3Com® Stackable Switch

Family
Advanced Configuration Examples

Switch 5500
Switch 5500G
Switch 4500
Switch 4200G
Switch 4210

www.3Com.com
Part Number: 10016491 Rev. AA
Published: January 2008
3Com Corporation Copyright © 2006-2008, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any
350 Campus Drive form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without
written permission from 3Com Corporation.
Marlborough, MA
3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time
USA 01752-3064 without obligation on the part of 3Com Corporation to provide notification of such revision or change.
3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or
expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality,
and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s)
described in this documentation at any time.
If there is any software on removable media described in this documentation, it is furnished under a license agreement
included with the product as a separate document, in the hard copy documentation, or on the removable media in a
directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will
be provided to you.
UNITED STATES GOVERNMENT LEGEND
If you are a United States government agency, then this documentation and the software described herein are provided to
you subject to the following:
All technical data and computer software are commercial in nature and developed solely at private expense. Software is
delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a “commercial item”
as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial
license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or
FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided
on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide.
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered
in other countries.
3Com and the 3Com logo are registered trademarks of 3Com Corporation.
Cisco is a registered trademark of Cisco Systems, Inc.
Funk RADIUS is a registered trademark of Funk Software, Inc.
Aegis is a registered trademark of Aegis Group PLC.
Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, and Windows NT are
registered trademarks of Microsoft Corporation. Novell and NetWare are registered trademarks of Novell, Inc. UNIX is a
registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd.
IEEE and 802 are registered trademarks of the Institute of Electrical and Electronics Engineers, Inc.
All other company and product names may be trademarks of the respective companies with which they are associated.

ENVIRONMENTAL STATEMENT
It is the policy of 3Com Corporation to be environmentally-friendly in all operations. To uphold our policy, we are committed
to:
Establishing environmental performance standards that comply with national legislation and regulations.
Conserving energy, materials and natural resources in all operations.
Reducing the waste generated by all operations. Ensuring that all waste conforms to recognized environmental standards.
Maximizing the recyclable and reusable content of all products.
Ensuring that all products can be recycled, reused and disposed of safely.
Ensuring that all products are labelled according to recognized environmental standards.
Improving our environmental record on a continual basis.
End of Life Statement
3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.
Regulated Materials Statement
3Com products do not contain any hazardous or ozone-depleting material.
 CONTENTS

ABOUT THIS GUIDE

Conventions 5
Related Documentation 6

1 DHCP CONFIGURATION EXAMPLES

Supported DHCP Functions 7
Configuration Guide 8
DHCP Server Configuration Example 15
DHCP Relay Agent/Snooping Configuration Examples 17
Precautions 24
Protocols and Standards 25

2 QACL CONFIGURATION EXAMPLES

Supported QACL Functions 27
Configuration Guide 28
Network Environment 31
Time-based ACL plus Rate Limiting plus Traffic Policing Configuration Example 31
Configuration Example of Priority Re-marking plus Queue Scheduling Algorithm plus
Congestion Avoidance plus Packet Priority Trust 33
Configuration Example of Traffic Measurement plus Port Redirection 35
Configuration Example of Local Traffic Mirroring 37
Precautions 38
Other Functions Referencing ACL Rules 39
Configuration Example of WEB Cache Redirection 40
Configuration Example of WEB Cache Redirection 40

3 802.1X CONFIGURATION EXAMPLE

Introduction to 802.1X 43
Features Configuration 43
802.1X Configuration Commands 44
Enterprise Network Access Authentication Configuration Example 45
Network Application Analysis 45
Network Diagram 45
Configuration Procedure 46

4 SSH CONFIGURATION EXAMPLE

Introduction to SSH 61
 Support for SSH Functions 61
SSH Configuration 62
SSH Configuration Commands 62
Configuring an 3Com Switch as an SSH Server 63
Configuring an 3Com Switch as an SSH Client 66
SSH Configuration Example 69

5 ROUTING OVERVIEW
Overview 87
Configuration Example 87
Configuration Examples 113
Comprehensive Configuration Example 128
Network Requirements 128
Configuration Procedure 131
Displaying the Whole Configuration on Devices 145
Verifying the Configuration 153
Precautions 156

6 MULTICAST PROTOCOL CONFIGURATION EXAMPLES

Multicast Protocol Overview 159
Support of Multicast Features 161
Configuration Guidance 161
PIM-DM plus IGMP plus IGMP Snooping Configuration Example 173
PIM-SM plus IGMP plus IGMP Snooping Configuration Examples 179
IGMP Snooping-Only Configuration Examples 185
MSDP Configuration Examples 189

7 VLAN CONFIGURATION EXAMPLES

VLAN Support Matrix 195
Configuration Guide 196
VLAN Configuration Example 199
Precautions 206
Protocols and Standards 206

8 VLAN CONFIGURATION EXAMPLES

Voice VLAN Support Matrix 207
Voice VLAN Configuration Examples 209
Protocols and Standards 217
 ABOUT THIS GUIDE

Provides advanced configuration examples for the 3Com stackable switches,

which includes the following:

■ 3Com Switch 5500

■ 3Com Switch 5500G
■ 3Com Switch 4500
■ 3Com Switch 4200G
■ 3Com Switch 4210

This guide is intended for Qualified Service personnel who are responsible for
configuring, using, and managing the switches. It assumes a working knowledge
of local area network (LAN) operations and familiarity with communication
protocols that are used to interconnect LANs.

n Always download the Release Notes for your product from the 3Com World Wide
Web site and check for the latest updates to software and product
documentation:
http://www.3com.com

Conventions Table 1 lists icon conventions that are used throughout this guide.
Table 1 Notice Icons

Icon Notice Type Description

n Information note Information that describes important features or

instructions.

c Caution Information that alerts you to potential loss of data

or potential damage to an application, system, or
device.

w Warning Information that alerts you to potential personal

injury.

Related The following manuals offer additional information necessary for managing your
Documentation Stackable Switch. Consult the documents that apply to the switch model that you
are using.

■ 3Com Switch Family Command Reference Guides — Provide detailed

descriptions of command line interface (CLI) commands, that you require to
manage your Stackable Switch.
 6 ABOUT THIS GUIDE

■ 3Com Switch Family Configuration Guides— Describe how to configure your

Stackable Switch using the supported protocols and CLI commands.
■ 3Com Switch Family Quick Reference Guides — Provide a summary of
command line interface (CLI) commands that are required for you to manage
your Stackable Switch .
■ 3Com Stackable Switch Family Release Notes — Contain the latest information
about your product. If information in this guide differs from information in the
release notes, use the information in the Release Notes.

These documents are available in Adobe Acrobat Reader Portable Document

Format (PDF) on the 3Com World Wide Web site:

http://www.3com.com/

Products Supported by
this Document Table 2 Supported Products

Product Orderable Description

SKU
4210 3CR17331-91 Switch 4210 9-Port
4210 3CR17332-91 Switch 4210 18-Port
4210 3CR17333-91 Switch 4210 26-Port
4210 3CR17334-91 Switch 4210 52-Port
4210 3CR17341-91 Switch 4210 PWR 9-Port
4210 3CR17342-91 Switch 4210 PWR 18-Port
4210 3CR17343-91 Switch 4210 PWR 26-Port
4500 3CR17561-91 Switch 4500 26-Port
4500 3CR17562-91 Switch 4500 50-Port
4500 3CR17571-91 Switch 4500 PWR 26-Port
4500 3CR17572-91 Switch 4500 PWR 50-Port
5500 3CR17161-91 Switch 5500-EI 28-Port
5500 3CR17162-91 Switch 5500-EI 52-Port
5500 3CR17171-91 Switch 5500-EI PWR 28-Port
5500 3CR17172-91 Switch 5500-EI PWR 52-Port
4200G 3CR17660-91 Switch 4200G 12-Port
4200G 3CR17661-91 Switch 4200G 24-Port
4200G 3CR17662-91 Switch 4200G 48-Port
4200G 3CR17671-91 Switch 4200G PWR 24-Port
5500G 3CR17250-91 Switch 5500G-EI 24 Port
5500G 3CR17251-91 Switch 5500G-EI 48-Port
5500G 3CR17252-91 Switch 5500G-EI PWR 24-Port
5500G 3CR17253-91 Switch 5500G-EI PWR 48-Port
Products Supported by this Document 7
8 ABOUT THIS GUIDE
 DHCP CONFIGURATION EXAMPLES
1
Keywords:
DHCP, Option 82

Abstract:
This document describes DHCP configuration and application on Ethernet
switches in specific networking environments. Based on the different roles played
by the devices in the network, the functions and applications of DHCP server,
DHCP relay agent, DHCP snooping, and DHCP Option 82 are covered.

Acronym:
DHCP (Dynamic Host Configuration Protocol).

Supported DHCP
Functions

DHCP Functions
Table 1 DHCP functions supported by the 3Com stackable switches
Supported by the 3Com
Stackable Switches Function \Model DHCP server DHCP relay agent DHCP snooping
Switch 5500 ● ● ●
Switch 4500 - ● ●
Switch 5500Gs ● ● ●
Switch 4200 - - ●
Switch 4200G - - ●
Switch 4210 - - ●

Depending on the models, the 3Com stackable switches can support part or all of
the following DHCP functions:

The DHCP server provides the:

■ Global address pool/interface address pool

■ IP address lease configuration
■ Allocation of subnet masks, gateway addresses, DNS server addresses, and
WINS server addresses to DHCP clients
■ Static bindings for special addresses
■ DHCP server security functions, including detecting unauthorized DHCP servers
and duplicate IP addresses

The DHCP relay agent includes the:

 8 CHAPTER 1: DHCP CONFIGURATION EXAMPLES

■ DHCP relay agent

■ DHCP relay agent security functions, including address checking, DHCP server
handshaking, and periodic updates of client address entries

The DHCP snooping includes the:

■ DHCP snooping
■ DHCP snooping security functions, including DHCP snooping entry update and
ARP source checking
■ DHCP Snooping, Option 82

n Refer to respective user manuals for detailed descriptions of the DHCP functions
supported by different models.

Configuration Guide

n ■ This configuration varies depending on your switch’s model. The example in

this section uses the Switch 5500. Refer to configuration guide for your
switch’s model for further information. This example provides only basic
configuration steps Refer to the appropriate Configuration Guide and
Command Reference Guide for the function’s operating principles and
applications.

Configuring the DHCP The DHCP server can be configured to assign IP addresses from a global or
Server interface address pool. These two configuration methods are applicable to the
following environments:
■ If the DHCP server and DHCP clients are on the same network segment, both
methods can be applied.
■ If the DHCP server and DHCP clients are on different network segments, the
DHCP server can only be configured to assign IP addresses from a global
address pool.
1 Use the following commands to configure the DHCP server to assign IP addresses
from a global address pool.
Table 2 Configure IP address allocation from a global address pool

Operation Command Description

Enter system view system-view -
Enable the DHCP service dhcp enable Optional
By default, the DHCP service
is enabled.
Create a DHCP address pool and enter dhcp server Required
DHCP address pool view ip-pool
By default, no global DHCP
pool-name
address pool is created.
Configure an IP address range for dynamic network Required
allocation ip-address
By default, no IP address
[ mask-length |
range is configured for
mask mask ]
dynamic allocation.
 Configuration Guide 9

Table 2 Configure IP address allocation from a global address pool

Operation Command Description

Configure the lease period of dynamically expired { day day Optional
allocated IP addresses [ hour hour
IP address lease period
[ minute
defaults to one day.
minute ] ] |
unlimited }
Configure a domain name for DHCP domain-name Required
clients domain-name
By default, no domain name
is configured for DHCP
clients.
Configure DNS server addresses for DHCP dns-list Required
clients ip-address&<1-8>
By default, no DNS server
addresses are configured.
Configure WINS server addresses for DHCP nbns-list Required
clients ip-address&<1-8>
By default, no WINS server
addresses are configured.
Specify a NetBIOS node type for DHCP netbios-type Optional
clients { b-node |
By default, the DHCP clients
h-node | m-node
are h-nodes if the command
| p-node }
is not specified.
Configure gateway addresses for DHCP gateway-list Required
clients ip-address&<1-8>
By default, no gateway
address is configured.
Configure a self-defined DHCP option option code Required
{ ascii ascii-string |
By default, no self-defined
hex
option is configured.
hex-string&<1-10
> | ip-address
ip-address&<1-8>
}
Confi Return to system view quit Optional
gure
Create an address pool for the dhcp server By default, no MAC address
a
static address binding ip-pool or client ID is bound to an IP
static
pool-name address statically.
bindi
ng Specify the IP address of the static static-bind Note:
binding ip-address
■ To configure a static
ip-address
binding, you need to
[ mask-length |
specify the IP address and
mask mask ]
the MAC address or client
Specify the Specify the MAC static-bind ID.
MAC address address of the mac-address
■ A static address pool can
or the client ID static binding mac-address
be configured with only
of the static
Specify the client static-bind one IP address-to-MAC or
binding
ID of the static client-identifier IP address-to-client ID
binding client-identifier binding.
Return to system view quit --
Specify the IP addresses to be excluded dhcp server Optional
from automatic allocation forbidden-ip
By default, all the IP
low-ip-address
addresses in a DHCP address
[ high-ip-address ]
pool are available for dynamic
allocation.
10 CHAPTER 1: DHCP CONFIGURATION EXAMPLES

Table 2 Configure IP address allocation from a global address pool

Operation Command Description

Configure On the current interface interface Optional
the global VLAN-interface
By default, an interface
address VLAN-interface-
operates in the global address
pool mode number
pool mode.
dhcp select
global
quit
On multiple interfaces in dhcp select
system view global
{ interface
VLAN-interface
VLAN-interface-
number [ to
interface-type
interface-number
] | all }
Enable the detection of unauthorized dhcp server Required
DHCP servers detect
By default, the detection of
unauthorized DHCP servers is
disabled.
Configure Set the maximum number of dhcp server ping Optional
duplicate IP ping packets sent by the packets number
The default maximum
address DHCP server for each IP
number is 2.
detection address
Set a response timeout for dhcp server ping Optional
each ping packet timeout
The default timeout is 500
milliseconds
milliseconds.
Enable the DHCP server to support Option dhcp server Optional
82 relay
By default, the DHCP server
information
supports Option 82.
enable

2 Use the following commands to configure IP address allocation through the

interface address pool.
Table 3 Configure IP address allocation through the interface address pool

Operation Command Description

Enter system view system-view -
Enable the DHCP service dhcp enable Optional
By default, the DHCP service
is enabled.
Configure multiple or all the VLAN dhcp select Optional
interfaces to operate in interface address interface
pool mode { interface
vlan-interface
vlan-interface-num
ber [ to
vlan-interface
vlan-interface-num
ber ] | all }
 Configuration Guide 11

Table 3 Configure IP address allocation through the interface address pool

Operation Command Description

Configure a VLAN interface to operate in interface Required
interface address pool mode interface-type
By default, a VLAN interface
interface-number
operates in global address
dhcp select pool mode.
interface
Bind an IP address statically to a client dhcp server Optional
MAC address or client ID static-bind
By default, no static binding is
ip-address
configured
ip-address
{ client-identifier
client-identifier |
mac-address
mac-address }
Config On the current interface dhcp server Optional
ure the expired { day day
IP address lease period
lease [ hour hour
defaults to one day.
period [ minute
of minute ] ] |
dynami unlimited }
cally
On multiple interfaces in system quit
allocat
view
ed IP dhcp server
addres expired { day day
ses [ hour hour
[ minute
minute ] ] |
unlimited }
{ interface
interface-type
interface-number
[ to interface-type
interface-number ]
| all }
Return to system view quit -
Specify the IP addresses to be excluded dhcp server Optional
from automatic allocation forbidden-ip
By default, all the IP addresses
low-ip-address
in an interface address pool
[ high-ip-address ]
are available for dynamic
allocation.
Configure a domain On one interface interface Optional
name for DHCP vlan-interface
By default, no domain name
clients vlan-interface-num
is configured for DHCP
ber
clients.
dhcp server
domain-name
domain-name
quit
On multiple dhcp server
interfaces domain-name
domain-name
{ interface
vlan-interface
vlan-interface-num
ber [ to
vlan-interface
vlan-interface-num
ber ] | all }
12 CHAPTER 1: DHCP CONFIGURATION EXAMPLES

Table 3 Configure IP address allocation through the interface address pool

Operation Command Description

Configure DNS On one interface interface Optional
server addresses for vlan-interface
By default, no DNS server
DHCP clients vlan-interface-num
address is configured.
ber
dhcp server
dns-list
ip-address&<1-8>
quit
On multiple dhcp server
interfaces dns-list
ip-address&<1-8>
{ interface
vlan-interface
vlan-interface-num
ber [ to
vlan-interface
vlan-interface-num
ber ] | all }
Configure WINS On one interface interface Optional
server addresses for vlan-interface
By default, no WINS server
DHCP clients vlan-interface-num
addresses are configured.
ber
dhcp server
nbns-list
ip-address&<1-8>
quit
On multiple dhcp server
interfaces nbns-list
ip-address&<1-8>
{ interface
vlan-interface
vlan-interface-num
ber [ to
interface-type
interface-number ]
| all }
Define a NetBIOS On one interface interface Optional
node type for DHCP interface-type
By default, no NetBIOS node
clients interface-number
type is specified and a DHCP
dhcp server client uses the h-node type.
netbios-type
{ b-node | h-node
| m-node |
p-node }
quit
On multiple dhcp server
interfaces netbios-type
{ b-node | h-node
| m-node |
p-node }
{ interface
interface-type
interface-number
[ to interface-type
interface-number ]
| all }
 Configuration Guide 13

Table 3 Configure IP address allocation through the interface address pool

Operation Command Description

Configure a On one interface interface Optional
self-defined DHCP interface-type
By default, no self-defined
option interface-number
option is configured.
dhcp server
option code
{ ascii ascii-string |
hex
hex-string&<1-10>
| ip-address
ip-address&<1-8>
}
quit
On multiple dhcp server
interfaces option code
{ ascii ascii-string |
hex
hex-string&<1-10>
| ip-address
ip-address&<1-8>
} { interface
interface-type
interface-number
[ to interface-type
interface-number ]
| all }
Enable the detection of unauthorized dhcp server Optional
DHCP servers detect
By default, the detection of
unauthorized DHCP servers is
disabled.
Configure duplicate Set the maximum dhcp server ping Optional
IP address detection number of ping packets number
The default maximum
packets sent by the
number is 2.
DHCP server for
each IP address
Set a response dhcp server ping Optional
timeout for each timeout
The default timeout is 500
ping packet milliseconds
milliseconds.
Enable the DHCP server to support Option dhcp server relay Optional
82 information
By default, the DHCP server
enable
supports Option 82.

Configuring the DHCP Use the following commands to configure the DHCP relay agent.
Relay Agent
Table 4 Configure DHCP relay agent

Operation Command Description

Enter system view system-view -
Enable the DHCP service dhcp enable Optional
By default, the DHCP service is
enabled.
Configure DHCP server IP dhcp-server groupNo ip Required
addresses for a DHCP server ip-address&<1-8>
By default, no DHCP server IP
group
address is configured for a
DHCP server group.
14 CHAPTER 1: DHCP CONFIGURATION EXAMPLES

Table 4 Configure DHCP relay agent

Operation Command Description

Configure a DHCP user dhcp-security static Optional
address entry ip-address mac-address
By default, no DHCP user
address entry is configured.
Enable DHCP relay agent dhcp relay hand enable Optional
handshake
By default, DHCP relay agent
handshake is enabled.
Configure the interval at dhcp-security tracker Optional
which the DHCP relay agent { interval | auto }
By default, the update interval
updates dynamic client
is calculated automatically
address entries
according to the number of
the DHCP client entries.
Enable the detection on dhcp-server detect Required
unauthorized DHCP servers
By default, the detection of
unauthorized DHCP servers is
disabled.
Enable the DHCP relay agent dhcp relay information Required
to support Option 82 enable
By default, the DHCP relay
agent does not support
Option 82.
Configure a strategy for the dhcp relay information Optional
DHCP relay agent to handle strategy { drop | keep |
By default, the strategy is
request packets containing replace }
replace.
Option 82
Enter VLAN interface view interface interface-type -
interface-number
Associate the interface to a dhcp-server groupNo Required
DHCP server group
By default, a VLAN interface is
not associated to any DHCP
server group.
Enable the address checking address-check enable Required
function for the DHCP relay
By default, the address
agent
checking function is disabled
for the DHCP relay agent.

Configuring DHCP Use the following commands to configure DHCP snooping:

Snooping Table 5 Configure DHCP snooping

Operation Command Description

Enter system view system-view -
Enable DHCP snooping dhcp-snooping Required
By default, DHCP snooping is
disabled.
Enter Ethernet port view interface -
eth\gig-interface-type
unit/0/0port-number
Specify the port connected to dhcp-snooping trust Optional
the DHCP server as a trusted
By default, all the ports of a
port
switch are untrusted ports.
 DHCP Server Configuration Example 15

DHCP Server
Configuration
Example

Network Requirements A Switch 5500 serves as the DHCP server in the corporate headquarters (HQ) to
allocate IP addresses to the workstations in the HQ and a branch, and it also acts
as the gateway to forward packets from the HQ. The network requirements are as
follows:
■ Assign the HQ the IP addresses in the 10.214.10.0/24 network segment, with a
lease period of two days, and exclude the IP addresses of the DNS server, WINS
server, and mail server from allocation.
■ Assign IP addresses to the DNS server, WINS server, and the mail server in HQ
through static bindings.
■ Assign the workstations in the Branch the IP addresses in the 10.210.10.0/24
network segment, with a lease period of three days, and assign the file server
in the Branch an IP address through a static IP-to-MAC binding.
■ Assign the addresses of the gateway, DNS server, and the WINS server along
with an IP address to each workstation in the HQ and Branch.
■ Enable the detection of unauthorized DHCP servers to prevent any
unauthorized DHCP server from allocating invalid addresses.

Network Diagram Figure 1 Network diagram for DHCP server configuration

     

H GF  G F H  FD E 

0DLO '16 :,16 '+&3

6HUYHU 6HUYHU 6HUYHU &OLHQW

VLAN-int 10
+4
*DWHZD\
VLAN-int 100
,3QHWZRUN

'+&35HOD\

'+&3 '+&3 )LOH6HUYHU

&OLHQW &OLHQW 
GI H

%UDQFK
 16 CHAPTER 1: DHCP CONFIGURATION EXAMPLES

Configuration Procedure Software Version Used

This example uses the Switch 5500 running software version 3.2.

Configuring DHCP server

■ Configure address allocation for the devices in the HQ.

# Configure the IP address of VLAN-interface10 on the DHCP server in the HQ.

<3Com> system-view
[3Com] interface Vlan-interface 10
[3Com-Vlan-interface10] ip address 10.214.10.1 24

# Configure the interface to operate in the interface address pool mode, assigning
the IP addresses in the 10.214.10.0/24 network segment to the devices in the HQ.

[3Com-Vlan-interface10] dhcp select interface

# Configure the address lease period of the address pool, and configure the IP
addresses of the DNS server and WINS server.

[3Com-Vlan-interface10] dhcp server expired day 2

[3Com-Vlan-interface10] dhcp server dns-list 10.214.10.3
[3Com-Vlan-interface10] dhcp server nbst-list 10.214.10.4

No gateway needs to be configured for the clients because an interface operating

in the interface address pool mode automatically serves as the gateway for DHCP
clients and sends the requested information to the clients.

# Assign IP addresses to the DNS server, WINS server, and mail server through
IP-to-MAC bindings.

[3Com-Vlan-interface10] dhcp server static-bind ip-address 10.214.10

.3 mac-address 000d-85c7-4e20
[3Com-Vlan-interface10] dhcp server static-bind ip-address 10.214.10
.4 mac-address 0013-4ca8-9b71
[3Com-Vlan-interface10] dhcp server static-bind ip-address 10.214.10
.5 mac-address 002e08d20-54c6

# Exclude the static IP addresses of the DNS server, WINS server, and mail server
from allocation.

[3Com-Vlan-interface10] quit
[3Com] dhcp server forbidden-ip 10.214.10.3 10.214.10.5
■ Configure address allocation for the devices in the Branch.

# Create a global address pool named “br” for the Branch, and specify the range
and lease period of the IP addresses for allocation.

[3Com] dhcp server ip-pool br

[3Com-dhcp-pool-br] network 10.210.10.0 mask 255.255.255.0
[3Com-dhcp-pool-br] expired day 3

# Create a static binding address pool named “br-static”, and assign the file server
in the Branch an IP address through an IP-to-MAC binding.
 DHCP Relay Agent/Snooping Configuration Examples 17

[3Com-dhcp-pool-br] quit
[3Com] dhcp server ip-pool br-static
[3Com-dhcp-pool-br-static] static-bind ip-address 10.214.10.4 mask 2
55.255.255.0
[3Com-dhcp-pool-br-static] static-bind mac-address 000d-88f8-4e71

# Specify the gateway address, DNS server address, and the WINS server address
for the workstations in the Branch.

[3Com-dhcp-pool-br-static] quit
[3Com] dhcp server ip-pool br
[3Com-dhcp-pool-br] gateway-list 10.210.10.1
[3Com-dhcp-pool-br] dns-list 10.214.10.3
[3Com-dhcp-pool-br] nbst-list 10.214.10.4

# Exclude the static IP address of the gateway in the Branch from allocation.

[3Com-dhcp-pool-br] quit
[3Com] dhcp server forbidden-ip 10.210.10.1

# Enable the detection of unauthorized DHCP servers.

[3Com] dhcp server detect

# Configure VLAN-interface100 to operate in the global address pool mode.

[3Com] interface Vlan-interface 100

[3Com-Vlan-interface100] dhcp select global

Note that:

After DHCP configuration is complete, IP addresses can be assigned to the

workstations in the Branch only when a route is active between the HQ and the
Branch.

Configuring the DHCP relay agent

This section mainly describes the DHCP server configuration. The following shows
the basic DHCP relay agent configuration that ensures the DHCP relay agent to
relay DHCP requests to the DHCP server. For details about DHCP relay agent
configuration, see “DHCP Relay Agent/Snooping Configuration Examples” on
page 17.
<3Com> system-view
[3Com] dhcp-server 1 ip 10.214.10.1
[3Com] interface Vlan-interface 5 (define Vlan 5 in configuration
above)
[3Com-Vlan-interface5] dhcp-server 1

DHCP Relay
Agent/Snooping
Configuration
Examples

Network Requirements A Cisco Catalyst 3745 switch is deployed in the HQ and serves as the DHCP server
to assign IP addresses to the workstations in the Office branch. The branches are
18 CHAPTER 1: DHCP CONFIGURATION EXAMPLES

connected to an XRN (Expandable resilient network) Fabric that serves as the

central node and the DHCP relay agent to forward the DHCP requests from the
workstations. Meanwhile, a lab DHCP server is used to assign IP addresses to the
devices in the labs. The network requirements are as follows:
■ Configure the DHCP server in the HQ to assign the IP addresses in the
192.168.10.0/24 network segment to the workstations in the Office branch,
with a lease period of 12 hours. Configure the IP addresses of the DNS server
and WINS server as 192.169.100.2 and 192.168.100.3 respectively.
■ The XRN Fabric is connected to the branches and is comprised of four switches.
It serves as the DHCP relay agent to forward the DHCP requests from the
workstations in the Office and the devices in the labs. It is enabled to detect
unauthorized DHCP servers.
■ An Ethernet switch in Lab1 serves as the Lab DHCP server to assign the IP
addresses in the 192.168.17.0/24 network segment to the devices in Lab1,
with a lease period of one day, and to assign the IP addresses in the
192.168.19.0/24 network segment to Lab2, with a lease period of two days.
The lab DHCP server and the XRN Fabric are interconnected through the
172.16.2.4/30 network segment.
■ Configure the address checking function on the DHCP relay agent so that only
the devices that are assigned legal IP addresses from the DHCP server are
allowed to access the external network.
■ Configure address entry update on the DHCP relay agent so that it updates the
address entries by sending requests to the DHCP server every one minute.
■ Enable DHCP snooping to support DHCP Option 82, adding local port
information to the Option 82 field in DHCP messages.
■ Enable the DHCP relay agent to support DHCP Option 82 so that the DHCP
relay agent keeps the original filed unchanged upon receiving DHCP messages
carrying Option 82.
■ Enable the DHCP server to support DHCP Option 82 so that it assigns the IP
addresses 192.168.10.2 through 192.168.10.25 to the DHCP clients
connected to Ethernet1/0/11 on the DHCP snooping switch and assigns
192.168.10.100 through 192.168.10.150 to the DHCP clients connected to
Ethernet1/0/12 of the DHCP snooping switch.
 DHCP Relay Agent/Snooping Configuration Examples 19

Network Diagram Figure 2 Network diagram for DHCP relay agent/snooping integrated configuration

&LVFR&DWDO\VW



/DE
+4

6ZLWFK$
,3QHWZRUN
0DVWHU
6ZLWFK%
9/$1LQW 8QLW
 
,5))DEULF
'+&35HOD\
6ZLWFK' 6ZLWFK&
 8QLW 8QLW
(WK  9/$1LQW 9/$1LQW /DE
'+&36QRRSLQJ     
'+&36HUYHU
(WK (WK  9/$1LQW

(WK    FH  GHD

2IILFH /DE

Configuration Procedure In this example, the XRN Fabric is comprised of Switch 5500s running software
version 3.2, a Switch 7750 switch running software version Release 0028 is used
as the DHCP snooping-capable switch, and a 3Com Switch 7750 Family S3528
switch running software version Release 0028 is used as the Lab DHCP server.

For better readability:

■ The devices in the XRN Fabric are SwitchA, SwitchB, SwitchC, and SwitchD.
■ The DHCP snooping-capable device is referred to as “Snooping”.
■ The device serving as the Lab DHCP server is referred to as “LAB”.

Configuring XRN Fabric

The Switch 5500 supports XRN Fabric. You can interconnect four devices to form a
Fabric for centralized management of the devices in the Fabric. For details, see the
related sections in the Switch 5500 Family Configuration Guide.
20 CHAPTER 1: DHCP CONFIGURATION EXAMPLES

Configuring the DHCP relay agent

Figure 3 Network diagram for DHCP relay agent configuration

6ZLWFK$
0DVWHU 
6ZLWFK%
9/$1 LQW  8QLW 
  
,5))DEULF
'+&35HOD\
6ZLWFK' 6ZLWFK&
8QLW   8QLW 
(WK   9/$1 LQW  9/$1 LQW 
    

Within the XRN Fabric, configuration made on a device can be synchronized to the
other devices. Therefore, configuration is performed on Switch A only in this
example.

# Configure to forward the DHCP requests from the Office to the DHCP server in
the HQ.

<SwitchA> system-view
[SwitchA] dhcp-server 1 ip 192.168.0.3
[SwitchA] interface vlan-interface10
[SwitchA-Vlan-interface10] ip address 192.168.10.1 24
[SwitchA-Vlan-interface10] dhcp-server 1

# Configure to forward the DHCP requests from Lab2 to the Lab DHCP server.

[SwitchA-Vlan-interface10] quit
[SwitchA] dhcp-server 2 ip 192.168.17.1
[SwitchA] interface Vlan-interface 25
[SwitchA-Vlan-interface25] ip address 192.168.19.1 24
[SwitchA-Vlan-interface25] dhcp-server 2

# Configure the IP address of VLAN-interface17 as 172.16.2.5/30 for forwarding

DHCP packets from the Lab DHCP Server to a non-local segment.

[SwitchA-Vlan-interface25] quit
[SwitchA] interface Vlan-interface 17
[SwitchA-Vlan-interface17] ip add 172.16.2.5 30

# Configure the address checking function on the DHCP relay agent. Make sure
you configure the IP addresses and MAC addresses of the two DHCP servers as
static entries for the security function.

[SwitchA-Vlan-interface17] quit
[SwitchA] dhcp-security static 192.168.0.3 000D-88F8-4E71
[SwitchA] dhcp-security static 192.168.17.1 0010-5ce9-1dea
[SwitchA] interface Vlan-interface 10
[SwitchA-Vlan-interface10] address-check enable
[SwitchA-Vlan-interface10] quit
[SwitchA] interface vlan-interface 25
[SwitchA-Vlan-interface25] address-check enable
[SwitchA-Vlan-interface25] quit
 DHCP Relay Agent/Snooping Configuration Examples 21

# Configure the address entry update interval on the DHCP relay agent.

[SwitchA] dhcp relay hand enable

[SwitchA] dhcp-security tracker 60

# Enable the DHCP relay agent to support DHCP Option 82 and adopt the strategy
of keeping the original filed upon receiving DHCP messages carrying Option 82.

[SwitchA] dhcp relay information enable

[SwitchA] dhcp relay information strategy keep

# Enable the DHCP relay agent to detect unauthorized DHCP servers.

[SwitchA] dhcp-server detect

# Enable UDP-Helper so that the XRN Fabric can operate in the DHCP relay agent
mode.

[SwitchA] udp-helper enable

# To ensure normal forwarding of DHCP packets across network segments, you

need configure a routing protocol and advertise the network segments of
interfaces. The following configuration uses RIP as an example. For the
configuration of other routing protocols, see the parts covering routing protocols
in product manuals.

[SwitchA] rip
[SwitchA-rip] network 192.168.10.0
[SwitchA-rip] network 192.168.19.0
[SwitchA-rip] network 172.16.0.0

n For the DHCP relay agent using the XRN structure and the DHCP server in the HQ
to communicate with each other, an active route must also be configured
between them. This configuration is performed by the ISP or the user; therefore, it
will not be covered in this document.

Configuring the Lab DHCP server

Figure 4 Network diagram for the Lab DHCP server configuration

9/$1 LQW /DE

  
'+&36HUYHU
9/$1 LQW
   
  FH  GHD

/DE
22 CHAPTER 1: DHCP CONFIGURATION EXAMPLES

# Configure an address pool for Lab2 and specify the address range, lease period,
and the gateway address.

<LAB> system-view
[LAB] dhcp enable
[LAB] dhcp server ip-pool lab2
[LAB-dhcp-lab2] network 192.168.19.0 255.255.255.0
[LAB-dhcp-lab2] expired day 2
[LAB-dhcp-lab2] gateway-list 192.168.19.1

# Configure the IP address of VLAN-interface17 as 172.16.2.6/30 and enable it to

operate in global address pool mode.

[LAB-dhcp-lab2] quit
[LAB] interface Vlan-interface 17
[LAB-Vlan-interface17] ip address 172.16.2.6 30
[LAB-Vlan-interface17] dhcp select global

# Lab1 is connected to VLAN-interface15. Therefore, to assign the IP addresses in

the 192.168.17.0/24 network segment to the devices in Lab1, you only need to
configure VLAN-interface15 to operate in the interface address pool mode.

[LAB-Vlan-interface17] quit
[LAB] interface vlan-interface 15
[LAB-Vlan-interface15] ip address 192.168.17.1 24
[LAB-Vlan-interface15] dhcp select interface
[LAB-Vlan-interface15] quit

# To ensure that the lab DHCP server forwards DHCP packets normally, you need
configure a routing protocol. The following configuration uses RIP as an example.
For the configuration of other routing protocols, see the related parts in product
manuals.

[LAB] rip
[LAB-rip] network 192.168.17.0
[LAB-rip] network 172.16.0.0

Configuring DHCP snooping

Figure 5 Network diagram for DHCP snooping configuration

(WK 
'+&36QRRSLQJ
(WK   (WK 
(WK  

2IILFH
 DHCP Relay Agent/Snooping Configuration Examples 23

# Enable DHCP snooping and enable Option 82 support for DHCP snooping.

<Snooping> system-view
[Snooping] dhcp-snooping
[Snooping] dhcp-snooping information enable
[Snooping] dhcp-packet redirect Ethernet 0/11 to 0/13

Configuring the DHCP server in the HQ

# On the 3Com series switches, port numbers, VLAN numbers, and the MAC
addresses of the DHCP snooping device and the DHCP relay agent are added to
DHCP Option 82. A complete piece of Option 82 information is a combination of
the values of two suboptions:

Circuit ID suboption: It identifies the VLAN to which the clients belong and the
port to which the DHCP snooping device is connected.

Figure 6 Packet structure of Circuit ID suboption

0 15 31
Type(1) Length(6) 0 4

VLAN ID Port Index

For example, the DHCP messages from clients connected to Ethernet1/0/11 are
added with Option 82, whose Circuit ID suboption should be
0x010600040001000a, where 01060004 is a fixed value, 0001 indicates the
access port’s VLAN is VLAN 1, and 000a is the absolute number of the port, which
is 1 less than the actual port number, indicating the actual port is Ethernet1/0/11.

Remote ID suboption: It identifies the MAC address of the DHCP snooping device
connected to the client.

Figure 7 Packet structure of Remote ID suboption

0 15 31
Type(2) Length(8) 0 6

Bridge MAC Address

For example, the DHCP messages from clients connected to the DHCP snooping
device with MAC 000f-e234-bc66 are added with Option 82, whose Remote ID
suboption should be 02080006000fe234bc66, where 02080006 is a fixed value
and 000fe234bc66 is the MAC address of the DHCP snooping device.

In this example, IP addresses are assigned based on port number only. Therefore,
on the DHCP server, only a matching port number field in the Circuit ID suboption
needs to be found.

n The following configuration is performed on the Cisco Catalyst 3745 switch

running IOS version 12.3(11)T2. If you are using any other models or devices
running any other version, see the user manuals provided with the devices.

# Enable DHCP server and allocate IP addresses using Option 82 information.

 24 CHAPTER 1: DHCP CONFIGURATION EXAMPLES

Switch> enable
Switch(config)# configure terminal
Enter Configuration commands, one per line. End with CNTL/Z.
Switch(config)# service dhcp
Switch(config)# ip dhcp use class

# Create a DHCP class for the client connected to Ethernet1/0/11 of the DHCP
snooping device and match the port number in the Circuit ID suboption of
Option82, and replace the contents without match need with a wildcard “*”.

Switch(config)# ip dhcp class office1

Switch(dhcp-class)# relay agent information hex 010600040001000a*
Switch(dhcp-class)# exit

# Configure a DHCP class for the client connected to Etherent1/0/12 of the DHCP
snooping device and match the port number in the Circuit ID suboption of
Option82.

Switch(config)# ip dhcp class office2

Switch(dhcp-class)# relay agent information hex 010600040001000b*

# Create an address pool for Office and specify address ranges for the two DHCP
classes.

Switch(config)# ip dhcp pool office

Switch(dhcp-pool)# network 192.168.10.0
Switch(dhcp-pool)# class office1
Switch(dhcp-pool-class)# address range 192.168.10.2 192.168.10.25
Switch(dhcp-pool-class)# exit
Switch(dhcp-pool)# class office2
Switch(dhcp-pool-class)# address range 192.168.10.100 192.168.10.150
Switch(dhcp-pool-class)# exit

# Configure the lease period, gateway address, DNS server address, and WINS
server address for the address pool.

Switch(dhcp-pool)# lease 0 12
Switch(dhcp-pool)# default-router 192.168.10.1
Switch(dhcp-pool)# dns-server 192.168.100.2
Switch(dhcp-pool)# netbios-name-server 192.168.100.3

After the above-mentioned configuration, the DHCP server can automatically

assign an IP address, the gateway address, DNS server address, and the WINS
server address for each device in Office.

Precautions

Cooperation Between ■ In an XRN network, the DHCP relay agent runs on all the units in the Fabric. But
DHCP Relay Agent and only the DHCP relay agent running on the master unit can receive and send
XRN packets to perform full DHCP relay agent functions. The DHCP relay agent
running on a slave unit, however, only serves as a backup for the master unit.
■ DHCP is an application-layer protocol based on UDP. Once a slave unit receives
a DHCP request, UDP-Helper redirects the packet to the master unit. Then, the
DHCP relay agent running on the master unit gives a response back to the
 Protocols and Standards 25

request and sends the real time information to each slave unit for backup. In
this way, when the current master unit fails, one of the slaves becomes the new
master and operates as the DHCP relay agent immediately. Therefore, make
sure you enable UDP-Helper before using DHCP relay agent in an XRN system.

Protocols and ■ RFC2131: Dynamic Host Configuration Protocol

Standards ■ RFC2132: DHCP Options and BOOTP Vendor Extensions
■ RFC3046: DHCP Relay Agent Information Option
26 CHAPTER 1: DHCP CONFIGURATION EXAMPLES
 QACL CONFIGURATION EXAMPLES
2
Key words:
ACL, and QoS

Abstract:
This document describes QACL configurations on Ethernet switches in actual
networking environments. To satisfy different user needs, the document covers
various functions and applications like time-based ACLs, traffic policing, priority
re-marking, queue scheduling, traffic measurement, port redirection, local traffic
mirroring, and WEB Cache redirection.

Acronyms:
Access control list (ACL), and quality of service (QoS)

Supported QACL
Functions

ACL/QoS Functions
Table 6 ACL/QoS functions supported by 3Com stackable switches
Supported by 3Com
Stackable Switches Switch Switch Switch Switch Switch
Function\Model 5500 4500 5500G 4200G 4210
Basic ACL ● ● ● ● ●
Advanced ACL ● ● ● ● ●
Layer 2 ACL ● ● ● - -
User-defined ACL ● ● ● - -
Software-based ● ● ● ● ●
ACL referenced
by upper-layer
software
Apply ● ● ● - -
hardware-based
ACL to hardware
Traffic ● ● ● - -
classification
Priority ● ● ● - -
re-marking
Port rate limiting ● ● ● ● ●
Traffic policing ● ● ● - -
Traffic shaping - - - - -
Port redirection ● ● ● - -
 28 CHAPTER 2: QACL CONFIGURATION EXAMPLES

Table 6 ACL/QoS functions supported by 3Com stackable switches

Switch Switch Switch Switch Switch

Function\Model 5500 4500 5500G 4200G 4210
Queue ● ● ● ● ●
scheduling
Congestion ● ● - - -
avoidance
Local traffic ● ● ● - -
mirroring
Traffic ● ● ● - -
measurement
WEB Cache ● - - - -
redirection

● means that the function is supported.

n
- means that the function is not supported.

n For details on the ACL and QoS functions supported by different models, refer to
switch model’s configuration guide.

