSTI): multiple spanning trees, independent of one another, can be generated with MSTP in an MST region. Each such spanning tree is called an MSTI. Every MST region can have many STIs, called MSTIs, and each of them is related to its corresponding VLANs.

VII. Region root
The region root refers to the root of an IST or MSTI of the MST region. The spanning trees in an MST region may have different topologies, so their region roots may also differ. In each MST region in Figure 2-1, every STI has its own region root.

VIII. Common Root Bridge
The Common Root Bridge refers to the root bridge of CIST. There is only one common root bridge in the specified network.

IX. Edge port
The edge port refers to a port located at the MST region edge, connecting different MST regions, an MST region and an STP region, or an MST region and an RSTP region. In the MSTP calculation, an edge port takes the same role on every MSTI as on the CIST. For example, an edge port that is a master port on the CIST serves as a master port on every MSTI in the region.

X. Port role
In the process of MSTP calculation, a port can serve as a designated port, root port, master port, alternate port or backup port. The root port is the one through which data are forwarded to the root. The designated port is the one through which data are forwarded to the downstream network segment or switch.


The master port is the port connecting the entire region to the Common Root Bridge, located on the shortest path between them. The alternate port is the backup of the master port; when the master port is blocked, the alternate port takes its place. If two ports of a switch are connected to each other, there must be a loop; in this case, the switch blocks one of them, and the blocked one is called the backup port. A port can play different roles in different spanning tree instances. The following figure illustrates the above concepts.
Figure 2-2 Port roles (diagram not reproduced: an MST region of switches A, B, C and D, with the master port connected to the common root, an edge port, an alternate port, designated ports and a backup port labelled on Port 1 through Port 6)

2.1.2 MSTP Principles
MSTP divides the entire Layer 2 network into several MST regions and calculates and generates the CST for them. Multiple spanning trees are generated in a region, and each of them is called an MSTI. Instance 0 is called the IST, and the others are called MSTIs.

I. CIST calculation
The CIST root is the highest-priority switch elected from all the switches on the entire network by comparing their configuration BPDUs. MSTP calculates and generates the IST in each MST region and also the CST connecting the regions. The CIST is the unique single spanning tree of the entire switching network.


II. MSTI calculation
Inside an MST region, MSTP generates different MSTIs for different VLANs according to the association between VLANs and spanning trees. The calculation process of an MSTI is the same as that of RSTP. In this way, the packets of a VLAN travel along the corresponding MSTI inside the MST region and along the CST between different regions. The calculation process of one MSTI is introduced below.

The fundamental of STP is that the switches exchange a special kind of protocol packet (called a configuration Bridge Protocol Data Unit, or BPDU, in IEEE 802.1D) to decide the topology of the network. The configuration BPDU contains enough information for the switches to compute the spanning tree. It mainly contains the following information:
1) The root ID, consisting of the root priority and MAC address
2) The cost of the shortest path to the root
3) The designated switch ID, consisting of the designated switch priority and MAC address
4) The designated port ID, consisting of the port priority and port number
5) The age of the configuration BPDU: MessageAge
6) The maximum age of the configuration BPDU: MaxAge
7) The configuration BPDU interval: HelloTime
8) The forward delay of the port: ForwardDelay

What are the designated switch and designated port?

Figure 2-3 Designated switch and designated port (diagram not reproduced: Switch A with ports AP1 and AP2, Switch B with ports BP1 and BP2 and Switch C with ports CP1 and CP2; Switch A connects to Switch B through AP1, and Switch B and Switch C are both attached to the same LAN)

For a switch, the designated switch is the switch in charge of forwarding packets to the local switch, via a port called the designated port. For a LAN, the designated switch is the switch in charge of forwarding packets to the network segment, via a port called the designated port. As illustrated in Figure 2-3, Switch A forwards data to Switch B via the port AP1, so for Switch B the designated switch is Switch A and the designated port is AP1. Also in the figure, Switch B and Switch C are connected to the LAN and Switch B forwards packets to the LAN, so the designated switch of the LAN is Switch B and the designated port is BP2.

Note: AP1, AP2, BP1, BP2, CP1 and CP2 respectively denote the ports of Switch A, Switch B and Switch C.

The specific calculation process of the STP algorithm is illustrated by the following example on the network shown in Figure 2-4.

Figure 2-4 Ethernet switch networking (diagram not reproduced: Switch A with priority 0, Switch B with priority 1 and Switch C with priority 2; AP1 connects to BP1 over a link of path cost 5, AP2 connects to CP1 over a link of path cost 10, and BP2 connects to CP2 over a link of path cost 4)

To facilitate the descriptions, only the first four parts of the configuration BPDU are described in the example. They are the root ID (expressed as the Ethernet switch priority), the path cost to the root, the designated switch ID (expressed as the Ethernet switch priority) and the designated port ID (expressed as the port number). As illustrated in the figure, the priorities of Switch A, B and C are 0, 1 and 2, and the path costs of their links are 5, 10 and 4 respectively.
9) Initial state

When initialized, each port of the switches generates a configuration BPDU taking its own switch as the root, with a root path cost of 0, the designated switch ID as its own switch ID and the designated port as itself.
Switch A:
Configuration BPDU of AP1: {0, 0, 0, AP1}
Configuration BPDU of AP2: {0, 0, 0, AP2}


Switch B:
Configuration BPDU of BP1: {1, 0, 1, BP1}
Configuration BPDU of BP2: {1, 0, 1, BP2}
Switch C:
Configuration BPDU of CP2: {2, 0, 2, CP2}
Configuration BPDU of CP1: {2, 0, 2, CP1}
10) Select the optimum configuration BPDU

Every switch transmits its configuration BPDUs to the others. When a port receives a configuration BPDU with a lower priority than its own, it discards the message and keeps the local BPDU unchanged. When a higher-priority configuration BPDU is received, the local BPDU is updated. The optimum configuration BPDU is then elected by comparing the configuration BPDUs of all the ports. The comparison rules are:
The configuration BPDU with the smaller root ID has the higher priority.
If the root IDs are the same, compare the root path costs. The cost comparison is as follows: the path cost to the root recorded in the configuration BPDU plus the path cost of the local port is set as S, and the configuration BPDU with the smaller S has the higher priority.
If the path costs to the root are also the same, compare in sequence the designated switch ID, the designated port ID and the ID of the port via which the configuration BPDU was received.
For brevity, we assume in this example that the optimum BPDU can be selected through root ID comparison.
11) Specify the root port, block the redundant link and update the configuration BPDU of the designated port.

The port receiving the optimum configuration BPDU becomes the root port, and its configuration BPDU remains unchanged. Any other port whose configuration BPDU was updated in the step Select the optimum configuration BPDU is blocked and does not forward any data; it only receives BPDUs, does not transmit them, and its BPDU remains unchanged. A port whose BPDU was not updated in the step Select the optimum configuration BPDU becomes a designated port. Its configuration BPDU is modified as follows: the root ID is replaced with the root ID in the configuration BPDU of the root port, the path cost to the root with the root path cost plus the path cost of the root port, the designated switch ID with the local switch ID and the designated port ID with the local port ID. The comparison process of each switch is as follows.
Switch A:

AP1 receives the configuration BPDU from Switch B and finds that the priority of the local configuration BPDU is higher than that of the received one, so it discards the received configuration BPDU. The configuration BPDU on AP2 is processed in a similar way. Thus Switch A finds itself the root and the designated switch in the configuration BPDU of every port; it regards itself as the root, retains the configuration BPDU of each port and transmits configuration BPDUs to the others regularly thereafter. By now, the configuration BPDUs of the two ports are as follows:
Configuration BPDU of AP1: {0, 0, 0, AP1}
Configuration BPDU of AP2: {0, 0, 0, AP2}
Switch B:
BP1 receives the configuration BPDU from Switch A and finds that the received BPDU has a higher priority than the local one, so it updates its configuration BPDU. BP2 receives the configuration BPDU from Switch C and finds that the local BPDU has a higher priority than the received one, so it discards the received BPDU. By now the configuration BPDUs of the ports are as follows:
Configuration BPDU of BP1: {0, 0, 0, AP1}
Configuration BPDU of BP2: {1, 0, 1, BP2}
Switch B compares the configuration BPDUs of its ports and selects the BP1 BPDU as the optimum one. Thus BP1 is elected as the root port and the configuration BPDUs of the Switch B ports are updated as follows. The configuration BPDU of the root port BP1 remains {0, 0, 0, AP1}. BP2 replaces its root ID with that of the optimum configuration BPDU, sets the path cost to the root to 5, the designated switch ID to the local switch ID and the designated port ID to the local port ID, so its configuration BPDU becomes {0, 5, 1, BP2}. Then all the designated ports of Switch B transmit their configuration BPDUs regularly.
Switch C:
CP2 receives from BP2 of Switch B the configuration BPDU {1, 0, 1, BP2}, which has not yet been updated, and finds it better than the local one, so the configuration BPDU of CP2 is updated to {1, 0, 1, BP2}. CP1 receives the configuration BPDU {0, 0, 0, AP2} from Switch A and Switch C updates it as well, so the configuration BPDU of CP1 becomes {0, 0, 0, AP2}. By comparison, the CP1 configuration BPDU is elected as the optimum one. CP1 is thus specified as the root port, with no modification made to its configuration BPDU. CP2, however, is blocked; its BPDU also remains the same, but it does not receive data (excluding STP packets) forwarded from Switch B until the spanning tree calculation is launched again by some new event, for example the link from Switch B to Switch C going down, or the port receiving a better configuration BPDU.


Then CP2 receives the updated configuration BPDU {0, 5, 1, BP2} from Switch B. Since this configuration BPDU is better than the old one, the old BPDU is updated to {0, 5, 1, BP2}. Meanwhile, CP1 receives the configuration BPDU from Switch A, but its configuration BPDU is not updated and remains {0, 0, 0, AP2}. By comparison (the root IDs are now equal, and the root path cost plus port cost is 5 + 4 = 9 on CP2 against 0 + 10 = 10 on CP1), the configuration BPDU of CP2 is elected as the optimum one, so CP2 is elected as the root port, whose BPDU does not change, while CP1 is blocked and retains its BPDU but does not receive the data forwarded from Switch A until the spanning tree calculation is triggered again by some change, for example the link from Switch B to Switch C going down. Thus the spanning tree is stabilized. The tree with Switch A as the root is illustrated in Figure 2-5 below.
Figure 2-5 The final stabilized spanning tree (diagram not reproduced: Switch A with priority 0 remains the root; AP1 connects to BP1 of Switch B with priority 1 over the link of cost 5, and BP2 connects to CP2 of Switch C with priority 2 over the link of cost 4; the link between AP2 and CP1 is blocked)

To facilitate the descriptions, the example has been simplified. For example, in the actual calculation the root ID and the designated switch ID comprise both the switch priority and the switch MAC address, and the designated port ID comprises the port priority and the port MAC address. In the updating process of a configuration BPDU, the fields other than the first four are also modified according to certain rules. The basic calculation process is described below.

Configuration BPDU forwarding mechanism in STP: upon initialization of the network, all the switches regard themselves as roots. The designated ports send the configuration BPDUs of their local ports at a regular interval of HelloTime. If a root port receives a configuration BPDU, the switch starts a timer for the configuration BPDU and increases the MessageAge carried in the configuration BPDU according to certain rules. If a path fails, the root port on this path no longer receives configuration BPDUs and the old configuration BPDUs are discarded due to timeout. Hence, recalculation of the spanning tree is initiated to generate a new path to replace the failed one and thus restore network connectivity. However, the newly recalculated configuration BPDU is not propagated throughout the network right away, so the old root ports and designated ports that have not detected the topology change still forward data through the old path. If the new root port and designated port began to forward data immediately after being elected, a transient loop could still occur. In RSTP, a transitional state mechanism is therefore adopted to ensure that the new configuration BPDU has been propagated throughout the network before the root port and designated port begin to send data again. That is, the root port and designated port undergo a transitional state for a period of Forward Delay before they enter the forwarding state.

MSTP is compatible with STP and RSTP. An MSTP switch can recognize both STP and RSTP packets and calculate the spanning tree with them. Besides the basic MSTP functions, Quidway Ethernet Switch Series also provide some features that make management easier from the user's point of view. These features include root bridge hold, secondary root bridge, ROOT PROTECTION, BPDU PROTECTION, protocol hot swapping, master/slave switchover, and so on.
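The election worked through above, as an added example rather than code from the manual: a Python model of the four-field configuration BPDU comparison, run on the constructed Figure 2-4 topology (Switch A, B and C with priorities 0, 1 and 2; link costs 5 for AP1-BP1, 10 for AP2-CP1 and 4 for BP2-CP2). Switch IDs are expressed as priorities and ports are named as in the figure; the round-based exchange, the rule that only designated ports transmit, and the "blocked" label for a non-root port holding a foreign BPDU are assumptions of the model. Each round applies the two steps of the text: adopt a received BPDU when it is better than the local one, then per switch pick the root port by root ID, S = root path cost + port cost, designated switch ID, designated port ID and receiving port ID.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Added example, not the switch's own code. A BPDU is reduced to the four
# fields the manual's example uses:
# (root ID, root path cost, designated switch ID, designated port ID).
BPDU = Tuple[int, int, int, str]


@dataclass
class Port:
    name: str
    switch: int      # switch ID, expressed as its priority like the manual
    cost: int        # path cost of the link attached to this port
    peer: str        # port at the far end of the link (constructed topology)
    bpdu: BPDU
    role: str = "designated"


def build_figure_2_4() -> Dict[str, Port]:
    """Constructed Figure 2-4 topology: A-B cost 5, A-C cost 10, B-C cost 4."""
    links = [("AP1", 0, "BP1", 1, 5), ("AP2", 0, "CP1", 2, 10), ("BP2", 1, "CP2", 2, 4)]
    ports: Dict[str, Port] = {}
    for p, ps, q, qs, cost in links:
        # Initial state: every port claims its own switch as root with cost 0.
        ports[p] = Port(p, ps, cost, q, (ps, 0, ps, p))
        ports[q] = Port(q, qs, cost, p, (qs, 0, qs, q))
    return ports


def select_key(port: Port) -> Tuple[int, int, int, str, str]:
    """Ranking used to pick a switch's optimum BPDU: smaller root ID first,
    then S = recorded root path cost + cost of the receiving port, then the
    designated switch ID, designated port ID and receiving port ID."""
    root, cost, dsw, dport = port.bpdu
    return (root, cost + port.cost, dsw, dport, port.name)


def stp_round(ports: Dict[str, Port]) -> bool:
    """One BPDU exchange followed by role selection. Returns True if any
    port's BPDU or role changed, so the caller can iterate to a fixed point."""
    changed = False
    # 1. Receive: only designated ports transmit (snapshot taken first so the
    #    order of processing does not matter); a port adopts the received
    #    BPDU when it is better, i.e. lexicographically smaller, than its own.
    announced = {n: p.bpdu for n, p in ports.items() if p.role == "designated"}
    for port in ports.values():
        received = announced.get(port.peer)
        if received is not None and received < port.bpdu:
            port.bpdu = received
            changed = True
    # 2. Select per switch: ports holding a foreign BPDU (designated switch
    #    is not the local switch) compete for root port; the losers are
    #    blocked; the remaining ports stay designated and re-announce the
    #    root with the path cost learned on the root port.
    for sw in {p.switch for p in ports.values()}:
        mine = [p for p in ports.values() if p.switch == sw]
        updated = [p for p in mine if p.bpdu[2] != sw]
        if not updated:
            continue  # this switch still believes it is the root
        root_port = min(updated, key=select_key)
        root_id, root_cost, _, _ = root_port.bpdu
        for p in mine:
            if p is root_port:
                new_role, new_bpdu = "root", p.bpdu
            elif p in updated:
                new_role, new_bpdu = "blocked", p.bpdu
            else:
                new_role = "designated"
                new_bpdu = (root_id, root_cost + root_port.cost, sw, p.name)
            if (new_role, new_bpdu) != (p.role, p.bpdu):
                p.role, p.bpdu = new_role, new_bpdu
                changed = True
    return changed


def converge(ports: Dict[str, Port], max_rounds: int = 10) -> Dict[str, Tuple[str, BPDU]]:
    """Run rounds until nothing changes; return each port's final role and BPDU."""
    for _ in range(max_rounds):
        if not stp_round(ports):
            break
    return {name: (p.role, p.bpdu) for name, p in ports.items()}


if __name__ == "__main__":
    for name, (role, bpdu) in sorted(converge(build_figure_2_4()).items()):
        print(f"{name}: {role:10s} {bpdu}")
```

Running it reproduces the text: after the first round CP1 is Switch C's root port and CP2 is blocked; once BP2 announces {0, 5, 1, BP2}, CP2 wins on S (5 + 4 = 9 against 0 + 10 = 10) and CP1 is blocked, which is the tree of Figure 2-5. The same ranking is what a rogue device with a lower priority would win, which is why the Root protection of Chapter 1 is applied on designated ports.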

2.2 Configure MSTP
MSTP configuration includes:
Configure the MST region for a switch
Specify the switch as primary or secondary root switch
Configure the MSTP running mode
Configure the Bridge priority for a switch
Configure the max hops in an MST region
Configure the switching network diameter
Configure the time parameters of a switch
Configure the max transmission speed on a port
Configure a port as an edge port
Configure the Path Cost of a port
Configure the priority of a port
Configure the port (not) to connect with the point-to-point link
Configure the mCheck variable of a port
Configure the switch security function
Enable MSTP on the device
Enable MSTP on a port
Only after MSTP is enabled on the device will the other configurations take effect. Before enabling MSTP, you can configure the related parameters of the device and Ethernet ports, which take effect upon enabling MSTP and stay effective even after resetting MSTP. The check command shows the region parameters yet to take effect. The display active-region-configuration command shows the parameters configured before MSTP is enabled. For those configured after MSTP is enabled, you can use the related display commands. For detailed information, refer to the "Display and Debug MSTP" section.
You do not have to perform all the mentioned tasks to configure MSTP. Many of them are designed to adjust MSTP parameters that come with default values. You can configure these parameters according to the actual conditions or simply take the defaults. For detailed information, refer to the task description or the Command Manual.

Note: When GVRP and MSTP start up on the switch simultaneously, GVRP packets propagate along the CIST, which is a spanning tree instance. In this case, if you want to distribute a certain VLAN through GVRP on the network, make sure that the VLAN is mapped to the CIST when configuring the VLAN mapping table of MSTP. The CIST is spanning tree instance 0.

2.2.1 Configure the MST Region for a Switch
Which MST region a switch belongs to is determined with the configurations of the region name, VLAN mapping table, and MSTP revision level. You can perform the following configurations to put a switch into an MST region. Follow the procedure listed in the table below and perform these configurations from system view.

I. Enter MST region view
Perform the following configuration in system view.

Table 2-1 Enter MST region view

Operation                                       Command
Enter MST region view (from system view)        stp region-configuration
Restore the default settings of MST region      undo stp region-configuration

II. Configure the MST Region
Perform the following configuration in MST region view.


Table 2-2 Configure the MST region for a switch

Operation                                              Command
Configure MST region name                              region-name name
Restore the default MST region name                    undo region-name
Configure VLAN mapping table                           instance instance-id vlan vlan-list
Restore the default VLAN mapping table                 undo instance
Configure the MSTP revision level of MST region        revision-level level
Restore the MSTP revision level of MST region          undo revision-level

An MST region can contain up to 17 spanning tree instances, among which Instance 0 is the IST and Instances 1 through 16 are MSTIs. Upon completion of the above configurations, the current switch is put into the specified MST region. Note that two switches belong to the same MST region only if they have been configured with the same MST region name, the same STI-VLAN mapping table of the MST region and the same MST region revision level. Configuring the related parameters of the MST region, especially the VLAN mapping table, leads to recalculation of the spanning tree and flapping of the network topology. To reduce such flapping, MSTP recalculates the spanning tree according to the configurations only if one of the following conditions is met:
The user manually activates the configured parameters related to the MST region, using the active region-configuration command.
The user enables MSTP, using the stp enable command.
By default, the MST region name is the first switch MAC address, all the VLANs in the MST region are mapped to STI 0, and the MSTP region revision level is 0. You can restore the default settings of the MST region using the undo stp region-configuration command in system view.

III. Activate the MST Region Configuration and Exit the MST Region View
Perform the following configuration in MST region view.

Table 2-3 Activate the MST Region Configuration and exit the MST Region View

Operation                                                                                   Command
Show the configuration information of the MST region under revision (from MST region view)  check region-configuration
Manually activate the MST region configuration (from MST region view)                       active region-configuration
Exit MST region view (from MST region view)                                                 quit
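The region membership rule of section 2.2.1, as an added Python model that is not the switch's own code: a pending region configuration (what check region-configuration would show) built from the region name, the revision level and the VLAN mapping table, with a membership test that two switches pass only when all three match. The vlan-list syntax "1 to 10 20" is an assumption of the example; the default mapping of every VLAN to instance 0, the limit of instances 0 through 16 and the rule that a VLAN belongs to exactly one instance follow the text. The region name is given explicitly here rather than defaulting to the switch MAC address.

```python
from typing import Dict, List, Tuple

# Added example, not the switch's own code: the three attributes that decide
# MST region membership. The "1 to 10 20" vlan-list form is assumed.

IST = 0
MAX_INSTANCE = 16          # instances 0 (IST) through 16 (MSTIs), 17 in total
VLAN_RANGE = range(1, 4095)


def valid_instance_id(instance_id: int) -> bool:
    """An MST region may hold instances 0 through 16 only."""
    return 0 <= instance_id <= MAX_INSTANCE


def parse_vlan_list(text: str) -> List[int]:
    """Expand a vlan-list such as "1 to 3 10 20 to 21" into [1, 2, 3, 10, 20, 21]."""
    tokens = text.split()
    vlans: List[int] = []
    i = 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            end = int(tokens[i + 2])
            i += 3
        else:
            end = start
            i += 1
        if start > end or start not in VLAN_RANGE or end not in VLAN_RANGE:
            raise ValueError(f"bad VLAN range {start}-{end}")
        vlans.extend(range(start, end + 1))
    return vlans


class MstRegionConfig:
    """Pending (not yet activated) MST region configuration of one switch."""

    def __init__(self, region_name: str, revision_level: int = 0) -> None:
        self.region_name = region_name
        self.revision_level = revision_level
        # Default VLAN mapping table: every VLAN mapped to the IST (instance 0).
        self.mapping: Dict[int, int] = {v: IST for v in VLAN_RANGE}

    def instance(self, instance_id: int, vlan_list: str) -> None:
        """'instance instance-id vlan vlan-list': a VLAN belongs to exactly one
        instance, so a later mapping replaces an earlier one."""
        if not valid_instance_id(instance_id):
            raise ValueError(f"instance {instance_id}: only 0 to {MAX_INSTANCE} allowed")
        for vlan in parse_vlan_list(vlan_list):
            self.mapping[vlan] = instance_id

    def undo_instance(self, instance_id: int) -> None:
        """'undo instance instance-id': return its VLANs to the IST."""
        for vlan, inst in list(self.mapping.items()):
            if inst == instance_id:
                self.mapping[vlan] = IST

    def vlans_of(self, instance_id: int) -> List[int]:
        """VLANs whose frames follow the given instance inside the region."""
        return [v for v, inst in self.mapping.items() if inst == instance_id]

    def identity(self) -> Tuple[str, int, Tuple[Tuple[int, int], ...]]:
        """Everything a neighbour must match to belong to the same region:
        region name, revision level and the full VLAN mapping table."""
        return (self.region_name, self.revision_level, tuple(sorted(self.mapping.items())))


def same_region(a: MstRegionConfig, b: MstRegionConfig) -> bool:
    """True only when name, revision level and mapping table all agree."""
    return a.identity() == b.identity()
```

The mapping table is compared in full, so a switch that maps one extra VLAN, or the same VLANs to a different instance number, ends up in a region of its own; that is the usual cause of an unexpected region boundary (and of traffic crossing the CST instead of the intended MSTI) after a partial configuration change, which is why the text recommends activating region parameters deliberately.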

2.2.2 Specify the Switch as Primary or Secondary Root Switch
MSTP can determine the spanning tree root through calculation. You can also specify the current switch as the root, using the command provided by the switch.


You can use the following commands to specify the current switch as the primary or secondary root of the spanning tree. Perform the following configuration in system view.

Table 2-4 Specify the switch as primary or secondary root switch

Operation                                                                                Command
Specify the current switch as the primary root switch of the specified spanning tree     stp [ instance instance-id ] root primary [ bridge-diameter bridgenum ] [ hello-time centi-seconds ]
Specify the current switch as the secondary root switch of the specified spanning tree   stp [ instance instance-id ] root secondary [ bridge-diameter bridgenum ] [ hello-time centi-seconds ]
Specify the current switch not to be the primary or secondary root                       undo stp [ instance instance-id ] root

After a switch is configured as the primary or secondary root switch, the user cannot modify the Bridge priority of the switch. You can configure the current switch as the primary or secondary root switch of an STI (specified by the instance instance-id parameter). If instance-id is 0, the current switch is specified as the primary or secondary root switch of the CIST. The root types of a switch in different STIs are independent of one another. The switch can be the primary or secondary root of any STI; however, it cannot serve as both the primary and the secondary root of one STI. If the primary root is down or powered off, the secondary root takes its place unless you configure a new primary root. Of two or more configured secondary root switches, MSTP selects the one with the smallest MAC address to take the place of the failed primary root. When configuring the primary and secondary switches, you can also configure the network diameter and hello time of the specified switching network. For detailed information, refer to the configuration tasks "Configure switching network diameter" and "Configure the Hello Time of the switch".

Note: You can configure the current switch as the root of several STIs; however, it is not necessary to specify two or more roots for an STI. In other words, do not specify the root for an STI on two or more switches. You can configure more than one secondary root for a spanning tree by specifying the secondary STI root on two or more switches. Generally, it is recommended to designate one primary root and more than one secondary root for a spanning tree.


By default, a switch is neither the primary root nor the secondary root of the spanning tree.

2.2.3 Configure the MSTP Running Mode
MSTP and RSTP are compatible and can recognize each other's packets. However, STP cannot recognize MSTP packets. To implement compatibility, MSTP provides two operation modes, STP-compatible mode and MSTP mode. In STP-compatible mode, the switch sends STP packets via every port and serves as a region by itself. In MSTP mode, the switch ports send MSTP packets, or STP packets when connected to an STP switch, and the switch provides the multiple spanning tree function. You can use the following command to configure the MSTP running mode. If there is an STP switch in the switching network, use the command to configure the current MSTP switch to run in STP-compatible mode; otherwise, configure it to run in MSTP mode. Perform the following configuration in system view.

Table 2-5 Configure the MSTP running mode
Operation: Configure MSTP to run in STP-compatible mode.
Command:   stp mode stp
Operation: Configure MSTP to run in MSTP mode.
Command:   stp mode mstp
Operation: Restore the default MSTP running mode.
Command:   undo stp mode

Generally, if there is an STP switch on the switching network, the port connected to it automatically transits from MSTP mode to STP-compatible mode. But the port cannot automatically transit back to MSTP mode after the STP switch is removed (see the mCheck operation in 2.2.13). By default, MSTP runs in MSTP mode.

2.2.4 Configure the Bridge Priority for a Switch
Whether a switch can be elected as the spanning tree root depends on its Bridge priority. The switch configured with a smaller Bridge priority is more likely to become the root. An MSTP switch may have different priorities in different STIs. You can use the following command to configure the Bridge priorities of the designated switch in different STIs. Perform the following configuration in system view.


Table 2-6 Configure the Bridge priority for a switch
Operation: Configure the Bridge priority of the designated switch.
Command:   stp [ instance instance-id ] bridge-priority priority
Operation: Restore the default Bridge priority of the designated switch.
Command:   undo stp [ instance instance-id ] bridge-priority

When configuring the switch priority with the instance instance-id parameter as 0, you are configuring the CIST priority of the switch.

Caution: In the spanning tree root election, of two or more switches sharing the lowest Bridge priority, the one with the smaller MAC address is elected as the root.

By default, the switch Bridge priority is 32768.
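The election rules stated in 2.2.2 (primary root, then the secondary root with the smallest MAC address) and in 2.2.4 (lowest Bridge priority, smaller MAC address as tie-breaker) can be written out as a small model. The following is an added example written for this page, not Huawei's code: the switch's internal handling of the primary/secondary root setting is not described on the page, so it is modelled here simply as a per-instance role flag, and all switch names and MAC addresses are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class Bridge:
    """One switch as seen by a single spanning tree instance (CIST or an MSTI)."""
    name: str
    mac: str                   # constructed sample addresses, "00e0-fc00-0001" style
    priority: int = 32768      # the manual's default bridge priority
    role: str = "none"         # "primary", "secondary" or "none" for this instance
    up: bool = True


def mac_value(mac: str) -> int:
    """Numeric value of a MAC address so that 'smaller MAC' can be compared."""
    return int(mac.replace("-", "").replace(":", "").replace(".", ""), 16)


def bridge_id(b: Bridge) -> tuple:
    """Bridge ID ordering: lower priority wins, then the smaller MAC address."""
    return (b.priority, mac_value(b.mac))


def elect_root(bridges: list) -> str:
    """Name of the root elected for one instance (assumed role model, see lead-in)."""
    alive = [b for b in bridges if b.up]
    if not alive:
        raise ValueError("no bridge is up in this instance")
    primaries = [b for b in alive if b.role == "primary"]
    if primaries:
        # Only one primary should be configured per instance; if several are,
        # fall back to the ordinary bridge-ID comparison among them.
        return min(primaries, key=bridge_id).name
    secondaries = [b for b in alive if b.role == "secondary"]
    if secondaries:
        # Several secondaries are allowed; the one with the smallest MAC takes over.
        return min(secondaries, key=lambda b: mac_value(b.mac)).name
    # Nobody is configured as a root: plain election on (priority, MAC).
    return min(alive, key=bridge_id).name


def failover_order(bridges: list) -> list:
    """Root after each successive failure of the current root.
    The bridges are copied so the caller's objects are left untouched."""
    working = [Bridge(**vars(b)) for b in bridges]
    order = []
    while any(b.up for b in working):
        root = elect_root(working)
        order.append(root)
        next(b for b in working if b.name == root).up = False
    return order


SAMPLE_INSTANCE = [  # constructed, not a topology from the manual
    Bridge("core1", "00e0-fc00-0001", role="primary"),
    Bridge("core2", "00e0-fc00-0003", role="secondary"),
    Bridge("core3", "00e0-fc00-0002", role="secondary"),
    Bridge("access1", "00e0-fc00-0010"),
    Bridge("access2", "00e0-fc00-0009"),
]

if __name__ == "__main__":
    print("root now:", elect_root(SAMPLE_INSTANCE))
    print("failover order:", failover_order(SAMPLE_INSTANCE))
```

Running the sample shows why the manual warns against leaving the root to the default election: once both configured roots are gone, the root falls to whichever access switch happens to have the smaller MAC address, which is rarely the switch you would choose for the core.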

2.2.5 Configure the Max Hops in an MST Region
The scale of an MST region is limited by the max hops configured on the region root. As a BPDU travels from the spanning tree root, each time a switch forwards it the hop count is reduced by 1, and a switch discards a configuration BPDU that arrives with 0 hops left. This makes it impossible for switches beyond the max hops to take part in the spanning tree calculation, thereby limiting the scale of the MST region. You can use the following command to configure the max hops in an MST region. Perform the following configuration in system view.

Table 2-7 Configure the max hops in an MST region
Operation: Configure the max hops in an MST region.
Command:   stp max-hops hop
Operation: Restore the default max hops in an MST region.
Command:   undo stp max-hops

The more hops allowed in an MST region, the larger the scale of the region. Only the max hops configured on the region root limits the scale of the MST region; the other switches in the region apply the value configured on the region root, even if they have been configured with their own max hops. By default, the max hops of an MST region is 20.
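To make the hop-count limit concrete, here is an added example (written for this page, not the switch's code) that floods a configuration BPDU from the region root over a constructed topology and reports which switches still accept it. It follows the manual's wording literally: the root sends the full max-hops budget, each forwarding switch subtracts one, and a switch that receives 0 hops left discards the BPDU; whether the real protocol's remainingHops accounting is off by one from this reading is an assumption the example does not settle. The helper that computes the smallest sufficient max-hops is a generalization added here.

```python
from collections import deque

DEFAULT_MAX_HOPS = 20  # the manual's default for "stp max-hops"


def region_reach(adjacency: dict, region_root: str, max_hops: int = DEFAULT_MAX_HOPS) -> dict:
    """Flood a configuration BPDU from the region root and return
    {switch: hops_left_in_the_accepted_bpdu} for every switch that accepts it.

    A breadth-first flood means every switch keeps the copy that arrived with
    the most hops left, i.e. the one that crossed the fewest switches.
    """
    if max_hops < 1:
        raise ValueError("max hops must be at least 1")
    reach = {region_root: max_hops}
    queue = deque([region_root])
    while queue:
        sw = queue.popleft()
        # The root originates the BPDU with the full budget; every other switch
        # subtracts 1 when it forwards the BPDU on.
        hops_out = reach[sw] if sw == region_root else reach[sw] - 1
        for nb in adjacency.get(sw, []):
            if nb in reach:
                continue  # already holds a copy that arrived with at least as many hops
            if hops_out <= 0:
                continue  # would arrive with 0 hops left: the receiver discards it
            reach[nb] = hops_out
            queue.append(nb)
    return reach


def outside_region(adjacency: dict, region_root: str, max_hops: int = DEFAULT_MAX_HOPS) -> list:
    """Switches that never accept the root's BPDU and therefore drop out of the
    region's spanning tree calculation."""
    return sorted(set(adjacency) - set(region_reach(adjacency, region_root, max_hops)))


def required_max_hops(adjacency: dict, region_root: str) -> int:
    """Smallest max-hops value for which every switch in the topology is reached."""
    for hops in range(1, len(adjacency) + 1):
        if not outside_region(adjacency, region_root, hops):
            return hops
    raise ValueError("some switch is not connected to the region root")


SAMPLE_REGION = {  # constructed ring topology, not from the manual
    "root": ["s1", "s4"],
    "s1": ["root", "s2"],
    "s2": ["s1", "s3"],
    "s3": ["s2", "s5"],
    "s4": ["root", "s5"],
    "s5": ["s4", "s3"],
}

if __name__ == "__main__":
    for hops in (1, 2, 3):
        print(f"max-hops {hops}: reach={region_reach(SAMPLE_REGION, 'root', hops)} "
              f"outside={outside_region(SAMPLE_REGION, 'root', hops)}")
    print("required max-hops:", required_max_hops(SAMPLE_REGION, "root"))
```

In the sample ring, s3 is three switches away from the root on either side, so with max-hops 2 it never sees a BPDU with hops left and silently stops taking part in the calculation; this is the kind of "why is that switch not in my region" symptom worth checking against `display stp region-configuration` before suspecting a link fault.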


2.2.6 Configure the Switching Network Diameter
Any two hosts on the switching network are connected by a specific path carried by a series of switches. Among all such paths, the one passing through the most switches defines the network diameter, expressed as the number of switches passed. You can use the following command to configure the diameter of the switching network. Perform the following configuration in system view.

Table 2-8 Configure the switching network diameter
Operation: Configure the switching network diameter.
Command:   stp bridge-diameter bridgenum
Operation: Restore the default switching network diameter.
Command:   undo stp bridge-diameter

The network diameter is the parameter that specifies the network scale: the larger the diameter, the larger the scale. When you configure the network diameter on a switch, MSTP automatically calculates and sets the Hello Time, Forward Delay and Max Age of the switch to suitable values. Setting the network diameter takes effect on the CIST only and has no effect on the MSTIs. By default, the network diameter is 7 and the three corresponding timers take their default values.

2.2.7 Configure the Time Parameters of a Switch
The switch has three time parameters: Forward Delay, Hello Time, and Max Age. Forward Delay governs the switch's state transition mechanism. The spanning tree is recalculated upon a link fault and its structure changes accordingly. However, the recalculated configuration BPDU cannot be propagated throughout the network immediately, so temporary loops may occur if the new root port and designated ports forward data right after being elected. Therefore the protocol adopts a state transition mechanism: it takes a Forward Delay interval for the root port and designated ports to transit from the learning state to the forwarding state. The Forward Delay guarantees a period during which the new configuration BPDU can be propagated throughout the network. The switch sends Hello packets periodically at the interval specified by Hello Time to check for link faults. Max Age specifies when a configuration BPDU expires; the switch discards expired configuration BPDUs.

You can use the following commands to configure the time parameters of the switch. Perform the following configuration in system view.

Table 2-9 Configure the time parameters of a switch
Operation: Configure Forward Delay on the switch.
Command:   stp timer forward-delay centiseconds
Operation: Restore the default Forward Delay of the switch.
Command:   undo stp timer forward-delay
Operation: Configure Hello Time on the switch.
Command:   stp timer hello centiseconds
Operation: Restore the default Hello Time of the switch.
Command:   undo stp timer hello
Operation: Configure Max Age on the switch.
Command:   stp timer max-age centiseconds
Operation: Restore the default Max Age of the switch.
Command:   undo stp timer max-age

Every switch on the switching network adopts the values of the time parameters configured on the root switch of the CIST.

Caution: The Forward Delay configured on a switch depends on the switching network diameter. Generally, the Forward Delay should be longer when the network diameter is larger. Note that too short a Forward Delay may temporarily introduce redundant routes, while too long a Forward Delay prolongs the recovery of network connectivity. The default value is recommended. A suitable Hello Time lets the switch detect link faults on the network while occupying moderate network resources. The default value is recommended. If you set too long a Hello Time, then when a packet is dropped over a link the switch may treat it as a link fault and the network devices recalculate the spanning tree accordingly. With too short a Hello Time, the switch sends configuration BPDUs frequently, which adds to its burden and wastes network resources. Too short a Max Age may cause the network devices to calculate the spanning tree frequently and mistake congestion for a link fault. If the Max Age is too long, the network devices may fail to discover a link fault and recalculate the spanning tree in time, which weakens the auto-adaptation capacity of the network. The default value is recommended.

To avoid frequent network flapping, the values of Hello Time, Forward Delay and Max Age must satisfy the following inequalities:

    2 * (Forward Delay - 1.0 seconds) >= Max Age
    Max Age >= 2 * (Hello Time + 1.0 seconds)

It is recommended to use the stp root primary command to specify the network diameter and Hello Time of the switching network, so that MSTP automatically calculates suitable values for the timers.


By default, Forward Delay is 15 seconds, Hello Time is 2 seconds, and Max Age is 20 seconds.
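Because the stp timer commands take centiseconds while the two consistency rules above are stated in seconds, it is easy to push a combination that breaks them. The following added example (written for this page, not the switch's own validation) checks a proposed set of timers against the manual's two inequalities and, as a derived convenience, rearranges them into the Max Age window that a given Forward Delay and Hello Time permit.

```python
DEFAULT_FORWARD_DELAY_CS = 1500  # 15 s, the manual's default
DEFAULT_HELLO_CS = 200           # 2 s
DEFAULT_MAX_AGE_CS = 2000        # 20 s


def timer_violations(forward_delay_cs: int, hello_cs: int, max_age_cs: int) -> list:
    """Return the manual's consistency rules that the given timers break.

    Inputs are in centiseconds, as the 'stp timer' commands take them; the
    rules themselves are expressed in seconds:
        2 * (Forward Delay - 1 s) >= Max Age
        Max Age >= 2 * (Hello Time + 1 s)
    An empty list means the combination is acceptable.
    """
    fd, hello, max_age = (v / 100 for v in (forward_delay_cs, hello_cs, max_age_cs))
    problems = []
    lhs = 2 * (fd - 1.0)
    if lhs < max_age:
        problems.append(
            f"2 * (forward-delay {fd:g}s - 1s) = {lhs:g}s is below max-age {max_age:g}s")
    rhs = 2 * (hello + 1.0)
    if max_age < rhs:
        problems.append(
            f"max-age {max_age:g}s is below 2 * (hello {hello:g}s + 1s) = {rhs:g}s")
    return problems


def timers_consistent(forward_delay_cs: int = DEFAULT_FORWARD_DELAY_CS,
                      hello_cs: int = DEFAULT_HELLO_CS,
                      max_age_cs: int = DEFAULT_MAX_AGE_CS) -> bool:
    """True when the three timers satisfy both rules (defaults from the manual)."""
    return not timer_violations(forward_delay_cs, hello_cs, max_age_cs)


def max_age_bounds(forward_delay_cs: int, hello_cs: int) -> tuple:
    """(lowest, highest) Max Age in centiseconds compatible with the other two
    timers, obtained by rearranging the two rules. If lowest > highest, no Max
    Age can make that Forward Delay / Hello Time pair consistent."""
    lowest = 2 * (hello_cs + 100)
    highest = 2 * (forward_delay_cs - 100)
    return lowest, highest


if __name__ == "__main__":
    print("defaults consistent:", timers_consistent())
    for fd, hello, ma in ((1500, 1000, 2000), (1000, 200, 2000), (1000, 1000, 2000)):
        print(f"forward-delay {fd} hello {hello} max-age {ma}:",
              timer_violations(fd, hello, ma) or "ok")
    print("max-age window for defaults (cs):", max_age_bounds(1500, 200))
```

The defaults (15 s, 2 s, 20 s) pass both rules with room to spare; a Hello Time of 10 s with the default Max Age fails the second rule, and a Forward Delay of 10 s with the default Max Age fails the first, which is exactly the flapping risk the caution above describes.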

2.2.8 Configure the Max Transmission Speed on a Port
The max transmission speed on a port specifies how many MSTP packets can be transmitted via the port in every Hello Time. The max transmission speed of a port is limited by the physical state of the port and the network structure, and you can configure it according to the network conditions. You can configure the max transmission speed on a port in the following ways.

I. Configure in system view
Perform the following configuration in system view.

Table 2-10 Configure the max transmission speed on a port
Operation: Configure the max transmission speed on a port.
Command:   stp interface interface-list transit-limit packetnum
Operation: Restore the default max transmission speed on a port.
Command:   undo stp interface interface-list transit-limit

II. Configure in Ethernet port view
Perform the following configuration in Ethernet port view.

Table 2-11 Configure the max transmission speed on a port
Operation: Configure the max transmission speed on a port.
Command:   stp transit-limit packetnum
Operation: Restore the default max transmission speed on a port.
Command:   undo stp transit-limit

You can configure the max transmission speed on a port with either of the above-mentioned methods. For more about the commands, refer to the Command Manual. This parameter is a relative value without units. If it is set too large, too many packets are transmitted during every Hello Time and too many network resources are occupied. The default value is recommended. By default, the max transmission speed on every Ethernet port of the switch is 3.


2.2.9 Configure a Port as an Edge Port
An edge port is a port that is neither directly connected to any switch nor indirectly connected to a switch through the network attached to it. You can configure a port as an edge port or a non-edge port in the following ways.

I. Configure in system view
Perform the following configuration in system view.

Table 2-12 Configure a port as an edge port or a non-edge port
Operation: Configure a port as an edge port.
Command:   stp interface interface-list edged-port enable
Operation: Configure a port as a non-edge port.
Command:   stp interface interface-list edged-port disable
Operation: Restore the default setting (non-edge port) of the port.
Command:   undo stp interface interface-list edged-port

II. Configure in Ethernet port view
Perform the following configuration in Ethernet port view.

Table 2-13 Configure a port as an edge port or a non-edge port
Operation: Configure a port as an edge port.
Command:   stp edged-port enable
Operation: Configure a port as a non-edge port.
Command:   stp edged-port disable
Operation: Restore the default setting (non-edge port) of the port.
Command:   undo stp edged-port

You can configure a port as an edge port or a non-edge port with either of the above-mentioned methods. For more about the commands, refer to the Command Manual. Once configured as an edge port, a port can transit quickly from the blocking state to the forwarding state without any delay. If BPDU protection is not enabled on the switch, a configured edge port turns into a non-edge port again when it receives a BPDU. If BPDU protection is enabled, the port is disabled instead. This parameter takes effect on all STIs: if a port is configured as an edge port or a non-edge port, it is configured the same way on every STI. It is better to configure BPDU protection on edge ports, so as to prevent the switch from being attacked. Until BPDU protection is enabled on the switch, a port runs as a non-edge port when it receives a BPDU, even if you have set it as an edge port.


By default, all the Ethernet ports of the switch have been configured as non-edge ports.

Note: It is better to configure a port directly connected to a terminal as an edge port and to enable BPDU protection on the switch. This achieves fast state transition and prevents the switch from being attacked.

2.2.10 Configure the Path Cost of a Port
Path Cost is related to the speed of the link connected to the port. On the MSTP switch, a port can be configured with different path costs for different STIs. Thus the traffic from different VLANs can run over different physical links, thereby implementing the VLAN-based load-balancing. You can configure the path cost of a port in the following ways.

I. Configure in system view
Perform the following configuration in system view.

Table 2-14 Configure the Path Cost of a port
Operation: Configure the Path Cost of a port.
Command:   stp interface interface-list [ instance instance-id ] cost cost
Operation: Restore the default Path Cost of a port.
Command:   undo stp interface interface-list [ instance instance-id ] cost

II. Configure in Ethernet port view
Perform the following configuration in Ethernet port view.

Table 2-15 Configure the Path Cost of a port
Operation: Configure the Path Cost of a port.
Command:   stp [ instance instance-id ] cost cost
Operation: Restore the default Path Cost of a port.
Command:   undo stp [ instance instance-id ] cost

You can configure the path cost of a port with either of the above-mentioned methods. For more about the commands, refer to the Command Manual. When the path cost of a port changes, MSTP recalculates the port role and transits the port state. When instance-id is 0, the path cost is set on the CIST. By default, MSTP calculates the port path cost automatically.

2.2.11 Configure the Priority of a Port
In the spanning tree calculation, the port priority is an important factor in determining whether a port is elected as the root port. With other things being equal, the port with the highest priority (the smallest priority value) is elected as the root port. On an MSTP switch, a port can have different priorities in different STIs and accordingly play different roles in each. Thus the traffic of different VLANs can run over different physical links, thereby implementing VLAN-based load balancing. You can configure the port priority in the following ways.

I. Configure in system view
Perform the following configuration in system view.

Table 2-16 Configure the port priority
Operation: Configure the port priority.
Command:   stp interface interface-list [ instance instance-id ] port priority priority
Operation: Restore the default port priority.
Command:   undo stp interface interface-list [ instance instance-id ] port priority

II. Configure in Ethernet port view
Perform the following configuration in Ethernet port view.

Table 2-17 Configure the port priority
Operation: Configure the port priority.
Command:   stp [ instance instance-id ] port priority priority
Operation: Restore the default port priority.
Command:   undo stp [ instance instance-id ] port priority

You can configure the port priority with either of the above-mentioned methods. For more about the commands, refer to the Command Manual. When the port priority changes, MSTP recalculates the port role and transits the port state. A smaller value represents a higher priority. If all the Ethernet ports of a switch are configured with the same priority value, the ports are differentiated by their index numbers. A change of Ethernet port priority leads to spanning tree recalculation, so configure the port priority according to the actual networking requirements. By default, the priority of all Ethernet ports is 128.
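The per-instance path cost of 2.2.10 and the per-instance port priority of this section decide which of a switch's ports becomes its root port in each STI, and that is what makes VLAN-based load balancing possible. The following added example (written for this page, not Huawei code) ranks a switch's ports the way the root port election does, with two constructed uplinks costed so that instance 1 and instance 2 prefer different links, and a constructed shared-segment case where only the local port priority and index separate the candidates. The two intermediate tie-breakers (the designated bridge ID and designated port ID received in the BPDU) come from IEEE 802.1D/802.1Q rather than from this page; all values are sample data.

```python
from dataclasses import dataclass, field


@dataclass
class PortInfo:
    """One port of the local switch plus the BPDU last received on it.

    Local fields are per instance (instance-id -> value), mirroring
    'stp [ instance id ] cost' and 'stp [ instance id ] port priority'.
    Received fields are what the upstream designated bridge advertised.
    """
    index: int
    path_cost: dict                                   # instance-id -> port path cost
    port_priority: dict = field(default_factory=dict)  # instance-id -> priority (default 128)
    received_root_path_cost: int = 0                  # neighbour's cost to the root
    received_bridge_id: tuple = (32768, 0)            # (priority, MAC value) of the neighbour
    received_port_id: tuple = (128, 1)                # (priority, index) of the neighbour's port

    def priority_for(self, instance: int) -> int:
        return self.port_priority.get(instance, 128)   # manual default is 128


def root_port_key(port: PortInfo, instance: int) -> tuple:
    """Lower tuple wins. Root path cost through this port is compared first;
    the received bridge/port IDs separate different neighbours (802.1D/Q order,
    assumed here); the local port's own (priority, index) decides last, which
    is the case the manual's 'differentiated by the index number' describes."""
    return (
        port.received_root_path_cost + port.path_cost[instance],
        port.received_bridge_id,
        port.received_port_id,
        port.priority_for(instance),
        port.index,
    )


def choose_root_port(ports: list, instance: int) -> int:
    """Index of the port elected as root port for the given instance."""
    return min(ports, key=lambda p: root_port_key(p, instance)).index


ROOT_ID = (0, 0xE0FC000001)  # constructed: bridge ID of the instance's root

# Two uplinks to the root, costed so that instance 1 prefers port 1 and
# instance 2 prefers port 2 (VLAN-based load balancing as in 2.2.10).
LOAD_BALANCED_UPLINKS = [
    PortInfo(1, path_cost={1: 20, 2: 200}, received_bridge_id=ROOT_ID, received_port_id=(128, 1)),
    PortInfo(2, path_cost={1: 200, 2: 20}, received_bridge_id=ROOT_ID, received_port_id=(128, 2)),
]

# Two local ports that see the very same designated port (e.g. both attached to
# one shared segment): only the local port priority, then the index, decides.
SHARED_SEGMENT = [
    PortInfo(3, path_cost={0: 20}, port_priority={0: 128}),
    PortInfo(4, path_cost={0: 20}, port_priority={0: 64}),
]

if __name__ == "__main__":
    for inst in (1, 2):
        print(f"instance {inst}: root port = {choose_root_port(LOAD_BALANCED_UPLINKS, inst)}")
    print("shared segment, CIST: root port =", choose_root_port(SHARED_SEGMENT, 0))
```

Note the ordering: port priority only matters once the root path cost and the received IDs are equal, so lowering a port's priority does not pull the root port onto a more expensive link. To move instance traffic between links, adjust the per-instance cost as in 2.2.10.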


2.2.12 Configure the Port (not) to Connect with the Point-to-Point Link
The point-to-point link directly connects two switches. You can configure the port (not) to connect with the point-to-point link in the following ways.

I. Configure in system view
Perform the following configuration in system view.

Table 2-18 Configure the port (not) to connect with the point-to-point link
Operation: Configure the port to connect with the point-to-point link.
Command:   stp interface interface-list point-to-point force-true
Operation: Configure the port not to connect with the point-to-point link.
Command:   stp interface interface-list point-to-point force-false
Operation: Configure MSTP to automatically detect whether the port is directly connected with the point-to-point link.
Command:   stp interface interface-list point-to-point auto
Operation: Restore the default (MSTP automatically detects whether the port is directly connected with the point-to-point link).
Command:   undo stp interface interface-list point-to-point

II. Configure in Ethernet port view
Perform the following configuration in Ethernet port view.

Table 2-19 Configure the port (not) to connect with the point-to-point link
Operation: Configure the port to connect with the point-to-point link.
Command:   stp point-to-point force-true
Operation: Configure the port not to connect with the point-to-point link.
Command:   stp point-to-point force-false
Operation: Configure MSTP to automatically detect whether the port is directly connected with the point-to-point link.
Command:   stp point-to-point auto
Operation: Restore the default (MSTP automatically detects whether the port is directly connected with the point-to-point link).
Command:   undo stp point-to-point

You can configure the port (not) to connect with the point-to-point link with either of the above-mentioned methods. For more about the commands, refer to the Command Manual. Once the port-role conditions are met, ports connected with a point-to-point link can transit to the forwarding state quickly by exchanging synchronization packets, thereby avoiding unnecessary forwarding delay. If the parameter is configured as auto, MSTP automatically detects whether the current Ethernet port is connected with a point-to-point link.


Note: For a link aggregation, only the master port can be configured to connect with the point-to-point link. If a port in auto-negotiation mode operates in full-duplex mode upon negotiation, it can be configured to connect with the point-to-point link.

This configuration takes effect on the CIST and all the MSTIs: whether a port is set to connect with the point-to-point link applies to all the STIs to which the port belongs. Note that a temporary loop may be introduced if you force a port that is not physically connected with a point-to-point link to be treated as connected to one. By default, the parameter is configured as auto.

2.2.13 Configure the mCheck Variable of a Port
A port of an MSTP switch operates in either STP-compatible or MSTP mode. If a port of an MSTP switch on a switching network is connected to an STP switch, the port automatically transits to STP-compatible mode. However, the port then stays in STP-compatible mode and cannot automatically transit back to MSTP mode when the STP switch is removed. In this case, you can perform the mCheck operation to force the port back to MSTP mode. You can use the following methods to perform the mCheck operation on a port.

I. Configure in system view
Perform the following configuration in system view.

Table 2-20 Configure the mCheck variable of a port
Operation: Perform the mCheck operation on a port.
Command:   stp interface interface-list mcheck

II. Configure in Ethernet port view
Perform the following configuration in Ethernet port view.

Table 2-21 Configure the mCheck variable of a port
Operation: Perform the mCheck operation on a port.
Command:   stp mcheck


You can configure the mCheck variable on a port with either of the above-mentioned methods. For more about the commands, refer to the Command Manual. Note that the command can be used only if the switch runs in MSTP mode; it has no effect when the switch runs in STP-compatible mode.

2.2.14 Configure the Switch Security Function
An MSTP switch provides the BPDU protection and Root protection functions.

On an access device, an access port is generally connected directly to a user terminal (e.g., a PC) or a file server, and is set as an edge port to implement fast transition. When such a port receives a BPDU packet, the system automatically sets it as a non-edge port and recalculates the spanning tree, which causes network topology flapping. Normally these ports never receive STP BPDUs; if someone forges BPDUs to attack the switch, the network flaps. BPDU protection is used against this kind of attack.

The primary and secondary root switches of a spanning tree, especially those of the CIST, should be located in the same region, because in a network design the primary and secondary roots of the CIST are generally placed in the core region, which has high bandwidth. Through a configuration error or a malicious attack, the legal primary root may receive a BPDU with a higher priority and lose its place, which causes erroneous network topology changes. Due to such an illegal change, traffic that should travel over the high-speed link may be pulled onto a low-speed link and congestion occurs on the network. Root protection is used against this problem.

The root port and other blocked ports maintain their state according to the BPDUs sent by the uplink switch. If the link is blocked or faulty, these ports no longer receive BPDUs and the switch selects its root port again. In that case the former root port becomes a designated port and the former blocked ports enter the forwarding state, so a loop may be generated. Loop protection controls the generation of such loops: after it is enabled, the root port cannot be changed, and a blocked port stays in the "Discarding" state and does not forward packets, thus avoiding the loop.

You can use the following commands to configure the security functions of the switch. Perform the following configuration in the corresponding configuration views.


Table 2-22 Configure the switch security function
Operation: Configure switch BPDU protection (from system view).
Command:   stp bpdu-protection
Operation: Restore the default (BPDU protection disabled) (from system view).
Command:   undo stp bpdu-protection
Operation: Configure switch Root protection (from system view).
Command:   stp interface interface-list root-protection
Operation: Restore the default (Root protection disabled) (from system view).
Command:   undo stp interface interface-list root-protection
Operation: Configure switch Root protection (from Ethernet port view).
Command:   stp root-protection
Operation: Restore the default (Root protection disabled) (from Ethernet port view).
Command:   undo stp root-protection
Operation: Configure the switch loop protection function (from Ethernet port view).
Command:   stp loop-protection
Operation: Restore the default (loop protection disabled) (from Ethernet port view).
Command:   undo stp loop-protection

After BPDU protection is configured, when an edge port receives a BPDU the switch disables that port through MSTP and notifies the network manager at the same time. Such ports can be resumed only by the network manager.

A port configured with Root protection only plays the role of designated port on every instance. Whenever such a port receives a higher-priority BPDU, that is, when it is about to become a non-designated port, it is set to the listening state and stops forwarding packets (as if the link to the port were disconnected). If the port receives no further higher-priority BPDU for a certain period of time, it resumes its normal state.

When configuring a port, only one of loop protection, Root protection and edge port configuration can be effective at the same moment.

By default, the switch enables neither BPDU protection nor Root protection. For more about the configuration commands, refer to the Command Manual.
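The two protection behaviours described above form a small state machine, and it is worth seeing them side by side from the operator's point of view: which events produce a manager notification, which ports recover by themselves, and which need manual intervention. The following is an added example written for this page, not the switch's implementation; the port names are constructed, the recovery interval for a root-protected port is an assumed value because the manual only says "a certain period of time", and the mutual exclusion of edge port, Root protection and loop protection is enforced at configuration time as the manual states.

```python
from dataclasses import dataclass, field

# The manual only says a root-protected port resumes after "a certain period of
# time" without superior BPDUs; 30 s is an assumed value for this example.
ROOT_PROTECTION_RECOVERY_S = 30.0


@dataclass
class Port:
    name: str
    edge: bool = False             # stp edged-port enable
    root_protection: bool = False  # stp root-protection
    loop_protection: bool = False  # stp loop-protection
    state: str = "forwarding"      # forwarding | listening | disabled
    protected_until: float = 0.0   # root protection: earliest time to resume


def config_conflict(port: Port) -> bool:
    """Only one of edge port, Root protection and loop protection may be
    effective on a port at the same time (manual, 2.2.14)."""
    return sum([port.edge, port.root_protection, port.loop_protection]) > 1


@dataclass
class Switch:
    bpdu_protection: bool = False  # stp bpdu-protection (system view)
    ports: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)  # notifications to the network manager

    def add(self, port: Port) -> Port:
        if config_conflict(port):
            raise ValueError(f"{port.name}: edge port, Root protection and loop "
                             f"protection are mutually exclusive")
        self.ports[port.name] = port
        return port


def receive_bpdu(sw: Switch, port_name: str, superior: bool, now: float) -> str:
    """Apply the BPDU-protection and Root-protection rules to one received BPDU.
    `superior` means the BPDU carries a higher priority than the information
    the port currently holds. Returns the action taken, for logging."""
    p = sw.ports[port_name]
    if p.state == "disabled":
        return "ignored: port disabled"
    if p.edge:
        if sw.bpdu_protection:
            # A BPDU on an edge port should never happen: shut the port and
            # tell the manager; nothing but the manager brings it back.
            p.state = "disabled"
            sw.alerts.append(f"{port_name}: BPDU received on edge port, port disabled")
            return "disabled"
        # Without BPDU protection the port silently becomes a non-edge port and
        # the spanning tree is recalculated (the topology flap the manual warns of).
        p.edge = False
        return "edge -> non-edge"
    if p.root_protection and superior:
        # A root-protected port must stay designated: stop forwarding instead.
        p.state = "listening"
        p.protected_until = now + ROOT_PROTECTION_RECOVERY_S
        return "root-protection: listening"
    return "processed normally"


def tick(sw: Switch, now: float) -> list:
    """Resume root-protected ports that have been quiet long enough.
    Ports disabled by BPDU protection are never resumed here."""
    resumed = []
    for p in sw.ports.values():
        if p.state == "listening" and p.root_protection and now >= p.protected_until:
            p.state = "forwarding"
            resumed.append(p.name)
    return resumed


def manager_resume(sw: Switch, port_name: str) -> bool:
    """Manual re-enable of a port shut by BPDU protection; True if it was disabled."""
    p = sw.ports[port_name]
    if p.state != "disabled":
        return False
    p.state = "forwarding"
    return True


if __name__ == "__main__":
    sw = Switch(bpdu_protection=True)
    sw.add(Port("Ethernet0/1", edge=True))          # constructed port names
    sw.add(Port("GigabitEthernet1/1", root_protection=True))
    print(receive_bpdu(sw, "Ethernet0/1", superior=False, now=0.0), sw.alerts)
    print(receive_bpdu(sw, "GigabitEthernet1/1", superior=True, now=10.0))
    print("resumed at t=40:", tick(sw, 40.0))
```

From a monitoring standpoint the asymmetry matters: a Root-protection event clears itself once the superior BPDUs stop, so it shows up as a transient, while a BPDU-protection event leaves the port down until someone acts on the alert, which is the right outcome for a port that should never have seen a BPDU in the first place.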

2.2.15 Enable MSTP on the Device
You can use the following command to enable MSTP on the device. Perform the following configuration in system view.

Table 2-23 Enable/Disable MSTP on a device
Operation: Enable MSTP on a device.
Command:   stp enable
Operation: Disable MSTP on a device.
Command:   stp disable
Operation: Restore the default state (MSTP disabled).
Command:   undo stp

Only if MSTP has been enabled on the device will other MSTP configurations take effect.

By default, MSTP is disabled.

2.2.16 Enable/Disable MSTP on a Port
You can use the following command to enable/disable MSTP on a port. You may disable MSTP on some Ethernet ports of a switch to spare them from spanning tree calculation. This is a measure to flexibly control MSTP operation and save the CPU resources of the switch. MSTP can be enabled/disabled on a port through the following ways.

I. Configure in system view
Perform the following configuration in system view.

Table 2-24 Enable/Disable MSTP on a port
Operation: Enable MSTP on a port.
Command:   stp interface interface-list enable
Operation: Disable MSTP on a port.
Command:   stp interface interface-list disable
Operation: Restore the default MSTP state on the port.
Command:   undo stp interface interface-list

II. Configure in Ethernet port view
Perform the following configuration in Ethernet port view.

Table 2-25 Enable/Disable MSTP on a port
Operation: Enable MSTP on a port.
Command:   stp enable
Operation: Disable MSTP on a port.
Command:   stp disable
Operation: Restore the default MSTP state on the port.
Command:   undo stp

You can enable/disable MSTP on a port with either of the above-mentioned methods. For more about the commands, refer to the Command Manual. Note that redundant routes (loops) may be generated after MSTP is disabled on a port. By default, MSTP is enabled on all ports once it is enabled on the device.

2.3 Display and Debug MSTP
After the above configuration, execute the display command in any view to display the running MSTP configuration and verify the effect of the configuration. Execute the reset command in user view to clear the statistics of the MSTP module. Execute the debugging command in user view to debug the MSTP module.

Table 2-26 Display and Debug MSTP
Operation: Show the configuration information about the current port and the switch.
Command:   display stp [ instance instance-id ] [ interface interface-list | slot slot-num ] [ brief ]
Operation: Show the configuration information about the region.
Command:   display stp region-configuration
Operation: Clear the MSTP statistics information.
Command:   reset stp [ interface interface-list ]
Operation: Enable/Disable MSTP (packet receiving/transmitting, event, error) debugging on the port.
Command:   [ undo ] debugging stp [ interface interface-list ] { packet | event }
Operation: Enable/Disable the global MSTP debugging.
Command:   [ undo ] debugging stp { global-event | global-error | all }
Operation: Enable/Disable debugging of the specified STI.
Command:   [ undo ] debugging stp instance instance-id

HUAWEI

Quidway S3500 Series Ethernet Switches Operation Manual

10. Security

Operation Manual - Security Quidway S3500 Series Ethernet Switches

Table of Contents

Chapter 1 802.1x Configuration ..... 1-1
1.1 802.1x Overview ..... 1-1
1.1.1 802.1x Standard Overview ..... 1-1
1.1.2 802.1x System Architecture ..... 1-1
1.1.3 802.1x Authentication Process ..... 1-2
1.1.4 Implement 802.1x on Ethernet Switch ..... 1-3
1.2 Configure 802.1x ..... 1-3
1.2.1 Enable/Disable 802.1x ..... 1-4
1.2.2 Set the Port Access Control Mode ..... 1-4
1.2.3 Set Port Access Control Method ..... 1-5
1.2.4 Check the Users that Log on the Switch via Proxy ..... 1-5
1.2.5 Set Supplicant Number on a Port ..... 1-6
1.2.6 Set to Enable DHCP to Launch Authentication ..... 1-6
1.2.7 Configure Authentication Method for 802.1x User ..... 1-6
1.2.8 Set the Maximum Times of Authentication Request Message Retransmission ..... 1-7
1.2.9 Set the Handshake Period of 802.1x ..... 1-7
1.2.10 Configure Timers ..... 1-8
1.2.11 Enable/Disable quiet-period Timer ..... 1-9
1.3 Display and Debug 802.1x ..... 1-9
1.4 802.1x Configuration Example ..... 1-9
Chapter 2 AAA and RADIUS Protocol Configuration ..... 2-1
2.1 AAA and RADIUS Protocol Overview ..... 2-1
2.1.1 AAA Overview ..... 2-1
2.1.2 RADIUS Protocol Overview ..... 2-1
2.1.3 Implement AAA/RADIUS on Ethernet Switch ..... 2-2
2.2 Configure AAA ..... 2-3
2.2.1 Create/Delete ISP Domain ..... 2-3
2.2.2 Configure Relevant Attributes of ISP Domain ..... 2-4
2.2.3 Create a Local User ..... 2-5
2.2.4 Set Attributes of Local User ..... 2-5
2.2.5 Disconnect a User by Force ..... 2-6
2.3 Configure RADIUS Protocol ..... 2-7
2.3.1 Create/Delete a RADIUS Server Group ..... 2-7
2.3.2 Set IP Address and Port Number of RADIUS Server ..... 2-8
2.3.3 Set RADIUS Packet Encryption Key ..... 2-9
2.3.4 Set Response Timeout Timer of RADIUS Server ..... 2-10
2.3.5 Set Retransmission Times of RADIUS Request Packet ..... 2-10

i

Operation Manual - Security Quidway S3500 Series Ethernet Switches

Table of Contents

2.3.6 Set a Real-time Accounting Interval...................................................................... 2-10 2.3.7 Set Maximum Times of Real-time Accounting Request Failing to be Responded 2-11 2.3.8 Enable/Disable Stopping Accounting Request Buffer........................................... 2-12 2.3.9 Set the Maximum Retransmitting Times of Stopping Accounting Request .......... 2-12 2.3.10 Set the Supported Type of RADIUS Server........................................................ 2-13 2.3.11 Set RADIUS Server State ................................................................................... 2-13 2.3.12 Set Username Format Transmitted to RADIUS Server ...................................... 2-14 2.3.13 Set the Unit of Data Flow that Transmitted to RADIUS Server........................... 2-14 2.3.14 Configure Local RADIUS Server Group.............................................................. 2-15 2.4 Display and Debug AAA and RADIUS Protocol .............................................................. 2-15 2.5 AAA and RADIUS Protocol Configuration Examples ...................................................... 2-16 2.5.1 Configuring FTP/Telnet User Authentication at Remote RADIUS Server ............ 2-16 2.5.2 Configuring FTP/Telnet User Authentication at Local RADIUS Server ................ 2-18 2.6 AAA and RADIUS Protocol Fault Diagnosis and Troubleshooting.................................. 2-18 Chapter 3 HABP Configuration .................................................................................................... 3-1 3.1 HABP Overview ................................................................................................................. 3-1 3.2 HABP configuration ........................................................................................................... 3-1 3.2.1 Configuring HABP Server ....................................................................................... 
3-1 3.2.2 Configuring HABP Client......................................................................................... 3-2 3.3 Displaying and Debugging HABP Attribute ....................................................................... 3-2 Chapter 4 System-guard Configuration ...................................................................................... 4-1 4.1 System-guard Overview .................................................................................................... 4-1 4.2 System-guard Configuration .............................................................................................. 4-1 4.2.1 Enable system-guard function................................................................................. 4-1 4.2.2 Set the max detection count of the affected hosts .................................................. 4-2 4.2.3 Set parameters of address learning ........................................................................ 4-2 4.3 Display and Debug System-guard ..................................................................................... 4-3

ii


Chapter 1 802.1x Configuration
1.1 802.1x Overview
1.1.1 802.1x Standard Overview
IEEE 802.1x (hereinafter 802.1x) is a Port Based Network Access Control protocol. IEEE issued it in 2001 and recommended that manufacturers use it as the standard protocol for LAN user access authentication.

802.1x originated from the IEEE 802.11 standard for wireless LAN user access, and its initial purpose was to authenticate wireless LAN users. Because its principle applies to any LAN complying with the IEEE 802 standards, the protocol is now widely used in wired LANs.

In a LAN complying with the IEEE 802 standards, a user can access the devices and share the resources in the LAN simply by connecting to a LAN access control device such as a LAN switch. In telecom access, commercial LANs (a typical example is the LAN in an office building), mobile office and similar scenarios, however, the LAN provider generally wants to control user access. This is where the requirement for "Port Based Network Access Control" comes from.

As the name implies, "Port Based Network Access Control" means that every device attached to a port of the LAN access control device is authenticated and controlled at that port. If the device connected to the port passes authentication, the user can access the resources in the LAN; otherwise the user cannot, which is equivalent to being physically disconnected.

802.1x defines a port based network access control protocol and only defines the point-to-point connection between the access device and the access port. The port can be either physical or logical. Typical environments are a LAN switch on which each physical port connects to exactly one user workstation (control based on the physical port), and the wireless LAN access environment defined by IEEE 802.11 (control based on a logical port).

1.1.2 802.1x System Architecture
A system using 802.1x has the typical Client/Server (C/S) architecture. It contains three entities, illustrated in the following figure: the Supplicant System, the Authenticator System and the Authentication Server System.


The LAN access control device provides the 802.1x Authenticator System. User-side devices such as computers must run 802.1x client (Supplicant) software, for example the 802.1x client provided by Huawei Technologies Co., Ltd. or the one built into Microsoft Windows XP. The 802.1x Authentication Server System normally resides in the carrier's AAA center.

The Supplicant and the Authenticator exchange EAPoL (Extensible Authentication Protocol over LANs) frames, defined by IEEE 802.1x. The Authenticator and the Authentication Server exchange EAP (Extensible Authentication Protocol) messages: the authentication data is carried in EAP packets, which the Authenticator re-encapsulates in the packets of an upper layer AAA protocol (for example RADIUS) so that they can cross a complex network and reach the Authentication Server. This procedure is called EAP Relay.

The Authenticator has two kinds of ports. The Uncontrolled Port is always open in both directions; it is the path through which EAPoL authentication frames pass regardless of the port's authorization state. The Controlled Port enters the connected state only after the user passes authentication; only then is the user allowed to access the network resources.
Figure 1-1 802.1x system architecture
(Supplicant System: Supplicant. Authenticator System: Authenticator PAE with a Controlled Port, shown in the unauthorized state, and an Uncontrolled Port, in front of the services offered by the Authenticator's system. Authentication Server System: Authentication Server. EAPoL is exchanged over the LAN between Supplicant and Authenticator; EAP exchanges between Authenticator and Authentication Server are carried in a higher layer protocol.)

1.1.3 802.1x Authentication Process
802.1x uses EAPoL frames to carry the authentication information. The standard defines the following EAPoL packet types:
- EAP-Packet: authentication information frame, carrying an EAP packet.
- EAPoL-Start: authentication originating frame, actively sent by the Supplicant to start authentication.
- EAPoL-Logoff: logoff request frame, sent by the Supplicant to actively terminate the authenticated state.
- EAPoL-Key: key information frame, supporting the encryption of EAP packets.
- EAPoL-Encapsulated-ASF-Alert: carries the alerting messages of the Alert Standard Forum (ASF).

EAPoL-Start, EAPoL-Logoff and EAPoL-Key frames exist only between the Supplicant and the Authenticator. EAP-Packet frames are re-encapsulated by the Authenticator System and relayed to the Authentication Server System. EAPoL-Encapsulated-ASF-Alert frames carry network management information and are terminated by the Authenticator.

From the above it can be seen that 802.1x provides a framework for authenticating user identity, but 802.1x by itself is not enough to implement the scheme. The administrator of the access device must also configure an AAA scheme, selecting RADIUS or local authentication, to complete user identity authentication. For a detailed description of AAA, refer to the AAA and RADIUS Protocol Configuration chapter.
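To make the packet types concrete, the following Python code builds and parses EAPoL frames and classifies each type the way the Authenticator does in the paragraph above. It is an example added here; it is not from the Quidway manual or the switch software. It encodes the IEEE 802.1X-2001 frame layout (PAE group address 01-80-C2-00-00-03, EtherType 0x888E) and rejects truncated frames instead of trusting the length field. The supplicant MAC address and the user name are constructed sample values.

```python
"""Added example (not from the Quidway manual): build, parse and classify
IEEE 802.1X EAPOL frames.

Frame layout (IEEE 802.1X-2001):
  Ethernet: dst(6) src(6) ethertype(2) = 0x888E
  EAPOL:    version(1) type(1) body-length(2) body
  EAP body: code(1) identifier(1) length(2) [type(1) data]
"""
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE multicast address
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 1

# EAPOL packet types (IEEE 802.1X-2001 Table 7-3)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY, EAPOL_ASF_ALERT = 0, 1, 2, 3, 4
EAPOL_TYPE_NAMES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
                    3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}

# EAP codes and the two EAP types that matter for the manual's EAP relay setup
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


def build_eap(code, identifier, eap_type=None, data=b""):
    """Serialise an EAP packet; Success/Failure carry no type byte."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_eapol(src_mac, eapol_type, body=b"", dst_mac=PAE_GROUP_ADDR):
    """Wrap an EAPOL body in an Ethernet frame addressed to the PAE group MAC."""
    header = struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(body))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + header + body


def parse_eap(body):
    """Parse the EAP packet inside an EAP-Packet body."""
    if len(body) < 4:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("bad EAP length")
    eap = {"code": code, "id": identifier}
    if code in (EAP_REQUEST, EAP_RESPONSE) and length >= 5:
        eap["type"] = body[4]
        eap["data"] = body[5:length]
    return eap


def parse_eapol(frame):
    """Parse an Ethernet frame; raise ValueError if it is not well-formed EAPOL."""
    if len(frame) < 18:
        raise ValueError("frame too short for an EAPOL header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame (ethertype 0x%04x)" % ethertype)
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    if ptype not in EAPOL_TYPE_NAMES:
        raise ValueError("unknown EAPOL packet type %d" % ptype)
    body = frame[18:18 + length]
    if len(body) != length:          # truncated frame: never trust the length field
        raise ValueError("EAPOL body truncated (%d of %d bytes)" % (len(body), length))
    parsed = {"dst": dst.hex(), "src": src.hex(), "version": version,
              "type": EAPOL_TYPE_NAMES[ptype], "body": body}
    if ptype == EAPOL_EAP_PACKET:
        parsed["eap"] = parse_eap(body)
    return parsed


def authenticator_action(parsed):
    """What the Authenticator does with each EAPOL type (section 1.1.3)."""
    t = parsed["type"]
    if t == "EAP-Packet":
        return "relay"            # re-encapsulated towards the Authentication Server
    if t in ("EAPOL-Start", "EAPOL-Logoff", "EAPOL-Key"):
        return "handle-locally"   # exists only between Supplicant and Authenticator
    return "terminate"            # ASF alert: management traffic, not forwarded


# Constructed sample exchange: a Supplicant at 00:11:22:33:44:55 sends
# EAPOL-Start and then answers the Identity request with its user name.
SUPPLICANT_MAC = bytes.fromhex("001122334455")
start_frame = build_eapol(SUPPLICANT_MAC, EAPOL_START)
identity_eap = build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"localuser@huawei163.net")
identity_frame = build_eapol(SUPPLICANT_MAC, EAPOL_EAP_PACKET, identity_eap)

if __name__ == "__main__":
    for f in (start_frame, identity_frame):
        p = parse_eapol(f)
        print(p["type"], authenticator_action(p), p.get("eap"))
```

The truncation check matters on the Authenticator side: an EAPOL header whose length field exceeds the bytes actually received must be dropped, not parsed, or the EAP layer reads past the frame.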

1.1.4 Implement 802.1x on Ethernet Switch
Quidway Series Ethernet Switches support the port access authentication method defined by 802.1x and extend and optimize it in the following way: several end stations can be connected downstream of one physical port, and access control (the user authentication method) can be based either on the port or on the MAC address. This makes the system more secure and easier to manage.

1.2 Configure 802.1x
The 802.1x configuration tasks are performed in system view of the Ethernet switch. The 802.1x state of a port can be configured while global 802.1x is disabled; the configured items take effect once 802.1x is enabled globally.

Note:
1) Do not enable 802.1x and RSTP (or MSTP) simultaneously, otherwise the switch may not work normally.
2) When 802.1x is enabled on a port, the maximum number of learned MAC addresses (configured with the mac-address max-mac-count command) cannot be configured on that port, and vice versa.


The main 802.1x configuration tasks are:
- Enable/Disable 802.1x
- Set the port access control mode
- Set the port access control method
- Check the users that log on to the switch via proxy
- Set the maximum number of users on each port
- Enable DHCP to launch authentication
- Configure the authentication method for 802.1x users
- Set the maximum times of authentication request message retransmission
- Set the handshake period of 802.1x
- Configure timers
- Enable/Disable the quiet-period timer
Among these tasks the first one is compulsory, otherwise 802.1x does not take effect. The other tasks are optional and can be performed as required.

1.2.1 Enable/Disable 802.1x
The following commands enable/disable 802.1x on the specified port. When no port is specified in system view, 802.1x is enabled/disabled globally. Perform the following configurations in system view or Ethernet port view.

Table 1-1 Enable/Disable 802.1x
  Operation        Command
  Enable 802.1x    dot1x [ interface interface-list ]
  Disable 802.1x   undo dot1x [ interface interface-list ]

802.1x can be configured on an individual port before it is enabled globally; the port configuration takes effect as soon as 802.1x is enabled globally. By default, 802.1x authentication is disabled both globally and on every port.

1.2.2 Set the Port Access Control Mode
The following commands can be used for setting 802.1x access control mode on the specified port. When no port is specified, the access control mode of all ports is configured. Perform the following configurations in system view or Ethernet port view.


Table 1-2 Set the port access control mode
  Operation                                              Command
  Set the port access control mode                       dot1x port-control { authorized-force | unauthorized-force | auto } [ interface interface-list ]
  Restore the default access control mode of the port    undo dot1x port-control [ interface interface-list ]

By default, the 802.1x access control mode of a port is auto (automatic identification mode, also called protocol control mode). The port starts in the unauthorized state, in which only EAPoL packets are received and transmitted and the user cannot access network resources. Once the authentication flow succeeds, the port switches to the authorized state and the user is allowed to access network resources. This is the most common case. In authorized-force mode the port is always authorized, so any attached station is granted access without authentication; in unauthorized-force mode the port is always unauthorized and no station can be authenticated through it.

1.2.3 Set Port Access Control Method
The following commands set the 802.1x access control method on the specified port. When no port is specified in system view, the access control method is configured globally. Perform the following configurations in system view or Ethernet port view.

Table 1-3 Set port access control method
  Operation                                    Command
  Set the port access control method           dot1x port-method { macbased | portbased } [ interface interface-list ]
  Restore the default port access control method   undo dot1x port-method [ interface interface-list ]

By default, 802.1x authentication method on the port is macbased. That is, authentication is performed based on MAC addresses.
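The choice between the two methods matters when more than one station sits behind a port, for example through a hub or an unmanaged switch. The following Python model, added here as an example and not part of the Quidway manual or the switch software, shows the forwarding decision a Controlled Port makes under each method and under the forced port-control modes of section 1.2.2; the class and the MAC address names are invented for the example.

```python
"""Added example (not from the Quidway manual): model of the Controlled Port
decision under port-based and MAC-based 802.1x access control."""


class ControlledPort:
    def __init__(self, method="macbased", port_control="auto", max_user=256):
        if method not in ("macbased", "portbased"):
            raise ValueError("unknown dot1x port-method %r" % method)
        if port_control not in ("auto", "authorized-force", "unauthorized-force"):
            raise ValueError("unknown dot1x port-control %r" % port_control)
        self.method = method
        self.port_control = port_control
        self.max_user = max_user          # dot1x max-user (default 256 on the S3500)
        self.authorized = set()           # MAC addresses that passed authentication

    def supplicant_authenticated(self, mac):
        """Called when the AAA scheme accepts the supplicant behind this port."""
        if len(self.authorized) >= self.max_user:
            return False                  # dot1x max-user reached: refuse the session
        self.authorized.add(mac)
        return True

    def supplicant_logoff(self, mac):
        """EAPoL-Logoff, handshake failure or idle cut removes the session."""
        self.authorized.discard(mac)

    def forwards(self, src_mac):
        """Would a data frame from src_mac be forwarded through the controlled port?"""
        if self.port_control == "authorized-force":
            return True                   # always authorized, no authentication at all
        if self.port_control == "unauthorized-force":
            return False                  # always unauthorized
        if self.method == "portbased":
            # one successful authentication opens the port for every station on it
            return bool(self.authorized)
        # macbased: every station needs its own successful authentication
        return src_mac in self.authorized


def piggyback_possible(method):
    """Alice authenticates; can Mallory, sharing the same physical port, use the network?"""
    port = ControlledPort(method=method)
    port.supplicant_authenticated("alice-mac")
    return port.forwards("mallory-mac")


if __name__ == "__main__":
    for m in ("portbased", "macbased"):
        print(m, "piggyback possible:", piggyback_possible(m))
```

This is why macbased is the sensible default wherever a port may carry more than one station: with portbased, an unauthenticated station on the same hub rides on the first successful login until that user logs off.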

1.2.4 Check the Users that Log on the Switch via Proxy
The following commands enable or cancel the check for users that log on to the switch via a proxy. Perform the following configurations in system view or Ethernet port view.

Table 1-4 Check the users that log on the switch via proxy
  Operation                                     Command
  Enable the check for access users via proxy   dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
  Cancel the check for access users via proxy   undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]

By default, the proxy check for 802.1x access users is disabled.

1.2.5 Set Supplicant Number on a Port
The following commands set the number of users 802.1x allows on the specified port. When no port is specified, the same limit applies to all ports. Perform the following configurations in system view or Ethernet port view.

Table 1-5 Set maximum number of users via specified port
  Operation                                                      Command
  Set the maximum number of users on the specified port          dot1x max-user user-number [ interface interface-list ]
  Restore the maximum number of users on the port to the default   undo dot1x max-user [ interface interface-list ]

By default, 802.1x allows up to 256 supplicants on each port for S3500 Series Ethernet switches.

1.2.6 Set to Enable DHCP to Launch Authentication
The following commands set whether 802.1x makes the Ethernet switch launch user identity authentication when a user runs DHCP to request a dynamic IP address. Perform the following configurations in system view.

Table 1-6 Set to enable DHCP to launch authentication
  Operation                              Command
  Enable DHCP to launch authentication   dot1x dhcp-launch
  Disable DHCP to launch authentication  undo dot1x dhcp-launch

By default, authentication will not be launched when the user runs DHCP and applies for dynamic IP addresses.

1.2.7 Configure Authentication Method for 802.1x User
The following commands configure the authentication method for 802.1x users. Three methods are available:
- PAP authentication (the RADIUS server must support PAP),
- CHAP authentication (the RADIUS server must support CHAP),
- EAP relay authentication (the switch sends the authentication information to the RADIUS server directly in the form of EAP packets; the RADIUS server must support EAP authentication).
With PAP the user password reaches the RADIUS server in the User-Password attribute, protected only by the RADIUS shared key; with CHAP and EAP MD5-Challenge only a challenge and a hash are sent. Perform the following configurations in system view.

Table 1-7 Configure authentication method for 802.1x user
  Operation                                              Command
  Configure the authentication method for 802.1x users   dot1x authentication-method { chap | pap | eap md5-challenge }
  Restore the default authentication method              undo dot1x authentication-method

By default, CHAP authentication is used for 802.1x user authentication.

1.2.8 Set the Maximum Times of Authentication Request Message Retransmission
The following commands set the maximum number of times the switch retransmits the authentication request message to a supplicant. Perform the following configurations in system view.

Table 1-8 Set the maximum times of the authentication request message retransmission
  Operation                                                              Command
  Set the maximum times of authentication request message retransmission   dot1x retry max-retry-value
  Restore the default maximum retransmission times                       undo dot1x retry

By default, max-retry-value is 3, that is, the switch retransmits the authentication request message to a supplicant at most 3 times.

1.2.9 Set the Handshake Period of 802.1x
The following commands set the 802.1x handshake period. Once the handshake period is set, the switch sends a handshake packet to each online user every handshake-period seconds. If the dot1x retry value is configured as N and the switch receives no response from a user for N consecutive handshakes, it considers the user to have logged off and sets the user to the logoff state. Perform the following configurations in system view.


Table 1-9 Set the handshake period of 802.1x
  Operation                                        Command
  Set the handshake period of 802.1x               dot1x timer handshake-period interval
  Restore the handshake period to the default      undo dot1x timer handshake-period

By default, handshake period is 15s.

1.2.10 Configure Timers
The following commands configure the 802.1x timers. Perform the following configurations in system view.

Table 1-10 Configure timers
  Operation                               Command
  Configure timers                        dot1x timer { quiet-period quiet-period-value | tx-period tx-period-value | supp-timeout supp-timeout-value | server-timeout server-timeout-value }
  Restore the default settings of the timers   undo dot1x timer { quiet-period | tx-period | supp-timeout | server-timeout }

- quiet-period: the quiet timer. If an 802.1x user fails authentication, the Authenticator keeps quiet for the time specified by the quiet-period timer before launching authentication again. During the quiet period the Authenticator does nothing related to 802.1x authentication for that user, which also limits the rate at which an attached station can retry passwords.
- quiet-period-value: length of the quiet period, 10 to 120 seconds.
- server-timeout: the timeout timer of the Authentication Server. If the Authentication Server has not responded when this timer expires, the Authenticator resends the authentication request.
- server-timeout-value: length of the Authentication Server timeout timer, 100 to 300 seconds.
- supp-timeout: the authentication timeout timer of the Supplicant. If the Supplicant has not responded to an authentication request when this timer expires, the Authenticator resends the request.
- supp-timeout-value: length of the Supplicant authentication timeout timer, 10 to 120 seconds.
- tx-period: the transmission timeout timer. If the Supplicant has not responded to the EAP-Request/Identity frame when this timer expires, the Authenticator resends it.
- tx-period-value: length of the transmission timeout timer, 10 to 120 seconds.

By default, quiet-period-value is 60 s, tx-period-value is 30 s, supp-timeout-value is 30 s and server-timeout-value is 100 s.

1.2.11 Enable/Disable quiet-period Timer
The following commands enable/disable the quiet-period timer of an Authenticator (which can be a Quidway Series Ethernet Switch). If an 802.1x user fails authentication, the Authenticator keeps quiet for the time specified by the dot1x timer quiet-period command before launching authentication again. During the quiet period the Authenticator does nothing related to 802.1x authentication. Perform the following configuration in system view.

Table 1-11 Enable/Disable a quiet-period timer
  Operation                        Command
  Enable the quiet-period timer    dot1x quiet-period
  Disable the quiet-period timer   undo dot1x quiet-period

1.3 Display and Debug 802.1x
After the above configuration, execute the display command in any view to display the running state of the 802.1x configuration and verify the effect of the configuration. Execute the reset command in user view to reset the 802.1x statistics. Execute the debugging command in user view to debug the 802.1x module.

Table 1-12 Display and debug 802.1x
  Operation                                                                Command
  Display the configuration, running and statistics information of 802.1x  display dot1x [ sessions | statistics ] [ interface interface-list ]
  Reset the 802.1x statistics information                                  reset dot1x statistics [ interface interface-list ]
  Enable error/event/packet/all debugging of 802.1x                        debugging dot1x { error | event | packet | all }
  Disable error/event/packet/all debugging of 802.1x                       undo debugging dot1x { error | event | packet | all }

1.4 802.1x Configuration Example
I. Networking requirements


As shown in the following figure, a user's workstation is connected to port Ethernet 0/1 of the switch. The switch administrator enables 802.1x on all ports to authenticate supplicants and thereby control their access to the Internet. The access control method is MAC-based.

All supplicants belong to the default domain huawei163.net, which may contain up to 30 users. RADIUS authentication is performed first; if the RADIUS server does not respond, local authentication is performed. For accounting, if the RADIUS server fails to account, the user is disconnected. The domain name is not sent along with the user name. Normally, if the user's traffic stays below the configured idle-cut threshold for 20 minutes, the user is disconnected (the idle cut function is enabled; see the idle-cut command in the configuration procedure).

A server group consisting of two RADIUS servers, 10.11.1.1 and 10.11.1.2, is connected to the switch. The former acts as the primary authentication/secondary accounting server, the latter as the secondary authentication/primary accounting server. The key used when the system exchanges packets with the authentication RADIUS server is "name", and the key used with the accounting RADIUS server is "money". The system retransmits a packet to the RADIUS server if no response is received within 5 seconds, and retransmits at most 5 times in all. The system sends a real-time accounting packet to the RADIUS server every 15 minutes. The system sends the user name to the RADIUS server with the domain name removed.

The local 802.1x access user has user name localuser and password localpass (entered in plain text).

II. Networking diagram

Figure 1-2 Enabling 802.1x and RADIUS to perform AAA on the supplicant
(Supplicant, connected to port E0/1 of the Switch acting as Authenticator; the Switch connects to the Internet and to the Authentication Servers, a RADIUS server cluster with IP addresses 10.11.1.1 and 10.11.1.2.)


III. Configuration procedure

Note: The following examples concern most of the AAA/RADIUS configuration commands. For details, refer to the chapter AAA and RADIUS Protocol Configuration. The configurations of accessing user workstation and the RADIUS server are omitted.

# Enable 802.1x on port Ethernet 0/1.
[Quidway] dot1x interface ethernet 0/1
# Set the port access control method to MAC-based. (Optional: macbased is the default.)
[Quidway] dot1x port-method macbased interface ethernet 0/1
# Create the RADIUS scheme radius1 and enter its view.
[Quidway] radius scheme radius1
# Set the IP addresses of the primary authentication and primary accounting RADIUS servers.
[Quidway-radius-radius1] primary authentication 10.11.1.1
[Quidway-radius-radius1] primary accounting 10.11.1.2
# Set the IP addresses of the secondary authentication and secondary accounting RADIUS servers.
[Quidway-radius-radius1] secondary authentication 10.11.1.2
[Quidway-radius-radius1] secondary accounting 10.11.1.1
# Set the key used when the system exchanges packets with the authentication RADIUS server.
# ("name" and "money" are the example's values; in production use long random keys, since the
# key is all that protects the user password and the validity of server replies.)
[Quidway-radius-radius1] key authentication name
# Set the key used when the system exchanges packets with the accounting RADIUS server.
[Quidway-radius-radius1] key accounting money
# Set the response timeout (seconds) and the retransmission count for RADIUS requests.
[Quidway-radius-radius1] timer 5
[Quidway-radius-radius1] retry 5
# Set the interval (minutes) at which real-time accounting packets are sent to the RADIUS server.
[Quidway-radius-radius1] timer realtime-accounting 15
# Send the user name to the RADIUS server with the domain name removed.
[Quidway-radius-radius1] user-name-format without-domain
[Quidway-radius-radius1] quit
# Create the ISP domain huawei163.net and enter ISP domain view.
[Quidway] domain huawei163.net
# Specify radius1 as the RADIUS scheme for the users in huawei163.net.
[Quidway-isp-huawei163.net] radius-scheme radius1
# Limit the domain huawei163.net to 30 users.
[Quidway-isp-huawei163.net] access-limit enable 30
# Enable the idle cut function for the domain: check period 20 minutes, traffic threshold 2000.
[Quidway-isp-huawei163.net] idle-cut enable 20 2000
# Return to system view.
[Quidway-isp-huawei163.net] quit
# Add a local user for LAN access and set its parameters.
# (password simple stores the password in clear text in the configuration file.)
[Quidway] local-user localuser
[Quidway-luser-localuser] service-type lan-access
[Quidway-luser-localuser] password simple localpass
[Quidway-luser-localuser] quit
# Enable 802.1x globally.
[Quidway] dot1x


Chapter 2 AAA and RADIUS Protocol Configuration
2.1 AAA and RADIUS Protocol Overview
2.1.1 AAA Overview
Authentication, Authorization and Accounting (AAA) provides a uniform framework for configuring these three security functions to implement network security management. The network security mentioned here refers to access control and covers: which users can access the network server, which services an authorized user may use, and how to keep accounts for a user who consumes network resources. Accordingly, AAA provides the following services:
- Authentication: verifies whether a user may access the network server.
- Authorization: grants the user the specified services.
- Accounting: traces the network resources consumed by the user.
AAA generally uses a Client/Server architecture, in which the clients are the managed access points and the servers centralize and store user information. The framework therefore scales well and makes centralized control and management of user information easy.

2.1.2 RADIUS Protocol Overview
As mentioned above, AAA is a management framework; it can be implemented by several protocols, of which RADIUS is the most frequently used.

I. What is RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information exchange protocol with a Client/Server architecture. RADIUS protects the network from unauthorized access and is often used in environments that require both high security and remote user access, for example to manage a large number of scattered dial-in users connected through serial ports and modems.

A RADIUS system is an important auxiliary part of a Network Access Server (NAS). Once RADIUS is in use, when a user wants to access another network or consume network resources through a connection to the NAS (a dial-in access server in a PSTN environment, or an Ethernet switch with access function in an Ethernet environment), the NAS, acting as the RADIUS client, forwards the user's AAA request to the RADIUS server. The RADIUS server holds a user database recording all user authentication and network service access information. On receiving a request from the NAS, the RADIUS server performs AAA by querying and updating the user database and returns configuration information and accounting data to the NAS. The NAS controls the supplicant and its connections, while the RADIUS protocol defines how configuration and accounting information is transmitted between the NAS and the RADIUS server.

The NAS and the RADIUS server exchange information in UDP packets. The two sides share a key: the NAS uses it to hide the user password before sending it to the server, so that the password cannot be read if the packet is intercepted, and the server uses it to authenticate its responses, so that the NAS can verify that a reply really came from the server. The rest of a RADIUS packet, including the user name, is transmitted in clear text, so the key must be kept secret and RADIUS traffic should be carried over a trusted management network.

II. RADIUS operation
The RADIUS server generally authenticates users through the proxy function of a device such as an access server. The process is as follows. First, the user's request message, containing the client user name and the hidden password, is sent to the RADIUS server. Second, the RADIUS server returns one of several kinds of response message: an ACCEPT message indicates that the user has passed authentication, while a REJECT message indicates that the user has failed authentication and must enter the user name and password again, otherwise access is refused.
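The following Python code, added here as an example (it is not from the Quidway manual or from any RADIUS implementation), carries the exchange through both sides with the RFC 2865 algorithms: the NAS hides the User-Password attribute with the shared key and a random Request Authenticator, the server recovers it and answers Access-Accept or Access-Reject, and the NAS validates the Response Authenticator before trusting the reply. It also applies the user-name-format without-domain behaviour of section 2.3.12. The user database, the key "name" and the user localuser/localpass are constructed to match the example in section 1.4; the "wrong key" case stands in for a server that was configured with a different key.

```python
"""Added example (not from the Quidway manual): what the RADIUS shared key
protects, per RFC 2865. User-Password is hidden with MD5(key | RequestAuth)
chained over 16-byte blocks; the reply carries
MD5(Code | ID | Length | RequestAuth | Attributes | key) as its authenticator.
Everything else (User-Name included) is sent in clear text over UDP."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: XOR each 16-byte chunk with an MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block                 # the next key depends on the previous cipher block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side: regenerate the keystream, XOR again, strip NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: only a holder of the key can produce this value."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def nas_username(username, without_domain):
    """user-name-format without-domain strips the ISP domain (section 2.3.12)."""
    return (username.split("@", 1)[0] if without_domain else username).encode()


def nas_access_request(username, password, secret, ident=1, without_domain=True, request_auth=None):
    """The switch (RADIUS client) builds an Access-Request."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable per request
    attrs = attr(ATTR_USER_NAME, nas_username(username, without_domain))
    attrs += attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(packet, secret, user_db):
    """Minimal RADIUS server: recover the password, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, rest = packet[4:20], packet[20:length]
    attrs = {}
    while rest:
        if len(rest) < 2 or rest[1] < 2 or rest[1] > len(rest):
            raise ValueError("malformed attribute")
        attrs[rest[0]] = rest[2:rest[1]]
        rest = rest[rest[1]:]
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    reply_code = ACCESS_ACCEPT if user_db.get(user) == password else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, b"", request_auth, secret)
    return build_packet(reply_code, ident, auth, b"")


def nas_verify_reply(reply, request_auth, secret):
    """Accept a reply only if its Response Authenticator validates under the key."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected), code


# Constructed data matching the manual's example: key "name", local user localuser/localpass
SECRET = b"name"
USER_DB = {"localuser": b"localpass"}


def demo(secret=SECRET, wrong_secret=b"money"):
    req, rauth = nas_access_request("localuser@huawei163.net", "localpass", secret)
    ok, code = nas_verify_reply(server_handle(req, secret, USER_DB), rauth, secret)
    # A server holding a different key neither recovers the password nor forges a valid reply.
    bad_ok, bad_code = nas_verify_reply(server_handle(req, wrong_secret, USER_DB), rauth, secret)
    return {"accept": ok and code == ACCESS_ACCEPT, "bad_key_reply_valid": bad_ok, "bad_key_code": bad_code}


if __name__ == "__main__":
    print(demo())
```

Two practical consequences follow from the code: the Request Authenticator must be fresh and random (a repeated one lets an eavesdropper XOR two hidden passwords together), and a short dictionary key such as "name" can be brute-forced offline from a single captured request/reply pair.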

2.1.3 Implement AAA/RADIUS on Ethernet Switch
As the preceding description shows, in the AAA/RADIUS framework the Quidway Series Ethernet Switch, serving as the user access device or NAS, is the RADIUS client. In other words, the client-end part of AAA/RADIUS is implemented on Quidway Series Ethernet Switches. The figure below illustrates a RADIUS authentication network that includes Quidway Series Ethernet Switches.


Figure 2-1 Networking when S3500 Series Ethernet switches apply RADIUS authentication
(PC user1 to PC user4 are attached to S3500, S3000 and S2000 series switches and reach the Internet through ISP1 and ISP2; an Authentication Server and an Accounting Server1 serve the switches.)

2.2 Configure AAA
AAA configuration includes:
- Create/Delete ISP domain
- Configure relevant attributes of ISP domain
- Create a local user
- Set attributes of local user
- Disconnect a user by force
Among these tasks, creating the ISP domain is compulsory, otherwise the supplicant attributes cannot be distinguished. The other tasks are optional and can be configured as required.

2.2.1 Create/Delete ISP Domain
What is an Internet Service Provider (ISP) domain? Put simply, an ISP domain is a group of users belonging to the same ISP. For a user name in the userid@isp-name format, taking gw20010608@huawei163.net as an example, the isp-name following the @ (huawei163.net) is the ISP domain name. When a Quidway Series Ethernet Switch controls access for a user whose name is in userid@isp-name format, the system takes the userid part as the user name for identification and the isp-name part as the domain name.

ISP domains were introduced to support multi-ISP environments, in which one access device serves users of different ISPs. Because the attributes of those users, such as user name and password formats, may differ, they must be distinguished by ISP domain. In the ISP domain view of a Quidway Series Ethernet Switch you can configure a complete set of ISP domain attributes on a per-domain basis, including the AAA policy (the RADIUS server group applied, and so on).

On Quidway Series Ethernet Switches every supplicant belongs to an ISP domain. Up to 16 domains can be configured in the system. If a user does not report an ISP domain name, the system puts it into the default domain. Perform the following configurations in system view.

Table 2-1 Create/Delete ISP domain
  Operation                                                    Command
  Create an ISP domain or enter the view of a specified domain   domain [ isp-name | default { disable | enable isp-name } ]
  Remove a specified ISP domain                                  undo domain isp-name

By default, a domain named "system" has been created in the system. The attributes of "system" are all default values.

2.2.2 Configure Relevant Attributes of ISP Domain
The relevant attributes of an ISP domain include the adopted RADIUS server group, the state, the maximum number of supplicants and the idle-cut function, where:
- The adopted RADIUS server group is the one used by all the users in the ISP domain. The RADIUS server group can be used for RADIUS authentication or accounting. By default, the default RADIUS server group is used. The command shall be used together with the commands for setting the RADIUS server and server cluster. For details, refer to the Configuring RADIUS section of this chapter.
- Every ISP domain has an active/block state. If an ISP domain is in active state, the users in it can request network service; in block state, its users cannot request any network service, which does not affect the users already online. An ISP domain is in the block state when it is created. No user in the domain is allowed to request network service.
- The maximum number of supplicants specifies how many supplicants the ISP domain can contain. For any ISP domain, there is no limit to the number of supplicants by default.
- The idle-cut function means: if the traffic of a certain connection is lower than the defined traffic, cut off this connection.
Perform the following configurations in ISP domain view.

Table 2-2 Configure relevant attributes of ISP domain
Operation: Specify the adopted RADIUS server group
Command: radius-scheme radius-scheme-name
Operation: Restore the adopted RADIUS server group to the default RADIUS server group
Command: undo radius-scheme
Operation: Specify the ISP domain state to be used
Command: state { active | block }
Operation: Set a limit to the number of supplicants
Command: access-limit { disable | enable max-user-number }
Operation: Restore the limit to the default setting
Command: undo access-limit
Operation: Set the idle-cut function
Command: idle-cut { disable | enable minute flow }

By default, after an ISP domain is created, the RADIUS server group used is the default one named "default" (for the relevant parameter configuration, refer to the Configuring RADIUS section of this chapter), the state of the domain is active, there is no limit to the number of supplicants, and the idle-cut function is disabled.

2.2.3 Create a Local User
A local user is a group of users set on NAS. The username is the unique identifier of a user. A supplicant requesting network service may use local authentication only if its corresponding local user has been added onto NAS. Perform the following configurations in system view.
Table 2-3 Create/Delete a local user and relevant properties
Operation: Add local users
Command: local-user user-name
Operation: Delete all the local users
Command: undo local-user all
Operation: Delete a local user by specifying its type
Command: undo local-user { user-name | all [ service-type { lan-access | ftp | telnet | ssh } ] }

By default, there is no local user in the system.

2.2.4 Set Attributes of Local User
The attributes of a local user include its password, state, service type and some other settings. Perform the following configurations in system view.

Table 2-4 Set the method that a local user uses to set password
Operation: Set the method that a local user uses to set password
Command: local-user password-display-mode { cipher-force | auto }
Operation: Cancel the method that the local user uses to set password
Command: undo local-user password-display-mode

Where auto means that the password display mode will be the one specified by the user at the time of configuring the password (see the password command in the following table), and cipher-force means that the password display mode of all the accessing users must be cipher text. Perform the following configurations in local user view.
Table 2-5 Set/Remove the attributes concerned with a specified user
Operation: Set a password for a specified user
Command: password { simple | cipher } password
Operation: Remove the password set for the specified user
Command: undo password
Operation: Set the state of the specified user
Command: state { active | block }
Operation: Set a service type for the specified user
Command: service-type { ftp [ ftp-directory directory ] | lan-access | ssh [ level level | telnet [ level level ] ] | telnet [ level level | ssh [ level level ] ] }
Operation: Cancel the service type of the specified user
Command: undo service-type { ftp [ ftp-directory ] | lan-access | ssh [ level | telnet [ level ] ] | telnet [ level | ssh [ level ] ] }
Operation: Configure the attributes of lan-access users
Command: attribute { ip ip-address | mac mac-address | idle-cut second | access-limit max-user-number | vlan vlanid | location { nas-ip ip-address port portnum | port portnum } }*
Operation: Remove the attributes defined for the lan-access users
Command: undo attribute { ip | mac | idle-cut | access-limit | vlan | location }*

2.2.5 Disconnect a User by Force
Sometimes it is necessary to disconnect a user or a category of users by force. The system provides the following command for this purpose. Perform the following configurations in system view.
Table 2-6 Disconnect a user by force
Operation: Disconnect a user by force
Command: cut connection { all | access-type { dot1x | gcm } | domain domain-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlanid | ucibindex ucib-index | user-name user-name }

By default, no online user will be disconnected by force.

2.3 Configure RADIUS Protocol
For the Quidway Series Ethernet Switches, the RADIUS protocol is configured on a per-RADIUS-server-group basis. In a real networking environment, a RADIUS server group can be an independent RADIUS server or a set of primary/secondary RADIUS servers with the same configuration but two different IP addresses. Accordingly, the attributes of every RADIUS server group include the IP addresses of the primary and secondary servers, the shared key and the RADIUS server type, etc. Actually, RADIUS protocol configuration only defines the parameters needed for information interaction between NAS and RADIUS server. To make these parameters effective, it is necessary to configure, in ISP domain view, an ISP domain to use the RADIUS server group and specify it to use RADIUS AAA schemes. For more about the configuration commands, refer to the AAA Configuration section above. RADIUS protocol configuration includes:
- Create/Delete a RADIUS server group
- Set IP address and port number of RADIUS server
- Set RADIUS packet encryption key
- Set response timeout timer of RADIUS server
- Set retransmission times of RADIUS request packet
- Set a real-time accounting interval
- Set maximum times of real-time accounting request failing to be responded
- Enable/Disable stopping accounting request buffer
- Set the maximum retransmitting times of stopping accounting request
- Set the supported type of RADIUS server
- Set RADIUS server state
- Set username format transmitted to RADIUS server
- Set the unit of data flow transmitted to RADIUS server
- Set local RADIUS server group
Among the above tasks, creating the RADIUS server group and setting the IP address of the RADIUS server are required, while the other tasks are optional and can be performed as per your requirements.

2.3.1 Create/Delete a RADIUS server Group
As mentioned above, RADIUS protocol configurations are performed on the per RADIUS server group basis. Therefore, before performing other RADIUS protocol configurations, it is compulsory to create the RADIUS server group and enter its view to set its IP address. You can use the following commands to create/delete a RADIUS server group. Perform the following configurations in system view.

Table 2-7 Create/Delete a RADIUS server group
Operation: Create a RADIUS server group and enter its view
Command: radius scheme radius-server-name
Operation: Delete a RADIUS server group
Command: undo radius scheme radius-server-name

Several ISP domains can use a RADIUS server group at the same time. By default, the system has a RADIUS server group named “default” whose attributes are all default values. The default attribute values will be introduced in the following text.

2.3.2 Set IP Address and Port Number of RADIUS Server
After creating a RADIUS server group, you are supposed to set the IP addresses and UDP port numbers of the RADIUS servers, including the primary/secondary authentication/authorization servers and accounting servers, so you can configure up to 4 groups of IP addresses and UDP port numbers. However, you have to set at least one group of IP address and UDP port number for each pair of primary/secondary servers to ensure normal AAA operation. You can use the following commands to configure the IP address and port number of the RADIUS servers. Perform the following configurations in RADIUS server group view.
Table 2-8 Set IP Address and Port Number of RADIUS Server
Operation: Set IP address and port number of primary RADIUS authentication/authorization server
Command: primary authentication ip-address [ port-number ]
Operation: Restore IP address and port number of primary RADIUS authentication/authorization server to the default values
Command: undo primary authentication
Operation: Set IP address and port number of primary RADIUS accounting server
Command: primary accounting ip-address [ port-number ]
Operation: Restore IP address and port number of primary RADIUS accounting server to the default values
Command: undo primary accounting
Operation: Set IP address and port number of secondary RADIUS authentication/authorization server
Command: secondary authentication ip-address [ port-number ]
Operation: Restore IP address and port number of secondary RADIUS authentication/authorization server to the default values
Command: undo secondary authentication
Operation: Set IP address and port number of secondary RADIUS accounting server
Command: secondary accounting ip-address [ port-number ]
Operation: Restore IP address and port number of secondary RADIUS accounting server to the default values
Command: undo secondary accounting

In real networking environments, the above parameters shall be set according to the specific requirements. For example, you may specify 4 groups of different data to map 4 RADIUS servers, or specify one of the two servers as primary authentication/authorization server and secondary accounting server and the other one as secondary authentication/authorization server and primary accounting server, or you may also set 4 groups of exactly the same data so that every server serves as both a primary and a secondary AAA server. To guarantee normal interaction between NAS and RADIUS server, make sure the routes between the RADIUS server and NAS work before setting the IP address and UDP port of the RADIUS server. In addition, because the RADIUS protocol uses different UDP ports to receive/transmit authentication/authorization and accounting packets, you shall set two different ports accordingly. As suggested by RFC2138/2139, the authentication/authorization port number is 1812 and the accounting port number is 1813. However, you may use values other than the suggested ones. (Especially for some earlier RADIUS servers, the authentication/authorization port number is often set to 1645 and the accounting port number to 1646.) The RADIUS service port settings on Quidway Series Ethernet Switches are supposed to be consistent with the port settings on the RADIUS server. Normally, the RADIUS accounting service port is 1813 and the authentication/authorization service port is 1812. By default, all the IP addresses of the primary/secondary authentication/authorization and accounting servers are 0.0.0.0, the authentication/authorization service UDP port is 1812 and the accounting service UDP port is 1813.

2.3.3 Set RADIUS Packet Encryption Key
The RADIUS client (switch system) and the RADIUS server use the MD5 algorithm to encrypt the exchanged packets. The two ends verify the packets by means of the configured encryption key. Only when the keys are identical can both ends accept the packets from each other and give a response. You can use the following commands to set the encryption key for RADIUS packets. Perform the following configurations in RADIUS server group view.
Table 2-9 Set RADIUS packet encryption key
Operation: Set RADIUS authentication/authorization packet encryption key
Command: key authentication string
Operation: Restore the default RADIUS authentication/authorization packet encryption key
Command: undo key authentication
Operation: Set RADIUS accounting packet encryption key
Command: key accounting string
Operation: Restore the default RADIUS accounting packet encryption key
Command: undo key accounting

By default, the keys of RADIUS authentication/authorization and accounting packets are all “huawei”.

2.3.4 Set Response Timeout Timer of RADIUS Server
If NAS has not received a response from the RADIUS server within a period of time after a RADIUS (authentication/authorization or accounting) request packet has been transmitted, it has to retransmit the request to guarantee RADIUS service for the user. You can use the following command to set the response timeout timer of the RADIUS server. Perform the following configurations in RADIUS server group view.
Table 2-10 Set response timeout timer of RADIUS server
Operation: Set response timeout timer of RADIUS server
Command: timer second
Operation: Restore the response timeout timer of RADIUS server to the default value
Command: undo timer

By default, timeout timer of RADIUS server is 3 seconds.

2.3.5 Set Retransmission Times of RADIUS Request Packet
Since the RADIUS protocol uses UDP packets to carry the data, the communication process is not reliable. If the RADIUS server has not responded to NAS before the timeout, NAS has to retransmit the RADIUS request packet. If it transmits more times than the specified retry-times, NAS considers that communication with the primary and secondary RADIUS servers has been disconnected. You can use the following command to set the retransmission times of RADIUS request packets. Perform the following configurations in RADIUS server group view.
Table 2-11 Set retransmission times of RADIUS request packet
Operation: Set retransmission times of RADIUS request packet
Command: retry retry-times
Operation: Restore the default value of retransmission times
Command: undo retry

By default, RADIUS request packet will be retransmitted up to three times.

2.3.6 Set a Real-time Accounting Interval
To implement real-time accounting, it is necessary to set a real-time accounting interval. After the attribute is set, NAS will transmit the accounting information of online users to the RADIUS server regularly. You can use the following command to set a real-time accounting interval. Perform the following configurations in RADIUS server group view.
Table 2-12 Set a real-time accounting interval
Operation: Set a real-time accounting interval
Command: timer realtime-accounting minute
Operation: Restore the default value of the interval
Command: undo timer realtime-accounting

minute specifies the real-time accounting interval in minutes. The value shall be a multiple of 3. The value of minute is related to the performance of NAS and the RADIUS server: the smaller the value, the higher the performance required of NAS and RADIUS. When there is a large number of users (1000 or more), we suggest a larger value. The following table recommends the minute value for a given number of users.
Table 2-13 Recommended ratio of minute to number of users
Number of users 1 to 99: real-time accounting interval 3 minutes
Number of users 100 to 499: real-time accounting interval 6 minutes
Number of users 500 to 999: real-time accounting interval 12 minutes
Number of users 1000 or more: real-time accounting interval 15 minutes or more

By default, minute is set to 12 minutes.

2.3.7 Set Maximum Times of Real-time Accounting Request Failing to be Responded
The RADIUS server usually checks whether a user is online with a timeout timer. If the RADIUS server has not received the real-time accounting packet from NAS for a long time, it will consider that there is a device failure and stop accounting. Accordingly, it is necessary to disconnect the user at the NAS end and on the RADIUS server synchronously when some unpredictable failure exists. Quidway Series Switches support setting the maximum times a real-time accounting request may fail to be responded. NAS will disconnect the user if it has not received a real-time accounting response from the RADIUS server for the specified number of times. You can use the following command to set the maximum times of real-time accounting request failing to be responded. Perform the following configurations in RADIUS server group view.

Table 2-14 Set maximum times of real-time accounting request failing to be responded
Operation: Set maximum times of real-time accounting request failing to be responded
Command: retry realtime-accounting retry-times
Operation: Restore the maximum times to the default value
Command: undo retry realtime-accounting

How is the value of retry-times calculated? Suppose that the RADIUS server connection times out in T and the real-time accounting interval of NAS is t; then the integer part of T divided by t is the value of retry-times. Therefore, it is suggested to choose T as a number that can be divided exactly by t. By default, the real-time accounting request can fail to be responded no more than 5 times.

2.3.8 Enable/Disable Stopping Accounting Request Buffer
Because the stopping accounting request concerns the account balance and will affect the amount charged, which is very important for both the subscribers and the ISP, NAS shall make its best effort to send the message to the RADIUS accounting server. Accordingly, if the message from Quidway Series Ethernet Switches to the RADIUS accounting server has not been responded to, the switch shall save it in the local buffer and retransmit it until the server responds, or discard the message after transmitting it the specified number of times. The following command can be used to set whether to save the message or not. If it is saved, use the command in the next section to set the maximum retransmission times. Perform the following configurations in RADIUS server group view.
Table 2-15 Enable/Disable stopping accounting request buffer
Operation: Enable stopping accounting request buffer
Command: stop-accounting-buffer enable
Operation: Disable stopping accounting request buffer
Command: undo stop-accounting-buffer enable

By default, the stopping accounting request will be saved in the buffer.

2.3.9 Set the Maximum Retransmitting Times of Stopping Accounting Request
Because the stopping accounting request concerns the account balance and will affect the amount charged, which is very important for both the subscribers and the ISP, NAS shall make its best effort to send the message to the RADIUS accounting server. Accordingly, if the message from the Quidway Series Ethernet Switch to the RADIUS accounting server has not been responded to, the switch shall save it in the local buffer and retransmit it until the server responds, or discard the message after transmitting it the specified number of times. Use the following command to set the maximum retransmission times. Perform the following configurations in RADIUS server group view.
Table 2-16 Set the maximum retransmitting times of stopping accounting request
Operation: Set the maximum retransmitting times of stopping accounting request
Command: retry stop-accounting retry-times
Operation: Restore the maximum retransmitting times of stopping accounting request to the default value
Command: undo retry stop-accounting

By default, the stopping accounting request can be retransmitted for up to 500 times.

2.3.10 Set the Supported Type of RADIUS Server
Quidway Series Ethernet Switches support the standard RADIUS protocol and the extended RADIUS service platforms, such as IP Hotel, 201+ and Portal, independently developed by Huawei. You can use the following command to set the supported type of RADIUS server. Perform the following configurations in RADIUS server group view.
Table 2-17 Set the supported type of RADIUS server
Operation: Set the supported type of RADIUS server
Command: server-type { huawei | iphotel | portal | standard }
Operation: Restore the RADIUS server type to the default setting
Command: undo server-type

By default, RADIUS server type is standard.

2.3.11 Set RADIUS Server State
For the primary and secondary servers (no matter whether they are authentication/authorization servers or accounting servers), if the primary one is disconnected from NAS because of some fault, NAS will automatically switch to exchanging packets with the secondary one. However, after the primary one recovers, NAS will not resume communication with it at once; instead, it continues communicating with the secondary one. When the secondary one fails to communicate, NAS will switch to the primary one again. The following commands can be used to set the primary server to be active manually, so that NAS can communicate with it right after troubleshooting. When the primary and secondary servers are both active or both block, NAS will send the packets to the primary server only. Perform the following configurations in RADIUS server group view.
Table 2-18 Set RADIUS server state
Operation: Set the state of primary RADIUS server
Command: state primary { accounting | authentication } { block | active }
Operation: Set the state of secondary RADIUS server
Command: state secondary { accounting | authentication } { block | active }

By default, the state of each server in RADIUS server group is active.
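As an added example (not Huawei's code and not from this manual), the following Python model exercises the primary/secondary selection policy described above together with the timer and retry settings of 2.3.4 and 2.3.5. The server names, the "answering" flags, and the reading that NAS gives up after the initial send plus retry retransmissions are assumptions made for illustration.

```python
class RadiusServerPair:
    """Primary/secondary selection for one service (authentication or accounting)."""

    def __init__(self, timer=3, retry=3):
        self.timer = timer      # response timeout in seconds (manual default: 3)
        self.retry = retry      # retransmissions before giving up (manual default: 3)
        self.state = {"primary": "active", "secondary": "active"}

    def target(self):
        """Server that receives the next packet: both active or both blocked means
        the primary only; otherwise the one still active, which is why a recovered
        primary is not used again until the secondary fails or an operator
        re-activates the primary."""
        if self.state["primary"] == self.state["secondary"]:
            return "primary"
        return "primary" if self.state["primary"] == "active" else "secondary"

    def set_state(self, server, state):
        """Equivalent of: state { primary | secondary } authentication { active | block }."""
        if server not in self.state or state not in ("active", "block"):
            raise ValueError("server must be primary/secondary, state active/block")
        self.state[server] = state

    def send_request(self, answering):
        """Send one request; `answering` maps server name -> whether it replies.
        Returns (server that replied or None, seconds spent waiting)."""
        waited = 0
        for _ in range(2):                # at most one failover per request
            server = self.target()
            if answering.get(server, False):
                return server, waited
            # Assumption: one initial send plus `retry` retransmissions, each
            # waiting `timer` seconds, before the server is treated as down.
            waited += self.timer * (self.retry + 1)
            self.state[server] = "block"
        return None, waited


def walkthrough():
    """Scenario from 2.3.11: primary fails, recovers, is re-activated, then both fail."""
    pair = RadiusServerPair()
    answering = {"primary": False, "secondary": True}   # constructed reachability
    trace = [pair.send_request(answering)]        # ('secondary', 12): primary timed out
    answering["primary"] = True                   # primary is reachable again...
    trace.append(pair.send_request(answering))    # ('secondary', 0): ...but still unused
    pair.set_state("primary", "active")           # operator: state primary authentication active
    trace.append(pair.send_request(answering))    # ('primary', 0)
    answering = {"primary": False, "secondary": False}
    trace.append(pair.send_request(answering))    # (None, 24): both now blocked
    trace.append(pair.target())                   # 'primary': both blocked -> primary only
    return trace
```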

2.3.12 Set Username Format Transmitted to RADIUS Server
As mentioned above, supplicants are generally named in the userid@isp-name format. The part following "@" is the ISP domain name. Quidway Series Ethernet Switches put the users into different ISP domains according to the domain names. However, some earlier RADIUS servers reject usernames that include an ISP domain name. In this case, you have to remove the domain name before sending the username to the RADIUS server. The following switch command decides whether the username sent to the RADIUS server carries the ISP domain name or not.
Table 2-19 Set username format transmitted to RADIUS server
Operation: Set username format transmitted to RADIUS server
Command: user-name-format { with-domain | without-domain }

Note: If a RADIUS server group is configured not to allow usernames including ISP domain names, the RADIUS server group shall not be simultaneously used in more than one ISP domain. Otherwise, the RADIUS server will regard two users in different ISP domains as the same user by mistake, if they have the same username (excluding their respective domain names.)

By default, RADIUS server group acknowledges that the username sent to it includes ISP domain name.
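As an added example (not Huawei's code and not from this manual), the following Python models the NAS side of the exchange described in 2.2.1, 2.3.3 and 2.3.12: how userid@isp-name is split and trimmed under user-name-format, how the shared key hides User-Password, and how NAS checks the Response Authenticator so that a key mismatch (the default "huawei" on one side, "expert" on the other, as in the troubleshooting list) is detected rather than silently accepted. The default domain name "system", the username and the password are assumed or constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2      # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2  # RFC 2865 attribute types


def split_username(name, default_domain="system"):
    """userid@isp-name -> (userid, isp-name); a bare userid falls into the
    default domain (assumed here to be the "system" domain created by default)."""
    userid, sep, domain = name.partition("@")
    return (userid, domain if sep else default_domain)


def username_for_server(name, user_name_format="with-domain"):
    """Apply user-name-format: without-domain strips everything after '@'."""
    if user_name_format == "without-domain":
        return split_username(name)[0]
    return name


def _attr(attr_type, value):
    """One RADIUS attribute: Type, Length (includes the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    clear = password.encode()
    clear += b"\x00" * (-len(clear) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(clear), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(c ^ m for c, m in zip(clear[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of hide_password (the chain uses the received ciphertext blocks)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, request_auth=None):
    """Access-Request carrying User-Name and User-Password; NAS must keep the
    16 random bytes of the Request Authenticator to check the reply later."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """What the server sends back, e.g. an Access-Accept with no attributes."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_response(packet, request_auth, secret):
    """NAS-side check: trust a reply only if its Response Authenticator
    recomputes with the NAS's own key; a key mismatch makes every reply fail."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


def demo():
    """Returns (accepted with matching keys, accepted with mismatched keys)."""
    nas_key = b"expert"                                      # key authentication expert
    user = username_for_server("gw20010608@huawei163.net", "without-domain")
    req = build_access_request(1, user, "s3cret-pass-word!", nas_key)  # constructed password
    ident, request_auth = req[1], req[4:20]
    good = build_response(ACCESS_ACCEPT, ident, b"", request_auth, b"expert")
    bad = build_response(ACCESS_ACCEPT, ident, b"", request_auth, b"huawei")  # default key
    return verify_response(good, request_auth, nas_key), verify_response(bad, request_auth, nas_key)
```

Because the Response Authenticator covers the attributes as well as the key, this same check also rejects a reply whose attributes were altered in transit, which is why the key must differ from the factory default on both ends.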

2.3.13 Set the Unit of Data Flow that Transmitted to RADIUS Server
The following command defines the unit of the data flow sent to RADIUS server.

Table 2-20 Set the unit of data flow transmitted to RADIUS server
Operation: Set the unit of data flow transmitted to RADIUS server
Command: data-flow-format data { byte | giga-byte | kilo-byte | mega-byte } packet { giga-byte | kilo-byte | mega-byte | one-packet }
Operation: Restore the unit to the default setting
Command: undo data-flow-format

By default, the default data unit is byte and the default data packet unit is one packet.

2.3.14 Configure Local RADIUS Server Group
RADIUS service, which adopts authentication/authorization/accounting servers to manage users, is widely used in Huawei Quidway series switches. Besides, local authentication/authorization/accounting service is also available in these products; it is called the local RADIUS function, i.e. the basic RADIUS function is realized on the switch itself. Perform the following commands in system view to create/delete the local RADIUS server group.
Table 2-21 Create/Delete local RADIUS server group
Operation: Create local RADIUS server group and enter its view
Command: local-radius nas-ip ip-address key password
Operation: Delete local RADIUS server group
Command: undo local-radius nas-ip ip-address

By default, the IP address of the local RADIUS server group is 127.0.0.1 and the password is Huawei. When using the local RADIUS server function of Huawei, remember that the UDP port used for authentication is 1645 and that for authorization is 1646.

2.4 Display and Debug AAA and RADIUS Protocol
After the above configuration, execute the display commands in any view to display the running state of the AAA and RADIUS configuration and verify the effect of the configuration. Execute the reset command in user view to reset the AAA and RADIUS configuration. Execute the debugging commands in user view to debug AAA and RADIUS.
Table 2-22 Display and debug AAA and RADIUS protocol
Operation: Display the configuration information of the specified or all the ISP domains
Command: display domain [ isp-name ]
Operation: Display related information of user's connection
Command: display connection { access-type { dot1x | gcm } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlanid | ucibindex ucib-index | user-name user-name }
Operation: Display related information of the local user
Command: display local-user [ domain isp-name | idle-cut { disable | enable } | service-type { telnet | ftp | lan-access | ssh } | state { active | block } | user-name user-name | vlan vlan-id ]
Operation: Display information of local RADIUS server group
Command: display local-server statistics
Operation: Display the configuration information of all the RADIUS server groups or a specified one
Command: display radius [ radius-server-name ]
Operation: Display the statistics information of RADIUS packets
Command: display radius statistics
Operation: Display the stopping accounting requests saved in buffer without response (from system view)
Command: display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }
Operation: Delete the stopping accounting requests saved in buffer without response (from system view)
Command: reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }
Operation: Enable RADIUS packet debugging
Command: debugging radius packet
Operation: Disable RADIUS packet debugging
Command: undo debugging radius packet
Operation: Enable debugging of local RADIUS server group
Command: debugging local-server { all | error | event | packet }
Operation: Disable debugging of local RADIUS server group
Command: undo debugging local-server { all | error | event | packet }

2.5 AAA and RADIUS Protocol Configuration Examples
For the hybrid configuration example of AAA/RADIUS protocol and 802.1x protocol, refer to Configuration Example in 802.1x Configuration. It will not be detailed here.

2.5.1 Configuring FTP/Telnet User Authentication at Remote RADIUS Server

Note: Configuring Telnet user authentication at the remote server is similar to configuring FTP users. The following description is based on Telnet users.

I. Networking Requirements
In the environment as illustrated in the following figure, it is required to achieve through proper configuration that the RADIUS server authenticates the Telnet users to be registered.

One RADIUS server (as authentication server) is connected to the switch and the server IP address is 10.110.91.146. The password for exchanging messages between the switch and the authentication server is "expert". The switch cuts off the domain name from the username and sends the remaining part to the RADIUS server.

II. Networking Topology

[Figure: telnet user, Switch, Internet, Authentication Servers (IP address: 10.110.91.164)]

Figure 2-2 Configuring remote RADIUS authentication for Telnet users

III. Configuration Procedure
# Add a Telnet user. Omitted

Note: For details about configuring FTP and Telnet users, refer to User Interface Configuration in Getting Started.

# Configure remote authentication mode for the Telnet user, i.e. scheme mode.
[Quidway-ui-vty0-4] authentication-mode scheme
# Configure domain.
[Quidway] domain cams
[Quidway-isp-cams] quit
# Configure RADIUS scheme.
[Quidway] radius scheme cams
[Quidway-radius-cams] primary authentication 10.110.91.146 1812
[Quidway-radius-cams] key authentication expert
[Quidway-radius-cams] server-type huawei
[Quidway-radius-cams] user-name-format without-domain
# Configure the association between domain and RADIUS.
[Quidway-radius-cams] quit
[Quidway] domain cams
[Quidway-isp-cams] radius-scheme cams

2.5.2 Configuring FTP/Telnet User Authentication at Local RADIUS Server
Local RADIUS authentication of Telnet/FTP users is similar to remote RADIUS authentication, but you should change the server IP address to 127.0.0.1, the authentication password to Huawei, and the UDP port number of the authentication server to 1645.

Note: For details about local RADIUS authentication of Telnet/FTP users, refer to “Configuring local RADIUS Server Group”.

2.6 AAA and RADIUS Protocol Fault Diagnosis and Troubleshooting
The RADIUS protocol of the TCP/IP protocol suite is located on the application layer. It mainly specifies how to exchange user information between NAS and the RADIUS server of the ISP, so faults are likely to occur.
Fault one: User authentication/authorization always fails
Troubleshooting:
1) The username may not be in the userid@isp-name format or NAS has not been configured with a default ISP domain. Please use the username in the proper format and configure the default ISP domain on NAS.
2) The user may not have been configured in the RADIUS server database. Check the database and make sure that the configuration information of the user does exist in the database.
3) The user may have input a wrong password. So please make sure that the supplicant inputs the correct password.
4) The encryption keys of the RADIUS server and NAS may be different. Please check carefully and make sure that they are identical.
5) There might be some communication fault between NAS and the RADIUS server, which can be discovered by pinging RADIUS from NAS. So please ensure normal communication between NAS and RADIUS.
Fault two: RADIUS packet cannot be transmitted to RADIUS server.
Troubleshooting:
6) The communication lines (on physical layer or link layer) connecting NAS and the RADIUS server may not work well. So please ensure the lines work well.
7) The IP address of the corresponding RADIUS server may not have been set on NAS. Please set a proper IP address for the RADIUS server.
8) The UDP ports of the authentication/authorization and accounting services may not be set properly. So make sure they are consistent with the ports provided by the RADIUS server.
Fault three: After being authenticated and authorized, the user cannot send charging bill to the RADIUS server.
Troubleshooting:
9) The accounting port number may be set improperly. Please set a proper number.
10) The accounting service and authentication/authorization service are provided on different servers, but NAS requires the services to be provided on one server (by specifying the same IP address). So please make sure the settings of the servers are consistent with the actual conditions.


Chapter 3 HABP Configuration
3.1 HABP Overview
If 802.1x is configured on a switch, 802.1x runs authentication on those ports where it is enabled, and only ports which pass the authentication are able to forward packets. On ports that have not gone through 802.1x authentication, packets are filtered by 802.1x, so management over them is also impossible. HABP (Huawei Authentication Bypass Protocol) is used to solve this problem. HABP packets carry the MAC address and other information of the member switches. When HABP is enabled on the management switch, 802.1x authentication is skipped for HABP packets, so management over the member switches becomes possible.

HABP includes an HABP server and HABP clients. In general, the server regularly sends HABP request packets to the clients to collect the MAC addresses of the member switches, while each client responds to the request packets and forwards them to the lower-level switches. The HABP server is usually enabled on the management switch and the HABP client on the member switches. HABP should be enabled on any switch where 802.1x is enabled.

3.2 HABP configuration
HABP attribute configuration tasks include:
- Configuring HABP server
- Configuring HABP client

3.2.1 Configuring HABP Server
When HABP server is enabled, the management switch sends HABP request packets to its member switches to collect their MAC addresses, for the convenience of management. You can define the time interval for transmitting HABP request packets on the management switch. To configure HABP server, follow these steps:
- Enable HABP attribute
- Configure HABP server
- Set time interval for HABP request transmission


Please perform the following operations in system view.

Table 3-1 Configuring HABP server
Operation                                          Command
Enable HABP attribute                              habp enable
Restore HABP attribute to the default value        undo habp enable
Configure the switch as HABP Server                habp server vlan vlan-id
Delete HABP Server configuration                   undo habp server
Set time interval for HABP request transmission    habp timer interval
Restore the time interval to the default value     undo habp timer

By default, HABP attribute is disabled at a switch, the HABP mode is client, and the time interval for HABP request transmission is 20 seconds.

3.2.2 Configuring HABP Client
HABP client runs at the member switches. Since the default HABP mode is client, you only need to enable HABP attribute at a switch. Please perform the following operations in system view.

Table 3-2 Configuring HABP client
Operation                             Command
Enable HABP attribute                 habp enable
Restore HABP to the default value     undo habp enable

By default, HABP attribute is disabled at a switch.

3.3 Displaying and Debugging HABP Attribute
After the above configurations, you can view HABP attribute information using the display command in any view, to check the configuration. You can also debug the HABP module using the debugging command in user view.

Table 3-3 Displaying and debugging HABP attribute
Operation                                                        Command
Display configuration information and state of HABP attribute    display habp
Display MAC address table of HABP attribute                      display habp table
Display HABP packet statistics                                   display habp traffic
Display HABP debugging state                                     display debugging habp
Enable HABP debugging                                            debugging habp
Disable HABP debugging                                           undo debugging habp


Chapter 4 System-guard Configuration

Note: Among S3500 series ethernet switches, S3526, S3526E Series and S3526C support system-guard function.

4.1 System-guard Overview
System-guard is a worm virus detection function supported by the Ethernet switches. When it detects an affected host, it automatically delivers an ACL to the hardware and forces the affected host offline, so as to isolate it from the network and prevent other hosts from being affected. After a specified time, the Ethernet switch restores normal forwarding for the affected host.

4.2 System-guard Configuration
System-guard configuration includes:
- Enable system-guard function
- Set the max detection count of the affected hosts
- Set parameters of address learning

4.2.1 Enable system-guard function
The following commands can be used to enable or disable the system-guard function. Other system-guard configurations take effect only after the function is enabled. Perform the following configurations in system view.

Table 4-1 Enable system-guard function
Operation                           Command
Enable system-guard function        system-guard enable
Disable system-guard function       undo system-guard enable

By default, system-guard function is disabled.


Note:
1) Before enabling the system-guard function, make sure the port priority is the default value 0 and the Ethernet switch does not trust the CoS priority of packets.
2) After system-guard is enabled, do not change the port priority or the queue-scheduling mode.

4.2.2 Set the max detection count of the affected hosts
The following commands can be used to set the max detection count of the affected hosts. Perform the following configurations in system view.

Table 4-2 Set the max detection count
Operation                                                                Command
Set the max detection count of the affected hosts                        system-guard detect-maxnum number
Restore the max detection count of the affected hosts to default value   undo system-guard detect-maxnum

By default, the max detection count of the affected hosts is 30.

4.2.3 Set parameters of address learning
The following commands can be used to set the three address-learning parameters of the system-guard function: the max number of IP addresses learned from one source IP address in a detection period (IP-record-threshold), the number of consecutive detection periods in which the learned address count may exceed that threshold before the source is regarded as attacking (record-times-threshold), and the isolation time in aging periods (isolate-time). For example, if IP-record-threshold, record-times-threshold and isolate-time are set to 50, 3 and 5, then if the number of IP addresses the system learns from one source IP address exceeds 50 for 3 consecutive detection periods, the system considers itself under attack and stops learning the destination IP addresses of packets from that source IP address for 5 aging periods. Perform the following configurations in system view.

Table 4-3 Set parameters of address learning
Operation                                                                                 Command
Set IP-record-threshold, record-times-threshold, isolate-time of system-guard function    system-guard detect-threshold IP-record-threshold record-times-threshold isolate-time
Restore IP-record-threshold, record-times-threshold, isolate-time to the default values   undo system-guard detect-threshold


By default, IP-record-threshold, record-times-threshold, isolate-time of system-guard function are 30, 1 and 3.
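As an added illustration (not Huawei code; the switch's real bookkeeping is not published on this page), the following simulation applies the three thresholds to constructed traffic: a source that exceeds IP-record-threshold for record-times-threshold consecutive detection periods has its learning suppressed for isolate-time periods. The host addresses are made up for the example.

```python
from collections import defaultdict


class SystemGuard:
    """Per-source bookkeeping for the three detect-threshold parameters.
    One call to end_period() closes one detection period; isolate_time is
    counted in the same periods (the page calls them aging periods)."""

    def __init__(self, ip_record_threshold=30, record_times_threshold=1, isolate_time=3):
        self.ip_record_threshold = ip_record_threshold        # max IPs learned per source per period
        self.record_times_threshold = record_times_threshold  # consecutive periods over the limit
        self.isolate_time = isolate_time                      # periods during which learning is suppressed
        self.period = 0
        self.learned = defaultdict(set)      # source IP -> destination IPs learned this period
        self.over_count = defaultdict(int)   # source IP -> consecutive periods over the threshold
        self.isolated_until = {}             # source IP -> first period when learning resumes

    def is_isolated(self, src):
        return self.isolated_until.get(src, 0) > self.period

    def observe(self, src, dst):
        """Record one packet. Returns True if the destination was learned,
        False if learning for this source is currently suppressed."""
        if self.is_isolated(src):
            return False
        self.learned[src].add(dst)
        return True

    def end_period(self):
        """Close a detection period and return the sources newly isolated in it."""
        newly = []
        for src in set(self.learned) | set(self.over_count):
            if len(self.learned.get(src, ())) > self.ip_record_threshold:
                self.over_count[src] += 1
            else:
                self.over_count[src] = 0      # streak broken: the periods must be consecutive
            if self.over_count[src] >= self.record_times_threshold and not self.is_isolated(src):
                # suppress learning for isolate_time periods, starting with the next one
                self.isolated_until[src] = self.period + 1 + self.isolate_time
                self.over_count[src] = 0
                newly.append(src)
        self.learned.clear()
        self.period += 1
        return newly


def run_scenario(thresholds, periods):
    """Feed constructed traffic through a SystemGuard. `periods` is a list of
    per-period lists of (src, dst) pairs. Returns ({src: period isolated}, guard)."""
    guard = SystemGuard(*thresholds)
    isolated_at = {}
    for pairs in periods:
        for src, dst in pairs:
            guard.observe(src, dst)
        for src in guard.end_period():
            isolated_at.setdefault(src, guard.period - 1)
    return isolated_at, guard


# Constructed traffic: a scanning host touches 51 distinct destinations every
# period, a normal host touches one. All addresses are made up.
SCANNER, NORMAL = "10.1.1.5", "10.1.1.7"
PERIOD = [(SCANNER, f"10.2.0.{i}") for i in range(1, 52)] + [(NORMAL, "10.2.0.1")]

if __name__ == "__main__":
    hit, guard = run_scenario((50, 3, 5), [PERIOD] * 3)
    print(hit)  # {'10.1.1.5': 2}: isolated after the third consecutive period over 50
```

With the defaults (30, 1, 3) the same scanner is isolated in the very first period, which is why the example thresholds in the text are looser.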

4.3 Display and Debug System-guard
After the above configuration, execute the display command in any view to display the running of the system-guard configuration and verify the effect of the configuration.

Table 4-4 Display and Debug System-guard
Operation                                                          Command
Display current IP pool state of system-guard                      display system-guard ip-record
Display current detection results and parameters of system-guard   display system-guard state


HUAWEI

Quidway S3500 Series Ethernet Switches Operation Manual

11. Reliability


Table of Contents
Chapter 1 VRRP Configuration    1-1
  1.1 VRRP Overview    1-1
  1.2 Configure VRRP    1-2
    1.2.1 Enable/disable the Function to Ping the Virtual IP Address    1-3
    1.2.2 Set Correspondence between Virtual IP Address and MAC Address    1-3
    1.2.3 Add/Delete a Virtual IP Address    1-4
    1.2.4 Configure the priority of switches in the virtual router    1-5
    1.2.5 Configure Preemption and Delay for a Switch within a Virtual Router    1-5
    1.2.6 Configure Authentication Type and Authentication Key    1-6
    1.2.7 Configure VRRP Timer    1-7
    1.2.8 Configure Switch to Track a Specified Interface    1-7
  1.3 Display and Debug VRRP    1-8
  1.4 VRRP Configuration Example    1-8
    1.4.1 VRRP Single Virtual Router Example    1-8
    1.4.2 VRRP Tracking Interface Example    1-10
    1.4.3 Multiple Virtual Routers Example    1-11
  1.5 Troubleshoot VRRP    1-12


Chapter 1 VRRP Configuration
1.1 VRRP Overview
Virtual Router Redundancy Protocol (VRRP) is a fault-tolerant protocol. In general, a default route (for example, 10.100.10.1 as shown in the following internetworking diagram) is configured for every host on a network, so that packets from a host destined to another network segment go through the default route to the Layer 3 Switch1, implementing communication between the host and the external network. If Switch1 goes down, all the hosts on this segment taking Switch1 as the next hop of their default route will be disconnected from the external network.

Figure 1-1 LAN networking (diagram: a Switch with address 10.100.10.1 between the Network and an Ethernet segment carrying Host 1, Host 2 and Host 3 at 10.100.10.7, 10.100.10.8 and 10.100.10.9)

VRRP, designed for LANs with multicast and broadcast capabilities (such as Ethernet), settles the above problem. The diagram below is taken as an example to explain the implementation principle of VRRP. VRRP combines a group of LAN switches (including a Master and several Backups) into a virtual router (a backup group).


Figure 1-2 Virtual router (diagram: a Master with actual IP address 10.100.10.2 and a Backup with actual IP address 10.100.10.3 share the virtual IP address 10.100.10.1 toward the Network; Host 1, Host 2 and Host 3 at 10.100.10.7, 10.100.10.8 and 10.100.10.9 sit on the Ethernet segment)

This virtual router has its own IP address: 10.100.10.1 (which can be the interface address of a switch within the virtual router). The switches within the virtual router have their own IP addresses (such as 10.100.10.2 for the Master switch and 10.100.10.3 for the Backup switch). The hosts on the LAN only know the IP address of this virtual router, 10.100.10.1, not the specific IP addresses 10.100.10.2 of the Master switch and 10.100.10.3 of the Backup switch. They configure their own default routes as the IP address of this virtual router: 10.100.10.1. Therefore, hosts within the network communicate with the external network through this virtual router. If the Master switch in the virtual router breaks down, a Backup switch takes over as the new Master and continues providing routing to the hosts, so that communication between the hosts and the external networks is not interrupted.

1.2 Configure VRRP
VRRP configuration includes:
- Enable/disable the Function to Ping the Virtual IP Address
- Set Correspondence between Virtual IP Address and MAC Address
- Add/Remove virtual IP address
- Configure the priority of switches in the virtual router
- Enable the preemption mode and configure a period of delay
- Configure authentication type and authentication key
- Configure timer of the virtual router
- Configure to track a specified interface


1.2.1 Enable/disable the Function to Ping the Virtual IP Address
This operation enables or disables the function to ping the virtual IP address of the backup group. The standard VRRP protocol does not support this ping, so the user cannot use the ping command to judge whether an IP address is in use by a backup group. If the user then configures a host with the same IP address as the virtual IP address of the backup group, all packets on this segment destined to that address will be forwarded to the host. Therefore Huawei switches provide the ping function. The following commands can be used to enable and disable the ping function. Perform the following configuration in system view.

Table 1-1 Enable/disable the ping function
Operation                                              Command
Enable the function to ping the virtual IP address     vrrp ping-enable
Disable the function to ping the virtual IP address    undo vrrp ping-enable

By default, the function to ping the virtual IP address is disabled. You can set the ping function before configuring the backup group.

1.2.2 Set Correspondence between Virtual IP Address and MAC Address
This operation sets the correspondence between the virtual IP address and the real or virtual MAC address. In the standard VRRP protocol, the virtual IP address of the backup group corresponds to a virtual MAC address, which guarantees correct data forwarding in the subnet. Because of the chips installed, some switches support matching one IP address to multiple MAC addresses. Huawei switches not only guarantee correct data forwarding in the subnet but also let the user choose whether to match the virtual IP address with the real MAC address or the virtual MAC address of the routing interface. The following commands can be used to set the correspondence between the IP address and the MAC address. Perform the following configuration in system view.


Table 1-2 Set correspondence between virtual IP address and MAC address
Operation                                                               Command
Set correspondence between the virtual IP address and the MAC address   vrrp method { real-mac | virtual-mac }
Set the correspondence to the default value                             undo vrrp method

By default, the virtual IP address of the backup group corresponds to the virtual MAC address. You should set the correspondence between the virtual IP address of the backup group and the MAC address before configuring the backup group; otherwise, you cannot configure the correspondence. S3526, S3526 FM and S3526 FS Ethernet switches do not support this configuration.

1.2.3 Add/Delete a Virtual IP Address
The following commands are used for assigning an IP address of the local segment to a virtual router, or removing an assigned virtual IP address of a virtual router from the virtual address list. Perform the following configuration in VLAN interface view.

Table 1-3 Add/Delete a virtual IP address
Operation                     Command
Add a virtual IP address      vrrp vrid virtual-router-ID virtual-ip virtual-address
Delete a virtual IP address   undo vrrp vrid virtual-router-ID [ virtual-ip virtual-address ]

The virtual-router-ID ranges from 1 to 255. The virtual-address can be an unused address in the network segment where the virtual router resides, or the IP address of an interface in the virtual router. If the address belongs to the switch itself, it can also be configured; in this case the switch is called the IP Address Owner. When the first IP address is added to a virtual router, the system creates a new virtual router accordingly. When new addresses are added to this backup group thereafter, the system adds them directly to the virtual IP address list. After the last virtual IP address is removed from the virtual router, the whole virtual router is also removed: there is no virtual router on the interface any more, and any configuration of it becomes invalid accordingly.


1.2.4 Configure the priority of switches in the virtual router.
The status of each switch in the virtual router is determined by its priority in VRRP: the switch with the highest priority becomes the Master. The priority ranges from 0 to 255 (the greater the number, the higher the priority). However, the configurable value can only be taken from 1 to 254: priority 0 is reserved for special use and 255 is reserved by the system for the IP address owner. Perform the following configuration in VLAN interface view.

Table 1-4 Configure the priority of switches in the virtual router
Operation                                                   Command
Configure the priority of switches in the virtual router    vrrp vrid virtual-router-ID priority priority
Clear the priority of switches in the virtual router        undo vrrp vrid virtual-router-ID priority

By default, the priority is 100.

Note: The priority for IP address owner is always 255, which cannot be configured otherwise.

1.2.5 Configure Preemption and Delay for a Switch within a Virtual Router
Once a switch in the virtual router becomes the Master, then so long as it still functions properly, other switches, even if configured with a higher priority later, cannot become the Master unless they are configured to work in preemption mode. A switch in preemption mode becomes the Master when it finds its own priority higher than that of the current Master; accordingly, the former Master becomes a Backup.

Together with the preemption setting, a delay can also be set, so that a Backup waits for a period of time before becoming Master. In an unstable network, if the Backup has not received the packets from the Master punctually, it will become the Master. However, the failure of the Backup to receive the packets may be due to network congestion rather than a malfunction of the Master, and in that case the Backup will receive the packet after a while. The delay setting thereby avoids frequent status changes. Perform the following configuration in VLAN interface view.


Table 1-5 Configure preemption and delay for a switch within a virtual router
Operation                                                    Command
Enable the preemption mode and configure a period of delay   vrrp vrid virtual-router-ID preempt-mode [ timer delay delay-value ]
Disable the preemption mode                                  undo vrrp vrid virtual-router-ID preempt-mode

The delay ranges from 0 to 255, measured in seconds. By default, the preemption mode is enabled with a delay of 0 seconds.

Note: If preemption mode is cancelled, the delay time will automatically become 0 second.

1.2.6 Configure Authentication Type and Authentication Key
VRRP provides the following authentication types:
- simple: Simple character authentication
- md5: MD5 authentication

In a network under possible security threat, the authentication type can be set to simple. The switch then adds the authentication key to the VRRP packets before transmitting them, and the receiver compares the authentication key of the packet with the locally configured one. If they are the same, the packet is taken as a true and legal one; otherwise it is regarded as an illegal packet and discarded. In this case, an authentication key not exceeding 8 characters should be configured.

In a totally unsafe network, the authentication type can be set to md5. The switch uses the authentication type and the MD5 algorithm provided by the Authentication Header to authenticate the VRRP packets. In this case, an authentication key not exceeding 16 characters should be configured. Packets failing authentication are discarded and a trap packet is sent to the network management system. Perform the following configuration in VLAN interface view.

Table 1-6 Configure authentication type and authentication key
Operation                                               Command
Configure authentication type and authentication key    vrrp authentication-mode type [ key ]
Clear authentication type and authentication key        undo vrrp authentication-mode


Note: The same authentication type and authentication key should be configured for all vlan interfaces that belong to the virtual router.

1.2.7 Configure VRRP Timer
The Master advertises its normal operation state to the switches within the VRRP virtual router by sending them VRRP packets regularly (at adver-interval). If a Backup has not received any VRRP packet from the Master after a period of time (specified by master-down-interval), it considers the Master down, takes its place and becomes the Master. You can use the following command to set the timer and adjust adver-interval, the interval at which the Master transmits VRRP packets. The master-down-interval of a Backup is three times the adver-interval. Excessive network traffic or differences between the timers of different switches may result in master-down-interval timing out and the state changing abnormally. Such problems can be solved by prolonging the adver-interval and setting a delay time. adver-interval is measured in seconds. Perform the following configuration in VLAN interface view.

Table 1-7 Configure VRRP timer
Operation                Command
Configure VRRP timer     vrrp vrid virtual-router-ID timer advertise adver-interval
Clear VRRP timer         undo vrrp vrid virtual-router-ID timer advertise

By default, adver-interval is configured to be 3.

1.2.8 Configure Switch to Track a Specified Interface
The VRRP interface tracking function extends the backup function: backup is provided not only for the interface where the virtual router resides, but also for another switch interface that may malfunction. With the following command you can track such an interface. If the tracked interface goes DOWN, the priority of the switch that owns it is automatically reduced by the value specified by value-reduced, which gives the other switches within the virtual router comparatively higher priorities, so that one of them becomes the Master. Perform the following configuration in VLAN interface view.

Table 1-8 Configure Switch to Track a Specified Interface
Operation                                  Command
Configure to track a specified interface   vrrp vrid virtual-router-ID track vlan-interface interface-num [ reduced value-reduced ]
Stop tracking the specified interface      undo vrrp vrid virtual-router-ID track [ vlan-interface interface-num ]

By default, value-reduced is 10.

Note: When the switch is an IP address owner, its interfaces cannot be tracked.
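The election rules of 1.2.4, 1.2.5, 1.2.7 and 1.2.8 can be replayed in a small simulation. This is an added example, not Huawei's implementation: the addresses come from Figure 1-3, while the tie-break on interface IP and the floor of 1 on a reduced priority are assumptions not stated on this page.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

OWNER_PRIORITY = 255        # always used by the IP address owner (1.2.4)
MASTER_DOWN_MULTIPLIER = 3  # master-down-interval = 3 x adver-interval (1.2.7)


@dataclass
class VrrpSwitch:
    name: str
    ip: str                     # interface address; used only for the tie-break
    priority: int = 100         # default priority (1.2.4)
    ip_owner: bool = False      # interface address is one of the virtual IPs
    preempt: bool = True        # default: preemption with delay 0 (1.2.5)
    preempt_delay: int = 0      # seconds, 0..255
    adver_interval: int = 3     # seconds, default 3 (1.2.7)
    tracked: dict = field(default_factory=dict)        # vlan-interface -> value-reduced
    down_interfaces: set = field(default_factory=set)  # tracked interfaces currently DOWN

    def __post_init__(self):
        if not self.ip_owner and not 1 <= self.priority <= 254:
            raise ValueError("configurable priority is 1..254; 0 and 255 are reserved")
        if self.ip_owner and self.tracked:
            raise ValueError("an IP address owner's interfaces cannot be tracked")
        if not 0 <= self.preempt_delay <= 255:
            raise ValueError("preemption delay is 0..255 seconds")

    def effective_priority(self) -> int:
        """Configured priority minus value-reduced for every tracked interface
        that is DOWN (1.2.8); the IP address owner is always 255."""
        if self.ip_owner:
            return OWNER_PRIORITY
        reduced = sum(r for iface, r in self.tracked.items() if iface in self.down_interfaces)
        return max(self.priority - reduced, 1)  # assumption: floor at 1, the page does not say

    def master_down_interval(self) -> int:
        return MASTER_DOWN_MULTIPLIER * self.adver_interval


def elect(switches):
    """Switch that wins when there is no Master yet: highest effective priority.
    Ties go to the higher interface IP (standard VRRP, not stated on this page)."""
    return max(switches, key=lambda s: (s.effective_priority(), ip_address(s.ip)))


def next_master(switches, current, seconds_higher):
    """Who is Master after a priority change, given the current Master and how many
    seconds the best Backup has already outranked it. A better Backup takes over
    only in preempt mode and only once its delay has elapsed (1.2.5)."""
    best = elect(switches)
    if best is current or best.effective_priority() <= current.effective_priority():
        return current
    if best.preempt and seconds_higher >= best.preempt_delay:
        return best
    return current


def backup_declares_master_down(backup, silence_seconds):
    """A Backup that hears no advertisement for master-down-interval takes over."""
    return silence_seconds >= backup.master_down_interval()


def tracking_scenario():
    """Replays the tracking example of 1.4.2: A (priority 110, tracking
    vlan-interface3 with reduced 30) and B (default 100), adver-interval 5."""
    a = VrrpSwitch("Switch_A", "202.38.160.1", priority=110, adver_interval=5,
                   tracked={"vlan-interface3": 30})
    b = VrrpSwitch("Switch_B", "202.38.160.2", adver_interval=5)
    history = []
    master = elect([a, b])
    history.append(master.name)                 # Switch_A: 110 > 100
    a.down_interfaces.add("vlan-interface3")    # uplink fails, A drops to 80
    master = next_master([a, b], master, 0)
    history.append(master.name)                 # Switch_B preempts at once (delay 0)
    a.down_interfaces.clear()                   # uplink recovers, A back to 110
    master = next_master([a, b], master, 0)
    history.append(master.name)                 # Switch_A resumes Master
    return history


if __name__ == "__main__":
    print(tracking_scenario())   # ['Switch_A', 'Switch_B', 'Switch_A']
```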

1.3 Display and Debug VRRP
After the above configuration, execute the display command in any view to display the running of the VRRP configuration and verify the effect of the configuration. Execute the debugging command in user view to debug VRRP.

Table 1-9 Display and debug VRRP
Operation                          Command
Display VRRP state information     display vrrp [ interface vlan-interface interface-num ] [ virtual-router-ID ]
Enable VRRP debugging              debugging vrrp { state | packet }
Disable VRRP debugging             undo debugging vrrp { state | packet }

You can enable VRRP debugging to display how it runs. You can set the argument option to packet or state to debug the VRRP packet or VRRP state respectively. By default, the switch disables the debugging.

1.4 VRRP Configuration Example
1.4.1 VRRP Single Virtual Router Example
I. Networking requirements
Host A uses the VRRP virtual router which combines switch A and switch B as its default gateway to visit host B on the Internet.


VRRP virtual router information includes: virtual router ID 1, virtual IP address 202.38.160.111, switch A as the Master and switch B as the Backup, with preemption allowed.

II. Networking diagram

Figure 1-3 VRRP configuration networking (diagram: Host A at 202.36.160.3 on the segment served by Switch_A and Switch_B, whose VLAN-interface2 addresses are 202.38.160.1 and 202.38.160.2 and whose virtual IP address is 202.38.160.111; VLAN-interface3 at 10.100.10.2 leads through the Internet to Host B at 10.2.3.1)

III. Configuration Procedure
Configure switch A
[LSW_A-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
[LSW_A-vlan-interface2] vrrp vrid 1 priority 110

Configure switch B
[LSW_B-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111

The virtual router can be used soon after configuration. Host A can configure its default gateway as 202.38.160.111. Under normal conditions, switch A functions as the gateway, but when switch A is turned off or malfunctioning, switch B will function as the gateway instead. Configure preemption mode for switch A, so that it can resume its gateway function as the Master after recovery.


1.4.2 VRRP Tracking Interface Example
I. Networking requirements
Even when switch A is still functioning, you may want switch B to act as the gateway when the interface connecting switch A to the Internet does not function properly. This can be implemented by configuring interface tracking. In this example the virtual router ID is set to 1, with additional configuration of the authentication key and timer.

II. Networking diagram
See Figure 1-3.

III. Configuration Procedure
Configure switch A
# Create a virtual router.
[LSW_A-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
# Set the priority for the virtual router.
[LSW_A-vlan-interface2] vrrp vrid 1 priority 110
# Set the authentication key for the virtual router.
[LSW_A-vlan-interface2] vrrp authentication-mode md5 switch
# Set Master to send VRRP packets every 5 seconds.
[LSW_A-vlan-interface2] vrrp vrid 1 timer advertise 5
# Track an interface.
[LSW_A-vlan-interface2] vrrp vrid 1 track vlan-interface 3 reduced 30

Configure switch B
# Create a virtual router.
[LSW_B-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
# Set the authentication key for the virtual router.
[LSW_B-vlan-interface2] vrrp authentication-mode md5 switch
# Set Master to send VRRP packets every 5 seconds.
[LSW_B-vlan-interface2] vrrp vrid 1 timer advertise 5


Under normal conditions, switch A functions as the gateway, but when the interface vlan-interface 3 of switch A is down, its priority will be reduced by 30, lower than that of switch B so that switch B will preempt the Master for gateway services instead. When vlan-interface3, the interface of switch A, recovers, this switch will resume its gateway function as the Master.

1.4.3 Multiple Virtual Routers Example
I. Networking requirements
A switch can function as the backup switch for many virtual routers. Such a multi-backup configuration can implement load balancing. For example, switch A as the Master switch of group 1 can share the responsibility of the backup switch for virtual router 2, and vice versa for switch B. Some hosts employ virtual router 1 as the gateway, while others employ virtual router 2 as the gateway. In this way, both load balancing and mutual backup are implemented.

II. Networking diagram
See Figure 1-3.

III. Configuration Procedure
Configure switch A
# Create virtual router 1.
[LSW_A-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
# Set the priority for the virtual router.
[LSW_A-vlan-interface2] vrrp vrid 1 priority 150
# Create virtual router 2.
[LSW_A-vlan-interface2] vrrp vrid 2 virtual-ip 202.38.160.112

Configure switch B
# Create virtual router 1.
[LSW_B-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
# Create virtual router 2.
[LSW_B-vlan-interface2] vrrp vrid 2 virtual-ip 202.38.160.112
# Set the priority for the virtual router.
[LSW_B-vlan-interface2] vrrp vrid 2 priority 110

1.5 Troubleshoot VRRP
As the configuration of VRRP is not very complicated, almost all the malfunctions can be found through viewing the configuration and debugging information. Here are some possible failures you might meet and the corresponding troubleshooting methods.

I. Fault 1: Frequent prompts of configuration errors on the console
This indicates that an incorrect VRRP packet has been received. It may be because of the inconsistent configuration of another switch within the virtual router, or the attempt of some devices to send out illegal VRRP packets. The first possible fault can be solved through modifying the configuration. And as the second possibility is caused by the malicious attempt of some devices, non-technical measures should be resorted to.

II. Fault 2: More than one Master exists within the same virtual router
There are two possible causes. One is the short-time coexistence of several Masters, which is normal and needs no manual intervention. The other is the long-time coexistence of several Masters, which may be because the Masters cannot receive VRRP packets from each other, or receive illegal packets. To solve such problems, try to ping between the Masters: if the ping fails, there are other problems present; if it succeeds, the problem is caused by inconsistent configuration. For the same VRRP virtual router, the number of virtual IP addresses, each virtual IP address, the timer duration and the authentication type must be completely consistent.

III. Fault 3: Frequent switchover of VRRP state
Such problem occurs when the virtual router timer duration is set too short. So the problem can be solved through prolonging this duration or configuring the preemption delay.
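A check for the consistency rule behind Fault 2, added here as an example rather than a Huawei tool: it parses configuration lines in the prompt form used in the procedures above (the 1.4.2 procedure is embedded as constructed input) and reports members of the same virtual router whose virtual IP list, adver-interval or authentication type/key differ. Priority, preemption and tracking are intentionally allowed to differ.

```python
import re
from collections import defaultdict

# Prompt form used in the configuration procedures: [switch-interface] vrrp ...
PROMPT = re.compile(r"^\[(?P<sw>[^\]-]+)-(?P<iface>[^\]]+)\]\s+vrrp\s+(?P<args>.+)$")

DEFAULT_ADVER = 3    # adver-interval default (1.2.7)


def parse_config(lines):
    """Parse CLI lines into {(switch, interface): {"auth": (type, key), "vrids": {id: {...}}}}.
    Lines that are not vrrp commands at a vlan-interface prompt are ignored."""
    cfg = {}
    for line in lines:
        m = PROMPT.match(line.strip())
        if not m:
            continue
        entry = cfg.setdefault((m["sw"], m["iface"]), {"auth": None, "vrids": {}})
        toks = m["args"].split()
        if toks[0] == "authentication-mode":
            entry["auth"] = (toks[1], toks[2] if len(toks) > 2 else None)
        elif toks[0] == "vrid":
            v = entry["vrids"].setdefault(int(toks[1]), {"vips": set(), "adver": DEFAULT_ADVER})
            if toks[2] == "virtual-ip":
                v["vips"].add(toks[3])
            elif toks[2] == "timer" and toks[3] == "advertise":
                v["adver"] = int(toks[4])
            # priority, preempt-mode and track may legitimately differ between members
    return cfg


def check_consistency(cfg):
    """Return findings for Fault 2: members of the same virtual router (same
    interface and vrid on different switches) must agree on the virtual IP
    list and adver-interval, and the interface's authentication type and key."""
    findings = []
    groups = defaultdict(dict)   # (iface, vrid) -> {switch: settings}
    auth = defaultdict(dict)     # iface -> {switch: (type, key)}
    for (sw, iface), entry in cfg.items():
        auth[iface][sw] = entry["auth"]
        for vrid, v in entry["vrids"].items():
            groups[(iface, vrid)][sw] = v
    for (iface, vrid), members in sorted(groups.items()):
        if len(members) < 2:
            continue
        vips = {sw: tuple(sorted(v["vips"])) for sw, v in members.items()}
        if len(set(vips.values())) > 1:
            findings.append(f"{iface} vrid {vrid}: virtual IP lists differ: {vips}")
        advers = {sw: v["adver"] for sw, v in members.items()}
        if len(set(advers.values())) > 1:
            findings.append(f"{iface} vrid {vrid}: adver-interval differs: {advers}")
    for iface, members in sorted(auth.items()):
        if len(members) >= 2 and len(set(members.values())) > 1:
            findings.append(f"{iface}: authentication type/key differ: {members}")
    return findings


# The procedure from 1.4.2, copied into a list so the check can run offline.
EXAMPLE_1_4_2 = [
    "[LSW_A-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111",
    "[LSW_A-vlan-interface2] vrrp vrid 1 priority 110",
    "[LSW_A-vlan-interface2] vrrp authentication-mode md5 switch",
    "[LSW_A-vlan-interface2] vrrp vrid 1 timer advertise 5",
    "[LSW_A-vlan-interface2] vrrp vrid 1 track vlan-interface 3 reduced 30",
    "[LSW_B-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111",
    "[LSW_B-vlan-interface2] vrrp authentication-mode md5 switch",
    "[LSW_B-vlan-interface2] vrrp vrid 1 timer advertise 5",
]

if __name__ == "__main__":
    print(check_consistency(parse_config(EXAMPLE_1_4_2)))   # [] : consistent
```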


HUAWEI

Quidway S3500 Series Ethernet Switches Operation Manual

12. System Management


Table of Contents
Chapter 1 File System Management    1-1
  1.1 File System    1-1
    1.1.1 File System Overview    1-1
    1.1.2 Directory Operation    1-1
    1.1.3 File Operation    1-1
    1.1.4 Storage Device Operation    1-2
    1.1.5 Set the Prompt Mode of the File System    1-2
  1.2 Configure File Management    1-3
    1.2.1 Configure File Management Overview    1-3
    1.2.2 Display the Current-configuration and Saved-configuration of Ethernet Switch    1-3
    1.2.3 Save the Current-configuration    1-4
    1.2.4 Erase Configuration Files from Flash Memory    1-4
  1.3 FTP    1-5
    1.3.1 FTP Overview    1-5
    1.3.2 Enable/Disable FTP Server    1-6
    1.3.3 Configure the FTP Server Authentication and Authorization    1-6
    1.3.4 Configure the Running Parameters of FTP Server    1-7
    1.3.5 Display and Debug FTP Server    1-7
    1.3.6 Introduction to FTP Client    1-8
    1.3.7 FTP client configuration example    1-8
    1.3.8 FTP server configuration example    1-10
  1.4 TFTP    1-11
    1.4.1 TFTP Overview    1-11
    1.4.2 Configure the File Transmission Mode    1-12
    1.4.3 Download Files by means of TFTP    1-12
    1.4.4 Upload Files by means of TFTP    1-12
    1.4.5 TFTP Client Configuration Example    1-13
Chapter 2 MAC Address Table Management    2-1
  2.1 MAC Address Table Management Overview    2-1
  2.2 MAC Address Table Configuration    2-2
    2.2.1 Set MAC