Configuration Guide

n ■ ACL/QoS configuration varies with switch models. The configuration below

uses a 3Com Switch 5500 as an example. For ACL/QoS configuration on other
switches, refer to corresponding user manuals.
■ The section below lists basic configuration steps. For the function’s detailed
operational instructions, refer to the configuration guide and command
reference guidecommand reference guide for the applicable product.
Table 7 Configure ACL/QoS in system view

Configuration Command Remarks

Create an ACL and enter acl number acl-number By default, the matching order is
ACL view [ match-order { config | config.
auto } ]
Layer 2 ACLs and user-defined
ACLs do not support
match-order.
Define an ACL rule rule [ rule-id ] { permit | The parameters (criteria) available
deny } rule-string for rule-string vary with ACL
types. For additional details, refer
to the corresponding command
reference guide.
 Configuration Guide 29

Table 7 Configure ACL/QoS in system view

Configuration Command Remarks

Configure a queue queue-scheduler ■ If the weight or minimum
scheduling algorithm in { strict-priority | wfq bandwidth of a queue is set to
system view queue0-width queue1-width 0 in the WRR or WFQ
queue2-width queue3-width approach, strict priority
queue4-width queue5-width queuing applies to the queue.
queue6-width queue7-width
■ By default, the WRR queue
| wrr queue0-weight
scheduling algorithm is used
queue1-weight
for all outbound queues on a
queue2-weight
port. Default weights are
queue3-weight
1:2:3:4:5:9:13:15.
queue4-weight
queue5-weight ■ The queue scheduling
queue6-weight algorithm defined using the
queue7-weight } queue-scheduler command
in system view will work on all
ports.
Configure congestion wred queue-index qstart -
avoidance probability

Table 8 Configure ACL/QoS in port view

Configuration Command Remarks

Apply an ACL on a port packet-filter { inbound | -
outbound } acl-rule
Configure the switch to trust priority trust Configure the switch to trust
the priority of received the priority carried in received
packets packets.
Configure port-based rate line-rate { inbound | The granularity is 64 kbps. If
limit outbound } target-rate an entered number is in the
range N×64 to (N+1)×64 (N is
a natural number), the switch
takes the value (N+1)×64.
Reference an ACL for traffic traffic-priority { inbound | You can re-mark the IP
identification, and re-assign a outbound } acl-rule { { dscp priority, 802.1p priority, DSCP
priority to the matching dscp-value | ip-precedence priority of packets, and the
packets { pre-value | from-cos } } | cos priority of local queues.
{ pre-value | from-ipprec } |
local-precedence
pre-value }*
Configure traffic policing traffic-limit inbound acl-rule exceed action: specifies the
target-rate [ exceed action ] action taken on the excess
packets when the packet
traffic exceeds the preset
limit.
■ drop: Drop the excess
packets.
■ remark-dscp value: Re-set
the DSCP priority, and
forward the packets.
30 CHAPTER 2: QACL CONFIGURATION EXAMPLES

Table 8 Configure ACL/QoS in port view

Configuration Command Remarks

Configure a queue scheduling queue-scheduler { wfq ■ The queue scheduling
algorithm in port view queue0-width queue1-width algorithm defined using
queue2-width queue3-width the queue-scheduler
queue4-width queue5-width command in Ethernet port
queue6-width queue7-width | view will work on the
wrr queue0-weight current port only.
queue1-weight
■ In the globally defined
queue2-weight
WRR or WFQ queue
queue3-weight
scheduling algorithm, you
queue4-weight
can modify the weight or
queue5-weight
bandwidth in port view if
queue6-weight
the weight or bandwidth
queue7-weight }
of each queue cannot
satisfy the needs of a port.
■ Queue weight or
bandwidth defined in port
view take priority over the
global settings.
■ The queue weight or
bandwidth defined in port
view cannot be displayed
using the display
queue-scheduler
command.
Configure redirection traffic-redirect { inbound | A packet cannot be
outbound } acl-rule { cpu | forwarded normally if it is
interface interface-type redirected to the CPU.
interface-number }
Reference an ACL for traffic traffic-statistic inbound -
identification, and measure acl-rule
the traffic of the matching
packets
 Network Environment 31

Network Environment Figure 8 Network topology

10 .0 .0.2 10.0.0 .3 10.0.0.4

Server 2 Server 3 Server 4

10.0 .0.1
Server 1
LAN 2
Data Detect Server
LAN 1
GE 1/1/2

GE 1/1/1 E1 /0/20

E1 /0/1 E1 /0/4
LAN 10 LAN 12

E1 /0/2 E1/0/3

PC 1 PC 4

LAN 11 LAN 12
10.0.0.10 10 .0.0.13
0012-a 990-2440 0012- a990-2443

PC 2 PC 3

10 .0 .0.11 10.0.0 .12

0012-a 990-2441 0012 -a990 -2442

Figure 8 shows the network topology of a company. The environment is as

follows:

■ A Switch 5500 serves as the central switch of the company. The software
version is Release 3.2.
■ The devices within the company gain access to the Internet through Server1
attached to the port GigabitEthernet1/1/1.
■ Server2, Server3, and Server4 are the data server, mail server and file server of
the company respectively. They are connected to the port
GigabitEthernet1/1/2.
■ The Data Detect Server is connected to the port Ethernet1/0/20.
■ PC1, PC2, PC3 and PC4 are clients of the company, and are connected to the
ports Ethernet1/0/1, Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4
respectively.

Time-based ACL plus

Rate Limiting plus
Traffic Policing
Configuration
Example

Network Requirements The company gains access to the Internet through Server1. The requirements are
as follows:
 32 CHAPTER 2: QACL CONFIGURATION EXAMPLES

■ During the period from 8:30 to 18:30 in workdays, the clients are not allowed
to access the Internet through HTTP. In other periods, the clients are allowed to
access the Internet. The maximum access traffic is 100 Mbps.
■ For the packets with the IP priority of 7 that are sent by PC 1, the allowed
maximum rate is 20 Mbps. The DSCP priority of such packets at rates higher
than 20 Mbps is modified as EF.
■ For the packets with the CoS priority of 5 that are sent by PC 2, the allowed
maximum rate is 10 Mbps. Such packets at rates higher than 10 Mbps are
discarded.

Network Diagram Figure 9 Network diagram for configuration of time-based ACL plus port-based
bandwidth limiting plus traffic policing

10.0 .0.1
Server 1

LAN 1
GE 1/1/2

GE 1/1/1 E1 /0/20

E1 /0/1 E1 /0/4
LAN 10 LAN 12

E1 /0/2 E1/0/3

PC 1 PC 4

LAN 11 LAN 12
10.0.0.10 10 .0.0.13
0012-a 990-2440 0012- a990-2443

PC 2 PC 3

10 .0 .0.11 10.0.0 .12

0012-a 990-2441 0012 -a990 -2442

Configuration Procedure # Create time range a001, defining the office hours on working days.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] time-range a001 8:30 to 18:00 working-day

# Create time range a002, defining off hours.

[3Com] time-range a002 00:00 to 8:30 working-day

[3Com] time-range a002 18:00 to 24:00 working-day
[3Com] time-range a002 00:00 to 24:00 off-day

# Define ACL 3010: Forbid the clients to access the Internet through HTTP during
the time range a001; classify and mark the packets with the IP priority of 7
generated when PC 1 accesses the Internet during non-workday periods.

[3Com] acl number 3010

[3Com-acl-adv-3010] rule 0 deny tcp destination 10.0.0.1 0 destinati
 Configuration Example of Priority Re-marking plus Queue Scheduling Algorithm plus Congestion Avoidance plus
Packet Priority Trust 33

on-port eq 80 time-range a001

[3Com-acl-adv-3010] rule 1 permit ip source 10.0.0.10 0 precedence 7
time-range a002
[3Com-acl-adv-3010] quit

# Define ACL 4010: Classify and mark the packets with the CoS priority of 5
generated when PC 2 accesses the Internet during non-work periods.

[3Com] acl number 4010

[3Com-acl-ethernetframe-4010] rule 0 permit cos 5 source 0012-0990-2
241 ffff-ffff-ffff time-range a002
[3Com-acl-ethernetframe-4010] quit

# Apply rule 0 of ACL 3010 to the port GigabitEthernet1/1/1 connected to

Server1, and set the maximum traffic rate by clients’ accessing the Internet to 100
Mbps.

[3Com] interface GigabitEthernet 1/1/1

[3Com-GigabitEthernet1/1/1] packet-filter outbound ip-group 3010 rule 0
[3Com-GigabitEthernet1/1/1] line-rate outbound 102400
[3Com-GigabitEthernet1/1/1] quit

# Perform traffic policing for the packets marked rule 1 of ACL 3010 on the port
Ethernet1/0/1 connected to PC 1, and modify the DSCP priority of the excess
packets to EF.

[3Com] interface Ethernet 1/0/1

[3Com-Ethernet1/0/1] traffic-limit inbound ip-group 3010 rule 1 2048
0 exceed remark-dscp ef
[3Com-Ethernet1/0/1] quit

# Perform traffic policing for the packets marked rule 0 of ACL 4010 on the port
Ethernet1/0/2 connected to PC 2, set the maximum traffic rate to 10 Mbps, and
discard the excess packets.

[3Com] interface Ethernet 1/0/2

[3Com-Ethernet1/0/2] traffic-limit inbound link-group 4010 rule 0 10
240 exceed drop

n The traffic-limit command works only with the permit rules in ACLs.

Configuration
Example of Priority
Re-marking plus
Queue Scheduling
Algorithm plus
Congestion Avoidance
plus Packet Priority
Trust

Network Requirements Server2, Server3, and Server4 are the data server, mail server and file server of the
company respectively. The detailed requirements are as follows:
 34 CHAPTER 2: QACL CONFIGURATION EXAMPLES

■ The switch first processes the packets accessing the data server, then the
packets accessing the mail server, and finally the packet accessing the file
server.
■ Configure the port GigabitEthernet1/1/2 to use the WRR queue priority
algorithm, and configure the weight of outbound queues as 1:1:1:5:1:10:1:15.
■ Configure the queue with an index of 4 on the port GigabitEthernet1/1/2 to
use WRED: Discard subsequent packets at random when the queue is more
than 64 packets in size, and configure the probability of discarding as 20%.
■ Configure the port Ethernet1/0/3 to trust the priority of packets rather than to
use the priority of the port.

Network Diagram Figure 10 Network diagram for configuration of priority re-marking plus queue
scheduling algorithm plus congestion avoidance plus packet priority trust

10.0.0 .2 10.0.0 .3 10 .0 .0.4

Server 2 Server 3 Server 4

LAN 2

GE 1/1/2

Configuration Procedure # Define ACL 3020: Classify and mark packets according to their destination IP
addresses.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] acl number 3020
[3Com-acl-adv-3020] rule 0 permit ip destination 10.0.0.2 0
[3Com-acl-adv-3020] rule 1 permit ip destination 10.0.0.3 0
[3Com-acl-adv-3020] rule 2 permit ip destination 10.0.0.4 0
[3Com-acl-adv-3020] quit

# Re-mark priority for the packets on the port GigabitEthernet1/1/2 that match
the rules in ACL 3020.

[3Com] interface GigabitEthernet 1/1/2

[3Com-GigabitEthernet1/1/2] traffic-priority outbound ip-group 3020
rule 0 local-precedence 7
 Configuration Example of Traffic Measurement plus Port Redirection 35

[3Com-GigabitEthernet1/1/2] traffic-priority outbound ip-group 3020

rule 1 local-precedence 5
[3Com-GigabitEthernet1/1/2] traffic-priority outbound ip-group 3020
rule 2 local-precedence 3

# Configure the WRR queue scheduling algorithm on the port

GigabitEthernet1/1/2, and configure the weight of outbound queues as
1:1:1:5:1:10:1:15.

[3Com-GigabitEthernet1/1/2] queue-scheduler wrr 1 1 1 5 1 10 1 15

# Configure the queue with an index of 4 on the port GigabitEthernet1/1/2 to use

WRED: Discard subsequent packets at random when the queue is more than 64
packets in size, and configure the probability of discarding as 20%.

[3Com-GigabitEthernet1/1/2] wred 4 64 20
[3Com-GigabitEthernet1/1/2] quit

# Configure the port Ethernet1/0/3 connected to PC 3 to trust the 802.1p priority

carried by packets.

[3Com] interface Ethernet 1/0/3

[3Com-Ethernet1/0/3] priority trust

n The traffic-priority command works only with the permit rules in ACLs.

Configuration
Example of Traffic
Measurement plus
Port Redirection

Network Requirements The Data Detect Server is connected to the port Ethernet1/0/20. The detailed
requirements are as follows:
■ Measure the HTTP traffic generated by Internet access through the port
Ethernet1/0/1 during non-workday periods.
■ Redirect all the HTTP traffic generated by the Internet access through the port
Ethernet1/0/1 during workday period to the port Ethernet1/0/20.
 36 CHAPTER 2: QACL CONFIGURATION EXAMPLES

Network Diagram Figure 11 Network diagram for configuration of traffic measurement plus port redirection

Data Detect Server

E1 /0/20

E1 /0/1
LAN 10

PC 1

10.0.0.10
0012-a 990-2440

Configuration Procedure # Configure a workday period.

<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] time-range a001 8:30 to 18:00 working-day

# Configure non-workday periods.

[3Com] time-range a002 00:00 to 8:30 working-day

[3Com] time-range a002 18:00 to 24:00 working-day
[3Com] time-range a002 00:00 to 24:00 off-day

# Define ACL 3030: Classify the packets accessing the Internet through HTTP
according to periods.

[3Com] acl number 3030

[3Com-acl-adv-3030] rule 0 permit tcp destination 10.0.0.1 0 destina
tion-port eq 80 time-range a001
[3Com-acl-adv-3030] rule 1 permit tcp destination 10.0.0.1 0 destina
tion-port eq 80 time-range a002

# Configure traffic redirection on the port Ethernet1/0/1: Redirect all the HTTP
traffic generated by Internet access during workday period to the port
Ethernet1/0/20.

[3Com] interface Ethernet 1/0/1

[3Com-Ethernet1/0/1] traffic-redirect inbound ip 3030 rule 0 interfa
ce Ethernet 1/0/20

# Measure the HTTP traffic generated by Internet access during non-workday

periods on the port Ethernet1/0/1.

[3Com-Ethernet1/0/1] traffic-statistic inbound ip-group 3030 rule 1

 Configuration Example of Local Traffic Mirroring 37

n The traffic-redirect and traffic-statistic commands work only with the permit
rules in ACLs.

Configuration
Example of Local
Traffic Mirroring

Network Requirements The Data Detect Server is connected to the port Ethernet1/0/20. All the packets
accessing the Internet through the ports Ethernet1/0/1 and Ethernet1/0/2 using
HTTP during workday period must be mirrored to the port Ethernet1/0/20. Then,
the Data Detect Server analyzes the packets.

Network Diagram Figure 12 Network diagram for configuration of traffic mirroring

Data Detect Server

E1/0/20

E1/0/1
LAN 10

E1 /0/2

PC 1

LAN 11
10.0.0.10
0012 -a 990-2440

PC 2

10 .0.0.11
0012 -a990 -2441

Configuration Procedure # Configure a workday period.

<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] time-range a001 8:30 to 18:00 working-day

# Define ACL 3030: Classify the packets accessing the Internet through HTTP
during workday period.

[3Com] acl number 3030

[3Com-acl-adv-3030] rule 0 permit tcp destination 10.0.0.1 0 destina
tion-port eq 80 time-range a001
[3Com-acl-adv-3030] quit

# Configure the port Ethernet1/0/20 as the mirroring destination port.

 38 CHAPTER 2: QACL CONFIGURATION EXAMPLES

[3Com] interface Ethernet 1/0/20

[3Com-Ethernet1/0/20] monitor-port
[3Com-Ethernet1/0/20] quit

# Configure traffic mirroring on the ports Ethernet1/0/1 and Ethernet1/0/2:

Perform traffic identification through ACL 3030, and mirror the matching packets
to the destination port Ethernet1/0/20.

[3Com] interface Ethernet 1/0/1

[3Com-Ethernet1/0/1] mirrored-to inbound ip-group 3030 rule 0 monito
r-interface
[3Com-Ethernet1/0/1] quit
[3Com] interface Ethernet 1/0/2
[3Com-Ethernet1/0/2] mirrored-to inbound ip-group 3030 rule 0 monito
r-interface

n The mirrored-to command works only with the permit rules in ACLs.

Precautions Note the following points during the configurations:

1 When ACL rules are applied to a port, the match order of multiple rules in an ACL
depends on the hardware of the switch. For the Switch 5500 Family, the match
order is “first applied, last matched”. Even if you configure a match order while
defining an ACL, the configured one will not work.
2 Each port supports eight outbound queues. The priority of Queues 7 to 0 goes
down one by one. When the SP+WRR queue scheduling algorithm is applied on a
port, the switch will first schedule the queue with the weight of 0. If no packets
are sent from the queue, the switch will perform the WRR scheduling for the
remaining queues. When the SP+WFQ queue scheduling algorithm is applied on a
port, the switch will first schedule the queue with the bandwidth of 0. If no
packets are sent from the queue, the switch will perform the WFQ scheduling for
the remaining queues.
3 The switch can be configured with multiple mirroring source ports but only one
mirroring destination port. You are recommended to use the mirror destination
port only for forwarding mirroring traffic rather than as a service port. Otherwise,
normal services may be affected.
4 The traffic-limit, traffic-priority, traffic-redirect, and mirrored-to commands
can work only on the permit rules in ACLs.
5 For the TCP/UDP port in an advanced ACL, only the eq operator is supported.
6 For a Layer 2 ACL, the format-type (including 802.3/802.2, 802.3, ether_ii, and
snap) parameter is not supported.
7 All redirected packets will be tagged no matter whether the egress port is tagged.
8 When configuring a user-defined ACL, consider the following points for the offset
length:
■ All the packets that are processed by the switch internally have a VLAN tag.
One VLAN tag is four bytes in length.
■ If the VLAN VPN function is disabled, all the packets that are processed by the
switch internally have one VLAN tag.
 Other Functions Referencing ACL Rules 39

■ If the VLAN VPN function is enabled on a port, the switch will add another
layer of VLAN tag to the packets received on all ports. No matter whether the
packets contain a VLAN tag originally, the packets will have two layers of VLAN
tags.

The table below lists the common protocol types and offset.

Table 9 Common protocol type and offset

Offset (VLAN VPN Offset (VLAN VPN

Protocol type Protocol number disabled) enabled)
ARP 0x0806 16 20
RARP 0x8035 16 20
IP 0x0800 16 20
IPX 0x8137 16 20
AppleTalk 0x809B 16 20
ICMP 0x01 27 31
IGMP 0x02 27 31
TCP 0x06 27 31
UDP 0x17 27 31

Other Functions Other functions that reference ACL rules are as follows:
Referencing ACL Rules ■ Telnet/SNMP/WEB login user control. For Telnet users, ACLs 2000 to 4999 may
be referenced, and for SNMP/WEB users, ACLs 2000 to 2999 may be
referenced.
■ ACLs 2000 to 3999 can be referenced for routing policy match.
■ ACLs 2000 to 3999 can be referenced for filtering route information.
■ ACLs 2000 to 3999 can be referenced for displaying the routing entries that
match an ACL rule.
■ ACLs 2000 to 3999 can be referenced for displaying the FIB entries that match
an ACL rule.
■ ACLs 2000 to 3999 can be referenced for connecting a TFTP client to the TFTP
server.

The functions that reference system ACL rules include:

■ 802.1x function (after 802.1x is enabled globally and on a port, ACL rules are
referenced to apply)
■ Cluster function (the function is enabled by default. ACL rules are referenced to
apply to all ports). ACL 3998 and ACL 3999 are reserved for cluster
management, and cannot be configured.
■ DHCP snooping (after the function is enabled, ACL rules are referenced to
apply to all ports)
■ Port isolation (If the function is configured and a virtual interface is available,
ACL rules are referenced to apply)
■ MAC+IP port binding (after the function is configured on a port, ACL rules are
referenced to apply)
 40 CHAPTER 2: QACL CONFIGURATION EXAMPLES

■ Flexible QinQ (after this function is configured on a port, the ACL rules within
the configured range are referenced to apply)
■ Voice VLAN (if Voice VLAN is enabled on a port and an OUIMAC is available,
ACL rules are referenced to add)

Configuration
Example of WEB
Cache Redirection

n Now, only the Switch 5500 Family supports the WEB Cache redirection function.

Configuration
Example of WEB
Cache Redirection

Network Requirements Figure 13 shows the network topology of a company. The environment is as
follows:
■ A Switch 5500 serves as the central switch of the company. The software
version is Release 3.2.
■ The marketing department gains access to the switch through the port
Ethernet1/0/1. It belongs to VLAN 10, and the network segment is
192.168.1.1/24.
■ The R&D department gains access to the switch through the port
Ethernet1/0/2. It belongs to VLAN 20, and the network segment is
192.168.2.1/24.
■ The administrative department gains access to the switch through the port
Ethernet1/0/3. It belongs to VLAN 30, and the network segment is
192.168.3.1/24.
■ The WEB Cache Server gains access to the switch through the port
Ethernet1/0/4. It belongs to VLAN 40, and the network segment is
192.168.4.1/24.The IP address of the WEB Cache Server is 192.168.4.2, and
the MAC address of it is 0012-0990-2250.

The WEB Cache redirection function is enabled on the switch, and all the packets
of the marketing department, R&D department, and administrative department
are redirected to the WEB Cache Server, so as to relieve the load from the
connection links of the WAN, and improve the speed of Internet access.
 Configuration Example of WEB Cache Redirection 41

Network Diagram Figure 13 Network diagram for configuration of WEB Cache redirection

Internet
VLAN 40
WEB Cache Server
192.168.4.2
0012-0990-2250

E1 /0/ 4
E1 /0/1
E1/0/ 3
E1 /0/2

VLAN 10 VLAN 30
VLAN 20
Administrative
Market Department R&D Department
Department

Configuration Procedure # Create VLAN 10 for the marketing department, and assign an IP address
192.168.1.1 to the VLAN interface 10.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] vlan 10
[3Com-vlan10] port Ethernet 1/0/1
[3Com-vlan10] quit
[3Com] interface Vlan-interface 10
[3Com-Vlan-interface10] ip address 192.168.1.1 24
[3Com-Vlan-interface10] quit

# Create VLAN 20 for the R&D department, and assign an IP address 192.168.2.1
to the VLAN interface 20.

[3Com] vlan 20
[3Com-vlan20] port Ethernet 1/0/2
[3Com-vlan20] quit
[3Com] interface Vlan-interface 20
[3Com-Vlan-interface20] ip address 192.168.2.1 24
[3Com-Vlan-interface20] quit

# Create VLAN 30 for the administrative department, and assign an IP address

192.168.3.1 to the VLAN interface 30.

[3Com] vlan 30
[3Com-vlan30] port Ethernet 1/0/3
[3Com-vlan30] quit
[3Com] interface Vlan-interface 30
[3Com-Vlan-interface30] ip address 192.168.3.1 24
[3Com-Vlan-interface30] quit
42 CHAPTER 2: QACL CONFIGURATION EXAMPLES

# Create VLAN 40 for the WEB Cache Server, and assign an IP address 192.168.4.1
to the VLAN interface 40.

[3Com] vlan 40
[3Com-vlan40] port Ethernet 1/0/4
[3Com-vlan30] quit
[3Com] interface Vlan-interface 40
[3Com-Vlan-interface40] ip address 192.168.4.1 24
[3Com-Vlan-interface40] quit

# Enable the WEB Cache redirection function, and redirect all the HTTP packets
received on VLAN 10, VLAN 20 and VLAN 30 to the WEB Cache Server.

[3Com] webcache address 192.168.4.2 mac 0012-0990-2250 vlan 40 port

Ethernet 1/0/4
[3Com] webcache redirect-vlan 10
[3Com] webcache redirect-vlan 20
[3Com] webcache redirect-vlan 30

n The VLAN interface 40, VLAN interface 10, VLAN interface 20, and VLAN interface
30 must be in UP state. Otherwise, the WEB Cache redirection function will not
work.
 802.1X CONFIGURATION EXAMPLE
3
Keywords:
802.1x and AAA

Abstract:
This article introduces the application of 802.1x on Ethernet switches in real
network environments, and then presents detailed configurations of the 802.1x
client, LAN Switch and AAA server respectively.

Acronyms:
AAA (Authentication, Authorization and Accounting)

n The use of this document is restricted to 3Com Switch 4500, Switch 5500, Switch
5500G, Switch 4210, and Switch 4200 Families.

Introduction to 802.1X The LAN defined in IEEE 802 protocols does not provide access authentication. In
general, users can access network devices or resources in a LAN as long as they
access the LAN. When it comes to application circumstances like telecom network
access, building, LAN and mobile office, however, administrators need to control
and configure the access of user devices. Therefore, port- or user-based access
control comes into being.

802.1x is a port-based network access control protocol. It is widely accepted by

vendors, service providers and end users for its low cost, superior service continuity
and scalability, and high security and flexibility.

Features
Configuration

Global Configuration ■ Enable 802.1x globally

■ Set time parameters
■ Set the maximum number of authentication request attempts
■ Enable the quiet timer
■ Enable re-authentication upon reboot

Configuration in Port ■ Enable dot1x on the port

View ■ Enable Guest VLAN
■ Set the maximum number of users supported on the port
■ Set a port access control method (port-based or MAC-based)
 44 CHAPTER 3: 802.1X CONFIGURATION EXAMPLE

■ Set a port access control mode (force-authorized, force-unauthorized or auto)

■ Enable client version checking
■ Enable proxy detection

Precautions ■ The configuration of dot1x takes effect only after the dot1x feature is enabled
globally.
■ You can configure dot1x parameters associated with Ethernet ports or devices
before enabling dot1x. However, the configured dot1x parameters only take
effect after dot1x is enabled.
■ The configured dot1x parameters are reserved after dot1x is disabled and will
take effect if dot1x is re-enabled.

802.1X Configuration To implement 802.1x, you need to configure the supplicant system (client),
Commands authenticator system (switch) and authentication/authorization server correctly.
■ Supplicant system: Ensures that the PC uses a right client.
■ Authenticator system: Configuring 802.1x and AAA on the authenticator
system is required.
■ Authentication/authorization server: Configuring the
authentication/authorization server correctly is required.

The following table shows 802.1x configuration commands necessary for

configuring the switch (authenticator system). For configuration information on
other devices, refer to related manuals.

Table 10 802.1x configuration commands

To... Use the command... Remarks

Enable 802.1x globally dot1x Required
Disabled by default
Enable 802.1x on one or In system view Required
more ports
dot1x [ interface interface-list ] Disabled on a port by default
In port view 802.1x must be enabled both
globally in system view and on
dot1x
the intended port in system view
or port view. Otherwise, it does
not function.
Set a port access control dot1x port-method Optional
method for the specified { macbased | portbased }
macbased by default
or all ports [ interface interface-list ]
Port-based access control is
required for Guest VLAN.
Enable a Guest VLAN on dot1x guest-vlan vlan-id Required
the specified or all ports [ interface interface-list ]
Not enabled by default. The
vlan-id of the Guest VLAN must
be created beforehand.
 Enterprise Network Access Authentication Configuration Example 45

Enterprise Network
Access Authentication
Configuration
Example

n The configuration or information displayed may vary with devices. The following
example uses the 3Com Switch 5500 (using software Release 1510).

Network Application An administrator of an enterprise network needs to authenticate users accessing

Analysis the network on a per-port basis on the switch to control access to network
resources. Table 11 shows the details of network application analysis.
Table 11 Network application analysis

Network requirements Solution

Access of users is controlled by authentication. Enable 802.1x
Users can only access VLAN 10 before the Enable Guest VLAN
authentication succeeds.
Users can access VLAN 100 after the Enable dynamic VLAN assignment
authentication succeeds.
Users select the monthly payment service of 50 Configure an accounting policy and
dollars and use 2M bandwidth to access the bandwidth restraint policy on the RADIUS
network. server
IP address and MAC address are bound after a Set MAC-to-IP binding
user logs in.
Tear down the connection by force if it is idle for Enable idle cut
20 minutes.
Users can be re-authenticated successfully after Enable re-authentication upon reboot
the switch reboots abnormally.

Network Diagram Figure 14 Network diagram for enterprise network application

Update Server Authentication Server

Ethernet 1/0/1 Ethernet 1/0/4

VLAN 10 VLAN 2

Ethernet 1/0/3 Ethernet 1/0/2

VLAN 1 VLAN 100

Internet

Supplicant
 46 CHAPTER 3: 802.1X CONFIGURATION EXAMPLE

Configuration
Procedure

Configuring the Switch # Create a RADIUS scheme named cams, and specify the primary and secondary
authentication/accounting servers.
<3Com> system-view
[3Com] radius scheme cams
[3Com-radius-cams] primary authentication 192.168.1.19
[3Com-radius-cams] primary accounting 192.168.1.19
[3Com-radius-cams] secondary authentication 192.168.1.20
[3Com-radius-cams] secondary accounting 192.168.1.20

# Set the password to expert for the switch to exchange messages with the
RADIUS authentication and accounting servers.

[3Com-radius-cams] key authentication expert

[3Com-radius-cams] key accounting expert

# Set the username format to fully qualified user name with domain name.

[3Com-radius-cams] user-name-format with-domain

# Set the server type to extended.

[3Com-radius-cams] server-type extended

# Enable re-authentication upon reboot.

[3Com-radius-cams] accounting-on enable

# Create an ISP domain named abc and adopt the RADIUS scheme cams for
authentication.

[3Com] domain abc

[3Com-isp-abc] radius-scheme cams
[3Com-isp-abc] quit

# Set the ISP domain abc as the default ISP domain.

[3Com] domain default enable abc

# Enable dynamic VLAN assignment.

[3Com-isp-abc] vlan-assignment-mode integer

# Enable Guest VLAN 10 on the specified port.

[3Com] vlan 10
[3Com-Ethernet1/0/3] dot1x port-method portbased
[3Com-Ehternet1/0/3] dot1x guest-vlan 10

# Enable 802.1x.

[3Com] dot1x
 Configuration Procedure 47

# Enable dot1x in port view.

[3Com-Ethernet1/0/3] dot1x

# Use the display command to view the configuration associated with 802.1x and
AAA parameters.

[3Com] display dot1x interface ethernet1/0/3

Global 802.1x protocol is enabled
CHAP authentication is enabled
DHCP-launch is disabled
Proxy trap checker is disabled
Proxy logoff checker is disabled

Configuration: Transmit Period 30 s, Handshake Period 15 s

ReAuth Period 3600 s, ReAuth MaxTimes 2
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
Interval between version requests is 30s
Maximal request times for version information is 3
The maximal retransmitting times 2

Total maximum 802.1x user resource number is 1024

Total current used 802.1x resource number is 0

Ethernet1/0/3 is link-up
802.1x protocol is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Version-Check is disabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Port-based
ReAuthenticate is disabled
Max number of on-line users is 256

Authentication Success: 0, Failed: 0

EAPOL Packets: Tx 0, Rx 0
Sent EAP Request/Identity Packets : 0
EAP Request/Challenge Packets: 0
Received EAPOL Start Packets : 0
EAPOL LogOff Packets: 0
EAP Response/Identity Packets : 0
EAP Response/Challenge Packets: 0
Error Packets: 0

Controlled User(s) amount to 0

[3Com] display radius scheme cams

SchemeName =cams Index=1 Type=extended
Primary Auth IP =192.168.1.19 Port=1812
Primary Acct IP =192.168.1.19 Port=1813
Second Auth IP =192.168.1.20 Port=1812
Second Acct IP =192.168.1.20 Port=1813
Auth Server Encryption Key= expert
Acct Server Encryption Key= expert
Accounting method = required
Accounting-On packet enable, send times = 15 , interval = 3s
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts =5
Retry sending times of noresponse acct-stop-PKT =500
Quiet-interval(min) =5
Username format =with-domain
Data flow unit =Byte
Packet unit =1
 48 CHAPTER 3: 802.1X CONFIGURATION EXAMPLE

unit 1 :
Primary Auth State=active, Second Auth State=active
Primary Acc State=active, Second Acc State=active
[3Com] display domain abc
The contents of Domain abc:
State = Active
RADIUS Scheme = cams
Access-limit = Disable
Vlan-assignment-mode = Integer
Domain User Template:
Idle-cut = Disable
Self-service = Disable
Messenger Time = Disable

Configuring the RADIUS The configuration of CAMS authentication, authorization and accounting server
Server consists of four parts:
■ “Creating an accounting policy” on page 49
■ “Adding a service” on page 50
■ “Adding an account user” on page 51
■ “Configuring the access device” on page 52

The following parts take CAMS server V1.20 (standard version) as an example to
introduce CAMS configuration.

Logging in the CAMS configuration console

1 Enter the correct user name and password on the login page to log in to the
CAMS configuration console.

Figure 15 Login page of CAMS configuration console

2 After login, the following page appears:

 Configuration Procedure 49

Figure 16 CAMS configuration console

Creating an accounting policy

1 Enter the Accounting Policy Management page.

Log in the CAMS configuration console. On the navigation tree, select [Charges
Management/Accounting Policy] to enter the [Accounting Policy Management]
page, as shown in Figure 17.

Figure 17 Accounting Policy Management

The list shows the created accounting policies. You can query, modify or maintain
these policies.

2 Create an accounting policy.

Click <Add> to enter the [Accounting Policy Basic Information] page and create a
monthly payment accounting policy, as shown in Figure 18.
50 CHAPTER 3: 802.1X CONFIGURATION EXAMPLE

Figure 18 Accounting Policy Basic Information

3 Click <Next> to enter the [Accounting Attribute Settings] page, and set
Accounting Type to By duration, Monthly Cycle to Monthly and Monthly Fixed Fee
to 50 dollars, as shown in Figure 19.

Figure 19 Accounting Attribute Settings

Click <OK>. A monthly payment accounting policy is created.

Adding a service
1 Enter the Service Config page.

Log in the CAMS configuration console. On the navigation tree, select [Service
Management/Service Config] to enter the [Service Config] page, as shown in
Figure 20.

Figure 20 Service Config

The list shows the created service types. You can query, modify or delete these
service types.

2 Add a service.

Click <Add> to enter the [Add Service] page and configure as follows:

■ Service Name: abc

 Configuration Procedure 51

■ Service Suffix Name: abc

■ Accounting Policy: Monthly Fixed Payment
■ Upstream Rate Limitation: 2M (2048 Kbps)
■ Downstream Rate Limitation: 2M (2048 Kbps)
■ VLAN Assignment: VLAN 100
■ Authentication Binding: Bind user IP address and bind user MAC address

Figure 21 Add Service

Click <OK>. A service type is added.

Adding an account user

1 Enter the Account Management page.

Log in the CAMS configuration console. On the navigation tree, select [User
Management/Account User] to enter the [Account Management] page, as shown
in Figure 22.

Figure 22 Account Management

The list shows the created account users. You can maintain these account users.

2 Add an account user.

Click <Add> to enter the [Add Account] page and configure as follows:
52 CHAPTER 3: 802.1X CONFIGURATION EXAMPLE

■ Account: info
■ Password: info
■ Full Name: Bruce
■ Prepaid Money: 100 dollars
■ Bind multiple IP address and MAC address: enable
■ Online Limit: 1
■ Max. Idle Time: 20 minutes
■ Service Information: abc

Figure 23 Add Account

Click <OK>. An account user is added.

Configuring the access device

1 Enter the System Configuration page.

Log in the CAMS configuration console. On the navigation tree, select [System
Management/System Configuration] to enter the [System Configuration] page, as
shown in Figure 24.

Figure 24 System Configuration

 Configuration Procedure 53

2 Click the Modify link for the Access Device item to enter the [Access Device
Configuration] page to modify access device configuration like IP address, shared
key, and authentication and accounting ports.

Figure 25 Access Device Configuration

Adding configuration item

1 Click <Add> to enter the [Add Access Device] page and add configuration items,
as shown in Figure 26.

Figure 26 Add Access Device

2 Click <OK>. The prompt page appears as shown in Figure 27.

Figure 27 Page prompting that system configuration is modified successfully

3 Return to the [System Configuration] page and click <Validate Now> to make the
configuration take effect immediately.
54 CHAPTER 3: 802.1X CONFIGURATION EXAMPLE

Figure 28 Validate Now on System Management page

Configuring the You need to install an 802.1x client on the PC, which may be 3Com’s 802.1x
Supplicant System client, the client shipped with Windows XP or other client from the third party. The
following takes 3Com’s 802.1X as an example to introduce how to configure the
supplicant system.

Starting up 3Com authentication client

Figure 29 3Com authentication client

Creating a connection
Right click the 802.1x Authentication icon and select [Create an 802.1x
connection], as shown in Figure 30.
 Configuration Procedure 55

Figure 30 Create an 802.1x connection

Configuring connection attributes

Click <Next> to enter the [Set special properties] page:
56 CHAPTER 3: 802.1X CONFIGURATION EXAMPLE

Figure 31 Set special properties

Keep default settings and click <OK>. The prompt page appears as shown in
Figure 32.
 Configuration Procedure 57

Figure 32 Page prompting that a connection is created successfully

Initiating the connection

Double click the info connection:

Figure 33 Connecting

The connection succeeds:

58 CHAPTER 3: 802.1X CONFIGURATION EXAMPLE

Figure 34 Page prompting that the Authentication succeeds

Verifying Configuration To verify that the configuration of Guest VLAN is taking effect, check that users
can access VLAN 10 before 802.1x authentication or the 802.1x authentication
fails.

To verify that the dynamically assigned VLAN is taking effect, check that users can
access VLAN 100 after 802.1x authentication succeeds. At the same time, 802.1x
authentication cooperates with CAMS to complete accounting and real time
monitoring.

To verify that the configuration of IP-to-MAC binding is taking effect, check that
users can be re-authenticated and access the Internet when the device reboots
abnormally. If the configured IP-to-MAC binding is different from that on the
CAMS, the user cannot access the Internet.

Troubleshooting Symptom: 802.1x authentication failed

Solution:
■ Use the display dot1x command to verify 802.1x is enabled globally and on
the specified ports.
■ Verify the username and password are set correctly.
■ Verify the connection works well.
■ Use the debugging dot1x packet command to verify the switch receives and
sends EAP and EAPoL packets normally.

Symptom: Users can access network resources without 802.1x

authentication
■ Use the display dot1x command to verify 802.1x is enabled globally and on
the specified ports.
 Configuration Procedure 59

■ Use the display interface command to verify the statistics of incoming

packets are available for the specified port. 802.1x authentication applies only
to incoming packets, not outgoing packets.
60 CHAPTER 3: 802.1X CONFIGURATION EXAMPLE
 SSH CONFIGURATION EXAMPLE
4
Keywords:
SSH, RSA

Abstract:
This article introduces the application of SSH on the 3Com stackable switches in
real network environments, and then presents detailed configurations of the
involved SSH client and Ethernet switches respectively.

Acronyms:
SSH (Secure Shell), RSA (Rivest Shamir Adleman)

Introduction to SSH Secure Shell (SSH) is designed to provide secure remote login and other security
services in insecure network environments. When users remotely access the switch
across an insecure network, SSH will automatically encrypt data before
transmission and decrypt data after they reach the destination to guarantee
information security and protect switches from such attacks as plain-text password
interception. In addition, SSH provides powerful authentication to defend against
the man-in-the-middle attacks. SSH uses the client/server mode, by which the SSH
server accepts the connection requests from SSH clients and provides
authentication. SSH clients can establish SSH connections and log into the SSH
server through the SSH connections.

SSH also provides other functions, such as compressing the data to be transmitted
to speed up the transmission speed, functioning as Telnet, and providing secure
channels for FTP, PoP and even PPP.

n For details about SSH functions supported on different Ethernet switches, refer to
related user manuals.

Support for SSH

Table 12 List of SSH functions supported on the 3Com stackable switches
Functions
Model\Function SSH server SSH client
Switch 5500 ● ●
Switch 4500 ● ●
Switch 5500G ● ●
Switch 4200 ● ●
Switch 4200G ● ●
Switch 4210 ● ●
 62 CHAPTER 4: SSH CONFIGURATION EXAMPLE

SSH Configuration

Configuring an SSH For a 3Com switch to be the SSH server

Server ■ Configure the protocols supported on user interfaces
■ Create or destroy a RSA key pair
■ Export a RSA key pair
■ Create an SSH user and specify an authentication type
■ Specify a service type for the SSH user
■ Configure the SSH management function on the SSH server
■ Configure a client public key on the SSH server
■ Specify a public key for the SSH user
■ Specify the source IP address or source interface of packets

For a non 3Com device to be the SSH server

For such configuration, refer to the related user manual.

Configuring an SSH Using SSH client software

Client There are many kinds of SSH client software, such as PuTTY, Tectia, Winscp, and
OpenSSH. You can select one as required and refer to the attached manual for
configuration.

Using an SSH2-capable switch

■ Configure whether first-time authentication is supported
■ Establish a connection between the SSH client and the SSH server

Precautions ■ If you have configured a user interface to support the SSH protocol, you must
configure AAA authentication for the user interface by using the
authentication-mode scheme command to ensure successful login.
■ Creating a RSA key pair on the SSH server is necessary for successful SSH login.
■ For new SSH users to login successfully, you must specify an authentication
type for them.

SSH Configuration To implement SSH, you need to configure the SSH client and the SSH server
Commands correctly.

The following sections describe switch’s SSH configuration commands. For more
information, refer to the SSH section of the applicable configuration guide.
 Configuring an 3Com Switch as an SSH Server 63

Configuring an 3Com
Switch as an SSH
Server

Configuration Procedure
Table 13 Configure the switch as an SSH server

Common
Public key configuration
configurati Authentication
Role on type Remarks
SSH For detailed Password - For detailed
server command, authentication command, refer to
refer to “Password
“Common authentication
configuratio configuration” on
n” on page page 65.
64.
RSA Configure a Associate For detailed
authentication public key the client commands, refer to
manually: copy public key “Configuring the
the public key saved on client RSA public
from the client the SSH key manually” on
public key file server to page 65.
to the SSH the SSH
server. client
Import a public For detailed
key: import the commands, refer to
public key from “Importing the
the client client RSA public
public file to key” on page 66 .
the SSH server
through
commands.

Precautions for authentication type configuration

The above table introduces the password authentication and RSA authentication
separately. In practice, you can combine the two authentication types.
■ Executing the ssh authentication-type default password-publickey
command or the ssh user authentication-type password-publickey
command means that users must not only pass the password authentication
but also pass the RSA authentication to login the SSH server.
■ Executing the ssh authentication-type default all command or the ssh user
authentication-type all command means that users can login the SSH server
as long as they pass either the password or RSA authentication.

Public key configuration procedure and precautions

As shown in Table 13, you need to copy or import the public key from the client to
the server.
1 Manually configure the RSA public key
■ When a switch acts as the SSH client, use the display rsa local-key-pair
public command to display the RSA public key after creating RSA key pair
through the corresponding commands.
■ Manually copy the RSA public key to the SSH server. Thus, the SSH server has
the same public key as the SSH client, and can authenticate the SSH client
when the SSH client establishes a connection with it.
64 CHAPTER 4: SSH CONFIGURATION EXAMPLE

2 Import the RSA public key

■ When a switch acts as the SSH server, use the SSH client software to generate
an RSA key pair, and then upload the RSA public key file to the SSH server
through FTP or TFTP.
■ On the SSH server, import the public key from the public key file through
commands.
3 Precautions

When some SSH client software like PuTTY is used to generate an RSA key pair,
you can either manually configure the public key for the SSH server or import the
public key to the SSH server.

Configuration Common configuration

Commands
Table 14 Common configuration

Operation Command Remarks

Enter system view system-view -
Enter the view of one or user-interface [ type-keyword ] -
multiple user interfaces number [ ending-number ]
Configure the authentication-mode scheme Required
authentication mode as [ command-authorization ]
By default, the user interface
scheme
authentication mode is
password.
Specify the supported protocol inbound { all |ssh | Optional
protocol(s) telnet }
By default, both Telnet and
SSH are supported.
Return to the system quit -
view
Create an RSA key pair rsa local-key-pair create Required
By default, no RSA key pair is
created.
Destroy the RSA key pair rsa local-key-pair destroy Optional
Specify a service type for ssh user username service-type Optional
the SSH user { stelnet | sftp | all }
stelnet by default
Set SSH authentication ssh server timeout seconds Optional
timeout time
By default, the timeout time
is 60 seconds.
Set SSH authentication ssh server authentication-retries Optional
retry times times
By default, the number of
retry times is 3.
Set RSA server key ssh server rekey-interval hours Optional
update interval
By default, the system does
not update RSA server keys.
Configure SSH server to ssh server compatible-ssh1x Optional
be compatible with enable
By default, SSH server is
SSH1.x clients
compatible with SSH1.x
clients.
 Configuring an 3Com Switch as an SSH Server 65

Table 14 Common configuration

Operation Command Remarks

Specify a source IP ssh-server source-ip ip-address Optional
address for the SSH
server
Specify a source ssh-server source-interface Optional
interface for the SSH interface-type interface-number
server

Password authentication configuration

Table 15 Configure password authentication

Operation Command Description

Create an SSH User and Specify the ssh Use either command.
specify an authentication default authentication-
By default, no SSH user is
type authentication type default
created and no
type for all SSH password
authentication type is
users
ssh user specified.
username
Note that: If both commands
Create an SSH ssh user are used and different
user, and specify username authentication types are
an authentication authentication- specified, the authentication
type for the user type password type specified with the ssh
user authentication-type
command takes precedence.

n For common configuration commands, refer to Table 14.

Configuring the client RSA public key manually

Table 16 Configure the client RSA public key manually

Operation Command Description

Create an SSH user and Specify the ssh Use either command.
specify an authentication default authentication-
By default, no SSH user is
type authentication type default rsa
created and no
type for all SSH
ssh user authentication type is
users
username specified.
Create an SSH ssh user Note that: If both commands
user, and specify username are used and different
an authentication authentication- authentication types are
type for it typ rsa specified, the authentication
type specified with the ssh
user authentication-type
command takes precedence.
Enter public key view rsa peer-public-key keyname Required
Enter public key edit public-key-code begin -
view
Configure the client RSA Enter the content of the RSA public The content must be a
public key key hexadecimal string that is
generated randomly by the
SSH-supported client
software and coded
compliant to PKCS. Spaces
and carriage returns are
allowed between characters.
 66 CHAPTER 4: SSH CONFIGURATION EXAMPLE

Table 16 Configure the client RSA public key manually

Operation Command Description

Return from public key public-key-code end When you exit public key
code view to public key code view, the system
view automatically saves the
public key.
Return from public key peer-public-key end -
view to system view
Assign a public key to an ssh user username assign rsa-key Required
SSH user keyname
If you issue this command
multiple times, the last
command overrides the
previous ones

n For general configuration commands, refer to Table 14.

Importing the client RSA public key

Table 17 Import the client RSA public key

Operation Command Description

Create an SSH user and Specify the ssh Use either command.
specify an authentication default authentication-
By default, no SSH user is
type authentication type default rsa
created and no
type for all SSH
ssh user authentication type is
users
username specified.
Create an SSH ssh user Note that: If both commands
user, and specify username are used and different
an authentication authentication- authentication types are
type for it type rsa specified, the authentication
type specified with the ssh
user authentication-type
command takes precedence.
Import the client RSA rsa peer-public-key keyname Required
public key from the import sshkey filename
specified public key file
Assign a public key to an ssh user username assign rsa-key Required
SSH user keyname
If you issue this command
multiple times, the last
command overrides the
previous ones

n For general configuration commands, refer to Table 14.

Configuring an 3Com When the device connects to the SSH server as an SSH client, you can configure
Switch as an SSH whether the device supports first-time authentication.
Client ■ First-time authentication means that when the SSH client accesses the server
for the first time and is not configured with the server host public key, the user
can continue accessing the server, and will save the host public key on the
client for use in subsequent authentications.
■ When first-time authentication is not supported, a client, if not configured with
the server host public key, will be denied of access to the server. To access the
 Configuring an 3Com Switch as an SSH Client 67

server, a user must configure in advance the server host public key locally and
specify the public key name for authentication.

Configuration Procedure
Table 18 Configure the switch as an SSH client

Common First-time
configurati authenticati Access the
Role on on support Public key configuration SSH server Remarks
SSH Refer to Yes -- Establish a Refer to
Client “Common connection “Enabling
configuratio between the first-time
n” on page SSH client authenticat
67. and the SSH ion” on
server page 67.
No Configure a Specify the Refer to
public key host public “Disabling
manually: key of the first-time
copy the SSH server authenticat
server public to be ion and
key from the connected manually
public key file configuring
to the SSH the server
client public key”
on page
68.

As shown in Table 18, you need to configure the server public key to the client in
the case that the SSH client does not support first-time authentication.

1 Manually configure the RSA public key

■ On the SSH server, use the display rsa local-key-pair public command to
display the RSA public key.
■ Manually copy the public key to the SSH client. Thus, the SSH client has the
same public key as the SSH server, and can authenticate the SSH server using
the public key when establishing a connection with the SSH server.

Configuration Common configuration

Commands
Table 19 Common configuration

Operation Command Description

Enter system view system-view -
Specify a source IP address ssh2 source-ip ip-address Optional
for the SSH client
Specify a source interface ssh2 source-interface interface-type Optional
for the SSH client interface-number

Enabling first-time authentication

Table 20 Enable first-time authentication

Operation Command Description

Enter system view system-view -
Enable first-time ssh client first-time enable Optional
authentication
Enabled by default
68 CHAPTER 4: SSH CONFIGURATION EXAMPLE

Table 20 Enable first-time authentication

Operation Command Description

Establish a connection with ssh2 { host-ip | host-name } [ port-num ] Required
the SSH server [ prefer_kex { dh_group1 |
In this command, you
dh_exchange_group } |
can also specify the
prefer_ctos_cipher { des | aes128 } |
preferred key
prefer_stoc_cipher { des | aes128 } |
exchange algorithm,
prefer_ctos_hmac { sha1 | sha1_96 |
encryption algorithms
md5 | md5_96 } | prefer_stoc_hmac
and HMAC algorithms
{ sha1 | sha1_96 | md5 | md5_96 } ] *
between the server
and client.

Disabling first-time authentication and manually configuring the server

public key
Table 21 Disable first-time authentication and manually configure the server public key

Operation Command Description

Enter system view system-view --
Disable first-time undo ssh client first-time Required
authentication
Enabled by default
Enter public key view rsa peer-public-key keyname Required
Enter public key edit view public-key-code begin -
Configure server public Enter the content of the public When you input the key data,
key key spaces are allowed between
the characters you input
(because the system can
remove the spaces
automatically); you can also
press <Enter> to continue
your input at the next line.
But the key you input should
be a hexadecimal digit string
coded in the public key
format.
Return to public key view public-key-code end When you exit public key
from public key edit view code view, the system
automatically saves the public
key
Exit public key view and peer-public-key end -
return to system view
Specify the host key name ssh client { server-ip | Optional
of the server server-name } assign rsa-key
Required when the SSH client
keyname
does not support first-time
authentication
You need to copy the server
public key to the SSH client
before performing this
configuration.
 SSH Configuration Example 69

Table 21 Disable first-time authentication and manually configure the server public key

Operation Command Description

Start the client to establish ssh2 { host-ip | host-name } Required
a connection with an SSH [ port-num ] [ prefer_kex
In this command, you can
server { dh_group1 |
also specify the preferred key
dh_exchange_group } |
exchange algorithm,
prefer_ctos_cipher { des |
encryption algorithms and
aes128 } | prefer_stoc_cipher
HMAC algorithms between
{ des | aes128 } |
the server and client.
prefer_ctos_hmac { sha1 |
sha1_96 | md5 | md5_96 } |
prefer_stoc_hmac { sha1 |
sha1_96 | md5 | md5_96 } ] *

SSH Configuration
Example

n The Switch 5500 software version in this configuration example is Release 1510.

When the Switch Acts as Network requirements

the SSH Server and the As shown in Figure 35, establish an SSH connection between the host (SSH Client)
Authentication Type is and the switch (SSH Server) for secure data exchange. The host runs SSH2.0 client
Password software. Password authentication is required.

Network diagram

Figure 35 Network diagram of SSH server configuration using password authentication

192.168.0.2/24

VLAN- interface 1
192. 168.0.1/24
SSH client Switch

Configuration procedure
1 Configure the SSH server

# Create a VLAN interface on the switch and assign an IP address, which the SSH
client will use as the destination for SSH connection.

<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
[3Com-Vlan-interface1] quit

# Generate RSA key pairs.

[3Com] rsa local-key-pair create

# Set the authentication mode for the user interfaces to AAA.

[3Com] user-interface vty 0 4

[3Com-ui-vty0-4] authentication-mode scheme
70 CHAPTER 4: SSH CONFIGURATION EXAMPLE

# Enable the user interfaces to support SSH.

[3Com-ui-vty0-4] protocol inbound ssh

[3Com-ui-vty0-4] quit

# Create local client “client001”, and set the authentication password to “abc”,
protocol type to SSH, and command privilege level to 3 for the client.

[3Com] local-user client001

[3Com-luser-client001] password simple abc
[3Com-luser-client001] service-type ssh level 3
[3Com-luser-client001] quit

# Specify the authentication method of user client001 as password.

[3Com] ssh user client001 authentication-type password

2 Configure the SSH client

# Configure an IP address (192.168.0.2 in this case) for the SSH client. This IP
address and that of the VLAN interface on the switch must be in the same
network segment.

# Configure the SSH client software to establish a connection to the SSH server.

Take SSH client software “Putty” (version 0.58) as an example:

■ Run PuTTY.exe to enter the following configuration interface.

Figure 36 SSH client configuration interface

 SSH Configuration Example 71

In the Host Name (or IP address) text box, enter the IP address of the SSH server.

■ From the category on the left pane of the window, select SSH under
Connection. The window as shown in Figure 37 appears.

Figure 37 SSH client configuration interface 2

Under Protocol options, select 2 from Preferred SSH protocol version.

■ As shown in Figure 38, click Open to enter the following interface. If the
connection is normal, you will be prompted to enter the user name
“client001” and password “abc”. Once authentication succeeds, you will log
onto the server.
 72 CHAPTER 4: SSH CONFIGURATION EXAMPLE

Figure 38 SSH client interface

When the Switch Acts as Network requirements

an SSH Server and the As shown in Figure 39, establish an SSH connection between the host (SSH client)
Authentication Type is and the switch (SSH Server) for secure data exchange. The host runs SSH2.0 client
RSA software. RSA authentication is required.

Network diagram

Figure 39 Network diagram of SSH server configuration

192.168.0 .2/ 24

VLAN -interface 1
192. 168.0. 1/ 24
SSH client Switch

Configuration procedure
1 Configure the SSH server

# Create a VLAN interface on the switch and assign an IP address, which the SSH
client will use as the destination for SSH connection.

<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
[3Com-Vlan-interface1] quit

# Generate RSA key pairs.

[3Com] rsa local-key-pair create

# Set the authentication mode for the user interfaces to AAA.

 SSH Configuration Example 73

[3Com] user-interface vty 0 4

[3Com-ui-vty0-4] authentication-mode scheme

# Enable the user interfaces to support SSH.

[3Com-ui-vty0-4] protocol inbound ssh

# Set the client’s command privilege level to 3

[3Com-ui-vty0-4] user privilege level 3

[3Com-ui-vty0-4] quit

# Configure the authentication type of the SSH client named client 001 as RSA.

[3Com] ssh user client001 authentication-type rsa

n Before performing the following steps, you must generate an RSA public key pair
(using the client software) on the client, save the key pair in a file named public,
and then upload the file to the SSH server through FTP or TFTP. For details, refer to
“Configuring an SSH Client” on page 62.

# Import the client’s public key named “Switch001” from file “public”.

[3Com] rsa peer-public-key Switch001 import sshkey public

# Assign the public key “Switch001” to client “client001”.

[3Com] ssh user client001 assign rsa-key Switch001

2 Configure the SSH client

# Generate an RSA key pair, taking PuTTYGen as an example.

■ Run PuTTYGen.exe, choose SSH2(RSA) and click Generate.

74 CHAPTER 4: SSH CONFIGURATION EXAMPLE

Figure 40 Generate a client key pair (1)

n While generating the key pair, you must move the mouse continuously and keep
the mouse off the green process bar shown in Figure 40. Otherwise, the process
bar stops moving and the key pair generating process is stopped.
 SSH Configuration Example 75

Figure 41 Generate a client key pair (2)

After the key pair is generated, click Save public key and enter the name of the
file for saving the public key (“public” in this case).

Figure 42 Generate a client key pair (3)

76 CHAPTER 4: SSH CONFIGURATION EXAMPLE

Likewise, to save the private key, click Save private key. A warning window pops
up to prompt you whether to save the private key without any protection. Click
Yes and enter the name of the file for saving the private key (“private.ppk” in this
case).

Figure 43 Generate a client key pair (4)

n After a public key pair is generated, you need to upload the pubic key file to the
server through FTP or TFTP, and complete the server end configuration before you
continue to configure the client.

# Establish a connection with the SSH server.

The following takes the SSH client software Putty (version 0.58) as an example.

■ Launch PuTTY.exe to enter the following interface.

Figure 44 SSH client configuration interface 1

In the Host Name (or IP address) text box, enter the IP address of the server.
 SSH Configuration Example 77

■ From the category on the left pane of the window, select SSH under
Connection. The window as shown in Figure 45 appears.

Figure 45 SSH client configuration interface 2

Under Protocol options, select 2 from Preferred SSH protocol version.

■ Select Connection/SSH/Auth. The following window appears.

78 CHAPTER 4: SSH CONFIGURATION EXAMPLE

Figure 46 SSH client configuration interface (2)

Click Browse... to bring up the file selection window, navigate to the private key
file and click OK.

■ From the window shown in Figure 46, click Open. The following SSH client
interface appears. If the connection is normal, you will be prompted to enter
the username and password, as shown in Figure 47.
 SSH Configuration Example 79

Figure 47 SSH client interface

When the Switch Acts Network requirements

as an SSH Client and the As shown in Figure 48, establish an SSH connection between Switch A (SSH
Authentication Type is Client) and Switch B (SSH Server) for secure data exchange. The user name for
Password login is client001 and the SSH server’s IP address is 10.165.87.136. Password
authentication is required.

Network diagram

Figure 48 Network diagram of SSH client configuration when using password

authentication

Switch B Switch A
SSH server VLAN -interface1 SSH client
10. 165. 87. 137/ 24

VLAN- interface1
10. 165.87.136 / 24

Configuration procedure
1 Configure Switch B

# Create a VLAN interface on the switch and assign an IP address, which the SSH
client will use as the destination for SSH connection.

<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
[3Com-Vlan-interface1] quit

# Generate RSA key pairs.

 80 CHAPTER 4: SSH CONFIGURATION EXAMPLE

[3Com] rsa local-key-pair create

# Set the authentication mode for the user interfaces to AAA.

[3Com] user-interface vty 0 4

[3Com-ui-vty0-4] authentication-mode scheme

# Enable the user interfaces to support SSH.

[3Com-ui-vty0-4] protocol inbound ssh

[3Com-ui-vty0-4] quit

# Create local user “client001”, and set the authentication password to abc, the
login protocol to SSH, and user command privilege level to 3.

[3Com] local-user client001

[3Com-luser-client001] password simple abc
[3Com-luser-client001] service-type ssh level 3
[3Com-luser-client001] quit

# Configure the authentication type of user client001 as password.

[3Com] ssh user client001 authentication-type password

2 Configure Switch A

# Create a VLAN interface on the switch and assign an IP address, which serves as
the SSH client’s address in an SSH connection.

<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[3Com-Vlan-interface1] quit

# Establish a connection to the server 10.165.87.136.

[3Com] ssh2 10.165.87.136

Username: client001
Trying 10.165.87.136 ...
Press CTRL+K to abort
Connected to 10.165.87.136 ...

The Server is not authenticated. Do you continue to access it?(Y/N):y

Do you want to save the server’s public key?(Y/N):n
Enter password:
*************************************************************************
* Copyright(c) 2004-2006 Hangzhou 3Com Technologies Co., Ltd. *
* Without the owner’s prior written consent, *
* no decompiling or reverse-switch fabricering shall be allowed. *
*************************************************************************

<3Com>

When the Switch Acts as Network requirements

an SSH Client and the As shown in Figure 49, establish an SSH connection between Switch A (SSH
Authentication Type is Client) and Switch B (SSH Server) for secure data exchange. The user name is
RSA client001 and the SSH server’s IP address is 10.165.87.136. RSA authentication is
required.
 SSH Configuration Example 81

Network diagram

Figure 49 Network diagram of SSH client configuration when using publickey

authentication

Switch B Switch A
SSH server VLAN- interface1 SSH client
10.165. 87. 137/ 24

VLAN- interface1
10. 165.87. 136 / 24

Configuration procedure
1 Configure Switch B

# Create a VLAN interface on the switch and assign an IP address, which the SSH
client will use as the destination for SSH connection.

<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
[3Com-Vlan-interface1] quit

# Generate RSA key pair.

[3Com] rsa local-key-pair create

# Set the authentication mode for the user interfaces to AAA.

[3Com] user-interface vty 0 4

[3Com-ui-vty0-4] authentication-mode scheme

# Enable the user interfaces to support SSH.

[3Com-ui-vty0-4] protocol inbound ssh

# Set the user command privilege level to 3.

[3Com-ui-vty0-4] user privilege level 3

[3Com-ui-vty0-4] quit

# Specify the authentication type of user client001 as RSA.

[3Com] ssh user client001 authentication-type rsa

n Before proceeding with the following steps, you need to generate an RSA key pair
on the client, and manually configure the RSA public key for the SSH server. For
detailed information, refer to “Configuring an SSH Client” on page 62.

# Configure the public key of the SSH client on the SSH server, and specify the
public key name as Switch001.

[3Com] rsa peer-public-key Switch001

RSA public key view: return to System View with "peer-public-key end".
[3Com-rsa-public-key] public-key-code begin
RSA key code view: return to last view with "public-key-code end".
[3Com-rsa-key-code] 3047
[3Com-rsa-key-code] 0240
82 CHAPTER 4: SSH CONFIGURATION EXAMPLE

[3Com-rsa-key-code] C8969B5A 132440F4 0BDB4E5E 40308747 804F608B

[3Com-rsa-key-code] 349EBD6A B0C75CDF 8B84DBE7 D5E2C4F8 AED72834
[3Com-rsa-key-code] 74D3404A 0B14363D D709CC63 68C8CE00 57C0EE6B
[3Com-rsa-key-code] 074C0CA9
[3Com-rsa-key-code] 0203
[3Com-rsa-key-code] 010001
[3Com-rsa-key-code] public-key-code end
[3Com-rsa-public-key] peer-public-key end
[3Com]

# Assign the public key Switch001 to user client001.

[3Com] ssh user client001 assign rsa-key Switch001

2 Configure Switch A

# Create a VLAN interface on the switch and assign an IP address, which serves as
the SSH client’s address in an SSH connection.

<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[3Com-Vlan-interface1] quit

# Generate a RSA key pair

[3Com] rsa local-key-pair create

# Display the RSA public key on the client.

<3Com> display rsa local-key-pair public

=====================================================
Time of Key pair created: 05:15:04 2006/12/08
Key name: 3Com_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
C8969B5A 132440F4 0BDB4E5E 40308747 804F608B
349EBD6A B0C75CDF 8B84DBE7 D5E2C4F8 AED72834
74D3404A 0B14363D D709CC63 68C8CE00 57C0EE6B
074C0CA9
0203
010001
<Omitted>

n After generating an RSA key pair on the client, you need to configure the RSA
public key for the SSH server and finish the SSH server configuration before
continuing to configure the SSH client.

# Establish an SSH connection to the server 10.165.87.136.

[3Com] ssh2 10.165.87.136

Username: client001
Trying 10.165.87.136 ...
Press CTRL+K to abort
Connected to 10.165.87.136 ...
 SSH Configuration Example 83

The Server is not authenticated. Do you continue to access it?(Y/N):y

Do you want to save the server’s public key?(Y/N):n

*************************************************************************
* Copyright(c) 2004-2006 Hangzhou 3Com Technologies Co., Ltd. *
* Without the owner’s prior written consent, *
* no decompiling or reverse-switch fabricering shall be allowed. *
*************************************************************************

<3Com>

When the Switch Acts as Network requirements

an SSH Client and As shown in Figure 50, establish an SSH connection between Switch A (SSH
First-time authentication Client) and Switch B (SSH Server) for secure data exchange. The user name is
is not Supported client001 and the SSH server’s IP address is 10.165.87.136. The RSA
authentication mode is used to enhance security.

Network diagram

Figure 50 Network diagram of SSH client configuration

Switch B Switch A
SSH server VLAN- interface1 SSH client
10.165. 87. 137/ 24

VLAN- interface 1
10. 165.87. 136 / 24

Configuration procedure
1 Configure Switch B

# Create a VLAN interface on the switch and assign an IP address for it to serve as
the destination of the client.

<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
[3Com-Vlan-interface1] quit

# Generate RSA key pairs.

[3Com] rsa local-key-pair create

# Set AAA authentication on user interfaces.

[3Com] user-interface vty 0 4

[3Com-ui-vty0-4] authentication-mode scheme

# Configure the user interfaces to support SSH.

[3Com-ui-vty0-4] protocol inbound ssh

# Set the user command privilege level to 3.

[3Com-ui-vty0-4] user privilege level 3

[3Com-ui-vty0-4] quit
84 CHAPTER 4: SSH CONFIGURATION EXAMPLE

# Specify the authentication type for user client001 as RSA.

[3Com] ssh user client001 authentication-type rsa

n Before proceeding with the following steps, you need to generate an RSA key pair
on the client, and manually configure the RSA public key for the SSH server. For
detailed information, refer to “Configuring an SSH Client” on page 62.

# Configure the public key of the SSH client on the SSH server, and specify the
public key name as Switch001

[3Com] rsa peer-public-key Switch001

RSA public key view: return to System View with "peer-public-key end".
[3Com-rsa-public-key] public-key-code begin
RSA key code view: return to last view with "public-key-code end".
[3Com-rsa-key-code] 3047
[3Com-rsa-key-code] 0240
[3Com-rsa-key-code] C8969B5A 132440F4 0BDB4E5E 40308747 804F608B
[3Com-rsa-key-code] 349EBD6A B0C75CDF 8B84DBE7 D5E2C4F8 AED72834
[3Com-rsa-key-code] 74D3404A 0B14363D D709CC63 68C8CE00 57C0EE6B
[3Com-rsa-key-code] 074C0CA9
[3Com-rsa-key-code] 0203
[3Com-rsa-key-code] 010001
[3Com-rsa-key-code] public-key-code end
[3Com-rsa-public-key] peer-public-key end
[3Com]

# Assign public key Switch001 to user client001

[3Com] ssh user client001 assign rsa-key Switch001

n If first-time authentication is disabled on the device, it is necessary to configure on

the SSH client the RSA public key of the SSH server.

# Display the RSA public key on the server.

[3Com] display rsa local-key-pair public

=====================================================
Time of Key pair created: 09:04:41 2000/04/04
Key name: 3Com_Host
Key type: RSA encryption Key
=====================================================
Key code:
308188
028180
C9330FFD 2E2A606F 3BFD5554 8DACDFB8 4D754E86
FC2D15E8 1996422A 0F6A2A6A A94A207E 1E25F3F9
E0EA01A2 4E0F2FF7 B1D31505 39F02333 E443EE74
5C3615C3 E5B3DC91 D41900F0 2AE8B301 E55B1420
024ECF2C 28A6A454 C27449E0 46EB1EAF 8A918D33
BAF53AF3 63B1FB17 F01E4933 00BE2EEA A272CD78
C289B7DD 2BE0F7AD
0203
010001
<Omitted>
2 Configure Switch A
 SSH Configuration Example 85

# Create a VLAN interface on the switch and assign an IP address, which serves as
the SSH client’s address in an SSH connection.

<3Com> system-view
[3Com] interface vlan-interface 1
[3Com-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[3Com-Vlan-interface1] quit

# Generate a RSA key pair

[3Com] rsa local-key-pair create

# Export the generated RSA key pair to a file named Switch001.

<3Com> display rsa local-key-pair public

=====================================================
Time of Key pair created: 05:15:04 2006/12/08
Key name: 3Com_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
C8969B5A 132440F4 0BDB4E5E 40308747 804F608B
349EBD6A B0C75CDF 8B84DBE7 D5E2C4F8 AED72834
74D3404A 0B14363D D709CC63 68C8CE00 57C0EE6B
074C0CA9
0203
010001
<Omitted>

n After the SSH client generates an RSA key pair, it is necessary to configure the RSA
public key for the SSH server and finish the SSH server configuration before
continuing to configure the SSH client.

# Disable first-time authentication on the device.

[3Com] undo ssh client first-time

n If first-time authentication is disabled on the device, it is necessary to configure on

the SSH client the RSA public key of the SSH server.

# Configure the public key of the SSH server on the SSH client, and specify the
public key name as Switch002.

[3Com] rsa peer-public-key Switch002

RSA public key view: return to System View with "peer-public-key end".
[3Com-rsa-public-key] public-key-code begin
RSA key code view: return to last view with "public-key-code end".
[3Com-rsa-key-code] 308188
[3Com-rsa-key-code] 028180
[3Com-rsa-key-code] C9330FFD 2E2A606F 3BFD5554 8DACDFB8 4D754E86
[3Com-rsa-key-code] FC2D15E8 1996422A 0F6A2A6A A94A207E 1E25F3F9
[3Com-rsa-key-code] E0EA01A2 4E0F2FF7 B1D31505 39F02333 E443EE74
[3Com-rsa-key-code] 5C3615C3 E5B3DC91 D41900F0 2AE8B301 E55B1420
[3Com-rsa-key-code] 024ECF2C 28A6A454 C27449E0 46EB1EAF 8A918D33
[3Com-rsa-key-code] BAF53AF3 63B1FB17 F01E4933 00BE2EEA A272CD78
[3Com-rsa-key-code] C289B7DD 2BE0F7AD
86 CHAPTER 4: SSH CONFIGURATION EXAMPLE

[3Com-rsa-key-code] 0203
[3Com-rsa-key-code] 010001
[3Com-rsa-key-code] public-key-code end
[3Com-rsa-public-key] peer-public-key end
[3Com]

# Specify the host public key pair name of the server.

[3Com] ssh client 10.165.87.136 assign rsa-key Switch002

# Establish the SSH connection to server 10.165.87.136.

[3Com] ssh2 10.165.87.136

Username: client001
Trying 10.165.87.136 ...
Press CTRL+K to abort
Connected to 10.165.87.136 ...

*************************************************************************
* Copyright(c) 2004-2006 Hangzhou 3Com Technologies Co., Ltd. *
* Without the owner’s prior written consent, *
* no decompiling or reverse-switch fabricering shall be allowed. *
*************************************************************************

<3Com>
 ROUTING OVERVIEW
5

Overview

Static Routing and Static routing

Routing Protocols Static routing features zero overhead, simple configuration, and is applicable to
simple and stable networks. But it requires human intervention when the network
topology changes.

RIP
RIP is easy to configure and is insensitive to CPU and memory, so it is applicable to
small and medium sized networks. However, it converges slowly and cannot
eliminate route loops completely. In addition, periodic RIP updating multicasts or
broadcasts consume many network resources.

OSPF
OSPF is complicated to configure and requires high-performance CPU and
memory. It is applicable to medium and large sized networks. OSPF converges fast
and can eliminate route loops completely. It supports area partition and provides
hierarchical route management.

BGP
BGP runs between ASs. Although complicated to configure, BGP features high
reliability, stability, and scalability, has flexible and powerful routing policies and
eliminates route loops completely.

Routing Protocols
Table 22 Routing protocols supported by the 3Com stackable switches
Supported by the 3Com
Stackable Switches Model\Routing Protocols RIP OSPF BGP
Switch 4500 √ - -
Switch 5500 √ √ -
Switch 5500Gs √ √ √

Configuration
Example

n ■

■
This configuration example uses the Switch 5500G.
For configuration precautions, see the configuration guide and command
reference guide of the applicable switch.
88 CHAPTER 5: ROUTING OVERVIEW

Configuration Task List

Table 23 Configuration task List

Task Details
Static route configuration “Static Route Configuration” on page
88
RIP configuration “RIP Configuration” on page 88
OSPF configuration “OSPF Configuration” on page 93
BGP configuration “BGP Configuration” on page 101

Static Route
Table 24 Configure a static route
Configuration
Operation Command Remarks
Enter system view system-view -
Configure a static ip route-static ip-address { mask | Required
route mask-length } { interface-type
By default, the system can
interface-number | next-hop }
obtain the route to the
[ preference preference-value ] [ reject |
subnet directly connected
blackhole ] [ detect-group group
to the router.
number ] [ description text ]

RIP Configuration
Table 25 RIP configuration tasks

Configuration task Remarks Related section

Configuring basic RIP Enabling RIP Required “Configuring Basic
functions RIP Functions” on
page 89
Setting the RIP Optional “Setting the RIP
operating status on an operating status on
interface an interface” on
page 90
Specifying a RIP version Optional “Specifying the RIP
version on an
interface” on page
90
 Configuration Example 89

Table 25 RIP configuration tasks

Configuration task Remarks Related section

Configuring RIP route Setting the additional Optional “Setting the
control routing metrics of an additional routing
interface metrics of an
interface” on page
90
Configuring RIP route Optional “Configuring RIP
summarization route
summarization” on
page 91
Disabling the receiving Optional “Disabling the
of host routes router from
receiving host
routes” on page 91
Configuring RIP to Optional “Configuring RIP to
filter filter
incoming/outgoing incoming/outgoing
routes routes” on page 91
Setting RIP preference Optional “Setting RIP
preference” on
page 91
Enabling load sharing Optional “Enabling load
among interfaces sharing among RIP
interfaces” on page
92
Configuring RIP to Optional “Configuring RIP to
import routes from redistribute routes
another protocol from another
protocol” on page
92
Adjusting and Configuring RIP timers Optional “Configuring RIP
optimizing a RIP timers” on page 92
network
Configuring split Optional “Configuring split
horizon horizon” on page
92
Configuring RIP-1 Optional “Configuring RIP-1
packet zero field check packet zero field
check” on page 92
Setting RIP-2 packet Optional “Setting RIP-2
authentication mode packet
authentication
mode” on page 93
Configuring RIP to Optional “Configuring RIP to
unicast packets unicast RIP packets”
on page 93

Configuring Basic RIP Functions

Table 26 Enable RIP on the interfaces attached to a specified network segment

Operation Command Remarks

Enter system view system-view -
Enable RIP and enter RIP view rip Required
Enable RIP on the specified network network-address Required
interface
Disabled by default.
90 CHAPTER 5: ROUTING OVERVIEW

Setting the RIP operating status on an interface

Table 27 Set the RIP operating status on an interface

Operation Command Remarks

Enter system view system-view -
Enter interface view interface interface-type -
interface-number
Enable the interface to receive rip input Optional
RIP update packets
By default, all interfaces are
Enable the interface to send rip output allowed to send and receive
RIP update packets RIP update packets.
Enable the interface to receive rip work
and send RIP update packets

Specifying the RIP version on an interface

Table 28 Specify the RIP version on an interface

Operation Command Remarks

Enter system view system-view -
Enter interface view interface interface-type -
interface-number
Specify the version of the RIP rip version { 1 | 2 Optional
running on the interface [ broadcast | multicast ] }
By default, the version of the
RIP running on an interface is
RIP-1.

Setting the additional routing metrics of an interface

Additional metric is the metric added to the original metrics of RIP routes on an
interface. It does not directly change the metric value of a RIP route in the routing
table of a router, but will be added to incoming or outgoing RIP routes on the
interface.
Table 29 Set additional routing metric

Operation Command Remarks

Enter system view system-view -
Enter interface view interface interface-type -
interface-number
Set the additional routing rip metricin value Optional
metric to be added for
By default, the additional
incoming RIP routes on this
routing metric added for
interface
incoming routes on an
interface is 0.
Set the additional routing rip metricout value Optional
metric to be added for
By default, the additional
outgoing RIP routes on this
routing metric added for
interface
outgoing routes on an
interface is 1.
 Configuration Example 91

Configuring RIP route summarization

Table 30 Configure RIP route summarization

Operation Command Remarks

Enter system view system-view -
Enter RIP view rip -
Enable RIP-2 automatic route summary Required
summarization
By default, RIP-2 automatic route
summarization is enabled.

Disabling the router from receiving host routes

Table 31 Disable the router from receiving host routes

Operation Command Remarks

Enter system view system-view -
Enter RIP view rip -
Disable the router from undo host-route Required
receiving host routes
By default, the router receives
host routes.

Configuring RIP to filter incoming/outgoing routes

Table 32 Configure RIP to filter incoming/outgoing routes

Operation Command Remarks

Enter system view system-view -
Enter RIP view rip -
Configure RIP to filter filter-policy { acl-number | Required
incoming routes ip-prefix ip-prefix-name [ gateway
By default, RIP does not filter
ip-prefix-name ] | route-policy
any incoming route.
route-policy-name } import
The gateway keyword is
filter-policy gateway
used to filter the incoming
ip-prefix-name import
routes advertised from a
specified address.
Configure RIP to filter filter-policy { acl-number | Required
outgoing routes ip-prefix ip-prefix-name } export
By default, RIP does not filter
[ protocol ] [ process-id ]
any outgoing route.
filter-policy route-policy
route-policy-name export

Setting RIP preference

Table 33 Set RIP preference

Operation Command Remarks

Enter system view system-view -
Enter RIP view rip -
Set the RIP preference preference value Required
The default RIP preference is 100.
92 CHAPTER 5: ROUTING OVERVIEW

Enabling load sharing among RIP interfaces

Table 34 Enable load sharing among RIP interfaces

Operation Command Remarks

Enter system view system-view -
Enter RIP view rip -
Enable load sharing among traffic-share-across-interfac Required
RIP interfaces e
By default, load sharing
among RIP interfaces is
disabled

Configuring RIP to redistribute routes from another protocol

Table 35 Configure RIP to import routes from another protocol

Operation Command Remarks

Enter system view system-view -
Enter RIP view rip -
Configure a default cost for default cost value Optional
an incoming route
1 by default.
Configure RIP to redistribute import-route protocol Required
routes from another protocol [ process-id ] [ cost value |
By default, RIP does
route-policy
redistribute any route from
route-policy-name ]*
other protocols.

Configuring RIP timers

Table 36 Configure RIP timers

Operation Command Remarks

Enter system view system-view -
Enter RIP view rip -
Set the RIP timers timers { update update-timer Required
| timeout timeout-timer } *
By default, the Update timer is set
30 seconds and the Timeout timer
to 180 seconds.

Configuring split horizon

Table 37 Configure split horizon

Operation Command Remarks

Enter system view system-view -
Enter interface view interface interface-type -
interface-number
Enable split horizon rip split-horizon Required
Enabled by default.

Configuring RIP-1 packet zero field check

Table 38 Configure RIP-1 packet zero field check

Operation Command Remarks

Enter system view system-view -
 Configuration Example 93

Table 38 Configure RIP-1 packet zero field check

Operation Command Remarks

Enter RIP view rip -
Enable the check of the “must checkzero Required
be zero” field in RIP-1 packets
Enabled by default.

Setting RIP-2 packet authentication mode

Table 39 Set RIP-2 packet authentication mode

Operation Command Remarks

Enter system view system-view -
Enter interface view interface -
interface-type
interface-number
Set RIP-2 packet rip Required
authentication mode authentication-mode
If you specify to use MD5 authentication, you
{ simple password |
must specify one of the following MD5
md5 { rfc2453
authentication types:
key-string | rfc2082
key-string key-id } } ■ rfc2453 (this type supports the packet
format defined in RFC 2453)
■ rfc2082 (this type supports the packet
format defined in RFC 2082)

Configuring RIP to unicast RIP packets

Table 40 Configure RIP to unicast RIP packets

Operation Command Remarks

Enter system view system-view -
Enter RIP view rip -
Configure RIP to unicast RIP peer ip-address Required
packets
When RIP runs on the link that does not
support broadcast or multicast, you must
configure RIP to unicast RIP packets.

OSPF Configuration
Table 41 OSPF configuration tasks

Configuration task Remarks Related section

Basic OSPF configuration Required “Basic OSPF
configuration” on
page 95
OSPF area attribute configuration Optional “Configuring OSPF
Area Attributes” on
page 95
94 CHAPTER 5: ROUTING OVERVIEW

Table 41 OSPF configuration tasks

Configuration task Remarks Related section

OSPF network type Configuring the Optional “Configuring the
configuration network type of an Network Type of an
OSPF interface OSPF Interface” on
page 96
Configuring an Optional “Configuring an
NBMA/P2MP NBMA/P2MP
neighbor Neighbor” on page
96
Configuring the DR Optional “Configuring the DR
priority on an OSPF Priority on an OSPF
interface Interface” on page
97
OSPF route control Configuring OSPF Optional “Configuring OSPF
route Route
summarization Summarization” on
page 97
Configuring OSPF Optional “Configuring OSPF
to filter received to Filter Received
routes Routes” on page 97
Configuring OSPF Optional “Configuring the
interface cost OSPF Cost on an
Interface” on page
98
Configuring OSPF Optional “Configuring OSPF
route priority Route Priority” on
page 98
Configuring the Optional “Configuring the
maximum number Maximum Number
of OSPF ECMP of OSPF ECMP
routes Routes” on page 98
Configuring OSPF Optional “Configuring OSPF
to redistribute to Redistribute
external routes External Routes” on
page 98
 Configuration Example 95

Table 41 OSPF configuration tasks

Configuration task Remarks Related section

OSPF network adjustment Configuring OSPF Optional “Configuring OSPF
and optimization timers Timers” on page 99
Configuring the Optional “Configure the LSA
LSA transmission transmission delay”
delay on page 99
Configuring the Optional “Configuring the SPF
SPF calculation Calculation Interval”
interval on page 100
Disabling OSPF Optional “Disabling OSPF
packet Packet Transmission
transmission on an on an Interface” on
interface page 100
Configuring OSPF Optional “Configuring OSPF
authentication Authentication” on
page 100
Configuring the Optional “Configuring the
MTU field in DD MTU Field in DD
packets Packets” on page
101
Enabling OSPF Optional “Enabling OSPF
logging of Logging of Neighbor
neighbor state State Changes” on
changes page 101
Configuring OSPF Optional “Configuring OSPF
network Network
management Management” on
page 101

Basic OSPF configuration

Table 42 Basic OSPF configuration

Operation Command Remarks

Enter system view system-view -
Configure the router ID router id router-id Optional
If multiple OSPF processes run on a
router, you are recommended to
use the router-id keyword in the
ospf command to specify different
router IDs for different processes.
Enable OSPF and enter OSPF ospf [ process-id Required
view [ router-id router-id ] ]
Enter OSPF view.
Enter OSPF area view area area-id -
Configure the network network ip-address Required
segments in the area wildcard-mask
By default, an interface does not
belong to any area.

Configuring OSPF Area Attributes

Table 43 Configure OSPF area attributes

Operation Command Remarks

Enter system view system-view -
96 CHAPTER 5: ROUTING OVERVIEW

Table 43 Configure OSPF area attributes

Operation Command Remarks

Enter OSPF view ospf [ process-id [ router-id -
router-id ] ]
Enter OSPF area view area area-id -
Configure the current area stub [ no-summary ] Optional
to be a stub area
By default, no area is configured
as a stub area.
Configure the current area nssa Optional
to be an NSSA area [ default-route-advertise |
By default, no area is configured
no-import-route |
as an NSSA area.
no-summary ] *
Configure the cost of the default-cost cost Optional
default route transmitted by
This can be configured on an ABR
OSPF to a stub or NSSA area
only. By default, the cost of the
default route to a stub or NSSA
area is 1.
Create and configure a vlink-peer router-id [ hello Optional
virtual link seconds | retransmit
For a virtual link to take effect,
seconds | trans-delay
you need to use this command at
seconds | dead seconds |
both ends of the virtual link and
simple password | md5
ensure consistent configurations
keyid key ] *
of the hello, dead, and other
parameters at both ends.

Configuring the Network Type of an OSPF Interface

Table 44 Configure the network type of an OSPF interface

Operation Command Remarks

Enter system view system-view -
Enter interface view interface interface-type -
interface-number
Configure the network type ospf network-type Optional
of the OSPF interface { broadcast | nbma | p2mp
By default, the network type
[ unicast ] | p2p }
of an interface depends on
the physical interface.

Configuring an NBMA/P2MP Neighbor

Table 45 Configure NBMA/P2MP neighbor

Operation Command Remarks

Enter system view system-view -
Enter OSPF view ospf [ process-id [ router-id Required
router-id ] ]
Configure an NBMA/P2MP peer ip-address [ dr-priority Required
neighbor dr-priority ]
By default, the priority for the
neighbor of an NBMA
interface is 1.
 Configuration Example 97

Configuring the DR Priority on an OSPF Interface

Table 46 Configure the DR priority on an OSPF interface

Operation Command Remarks

Enter system view system-view -
Enter interface view interface interface-type -
interface-number
Configure the DR priority on ospf dr-priority priority Optional
the OSPF interface
The default DR priority is 1.

Configuring OSPF Route Summarization

Table 47 Configure ABR route summarization

Operation Command Remarks

Enter system view system-view -
Enter OSPF view ospf [ process-id [ router-id -
router-id ] ]
Enter area view area area-id -
Enable ABR route abr-summary ip-address mask Required
summarization [ advertise | not-advertise ]
This command takes effect only
when it is configured on an ABR. By
default, this function is disabled on
an ABR.

Table 48 Configure ASBR route summarization

Operation Command Remarks

Enter system view system-view -
Enter OSPF view ospf [ process-id [ router-id -
router-id ] ]
Enable ASBR route asbr-summary ip-address Required
summarization mask [ not-advertise | tag
This command takes effect only
value ]
when it is configured on an ASBR.
By default, summarization of
imported routes is disabled.

Configuring OSPF to Filter Received Routes

Table 49 Configure OSPF to filter received routes

Operation Command Remarks

Enter system view system-view -
Enter OSPF view ospf [ process-id [ router-id -
router-id ] ]
Configure to filter the filter-policy { acl-number | Required
received routes ip-prefix ip-prefix-name |
By default, OSPF does not
gateway ip-prefix-name }
filter received routing
import
information.
98 CHAPTER 5: ROUTING OVERVIEW

Configuring the OSPF Cost on an Interface

Table 50 Configure the OSPF cost on an interface

Operation Command Remarks

Enter system view system-view -
Enter interface view interface interface-type -
interface-number
Configure the OSPF cost ospf cost value Optional
on the interface
By default, the interface calculates
the OSPF cost according to the
current baud rate on it. For a VLAN
interface on the switch, a fixed value
of 10 is used.

Configuring OSPF Route Priority

Table 51 Configure OSPF route priority

Operation Command Remarks

Enter system view system-view -
Enter OSPF view ospf [ process-id [ router-id -
router-id ] ]
Configure OSPF route preference [ ase ] value Optional
priority
By default, the OSPF route priority
is 10 and the priority of OSPF ASE
is 150.

Configuring the Maximum Number of OSPF ECMP Routes

Table 52 Configure the maximum number of OSPF ECMP routes

Operation Command Remarks

Enter system view system-view -
Enter OSPF view ospf [ process-id [ router-id -
router-id ] ]
Configure the maximum multi-path-number value Optional
number of OSPF ECMP routes
3 by default.

Configuring OSPF to Redistribute External Routes

Table 53 Configure OSPF to redistribute external routes

Operation Command Remarks

Enter system view system-view -
Enter OSPF view ospf [ process-id [ router-id -
router-id ] ]
Configure OSPF to import-route protocol Required
redistribute routes from [ process-id ] [ cost value |
By default, OSPF does not
another protocol type value | tag value |
import the routing
route-policy
information of other
route-policy-name ] *
protocols.
Configure OSPF to filter filter-policy { acl-number | Optional
outgoing routes ip-prefix ip-prefix-name }
By default, OSPF does not
export [ protocol ]
filter advertised routes.
 Configuration Example 99

Table 53 Configure OSPF to redistribute external routes

Operation Command Remarks

Enable OSPF to import the default-route-advertise Optional
default route [ always | cost value | type
By default, OSPF does not
type-value | route-policy
import the default route.
route-policy-name ]*
Configure the default default { cost value | interval Optional
parameters for redistributed seconds | limit routes | tag
These parameters respectively
routes, including cost, tag | type type } *
default to:
interval, limit, .tag, and type
■ Cost: 1
■ Interval: 1 (second)
■ Limit: 1000
■ Tag: 1
■ Type: 2

Configuring OSPF Timers

Table 54 Configure OSPF timers

Operation Command Remarks

Enter system view system-view -
Enter interface view interface interface-type -
interface-number
Configure the hello interval ospf timer hello seconds Optional
on the interface
By default, p2p and
broadcast interfaces send
Hello packets every 10
seconds; while p2mp and
NBMA interfaces send Hello
packets every 30 seconds.
Configure the poll interval on ospf timer poll seconds Optional
the NBMA interface
By default, poll packets are
sent every 40 seconds.
Configure the dead time of ospf timer dead seconds Optional
the neighboring router on the
By default, the dead time for
interface
the OSPF neighboring router
on a p2p or broadcast
interface is 40 seconds and
that for the OSPF neighboring
router on a p2mp or NBMA
interface is 120 seconds.
Configure the interval for ospf timer retransmit Optional
retransmitting an LSA on an interval
By default, this interval is five
interface
seconds.

Configure the LSA transmission delay

Table 55 Configure the LSA transmission delay

Operation Command Remarks

Enter system view system-view -
Enter interface view interface interface-type -
interface-number
100 CHAPTER 5: ROUTING OVERVIEW

Table 55 Configure the LSA transmission delay

Operation Command Remarks

Configure the LSA ospf trans-delay seconds Optional
transmission delay
By default, the LSA
transmission delay is one
second.

Configuring the SPF Calculation Interval

Table 56 Configure the SPF calculation interval

Operation Command Remarks

Enter system view system-view -
Enter OSPF view ospf [ process-id [ router-id -
router-id ] ]
Configure the SPF calculation spf-schedule-interval Optional
interval interval
By default, the SPF calculation
interval is five seconds.

Disabling OSPF Packet Transmission on an Interface

Table 57 Disable OSPF packet transmission on an interface

Operation Command Remarks

Enter system view system-view -
Enter OSPF view ospf [ process-id [ router-id -
router-id ] ]
Disable OSPF packet silent-interface Optional
transmission on a specified silent-interface-type
By default, all the interfaces
interface silent-interface-number
are allowed to transmit OSPF
packets.

Configuring OSPF Authentication

Table 58 Configure OSPF authentication

Operation Command Remarks

Enter system view system-view -
Enter OSPF view ospf [ process-id [ router-id -
router-id ] ]
Enter OSPF area view area area-id -
Configure the authentication authentication-mode Required
mode of the OSPF area { simple | md5 }
By default, no authentication
mode is configured for an
area.
Return to OSPF view quit -
Return to system view quit -
Enter interface view interface interface-type -
interface-number
Configure the authentication ospf authentication-mode Optional
mode of the OSPF interface { simple password | md5
By default, OSPF packets are
key-id key }
not authenticated on an
interface.
 Configuration Example 101

Configuring the MTU Field in DD Packets

Table 59 Configure to fill the MTU field when an interface transmits DD packets

Operation Command Remarks

Enter system view system-view -
Enter Ethernet interface view interface interface-type Required
interface-number
Enable the interface to fill in ospf mtu-enable Optional
the MTU field when
By default, the MTU value is 0
transmitting DD packets
when an interface transmits
DD packets. That is, the actual
MTU value of the interface is
not filled in.

Enabling OSPF Logging of Neighbor State Changes

Table 60 Enable OSPF logging of neighbor state changes

Operation Command Remarks

Enter system view system-view -
Enter OSPF view ospf [ process-id [ router-id -
router-id ] ]
Enable the OSPF logging of log-peer-change Required
neighbor state changes
Disabled by default.

Configuring OSPF Network Management

Table 61 Configure OSPF network management (NM)

Operation Command Remarks

Enter system view system-view -
Configure OSPF MIB binding ospf mib-binding process-id Optional
By default, OSPF MIB is bound
to the first enabled OSPF
process.
Enable OSPF Trap sending snmp-agent trap enable Optional
ospf [ process-id ] [ ifauthfail
You can configure OSPF to
| ifcfgerror | ifrxbadpkt |
send diversified SNMP TRAP
ifstatechange |
messages and specify a
iftxretransmit |
certain OSPF process to send
lsdbapproachoverflow |
SNMP TRAP messages by
lsdboverflow | maxagelsa |
process ID.
nbrstatechange |
originatelsa | vifauthfail |
vifcfgerror | virifrxbadpkt |
virifstatechange |
viriftxretransmit |
virnbrstatechange ]*

BGP Configuration
Table 62 BGP configuration tasks

Configuration task Remarks Related section

Configuring Basic BGP Functions Required “Configuring Basic BGP
Functions” on page
102
102 CHAPTER 5: ROUTING OVERVIEW

Table 62 BGP configuration tasks

Configuration task Remarks Related section

Configuring the way to Importing routes Optional “Importing Routes” on
advertise/receive routing page 103
information
Configuring route Optional “Configuring BGP
aggregation Route Aggregation” on
page 103
Enabling Default Optional “Enabling Default
Route Advertising Route Advertising” on
page 104
Configuring route Optional “Configuring route
reception filtering reception filtering
policies policies” on page 104
Configure route Optional “Configure route
advertisement advertisement filtering
filtering policies policies” on page 105
Disable BGP-IGP Optional “Disable BGP-IGP Route
Route Synchronization” on
Synchronization page 105
Configuring BGP Optional “Configuring BGP
Route Dampening Route Dampening” on
page 106
Configuring BGP route attributes Optional “Configuring BGP
Route Attributes” on
page 106
Adjusting and optimizing a BGP network Optional “Adjusting and
Optimizing a BGP
Network” on page 107
Configure a large-scale BGP Configuring BGP Required “Configuring BGP Peer
network Peer Group Group” on page 108
Configuring BGP Required “Configuring BGP
Community Community” on page
109
Configuring BGP Optional “Configuring BGP
RR Route Reflector (RR)”
on page 109
Configuring BGP Optional “Configuring BGP
Confederation Confederation” on
page 110

Configuring Basic BGP Functions

Table 63 Configure basic BGP functions

Operation Command Description

Enter system view system-view -
Enable BGP and enter BGP bgp as-number Required
view
By default, BGP is disabled.
Specify the AS number for the peer group-name as-number By default, a peer is not
BGP peers as-number assigned an AS number.
Assign a description string for peer { group-name | Optional
a BGP peer/a BGP peer group ip-address } description
By default, a peer/a peer
description-text
group is not assigned a
description string.
 Configuration Example 103

Table 63 Configure basic BGP functions

Operation Command Description

Activate a specified BGP peer peer { group-name | Optional
ip-address } enable
By default, a BGP peer is
active.
Enable BGP logging log-peer-change Optional
By default, BGP logging is
enabled.
Specify the source interface peer { group-name | Optional
for route update packets ip-address }
By default, the source
connect-interface
interface of the optimal route
interface-type
update packets is used as the
interface-number
source interface.
Allow routers that belong to peer group-name Optional
non-directly connected ebgp-max-hop [ hop-count ]
By default, routers that
networks to establish EBGP
belong to two non-directly
connections.
connected networks cannot
establish EBGP connections.
You can configure the
maximum hops of EBGP
connection by specifying the
hop-count argument.

Importing Routes
Table 64 Import routes

Operation Command Description

Enter system view system-view -
Enable BGP, and enter BGP bgp as-number -
view
Import the default route to default-route imported Optional
the BGP routing table
By default, BGP does not
import default routes to the
BGP routing table.
Import and advertise routing import-route protocol Required
information generated by [ process-id ] [ med
By default, BGP does not
other protocols. med-value | route-policy
import nor advertise the
route-policy-name ]*
routing information
generated by other protocols.
Advertise network segment network network-address Optional
routes to BGP routing table [ mask ] [route-policy
By default, BGP does not
route-policy-name ]
advertise any network
segment routes.

Configuring BGP Route Aggregation

Table 65 Configure BGP route aggregation

Operation Command Description

Enter system view system-view -
Enable BGP, and enter BGP view bgp as-number Required
By default, BGP is
disabled.
104 CHAPTER 5: ROUTING OVERVIEW

Table 65 Configure BGP route aggregation

Operation Command Description

Configure BGP Enable automatic summary Required
route route aggregation
By default, routes are not
aggregation
Enable manual aggregate ip-address aggregated.
route aggregation mask [ as-set |
attribute-policy
route-policy-name |
detail-suppressed |
origin-policy
route-policy-name |
suppress-policy
route-policy-name ]*

Enabling Default Route Advertising

Table 66 Enable default rout advertising

Operation Command Description

Enter system view system-view -
Enter BGP view bgp as-number -
Enable default route peer group-name Required
advertising default-route-advertise
By default, a BGP router does
[ route-policy
not send default routes to a
route-policy-name ]
specified peer/peer group.

Configuring route reception filtering policies

Table 67 Configure route reception filtering policies

Operation Command Description

Enter system view system-view -
Enter BGP view bgp as-number -
Configure the global route filter-policy { acl-number | Required
reception filtering policy gateway ip-prefix-name |
By default, the incoming
ip-prefix ip-prefix-name
routing information is not
[ gateway
filtered.
ip-prefix-name ] } import
Reference a routing policy to peer { group-name | Required
filter routes from a peer/peer ip-address } route-policy
By default, no route filtering
group policy-name import
policy is specified for a
peer/peer group.
 Configuration Example 105

Table 67 Configure route reception filtering policies

Operation Command Description

Filter the Reference an peer { group-name | Required
routing ACL to filter ip-address } filter-policy
By default, no ACL-based BGP
information BGP routes acl-number import
route filtering policy, AS path
from a from a
ACL-based BGP route filtering
peer/peer peer/peer
policy, or IP prefix list-based
group group
BGP route filtering policy is
Reference an peer { group-name | configured for a peer/peer
AS path ACL to ip-address } as-path-acl group.
filter routes acl-number import
from a
peer/peer
group
Reference an IP peer { group-name |
prefix list to ip-address } ip-prefix
filter routes ip-prefix-name import
from a
peer/peer
group

Configure route advertisement filtering policies

Table 68 Configure route advertisement filtering policies

Operation Command Description

Enter system view system-view -
Enter BGP view bgp as-number -
Configure the global route filter-policy { acl-number | Required
advertisement filtering policy ip-prefix ip-prefix-name }
By default, advertised routes
export [ protocol
are not filtered.
[ process-id ] ]
Reference a routing policy to peer group-name Required
filter the routes to a peer route-policy
By default, no route advertising
group route-policy-name export
policy is specified for the routes
advertised to a peer group.
Filter the Reference an peer group-name Required
routing ACL to filter filter-policy acl-number
Not configured by default
information BGP routes to export
to a peer a peer group
group
Reference an peer group-name
AS path ACL as-path-acl acl-number
to filter BGP export
routes to a
peer group
Reference an peer group-name ip-prefix
IP prefix list ip-prefix-name export
to filter BGP
routes to a
peer group

Disable BGP-IGP Route Synchronization

Table 69 Disable BGP-IGP route synchronization

Operation Command Description

Enter system view system-view -
Enter BGP view bgp as-number -
106 CHAPTER 5: ROUTING OVERVIEW

Table 69 Disable BGP-IGP route synchronization

Operation Command Description

Disable BGP-IGP route undo synchronization Required
synchronization
By default, BGP routes and
IGP routes are not
synchronized.

Configuring BGP Route Dampening

Table 70 Configure BGP route dampening

Operation Command Description

Enter system view system-view -
Enter BGP view bgp as-number -
Configure BGP route dampening Required
dampening-related [ half-life-reachable
By default, route dampening is
parameters half-life-unreachable reuse
disabled. Other default route
suppress ceiling ]
dampening-related parameters are as
[ route-policy
follows.
route-policy-name ]
■ half-life-reachable: 15 (in
minutes)
■ half-life-unreachable: 15 (in
minutes)
■ reuse: 750
■ suppress: 2000
■ ceiling: 16,000

Configuring BGP Route Attributes

Table 71 Configure BGP route attributes

Operation Command Description

Enter system view system-view -
Enter BGP view bgp as-number -
Configure the management preference of preference ebgp-value Optional
the exterior, interior and local routes ibgp-value local-value
By default, the
management
preference of the
exterior, interior
and local routes is
256, 256, and 130.
Set the default local preference default Optional
local-preference value
By default, the local
preference defaults
to 100.
 Configuration Example 107

Table 71 Configure BGP route attributes

Operation Command Description

Configure Configure the default local MED default med med-value Optional
the MED value
By default, the
attribute
med-value
argument is 0.
Permit to compare the MED compare-different-as- Optional
values of the routes coming from med
By default, the
the neighbor routers in different
compare of MED
ASs.
values of the routes
coming from the
neighbor routers in
different ASs is
disabled.
Configure the local address as the next hop peer group-name Required
address when a BGP router advertises a next-hop-local
In some network,
route.
to ensure an IBGP
neighbor locates
the correct next
hop, you can
configure the next
hop address of a
route to be the
local address for a
BGP router to
advertise route
information to IBGP
peer groups.
Configure the AS_Path Configure the peer { group-name | Optional
attribute number of local AS ip-address }
By default, the
number allow-as-loop [ number ]
number of local AS
occurrences
number
allowed
occurrences
allowed is 1.
Assign an AS peer group-name Optional
number for a peer as-number as-number
By default, the local
group
AS number is not
assigned to a peer
group.
Configure that the peer group-name Optional
BGP update packets public-as-only
By default, a BGP
only carry the pubic
update packet
AS number in the
carries the private
AS_Path attribute
AS number.
when a peer sends
BGP update packets
to BGP peers.

Adjusting and Optimizing a BGP Network

Table 72 Adjust and optimize a BGP network

Operation Command Description

Enter system view system-view -
Enter BGP view bgp as-number -
108 CHAPTER 5: ROUTING OVERVIEW

Table 72 Adjust and optimize a BGP network

Operation Command Description

Configure Configure the timer keepalive Optional
BGP timer Keepalive time and keepalive-interval hold
By default, the keepalive
Holdtime of BGP. holdtime-interval
time is 60 seconds, and
Configure the peer { group-name | holdtime is 180 seconds. The
Keepalive time and ip-address } timer priority of the timer
holdtime of a keepalive configured by the timer
specified peer/peer keepalive-interval hold command is lower than that
group. holdtime-interval of the timer configured by
the peer time command.
Configure the interval at which a peer group-name Optional
peer group sends the same route route-update-interval
By default, the interval at
update packet seconds
which a peer group sends
the same route update
packet to IBGP peers is 15
seconds, and to EBGP peers
is 30 seconds.
Configure the number of route peer { group-name | Optional
prefixes that can be learned from a ip-address } route-limit
By default, there is no limit
BGP peer/peer group prefix-number
on the number of route
[ { alert-only | reconnect
prefixes that can be learned
reconnect-time } |
from the BGP peer/peer
percentage-value ] *
group.
Perform soft refreshment of BGP return -
connection manually
refresh bgp { all | Optional
ip-address | group
group-name }
[ multicast ] { import |
export }
system-view Enter BGP view again
bgp as-number
Configure BGP to perform MD5 peer { group-name | Optional
authentication when establishing ip-address } password
By default, BGP dose not
TCP connection { cipher | simple }
perform MD5 authentication
password
when establishing TCP
connection.

Configuring BGP Peer Group

Table 73 Configure BGP peer group

Operation Command Description

Enter system view system-view -
Enter BGP view bgp as-number -
Create an Create an IBGP peer group group-name Optional
IBGP peer group [ internal ]
If the command is executed
group
Add a peer to a peer peer ip-address group without the internal or
group group-name external keyword, an IBGP
[ as-number peer group will be created. You
as-number ] can add multiple peers to the
group, and the system will
automatically create a peer in
BGP view, and configure its AS
number as the local AS
number.
 Configuration Example 109

Table 73 Configure BGP peer group

Operation Command Description

Create an Create an EBGP peer group group-name Optional
EBGP peer group external
You can add multiple peers to
group
Configure the AS peer group-name the group. The system
number of a peer as-number as-number automatically creates the peer
group in BGP view and specifies its AS
number as the one of the peer
Add a peer to a peer peer ip-address group
group.
group group-name
[ as-number
as-number ]
Create a Create an EBGP peer group group-name Optional
hybrid group external
You can add multiple peers to
EBGP peer
Add a peer to a peer peer ip-address group the peer group.
group
group group-name
[ as-number
as-number ]
Finish the session with the peer { group-name | Optional
specified peer/peer group ip-address } shutdown

Configuring BGP Community

Table 74 Configure BGP community

Operation Command Description

Enter system view system-view -
Enter BGP view bgp as-number -
Configure the peers to peer group-name Required
advertise community advertise-community
By default, no community
attribute to each other
attribute or extended community
attribute is advertised to any peer
group.
Specify routing policy for peer group-name Required
the routes exported to the route-policy
By default, no routing policy is
peer group route-policy-name export
specified for the routes exported
to the peer group.

Configuring BGP Route Reflector (RR)

Table 75 Configure BGP RR

Operation Command Description

Enter system view system-view -
Enter BGP view bgp as-number -
Configure the local router as peer group-name Required
the RR and configure the peer reflect-client
By default, no RR or its client
group as the client of the RR
is configured.
Enable route reflection reflect between-clients Optional
between clients
By default, route reflection is
enabled between clients.
Configure cluster ID of an RR reflector cluster-id cluster-id Optional
By default, an RR uses its own
router ID as the cluster ID.
110 CHAPTER 5: ROUTING OVERVIEW

Configuring BGP Confederation

Table 76 Configure BGP confederation

Operation Command Description

Enter system view system-view -
Enter BGP view bgp as-number -
Basic BGP Configure confederation id Required
confederation confederation ID as-number
By default, no confederation ID
configuration
Specify the confederation is configured and no sub-AS is
sub-ASs peer-as as-number-list configured for a confederation.
included in a
confederation
Configure the compatibility of a confederation Optional
confederation nonstandard
By default, the confederation
configured is consistent with
the RFC 1965.

Route Policy
Table 77 Route Policy Configuration
Configuration
Configuration task Remarks Related section
Configure an IP-prefix list Configuring an Optional “Configuring an
ip-prefix list ip-prefix list” on
page 110
AS path list Optional “AS path list
configuration configuration”
on page 111
Community list Optional “Community list
configuration configuration”
on page 111
Define a routing policy Defining a Routing Required “Defining a
Policy Routing Policy”
on page 111
Define if-match Optional “Define if-match
clauses clauses” on
page 111
Define apply clauses Optional “Define apply
clauses” on
page 112

Configuring an ip-prefix list

Table 78 Configure an IPv4 IP-prefix list

Operation Command Remarks

Enter system view system-view -
Configure an IPv4 ip ip-prefix ip-prefix-name [ index Required
IP-prefix list index-number ] { permit | deny }
By default, no IP-prefix list is
network len [ greater-equal
specified.
greater-equal | less-equal
less-equal ]
 Configuration Example 111

AS path list configuration

Table 79 AS path list configuration

Operation Command Description

Enter system view system-view -
Configure AS path list ip as-path-acl acl-number Optional
{ permit | deny }
By default, no AS path list is
as-regular-expression
defined

Community list configuration

Table 80 Community list configuration

Operation Command Description

Enter system view system-view -
Configure basic community ip community-list Optional
list basic-comm-list-number
By default, no BGP
{ permit | deny } [ aa:nn |
community list is defined
internet |
no-export-subconfed |
no-advertise | no-export ]*
Configure advanced ip community-list Optional
community list adv-comm-list-number
By default, no BGP
{ permit | deny }
community list is defined
comm-regular-expression

Defining a Routing Policy

Table 81 Define a routing policy

Operation Command Remarks

Enter system view system-view -
Define a routing policy and route-policy Required
enter the routing policy view route-policy-name { permit |
By default, no routing policy is
deny } node node-number
defined.

Define if-match clauses

Table 82 Define if-match clauses

Operation Command Description

Enter system view system-view -
Enter the route-policy view route-policy Required
route-policy-name { permit |
deny } node node-number
Define a rule to match AS if-match as-path Optional
path of BGP routing as-path-number
information
Define a rule to match if-match community Optional
community attributes of BGP { basic-community-number
routing information [ whole-match ] |
adv-community-number }
Define a rule to match the IP if-match { acl acl-number | Optional
address of routing ip-prefix ip-prefix-name }
By default, no matching is
information
performed on the address of
routing information.
112 CHAPTER 5: ROUTING OVERVIEW

Table 82 Define if-match clauses

Operation Command Description

Define a rule to match the if-match cost value Optional
routing cost of routing
By default, no matching is
information
performed on the routing cost
of routing information.
Define a rule to match the if-match interface Optional
next-hop interface of routing interface-type
By default, no matching is
information interface-number
performed on the next-hop
interface of routing
information.
Define a rule to match the if-match ip next-hop { acl Optional
next-hop address of routing acl-number | ip-prefix
By default, no matching is
information ip-prefix-name }
performed on the next-hop
address of routing
information.
Define a rule to match the tag if-match tag value Optional
field of OSPF routing
By default, no matching is
information
performed on the tag field of
OSPF routing information.

Define apply clauses

Table 83 Define apply clauses

Operation Command Description

Enter system view system-view -
Enter the route-policy view route-policy Required
route-policy-name { permit |
deny } node node-number
Add specified AS number for apply as-path as-number-1 Optional
as-path in BGP routing [ as-number-2 [ as-number-3
information ... ] ]
Configure community apply community { none | Optional
attributes for BGP routing [ aa:nn ]
information [ no-export-subconfed |
no-export | no-advertise ]*
[ additive ] }
Set next hop IP address for apply ip next-hop ip-address Optional
routing information
Set local preference of BGP apply local-preference Optional
routing information local-preference
Define an action to set the apply cost value Optional
cost of routing information
By default, no action is
defined to set the routing cost
of routing information.
Set route cost type for routing apply cost-type [ internal | Optional
information external ]
Set route source of BGP apply origin { igp | egp Optional
routing information as-number | incomplete }
Define an action to set the tag apply tag value Optional
field of routing information
By default, no action is
defined to set the tag field of
OSPF routing information.
 Configuration Examples 113

Configuration
Examples

n The following configuration examples use the Switch 5500Gs.

Static Routing Network requirements

Configuration Example
1 Requirement analysis:
A small company requires any two nodes in its network communicate with each
other. The network should be simple and stable. The customer hopes to make the
best use of the existing devices that do not support dynamic routing protocols.
Based on the customer requirements and networking environment, configure
static routes to realize network interconnection.
2 Network diagram
Figure 51 shows the network diagram.

Figure 51 Network diagram for static route configuration

Host A

1.1.5 .2/24
1.1.5.1 /24

1 .1.2.2/24 1.1 .3.1/24

Switch C

1 .1.2.1/24 1 .1.3.2/24

1.1.1.1/24 1.1.4.1/24
Switch A Switch B

1.1.1 .2/24 1.1.4.2 /24

Host C Host B

Configuration procedure
Configure the switches:

# Configure static routes on Switch A.

<SwitchA> system-view
[SwitchA] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2
[SwitchA] ip route-static 1.1.4.0 255.255.255.0 1.1.2.2
[SwitchA] ip route-static 1.1.5.0 255.255.255.0 1.1.2.2

# Configure static routes on Switch B.

<SwitchB> system-view
[SwitchB] ip route-static 1.1.2.0 255.255.255.0 1.1.3.1
114 CHAPTER 5: ROUTING OVERVIEW

[SwitchB] ip route-static 1.1.5.0 255.255.255.0 1.1.3.1

[SwitchB] ip route-static 1.1.1.0 255.255.255.0 1.1.3.1

# Configure static routes on Switch C.

<SwitchC> system-view
[SwitchC] ip route-static 1.1.1.0 255.255.255.0 1.1.2.1
[SwitchC] ip route-static 1.1.4.0 255.255.255.0 1.1.3.2

Configure the hosts:

# Configure the default gateway as 1.1.5.1 on host A (omitted).

# Configure the default gateway as 1.1.4.1 on host B (omitted).

# Configure the default gateway as 1.1.1.1 on host C (omitted).

Now any two hosts or switches can communicate with each other.

RIP Configuration Network requirements

Examples
1 Requirement analysis:
A small company requires any two nodes in its network can communicate with
each other. The devices can dynamically adjust to network topology changes.
Based on the customer requirements and networking environment, use RIP to
realize network interconnection.
2 Network diagram
Figure 52 shows the network diagram.

Figure 52 Network diagram for RIP configuration

Vlan-int 2

Switch A

Ethernet

Vlan-int 1

Switch C Switch B

Vlan-int 4 Vlan-int 3
Device Interface IP Address Device Interface IP Address
Switch A Vlan-int1 110.11.2.1/24 Switch B Vlan-int1 110.11.2.2/24
Vlan-int2 155.10.1.1/24 Vlan-int3 196.38.165.1/24
Switch C Vlan-int1 110.11.2.3/24
Vlan-int4 117.102.0.1/16
 Configuration Examples 115

Configuration procedure

n Only RIP-related configurations are described below. Before performing the

following configurations, make sure that the data link layer works normally and
the IP addresses of the VLAN interfaces have been configured.
1 Configure Switch A.
# Configure RIP.
<SwitchA> system-view
[SwitchA] rip
[SwitchA-rip] network 110.11.2.0
[SwitchA-rip] network 155.10.1.0
2 Configure Switch B.
# Configure RIP.
<Switch> system-view
[SwitchB] rip
[SwitchB-rip] network 196.38.165.0
[SwitchB-rip] network 110.11.2.0
3 Configure Switch C.
# Configure RIP.
<Switch> system-view
[SwitchC] rip
[SwitchC-rip] network 117.102.0.0
[SwitchC-rip] network 110.11.2.0

OSPF DR Configuration Network requirements

Example
1 Requirement analysis
Use OSPF to realize interconnection between devices in a broadcast network.
Devices with higher performance should become the DR and BDR to improve
network performance. Devices with lower performance are forbidden to take part
in DB/BDR election.
Based on the customer requirements and networking environment, assign proper
priorities to interfaces.
2 Network diagram
Figure 53 shows the network diagram.

Figure 53 Network diagram for OSPF DR selection

Switch A Switch D
DR

Vlan- int1 Vlan -int1

Vlan- int1 Vlan-int1

BDR
Switch B Switch C
116 CHAPTER 5: ROUTING OVERVIEW

Device Interface IP address Router ID Interface priority

Switch A Vlan-int1 196.1.1.1/24 1.1.1.1 100
Switch B Vlan-int1 196.1.1.2/24 2.2.2.2 0
Switch C Vlan-int1 196.1.1.3/24 3.3.3.3 2
Switch D Vlan-int1 196.1.1.4/24 4.4.4.4 1

Configuration procedure
# Configure Switch A.
<SwitchA> system-view
[SwitchA] interface Vlan-interface 1
[SwitchA-Vlan-interface1] ip address 196.1.1.1 255.255.255.0
[SwitchA-Vlan-interface1] ospf dr-priority 100
[SwitchA-Vlan-interface1] quit
[SwitchA] router id 1.1.1.1
[SwitchA] ospf
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255

# Configure Switch B.

<SwitchB> system-view
[SwitchB] interface Vlan-interface 1
[SwitchB-Vlan-interface1] ip address 196.1.1.2 255.255.255.0
[SwitchB-Vlan-interface1] ospf dr-priority 0
[SwitchB-Vlan-interface1] quit
[SwitchB] router id 2.2.2.2
[SwitchB] ospf
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255

# Configure Switch C.

<SwitchC> system-view
[SwitchC] interface Vlan-interface 1
[SwitchC-Vlan-interface1] ip address 196.1.1.3 255.255.255.0
[SwitchC-Vlan-interface1] ospf dr-priority 2
[SwitchC-Vlan-interface1] quit
[SwitchC] router id 3.3.3.3
[SwitchC] ospf
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255

# Configure Switch D.

<SwitchD> system-view
[SwitchD] interface Vlan-interface 1
[SwitchD-Vlan-interface1] ip address 196.1.1.4 255.255.255.0
[SwitchD-Vlan-interface1] quit
[SwitchD] router id 4.4.4.4
[SwitchD] ospf
[SwitchD-ospf-1] area 0
[SwitchD-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255

Use the display ospf peer command to display OSPF neighbors on Switch A.
Note that Switch A has three neighbors.
 Configuration Examples 117

The state of each neighbor is full. This means that Switch A has formed
adjacencies with all neighbors. (Switch A and Switch C can act as the DR and BDR
only when they establish adjacencies with all the switches in the network.) Switch
A acts as the DR, while Switch C acts as the BDR. Any other neighbor is DRother
(neither DR nor BDR).

# Change the priority of Switch B to 200.

<SwitchB> system-view
[SwitchB] interface Vlan-interface 1
[SwitchB-Vlan-interface1] ospf dr-priority 200

Use the display ospf peer command to display OSPF neighbors on Switch A.
Note that the priority of Switch B is 200 now, but it is not the DR.

The DR will be reelected only after the current DR fails to work. Shut down Switch
A and use the display ospf peer command to display neighbors on Switch D.
Note that Switch C that used to be the BDR becomes the DR and Switch B
becomes the BDR.

If you shut down and then restart all the switches, Switch B with priority 200 will
be elected as the DR and Switch A with priority 100 will be elected as the BDR,
because such operation triggers a new round of DR/BDR election.

OSPF Virtual Link Network requirements

Configuration Examples
1 Requirement analysis
Devices in the network run OSPF to realize interconnection. The network is split
into three areas: one backbone area and two non-backbone areas (Area 1 and
Area 2). Area 2 has no direct connection to the backbone, and it has to reach the
backbone through Area 1. The customer hopes that Area 2 can interconnect with
other two areas.
Based on the customer requirements and networking environment, use a virtual
link to connect Area 2 to the backbone area.
2 Network diagram
Figure 54 shows the network diagram.

Figure 54 Network diagram for virtual link configuration

Switch A Area 1 Switch B

Vlan-int2

Virtual link

Vlan-int1
Vlan-int1
Area 0 Area 2
118 CHAPTER 5: ROUTING OVERVIEW

Device Interface IP address Router ID

Switch A Vlan-int1 196.1.1.2/24 1.1.1.1
Vlan-int2 197.1.1.2/24 -
Switch B Vlan-int1 152.1.1.1/24 2.2.2.2
Vlan-int2 197.1.1.1/24 -

Configuration procedure
1 Configure OSPF basic functions
# Configure Switch A.
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 196.1.1.2 255.255.255.0
[SwitchA-Vlan-interface1] quit
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 197.1.1.2 255.255.255.0
[SwitchA-Vlan-interface2] quit
[SwitchA] router id 1.1.1.1
[SwitchA] ospf
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] network 197.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit
# Configure Switch B.
<SwitchB> system-view
[SwitchB] interface Vlan-interface 1
[SwitchB-Vlan-interface1] ip address 152.1.1.1 255.255.255.0
[SwitchB-Vlan-interface1] quit
[SwitchB] interface Vlan-interface 2
[SwitchB-Vlan-interface2] ip address 197.1.1.1 255.255.255.0
[SwitchB-Vlan-interface2] quit
[SwitchB] router id 2.2.2.2
[SwitchB] ospf
[SwitchB-ospf-1] area 1
[SwitchB-ospf-1-area-0.0.0.1] network 197.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.1] quit
[SwitchB-ospf-1] area 2
[SwitchB-ospf-1-area-0.0.0.2] network 152.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.2] quit
# Display the OSPF routing table on Switch A
[SwitchA] display ospf routing

OSPF Process 1 with Router ID 1.1.1.1

Routing Tables

Routing for Network

Destination Cost Type NextHop AdvRouter Area
196.1.1.0/24 10 Stub 196.1.1.2 1.1.1.1 0.0.0.0
197.1.1.0/24 10 Net 197.1.1.1 2.2.2.2 0.0.0.1

Total Nets: 2
Intra Area: 2 Inter Area: 0 ASE: 0 NSSA: 0
 Configuration Examples 119

n Since Area2 has no direct connection to Area0, the routing table of RouterA has
no route to Area2.
2 Configure a virtual link
# Configure Switch A.
[SwitchA] ospf
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] vlink-peer 2.2.2.2
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit
# Configure Switch B.
[SwitchB-ospf-1] area 1
[SwitchB-ospf-1-area-0.0.0.1] vlink-peer 1.1.1.1
[SwitchB-ospf-1-area-0.0.0.1] quit
# Display the OSPF routing table on Switch A.
[SwitchA]display ospf routing

OSPF Process 1 with Router ID 1.1.1.1

Routing Tables

Routing for Network

Destination Cost Type NextHop AdvRouter Area
196.1.1.0/24 10 Stub 196.1.1.2 1.1.1.1 0.0.0.0
197.1.1.0/24 10 Net 197.1.1.1 2.2.2.2 0.0.0.1
152.1.1.0/24 20 SNet 197.1.1.1 2.2.2.2 0.0.0.0

Total Nets: 3
Intra Area: 2 Inter Area: 1 ASE: 0 NSSA: 0

Switch A has learned the route 152.1.1.0/24 to Area2.

BGP Confederation Network requirements

Configuration Example
1 Requirement analysis
BGP runs in a large AS of a company. As the number of IBGP peers increases
rapidly in the AS, more network resources for BGP communication are occupied.
The customer hopes to reduce IBGP peers and decrease the CPU and network
resources consumption of BGP without affecting device performance.
Based on user requirements, configure a BGP confederation to achieve the goal.
2 Network diagram
Figure 55 shows the network diagram.
120 CHAPTER 5: ROUTING OVERVIEW

Figure 55 Network diagram for BGP AS confederation configuration

AS 1001 AS 1002
VLAN -int 50
AS 200 Switch B
Switch A

VLAN -int 40 VLAN-int 10

AS 1003
Switch E

VLAN -int 30
VLAN-int 20
Switch C Switch D

AS 100

Device Interface IP address AS

Switch A Vlan-int 10 172.68.10.1/24 100
Vlan-int 50 10.1.1.1/24
Switch B Vlan-int 10 172.68.10.2/24
Switch C Vlan-int 10 172.68.10.3/24
Vlan-int 20 172.68.1.1/24
Vlan-int 30 156.10.1.1/24
Switch D Vlan-int 20 172.68.1.2/24
Switch E Vlan-int 30 156.10.1.2/24 200
Vlan-int 40 8.1.1.1/24

3 Configuration plan
■ Split AS 100 into three sub-ASs: AS 1001, AS 1002, and AS 1003.
■ Run EBGP between AS 1001, AS1002, and AS 1003.
■ AS 1001, AS1002, and AS 1003 are fully meshed within themselves by running
IBGP.
■ Run EBGP between AS 100 and AS 200.

Configuration procedure
# Configure Switch A.
<SwitchA> system-view
[SwitchA] bgp 1001
[SwitchA-bgp] network 10.1.1.0 255.255.255.0
[SwitchA-bgp] confederation id 100
[SwitchA-bgp] confederation peer-as 1002 1003
[SwitchA-bgp] group confed1002 external
[SwitchA-bgp] peer 172.68.10.2 group confed1002 as-number 1002
[SwitchA-bgp] group confed1003 external
[SwitchA-bgp] peer 172.68.10.3 group confed1003 as-number 1003
[SwitchA-bgp] quit

# Configure Switch B.

<SwitchB> system-view
[SwitchB] bgp 1002
 Configuration Examples 121

[SwitchB-bgp] confederation id 100

[SwitchB-bgp] confederation peer-as 1001 1003
[SwitchB-bgp] group confed1001 external
[SwitchB-bgp] peer 172.68.10.1 group confed1001 as-number 1001
[SwitchB-bgp] group confed1003 external
[SwitchB-bgp] peer 172.68.10.3 group confed1003 as-number 1003

# Configure Switch C.

<SwitchC> system-view
[SwitchC] bgp 1003
[SwitchC-bgp] confederation id 100
[SwitchC-bgp] confederation peer-as 1001 1002
[SwitchC-bgp] group confed1001 external
[SwitchC-bgp] peer 172.68.10.1 group confed1001 as-number 1001
[SwitchC-bgp] group confed1002 external
[SwitchC-bgp] peer 172.68.10.2 group confed1002 as-number 1002
[SwitchC-bgp] group ebgp200 external
[SwitchC-bgp] peer 156.10.1.2 group ebgp200 as-number 200
[SwitchC-bgp] group ibgp1003 internal
[SwitchC-bgp] peer 172.68.1.2 group ibgp1003

# Configure Switch D.

<SwitchD> system-view
[SwitchD] bgp 1003
[SwitchD-bgp] confederation id 100
[SwitchD-bgp] group ibgp1003 internal
[SwitchD-bgp] peer 172.68.1.1 group ibgp1003

# Configure Switch E.

<SwitchE> system-view
[SwitchE] bgp 200
[SwitchE-bgp] network 8.1.1.0 255.255.255.0
[SwitchE-bgp] group ebgp100 external
[SwitchE-bgp] peer 156.10.1.1 group ebgp100 as-number 100
[SwitchE-bgp] quit

# Display the BGP routing table on Switch E.

[SwitchE] display bgp routing

Flags: # - valid ^ - active I - internal

D - damped H - history S - aggregate suppressed

Dest/Mask Next-Hop Med Local-pref Origin Path

--------------------------------------------------------------------------
#^ 8.1.1.0/24 0.0.0.0 0 100 IGP
#^ 10.1.1.0/24 156.10.1.1 0 100 IGP 100

Routes total: 2

# Display the BGP routing table on Switch A.

[SwitchA] display bgp routing

Flags: # - valid ^ - active I - internal

D - damped H - history S - aggregate suppressed
122 CHAPTER 5: ROUTING OVERVIEW

Dest/Mask Next-Hop Med Local-pref Origin Path

--------------------------------------------------------------------------
I 8.1.1.0/24 156.10.1.2 0 100 IGP (1003) 200
#^ 10.1.1.0/24 0.0.0.0 0 100 IGP

Routes total: 2

The above display shows that sub-AS routing information is advertised only within
the confederation. A device in an AS outside of the confederation, such as Switch
E, cannot learn the sub-AS routing information within the confederation because
it treats the confederation as a single AS.

BGP Route Reflector Network requirements

Configuration Example
1 Requirement analysis
BGP runs in a large AS of a company. As the number of IBGP peers increases
rapidly in the AS, more network resources for BGP communication are occupied.
The customer hopes to reduce IBGP peers and decrease CPU and network
resources consumption of BGP without affecting device performance. In addition,
IBGP peers are partially interconnected in the AS.
Based on the requirements and networking environment, configure a BGP route
reflector to achieve the goal.
2 Network diagram
Figure 56 shows the network diagram.

Figure 56 Network diagram for BGP route reflector configuration

Router
Reflector
VLAN-int100

Switch C
Switch A
VLAN -int4
VLAN -int3
VLAN-int2

AS 100
Switch B AS 200 Switch D

Device Interface IP address AS

Switch A Vlan-int 100 1.1.1.1/8 100
Vlan-int 2 192.1.1.1/24
Switch B Vlan-int 2 192.1.1.2/24 200
Vlan-int 3 193.1.1.2/24
Switch C Vlan-int 3 193.1.1.1/24
Vlan-int 4 194.1.1.1/24
Switch D Vlan-int 4 194.1.1.2/24

3 Configuration plan
■ Run EBGP between the peers in AS 100 and AS 200. Advertise network
1.0.0.0/8.
 Configuration Examples 123

■ Run IBGP between the peers in AS 200. Configure a star topology for the AS.
Specify the central device as a route reflector and other devices as clients.

Configuration procedure
1 Configure switch A.
<SwitchA> system-view
[SwitchA] interface Vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.1.1.1 255.255.255.0
[SwitchA-Vlan-interface2] interface Vlan-interface 100
[SwitchA-Vlan-interface100] ip address 1.1.1.1 255.0.0.0
[SwitchA-Vlan-interface100] quit
[SwitchA] bgp 100
[SwitchA-bgp] group ex external
[SwitchA-bgp] peer 192.1.1.2 group ex as-number 200
[SwitchA-bgp] network 1.0.0.0 255.0.0.0
2 Configure Switch B.
# Configure the VLAN interface IP addresses.
<SwitchB> system-view
[SwitchB] interface Vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.1.1.2 255.255.255.0
[SwitchB-Vlan-interface2] quit
[SwitchB] interface Vlan-interface 3
[SwitchB-Vlan-interface3] ip address 193.1.1.2 255.255.255.0
[SwitchB-Vlan-interface3] quit
# Configure BGP peers.
[SwitchB] bgp 200
[SwitchB-bgp] group ex external
[SwitchB-bgp] peer 192.1.1.1 group ex as-number 100
[SwitchB-bgp] group in internal
[SwitchB-bgp] peer 193.1.1.1 group in
3 Configure Switch C.
# Configure the VLAN interface IP addresses.
<SwitchC> system-view
[SwitchC] interface Vlan-interface 3
[SwitchC-Vlan-interface3] ip address 193.1.1.1 255.255.255.0
[SwitchC-Vlan-interface3] quit
[SwitchC] interface vlan-Interface 4
[SwitchC-Vlan-interface4] ip address 194.1.1.1 255.255.255.0
[SwitchC-Vlan-interface4] quit
# Configure BGP peers and configure Switch C as the route reflector.
[SwitchC] bgp 200
[SwitchC-bgp] group rr internal
[SwitchC-bgp] peer rr reflect-client
[SwitchC-bgp] peer 193.1.1.2 group rr
[SwitchC-bgp] peer 194.1.1.2 group rr
4 Configure Switch D.
# Configure the VLAN interface IP address.
<SwitchD> system-view
[SwitchD] interface Vlan-interface 4
124 CHAPTER 5: ROUTING OVERVIEW

[SwitchD-Vlan-interface4] ip address 194.1.1.2 255.255.255.0

[SwitchD-Vlan-interface4] quit
# Configure the BGP peer.
[SwitchD] bgp 200
[SwitchD-bgp] group in internal
[SwitchD-bgp] peer 194.1.1.1 group in

Use the display bgp routing command to display the BGP routing table on
Switch B. Note that Switch B has learned network 1.0.0.0.

Use the display bgp routing command to display the BGP routing table on
Switch D. Note that Switch D has learned network 1.0.0.0.

BGP Path Selection Network requirements

Configuration Example
1 Requirement analysis
A network consists of two ASs, which run BGP to communicate with each other.
OSPF runs in one of them.
The requirement is to control the data forwarding path from AS 200 to AS 100.
The following give two plans to meet the requirement
■ Use the MED attribute to control the forwarding path for packets from AS 200
to AS 100.
■ Use the LOCAL_PREF attribute to control the forwarding path for packets from
AS 200 to AS 100
2 Network diagram
Figure 57 shows the network diagram.

Figure 57 Network diagram for BGP path selection

AS 200

AS 100
VLAN- int4
Vlan -int101 Switch B
VLAN -int2
VLAN-int2

VLAN-int5
VLAN -int3 Switch D
VLAN -int3
Switch A

Switch C
 Configuration Examples 125

Device Interface IP address AS

Switch A Vlan-int 101 1.1.1.1/8 100
Vlan-int 2 192.1.1.1/24
Vlan-int 3 193.1.1.1/24
Switch B Vlan-int 2 192.1.1.2/24 200
Vlan-int 4 194.1.1.2/24
Switch C Vlan-int 3 193.1.1.2/24
Vlan-int 5 195.1.1.2/24
Switch D Vlan-int 4 194.1.1.1/24
Vlan-int 5 195.1.1.1/24

3 Configuration plan
■ Run EBGP between AS 100 and AS 200. Advertise network 1.0.0.0/8.
■ Run OSPF in AS 200 to realize network interconnection.
■ Run IBGP between Switch D and Switch B as well as between Switch D and
Switch C.
■ Apply a routing policy on Switch A to modify the MED attribute of the route to
be advertised to AS 200, making the data forwarding path from Switch D to AS
100 as Switch D - Switch C - Switch A.
■ Apply a routing policy on Switch C to modify the LOCAL_PREF attribute of the
route to be advertised to Switch D, making the data forwarding path from AS
200 to AS 100 as Switch D - Switch C - Switch A.

Configuration procedure
1 Configure Switch A.
# Configure the VLAN interface IP addresses.
<SwitchA> system-view
[SwitchA] interface Vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.1.1.1 255.255.255.0
[SwitchA-Vlan-interface2] quit
[SwitchA] interface Vlan-interface 3
[SwitchA-Vlan-interface3] ip address 193.1.1.1 255.255.255.0
[SwitchA-Vlan-interface3] quit
[SwitchA] interface Vlan-interface 101
[SwitchA-Vlan-interface101] ip address 1.1.1.1 255.0.0.0
[SwitchA-Vlan-interface101] quit
# Enable BGP.
[SwitchA] bgp 100
# Advertise network 1.0.0.0/8.
[SwitchA-bgp] network 1.0.0.0
# Configure BGP peers.
[SwitchA-bgp] group ex192 external
[SwitchA-bgp] peer 192.1.1.2 group ex192 as-number 200
[SwitchA-bgp] group ex193 external
[SwitchA-bgp] peer 193.1.1.2 group ex193 as-number 200
[SwitchA-bgp] quit
# Define ACL 2000 to permit the routes destined for 1.0.0.0/8.
126 CHAPTER 5: ROUTING OVERVIEW

[SwitchA] acl number 2000

[SwitchA-acl-basic-2000] rule permit source 1.0.0.0 0.255.255.255
[SwitchA-acl-basic-2000] rule deny source any
[SwitchA-acl-basic-2000] quit
# Create a routing policy named apply_med_50, and specify node 10 with the
permit matching mode for the routing policy. Set the MED value of the route
matching ACL 2000 to 50.
[SwitchA] route-policy apply_med_50 permit node 10
[SwitchA-route-policy] if-match acl 2000
[SwitchA-route-policy] apply cost 50
[SwitchA-route-policy] quit
# Create a routing policy named apply_med_100, and specify node 10 with the
permit matching mode for the routing policy. Set the MED value of the route
matching ACL 2000 to 100.
[SwitchA] route-policy apply_med_100 permit node 10
[SwitchA-route-policy] if-match acl 2000
[SwitchA-route-policy] apply cost 100
[SwitchA-route-policy] quit
# Apply the routing policy apply_med_50 to routing updates to the peer group
ex193 (the peer 193.1.1.2) and apply_med_100 to routing updates to the peer
group ex192 (the peer 192.1.1.2).
[SwitchA] bgp 100
[SwitchA-bgp] peer ex193 route-policy apply_med_50 export
[SwitchA-bgp] peer ex192 route-policy apply_med_100 export
2 Configure Switch B.
# Configure the VLAN interface IP addresses.
<SwitchB> system-view
[SwitchB] interface vlan 2
[SwitchB-Vlan-interface2] ip address 192.1.1.2 255.255.255.0
[SwitchB-Vlan-interface2] quit
[SwitchB] interface Vlan-interface 4
[SwitchB-Vlan-interface4] ip address 194.1.1.2 255.255.255.0
[SwitchB-Vlan-interface4] quit
# Configure OSPF.
[SwitchB] ospf
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 194.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit
# Enable BGP, create a peer group, and add peers to the peer group.
[SwitchB] bgp 200
[SwitchB-bgp] undo synchronization
[SwitchB-bgp] group ex external
[SwitchB-bgp] peer 192.1.1.1 group ex as-number 100
[SwitchB-bgp] group in internal
[SwitchB-bgp] peer 194.1.1.1 group in
[SwitchB-bgp] peer 195.1.1.2 group in
3 Configure Switch C.
# Configure the VLAN interface IP addresses.
 Configuration Examples 127

<SwitchC> system-view
[SwitchC] interface Vlan-interface 3
[SwitchC-Vlan-interface3] ip address 193.1.1.2 255.255.255.0
[SwitchC-Vlan-interface3] quit
[SwitchC] interface Vlan-interface 5
[SwitchC-Vlan-interface5] ip address 195.1.1.2 255.255.255.0
[SwitchC-Vlan-interface5] quit
# Enable OSPF.
[SwitchC] ospf
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 193.1.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] network 195.1.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit
# Enable BGP, create a peer group, and add peers to the peer group.
[SwitchC] bgp 200
[SwitchC-bgp] undo synchronization
[SwitchC-bgp] group ex external
[SwitchC-bgp] peer 193.1.1.1 group ex as-number 100
[SwitchC-bgp] group in internal
[SwitchC-bgp] peer 195.1.1.1 group in
[SwitchC-bgp] peer 194.1.1.2 group in
4 Configure Switch D.
# Configure the VLAN interface IP addresses.
<SwitchD> system-view
[SwitchD] interface Vlan-interface 4
[SwitchD-Vlan-interface4] ip address 194.1.1.1 255.255.255.0
[SwitchD-Vlan-interface4] quit
[SwitchD] interface Vlan-interface 5
[SwitchD-Vlan-interface5] ip address 195.1.1.1 255.255.255.0
[SwitchD-Vlan-interface5] quit
# Enable OSPF.
[SwitchD] ospf
[SwitchD-ospf-1] area 0
[SwitchD-ospf-1-area-0.0.0.0] network 194.1.1.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.0] network 195.1.1.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.0] network 4.0.0.0 0.255.255.255
[SwitchD-ospf-1-area-0.0.0.0] quit
[SwitchD-ospf-1] quit
# Enable BGP, create a peer group, and add peers to the peer group.
[SwitchD] bgp 200
[SwitchD-bgp] undo synchronization
[SwitchD-bgp] group in internal
[SwitchD-bgp] peer 195.1.1.2 group in
[SwitchD-bgp] peer 194.1.1.2 group in
■ To validate the configuration, you need to use the reset bgp all command on all
the BGP peers.
■ Since the MED attribute of route 1.0.0.0 learned by Switch C is smaller than
that learned by Switch B, Switch D selects the route 1.0.0.0 from Switch C.
 128 CHAPTER 5: ROUTING OVERVIEW

■ If you do not configure MED attribute control on Switch A, setting the local
preference attribute for route 1.0.0.0 on Switch C is another choice.
# Define ACL 2000 to permit the routes destined for 1.0.0.0/8.
[SwitchC] acl number 2000
[SwitchC-acl-basic-2000] rule permit source 1.0.0.0 0.255.255.255
[SwitchC-acl-basic-2000] rule deny source any
[SwitchC-acl-basic-2000] quit
# Create a routing policy named localpref, and specify node 10 with the permit
matching mode for the routing policy. Set the local preference value of the route
matching ACL 2000 to 200
[SwitchC] route-policy localpref permit node 10
[SwitchC-route-policy] if-match acl 2000
[SwitchC-route-policy] apply local-preference 200
[SwitchC-route-policy] quit
# Create a routing policy named localpref, and specify node 20 with the permit
matching mode for the routing policy. Set the local preference value of the route
to 100.
[SwitchC] route-policy localpref permit node 20
[SwitchC-route-policy] apply local-preference 100
[SwitchC-route-policy] quit
# Apply the routing policy localpref to the routing information from the peer
193.1.1.1 (Switch A).
[SwitchC] bgp 200
[SwitchC-bgp] peer 193.1.1.1 route-policy localpref import
Since the local preference (200) of the route learned by Switch C is bigger than
that learned by Switch B (100), Switch D prefers the route 1.0.0.0 from Switch C.
Note that the local preference is not set for route 1.0.0.0 on Switch B, so the route
uses the default value 100.

Comprehensive
Configuration
Example

n ■ For details about routing protocols, see corresponding configuration guide of

products.
■ For details on using specific commands, see the corresponding command
reference guide.
■ The following examples use the Switch 5500 and Switch 5500G.

Network
Requirements

Requirement Analysis, Requirement analysis

Network Diagram and An ISP has four ASs: AS 100, AS 200, AS 300, and AS 400. AS 100 is the core
Configuration Plan layer. It connects AS 200, AS 300, and AS 400 and forwards data between them.
AS 200, AS 300, and AS 400 constitutes the distribution layer. They provide access
services for users. The specific requirements are as follows:
 Network Requirements 129

■ Fast convergence is required for AS 200 and AS 400 because their networks
are quite large and complicated.
■ The network of AS 300 is small and simple. The devices in the network
supports only RIP. Their performances are low and the capacities of routing
tables are quite limited.
■ Access users in AS 200 require a very reliable network.
■ Access users in AS 200, AS 300, and AS 400 are accessible to each other.
■ S200_10 in AS 200 is connected with Layer 2 devices.
■ S300_B in AS 300 is connected with Layer 2 devices.
■ The data forwarding path needs to be controlled when users in AS 400 access
AS 200 and AS 300.
■ An AS 300 access user is interconnected with the ISP through a single link.

Network diagram
Figure 58 shows the network diagram designed according to the requirements.

Figure 58 Network diagram

AS 400

S400 _0

S400
OSPF
EBGP EBGP

AS 100
IBGP
S100 _1 S100 _2

EBGP EBGP

AS 200 EBGP
AS 300
S 200 S300

S200 _0 S 300_A

S200 _10 S300_B

OSPF RIP

Configuration plan
■ Run BGP in AS 100 to interconnect with AS 200, AS 300, and AS 400. Use the
MED attribute to control the forwarding path.
■ Run OSPF in AS 200. The device in AS 200 connecting to AS 100 runs both
OSPF and BGP. Use static routes as backup routes to implement link
redundancy and improve network reliability. Apply a routing policy when
redistributing BGP routes for filtering.
130 CHAPTER 5: ROUTING OVERVIEW

■ Run OSPF in AS 400. The device in AS 400 connecting to AS 100 runs both
OSPF and BGP. Apply a routing policy when redistributing BGP routes for
filtering.
■ Run RIPv2 in AS 300. The device in AS 300 connecting to AS 100 runs both
RIPv2 and BGP. Apply a routing policy when redistributing BGP routes for
filtering.
■ AS 300 users use the combination of static routes, RIP, and routing policy to
access the ISP.
■ Interaction between IGP and BGP is involved in the configuration. Since the
default BGP preference is 256, when backup routes exist in the routing table,
you need to modify the BGP preference in order to select the primary route as
required.

Devices Used for

Table 84 Device model and device name
Networking
Model Device name
7500 S200/S300
5600 S100_1/S100_2/S400
3600 S200_0/S200_10/S300_A/S300_B/
S400_0

n ■ Either Switch 7750 Ethernet switches or Switch 5500Gs Ethernet switches can
serve as S100_1/S100_2/S400/S200/S300.
■ You can use other partially layer 3 capable switches as S300_B.

Routing Protocols and

Table 85 Routing protocols supported by devices
Related Parameters on
Devices Device name Routing protocol Router ID AS
S100_1 BGP (IBGP&EBGP) 1.1.1.1 100
S100_2 BGP (IBGP&EBGP) 1.2.1.1
S200 BGP (EBGP)/OSPF 2.1.1.1 200
S200_0 OSPF -
S200_10 OSPF/STATIC
S300 BGP (EBGP)/RIPv2 3.1.1.1 300
S300_A RIPv2/STATIC -
S300_B RIPv2
S400 BGP (EBGP)/OSPF 4.1.1.1 400
S400_0 OSPF -

Software Version Switch 5500 Release 1510

Switch 5500G Release 1510

Switch 7750 Release 3130

 Configuration Procedure 131

Configuration
Procedure

Configuration Guide
Table 86 Configuration guide

Configuration task Description

“Basic Configuration” on page 131 Create VLANs and configure IP addresses
for VLAN interfaces
“Basic RIPv2/OSPF/BGP Configuration” on page Basic RIPv2/OSPF/BGP configuration
131
“RIP, Static Route, and Routing Policy Using a routing policy, configure RIP to
Configuration Example” on page 137 advertise route updates but does not
receive route updates and use static routing
to access the ISP.
“BGP and IGP Interaction Configuration IGP and BGP share routes. Apply a routing
Example” on page 138 policy for BGP redistribution to IGP as
required
“Route Backup Configuration Example” on page To improve network reliability, run OSPF on
140 the primary link and run static routing on
the backup link to realize interconnection
“BGP MED Attribute Configuration Example” on Apply a routing policy to change the MED
page 141 attribute of routes to control the
forwarding path

Basic Configuration Creating VLANs and configuring IP addresses for VLAN interfaces are omitted
here, refer to “Displaying the Whole Configuration on Devices” on page 145 for
related information.

Basic RIPv2/OSPF/BGP Basic RIPv2 configuration

Configuration Figure 59 shows the relevant network diagram of AS 300.

Figure 59 Network diagram for RIPv2 configuration

EBGP VLAN -int 22

AS 300
EBGP
S300
LAN-int 13

VLAN -int 14

S300 _A

AN -int 665

VLAN-int 662

S300 _B

VLAN-int 623 VLAN -int 624

RIP
132 CHAPTER 5: ROUTING OVERVIEW

Device Interface IP address

S300 Vlan-int 14 206.1.4.2/24
S300_A Vlan-int 14 206.1.4.1/24
Vlan-int 662 166.1.2.1/24
Vlan-int 665 166.1.5.2/24
S300_B Vlan-int 662 166.1.2.2/24
Vlan-int 623 162.1.3.1/24
Vlan-int 624 162.1.4.1/24

■ Configure S300.
# Run RIP on the interface with the IP address 206.1.4.0.
<S300> system-view
[S300] rip
[S300-rip] network 206.1.4.0
# Disable RIPv2 route summarization.
[S300-rip] undo summary
[S300-rip] quit
# Run RIPv2 on VLAN-interface 14.
[S300] interface vlan-interface 14
[S300-Vlan-interface14] rip version 2
[S300-Vlan-interface14] quit
■ Configure S300_A.
# Run RIP on the interfaces on networks 206.1.4.0 and 166.1.0.0.
<S300_A> system-view
[S300_A] rip
[S300_A-rip] network 206.1.4.0
[S300_A-rip] network 166.1.0.0
# Disable RIPv2 route summarization.
[S300_A-rip] undo summary
[S300_A-rip] quit
# Run RIPv2 on VLAN-interface 14 and VLAN-interface 662.
[S300_A] interface vlan-interface 14
[S300_A-Vlan-interface14] rip version 2
[S300_A-Vlan-interface14] quit
[S300_A] interface vlan-interface 662
[S300_A-Vlan-interface662] rip version 2
[S300_A-Vlan-interface662] quit
■ Configure S300_B.
# Run RIP on the interfaces connected to networks 162.1.0.0 and 166.1.0.0.
<S300_B> system-view
[S300_B] rip
[S300_B-rip] network 162.1.0.0
[S300_B-rip] network 166.1.0.0
# Disable RIPv2 route summarization.
[S300_B-rip] undo summary
[S300_B-rip] quit
 Configuration Procedure 133

# Run RIPv2 on VLAN-interface 623, VLAN-interface 624, and VLAN-interface 662.

[S300_B] interface vlan-interface 623
[S300_B-Vlan-interface623] rip version 2
[S300_B-Vlan-interface623] quit
[S300_B] interface vlan-interface 624
[S300_B-Vlan-interface624] rip version 2
[S300_B-Vlan-interface624] quit
[S300_B] interface vlan-interface 662
[S300_B-Vlan-interface662] rip version 2
[S300_B-Vlan-interface662] quit

Basic OSPF configuration

Figure 60 shows the relevant network diagram of AS 200.

Figure 60 Network diagram for OSPF configuration

VLAN- int 11 EBGP

AS 200
S200
VL

VLAN- int 12

S 200_0

VLA

VLAN -int 661

S200_ 10

VLAN-int 621 VLAN -int 622

OSPF

Device Interface IP address Area

S200 Vlan-int 12 206.1.2.3/24 0
S200_0 Vlan-int 12 206.1.2.1/24 0
Vlan-int 661 166.1.1.1/24 10
S200_10 Vlan-int 661 166.1.1.2/24 10
Vlan-int 621 162.1.1.1/24 10
Vlan-int 622 162.1.2.1/24 10

■ Configure S200.
# Run OSPF on the interface connected to network 206.1.2.0/24 and specify its
area ID as 0.
<S200> system-view
[S200] ospf
[S200-ospf-1] area 0
[S200-ospf-1-area-0.0.0.0] network 206.1.2.0 0.0.0.255
■ Configure S200_0.
# Run OSPF on the interface connected to network 206.1.2.0/24 and specify its
area ID as 0.
<S200_0> system-view
[S200_0] ospf
[S200_0-ospf-1] area 0
134 CHAPTER 5: ROUTING OVERVIEW

[S200_0-ospf-1-area-0.0.0.0] network 206.1.2.0 0.0.0.255

[S200_0-ospf-1-area-0.0.0.0] quit
# Run OSPF on the interface connected to network 166.1.1.0/24 and specify its
area ID as 10.
[S200_0-ospf-1] area 10
[S200_0-ospf-1-area-0.0.0.10] network 166.1.1.0 0.0.0.255
■ Configure S200_10.
# Run OSPF on interfaces connected to networks 162.1.1.0/24, 162.1.2.0/24, and
166.1.1.0/24 and specify their area ID as 10.
<S200_10> system-view
[S200_10] ospf
[S200_10-ospf-1] area 10
[S200_10-ospf-1-area-0.0.0.10] network 162.1.1.0 0.0.0.255
[S200_10-ospf-1-area-0.0.0.10] network 162.1.2.0 0.0.0.255
[S200_10-ospf-1-area-0.0.0.10] network 166.1.1.0 0.0.0.255
Figure 61 shows the network diagram of AS 400.

Figure 61 Network diagram for AS 400 configuration

AS 400 VLAN-int 663 VLAN- int 664

S400 _0

VLAN-int 16

S400
OSPF

Device Interface IP address Area

S400 Vlan-int 16 206.1.6.3/24 0
S400_0 Vlan-int 16 206.1.6.1/24 0
Vlan-int 663 166.1.3.1/24 0.0.1.44
Vlan-int 664 166.1.4.1/24 0.0.1.44

■ Configure S400.
# Run OSPF on the interface connected to network 206.1.6.0/24 and specify its
area ID as 0.
<S400> system-view
[S400] ospf
[S400-ospf-1] area 0
[S400-ospf-1-area-0.0.0.0] network 206.1.6.0 0.0.0.255
■ Configure S400_0.
# Run OSPF on the interface connected to network 206.1.6.0/24 and specify its
area ID as 0.
<S400_0> system-view
[S400_0] ospf
[S400_0-ospf-1] area 0
[S400_0-ospf-1-area-0.0.0.0] network 206.1.6.0 0.0.0.255
[S400_0-ospf-1-area-0.0.0.0] quit
# Run OSPF on interfaces connected to networks 166.1.3.0/24 and 166.1.4.0/24
and specify their area ID as 0.0.1.44.
 Configuration Procedure 135

[S400_0-ospf-1] area 0.0.1.44

[S400_0-ospf-1-area-0.0.1.44] network 166.1.3.0 0.0.0.255
[S400_0-ospf-1-area-0.0.1.44] network 166.1.4.0 0.0.0.255

Basic BGP configuration

Figure 62 shows the relevant network diagram.

Figure 62 Network diagram for BGP configuration

6

S400
OSPF
VLAN-int 15 EBGP EBGP VLAN-int 23
AS 100
IBGP
S100 _1 S100_ 2
VLAN -int 31

VLAN- int 11 EBGP EBGP VLAN -int 22

AS 200 AS 300
EBGP
S200 S300
VLAN-int 13

Device Interface IP address Router ID AS

S100_1 Vlan-int 11 196.1.1.1/24 1.1.1.1 100
Vlan-int 15 196.1.3.1/24
Vlan-int 31 196.3.1.1/24
S100_2 Vlan-int 22 196.2.2.1/24 1.2.1.1
Vlan-int 23 196.2.3.2/24
Vlan-int 31 196.3.1.2/24
S200 Vlan-int 11 196.1.1.3/24 2.1.1.1 200
Vlan-int 13 206.1.3.3/24
S300 Vlan-int 22 196.2.2.2/24 3.1.1.1 300
Vlan-int 13 206.1.3.2/24
S400 Vlan-int 15 196.1.3.3/24 4.1.1.1 400
Vlan-int 23 196.2.3.3/24

■ Configure S100_1.
# Configure the router ID of S100_1 as 1.1.1.1.
<S100_1> system-view
[S100_1] router id 1.1.1.1
# Enable BGP and specify the local AS number as 100.
[S100_1] bgp 100
# Create IBGP peer group 100 and EBGP peer groups 200 and 400.
[S100_1-bgp] group 100 internal
[S100_1-bgp] group 200 external
[S100_1-bgp] group 400 external
# Add peer 196.3.1.2 in AS 100 into peer group 100; Add peer 196.1.1.3 in AS
200 into peer group 200; Add peer 196.1.3.3 in AS 400 into peer group 400.
[S100_1-bgp] peer 196.3.1.2 group 100
[S100_1-bgp] peer 196.1.1.3 group 200 as-number 200
[S100_1-bgp] peer 196.1.3.3 group 400 as-number 400
136 CHAPTER 5: ROUTING OVERVIEW

# Advertise networks 196.1.3.0, 196.3.1.0, and 196.1.1.0.

[S100_1-bgp] network 196.1.3.0
[S100_1-bgp] network 196.3.1.0
[S100_1-bgp] network 196.1.1.0
# Set the preferences of EBGP routes, IBGP routes, and local routes to 200.
[S100_1-bgp] preference 200 200 200
■ Configure S100_2.
# Configure the router ID of S200_2 as 1.2.1.1.
<S100_2> system-view
[S100_2] router id 1.2.1.1
# Enable BGP and specify the local AS number as 100.
[S100_2] bgp 100
# Create IBGP peer group 100 and EBGP peer groups 300 and 400.
[S100_2-bgp] group 100 internal
[S100_2-bgp] group 300 external
[S100_2-bgp] group 400 external
# Add peer 196.3.1.1 in AS 100 into peer group 100; Add peer 196.2.2.2 in AS
300 into peer group 300; Add peer 196.2.3.3 in AS 400 into peer group 400.
[S100_2-bgp] peer 196.3.1.1 group 100
[S100_2-bgp] peer 196.2.2.2 group 300 as-number 300
[S100_2-bgp] peer 196.2.3.3 group 400 as-number 400
# Advertise networks 196.2.2.0, 196.2.3.0, and 196.3.1.0.
[S100_2-bgp] network 196.2.2.0
[S100_2-bgp] network 196.2.3.0
[S100_2-bgp] network 196.3.1.0
# Set the preferences of EBGP routes, IBGP routes, and local routes to 200.
[S100_2-bgp] preference 200 200 200
■ Configure S200.
# Configure the router ID of S200 as 2.1.1.1.
<S200> system-view
[S200] router id 2.1.1.1
# Enable BGP and specify the local AS number as 200.
[S200] bgp 200
# Create EBGP peer groups 100 and 300.
[S200-bgp] group 100 external
[S200-bgp] group 300 external
# Add peer 196.1.1.1 in AS 100 into peer group 100; Add peer 206.1.3.2 in AS
300 into peer group 300.
[S200-bgp] peer 196.1.1.1 group 100 as-number 100
[S200-bgp] peer 206.1.3.2 group 300 as-number 300
# Advertise networks 192.1.1.0 and 206.1.3.0.
[S200-bgp] network 192.1.1.0
[S200-bgp] network 206.1.3.0
# Set the preferences of EBGP routes, IBGP routes, and local routes to 200.
 Configuration Procedure 137

[S200-bgp] preference 200 200 200

■ Configure S300.
# Configure the router ID of S300 as 3.1.1.1.
<S300> system-view
[S300] router id 3.1.1.1
# Enable BGP and specify the local AS number as 300.
[S300] bgp 300
# Create EBGP peer groups 100 and 200.
[S300-bgp] group 100 external
[S300-bgp] group 200 external
# Add peer 196.2.2.1 in AS 100 into peer group 100; Add peer 206.1.3.3 in AS
200 into peer group 200.
[S300-bgp] peer 196.2.2.1 group 100 as-number 100
[S300-bgp] peer 206.1.3.3 group 200 as-number 200
# Advertise networks 206.1.3.0 and 196.2.2.0.
[S300-bgp] network 206.1.3.0
[S300-bgp] network 196.2.2.0
# Set the preferences of EBGP routes, IBGP routes, and local routes to 200.
[S300-bgp] preference 200 200 200
■ Configure S400.
# Configure the router ID of S400 as 4.1.1.1.
<S400> system-view
[S400] router id 4.1.1.1
# Enable BGP and specify the local AS number as 400.
[S400] bgp 400
# Create EBGP peer groups 100_1 and 100_2.
[S400-bgp] group 100_1 external
[S400-bgp] group 100_2 external
# Add peer 196.1.3.1 in AS 100 into peer group 100_1; Add peer 196.2.3.2 in AS
100 into peer group 100_2.
[S400-bgp] peer 196.1.3.1 group 100_1 as-number 100
[S400-bgp] peer 196.2.3.2 group 100_2 as-number 100
# Advertise networks 196.1.3.0 and 196.2.3.0.
[S400-bgp] network 196.1.3.0
[S400-bgp] network 196.2.3.0
# Set the preferences of EBGP routes, IBGP routes, and local routes to 200.
[S400-bgp] preference 200 200 200

RIP, Static Route, and Network requirements

Routing Policy As shown in Figure 63, RIPv2 runs on S300_A/S300_B. To control the number of
Configuration Example routes learned by S300_B through RIP, allow S300_B to advertise routes to S300_A
and forbid S300_B to receive routes advertised by S300_A. Packets from S300_B
to S300_A are forwarded through the default route.
138 CHAPTER 5: ROUTING OVERVIEW

Network diagram

Figure 63 Network diagram for RIP, static route, and routing policy configuration

EBGP VLAN -int 22

AS 300
EBGP
S300
LAN-int 13

VLAN -int 14

S300 _A

AN -int 665

VLAN-int 662

S300 _B

VLAN-int 623 VLAN -int 624

RIP

Device Interface IP address

S300_A Vlan-int 662 166.1.2.1/24
S300_B Vlan-int 662 166.1.2.2/24
Vlan-int 623 162.1.3.1/24
Vlan-int 624 162.1.4.1/24

Configuration procedure
# Create ACL 2000 and deny all packets.
<S300_B> system-view
[S300_B] acl number 2000
[S300_B-acl-basic-2000] rule deny source any
[S300_B-acl-basic-2000] quit

# Apply ACL 2000 to incoming RIP routes.

[S300_B] rip
[S300_B-rip] filter-policy 2000 import

# Configure a default route and specify the next-hop IP address as 166.1.2.1.

[S300_B] ip route-static 0.0.0.0 0.0.0.0 166.1.2.1 preference 60

BGP and IGP Interaction Network requirements

Configuration Example As shown in Figure 64, OSPF and BGP run on S400/S200. RIPv2 and BGP run on
S300. To ensure that devices in each AS can learn network topologies of other
ASs, configure interaction between IGP and BGP to share routes. When
redistributing routes from IGP to BGP, apply a routing policy to redistribute routes
with IP prefixes 162.1.1.0/24, 162.1.2.0/24, 162.1.3.0/24, 162.1.4.0/24,
166.1.3.0/24, and 166.1.4.0/24 only.
 Configuration Procedure 139

Network diagram

Figure 64 Network diagram for BGP and IGP interaction

VLAN-int 16

S400
OSPF
VLAN-int 15 EBGP EBGP VLAN-int 23
AS 100
IBGP
S100 _1 S100_ 2
VLAN -int 31

VLAN- int 11 EBGP EBGP VLAN -int 22

AS 200 AS 300
EBGP
S200 S300
VLAN-int 13

VLAN- int 12 VLAN -int 14

Configuration procedure
■ Configure interaction between IGP and BGP on S200.
# Redistribute OSPF routes into BGP.
<S200> system-view
[S200] bgp 200
[S200-bgp] import-route ospf 1
[S200-bgp] quit
# Define a prefix list named ospf_import and permit the routes with IP prefixes
162.1.3.0/24, 162.1.4.0/24, 166.1.3.0/24, or 166.1.4.0/24.
[S200] ip ip-prefix ospf_import index 10 permit 162.1.3.0 24
[S200] ip ip-prefix ospf_import index 20 permit 162.1.4.0 24
[S200] ip ip-prefix ospf_import index 30 permit 166.1.4.0 24
[S200] ip ip-prefix ospf_import index 40 permit 166.1.3.0 24
# Create a routing policy named ospf_import with the match mode as permit.
Define an if-match clause to permit routes whose destination addresses match IP
prefix list ospf_import.
[S200] route-policy ospf_import permit node 10
[S200-route-policy] if-match ip-prefix ospf_import
[S200-route-policy] quit
# Redistribute BGP routes into OSPF and apply routing policy ospf_import.
[S200] ospf
[S200-ospf-1] import-route bgp route-policy ospf_import
■ Configure interaction between IGP and BGP on S300.
# Redistribute RIP routes into BGP.
<S300> system-view
[S300] bgp 300
[S300-bgp] import-route rip
[S300-bgp] quit
# Define a prefix list named rip_import and permit the routes with IP prefixes
162.1.1.0/24, 162.1.2.0/24, 166.1.3.0/24, and 166.1.4.0/24.
[S300] ip ip-prefix rip_import index 10 permit 162.1.1.0 24
[S300] ip ip-prefix rip_import index 20 permit 162.1.2.0 24
[S300] ip ip-prefix rip_import index 30 permit 166.1.3.0 24
[S300] ip ip-prefix rip_import index 40 permit 166.1.4.0 24
140 CHAPTER 5: ROUTING OVERVIEW

# Create a routing policy named rip_import with the matching mode as permit.
Define an if-match clause to permit routes whose destination addresses match IP
prefix list rip_import.
[S300] route-policy rip_import permit node 10
[S300-route-policy] if-match ip-prefix rip_import
[S300-route-policy] quit
# Redistribute BGP routes into RIP and apply routing policy rip_import.
[S300] rip
[S300-rip] import-route bgp route-policy rip_import
■ Configure interaction between IGP and BGP on S400.
# Redistribute OSPF routes into BGP.
<S400> system-view
[S400] bgp 400
[S400-bgp] import-route ospf 1
[S400-bgp] quit
# Define a prefix list named ospf_import and permit the routes with IP prefixes
162.1.1.0/24, 162.1.2.0/24, 162.1.3.0/24, and 162.1.4.0/24.
[S400] ip ip-prefix ospf_import index 10 permit 162.1.1.0 24
[S400] ip ip-prefix ospf_import index 20 permit 162.1.2.0 24
[S400] ip ip-prefix ospf_import index 30 permit 162.1.3.0 24
[S400] ip ip-prefix ospf_import index 40 permit 162.1.4.0 24
# Create a routing policy named ospf_import with the match mode as permit.
Define an if-match clause to permit the routes whose destination addresses match
IP prefix list ospf_import.
[S400] route-policy ospf_import permit node 10
[S400-route-policy] if-match ip-prefix ospf_import
[S400-route-policy] quit
# Redistribute BGP routes into OSPF and apply the routing policy named
ospf_import.
[S400] ospf
[S400-ospf-1] import-route bgp route-policy ospf_import

Route Backup Network requirements

Configuration Example As shown in Figure 65, implement route backup on S200_10. Run OSPF between
S200_10 and S200_0. The OSPF route is the primary route. Configure a default
route between S200_10 and S300_A. This route is the backup route. When the
primary route cannot work, the device switches to the backup route automatically.
When the primary route becomes feasible, the device switches to the primary
route automatically. To achieve the route backup of S200_10, configure a static
route to S200_10 on S300_A and redistribute this route into RIPv2.
 Configuration Procedure 141

Network diagram

Figure 65 Network diagram for route backup

AS 200 AS 300
EBGP
S200 S300
VLAN-int 13

VLAN- int 12 VLAN -int 14

S 200_0 S300 _A

VLAN -int 665

VLAN -int 661 VLAN-int 662

S200_ 10 S300 _B

VLAN-int 621 VLAN -int 622 VLAN-int 623 VLAN -int 624
OSPF RIP

Device Interface IP address AS

S300_A Vlan-int 665 166.1.5.2/24 300
S200_10 Vlan-int 665 166.1.5.1/24 200
Vlan-int 621 162.1.1.1/24
Vlan-int 622 162.1.2.1/24

Configuration procedure
# Configure a default route on S200_10 and specify the next-hop IP address as
166.1.5.2. Set the default preference to 200.
<S200_10> system-view
[S200_10] ip route-static 0.0.0.0 0.0.0.0 166.1.5.2 preference 200

# Configure a static route on S300_A and specify the destination IP addresses as

162.1.1.0/24 and 162.1.2.0/24. Specify the next-hop IP address as 166.1.5.1 and
the default preference to 200.

<S300_A> system-view
[S300_A] ip route-static 162.1.1.0 255.255.255.0 166.1.5.1 preference 200
[S300_A] ip route-static 162.1.2.0 255.255.255.0 166.1.5.1 preference 200

# Redistribute the static route into RIP.

[S300_A] rip
[S300_A-rip] import-route static

BGP MED Attribute Network requirements

Configuration Example As shown in Figure 66, S100_1 forwards packets from S400 to S200_10. S100_2
forwards packets from S400 to S300_B. Modify the MED value to achieve this
goal.
142 CHAPTER 5: ROUTING OVERVIEW

Network diagram

Figure 66 Network diagram for MED attribute configuration

AS 400 VLAN-int 663 VLAN- int 664

S400 _0

VLAN-int 16

S400
OSPF
VLAN-int 15 EBGP EBGP VLAN-int 23

AS 100
IBGP
S100 _1 S100_ 2
VLAN -int 31

VLAN- int 11 EBGP EBGP VLAN -int 22

AS 200 AS 300
EBGP
S200 S300
VLAN-int 13

VLAN- int 12 VLAN -int 14

S 200_0 S300 _A

VLAN -int 665

VLAN -int 661 VLAN-int 662

S200_ 10 S300 _B

VLAN-int 621 VLAN -int 622 VLAN-int 623 VLAN -int 624
OSPF RIP

Device Interface IP address AS

S200_10 Vlan-int 621 162.1.1.1/24 200
Vlan-int 622 162.1.2.1/24
S300_B Vlan-int 623 162.1.3.1/24 300
Vlan-int 624 162.1.4.1/24
S400_0 Vlan-int 663 166.1.3.1/24 400
Vlan-int 664 166.1.4.1/24

Configuration procedure
■ Configure S100_1.
# Define a prefix list named as200_1 and permit the route with IP prefix
162.1.1.0/24.
<S100_1> system-view
[S100_1] ip ip-prefix as200_1 index 10 permit 162.1.1.0 24
# Define a prefix list named as200_2 and permit the route with IP prefix
162.1.2.0/24.
[S100_1] ip ip-prefix as200_2 index 10 permit 162.1.2.0 24
# Define a prefix list named as300_1 and permit the route with IP prefix
162.1.3.0/24.
[S100_1] ip ip-prefix as300_1 index 10 permit 162.1.3.0 24
 Configuration Procedure 143

# Define a prefix list named as300_2 and permit the route with IP prefix
162.1.4.0/24.
[S100_1] ip ip-prefix as300_2 index 10 permit 162.1.4.0 24
# Define a prefix list named other and permit all the routes.
[S100_1] ip ip-prefix other index 10 permit 0.0.0.0 0 less-equal 32
# Create a routing policy named as200, and specify node 10 with the permit
matching mode in the routing policy. Set the MED value of the route matching
prefix list as200_1 to 100.
[S100_1] route-policy as200 permit node 10
[S100_1-route-policy] if-match ip-prefix as200_1
[S100_1-route-policy] apply cost 100
[S100_1-route-policy] quit
# Create node 20 with the matching mode as permit in routing policy as200. Set
the MED value of the route matching prefix list as200_2 to 100
[S100_1] route-policy as200 permit node 20
[S100_1-route-policy] if-match ip-prefix as200_2
[S100_1-route-policy] apply cost 100
[S100_1-route-policy] quit
# Create node 30 with the permit matching mode in routing policy as200. Set the
MED value of the route matching prefix list as300_1 to 200.
[S100_1] route-policy as200 permit node 30
[S100_1-route-policy] if-match ip-prefix as300_1
[S100_1-route-policy] apply cost 200
[S100_1-route-policy] quit
# Create node 40 with the permit matching mode in routing policy as200. Set the
MED value of the route matching prefix list as300_2 to 200.
[S100_1] route-policy as200 permit node 40
[S100_1-route-policy] if-match ip-prefix as300_2
[S100_1-route-policy] apply cost 200
[S100_1-route-policy] quit
# Create node 50 with the permit matching mode in routing policy as200. Permit
all the routes.
[S100_1] route-policy as200 permit node 50
[S100_1-route-policy] if-match ip-prefix other
[S100_1-route-policy] quit
# Apply the routing policy as200 to the routes outgoing to peer group 400 (the
peer 196.1.3.3).
[S100_1] bgp 100
[S100_1-bgp] peer 400 route-policy as200 export
■ Configure S100_2.
# Define a prefix list named as200_1 and permit the route with IP prefix
162.1.1.0/24.
<S100_2> system-view
[S100_2] ip ip-prefix as200_1 index 10 permit 162.1.1.0 24
# Define a prefix list named as200_2 and permit the route with IP prefix
162.1.2.0/24.
[S100_2] ip ip-prefix as200_2 index 10 permit 162.1.2.0 24
144 CHAPTER 5: ROUTING OVERVIEW

# Define a prefix list named as300_1 and permit the route with IP prefix
162.1.3.0/24.
[S100_2] ip ip-prefix as300_1 index 10 permit 162.1.3.0 24
# Define a prefix list named as300_2 and permit the route with IP prefix
162.1.4.0/24.
[S100_2] ip ip-prefix as300_2 index 10 permit 162.1.4.0 24
# Define a prefix list named other and permit all the routes.
[S100_2] ip ip-prefix other index 10 permit 0.0.0.0 0 less-equal 32
# Create a routing policy named as300. Configure the node number as 10 and
the matching mode as permit. Set the MED value of the route matching prefix list
as200_1 to 200.
[S100_2] route-policy as300 permit node 10
[S100_2-route-policy] if-match ip-prefix as200_1
[S100_2-route-policy] apply cost 200
[S100_2-route-policy] quit
# Create node 20 with the permit matching mode in routing policy as300. Set the
MED value of the route matching prefix list as200_2 to 200.
[S100_2] route-policy as300 permit node 20
[S100_2-route-policy] if-match ip-prefix as200_2
[S100_2-route-policy] apply cost 200
[S100_2-route-policy] quit
# Create node 30 with the permit matching mode in routing policy as300. Set the
MED value of the route matching prefix list as300_1 to 100.
[S100_2] route-policy as300 permit node 30
[S100_2-route-policy] if-match ip-prefix as300_1
[S100_2-route-policy] apply cost 100
[S100_2-route-policy] quit
# Create node 40 with the permit matching mode in routing policy as300. Set the
MED value of the route matching prefix list as300_2 to 100.
[S100_2] route-policy as300 permit node 40
[S100_2-route-policy] if-match ip-prefix as300_2
[S100_2-route-policy] apply cost 100
[S100_2-route-policy] quit
# Create node 50 with the permit matching mode in routing policy as300 and
permit all routes.
[S100_2] route-policy as300 permit node 50
[S100_2-route-policy] if-match ip-prefix other
[S100_2-route-policy] quit
# Apply routing policy as300 to the routes outgoing to peer group 400 (peer
196.2.3.3).
[S100_2] bgp 100
[S100_2-bgp] peer 400 route-policy as300 export
 Displaying the Whole Configuration on Devices 145

Displaying the Whole

Configuration on
Devices

Displaying the Whole S100_1

Configuration on <S100_1> display current-configuration
Devices #
sysname S100_1
#
router id 1.1.1.1
#
....
#
vlan 11
#
vlan 15
#
vlan 31
#
interface Vlan-interface11
ip address 196.1.1.1 255.255.255.0
#
interface Vlan-interface15
ip address 196.1.3.1 255.255.255.0
#
interface Vlan-interface31
ip address 196.3.1.1 255.255.255.0
#
...
#
undo fabric-port Cascade1/2/1 enable
undo fabric-port Cascade1/2/2 enable
#
interface NULL0
#
bgp 100
network 196.1.3.0
network 196.3.1.0
network 196.1.1.0
undo synchronization
group 100 internal
peer 196.3.1.2 group 100
group 200 external
peer 196.1.1.3 group 200 as-number 200
group 400 external
peer 400 route-policy as200 export
peer 196.1.3.3 group 400 as-number 400
preference 200 200 200
#
route-policy as200 permit node 10
if-match ip-prefix as200_1
apply cost 100
route-policy as200 permit node 20
if-match ip-prefix as200_2
apply cost 100
route-policy as200 permit node 30
146 CHAPTER 5: ROUTING OVERVIEW

if-match ip-prefix as300_1

apply cost 200
route-policy as200 permit node 40
if-match ip-prefix as300_2
apply cost 200
route-policy as200 permit node 50
if-match ip-prefix other
#
ip ip-prefix as200_1 index 10 permit 162.1.1.0 24
ip ip-prefix as200_2 index 10 permit 162.1.2.0 24
ip ip-prefix as300_1 index 10 permit 162.1.3.0 24
ip ip-prefix as300_2 index 10 permit 162.1.4.0 24
ip ip-prefix other index 10 permit 0.0.0.0 0 less-equal 32
#
...

S100_2
<S100_2> display current-configuration
#
sysname S100_2
#
router id 1.2.1.1
#
......
#
vlan 22
#
vlan 23
#
vlan 31
#
interface Vlan-interface22
ip address 196.2.2.1 255.255.255.0
#
interface Vlan-interface23
ip address 196.2.3.2 255.255.255.0
#
interface Vlan-interface31
ip address 196.3.1.2 255.255.255.0
#
...
#
interface Cascade1/2/1
#
interface Cascade1/2/2
#
undo fabric-port Cascade1/2/1 enable
undo fabric-port Cascade1/2/2 enable
#
interface NULL0
#
bgp 100
network 196.2.2.0
network 196.2.3.0
network 196.3.1.0
undo synchronization
group 100 internal
 Displaying the Whole Configuration on Devices 147

peer 196.3.1.1 group 100

group 300 external
peer 196.2.2.2 group 300 as-number 300
group 400 external
peer 400 route-policy as300 export
peer 196.2.3.3 group 400 as-number 400
preference 200 200 200
#
route-policy as300 permit node 10
if-match ip-prefix as200_1
apply cost 200
route-policy as300 permit node 20
if-match ip-prefix as200_2
apply cost 200
route-policy as300 permit node 30
if-match ip-prefix as300_1
apply cost 100
route-policy as300 permit node 40
if-match ip-prefix as300_2
apply cost 100
route-policy as300 permit node 50
if-match ip-prefix other
#
ip ip-prefix as200_1 index 10 permit 162.1.1.0 24
ip ip-prefix as200_2 index 10 permit 162.1.2.0 24
ip ip-prefix as300_1 index 10 permit 162.1.3.0 24
ip ip-prefix as300_2 index 10 permit 162.1.4.0 24
ip ip-prefix other index 10 permit 0.0.0.0 0 less-equal 32
#
.....

S200
<S200> display current-configuration
#
sysname S200
#
......
#
router id 2.1.1.1
#
...........
#
vlan 11
#
vlan 12
#
vlan 13
#
interface Vlan-interface11
ip address 196.1.1.3 255.255.255.0
#
interface Vlan-interface12
ip address 206.1.2.3 255.255.255.0
#
interface Vlan-interface13
ip address 206.1.3.3 255.255.255.0
#
148 CHAPTER 5: ROUTING OVERVIEW

.......
#
bgp 200
network 192.1.1.0
network 206.1.3.0
import-route ospf 1
undo synchronization
group 100 external
peer 196.1.1.1 group 100 as-number 100
group 300 external
peer 206.1.3.2 group 300 as-number 300
preference 200 200 200
#
ospf 1
import-route bgp route-policy ospf_import
area 0.0.0.0
network 206.1.2.0 0.0.0.255
#
route-policy ospf_import permit node 10
if-match ip-prefix ospf_import
#
ip ip-prefix ospf_import index 10 permit 162.1.3.0 24
ip ip-prefix ospf_import index 20 permit 162.1.4.0 24
ip ip-prefix ospf_import index 30 permit 166.1.4.0 24
ip ip-prefix ospf_import index 40 permit 166.1.3.0 24
#
......

S200_0
<S200_0> display current-configuration
#
sysname S200_0
#
.......
#
vlan 12
#
vlan 661
#
interface Vlan-interface12
ip address 206.1.2.1 255.255.255.0
#
interface Vlan-interface661
ip address 166.1.1.1 255.255.255.0
#
.......
#
ospf 1
area 0.0.0.10
network 166.1.1.0 0.0.0.255
#
area 0.0.0.0
network 206.1.2.0 0.0.0.255
#
..........
 Displaying the Whole Configuration on Devices 149

S200_10
<S200_10> display current-configuration
#
sysname S200_10
#
.......
#
vlan 621 to 622
#
vlan 661
#
vlan 665
#
interface Vlan-interface621
ip address 162.1.1.1 255.255.255.0
#
interface Vlan-interface622
ip address 162.1.2.1 255.255.255.0
#
interface Vlan-interface661
ip address 166.1.1.2 255.255.255.0
#
interface Vlan-interface665
ip address 166.1.5.1 255.255.255.0
#
.........
#
ospf 1
area 0.0.0.10
network 162.1.1.0 0.0.0.255
network 162.1.2.0 0.0.0.255
network 166.1.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 166.1.5.2 preference 200
#
.........

S300
<S300> display current-configuration
#
sysname S300
#
router id 3.1.1.1
#
.....
#
vlan 13
#
vlan 14
#
vlan 22
#
interface Vlan-interface13
ip address 206.1.3.2 255.255.255.0
#
interface Vlan-interface14
ip address 206.1.4.2 255.255.255.0
150 CHAPTER 5: ROUTING OVERVIEW

rip version 2 multicast

#
interface Vlan-interface22
ip address 196.2.2.2 255.255.255.0
#
......
#
bgp 300
network 206.1.3.0
network 196.2.2.0
import-route rip
undo synchronization
group 100 external
peer 196.2.2.1 group 100 as-number 100
group 200 external
peer 206.1.3.3 group 200 as-number 200
preference 200 200 200
#
rip
undo summary
network 206.1.4.0
import-route bgp route-policy rip_import
#
route-policy rip_import permit node 10
if-match ip-prefix rip_import
#
ip ip-prefix rip_import index 10 permit 162.1.1.0 24
ip ip-prefix rip_import index 20 permit 162.1.2.0 24
ip ip-prefix rip_import index 30 permit 166.1.3.0 24
ip ip-prefix rip_import index 40 permit 166.1.4.0 24
#
.........

S300_A
<S300_A> display current-configuration
#
sysname S300_A
#
......
#
vlan 14
#
vlan 662
#
vlan 665
#
interface Vlan-interface14
ip address 206.1.4.1 255.255.255.0
rip version 2 multicast
#
interface Vlan-interface662
ip address 166.1.2.1 255.255.255.0
rip version 2 multicast
#
interface Vlan-interface665
ip address 166.1.5.2 255.255.255.0
#
 Displaying the Whole Configuration on Devices 151

......
#
rip
undo summary
network 206.1.4.0
network 166.1.0.0
import-route static
#
ip route-static 162.1.1.0 255.255.255.0 166.1.5.1 preference 200
ip route-static 162.1.2.0 255.255.255.0 166.1.5.1 preference 200
#
.........

S300_B
<S300_B> display current-configuration
#
sysname S300_B
#
......
#
acl number 2000
rule 5 deny
#
......
#
vlan 623
#
vlan 624
#
vlan 662
#
interface Vlan-interface623
ip address 162.1.3.1 255.255.255.0
rip version 2 multicast
#
interface Vlan-interface624
ip address 162.1.4.1 255.255.255.0
rip version 2 multicast
#
interface Vlan-interface662
ip address 166.1.2.2 255.255.255.0
rip version 2 multicast
#
......
#
rip
undo summary
network 166.1.0.0
network 162.1.0.0
filter-policy 2000 import
#
ip route-static 0.0.0.0 0.0.0.0 166.1.2.1 preference 60
#
......
152 CHAPTER 5: ROUTING OVERVIEW

S400
<S400> display current-configuration
#
sysname S400
#
router id 4.1.1.1
#
......
#
vlan 15 to 16
#
vlan 23
#
interface Vlan-interface15
ip address 196.1.3.3 255.255.255.0
#
interface Vlan-interface16
ip address 206.1.6.3 255.255.255.0
#
interface Vlan-interface23
ip address 196.2.3.3 255.255.255.0
#
......
#
interface Cascade1/2/1
#
interface Cascade1/2/2
#
undo fabric-port Cascade1/2/1 enable
undo fabric-port Cascade1/2/2 enable
#
interface NULL0
#
bgp 400
network 196.1.3.0
network 196.2.3.0
import-route ospf 1
undo synchronization
group 100_1 external
peer 196.1.3.1 group 100_1 as-number 100
group 100_2 external
peer 196.2.3.2 group 100_2 as-number 100
preference 200 200 200
#
ospf 1
import-route bgp route-policy ospf_import
area 0.0.0.0
network 206.1.6.0 0.0.0.255
#
route-policy ospf_import permit node 10
if-match ip-prefix ospf_import
#
ip as-path-acl 1 permit ^100 200$
ip as-path-acl 2 permit ^100 300$
#
ip ip-prefix ospf_import index 10 permit 162.1.1.0 24
ip ip-prefix ospf_import index 20 permit 162.1.2.0 24
 Verifying the Configuration 153

ip ip-prefix ospf_import index 30 permit 162.1.3.0 24

ip ip-prefix ospf_import index 40 permit 162.1.4.0 24
#
.....

S400_0
<S400_0> display current-configuration
#
sysname S400_0
#
.........
#
vlan 16
#
vlan 663 to 664
#
.........
#
interface Vlan-interface16
ip address 206.1.6.1 255.255.255.0
#
interface Vlan-interface663
ip address 166.1.3.1 255.255.255.0
#
interface Vlan-interface664
ip address 166.1.4.1 255.255.255.0
#
.........
#
ospf 1
area 0.0.1.44
network 166.1.3.0 0.0.0.255
network 166.1.4.0 0.0.0.255
#
area 0.0.0.0
network 206.1.6.0 0.0.0.255
#
.........

Verifying the
Configuration

Verifying the <S300_B> display ip routing-table

Configuration of Routing Table: public net
Destination/Mask Protocol Pre Cost Nexthop Interface
Routing Policy and Static 0.0.0.0/0 STATIC 60 0 166.1.2.1 Vlan-interface662
Routes 127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
162.1.3.0/24 DIRECT 0 0 162.1.3.1 Vlan-interface623
162.1.3.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
162.1.4.0/24 DIRECT 0 0 162.1.4.1 Vlan-interface624
162.1.4.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
166.1.2.0/24 DIRECT 0 0 166.1.2.2 Vlan-interface662
166.1.2.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0
<S300_B> tracert -a 162.1.3.1 166.1.4.1
traceroute to 166.1.4.1(166.1.4.1) 30 hops max,40 bytes packet
1 166.1.2.1 18 ms 3 ms 3 ms
154 CHAPTER 5: ROUTING OVERVIEW

2 206.1.4.2 9 ms 4 ms 4 ms
3 196.2.2.1 9 ms 9 ms 18 ms
4 196.2.3.3 6 ms 3 ms 4 ms
5 206.1.6.1 14 ms 4 ms 3 ms

Verifying the BGP and <S400_0> display ip routing-table

IGP Interaction Routing Table: public net
Destination/Mask Protocol Pre Cost Nexthop Interface
Configuration 127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
162.1.1.0/24 O_ASE 150 1 206.1.6.3 Vlan-interface16
162.1.2.0/24 O_ASE 150 1 206.1.6.3 Vlan-interface16
162.1.3.0/24 O_ASE 150 1 206.1.6.3 Vlan-interface16
162.1.4.0/24 O_ASE 150 1 206.1.6.3 Vlan-interface16
166.1.3.0/24 DIRECT 0 0 166.1.3.1 Vlan-interface663
166.1.3.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
166.1.4.0/24 DIRECT 0 0 166.1.4.1 Vlan-interface664
166.1.4.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
192.168.0.0/24 DIRECT 0 0 192.168.0.30 Vlan-interface1
192.168.0.30/32 DIRECT 0 0 127.0.0.1 InLoopBack0
206.1.6.0/24 DIRECT 0 0 206.1.6.1 Vlan-interface16
206.1.6.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
<S300_A> display ip routing-table
Routing Table: public net
Destination/Mask Protocol Pre Cost Nexthop Interface
127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
162.1.1.0/24 RIP 100 1 206.1.4.2 Vlan-interface14
162.1.2.0/24 RIP 100 1 206.1.4.2 Vlan-interface14
162.1.3.0/24 RIP 100 1 166.1.2.2 Vlan-interface662
162.1.4.0/24 RIP 100 1 166.1.2.2 Vlan-interface662
166.1.2.0/24 DIRECT 0 0 166.1.2.1 Vlan-interface662
166.1.2.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
166.1.3.0/24 RIP 100 1 206.1.4.2 Vlan-interface14
166.1.4.0/24 RIP 100 1 206.1.4.2 Vlan-interface14
166.1.5.0/24 DIRECT 0 0 166.1.5.2 Vlan-interface665
166.1.5.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0
206.1.4.0/24 DIRECT 0 0 206.1.4.1 Vlan-interface14
206.1.4.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
<S200_10> display ip routing-table
Routing Table: public net
Destination/Mask Protocol Pre Cost Nexthop Interface
0.0.0.0/0 STATIC 200 0 166.1.5.2 Vlan-interface665
127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
162.1.1.0/24 DIRECT 0 0 162.1.1.1 Vlan-interface621
162.1.1.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
162.1.2.0/24 DIRECT 0 0 162.1.2.1 Vlan-interface622
162.1.2.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
162.1.3.0/24 O_ASE 150 1 166.1.1.1 Vlan-interface661
162.1.4.0/24 O_ASE 150 1 166.1.1.1 Vlan-interface661
166.1.1.0/24 DIRECT 0 0 166.1.1.2 Vlan-interface661
166.1.1.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0
166.1.3.0/24 O_ASE 150 1 166.1.1.1 Vlan-interface661
166.1.4.0/24 O_ASE 150 1 166.1.1.1 Vlan-interface661
166.1.5.0/24 DIRECT 0 0 166.1.5.1 Vlan-interface665
166.1.5.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
206.1.2.0/24 OSPF 10 20 166.1.1.1 Vlan-interface661

Verifying the Route Verify the primary route is installed into the routing table
Backup Configuration <S200_10> display ip routing-table
Routing Table: public net
Destination/Mask Protocol Pre Cost Nexthop Interface
0.0.0.0/0 STATIC 200 0 166.1.5.2 Vlan-interface665
 Verifying the Configuration 155

127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0

127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
162.1.1.0/24 DIRECT 0 0 162.1.1.1 Vlan-interface621
162.1.1.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
162.1.2.0/24 DIRECT 0 0 162.1.2.1 Vlan-interface622
162.1.2.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
162.1.3.0/24 O_ASE 150 1 166.1.1.1 Vlan-interface661
162.1.4.0/24 O_ASE 150 1 166.1.1.1 Vlan-interface661
166.1.1.0/24 DIRECT 0 0 166.1.1.2 Vlan-interface661
166.1.1.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0
166.1.3.0/24 O_ASE 150 1 166.1.1.1 Vlan-interface661
166.1.4.0/24 O_ASE 150 1 166.1.1.1 Vlan-interface661
166.1.5.0/24 DIRECT 0 0 166.1.5.1 Vlan-interface665
166.1.5.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
206.1.2.0/24 OSPF 10 20 166.1.1.1 Vlan-interface661
<S200_10> tracert -a 162.1.1.1 166.1.3.1
traceroute to 166.1.3.1(166.1.3.1) 30 hops max,40 bytes packet
1 166.1.1.1 10 ms 3 ms 3 ms
2 206.1.2.3 13 ms 3 ms 5 ms
3 196.1.1.1 9 ms 3 ms 4 ms
4 196.1.3.3 12 ms 3 ms 3 ms
5 206.1.6.1 14 ms 5 ms 3 ms

Verify the backup route is installed into the routing table after the primary
one fails
<S200_10> display ip routing-table
Routing Table: public net
Destination/Mask Protocol Pre Cost Nexthop Interface
0.0.0.0/0 STATIC 200 0 166.1.5.2 Vlan-interface665
127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
162.1.1.0/24 DIRECT 0 0 162.1.1.1 Vlan-interface621
162.1.1.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
162.1.2.0/24 DIRECT 0 0 162.1.2.1 Vlan-interface622
162.1.2.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
166.1.5.0/24 DIRECT 0 0 166.1.5.1 Vlan-interface665
166.1.5.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
<S200_10> tracert -a 162.1.1.1 166.1.3.1
traceroute to 166.1.3.1(166.1.3.1) 30 hops max,40 bytes packet
1 166.1.5.2 11 ms 3 ms 4 ms
2 206.1.4.2 13 ms 3 ms 4 ms
3 196.2.2.1 13 ms 3 ms 6 ms
4 196.2.3.3 11 ms 3 ms 4 ms
5 206.1.6.1 12 ms 3 ms 4 ms

Verifying the MED Trace the packet forwarding path when the default MED is used
Attribute Configuration <S400_0> tracert -a 166.1.3.1 162.1.1.1
traceroute to 162.1.1.1(162.1.1.1) 30 hops max,40 bytes packet
1 206.1.6.3 11 ms 3 ms 7 ms
2 196.1.3.1 10 ms 3 ms 8 ms
3 196.1.1.3 8 ms 3 ms 3 ms
4 206.1.2.1 13 ms 4 ms 3 ms
5 166.1.1.2 13 ms 4 ms 3 ms
<S400_0> tracert -a 166.1.3.1 162.1.3.1
traceroute to 162.1.3.1(162.1.3.1) 30 hops max,40 bytes packet
1 206.1.6.3 11 ms 3 ms 3 ms
2 196.1.3.1 14 ms 4 ms 5 ms
3 196.3.1.2 10 ms 8 ms 17 ms
4 196.2.2.2 14 ms 3 ms 3 ms
5 206.1.4.1 13 ms 3 ms 3 ms
6 166.1.2.2 13 ms 3 ms 4 ms
 156 CHAPTER 5: ROUTING OVERVIEW

Trace the packet forwarding path after the MED is modified

# Create AS path ACL 1 and permit the routes whose AS_PATH starts with 100
and ends with 200.
[S400] ip as-path-acl 1 permit ^100 200$

# Display the routes that match AS path ACL 1.

<S400> display bgp routing as-path-acl 1

Flags: # - valid ^ - active I - internal

D - damped H - history S - aggregate suppressed
Dest/Mask Next-Hop Med Local-pref Origin Path
----------------------------------------------------------------------
#^ 162.1.1.0/24 196.1.3.1 100 100 INC 100 200
# 162.1.1.0/24 196.2.3.2 200 100 INC 100 200
#^ 162.1.2.0/24 196.1.3.1 100 100 INC 100 200
# 162.1.2.0/24 196.2.3.2 200 100 INC 100 200
#^ 166.1.1.0/24 196.1.3.1 0 100 INC 100 200
# 166.1.1.0/24 196.2.3.2 0 100 INC 100 200
#^ 206.1.3.0 196.1.3.1 0 100 IGP 100 200

# Create AS path ACL 2 and permit the routes whose AS_PATH starts with 100
and ends with 300.

[S400] ip as-path-acl 2 permit ^100 300$

# Display the routes that match AS path ACL 2.

<S400> display bgp routing as-path-acl 2

Flags: # - valid ^ - active I - internal

D - damped H - history S - aggregate suppressed
Dest/Mask Next-Hop Med Local-pref Origin Path
----------------------------------------------------------------------
#^ 162.1.3.0/24 196.2.3.2 100 100 INC 100 300
# 162.1.3.0/24 196.1.3.1 200 100 INC 100 300
#^ 162.1.4.0/24 196.2.3.2 100 100 INC 100 300
# 162.1.4.0/24 196.1.3.1 200 100 INC 100 300
#^ 166.1.2.0/24 196.1.3.1 0 100 INC 100 300
# 166.1.2.0/24 196.2.3.2 0 100 INC 100 300
#^ 166.1.5.0/24 196.1.3.1 0 100 INC 100 300
# 166.1.5.0/24 196.2.3.2 0 100 INC 100 300
# 206.1.3.0 196.2.3.2 0 100 IGP 100 300
<S400_0> tracert -a 166.1.3.1 162.1.1.1
traceroute to 162.1.1.1(162.1.1.1) 30 hops max,40 bytes packet
1 206.1.6.3 9 ms 4 ms 3 ms
2 196.1.3.1 13 ms 4 ms 3 ms
3 196.1.1.3 14 ms 4 ms 3 ms
4 206.1.2.1 12 ms 3 ms 3 ms
5 166.1.1.2 13 ms 4 ms 3 ms
<S400_0> tracert -a 166.1.3.1 162.1.3.1
traceroute to 162.1.3.1(162.1.3.1) 30 hops max,40 bytes packet
1 206.1.6.3 10 ms 4 ms 3 ms
2 196.2.3.2 13 ms 3 ms 5 ms
3 196.2.2.2 12 ms 5 ms 3 ms
4 206.1.4.1 12 ms 4 ms 3 ms
5 166.1.2.2 14 ms 3 ms 5 ms

Precautions In the configuration and verification process, pay attention to the following points:
■ Disable the Fabric function before enabling BGP on Fabric-capable devices.
 Precautions 157

■ To achieve the configuration goal, you are recommended to set the BGP
preference to 200. For devices with static routes configured, set a preference
for the static routes as required.
■ On S300_A, the backup route (static route) cannot be switched to the primary
RIP route automatically, so you need to delete the backup route manually and
then add it again.
■ Since the routing policy is applied when BGP routes are redistributed into IGP,
some route entries may not be redistributed, so you are recommended to use
the tracert -a /ping -a command to verify the configuration in the source
address mode.
158 CHAPTER 5: ROUTING OVERVIEW
 MULTICAST PROTOCOL
6 CONFIGURATION EXAMPLES

Keywords:
IGMP, PIM-DM, PIM-SM, MSDP, IGMP Snooping

Abstract:
This document introduces how to configure multicast functions on Ethernet
switches in practical networking, based on three typical networking scenarios:
1 Deployment of PIM-DM plus IGMP, with and without IGMP Snooping respectively.
Multicast group filtering in IGMP and IGMP Snooping is mainly described for this
scenario.
2 Deployment of PIM-SM plus IGMP, with and without IGMP Snooping respectively.
Simulated joining is mainly described for this scenario.
3 IGMP Snooping only. The function of dropping unknown multicast data is mainly
described for this scenario.

Acronyms:
Internet Group Management Protocol (IGMP), Internet Group Management
Protocol Snooping (IGMP Snooping), Protocol Independent Multicast Dense Mode
(PIM-DM), Protocol Independent Multicast Sparse Mode (PIM-SM), Multicast
Source Discovery Protocol (MSDP)

Multicast Protocol Different from unicast and broadcast, the multicast technique efficiently addresses
Overview the issue of point-to-multipoint data transmission. By allowing high-efficiency
point-to-multipoint data transmission, multicast greatly saves network bandwidth
and reduces network load.

With the multicast technique, service providers can easily provide new
value-added services, such as live Webcasting, Web TV, distance learning,
Telemedicine, Web radio, real-time videoconferencing, and other bandwidth- and
time-critical information services.

IGMP
As a TCP/IP protocol responsible for IP multicast group membership management,
the Internet Group Management Protocol (IGMP) is used by IP hosts to establish
and maintain their multicast group memberships to the immediately neighboring
multicast router.

PIM
Protocol Independent Multicast (PIM) provides IP multicast forwarding by
leveraging unicast routing tables generated by static routing or any unicast routing
protocol, such as the Routing Information Protocol (RIP), Open Shortest Path First
160 CHAPTER 6: MULTICAST PROTOCOL CONFIGURATION EXAMPLES

(OSPF), Intermediate System to Intermediate System (IS-IS), or the Border Gateway

Protocol (BGP). PIM uses the unicast routing table to perform reverse path
forwarding (RPF) check in multicast forwarding.

Based on the forwarding mechanism, PIM falls into two modes:

■ PIM-DM
■ PIM-SM

PIM-DM is a type of dense mode multicast protocol. It uses the “push mode” for
multicast forwarding, suitable for small-sized networks with densely distributed
multicast group members.

PIM-SM is a type of sparse mode multicast protocol. It uses the “pull mode” for
multicast forwarding, suitable for large- and medium-sized networks with sparsely
and widely distributed multicast group members.

IGMP Snooping
Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast
monitoring mechanism that runs on Layer 2 devices to manage and control
multicast groups. By analyzing received IGMP messages, a Layer 2 device running
IGMP Snooping establishes mappings between ports and MAC multicast groups
and forwards multicast data based on these mappings.

MSDP
The Multicast Source Discovery Protocol (MSDP) is an inter-domain multicast
solution for the interconnection of PIM-SM domains. It is used to discover the
multicast source information in other PIM-SM domains.

Within a PIM-SM domain, the multicast source registers only with the local
rendezvous point (RP). Therefore, the RP knows all the sources within its own
domain only. If there is a mechanism that allows RPs of different PIM-SM domains
to share their multicast source information, the information of active sources in
other domains can be delivered to the local receivers, so that multicast data can be
transmitted among different domains. MSDP achieves this objective. By setting up
MSDP peering relationships among RPs of different domains, MSDP propagates
source active (SA) messages, which carry multicast source information, between
these MSDP peers, thus to allow multicast traffic to flow between different
PIM-SM domains.

IGMP Proxy
When a multicast routing protocol (such as PIM-DM) is deployed on a large
network, many stub networks may exist. It is tedious work to configure and
manage these stub networks.

To minimize the workload of such configuration and management without

affecting the multicast connections of the multicast networks, you can configure
IGMP Proxy on a Layer 3 switch in the edge networks, so that the Layer 3 switch
forwards the IGMP join and IGMP leave messages sent by the hosts attached to it.
After the IGMP Proxy configuration, the Layer 3 switch is no longer a PIM neighbor
to the external network; instead, it is a host. The Layer 3 switch receives multicast
data for a multicast group only when a member of that group is directly attached
to it.
 Support of Multicast Features 161

Support of Multicast Multicast features supported by the 3Com series Ethernet switches vary with
Features device models. For details, see the corresponding configuration guide. Table 87
lists the multicast features supported by 3Com series Ethernet switches.
Table 87 Multicast features supported by the 3Com stackable switches

Model\Feature IGMP Snooping IGMP PIM MSDP

Switch 5500 ● ● ● ●
Switch 4500 ● - - -
Switch 5500Gs ● ● ● ●
Switch 4200 ● - - -
Switch 4200G ● - - -
Switch 4210 ● - - -
E352&E328 ● - - -
E126 ● - - -
S3152P ● - - -
E152 ● - - -

Configuration The following configuration guidance describes the configuration of multicast

Guidance features based on the implementations on the Switch 5500Gs Ethernet switches.
For more information, see the corresponding configuration guide.

Configuring IGMP Complete these tasks to configure IGMP Snooping:

Snooping
Configuration task Remarks
“Enabling IGMP Snooping” on page 161 Required
“Configuring IGMP-Snooping timers” on page 161 Optional
“Configuring fast leave processing” on page 162 Optional
“Configuring a multicast group filter” on page 162 Optional
“Configuring the maximum number of multicast groups that can Optional
be joined on a port” on page 163
“Configuring IGMP Snooping querier” on page 163 Optional

Enabling IGMP Snooping

Follow these steps to enable IGMP Snooping:

To... Use the command... Remarks

Enter system view system-view -
Enable IGMP Snooping igmp-snooping enable Required
Disabled by default.
Enter VLAN view vlan vlan-id -
Enable IGMP Snooping igmp-snooping enable Required
Disabled by default.

Configuring IGMP-Snooping timers

Follow these steps to configure IGMP-Snooping timers:
162 CHAPTER 6: MULTICAST PROTOCOL CONFIGURATION EXAMPLES

To... Use the command... Remarks

Enter system view system-view -
Configure an aging timer igmp-snooping Optional
of router port router-aging-time seconds
By default, the router port aging
time is 105 seconds.
Configure a igmp-snooping Optional
response-to-query timer max-response-time seconds
By default, the maximum
response-to-query time is 10
seconds.
Configure an aging timer igmp-snooping Optional
of a member port of a host-aging-time seconds
By default, the aging time of the
multicast group
multicast group member port is
260 seconds.

Configuring fast leave processing

1 Configure fast leave processing in system view

Follow these steps to configure fast leave processing in system view:

To... Use the command... Remarks

Enter system view system-view -
Configure fast leave igmp-snooping fast-leave Required
processing [ vlan vlan-list ]
Disabled by default

2 Configure fast leave in Ethernet port view

Follow these steps to configure fast leave processing in Ethernet port view:

To... Use the command... Remarks

Enter system view system-view -
Enter Ethernet port view interface interface-type -
interface-number
Configure fast leave igmp-snooping fast-leave Required
processing [ vlan vlan-list ]
Disabled by default

Configuring a multicast group filter

1 Configure a multicast group filter in system view

Follow these steps to configure a multicast group filter in system view:

To... Use the command... Remarks

Enter system view system-view -
Configure a multicast group igmp-snooping Required
filter group-policy acl-number
Disabled by default
[ vlan vlan-list ]

2 Configure a multicast group filter in Ethernet port view

Follow these steps to configure a multicast group filter in Ethernet port view:
 Configuration Guidance 163

To... Use the command... Remarks

Enter system view system-view -
Enter Ethernet port view interface interface-type -
interface-number
Configure a multicast group igmp-snooping Required
filter group-policy acl-number
Disabled by default
[ vlan vlan-list ]

Configuring the maximum number of multicast groups that can be joined

on a port
Follow these steps to configure the maximum number of multicast groups that
can be joined on a port:

To... Use the command... Remarks

Enter system view system-view -
Enter Ethernet port view interface interface-type -
interface-number
Configure maximum number igmp-snooping group-limit Required
of multicast groups that can limit [ vlan vlan-list
The system default is 255.
be joined on the port [ overflow-replace ] ]

Configuring IGMP Snooping querier

Follow these steps to configure IGMP Snooping querier:

To... Use the command... Remarks

Enter system view system-view -
Enable IGMP Snooping igmp-snooping enable Required
Disabled by default
Enter VLAN view vlan vlan-id -
Enable IGMP Snooping igmp-snooping enable Required
Disabled by default
Enable IGMP-Snooping igmp-snooping querier Required
querier
Disabled by default
Configure the query interval igmp-snooping Optional
query-interval seconds
The system default is 60
seconds.
Configure a source IP address igmp-snooping Optional
for general query messages general-query source-ip
The system default is 0.0.0.0.
{ current-interface |
ip-address }

Configuring IGMP Complete these tasks to configure IGMP:

Configuration task Remarks

“Enabling IGMP” on page 164 Required
“Configuring IGMP version” on page 164 Optional
“Configuring parameters related to IGMP queries” on page 164 Optional
“Configuring the maximum allowed number of multicast groups” on Optional
page 165
164 CHAPTER 6: MULTICAST PROTOCOL CONFIGURATION EXAMPLES

Configuration task Remarks

“Configuring a multicast group filter” on page 165 Optional
“Configuring simulated joining” on page 166 Optional
“Configuring IGMP proxy” on page 166 Optional
“Removing joined IGMP groups from an interface” on page 167 Optional

Enabling IGMP
Follow these steps to enable IGMP:

To... Use the command... Remarks

Enter system view system-view -
Enable multicast routing multicast routing-enable -
Enter VLAN interface view interface Vlan-interface -
interface-number
Enabling IGMP igmp enable Required
Disabled by default

c CAUTION: The following configurations in this chapter are implemented after

multicast routing is enabled on the device and IGMP is enabled on the
corresponding interface.

Configuring IGMP version

Follow these steps to configure IGMP version:

To... Use the command... Remarks

Enter system view system-view -
Enter VLAN interface view interface Vlan-interface -
interface-number
Configure IGMP version igmp version { 1 | 2 } Required
IGMPv2 by default

c CAUTION: The device cannot switch from one IGMP version to another
automatically. All switches on the same subnet must run the same version of IGMP.

Configuring parameters related to IGMP queries

Follow these steps to configure parameters related to IGMP queries:

To... Use the command... Remarks

Enter system view system-view -
Enter VLAN interface view interface Vlan-interface -
interface-number
Configure IGMP query interval igmp timer query seconds Optional
The system default is 60
seconds.
Configure the IGMP last igmp Optional
member query interval lastmember-queryinterval
The system default is 1
seconds
second.
 Configuration Guidance 165

To... Use the command... Remarks

Configure the IGMP last igmp robust-count Optional
member query count robust-value
The system default is two.
Configure the IGMP other igmp timer Optional
querier present interval other-querier-present
The system default is 120
seconds
seconds, twice the interval
specified by the igmp timer
query command.
Configure the maximum igmp max-response-time Optional
response time seconds
The system default is 10
seconds.

Configuring the maximum allowed number of multicast groups

Follow these steps to configure the maximum number of multicast groups allowed
to be joined on an interface:

To... Use the command... Remarks

Enter system view system-view -
Enter VLAN interface view interface Vlan-interface -
interface-number
Configure the maximum igmp group-limit limit Required
number of multicast groups
The system default is 256.
allowed on the interface

c CAUTION: If you configure the maximum number of multicast groups allowed on

an interface to 1, a new group joined on the interface automatically supersedes
the existing one.

If the number of existing multicast groups is larger than the limit configured on
the interface, the system will remove the oldest entries automatically until the
number of multicast groups on the interface conforms to the configured limit.

Configuring a multicast group filter

1 Configure a multicast group filter in VLAN interface view

Follow these steps to configure a multicast group filter in VLAN interface view:

To... Use the command... Remarks

Enter system view system-view -
Enter VLAN interface view interface Vlan-interface -
interface-number
Configure a multicast group igmp group-policy acl-number [ 1 | 2 | Optional
filter port interface-type interface-number
No filter is
[ to interface-type interface-number ] ]
configured by
default.

2 Configuring a multicast group filter in Ethernet port view

Follow these steps to configure a multicast group filter in Ethernet port view:
166 CHAPTER 6: MULTICAST PROTOCOL CONFIGURATION EXAMPLES

To... Use the command... Remarks

Enter system view system-view -
Enter Ethernet port view interface interface-type -
interface-number
Configure a multicast igmp group-policy Optional
group filter acl-number vlan vlan-id
No multicast group filter is configured
by default. The port must belong to
the specified VLAN.

Configuring simulated joining

1 Configure simulated joining in VLAN interface view

Follow these steps to configure simulated joining in VLAN interface view:

To... Use the command... Remarks

Enter system view system-view -
Enter VLAN interface view interface Vlan-interface -
interface-number
Configure simulated joining igmp host-join Optional
group-address port
Disabled by default
interface-list

2 Configure simulated joining in Ethernet port view

Follow these steps to configure simulated joining in VLAN interface view:

To... Use the command... Remarks

Enter system view system-view -
Enter Ethernet port view interface interface-type -
interface-number
Configure simulated joining igmp host-join Optional
group-address vlan vlan-id
Disabled by default

c CAUTION: Before configuring simulated joining, you must enable IGMP in VLAN
interface view.

If you configure a port as a simulated host in Ethernet port view, the Ethernet port
must belong to the specified VLAN; otherwise the configuration does not take
effect.

Configuring IGMP proxy

Follow these steps to configure IGMP proxy:

To... Use the command... Remarks

Enter system view system-view -
Enable multicast routing multicast routing-enable Required
Enter VLAN interface view interface Vlan-interface -
interface-number
Enable IGMP igmp enable Required
 Configuration Guidance 167

To... Use the command... Remarks

Configure IGMP proxy igmp proxy Vlan-interface Required
interface-number
Disabled by default

c CAUTION:
■ You must enable PIM on the interface before configuring the igmp proxy
command. Otherwise, the IGMP proxy feature does not take effect.
■ One interface cannot serve as the proxy interface for two or more interfaces.
■ When you configure the IP address of the interface that will serve as an IGMP
proxy, make sure that the IP address is not the lowest on this subnet to prevent
this interface from being elected as the IGMP querier on the subnet, as this will
result in failure of multicast data forwarding.

Removing joined IGMP groups from an interface

Follow these steps to remove joined IGMP groups from an interface:

To... Use the command... Remarks

Remove the specified group reset igmp group { all | The reset command available
or all groups from the interface interface-type in user view.
specified interface or all interface-number { all |
interfaces group-address
[ group-mask ] } }

c CAUTION: After a multicast group is removed from an interface, hosts attached

to interface can join the multicast group again.

Configuring PIM Configuring PIM-DM

Follow these steps to configure PIM-DM:

To... Use the command... Remarks

Enter system view system-view -
Enable multicast routing multicast routing-enable Required
Disabled by default
Enter PIM view pim -
Configure a multicast source source-policy acl-number Optional
or multicast source-group
You can define the related IP
filter
addresses in an ACL.
Enter VLAN interface view interface Vlan-interface -
interface-number
Enable PIM-DM pim dm Required
Configure the hello interval pim timer hello seconds Optional
on the interface
The system default is 30
seconds.
Configure a limit on the pim neighbor-limit limit Optional
number of PIM neighbors on
The default value is 128.
the interface
168 CHAPTER 6: MULTICAST PROTOCOL CONFIGURATION EXAMPLES

To... Use the command... Remarks

Configure the filtering policy pim neighbor-policy Optional
for PIM neighbors acl-number
You can define the related IP
addresses in an ACL.
Disabled by default

Configuring PIM-SM
Follow these steps to configure PIM-SM:

To... Use the command... Remarks

Enter system view system-view -
Enable multicast routing multicast routing-enable Required
Disabled by default
Enter PIM view pim -
Configure a multicast source source-policy acl-number Optional
or multicast source-group
You can define the related IP
filter
addresses in an ACL.
Configure a C-BSR c-bsr interface-type Optional
interface-number
By default, no C-BSR is
hash-mask-len [ priority ]
configured. The default
priority is 0.
Configure a C-RP c-rp interface-type Optional
interface-number
By default, no C-RP is
[ group-policy acl-number |
configured. The default
priority priority ]*
priority is 0.
Configure a static RP static-rp rp-address Optional
[ acl-number ]
No static RP is configured by
default.
Configure a legal BSR address bsr-policy acl-number Optional
range
No legal BSR address range is
configured by default.
Configure a legal C-RP crp-policy acl-number Optional
address range
You can define the related IP
address ranges in an ACL.
No legal C-RP address range is
configured by default.
Configure to filter the register register-policy acl-number Optional
messages from RP to DR
You can define the related IP
addresses in an ACL.
Disabled by default.
Disable RPT-to-SPT switchover spt-switch-threshold Optional
infinity [ group-policy
By default, the device
acl-number [ order
switches to the SPT
order-value ] ]
immediately after it receives
the first multicast packet from
the RPT.
Enter VLAN interface view interface Vlan-interface -
interface-number
Enable PIM-SM pim sm Required
 Configuration Guidance 169

To... Use the command... Remarks

Configuring a PIM-SM pim bsr-boundary Optional
domain boundary
By default, no PIM-SM
domain boundary is
configured
Configure the hello interval pim timer hello seconds Optional
on the interface
The system default is 30
seconds.
Configure the maximum pim neighbor-limit limit Optional
number of PIM neighbors
The default value is 128.
allowed on the interface
Configure the filtering policy pim neighbor-policy Optional
for PIM neighbors acl-number
You can define the related IP
addresses in an ACL.
Disabled by default

Configuring MSDP Configuring MSDP basic functions

Follow these steps to configure MSDP basic functions:

To... Use the command... Remarks

Enter system view system-view -
Enable MSDP and enter msdp Required
MSDP view
Create an MSDP peer peer peer-address Required
connection connect-interface
You need to configure related
interface-type
parameters on both devices between
interface-number
which the peer connection is to be
created. The peer ID is an address pair
(the IP address of the local interface and
the IP address of the remote MSDP
peer).
Configure a static RPF static-rpf-peer Optional
peer peer-address [ rp-policy
For an area with only one MSDP peer, if
ip-prefix-name ]
BGP or MBGP is not running, you need
to configure a static RPF peer.

Configuring MSDP peer connections

Complete these tasks to configure connection between MSDP peers:

Configuration task Remarks

“Configure description information for MSDP peers” on page 169 Required
“Configure an MSDP mesh group” on page 170 Optional
“Configure MSDP peer connection control” on page 170 Optional

1 Configure description information for MSDP peers

Follow these steps to configure description information of an MSDP peer:

To... Use the command... Remarks

Enter system view system-view -
170 CHAPTER 6: MULTICAST PROTOCOL CONFIGURATION EXAMPLES

To... Use the command... Remarks

Enter MSDP view msdp -
Configure description peer peer-address Optional
information for an MSDP description text
No description information is
peer
configured for MSDP peers by
default.

2 Configure an MSDP mesh group

Follow these steps to configure an MSDP mesh group:

To... Use the command... Remarks

Enter system view system-view -
Enter MSDP view msdp -
Add an MSDP peer in a peer peer-address Required
mesh group mesh-group name
An MSDP peer does not belong to any
mesh group by default.

n ■ Before grouping multiple routers into an MSDP mesh group, make sure that
these routers are interconnected with one another.
■ To add different MSDP peers into an MSDP mesh group, configure the same
mesh group name on them.
■ An MSDP peer can belong to only one mesh group. A newly configured mesh
group name supersedes the existing one.
3 Configure MSDP peer connection control

Follow these steps to configure MSDP peer connection control:

To... Use the command... Remarks

Enter system view system-view -
Enter MSDP view msdp -
Shut down an MSDP peer shutdown peer-address Optional
By default, MSDP peers are
connected.
Configure the MSDP peer timer retry seconds Optional
connection retry period
The system default is 30
seconds.

Configuring SA message delivery

Complete these tasks to configure SA message delivery:
 Configuration Guidance 171

Configuration task Remarks

“Configure the RP address in SA messages” on page 171 Optional
“Configure the SA message cache” on page 171 Optional
“Configure SA message transmission and filtering” on page 171 Optional
“Configure a rule for filtering multicast sources in SA messages” on page Optional
172
“Configure a filtering rule for receiving or forwarding SA messages” on Optional
page 172

1 Configure the RP address in SA messages

Follow these steps to configure the RP address in SA messages:

To... Use the command... Remarks

Enter system view system-view -
Enter MSDP view msdp -
Configure the RP address originating-rp Optional
in SA messages interface-type
By default, the RP address in an SA
interface-number
message is the PIM RP address.

n In Anycast RP application, C-BSR and C-RP must be configured on different devices

or ports.
2 Configure the SA message cache

Follow these steps to configure the SA message cache:

To... Use the command... Remarks

Enter system view system-view -
Enter MSDP view msdp -
Enable the SA message cache cache-sa-enable Optional
mechanism
Enabled by default
Configure the maximum peer peer-address Optional
number of SA messages the sa-cache-maximum sa-limit
The system default is 2048.
router can cache

3 Configure SA message transmission and filtering

Follow these steps to configure SA message transmission and filtering:

To... Use the command... Remarks

Enter system view system-view -
Enter MSDP view msdp -
Enable the SA message cache cache-sa-enable Optional
mechanism
After receiving an SA message, a
router caches SA state by default.
172 CHAPTER 6: MULTICAST PROTOCOL CONFIGURATION EXAMPLES

To... Use the command... Remarks

Enable the router to send SA peer peer-address Optional
requests to the designated request-sa-enable
By default, upon receiving a new
MSDP peer
Join message, a router does not
send an SA request message to its
designated MSDP peer; instead it
waits for the next SA message.
Configure a filtering rule for peer peer-address Optional
SA requests from the sa-request-policy [ acl
Be default, a router receives all SA
specified MSDP peer acl-number ]
request messages from its MSDP
peer.

4 Configure a rule for filtering multicast sources in SA messages

Follow these steps to configure a rule for filtering the multicast sources of SA
messages:

To... Use the command... Remarks

Enter system view system-view -
Enter MSDP view msdp -
Configure multicast source import-source [ acl Optional
filtering at SA message acl-number ]
By default, SA messages
creation
advertise all the (S, G) entries
in the domain.

5 Configure a filtering rule for receiving or forwarding SA messages

Follow these steps to configure a filtering rule for receiving or forwarding SA

messages:

To... Use the command... Remarks

Enter system view system-view -
Enter MSDP view msdp -
Configure a filtering rule for peer peer-address sa-policy Optional
receiving or forwarding SA { import | export } [ acl
By default, no filtering rule is
messages acl-number ]
configured for receiving or
forwarding SA messages,
namely, all SA messages from
MSDP peers will be accepted
or forwarded.
Configure the minimum TTL peer peer-address Optional
required for an minimum-ttl ttl-value
The system default is 0.
SA-encapsulated multicast
packet to be forwarded to the
specified MSDP peer
 PIM-DM plus IGMP plus IGMP Snooping Configuration Example 173

PIM-DM plus IGMP

plus IGMP Snooping
Configuration
Example

Requirement Analysis When users receive voice on demand (VOD) information through multicast, the
information receiving mode may vary based on user requirements:
1 To avoid video broadcast at Layer 2, IGMP Snooping is enabled on Switch E,
through which Host A and Host B receive the multicast data.
2 To ensure reliable and stable reception of multicast data, Switch B and Switch C
provide uplink backup for the directly attached stub network N1, which comprises
multicast receivers Host C and Host D.
3 All the Layer 3 switches run RIP for unicast routing and run PIM-DM for multicast
routing.

Configuration Plan
1 Switch D connects to the network that comprises the multicast source (Source)
through VLAN-interface 300.
2 Switch A connects to Switch E through VLAN-interface 100, and to Switch D
through VLAN-interface 103.
3 Switch B and Switch C connect to stub network N1 through their respective
VLAN-interface 200, and to Switch D through VLAN-interface 101 and
VLAN-interface 102 respectively.
4 Enable IGMPv2 on VLAN-interface 100 of Switch A. Enable IGMP Snooping on
Switch E and in VLAN 100. Run IGMPv2 on Switch B, Switch C, and the hosts in
stub network N1. Typically, Switch B acts as the IGMP querier.
 174 CHAPTER 6: MULTICAST PROTOCOL CONFIGURATION EXAMPLES

Network Diagram Figure 67 Network diagram for PIM-DM plus IGMP plus IGMP Snooping configuration

Receiver

Switch A
Host A
Vlan100
Vlan-int100

03
Switch E

t1
- in
an
03
Vl
t1
-in
an
Host B

N1
Vl
Ethernet Vlan-int300 Vlan
IGMP querier
-int1
Source
01 Receiver
Vlan Vlan-int200
-int1
Switch D 01

Vl
an

Ethernet
-
in
t1

Vl
02
Switch B

an
-
Host C

in
t1
10.110.5.100/24

02
Vlan-int200
PIM-DM

Switch C
Host D

Device Interface IP address Ports

Switch A Vlan-int100 10.110.1.1/24 Ethernet1/0/1
Vlan-int103 192.168.1.1/24 Ethernet1/0/2
Switch B Vlan-int200 10.110.2.1/24 Ethernet1/0/1
Vlan-int101 192.168.2.1/24 Ethernet1/0/2
Switch C Vlan-int200 10.110.2.2/24 Ethernet1/0/1
Vlan-int102 192.168.3.1/24 Ethernet1/0/2
Switch D Vlan-int300 10.110.5.1/24 Ethernet1/0/1
Vlan-int103 192.168.1.2/24 Ethernet1/0/2
Vlan-int101 192.168.2.2/24 Ethernet1/0/3
Vlan-int102 192.168.3.2/24 Ethernet1/0/4
Switch E Vlan 100 - Ethernet1/0/1,
Ethernet1/0/2,
Ethernet1/0/3

Configuration Procedure Configuring VLANs, VLAN interfaces and IP addresses on each switch
# Configure VLANs, VLAN interfaces, and their IP addresses on Switch A.
<SwitchA> system-view
System View: return to User View with Ctrl+Z.
[SwitchA] vlan 100
[SwitchA-vlan100] port Ethernet 1/0/1
[SwitchA-vlan100] quit
[SwitchA] vlan 103
[SwitchA-vlan103] port Ethernet 1/0/2
[SwitchA-vlan103] quit
[SwitchA] interface Vlan-interface 100
[SwitchA-Vlan-interface100] ip address 10.110.1.1 24
 PIM-DM plus IGMP plus IGMP Snooping Configuration Example 175

[SwitchA-Vlan-interface100] quit
[SwitchA] interface Vlan-interface 103
[SwitchA-Vlan-interface103] ip address 192.168.1.1 24
[SwitchA-Vlan-interface103] quit

Configure VLANs, VLAN interfaces, and their IP addresses on other switches as per
Figure 67. The detailed configuration steps are omitted here.

Configuring the unicast routing protocol

# Enable RIP on Switch A, and then enable RIP on subnets 192.168.1.0 and
10.110.1.0.
<SwitchA> system-view
[SwitchA] rip
[SwitchA- rip] network 192.168.1.0
[SwitchA- rip] network 10.110.1.0
[SwitchA- rip] quit

The configuration on Switch B, Switch C, and Switch D is similar to the

configuration on Switch A.

Configuring the multicast protocols

# Enable IP multicast routing on Switch A, enable PIM-DM on each interface, and
then enable IGMPv2 on VLAN-interface 100.
<SwitchA> system-view
[SwitchA] multicast routing-enable
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] igmp enable
[SwitchA-Vlan-interface100] pim dm
[SwitchA-Vlan-interface100] quit
[SwitchA] interface vlan-interface 103
[SwitchA-Vlan-interface103] pim dm
[SwitchA-Vlan-interface103] quit

The configuration on Switch B and Switch C is similar to the configuration on

Switch A.

# Enable multicast routing on Switch D, and enable PIM-DM on each interface.

<SwitchD> system-view
[SwitchD] multicast routing-enable
[SwitchD] interface vlan-interface 300
[SwitchD-Vlan-interface300] pim dm
[SwitchD-Vlan-interface300] quit
[SwitchD] interface vlan-interface 103
[SwitchD-Vlan-interface103] pim dm
[SwitchD-Vlan-interface103] quit
[SwitchD] interface vlan-interface 101
[SwitchD-Vlan-interface101] pim dm
[SwitchD-Vlan-interface101] quit
[SwitchD] interface vlan-interface 102
[SwitchD-Vlan-interface102] pim dm
[SwitchD-Vlan-interface102] quit

# Enable IGMP Snooping on Switch E, and enable IGMP Snooping in VLAN 100.
176 CHAPTER 6: MULTICAST PROTOCOL CONFIGURATION EXAMPLES

<SwitchE> system-view
[SwitchE] igmp-snooping enable
Enable IGMP-Snooping ok.
[SwitchE] vlan 100
[SwitchE-vlan100] igmp-snooping enable
[SwitchE-vlan100] quit

Verifying the configuration

Now start sending multicast data to multicast group 224.1.1.1 from Source and
start receiving the multicast data on Host A, and take the following steps to verify
the configurations made on the switches.
1 Check whether the multicast stream can flow to Host A.

# View the PIM neighboring relationships on Switch D.

<SwitchD> display pim neighbor

Neighbor’s Address Interface Name Uptime Expires
192.168.2.1 Vlan-interface101 02:45:04 00:04:46
192.168.3.1 Vlan-interface102 02:42:24 00:04:45
192.168.1.1 Vlan-interface103 02:43:44 00:05:44

# View the multicast forwarding table of Switch D.

<SwitchD>display multicast forwarding-table

Multicast Forwarding Cache Table
Total 1 entries: 0 entry created by IP, 1 entries created by protocol

00001. (10.110.5.110, 224.1.1.1), iif Vlan-interface1, 1 oifs,

Protocol Create
List of outgoing interface:
01: Vlan-interface101
Matched 181 pkts(271500 bytes), Wrong If 0 pkts
Forwarded 130 pkts(195000 bytes)

Total 1 entries Listed

# View the multicast forwarding table of Switch A.

<SwitchA>display multicast forwarding-table

Multicast Forwarding Cache Table
Total 1 entry: 0 entry created by IP, 1 entry created by protocol

00001. (10.110.5.110, 224.1.1.1), iif Vlan-interface101, 1 oifs,

Protocol Create
List of outgoing interface:
01: Vlan-interface100
Matched 451 pkts(676500 bytes), Wrong If 0 pkts
Forwarded 451 pkts(676500 bytes)

Total 1 entry Listed

Matched 1 entry

# View the multicast group information that contains port information on Switch
A.

<SwitchA> display mpm group

Total 1 IP Group(s).
Total 1 MAC Group(s).
 PIM-DM plus IGMP plus IGMP Snooping Configuration Example 177

Vlan(id):101.
Total 0 IP Group(s).
Total 0 MAC Group(s).
Router port(s):Ethernet1/0/2
Vlan(id):200.
Total 1 IP Group(s).
Total 1 MAC Group(s).
Router port(s):
IP group(s):the following ip group(s) match to one mac group.
IP group address:224.1.1.1
Host port(s):Ethernet1/0/15
MAC group(s):
MAC group address:0100-5e01-0101
Host port(s):Ethernet1/0/15

# View the information about the multicast group entries created by IGMP
Snooping on Switch E.

<SwitchE> display igmp-snooping group

Total 1 IP Group(s).
Total 1 MAC Group(s).

Vlan(id):100.
Total 1 IP Group(s).
Total 1 MAC Group(s).
Router port(s):Ethernet1/0/2
IP group(s):the following ip group(s) match to one mac group.
IP group address:224.1.1.1
Host port(s):Ethernet1/0/19
MAC group(s):
MAC group address:0100-5e01-0101
Host port(s):Ethernet1/0/19

The above-mentioned information shows that multicast forwarding entries have

been correctly established on Switch D and Switch A, and multicast traffic can
successfully flow to Host A.

2 Configure IGMP Snooping multicast group filtering on Switch E

# Configure to filter the packets for the multicast group 224.1.1.1 on Switch E.

<SwitchE> system-view
[SwitchE-acl-basic-2000] rule deny source 224.1.1.1 0
[SwitchE-acl-basic-2000] rule permit source any
[SwitchE-acl-basic-2000] quit
[SwitchE]igmp-snooping group-policy 2000 vlan 100

# View multicast forwarding entries on Switch A.

<SwitchA> display multicast forwarding-table

Multicast Forwarding Cache Table
Total 1 entry: 0 entry created by IP, 1 entry created by protocol

00001. (10.110.5.100, 224.1.1.1), iif Vlan-interface101, 0 oifs,

Protocol Create
Matched 5 pkts(7500 bytes), Wrong If 0 pkts
178 CHAPTER 6: MULTICAST PROTOCOL CONFIGURATION EXAMPLES

Forwarded 0 pkts(0 bytes)

Total 1 entry Listed

As shown above, Switch A has stopped forwarding multicast data for the
multicast group 224.1.1.1.

# View multicast group information on Switch E.

<SwitchE> display igmp-snooping group

Total 0 IP Group(s).
Total 0 MAC Group(s).

Vlan(id):200.
Total 0 IP Group(s).
Total 0 MAC Group(s).
Router port(s):Ethernet1/0/19

With multicast group filtering enabled, the corresponding ports drop IGMP reports
for the filtered group and will be removed for that group when their respective
port aging timer expires.

3 Configure IGMP multicast group filtering on Switch A.

# Disable multicast group filtering on Switch E.

<SwitchE> system-view
[SwitchE] undo igmp-snooping group-policy

n To verify the configuration of IGMP multicast group filtering on Switch A, disable

IGMP Snooping multicast group filtering on Switch E first.

Configure to filter the multicast group 224.1.1.1 on VLAN-interface 100 of Switch

A, and then display the multicast forwarding entries of Switch A.

# Configure to filter the multicast group 224.1.1.1 on VLAN-interface 100 of

Switch A.

<SwitchA> system-view
[SwitchA] acl number 2000
[SwitchA-acl-basic-2000] rule deny source 224.1.1.1 0
[SwitchA-acl-basic-2000] rule permit source any
[SwitchA-acl-basic-2000] quit
[SwitchA] interface Vlan-interface 100
[SwitchA-Vlan-interface100] igmp group-policy 2000
[SwitchA-Vlan-interface100] return

# View multicast forwarding entries on Switch A.

<SwitchA> display multicast forwarding-table

Multicast Forwarding Cache Table
Total 1 entry: 0 entry created by IP, 1 entry created by protocol

00001. (10.110.5.100, 224.1.1.1), iif Vlan-interface101, 0 oifs,

Protocol Create
Matched 5 pkts(7500 bytes), Wrong If 0 pkts
Forwarded 0 pkts(0 bytes)
 PIM-SM plus IGMP plus IGMP Snooping Configuration Examples 179

Total 1 entry Listed

# View multicast group information on Switch A.

<SwitchA> display igmp group

Total 0 IGMP groups reported on this router

After multicast group filtering is enabled, the corresponding port cannot receive
IGMP reports. Thus, the corresponding multicast groups are deleted after the port
aging timer expires.

n As shown above, IGMP Snooping multicast group filtering has the same function
as IGMP multicast group filtering. You can use either approach based on the
specific situation.

PIM-SM plus IGMP

plus IGMP Snooping
Configuration
Examples

Requirement Analysis When users receive VOD information through multicast, the information receiving
mode may vary based on user requirements:
1 To avoid broadcasting of the video information at Layer 2, IGMP Snooping is
enabled on Switch E, through which Host A and Host B receive the multicast data.
2 To ensure reliable and stable reception of multicast data, Switch B and Switch C
provide uplink backup for the directly attached stub network N1, which comprises
multicast receivers Host C and Host D.
3 Configure the PIM-SM domain as a single-BSR domain. Run OSPF for unicast
routing in the domain.

Configuration Plan
1 Switch D connects to the network that comprises the multicast source (Source)
through VLAN-interface 300.
2 Switch A connects to Switch F through VLAN-interface 100, and to Switch D and
Switch E through VLAN-interface 101 and VLAN-interface 102 respectively.
3 Switch B and Switch C connect to stub network N1 through their respective
VLAN-interface 200, and to Switch E through VLAN-interface 103 and
VLAN-interface 104 respectively.
4 It is required that VLAN-interface 105 of Switch D and VLAN-interface 102 of
Switch E act as C-BSR and C-RP.
5 IGMPv2 is required on VLAN-interface 100 of Switch A. IGMP Snooping is required
on Switch F and in VLAN 100. IGMPv2 is also required between Switch B, Switch
C, and stub network N1. Typically, Switch B acts as the querier.
 180 CHAPTER 6: MULTICAST PROTOCOL CONFIGURATION EXAMPLES

Network Diagram Figure 68 Network diagram for PIM-SM plus IGMP plus IGMP Snooping configuration

Receiver

Switch A
Host A
Vlan-int100
Vlan100

1
Vlan-int102
Switch F

0
t1
-in
an
Vl
01
Host B

t1

N1
-in
an
Vlan-int102 Receiver
Ethernet

Vl
Vlan-int300 Vlan-int105 Vlan-int103 Vlan-int200
Source Vlan-int105 Vlan-int103
Switch D Switch E Vlan-int104 Switch B
Host C

Ethernet
10.110.5.100/24
Vlan-int104
Vlan-int200
PIM-SM
Host D
Switch C

Device Interface IP address Ports

Switch A Vlan-int100 10.110.1.1/24 Ethernet1/0/1
Vlan-int101 192.168.1.1/24 Ethernet1/0/2
Vlan-int102 192.168.9.1/24 Ethernet1/0/3
Switch B Vlan-int200 10.110.2.1/24 Ethernet1/0/1
Vlan-int103 192.168.2.1/24 Ethernet1/0/2
Switch C Vlan-int200 10.110.2.2/24 Ethernet1/0/1
Vlan-int104 192.168.3.1/24 Ethernet1/0/2
Switch D Vlanint300 10.110.5.1/24 Ethernet1/0/1
Vlanint101 192.168.1.2/24 Ethernet1/0/2
Vlanint105 192.168.4.2/24 Ethernet1/0/3
Switch E Vlanint104 192.168.3.2/24 Ethernet1/0/3
Vlanint103 192.168.2.2/24 Ethernet1/0/2
Vlanint102 192.168.9.2/24 Ethernet1/0/1
Vlanint105 192.168.4.1/24 Ethernet1/0/4
Switch F Vlan 100 - Ethernet1/0/1,
Ethernet1/0/2,
Ethernet1/0/3

Configuration Procedure Configuring VLANs, VLAN interfaces and IP addresses for each switch
# Configure VLANs, VLAN interfaces, and their IP addresses on Switch A.
<SwitchA> system-view
System View: return to User View with Ctrl+Z.
[SwitchA] vlan 100
[SwitchA-vlan100] port Ethernet 1/0/1
[SwitchA-vlan100] quit
 PIM-SM plus IGMP plus IGMP Snooping Configuration Examples 181

[SwitchA] vlan 101

[SwitchA-vlan101] port Ethernet 1/0/2
[SwitchA-vlan101] quit
[SwitchA] vlan 102
[SwitchA-vlan102] port Ethernet 1/0/3
[SwitchA-vlan102] quit
[SwitchA] interface Vlan-interface 100
[SwitchA-Vlan-interface100] ip address 10.110.1.1 24
[SwitchA-Vlan-interface100] quit
[SwitchA] interface Vlan-interface 101
[SwitchA-Vlan-interface101] ip address 192.168.1.1 24
[SwitchA-Vlan-interface101] quit
[SwitchA] interface Vlan-interface 102
[SwitchA-Vlan-interface102] ip address 192.168.9.1 24
[SwitchA-Vlan-interface102] quit

Configure VLANs, VLAN interfaces, and their IP addresses on other switches as per
Figure 68. The detailed configuration steps are omitted here.

Configuring the unicast routing protocol

# Configure a router ID and enable OSPF on Switch A.
<SwitchA> system-view.
[SwitchA]router id 1.1.1.1
[SwitchA]ospf
[SwitchA-ospf-1]area 0
[SwitchA-ospf-1-area-0.0.0.0]network 10.110.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0]network 192.168.9.0 0.0.0.255

The configuration on Switch B, Switch C, Switch D, and Switch E is similar to the

configuration on Switch A.

Configuring the multicast protocols

# Enable IP multicast routing on Switch A, enable PIM-SM on each interface, and
then enable IGMPv2 on VLAN-interface 100.
<SwitchA> system-view
[SwitchA] multicast routing-enable
[SwitchA] interface Vlan-interface 100
[SwitchA-Vlan-interface100] igmp enable
[SwitchA-Vlan-interface100] pim sm
[SwitchA-Vlan-interface100] quit
[SwitchA] interface vlan-interface 101
[SwitchA-Vlan-interface101] pim sm
[SwitchA-Vlan-interface101] quit
[SwitchA] interface vlan-interface 102
[SwitchA-Vlan-interface102] pim sm

n It is necessary to enable IGMP only on interfaces with attached multicast receivers.

As the default IGMP version is IGMPv2, it is not necessary to use the version
configuration command on the interface.

The configuration on Switch B and Switch C is similar to that on Switch A. The

configuration on Switch D and Switch E is also similar to that on Switch A except
that it is not necessary to enable IGMP on the corresponding interfaces on these
two switches.
182 CHAPTER 6: MULTICAST PROTOCOL CONFIGURATION EXAMPLES

# Configure the group range to be served by the RP and configure a C-BSR and a
C-RP on Switch D.

<SwitchD> system-view
[SwitchD] acl number 2005
[SwitchD-acl-basic-2005] rule permit source 225.1.1.0 0.0.0.255
[SwitchD-acl-basic-2005] quit
[SwitchD] pim
[SwitchD-pim] c-bsr vlan-interface 105 24 2
[SwitchD-pim] c-rp vlan-interface 105 group-policy 2005 priority 2
[SwitchD-pim] quit

# Configure the group range to be served by the RP and configure a C-BSR and a
C-RP on Switch E.

<SwitchE> system-view
[SwitchE] acl number 2005
[SwitchE-acl-basic-2005] rule permit source 225.1.1.0 0.0.0.255
[SwitchE-acl-basic-2005] quit
[SwitchE] pim
[SwitchE-pim] c-bsr vlan-interface 102 24 1
[SwitchE-pim] c-rp vlan-interface 102 group-policy 2005 priority 1
[SwitchE-pim] quit

# Enable IGMP Snooping globally on Switch E, and enable IGMP Snooping in

VLAN 100.

<SwitchF> system-view
[SwitchF] igmp-snooping enable
Enable IGMP-Snooping ok.
[SwitchF] vlan 100
[SwitchF-vlan100] igmp-snooping enable
[SwitchF-vlan100] quit

Verifying the configuration

Now start sending multicast data to multicast group 225.1.1.1 from Source and
start receiving the multicast data on Host A and Host C, and take the following
steps to verify the configurations made on the switches.
1 Check whether the multicast stream flows to Host A and Host C.

# View PIM neighboring relationships on Switch E.

<SwitchE> display pim neighbor

Neighbor’s Address Interface Name Uptime Expires
192.168.9.1 Vlan-interface102 02:47:04 00:01:42
192.168.2.1 Vlan-interface103 02:45:04 00:04:46
192.168.3.1 Vlan-interface104 02:42:24 00:04:45
192.168.4.2 Vlan-interface105 02:43:44 00:05:44

# View BSR information on Switch E.

<SwitchE> display pim bsr-info

Current BSR Address: 192.168.4.2
Priority: 2
Mask Length: 24
Expires: 00:01:39
Local Host is C-BSR: 192.168.9.2
 PIM-SM plus IGMP plus IGMP Snooping Configuration Examples 183

Priority: 1
Mask Length: 24

# View RP information on Switch E.

<SwitchE> display pim rp-info

PIM-SM RP-SET information:
BSR is: 192.168.4.2

Group/MaskLen: 225.1.1.0/24
RP 192.168.9.2
Version: 2
Priority: 1
Uptime: 00:03:15
Expires: 00:01:14
RP 192.168.4.2
Version: 2
Priority: 2
Uptime: 00:04:25
Expires: 00:01:09

# View PIM routing table entries on Switch A.

<SwitchA> display pim routing-table

PIM-SM Routing Table
Total 1 (S,G) entries, 1 (*,G) entries, 0 (*,*,RP) entry

(*, 225.1.1.1), RP 192.168.9.2

Protocol 0x20: PIMSM, Flag 0x2003: RPT WC NULL_IIF
Uptime: 00:23:21, never timeout
Upstream interface: Vlan-interface102, RPF neighbor: 192.168.9.2
Downstream interface list:
Vlan-interface100, Protocol 0x1: IGMP, never timeout
(10.110.5.100, 225.1.1.1)
Protocol 0x20: PIMSM, Flag 0x80004: SPT
Uptime: 00:03:43, Timeout in 199 sec
Upstream interface: Vlan-interface102, RPF neighbor: 192.168.9.2
Downstream interface list:
Vlan-interface100, Protocol 0x1: IGMP, never timeout
Matched 1 (S,G) entries, 1 (*,G) entries, 0 (*,*,RP) entry

The information on Switch B and Switch C is similar to that on Switch A.

# View PIM routing table entries on Switch D.

<SwitchD> display pim routing-table

PIM-SM Routing Table
Total 1 (S,G) entry, 0 (*,G) entry, 0 (*,*,RP) entry

(10.110.5.100, 225.1.1.1)
Protocol 0x20: PIMSM, Flag 0x4: SPT
Uptime: 00:03:03, Timeout in 27 sec
Upstream interface: Vlan-interface300, RPF neighbor: NULL
Downstream interface list:
Vlan-interface101, Protocol 0x200: SPT, timeout in 147 sec
Vlan-interface105, Protocol 0x200: SPT, timeout in 145 sec
Matched 1 (S,G) entry, 0 (*,G) entry, 0 (*,*,RP) entry
184 CHAPTER 6: MULTICAST PROTOCOL CONFIGURATION EXAMPLES

# View PIM routing table entries on Switch E.

<SwitchE> display pim routing-table

PIM-SM Routing Table
Total 1 (S,G) entry, 1 (*,G) entry, 0 (*,*,RP) entry

(*,225.1.1.1), RP 192.168.9.2
Protocol 0x20: PIMSM, Flag 0x2003: RPT WC NULL_IIF
Uptime: 00:02:34, Timeout in 176 sec
Upstream interface: Null, RPF neighbor: 0.0.0.0
Downstream interface list:
Vlan-interface102, Protocol 0x100: RPT, timeout in 176 sec
Vlan-interface103, Protocol 0x100: SPT, timeout in 135 sec

(10.110.5.100, 225.1.1.1)
Protocol 0x20: PIMSM, Flag 0x4: SPT
Uptime: 00:03:03, Timeout in 27 sec
Upstream interface: Vlan-interface105, RPF neighbor: 192.168.4.2
Downstream interface list:
Vlan-interface102, Protocol 0x200: SPT, timeout in 147 sec
Vlan-interface103, Protocol 0x200: SPT, timeout in 145 sec
Matched 1 (S,G) entry, 1 (*,G) entry, 0 (*,*,RP) entry

# View the information about multicast group entries created by IGMP Snooping
on Switch F.

<SwitchF> display igmp-snooping group

Total 1 IP Group(s).
Total 1 MAC Group(s).

Vlan(id):100.
Total 1 IP Group(s).
Total 1 MAC Group(s).
Router port(s):Ethernet1/0/2
IP group(s):the following ip group(s) match to one mac group.
IP group address:225.1.1.1
Host port(s):Ethernet1/0/19
MAC group(s):
MAC group address:0100-5e01-0101
Host port(s):Ethernet1/0/19

# View multicast group information that contains port information on Switch B.

<SwitchB> display mpm group

Total 1 IP Group(s).
Total 1 MAC Group(s).

Vlan(id):200.
Total 1 IP Group(s).
Total 1 MAC Group(s).
Router port(s):
IP group(s):the following ip group(s) match to one mac group.
IP group address:225.1.1.1
Host port(s):Ethernet1/0/24
MAC group(s):
MAC group address:0100-5e01-0101
Host port(s):Ethernet1/0/24
 IGMP Snooping-Only Configuration Examples 185

Vlan(id):103.
Total 0 IP Group(s).
Total 0 MAC Group(s).
Router port(s):Ethernet1/0/10

As shown above, multicast traffic can successfully flow to Host A and Host C.

2 Configure simulated joining

Configure simulated joining on Switch B, thus to prevent the multicast switch from
considering that no multicast receiver exist on the subnet due to some reason and
removing the corresponding path from the multicast forwarding tree.

# Configure Ethernet 1/0/21 as a simulated host to join multicast group 225.1.1.1.

<SwitchB> system-view
[SwitchB] interface Vlan-interface 200
[SwitchB-Vlan-interface200] igmp host-join 225.1.1.1 port Ethernet 1/0/21

# View multicast group information that contains port information on Switch B.

<SwitchB> display mpm group

Total 1 IP Group(s).
Total 1 MAC Group(s).

Vlan(id):200.
Total 1 IP Group(s).
Total 1 MAC Group(s).
Router port(s):
IP group(s):the following ip group(s) match to one mac group.
IP group address:225.1.1.1
Host port(s):Ethernet1/0/21 Ethernet1/0/24
MAC group(s):
MAC group address:0100-5e01-0101
Host port(s):Ethernet1/0/21 Ethernet1/0/24

Vlan(id):103.
Total 0 IP Group(s).
Total 0 MAC Group(s).
Router port(s):Ethernet1/0/10

As shown above, Ethernet 1/0/21 has become a member port for multicast group
225.1.1.1.

IGMP Snooping-Only
Configuration
Examples

Network Requirements In case that it is unnecessary or infeasible to build a Layer-3 multicast network,
enabling IGMP Snooping on all the devices in a Layer 2 network can implement
some multicast functions.
 186 CHAPTER 6: MULTICAST PROTOCOL CONFIGURATION EXAMPLES

Configuration Plan
1 As shown in Figure 69, in a Layer-2 network without Layer-3 devices, Switch C
connects to the multicast source through Ethernet 1/0/3. At least one receiver is
attached to Switch B and Switch C respectively.
2 Enable IGMP Snooping on Switch A, Switch B, and Switch C, with Switch A acting
as the IGMP Snooping querier.
3 Enable Switch A and Switch B to drop unknown multicast traffic so that multicast
traffic for unknown multicast groups are not flooded in the VLAN.

Network Diagram Figure 69 Network diagram for IGMP Snooping-only configuration

Querier
Eth1/0/1 Eth1/0/2

Switch A

Switch B Eth1/0/1 Eth1/0/1 Switch C

Eth1/0/2 Eth1/0/3 Eth1/0/2 Eth1/0/3

Source
Receiver Receiver Receiver

Host A Host B Host C 1.1.1.1/24

Configuration Procedure Configuring switch A

# Enable IGMP Snooping globally.
<SwitchA> system-view
[SwitchA] igmp-snooping enable
Enable IGMP-Snooping ok.

# Create VLAN 100, add Ethernet 1/0/1 and Ethernet 1/0/2 into VLAN 100, and
then enable IGMP Snooping in this VLAN.

[SwitchA] vlan 100

[SwitchA-vlan100] port Ethernet 1/0/1 Ethernet 1/0/2
[SwitchA-vlan100] igmp-snooping enable

# Enable IGMP Snooping querier in VLAN 100.

[SwitchA-vlan100] igmp-snooping querier

[SwitchA-vlan100] quit

# Enable the function of dropping unknown multicast packets.

[SwitchA] unknown-multicast drop enable

 IGMP Snooping-Only Configuration Examples 187

Configuring Switch B
# Enable IGMP Snooping globally.
<SwitchB> system-view
[SwitchB] igmp-snooping enable
Enable IGMP-Snooping ok.

# Create VLAN 100, add Ethernet 1/0/1 through Ethernet 1/0/3 into VLAN 100,
and then enable IGMP Snooping in this VLAN.

[SwitchB] vlan 100

[SwitchB-vlan100] port Ethernet 1/0/1 to Ethernet 1/0/3
[SwitchB-vlan100] igmp-snooping enable
[SwitchB-vlan100] quit

# Enable the function of dropping unknown multicast packets.

[SwitchB] unknown-multicast drop enable

Configuring Switch C
# Enable IGMP Snooping globally.
<SwitchC system-view
[SwitchC] igmp-snooping enable
Enable IGMP-Snooping ok.

# Create VLAN 100, add Ethernet 1/0/1 through Ethernet 1/0/3 into VLAN 100,
and then enable IGMP Snooping in this VLAN.

[SwitchC] vlan 100

[SwitchC-vlan100] port Ethernet 1/0/1 to Ethernet 1/0/3
[SwitchC-vlan100] igmp-snooping enable

c CAUTION: Switch C is not the IGMP Snooping querier, so it does not have
member ports for non-directly-connected hosts, and the corresponding
forwarding entries cannot be created on it. Therefore, do not enable the function
of dropping unknown multicast packets on Switch C. To avoid impact on the
network and on Switch C caused by multicast flooding, it is recommended to
enable IGMP Snooping querier on the switch to which the multicast source is
directly attached.

Verifying the configuration

1 View information on Switch B.

# View IGMP packet statistics on Switch B.

<SwitchB> display igmp-snooping statistics

Received IGMP general query packet(s) number:16.
Received IGMP specific query packet(s) number:3.
Received IGMP V1 report packet(s) number:0.
Received IGMP V2 report packet(s) number:53.
Received IGMP leave packet(s) number:1.
Received error IGMP packet(s) number:0.
Sent IGMP specific query packet(s) number:1.
188 CHAPTER 6: MULTICAST PROTOCOL CONFIGURATION EXAMPLES

Switch B received IGMP general queries sent by the querier and IGMP reports from
receivers.

# View multicast group information on Switch B.

<Switch B> display igmp-snooping group

Total 1 IP Group(s).
Total 1 MAC Group(s).

Vlan(id):100.
Total 1 IP Group(s).
Total 1 MAC Group(s).
Router port(s):Ethernet1/0/1
IP group(s):the following ip group(s) match to one mac group.
IP group address:224.1.1.1
Host port(s):Ethernet1/0/2
MAC group(s):
MAC group address:0100-5e7f-fffe
Host port(s):Ethernet1/0/2

As shown above, a forwarding entry for the multicast group 224.1.1.1 has been
created on Switch A, with Ethernet 1/0/1 as the router port and Ethernet 1/0/2 as
the member port.

2 View information on Switch A.

# View IGMP packet statistics on Switch A.

<SwitchA> display igmp-snooping statistics

Received IGMP general query packet(s) number:0.
Received IGMP specific query packet(s) number:0.
Received IGMP V1 report packet(s) number:0.
Received IGMP V2 report packet(s) number:53.
Received IGMP leave packet(s) number:1.
Received error IGMP packet(s) number:0.
Sent IGMP specific query packet(s) number:1.

Switch A receives IGMP reports from the receivers.

# View multicast group information on Switch A.

<Switch A> display igmp-snooping group

Total 1 IP Group(s).
Total 1 MAC Group(s).

Vlan(id):100.
Total 1 IP Group(s).
Total 1 MAC Group(s).
Router port(s):
IP group(s):the following ip group(s) match to one mac group.
IP group address:224.1.1.1
Host port(s):Ethernet1/0/1
MAC group(s):
MAC group address:0100-5e7f-fffe
Host port(s):Ethernet1/0/1
 MSDP Configuration Examples 189

As shown above, a forwarding entry for the multicast group 224.1.1.1 has been
created on Switch A, with Ethernet 1/0/1 as the member port. Acting as the IGMP
Snooping querier, Switch A does not have a router port.

3 View information on Switch C.

# View IGMP packet statistics on Switch C.

<SwitchC> display igmp-snooping statistics

Received IGMP general query packet(s) number:10.
Received IGMP specific query packet(s) number:0.
Received IGMP V1 report packet(s) number:0.
Received IGMP V2 report packet(s) number:0.
Received IGMP leave packet(s) number:.0
Received error IGMP packet(s) number:0.
Sent IGMP specific query packet(s) number:0.

Switch C received only IGMP general queries from the querier.

# View multicast group information on Switch C.

<Switch C> display igmp-snooping group

Total 0 IP Group(s).
Total 0 MAC Group(s).

Vlan(id):100.
Total 0 IP Group(s).
Total 0 MAC Group(s).
Router port(s):Ethernet1/0/1

As shown above, no forwarding entries have been created on Switch C. The

switch must flood multicast data in the VLAN to allow the multicast data to flow
to the receivers downstream; therefore, do not enable the function of dropping
unknown multicast packets on Switch C.

MSDP Configuration
Examples

Network Requirements To enable communication between receivers and multicast sources in different
PIM-SM domains, use MSDP to establish MSDP peering relationships between the
RPs of different PIM-SM domains, so that these RPs can forward SA messages
between PIM-SM domains to share multicast source information.

Configuration Plan ■ Two ISPs maintain their respective ASs, AS 100 and AS 200. OSPF runs within
each AS, and BGP is deployed for interoperability between the two ASs.
■ PIM-SM 1 belongs to AS 100. PIM-SM 2 and PIM-SM 3 belong to AS 200.
■ Both PIM-SM domains have 0 or 1 multicast source and at least one receiver.
OSPF runs within each domain for unicast routing.
■ The respective loopback interfaces, Loopback 0, of Switch C, Switch D and
Switch F are configured as C-BSRs and C-RPs of the respective PIM-SM
domains.
 190 CHAPTER 6: MULTICAST PROTOCOL CONFIGURATION EXAMPLES

■ Establish MSDP peering relationship between Switch C and Switch D through

EBGP. Establish MSDP peering relationship between Switch D and Switch F
through IBGP.

Network Diagram Figure 70 Network diagram for MSDP configuration

AS 100 AS 200 Receiver

Receiver
Loop0

Vl
Switch G

an
-in
Switch F

t1
00
Vlan-int400
Vlan-int400

Vl
Switch A

an
-i n
Switch B Vlan-int102

t2
00
Vlan-int300 PIM-SM 3
Vlan-int300
Source 1
00
t1

Vlan-int200
-i n

00
an

t1
-in
Vl

an
Receiver
00

Vl
t1

Vl
-in

an
an

Vlan-int200 Vlan-int102

-
in
Vl

t1
Vlan-int101

00
Vlan-int101 Vlan-int300
Vlan-int300
Switch C Switch D
Source 2

00
Switch E

t2
-in
an
Loop0 Loop0

Vl
PIM-SM 2
PIM-SM 1

MSDP peers
Device Interface IP address Device Interface IP address
SwitchA Vlan-int100 10.110.1.2/24 Switch D Vlan-int300 10.110.4.1/24
Vlan-int200 10.110.6.1/24 Vlan-int102 192.168.3.1/24
Vlan-int300 10.110.5.1/24 Vlan-int101 192.168.1.2/24
SwitchB Vlan-int100 10.110.7.1/24 Loop0 2.2.2.2/32
Vlan-int200 10.110.2.2/24 Switch E Vlan-int100 10.110.8.1/24
Vlan-int300 10.110.5.2/24 Vlan-int200 10.110.9.1/24
Switch C Vlan-int100 10.110.1.1/24 Vlan-int300 10.110.4.2/24
Vlan-int200 10.110.2.1/24 Loop0 2.2.2.2/32
Vlan-int101 192.168.1.1/24 Switch F Vlan-int400 10.110.3.1/24
Loop0 1.1.1.1/32 Vlan-int102 192.168.3.2/24
Loop0 3.3.3.3/32
SwitchG Vlan-int100 10.110.10.1/24
Vlan-int400 10.110.3.2/24

Configuration Procedure Configuring an interface IP address and a unicast routing protocol for each
switch
Configure an IP address and a subnet mask for each interface as per Figure 70.
The detailed configuration steps are not discussed in this document.

Configure OSPF for interoperation between switches in each PIM-SM domain.

Ensure the network-layer interoperation among Switch A, Switch B and Switch C
 MSDP Configuration Examples 191

in PIM-SM 1, the network-layer interoperation between Switch D and Switch E in

PIM-SM 2, and the network-layer interoperation between Switch F and Switch G
in PIM-SM 3, and ensure the dynamic update of routing information between the
switches in each PIM-SM domain through the unicast routing protocol.

Configuring a unicast routing protocol for each AS

# Configure OSPF on Switch C.
<SwitchC> system-view.
[SwitchC]ospf
[SwitchC-ospf-1]area 0
[SwitchC-ospf-1-area-0.0.0.0]network 10.110.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0]network 10.110.2.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0

The configuration on Switch A, Switch B, Switch D, Switch E, Switch F and Switch

G is similar to the configuration on Switch C.

Configuring a multicast routing protocol

1 Enable IP multicast routing, enable PIM-SM on each interface, and enable IGMP on
the interfaces connected with receivers.

# Enable IP multicast routing on Switch A, enable PIM-SM on each interface, and

enable IGMP on VLAN-interface 200.

<SwitchA> system-view
[SwitchA] multicast routing-enable
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] pim sm
[SwitchA-Vlan-interface100] quit
[SwitchA] interface vlan-interface 200
[SwitchA-Vlan-interface200] pim sm
[SwitchA-Vlan-interface200] igmp enable
[SwitchA-Vlan-interface200] quit
[SwitchA] interface vlan-interface 300
[SwitchA-Vlan-interface101] pim sm

The configuration on Switch E and Switch G is similar to the configuration on

Switch A. The specific configuration steps are omitted here.

# Enable IP multicast routing on Switch C and enable PIM-SM on each interface.

<SwitchC> system-view
[SwitchC] multicast routing-enable
[SwitchC] interface vlan-interface 100
[SwitchC-Vlan-interface100] pim sm
[SwitchC-Vlan-interface100] quit
[SwitchC] interface vlan-interface 200
[SwitchC-Vlan-interface200] pim sm
[SwitchC-Vlan-interface200] quit
[SwitchC] interface vlan-interface 101
[SwitchC-Vlan-interface101] pim sm

The configuration on Switch B, Switch D, and Switch F is similar to the

configuration on Switch C. The specific configuration steps are omitted here.
192 CHAPTER 6: MULTICAST PROTOCOL CONFIGURATION EXAMPLES

# Configure a BSR boundary on Switch C.

[SwitchC-Vlan-interface101] pim bsr-boundary

[SwitchC-Vlan-interface101] quit

The configuration on Switch D and Switch F is similar to the configuration on

Switch C.

2 Configure the position of interface Loopback 0, C-BSR, and C-RP.

# Configure the position of Loopback 0, C-BSR, and C-RP on Switch C.

[SwitchC] interface loopback 0

[SwitchC-LoopBack0] ip address 1.1.1.1 255.255.255.255
[SwitchC-LoopBack0] pim sm
[SwitchC-LoopBack0] quit
[SwitchC] pim
[SwitchC-pim] c-bsr loopback 0 24
[SwitchC-pim] c-rp loopback 0
[SwitchC-pim] quit

The configuration on Switch D and Switch F is similar to the configuration on

Switch C.

Configuring inter-AS BGP for mutual route redistribution between BGP

and OSPF
# Configure EBGP on Switch C, and configure OSPF route redistribution.
[SwitchC] bgp 100
[SwitchC-bgp] group 100 external
[SwitchC-bgp] peer 192.168.1.2 group 100 as-number 200
[SwitchC-bgp] import-route ospf 1
[SwitchC-bgp] import-route direct
[SwitchC-bgp] quit

# Configure IBGP and EBGP on Switch D, and configure OSPF route redistribution.

[SwitchD] bgp 200

[SwitchD-bgp] group 100 external
[SwitchD-bgp] group 200
[SwitchD-bgp] peer 192.168.1.1 group 100 as-number 100
[SwitchD-bgp] peer 192.168.3.2 group 200
[SwitchD-bgp] import-route ospf 1
[SwitchD-bgp] import-route direct
[SwitchD-bgp] quit

# Configure IBGP on Switch F, and configure OSPF route redistribution.

[SwitchF] bgp 200

[SwitchF-bgp] group 200
[SwitchF-bgp] peer 192.168.3.1 group 200
[SwitchF-bgp] import-route ospf 1
[SwitchF-bgp] import-route direct
[SwitchF-bgp] quit

# Configure BGP route redistribution to OSPF on Switch C.

 MSDP Configuration Examples 193

[SwitchC] ospf 1
[SwitchC-ospf-1] import-route bgp
[SwitchC-ospf-1] quit

The configuration on Switch D and Switch F is similar to the configuration on

Switch C.

Carry out the display bgp peer command to view the BGP peering relationships
between the switches. For example:

# View the information about BGP peering relationships on Switch C.

[SwitchC] display bgp peer

Peer AS-num Ver Queued-Tx Msg-Rx Msg-Tx Up/Down State

--------------------------------------------------------------------------
192.168.1.2 200 4 0 950 945 15:41:14 Established

# View the information about BGP peering relationships on Switch D.

[SwitchD] display bgp peer

Peer AS-num Ver Queued-Tx Msg-Rx Msg-Tx Up/Down State

--------------------------------------------------------------------------
192.168.1.1 100 4 0 946 953 15:43:32 Established
192.168.3.2 200 4 0 946 954 15:41:18 Established

# View the information about BGP peering relationships on Switch F.

[SwitchF] display bgp peer

Peer AS-num Ver Queued-Tx Msg-Rx Msg-Tx Up/Down State

--------------------------------------------------------------------------
192.168.3.1 200 4 0 953 948 15:42:23 Established

Configuring MSDP peers

# Configure an MSDP peer on Switch C.
[SwitchC] msdp
[SwitchC-msdp] peer 192.168.1.2 connect-interface vlan-interface 101
[SwitchC-msdp] quit

# Configure an MSDP peer on Switch D.

[SwitchD] msdp
[SwitchD-msdp] peer 192.168.1.1 connect-interface vlan-interface 101
[SwitchD-msdp] peer 192.168.3.2 connect-interface vlan-interface 102
[SwitchD-msdp] quit

# Configure MSDP peers on Switch F.

[SwitchF] msdp
[SwitchF-msdp] peer 192.168.3.1 connect-interface vlan-interface 102
[SwitchF-msdp] quit

When the multicast source Source 1 sends multicast information, receivers in

PIM-SM2 and PIM-SM3 can receive the multicast data. You can use the display
msdp brief command to view the brief information of MSDP peering
relationships between the switches. For example:
194 CHAPTER 6: MULTICAST PROTOCOL CONFIGURATION EXAMPLES

# View the brief information about MSDP peering relationships on Switch C.

[SwitchC] display msdp brief

MSDP Peer Brief Information
Peer’s Address State Up/Down time AS SA Count Reset Count
192.168.1.2 Up 00:12:27 200 13 0

# View the brief information about MSDP peering relationships on Switch D.

[SwitchD] display msdp brief

MSDP Peer Brief Information
Peer’s Address State Up/Down time AS SA Count Reset Count
192.168.3.2 Up 00:15:32 200 8 0
192.168.1.1 UP 00:06:39 100 13 0

# View the brief information about MSDP peering relationships on Switch F.

[SwitchF] display msdp brief

MSDP Peer Brief Information
Peer’s Address State Up/Down time AS SA Count Reset Count
192.168.3.1 UP 01:07:08 200 8 0

# View the detailed MSDP peer information on Switch C.

[SwitchC] display msdp peer-status

MSDP Peer 192.168.1.2, AS 200
Description:
Information about connection status:
State: Up
Up/down time: 00:15:47
Resets: 0
Connection interface: Vlan-interface101 (192.168.1.1)
Number of sent/received messages: 16/16
Number of discarded output messages: 0
Elapsed time since last connection or counters clear: 00:17:51
Information about (Source, Group)-based SA filtering policy:
Import policy: none
Export policy: none
Information about SA-Requests:
Policy to accept SA-Request messages: none
Sending SA-Requests status: disable
Minimum TTL to forward SA with encapsulated data: 0
SAs learned from this peer: 0, SA-cache maximum for the peer: none
Input queue size: 0, Output queue size: 0
Counters for MSDP message:
Count of RPF check failure: 0
Incoming/outgoing SA messages: 0/0
Incoming/outgoing SA requests: 0/0
Incoming/outgoing SA responses: 0/0
Incoming/outgoing data packets: 0/0
 VLAN CONFIGURATION EXAMPLES
7
Keywords:
VLAN, 802.1q, VLAN interface, protocol VLAN

Abstract:
This document introduces how VLAN of the 3Com series Ethernet switches is
applied and configured in practical networking implementations and how
protocols are used in conjunction with VLANs.

Acronyms:
VLAN (Virtual local area network)

VLAN Support Matrix

Support for VLAN on

Table 88 Support for VLAN on 3Com stackable switches
3Com Stackable
Switches Feature (right)
Model (below) 802.1Q VLAN VLAN interface Protocol VLAN
Switch 5500 ● ● ●
Switch 4500 ● ● ●
Switch 5500Gs ● ● ●
Switch 4200 ● ❍ ●
Switch 4210 ● ❍ -
Switch 4210 52-Port ● ● -
E352/E328 ● ● ●
E126 ● ❍ -
E152 ● ❍ -

n ■ In the above table, the solid dots (●) indicate that the corresponding models
provide full support for the function; the hollow dots (❍) indicate that the
corresponding models provide incomplete support for the function, that is, the
corresponding models support only the VLAN-interface for the management
VLAN; the dashes (-) indicate that the corresponding models do not support
the function.
■ For detailed information about the support of your device for VLAN, refer to
the user manual for your device.
 196 CHAPTER 7: VLAN CONFIGURATION EXAMPLES

Configuration Guide

n ■ The configuration procedure differs by device. In this guide, the Switch 5500 is
used as an example. For informaiton on how to configure VLAN on other
models, refer to the Configuration Guide for that model.
■ The configuration example in this guide provides only basic configuration
procedures. For detailed information about individual functions, refer to the
Configuraiton Guide and Command Reference Guide for that model.

Configuring Basic VLAN The 3Com series switches support IEEE 802.1Q VLAN. The technology allows you
Settings to organize Ethernet ports into virtual workgroups by assigning them to different
VLANs.

Follow these steps to create a VLAN and perform basic VLAN configuration:

To... Use the command... Remarks

Enter system view system-view -
Create multiple VLANs in bulk vlan { vlan-id1 to vlan-id2 | Optional
all }
Create a VLAN and enter vlan vlan-id Required
VLAN view
By default, only one default
VLAN (VLAN 1) exists in the
system.
Assign a name for the current name text Optional
VLAN
By default, the name of a
VLAN is its VLAN ID, for
example, VLAN 0001.
Configure the description of description text Optional
the current VLAN
By default, the description of
a VLAN is its VLAN ID, for
example, VLAN 0001.
Display VLAN information display vlan [ vlan-id [ to Available in any view
vlan-id ] | all | dynamic |
static ]

You can assign a port to a VLAN in Ethernet port view or in VLAN view.

Follow these steps to assign a port to a VLAN in VLAN view:

To... Use the command... Remarks

Enter system view system-view -
Enter VLAN view vlan vlan-id -
Assign a list of Ethernet ports port interface-list Required
to the VLAN
By default, all ports belong to
the default VLAN (VLAN 1).

n Only access ports can be assigned to a VLAN in VLAN view. You can assign trunk
or hybrid ports to a VLAN only in Ethernet port view.

Follow these steps to assign a port to a VLAN in Ethernet port view:

 Configuration Guide 197

To... Use the command... Remarks

Enter system view system-view -
Enter Ethernet port view interface interface-type -
interface-number
Configure the port type port link-type { access | Optional
trunk | hybrid }
By defaults, all ports are
access ports.
Assign the For an access port access vlan vlan-id Required
current port to port
By default, all the three
the specified
For a trunk port port trunk permit vlan types of ports belong to the
VLAN(s)
{ vlan-id-list | all } default VLAN (VLAN 1).
For a hybrid port hybrid vlan vlan-id-list
port { tagged | untagged }
Specify the For a trunk port port trunk pvid vlan Optional
default VLAN vlan-id
By default, the default VLAN
for the current
For a hybrid port hybrid pvid vlan of an Ethernet port is VLAN
port
port vlan-id 1.
Because an access port can
be assigned to only one
VLAN, its default VLAN is
the VLAN to which it
belongs. Therefore, you do
not need to configure a
default VLAN for it.

Configuring Basic You can enable your switch to perform Layer 3 forwarding by configuring VLAN
Settings of a VLAN interfaces with IP addresses on the switch.
Interface
Follow these steps to configure basic settings of a VLAN interface:

To... Use the command... Remarks

Enter system view system-view -
Create a VLAN interface and interface Vlan-interface Required
enter VLAN interface view vlan-id
By default, no VLAN interface
exists.
Assign an IP address to the ip address ip-address { mask | Required
current VLAN interface mask-length } [ sub ]
No IP address is assigned to
any VLAN interface by default.
Configure the description of description text Optional
the current VLAN interface
By default, the description of
a VLAN interface is its name,
for example, Vlan-interface1
Interface.
198 CHAPTER 7: VLAN CONFIGURATION EXAMPLES

To... Use the command... Remarks

Shut down the VLAN interface shutdown Optional
Bring up the VLAN interface undo shutdown By default, a VLAN interface is
in the up state. In this case,
the VLAN interface is up so
long as one port in the VLAN
is up and goes down if all
ports in the VLAN go down.
An administratively shut down
VLAN interface however will
be in the down state until you
bring it up, regardless of how
the state of the ports in the
VLAN changes.
Display information about the display interface Available in any view
VLAN interface Vlan-interface [ vlan-id ]

n ■

■
Before creating a VLAN interface for a VLAN, create the VLAN first.
On some 3Com series switches, only one VLAN interface is supported, and you
must configure its VLAN as the default VLAN with the management-vlan
command before creating the VLAN interface. For detailed configurations,
refer to the corresponding user manual.

Protocol VLAN Protocol VLAN enables your switch to assign an incoming untagged frame to a
Configuration VLAN based on its protocol. To configure a protocol VLAN, first create a protocol
template to enable protocol VLAN, and then assign Ethernet ports to the protocol
VLAN.

Follow these steps to configure a protocol VLAN:

To... Use the command... Remarks

Enter system view system-view -
Enter VLAN view vlan vlan-id -
Create a protocol template protocol-vlan Required
[ protocol-index ] { at | ip | ipx
No protocol template exists by
{ ethernetii | llc | raw |
default.
snap } | mode { ethernetii
etype etype-id | llc { dsap
dsap-id ssap ssap-id } | snap
etype etype-id } }
Return to system view quit -
Enter Ethernet port view interface interface-type -
interface-number
Configure the port as a hybrid port link-type hybrid Required
port
All Ethernet ports are access
ports by default.
Assign the port to the port hybrid vlan vlan-id Required
protocol VLAN and configure untagged
All ports belong to VLAN 1 by
the port to forward the
default.
frames of the VLAN with their
VLAN tag removed
 VLAN Configuration Example 199

To... Use the command... Remarks

Associate the port with the port hybrid protocol-vlan Required
protocol VLAN vlan vlan-id { protocol-index
By default, an Ethernet port is
[ to protocol-index-end ] | all }
not associated with any
protocol VLAN.
Display information about the display protocol-vlan vlan Available in any view
protocol templates of the { vlan-id [ to vlan-id ] | all }
specified VLAN(s)
Display information about the display protocol-vlan
protocol templates of the interface { interface-type
protocol VLANs associated interface-number [ to
with the specified port(s) interface-type
interface-number ] | all }

VLAN Configuration
Example

Network Requirements A company has three departments: the R&D department, the marketing
department, and the design department. The three departments are located in the
same building. The R&D department and the marketing department are located in
different office areas. The design department and part of the R&D department
share the same office area. The hosts of the design department use the Apple
operating system (OS), and the hosts of the other two departments use Windows.
Use VLANs to fulfill the following:
■ Employees of the same department can communicate with each other, while
employees of different departments cannot.
■ The R&D department and the marketing department are on different IP
network segments. A switch (Core-Switch A in Figure 71) assigns addresses to
hosts of the two departments automatically.
■ Both the R&D department and the marketing department can access the public
servers. However, the design server and the R&D server are accessible to only
the employees of the design department and the R&D department respectively.
■ The hosts and server of the R&D department and those of the design
department cannot access the Internet; the hosts and server of the marketing
department and those of the design department cannot access the VPN of the
R&D department.
200 CHAPTER 7: VLAN CONFIGURATION EXAMPLES

Network Diagram Figure 71 Network diagram for VLAN configuration

VPN Internet

Public Servers
R&D Dept. Core-SwitchA

Core-SwitchB

SwitchA SwitchB

Market Dept. Design Server R& D Server

Market Dept. R&D Dept.

Design Dept. & R& D Dept.

Configuration Outlines Configuration on Switch A

Figure 72 Network diagram for Switch A

R&D Dept.

Eth1 /0/5
Eth1/0 /7 SwitchA
GE 1/1/1
Eth1/0/10
Market Dept.

Design Dept. & R&D Dept.

On Switch A, assign the port connecting to the independent office area of the
R&D department and the port connecting to the independent office area of the
marketing department to different VLANs, thus isolating the two areas.

As the shared office area is used by two departments, assigning the port
connecting to the area to a VLAN cannot isolate the two departments.
Considering that the design department and the R&D department use different
operating systems, you can assign Apple hosts whose network protocol is
Appletalk and Windows hosts whose network protocol is IP to different protocol
VLANs.

Configure GigabitEthernet 1/1/1 to permit frames of all existing VLANs to pass

through with VLAN tags for VLAN identification.
 VLAN Configuration Example 201

Configuration on Switch B

Figure 73 Network diagram for Switch B

GE 1/1 /2
GE1/1/1 SwitchB

Eth 1 /0/2 Eth 1/0/3

Market Dept. R&D Dept.

On Switch B, assign the port connecting to the marketing department and the
port connecting to the R&D department to different VLANs. Note that, the
configuration of the VLAN to which a department belongs must be the same on
both Switch A and Switch B. Configure the port connecting to Core-Switch A to
permit the frames of all existing VLANs to pass through with VLAN tags.

Configuration on Core-Switch A

Figure 74 Network diagram for Core-Switch A

VPN

Eth 1/0/20 Core -SwitchA

GE 1/1/1
GE 1/1 /2

On Core-Switch A, configure the port connecting to Switch B to permit the frames

of the three departments to pass through.

Configure Core-Switch A as the DHCP server for IP address assignment. As it is the

egress device for the R&D department to access the VPN, configure Core-Switch A
as the gateway for the R&D department and configure the port connecting to the
VPN to permit only the frames of the R&D department to pass through. As
Core-Switch B is the egress device for accessing the Internet and only the
marketing department is allowed to access the Internet, configure Core-Switch B
as the gateway for the marketing department.
202 CHAPTER 7: VLAN CONFIGURATION EXAMPLES

Configuration on Core-Switch B

Figure 75 Network diagram for Core-Switch B

Internet

Public Servers
Eth 1/0/15 Core-SwitchB
GE 1/1 /1 GE1/1/2

GE 1/1 /3 GE1 /1/4

Design Server R&D Server

Each server is connected to Core-Switch B through an individual port. Assign these

ports to different VLANs to provide the departments exclusive access to their
respective servers.

As the public servers are accessible to both the R&D department and the
marketing department, create an individual VLAN for the public servers to forward
Layer 3 traffic between the servers and the clients. As Core-Switch A forwards
Layer 3 traffic between the R&D department and the public servers, configure the
link between Core-Switch B and Core-Switch A to permit the frames of the VLAN
created for the public servers to pass through besides the frames of the three
departments.

As Core-Switch B is the egress device for accessing the Internet and only the
marketing department is allowed to access the Internet, configure a VLAN
interface with an IP address for the VLAN of the marketing department and
configure the port connecting to the Internet to permit only the frames of the
VLAN to pass through. The IP address of the VLAN interface will be used as the
gateway address for the marketing department on Core-Switch A.

Summary
Assign the hosts and server of the R&D department, those of the marketing
department, and those of the design department to VLAN 100, VLAN 200, and
VLAN 300 respectively. The public servers belong to VLAN 500 and lie on the
network segment 192.168.50.0. The following diagram shows the planned
VLANs:
 VLAN Configuration Example 203

Figure 76 Network diagram for the deployment of VLANs

VPN Internet

VLAN 500
VLAN 100 Core-SwitchA

Core-SwitchB

SwitchA SwitchB

VLAN 200 VLAN 300 VLAN 100

Access VLAN 100

VLAN 200 VLAN 100 Access VLAN 200
Hybrid VLAN 100/300 untagged
VLAN 100 & VLAN 300 Trunk permit VLAN 100/200/300
Trunk permit VLAN 100/200/300/500
Access VLAN 500

Configuration Procedure Device and version used

Switch 5500 Release version 1510.

Configuration procedure
■ Configure Switch A

# Create VLAN 100, VLAN 200, and VLAN 300.

<SwitchA> system-view
[SwitchA] vlan 100
[SwitchA-vlan100] quit
[SwitchA] vlan 200
[SwitchA-vlan200] quit
[SwitchA] vlan 300
[SwitchA-vlan300]
[SwitchA-vlan300] quit

# Assign Ethernet 1/0/5 to VLAN 100.

[SwitchA] interface Ethernet 1/0/5

[SwitchA-Ethernet1/0/5] port access vlan 100
[SwitchA-Ethernet1/0/5] quit

# Assign Ethernet 1/0/10 to VLAN 200.

[SwitchA] interface Ethernet 1/0/10

[SwitchA-Ethernet1/0/10] port access vlan 200
[SwitchA-Ethernet1/0/10] quit

# Create a protocol template for VLAN 100 to carry IP and a protocol template for
VLAN 300 to carry Appletalk.
204 CHAPTER 7: VLAN CONFIGURATION EXAMPLES

[SwtichA] vlan 100

[SwitchA-vlan100] protocol-vlan ip
[SwitchA-vlan100] quit
[SwitchA] vlan 300
[SwitchA-vlan300] protocol-vlan at
[SwitchA-vlan300] quit

# Create a user-defined protocol template for VLAN 100 to carry ARP for IP
communication, assuming that Ethernet_II encapsulation is used.

[SwitchA] vlan 100

[SwitchA-vlan100] protocol-vlan mode ethernetii etype 0806

# Configure Ethernet 1/0/10 as a hybrid port permitting the frames of VLAN 100
and VLAN 300 to pass through untagged.

[SwitchA] interface Ethernet 1/0/10

[SwitchA-Ethernet1/0/10] port link hybrid
[SwitchA-Ethernet1/0/10] port hybrid vlan 100 300 untagged

# Associate Ethernet 1/0/10 with all the protocol templates of VLAN 100 and
VLAN 300.

[SwitchA-Ethernet1/0/10] port hybrid protocol-vlan vlan 100 all

[SwitchA-Ethernet1/0/10] port hybrid protocol-vlan vlan 300 all
[SwitchA-Ethernet1/0/10] quit

# Configure GigabitEthernet 1/1/1 as a trunk port permitting the frames of VLAN

100, VLAN 200, VLAN 300, and VLAN 500 to pass through with VLAN tags.

[SwitchA] interface GigabitEthernet 1/1/1

[SwitchA-GigabitEthernet1/1/1] port link-type trunk
[SwitchA-GigabitEthernet1/1/1] port trunk permit vlan 100 200 300 500
■ Configure Switch B

# Create VLAN 100, VLAN 200, and VLAN 300 on Switch B as you have done on
Switch A.

# Assign Ethernet 1/0/2 and Ethernet 1/0/3 to VLAN 200 and VLAN 100
respectively.

<SwitchB> system-view
[SwitchB] interface Ethernet 1/0/2
[SwitchB-Ethernet1/0/2] port access vlan 200
[SwitchB-Ethernet1/0/2] quit
[SwitchB] interface Ethernet 1/0/3
[SwitchB-Ethernet1/0/3] port access vlan 100
[SwitchB-Ethernet1/0/3] quit

# Configure GigabitEthernet 1/1/1 and GigabitEthernet 1/1/2 as trunk ports

permitting the frames of VLAN 100, VLAN 200, VLAN 300, and VLAN 500 to pass
through with VLAN tags.

[SwitchB] interface GigabitEthernet 1/1/1

[SwitchB-GigabitEthernet1/1/1] port link-type trunk
[SwitchB-GigabitEthernet1/1/1] port trunk permit vlan 100 200 300 500
[SwitchB-GigabitEthernet1/1/1] quit
 VLAN Configuration Example 205

[SwitchB] interface GigabitEthernet 1/1/2

[SwitchB-GigabitEthernet1/1/2] port link-type trunk
[SwitchB-GigabitEthernet1/1/2] port trunk permit vlan 100 200 300 500
[SwitchB-GigabitEthernet1/1/2] quit
■ Configure Core-Switch A

# Create VLAN 100, VLAN 200, and VLAN 300 on Core-Switch A. The
configuration procedure is the same as that on Switch A.

# Configure GigabitEthernet 1/1/1 and GigabitEthernet 1/1/2 as trunk ports

permitting the frames of VLAN 100, VLAN 200, VLAN 300, and VLAN 500 to pass
through with VLAN tags. The configuration procedure is the same as that on
Switch B.

# Create VLAN-interface 100 and assign it IP address 192.168.30.1. Use this

address as the IP address of the gateway for the R&D department. Allocate IP
addresses in the address pool 192.168.30.0/24 for the hosts of the R&D
department.

[Core-SwitchA] dhcp enable

[Core-SwitchA] interface Vlan-interface 100
[Core-SwitchA-Vlan-interface100] ip address 192.168.30.1 24
[Core-SwitchA-Vlan-interface100] dhcp select interface
[Core-SwitchA-Vlan-interface100] quit

# Create a global IP address pool mk with the address segment 192.168.40.0/24

to allocate IP addresses for the hosts of the marketing department. Configure the
gateway IP address as 192.168.40.1 for the hosts, pointing to Core-Switch B.

[Core-SwitchA] dhcp server ip-pool mk

[Core-SwitchA-dhcp-pool-mk] network 192.168.40.0 mask 255.255.255.0
[Core-SwitchA-dhcp-pool-mk] gateway-list 192.168.40.1

n For detailed information about configuring DHCP, refer to the Switch 5500 Family
Configuration Guide.

# Create VLAN 500 and VLAN-interface 500 on Core-Switch A and assign IP

address 192.168.50.1/24 to VLAN-interface 500. Configure the trunk port
GigabitEthernet 1/1/1 to carry VLAN 500 and configure GigabitEthernet 1/1/1 to
permit the frames of VLAN 500 to pass through with VLAN tags.

[Core-SwitchA] vlan 500

[Core-SwitchA-vlan500] quit
[Core-SwitchA] interface Vlan-interface 500
[Core-SwitchA-Vlan-interface500] ip address 192.168.50.1 24
[Core-SwitchA-Vlan-interface500] quit
[Core-SwitchA] interface GigabitEthernet 1/1/1
[Core-SwitchA-GigabitEthernet1/1/1] port trunk permit vlan 500

# Create a VLAN-interface on Core-Switch A to forward traffic of the R&D

department to the VPN and assign an IP address to the VLAN-interface. Assign
Ethernet 1/0/20 to the VLAN corresponding to the VLAN-interface. The
configuration procedure is omitted here.

■ Configuration on Core-Switch B
 206 CHAPTER 7: VLAN CONFIGURATION EXAMPLES

# Create VLAN 100, VLAN 200, VLAN 300, and VLAN 500 on Core-Switch B. The
configuration procedure is the same as that on Switch A.

# Configure GigabitEthernet 1/1/1 as a trunk port permitting the frames of all

existing VLANs to pass through with VLAN tags. The configuration procedure is
omitted here.

# Create a VLAN-interface on Core-Switch B to forward traffic of the marketing

department to the Internet and assign an IP address to the VLAN-interface. Assign
Ethernet 1/0/15 to the VLAN corresponding to the VLAN-interface. The
configuration procedure is omitted here.

# Configure GigabitEthernet 1/1/3 and GigabitEthernet 1/1/4 to permit only the

frames of VLAN 300 and only the frames of VLAN 100 to pass through
respectively.

# Configure GigabitEthernet 1/1/2 to permit only the frames of VLAN 500 to pass
through.

# Assign IP address 192.168.40.1 to VLAN-interface 200. The configuration

procedure is omitted here.

Configuration remarks
After you finish the configuration, the hosts of the three departments should be
isolated at the data link layer.

As no VLAN interface is created for the VLAN of the marketing department on the
VPN gateway Core-Switch A, the hosts of the marketing department should not
be able to access the VPN or the R&D department through Layer 3 forwarding.
Similarly, as no VLAN interface is created for the VLAN of the R&D department on
the Internet gateway Core-Switch B, the hosts of the R&D department should not
be able to access the Internet or the marketing department through Layer 3
forwarding.

Thus, all departments are isolated at both the data link layer and the network
layer.

n To prevent users from modifying the IP addresses and gateways of hosts for
accessing unauthorized network resources, you are recommended to enable
DHCP-Snooping on Switch A and Switch B to monitor the IP addresses of clients.
For detailed information about configuring DHCP-Snooping, refer to the Switch
5500 Family Configuration Guide.

Precautions ■ Because IP depends on ARP for address resolution in Ethernet, you are
recommended to configure the IP and ARP templates in the same VLAN and
associate them with the same port to prevent communication failure.
■ The maximum number of protocol templates that can be bound to a port varies
by device.

Protocols and IEEE 802.1Q: Virtual Bridged Local Area Networks

Standards
 VLAN CONFIGURATION EXAMPLES
8
Keywords:
VLAN, 802.1q, voice VLAN

Abstract:
This document introduces how voice VLAN of the 3Com series Ethernet switches is
applied and configured in a network.

Acronyms:
VLAN (Virtual local area network)

Voice VLAN Support In the 3Com series Ethernet switches based on the Comware V3.10 software
Matrix platform, the following models support voice VLAN:
■ Switch 5500
■ Switch 5500G
■ Switch 4500
■ Switch 4200
■ E352/E328
■ Switch 4210
■ E126A

Configuring Voice VLAN

n ■ For how to configure VLAN, port type and other related functions that voice
VLAN configuration involves, refer to the configuration guide that applicable to
your switch.
■ The configuration procedure differs by device. This configuration example uses
the Switch 5500. For information on how to configure voice VLAN on other
switches, refer to the Configuration Guide for that model.
■ The configuration example in this guide provides only basic configuration
procedures. For detailed information about the involved functions, refer to the
switch’s configuration guide and command reference guide.

Configuring a Voice VLAN in automatic mode

Follow these steps to configure a voice VLAN in automatic mode:

To... Use the command... Remarks

Enter system view system-view -
208 CHAPTER 8: VLAN CONFIGURATION EXAMPLES

To... Use the command... Remarks

Add a recognizable voice voice vlan mac-address oui Optional
device vendor OUI to the OUI mask oui-mask [ description
By default, the switch
address list text ]
identifies voice traffic
according to the default OUI
address list.
Enable the voice VLAN voice vlan security enable Optional
security mode
Enabled by default.
Set the voice VLAN aging time voice vlan aging minutes Optional
1440 minutes by default.
Enable voice VLAN globally voice vlan vlan-id enable Required
Enter Ethernet port view interface interface-type -
interface-number
Enable voice VLAN on the voice vlan enable Required
port
Disabled by default.
Enable voice VLAN legacy on voice vlan legacy Optional
the port to allow for
Disabled by default.
automatic voice VLAN
assignment for voice traffic
from third-party vendors’
voice devices
Configure the voice VLAN to voice vlan mode auto Optional
operate in automatic mode on
Automatic mode applies by
the port
default.

Configuring a Voice VLAN in manual mode

Follow these steps to configure a voice VLAN in manual mode:

To... Use the command... Remarks

Enter system view system-view -
Add a recognizable voice device voice vlan mac-address Optional
vendor OUI to the OUI address list oui mask oui-mask
By default, the switch
[ description text ]
identifies voice traffic
according to the default
OUI address list.
Enable the voice VLAN security mode voice vlan security Optional
enable
Enabled by default.
Set the voice VLAN aging time voice vlan aging Optional
minutes
1440 minutes by default.
Enable voice VLAN globally voice vlan vlan-id Required
enable
Enter Ethernet port view interface interface-type -
interface-number
Enable voice VLAN on the port voice vlan enable Required
Disabled by default.
Enable voice VLAN legacy on the port voice vlan legacy Optional
to allow for automatic voice VLAN
Disabled by default.
assignment for voice traffic from
third-party vendors’ voice devices
 Voice VLAN Configuration Examples 209

To... Use the command... Remarks

Configure the voice VLAN to operate undo voice vlan mode Required
in manual mode on the port auto
Automatic mode applies
by default.
Return to system view quit -
Assign Access port Enter VLAN vlan vlan-id Required
the view
port to
Assign the port interface-list
the
specified
voice
port(s) to
VLAN
the VLAN
Trunk port or Enter port interface interface-type
hybrid port view interface-number
Assign the port trunk permit vlan
port to the vlan-id
specified
port hybrid vlan vlan-id
VLAN
{ tagged | untagged }
Configure port trunk pvid vlan Optional
the voice vlan-id
VLAN as
port hybrid pvid vlan
the default
vlan-id
VLAN of
the port

Voice VLAN A company plans to deploy IP phones in the office area and meeting rooms. To
Configuration guarantee voice quality, the voice traffic must be transmitted in a VLAN dedicated
Examples to voice traffic. At the same time, assign different network segments for the IP
phones in the meeting rooms and those in the office area.
■ Network requirements of the IP phones in the office area

All IP phones can get an IP address and voice VLAN information automatically. In
addition, they can send tagged voice traffic. The IP phones connect to a switch
port via the PCs of their users. It is required that the switch port exit the voice
VLAN automatically if no voice traffic has passed by within 100 minutes.

■ Network requirements of the IP phones in the meeting rooms

The company deploys IP phones in two meeting rooms. The IP phone in meeting
room 1 sends VLAN untagged voice traffic. The OUI address of the IP phone is
00e3-f200-0000. In addition, the IP address of the IP phone is manually
configured. In meeting room 2, a Cisco IP phone capable of getting an IP address
and voice VLAN information automatically is deployed. The IP phone sends VLAN
tagged voice traffic.

■ Overall network requirements

The IP phones and PCs in the office area connect to the enterprise network
through Switch A, and the IP phones in the two meeting rooms connect to the
enterprise network via Switch B. The two switches and an XE voice server are
connected to the core switch. The core switch connects to the Internet through an
egress router. In addition, the core switch also operates as the DHCP server to
210 CHAPTER 8: VLAN CONFIGURATION EXAMPLES

allocate IP addresses and voice VLAN configuration for the IP phones configured to
get IP addresses automatically.

Network Diagram Figure 77 Network diagram for voice VLAN configuration

Internet
XE SIP
Server

Router

Switch A
Core switch
(DHCP Server˅

Office area
Switch B

Meeting room Meeting room 2

1

Configuration Outlines Configuration on Switch A

Figure 78 Network diagram for Switch A

Switch A
GE 1/1 /1

Eth1/ 0/10

Office area

As the IP phones connected to Switch A get IP addresses automatically, they

should send an untagged DHCP request to the DHCP server for an IP address upon
their startup. When the DHCP server receives a request, it responds with a
temporary IP address, and in addition, the voice VLAN ID, and the IP address of the
voice server. After the IP phone receives the response, it discards the temporary IP
address and re-sends a DHCP request with the voice VLAN tag to the DHCP server.
Thus, the IP phone gets an IP address within the voice VLAN to communicate with
the voice server normally.

n The above procedure describes how a common IP phone gets an IP address. The
procedure may differ depending on your IP phone. For the actual procedure of
your IP phone, refer to its user manual.
 Voice VLAN Configuration Examples 211

In this network, as Ethernet 1/0/10 of Switch A is required to forward traffic of the

default VLAN and the voice VLAN, you should configure Ethernet 1/0/10 as a
trunk port or hybrid port. In this example, Ethernet 1/0/10 is configured as a hybrid
port. As the traffic from the PCs is untagged, it will be transmitted through the
default VLAN. Configure VLAN 100 as the default VLAN and configure the port to
transmit the traffic of the default VLAN untagged. As the IP phones send tagged
traffic after getting IP addresses within the voice VLAN, configure VLAN 200 as the
voice VLAN and configure the voice VLAN to operate in automatic mode on the
port. Thus, the port can join/exit the voice VLAN automatically.

n A hybrid port with voice VLAN enabled in automatic mode joins the voice VLAN in
tagged mode automatically and sends the traffic of the voice VLAN tagged.

On Switch A, GigabitEthernet 1/1/1 is uplinked to the core switch to transmit both

service traffic and voice traffic. To discriminate data, configure the port as a trunk
port to carry VLAN 100 and VLAN 200. As the switch is required to send traffic of
the two VLANs tagged, do not configure either of them as the default VLAN.

Figure 77 lists the port configurations on Switch A.

Table 89 Port configurations on Switch A

Permitted VLANs and

operations on the VLAN
Port Voice VLAN mode Port type traffic
Ethernet 1/0/10 Automatic mode Trunk/hybrid VLAN100: pvid, untagged
GigabitEthernet - Trunk VLAN100: tagged
1/1/1
VLAN200: tagged

n The following describes the operations on VLAN traffic

■ pvid: Indicates that the VLAN is configured as the default VLAN of the port.
■ untagged: Indicates that the port sends the traffic of the VLAN untagged.
■ tagged: Indicates that the port sends the traffic of the VLAN tagged.

For instructions on configuring the port’s default VLAN and configuring the port to
send traffic untagged or tagged, refer to the applicable configuration
guideconfiguration guide.

In the following configuration, Ethernet 1/0/10 is configured as a hybrid port.

212 CHAPTER 8: VLAN CONFIGURATION EXAMPLES

Configuration on Switch B

Figure 79 Network diagram for Switch B

GE1/ 1/ 2

Eth1/0/1 Eth1/ 0/ 2

Switch B

Meeting room 1 Meeting room 2

As two types of IP phones are connected to Switch B, the configuration on

Ethernet 1/0/1 is different from that on Ethernet 1/0/2.

■ Ethernet 1/0/1

The IP phones connected to Ethernet 1/0/1 are configured with an IP address

manually and they send voice traffic untagged. As the port with the voice VLAN
mode set to auToes not support receiving untagged voice traffic, you should
configure the voice VLAN to operate in manual mode on the port. In addition,
configure the voice VLAN as the default VLAN of the port.

■ Ethernet 1/0/2

You can configure Ethernet 1/0/2 in a way similar to configuring Ethernet 1/0/10
on Switch A. However, because only IP phones are connected to Ethernet 1/0/2,
you can assign the port to the voice VLAN manually to guarantee stable
transmission for voice traffic. For the Cisco IP phones connected to the port to
communicate with the switch, enable voice VLAN legacy on the port to notify
them of the voice VLAN ID, so that the Cisco IP phones can request IP addresses
within the voice VLAN. Because the IP phones send tagged voice traffic, you
should configure the port to send the traffic of the voice VLAN tagged.

■ GigabitEthernet 1/1/2

The port sends the voice traffic received on Switch B. As the meeting rooms should
use a voice VLAN different from that for the office area, configure VLAN 400 as
the voice VLAN on Switch B and configure the port to send the traffic of VLAN
400 tagged.

Table 90 lists the port configurations on Switch B.

Table 90 Port configurations on Switch B

Permitted VLANs and

operations on the
Port Voice VLAN mode Port type VLAN traffic
Ethernet 1/0/1 Manual mode Access/hybrid/trunk VLAN400: pvid untagged
Ethernet 1/0/2 Manual mode Trunk/hybrid VLAN400: tagged
 Voice VLAN Configuration Examples 213

Table 90 Port configurations on Switch B

Permitted VLANs and

operations on the
Port Voice VLAN mode Port type VLAN traffic
GigabitEthernet - Trunk/hybrid VLAN400: tagged
1/1/2

In the following configuration, Ethernet 1/0/1 is configured as an access port, and

Ethernet 1/0/2 and GigabitEthernet 1/1/2 are configure as trunk ports.

Configuration on Core Switch

Figure 80 Network diagram for the Core Switch

GE 1/0/3 GE1/0/4
Core switch
GE 1/0/1 (DHCP Server)
GE1/0/2

The core switch forwards traffic, allocates IP addresses to IP phones, and specifies
the voice VLAN and the voice server address.

According to the configuration on Switch A and Switch B, the core switch is

required to forward the traffic of VLAN 100, VLAN 200, and VLAN 400, and
allocate IP addresses to IP phones in VLAN 200 and VLAN 400.

As analyzed earlier, when an IP phone is powered up, it first gets an IP address in

the default VLAN (VLAN 100) from the DHCP server. The DHCP server should
return not only an IP address but also the voice VLAN and the voice server address
to the IP phone. To achieve that, you should configure the core switch to use
option 184 in the DHCP responses in VLAN 100 for conveying voice related
information.

After the IP phone gets the voice VLAN information, it requests for an IP address in
the voice VLAN instead of using the IP address obtained in the default VLAN.
When receiving the request, the core switch allocates an IP address in VLAN 200 or
VLAN 400, whichever the IP phone belongs to. Note that VLAN 200 and VLAN
400 use different IP address segments.

As both the XE voice server and the egress router are connected to the core
switch, you should create two VLAN interfaces, and assign GigabitEthernet 1/0/3
and GigabitEthernet 1/0/4 to the two VLANs respectively, thus achieving Layer-3
forwarding.

Table 91 lists the interface and port configurations on Switch A.

 214 CHAPTER 8: VLAN CONFIGURATION EXAMPLES

Table 91 Interface and port configurations on the core switch

IP address and
network Operations on
VLAN interface segment Ports involved Port type the VLAN traffic
Vlan-interface10 192.168.1.1/24 GigabitEthernet Trunk tagged
0 1/0/1
Vlan-interface20 192.168.2.1/24 GigabitEthernet Trunk tagged
0 1/0/1
Vlan-interface40 192.168.4.1/24 GigabitEthernet Trunk tagged
0 1/0/2
Vlan-interface30 192.168.3.1/24 GigabitEthernet Access untagged
0 1/0/3
Vlan-interface50 192.168.5.1/24 GigabitEthernet Access untagged
0 1/0/4

Configuration Procedure Devices and software version used

Switch A and Switch B are Switch 5500s with software version Release 1510. The
core switch is a Switch 5500Gs Ethernet switch whose software version is Release
1510.

Configuration steps
■ Configuration on Switch A

# Create VLAN 100 and VLAN 200.

<SwitchA> system-view
[SwitchA] vlan 100
[SwitchA-vlan100] quit
[SwitchA] vlan 200
[SwitchA-vlan200] quit

# Assign GigabitEthernet 1/1/1 and Ethernet 1/1/10 to the specified VLANs

according to Table 89.

[SwitchA] interface GigabitEthernet 1/1/1

[SwitchA-GigabitEthernet1/1/1] port link-type trunk
[SwitchA-GigabitEthernet1/1/1] port trunk permit vlan 100 200
[SwitchA-GigabitEthernet1/1/1] quit
[SwitchA] interface Ethernet 1/0/10
[SwitchA-Ethernet1/0/10] port link-type hybrid
[SwitchA-Ethernet1/0/10] port hybrid vlan 100 untagged
[SwitchA-Ethernet1/0/10] port hybrid pvid vlan 100
[SwitchA-Ethernet1/0/10] quit

# Enable voice VLAN on Ethernet 1/0/10.

[SwitchA-Ethernet1/0/10] voice vlan enable

# Set the voice VLAN aging time to 100 minutes.

[SwitchA-Ethernet1/0/10] quit
[SwitchA] voice vlan aging 100
 Voice VLAN Configuration Examples 215

# Enable voice VLAN security mode so that only voice traffic is transmitted in the
voice VLAN. (Optional. The voice VLAN security mode is enabled by default.)

[SwitchA] voice vlan security enable

# Configure VLAN 200 as the voice VLAN globally.

[SwitchA] voice vlan 200 enable

■ Configuration on Switch B

# Create VLAN 100 and VLAN 400.

<SwitchB> system-view
[SwitchB] vlan 100
[SwitchB-vlan100] quit
[SwitchB] vlan 400
[SwitchB-vlan400] quit

# Assign Ethernet 1/0/1, Ethernet 1/0/2, and GigabitEthernet 1/1/2 to the specified
VLANs according to Table 90.

[SwitchB] interface Ethernet 1/0/1

[SwitchB-Ethernet1/0/1] port access vlan 400
[SwitchB-Ethernet1/0/1] quit
[SwitchB] interface Ethernet 1/0/2
[SwitchB-Ethernet1/0/2] port link-type trunk
[SwitchB-Ethernet1/0/2] port trunk permit vlan 100 400
[SwitchB-Ethernet1/0/2] quit
[SwitchB] interface GigabitEthernet1/1/2
[SwitchB-GigabitEthernet1/1/2] port link-type trunk
[SwitchB-GigabitEthernet1/1/2] port trunk permit vlan 100 400
[SwitchB-GigabitEthernet1/1/2] quit

# Enable voice VLAN legacy on Ethernet 1/0/2.

[SwitchB] interface Ethernet 1/0/2

[SwitchB-Ethernet1/0/2] voice vlan legacy
[SwitchB-Ethernet1/0/2] quit

# Configure the voice VLAN to operate in manual mode on Ethernet 1/0/1 and
Ethernet 1/0/2, and enable voice VLAN on the two ports.

[SwitchB] interface Ethernet 1/0/1

[SwitchB-Ethernet1/0/1] undo voice vlan mode auto
[SwitchB-Ethernet1/0/1] voice vlan enable
[SwitchB-Ethernet1/0/1] quit
[SwitchB] interface Ethernet 1/0/2
[SwitchB-Ethernet1/0/2] undo voice vlan mode auto
[SwitchB-Ethernet1/0/2] voice vlan enable
[SwitchB-Ethernet1/0/2] quit

# Add an OUI address 00e3-f200-0000 with the description of Meeting room1

globally.

[SwitchB] voice vlan mac-address 00e3-f200-0000 mask ffff-ff00-0000

description Meeting room1
216 CHAPTER 8: VLAN CONFIGURATION EXAMPLES

# Enable voice VLAN security mode so that only voice traffic is transmitted in the
voice VLAN. This step is optional. The voice VLAN security mode is enabled by
default.

[SwitchB] voice vlan security enable

# Configure VLAN 400 as the voice VLAN globally.

[SwitchB] voice vlan 400 enable

■ Configure the core switch

# Create VLAN 100, VLAN 200, VLAN 300, VLAN 400, and VLAN 500 on the core
switch. Assign the specified ports to their respective VLANs according to Table 91.
The configuration procedure is omitted here.

# Create VLAN interfaces and assign IP addresses to the VLAN interfaces according
to Table 91. The configuration procedure is omitted here.

# Enable DHCP globally.

<CoreSwitch> system-view
[CoreSwitch] dhcp enable

# Create a global address pool vlan100 to allocate IP addresses on the network

segment 192.168.1.1/24 to devices in the default VLAN (VLAN 100).

[CoreSwitch] dhcp server ip-pool vlan100

[CoreSwitch-dhcp-pool-vlan100] network 192.168.1.0 mask 255.255.255.0

# Configure VLAN 200 as the voice VLAN and the voice server IP address as
192.168.3.3 for option 184 in the address pool vlan100.

[CoreSwitch-dhcp-pool-vlan100] voice-config ncp-ip 192.168.3.3

[CoreSwitch-dhcp-pool-vlan100] voice-config voice-vlan 200 enable
[CoreSwitch-dhcp-pool-vlan100] quit

# Configure VLAN-interface 100 to operate in global address pool mode.

[CoreSwitch] interface Vlan-interface 100

[CoreSwitch-Vlan-interface100] dhcp select global
[CoreSwitch-Vlan-interface100] quit

# Create an address pool for VLAN-interface 200 and VLAN-interface 400

respectively to allocate IP addresses for the IP phones in the office area and the IP
phone in meeting room 2.

[CoreSwitch] interface Vlan-interface 200

[CoreSwitch-Vlan-interface200] dhcp select interface
[CoreSwitch-Vlan-interface200] quit
[CoreSwitch] interface Vlan-interface 400
[CoreSwitch-Vlan-interface400] dhcp select interface

n For detailed information about configuring DHCP, refer to the Switch 5500 Family
Configuration Guide.
 Protocols and Standards 217

The core switch thus configured should be able to allocate IP addresses, voice
VLANs, and the voice server IP address for IP phones in VLAN 200 and VLAN 400,
and to forward voice traffic at Layer 3. If required, configure dynamic routing
protocols on the core switch, which is beyond the scope of this document.

Configuration remarks
After you finish the configuration, the IP phones in each area can establish
connections with the voice server, get telephone numbers, and communicate
normally. For the configuration on the voice server, refer to the user manual of the
3Com XE voice server.

You are recommended to enable DHCP snooping and some security functions on
Switch A and Switch B to ensure that only legal IP phones that get IP addresses
from the core switch can use the service, thus preventing malicious interception.

Protocols and IEEE 802.1Q: Virtual Bridged Local Area Networks

Standards
218 CHAPTER 8: VLAN CONFIGURATION EXAMPLES