www.3Com.com
Part Number: 10016324 Rev. AA
August 2007
3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or
expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality,
and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s)
described in this documentation at any time.
If there is any software on removable media described in this documentation, it is furnished under a license agreement
included with the product as a separate document, in the hard copy documentation, or on the removable media in a
directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will
be provided to you.
If you are a United States government agency, then this documentation and the software described herein are provided to
you subject to the following:
All technical data and computer software are commercial in nature and developed solely at private expense. Software is
delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a “commercial item”
as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial
license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or
FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided
on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide.
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be
registered in other countries.
3Com and the 3Com logo are registered trademarks of 3Com Corporation.
All other trademarks that may be mentioned in this manual are the property of their respective owners.
ENVIRONMENTAL STATEMENT
It is the policy of 3Com Corporation to be environmentally-friendly in all operations. To uphold our policy, we are committed
to:
Establishing environmental performance standards that comply with national legislation and regulations.
Reducing the waste generated by all operations. Ensuring that all waste conforms to recognized environmental standards.
Maximizing the recyclable and reusable content of all products.
Ensuring that all products can be recycled, reused and disposed of safely.
Ensuring that all products are labelled according to recognized environmental standards.
3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.
The documentation for this product is printed on paper that comes from sustainable, managed forests; it is fully
biodegradable and recyclable, and is completely chlorine-free. The varnish is environmentally-friendly, and the inks are
vegetable-based with a low heavy-metal content.
5 ATM CONFIGURATION
Introduction to ATM Technology 127
ATM Overview 127
Hierarchical Structure of ATM 127
Overview of IPoA, IPoEoA, PPPoA and PPPoEoA Applications 128
IPoA 129
IPoEoA 129
PPPoA 129
PPPoEoA 129
Configuring ATM 130
Configuring ATM Interface 130
Configuring an ATM Sub-Interface 130
Configuring an ATM Sub-Interface 130
Checking Existence of PVCs When Determining the Protocol State of an ATM P2P Sub-interface 131
Configuring PVC 131
Configuring PVC parameters 131
6 DCC CONFIGURATION
Introduction to DCC 153
Overview 153
Approaches to DCC 153
DCC Features 156
Preparing for DCC Configuration 156
DCC Configuration 157
DCC Configuration Task List 157
Configuring Basic Parameters for DCC 157
Configuring C-DCC 159
Configuring RS-DCC 166
Configuring MP for DCC 168
Configuring PPP Callback 170
Configuring ISDN Caller Identification Callback 174
Configuring Advanced DCC Functions 176
Configuring DCC Timers and Buffer Queue Length 178
Configuring Traffic Statistics Interval 179
Displaying and Maintaining DCC 179
DCC Configuration Example 179
C-DCC Application 180
RS-DCC Application 182
DCC Application on ISDN 186
RS-DCC Application with MP 190
7 DLSW CONFIGURATION
DLSw Overview 211
Introduction 211
Differences between DLSw v1.0 and DLSw v2.0 212
Related Specifications 213
Configuring DLSw in an Ethernet Environment 213
Creating DLSw Peers 214
Mapping a Bridge Set to DLSw 215
Adding an Ethernet Interface to a Bridge Set 215
Setting DLSw Timers 215
Configuring LLC2 Parameters 216
Enabling the Multicast Function of DLSw v2.0 217
Configuring the Maximum Number of DLSw v2.0 Explorer Retries 217
Applying an ACL in DLSw 217
Configuring DLSw in an SDLC Environment 218
Configuring DLSw 218
Configuring an SDLC Interface 219
Enabling DLSw Forwarding on an SDLC Interface 219
Configuring SDLC Roles 219
Configuring an SDLC Address for a Secondary Station 220
Configuring an SDLC Peer 221
Configuring an SDLC XID 221
Configuring an SDLC Virtual MAC Address 222
Configuring the Properties of a Synchronous Serial Interface 222
Configuring Optional SDLC Parameters 223
Configuring Local Reachable MAC or SAP Addresses 224
Configuring Remote Reachability Information 224
Displaying and Debugging DLSw 225
DLSw Configuration Examples 225
Configuring LAN-to-LAN DLSw 225
Configuring SDLC-to-SDLC DLSw 226
Configuring DLSw for SDLC-LAN Remote Media Translation 228
Configuring DLSw with VLAN Support 229
DLSw v2.0 Configuration Example 231
Troubleshooting DLSw 232
Unable to Establish a TCP Connection 232
Unable to Establish a DLSw Circuit 233
10 PPPOFR
Overview 263
Configuring PPPoFR 263
Displaying and Maintaining PPPoFR 263
PPPoFR Configuration Example 264
12 GVRP CONFIGURATION
Introduction to GVRP 271
GARP 271
GVRP 274
Protocols and Standards 274
Configuring GVRP 275
Configuring GVRP Functions 275
Configuring GARP Timers 275
Displaying and Maintaining GVRP 276
GVRP Configuration Example 276
GVRP Configuration Example I 276
GVRP Configuration Example II 277
GVRP Configuration Example III 279
13 HDLC CONFIGURATION
Introduction to HDLC 281
HDLC Overview 281
HDLC Frame Format and Frame Type 281
Configuring HDLC 282
17 MODEM CONFIGURATION
Overview 355
Modem Configuration 355
Configuring the Modem Answer Mode 356
Configuring Modem Using the AT Commands 356
Modem Configuration Example 356
Troubleshooting 357
20 PPPOE CONFIGURATION
Introduction to PPPoE 393
Configuring PPPoE Server 394
21 BRIDGING CONFIGURATION
Bridging Overview 405
Introduction to Bridging 405
Major Functionalities of Bridges 405
Bridging Configuration Task List 409
Configuring Basic Bridging Functionalities 409
Configuring Bridge Table Entries 411
Configuring Bridge Routing 411
Displaying and Maintaining Bridging Configurations 412
Transparent Bridging Configuration Examples 412
Transparent Bridging over ATM 412
Transparent Bridging over PPP 413
Transparent Bridging over MP 414
Transparent Bridging over FR 415
Transparent Bridging X.25 416
Transparent Bridging over HDLC 416
Inter-VLAN Transparent Bridging 417
Bridging with FR Sub-Interface Support 418
Bridge Routing 420
22 ISDN CONFIGURATION
Introduction to ISDN 421
Configuring ISDN 422
Configuring ISDN BRI 422
Configuring ISDN PRI 423
Configuring the Negotiation Parameters of ISDN Layer 3 Protocol 424
Configuring the SPID of the ISDN NI Protocol 428
Setting the Called Number or Sub-Address to Be Checked During a Digital Incoming Call 429
Configuring to Send Calling Number During an Outgoing Call 429
Setting the Local Management ISDN B Channel 430
Configuring ISDN B Channel Selection Mode 430
Configuring the Sliding Window Size on the PRI Interface 431
Configuring Statistics About ISDN Message Receiving/Sending 431
Configuring to Check the Calling Number When an Incoming Call Comes 431
Configuring TEI Treatment on the BRI Interface 432
Configuring ISDN BRI Leased Line 432
23 MSTP CONFIGURATION
MSTP Overview 443
Introduction to STP 443
Introduction to MSTP 452
Protocols and Standards 457
Configuration Task List 458
Configuring the Root Bridge 459
Configuring an MST Region 459
Specifying the Root Bridge or a Secondary Root Bridge 460
Configuring the Work Mode of MSTP Device 462
Configuring the Priority of the Current Device 462
Configuring the Maximum Hops of an MST Region 463
Configuring the Network Diameter of a Switched Network 464
Configuring Timers of MSTP 464
Configuring the Timeout Factor 465
Configuring the Maximum Transmission Rate of Ports 466
Configuring Ports as Edge Ports 467
Configuring Whether Ports Connect to Point-to-Point Links 467
Configuring the Mode a Port Uses to Recognize/Send MSTP Packets 468
Enabling the Output of Port State Transition Information 469
Enabling the MSTP Feature 469
Configuring Leaf Nodes 470
Configuring an MST Region 470
Configuring the Work Mode of MSTP 470
Configuring the Timeout Factor 470
Configuring the Maximum Transmission Rate of Ports 470
Configuring Ports as Edge Ports 470
Configuring Path Costs of Ports 470
Configuring Port Priority 473
Configuring Whether Ports Connect to Point-to-Point Links 473
Configuring the Mode a Port Uses to Recognize/Send MSTP Packets 473
Enabling Output of Port State Transition Information 474
Enabling the MSTP Feature 474
Performing mCheck 474
Configuration Prerequisites 474
Configuration Procedure 474
24 VLAN CONFIGURATION
Introduction to VLAN 487
VLAN Overview 487
VLAN Fundamental 488
VLAN Classification 489
Configuring Basic VLAN Attributes 489
Configuring VLAN Interface Basic Attributes 490
Configuring a Port-Based VLAN 491
Introduction to Port-Based VLAN 491
Configuring the Access-Port-Based VLAN 492
Configuring the Trunk-Port-Based VLAN 493
Configuring the Hybrid-Port-Based VLAN 494
Displaying and Maintaining VLAN 494
VLAN Configuration Examples 495
30 ARP CONFIGURATION
ARP Overview 549
ARP Function 549
ARP Message Format 549
ARP Process 550
ARP Mapping Table 551
Configuring ARP 552
Configuring a Static ARP Entry 552
Configuring the Maximum Number of ARP Entries Dynamically Learned on an Interface 552
Setting Aging Time for Dynamic ARP Entries 552
Enabling the ARP Entry Check 553
Enabling the Support for ARP Requests from a Natural Network 553
ARP Configuration Example 553
Configuring Gratuitous ARP 554
Introduction to Gratuitous ARP 554
Configuring Gratuitous ARP 554
Configuring ARP Source Suppression 555
Introduction to ARP Source Suppression 555
Configuring ARP Source Suppression 555
Configuring Authorized ARP 555
Introduction to Authorized ARP 555
Configuring Authorized ARP 556
Example for Configuring Authorized ARP on a DHCP Server 556
Example for Configuring Authorized ARP on a DHCP Relay Agent 557
Displaying and Maintaining ARP 559
32 DHCP OVERVIEW
Introduction to DHCP 565
38 DNS CONFIGURATION
DNS Overview 609
Static Domain Name Resolution 609
Dynamic Domain Name Resolution 609
DNS Proxy 611
Configuring the DNS Client 611
Configuring Static Domain Name Resolution 611
Configuring Dynamic Domain Name Resolution 612
Configuring the DNS Proxy 612
Displaying and Maintaining DNS 612
DNS Configuration Examples 613
Static Domain Name Resolution Configuration Example 613
Dynamic Domain Name Resolution Configuration Example 613
DNS Proxy Configuration Example 617
Troubleshooting DNS Configuration 618
40 IP ADDRESSING CONFIGURATION
IP Addressing Overview 623
IP Address Classes 623
Special Case IP Addresses 624
Subnetting and Masking 624
IP Unnumbered 625
Configuring IP Addresses 625
Assigning an IP Address to an Interface 625
IP Addressing Configuration Example 626
Configuring IP Unnumbered 628
Configuration Prerequisites 628
Configuration Procedure 628
IP Unnumbered Configuration Example 628
Displaying and Maintaining IP Addressing 630
41 IP PERFORMANCE CONFIGURATION
IP Performance Overview 631
Enabling the Device to Forward Directed Broadcasts 631
Enabling the Device to Forward Directed Broadcasts 631
Configuration Example 632
Configuring TCP Attributes 633
Configuring TCP MSS for the Interface 633
Enabling the SYN Cookie Feature 633
Enabling Protection Against Naptha Attack 634
Configuring TCP Optional Parameters 635
Configuring ICMP to Send Error Packets 636
Displaying and Maintaining IP Performance 638
44 URPF CONFIGURATION
URPF Overview 651
Basic Concepts 651
Processing Flow 651
Configuring URPF 652
49 TUNNELING CONFIGURATION
Introduction to Tunneling 693
IPv6 over IPv4 Tunnel 694
IPv4 over IPv4 Tunnel 697
IPv4/IPv6 over IPv6 Tunnel 698
6PE Overview 699
Tunneling Configuration Task List 700
Configuring an IPv6 Manually Configured Tunnel 700
Configuration Prerequisites 700
Configuration Procedure 701
Configuration Example 702
Configuring Automatic IPv4-Compatible IPv6 Tunnel 704
Configuration Prerequisites 704
Configuration Procedure 704
Configuration Example 706
Configuring 6to4 Tunnel 708
Configuration Prerequisites 708
Configuration Procedure 708
Configuration Example 1 709
Configuration Example 2 711
Configuring ISATAP Tunnel 714
Configuration Prerequisites 714
Configuration Procedure 714
Configuration Example 715
55 IP ROUTING OVERVIEW
IP Routing and Routing Table 815
Routing 815
Routing Table 815
Routing Protocol Overview 817
Static Routing and Dynamic Routing 817
Classification of Dynamic Routing Protocols 817
Routing Protocols and Routing Priority 818
Load Balancing and Route Backup 819
Route Recursion 819
Sharing of Routing Information 819
Configuring Load Sharing 820
Configuring Bandwidth-based Non-Balanced Load Sharing 820
Configuring the Load Sharing Bandwidth for an Interface 820
Displaying and Maintaining a Routing Table 821
Configuration Example 822
Bandwidth-based Load Sharing Configuration Example 822
56 BGP CONFIGURATION
BGP Overview 825
Formats of BGP Messages 826
BGP Path Attributes 829
BGP Route Selection 832
IBGP and IGP Information Synchronization 834
Settlements for Problems Caused by Large Scale BGP Networks 835
BGP GR 838
MP-BGP 839
Protocols and Standards 840
BGP Configuration Task List 840
Configuring BGP Basic Functions 841
Prerequisites 841
Configuration Procedure 841
Controlling Route Distribution and Reception 843
Prerequisites 843
Configuring BGP Route Redistribution 843
Configuring BGP Route Summarization 843
Advertising a Default Route to a Peer or Peer Group 844
Configuring BGP Route Distribution Policy 844
Configuring BGP Route Reception Policy 845
Enabling BGP and IGP Route Synchronization 846
Configuring BGP Route Dampening 846
Configuring BGP Routing Attributes 846
Prerequisites 846
Configuration Procedure 846
Tuning and Optimizing BGP Networks 849
Prerequisites 849
Configuration Procedure 849
57 IS-IS CONFIGURATION
IS-IS Overview 877
Basic Concepts 877
IS-IS Area 879
IS-IS Network Type 882
IS-IS PDU Format 883
IS-IS Features Supported 889
Protocols and Standards 891
IS-IS Configuration Task List 892
Configuring IS-IS Basic Functions 893
Configuration Prerequisites 893
Configuration Procedure 893
Configuring IS-IS Routing Information Control 894
Configuration Prerequisites 894
Specifying a Priority for IS-IS 894
Configuring IS-IS Link Cost 895
Configuring the Maximum Number of Load Balanced Routes 896
Configuring IS-IS Route Summarization 896
Advertising a Default Route 897
Configuring Inbound Route Filtering 897
Configuring Route Redistribution 897
Configuring IS-IS Route Leaking 898
Tuning and Optimizing IS-IS Network 898
Configuration Prerequisites 898
Configuring a DIS Priority for an Interface 898
Configuring IS-IS Timers 899
Disabling an Interface from Sending/Receiving IS-IS Hello Packets 900
58 OSPF CONFIGURATION
Introduction to OSPF 917
Basic Concepts 918
OSPF Area Partition and Route Summarization 919
Classification of OSPF Networks 924
DR and BDR 925
OSPF Packet Formats 926
OSPF Features Supported 935
Related RFCs 937
OSPF Configuration Task List 937
Configuring OSPF Basic Functions 939
Prerequisites 939
Configuration Procedure 939
Configuring OSPF Area Parameters 940
Prerequisites 940
Configuration Procedure 940
Configuring OSPF Network Types 941
Prerequisites 941
Configuring the OSPF Network Type for an Interface 941
Configuring an NBMA Neighbor 942
Configuring a Router Priority for an OSPF Interface 942
Configuring OSPF Routing Information Control 942
Prerequisites 942
Configuring OSPF Route Summarization 943
Configuring OSPF Inbound Route Filtering 943
Configuring ABR Type3 LSA Filtering 943
Configuring OSPF Link Cost 944
Configuring the Maximum Number of OSPF Routes 944
Configuring the Maximum Number of Load-balanced Routes 944
Configuring OSPF Priority 945
Configuring OSPF Route Redistribution 945
Configuring OSPF Network Optimization 946
Prerequisites 946
Configuring OSPF Packet Timers 946
59 RIP CONFIGURATION
RIP Overview 971
RIP Working Mechanism 971
Operation of RIP 972
RIP Version 973
RIP Message Format 973
TRIP 975
RIP Features Supported 976
Protocols and Standards 976
Configuring RIP Basic Functions 976
Configuration Prerequisites 976
Configuration Procedure 976
Configuring RIP Advanced Functions 978
Configuring an Additional Routing Metric 978
Configuring RIP-2 Route Summarization 979
Disabling Host Route Reception 980
Advertising a Default Route 980
Configuring Inbound/Outbound Route Filtering Policies 980
Configuring a Priority for RIP 981
Configuring RIP Route Redistribution 981
67 MULTICAST OVERVIEW
Introduction to Multicast 1085
Comparison of Information Transmission Techniques 1085
Roles in Multicast 1087
Advantages and Applications of Multicast 1088
69 IGMP CONFIGURATION
IGMP Overview 1115
IGMP Versions 1115
Work Mechanism of IGMPv1 1115
Enhancements in IGMPv2 1117
Enhancements in IGMPv3 1118
Multi-Instance IGMP 1119
Protocols and Standards 1119
IGMP Configuration Task List 1119
Configuring Basic Functions of IGMP 1120
Configuration Prerequisites 1120
Enabling IGMP 1120
Configuring IGMP Versions 1121
Configuring a Static Member of a Multicast Group 1122
Configuring a Multicast Group Filter 1122
Adjusting IGMP Performance 1123
70 MSDP CONFIGURATION
MSDP Overview 1131
Introduction to MSDP 1131
How MSDP Works 1132
Multi-Instance MSDP 1137
Protocols and Standards 1137
MSDP Configuration Task List 1137
Configuring Basic Functions of MSDP 1138
Configuration Prerequisites 1138
Enabling MSDP 1138
Creating an MSDP Peer Connection 1139
Configuring a Static RPF Peer 1139
Configuring an MSDP Peer Connection 1140
Configuration Prerequisites 1140
Configuring MSDP Peer Description 1140
Configuring an MSDP Mesh Group 1140
Configuring MSDP Peer Connection Control 1141
Configuring SA Messages 1141
Configuration Prerequisites 1141
Configuring SA Message Content 1142
Configuring SA Request Messages 1142
Configuring an SA Message Filtering Rule 1143
Configuring SA Message Cache 1144
Displaying and Maintaining MSDP 1144
MSDP Configuration Examples 1145
Example of Leveraging BGP Routes 1145
Anycast RP Configuration Example 1150
Static RPF Peer Configuration Example 1154
Troubleshooting MSDP 1158
MSDP Peers Stay in Down State 1158
No SA Entries in the Router’s SA Cache 1158
Inter-RP Communication Faults in Anycast RP Application 1159
71 PIM CONFIGURATION
PIM Overview 1161
Introduction to PIM-DM 1161
How PIM-DM Works 1162
Introduction to PIM-SM 1164
How PIM-SM Works 1165
73 MLD CONFIGURATION
MLD Overview 1217
Introduction to MLD 1217
MLD Version 1217
How MLDv1 Works 1217
How MLDv2 Works 1219
MLD Message Types 1220
Protocols and Standards 1223
Configuration Task List 1223
Configuring Basic Functions of MLD 1224
Configuration Prerequisites 1224
Enabling MLD 1224
Configuring the MLD Version 1224
Configuring a Static Member of an IPv6 Multicast Group 1225
Configuring an IPv6 Multicast Group Filter 1225
Adjusting MLD Performance 1226
Configuration Prerequisites 1226
Configuring MLD Message Options 1226
Configuring MLD Query and Response Parameters 1227
Configuring MLD Fast Leave Processing 1229
Displaying and Maintaining MLD Configuration 1230
MLD Configuration Example 1230
Troubleshooting MLD 1232
No Member Information on the Receiver-Side Router 1232
Inconsistent Memberships on Routers on the Same Subnet 1233
75
77 MPLS TE CONFIGURATION
MPLS TE Overview 1345
Traffic Engineering and MPLS TE 1345
Basic Concepts of MPLS TE 1347
MPLS TE Implementation 1347
CR-LSP 1348
CR-LDP 1349
RSVP-TE 1349
Traffic Forwarding 1354
Automatic Bandwidth Adjustment 1355
CR-LSP Backup 1356
Fast Reroute 1356
DiffServ-Aware TE 1357
Protocols and Standards 1358
MPLS TE Configuration Task List 1358
Configuring MPLS TE Basic Capabilities 1359
Configuration Prerequisites 1359
Configuration procedure 1359
Creating MPLS TE Tunnel over Static CR-LSP 1360
Configuration Prerequisites 1360
Configuration Procedure 1360
Configuring MPLS TE Tunnel with Dynamic Signaling Protocol 1361
Configuration Prerequisites 1362
Configuration Procedure 1362
Configuring RSVP-TE Advanced Features 1366
Configuration Prerequisites 1366
Configuration Procedure 1366
Tuning CR-LSP Setup 1370
Configuration Prerequisites 1370
Configuration Procedure 1370
80 DVPN CONFIGURATION
DVPN Overview 1557
Basic Concepts of DVPN 1557
Operation of DVPN 1558
Implementation of DVPN 1559
Supported DVPN Features 1561
Protocols and Standards 1561
DVPN Configuration Task List 1562
Configuring AAA 1562
Configuring the VAM Server 1562
VAM Server Configuration Task List 1562
Creating a VPN Domain 1562
Enabling the VAM Server 1563
Configuring the Listening IP Address and UDP Port Number 1563
Configuring Security Parameters for VAM PDUs 1563
Configuring a Client Authentication Mode 1564
81 GRE CONFIGURATION
GRE Overview 1589
Introduction to GRE 1589
GRE Applications 1591
Configuring a GRE over IPv4 Tunnel 1593
Configuration Prerequisites 1593
Configuration Procedure 1593
Configuring a GRE over IPv6 Tunnel 1594
Configuration Prerequisites 1594
Configuration Procedure 1594
Displaying and Maintaining GRE 1596
GRE over IPv4 Tunnel Configuration Example 1596
GRE over IPv6 Tunnel Configuration Example 1598
Troubleshooting GRE 1600
82 L2TP CONFIGURATION
L2TP Overview 1601
Introduction to VPDN 1601
Introduction to L2TP 1602
L2TP Configuration Task List 1607
LAC Configuration 1607
Configuring the LAC 1607
Configuring the Local AAA Scheme and the Users and Passwords 1609
LNS Configuration 1609
Configuring the LNS 1609
83 QOS OVERVIEW
Introduction 1623
Traditional Packets Forwarding Application 1623
New Requirements Caused by New Applications 1623
Congestion: Causes, Impact, and Countermeasures 1624
Causes 1624
Impact 1625
Countermeasure 1625
Traffic Management Technologies 1625
87 PRIORITY MAPPING
Priority Mapping Overview 1675
Configuring Priority Mapping Table 1676
Configuration Prerequisites 1677
Configuration Procedure 1677
Configuration Example 1677
Configuring Port Priority 1678
Configuration Prerequisites 1678
Configuration Procedure 1678
Configuration Example 1678
Configuring Port Priority Trust Mode 1678
Configuration Prerequisites 1678
Configuration Procedure 1679
Configuration Example 1679
Displaying and Maintaining Priority Mapping 1679
Priority Mapping Configuration Example 1680
Network Example 1 1680
Network Example 2 1681
90 DAR CONFIGURATION
DAR Overview 1697
IP Packet 1697
TCP Packet 1699
UDP Packet 1700
HTTP Packet 1700
RTP Packet 1701
RTCP Packet 1701
Static Protocols 1702
Configuring DAR 1704
Configuring Matching Rules of Protocol 1704
Configuring Port Number of DAR Application Protocol 1705
Renaming User-defined Protocols 1705
Configuring DAR Packet Statistics Function 1706
Configuring the Maximum Connection Number Recognizable by DAR 1706
Displaying and Maintaining DAR 1706
DAR Configuration Examples 1707
92 802.1X CONFIGURATION
802.1x Overview 1729
Architecture of 802.1x 1729
Operation of 802.1x 1731
EAP Encapsulation over LANs 1731
EAP Encapsulation over RADIUS 1733
Authentication Process of 802.1x 1734
802.1x Timers 1737
Implementation of 802.1x in the Devices 1738
Features Working Together with 802.1x 1738
Guest VLAN 1739
Configuring 802.1x 1740
Configuration Prerequisites 1740
Configuring 802.1x Globally 1740
Configuring 802.1x for a Port 1741
Configuring a Guest VLAN 1743
Configuration Prerequisites 1743
Configuration Procedure 1743
Displaying and Maintaining 802.1x 1743
802.1x Configuration Example 1744
Guest VLAN Configuration Example 1746
93 AAA/RADIUS/HWTACACS CONFIGURATION
AAA/RADIUS/HWTACACS Configuration Overview 1751
Introduction to AAA 1751
Introduction to ISP Domain 1752
Introduction to RADIUS 1753
Introduction to HWTACACS 1757
AAA/RADIUS/HWTACACS Configuration Task List 1760
Configuring AAA 1761
Configuration Prerequisites 1761
Creating an ISP Domain 1761
Configuring ISP Domain Attributes 1762
Configuring an AAA Authentication Scheme for an ISP Domain 1762
Configuring an AAA Authorization Scheme for an ISP Domain 1764
Configuring an AAA Accounting Scheme for an ISP Domain 1766
94 FIREWALL CONFIGURATION
Firewall Overview 1789
Packet Filter Firewall 1789
ASPF 1790
Configuring a Packet Filter Firewall 1794
Packet Filter Firewall Configuration Task list 1794
Enabling the Firewall Function 1794
Configuring the Default Filtering Action of the Firewall 1794
Enabling Fragment Inspection 1794
Configuring the High and Low Watermarks for Fragment Inspection 1795
Configuring Packet Filtering on an Interface 1795
Configuring Ethernet Frame Filtering 1796
Displaying and Maintaining a Packet Filter Firewall 1796
Packet Filter Firewall Configuration Example 1797
96 NAT CONFIGURATION
NAT Overview 1811
Introduction to NAT 1811
NAT Functionalities 1813
NAT Configuration Task List 1815
Configuring Address Translation 1816
Introduction to Address Translation 1816
Configuring Address Translation 1817
Configuring Internal Server 1818
Introduction to Internal Server 1818
Configuring an Internal Server 1818
Configuring NAT Log 1818
Introduction to NAT Log 1818
Enabling NAT Log Function 1819
Exporting NAT Logs 1819
Configuring Connection-limit 1820
Introduction to Connection-limit 1820
Configuration Procedure 1821
Displaying and Maintaining NAT 1822
NAT Configuration Example 1823
NAT Configuration Example 1823
Exporting NAT Logs to the Information Center 1825
Exporting NAT logs to Log Server 1826
Troubleshooting NAT 1827
Symptom 1: Abnormal Translation of IP Addresses 1827
97 PKI CONFIGURATION
Introduction to PKI 1829
PKI Overview 1829
PKI Terms 1829
Architecture of PKI 1830
Applications of PKI 1831
Operation of PKI 1831
PKI Configuration Task List 1832
Configuring an Entity DN 1832
Configuring a PKI Domain 1833
Submitting a PKI Certificate Request 1835
Submitting a Certificate Request in Auto Mode 1835
Submitting a Certificate Request in Manual Mode 1836
Retrieving a Certificate Manually 1837
Configuring PKI Certificate Validation 1837
Destroying a Local RSA Key Pair 1838
Deleting a Certificate 1839
Configuring an Access Control Policy 1839
Displaying and Maintaining PKI 1840
PKI Configuration Examples 1840
Configuring a PKI Entity to Request a Certificate from a CA 1840
Applying RSA Digital Signature in IKE Negotiation 1844
Configuring a Certificate Attribute-Based Access Control Policy 1846
Troubleshooting PKI 1848
Failed to Retrieve a CA Certificate 1848
Failed to Request a Local Certificate 1849
Failed to Retrieve CRLs 1849
98 PORTAL CONFIGURATION
Portal Overview 1851
Introduction to Portal 1851
Introduction to Extended Portal 1851
Portal System Components 1852
Portal Authentication Mode 1854
Portal Authentication Process 1855
Portal Configuration Task List 1857
Basic Portal Configuration 1857
Configuration prerequisites 1857
Configuration Procedure 1858
Configuring an Authentication-Free Rule 1858
Configuring an Authentication Subnet 1859
Forcing a User to Log Out 1859
Configuring the Name of the Resource to be Protected 1860
Displaying and Maintaining Portal 1860
Portal Configuration Examples (on Routers) 1861
Portal Direct Authentication Configuration Examples 1861
Re-DHCP Authentication Configuration Examples 1863
Portal Layer 3 Portal Authentication Configuration Examples 1864
99 RSH CONFIGURATION
Introduction to RSH 1873
Configuring RSH 1873
Configuration Prerequisites 1873
Configuration Procedure 1873
RSH Configuration Example 1874
105 GR OVERVIEW
Introduction to Graceful Restart 1957
Basic Concepts in Graceful Restart 1957
Graceful Restart communication procedure 1958
Graceful Restart Mechanism for Several Commonly Used Protocols 1960
This manual describes how to operate your H3C MSR 20/30/50 Series router. It
includes the following sections about all of the major features of the routers.
■ Network administrators
■ Network engineers
■ Users who are familiar with the basics of networking
Note: Always download the Release Notes for your product from the 3Com World Wide
Web site and check for the latest updates to software and product
documentation: http://www.3Com.com
Conventions
Table 1 lists icon conventions that are used throughout this guide.
Table 1 Notice Icons
Table 2 lists text conventions that are used throughout this guide.
Convention                     Description
Screen displays                This typeface represents information as it appears on the
                               screen.
Keyboard key names             If you must press two or more keys simultaneously, the key
                               names are linked with a plus sign (+), for example:
                               Press Ctrl+Alt+Del
The words “enter” and “type”   When you see the word “enter” in this guide, you must type
                               something, and then press Return or Enter. Do not press
                               Return or Enter when an instruction simply says “type.”
Words in italics               Italics are used to:
                               ■ Emphasize a point.
                               ■ Denote a new term at the place where it is defined in the
                                 text.
                               ■ Identify menu names, menu commands, and software
                                 button names.
                               Examples:
                               From the Help menu, select Contents.
                               Click OK.
Words in bold                  Boldface type is used to highlight command names. For
                               example, “Use the display user-interface command
                               to...”
Related Documentation
The following manuals offer additional information necessary for managing your
MSR 20/30/50 Series router:
When configuring an ATM/DSL interface, go to these sections for the information
you are interested in:
■ “ATM and DSL Interface” on page 71
■ “IMA-E1/T1 Interface Configuration” on page 72
■ “ATM E3/T3 Interface Configuration” on page 76
■ “ATM OC-3c/STM-1 Interface Configuration” on page 76
■ “ADSL Interface Configuration” on page 77
■ “G.SHDSL Interface Configuration” on page 80
■ “Displaying and Maintaining ATM and DSL Interfaces” on page 81
■ “Troubleshooting” on page 81
The ATM physical layer lies at the bottom of the ATM reference model. Though it
is concerned with transmission media, its functionality does not rely on the
transmission mechanism and speed of a specific medium. Rather, it primarily delivers
valid cells and the associated timing signals between the upper layer and the
transmission medium. The speeds of physical access media are defined in
international standards such as ATM OC-3c/STM-1, ATM E3/T3, and IMA-E1/T1.
Most DSL applications are ATM-based, combining the advantages of ATM with the
low transmission cost of DSL. So far, DSL technologies have been widely
adopted for broadband access.
These interfaces support IPoA, IPoEoA, PPPoA, and PPPoEoA. For more
information about them, refer to “ATM Configuration” on page 127.
Overview
Inverse multiplexing for ATM (IMA) technology distributes an ATM cell stream over
multiple low-speed links on a cell-by-cell basis and reassembles the cells into the
original stream at the far end. It is an inexpensive way to transmit high-speed
ATM cell streams over low-speed links while allowing great flexibility.
For both IMA groups and the E1/T1 links outside the groups, you can create PVCs,
specify service types, and configure the related parameters. For more information
(including the configuration of PVCs), refer to “ATM Configuration” on page 127.
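The cell-by-cell distribution and far-end reassembly described in the IMA overview above, as an added Python sketch that is not part of the 3Com manual. It assumes cyclic round-robin distribution and models unequal link delay; the function names and sample cells are constructed for illustration, and IMA control (ICP) and filler cells are left out.

```python
"""Simplified model of inverse multiplexing for ATM (IMA).

Assumptions (not from the manual): cells are handed to the links in cyclic
round-robin order, each link adds its own fixed delay, and the receiver knows
the link order. ICP and filler cells of real IMA are not modelled.
"""
from collections import deque

CELL_SIZE = 53  # an ATM cell is a 5-byte header plus a 48-byte payload


def make_cells(count):
    """Build constructed sample cells whose payload starts with a sequence number."""
    cells = []
    for seq in range(count):
        header = bytes(5)  # placeholder header, all zero
        payload = seq.to_bytes(4, "big").ljust(48, b"\x00")
        cells.append(header + payload)
    return cells


def distribute(cells, link_count):
    """Transmit side: place cell i on link (i mod link_count)."""
    links = [[] for _ in range(link_count)]
    for index, cell in enumerate(cells):
        links[index % link_count].append(cell)
    return links


def deliver(links, delays):
    """Model the links: return (arrival_time, link_id, cell) sorted by arrival.

    Each link sends one cell per time slot and adds its own delay, so cells
    from a slower link arrive later than cells sent after them on a faster one.
    """
    events = []
    for link_id, cells in enumerate(links):
        for slot, cell in enumerate(cells):
            events.append((slot + delays[link_id], link_id, cell))
    events.sort(key=lambda event: (event[0], event[1]))
    return events


def reassemble(events, link_count):
    """Receive side: buffer each link separately, then read the buffers in the
    same cyclic order the transmitter used. A cell is released only when the
    link whose turn it is has one waiting, which absorbs the delay difference.
    """
    queues = [deque() for _ in range(link_count)]
    stream = []
    next_link = 0
    for _, link_id, cell in events:
        queues[link_id].append(cell)
        while queues[next_link]:
            stream.append(queues[next_link].popleft())
            next_link = (next_link + 1) % link_count
    return stream


def naive_merge(events):
    """Counter-example: forwarding cells in arrival order scrambles the stream."""
    return [cell for _, _, cell in events]


def sequence_numbers(stream):
    """Read back the sequence number stored in each cell's payload."""
    return [int.from_bytes(cell[5:9], "big") for cell in stream]


if __name__ == "__main__":
    original = make_cells(10)
    per_link = distribute(original, 3)
    arrivals = deliver(per_link, delays=[0, 2, 1])
    print("arrival order :", sequence_numbers(naive_merge(arrivals)))
    print("reassembled   :", sequence_numbers(reassemble(arrivals, 3)))
```
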
ATM E1/T1 interface configuration includes interface configuration and IMA group
configuration.
Configuring an ATM E1/T1 Interface
Follow these steps to configure parameters for an ATM E1/T1 interface:
To do...                                       Use the command...                            Remarks
Enter system view                              system-view                                   --
Enter ATM E1/T1 interface view                 interface atm interface-number                Required
Set the clock mode                             clock { master | slave }                      Optional. The default is slave.
Set the framing format on an E1 interface      frame-format { crc4-adm | no-crc4-adm }       Optional. The default is CRC4 ADM.
Set the framing format on a T1 interface       frame-format { esf-adm | sf-adm }             Optional. The default is ESF ADM.
Set the line coding format on an E1 interface  code { ami | hdb3 }                           Optional. The default is HDB3.
Set the line coding format on a T1 interface   code { ami | b8zs }                           Optional. The default is B8ZS.
Enable scrambling                              scramble                                      Optional. Enabled by default.
Set the cable length                           cable { long | short }                        Optional. The default is long, allowing automatic cable length adaptation.
Set the loopback mode                          loopback { cell | local | payload | remote }  Optional. Disabled by default.
Configure an IMA group                         See Configuring IMA Groups                    Required
The line coding formats for IMA-E1 interfaces and IMA-T1 interfaces are fixed to
high density bipolar of order 3 (HDB3) and bipolar with 8-zero substitution (B8ZS).
They are not configurable.
Network diagram
[Diagram labels: ATM IMA 1, 10.110.110.1/24; ATM IMA 2, 10.110.120.1/24]
Configuration procedure
# Assign two links to IMA group 1.
<Sysname> system-view
[Sysname] interface atm 5/0
[Sysname-Atm5/0] undo ip address
[Sysname-Atm5/0] ima ima-group 1
[Sysname-Atm5/0] interface atm 5/1
[Sysname-Atm5/1] undo ip address
[Sysname-Atm5/1] ima ima-group 1
[Sysname-Atm5/1] quit
Troubleshooting ATM IMA-E1/T1 Interfaces
You can start troubleshooting an ATM interface by testing network connectivity
using the ping command or the extended ping command. In an extended ping
command, you can specify some options in the IP header. For more information on the
use of the ping command, refer to “System Maintaining and Debugging” on page
2119.
Overview
This section covers only the physical configurations of the ATM E3/T3 interface. For
more information about how to configure ATM (including PVCs), refer to “ATM
Configuration” on page 127.
Overview
This section covers only the physical configurations of the interface. For more
information about how to configure ATM (including PVCs), refer to “ATM
Configuration” on page 127.
Some of the latest ADSL technologies, however, can provide faster transmission rates by
improving modulation rate, coding gain, and the initialization state machine, by reducing
frame header overhead, and by using enhanced signal processing methods. For
example, given the same bands, ADSL2 can provide uplink transmission rates up
to 1024 kbps and downlink transmission rates up to 12 Mbps. By expanding the
downlink band from 1.104 MHz to 2.208 MHz, ADSL2+ can even provide a
downlink rate as fast as 24 Mbps.
Two types of ADSL modules/cards are available: ADSL over POTS and ADSL over
ISDN (ADSL-I).
[Diagram labels: DSLAM, Line, Splitter, Phone, ADSL, ADSL Router, Eth, Hub]
A typical activation process may last 30 seconds, beginning with line negotiation
until the line comes up. During this process, the two parties examine line distance
and conditions against the line configuration template (which defines the ADSL
criteria, channel mode, uplink and downlink speeds, and noise tolerance) and
attempt to reach an agreement. If the activation succeeds, a communication
connection is set up between the two parties. When negotiating connection
parameters during the line activation, the CO equipment plays a master role to
provide and decide values for most parameters, while the CPE plays a slave role to
accept them.
Note: As ADSL transmission speed depends heavily on distance and line quality, make
sure regular twisted pairs are used and the cables are well connected when
connecting ADSL interfaces.
This section covers only the physical configurations of the ADSL interface. For
more information about how to configure ATM (including PVCs), refer to “ATM
Configuration” on page 127.
Configuring an ADSL Interface
To do...                                  Use the command...                                             Remarks
Enter system view                         system-view                                                    --
Enter ATM interface view                  interface atm interface-number                                 Required
Activate the ADSL interface               activate                                                       Optional. The interface is active by default.
Configure the ADSL interface standard     adsl standard { auto | g9923 | g9925 | gdmt | glite | t1413 }  Optional. The default is auto sensing.
Set the transmit power attenuation value  adsl tx-attenuation attenuation                                Optional. 0 by default.
Note: To have the adsl standard command take effect, you need to re-activate the
interface by performing either the shutdown and undo shutdown commands
or the activate and undo activate commands.
Upgrading ADSL2+ Card Software
The upgradeable software includes Boot ROM and card software. You first need to
load the new software by FTP or some other means to the flash memory or the CF
card on your device. Before performing an upgrade, you need to shut down the
interface with the shutdown command if the interface is up. After completing
the upgrade, you need to bring the interface up with the undo shutdown
command.
Note: When executing the bootrom update file command, do not use the all option
unless absolutely necessary; use the part option instead. If you use the all option,
you will find it hard to roll back to the old version once the upgrade fails.
For the networking topology for the routers with G.SHDSL interfaces, refer to that
for the routers with ADSL interfaces. But note that G.SHDSL interface requires no
splitter.
For a typical network topology for routers with G.SHDSL interfaces, see Figure 2.
You should note that unlike ADSL, G.SHDSL does not use the splitter.
This section covers only the physical configurations of the G.SHDSL interface. For
more information about how to configure ATM (including PVCs), refer to “ATM
Configuration” on page 127.
Displaying and Maintaining ATM and DSL Interfaces
To do...                                                                           Use the command...                                        Remarks
Display the configuration and state of a specified or all ATM or DSL interfaces    display interface atm [ interface-number ]                Available in any view
Display the actual configuration of a DSL line                                     display dsl configuration interface atm interface-number  Available in any view
Display the state information of a DSL line                                        display dsl status interface atm interface-number         Available in any view
Display DSL version information and available capabilities                         display dsl version interface atm interface-number        Available in any view
Display the configuration and state about a specified or all IMA group interfaces  display interface ima-group [ group-interfacenumber ]     Available in any view
Display the detailed information about a specified IMA group interface             display status interface ima group-number                 Available in any view
Clear the statistics about all PVCs on the specified ATM interface                 reset atm interface [ atm interface-number ]              Available in user view
Note: For those physical interfaces that are not connected to cables, shut them down
using the shutdown command to avoid anomalies resulting from interference.
Troubleshooting ATM Interfaces
When diagnosing ATM interface problems, first test the interface with the ping
command or the extended ping command.
The ping command can test network connectivity. In addition to that function, the
extended ping command can be used to specify some options in the IP header. For
more information about the ping command, see “System Maintaining and
Debugging” on page 2119.
■ The interface is down, so its route is missing from the routing table.
■ The AAL5 encapsulation of PVC is incorrect (for 155 Mbps ATM interface only).
Troubleshooting DSL Interfaces
Improper line operation is one of the faults that you may encounter in DSL
applications. Such a fault is likely to occur on any device or node in the
hierarchical broadband network architecture. It is probably caused by the CPE
device, copper wire, splitter, DSL port on DSLAM, or even the broadband access
server. For this reason, you should segment the network to locate the problem.
Generally, DSLAM provides you with abundant fault isolating methods and a
complete guide, which are, however, beyond the scope of this manual.
When the DSL line is training, the LINK LED blinks. After the activation succeeds,
the LINK LED, which should otherwise be OFF, lights and stays ON. The Activity LED
blinks when data is being transmitted on the line.
2 Display the DSL state information with the display dsl status command.
The State of driver/chipsets field provides the information about interfaces and
transceiver states.
Common transceiver states include Idle, Data Mode, HandShaking, and Training.
3 Perform the debugging physical command to view details about activation, such
as sending of the activate command, activation timeout, training process, and
activation success.
4 If line activation attempts always fail, check that the line is securely connected and
functioning normally.
5 If the bit error rate is high or interference happens too often, reset the interface with
the shutdown/undo shutdown command or reboot the device and reconnect
the line. If the problem persists, make an overall line condition and
environment check.
POS
Packet over SONET/SDH (POS) is a technology popular in WAN and MAN. It can
support packet data such as IP packets.
The POS interface on your device supports PPP, Frame Relay, and HDLC at the data
link layer and IP at the network layer. Its transmission rate can vary with devices.
For example, in the sequence of STM-1 (155 Mbps), STM-4c (622 Mbps) and
STM-16c/STM-16 (2.5 Gbps), the rate of each level is four times that of the
immediate lower level.
Configuring a POS Interface
Before you configure the link layer and network layer protocols on a POS interface,
you must configure its physical parameters. In addition, to have the interface
participate in backup, configure the backup parameters; to set up a firewall on the
interface, configure packet filtering rules.
Displaying and Maintaining POS Interfaces
To do...                                                                          Use the command...                             Remarks
Display status and configuration information about one or all POS interfaces      display interface pos [ interface-number ]     Available in any view
Display IP-related configurations and statistics for one or all POS interfaces    display ip interface pos [ interface-number ]  Available in any view
Display IPv6-related configurations and statistics for one or all POS interfaces  display ipv6 interface pos interface-number    Available in any view
Note: If a physical interface is idle or has no cable connection, shut it down with the
shutdown command to avoid interface anomalies that may result from
interference. As the command can disable the interface, use it with caution.
POS Interface Configuration Example
Network diagram
Figure 3 Network diagram for connecting two POS interfaces through fiber
[Diagram labels: Router A, Router B]
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] interface pos 1/0
[RouterA-Pos1/0] ip address 10.110.1.10 255.255.255.0
[RouterA-Pos1/0] link-protocol ppp
[RouterA-Pos1/0] mtu 1500
[RouterA-Pos1/0] shutdown
[RouterA-Pos1/0] undo shutdown
2 Configure Router B
<RouterB> system-view
[RouterB] interface pos 1/0
# Set the clock mode to master and other physical parameters to defaults.
You can check the interface connectivity between the POS interfaces with the
display interface pos command and test network connectivity with the ping
command.
Network diagram
Figure 4 Network diagram for POS interface connection across Frame Relay
[Diagram labels: Router A, Router B, Router C, FR; POS 1/0.2, 20.10.10.1/24; POS1/0, 20.10.10.2/24; DLCI=60; DLCI=80]
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] interface pos 1/0
[RouterA-Pos1/0] clock slave
[RouterA-Pos1/0] link-protocol fr
[RouterA-Pos1/0] fr interface-type dte
[RouterA-Pos1/0] quit
[RouterB-Pos1/0] link-protocol fr
[RouterB-Pos1/0] fr interface-type dte
[RouterB-Pos1/0] ip address 10.10.10.2 255.255.255.0
[RouterB-Pos1/0] fr map ip 10.10.10.1 70
[RouterB-Pos1/0] mtu 1500
You can check interface connectivity with the display interface pos command
and test network connectivity with the ping command.
Solution:
■ Check that the transmitting and receiving optical fibers are correctly connected
to the POS interface. If you connect the two ends of an optical fiber to the
transmitting end and the receiving end of the same POS interface, you can see
the message “loopback detected” on the screen when executing the display
interface command even if you have not enabled loopback.
■ If the two devices are directly connected back to back, one end of the POS
interfaces must be configured to use the master clock and the other end slave
clock.
Solution:
Check that:
Symptom 3:
Solution:
Check that:
■ The correct clock mode is configured on the POS interface. If not, an enormous
number of CRC errors can be generated.
■ The MTU configuration is appropriate.
General Ethernet Interface Configuration
This section describes the attributes and configurations common to layer 2
Ethernet interfaces and layer 3 Ethernet interfaces. For specific attributes, refer to
related sections hereinafter.
The two Ethernet interfaces of a Combo port in the device panel correspond to
only one interface view, in which the two Ethernet interfaces can be switched. A
Combo port can be a Layer 2 Ethernet interface or a Layer 3 Ethernet interface.
Basic Ethernet Interface Configuration
Three duplex modes are available to Ethernet interfaces:
■ Full-duplex mode (full): in this mode, the sending and receiving of data packets
happen simultaneously;
■ Half-duplex mode (half): in this mode, at a particular time, either the sending
or receiving of data packets is allowed, but not both;
■ Auto-negotiation mode (auto): in this mode, the transmission mode is
negotiated between peer Ethernet interfaces.
If you configure the transmission rate for an Ethernet interface to be auto, then
the rate will be automatically negotiated between peer Ethernet interfaces.
Note:
■ The optical port does not support the speed command.
■ The speed 1000 command is only applicable in GigabitEthernet interface view.
Configuring Flow Control on an Ethernet Interface
When flow control is turned on between peer Ethernet interfaces, if traffic
congestion occurs at the ingress interface, it will send a Pause frame notifying the
egress interface to temporarily suspend the sending of packets. The egress
interface is expected to stop sending any new packets when it receives the Pause
frame. In this way, flow control helps to avoid the dropping of packets. Note that
only after both the ingress and the egress interfaces have turned on their flow
control will this be possible.
Configuring Loopback Test on a Layer 2 Ethernet Interface
You can enable loopback test to check whether the Ethernet interface functions
properly. Note that no data packets can be forwarded during the test. Loopback
test falls into the following two categories:
■ Internal loopback test, which is performed within switching chips to test the
functions related to the Ethernet interfaces.
■ External loopback test, which is used to test the hardware functions of an
Ethernet interface. To perform external loopback test on an Ethernet port, you
need to install a loopback plug on the Ethernet interface. In this case, packets
sent from the interface are received by the same interface.
Follow these steps to configure Layer 2 Ethernet interface loopback test:
Note:
■ As for the internal loopback test and external loopback test, if a Layer 2
interface is down, only the former is available on it; if the interface is shut
down, both are unavailable.
■ The speed, duplex, mdi, and shutdown commands are not applicable during
a loopback test.
■ With the loopback test enabled, the Ethernet interface works in the full duplex
mode. With the loopback testing enabled, the original configurations will be
restored.
Configuring Loopback on a Layer 3 Ethernet Interface
You can enable loopback on a Layer 3 Ethernet interface to check whether the
Ethernet interface functions properly. Note that interfaces with loopback enabled
cannot forward packets properly. Loopback on Layer 3 Ethernet interfaces falls
into the following two categories.
■ Internal loopback, used to check whether there is a fault on the chip’s
functions related to the Ethernet interfaces.
■ External loopback, used to check whether there is a fault on the hardware
functions of an Ethernet interface.
Configuring the Working Mode of an Ethernet Interface
According to the layer at which the device processes received data packets,
Ethernet interfaces can work in bridge or route mode.
Follow these steps to change the working mode of an Ethernet interface:
CAUTION:
■ Only 4SIC-FSW interface cards, 9DSIC-FSW interface cards, and the fixed
switching interfaces of 20-21 routers support work mode switching.
■ On an MSR series router, you can change the working mode to route mode for
up to two Ethernet interfaces.
■ After you change the working mode of an Ethernet interface, all the settings of
the Ethernet interface are restored to their defaults.
Configuring Layer 2 Ethernet Interfaces
Configuration Task List
Ethernet interface configuration in bridge mode involves the following tasks:
■ “Configuring a Port Group” on page 92
■ “Configuring the Storm Suppression Ratio for an Ethernet Interface” on page
93
■ “Configuring the Interval for Collecting Ethernet Interface Statistics” on page
94
■ “Enabling Loopback Detection on an Ethernet Interface” on page 94
■ “Configuring the Cable Type for an Ethernet Interface” on page 95
■ “Testing the Cable on an Ethernet Interface” on page 96
Configuring a Port Group
A port group enables configurations to be applied to multiple ports at the same
time. It relieves users of some duplicated operations that are needed on multiple
devices. Any commands executed in port group view apply to all the ports in the
port group.
■ Manual port group: manually created by users. You can add multiple Ethernet
interfaces to a manual port group.
■ Dynamic port group: dynamically created by the system, currently mainly used
to form link aggregation port groups. A link aggregation port group is
automatically created together with the creation of a link aggregation group
and cannot be created by users through command line input. Adding ports to or
removing ports from a link aggregation port group can only be
achieved through operations on the link aggregation group.
Manual port group is mainly used to synchronize the configurations among the
ports in it. When you use the display current-configuration or display this
command to view the current configuration, the configuration concerning manual
port group is not displayed. The configuration of manual port group becomes invalid
after you reboot the device even if you have saved the current configuration
before reboot.
Aggregation port group is mainly used to achieve the port aggregation function.
You can use the display current-configuration or display this command to
view aggregation port group-related information. In addition, if you save the
configuration concerning aggregation port group, it remains valid even if you
reboot the device.
To do...                                                  Use the command...                 Remarks
Enter system view                                         system-view                        -
Enter port group view: Enter manual port group view       port-group manual port-group-name  -
Enter port group view: Enter aggregation port group view  port-group aggregation agg-id      -
Note: Refer to “Aggregation Port Group” on page 349 for the information about
aggregation port group.
Configuring the Storm Suppression Ratio for an Ethernet Interface
You can use the following commands to suppress the broadcast, multicast, and
unknown unicast traffic. When the broadcast, multicast, or unknown unicast
traffic over the interface exceeds the threshold, the system will discard the extra
packets so that the broadcast, multicast, or unknown unicast traffic ratio can drop
below the limit to ensure that the network functions properly.
Follow these steps to configure a storm suppression ratio for an Ethernet interface:
Note: If you set the suppression ratio in interface view or port group view repeatedly, the
last configuration takes effect.
Configuring the Interval for Collecting Ethernet Interface Statistics
Complete the following configuration tasks to configure the time interval for
collecting interface statistics. Use the display interface command to display the
interface statistics within this time interval.
Follow these steps to configure the interval for collecting interface statistics:
■ If loops are detected on a port that is of access type, the port will be shut down.
Meanwhile, trap messages will be sent to the terminal, and the corresponding
MAC address forwarding entries will be removed.
■ If loops are detected on a port that is of trunk or hybrid type, trap messages are
sent to the terminal. If the loopback detection control function is also enabled
on the port, the port will be blocked, trap messages will be sent to the
terminal, and the corresponding MAC address forwarding entries will be
removed.
CAUTION:
■ Loopback detection on a given port is enabled only after the
loopback-detection enable command has been issued in both system view
and the interface view of the port.
■ Loopback detection on all ports will be disabled after the issuing of the undo
loopback-detection enable command under system view.
■ For a Trunk or Hybrid port, make sure that the default VLAN of the port exists.
Note:
■ The optical interface of a Combo port does not support this feature.
■ After you perform the configuration described in this section, the link goes
down and up automatically.
Two types of Ethernet cables can be used to connect Ethernet devices: crossover
cable and straight-through cable. To accommodate these two types of cables, an
Ethernet interface on a device can operate in one of the following three Medium
Dependent Interface (MDI) modes:
■ Across mode, where the Ethernet interface only accepts crossover cables.
■ Normal mode, where the Ethernet interface only accepts straight-through
cables.
■ Auto mode, where the Ethernet interface accepts both straight-through cables
and crossover cables.
Normally, the auto mode is recommended. The other two modes are useful only
when the device cannot determine the cable type.
Follow these steps to configure the cable type for an Ethernet Interface:
Note: The optical interface of a Combo port does not support this feature.
Complete the following configurations to test the current working state of the
cable on an Ethernet interface. The system will return the testing result within five
seconds, indicating the receiving direction (RX), transmit direction (TX), any
short-circuit or open circuit, and the length of the faulty cable.
Configuring Layer 3 Ethernet Interfaces
Configuration Task List
Ethernet interface configuration in bridge mode involves the following tasks:
■ “Setting the MTU for an Ethernet Interface” on page 96
■ “Configuring the Suppression Time of Link-Layer-State Changes on an
Ethernet Interface” on page 97
Setting the MTU for an Ethernet Interface
The value of Maximum Transmission Unit (MTU for short) affects the
fragmentation and grouping of IP packets.
Follow these steps to set the MTU for an Ethernet interface:
Note: Because the QoS queue length is limited (for example, the default length of a FIFO queue
is 75), too small an MTU will result in too many fragments, which will be discarded
from the QoS queue. In this case, you can increase the MTU or the QoS queue length
as appropriate. In Ethernet interface view, you can use qos fifo queue-length to
change the QoS queue length. For detailed configurations, see “QoS Overview” on
page 1623.
Configuring the Suppression Time of Link-Layer-State Changes on an Ethernet Interface
An Ethernet interface working in Layer 3 mode has two link layer states: up and
down. During the suppression time, link-layer-state changes will not be
propagated to the system. Only after the suppression time has elapsed will the
system be notified of the link-layer-state changes by the link layer. This
functionality reduces the extra overhead incurred by frequent link-layer-state
changes within a short period of time.
Note: You can increase the polling interval to reduce the negative effect on
network traffic caused by time delay or heavy congestion.
Maintaining and Displaying an Ethernet Interface
To do...                                                                    Use the command...                                                                                        Remarks
Display the current state of a specified interface and related information  display interface [ interface-type [ interface-number ] ]                                                 Available in any view
Display a summary of a specified interface                                  display brief interface [ interface-type [ interface-number ] ] [ | { begin | include | exclude } text ]  Available in any view
Reset the statistics of a specified interface                               reset counters interface [ interface-type [ interface-number ] ]                                          Available in user view
Display the current ports of a specified type                               display port { hybrid | trunk }                                                                           Available in any view
Note: Refer to “ATM and DSL Interface Configuration” on page 71 for information about
ATM interface.
Asynchronous Serial Interface
An asynchronous serial interface can operate in the flow mode or protocol mode.
It can operate as a dialup interface when having a modem or an ISDN terminal
adapter (TA) attached to it. You can encapsulate an asynchronous serial interface
with PPP on the data link layer to provide support for network layer protocols such
as IP and IPX.
Note:
■ You can use the speed command to configure the baud rate for an
asynchronous serial interface. For details, refer to the “User Interface
Configuration” on page 2155.
■ Refer to “Configuring PPP” on page 367, “DCC Configuration” on page 153,
“IP Addressing Configuration” on page 623, “Firewall Configuration” on page
1789, and “Backup Center Configuration” on page 1961 for information about
the configuration concerning PPP, DCC, IP addressing, firewall, and backup
center.
AUX Interface
Overview
The AUX interface is fixed on your device. It can work as a regular asynchronous
serial interface at speeds up to 115200 bps. With this interface, you can perform
functions such as remote device configuration and line backup.
Note: To perform other AUX interface configurations (such as baud rate, stop bit, parity,
and flow control), use the corresponding commands in user-interface view. Refer
to “User Interface Configuration” on page 2155 for related information.
USB Interface
Overview
A USB interface can be used as a dial-up interface when it has a 3G modem
attached to it. The USB interface operates in the protocol mode. The link layer protocol
can be PPP and the network layer protocol can be IP or IPX.
Synchronous Serial Interface
AM Interface
Overview
Analog modem (AM) interfaces bring services provided by asynchronous serial
interfaces and analog modems together. Most of the configuration commands
used on asynchronous serial interfaces and modems can be directly used on AM
interfaces. When configuring an AM interface, you can treat it as a special
asynchronous serial interface.
AM interfaces provide dial-in and dial-out services for analog dial-up users.
Theoretically, if the peer (usually an ISP) uses a digital modem, the AM interface
can establish connection with V.90 Modem standard to provide downstream rates
up to 56 kbps and upstream rates up to 33.6 kbps. If the peer (usually a common
user) uses an analog modem (or an AM interface), the AM interface can establish
connection with V.34 Modem standard to provide rates (both downstream and
upstream) up to 33.6 kbps.
Note: To set the baud rate for an AM interface, use the speed command in
user-interface view. Refer to “User Interface Configuration” on page 2155 for
related information.
can be used to forward digital and analog information. The standardization efforts
that ITU-T made in provisioning the ISDN services made the implementation of
ISDN possible. The provisions of the recommendations I.430, Q.921, and
Q.931 give all devices that meet the ITU-T ISDN provisions unobstructed access to
the ISDN network.
[Diagram labels: TE2, TA, R, S]
■ Network terminal 1 (NT1) implements the functionality of the first layer in the
OSI reference model, such as subscriber-line transmission, loop test, D-channel
competition.
■ Network terminal 2 (NT2), also known as intelligent network terminal,
implements the functionality of layers 1 through 3.
■ Category-1 terminal equipment (TE1), also known as ISDN standard terminal, is
user equipment compliant with the ISDN interface provisions. A digital phone set
is one example.
■ Category-2 terminal equipment (TE2), also known as non-ISDN standard
terminal equipment, refers to user equipment that is not compliant with the ISDN
interface provisions.
■ Terminal adapter (TA) implements the adaptation function so that TE2 can
access a standard ISDN interface.
■ Verify the type of the interface provided by your telecom service provider,
whether it is ISDN BRI U or ISDN BRI S/T. Although ITU-T I.411 provides
an ISDN user-network interface reference model, there is some disagreement about
the position of the user-network dividing point. For this reason, some nations
adopt the U interface while some others adopt the S/T interface depending on
their needs. Therefore, you must confirm the interface type provided by your
service provider before making a router purchase decision.
■ Request digital service. As ISDN can provide integrated services including
both digital and voice, you must request an ISDN line allowing digital call
service so that your router can make digital communications.
■ Select connection type, which can be a point-to-point connection or a
point-to-multipoint connection (optional). As ISDN supports semipermanent
connection, you can adopt the ISDN leased line in the event that you adopt
ISDN only for connecting two fixed points. Otherwise, you must select a
point-to-multipoint connection.
■ Request delivery of the Calling Line Identification (CLI) function (optional).
With it, you can implement calling ID filtering on your ISDN line to prevent some
users from accessing the local router and hence enhance network security.
Configuring ISDN BRI Interface
Follow these steps to configure an ISDN BRI interface:
To do...                                            Use the command...           Remarks
Enter system view                                   system-view                  --
Enter ISDN BRI interface view                       interface bri number         Required
Enable external loopback on the ISDN BRI interface  loopback { b1 | b2 | both }  Disabled by default
ISDN BRI interfaces are used for dialup purposes. For details on ISDN BRI interface
configuration, refer to “DCC for Dialup ISDN BRI Line and Leased Line Connection”
on page 192.
CE1/PRI Interface
Overview
In the 1960s, time division multiplexing (TDM) technology gained increasingly
wide application in the data communications system along with the introduction
of pulse code modulation (PCM) technology. So far, there exist two TDM systems
in the data communications system. One is the ITU-T recommended E1 system
that is widely adopted in Europe and P.R. China. The other is the ANSI
recommended T1 system that is widely used in North America and Japan. (The
system that Japan adopts is actually called J1. It is regarded as a T1 system due to
high similarity between them.)
■ When this interface is used as a CE1 interface, all the timeslots except timeslot
0 can be arbitrarily divided into multiple channel sets and each set can be used
as an interface upon timeslot bundling. Its logic features are the same as those
of a synchronous serial interface. It supports link layer protocols such as PPP, FR,
LAPB and X.25, and network protocols such as IP and IPX.
■ When the interface is used as a PRI interface, timeslot 16 will be used as a D
channel to transmit signaling. Therefore, rather than selecting among all the
timeslots, you can only select B channels arbitrarily from
the timeslots other than timeslots 0 and 16. The selected set of timeslots can be
bundled together with timeslot 16 to form a PRI set that can be used as an
interface. The logic features of this interface will be the same as those of an
ISDN PRI interface. It will support link layer protocol PPP and network protocols
such as IP and IPX and can be configured with parameters such as DCC.
After you set the CE1/PRI interface to operate in E1 mode, the system
automatically creates a serial interface numbered serial interface-number:0. This
interface is logically equivalent to a synchronous serial interface where you can
make other configurations such as:
Configuring CE1/PRI Interface (in CE1 Mode)
Follow these steps to configure a CE1/PRI interface in CE1 mode:
To do... | Use the command... | Remarks
Enter system view | system-view | --
Enter CE1/PRI interface view | controller e1 number | Required
A CE1/PRI interface in CE1/PRI mode can be used as a CE1 interface where a serial
interface is created upon creation of a channel set. You may bundle timeslots on a
CE1/PRI interface into up to 31 channel sets.
For each channel set, the system automatically creates a serial interface numbered
serial interface-number:set-number. This interface is logically equivalent to a
synchronous serial interface where you can make other configurations about:
■ Data link protocol such as “PPP and MP Configuration” on page 363, “VoFR
Configuration” on page 2385, “X.25 and LAPB Configuration” on page 283
■ “IP Addressing Configuration” on page 623
■ “Backup Center Configuration” on page 1961 if the interface is used as a
primary or secondary interface for backup
■ “NAT-PT Configuration” on page 679 and “Configuring a Packet Filter Firewall”
on page 1794 if a firewall is to be set up
Note: The timeslots on a CE1/PRI interface can be bundled into either channel sets or a
PRI set, but not both at a time.
Configuring CE1/PRI Interface (in PRI Mode)
Follow these steps to configure a CE1/PRI interface in PRI mode:
To do... | Use the command... | Remarks
Enter system view | system-view | --
Enter CE1/PRI interface view | controller e1 number | Required
Set the interface to operate in CE1/PRI mode | using ce1 | Optional. The default operating mode is CE1/PRI mode.
Bundle timeslots on the interface into a PRI set | pri-set [ timeslot-list list ] | Required. If no timeslot range is specified, all timeslots except timeslot 0 form a 30B + D ISDN PRI interface.
Set other interface parameters | See “WAN Interface Configuration” on page 99. | Optional
A CE1/PRI interface in CE1/PRI mode can be used as a PRI interface where only one
PRI set can be created.
For the PRI set, the system automatically creates a serial interface numbered serial
interface-number:15. This interface is logically equivalent to an ISDN PRI interface
where you can make other configurations about:
Note: The timeslots on a CE1/PRI interface can be bundled into either channel sets or a
PRI set, but not both at a time.
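The bundling rules in the CE1 and PRI sections above can be checked before a plan is typed into the router. The following is an added example, not code from the 3Com guide; the function names, the controller number 1/0 and the comma/range syntax of the timeslot list are assumptions.

```python
import re

MAX_CHANNEL_SETS = 31   # "up to 31 channel sets" on one CE1/PRI interface
D_CHANNEL = 16          # timeslot 16 carries signaling in PRI mode
PRI_SET_NUMBER = 15     # the PRI set appears as serial <number>:15


def parse_timeslot_list(text):
    """Expand '1-3,5' into {1, 2, 3, 5}. The comma/range syntax is an assumption."""
    slots = set()
    for item in text.split(","):
        m = re.fullmatch(r"\s*(\d+)\s*(?:-\s*(\d+)\s*)?", item)
        if not m:
            raise ValueError(f"malformed timeslot item {item!r}")
        first, last = int(m.group(1)), int(m.group(2) or m.group(1))
        if first > last:
            raise ValueError(f"descending range {item!r}")
        slots.update(range(first, last + 1))
    return slots


def check_slots(slots, reserved):
    """Reject reserved timeslots and anything outside 1..31."""
    bad = sorted(ts for ts in slots if ts in reserved or not 1 <= ts <= 31)
    if bad:
        raise ValueError(f"timeslots not available for bundling: {bad}")


def plan_e1(controller, channel_sets=None, pri_set=None):
    """Validate a CE1/PRI timeslot plan; return {serial interface: kbps}.

    channel_sets maps set-number -> timeslot-list text (CE1 use).
    pri_set is timeslot-list text, or "" for pri-set without a list.
    The rate counts the bundled data (B) timeslots at 64 kbps each.
    """
    channel_sets = channel_sets or {}
    if channel_sets and pri_set is not None:
        raise ValueError("channel sets and a PRI set cannot coexist")
    if len(channel_sets) > MAX_CHANNEL_SETS:
        raise ValueError("more than 31 channel sets")

    plan, owner = {}, {}
    for number, text in sorted(channel_sets.items()):
        slots = parse_timeslot_list(text)
        check_slots(slots, reserved={0})            # timeslot 0 is never bundled
        for ts in sorted(slots):
            if ts in owner:
                raise ValueError(
                    f"timeslot {ts} is in channel sets {owner[ts]} and {number}")
            owner[ts] = number
        plan[f"serial {controller}:{number}"] = len(slots) * 64

    if pri_set is not None:
        if pri_set.strip():
            b_channels = parse_timeslot_list(pri_set)
        else:                                       # no list: 30B + D
            b_channels = set(range(1, 32)) - {D_CHANNEL}
        check_slots(b_channels, reserved={0, D_CHANNEL})
        plan[f"serial {controller}:{PRI_SET_NUMBER}"] = len(b_channels) * 64
    return plan


def plan_error(controller, **plan):
    """Return the rejection reason for a plan, or None if it is valid."""
    try:
        plan_e1(controller, **plan)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample plans for a hypothetical controller 1/0.
    print(plan_e1("1/0", channel_sets={0: "1-5", 1: "6,8-10"}))
    print(plan_e1("1/0", pri_set=""))
    print(plan_error("1/0", channel_sets={0: "1-5", 1: "5-6"}))
```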
Configuring Other CE1/PRI Interface Parameters
Follow these steps to configure other CE1/PRI interface parameters:
To do... | Use the command... | Remarks
Enter system view | system-view | --
Enter CE1/PRI interface view | controller e1 number | Required
Set the line code format | code { ami | hdb3 } | Optional. The default is high density bipolar 3 (HDB3).
Configure to perform AIS (alarm indication signal) test | detect-ais | Optional. By default, AIS test is performed.
Set the cable type | cable { long | short } | Optional. The default cable setting is long mode.
Set the clock mode | clock { master | slave } | Optional. The default is slave, that is, line clock.
Set the framing format | frame-format { crc4 | no-crc4 } | Optional. The default is no-CRC4.
Set the line idle code type | idlecode { 7e | ff } | Optional. The default is 0x7E.
Set the type of interframe filling tag | itf type { 7e | ff } | Optional. The default is 0x7E.
Set the number of interframe filling tags | itf number number | Optional. The default is 4.
Set the loopback mode | loopback { local | remote | payload } | Optional. Loopback is disabled by default.
Quit to system view | quit | -
Enter synchronous serial interface view of the interface formed by a CE1/PRI interface | interface serial interface-number:set-number or interface serial interface-number:15 | Required
Set the CRC mode | crc { 16 | 32 | none } | Optional. By default, 16-bit CRC is adopted.
Configuring Error Packets Diffusion Restraint
Note: The support of this feature varies with device model. Refer to your specific device.
Error packet diffusion refers to the situation where, when one timeslot receives an
error packet, all the other timeslots are affected and also receive error packets.
If, during the time specified by detect-timer, the ratio of error packets on an
interface is greater than that specified by threshold, the interface is regarded as
faulty and is shut down. After waiting for the time specified by renew-timer, the
interface is re-enabled.
Displaying and Maintaining CE1/PRI Interfaces
To do... | Use the command... | Remarks
Display the operating state of a CE1/PRI interface | display controller e1 [ interface-number ] | Available in any view
Display the operating state of a channel set or PRI set | display interface serial interface-number:set-number | Available in any view
Clear the controller counter for a CE1/PRI interface | reset counters controller e1 interface-number | Available in user view
CT1/PRI Interface
Overview
A CT1/PRI interface can only operate in channelized mode. It can be used in the
following two ways:
■ When it is working as a CT1 interface, all the timeslots from 1 to 24 can be
randomly divided into groups. Each of these groups can form one channel set
for which the system automatically creates an interface logically equivalent to a
synchronous serial interface. This interface supports link layer protocols such as
PPP, FR, LAPB, and X.25, and network protocols such as IP and IPX.
Note: The timeslots on a CT1/PRI interface can be bundled into either channel sets or a
PRI set at a time.
Configuring CT1/PRI Interface in CT1 Mode
Follow these steps to configure a CT1/PRI interface in CT1 mode:
To do... | Use the command... | Remarks
Enter system view | system-view | --
Enter CT1/PRI interface view | controller t1 number | Required
Bundle timeslots on the interface into channel sets | channel-set set-number timeslot-list list [ speed { 56k | 64k } ] | Required. Up to 24 channel sets can be bundled. The default timeslot speed is 64 kbps.
Configure other interface parameters | See “Configuring Other CT1/PRI Interface Parameters” on page 112. | Optional
For each channel set, the system automatically creates a serial interface numbered
serial number:set-number. This interface is logically equivalent to a synchronous
serial interface where you can make other configurations about:
■ Data link protocol such as “PPP and MP Configuration” on page 363, “VoFR
Configuration” on page 2385, “X.25 and LAPB Configuration” on page 283
■ “IP Addressing Configuration” on page 623
■ “Backup Center Configuration” on page 1961 if the interface is used as a
primary or secondary interface for backup
■ “NAT-PT Configuration” on page 679 and “Configuring a Packet Filter Firewall”
on page 1794 if a firewall is to be set up
Configuring a CT1/PRI Interface Operating as a PRI Interface
Follow these steps to configure a CT1/PRI interface operating as a PRI interface:
To do... | Use the command... | Remarks
Enter system view | system-view | --
Enter CT1/PRI interface view | controller t1 number | Required
Bundle timeslots on the interface into a PRI set | pri-set [ timeslot-list list ] | Required. Only one PRI set can be created at a time.
Configure other interface parameters | See “Configuring Other CT1/PRI Interface Parameters” on page 112. | Optional
For the PRI set, the system automatically creates a serial interface numbered serial
number:23. This interface is logically equivalent to an ISDN PRI interface where
you can make other configurations about:
Configuring Other CT1/PRI Interface Parameters
Follow these steps to configure other CT1/PRI interface parameters:
To do... | Use the command... | Remarks
Enter system view | system-view | --
Enter CT1/PRI interface view | controller t1 number | Required
Set the line code format | code { ami | b8zs } | Optional. The default is B8ZS1.
Set the cable length and attenuation | cable long { 0db | -7.5db | -15db | -22.5db } | Optional. The long 0db keyword applies by default.
Set the cable length and attenuation | cable short { 133ft | 266ft | 399ft | 533ft | 655ft } | Optional. The long 0db keyword applies by default.
Set the clock mode | clock { master | slave } | Optional. The default is slave, that is, line clock.
Set the framing format | frame-format { sf | esf } | Optional. The default is ESF.
Enable user data inversion | data-coding { normal | inverted } | Optional. Disable user data inversion.
Set the line idle code type | idlecode { 7e | ff } | Optional. The default is 0x7E.
Set the type of interframe filling tag | itf type { 7e | ff } | Optional. The default is 0x7E.
Set the number of interframe filling tags | itf number number | Optional. The default is 4.
You may view the state and result of the BERT test with the display controller t1
command.
Configuring Error Packets Diffusion Restraint
Note: The support of this feature varies with device model. Refer to your specific device.
Error packet diffusion refers to the situation where, when one timeslot receives an
error packet, all the other timeslots are affected and also receive error packets.
If, during the time specified by detect-timer, the ratio of error packets on an
interface is greater than that specified by threshold, the interface is regarded as
faulty and is shut down. After waiting for the time specified by renew-timer, the
interface is re-enabled.
Displaying and Maintaining CT1/PRI Interfaces
To do... | Use the command... | Remarks
Display the operating state of a CT1/PRI interface | display controller t1 [ interface-number ] | Available in any view
Display the operating state of a channel set or PRI set | display interface serial interface-number:set-number | Available in any view
Clear the controller counter for a CE1/PRI interface | reset counters controller t1 interface-number | Available in user view
E1-F Interface
Overview
E1-F interfaces, fractional E1 interfaces, are simplified CE1/PRI interfaces. They are
a cost-effective alternative to CE1/PRI interfaces where E1 access does not need
multiple channel sets or ISDN PRI.
■ In framed mode, it can only bind timeslots into one channel set, while a
CE1/PRI interface can group and bundle timeslots randomly into multiple
channel sets.
■ It does not support PRI mode.
An E1-F interface can work in both framed (the default) and unframed modes.
When the E1-F interface is working in framed mode, it is physically divided into 32
timeslots numbered 0 through 31. Except timeslot 0 used for transmitting
synchronization information, all other timeslots can randomly form one channel
set. The rate of the interface is thus n × 64 kbps and its logical features are the
same as those of a synchronous serial interface where you can configure PPP, FR,
LAPB and X.25 at the data link layer and IP or IPX at the network layer.
Configuring an E1-F Interface (in Framed Mode)
Follow these steps to configure an E1-F interface in framed mode:
To do... | Use the command... | Remarks
Enter system view | system-view | --
Enter E1-F interface view | interface serial interface-number | Required
Set the interface to operate in framed mode | undo fe1 unframed | Optional. The default is framed mode.
Bundle timeslots on the interface | fe1 timeslot-list range | Optional. If no timeslot range is specified, all timeslots are bundled by default.
Set other interface parameters | See “Configuring Other E1-F Interface Parameters” on page 116. | Optional
Configuring an E1-F Interface (in Unframed Mode)
Follow these steps to configure an E1-F interface in unframed mode:
To do... | Use the command... | Remarks
Enter system view | system-view | --
Enter E1-F interface view | interface serial interface-number | Required
Configuring Other E1-F Interface Parameters
Follow these steps to configure other E1-F interface parameters:
To do... | Use the command... | Remarks
Enter system view | system-view | --
Enter E1-F interface view | interface serial serial-number | Required
Set the line code format | fe1 code { ami | hdb3 } | Optional. The default is HDB3.
Set the clock mode | fe1 clock { master | slave } | Optional. The default is slave, that is, line clock.
Set the cable type | fe1 cable { long | short } | Optional. The long keyword applies by default.
Configure the CRC mode | fe1 crc { 16 | 32 | none } | Optional. 16-bit CRC by default.
Configure to perform AIS test | fe1 detect-ais | Optional. By default, AIS test is performed.
Set the framing format | fe1 frame-format { crc4 | no-crc4 } | Optional. The default is no-CRC4.
Set the line idle code type | fe1 idlecode { 7e | ff } | Optional. The default is 0x7E.
Set the interframe filling tag type | fe1 itf type { 7e | ff } | Optional. The default is 0x7E.
Set the number of interframe filling tags | fe1 itf number number | Optional. The default is 4.
Set the loopback mode | fe1 loopback { local | payload | remote } | Optional. Loopback is disabled by default.
Displaying and Maintaining E1-F Interfaces
To do... | Use the command... | Remarks
Display the configuration and state of a specified or all E1-F interfaces | display fe1 [ serial interface-number ] | Available in any view
Display the operating state of an E1-F interface | display interface serial interface-number | Available in any view
T1-F Interface
Overview
T1-F interfaces, fractional T1 interfaces, are simplified CT1/PRI interfaces. They are
a cost-effective alternative to CT1/PRI interfaces where T1 access does not need
multiple channel sets or ISDN PRI.
■ In framed mode, it can bind timeslots into only one channel set, while a
CT1/PRI interface can group and bundle timeslots randomly into multiple
channel sets.
■ It does not support PRI mode.
A T1 line is multiplexed from 24 channels. That is, a T1 primary group frame DS1
(digital signal level-1) comprises 24 DS0 (64 kbps) timeslots and 1 framing bit for
synchronization, with each timeslot being 8 bits. Each primary group frame thus
has 193 bits (24 × 8+1). As DS1 can transmit 8000 frames per second, its
transmission speed is 1544 kbps (193 × 8 kbps).
A T1-F interface can only work in framed mode. Timeslots 1 through 24 on it can
randomly form a channel set. The rate of the interface is thus n × 64 kbps or n ×
56 kbps and its logical features are the same as those of a synchronous serial
interface where you can configure PPP, FR, LAPB and X.25 at the data link layer
and IP or IPX at the network layer.
You may view the state and result of the BERT test with the display ft1 serial
command.
Displaying and Maintaining T1-F Interfaces
To do... | Use the command... | Remarks
Display information about a specified or all T1-F interfaces | display ft1 [ serial serial-number ] | Available in any view
Display the operating state of a specified T1-F interface | display interface serial serial-number | Available in any view
CE3 Interface
Overview
Like E1, E3 also belongs to the digital carrier system of ITU-T. It transmits data at
34.368 Mbps and adopts HDB3 as the line code format.
When the E1 line is working in framed (CE1) mode, you can bundle timeslots on it.
The system automatically creates a serial interface numbered serial
number/line-number:set-number for it. This interface operates at N × 64 kbps and
is logically equivalent to a synchronous serial interface where you can make other
configurations.
CE3 interfaces support link layer protocols PPP, HDLC, FR, LAPB, and X.25 and
network protocols IP and IPX.
Configuring a CE3 Interface (in E3 Mode)
Follow these steps to configure a CE3 interface operating in E3 mode:
To do... | Use the command... | Remarks
Enter system view | system-view | --
Configuring a CE3 Interface Operating in CE3 Mode
Follow these steps to configure a CE3 interface in CE3 mode:
To do... | Use the command... | Remarks
Enter system view | system-view | --
Enter CE3 interface view | controller e3 interface-number | Required
Set the interface to operate in CE3 mode | using ce3 | Optional. The default operating mode is CE3 mode.
Set the operating mode of an E1 line on the CE3 interface to unframed mode or framed mode: set the operating mode to unframed (E1) mode | e1 line-number unframed | Required. The default is CE1 mode.
Set the operating mode of an E1 line on the CE3 interface to unframed mode or framed mode: set the operating mode to framed (CE1) mode and bundle timeslots on the CE1 interface | undo e1 line-number unframed | Optional. The default is framed mode.
Set the operating mode of an E1 line on the CE3 interface to unframed mode or framed mode: set the operating mode to framed (CE1) mode and bundle timeslots on the CE1 interface | e1 line-number channel-set set-number timeslot-list list | Required. No channel sets are created by default.
Set other interface parameters | See “Configuring Other CE3 Interface Parameters” on page 120. | Optional
Configuring Other CE3 Interface Parameters
Follow these steps to configure other CE3 interface parameters:
To do... | Use the command... | Remarks
Enter system view | system-view | --
Displaying and Maintaining CE3 Interfaces
You can verify the configuration of a CE3 interface by using the display
commands listed in the following table in any view.
CT3 Interface
Overview
Both T3 and T1 belong to the T-carrier system promoted by ANSI. T3 uses the
digital signal level DS-3 and operates at 44.736 Mbps.
When the T1 line is working in framed (CT1) mode, you can bundle timeslots on it.
The system automatically creates a serial interface numbered serial
Configuring a CT3 Interface (in T3 Mode)
Follow these steps to configure a CT3 interface in CT3 mode:
To do... | Use the command... | Remarks
Enter system view | system-view | --
Enter CT3 interface view | controller t3 interface-number | Required
Set the interface to operate in T3 mode | using t3 | Required. The default operating mode is CT3 mode.
Configure the interface to operate in the FT3 mode and set the DSU mode or the subrate | ft3 { dsu-mode { 0 | 1 | 2 | 3 | 4 } | subrate number } | Optional. By default, DSU mode 0 (the digital link mode) is adopted, and the subrate is 44210 kbps.
Set other interface parameters | See “Configuring Other CT3 Interface Parameters” on page 124. | Optional
Configuring CT3 Interface in CT3 Mode
Follow these steps to configure a CT3 interface in CT3 mode:
To do... | Use the command... | Remarks
Enter system view | system-view | --
Enter CT3 interface view | controller t3 interface-number | Required
Set the interface to operate in CT3 mode | using ct3 | Optional. The default operating mode is CT3 mode.
Set the operating mode of a T1 line on the CT3 interface to unframed mode or framed mode: set the operating mode to unframed (T1) mode | t1 line-number unframed | Required. The default is CT1 mode.
Set the operating mode of a T1 line on the CT3 interface to unframed mode or framed mode: set the operating mode to framed (CT1) mode and bundle timeslots on the CT1 interface | undo t1 line-number unframed | Optional. The default is framed mode.
Set the operating mode of a T1 line on the CT3 interface to unframed mode or framed mode: set the operating mode to framed (CT1) mode and bundle timeslots on the CT1 interface | t1 line-number channel-set set-number timeslot-list range [ speed { 56k | 64k } ] | Required. No channel sets are created by default. The default timeslot speed is 64 kbps.
Set other interface parameters | See “Configuring Other CT3 Interface Parameters” on page 124. | Optional
Configuring Other CT3 Interface Parameters
Follow these steps to configure other CT3 interface parameters:
To do... | Use the command... | Remarks
Enter system view | system-view | --
Enter CT3 interface view | controller t3 interface-number | Required
Set the clock mode (for the CT3 interface) | clock { master | slave } | Optional. The default is slave, that is, line clock.
Set the clock mode (for a T1 line) | t1 line-number set clock { master | slave } | Optional. The default is slave, that is, line clock.
Set the cable length | cable feet | Optional. The default is 14.9 meters (49 feet).
Set the loopback mode (on the CT3 interface) | loopback { local | payload | remote } | Optional. Loopback is disabled by default.
Set the loopback mode (on a T1 line) | t1 line-number set loopback { local | payload | remote } | Optional. Loopback is disabled by default.
Set the framing format (on the CT3 interface) | frame-format { c-bit | m23 } | Optional. The default is C-bit.
Set the framing format (on a T1 line) | t1 line-number set frame-format { esf | sf } | Optional. The default is esf.
Configure alarm signal detection/sending (on the CT3 interface) | alarm { detect | generate { ais | febe | idle | rai } } | Optional. Alarm detection is enabled by default.
Configure alarm signal detection/sending (on a T1 line) | t1 line-number alarm { detect | generate { ais | rai } } | Optional. Alarm detection is enabled by default.
Start a BERT test (on the CT3 interface) | bert pattern { 2^7 | 2^11 | 2^15 | qrss } time number [ unframed ] | Optional. BERT test is disabled by default.
Start a BERT test (on a T1 line) | t1 line-number bert pattern { 2^11 | 2^15 | 2^20 | 2^23 | qrss } time number [ unframed ] | Optional. BERT test is disabled by default.
Configure FEAC channel signal detection/sending on the CT3 interface | feac detect | Optional. FEAC channel signal detection is enabled by default but no FEAC signals are sent.
Configure FEAC channel signal detection/sending on the CT3 interface | feac generate loopback { ds3-line | ds3-payload } | Optional. FEAC channel signal detection is enabled by default but no FEAC signals are sent.
Configure FEAC channel signal detection/sending on the CT3 interface | feac generate { ds3-los | ds3-ais | ds3-oof | ds3-idle | ds3-eqptfail } | Optional. FEAC channel signal detection is enabled by default but no FEAC signals are sent.
Configure MDL message detection/sending on the CT3 interface | mdl { detect | data { eic string | fic string | gen-no string | lic string | pfi string | port-no string | unit string } | generate { idle-signal | path | test-signal } } | Optional. By default, MDL message detection and sending are disabled and the default MDL message information applies.
Displaying and Maintaining CT3 Interfaces
You can verify the configuration of a CT3 interface by using the display
commands listed in the following table in any view.
Note that:
Introduction to ATM Technology
ATM Overview
Asynchronous transfer mode (ATM) is a technology based on packet transmission
mode while incorporating the high speed of circuit transmission mode. It can
satisfy the needs of various communication services. ATM was specified as a
broadband ISDN transmission and switching mode by ITU-T in June 1992.
Owing to its flexibility and support for multimedia services, it is regarded as
the core technology to implement broadband communications.
Hierarchical Structure of ATM
The basic ATM protocol framework consists of three planes: user plane, control
plane, and management plane.
The user plane and the control plane are each subdivided into four layers, namely,
physical layer, ATM layer, ATM adaptation layer (AAL), and upper layer, each
allowing further division.
The control plane mainly uses signaling protocols to establish and release
connections.
The following figure presents the relationships between layers and planes:
[Figure: ATM protocol reference model, showing the management plane (plane management and hierarchical management), the upper layer protocols, the ATM layer, and the physical layer.]
■ The physical layer mainly provides transmission channels for ATM cells, forming
continuous bit streams by adding the transmission overheads onto the cells
from the ATM layer. At the same time, upon receiving continuous bit streams
from the physical media, the physical layer takes out the effective cells and
transfers them to the ATM layer.
■ The ATM layer, residing over the physical layer, implements cell-based
communication with peer layers by leveraging the service provided by the
physical layer. The ATM layer relies on the types of the physical media and the
specific implementation of the physical layer, as well as the types of services
being transmitted. What is input into the ATM layer are 48-byte payloads,
which are called segmentation and reassembly protocol data units (SAR-PDUs),
and what the ATM layer outputs are 53-byte cells, which are also transferred to
the physical layer for transmission. The ATM layer is responsible
for generating a 5-byte cell header, which will be inserted in front of a
payload. Other functions of the ATM layer include VPI/VCI transmission, cell
multiplexing/demultiplexing, and generic flow control.
■ As the interface between upper layer protocol and ATM Layer, ATM Adaptation
Layer (AAL) is responsible for forwarding the information between ATM Layer
and upper layer protocols. At present, four types of AAL have been put
forward -- AAL1, AAL2, AAL3/4 and AAL5, each of which supports some
special services. Most ATM equipment manufacturers’ products use AAL5 to
support the data communication service.
■ ATM upper layer protocols provide functions such as WAN interconnection,
voice interconnection, interconnection with existing Layer 3 protocols,
encapsulation mode, LAN emulation, multi-protocol over ATM, and classical IP.
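The layering described above, from an AAL5 packet to 48-byte SAR-PDUs to 53-byte cells with a 5-byte header, is shown below together with the receive-side checks. This is an added example, not code from the 3Com guide; the header bit layout, the HEC and the AAL5 trailer follow the ITU-T definitions rather than anything stated on this page, and the function names, the VPI/VCI 0/40 and the 100-byte payload are constructed sample values.

```python
import struct

CELL_HEADER = 5      # bytes, generated by the ATM layer
CELL_PAYLOAD = 48    # bytes, one SAR-PDU
AAL5_TRAILER = 8     # CPCS-UU, CPI, 16-bit length, CRC-32
MAX_CELLS = 1366     # enough cells for a 65535-byte AAL5 payload plus trailer


def hec(first4):
    """Header error control: CRC-8 (x^8+x^2+x+1) of header bytes 0-3, XOR 0x55."""
    crc = 0
    for byte in first4:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0x55


def crc32_aal5(data):
    """AAL5 CRC-32: polynomial 0x04C11DB7, MSB first, preset and inverted."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            crc = ((crc << 1) ^ 0x04C11DB7) if crc & 0x80000000 else (crc << 1)
            crc &= 0xFFFFFFFF
    return crc ^ 0xFFFFFFFF


def uni_header(vpi, vci, pt=0, clp=0, gfc=0):
    """Pack a UNI cell header: GFC(4) VPI(8) VCI(16) PT(3) CLP(1) HEC(8)."""
    if not (0 <= gfc < 16 and 0 <= vpi < 256 and 0 <= vci < 65536
            and 0 <= pt < 8 and clp in (0, 1)):
        raise ValueError("header field out of range")
    first4 = struct.pack(">I", gfc << 28 | vpi << 20 | vci << 4 | pt << 1 | clp)
    return first4 + bytes([hec(first4)])


def parse_header(cell):
    """Validate cell size and HEC, then unpack the header fields."""
    if len(cell) != CELL_HEADER + CELL_PAYLOAD:
        raise ValueError("cell is not 53 bytes")
    if hec(cell[:4]) != cell[4]:
        raise ValueError("HEC mismatch")
    word = struct.unpack(">I", cell[:4])[0]
    return {"gfc": word >> 28, "vpi": word >> 20 & 0xFF,
            "vci": word >> 4 & 0xFFFF, "pt": word >> 1 & 7, "clp": word & 1}


def aal5_segment(payload, vpi, vci):
    """Pad the packet, append the AAL5 trailer, and cut it into 53-byte cells."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload exceeds the 16-bit AAL5 length field")
    pad = -(len(payload) + AAL5_TRAILER) % CELL_PAYLOAD
    body = payload + bytes(pad) + struct.pack(">BBH", 0, 0, len(payload))
    pdu = body + struct.pack(">I", crc32_aal5(body))
    cells = []
    for off in range(0, len(pdu), CELL_PAYLOAD):
        last = off + CELL_PAYLOAD == len(pdu)
        # PT bit 0 set marks the final cell of the packet
        cells.append(uni_header(vpi, vci, pt=1 if last else 0)
                     + pdu[off:off + CELL_PAYLOAD])
    return cells


def aal5_reassemble(cells, vpi, vci):
    """Rebuild one packet for the given VPI/VCI, rejecting damaged input."""
    buf = bytearray()
    for cell in cells:
        hdr = parse_header(cell)
        if (hdr["vpi"], hdr["vci"]) != (vpi, vci) or hdr["pt"] & 4:
            continue                      # other channel, or a management cell
        buf += cell[CELL_HEADER:]
        if len(buf) > MAX_CELLS * CELL_PAYLOAD:
            raise ValueError("PDU exceeds the AAL5 maximum")
        if hdr["pt"] & 1:
            break
    else:
        raise ValueError("no end-of-packet cell seen")
    length, crc = struct.unpack(">HI", buf[-6:])
    if crc32_aal5(bytes(buf[:-4])) != crc:
        raise ValueError("CRC-32 mismatch")
    if not 0 <= len(buf) - AAL5_TRAILER - length < CELL_PAYLOAD:
        raise ValueError("length field inconsistent with cell count")
    return bytes(buf[:length])


def demo():
    payload = bytes(range(100))           # constructed sample packet
    cells = aal5_segment(payload, vpi=0, vci=40)
    return len(cells), aal5_reassemble(cells, 0, 40) == payload


if __name__ == "__main__":
    print(demo())
```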
Overview of IPoA, IPoEoA, PPPoA and PPPoEoA Applications
ATM interfaces support the IPoA, IPoEoA, PPPoA and PPPoEoA applications.
IPoA
IP over AAL5 (IPoA) carries IP packets over AAL5. AAL5 provides the IP hosts on
the same network with the data link layer for communications. In addition, to
allow these hosts to communicate on the same ATM network, IP packets must be
adjusted somewhat.
IPoEoA
IPoE over AAL5 (IPoEoA) adopts a three-layer architecture, with IP encapsulation at
the uppermost layer, IP over Ethernet (IPoE) in the middle, and IPoEoA at the
bottom.
For IPoEoA, the device can implement the following basic functions:
In the application of IPoEoA, one virtual Ethernet (VE) interface can be associated
with multiple PVCs.
PPPoA
PPP over AAL5 (PPPoA) means that AAL5 bears the PPP protocol packets. In
essence, ATM cells are used to encapsulate PPP packets, while IP or other
packets are encapsulated in PPP packets. In this way, AAL5 may be simply viewed
as the bearer layer of PPP packets. PPPoA is important because the communication
process of PPPoA is managed by PPP, and thus it can make use of PPP’s flexibility
and extensive applications. Before transmitting PPP packets over AAL5, users must
create a virtual template (VT) interface. For more information about virtual
template interfaces, refer to “VT and VA Interface” on page 534.
PPPoEoA
PPPoE over AAL5 (PPPoEoA) carries PPPoE packets over AAL5. This is to
encapsulate Ethernet frames in ATM cells. In this case, a PVC simulates all
functions of Ethernet. To allow AAL5 to carry Ethernet frames, the interface
management module provides the virtual Ethernet (VE) interface. This VE interface
has Ethernet characteristics and can be dynamically created through configuration
commands. The following is the protocol stack for the VE interface:
Protocols the same as those for the Ethernet interface at the network layer and
upper layers
For more information about the VE interface, please refer to “Introduction to VE”
on page 536.
Task | Remarks
“Configuring ATM Interface” on page 130 | Required
“Configuring an ATM Sub-Interface” on page 130: “Configuring an ATM Sub-Interface” on page 130 | Required
“Configuring an ATM Sub-Interface” on page 130: “Checking Existence of PVCs When Determining the Protocol State of an ATM P2P Sub-interface” on page 131 |
“Configuring PVC” on page 131: “Configuring PVC parameters” on page 131 | Optional
“Configuring PVC” on page 131: “Assigning a Transmission Priority to an ATM PVC” on page 132 | Optional
“Configuring PVC” on page 131: “Configuring PVC Service Map” on page 133 | Optional
“Configuring an ATM Class” on page 133 | Optional
“Configuring VP Policing” on page 136 | Optional
“Configuring Applications over ATM” on page 136: “Configuring IPoA” on page 136 | Optional
“Configuring Applications over ATM” on page 136: “Configuring IPoEoA” on page 137 | Optional
“Configuring Applications over ATM” on page 136: “Configuring PPPoA” on page 137 | Optional
“Configuring Applications over ATM” on page 136: “Configuring PPPoEoA” on page 138 | Optional
Configuring ATM Interface
Depending on the actual networking environment and system requirements,
sometimes it may be necessary to modify certain parameters of an ATM interface.
Note that although these parameters apply to the ATM main interface and
sub-interfaces at the same time, they must be modified in ATM main interface
view, except for the mtu command, which can be executed on a sub-interface.
Refer to “ATM and DSL Interface Configuration” on page 71 for more information
about ATM interface configuration.
Configuring an ATM Sub-Interface
CAUTION:
■ When creating an ATM sub-interface, the two keywords p2mp and p2p are
available. The format of the command is interface atm
interface-number.subnumber [ p2mp | p2p ].
■ When entering the view of an existing ATM sub-interface, the two keywords
are not available. The format of the command becomes interface atm
interface-number.subnumber.
Checking Existence of PVCs When Determining the Protocol State of an ATM P2P Sub-interface
Follow these steps to check existence of PVCs when determining the protocol
state of an ATM P2P sub-interface:
To do... | Use the command... | Remarks
Enter system view | system-view | -
Create an ATM sub-interface and enter its view | interface atm interface-number.subnumber p2p | Required. By default, the sub-interface is configured as point-to-multipoint (p2mp).
Check existence of PVCs when determining the protocol state of the ATM P2P sub-interface | atm-link check | Required. By default, the protocol state of the ATM P2P sub-interface is consistent with the state of the physical interface.
Configuring PVC
Assigning a Transmission Priority to an ATM PVC
You can assign transmission priority to ATM PVCs associated with the UBR, VBR-RT,
or VBR-NRT service. At the time of bandwidth allocation, the PVC with higher
priority has priority over other PVCs.
Configuring PVC Service Map
PVC service map allows different PVCs from the same PVC-Group to carry IP
packets of different priorities.
Configuring an ATM Class
An ATM class facilitates ATM configuration. Configurations of PVC MAP,
encapsulation type, OAM loopback, and service category can be implemented
via an ATM-Class. First create an ATM class and set the parameters needed, and
then call the ATM class in PVC view or ATM interface view.
■ All the configurations that are directly performed on the PVC, performed on the
ATM class applied to the PVC, and performed on the ATM class applied to the
ATM interface take effect if they do not conflict.
■ For different configurations performed on a PVC, the ATM class applied to the
PVC, and the ATM class applied to the ATM interface, if the configurations
conflict with each other, those applied first take effect, and a conflict prompt
appears when the rest are performed.
■ When an ATM class is applied to a PVC, no message is prompted no matter
whether or not the ATM class is successfully applied.
■ Error messages are prompted when configurations performed to a PVC are
invalid.
Configuring VP Policing
VP policing is used to set the sustainable rate of a virtual path identifier (VPI).
When VP policing is applied, the parameters of the PVC are still valid. Packets are
transmitted or received only when the parameters of both the PVC and VP policing
are satisfied. In calculating the traffic, the LLC/SNAP, MUX and NLPID headers are
included, but the ATM cell header is not included.
Configuring Applications over ATM
Note that a PVC cannot carry multiple protocols when the ATM AAL5 is
encapsulated with aal5mux. Once IPoA is configured on the PVC, other protocols
such as IPoEoA, PPPoA and PPPoEoA are not supported.
Configuring PPPoA
When two routers are connected using DSL interfaces through a dial-up
connection, configure them as PPPoA server and client respectively. The two are
different in that, with the PPPoE server, you should configure an address pool to
allocate an IP address to the remote node; with the PPPoE client, you should
configure address negotiation to accept the IP address allocated by the server end.
For relevant information, refer to “PPP and MP Configuration” on page 363.
The following configurations enable the PVC to carry PPP and configure a PPP
mapping for the PVC.
Note that a PVC cannot carry multiple protocols when the ATM AAL5 is
encapsulated with aal5mux. Once PPPoA is configured on the PVC, other
protocols such as IPoA, IPoEoA, and PPPoEoA are not supported.
Note: As for the next hop and the outbound interface, only the former is required when
you configure a static route on a virtual-template interface. If you want to specify
the outbound interface as well, make sure the physical interface bound to the
virtual-template is valid.
Configuring PPPoEoA
PPPoE adopts the Client/Server model. It encapsulates PPP packets into Ethernet
frames and provides point-to-point connection on Ethernet. The following
configurations enable the PVC to carry PPPoE and configure a PPPoE mapping for
the PVC.
Note that a PVC cannot carry multiple protocols when the ATM AAL5 is
encapsulated with aal5mux. Once PPPoEoA is configured on the PVC, other
protocols such as IPoA, IPoEoA and PPPoA are not supported.
Note: As for the next hop and the outbound interface, only the former is required when
you configure a static route on a virtual-template interface. If you want to specify
the outbound interface as well, make sure the physical interface bound to the
virtual-template is valid.
Displaying and Maintaining ATM
To do... | Use the command... | Remarks
Show the relevant information of ATM interface | display atm interface [ atm interface-number ] | Available in any view
Show the relevant information of the PVC | display atm pvc-info [ interface interface-type interface-number [ pvc { pvc-name [ vpi/vci ] | vpi/vci } ] ] | Available in any view
Show the information of the PVC mapping | display atm map-info [ interface interface-type interface-number [ pvc { pvc-name [ vpi/vci ] | vpi/vci } ] ] | Available in any view
Display PVC-Group information | display atm pvc-group [ interface interface-type interface-number [ pvc { pvc-name [ vpi/vci ] | vpi/vci } ] ] | Available in any view
Show the relevant information of the ATM-Class | display atm class [ atm-class-name ] | Available in any view
ATM Configuration Examples
NOTE: In the following examples, the digital subscriber line access multiplexer
(DSLAM) is an MA 5100 multi-business access device, and its configuration
command sequence is the corresponding command sequence under the MA 5100
configuration environment. The ADSL router is configured according to the
devices actually selected in the actual networking environment. For complete
details about configuration commands, please refer to the corresponding
command manuals.
In practical networking, the network devices might differ from the assumed
devices in networking capacity and configuration command format. Such
differences may exist without notice.
The IP addresses of the ATM interfaces of the three routers are 202.38.160.1/24,
202.38.160.2/24 and 202.38.160.3/24 respectively.
In the ATM network, the VPI/VCI values of Router A are 0/40 and 0/41, connecting
to Router B and Router C respectively. The VPI/VCI values of Router B are 0/50 and
0/51, connecting to Router A and Router C respectively. The VPI/VCI values of
Router C are 0/60 and 0/61, connecting to Router A and Router B respectively.
All the PVCs on the ATM interfaces of the three routers work in IPoA application
mode.
Network diagram
[Figure: Router A (ATM1/0, 202.38.160.1/24; VPI/VCI 0/40 to Router B, 0/41 to Router C), Router B (ATM1/0, 202.38.160.2/24; VPI/VCI 0/50 to Router A, 0/51 to Router C) and Router C (ATM1/0, 202.38.160.3/24; VPI/VCI 0/60 to Router A, 0/61 to Router B) connected through the ATM network.]
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] interface atm 1/0
[RouterA-Atm1/0] ip address 202.38.160.1 255.255.255.0
<RouterB> system-view
[RouterB] interface atm 1/0
[RouterB-Atm1/0] ip address 202.38.160.2 255.255.255.0
<RouterC> system-view
[RouterC] interface atm 1/0
[RouterC-Atm1/0] ip address 202.38.160.3 255.255.255.0
Network diagram
[Figure: Host A and Host B on an Ethernet behind ADSL Router A, and Host C and Host D on an Ethernet behind ADSL Router B, connect through the DSLAM to Router C. Router C: ATM1/0.1, VPI/VCI 0/60 to Router A and 0/61 to Router B; VE 1, 202.38.160.1/24.]
Configuration procedure
Configure Router C:
<RouterC> system-view
[RouterC] interface virtual-ethernet 1
[RouterC-Virtual-Ethernet1] ip address 202.38.160.1 255.255.255.0
[RouterC-Virtual-Ethernet1] quit
■ The VPI/VCI values of the two PVCs connecting Router C and the DSLAM are 0/60
and 0/61, pointing to ADSL Router A and ADSL Router B respectively.
■ Both the WAN port of Router C and the DSL interfaces of the two ADSL Routers
adopt PPPoA. The authentication mode of the ADSL Routers is PAP. The IP addresses
of the two ADSL Routers are assigned by Router C.
Network diagram
[Figure: Host A, ADSL Router A and Router B connect through the DSLAM to Router C. Router C: ATM1/0.1, VPI/VCI 0/60 to Router A and 0/61 to Router B; VT10, 202.38.160.1/24; VT11, 202.38.161.1/24.]
Configuration procedure
1 Configure Router C (PPPoA Server)
# Create user for PPP authentication, and establish local IP address pool.
<RouterC> system-view
[RouterC] local-user user1
[RouterC-luser-user1] service-type ppp
[RouterC-luser-user1] password simple pwd1
[RouterC-luser-user1] quit
[RouterC] local-user user2
[RouterC-luser-user2] service-type ppp
[RouterC-luser-user2] password simple pwd2
[RouterC-luser-user2] quit
[RouterC] domain system
[RouterC-isp-system] authentication ppp local
[RouterC-isp-system] ip pool 1 202.38.162.1 202.38.162.100
[RouterC-isp-system] quit
<RouterA> system-view
[RouterA] interface Virtual-Template 0
[RouterA-Virtual-Template0] ppp pap local-user user1 password simple pwd1
[RouterA-Virtual-Template0] ip address ppp-negotiate
[RouterA-Virtual-Template0] quit
CAUTION: If the client cancels the IP address it has received through address
negotiation, or the client is configured with a fixed IP address, the communication
between the server and the client will fail. In this case, you need to shut down the
ATM interface first, and delete the IP address pool on the server.
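The PPPoA example above stores the PPP passwords with password simple and has the client authenticate with PAP, which sends that password over the link unencrypted. The following Python script is an added example, not part of the 3Com manual: it audits a command transcript in the prompt format used on this page and reports both conditions with the password redacted. The rule names, the Finding type and the sample transcript (abridged from the example above) are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample, abridged from the PPPoA example on this page.
SAMPLE_SESSION = """\
<RouterC> system-view
[RouterC] local-user user1
[RouterC-luser-user1] service-type ppp
[RouterC-luser-user1] password simple pwd1
[RouterC-luser-user1] quit
[RouterC] domain system
[RouterC-isp-system] authentication ppp local
[RouterC-isp-system] ip pool 1 202.38.162.1 202.38.162.100
[RouterC-isp-system] quit
<RouterA> system-view
[RouterA] interface Virtual-Template 0
[RouterA-Virtual-Template0] ppp pap local-user user1 password simple pwd1
[RouterA-Virtual-Template0] ip address ppp-negotiate
[RouterA-Virtual-Template0] quit
"""

# "<Device> command" (user view) or "[Device-view] command" (system or sub-view).
PROMPT = re.compile(r"^\s*(?:<(?P<user>[^>]+)>|\[(?P<sys>[^\]]+)\])\s*(?P<cmd>.*)$")
# Any command that carries a plaintext password argument.
SIMPLE_PW = re.compile(r"(\bpassword\s+simple\s+)(\S+)")
# PAP client credentials configured on an interface.
PAP_CLIENT = re.compile(r"^ppp\s+pap\s+local-user\s+\S+")


@dataclass(frozen=True)
class Finding:
    device: str
    view: str
    rule: str
    line_no: int
    command: str  # command text with the password replaced by ******


def split_prompt(line, current_device=None):
    """Return (device, view, command), or None for comments and blank lines."""
    m = PROMPT.match(line)
    if m is None:
        return None
    cmd = m.group("cmd").strip()
    if m.group("user"):
        return m.group("user"), "user", cmd
    inner = m.group("sys")
    # Prefer the device name seen at the last user-view prompt, so that
    # device names containing "-" are not mistaken for a view suffix.
    if current_device and (inner == current_device
                           or inner.startswith(current_device + "-")):
        return current_device, inner[len(current_device) + 1:] or "system", cmd
    device, _, view = inner.partition("-")
    return device, view or "system", cmd


def audit(session):
    """Flag plaintext-stored passwords and PAP client credentials."""
    findings = []
    device = None
    for line_no, raw in enumerate(session.splitlines(), start=1):
        parsed = split_prompt(raw, device)
        if parsed is None:
            continue
        device, view, cmd = parsed
        redacted = SIMPLE_PW.sub(r"\1******", cmd)
        if SIMPLE_PW.search(cmd):
            findings.append(
                Finding(device, view, "plaintext-stored-password", line_no, redacted))
        if PAP_CLIENT.match(cmd):
            findings.append(
                Finding(device, view, "pap-sends-password-in-clear", line_no, redacted))
    return findings


def report(findings):
    """One printable line per finding; never includes the password itself."""
    return [f"{f.device} [{f.view}] line {f.line_no}: {f.rule}: {f.command}"
            for f in findings]


if __name__ == "__main__":
    for row in report(audit(SAMPLE_SESSION)):
        print(row)
```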
The VPI/VCI addresses of the two PVCs connecting Router C with the DSLAM are
0/60 and 0/61, pointing to ADSL Router A and ADSL Router B respectively.
Both the WAN port of Router C and the DSL interface of each ADSL Router adopt
PPPoEoA. Each host within the two Ethernets uses a pre-installed PPPoE client
program to perform interactive PAP authentication with the routers, and obtains
an IP address from the router.
Network diagram
[Figure: Host A and Host B on an Ethernet behind one ADSL Router, and Host D on an Ethernet behind the other ADSL Router, connect through the DSLAM to Router C. Router C: ATM1/0.1, VPI/VCI 0/60 to Router A and 0/61 to Router B; VT10 and VT11; 202.38.160.1/24.]
Configuration procedure
Configure Router C:
# Configure the users in the domain to use PPP authentication scheme, and create
local IP address pool.
<RouterC> system-view
[RouterC] local-user user1
[RouterC-luser-user1] service-type ppp
[RouterC-luser-user1] password simple pwd1
[RouterC-luser-user1] quit
[RouterC] local-user user2
[RouterC-luser-user2] service-type ppp
[RouterC-luser-user2] password simple pwd2
[RouterC-luser-user2] quit
[RouterC] domain system
[RouterC-isp-system] authentication ppp local
[RouterC-isp-system] ip pool 1 202.38.162.1 202.38.162.100
[RouterC-isp-system] quit
Network diagram
[Figure: Host A and Host B, a hub, Router A (ATM1/0), the ATM network and the server.]
Configuration procedure
1 Configure Router A:
<RouterA> system-view
[RouterA] local-user sysname
[RouterA-luser-sysname] password simple hello
[RouterA-luser-sysname] service-type ppp
[RouterA-luser-sysname] quit
# Create dialer port and configure the dial-up and PPP authentication:
# Create a VE interface:
# Configure VE port:
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] password simple hello
[Sysname-luser-user1] service-type ppp
# Configure the users in the domain to use the local authentication scheme, and
create a local IP address pool.
# Configure a VE interface.
After the above-mentioned configuration, the link layer is able to work normally,
and the PCs can communicate with the server via the ATM upper layer protocols.
Let Router A distribute an equal amount of traffic to Router B on two PVCs and
observe the statistics about received/sent/dropped packets.
Network diagram
[Figure: ATM1/0 (202.38.160.1/24) connected to ATM1/0 (202.38.160.2/24); PVC2 is labelled on the link.]
Configuration procedure
Configure Router A
<RouterA> system-view
[RouterA] interface atm 1/0
[RouterA-Atm1/0] ip address 202.38.160.1 255.255.255.0
# Create two PVCs and assign them different transmission priority values.
[RouterA-atm-pvc-Atm1/0-0/33-1] quit
[RouterA-Atm1/0] pvc 2 0/32
[RouterA-atm-pvc-Atm1/0-0/32-2] map ip 202.38.160.3
[RouterA-atm-pvc-Atm1/0-0/32-2] service ubr 100000
[RouterA-atm-pvc-Atm1/0-0/33-1] transmit-priority 3
After two equal traffic flows that exceed the ATM bandwidth are sent to Router B,
you can use the display atm pvc-info interface atm 1/0/0 pvc command on Router
B to view statistical results for each PVC (you can make several tests and observe
the average statistical value). You can see that the PVC with higher priority
receives more packets than that with lower priority. In other words, the PVC with
the highest priority takes precedence in getting bandwidth, and the other PVCs (if
there are many and with different priority values), regardless of their priority
values, are treated equally in terms of bandwidth allocation.
Troubleshooting ATM
Solution:
Make sure that the PVC is successfully created and communication between cards is
normal.
Solution:
Refer to “Link State Error in IPoA Application” on page 149.
Solution:
If IPoA is used, make sure that the IP protocol address mapping is configured
correctly. If the interfaces of two routers are connected back-to-back, the local
PVC mapped to the remote IP must have the same VPI/VCI value as the remote
PVC mapped to the local IP. In addition, the IP addresses of the two ends must also
be in the same network segment.
If two routers are connected back-to-back, make sure that at least one of the
interfaces uses the internal transmission clock (master). Or, if the routers are
connected to an ATM network, the transmission clock should be set to line clock.
Check the ATM interfaces of the two sides to make sure that they are of the same
type, for example, both are multimode fiber interfaces or both are single mode
fiber interfaces, or both are multimode fiber interfaces but connected using single
mode. If a multimode fiber interface and a single mode fiber interface are directly
connected, they can communicate in most cases, but sometimes with frequent
packet dropping and CRC errors.
If the two ends are PPPoA, make sure that their IP addresses (should be in the
same network segment) and authentication are correctly configured.
If, according to the ping command, small packets can pass but big packets
cannot, make sure that the mtu configurations of the two router interfaces are
the same.
Solution:
Make sure that the optical fibers are correctly plugged into the ATM interface.
There should be two optical fibers, one for receiving information and one for
sending information. The two are not exchangeable. If they are wrongly plugged,
the interface state of ATM cannot be UP.
If two routers are connected back-to-back, check if neither of the two ATM
interfaces enables internal transmission clock. By default, routers use line clock. If
two routers are connected back-to-back, one of them should be configured as
internal transmission clock with the clock master command.
Please check if this fault results from enabling OAM F5 Loopback cell transmission
and retransmission detection. When two ATM devices are connected, the VPI/VCI
value of the PVCs on the two devices must be the same. Provided that OAM F5
cell transmission and retransmission detection is enabled, and the VPI/VCI value of
the remote node (connected directly with the local node) is not the same as the
local node, the local PVC state cannot change into UP.
Solution:
Make sure that the remote node supports the same application as configured on
the local node. For example, if the local node uses PPPoA, the remote node should
also use PPPoA.
If the remote node supports the same application configured on local node, make
sure that the two sides use the same type of AAL5 encapsulation protocol. For
example, if one side uses SNAP whereas the other uses MUX, they cannot
communicate. You can enable the packet debugging function of ATM to get some
clues.
Solution:
Check the ATM interfaces of the two nodes to see if their types are the same,
namely, both are multimode fiber interfaces or both are single mode fiber interfaces.
If their types are different, you should change one of them. In most cases, when a
multimode fiber interface and a single mode fiber interface are directly connected,
they can communicate, but sometimes with the above-mentioned faults.
Generally speaking, you can successfully locate most problems mentioned and not
mentioned above if you enable all the ATM debugging functions during the
process.
Overview
Dial control center (DCC) is a routing technology adopted when routers
interconnect through a public switched network like a public switched telephone
network (PSTN) or an integrated services digital network (ISDN). It can provide the
dial-on-demand service where any two routers dial to set up connection when
data needs transferring instead of setting up connection before that. When the
link becomes idle, DCC automatically disconnects it.
At present, Frame Relay (FR) is widely applied. Usually, users access Frame Relay
networks through leased lines. To reduce the cost and speed up accesses, Frame
Relay over ISDN (FRoI) technology can be used instead. Meanwhile, ISDN can act
as a backup to FR access.
Approaches to DCC
Two approaches are available to DCC: circular DCC (“C-DCC” on page 154), and
resource-shared DCC (“RS-DCC” on page 155). They are suitable for different
applications. In practice, the two parties in a call do not necessarily adopt the same
approach.
NOTE: DCC terms:
■ Physical interface: An interface that physically exists. Examples are serial, BRI,
and asynchronous interfaces.
■ Dialer interface: A logical interface created for configuring DCC parameters. A
physical interface inherits the DCC configuration of a dialer interface if it is
assigned to the dialer interface.
■ Dial interface: Any interface used for dialup connection. It can be a dialer
interface, a physical interface assigned to a dialer interface, or a physical
interface directly configured with DCC parameters.
C-DCC
1 Features of C-DCC
■ A logical dial (dialer) interface can contain multiple physical interfaces, but a
physical interface can be assigned to only one dialer interface. That is, a
physical interface can only provide one type of dial service.
■ You may assign a physical interface to a dialer interface to inherit DCC
parameters by assigning it to a dialer circular group, or directly configure DCC
parameters on the physical interface.
■ All the physical interfaces in a dialer circular group inherit the attributes of the
same dialer interface.
■ You may associate a dialer interface with multiple call destination addresses by
configuring the dialer route command or with a single call destination address
by configuring the dialer number command.
C-DCC is powerful and has broad applications. However, it lacks flexibility and
extensibility.
For example, on an ISDN BRI interface, all the B channels inherit its configuration
in the C-DCC approach. The static binding between call destination address
settings and physical interface configurations will restrict the use of C-DCC, as
dialer routes are becoming increasingly complicated as a result of network growth
and support to more protocols.
[Figure: association of physical interfaces (S2/1, BRI1/1, S2/2, Async5/0), dialer interface Dialer 2, dialer routes, and destinations B and C.]
As shown in the above figure, a physical interface can be assigned to only one
dialer interface, but each dialer interface can contain multiple physical interfaces
and be mapped to multiple destination addresses. In addition, a physical interface
does not necessarily belong to any dialer interface. You may directly map it to one
or multiple destination addresses.
In the figure, physical interfaces Serial 2/1, BRI 1/1 and Serial 2/2 are assigned to
Dialer2, where mappings between dial strings and destination addresses are
configured.
RS-DCC
1 Different from C-DCC, RS-DCC separates logical configuration from physical
configuration. Thus, it is simpler and more flexible. RS-DCC delivers these features:
■ Physical interface configuration and logical configuration for calls are separate.
They are associated dynamically when triggered by calls. This allows a physical
interface to provide services for different dial applications.
■ Associations between dialer interfaces and call destination address are
one-to-one. You may configure them with the dialer number command.
■ Each dialer interface can contain multiple physical interfaces, and each physical
interface can be assigned to multiple dialer interfaces.
■ Dial attributes, such as dialer interface, dialer bundle, and physical interface,
are described by an RS-DCC set. All the calls destined to the same network use
the same RS-DCC set.
■ RS-DCC parameters cannot be directly configured on physical interfaces. A
physical interface can participate in RS-DCC only after it is assigned to a dialer
interface.
2 Association of physical interfaces, dialer bundles and dialer interfaces in RS-DCC
[Figure: physical interfaces (S2/0, BRI1/0, S2/1, S2/2, Async5/0) grouped into Dialer bundle1, Dialer bundle2 and Dialer bundle3; dialer interfaces Dialer1 and Dialer3 are associated by dialer number with Destination A and Destination C.]
use only one dialer bundle and configured with one dial string. The physical
interfaces in a dialer bundle can be assigned different priorities.
In the figure, interface Dialer2 uses Dialer bundle 2 that contains physical
interfaces BRI 1/0, BRI 1/1 and Serial 2/1. Suppose BRI 1/0 is assigned the priority
of 100, BRI 1/1 the priority of 50, and Serial 2/1 the priority of 75. Since BRI 1/0
has a higher priority over BRI 1/1 and Serial 2/1, it will be preferred first when
Dialer2 wants to place a call.
■ Enhance security: When placing a return call, the server dials the calling
number configured at the local end. This prevents the insecurity resulting from
user name and password compromise.
■ Change the charge bearer. This is useful for saving cost in the case that the call
rates in two directions are different.
■ Consolidate call charge bills to facilitate settlement.
At present, PPP callback and ISDN caller identification callback features are
available. The PPP callback conforms to RFC1570 specifications and can be used
where both client and server own fixed network addresses, or the client accepts
dynamic network address assignment.
Preparing for DCC Configuration
When preparing for DCC configuration, you need to do the following:
■ “Identifying the topology of DCC application” on page 157
DCC Configuration
Configuring Basic Parameters for DCC
Regardless of which DCC approach is used, C-DCC or RS-DCC, you must perform
the tasks described in this section.
Task                                                   Remarks
“Configuring physical interfaces” on page 158          Optional
                                                       Skip this task when configuring on ISDN BRI
                                                       or PRI interfaces.
“Associating a DCC dial ACL with the dial              Required
interface” on page 158
“Configuring link layer/network/routing                Required
protocol on the dial interface” on page 158
For DCC to send packets normally, you must configure a dial access control list
(ACL) and associate it with the concerned dial interface (physical or dialer) by using
the dialer-group command. You may either configure a dial ACL directly using
the dialer-rule command or reference an existing ACL.
Follow these steps to associate a dial ACL with the dial interface:
Configuring C-DCC
In C-DCC approach, you can configure DCC parameters for a physical interface in
either of the following two ways:
■ Directly configure DCC parameters on the physical interface. This is applicable
only to one-to-one calls or one-to-many calls.
■ Bind the interface to a dialer interface by assigning it to the dialer circular
group associated with the dialer interface. Thus, the interface can inherit the
DCC parameters configured on the dialer interface. This is applicable to
many-to-one and many-to-many calls in addition to one-to-many and
one-to-one calls.
Depending on your network topology and dial needs, for example, to allow one or
multiple interfaces to both place and receive calls, you may use any combinations
of the following C-DCC configuration approaches:
In the C-DCC implementation of DCC, the two dial parties can configure the
password authentication protocol (PAP) or the challenge-handshake
authentication protocol (CHAP) authentication. You are recommended to
configure authentication to ensure security of dialing IDs. When doing that, note
the following:
■ If one party has configured authentication, the other party must do that as
well.
■ At the sending side, if DCC is enabled on physical interfaces, directly configure
PAP or CHAP authentication on the physical interfaces. If DCC is enabled on a
dialer circular group, configure PAP or CHAP authentication on the dialer
interface corresponding to the dialer circular group.
■ At the receiving end, you are recommended to make the configuration on both
physical and dialer interfaces. This is because after a physical interface receives
a call, it negotiates PPP and authenticates the dialer prior to handing the call
over to the upper layer DCC module.
[Figure: the local end (single interface, if0) connected to the remote end (single interface, if1).]
In this scenario, for Interface0 (if0) to place DCC calls to a single remote interface
if1, you may configure a dial string with the dialer number or dialer route
command. As calls are to be placed from a single interface, you can configure
DCC by configuring a dialer circular group. In addition, you may configure PAP or
CHAP authentication.
After completing the basic DCC configurations, follow these steps to configure an
interface to place calls to a remote end:
Figure 16 Network diagram for an interface to receive calls from a remote end
In this scenario, for interface0 (if0) at the local end to receive DCC calls from a
remote interface if1, you can configure DCC by configuring a dialer circular group.
In addition, you may configure authentication, PAP or CHAP.
After completing the basic DCC configurations, follow these steps to configure an
interface to receive calls from a single remote end:
Figure 17 Network diagram for an interface to place calls to multiple remote ends
[Figure: the local end (single interface, if0) and remote ends A, B and C (single/multiple interfaces; if1, if2 and if3).]
In this scenario, a single local interface interface0 (if0) places DCC calls to multiple
remote interfaces including if1 and if2. As multiple remote ends are involved, you
must use the dialer route command to configure the dialer strings and
destination addresses. As only one originating interface is involved, you may
configure DCC parameters for the interface by configuring a dialer circular group.
In addition, you may configure PAP or CHAP authentication.
After completing the basic DCC configurations, follow these steps to configure an
interface to place calls to multiple remote ends:
Figure 18 Network diagram for an interface to receive calls from multiple remote ends
[Figure: the local end (single interface, if0) and remote ends A, B and C (single/multiple interfaces; if1, if2, if3 and if4).]
In this scenario, a single local interface interface0 (if0) receives DCC calls from
multiple remote interfaces including if1 and if4. As only one interface is involved
at the local end, you may configure DCC parameters for the interface by
configuring a dialer circular group. In addition, you may configure PAP or CHAP
authentication.
After completing the basic DCC configurations, follow these steps to configure an
interface to receive calls from multiple remote ends:
Figure 19 Network diagram for multiple interfaces to place calls to one or multiple remote ends
[Figure: the local end (multiple interfaces) and remote ends B and C (single/multiple interfaces).]
In this scenario, interfaces if0, if1, and if2 at the local end place DCC calls to
interfaces if1, if2 and if3 at the remote end. If only one remote end is involved, use
the dialer number dial-number command to configure a dial string. If multiple
remote ends are involved, use the dialer route command to configure the dial
strings and destination addresses. As multiple interfaces are involved at the local
end, configure DCC parameters for them by configuring dialer circular groups. In
addition, you may configure PAP or CHAP authentication.
When placing calls, the physical interfaces in a dialer circular group use the IP
address of the associated dialer interface instead of its own. An ISDN BRI or PRI
interface itself can be regarded as a dialer circular group for its B channels. At the
same time, it can be assigned to other dialer circular groups.
After completing the basic DCC configurations, follow these steps to configure
multiple interfaces to place calls to one or multiple remote ends:
Figure 20 Network diagram for multiple interfaces to receive calls from one or multiple remote ends
[Figure: the local end (multiple interfaces; if0, if1 and if2) and remote ends A, B and C (single/multiple interfaces; if1, if2, if3 and if4).]
In this scenario, interfaces if0, if1, and if2 at the local end receive DCC calls from
multiple remote interfaces including if1, if2 and if4. As multiple interfaces are
involved at the local end, configure DCC parameters for them by configuring a
dialer circular group. In addition, you may configure PAP or CHAP authentication.
After completing the basic DCC configurations, follow these steps to configure
multiple interfaces to receive calls from one or multiple remote ends:
Configuring RS-DCC
In RS-DCC approach, physical interface configuration is separated from logical
configuration for calls and they can be combined dynamically for each call.
When configuring RS-DCC for on-demand dial, you need to configure RS-DCC
sets. Each RS-DCC set is an attribute collection containing a dialer interface, dialer
interface attributes, and a dialer bundle as follows:
■ For each dialer interface, you can define only one dial string. As this dial string
has its own dial attribute set, all calls placed using this dial string use the same
DCC attribute parameters (such as dial rate).
■ Each dialer interface can use only one dialer bundle. Each dialer bundle may
contain multiple physical interfaces with different priorities while each of these
interfaces can belong to multiple dialer bundles. For an ISDN BRI or PRI
interface, you can set the number of B channels to be used by configuring the
dialer bundle command.
■ All calls destined to the same network segment use the same RS-DCC set.
[Figure: at the local end (multiple interfaces), dialer interfaces Dialer0, Dialer1 and Dialer2 and the physical interface groups are used to call remote ends A, B and C (single/multiple interfaces; if1, if2 and if3).]
In this scenario, a dialer interface is configured only for calling one remote end.
On-demand dial in this case is implemented by assigning a physical interface to
dialer bundles associated with different dialer interfaces.
If RS-DCC sets are used to configure RS-DCC parameters, you only need to
configure link layer encapsulation and dialer bundle numbers on physical
interfaces.
■ In RS-DCC, a RS-DCC set is unable to apply the attribute information in it, PPP
authentication for example, to the physical interfaces in a dialer bundle. In
other words, the physical interfaces do not inherit the authentication attribute
in the RS-DCC set. Therefore, authentication information must be configured
on call receiving physical interfaces.
■ Authentication is mandatory in RS-DCC. You must configure authentication
(dialer user and PPP authentication) on both dialer interfaces and their physical
interfaces. This is because RS-DCC needs to conduct PPP negotiation on the
physical interface and sends the agreed-upon remote username to DCC. Based
on this remote username, DCC decides which dialer interface address is used
and then informs PPP. PPP then uses the configuration of the dialer interface to
start IP control protocol (IPCP) negotiation.
Task                                                              Remarks
“Enabling RS-DCC” on page 167                                     Required
“Configuring a dial string for the dialer interface” on page 167  Required
“Assigning physical interfaces to the dialer bundle” on page 168  Required
“Configuring dial authentication for RS-DCC” on page 168          Required
Enabling RS-DCC
Follow these steps to enable RS-DCC:
Follow these steps to configure a dial string for the dialer interface:
If you set a link load threshold in the range 1 to 99, MP tunes allocated bandwidth
according to actual traffic percentage as follows:
If you set the link load threshold to zero, DCC brings up all available links when
triggered by auto-dial or packets instead of looking at traffic size before doing
that. In addition, it does not tear down established links on timeout.
To implement MP with DCC, you must use dialer interfaces. The following is how
MP operates after you configure the ppp mp and dialer threshold commands on
a dialer interface:
Some dial applications may require multiple links to carry service. To this end, you
may configure the ppp mp min-bind command, allowing DCC to bring up
multiple links when triggered to ensure minimum bandwidth. The following is
how MP operates in this case:
This process continues until the number of links in the MP bundle reaches the
lower limit.
Note that when MP is used with DCC, the commands dialer threshold, ppp mp
max-bind, and ppp mp min-bind must be configured in dialer interface view.
When configuring other PPP commands, observe the following:
■ In the RS-DCC approach, configure in dialer interface view at the calling end
and in physical dial interface view at the called end. At the calling end,
however, you are recommended to configure the same PPP parameters on
physical dial interfaces as well to ensure reliable PPP link negotiation.
When the three commands, ppp mp min-bind, dialer threshold, and ppp mp
max-bind, are configured, DCC brings up links as follows:
Configuration procedure
Follow these steps to configure MP for DCC:
Configuring PPP Callback
PPP callback adopts the client/server model where the calling party is the callback
client and the called party is the callback server. The client first originates a call,
and the server decides whether to originate a return call. If a return call is needed,
the callback server disconnects and then originates a return call according to the
information such as username or callback number.
As a callback client, your router can place calls to the remote end (which can be a
router or Windows NT server with the PPP callback server function), and receive
return calls from the remote end.
Follow these steps to configure PPP callback client in the C-DCC implementation:
As a callback server, your router can place return calls according to network
addresses configured with the dialer route command (PPP authentication must
be configured in this case), or according to dial strings configured with the
service-type ppp command. You need to select either approach with the dialer
callback-center command.
You need to configure callback client usernames with the dialer route command,
so that the callback server can authenticate whether a callback client is valid when
receiving a call from it.
Follow these steps to configure PPP callback server in the C-DCC implementation:
As a callback client, your router can place calls to the remote end (which can be a
router or Windows NT server with the PPP callback server function), and receive
return calls from the remote end.
Configuring PPP callback client in RS-DCC is the same as that in C-DCC except
that the dial string is configured with the dialer number command in RS-DCC.
Follow these steps to configure PPP callback client in the RS-DCC implementation:
Configuring PPP callback server in RS-DCC is the same as that in C-DCC except
that the callback reference can only be dial-number in RS-DCC and dial strings for
callback must be configured with the service-type ppp command.
NOTE: To leave enough time for a server to call back, the interval between two calls on
the client needs to be at least 10 seconds longer than that of the server. It is
recommended that the interval on the server be set to 5 seconds (the default) and
that on the client be set to 15 seconds.
Configuring ISDN Caller Identification Callback
In an ISDN environment, implementing DCC callback through the ISDN caller
identification function does not require authentication configuration.
Follow these steps to configure the client of ISDN caller identification callback:
Follow these steps to configure the server of ISDN caller identification callback:
NOTE:
■ To make a successful callback for an incoming number, ensure that the dial
string configured in the dialer route or dialer number command on the dial
interface at the server end is exactly the same as the incoming number.
■ To leave enough time for a server to call back, the interval between two calls
on the client needs to be at least 10 seconds longer than that of the server. It is
recommended that the interval on the server be set to 5 seconds (the default)
and that on the client be set to 15 seconds.
Follow these steps to configure the client of ISDN caller identification callback:
Follow these steps to configure the server of ISDN caller identification callback:
ISDN BRI interfaces support both 64 kbps and 128 kbps leased lines. For more
information, refer to “Configuring ISDN BRI” on page 422.
Configuring auto-dial
Auto-dial can be used with C-DCC but not RS-DCC. With auto-dial enabled, DCC
automatically dials the remote end of connection upon each device startup
without requiring a triggering packet. If the connection cannot be established, it
will retry at certain intervals. The connection thus established does not disconnect
due to timeout of the idle-timeout timer as it would in the traffic-triggered dial
approach. Its configuration thus voids the dialer timer idle command.
Configuring DCC Timers and Buffer Queue Length
C-DCC and RS-DCC are available with some optional parameters. You may
configure them appropriately to improve on-demand dial efficiency.
This section covers these topics:
A link idle-timeout timer starts upon setup of a link. When the timer expires, DCC
disconnects the link.
■ Holddown timer
A holddown timer starts upon disconnection of a link. The call attempt to bring up
this link can be made only after the timer expires. This is to prevent a remote PBX
from being overloaded.
■ Compete-idle timer
If all the channels are unavailable when DCC originates a new call, contention
occurs.
■ Wait-carrier timer
Sometimes, the time that DCC waits for a connection to be established may vary
call by call. To handle this situation, you may use a wait-carrier timer. A wait-carrier
timer starts when a call is placed. If the connection is not established upon
expiration of the timer, DCC terminates the call.
Configuration procedure
Follow these steps to configure DCC timers and buffer queue length on a dial
interface:
Configuring Traffic Statistics Interval
Follow these steps to configure traffic statistics interval for DCC:
To do... | Use the command... | Remarks
Enter system view | system-view | --
Set the traffic statistics interval for DCC | dialer flow-interval interval | Optional. The default is 20 seconds.
Displaying and Maintaining DCC
To do... | Use the command... | Remarks
Display information about specified or all dial interfaces | display dialer [ interface interface-type interface-number ] | Available in any view
Display information about a dialer interface | display interface dialer [ number ] | Available in any view
Tear down dialup links | dialer disconnect [ interface interface-type interface-number ] | Available in any view
Configure C-DCC to allow Router A to call Router B and Router C from multiple
interfaces while disabling Router B and Router C from calling each other.
Network diagram
[Diagram not reproduced. Recovered labels: Router A (Dialer 0, 100.1.1.1/24; S2/0, S2/1), PSTN, Router B (S2/0, 100.1.1.2/24).]
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] dialer-rule 1 ip permit
# Assign an IP address to interface Dialer0, associate dialer access group 1 with the
interface, enable C-DCC, and configure dial strings for calling Router B and Router
C.
# Set interface Serial 2/1 to work in asynchronous protocol mode and assign it to
dialer circular group 0.
# Set interface Serial 1/0 to work in asynchronous protocol mode and assign it to
dialer circular group 0.
<RouterB> system-view
[RouterB] dialer-rule 1 ip permit
# Assign an IP address to interface Serial 2/0, associate dialer access group 1 with
the interface, enable C-DCC, and configure two dial strings for calling Router A.
<RouterC> system-view
[RouterC] dialer-rule 1 ip permit
# Assign an IP address to interface Serial 2/0, associate dialer access group 1 with
the interface, enable C-DCC, and configure two dial strings for calling Router A.
The Dialer0 interfaces on Router A and Router B are located on the same network
segment, so are the Dialer1 interface on Router A and the Dialer0 interface on
Router C.
Configure RS-DCC to allow Router A to call Router B and Router C from multiple
interfaces while disabling Router B and Router C from calling each other.
Network diagram
[Diagram not reproduced. Recovered labels: Router A (BRI1/0, 100.1.1.1/24, 8810048), Router B (BRI1/0, 100.1.1.2/24, 8810052), Router C (BRI1/0, 100.1.1.3/24, 8810063), each attached to the ISDN network through an NT 1.]
Configuration procedure
1 Configure Router A
# Configure a dial access control rule for dialer access group 1; create local user
accounts userb and userc for Router B and Router C and configure PPP
authentication for them.
<RouterA> system-view
[RouterA] dialer-rule 1 ip permit
[RouterA] local-user userb
[RouterA-luser-userb] password simple userb
[RouterA-luser-userb] service-type ppp
[RouterA-luser-userb] quit
[RouterA] local-user userc
[RouterA-luser-userc] password simple userc
[RouterA-luser-userc] service-type ppp
[RouterA-luser-userc] quit
# Configure information for PPP authentication and the dial strings on interface
Dialer0. (Assume that PAP is adopted at the local end.)
[RouterA-Dialer0] dialer-group 1
[RouterA-Dialer0] ppp authentication-mode pap
[RouterA-Dialer0] ppp pap local-user usera password simple usera
[RouterA-Dialer0] dialer number 8810052
[RouterA-Dialer0] quit
# Configure information for PPP authentication and the dial strings on interface
Dialer1. (Assume that PAP is adopted at the local end.)
[RouterA-Dialer1] dialer-group 1
[RouterA-Dialer1] ppp authentication-mode pap
[RouterA-Dialer1] ppp pap local-user usera password simple usera
[RouterA-Dialer1] dialer number 8810063
[RouterA-Dialer1] quit
# Configure a dial access control rule for dialer access group 2; create a local user
account usera for Router A and configure PPP authentication for it.
<RouterB> system-view
[RouterB] dialer-rule 2 ip permit
[RouterB] local-user usera
[RouterB-luser-usera] password simple usera
[RouterB-luser-usera] service-type ppp
[RouterB-luser-usera] quit
[RouterB-Dialer0] dialer-group 2
[RouterB-Dialer0] ppp authentication-mode pap
# Configure a dial access control rule for dialer access group 1; create a local user
account usera and configure PPP authentication for it.
<RouterC> system-view
[RouterC] dialer-rule 1 ip permit
[RouterC] local-user usera
[RouterC-luser-usera] password simple usera
[RouterC-luser-usera] service-type ppp
[RouterC-luser-usera] quit
[RouterC-Dialer0] dialer-group 1
[RouterC-Dialer0] ppp authentication-mode pap
[RouterC-Dialer0] ppp pap local-user userc password simple userc
[RouterC-Dialer0] quit
The BRI 1/0 interfaces on these three routers are located on the same network
segment.
The Dialer0 interfaces on Router A and Router B are located on the same network
segment, so are the Dialer1 interface on Router A and the Dialer0 interface on
Router C.
Configure the routers so that Router A can call Router B and Router C from multiple
interfaces, while Router B and Router C cannot call each other, using both the
C-DCC and RS-DCC approaches.
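Network diagram
[First diagram not reproduced. Recovered labels: Router A (BRI1/0, 100.1.1.1/24, 8810048), Router B (BRI1/0, 100.1.1.2/24, 8810052), Router C (BRI1/0, 100.1.1.3/24, 8810063), each attached to the ISDN network through an NT 1.]
[Second diagram not reproduced. Recovered labels: Router A (BRI1/0, 8810048; Dialer 0, 100.1.1.1/24; Dialer1, 122.1.1.1/24), Router B (BRI1/0, 8810052; Dialer 0, 100.1.1.2/24), Router C (BRI1/0, 8810063; Dialer 0, 122.1.1.2/24), each attached to the ISDN network through an NT 1.]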
Configuration procedure
Solution 1: Use C-DCC to set up connection via ISDN BRI or PRI and configure
DCC parameters on physical interfaces.
1 Configure Router A
<RouterA> system-view
[RouterA] dialer-rule 1 ip permit
# Assign an IP address to interface BRI 1/0, enable C-DCC, and configure the dial
strings for calling Router B and Router C.
<RouterB> system-view
[RouterB] dialer-rule 2 ip permit
# Assign an IP address to interface BRI 1/0, enable C-DCC, and configure the dial
string for calling Router A.
<RouterC> system-view
[RouterC] dialer-rule 1 ip permit
# Assign an IP address to interface BRI 1/0, enable C-DCC, and configure the dial
string for calling Router A.
Solution 2: Use RS-DCC to set up connection via ISDN BRI or PRI and configure
DCC parameters on dialer interfaces.
4 Configure Router A
# Configure a dial access control rule for dialer access group 1; create local user
accounts userb and userc for Router B and Router C and configure PPP
authentication for them.
<RouterA> system-view
[RouterA] dialer-rule 1 ip permit
[RouterA] local-user userb
[RouterA-luser-userb] password simple userb
[RouterA-luser-userb] service-type ppp
[RouterA-luser-userb] quit
[RouterA] local-user userc
[RouterA-luser-userc] password simple userc
[RouterA-luser-userc] service-type ppp
[RouterA-luser-userc] quit
# Configure information for PPP authentication and the dial strings on interface
Dialer0.
[RouterA-Dialer0] dialer-group 1
[RouterA-Dialer0] ppp authentication-mode pap
[RouterA-Dialer0] ppp pap local-user usera password simple usera
[RouterA-Dialer0] dialer number 8810052
[RouterA-Dialer0] quit
# Configure information for PPP authentication and the dial strings on interface
Dialer1.
[RouterA-Dialer1] dialer-group 1
[RouterA-Dialer1] ppp authentication-mode pap
[RouterA-Dialer1] ppp pap local-user usera password simple usera
[RouterA-Dialer1] dialer number 8810063
[RouterA-Dialer1] quit
# Set information for PPP authentication on interface BRI 1/0 and assign the
interface to dialer bundle 1 and dialer bundle 2.
# Configure a dial access control rule for dialer access group 2; create a local user
account usera for Router A and configure PPP authentication for it.
<RouterB> system-view
[RouterB] dialer-rule 2 ip permit
[RouterB] local-user usera
[RouterB-luser-usera] password simple usera
[RouterB-luser-usera] service-type ppp
[RouterB-luser-usera] quit
# Configure information for PPP authentication and the dial string on interface
Dialer0.
[RouterB-Dialer0] dialer-group 2
[RouterB-Dialer0] ppp authentication-mode pap
[RouterB-Dialer0] dialer number 8810048
[RouterB-Dialer0] ppp pap local-user userb password simple userb
[RouterB-Dialer0] quit
# Configure PPP authentication on interface BRI 1/0 and assign it to dialer bundle
1.
# Configure a dial access control rule for dialer access group 1; create a local user
account usera for Router A and configure PPP authentication for it.
<RouterC> system-view
[RouterC] dialer-rule 1 ip permit
[RouterC] local-user usera
[RouterC-luser-usera] password simple usera
[RouterC-luser-usera] service-type ppp
[RouterC-luser-usera] quit
# Configure information for PPP authentication and the dial strings on interface
Dialer0.
[RouterC-Dialer0] dialer-group 1
[RouterC-Dialer0] dialer number 8810048
[RouterC-Dialer0] ppp authentication-mode pap
[RouterC-Dialer0] ppp pap local-user userc password simple userc
[RouterC-Dialer0] quit
# Configure information for PPP authentication on interface BRI 1/0 and assign the
interface to dialer bundle 1.
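The examples above create every PPP account with password simple, reuse the username as the password, and authenticate with PAP. The following script is an added example, not part of the 3Com manual: it reads a CLI session in the prompt format used on this page and reports those three conditions so they can be corrected before deployment. The names audit, split_prompt, Finding and SAMPLE_SESSION are assumptions of this example, and the sample session is constructed from Router B's commands above.

```python
import re
from typing import NamedTuple

# Constructed sample: Router B's RS-DCC commands from the example above.
SAMPLE_SESSION = """\
<RouterB> system-view
[RouterB] dialer-rule 2 ip permit
[RouterB] local-user usera
[RouterB-luser-usera] password simple usera
[RouterB-luser-usera] service-type ppp
[RouterB-luser-usera] quit
[RouterB-Dialer0] dialer-group 2
[RouterB-Dialer0] ppp authentication-mode pap
[RouterB-Dialer0] dialer number 8810048
[RouterB-Dialer0] ppp pap local-user userb password simple userb
[RouterB-Dialer0] quit
"""


class Finding(NamedTuple):
    line_no: int   # 1-based line in the audited session
    device: str    # device name taken from the prompt
    rule: str      # CLEARTEXT_STORED, PASSWORD_EQUALS_USERNAME or PAP_AUTH
    detail: str    # names the account, not the password


# "<RouterB>" is user view; "[RouterB-luser-usera]" is system view plus a sub-view.
PROMPT = re.compile(r"^\s*(?:<(?P<user>[^>]+)>|\[(?P<sys>[^\]]+)\])\s*(?P<cmd>.*)$")
LOCAL_USER = re.compile(r"^local-user\s+(\S+)$")
USER_PASSWORD = re.compile(r"^password\s+simple\s+(\S+)$")
PAP_SEND = re.compile(r"^ppp\s+pap\s+local-user\s+(\S+)\s+password\s+simple\s+(\S+)$")
AUTH_MODE = re.compile(r"^ppp\s+authentication-mode\s+(.+)$")


def split_prompt(line):
    """Return (device, view, command), or None if the line is not CLI input."""
    m = PROMPT.match(line)
    if not m:
        return None
    if m.group("user"):
        return m.group("user"), "", m.group("cmd").strip()
    device, _, view = m.group("sys").partition("-")
    return device, view, m.group("cmd").strip()


def _check_secret(findings, line_no, device, where, user, password):
    """Record the cleartext-storage finding and, if it applies, the reuse finding."""
    findings.append(Finding(line_no, device, "CLEARTEXT_STORED",
                            f"{where}: password for '{user}' is stored unencrypted"))
    if password.lower() == user.lower():
        findings.append(Finding(line_no, device, "PASSWORD_EQUALS_USERNAME",
                                f"{where}: password for '{user}' equals the username"))


def audit(session):
    """Scan a CLI session and return a list of Finding tuples."""
    findings = []
    current_user = {}  # device -> name given in its last local-user command
    for line_no, line in enumerate(session.splitlines(), start=1):
        parsed = split_prompt(line)
        if parsed is None:
            continue  # comment lines ("# ...") and blank lines are skipped
        device, view, cmd = parsed
        if m := LOCAL_USER.match(cmd):
            current_user[device] = m.group(1)
        elif (m := USER_PASSWORD.match(cmd)) and view.startswith("luser-"):
            # Trust the local-user command; the prompt is only a fallback.
            user = current_user.get(device, view[len("luser-"):])
            _check_secret(findings, line_no, device, "local-user", user, m.group(1))
        elif m := PAP_SEND.match(cmd):
            _check_secret(findings, line_no, device, f"{view} ppp pap",
                          m.group(1), m.group(2))
        elif (m := AUTH_MODE.match(cmd)) and "pap" in m.group(1).split():
            findings.append(Finding(line_no, device, "PAP_AUTH",
                                    f"{view}: PAP sends the password in cleartext over the link"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SESSION):
        print(f"line {f.line_no:>2} {f.device} {f.rule}: {f.detail}")
```

Each finding maps to a change in the configuration: a distinct, non-trivial password per account, and CHAP (used elsewhere in this manual) in place of PAP where both ends support it.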
Use RS-DCC on Router A to call Router B and C-DCC on Router B to call Router A.
In addition, implement traffic distribution for the two interfaces on Router A by
setting traffic thresholds and maximum bandwidth.
Network diagram
[Diagram not reproduced. Recovered labels: Router A (Dialer0, 100.1.1.1/24; BRI1/0, BRI1/1; numbers 8810048 and 8810049), Router B (Dialer0, 100.1.1.2/24; E1 2/0; 8810052), ISDN network, NT 1 units.]
Configuration procedure
1 Configure Router A
# Configure a dial access control rule for dialer access group 1; create a local user
account userb for Router B and configure PPP authentication for it; and set traffic
statistics interval to three seconds for DCC.
<RouterA> system-view
[RouterA] dialer-rule 1 ip permit
[RouterA] local-user userb
[RouterA-luser-userb] password simple userb
[RouterA-luser-userb] service-type ppp
[RouterA-luser-userb] quit
[RouterA] dialer flow-interval 3
# Configure information for PPP authentication, the remote user allowed to call in
and the dial strings on interface Dialer0.
# Configure a dial access control rule for dialer access group 2; create a local user
account usera for Router A and configure PPP authentication for it; and set traffic
statistics interval to three seconds for DCC.
<RouterB> system-view
[RouterB] dialer-rule 2 ip permit
[RouterB] local-user usera
[RouterB-luser-usera] password simple usera
[RouterB-luser-usera] service-type ppp
[RouterB-luser-usera] quit
[RouterB] dialer flow-interval 3
# Assign an IP address to interface Dialer0; enable C-DCC; and configure the dial
strings, MP, and information for PPP authentication.
# Enable C-DCC on interface Serial 2/0:15 created on interface E1 2/0 and assign
the serial interface to interface Dialer 0.
Configure C-DCC to allow Router A to call Router B and Router C and vice versa.
Network diagram
Figure 27 Network diagram for using DCC with dialup ISDN BRI and leased line
[Diagram not reproduced. Recovered labels: Router A (BRI1/0, 100.1.1.1/24, 8810048), Router B (BRI1/0, 100.1.1.2/24, 8810052), Router C (BRI1/0, 100.1.1.3/24), each attached to the ISDN network through an NT 1.]
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] dialer-rule 1 ip permit
[RouterA] interface bri 1/0
[RouterA-Bri1/0] ip address 100.1.1.1 255.255.255.0
[RouterA-Bri1/0] dialer isdn-leased 1
[RouterA-Bri1/0] dialer enable-circular
[RouterA-Bri1/0] dialer-group 1
[RouterA-Bri1/0] dialer route ip 100.1.1.2 8810052
2 Configure Router B
<RouterB> system-view
[RouterB] dialer-rule 2 ip permit
[RouterB] interface bri 1/0
[RouterB-Bri1/0] ip address 100.1.1.2 255.255.255.0
[RouterB-Bri1/0] dialer enable-circular
[RouterB-Bri1/0] dialer-group 2
[RouterB-Bri1/0] dialer route ip 100.1.1.1 8810048
3 Configure Router C
<RouterC> system-view
[RouterC] interface bri 1/0
[RouterC-Bri1/0] ip address 100.1.1.3 255.255.255.0
Network diagram
[Diagram not reproduced. Recovered labels: Callback Client, Callback Server.]
Configuration procedure
Solution 1: Use C-DCC to implement PPP callback, allowing the callback server to
make callback decision based on usernames configured in the dialer route
commands.
1 Configure Router A
<RouterA> system-view
[RouterA] dialer-rule 1 ip permit
# Assign an IP address to interface Serial 2/0, configure its physical layer and
C-DCC parameters.
# Configure the user interface to be used and enable modem dialup on it.
# Configure a dial access control rule for dialer access group 2; and create a local
user account usera for Router A and configure PPP authentication for it.
<RouterB> system-view
[RouterB] dialer-rule 2 ip permit
[RouterB] local-user usera
[RouterB-luser-usera] password simple usera
[RouterB-luser-usera] service-type ppp
[RouterB-luser-usera] quit
# Assign an IP address to interface Serial 2/0, configure its physical layer and
C-DCC parameters.
# Specify the local end as the callback server, and set the callback reference to
user. In this case, DCC identifies the dial string for callback according to the
username configured in the dialer route command.
# Configure the user interface to be used and enable modem dialup on it.
Solution 2: Use C-DCC to implement PPP callback, allowing the callback server to
identify the dial string for callback by comparing the remote username received in
PPP authentication against the local user database for a match.
3 Configure Router A
<RouterA> system-view
[RouterA] dialer-rule 1 ip permit
# Assign an IP address to interface Serial 2/0, configure its physical layer and
C-DCC parameters.
# Configure the user interface to be used and enable modem dialup on it.
# Configure a dial access control rule for dialer access group 2; create a local user
account usera for Router A and configure PPP authentication for it; and configure
the dial string for callback.
<RouterB> system-view
[RouterB] dialer-rule 2 ip permit
[RouterB] local-user usera
[RouterB-luser-usera] password simple usera
[RouterB-luser-usera] service-type ppp
[RouterB-luser-usera] service-type ppp callback-number 8810048
[RouterB-luser-usera] quit
# Assign an IP address to interface Serial 2/0, and configure physical and C-DCC
parameters.
# Specify the local end as the callback server, and set the callback reference to dial
number. In this case, DCC identifies the dial string for callback by comparing the
remote username obtained through PPP authentication against the local user
database for a match.
# Configure the user interface to be used and enable modem dialup on it.
Configure ISDN caller identification callback with C-DCC between Router A and
Router B, specifying Router A as the callback client and Router B as the callback
server.
Network diagram
Figure 29 Network diagram for ISDN caller identification callback with DCC
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] dialer-rule 1 ip permit
# Assign an IP address to interface BRI 1/0, and configure C-DCC parameters and
the dial string for placing calls to Router B.
<RouterB> system-view
[RouterB] dialer-rule 2 ip permit
# Assign an IP address to interface BRI 1/0, and configure C-DCC parameters and
the dial string for placing calls to Router A.
[RouterB-Bri1/0] dialer-group 2
[RouterB-Bri1/0] dialer route ip 100.1.1.1 8810048
# Enable the local end to place return calls for ISDN calling number 8810048.
Configure PPP callback with C-DCC between Router and PC, specifying PC as the
callback client and Router as the callback server to make return calls according to
dialer routes.
Network diagram
[Diagram not reproduced. Recovered labels: PC (100.1.1.2/24), Modem (8810048), PSTN, Modem (8810052), Router (S2/0, 100.1.1.1/24).]
Configuration procedure
1 Configure PC (installed with Windows 2000 for example)
# In the [Network Connection Type] dialog, select the Dial-up to the Internet
option, and click <Next>. The [Internet Connection Wizard] dialog appears. Select
to set up the Internet connection manually. Click <Next>.
# In the [Setting up your Internet connection] dialog box, select the I connect
through a phone line and a modem option. Click <Next> to set Internet
account connection information.
# Type in the phone number for dialing to the callback server. Click <Next>.
# Type in the username and password that you want to use for PPP authentication
when connecting to the server. Click <Next>.
# Assign a name to your new connection and follow the instruction to complete
the connection setup.
# In the properties setting dialog, select the [Networking] tab. In the Type of
dial-up server I am calling drop-down list, select PPP: Windows 95/98/NT4/2000,
Internet. Click <Settings> to do the following:
Click <OK>.
■ Select the No callback option. After the PPP authentication is passed in a call,
this option prevents the callback server from disconnecting the current
connection and calling back. Instead, the server will maintain the current
connection and allow the client to access the LAN or the Internet.
■ Select the Ask me during dialing when the server offers option. The
callback server will use the callback number you input to place return calls.
■ Select the Always call me back at the number(s) below option. The
callback server will place return calls always at the number or numbers already
set.
2 Configure Router
# Configure a dial access control rule for dialer access group 1; create a local user
account userpc for PC and configure PPP authentication for the account.
<Router> system-view
[Router] dialer-rule 1 ip permit
[Router] local-user userpc
[Router-luser-userpc] password simple userpc
[Router-luser-userpc] service-type ppp
[Router-luser-userpc] quit
# Specify interface Serial 2/0 as the PPP callback server, and set the callback
reference to user mode. In this case, DCC uses the dial string corresponding to the
username configured in the dialer route command to place return calls.
# Configure the user interface to be used and enable modem dialup on it.
Configure PPP callback with C-DCC between Router and PC, specifying Router as
the callback client and NT Server as the callback server to make return calls
according to dialer routes.
Network diagram
[Diagram not reproduced. Recovered labels: Router (S2/0, 100.1.1.1/24), Modem (8810048), PSTN, Modem (8810052), NT Server (100.1.1.254/24).]
Configuration procedure
1 Configure Router
# Configure a dial access control rule for dialer access group 1; create a local user
account usernt for NT Server and configure PPP authentication for the account.
<Router> system-view
[Router] dialer-rule 1 ip permit
[Router] local-user usernt
[Router-luser-usernt] password simple usernt
[Router-luser-usernt] service-type ppp
[Router-luser-usernt] quit
# Configure the user interface to be used and enable modem dialup on it.
Note that for Microsoft Windows users, the server must be Windows 2000 or a
higher version such as Windows XP. For the purpose of this example, Windows
2000 is adopted.
# Right-click on the My Network Places icon and from the popup menu select the
Properties option. The [Network and Dial-up Connections] window appears.
# Right-click on the Make New Connection icon; and from the popup menu select
the New Connection... option. The [Network Connection Wizard] window
appears. Click <Next>.
# Select the Allow virtual private connections option if the server is connected to
the Internet to provide Internet access requests for the client. Otherwise, select
the Do not allow virtual private connections option. Then click <Next>.
# In the [Allowed Users] dialog, click <Add>. In the popup [New User] dialog add
the username and password for the PPP callback client and click <OK>. An icon
for the new user account appears in the box in the [Allowed Users] dialog.
# Select the new user and click <Properties>. The properties setting dialog
appears.
■ Select the Do not allow callback option. After the PPP authentication is
passed in a call, this option prevents the callback server from disconnecting the
current connection and calling back. Instead, the server will maintain the
current connection and allow the client to access the LAN or the Internet.
■ Select the Allow the caller to set the callback number option. After the PPP
authentication is passed in a call, the server will disconnect and then call back
the client at the number configured in the ppp callback ntstring dial-number
command. This option is almost the same as the last option except that the
charges are paid by the server end rather than the client end.
■ Select the Always use the following callback number option to set a
callback number.
# Assign a name to your connection and click <Finish> to complete the creation.
Configure Router A on the dialup side to implement cyclic dial string backup with
dialer routes. Configure Router B on the access side to use asynchronous serial
interfaces to provide DCC dialup access and adopt PAP to authenticate the
dialup side.
Figure 33 presents another scenario where Router C and Router D are connected
across an ISDN network. The configurations of Router C and Router D are the
same as those of Router A and Router B, except that Router D uses an ISDN dial
string 8810048, rather than PSTN dial strings, to provide services.
Configure Router C and Router D to implement DCC with one dial string and use
CHAP for authentication.
Network diagram
Figure 32 Network diagram for dial string backup/access service with DCC (PSTN)
[Diagram not reproduced. Recovered labels: Router A (S2/0), Host, modems, PSTN, Router B (Async1/0 through Async1/7), Internet; dial numbers 8810048, 8810049, 8810054, 8810055.]
Figure 33 Network diagram for dial string backup/access service with DCC (ISDN)
[Diagram not reproduced. Recovered labels: Router C (BRI1/0), NT 1, ISDN, 8810048, NT 1, Router D (S2/0:15, 100.1.1.254/24), Internet.]
Configuration procedure
Solution 1: Configure circular dial string backup on Router A on dialup side. On
Router B, configure C-DCC, allowing the router to set up connections on eight
asynchronous serial interfaces; configure C-DCC parameters on a dialer interface.
1 Configure Router A
# Configure a dial access control rule for dialer access group 1; create a local user
account userb for Router B and configure PPP authentication for the account.
<RouterA> system-view
[RouterA] dialer-rule 1 ip permit
[RouterA] local-user userb
[RouterA-luser-userb] password simple userb
[RouterA-luser-userb] service-type ppp
[RouterA-luser-userb] quit
# Configure physical layer parameters for interface Serial 2/0 and enable PPP
address negotiation.
# On the interface, enable C-DCC, and configure C-DCC parameters and the dial
strings for reaching Router B.
# Configure the user interface to be used and enable modem dialup on it.
# Configure a dial access control rule for dialer access group 2; create local user
accounts user1 through user16 and configure PPP authentication for the accounts.
<RouterB> system-view
[RouterB] dialer-rule 2 ip permit
[RouterB] local-user user1
[RouterB-luser-user1] password simple user1
[RouterB-luser-user1] service-type ppp
[RouterB-luser-user1] quit
[RouterB] local-user user2
[RouterB-luser-user2] password simple user2
[RouterB-luser-user2] service-type ppp
[RouterB-luser-user2] quit
...
[RouterB] local-user user16
[RouterB-luser-user16] password simple user16
[RouterB-luser-user16] service-type ppp
[RouterB-luser-user16] quit
# Configure physical and link layer parameters for interface Async 1/0.
Repeat this step to configure physical and link layer parameters for interfaces
Async 1/1 through Async 1/7.
# Configure user interfaces TTY 1 through TTY 7 for interfaces Async 1/0 through
Async 1/7 and enable modem dialup on them.
# Set the answering mode of the modem connected to the user PC (installed with
Windows 2000 for example) to auto answer.
the Make New Connection icon; and in the popup menu select the New
Connection... option. The [Network Connection Wizard] window appears. Click
<Next>.
# In the [Network Connection Type] dialog, select the Dial-up to the Internet
option, and click <Next>. The [Internet Connection Wizard] dialog appears. Select
to set up the Internet connection manually. Click <Next>.
# In the [Setting up your Internet connection] dialog box, select the I connect
through a phone line and a modem option. Click <Next> to set Internet
account connection information.
# Type in the phone number for dialing to the callback server. Click <Next>.
# Type in the username (user16 for example) and password (user16 for example)
that you want to use for PPP authentication when connecting to the server. Click
<Next>.
# Assign a name to your new connection and follow the instruction to complete
the connection setup.
# In the properties setting dialog, select the [Networking] tab. In the Type of
dial-up server I am calling drop-down list, select PPP: Windows 95/98/NT4/2000,
Internet. Click <Settings> to do the following:
Click <OK>.
Solution 2: On Router C on the dialup side configure a single dial string. On Router
D on the access side, use C-DCC approach to set up connection with Router C
through an ISDN PRI interface; configure DCC parameters on a dialer interface.
4 Configure Router C
# Configure a dial access control rule for dialer access group 1; create a local user
account userd for Router D and configure PPP authentication for the account.
<RouterC> system-view
[RouterC] dialer-rule 1 ip permit
[RouterC] local-user userd
[RouterC-luser-userd] password simple user1
# Configure physical layer parameters for interface BRI 1/0 and enable PPP address
negotiation.
# On the interface enable C-DCC, and configure C-DCC parameters and the dial
string for reaching Router D.
# Configure a dial access control rule for dialer access group 2; create local user
accounts user1 through user16 and configure PPP CHAP authentication for the
accounts.
<RouterD> system-view
[RouterD] dialer-rule 2 ip permit
[RouterD] local-user user1
[RouterD-luser-user1] password simple user1
[RouterD-luser-user1] service-type ppp
[RouterD-luser-user1] quit
[RouterD] local-user user2
[RouterD-luser-user2] password simple user2
[RouterD-luser-user2] service-type ppp
[RouterD-luser-user2] quit
...
[RouterD] local-user user16
[RouterD-luser-user16] password simple user16
[RouterD-luser-user16] service-type ppp
[RouterD-luser-user16] quit
# Configure PPP encapsulation and other PPP parameters on the serial interface.
DCC dialup connection cannot be set up because the modem does not dial when
the router forwards data.
Solution:
Check that:
■ The modem and phone cable connections are correct, and the modem
initialization process is correct.
■ The dial interface, if it is synchronous/asynchronous, is set to work in
asynchronous protocol mode.
■ DCC is enabled on the dial interface.
■ A dialer route or dialer number command is available for the packets.
Symptom 2:
Solution:
Check that:
■ The same link layer encapsulation is adopted at the two ends, and correct PPP
parameters are configured for authentication. You may use the debugging
ppp all command to verify that.
■ The correct IP address is assigned to the dial interface (physical or dialer).
■ DCC is enabled on the dial interface.
■ The correct dialer-group and dialer-rule commands are configured and
associated to ensure that the packets can pass.
■ Use the debugging dialer event and debugging dialer packet commands
to locate the problem.
DLSw Overview
Introduction
Data link switching (DLSw) was jointly developed by Advanced Peer-to-Peer
Networking (APPN) and Implementers Workshop (AIW) for transmitting Systems
Network Architecture (SNA) traffic over a TCP/IP network. SNA was developed by
IBM in correspondence with the OSI reference model. The DLSw technique is a
solution for cross-WAN transmission of SNA traffic.
1 The router that runs DLSw converts logical link control type 2 (LLC2) frames from
the local SNA device into Switch-to-Switch Protocol (SSP) frames that can be
encapsulated in TCP packets.
2 The SSP frames are forwarded across the WAN over a TCP connection to the remote
router.
3 The remote router converts the SSP frames back into LLC2 frames and sends them
to the peer SNA device.
As a result, the remote SNA device appears to be on the same network with the
local SNA device.
DLSw is different from transparent bridging in that it does not forward LLC2
frames transparently to the peer - instead it converts the LLC2 frames into SSP
frames for data encapsulation in TCP packets. The local termination mechanism of
DLSw eliminates the requirement for link layer acknowledgments and keepalive
messages to flow across a WAN. It also solves the data link control timeout
problem.
DLSw also enables transmission of synchronous data link control (SDLC) traffic
across a TCP/IP WAN by first converting SDLC frames to LLC2 frames, and then
transporting them to the remote end system through SSP. Thus, DLSw can be used
for interconnection between LAN and SDLC media.
Currently, two DLSw versions are available: version 1.0 and version 2.0. DLSw v1.0
is implemented based on RFC1795, while DLSw v2.0 is implemented based on
RFC2166 and is intended to improve product maintainability and to reduce
Note:
■ SDLC is a data link layer protocol developed by IBM for IBM SNA networks.
■ For more information on LLC, refer to IEEE 802.2 standard.
■ Excessive broadcasts
■ Low maintainability
When a circuit is disconnected, DLSw v1.0 uses two types of messages to notify
the peer but cannot tell the disconnection cause. This adds to difficulty in locating
the reason for an abnormal circuit disconnection.
[Diagram not reproduced. Recovered labels: origin station, LAN, origin DLSw router, UDP and TCP/IP, SSP message, target DLSw router, LAN, target station.]
In Figure 35, the origin station is the end station that originates communication,
the target station is the end station that accepts communication, the origin DLSw
router is a DLSw-enabled router connected to the origin station, and the target
DLSw router is a DLSw-enabled router connected to the target station. In this
document, an origin DLSw v2.0 router is a DLSw v2.0-capable router.
To prevent unnecessary TCP connection setups, DLSw v2.0 sends explorer frames
in UDP packets instead of over a TCP connection (unless a TCP connection is
present). These UDP packets can be sent in two ways: multicast and unicast
(depending on the specific situation). Using UDP packets reduces, to some degree,
the TCP connections required, and thereby saves network resources.
A TCP connection is set up after the origin and target DLSw v2.0 routers get
reachability information using UDP packets and when both the origin and target
stations want to set up a circuit between them. A DLSw circuit establishment
process is simplified into two stages: first, establishment of a single TCP
connection; then, capabilities exchange. If capabilities negotiation fails, the
source-end DLSw v2.0 router sends a reject packet to the peer and then the TCP
connection is taken down.
n In case the origin and target DLSw routers use different versions of DLSw, for
backward compatibility, the one that uses DLSw v2.0 works as a DLSw v1.0 router and
follows RFC1795 when setting up a TCP connection with its peer.
■ Enhanced maintainability
To enable a DLSw router to notify its peer about the reason for dropping a
connection, DLSw v2.0 defines five generic circuit halt reason codes: unknown
error, received DISC from end-station, detected DLC error with end-station,
circuit-level protocol error, and operator-initiated. The halt reason codes are sent
to the peer in SSP messages.
For more information on bridge and bridge set configuration, refer to “Bridging
Configuration” on page 405.
Creating DLSw Peers
Establishing a TCP connection is the first step in establishing a DLSw circuit. To
establish a TCP connection, you need to specify the IP addresses of both end
systems across the TCP connection.
Before the local router can initiate or accept a TCP connection request, you need
to configure a local DLSw peer specifying the IP address of the local end of the
TCP connection. A router can only have one local peer.
After a local peer is created, a remote DLSw peer should be created to establish a
TCP connection. The following command specifies the IP address of the remote
router with which a TCP connection is to be established. After the configuration,
the router will keep attempting to establish a TCP connection with the remote
router. A router can have multiple remote peers. A local DLSw peer must be
created before you can create a remote DLSw peer for it.
Removing a local DLSw peer will remove all its remote DLSw peers at the same
time.
Mapping a Bridge Set to DLSw
DLSw was developed based on the bridging technology. Bridging between
different Ethernet interfaces is possible if these interfaces are configured in the
same bridge set. To enable forwarding frames of a bridge set to a remote end
system over a TCP connection, use the following command to map the bridge set
to DLSw. This command can be used repeatedly to map multiple bridge sets to
DLSw.
Adding an Ethernet Interface to a Bridge Set
By adding an Ethernet interface to a bridge set and mapping the bridge set to
DLSw, you can enable transmission of LLC2 frames on the Ethernet interface to a
remote end system over a TCP connection.
Setting DLSw Timers
You can configure the timers used in creating DLSw circuits as per your actual
needs.
Note that the timer values should be modified only when necessary.
Configuring LLC2 Parameters
SNA was designed to transmit LLC2 frames over Ethernet. By means of LLC2
related commands, you can modify some LLC2 parameters.
Enabling the Multicast Function of DLSw v2.0
Before enabling the multicast function of DLSw v2.0, you first need to configure
the multicast function of the router and the local DLSw peer. DLSw v2.0 multicast
must be enabled before the origin DLSw v2.0 router can multicast SOCKET
messages (with explorer frames encapsulated) to a specific multicast address, so
that all target DLSw routers listening to the multicast address can receive the
SOCKET messages and get the explorer frames.
c CAUTION:
■ By default, the DLSw multicast function is disabled on devices running DLSw
v2.0. To enable this function, use the dlsw multicast command.
■ Before you can enable the DLSw multicast function, you need to configure the
outbound multicast interface specified with interface interface-type
interface-number in the above-mentioned command on the same interface as
the local DLSw peer.
■ Before the DLSw multicast can be enabled, you need to carry out the related
multicast command first.
Configuring the Maximum Number of DLSw v2.0 Explorer Retries
Each time the origin DLSw v2.0 router sends an explorer frame in a UDP multicast,
it starts an explorer timer. If no response is received before the explorer timer times
out, the router retransmits the explorer frame and resets the explorer timer. This
process continues until a response is received or the maximum number of explorer
transmission retries is reached.
For details about creating a Layer 2 ACL, refer to ACL Configuration in the Security
Volume.
Configuring DLSw in an SDLC Environment
Configuring an SDLC Interface
SDLC is a link layer protocol related to SNA. Its working principle is similar
to that of HDLC. In order to make DLSw work normally, you need to configure an
SDLC interface by specifying SDLC as the link layer protocol on the synchronous
serial interface.
Note that the SDLC link layer protocol cannot underlie the IP protocol, so all the
IP-related configurations on the interface must be removed before you configure
SDLC encapsulation. For example, you need to delete the IP address of the
interface.
Enabling DLSw Forwarding on an SDLC Interface
With DLSw forwarding enabled on the SDLC interface, all local SNA devices
connected to the interface will be able to communicate with the remote device
through DLSw.
Configuring SDLC Roles
In contrast with HDLC, SDLC is an “unbalanced” link layer protocol. That is, the
end systems across a TCP connection are not equal in position: one is primary
and the other is secondary. The primary station, whose role is primary, plays a
dominant role and controls the whole connection process. The secondary station,
whose role is secondary, is controlled by the primary station. Therefore, we need
to configure a role for an SDLC interface.
■ If the SDLC device connected with the local router has a role of primary, the
local interface should be configured to have a role of secondary;
■ If the SDLC device connected with the local router has a role of secondary, the
local interface should be configured to have a role of primary.
Generally, an IBM mainframe has a role of primary, while a terminal device such
as a UNIX host or an Auto Teller Machine (ATM) has a role of secondary.
Configuring an SDLC Address for a Secondary Station
The SDLC protocol allows multiple virtual circuits to run on an SDLC physical link,
with one end connected to the primary station and the other end to a secondary
station. In order to distinguish different virtual circuits, you need to specify an
SDLC address for each virtual circuit. Because SDLC is an “unbalanced” protocol, a primary
station can be connected with multiple secondary devices through a multi-user
system or an SDLC switch, while the secondary devices cannot be connected with
one another. Therefore, the communication between the primary station and each
secondary station can be guaranteed as long as each secondary device is identified
with an SDLC address.
The following command is used to specify an SDLC address for a virtual circuit,
which is unique on a physical interface. The configured SDLC address on a
synchronous serial interface is actually the address of the secondary SDLC station.
On the serial interface of the DLSw router connected with the primary SDLC
station, you need to configure the address of each secondary SDLC station that
communicates with the primary station. On the serial interface of the DLSw router
connected with a secondary SDLC station, you need to configure the address of
each secondary SDLC station connected with the serial interface.
An SDLC address ranges from 0x01 to 0xFE. The SDLC address of a router is valid
on only one physical interface. That is, the SDLC addresses configured on different
interfaces may be identical.
Configuring an SDLC Peer
The following command is used to specify the MAC address of the corresponding
peer end for an SDLC virtual circuit so as to provide the destination MAC address
for SDLC-to-LLC2 frame conversion. In DLSw configuration, a peer should be
configured for each SDLC address. The MAC address of the peer should be the
MAC address of the remote SNA device (physical address in the Ethernet or Token
Ring format), or the compound MAC address derived from SDLC virtual MAC
address of the peer end and the SDLC address of the local end.
n When specifying an SDLC peer MAC address for an SDLC virtual circuit, pay
attention to the difference between a token ring address and an Ethernet address:
■ If the remote SNA device uses a token ring address, use its token ring address
directly;
■ If the remote SNA device uses an Ethernet address, reverse the bit order of each octet of the
Ethernet address, for example, convert 00e0.fc03.a548 to 0007.3fc0.a512, by
using the dlsw reverse command.
Configuring an SDLC XID
An XID is used to identify a device in an SNA system. When configuring an SDLC
connection, pay attention to the types of the connected SNA devices. Generally,
there are two types of devices in an SNA system: PU2.0 and PU2.1. An XID has
been configured on PU2.1 devices, so they can announce their identity by
exchanging the XID. A PU2.0 device does not come with an XID. Therefore, an XID
is not required on a PU2.1 device, but it is required on a PU2.0 device.
Configuring an SDLC Virtual MAC Address
Initially designed for LLC2 protocols, DLSw establishes mappings with virtual
circuits through MAC addresses. Therefore, a MAC address must be specified for
an SDLC virtual circuit so that SDLC frames can be forwarded. Use the following
command to assign a virtual MAC address to the current interface,
which will serve as the source MAC address during the conversion of SDLC frames
to LLC2 frames.
n Note that the sixth byte of the MAC address should be set to 0x00. The system will
combine the first five bytes of this virtual MAC address with the SDLC address into
a new MAC address, which will serve as the source MAC address in SDLC-to-LLC2
frame format conversion.
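The two address rules above (bit order reversal of an Ethernet MAC address for an SDLC peer, and the compound MAC address built from the first five bytes of a virtual MAC address plus the SDLC address) can be checked offline before a configuration is applied. The following Python is an added example, not 3Com code: the function names and the audit logic are assumptions, the audit covers the SDLC-to-SDLC case in which the remote MAC address is the peer's compound MAC address, and the addresses are those used in this guide's examples apart from one constructed faulty variant.

```python
import re


def parse_mac(text):
    """Parse 0000-1111-0000 or 00e0.fc03.a548 style notation into 6 bytes."""
    digits = re.sub(r"[-.:]", "", text.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def format_mac(mac, sep="-"):
    """Render 6 bytes as three groups of four hex digits."""
    digits = mac.hex()
    return sep.join(digits[i:i + 4] for i in range(0, 12, 4))


def reverse_bit_order(mac):
    """Reverse the bit order within each octet (Ethernet <-> Token Ring form)."""
    return bytes(int(f"{octet:08b}"[::-1], 2) for octet in mac)


def compound_mac(virtual_mac, sdlc_addr):
    """First five bytes of the virtual MAC followed by the SDLC address."""
    if not 0x01 <= sdlc_addr <= 0xFE:
        raise ValueError(f"SDLC address 0x{sdlc_addr:02x} is outside 0x01-0xFE")
    if virtual_mac[5] != 0x00:
        raise ValueError("sixth byte of the virtual MAC address must be 0x00")
    return virtual_mac[:5] + bytes([sdlc_addr])


PROMPT = re.compile(r"^\s*\[[^\]]*\]\s*")  # strips "[RouterA-Serial2/0] "


def audit_sdlc_interface(config_lines, peer_virtual_mac):
    """Check one interface's sdlc lines against the peer's virtual MAC.

    Returns a list of findings; an empty list means the controller
    addresses and mac-map entries are mutually consistent.
    """
    controllers, remote_maps, findings = [], {}, []
    for raw in config_lines:
        words = PROMPT.sub("", raw).split()
        if words[:2] == ["sdlc", "controller"]:
            controllers.append(int(words[2], 16))
        elif words[:3] == ["sdlc", "mac-map", "remote"]:
            remote_maps[int(words[4], 16)] = parse_mac(words[3])
        elif words[:3] == ["sdlc", "mac-map", "local"]:
            if parse_mac(words[3])[5] != 0x00:
                findings.append(f"local virtual MAC {words[3]}: sixth byte is not 00")
    for addr in controllers:
        try:
            expected = compound_mac(peer_virtual_mac, addr)
        except ValueError as err:
            findings.append(str(err))
            continue
        actual = remote_maps.get(addr)
        if actual is None:
            findings.append(f"controller {addr:02x}: no sdlc mac-map remote entry")
        elif actual != expected:
            findings.append(f"controller {addr:02x}: remote MAC {format_mac(actual)} "
                            f"should be {format_mac(expected)}")
    return findings


# Router A's serial interface lines as shown in this guide's SDLC-to-SDLC example.
ROUTER_A_SERIAL = [
    "[RouterA-Serial2/0] sdlc controller c1",
    "[RouterA-Serial2/0] sdlc mac-map remote 0000-2222-00c1 c1",
    "[RouterA-Serial2/0] sdlc mac-map local 0000-1111-0000",
]
# Constructed faulty variant: the SDLC address was left out of the sixth byte.
ROUTER_A_BROKEN = [
    "[RouterA-Serial2/0] sdlc controller c1",
    "[RouterA-Serial2/0] sdlc mac-map remote 0000-2222-0000 c1",
    "[RouterA-Serial2/0] sdlc mac-map local 0000-1111-0000",
]

if __name__ == "__main__":
    router_b_virtual = parse_mac("0000-2222-0000")  # Router B's sdlc mac-map local
    print(format_mac(reverse_bit_order(parse_mac("00e0.fc03.a548")), "."))
    print(audit_sdlc_interface(ROUTER_A_SERIAL, router_b_virtual))
    print(audit_sdlc_interface(ROUTER_A_BROKEN, router_b_virtual))
```

When the remote device is an Ethernet-attached SNA host rather than another SDLC interface, compare the configured remote MAC address against reverse_bit_order() of the host's Ethernet address instead.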
Configuring the Properties of a Synchronous Serial Interface
In practice, there are many types of SNA devices which differ from one another
significantly. The following commands are used to tune some commonly used
parameters to ensure the compatibility among different devices.
■ Configure the encoding scheme of the synchronous serial interface
There are two encoding schemes, NRZI and NRZ, for synchronous serial interface.
The NRZ encoding scheme is generally used for synchronous serial interfaces of
routers. The serial interfaces of some SNA devices, however, use the NRZI
encoding scheme. Therefore, the encoding scheme of routers should be changed
according to the encoding schemes used on the connected devices.
While most SDLC devices use “0x7E” (flags) to indicate “idle” space between
frames, some other SDLC devices use “0xFF” (marks) for this indication. For
compatibility with different types of devices, you can configure the router to send
either flags (default) or marks to indicate its idle state.
Follow these steps to configure the properties of the synchronous serial interface:
Configuring Local Reachable MAC or SAP Addresses
To reduce the exploring time before the routers send information frames when
network topology is stable, you can manually configure the local reachable MAC
addresses or SAP addresses.
Follow these steps to configure the local reachable MAC addresses or SAP
addresses:
Configuring Remote Reachability Information
To reduce the exploring time before the routers send information frames when
network topology is stable, you can manually configure the reachability
information of the remote end for the router.
Displaying and Debugging DLSw
To do... | Use the command... | Remarks
Display the capabilities exchange information | display dlsw information [ ip-address | local ] | Available in any view
Display the information of a virtual circuit or all virtual circuits | display dlsw circuits [ circuit-id ] [ verbose ] | Available in any view
Display the information of a remote peer or all remote peers | display dlsw remote [ ip-address ] | Available in any view
Display the reachability information list of DLSw | display dlsw reachable-cache | Available in any view
Display LLC2 statistics information | display llc2 [ circuit circuit-id ] | Available in any view
Reset the TCP connection(s) between the DLSw router and a remote peer or all remote peers | reset dlsw tcp [ ip-address ] | Available in user view
Clear the information of a virtual circuit or all virtual circuits | reset dlsw circuits [ circuit-id ] | Available in user view
Clear the reachability information list of DLSw | reset dlsw reachable-cache | Available in user view
DLSw Configuration Examples
Network diagram
[Network diagram: Router A (1.1.1.1/24) and Router B (2.2.2.2/24) connected across the Internet; Eth1/0 on each router attaches to a LAN carrying LLC2 traffic]
Configuration procedure
1 Configure Router A:
# Configure interface parameters on Router A to ensure that the local DLSw peer
1.1.1.1 and remote peer 2.2.2.2 are pingable to each other (specific configuration
steps omitted).
<RouterA> system-view
[RouterA] bridge enable
[RouterA] bridge 5 enable
[RouterA] dlsw local 1.1.1.1
[RouterA] dlsw remote 2.2.2.2
[RouterA] dlsw bridge-set 5
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] bridge-set 5
2 Configure Router B:
# Configure interface parameters on Router B to ensure that the local DLSw peer
2.2.2.2 and remote peer 1.1.1.1 are pingable to each other (specific configuration
steps omitted).
<RouterB> system-view
[RouterB] bridge enable
[RouterB] bridge 7 enable
[RouterB] dlsw local 2.2.2.2
[RouterB] dlsw remote 1.1.1.1
[RouterB] dlsw bridge-set 7
[RouterB] interface ethernet 1/0
[RouterB-Ethernet1/0] bridge-set 7
After this configuration, the two SNA LANs across the Internet are interconnected.
Network diagram
[Network diagram: Router A (1.1.1.1/24) and Router B (2.2.2.2/24) connected across the Internet; S2/0 on each router attaches to an SDLC link; SDLC address: 0xC1]
Configuration procedure
1 Configure Router A:
# Configure interface parameters on Router A to ensure that the local DLSw peer
1.1.1.1 and remote peer 2.2.2.2 are pingable to each other (specific configuration
steps omitted).
<RouterA> system-view
[RouterA] dlsw local 1.1.1.1
[RouterA] dlsw remote 2.2.2.2
[RouterA] interface serial 2/0
[RouterA-Serial2/0] link-protocol sdlc
[RouterA-Serial2/0] sdlc enable dlsw
[RouterA-Serial2/0] sdlc status secondary
[RouterA-Serial2/0] sdlc controller c1
[RouterA-Serial2/0] sdlc mac-map remote 0000-2222-00c1 c1
[RouterA-Serial2/0] sdlc mac-map local 0000-1111-0000
[RouterA-Serial2/0] baudrate 9600
[RouterA-Serial2/0] code nrzi
2 Configure Router B:
# Configure interface parameters on Router B to ensure that the local DLSw peer
2.2.2.2 and remote peer 1.1.1.1 are pingable to each other (specific configuration
steps omitted).
<RouterB> system-view
[RouterB] dlsw local 2.2.2.2
[RouterB] dlsw remote 1.1.1.1
[RouterB] interface serial 2/0
[RouterB-Serial2/0] link-protocol sdlc
[RouterB-Serial2/0] sdlc enable dlsw
[RouterB-Serial2/0] sdlc status primary
[RouterB-Serial2/0] sdlc controller c1
[RouterB-Serial2/0] sdlc mac-map remote 0000-1111-00c1 c1
[RouterB-Serial2/0] sdlc mac-map local 0000-2222-0000
After this step, the SDLC LANs across the WAN are interconnected.
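Network diagram
[Network diagram: IBM AS/400 (MAC address: 0028-3300-2af5) on a LAN (LLC2) attached to Eth1/0; Host A (SNA, SDLC address: 0xC1), Host B (SNA, SDLC address: 0xC2) and Host C (SNA, SDLC address: 0xC3) on SDLC links, with S2/0 labelled; the routers are connected across the Internet]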
Configuration procedure
1 Configure Router A:
# Configure interface parameters on Router A to ensure that the local DLSw peer
1.1.1.1 and remote peer 2.2.2.2 are pingable to each other (specific configuration
steps omitted).
<RouterA> system-view
[RouterA] bridge enable
[RouterA] bridge 1 enable
[RouterA] dlsw local 1.1.1.1
[RouterA] dlsw remote 2.2.2.2
[RouterA] dlsw bridge-set 1
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] bridge-set 1
2 Configure Router B:
# Configure interface parameters on Router B to ensure that the local DLSw peer
2.2.2.2 and remote peer 1.1.1.1 are pingable to each other (specific configuration
steps omitted).
<RouterB> system-view
[RouterB] dlsw local 2.2.2.2
[RouterB] dlsw remote 1.1.1.1
[RouterB] interface serial 2/0
[RouterB-Serial2/0] link-protocol sdlc
[RouterB-Serial2/0] sdlc enable dlsw
[RouterB-Serial2/0] sdlc status primary
[RouterB-Serial2/0] sdlc mac-map local 0000-1234-5600
[RouterB-Serial2/0] sdlc controller c1
[RouterB-Serial2/0] sdlc xid c1 03e00001
[RouterB-Serial2/0] sdlc mac-map remote 0014-cc00-54af c1
[RouterB-Serial2/0] sdlc controller c2
[RouterB-Serial2/0] sdlc xid c2 03e00002
[RouterB-Serial2/0] sdlc mac-map remote 0014-cc00-54af c2
[RouterB-Serial2/0] baudrate 9600
[RouterB-Serial2/0] quit
[RouterB] interface serial 2/1
[RouterB-Serial2/1] link-protocol sdlc
[RouterB-Serial2/1] baudrate 9600
[RouterB-Serial2/1] code nrzi
[RouterB-Serial2/1] sdlc status primary
[RouterB-Serial2/1] sdlc mac-map local 0000-2222-0000
[RouterB-Serial2/1] sdlc controller c3
[RouterB-Serial2/1] sdlc mac-map remote 0014-cc00-54af c3
[RouterB-Serial2/1] sdlc enable dlsw
[RouterB-Serial2/1] quit
# If the local and remote networks are stable, you can configure the following
commands to save the polling process.
Note that in the configuration on Router B, the MAC address in the sdlc mac-map
remote and dlsw reachable-cache commands is the MAC address of the
Ethernet card of the AS/400 device, which is connected to Router A. As an
Ethernet MAC address appears in the reverse bit order of a Token-Ring MAC
address, bit order reversal is required in MAC address configuration (for example, a
MAC address 0028-3300-2af5 appears to be 0014-cc00-54af after bit order
reversal). If the peer end is Token-Ring, bit order reversal is not required.
Network diagram
[Network diagram: LSW, Router A (1.1.1.1/24) and Router B (2.2.2.2/24), with the routers connected across the Internet; interface labels Eth1/0, Eth1/1 and Eth1/1.1]
Configuration procedure
1 Configure Router A
# Configure interface parameters on Router A to ensure that the local DLSw peer
1.1.1.1 and remote peer 2.2.2.2 are pingable to each other (specific configuration
steps omitted).
<RouterB> system-view
[RouterB] bridge enable
[RouterB] bridge 1 enable
[RouterB] dlsw local 2.2.2.2
[RouterB] dlsw remote 1.1.1.1
[RouterB] dlsw bridge-set 1
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] bridge-set 1
# Configure interface parameters on Router B to ensure that the local DLSw peer
2.2.2.2 and remote peer 1.1.1.1 are pingable to each other (specific configuration
steps omitted).
<LSW> system-view
[LSW] vlan 2
[LSW-vlan2] port ethernet 1/1
[LSW-vlan2] quit
Network diagram
Configuration procedure
1 Configure Router A.
<RouterA> system-view
[RouterA] bridge enable
[RouterA] bridge 1 enable
# Enable multicast.
# Enable DLSw multicast, set the maximum number of explorer retries and specify a
local bridge set.
Before configuring Router B and Router C, first check which DLSw version
they support. If they are DLSw v2.0 capable, the configuration is similar to that on
Router A; if they are DLSw v1.0 capable, remove the multicast and explorer frame
retransmission part from the configuration.
Troubleshooting DLSw
Proper DLSw communication requires sound cooperation between the
involved SNA devices and DLSw-capable routers. A fault in the cooperation
between any two nodes may cause connection failure.
Analysis
TCP connection establishment is the first step in successful DLSw connection.
Failure in establishing a TCP connection is usually caused by problems between the
two routers, normally incorrect IP routing configuration.
Solution
Check whether the IP address of the remote peer is reachable by using the ping
command carrying the source address. Alternatively, use the display ip
routing-table command to check whether there is a route to the network
segment. After both sides have established a correct route, the TCP connection
can be created.
Analysis
Many reasons can cause circuit establishment failure.
■ A TCP connection with the peer end must be successfully established first.
■ If a TCP connection can be successfully established but circuit establishment fails,
the problem usually lies in the cooperation between the router and the SNA
device, mainly with SDLC configuration.
Solution
1 First enable the SDLC debugging, and check whether the SDLC interface can
receive/forward frames normally by executing the display interface command. If
the interface cannot receive/forward frames correctly, possible causes are incorrect
encoding scheme, baud rate or clock configuration on the interface. Modify the
interface configuration parameters of the router or adjust the configuration
parameters of the SDLC device.
2 If frames can be received and forwarded correctly, examine whether the
configuration of the PU type is correct. Use the sdlc xid command to configure
the XID and change the configuration of the PU type.
3 If the PU type is correct, use the display dlsw circuit verbose command to check
whether the virtual circuit can enter the CIRCUIT_EST state. If not, the MAC
address of the SDLC peer is not correctly configured. Use the sdlc mac-map
remote command to modify the configuration parameters.
4 If the circuit can reach the CIRCUIT_EST state, but cannot reach the CONNECTED
state, this means that the configuration of the SDLC on the router does not match
that of the SNA devices. Check the configuration of the SDLC devices on both
sides and the configuration of the router. For example, check whether the XID of
the SNA device is properly configured (PU2.1), and whether the XID of the router
is properly configured (PU2.0). If all these configurations are correct, check whether
the SDLC line on the primary SDLC device side (such as the AS/400 or S390) is
activated. Sometimes the SDLC line needs to be activated manually.
Frame Relay Terminologies
Overview
Frame relay protocol is a simplified X.25 WAN protocol. It is a kind of statistical
multiplexing protocol that can establish multiple virtual circuits (VC) over a single
physical cable, each of which is identified by a data link connection identifier
(DLCI). A DLCI is not of global significance; it is valid only between two directly connected
interfaces. That is, you can use the same DLCI on different physical interfaces
to identify different VCs.
DTE, DCE, UNI, and NNI
Data Terminal Equipment (DTE) are end devices in frame relay networks. A frame
relay network provides the capability of data communications between end
devices.
User Network Interfaces (UNI) are interfaces used to connect DTEs and DCEs.
Virtual Circuit
Virtual circuits fall into two types, permanent virtual circuit (PVC) and switched
virtual circuit (SVC), depending on how they are set up. Virtual circuits configured
manually are called PVCs, and those created by protocol negotiation are called
SVCs, which are automatically created and deleted by frame relay protocol. At
present, the most frequently used mode in frame relay is the PVC mode, that is,
manually configured virtual circuits.
In the PVC mode, the availability of the virtual circuit should be checked. Local
management interface (LMI) protocol can implement this function. It is used to
maintain PVC table of frame relay protocol, including advertising added PVC entry,
detecting deleted PVC entry, monitoring PVC status change, and verifying PVC link
integrity. The system supports three LMI protocols: ITU-T Q.933 Appendix A, ANSI
T1.617 Appendix D and nonstandard compatible protocol. Their basic operating
mode is: DTE sends one Status Enquiry message to query the virtual circuit status
at a certain interval. After the DCE receives the message, it will immediately use
the Status message to inform DTE of the status of all the virtual circuits on current
interface.
The PVC status on DTE is completely determined by DCE, and the network
determines the PVC status on DCE. If two network devices are directly connected,
the equipment administrator sets the virtual circuit status of DCE.
These parameters are stipulated by Q.933 Appendix A, and their meanings are
described as follows:
A DTE sends a Status-Enquiry message at a certain interval to query the link status.
The DCE responds with a Status response message upon receiving the message. If
the DTE does not receive any response within a specified time, it will record this
error. If the number of errors exceeds the threshold, the DTE will regard the physical
channel and all virtual circuits as unavailable. N392 and N393 together define the “error
threshold”. In other words, if the number of errors reaches N392 among the N393
Status Enquiry messages sent by DTE, DTE will consider that the number of errors
has reached the threshold and the physical channel and all virtual circuits are
unavailable.
■ N392 and N393: These two parameters have similar meanings to those related
to DTE operating mode. However, DCE requires that the fixed time interval for
DTE sending a status-enquiry message should be determined by T392, while
DTE requires that this interval should be determined by T391. If DCE does not
receive the status-enquiry message from DTE within a period determined by
T392, an error is recorded.
■ T392: Time variable, which defines the maximum time that DCE waits for a
status-enquiry message. The time value shall be greater than the value of T391.
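The N392/N393 error threshold and the requirement that T392 be greater than T391 can be seen by simulating both ends of the LMI exchange. The following Python is an added example, not 3Com code: the class and function names are hypothetical, the values N392=3, N393=4, T391=10 and T392=15 are constructed for the demonstration, and the DCE timing model (T392 restarts on every enquiry arrival and on every expiry) is an assumption.

```python
from collections import deque


class LmiErrorMonitor:
    """Sliding window over the last N393 events; trips at N392 errors."""

    def __init__(self, n392, n393):
        if not 1 <= n392 <= n393:
            raise ValueError("N392 must be between 1 and N393")
        self.n392 = n392
        self.events = deque(maxlen=n393)  # True marks an error event

    def record(self, ok):
        """Store one event; return True when the link counts as unavailable."""
        self.events.append(not ok)
        return sum(self.events) >= self.n392


def dte_first_outage(status_received, n392, n393):
    """Index of the Status Enquiry at which the DTE declares the link down.

    status_received holds one boolean per enquiry sent: True if a Status
    message came back in time. Returns None if the threshold is never met.
    """
    monitor = LmiErrorMonitor(n392, n393)
    for index, ok in enumerate(status_received):
        if monitor.record(ok):
            return index
    return None


def dce_first_outage(enquiry_times, t392, n392, n393, end_time):
    """Time at which the DCE declares the link down, or None.

    Assumed model: the DCE waits up to T392 for each Status Enquiry. An
    arrival before the deadline is a good event and restarts the timer
    from the arrival time; an expiry is an error event and restarts the
    timer from the expiry time.
    """
    if t392 <= 0:
        raise ValueError("T392 must be positive")
    monitor = LmiErrorMonitor(n392, n393)
    pending = deque(sorted(enquiry_times))
    deadline = t392
    while True:
        if pending and pending[0] <= deadline:
            arrival = pending.popleft()
            monitor.record(True)
            deadline = arrival + t392
        elif deadline > end_time:
            return None
        elif monitor.record(False):
            return deadline
        else:
            deadline += t392


# Constructed sample data: a DTE polling every T391 = 10 seconds.
HEALTHY_POLLS = [10 * k for k in range(1, 11)]          # t = 10 .. 100
# Constructed sample data: Status replies seen by the DTE, with some lost.
LOSSY_REPLIES = [True, True, False, True, False, False, True]

if __name__ == "__main__":
    print("DTE outage at enquiry", dte_first_outage(LOSSY_REPLIES, 3, 4))
    print("DCE, T392=15:", dce_first_outage(HEALTHY_POLLS, 15, 3, 4, 100))
    print("DCE, T392=4 :", dce_first_outage(HEALTHY_POLLS, 4, 3, 4, 100))
    print("DCE, DTE goes silent:", dce_first_outage([10, 20], 15, 3, 4, 200))
```

With T392 shorter than T391, the DCE in this model declares a healthy link unavailable, which is the failure the T392 greater than T391 requirement prevents.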
Frame Relay Address Mapping
Frame relay address mapping associates the protocol address of a remote device
with its frame relay address (local DLCI). By consulting the frame relay address map
by protocol address, the upper layer protocol can locate a remote device.
Frame relay is used to bear IP protocol. When sending an IP packet, the frame
relay-enabled router can obtain its next hop address after consulting the routing
table, which is inadequate for sending the packet to the correct destination across
a frame relay network. To identify the DLCI corresponding to the next hop address,
the router must consult a frame relay address map retaining the associations
between remote IP addresses and next hop DLCIs.
The following figure presents how LANs are interconnected across a frame relay
network.
[Figure: Router A, Router B and Router C attached to a frame relay (FR) network; DLCI labels 50, 60, 70 and 80]
Configuring Basic DTE Side Frame Relay
Follow these steps to configure DTE side frame relay:
To do... | Use the command... | Remarks
Enter system view | system-view | -
Enter interface view | interface interface-type interface-number | -
Configure interface encapsulation protocol as frame relay | link-protocol fr [ ietf | nonstandard ] | Required. ietf by default. The default link layer protocol for interface encapsulation is PPP.
Configure frame relay interface type as DTE | fr interface-type dte | Required. The default frame relay interface type is DTE.
Overview
Frame relay address mapping can be configured statically or set up dynamically.
■ Static configuration means the manual setup of the mapping relation between
the peer IP address and local DLCI, and is usually applied when there are few
peer hosts or there is a default route.
■ Dynamic setup means the dynamic setup of mapping relation between peer IP
address and local DLCI by InARP. Dynamic setup is applied when the peer
device also supports InARP and network is complex.
Configuration procedure
Follow these steps to configure frame relay address mapping:
Overview
When the frame relay interface type is DCE or NNI, the interface (either main
interface or subinterface) must be manually configured with virtual circuits. When
the frame relay interface type is DTE, for the main interface, the system will
determine the virtual circuit automatically according to the peer device, and the
main interface can also be manually configured with virtual circuits; for
subinterface, it is required to manually configure virtual circuits.
Configuration procedure
Follow these steps to configure frame relay local virtual circuit:
Overview
A device with frame relay switching function enabled can act as a frame relay
switch. In this scenario, the frame relay interface should be NNI or DCE and it is
required to perform corresponding configuration on the two or more interfaces
used for frame relay switching before the frame relay switching function can work.
To configure frame relay switching, you can configure static routes for frame relay
switching in interface view or configure PVC for frame relay switching in system
view.
Configuration procedure
Follow these steps to configure frame relay switching:
Overview
The frame relay module has two types of interfaces: main interface and
subinterface. The subinterface is of logical structure, which can be configured with
protocol address and virtual circuit. One physical interface can include multiple
subinterfaces, which do not exist physically. However, for the network layer, the
subinterface and main interface make no difference and both can be configured
with virtual circuits to connect to remote devices.
The subinterface of frame relay falls into two types: point-to-point (P2P)
subinterface and point-to-multipoint (P2MP) subinterface. P2P subinterface is used
to connect a single remote device and P2MP subinterface is used to connect
multiple remote devices. A P2MP subinterface can be configured with multiple
virtual circuits, each of which sets up an address map with its connected remote
network address to distinguish different connections. Address maps can be set up
by manual configuration or dynamically set up by InARP.
The methods to configure virtual circuit and address map for P2P subinterfaces
and P2MP subinterfaces are different, as described below.
■ P2P subinterface
Since there is only one peer address for a P2P subinterface, the peer address is
determined when a virtual circuit is configured for the subinterface. You therefore
do not need to configure dynamic or static address map for P2P subinterface.
■ P2MP subinterface
For a P2MP subinterface, a peer address can be mapped to the local DLCI through
static address mapping or InARP which only needs to be configured on the main
interface. If static address mapping is required, it is necessary to set up static
address map for each virtual circuit.
Configuration procedure
Follow these steps to configure frame relay subinterface:
Overview
With the increasingly wide application of IP network, internetworking of frame
relay networks needs to be realized through Frame Relay over IP, which creates
generic routing encapsulation (GRE) tunnel between frame relay networks at two
ends and transmits frame relay packets through the GRE tunnel, as illustrated
below:
The frame relay packets transmitted through GRE tunnel fall into three categories:
FR packet and InARP packet, both of which have IP header encapsulated, and LMI
packet used to negotiate virtual circuit status in GRE tunnel.
Configuration procedure
Follow these steps to configure frame relay over IP network:
c CAUTION:
■ Before configuring frame relay over IP network, it is necessary to create and
configure tunnel interface. After the setup of a GRE tunnel interface, you can
specify the tunnel interface to be used by frame relay switching to implement
frame relay packets over IP network.
■ You need to configure static route for frame relay switching in frame relay
interface view or multilink frame relay (MFR) interface view at both ends of GRE
tunnel, or configure PVC for frame relay switching in system view. After frame
relay routes have been configured, two route entries will be added into the
frame relay routing table of the router. In one route entry, the ingress interface
is tunnel interface and the egress interface is frame relay interface. In the other
route entry, the ingress interface is frame relay interface and the egress
interface is tunnel interface. On the tunnel interface, a virtual circuit whose
DLCI number is out-dlci will be generated. The status of this virtual circuit
determines the status of the above mentioned routes.
■ The virtual circuit used for frame relay switching must be configured on the
tunnel interfaces at both ends of the GRE tunnel, and the DLCI number
(out-dlci) on the tunnel interfaces must be the same.
Configuring Annex G
ANSI T1.617 Annex G (Annex G for short) defines the way to transmit X.25
packets through VCs. In an Annex G implementation, the
acknowledgement/retransmission and flow-control mechanism used in X.25 are
invoked to provide reliable transmission. Annex G can also be used to connect
X.25 networks through FR networks. It is a technology that can help you to
migrate from X.25 network to FR network and thus protects the investment on
X.25 effectively.
Configuration procedure
Follow these steps to configure Annex G:
CAUTION:
■ As Annex G is not compliant with Inverse-ARP, you need to configure a static
FR mapping for the destination IP address.
■ An Annex G interface is either a DCE or a DTE. For the two Annex G interfaces
of a VC, you need to configure one as the DTE and the other as the DCE.
CAUTION:
■ With FR address mapping configured in FR interface view, packets destined for
the destination are transmitted through a specific DLCI. With X.25 address
mapping configured in X.25 template view, a call to the specific X.25 address is
launched before a packet is sent to the destination IP address. IP packets can
be transmitted correctly only when both types of address mappings are
configured.
■ The configuration performed in X.25 template view is similar to that performed
in X.25 interface view. To establish an X.25 link successfully, the configurations
on the routers of both sides need to be consistent with each other.
Configuring Basic DCE Side Frame Relay
Follow these steps to configure DCE side frame relay:
To do...                                Use the command...                          Remarks
Enter system view                       system-view                                 -
Enter interface view                    interface interface-type interface-number   -
Configure interface encapsulation       link-protocol fr [ nonstandard | ietf ]     Required
protocol as frame relay                                                             The link layer protocol for interface
                                                                                    encapsulation is PPP by default. When
                                                                                    frame relay protocol is used for
                                                                                    interface encapsulation, the default
                                                                                    operating mode is IETF.
Configuring Frame Relay Address Mapping
Refer to “Configuring Frame Relay Address Mapping” on page 239.
Configuring Frame Relay Local Virtual Circuit
Refer to “Configuring Frame Relay Local Virtual Circuit” on page 239.
Configuring Frame Relay Switching
Refer to “Configuring Frame Relay Switching” on page 240.
Configuring Frame Relay Subinterface
Refer to “Configuring Frame Relay Subinterface” on page 241.
Configuring Frame Relay over IP Network
Refer to “Configuring Frame Relay over IP Network” on page 242.
Displaying and Maintaining Frame Relay
To do...                                Use the command...                          Remarks
Display frame relay protocol status     display fr interface [ interface-type       Available in any view
on interface                            { interface-number |                        Either all the information or the
                                        interface-number.subnumber } ]              information of specified interfaces
                                                                                    can be shown. The specified interface
                                                                                    can be either main interface or
                                                                                    subinterface.
Display mapping table of protocol       display fr map-info [ interface             Available in any view
address and frame relay address         interface-type { interface-number |         Either all the information or the
                                        interface-number.subnumber } ]              information of specified interfaces
                                                                                    can be shown. The specified interface
                                                                                    can be either main interface or
                                                                                    subinterface.
Network diagram
Figure 43 Network diagram for connecting LANs through a frame relay network
[Diagram: Router A (S2/0, 202.38.163.251/24), Router B (S2/0, 202.38.163.252/24) and Router C (S2/0, 202.38.163.253/24) attached to a frame relay (FR) network; DLCI labels shown: DLCI=50, DLCI=60, DLCI=70, DLCI=80]
Configuration procedure
1 Configure Router A:
<RouterA> system-view
[RouterA] interface serial 2/0
[RouterA-Serial2/0] ip address 202.38.163.251 255.255.255.0
[RouterA-Serial2/0] link-protocol fr
[RouterA-Serial2/0] fr interface-type dte
[RouterA-Serial2/0] fr inarp
# Assign an IP address.
<RouterB> system-view
[RouterB] interface serial 2/0
[RouterB-Serial2/0] ip address 202.38.163.252 255.255.255.0
[RouterB-Serial2/0] link-protocol fr
[RouterB-Serial2/0] fr interface-type dte
[RouterB-Serial2/0] fr inarp
# Assign an IP address.
<RouterC> system-view
[RouterC] interface serial 2/0
[RouterC-Serial2/0] ip address 202.38.163.253 255.255.255.0
[RouterC-Serial2/0] link-protocol fr
[RouterC-Serial2/0] fr interface-type dte
[RouterC-Serial2/0] fr inarp
Network diagram
[Diagram: Router A (S2/0, 202.38.163.251/24) connected to Router B (S2/0, 202.38.163.252/24); DLCI=100]
Configuration procedure
Approach I: On main interfaces
1 Configure Router A:
# Assign an IP address.
<RouterA> system-view
[RouterA] interface serial 2/0
[RouterA-Serial2/0] ip address 202.38.163.251 255.255.255.0
# Configure the link layer protocol on the interface to frame relay in DCE mode.
[RouterA-Serial2/0] link-protocol fr
[RouterA-Serial2/0] fr interface-type dce
2 Configure Router B:
# Assign an IP address.
<RouterB> system-view
[RouterB] interface serial 2/0
[RouterB-Serial2/0] ip address 202.38.163.252 255.255.255.0
[RouterB-Serial2/0] link-protocol fr
[RouterB-Serial2/0] fr interface-type dte
3 Configure Router A
# Set the link layer protocol on the interface to frame relay and interface type to
DCE.
<RouterA> system-view
[RouterA] interface serial 2/0
[RouterA-Serial2/0] link-protocol fr
[RouterA-Serial2/0] fr interface-type dce
[RouterA-Serial2/0] quit
# Set the link layer protocol on the interface to frame relay and interface type to
DTE.
<RouterB> system-view
[RouterB] interface serial 2/0
[RouterB-Serial2/0] link-protocol fr
[RouterB-Serial2/0] quit
Network diagram
[Diagram: Router A (S2/0, 202.38.163.251/24) connected to Router B (S2/0, 202.38.163.252/24); DLCI=100]
Configuration procedure
1 Configure Router A:
<RouterA> system-view
[RouterA] x25 template vofr
[RouterA-Serial2/0] link-protocol fr
[RouterA-Serial2/0] fr interface-type dce
<RouterB> system-view
[RouterB] x25 template vofr
[RouterB-Serial2/0] link-protocol fr
[RouterB-Serial2/0] fr interface-type dte
Troubleshooting Frame Relay
Symptom 1:
The physical layer is in down status.
Solution:
Symptom 2:
The physical layer is already up, but the link layer protocol is down.
Solution:
■ Ensure that both local device and remote device have been encapsulated with
frame relay protocol.
■ If two devices are directly connected, check the local device and remote device
to ensure that one end is configured as frame relay DTE interface and the other
end as frame relay DCE interface.
■ Ensure that the LMI protocol type configuration at the two ends is the same.
■ If the above conditions are satisfied, enable the monitoring function for the
frame relay LMI messages to see whether each Status Request message
corresponds to one Status Response message. If not, the physical layer data is
not being received or sent correctly. Check the physical layer. The
debugging fr lmi command is used to enable the monitoring function for
frame relay LMI messages.
Symptom 3:
The link layer protocol is up, but the remote party cannot be pinged.
Solution:
1 Ensure that the devices at both ends have configured (or created) correct address
mapping for the peer.
2 Ensure that there is a route to the peer if the devices are not in the same subnet
segment.
Overview
Frame relay compression technique can be used to compress frame relay packets
to save network bandwidth, reduce network load and improve the data transfer
efficiency on frame relay network.
The device supports FRF.9 stac compression (referred to as FRF.9) and FRF.20 IP
header compression (IPHC), which is referred to as FRF.20.
FRF.9
FRF.9 classifies packets into two types: control packets and data packets. Control
packets are used for status negotiation between the two ends of DLCI where
compression protocol has been configured. FRF.9 data packets cannot be switched
before the negotiation succeeds. If the negotiation fails after 10 attempts to send
FRF.9 control packet are made, the negotiating parties stop negotiation and the
compression configuration does not take effect.
FRF.9 compresses only data packets and InARP packets; it does not compress LMI
packets.
FRF.20
FRF.20 compresses the IP header of packets transmitted over frame relay. For
example, you may use it to compress voice packets to save bandwidth, decrease
load, and improve transmission efficiency on a frame relay network.
FRF.20 classifies packets into control packets and data packets. Control packets are
sent between FRF.20-enabled interfaces to negotiate status information. The
interfaces cannot exchange FRF.20 data packets before the negotiation succeeds.
If the negotiation fails after 10 attempts to send control packets are made, the
interfaces stop negotiation and their compression settings do not take effect.
Configuring FRF.9 Compression
A frame relay main interface is a P2MP interface, while a frame relay subinterface
can be of two types: P2P and P2MP. Therefore, the configuration of frame relay
FRF.9 compression varies by interface type. For a P2P subinterface, use
the fr compression frf9 command to enable FRF.9 compression in subinterface
view. For a P2MP frame relay interface or subinterface, frame relay
compression is configured when creating static address mapping.
To do...                                Use the command...                          Remarks
Enter system view                       system-view                                 -
Enter frame relay interface or          interface interface-type interface-number   -
subinterface view                       or
                                        interface serial interface-number.subnumber
Configure FRF.9 compression (select either one according to interface type):
  For P2P subinterface, enable          fr compression frf9                         Optional
  FRF.9 compression                                                                 FRF.9 compression is disabled by
                                                                                    default.
  For P2MP interface, enable FRF.9      fr map ip { ip-address [ ip-mask ] |        Optional
  compression when creating static      default } dlci-number [ broadcast |
  address mapping                       [ ietf | nonstandard ] ]* compression frf9
Configuring FRF.20 IP Header Compression
The frame relay function provides IP header compression, including RTP/TCP header
compression. You can enable IP header compression on interfaces or when
configuring static address mapping.
Displaying and Maintaining Frame Relay Compression
To do...                                Use the command...                          Remarks
Display statistics information about    display fr compress [ interface             Available in any view
FRF.9 compression                       interface-type interface-number ]
Display statistics information about    display fr iphc [ interface                 Available in any view
FRF.20 IP header compression            interface-type interface-number ]
Network diagram
[Diagram: Router A (S2/0, 10.110.40.1/24) and Router B (S2/0, 10.110.40.2/24) connected through a frame relay network]
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] interface serial 2/0
[RouterA-Serial2/0] link-protocol fr
[RouterA-Serial2/0] ip address 10.110.40.1 255.255.255.0
[RouterA-Serial2/0] fr interface-type dte
[RouterA-Serial2/0] fr map ip 10.110.40.2 100 compression frf9
2 Configure Router B
<RouterB> system-view
[RouterB] interface serial 2/0
[RouterB-Serial2/0] link-protocol fr
[RouterB-Serial2/0] ip address 10.110.40.2 255.255.255.0
[RouterB-Serial2/0] fr interface-type dte
[RouterB-Serial2/0] fr map ip 10.110.40.1 100 compression frf9
Overview
Multilink frame relay (MFR) is a cost effective bandwidth solution for frame relay
users. Based on the FRF.16 protocol of the frame relay forum, it implements MFR
function on DTE/DCE interfaces.
MFR function provides a kind of logic interface, namely MFR interface. The MFR
interface is composed of multiple frame relay physical links bound together, so as
to provide high-speed and broadband links on frame relay networks.
One MFR interface corresponds to one bundle, which may contain multiple bundle
links. One bundle link corresponds to one physical interface. A bundle manages its
bundle links. The interrelationship between bundle and bundle link is illustrated as
follows:
[Diagram: one bundle containing multiple bundle links]
For the actual physical layer, bundle link is visible; while for the actual data link
layer, bundle is visible.
The functions and configuration of the MFR interface are the same as those of an
ordinary FR interface. Like the FR interface, the MFR interface supports
DTE and DCE interface types as well as QoS queue mechanism. After physical
interfaces are bundled into an MFR interface, their original network layer and
frame relay link layer parameters become ineffective and they use the parameter
settings of the MFR interface instead.
Displaying and Maintaining Multilink Frame Relay
To do...                                Use the command...                          Remarks
Display configuration and status of     display interface mfr [ interface-number ]  Available in any view
MFR interface
Display configuration and statistics    display mfr [ interface interface-type      Available in any view
information of MFR bundle and           interface-number | verbose ]
bundle links
Network diagram
[Diagram: Router A and Router B connected by two serial links (S2/0 and S2/1 on each router) bundled into MFR 4; Router A MFR 4 is 10.140.10.1/24 and Router B MFR 4 is 10.140.10.2/24]
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] interface mfr 4
[RouterA-MFR4] ip address 10.140.10.1 255.255.255.0
[RouterA-MFR4] fr interface-type dte
[RouterA-MFR4] fr map ip 10.140.10.2 100
[RouterA-MFR4] quit
<RouterB> system-view
[RouterB] interface mfr 4
[RouterB-MFR4] ip address 10.140.10.2 255.255.255.0
[RouterB-MFR4] fr interface-type dce
[RouterB-MFR4] fr dlci 100
[RouterB-fr-dlci-MFR4-100] quit
[RouterB-MFR4] fr map ip 10.140.10.1 100
[RouterB-MFR4] quit
Network diagram
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] interface mfr 1
[RouterA-MFR1] ip address 1.1.1.1 255.0.0.0
[RouterA-MFR1] quit
<RouterB> system-view
[RouterB] fr switching
<RouterC> system-view
[RouterC] interface mfr 2
[RouterC-MFR2] ip address 1.1.1.2 255.0.0.0
[RouterC-MFR2] quit
Overview
PPP over frame relay (PPPoFR) enables routers to establish end-to-end PPP sessions
on a frame relay network, allowing frame relay stations to use PPP features such as
LCP, NCP, authentication, and MP fragmentation.
NOTE: As for the next hop and the outbound interface, only the former is required when
you configure a static route on a virtual-template interface. If you want to specify
the outbound interface as well, make sure the physical interface bound to the
virtual-template interface is valid.
Displaying and Maintaining PPPoFR
To do...                                Use the command...                          Remarks
Display PPPoFR MAP and status           display fr map-info pppofr [ interface      Available in any view
                                        interface-type interface-number ]
Network diagram
[Diagram: Router A (S2/0, VT1 10.1.1.2/8) and Router B (S2/0, VT1 10.1.1.1/8) connected through a frame relay (FR) network]
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] interface virtual-template 1
[RouterA-Virtual-Template1] ip address 10.1.1.2 255.0.0.0
[RouterA-Virtual-Template1] quit
<RouterB> system-view
[RouterB] interface virtual-template 1
[RouterB-Virtual-Template1] ip address 10.1.1.1 255.0.0.0
[RouterB-Virtual-Template1] quit
# Create DLCI 16
[RouterB-Serial2/0] fr dlci 16
[RouterB-fr-dlci-Serial2/0-16] quit
Overview
Multilink PPP over frame relay (MPoFR) is PPPoFR that uses MP fragmentation to
transmit MP fragments over frame relay stations.
In MPoFR configuration, first configure PPPoFR on two or more virtual templates (it
is not necessary to configure IP address on virtual templates), and then perform
the following configurations on these virtual templates to bind them to another
virtual template with PPP MP.
CAUTION:
■ To ensure packet transmission quality over virtual-template (VT) interfaces, you
can configure queue-independent QoS features on VT interface and
queue-dependent QoS features on FR interface. For detailed information, refer
to “QoS Overview” on page 1623.
■ As for the next hop and the outbound interface, only the former is required
when you configure a static route on a virtual-template interface. If you want
to specify the outbound interface as well, make sure the physical interface
bound to the virtual-template interface is valid.
■ Refer to “PPP and MP Configuration” on page 363 for information about
MP-related configuration.
The bandwidth of Router B Serial2/0 is 64 kbps. PC3 sends data service stream 3
to PC1, PC4 sends data service stream 4 to PC2, and there is also a voice service
stream.
To ensure voice quality, it is required to fragment the data packets to reduce voice
jitter caused by transmission delay. MPoFR is adopted here, and MP is used to
fragment data packets.
Network diagram
Configuration procedure
NOTE: This example only covers PPPoFR related configuration. You need to perform
other configurations on services, routes and so on.
1 Configure Router A.
<RouterA> system-view
[RouterA] acl number 3001
[RouterA-acl-adv-3001] rule 0 permit ip source 1.1.1.0 0.0.0.255
[RouterA-acl-adv-3001] rule 1 permit ip source 10.1.1.0 0.0.0.255
[RouterA] acl number 3002
[RouterA-acl-adv-3002] rule 0 permit tcp destination-port eq 1720
[RouterA-acl-adv-3002] rule 1 permit tcp source-port eq 1720
[RouterA-acl-adv-3002] quit
# Configure policy.
# Cancel fast forwarding defined in virtual template (CBQ is not supported when
fast forwarding is enabled).
<RouterB> system-view
[RouterB] acl number 3001
[RouterB-acl-adv-3001] rule 0 permit ip source 1.1.4.0 0.0.0.255
[RouterB-acl-adv-3001] rule 1 permit ip source 10.1.4.0 0.0.0.255
[RouterB] acl number 3002
[RouterB-acl-adv-3002] rule 0 permit tcp destination-port eq 1720
[RouterB-acl-adv-3002] rule 1 permit tcp source-port eq 1720
[RouterB-acl-adv-3002] quit
# Configure class 1
# Configure class 2
# Configure policy
# Cancel fast forwarding defined in virtual template (CBQ is not supported when
fast forwarding is enabled)
When configuring GVRP, go to these sections for information you are interested
in:
GARP
Generic attribute registration protocol (GARP) provides a mechanism that allows
participants in a GARP application to distribute, propagate, and register with other
participants in a bridged LAN the attributes specific to the GARP application, such
as the VLAN or multicast address attribute.
Join messages, Leave messages, and LeaveAll messages ensure that the
reregistration and deregistration of GARP attributes are performed in an orderly
way.
2 GARP timers
■ Hold timer
■ Join timer
Each GARP participant sends a Join message twice for reliability's sake and uses a
Join timer to set the sending interval. If the first Join message is not acknowledged
after the interval defined by the Join timer, the GARP participant sends the second
Join message.
■ Leave timer
A Leave timer starts upon receipt of a Leave message sent for deregistering some
attribute information. If no Join message is received before this timer expires, the
GARP application entity removes the attribute information as requested.
■ LeaveAll timer
A LeaveAll timer starts when a GARP application entity starts. When this timer
expires, the entity sends a LeaveAll message so that other entities can re-register
its attribute information. Then, a LeaveAll timer starts again.
NOTE:
■ The settings of GARP timers apply to all GARP applications, such as GVRP, on a
LAN.
■ Unlike the other three timers, which are set on a port basis, the LeaveAll timer is
set in system view and takes effect globally.
■ A GARP application entity may send LeaveAll messages at the interval set by its
LeaveAll timer or the LeaveAll timer on another device on the network,
whichever is smaller. This is because each time a device on the network receives
a LeaveAll message it resets its LeaveAll timer.
GARP application entities send protocol data units (PDU) with a particular
multicast MAC address as destination. Based on this address, a device can identify
to which GARP application, GVRP for example, a GARP PDU should be delivered.
[Figure: GARP PDU format. Message structure: Attribute Type, Attribute List. Attribute structure: Attribute Length, Attribute Event, Attribute Value.]
GVRP GVRP enables a device to propagate local VLAN registration information to other
participant devices and dynamically update the VLAN registration information
from other devices to its local database about active VLAN members and through
which port they can be reached. It thus ensures that all GVRP participants on a
bridged LAN maintain the same VLAN registration information. The VLAN
registration information propagated by GVRP includes both manually configured
local static entries and dynamic entries from other devices.
■ Normal: Enables the port to dynamically register and deregister VLANs, and to
propagate both dynamic and static VLAN information.
■ Fixed: Disables the port to dynamically register and deregister VLANs or
propagate information about dynamic VLANs, but allows the port to propagate
information about static VLANs. A trunk port with fixed registration type thus
allows only manually configured VLANs to pass through even though it is
configured to carry all VLANs.
■ Forbidden: Disables the port to dynamically register and deregister VLANs, and
to propagate VLAN information except information about VLAN 1. A trunk
port with forbidden registration type thus allows only VLAN 1 to pass through
even though it is configured to carry all VLANs.
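A port left in normal registration mode registers whatever VLANs its neighbours announce, so it is worth checking which VLANs the Join messages on a trunk actually carry. The following is an added example, not code from this manual: it parses the message and attribute structure described above and lists VLAN joins outside an approved set. The 2-byte protocol ID, the end marks, the event codes and the 2-byte VID attribute follow the IEEE 802.1D/802.1Q GARP and GVRP definitions rather than this page; the sample PDU and the function names are constructed for illustration.

```python
# Added example (not from the 3Com manual): GARP PDU parser and GVRP join check.
import struct

GARP_PROTOCOL_ID = 0x0001   # IEEE 802.1D GARP protocol identifier
ATTR_TYPE_VID = 1           # GVRP's attribute type: VLAN ID (2-byte value)
END_MARK = 0x00
EVENTS = {0: "LeaveAll", 1: "JoinEmpty", 2: "JoinIn",
          3: "LeaveEmpty", 4: "LeaveIn", 5: "Empty"}


class GarpParseError(ValueError):
    """Raised when a PDU does not follow the GARP layout."""


def parse_garp_pdu(pdu: bytes):
    """Return [(attribute_type, event_name, value_bytes), ...] for one PDU."""
    if len(pdu) < 2 or struct.unpack_from("!H", pdu)[0] != GARP_PROTOCOL_ID:
        raise GarpParseError("missing or unexpected GARP protocol ID")
    pos, attributes = 2, []
    while True:
        if pos >= len(pdu):
            raise GarpParseError("PDU end mark missing")
        attr_type = pdu[pos]
        pos += 1
        if attr_type == END_MARK:          # end of PDU; anything after is padding
            return attributes
        while True:                        # attribute list of this message
            if pos >= len(pdu):
                raise GarpParseError("attribute list end mark missing")
            length = pdu[pos]
            if length == END_MARK:
                pos += 1
                break
            # Attribute Length counts itself, the event byte and the value.
            if length < 2 or pos + length > len(pdu):
                raise GarpParseError(f"bad attribute length {length} at offset {pos}")
            event = EVENTS.get(pdu[pos + 1])
            if event is None:
                raise GarpParseError(f"unknown attribute event {pdu[pos + 1]}")
            attributes.append((attr_type, event, pdu[pos + 2:pos + length]))
            pos += length


def unapproved_vlan_joins(pdu: bytes, approved_vlans):
    """VLAN IDs a neighbour tries to register (Join events) outside the approved set."""
    flagged = []
    for attr_type, event, value in parse_garp_pdu(pdu):
        if attr_type != ATTR_TYPE_VID or not event.startswith("Join"):
            continue
        if len(value) != 2:
            raise GarpParseError("GVRP VID attribute value must be 2 bytes")
        (vid,) = struct.unpack("!H", value)
        if vid not in approved_vlans and vid not in flagged:
            flagged.append(vid)
    return flagged


# Constructed sample PDU: LeaveAll, JoinIn VLAN 2, JoinEmpty VLAN 3, JoinIn VLAN 666.
SAMPLE_PDU = bytes.fromhex(
    "0001"        # protocol ID
    "01"          # message: attribute type 1 (VID)
    "0200"        # LeaveAll (length 2, no value)
    "04020002"    # JoinIn, VLAN 2
    "04010003"    # JoinEmpty, VLAN 3
    "0402029a"    # JoinIn, VLAN 666
    "00"          # end of attribute list
    "00"          # end of PDU
)

if __name__ == "__main__":
    for entry in parse_garp_pdu(SAMPLE_PDU):
        print(entry)
    print("unapproved joins:", unapproved_vlan_joins(SAMPLE_PDU, {1, 2, 3}))
```

A VLAN reported here on a trunk that should only carry manually configured VLANs is a reason to set that port to the fixed or forbidden registration type.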
Configuring GVRP
Configuring GVRP Functions
Follow these steps to configure GVRP functions on a trunk port:
To do...                                Use the command...                          Remarks
Enter system view                       system-view                                 --
Enable global GVRP                      gvrp                                        Required
                                                                                    Disabled by default
Enter Ethernet interface view or port group view:
  Enter Ethernet interface view         interface interface-type interface-number   Use either command.
  Enter port group view                 port-group { aggregation agg-id |           Configured in Ethernet interface view,
                                        manual port-group-name }                    the subsequent configuration is
                                                                                    effective on the current port only;
                                                                                    configured in port group view, the
                                                                                    subsequent configuration is effective
                                                                                    on all ports in the port group.
Enable GVRP                             gvrp                                        Required
                                                                                    Disabled by default
Set the GVRP registration mode          gvrp registration { fixed | forbidden |     Optional
                                        normal }                                    The default is normal.
Displaying and Maintaining GVRP
To do...                                Use the command...                          Remarks
Display statistics about GARP           display garp statistics                     Available in any view
                                        [ interface interface-list ]
Display GARP timers for specified or    display garp timer                          Available in any view
all ports                               [ interface interface-list ]
Display statistics about GVRP           display gvrp statistics                     Available in any view
                                        [ interface interface-list ]
Display the global GVRP state           display gvrp status                         Available in any view
Clear the GARP statistics               reset garp statistics                       Available in user view
                                        [ interface interface-list ]
GVRP Configuration Example
Network diagram
[Diagram: Device A (Eth1/0) connected to Device B (Eth1/1)]
Configuration procedure
1 Configure Device A
<DeviceA> system-view
[DeviceA] gvrp
# Configure port Ethernet 1/0 as a trunk port, allowing all VLANs to pass.
[DeviceA-Ethernet1/0] gvrp
[DeviceA-Ethernet1/0] quit
[DeviceA] vlan 2
2 Configure Device B
<DeviceB> system-view
[DeviceB] gvrp
# Configure port Ethernet 1/1 as a trunk port, allowing all VLANs to pass.
[DeviceB-Ethernet1/1] gvrp
[DeviceB-Ethernet1/1] quit
[DeviceB] vlan 3
3 Verify the configuration
Network diagram
[Diagram: Device A (Eth1/0) connected to Device B (Eth1/1)]
Configuration procedure
1 Configure Device A
<DeviceA> system-view
[DeviceA] gvrp
# Configure port Ethernet 1/0 as a trunk port, allowing all VLANs to pass.
[DeviceA-Ethernet1/0] gvrp
[DeviceA] vlan 2
2 Configure Device B
<DeviceB> system-view
[DeviceB] gvrp
# Configure port Ethernet 1/1 as a trunk port, allowing all VLANs to pass.
[DeviceB-Ethernet1/1] gvrp
[DeviceB-Ethernet1/1] quit
[DeviceB] vlan 3
3 Verify the configuration
Network diagram
[Diagram: Device A (Eth1/0) connected to Device B (Eth1/1)]
Configuration procedure
1 Configure Device A
<DeviceA> system-view
[DeviceA] gvrp
# Configure port Ethernet 1/0 as a trunk port, allowing all VLANs to pass.
[DeviceA-Ethernet1/0] gvrp
[DeviceA] vlan 2
2 Configure Device B
<DeviceB> system-view
[DeviceB] gvrp
# Configure port Ethernet 1/1 as a trunk port, allowing all VLANs to pass.
[DeviceB-Ethernet1/1] gvrp
[DeviceB-Ethernet1/1] quit
[DeviceB] vlan 3
3 Verify the configuration
Introduction to HDLC
HDLC Overview
High-level data link control (HDLC) is a bit-oriented link layer protocol. Its most
prominent feature is that it can transmit any type of bit stream transparently.
■ HDLC supports point-to-point link only and does not support
point-to-multipoint link.
■ HDLC supports neither IP address negotiation nor authentication. It uses
keepalive messages to check link status.
■ HDLC can only be encapsulated on synchronous link. A
synchronous/asynchronous interface can also apply HDLC provided that it works in
synchronous mode. Currently, this protocol is applied on the Serial interface
and POS interface that work in synchronous mode.
HDLC Frame Format and Frame Type
There are three types of HDLC frames: information frame (I frame), supervision
frame (S frame) and unnumbered frame (U frame).
■ Information frame is responsible for transmitting useful data or information.
■ Supervision frame is responsible for error control and flow control.
■ Unnumbered frame is responsible for the link establishment, teardown, and so
on.
An HDLC frame is composed of flag field, address field, control field, information
field and checksum field.
■ The flag field, 0111111, marks the beginning and end of an HDLC frame. Each
frame begins with F and ends with F.
■ The address field is eight bits; it identifies the source or destination where the
frame is sent or received.
■ The control field is eight bits; it identifies the control type and defines the frame
type (control or data).
■ The information field can be an arbitrary binary bit set. The minimum length
can be zero and the maximum length is decided by the FCS field or the buffer
size of the communicating node. Generally, the maximum length is between
1000 and 2000 bits.
■ The checksum field can use a 16-bit CRC to check the content of a frame.
Introduction to X.25 and LAPB Protocols
The X.25 protocol specifies the interface standards between data terminal
equipment (DTE) and data circuit-terminating equipment (DCE). In 1974, CCITT
issued the first draft of X.25, whose initial files were based on the experiences and
recommendations of Telenet and Tymnet of USA and Datapac packet-switched
networks of Canada. It was revised in 1976, 1978, 1980 and 1984, with many
optional service functions and facilities added.
X.25 allows two DTEs to communicate with each other over the existing telephone
network.
One DTE contacts the other to setup a connection. The other DTE can either
accept or refuse the connection as required. Once the connection is established,
the devices at both ends can transmit information in full duplex mode, and either
end can disconnect the connection at any time.
X.25 is the protocol for point-to-point interaction between DTE and DCE. DTE
usually refers to the host or terminal at the user side, and DCE usually refers to a
device like the synchronous modem. DTE is connected with DCE directly, DCE is
connected to a port of packet switching exchange (PSE), and some connections
are established between the packet switching exchanges, thus forming the paths
between different DTEs. In an X.25 network, the relation of entities is shown in
the following diagram:
[Diagram: each DTE attaches to a DCE, and each DCE connects to a PSE inside the PSN]
DTE: Data terminal equipment
DCE: Data circuit-terminating equipment
PSE: Packet switching equipment
PSN: Packet switching network
The X.25 protocol defines the lowest three layers of the OSI (Open System
Interconnection) reference model. As shown in the following figure, layer 3
(packet layer) provision of X.25 describes the packet format used by the packet
layer and the procedure of packet switching between two layer-3 entities. Layer 2
(link layer) provision of X.25, also known as Link Access Procedure Balanced
(LAPB), defines the frame format and procedure adopted in the DTE-DCE
interaction. Layer 1 (physical layer) of X.25 defines some physical and electrical
characteristics in the connection between DTE and DCE.
[Figure: DTE and DCE protocol stacks joined at each of the three X.25 layers: the packet layer interface at layer 3 (X.25 packet layer), the data link interface at layer 2 (X.25 data link layer) and the physical layer interface at layer 1 (X.25 physical layer); layers 4 to 7 are shown without X.25 content]
The connection established via X.25 protocol between two DTEs is called virtual
circuit (VC), which exists logically and is distinct from the physical circuit in circuit
switching in nature. VCs involve Permanent Virtual Circuit (PVC) and Switched
Virtual Circuit (SVC). PVC is used for transmitting traffic that is generated in a
frequent but stable way and SVC for transmitting traffic that is generated in a
burst way.
established between DTE and DCE by X.25 layer 2 (LAPB) is multiplexed by X.25
layer 3, and those finally presented to users are several usable virtual circuits.
The relation between packets and frames in the X.25 layers is shown in the
following diagram.
[Figure: an X.25 layer 2 frame, made up of frame delimiter, frame header, data, frame check sequence and frame delimiter]
X.25 link layer specifies the frame switching process between DTE and DCE. From
the perspective of layering, the link layer is just like a bridge interconnecting the
packet layer interface of DTE and that of DCE. Through this bridge, packets can be
transmitted continuously between the packet layer of DTE and that of DCE. The
link layer has the following main functions:
As specified in international standards, the link layer protocol LAPB of X.25 adopts
the frame structure of High-level Data Link Control (HDLC) and is a subset of
HDLC. A link is set up by using the Set Asynchronous Balanced Mode (SABM)
command. A two-way link can be established after either
site sends an SABM command and the other replies with a UA response.
Although defined for X.25, as a separate link layer protocol, LAPB can directly
carry non-X.25 upper layer protocols for data transmission. You can set the link
layer protocol of serial interface as LAPB and transmit data locally. Meanwhile, the
X.25 implementation has switching function. Therefore, the device can be used as
a small-sized X.25 packet switch, thus protecting users’ investment in X.25. The
following figure describes the relation between LAPB, X.25 and X.25 switching.
[Figure: relation between IP, X.25 switching, X.25 and LAPB]
Configuring X.25
Note that an X.25 public packet switching network requires the device to access
the network as DTE and to be encapsulated with the IETF format generally.
Therefore, the operating mode of X.25 should be DTE and the encapsulation
format should be IETF. When two routers are connected back to back through
serial interfaces, ensure that they are using the same encapsulation format and are
respectively working as the DTE and DCE.
X.25, and their numbers range from 1 to 4095. The number used to differentiate
each virtual circuit (or logic channel) is called Logic Channel Identifier (LCI) or
Virtual Circuit Number (VCN).
NOTE: Strictly speaking, VC and LC are different. However, at the user end, they are
generally not distinguished strictly.
An important part of X.25 operation is how to manage the total 4,095 virtual
circuits. All the virtual circuit numbers are divided into four ranges (listed here in
ascending order):
The numbers of the virtual circuits established by an X.25 call must be set in the
ranges of B, C and D. The permanent virtual circuits must be set in the A range.
■ Only the DCE can initiate a call using a channel in the incoming-only channel
range.
■ Only the DTE can initiate a call using a channel in the outgoing-only channel
range.
■ Both the DCE and the DTE can initiate a call using a channel in the two-way
channel range.
■ DCE always uses the lowest available logic channel.
■ DTE always uses the highest available logic channel.
Thus, we can avoid the case that one side of the communication occupies all the
channels, and minimize the possibility of call collision.
In X.25 protocol, six parameters are employed to define the four ranges, as shown
in the following figure.
1
    PVC range
LIC
    Incoming-only channel range
HIC
    Unused
LTC
    Two-way channel range
HTC
    Unused
LOC
    Outgoing-only channel range
HOC
    Unused
4095
Parameter Description
LIC Lowest Incoming-only Channel
HIC Highest Incoming-only Channel
LTC Lowest Two-way Channel
HTC Highest Two-way Channel
LOC Lowest Outgoing-only Channel
HOC Highest Outgoing-only Channel
Each range (except PVC range) is defined by two parameters respectively working
as the upper limit and lower limit. The parameters are in the range of 1 to 4095
(including 1 and 4095), but they are regarded correct only if they satisfy the
following conditions:
■ In strict ascending order, i.e. 1 ≤ lic ≤ hic < ltc ≤ htc < loc ≤ hoc ≤ 4095.
■ If the upper limit (or lower limit) of a range is 0, then the lower limit (or upper
limit) shall also be 0, (which indicates this range is disabled from use).
■ At the two sides (i.e. DTE and DCE) of a physical connection, these six
parameters of X.25 must be equal in a symmetric way, as different settings at
the two sides are very likely to result in an improper procedure and hence result
in transmission failures.
■ When configuring, set the parameters with the default of each parameter and
the ascending order in mind.
■ The new configuration cannot take effect immediately on a connection in use
unless you reset the interface using the commands shutdown and undo
shutdown.
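The rules above can be checked before a configuration is applied. The following is an added example, not code from the guide or from 3Com: it validates the six parameters, derives the PVC range, compares the two ends of a link and applies the lowest/highest channel selection rule. All class and function names are assumptions, as are the 0 defaults for the incoming-only and outgoing-only ranges and the choice to skip disabled ranges in the ordering check.

```python
# Added example (not 3Com code). Names and the 0/0 defaults for the
# incoming-only and outgoing-only ranges are assumptions of this sketch.
from dataclasses import dataclass

MAX_LCI = 4095  # channel numbers run from 1 to 4095


@dataclass(frozen=True)
class VcRange:
    """The six range parameters; a (0, 0) pair means the range is disabled."""
    lic: int = 0
    hic: int = 0
    ltc: int = 1      # default two-way range stated in the guide: 1..1024
    htc: int = 1024
    loc: int = 0
    hoc: int = 0

    def pairs(self):
        return (("incoming-only", self.lic, self.hic),
                ("two-way", self.ltc, self.htc),
                ("outgoing-only", self.loc, self.hoc))

    def errors(self):
        """Return the list of rule violations; an empty list means valid."""
        problems, previous_high = [], 0
        for name, low, high in self.pairs():
            if low == 0 and high == 0:
                continue  # disabled range: skipped in the ordering check
            if low == 0 or high == 0:
                problems.append(f"{name}: one limit is 0 but the other is not")
                continue
            if not 1 <= low <= high <= MAX_LCI:
                problems.append(f"{name}: need 1 <= low <= high <= {MAX_LCI}")
            elif low <= previous_high:
                problems.append(f"{name}: not above the range before it")
            previous_high = max(previous_high, high)
        return problems

    def pvc_range(self):
        """PVC numbers lie below the lowest enabled SVC range, starting at 1."""
        lows = [low for _, low, high in self.pairs() if low and high]
        top = min(lows) - 1 if lows else MAX_LCI
        return (1, top) if top >= 1 else None


def mismatches(dte, dce):
    """Name the parameters that differ between the two ends of one link."""
    fields = ("lic", "hic", "ltc", "htc", "loc", "hoc")
    return [f for f in fields if getattr(dte, f) != getattr(dce, f)]


def pick_channel(vc, role, in_use):
    """Choose the channel for a new call: the DCE takes the lowest free
    channel it may originate on, the DTE takes the highest."""
    if role == "DCE":    # incoming-only and two-way ranges
        spans = [(vc.lic, vc.hic), (vc.ltc, vc.htc)]
    elif role == "DTE":  # two-way and outgoing-only ranges
        spans = [(vc.ltc, vc.htc), (vc.loc, vc.hoc)]
    else:
        raise ValueError("role must be 'DTE' or 'DCE'")
    free = [n for low, high in spans if low and high
            for n in range(low, high + 1) if n not in in_use]
    if not free:
        return None
    return min(free) if role == "DCE" else max(free)


if __name__ == "__main__":
    # Values taken from the guide's own command:
    # x25 vc-range in-channel 9 16 bi-channel 17 1024
    cfg = VcRange(lic=9, hic=16, ltc=17, htc=1024)
    print(cfg.errors(), cfg.pvc_range())
    print(VcRange().pvc_range())           # default range leaves no PVC numbers
    print(mismatches(cfg, VcRange()))      # peer still on defaults
    print(pick_channel(cfg, "DCE", set()), pick_channel(cfg, "DTE", set()))
```

With the default two-way range starting at 1, `pvc_range()` returns nothing, which is why a VC range must be set before a PVC can be created.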
The X.25 protocol requires that DTE and DCE use the same packet sequence
numbering mode. The new configuration is not effective unless you reset the
interface using the shutdown command and undo shutdown command.
Besides, the packet sequence numbering mode of X.25 layer 3 is different from
the frame sequence numbering mode of LAPB (X.25 layer 2). When modulo 128
numbering mode is employed on a DTE/DCE interface with a high throughput rate,
for LAPB only the efficiency of the local DTE/DCE interface is affected, that is,
point-to-point efficiency increases. For X.25 layer 3, end-to-end efficiency is
affected, that is, the efficiency between the two DTEs increases.
cannot perform traffic control effectively and correctly unless correctly configured.
Any inappropriate configuration will cause CLEAR and RESET events of X.25. As
most public X.25 packet networks use the default window size and maximum
packet size specified in ITU-T X.25 Recommendation, the device also adopts the
same default values. Therefore, you need not set the two parameters unless
requested by the access service providers.
After the default window size and the default maximum packet size are set, the
SVC, which can be established only via calling, will use these default values if
related parameters are not negotiated in the call process. (Parameter negotiation
will be described in the later sections). The PVC, which can be established directly
without calling, will also use these default values if no window size or packet size
option is appended when it is specified. (Refer to “Configuring PVC Application of
X.25 over FR” on page 311).
An X.25 sender fragments oversize upper-layer data packets based on the maximum
packet size, and marks the final fragment packet (M bit not set). After the
packets reach the receiver, X.25 reassembles the fragment packets and uses the
M bit flag to determine whether a complete upper-layer packet has been received.
Therefore, too small a value of the maximum packet size consumes too many router
resources on message fragmenting and reassembling, thus lowering efficiency.
Note that:
Configuration procedure
To configure X.25 interface parameters, use the following commands:
Configuring X.25 Interface Supplementary Parameters
It is necessary to configure certain supplementary X.25 parameters in some special
network environments. The section is related to these supplementary parameters.
X.25 layer 3 delay timer
X.25 protocol defines a series of timers to facilitate its procedure. After X.25 sends
a control message, if it does not receive the response before the timeout of the
corresponding timer, X.25 protocol will take corresponding measure to handle this
abnormal event. The names and corresponding procedures of these timers are
shown in the following table.
Table 5 X.25 Layer 3 timer
Procedure name    Timer name (DTE side)    Timer name (DCE side)
Restart           T20                      T10
Call              T21                      T11
Reset             T22                      T12
Clear             T23                      T13
Register          T28                      -
T28 is “Registration request sending” timer that is only defined on DTE for
dynamically requesting the network for optional services or stopping these
services. Its default value is 300 seconds, which cannot be changed.
When an X.25 call is forwarded across multiple networks, different networks will
likely make some modifications to the called address as needed, such as adding or
deleting the prefix. In such cases, the destination address of a call that reaches
an X.25 interface may be inconsistent with the X.121 address of the destination
interface (because the destination address of this call is modified within the
network), yet the interface should still accept this call. For this purpose, one or
more alias names must be specified for this interface.
To meet the requirements of different networks, X.25 defines nine match types
and their relevant alias string formats, as shown in the following table.
As defined in the X.25 protocol, a call packet must carry the information set of
both the calling DTE address (source address) and the called DTE address
(destination address). This address information set is called the address code block.
In the call accept packet, however, some networks require that both (the calling
DTE address and the called DTE address) be carried, some networks require that
only one of the two be carried, while some others require that neither be
carried. To adapt to the differences between networks, you can select the
behavior as required.
An X.25 call request packet includes a CUD (Call User Data) field that indicates the
upper layer protocol type carried over X.25 protocol. When receiving an X.25 call,
the device will check the CUD field in the packet. If receiving a call carrying an
unidentifiable CUD field, the router will deny it. However, an upper layer protocol
can be specified as the default protocol on the X.25. When X.25 receives a call
with an unrecognizable CUD, it will treat it as the customized default upper layer
protocol.
Configuration procedure
To configure X.25 interface supplementary parameters, use the following
commands:
Configuring X.25 Datagram Transmission
In the most frequently used X.25 service, data is transmitted between two hosts
using the X.25 protocol through X.25 packet switching network. As shown in the
following figure, LAN 1 and LAN 2 are far apart, and the large and distributed
X.25 packet switching network can be used to realize information exchange
between them.
[Figure: LAN 1 behind Router A and LAN 2 behind Router B, connected through the
X.25 packet switching network.]
LAN 1 and LAN 2 communicate with each other by sending the datagrams
carrying Internet Protocol (IP) addresses. However, X.25 uses the X.121 address.
Therefore, to solve the problem, the mapping between IP address and X.121
address needs to be established. In other words, to enable X.25 to transmit data
remotely, correctly establishing the address mapping is very significant. This
section will deal with how to establish address mapping.
Then, how can the router target the destination of the call? In other words, how
can the router determine the X.121 address for the IP address destination? For this
purpose, the router will look up the protocol-address-to-X.121 address mappings
that have been configured on the router. A direct call destination has its own
protocol address and X.121 address. In this case, a destination
protocol-address-to-X.121 address mapping must be created on the source.
Through the mapping, X.25 can find the destination X.121 address according to
the destination protocol address to initiate a call successfully. This is why the
address mapping shall be established for X.25.
Creating PVC
A PVC can be created for the data transmission featuring large but stable traffic
size and requiring the service quality of leased line. A PVC does not need any call
process and will always exist once set up. Before creating a PVC, it is unnecessary
to create an address mapping, because an address mapping is created implicitly
when a PVC is created.
Configuration procedure
To configure X.25 datagram transmission, use the following commands:
Note:
■ Since the default two-way channel range: LTC=1, HTC=1024 does not support
PVC configuration, you need to specify a VC range using the x25 vc-range
command to create a PVC.
■ If a PVC has no related parameters configured, its traffic control parameters are
the same as those of its X.25 interface, set by the commands x25
packet-size and x25 window-size.
Configuring Additional Parameters for X.25 Datagram Transmission
X.25 allows the addition of some characteristics, including a series of optional user
facilities provisioned in ITU-T Recommendation X.25, for the sake of improving
performance and broadening application ranges.
This section describes how to configure such additional features, including the
options in the x25 map and x25 pvc command. Select and configure these
additional features according to X.25 network structure, and the services provided
by service provider.
To do...                                                                                          Remarks
Enter system view                                                                                 -
“Specify the maximum idle time of SVC” on page 294                                                Optional
“Specify the maximum number of SVCs allowed to associate with the same address mapping” on page 295   Optional
“Configure packet pre-acknowledgement” on page 295                                                Optional
“Configure X.25 user facility” on page 296                                                        Optional
“Configure the data queue length of VC” on page 297                                               Optional
“Broadcast via X.25” on page 298                                                                  Optional
“Restrict the use of address mapping” on page 298                                                 Optional
Specify the maximum number of SVCs allowed to associate with the same
address mapping
You can specify the maximum number of SVCs allowed to be set up for the same
address mapping. By default, an X.25 address mapping can only be associated
with one VC. In case of busy traffic and slow line speed, you can increase this
number properly to reduce data loss. Up to 8 SVCs can be associated with an X.25
address mapping.
For information about input window size, refer to “Traffic control parameters” on
page 288.
The configuration based on X.25 interface will be effective in every call originating
from this X.25 interface, while the configuration based on address mapping will
be effective only in the calls originating from this address mapping.
2 Address-mapping-based configuration
For CUG configuration, refer to “Configuring X.25 Closed User Group” on page
303.
You can determine whether to copy and send a broadcast to a destination. This is
very important. For instance, you must enable X.25 to send broadcast datagrams
so that broadcast-based application layer routing protocols can exchange route
information on an X.25 network.
Configuring X.25 Subinterface
An X.25 subinterface is a virtual interface that has its own protocol address and
VC. On a physical interface, you can create multiple subinterfaces to implement the
interconnections of multiple networks through a physical interface. All
subinterfaces under the master interface share an X.121 address with the master
interface. X.25 subinterfaces fall into point-to-point subinterfaces and
point-to-multipoint subinterfaces. A point-to-point subinterface is used to connect
a single remote end, while a point-to-multipoint subinterface is used to connect
multiple ones, which must be on the same network segment.
Note: When the link layer protocol of the interface is LAPB, HDLC, or PPP, no
subinterface can be created.
Simply speaking, X.25 packet switching means that, after receiving a packet from
an X.25 port or Annex G DLCI, a switch will select a certain X.25 port or Annex G
DLCI to send the packet according to the related destination information
contained in the packet. Introducing X.25 switching enables the system to
implement packet switching function at packet layer. The device can act as a
packet switch.
Configuration procedure
To configure X.25 switching, use the following commands:
Enabling or disabling X.25 switching only affects call establishment and does not
affect established links.
The switching routes can be configured after X.25 switching is enabled. If you
disable the switching (using the undo x25 switching command) after configuring
some switching routes, then
■ All static SVC routes are no longer displayed, while PVC routes are still
displayed.
■ If you execute the x25 switching command again without a restart, SVC routes
will be restored and visible upon using the display command.
■ At this time, if you execute the save command and restart, all SVC and PVC
routes will be lost.
Note: Since the default two-way channel range: LTC=1, HTC=1024 does not support
PVC configuration, you need to specify a VC range using the x25 vc-range
command to create a PVC.
Note that X.25 hunt group selects different transmission lines only during VC call
establishment. Once the whole VC completes the establishment and enters data
transfer phase, X.25 hunt group will not function any longer and data transfer will
be processed based on the normal VC. Since PVC is in data transfer phase after
establishment and experiences no call establishment and call clearing processes,
X.25 load sharing can function only on SVC, and not on PVC.
In an X.25 hunt group, all DTEs have the same position and the same X.121
address. DTEs inside the hunt group can call DTEs outside the hunt group in the
normal way. When accessing the hunt group, devices outside it cannot know which
device they are accessing; the line selection is controlled by the DCE configured
with the hunt group.
The DTE address in a hunt group can either be the same as the hunt group address
or different from it. X.25 hunt group supports substitution of the source address
and of the destination address. You can use the destination address substitution
function to hide the DTE address inside the hunt group, so that a DTE outside the
hunt group only knows the hunt group address; this strengthens network security
inside the hunt group. You can use the source address substitution function to
hide the DTE address outside the hunt group: a DTE inside the hunt group sees only
the substituted address, not the source address of a call connection, which
protects users’ privacy.
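[Figure: Terminal A, Terminal B and Terminal C reach Router A through the X.25
packet switching network. Behind Router A is hunt group HG 1 (address 8888),
containing Server A (address 9999) and Server B (address 9999).]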
As shown in the above figure, server A and server B, which are configured in
hunt group HG 1, provide users with the same service. Server A and server B
addresses are 9999, and the hunt group address is 8888. Enabling the destination
address substitution function on Router A means that the address 8888 is replaced
by the address 9999. When a user transacts a service, the user terminal will send a
call to the destination address 8888. Such calls from any terminal are directed
towards the address 9999 and transmitted to server A or server B via Router
A. The load is thus shared between server A and server B to lower the
pressure on a single server.
X.25 hunt group supports two call channel selection policies: round-robin mode
and vc-number mode. However, a hunt group only uses one policy.
■ The round-robin mode uses a cyclic selection method to select next interface or
XOT channel inside hunt group for each call. For example, in the above figure,
if the hunt group HG 1 uses the round-robin mode, the call will be sent in turn
to server A or server B.
■ The vc-number mode selects the interface with the maximum idle logic
channels inside hunt group for each call. For example, in the above figure, if
the hunt group HG 1 uses the vc-number mode, the remaining logic channels
of the lines between server A and DCE are 500, while those of the lines
between server B and DCE are 300. Thus, the first 200 calls will be sent to
server A, and the subsequent calls will be sent in turn to server A or server B.
X.25 hunt group supports synchronous serial interfaces and XOT channels, and
selects among the available lines without distinguishing between the two types.
However, since an XOT channel cannot calculate the number of logic channels, it
cannot be added to a hunt group that uses the vc-number selection policy.
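The two selection policies and the destination address substitution described above, as an added example that is not 3Com code. The class names, the member kind labels and the tie-break (first member added wins) are assumptions, and every call is assumed to hold its channel for the whole run.

```python
# Added example (not 3Com code). HuntGroup, Member and the "kind" labels are
# names chosen for this sketch; ties go to the member added first (assumption).
from dataclasses import dataclass

MAX_MEMBERS = 10                       # limit stated in the guide
POLICIES = ("round-robin", "vc-number")


@dataclass
class Member:
    name: str
    kind: str = "serial"               # "serial", "annexg-dlci" or "xot"
    idle_channels: int = 0             # not meaningful for an XOT channel


class HuntGroup:
    def __init__(self, name, policy, address, dest_substitute=None):
        if policy not in POLICIES:
            raise ValueError(f"unknown policy {policy!r}")
        self.name, self.policy = name, policy
        self.address = address                  # hunt group X.121 address
        self.dest_substitute = dest_substitute  # address shown to the member
        self.members, self._next = [], 0

    def add(self, member):
        if len(self.members) >= MAX_MEMBERS:
            raise ValueError("a hunt group holds at most 10 members")
        if self.policy == "vc-number" and member.kind == "xot":
            raise ValueError("XOT cannot report idle channels for vc-number")
        self.members.append(member)

    def select(self):
        """Pick the member for one call setup, or None if none can take it."""
        if not self.members:
            return None
        if self.policy == "round-robin":
            member = self.members[self._next % len(self.members)]
            self._next += 1
            return member
        member = max(self.members, key=lambda m: m.idle_channels)
        if member.idle_channels <= 0:
            return None
        member.idle_channels -= 1      # the new call occupies one channel
        return member

    def route_call(self, called):
        """Return (member name, called address delivered to that member)."""
        if called != self.address:
            return None                # not addressed to this hunt group
        member = self.select()
        if member is None:
            return None
        return member.name, self.dest_substitute or called


if __name__ == "__main__":
    # The guide's scenario: HG 1 at 8888, servers at 9999, 500 and 300 idle
    # channels, vc-number policy.
    hg = HuntGroup("HG1", "vc-number", address="8888", dest_substitute="9999")
    hg.add(Member("Server A", idle_channels=500))
    hg.add(Member("Server B", idle_channels=300))
    calls = [hg.route_call("8888") for _ in range(206)]
    print(calls[0], [name for name, _ in calls[198:206]])
```

The first 200 calls land on Server A, after which the two servers alternate, and every call is delivered with the substituted address 9999 rather than 8888.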
X.25 network load sharing is configured on DCE device. In most cases, your device
is used as DTE device in X.25 network. The network providers provide the load
sharing function on packet switch. In this way, no special configuration is required
on the device. For the specific configuration procedure, refer to the previous
chapters. When it is used as DCE device in X.25 network, it provides load sharing
function for DTE device. At this time, X.25 load sharing needs to be configured on
it.
Note: You need not configure the hunt group address, and only need to set the
destination address as the hunt group address on the source DTE.
Configuration procedure
To configure X.25 load sharing, use the following commands:
Note that:
■ A hunt group can have 10 synchronous serial interfaces, Annex G DLCI or XOT
channels at most.
■ XOT channel cannot be added to the hunt group that uses vc-number channel
selection policy.
One user may belong to multiple CUGs. When the user calls another user in a
CUG, the CUG number is included in its capability negotiation message. The user
may also be set not to belong to any CUG, in which case the capability message
does not carry CUG information.
[Figure: Call 1 is barred as outgoing and released before it enters the X.25
network; Call 2 arrives from the X.25 network, is barred as incoming and released.]
Note:
Call 1: DTE originates a call, but outgoing capability is barred, so the call is
removed by DCE with CUG enabled.
Call 2: DCE receives a call request and requests a connection with DTE. CUG
function is enabled on DCE and the incoming capability is barred, so the call is
removed by DCE.
■ CUG function
You must enable CUG function first before configuring it, which by default is not
enabled.
After CUG function is enabled, all calls, including those with or without CUG
facilities are suppressed. You can also define some suppression policies for CUG to
process calls in different ways.
Two types of CUG suppression policies are available. One is to suppress all
incoming calls, where the system removes the CUG facilities of all incoming calls
with CUG facilities. The other is to suppress the incoming calls matching the
mapping specified as preference rule, where the system removes the CUG facilities
only of those incoming calls matching the mapping specified as preference rule,
but lets other incoming calls with CUG facilities pass through. The details are:
1 Incoming suppression policy, in which the system lets the incoming calls without
CUG facilities pass through, but suppresses the incoming calls with CUG facilities
but without access configuration configured by the CUG mapping rule.
2 Outgoing suppression policy, in which the system lets the outgoing calls without
CUG facilities pass through, but suppresses the outgoing calls with CUG facilities
but without access configuration configured by the CUG mapping rule.
3 All suppression policy, in which the system removes CUG facilities (if any) and
processes the call for all incoming calls. This policy has no effect on outgoing
calls.
4 Preference mapping suppression policy, in which the system removes CUG facilities
and processes the call for the incoming calls with CUG facilities and with a
preference mapping rule, but lets the incoming calls without a preference mapping
rule pass through. This policy has no effect on outgoing calls.
Note: You can only configure the CUG function on an X.25 interface working as DCE,
that is, you must specify the serial interface as DCE when specifying the X.25
protocol on it.
■ CUG mapping and suppression rule
CUG mapping refers to CUG number conversion from the local end (DTE) to the
network end (X.25) during CUG call processing. For example, when processing the
call from the DTE with CUG 10 to the DTE with CUG 20, the system first searches the
mapping table for this mapping entry: if the table has this entry, it forwards the
packets; if not, it denies the forwarding.
You can define suppression rules in configuring CUG mapping, including three
types:
Specifying as preference rule depends on CUG suppression policy. That is, if the
suppression policy is configured as only suppressing the CUG of preference
mapping, then the system removes the CUG facilities in the incoming call packet
of this mapping and makes call processing.
Note: You must configure CUG function on X.25 DCE interface, that is, you must
specify it as DCE end in encapsulating X.25 protocol on serial interface.
Configuration procedure
To configure CUG, use the following commands:
Note: The x25 cug-service and x25 local-cug commands are supported only on the
X.25 DCE interface, that is, you need to specify the interface as DCE when
encapsulating X.25 protocol on the serial interface.
[Figure: a non-X.25 terminal and the X.25 network, with the non-X.25 procedure
and the X.25 procedure labeled.]
X.25 PAD facilities are thus regarded as procedure translators or network servers,
helping different terminals access X.25 networks.
The system implements X.29 and X.3 protocols in the X.25 PAD protocol suite. In
addition, it implements X.29-based Telnet. This allows you to telnet to a remote
router through X.25 PAD when IP-based Telnet is not preferred for security
reasons, as shown in the figure below.
[Figure: Router A (S2/0) and Router B (S2/0) connected through the X.25 network.]
Configuring X.25 PAD
Place an X.25 PAD call to log onto a remote device
If two routers on an X.25 network support X.25 PAD, you can use the pad
command to place an X.25 PAD call on one router (the client) to log onto the
other router (the server). If authentication is configured, the server will
authenticate the client before allowing it to log in.
After logging onto the server, you can access the configuration interface on the
server.
You can nest a pad command within another pad command or a telnet
command. By nesting commands, you can do the following on your router:
■ Place an X.25 PAD call to log onto another router; and from that router, place
another X.25 PAD call to log onto a third router, and so on.
■ Telnet to another router; and from that router, place an X.25 call to log onto a
third router, and so on.
■ Place an X.25 PAD call to log onto another router; and from that router, telnet
to a third router, and so on.
Logout operations are done in the reverse direction. You can execute the quit
command multiple times to log out the currently logged-in router and all the
in-between routers one by one.
Set the delay waiting for the response to an Invite Clear message
The server end of X.25 PAD may send an Invite Clear message to the client, for
example, after receiving an exit request from client or in order to release the link.
At the same time, a timer is started. If no response is received upon expiration of
the timer, the server will clear the link.
Configuration procedure
To configure X.25 PAD, use the following commands:
Troubleshooting X.25 PAD
Symptom: Failed to log onto a remote device after placing an X.25 PAD call to the
remote device. The system prompted that the destination address was unreachable.
Solution:
Check that:
■ The two ends of the X.25 PAD call are connected through an X.25 network and
the physical connection is normal. The serial interfaces used for connection are
encapsulated with X.25 and both of them support X.25 PAD. One end is DCE,
the other is DTE, both using the same encapsulation type (ietf or nonstandard).
■ The destination X.121 address is correct. It must be the one assigned to the
intended serial interface at server end.
■ X.25 switching is disabled, or a route is available to the server end
when X.25 switching is enabled. In the former case, the default route is used to
route the call. In the latter case, at least one route must be configured for
routing the call.
Introduction to XOT Protocol
X.25 over TCP (XOT) carries X.25 packets over TCP to interconnect two X.25
networks across an IP network. The following figure presents an XOT application
environment.
[Figure: Router A connects to Router B and Router D connects to Router C over
X.25; Router B and Router C are connected across the IP network.]
■ Supporting SVC application. The routers at both ends can dynamically establish
an SVC by sending call packet, and this SVC will be automatically cleared when
no data is transmitted.
■ Supporting PVC application. After being configured with a PVC, the routers at
both ends directly enter the data transmission status without establishing a call.
Moreover, this PVC will not be dynamically deleted when no data is
transmitted.
■ Supporting Keepalive attribute of TCP. If Keepalive is not configured, the TCP
connection will not be cleared, or will be cleared only after a long time, even
if the connection is interrupted. After Keepalive is configured, TCP detects the
availability of the link in time. If TCP does not receive a response from the
peer after many attempts, it clears its connection on its own initiative.
As shown in the above figure, when transmitting data, Router A first sends a call
request packet to establish VC. After receiving this call packet and judging it as
XOT application, Router B will establish a TCP connection with Router C, then add
XOT header to X.25 call packet and encapsulate it into TCP, finally transmit it to
Router C. After deleting TCP and XOT header, Router C transfers the call request
packet to Router D via X.25 local switching. After receiving it, Router D will give
out call acknowledgement until the link is completely established to transmit data.
The whole process for establishment and application of TCP connection is
transparent for Router A and Router D that do not care whether data is forwarded
via IP network or X.25 network.
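The encapsulation step that Router B and Router C perform, as an added example that is not 3Com code. It assumes the XOT header layout of RFC 1613 (a 2-octet version that must be 0, then a 2-octet length of the X.25 packet); the function and class names and the upper size bound are assumptions, and the sample packet is constructed.

```python
# Added example (not 3Com code): XOT framing per RFC 1613, with the length
# checks a receiver needs because TCP delivers a byte stream, not packets.
import struct

XOT_VERSION = 0
XOT_HEADER = struct.Struct("!HH")   # version, length of the X.25 packet
MIN_X25_PACKET = 3                  # GFI/LCGN octet, LCN octet, type octet
MAX_X25_PACKET = 4 + 4096           # assumed bound: header plus 4096 data octets


class XotError(ValueError):
    """Malformed XOT frame; the TCP connection should be closed."""


def xot_encode(x25_packet):
    """Prefix one X.25 packet with the XOT header before sending it over TCP."""
    if not MIN_X25_PACKET <= len(x25_packet) <= MAX_X25_PACKET:
        raise XotError(f"illegal X.25 packet length {len(x25_packet)}")
    return XOT_HEADER.pack(XOT_VERSION, len(x25_packet)) + x25_packet


class XotDecoder:
    """Incremental decoder: one read may hold half a header or several frames."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, data):
        """Add received bytes; return the complete X.25 packets now available."""
        self._buf += data
        packets = []
        while len(self._buf) >= XOT_HEADER.size:
            version, length = XOT_HEADER.unpack_from(self._buf)
            if version != XOT_VERSION:
                raise XotError(f"unsupported XOT version {version}")
            if not MIN_X25_PACKET <= length <= MAX_X25_PACKET:
                raise XotError(f"illegal length field {length}")
            end = XOT_HEADER.size + length
            if len(self._buf) < end:
                break               # wait for the rest of this packet
            packets.append(bytes(self._buf[XOT_HEADER.size:end]))
            del self._buf[:end]
        return packets


def lci(x25_packet):
    """12-bit logical channel identifier: low nibble of octet 1 plus octet 2."""
    return ((x25_packet[0] & 0x0F) << 8) | x25_packet[1]


def packet_type(x25_packet):
    """Packet type identifier octet (0x0B is a call request)."""
    return x25_packet[2]


# Constructed sample: call request header on channel 1024 (GFI 0001, LCGN 4,
# LCN 0, type 0x0B) followed by four filler octets, not a real address block.
SAMPLE_CALL = bytes([0x14, 0x00, 0x0B]) + b"\x00" * 4

if __name__ == "__main__":
    frame = xot_encode(SAMPLE_CALL)
    decoder = XotDecoder()
    print(decoder.feed(frame[:3]))             # partial header: nothing yet
    for pkt in decoder.feed(frame[3:] + frame):
        print(lci(pkt), hex(packet_type(pkt)), len(pkt))
```

A version other than 0 or a length outside the X.25 bounds raises `XotError`, which a receiver would treat as grounds to drop the TCP connection rather than resynchronise.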
Note:
■ In SVC mode, X.25 routes are required.
■ Since the default two-way channel range: LTC=1, HTC=1024 does not support
PVC configuration, you need to specify a VC range using the x25 vc-range
command to create a PVC.
■ For IP address configuration, refer to “IP Addressing Configuration” on page
623.
Option                                   Indicates
timer seconds                            Keepalive timer for the XOT connection, in the range 1 to 3600 seconds. Upon its timeout the router begins to send keepalive packets to test availability of the connection
retry times                              The maximum number of Keepalive packet sending attempts, in the range 3 to 3600. When the number of keepalive packet sending attempts exceeds the limit, the XOT connection is disconnected
source interface-type interface-number   Interface where the XOT connection is initiated
Introduction to X.25 over FR
X.25 over FR carries X.25 packets over FR to interconnect two X.25 networks
across an FR network, as shown in the following figure.
[Figure: Router A connects to Router B and Router D connects to Router C over
X.25; Router B and Router C are connected across the FR network.]
Configuring SVC Application of X.25 over FR
X.25 over FR is an extension to X.25 switching, so you need to enable X.25
switching first.
To configure SVC application of X.25 over FR, use the following commands:
Configuring PVC Application of X.25 over FR
X.25 over FR is an extension to X.25 switching, so you need to enable X.25
switching first.
To configure SVC application of X.25 over FR, use the following commands:
Configuring X2T
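Introduction
X.25 to TCP switch (X2T) connects X.25 to TCP/IP networks, allowing the access
between X.25 and IP hosts.
[Figure: X2T protocol stacks. On the X.25 side: X.25 over LAPB over the physical
layer. On the IP side: TCP over IP over the data link layer over the physical
layer. X2T joins the X.25 stack and the TCP stack.]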
The X.25 terminal has an X.121 address to the IP host. Whenever the router
receives an X.25 call request packet, it checks the destination address of X.121 in
the packet and looks up in the X2T routing table for a match. If there is a
matching route, the router will set up a TCP connection with the host at the
destination IP address of the X2T route. After that, the router will extract the pure
data from the X.25 packet and send them to the IP host through the TCP
connection.
The IP host can go through the IP address on the interface of the IP network to
access the X.25 host. Whenever the router receives a TCP connection request, it
checks the destination IP address and TCP port number of the TCP connection and
looks up in the X2T routing table for a match. If there is a match, the router will
set up an X.25 SVC destined to the host at the associated destination X.121
address of the X2T route. After that, the router will extract the pure data from the
TCP packet and send them to the X.25 host through the X.25 SVC. If the router
sets up a PVC connection with X.25 host, it transmits the data directly to X.25
host through X.25 PVC.
CAUTION:
■ Number of X2T mapping entries varies by device. The maximum number of
entries is 100 by default, including both entries configured using the translate
ip and translate x25 commands.
■ When specifying a port number using the translate ip command: for an IP
address using one port, specify port 102; for an IP address using multiple ports,
specify port numbers from 1024 to 5000 instead of well-known port numbers
such as 21 and 23, to avoid network failures.
Displaying and Maintaining LAPB and X.25
To do...                                                                  Use the command...                                                                                                    Remarks
Display interface information                                             display interface [ interface-type interface-number ]                                                                 Available in any view
Display X.25 alias table                                                  display x25 alias-policy [ interface interface-type interface-number ]
Display X.25 address mapping table                                        display x25 map
Display CUG configuration                                                 display x25 cug { local-cug [ local-cug-number ] | network-cug [ network-cug-number ] }
Display X.25 PAD (Packet Assembler/Disassembler) connection information   display x25 pad [ pad-id ]
Display X.25 switching table                                              display x25 switch-table svc { dynamic | static }
Display X.25 PVC switching table                                          display x25 switch-table pvc
Display X.25 virtual circuit                                              display x25 vc [ lci-number ]
Display X.25 XOT VCs                                                      display x25 xot
Display X2T dynamic switching table                                       display x25 x2t switch-table
Display X.25 hunt group information                                       display x25 hunt-group-info [ hunt-group-name ]                                                                       Available in any view
Clear X.25 interface statistics or VC                                     reset x25 { counters interface interface-type interface-number | vc interface interface-type interface-number [ vc-number ] }   Available in user view
Clear (reset) an XOT link                                                 reset xot local local-ip-address local-port remote remote-ip-address remote-port
Clear the LAPB statistic information                                      reset lapb statistics
Network diagram
[Figure: Router A (S2/0, 10.1.1.2/8) connected directly to Router B (S2/0,
10.1.1.1/8).]
Configuration procedure
1 Configure Router A:
<RouterA> system-view
[RouterA] interface serial 2/0
# Configure the link layer protocol of the interface as LAPB, and specify it to work
in DTE mode.
# Configure other LAPB parameters (if the link is sound enough and a higher rate
is desired, you can increase the traffic control parameters modulo to 128 and k
to 127, but the connected parties must always keep the configured parameters
consistent).
<RouterB> system-view
[RouterB] interface serial 2/0
# Configure the link layer protocol of the interface as LAPB, and specify it to work
in DCE mode.
# Configure other LAPB parameters (if the link is sound enough and a higher rate
is desired, you can increase the traffic control parameters modulo to 128 and k
to 127, but the connected parties must always keep the configured parameters
consistent).
Note that the IP addresses of the two connected interfaces must be in the same
network segment. If they are not on the same network segment, you need to
configure a static route in between and make sure the traffic control parameters
of both sides are the same.
X.25 Configuration Examples
Network diagram
[Figure: Router A (S2/0, 202.38.60.1/24, X.121 address 20112451) connected to
Router B (S2/0, 202.38.60.2/24, X.121 address 20112452).]
Configuration procedure
1 Configure RouterA:
<RouterA> system-view
[RouterA] interface serial 2/0
# Configure the link layer protocol of the interface as X.25, and configure the
interface to operate in DTE mode.
# Configure the maximum packet size allowed and the window size.
<RouterB> system-view
[RouterB] interface serial 2/0
# Configure the link layer protocol of the interface as X.25, and specify it to
operate in DCE mode.
# Configure the maximum packet size allowed and the window size.
Note that, since IP to X.121 mapping is available, IP addresses of both ends can be
on different network segments and no static route is needed.
Network diagram
[Figure: Router A (S2/0, 202.38.160.1/24, X.121 address 20112451) connected to
Router B (S2/0, 202.38.160.2/24, X.121 address 20112452).]
Configuration procedure
1 Configure RouterA
<RouterA> system-view
[RouterA] interface serial 2/0
# Configure the link layer protocol as X.25 and the interface to operate in DTE
mode.
# Configure the maximum packet size allowed and the window size.
<RouterB> system-view
[RouterB] interface serial 2/0
# Configure the link layer protocol of the interface as X.25 and specify the
interface to operate in DCE mode.
# Configure the maximum packet size allowed and the window size.
# Since the peer (Router A) has two IP addresses corresponding to the X.121
address at the local end (Router B) and the local IP address is not in the first
mapping, two VCs will be created when the connection is established, so you
need to specify the maximum number of VCs in the mapping as 2.
Network diagram
[Figure: Router A (S2/0, 168.173.24.1/24, X.121 address 30561001), Router B
(S2/0, 168.173.24.2/24, X.121 address 30561002) and Router C (S2/0,
168.173.24.3/24, X.121 address 30561003), each attached to the X.25 network]
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] interface Serial 2/0
[RouterA-Serial2/0] ip address 168.173.24.1 255.255.255.0
# Access the public packet network, and configure the router to operate in DTE
mode.
2 Configure Router B
<RouterB> system-view
[RouterB] interface Serial 2/0
[RouterB-Serial2/0] ip address 168.173.24.2 255.255.255.0
# Access the public packet network, and configure the router to operate in DTE
mode.
<RouterC> system-view
[RouterC] interface Serial 2/0
[RouterC-Serial2/0] ip address 168.173.24.3 255.255.255.0
# Access the public packet network, and configure the router to operate in DTE
mode.
Configuration procedure
<Router> system-view
[Router] interface serial 2/0
[Router-Serial2/0] link-protocol x25
[Router-Serial2/0] x25 vc-range in-channel 9 16 bi-channel 17 1024
[Router-Serial2/0] shutdown
[Router-Serial2/0] undo shutdown
Network diagram
[Figure: Host A on LAN 1; Router A (Eth1/0 202.38.165.1/24; S2/0
192.149.13.1/24, X.121 address 1004358901, PVC 3); X.25 network; Router B (S2/0
192.149.13.2/24, X.121 address 1004358902, PVC 4; Eth1/0 196.25.231.1/24);
Host B on LAN 2]
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] ip address 202.38.165.1 255.255.255.0
[RouterA-Ethernet1/0] quit
# Enable RIP.
[RouterA] rip
[RouterA-rip-1] network 192.0.0.0
[RouterA-rip-1] network 202.0.0.0
2 Configure Router B
<RouterB> system-view
[RouterB] interface ethernet 1/0
[RouterB-Ethernet1/0] ip address 196.25.231.1 255.255.255.0
[RouterB-Ethernet1/0] quit
# Enable RIP.
[RouterB] rip
[RouterB-rip-1] network 192.0.0.0
[RouterB-rip-1] network 196.0.0.0
[Figure: Router A and Router B connected through the X.25 network, with logical
channel (LC) numbers marked along the path]
Therefore, the PVC 3 and PVC 4 mentioned in the example actually refer to the
numbers of the logical channels between the routers and the PBXs directly
connected to them. The two sides of the PVC can nevertheless identify the same
PVC by their own logical channel numbers without any risk of confusion.
This is why no strict distinction is made between “virtual circuit” and “logic
channel”.
Network diagram
[Figure: Router A (S2/0.1 10.1.1.2/16, S2/0.2 20.1.1.2/16, X.121 address 100),
Router B (S2/0 10.1.1.1/16, X.121 address 200), Router C (S2/0 20.1.1.1/16,
X.121 address 300) and Router D (S2/0, S2/1, S2/2)]
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] interface serial 2/0
[RouterA-Serial2/0] link-protocol x25 dte
[RouterA-Serial2/0] x25 x121-address 100
Network diagram
[Figure: Router A (S2/0, 1.1.1.1/8, X.121 address 1); Router B (S2/0; Eth1/0
10.1.1.1/8); XOT between Router B and Router C; Router C (Eth1/0 10.1.1.2/8;
S2/0); Router D (S2/0, 1.1.1.2/8, X.121 address 2)]
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] interface serial 2/0
[RouterA-Serial2/0] link-protocol x25 dte ietf
[RouterA-Serial2/0] x25 x121-address 1
[RouterA-Serial2/0] x25 map ip 1.1.1.2 x121-address 2
[RouterA-Serial2/0] ip address 1.1.1.1 255.0.0.0
2 Configure Router D
<RouterD> system-view
[RouterD] interface serial 2/0
[RouterD-Serial2/0] link-protocol x25 dte ietf
[RouterD-Serial2/0] x25 x121-address 2
[RouterD-Serial2/0] x25 map ip 1.1.1.1 x121-address 1
[RouterD-Serial2/0] ip address 1.1.1.2 255.0.0.0
3 Configure Router B
<RouterB> system-view
[RouterB] x25 switching
<RouterC> system-view
[RouterC] x25 switching
Network diagram
[Figure: Router A (S2/0, 1.1.1.1/8, X.121 address 1111, PVC 1); two routers
with S2/0 and Eth1/0 (10.1.1.1/8 and 10.1.1.2/8); Router D (S2/0, 1.1.1.2/8,
X.121 address 2222, PVC 2)]
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] interface serial 2/0
[RouterA-Serial2/0] link-protocol x25 dte ietf
[RouterA-Serial2/0] x25 x121-address 1111
[RouterA-Serial2/0] x25 vc-range in-channel 10 20 bi-channel 30 1024
[RouterA-Serial2/0] x25 pvc 1 ip 1.1.1.2 x121-address 2222
[RouterA-Serial2/0] ip address 1.1.1.1 255.0.0.0
2 Configure Router D
<RouterD> system-view
[RouterD] interface serial 2/0
[RouterD-Serial2/0] link-protocol x25 dte ietf
[RouterD-Serial2/0] x25 x121-address 2222
[RouterD-Serial2/0] x25 vc-range in-channel 10 20 bi-channel 30 1024
[RouterD-Serial2/0] x25 pvc 2 ip 1.1.1.1 x121-address 1111
[RouterD-Serial2/0] ip address 1.1.1.2 255.0.0.0
3 Configure Router B
<RouterB> system-view
[RouterB] x25 switching
<RouterC> system-view
[RouterC] x25 switching
Network diagram
Host A Host B
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] interface serial 2/0
<RouterD> system-view
[RouterD] interface serial 2/0
[RouterD-Serial2/0] link-protocol x25 dte
[RouterD-Serial2/0] x25 x121-address 2
[RouterD-Serial2/0] x25 map ip 1.1.1.1 x121-address 1
[RouterD-Serial2/0] ip address 1.1.1.2 255.0.0.0
3 Configure Router B
<RouterB> system-view
[RouterB] x25 switching
<RouterC> system-view
[RouterC] x25 switching
Network diagram
Host A Host B
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] interface serial 2/0
[RouterA-Serial2/0] link-protocol x25 dte
[RouterA-Serial2/0] x25 x121-address 1
[RouterA-Serial2/0] x25 vc-range bi-channel 10 20
[RouterA-Serial2/0] x25 pvc 1 ip 1.1.1.2 x121-address 2
[RouterA-Serial2/0] ip address 1.1.1.1 255.255.255.0
2 Configure Router D
<RouterD> system-view
[RouterD] interface serial 2/0
[RouterD-Serial2/0] link-protocol x25 dte
[RouterD-Serial2/0] x25 x121-address 2
[RouterD-Serial2/0] x25 vc-range bi-channel 10 20
[RouterD-Serial2/0] x25 pvc 1 ip 1.1.1.1 x121-address 1
[RouterD-Serial2/0] ip address 1.1.1.2 255.255.255.0
3 Configure Router B
<RouterB> system-view
[RouterB] x25 switching
<RouterC> system-view
[RouterC] x25 switching
# Configure the PVC switching route on the X.25 interface Serial 2/0.
Network diagram
[Figure: hunt group hg1 (X.121 address 2222); X.25 terminals with X.121
addresses 1111, 1112 and 1113; Router A (serial interfaces S2/0 to S2/4,
Eth1/0); Router B, Router C and Router E, each with X.121 address 8888 on S2/0;
Router D (Eth1/0, S2/0); Ethernet addresses 10.1.1.1/24 and 10.1.1.2/24]
Configuration procedure
1 Configure Router A
# Configure the link layer protocol of the interface Serial 2/0 as X.25, and
configure it to operate in DCE mode.
<RouterA> system-view
[RouterA] interface serial 2/0
[RouterA-Serial2/0] link-protocol x25 dce
# In the same way as listed above, configure the link layer protocol of the interface
Serial 2/2, Serial 2/3, and Serial 2/4 as X.25 and configure them to operate in DCE
mode.
# Add interfaces Serial 2/2, Serial 2/1, and XOT channel to the hunt group.
# Configure X.25 switching route forwarded towards the hunt group hg1, and
enable destination address and source address substitution, substituting 3333 and
8888 for source and destination addresses of packets destined to hunt group
address 2222.
[RouterA] x25 switch svc 2222 sub-dest 8888 sub-source 3333 hunt-group hg1
# Configure the link layer protocol of interface Serial 2/0 as X.25, and configure it
to operate in DTE mode.
<RouterB> system-view
[RouterB] interface serial 2/0
[RouterB-Serial2/0] link-protocol x25 dte
[RouterB-Serial2/0] x25 x121-address 8888
3 Configure Router C
<RouterC> system-view
[RouterC] x25 template vofr
[RouterC-x25-vofr] x25 x121-address 8888
[RouterC-x25-vofr] quit
# Configure the link layer protocol on Serial 2/0 as X.25 and configure it to
operate in DTE mode.
<RouterE> system-view
[RouterE] interface serial 2/0
[RouterE-Serial2/0] link-protocol x25 dte
[RouterE-Serial2/0] x25 x121-address 8888
5 Configure Router D.
<RouterD> system-view
[RouterD] x25 switching
# Configure the link layer protocol of the interface Serial 2/0 as X.25, and
configure it to operate in DCE mode.
<RouterD> system-view
[RouterD] interface serial 2/0
[RouterD-Serial2/0] link-protocol x25 dce
[RouterD-Serial2/0] quit
Network diagram
[Figure: Host A (10.1.1.2/16); Router A (Eth1/0 10.1.1.1/16; S2/0 1.1.1.1/24,
X.121 address 1111); Host B (10.2.1.2/16); Router B (Eth1/0 10.2.1.1/16; S2/0
1.1.1.2/24, X.121 address 2222); X.25 packet switching network; Router C (S2/0
1.1.1.3/24, X.121 address 3333; S2/1 2.1.1.3/24, X.121 address 3333; Eth1/0
10.3.1.1/24); Server A (10.3.1.2/24); Server B (10.3.1.3/24)]
Configuration procedure
In this example, since the network providers have configured load sharing on the
packet switch, you only need to configure X.25 switching.
Note that Router C has two lines connected to the same peer, so you must
configure a virtual IP address and two static routes on the interface Serial
2/1 to “cheat” the router. In this way, Router C considers that there are two
routes towards the network segment 10.1.1.0 and can implement load sharing.
1 Configure Router A
<RouterA> system-view
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] ip address 10.1.1.1 255.255.255.0
[RouterA-Ethernet1/0] quit
<RouterB> system-view
[RouterB] interface ethernet 1/0
[RouterB-Ethernet1/0] ip address 10.2.1.1 255.255.255.0
[RouterB-Ethernet1/0] quit
<RouterC> system-view
[RouterC] interface ethernet 1/0
[RouterC-Ethernet1/0] ip address 10.3.1.1 255.255.255.0
Network diagram
[Figure: Router A (S2/0, 16.16.16.1/16, X.121 address 1001) and Router B (S2/0,
16.16.16.2/16, X.121 address 1002)]
Configuration procedure
1 Configure RouterA
# Configure the link layer protocol of Serial 2/0 as X.25, and configure the
interface to operate in DTE mode.
<RouterA> system-view
[RouterA] interface serial 2/0
[RouterA-serial2/0] link-protocol x25 dte ietf
# Configure the link layer protocol of Serial 2/0 as X.25, and configure the
interface to operate in DCE mode.
<RouterB> system-view
[RouterB] interface serial 2/0
[RouterB-serial2/0] link-protocol x25 dce ietf
Network diagram
[Figure: Router A (S2/0, X.121 address 1), X.25 network, Router B (S2/0, X.121
address 2)]
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] local-user pad1
[RouterA-luser-pad1] password simple pad1
[RouterA-luser-pad1] service-type pad
[RouterA-luser-pad1] quit
# Configure the link layer protocol of the interface Serial 2/0 as X.25. Configure
the interface to operate in DTE mode.
# Configure the link layer protocol of the interface Serial 2/0 as X.25. Configure
the interface to operate in DCE mode.
<RouterB> system-view
[RouterB] interface serial 2/0
[RouterB-Serial2/0] link-protocol x25 dce
<RouterB> pad 1
Trying 1...Open
Username:pad1
Password:pad1
X2T Configuration Example
Network diagram
[Figure labels: S2/0, X.121 address 1111; Eth1/0, 10.1.1.1/24; 10.1.1.2/24]
Configuration procedure
# Enable X.25 switching.
<Router> system-view
[Router] x25 switching
Network diagram
[Figure: X.25 terminal, X.25 network, PVC 1, Router (S2/0, Eth1/0), IP network,
Host; addresses 10.1.1.1/24 and 10.1.1.2/24]
Configuration procedure
# Enable X.25 switching.
<Router> system-view
[Router] x25 switching
Troubleshooting LAPB Configuration
Troubleshooting
Enable debugging on both sides. If one side sends SABM frames and the other
sends FRMR frames cyclically, the two sides are working in the same mode (DTE or
DCE). Change the working mode of one side to resolve the problem.
Troubleshooting
Enable the debugging on both sides. If one side discards incoming frames without
delivering them to the upper layer, it indicates the maximum length of frames set
for this side is too small. Change the frame length configuration of this side.
Troubleshooting
Change the working mode of one side.
Troubleshooting
■ If addresses are not correct, change them to the correct ones.
■ For the last two causes, you need to contact the network administration to get
the correct channel range and user facilities.
Analysis
The symptom may be caused by erroneous flow control parameter settings.
Troubleshooting
■ If the two sides are connected directly, verify that the output window and
input window of the local end match the input window and output window of the
remote end.
■ If both sides are connected to the public packet network, consult the network
administration for the correct flow control parameters.
Analysis
A possible reason is that the PVC range is disabled.
Troubleshooting
If the assigned PVC number is in the disabled PVC channel range, X.25 will surely
reject the PVC setup request. In this case, enable the permanent virtual circuit
channel range.
Analysis
The physical status and protocol status of the interface are not up, or the SVC/XOT
configuration is not correct.
Troubleshooting
Perform the following procedure to remove the fault.
■ First verify the physical connection status and protocol status of the interface
are UP.
■ If the interface status is DOWN, check whether the physical connections and
lower layer configurations are correct.
■ If the interface configuration is correct, check whether SVC is configured
properly.
■ If the SVC configuration is also correct, check whether XOT is configured
properly.
Analysis
The physical status and protocol status of the interface are not up, or the PVC/XOT
configuration is not correct.
Troubleshooting
■ First check whether the physical connection status and protocol status of the
interface are UP.
■ If the interface status is DOWN, check whether the physical connections and
lower layer configurations are correct.
■ If the interface configuration is correct, check whether the PVC is configured
properly.
■ If the PVC configuration is also correct, check whether XOT is configured
properly.
Link aggregation aggregates multiple physical Ethernet ports into one logical link,
also called a logical group, to increase reliability and bandwidth.
LACP
The link aggregation control protocol (LACP), as defined in IEEE 802.3ad, is used
for link aggregation control.
LACP interacts with its peer by sending link aggregation control protocol data
units (LACPDUs).
By adding a port to a static aggregation group, you can enable LACP on the port.
After LACP is enabled on a port, the port sends an LACPDU to notify the remote
system of its system LACP priority, system MAC address, port LACP priority, port
number, and operational key. Upon receipt of an LACPDU, the remote system
compares the received information with the information received on other ports to
determine the ports that can operate as selected ports. This allows the two
systems to reach an agreement on whether a port is a selected port.
When aggregating ports, link aggregation control automatically assigns each port
an operational key based on its rate, duplex mode, and other basic configurations.
In an aggregation group, the selected ports share the same operational key.
Consistency Considerations for Ports in an Aggregation
To participate in traffic sharing, member ports in an aggregation must use the
same configurations with respect to STP, QoS, GVRP, VLAN, port attributes, MAC
address learning, and so on, as shown in the following table.
Table 8 Consistency considerations for ports in an aggregation
Category: STP
■ State of port-level STP (enabled or disabled)
■ Attribute of the link (point-to-point or otherwise) connected to the port
■ Port path cost
■ STP priority
■ Maximum transmission rate
■ Loop protection
■ Root protection
■ Port type (whether the port is an edge port)
Category: QoS
■ Traffic policing
■ Traffic shaping
■ Congestion avoidance
■ Physical interface rate limiting
■ Strict priority (SP) queuing
■ Weighted round robin (WRR) queuing
■ Hardware weighted fair queuing (HWFQ)
■ Port priority
■ Policy setting on the port
■ Port priority trust mode
■ Flow template
Category: GVRP
■ GVRP state on ports (enabled or disabled)
■ GVRP registration type
■ GARP timers
Category: VLAN
■ VLANs carried on the port
■ Default VLAN ID on the port
■ Link type of the port, which can be trunk, hybrid, or access
Category: Port attribute
■ Port rate
■ Duplex mode
■ Up/down state of the link
■ Isolation group membership of the port
Category: MAC address learning
■ MAC address learning capability
■ Setting of maximum number of MAC addresses that can be learned on the port
■ Forwarding of frames with unknown destination MAC addresses after the upper
limit of the MAC address table is reached
Approaches to Link Aggregation
Two ways are available for implementing link aggregation, as described in
“Manual Link Aggregation” on page 347 and “Static LACP Link aggregation” on
page 348.
When setting the state of ports in a manual aggregation group, the system
considers the following:
■ Select a port from the ports in up state, if any, in the order of full duplex/high
speed, full duplex/low speed, half duplex/high speed, and half duplex/low
speed, with the full duplex/high speed being the most preferred. If two ports
with the same duplex mode/speed pair are present, the one with the lower
port number wins out. Then, place those ports in up state with the same
speed/duplex pair, link state and basic configuration in selected state and all
others in unselected state.
■ When all ports in the group are down, select the port with the lowest port
number as the master port and set all ports (including the master) in unselected
state.
■ Place the ports that cannot aggregate with the master in unselected state, for
example, as the result of the cross-board aggregation restriction.
In addition, a port that joins the group after the limit on selected ports is
reached is not placed in selected state, even if it would normally qualify,
unless it is the master port that should be selected. This prevents the ongoing
service on selected ports from being interrupted. Avoid this situation,
however, because the selected/unselected state of a port may be different after
a reboot.
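The selection rules for a manual aggregation group, as an added Python example that is not code from the 3Com manual. It assumes the port chosen by the first rule is the master port, uses a single `config` string as a stand-in for the basic configuration, and does not model the limit on selected ports; the `Port` fields and the sample group are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    number: int
    up: bool
    duplex: str            # "full" or "half"
    speed: int             # Mbps
    config: str = "base"   # stand-in for the basic configuration (STP, QoS, VLAN, ...)
    board: int = 1


def preference(port):
    """Sort key for the order in the text: full/high, full/low, half/high,
    half/low, and the lower port number as the tie-breaker."""
    return (0 if port.duplex == "full" else 1, -port.speed, port.number)


def select_manual(ports, cross_board_allowed=True):
    """Return (master port number, {port number: 'selected' | 'unselected'})."""
    if not ports:
        raise ValueError("aggregation group has no member ports")

    up_ports = [p for p in ports if p.up]
    if not up_ports:
        # All ports down: lowest port number is the master, nothing is selected.
        master = min(ports, key=lambda p: p.number)
        return master.number, {p.number: "unselected" for p in ports}

    master = min(up_ports, key=preference)
    states = {}
    for p in ports:
        aggregable = (
            p.up
            and (p.duplex, p.speed, p.config)
            == (master.duplex, master.speed, master.config)
            and (cross_board_allowed or p.board == master.board)
        )
        states[p.number] = "selected" if aggregable else "unselected"
    return master.number, states


# Constructed sample group: a down gigabit port, a half-duplex port, and three
# full-duplex 100 Mbps ports, one with a different configuration and one on
# another board.
GROUP = [
    Port(1, up=False, duplex="full", speed=1000),
    Port(2, up=True, duplex="half", speed=1000),
    Port(3, up=True, duplex="full", speed=100),
    Port(4, up=True, duplex="full", speed=100, config="vlan-differs"),
    Port(5, up=True, duplex="full", speed=100, board=2),
]

if __name__ == "__main__":
    master, states = select_manual(GROUP)
    print("master port:", master)
    for number, state in sorted(states.items()):
        print(f"port {number}: {state}")
```

Port 2 runs at the higher speed but loses to port 3 because duplex mode is compared before speed, which is an easy detail to miss when predicting which links will carry traffic.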
You need to maintain the basic configurations of these ports manually to ensure
consistency. As one configuration change may involve multiple ports, this can
become troublesome if you need to do that port by port. As a solution, you may
add the ports to an aggregation group where you can make configuration for all
member ports.
When the configuration of some port in a manual aggregation group changes, the
system does not remove the aggregation; instead, it re-sets the
selected/unselected state of the member ports and re-selects a master port.
All member ports that cannot aggregate with the master are placed in unselected
state. These ports include those using the basic configurations different from the
master port or those located on a board different from the master port because of
the cross-board aggregation restriction.
Member ports in up state can be selected if they have the same configuration as
the master port. The number of selected ports, however, is limited in a static
aggregation group. When the limit is exceeded, the local and remote systems
negotiate the state of their ports as follows:
1 Compare the actor and partner system IDs, each of which comprises a system
LACP priority plus a system MAC address, as follows:
■ First compare the system LACP priorities. The system with the lower system
LACP priority wins out.
■ If they are the same, compare the system MAC addresses. The system with the
smaller ID has higher priority. (The lower the LACP priority and the smaller
the MAC address, the smaller the device ID.)
2 Compare the port IDs, each of which comprises a port LACP priority and a port
number, on the system with higher ID as follows:
■ Compare the port LACP priorities. The port with the lower port LACP priority
wins out.
■ If two ports with the same port LACP priority are present, compare their port
numbers. The state of the ports with lower IDs then changes to selected and the
state of the ports with higher IDs to unselected, and so does the state of
their corresponding remote ports. (The lower the LACP priority and the smaller
the port number, the smaller the port ID.)
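The two-step negotiation above, as an added Python example that is not code from the 3Com manual. It assumes that the system whose port IDs are compared in step 2 is the one whose system ID has higher priority (the smaller ID from step 1); the class names, MAC addresses, priorities and links are constructed.

```python
from dataclasses import dataclass


def mac_to_int(mac):
    """Turn a MAC address such as 00e0-fc00-0001 into an integer for comparison."""
    return int(mac.replace("-", "").replace(":", "").replace(".", ""), 16)


@dataclass(frozen=True)
class LacpSystem:
    name: str
    priority: int          # system LACP priority; the lower value wins
    mac: str

    def system_id(self):
        return (self.priority, mac_to_int(self.mac))


@dataclass(frozen=True)
class Port:
    number: int
    priority: int          # port LACP priority; the lower value wins
    up: bool = True
    matches_master: bool = True   # same configuration as the master port

    def port_id(self):
        return (self.priority, self.number)


def negotiate(actor, partner, links, limit):
    """links is a list of (actor_port, partner_port) pairs, one per cable.

    Returns (name of the deciding system, {(actor port, partner port): state}).
    """
    if limit < 1:
        raise ValueError("limit must be at least 1")
    if actor.system_id() == partner.system_id():
        raise ValueError("actor and partner report the same system ID")

    # Step 1: the smaller system ID has higher priority and decides.
    actor_decides = actor.system_id() < partner.system_id()
    side = 0 if actor_decides else 1

    # Only links whose two ends are up and consistent with the master compete.
    eligible = [l for l in links if all(p.up and p.matches_master for p in l)]

    # Step 2: rank by the deciding system's port IDs; both ends share the result.
    ranked = sorted(eligible, key=lambda l: l[side].port_id())
    winners = {(a.number, b.number) for a, b in ranked[:limit]}
    states = {
        (a.number, b.number):
            "selected" if (a.number, b.number) in winners else "unselected"
        for a, b in links
    }
    return (actor if actor_decides else partner).name, states


# Constructed sample: equal system priorities, so the smaller MAC (Device B) decides.
DEVICE_A = LacpSystem("DeviceA", 32768, "00e0-fc00-0002")
DEVICE_B = LacpSystem("DeviceB", 32768, "00e0-fc00-0001")
LINKS = [
    (Port(1, 10), Port(1, 32768)),
    (Port(2, 20), Port(2, 100)),
    (Port(3, 30), Port(3, 100)),
]

if __name__ == "__main__":
    decider, states = negotiate(DEVICE_A, DEVICE_B, LINKS, limit=2)
    print("deciding system:", decider)
    for link, state in sorted(states.items()):
        print(link, state)
```

With these values Device A's own port priorities favour ports 1 and 2, but Device B decides, so the first link ends up unselected on both ends.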
You need to maintain the basic configurations of these ports manually to ensure
consistency. As one configuration change may involve multiple ports, this can
become troublesome if you need to do that port by port. As a solution, you may
add the ports to an aggregation group where you can make configuration for all
member ports.
When the configuration of some port in a static aggregation group changes, the
system does not remove the aggregation; instead, it re-sets the
selected/unselected state of the member ports and re-selects a master port.
Load Sharing in a Link Aggregation Group
Link aggregation groups fall into load sharing aggregation groups and non-load
sharing aggregation groups, depending on their support for load sharing.
A load sharing aggregation group can contain at least one selected port but a
non-load sharing aggregation group can contain only one.
Note:
■ After you remove all ports but one selected port from a load sharing
aggregation group, whether the group continues to perform load sharing
varies with device models.
■ The load sharing implementation and the number of load sharing aggregation
groups supported vary with device models.
Aggregation Port Group
As mentioned earlier, in a manual or static aggregation group, a port can be
selected only when its configuration is the same as that of the master port in
terms of duplex/speed pair, link state, and other basic configurations. Their
configuration consistency requires administrative maintenance, which is
troublesome after you change some configuration.
Configuring Link Aggregation
When configuring link aggregation, go to these sections for information you are
interested in:
■ “Configuring a Manual Link Aggregation Group” on page 351
■ “Configuring a Static LACP Link Aggregation Group” on page 352
■ “Assigning a Name for an Aggregation Group” on page 352
■ “Entering Aggregation Port Group View” on page 353
Note that:
■ To guarantee a successful aggregation, ensure that the ports at the two ends of
each link to be aggregated are consistent in selected/unselected state.
Note that:
Assigning a Name for an Aggregation Group
Follow these steps to assign a name for an aggregation group:
Entering Aggregation Port Group View
In aggregation port group view, you can make configuration for all the member
ports in a link aggregation group at one time.
CAUTION: In aggregation port group view, you can configure aggregation related
settings such as STP, VLAN, QoS, GVRP, MAC address learning, but cannot add or
remove member ports.
Displaying and Maintaining Link Aggregation

To do: Display the local system ID
Use the command: display lacp system-id
Remarks: Available in any view

To do: Display detailed information about link aggregation for the specified
port or ports
Use the command: display link-aggregation interface interface-type
interface-number [ to interface-type interface-number ]
Remarks: Available in any view

To do: Display summaries for all link aggregation groups
Use the command: display link-aggregation summary
Remarks: Available in any view

To do: Display detailed information about specified or all link aggregation
groups
Use the command: display link-aggregation verbose [ agg-id ]
Remarks: Available in any view

To do: Clear the statistics about LACP for specified or all ports
Use the command: reset lacp statistics [ interface interface-type
interface-number [ to interface-type interface-number ] ]
Remarks: Available in user view
Create an IPv6 service-loop group and assign port Ethernet 1/1 to the group.
Network diagram
[Figure: Device A ports Eth1/1, Eth1/2 and Eth1/3 joined by link aggregation to
Device B ports Eth1/1, Eth1/2 and Eth1/3]
Configuration procedure
<DeviceA> system-view
[DeviceA] link-aggregation group 1 mode manual
<DeviceA> system-view
[DeviceA] link-aggregation group 1 mode static
Overview
A modem is a widely used network device. It is important for a device to
properly manage and control the use of modems in a network. However, there are
many modem manufacturers and various modem models. Even though all of them
support the AT command set and are compliant with the industry standard, each
type of modem differs somewhat in implementation and command details.
Configuring the Modem Answer Mode
You need to configure the modem answer mode depending on the answer state
of the connected external modem. When the modem is in auto-answer mode (the AA
LED of the modem is lit), configure the modem auto-answer command to
prevent the device from sending an answer instruction after the modem answers
automatically. If the modem is in non-auto answer mode, configure the undo
modem auto-answer command.
Note: If the configured modem answer mode is not consistent with the current
answer mode of the connected modem, the modem may operate improperly. So, do not
perform the operation unless absolutely needed.
Configuring Modem Using the AT Commands
Follow these steps to configure your modem through the AT commands:

Operation: Enter system view
Command: system-view
Description: -

Operation: Enter corresponding interface view
Command: interface interface-type interface-number
Description: -

Operation: Configure modem through the AT commands
Command: sendat at-string
Description: Required. The command works in the mode of asynchronous serial
interface (including synchronous/asynchronous operating in the asynchronous
mode), AUX interface or AM interface.
2.2.2.2/16, your device can automatically dial to the remote end through DCC for
data transmission, as shown in the network diagram.
For more information about DCC dialup, refer to “DCC Configuration” on page
153.
Network diagram
Figure 88 Network of the configuration for the router to manage the modem
[Figure: Router (S2/0, 1.1.1.1/16), Modem, PSTN, Modem, Cisco Router (S2/0,
2.2.2.2/16)]
Configuration procedure
1 Configure Router:
<Router> system-view
[Router] dialer-rule 1 ip permit
[Router] interface serial 2/0
[Router-Serial2/0] physical-mode async
[Router-Serial2/0] async mode protocol
[Router-Serial2/0] link-protocol ppp
[Router-Serial2/0] ip address 1.1.1.1 255.255.0.0
[Router-Serial2/0] dialer enable-circular
[Router-Serial2/0] dialer-group 1
[Router-Serial2/0] dialer timer enable 5
[Router-Serial2/0] dialer number 666666
[Router-Serial2/0] quit
[Router] user-interface tty 1
[Router-ui-tty1] modem both
For information about DCC commands, refer to “DCC Configuration” on page
153.
2 Configuring the Cisco router
For details, refer to Cisco documentation.
Troubleshooting
Symptom:
The modem is in abnormal status (such as the dial tone or busy tone keeps
humming for a long time).
Solution:
Port Mirroring
Overview
Introduction to Port Mirroring
Port mirroring allows you to duplicate the packets passing through specified
ports to the destination mirroring port. As destination mirroring ports usually
have data monitoring devices connected to them, you can analyze the packets
duplicated to the destination mirroring port on these devices to monitor and
troubleshoot the network.
Implementation of Port Mirroring
Local port mirroring is implemented through local port mirroring groups.
In a local port mirroring group, the source ports and the destination port are in the
same local port mirroring group. Packets passing through the source ports are
duplicated and then are forwarded to the destination port.
Configuring Local Port Mirroring
Follow these steps to configure local port mirroring:

To do: Enter system view
Use the command: system-view
Remarks: -

To do: Create a local mirroring group
Use the command: mirroring-group groupid local
Remarks: Required

To do: Add ports to the port mirroring group as source ports
Use the command (in system view): mirroring-group groupid mirroring-port
mirroring-port-list { both | inbound | outbound }
Use the command (in interface view): interface interface-type interface-number
or controller cpos interface-number, then [ mirroring-group groupid ]
mirroring-port { both | inbound | outbound }, then quit
Remarks: You can add ports to a port mirroring group as source ports in either
system view or interface view. In system view, you can add multiple ports to a
port mirroring group at one time. While in interface view, you can only add the
current port to a port mirroring group. The support for source port
configuration in CPOS interface view varies with device models.

To do: Add a port to the mirroring group as the destination port
Use the command (in system view): mirroring-group groupid monitor-port
monitor-port-id
Use the command (in interface view): interface interface-type interface-number,
then [ mirroring-group groupid ] monitor-port
Remarks: You can add a destination port to a port mirroring group in either
system view or interface view. They achieve the same purpose.
Note:
■ A local mirroring group is effective only when it has both source ports and the
destination port configured.
■ Layer 2 Ethernet ports, Layer 3 Ethernet interfaces, POS interfaces, and CPOS
interfaces can all be source mirroring ports, depending on device models.
■ Layer 2 Ethernet ports, Layer 3 Ethernet interfaces, and tunnel interfaces can all
be destination mirroring ports, depending on device models.
■ Do not enable STP, MSTP, or RSTP on destination ports, because doing so may
interrupt the device operation.
■ On some types of devices, aggregation ports can be destination ports.
■ Other restrictions concerning destination port exist. Refer to the user manuals
of your device for more information.
■ A port mirroring group can contain multiple source ports and only one
destination port.
■ A port can belong to only one port mirroring group.
■ The destination port and the source ports of a port mirroring group can only be
on the same board.
■ The destination port and the source ports of port mirroring groups created on
SIC-4FSW, DSIC-9FSW, and MSR20-21 Fabrics cannot be in different VLANs. So
make sure all the ports in a port mirroring group belong to the same VLAN
before you create the port mirroring group. For an existing port mirroring
group, removing a member port from the VLAN invalidates the port mirroring
group. In this case, you need to remove the port mirroring group and then
create another one.
■ Only Layer 2 ports support port mirroring.
Displaying and Maintaining Port Mirroring
Follow these steps to display and maintain port mirroring:

To do: Display the configuration of a port mirroring group
Use the command: display mirroring-group { groupid | local }
Remarks: Available in any view
Examples of Typical Port Mirroring Configuration
This can be achieved by configuring a local port mirroring group. Perform the
following configuration on Device C.
■ Configure port Ethernet 1/1 and Ethernet 1/2 as source mirroring ports.
■ Configure port Ethernet 1/3 as the destination mirroring port.
Network diagram
[Figure: Department 1 and Device A, Department 2 and Device B; Device C with
ports Eth1/1, Eth1/2 and Eth1/3; Server]
Configuration procedure
# Enter system view.
<DeviceC> system-view
# Add port Ethernet 1/1 and Ethernet 1/2 to the port mirroring group as source
ports. Add port Ethernet 1/3 to the port mirroring group as the destination port.
After finishing the configuration, you can monitor all the packets received and
sent by Department 1 and Department 2 on the Server.
When configuring PPP and MP, go to these sections for information you are
interested in:
Introduction to PPP and MP
PPP
Point-to-point protocol (PPP) is a link layer protocol that carries network layer
packets over point-to-point links. It is widely used because it provides user
authentication, supports synchronous/asynchronous communication, and can be
extended easily.
PPP defines a whole set of protocols, including link control protocol (LCP), network
control protocol (NCP), and authentication protocols like password authentication
protocol (PAP) and challenge handshake authentication protocol (CHAP), where,
PAP authentication
PAP is a two-way handshake authentication protocol that uses a plain text
password. It operates in the following way:
1 The requester sends its username and password to the authenticator.
2 The authenticator then checks whether the username and password are correct
according to its local user list and returns a response accordingly
(Acknowledge or Not Acknowledge).
[Figure: PAP exchange between the authenticator and the authenticatee]
During PAP authentication, the password is transmitted on the link in plain text. In
addition, the authenticatee sends the username and the password repeatedly
through the established PPP link until the authentication is over. So PAP is not a
secure authentication protocol. It cannot prevent attacks.
CHAP authentication
Challenge-handshake authentication protocol (CHAP) is a three-way handshake
authentication protocol using ciphertext password.
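The difference between the two schemes is visible in the bytes on the link. The following Python code is an added example, not part of the original guide: it builds the PAP Authenticate-Request (RFC 1334 layout) and the CHAP Challenge/Response (RFC 1994, MD5) and checks them the way an authenticator would. The credentials are the ones used in this guide's configuration examples; the challenge name RouterA and all function names are assumptions made for the illustration.

```python
"""PAP vs. CHAP on the wire (added example; RFC 1334 / RFC 1994 packet layouts)."""
import hashlib
import hmac
import os
import struct

PAP_AUTH_REQUEST = 1
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2


def build_pap_request(ident, username, password):
    """PAP Authenticate-Request: username and password as length-prefixed plain text."""
    user, pwd = username.encode(), password.encode()
    body = bytes([len(user)]) + user + bytes([len(pwd)]) + pwd
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body


def parse_pap_request(packet):
    """Return (username, password) exactly as they appear in a PAP request."""
    if len(packet) < 6:
        raise ValueError("truncated PAP packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != PAP_AUTH_REQUEST or length != len(packet):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    ulen = packet[4]
    if 5 + ulen >= length:
        raise ValueError("bad Peer-ID length")
    plen = packet[5 + ulen]
    if 6 + ulen + plen > length:
        raise ValueError("bad Passwd length")
    user = packet[5:5 + ulen]
    pwd = packet[6 + ulen:6 + ulen + plen]
    return user.decode(), pwd.decode()


def chap_digest(ident, secret, challenge):
    """CHAP value for MD5 (algorithm 5): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def build_chap_packet(code, ident, value, name):
    """Challenge and Response share one layout: Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name.encode()
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_chap_packet(packet):
    """Return (code, identifier, value, name) after checking the length fields."""
    if len(packet) < 5:
        raise ValueError("truncated CHAP packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    vlen = packet[4]
    if length != len(packet) or 5 + vlen > length:
        raise ValueError("bad CHAP length fields")
    return code, ident, packet[5:5 + vlen], packet[5 + vlen:].decode()


def build_chap_response(challenge_packet, username, secret):
    """Authenticatee side: answer a Challenge without sending the secret itself."""
    code, ident, challenge, _name = parse_chap_packet(challenge_packet)
    if code != CHAP_CHALLENGE:
        raise ValueError("expected a CHAP Challenge")
    return build_chap_packet(CHAP_RESPONSE, ident,
                             chap_digest(ident, secret, challenge), username)


def authenticator_check(challenge_packet, response_packet, local_users):
    """Authenticator side: recompute the digest from the local user list."""
    c_code, c_id, challenge, _ = parse_chap_packet(challenge_packet)
    r_code, r_id, value, peer = parse_chap_packet(response_packet)
    if (c_code, r_code) != (CHAP_CHALLENGE, CHAP_RESPONSE) or c_id != r_id:
        return False
    secret = local_users.get(peer)
    if secret is None:
        return False
    return hmac.compare_digest(value, chap_digest(c_id, secret, challenge))


def new_challenge(ident, name="RouterA"):  # "RouterA" is a constructed name
    """A fresh 16-byte random challenge; its unpredictability is what defeats replay."""
    return build_chap_packet(CHAP_CHALLENGE, ident, os.urandom(16), name)


if __name__ == "__main__":
    pap = build_pap_request(1, "user2", "pass2")
    print("PAP on the wire :", pap)
    print("observer reads  :", parse_pap_request(pap))

    users = {"user2": "hello"}  # authenticator's local user list
    first = new_challenge(7)
    response = build_chap_response(first, "user2", "hello")
    print("CHAP on the wire:", response.hex())
    print("accepted        :", authenticator_check(first, response, users))
    # The same response presented against a later challenge is rejected.
    print("replay accepted :", authenticator_check(new_challenge(7), response, users))
```

CHAP keeps the password itself off the link, but both ends must still hold the same secret, and the MD5 exchange is only as strong as that secret, so it should be long and random.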
[Figure: CHAP authentication between the authenticator and the authenticatee (Challenge, Response)]
[Figure: PPP link phases (labels: FAIL, SUCCESS/NONE, DOWN, CLOSING, Terminate, Network)]
Implementation
You can configure MPs through virtual templates (VT) or MP-group interfaces. VTs
are used to configure virtual access (VA) interfaces. After binding multiple PPP
links to an MP, you need to create a VA interface for the MP to enable it to
exchange data with the peers. VT and MP-group interfaces differ as follows:
■ Configuring MP through VT interfaces can involve an authentication process.
The device locates the interfaces associated to a specified VT according to the
username provided by the peers, and creates a bundle (called VT channel in the
system) corresponding to an MP link based on the configurations of the
template.
■ Multiple bundles can be created on the same virtual template interface, each of
which is an MP link. From the perspective of the network layer, these links form
a point to multipoint network topology. In this sense, virtual template
interfaces are more flexible than MP-group interfaces.
■ Bundling mode can be used to distinguish multiple bundles created on a VT
interface. You can use the ppp mp binding-mode command in VT interface
view to specify the bundling mode. Three bundling modes are available:
authentication, both (the default), and descriptor. The authentication
mode specifies to bundle links according to username, the descriptor mode
specifies to bundle links according to the peer descriptor (which is determined
during LCP negotiation), and the both mode specifies to bundle links
according to both username and descriptor.
■ MP-group interfaces are intended only for MP. On an MP-group interface, only
one bundle is allowed. Compared with VT interfaces, MP-group interfaces are
simpler to configure, and accordingly fast, effective, and easy to understand.
Negotiation
MP negotiation involves two processes: first LCP negotiation, and then NCP
negotiation.
■ LCP negotiation, during which both sides negotiate the common LCP
parameters and check whether their peer interface is working in the MP mode.
If not, the LCP negotiation fails. After the LCP negotiation succeeds, NCP
negotiation starts.
■ NCP negotiation, which is performed based on the NCP parameters of the
MP-group interface or the specified VT interface. NCP parameters on physical
interfaces do not take effect.
Functions
MP functions to:
MP can work on any physical or virtual interfaces encapsulated with PPP, such as
serial, ISDN BRI/PRI, and PPPoX (PPPoE, PPPoA, or PPPoFR). However, it is
preferable for a multilink bundle to include only one type of interface.
Configuring PPP
Note: This chapter only discusses local authentication. For information about the
remote AAA authentication, refer to “AAA/RADIUS/HWTACACS Configuration” on page
1751.
Configuring the Local Device to Authenticate the Peer Using PAP
Follow these steps to configure the local device to authenticate the peer using PAP:
To do...                                            Use the command...                                Remarks
Enter system view                                   system-view                                       -
Enter the specified interface view                  interface interface-type interface-number         -
Configure the local device to authenticate the      ppp authentication-mode pap [ [ call-in ] domain  Required. If this command is used without
peer using PAP                                      isp-name ]                                        specifying the domain keyword, the system-default
                                                                                                      domain named “system” will be used. The
                                                                                                      authentication mode is local authentication and
                                                                                                      the address pool for address allocation must be
                                                                                                      the one configured for this domain
Exit to system view                                 quit                                              -
Create local user, and enter local user view        local-user username                               Required
Configure a password for the local user             password { cipher | simple } password             Required
Configure service type of the local user as well    service-type ppp [ callback-nocheck |             Required
as other attributes                                 callback-number callback-number |
                                                    call-number call-number [ :subcall-number ] ]
Exit to system view                                 quit                                              -
Create an ISP domain, or enter an existing ISP      domain { isp-name | default { disable | enable    Optional
domain view                                         isp-name } }
Configure domain user to use local                  authentication ppp local                          Optional
authentication scheme
Note: For detailed description on how to create a local user and configure its
attributes, and how to create a domain and configure its attributes, refer to
“Configuring Local User Attributes” on page 1767.
Configuring the Local Device to Authenticate the Peer Using CHAP
Follow these steps to configure the local device to authenticate the peer using CHAP:
To do...                                            Use the command...                                Remarks
Enter system view                                   system-view                                       -
Enter the specified interface view                  interface interface-type interface-number         -
Note: For detailed description on how to create a local user and configure its
attributes, and how to create a domain and configure its attributes, refer to
“Configuring Local User Attributes” on page 1767.
Configuring the Local Device to Be Authenticated by the Peer Using PAP
Follow these steps to configure the local device to be authenticated by the peer using PAP:
To do...                                            Use the command...                                Remarks
Enter system view                                   system-view                                       -
Enter the specified interface view                  interface interface-type interface-number         -
Set the PAP username and password when              ppp pap local-user username password              Required. By default, the username and
configuring the local device to be authenticated    { cipher | simple } password                      password are null.
by the peer using PAP
Configuring the Local Device to Be Authenticated by the Peer Using CHAP
Follow these steps to configure the local device to be authenticated by the peer using CHAP:
To do...                                            Use the command...                                Remarks
Enter system view                                   system-view                                       -
Enter the specified interface view                  interface interface-type interface-number         -
Configure local username                            ppp chap user username                            Required
Configure local user and its corresponding password:
  Exit to system view                               quit                                              -
  Create local user, and enter local user view      local-user username                               Optional
  Configure local user’s password                   password { cipher | simple } password             Optional
Configure the default CHAP authentication password:
  Configure the default CHAP password when          ppp chap password { cipher | simple } password    Optional
  implementing CHAP authentication
Timeout interval negotiation: In PPP negotiation, if, during the timeout interval,
the local device does not receive the response packet from the peer, PPP will
resend the last packet. The time ranges from 1 to 10 seconds.
■ Configure the device as client: when the local interface, with PPP encapsulated,
is not configured with an IP address, whereas its peer is configured with an IP
address, you can configure IP address negotiation for the local interface so that
it can receive an IP address allocated by its peer. This configuration applies to
the situation where you access the Internet through an ISP and obtain an IP
address from the ISP.
■ Configure the device as server: if the device is configured as a server to
allocate an IP address for its peer, you should first configure a local IP address
pool in domain view or system view, indicate the scope of the address pool, and
then specify the address pool used for the interface in interface view.
To do...                                            Use the command...                                Remarks
Enter system view                                   system-view                                       -
Enter the specified interface view                  interface interface-type interface-number         -
Configure IP address negotiation (as either client or server):
  Configure the device as client                    Refer to the section below                        Required
  Configure the device as server                    Refer to the section below                        Required
Follow these steps to configure the device as server for PPP users that do not need
authentication:
Follow these steps to configure the device as server for PPP users that need
authentication:
Note that the domain used in defining the pool address is the domain specified
when performing PPP authentication.
Before you enable PPP LQC, the PPP interface sends keepalives to the peer at
regular intervals. After you enable LQC on the interface, it sends link quality
reports (LQRs) instead of keepalives to monitor the link.
When link quality is normal, the system calculates link quality based on each LQR
and disables the link if the results of two consecutive calculations are below the
close-percentage. Once the link is disabled, the system starts to calculate link
quality every ten LQRs, and brings the link up if the results of three consecutive
calculations are higher than the resume-percentage. This means a disabled link
must experience 30 keepalive periods before it can go up again. If a large
keepalive period is specified, it may take a long time for the link to go up.
Configuration procedure
Follow these steps to configure PPP link quality control:
Configuring MP
When configuring MP on the virtual template interface, you can use either
username or endpoint descriptor or both. The username discussed here refers to
the remote username received during PAP or CHAP authentication performed
when setting up a PPP connection. An endpoint descriptor, which uniquely
identifies a device, refers to the remote endpoint descriptor received during LCP
negotiation. The system distinguishes among the MP bundles on a virtual template
interface by username and endpoint descriptor.
Configuration procedure
Follow these steps to configure MP on the virtual template interface:
Note:
■ After you have configured the ppp mp max-bind command or the ppp mp
min-bind command, you must shutdown and then undo shutdown all the
relevant physical interfaces before the modification takes effect.
■ When MP binding is only based on descriptors, users cannot be differentiated.
So, to bind users to different groups, use the keyword both in the command.
■ When MP binding is only based on authentication usernames, peer devices
cannot be differentiated. So, authentication username-based MP binding
cannot be used when multiple peer devices exist.
■ For a VT interface, if a static route is used, it is recommended that you specify
the next hop rather than the outgoing interface. If the outgoing interface must be
specified, make sure that the physical interfaces bound in the VT are effective
to ensure normal transport of packets.
■ For detailed description on configuring MP parameters in Dialer interface view,
refer to “Configuring MP for DCC” on page 168.
Configuring PPP Link Efficiency Mechanism
Four mechanisms are available for improving transmission efficiency on PPP links.
They are IP header compression (IPHC), Stac Lempel-Ziv standard (STAC LZS)
compression on PPP packets, V. Jacobson Compressing TCP/IP Headers (VJ TCP
header compression), and link fragmentation and interleaving (LFI).
IP header compression
IPHC is a host-to-host protocol used to support real-time multimedia services such
as voice and video over IP networks. To decrease the bandwidth consumed by
headers, you may enable IP header compression on PPP links to compress RTP
(including IP, UDP, and RTP) headers or TCP headers. The following describes how
compression operates by taking RTP header compression as an example.
The real-time transport protocol (RTP) is virtually a UDP protocol using fixed port
number and format. The protocol includes a 40-byte header and a data section.
There is a concern that the 40-byte header which is composed of a 20-byte IP
header, an 8-byte UDP header and a 12-byte RTP header, is too large when
compared with the 20 bytes to 160 bytes typical payloads of RTP. To reduce
unnecessary bandwidth consumption, you can use IPHC to compress headers.
After compression, the 40-byte header can be reduced to 2 to 5 bytes. If the
payload is 40 bytes, the compression ratio will be (40+40) / (40+5), about 1.78,
which is very efficient. The process of IPHC is illustrated in the following figure.
[Figure: IPHC process (labels: incoming packets, traffic classifying, RTP header compression, non-RTP traffic, queue, output queue)]
Each TCP/IP packet transmitted over a TCP connection contains a typical 40-byte
TCP/IP header containing an IP header and a TCP header that are 20-byte long
each. The information in some fields of these headers, however, is unchanged
through the lifetime of the connection and needs sending only once, while the
information in some other fields changes but regularly and within a definite range.
Based on this idea, VJ TCP header compression may compress a 40-byte TCP/IP
header to 3 to 5 bytes. It can significantly improve the transmission speed of some
applications, such as FTP, on a low-speed serial link like PPP.
cause block and delay, consequently, the remote end cannot hear continuous
speech. Interactive voice requires that the end-to-end delay be no larger than
100-150 ms.
Dispatching a large packet of 1500 bytes through a 56-kbps line may take
215 ms, which exceeds the delay that one can tolerate. LFI is a method for
fragmenting larger packets and adding both the smaller packets and fragments of
the large packet to the queue. The fragmented datagrams are reassembled at the
destination. LFI can reduce the delay of real-time packets on relatively
low-speed links.
The following figure describes the process of link fragmentation and interleaving.
When large packets and small voice packets arrive at an interface at the same
time, the large packets are fragmented into small fragments. If the interface is
configured with WFQ, the voice packets and these small fragments are interleaved
together and put into the WFQ.
[Figure: LFI process (labels: large packet, voice packet, traffic classifying, fragmentation, WFQ, output queue)]
To do...                                            Use the command...                                Remarks
Enter system view                                   system-view                                       -
Create an MP-group interface                        mp-group number                                   Required
Exit to system view                                 quit                                              -
Enter the specified interface view                  interface interface-type interface-number         -
Configure IPHC (optional):
  Enable IPHC                                       ppp compression iphc [ nonstandard ]              Required
  Configure the maximum number of TCP header        ppp compression iphc tcp-connections number       Optional. 16 by default
  compression connections
  Configure the maximum number of RTP header        ppp compression iphc rtp-connections number       Optional. 16 by default
  compression connections
Enable Stac-LZS compression on the interface        ppp compression stac-lzs                          Optional. Disabled by default.
                                                                                                      Currently, outbound expedite forwarding is not
                                                                                                      applicable on links with Stac-LZS compression
                                                                                                      enabled. So, it is recommended that you disable
                                                                                                      outbound expedite forwarding before performing
                                                                                                      this operation.
Enable VJ TCP header compression on PPP interface   ip tcp vjcompress                                 Optional. Disabled by default
Configure PPP link fragmentation and interleaving (optional):
  Enter VT interface view or MP-group interface     interface virtual-template number                 Required
  view                                              interface mp-group number
  Enable LFI                                        ppp mp lfi                                        Required. Disabled by default
  Configure the maximum time delay of LFI           ppp mp lfi delay-per-frag time                    Required. 10 ms by default
  fragments
Displaying and Maintaining PPP/MP/PPP Link Efficiency Mechanism
To do...                                                        Use the command...
Display the information about an existing MP-group interface    display interface mp-group [ mp-number ]
Display the information about a VA interface                    display virtual-access [ dialer dialer-number | vt vt-number | user user-name | peer peer-address | va-number ] *
Display the information about an existing VT                    display interface virtual-template [ number ]
Display the information about an MP interface                   display ppp mp [ interface interface-type interface-number ]
Display the statistics on TCP header compression                display ppp compression iphc tcp [ interface-type interface-number ]
Display statistics on RTP header compression                    display ppp compression iphc rtp [ interface-type interface-number ]
Display statistics on Stac LZS header compression               display ppp compression stac-lzs [ interface-type interface-number ]
Clear all statistics on IP header compression                   reset ppp compression iphc [ interface-type interface-number ]
PPP and MP Configuration Example
Network diagram
[Diagram: Router A and Router B]
Configuration procedure
1 Configure Router A.
<RouterA> system-view
[RouterA] local-user user2
[RouterA-luser-user2] service-type ppp
[RouterA-luser-user2] password simple pass2
[RouterA-luser-user2] quit
[RouterA] interface serial 2/0
[RouterA-Serial2/0] link-protocol ppp
[RouterA-Serial2/0] ppp authentication-mode pap domain system
[RouterA-Serial2/0] ip address 200.1.1.1 16
[RouterA-Serial2/0] quit
[RouterA] domain system
[RouterA-isp-system] authentication ppp local
2 Configure Router B.
<RouterB> system-view
[RouterB] interface serial 2/0
[RouterB-Serial2/0] link-protocol ppp
[RouterB-Serial2/0] ppp pap local-user user2 password simple pass2
[RouterB-Serial2/0] ip address 200.1.1.2 16
Configuration procedure
Approach I: use local username and password to perform CHAP
1 Configure Router A.
<RouterA> system-view
[RouterA] local-user user2
[RouterA-luser-user2] password simple hello
[RouterA-luser-user2] service-type ppp
[RouterA-luser-user2] quit
[RouterA] interface serial 2/0
[RouterA-Serial2/0] link-protocol ppp
[RouterA-Serial2/0] ppp chap user user1
1 Configure Router A.
<RouterA> system-view
[RouterA] local-user user2
[RouterA-luser-user2] password simple hello
[RouterA-luser-user2] service-type ppp
[RouterA-luser-user2] quit
[RouterA] interface serial 2/0
[RouterA-Serial2/0] ppp authentication-mode chap domain system
[RouterA-Serial2/0] ip address 200.1.1.1 16
[RouterA-Serial2/0] quit
[RouterA] domain system
[RouterA-isp-system] authentication ppp local
2 Configure Router B.
<RouterB> system-view
[RouterB] interface serial 2/0
[RouterB-Serial2/0] ppp chap user user2
[RouterB-Serial2/0] ppp chap password simple hello
[RouterB-Serial2/0] ip address 200.1.1.2 16
Do the following:
■ Bind two channels on Router A with the two channels on Router B and another
two channels with the two channels on Router C.
Network diagram
[Diagram labels: Router A, Router C, hosts, interfaces S 2/0, DDN network]
Configuration procedure
1 Configure Router A:
<RouterA> system-view
[RouterA] local-user router-b
[RouterA-luser-router-b] password simple router-b
[RouterA-luser-router-b] quit
[RouterA] local-user router-c
[RouterA-luser-router-c] password simple router-c
[RouterA-luser-router-c] quit
# Assign interfaces Serial 2/0:1, Serial 2/0:2, Serial 2/0:3, and Serial 2/0:4 to MP
channels, taking Serial 2/0:1 for an example.
# Configure the users in the domain to use the local authentication scheme.
<RouterB> system-view
[RouterB] local-user router-a
[RouterB-luser-router-a] password simple router-a
[RouterB-luser-router-a] quit
# Specify the virtual-template for this user and perform PPP negotiation by using
the NCP information of this template
# Assign interfaces Serial 2/0:1 and Serial 2/0:2 to the MP channel, taking Serial
2/0:1 for an example.
3 Configure Router C:
<RouterC> system-view
[RouterC] local-user router-a
[RouterC-luser-router-a] password simple router-a
[RouterC-luser-router-a] quit
# Specify a virtual-template for this user and the NCP information of the template
will be used for PPP negotiation.
# Assign interfaces Serial 2/0:1 and Serial 2/0:2 to the MP channel, taking Serial
2/0:1 for an example.
# Configure the users in the domain to use the local authentication scheme.
Network diagram
Configuration procedure
1 Directly assign physical interfaces to a virtual template interface
Configure Router A:
<RouterA> system-view
[RouterA] local-user rtb
[RouterA-luser-rtb] password simple rtb
[RouterA-luser-rtb] service-type ppp
[RouterA-luser-rtb] quit
Configure Router B:
<RouterB> system-view
[RouterB] local-user rta
[RouterB-luser-rta] password simple rta
[RouterB-luser-rta] service-type ppp
[RouterB-luser-rta] quit
In addition, you can view the state of MP virtual channels by viewing the state of
virtual access interfaces with the display virtual-access command.
Configure Router A:
<RouterA> system-view
[RouterA] local-user rtb
[RouterA-luser-rtb] password simple rtb
[RouterA-luser-rtb] service-type ppp
[RouterA-luser-rtb] quit
# Configure the user in the domain to use the local authentication scheme
Configure Router B
<RouterB> system-view
[RouterB] local-user rta
[RouterB-luser-rta] password simple rta
[RouterB-luser-rta] service-type ppp
[RouterB-luser-rta] quit
Incorrect configuration:
If you intend to bind interfaces serial 2/1 and serial 2/0 into the same MP, but you
configured one as ppp mp while the other as ppp mp virtual-template 1, the
system will bind the two interfaces into different MPs.
Configure Router A:
<RouterA> system-view
[RouterA] local-user rtb
[RouterA-luser-rtb] password simple rtb
[RouterA-luser-rtb] service-type ppp
[RouterA-luser-rtb] quit
# Configure the users in the domain to use the local authentication scheme.
Configure Router B
<RouterB> system-view
[RouterB] local-user rta
[RouterB-luser-rta] password simple rta
[RouterB-luser-rta] service-type ppp
[RouterB-luser-rta] quit
# Configure the users in the domain to use the local authentication scheme.
Note that in this approach to MP binding, all users are bound together and the
concept of virtual access is not involved.
Enable the debugging of PPP, and you will see the information describing that LCP
went up upon a successful LCP negotiation but went down after the PAP or CHAP
negotiation.
Solution: Execute the display interface serial type number command to view
the current interface statuses, including:
■ "serial number is down, line protocol is down", which indicates that the
interface is not active or the physical layer has not gone up yet.
■ "serial number is up, line protocol is up", which indicates that the link
negotiation, i.e., the LCP negotiation on this interface has succeeded.
■ "serial number is up, line protocol is down", which indicates that this
interface is active, but link negotiation has failed.
PPPoE is divided into two distinct phases: discovery and PPP session.
■ Discovery phase
When a host wants to start a PPPoE process, it must first identify the MAC address
of the Ethernet on the access end and create the SESSION ID of PPPoE. This is the
very purpose of the discovery phase.
■ PPP session phase
After entering the session phase of PPPoE, the system can encapsulate the PPP
packet as the payload of a PPPoE frame into an Ethernet frame and then send the
Ethernet frame to the peer. In the frame, the SESSION ID must be the one
determined at the discovery phase, the MAC address must be the address of the
peer, and the PPP packet section begins with the Protocol ID. In the session
phase, either the host or the server may send PPPoE Active Discovery Terminate
(PADT) packets to notify the other to end the session.
PPPoE server
The device allows you to configure a PPPoE server, which provides the following
functions:
PPPoE client
PPPoE is widely used in ADSL broadband access applications. Generally, a host
must be installed with PPPoE client dialing software in order to access the Internet
via ADSL. Currently, the PPPoE client, or PPPoE client dialup, is available on the
device to enable users to access the Internet without installing client dial-up
software on the hosts. Moreover, all the hosts on the same LAN can share the
same ADSL account.
[Figure labels: PPPoE Server, PPPoE Client, Host A, Host B]
As shown in the above figure, PCs on the Ethernet are connected to the device
where PPPoE client runs. The data destined to the Internet first reaches the router
and is encapsulated in PPPoE there. After leaving the router, it passes through the
ADSL modem attached to the router and then the ADSL access server before
reaching the Internet. This can be done without PPPoE client dial-up software.
Configuring PPPoE Server
PPPoE server can be configured on physical Ethernet interfaces or virtual Ethernet
interfaces generated by ADSL interface. For more information on the
configuration of PPPoE server on virtual Ethernet interface, refer to “ATM and DSL
Interface Configuration” on page 71.
Note: For a virtual template interface, if a static route is used, it is
recommended that you specify the next hop rather than the outgoing interface. If
the outgoing interface must be specified, make sure that the physical interface
bound in the virtual template is effective to ensure normal transport of packets.
Configuring PPPoE Client
Introduction to PPPoE Client
PPPoE client configuration tasks include dialer interface configuration and PPPoE
session configuration.
Before configuring PPPoE session, you should first configure a dialer interface and
configure a dialer bundle on the interface. Each PPPoE session uniquely
corresponds to a dialer bundle and each dialer bundle uniquely corresponds to a
dialer interface. Thus, a PPPoE session can be created via a dialer interface.
Displaying and Maintaining PPPoE
To do...                                            Use the command...                                  Remarks
Display statistics and state information about      display pppoe-server session { all | packet }       Available in any view
PPPoE server sessions.
Display statistics and state information about      display pppoe-client session { packet | summary }   Available in any view
PPPoE client sessions.                              [ dial-bundle-number number ]
PPPoE Configuration Example
Network diagram
The router is connected to the Ethernet through the interface Ethernet 1/0 and the
Internet through Serial 2/0.
[Diagram labels: Host A, Host B, Router (Eth 1/0, S2/0), Internet]
Configuration procedure
# Add a PPPoE user
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] password simple pass1
[Sysname-luser-user1] service-type ppp
[Sysname-luser-user1] quit
# Configure the users in the domain to use the local authentication scheme.
After these configurations, install PPPoE client software on each host, and
configure a username and a password (in this case, user1 and pass1,
respectively). The hosts can then run PPPoE and access the Internet
through the router.
Network diagram
[Diagram labels: Router A (Eth 1/0), Router B (Eth1/0)]
Configuration procedure
1 PAP authentication:
a Configure Router A as PPPoE server
<RouterA> system-view
[RouterA] local-user user2
[RouterA-luser-user2] password simple hello
[RouterA-luser-user2] service-type ppp
[RouterA-luser-user2] quit
<RouterA> system-view
[RouterA] local-user user2
[RouterA-luser-user2] password simple hello
[RouterA-luser-user2] service-type ppp
[RouterA-luser-user2] quit
Network diagram
[Diagram labels: DSLAM, Router B (PPPoE Server), ATM 1/0, Modem, Eth 1/1 192.168.1.1/24, Eth1/0]
Configuration procedure
1 Configure Router A as PPPoE client
<RouterA> system-view
[RouterA] dialer-rule 1 ip permit
[RouterA] interface dialer 1
[RouterA-Dialer1] dialer-group 1
[RouterA-Dialer1] dialer bundle 1
[RouterA-Dialer1] ip address ppp-negotiate
[RouterA-Dialer1] ppp pap local-user user1 password cipher 123456
[RouterA-Dialer1] quit
If the IP addresses of the PCs in the LAN are private addresses, you need to
configure NAT (Network Address Translation) on the device. The NAT
configuration will not be elaborated here. For details, refer to “NAT-PT
Configuration” on page 679.
<RouterB> system-view
[RouterB] local-user user1
[RouterB-luser-user1] password simple 123456
[RouterB-luser-user1] service-type ppp
[RouterB-luser-user1] quit
Network diagram
[Diagram labels: Modem, Eth 1/0, ADSL]
Configuration procedure
Configure the router:
<Router> system-view
[Router] dialer-rule 1 ip permit
[Router] interface dialer 1
[Router-Dialer1] dialer user user1
[Router-Dialer1] dialer-group 1
[Router-Dialer1] dialer bundle 1
[Router-Dialer1] ip address ppp-negotiate
Network diagram
[Diagram labels: Internet, ATM1/0, Router]
Configuration procedure
# Configure a dialer interface
<Router> system-view
[Router] dialer-rule 1 ip permit
[Router] interface dialer 1
[Router-Dialer1] dialer user mypppoe
[Router-Dialer1] dialer-group 1
[Router-Dialer1] dialer bundle 1
[Router-Dialer1] ip address ppp-negotiate
# Configure a VE interface
Note: Presently the devices support only transparent bridging, so this document
provides information about transparent bridging only.
Bridging Overview
Introduction to Bridging
A bridge is a store-and-forward device that connects and transfers traffic between
local area network (LAN) segments at the data-link layer. In some small-sized
networks, especially those with dispersed distribution of users, the use of bridges
can reduce the network maintenance costs, without requiring the end users to
perform special configurations on the devices.
Transparent bridging is used to bridge LAN segments of the same physical media
type, primarily in Ethernet environments. Typically, a transparent bridging device
keeps a bridge table, which contains mappings between destination MAC
addresses and outbound interfaces.
segment, a bridge listens to all Ethernet frames on the segments. When it receives
an Ethernet frame, it extracts the source MAC address of the frame and creates a
mapping entry between this MAC address and the interface on which the
Ethernet frame was received.
As shown in Figure 105, Hosts A, B, C and D are attached to two LAN segments,
of which LAN segment 1 is connected with bridge interface 1 while LAN segment
2 is connected with bridge interface 2. When Host A sends an Ethernet frame to
Host B, both bridge interface 1 and Host B receive this frame.
[Figure 105: Host A and Host B on LAN segment 1 (bridge interface 1); Host C and Host D on LAN segment 2 (bridge interface 2)]
As the bridge receives the Ethernet frame on bridge interface 1, it determines that
Host A is attached to bridge interface 1 and creates a mapping between the MAC
address of Host A and bridge interface 1 in its bridge table, as shown in
Figure 106.
[Figure 106: Host A and Host B on LAN segment 1; Host C and Host D on LAN segment 2 (bridge interface 2)]
When Host B responds to Host A, the bridge also hears the Ethernet frame from
Host B. As the frame is received on bridge interface 1, the bridge determines that
Host B is also attached to bridge interface 1, and creates a mapping between the
MAC address of Host B and bridge interface 1 in its bridge table, as shown in
Figure 107.
Figure 107 The bridge determines that Host B is also attached to interface 1
Finally, the bridge obtains all the MAC-interface mappings (assume that all hosts
are in use), as shown in Figure 108.
■ When Host A sends an Ethernet frame to Host B, as Host B is on the same LAN
segment with Host A, the bridge filters the Ethernet frame instead of
forwarding it, as shown in Figure 110.
[Figure 110: Host A and Host B on LAN segment 1 (bridge interface 1); Host C and Host D on bridge interface 2]
Bridge table
MAC address       Interface
00e0.fcaa.aaaa    1
00e0.fcbb.bbbb    1
00e0.fccc.cccc    2
■ When Host A sends an Ethernet frame to Host C, if the bridge does not find a
MAC-to-interface mapping about Host C in its bridge table, the bridge
forwards the Ethernet frame to all interfaces except the interface on which the
frame was received, as shown in Figure 111.
Figure 111 The proper MAC-to-interface mapping is not found in the bridge table
[Diagram: Host A and Host B on LAN segment 1 (bridge interface 1); Host C and Host D on LAN segment 2 (bridge interface 2)]
Bridge table
MAC address       Interface
00e0.fcaa.aaaa    1
00e0.fcbb.bbbb    1
Configuring Basic Bridging Functionalities
For more information about ATM configuration, refer to “ATM and DSL Interface
Configuration” on page 71.
Configuring Bridge Table Entries
Typically, a bridge dynamically creates and maintains a bridge table based on the
correlations between the MAC addresses it learned and the corresponding
interfaces. The administrator, however, can manually configure some bridge table
entries, which will never get aged out.
The aging time of a dynamic bridge table entry refers to the lifetime of the entry
before it is deleted from the table. When the aging timer of a dynamic table entry
expires, the system deletes the entry from the table.
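The learning, filtering, forwarding and flooding rules from the bridging overview, together with the aging and static entries described here, as an added Python example that is not part of the original guide. The class and function names, the 300-second aging time, and the rule that a learned address never replaces a static entry are assumptions of this model; the MAC addresses are the ones shown in the bridge table figures.

```python
"""Transparent-bridge learning, filtering, forwarding and flooding (added example)."""


class TransparentBridge:
    def __init__(self, interfaces, aging_time=300):
        self.interfaces = set(interfaces)
        self.aging_time = aging_time  # seconds; 300 is an assumed value
        # MAC address -> (interface, last_seen); last_seen is None for static entries
        self.table = {}

    def add_static(self, mac, interface):
        """Manually configured entry: it is never aged out."""
        self.table[mac] = (interface, None)

    def age_out(self, now):
        """Delete dynamic entries whose aging timer has expired."""
        expired = [mac for mac, (_, seen) in self.table.items()
                   if seen is not None and now - seen >= self.aging_time]
        for mac in expired:
            del self.table[mac]
        return expired

    def receive(self, src, dst, in_if, now):
        """Process one frame; return (action, list of outgoing interfaces)."""
        self.age_out(now)

        # Learn: map the source MAC to the receiving interface and restart its
        # aging timer. Assumption of this model: static entries are not relearned.
        current = self.table.get(src)
        if current is None or current[1] is not None:
            self.table[src] = (in_if, now)

        # Decide what to do with the frame based on the destination MAC.
        known = self.table.get(dst)
        if known is None:
            # No mapping: send to all interfaces except the receiving one.
            return "flood", sorted(self.interfaces - {in_if})
        if known[0] == in_if:
            # Destination is on the segment the frame came from.
            return "filter", []
        return "forward", [known[0]]


def walk_through():
    """Replay the Host A / Host B / Host C scenario from the figures."""
    host_a, host_b, host_c = "00e0.fcaa.aaaa", "00e0.fcbb.bbbb", "00e0.fccc.cccc"
    bridge = TransparentBridge([1, 2])
    steps = [
        bridge.receive(host_a, host_b, 1, now=0),    # B unknown yet: flood
        bridge.receive(host_b, host_a, 1, now=1),    # same segment: filter
        bridge.receive(host_a, host_c, 1, now=2),    # C unknown: flood
        bridge.receive(host_c, host_a, 2, now=3),    # A known on 1: forward
        bridge.receive(host_a, host_c, 1, now=4),    # C learned on 2: forward
        bridge.receive(host_a, host_c, 1, now=400),  # C aged out: flood again
    ]
    bridge.add_static(host_c, 2)
    steps.append(bridge.receive(host_a, host_c, 1, now=1000))  # static: forward
    return steps


if __name__ == "__main__":
    for action, out_ifs in walk_through():
        print(action, out_ifs)
```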
Configuring Bridge Routing
Bridge routing provides a forwarding capability that combines bridging and routing.
When data of a given protocol is exchanged between bridge interfaces, bridging
occurs; when data of a given protocol is exchanged between a bridge set and a
non-bridge-set network, the protocol can be routed. Before the built-in routing
and bridging functionalities are activated, all protocol data can only be
bridged. With the built-in routing and bridging functionalities activated,
datagrams of the specified protocol can be either bridged or routed, and
switching between bridging and routing can be implemented flexibly through
configuration commands.
If bridge sets with the same bridge set number are enabled on two or more devices
and a bridge-template interface is created for each of these bridge sets while no
Ethernet interfaces have been added into these bridge sets, these bridge-template
interfaces will use exactly the same default MAC address. This will cause a MAC
address conflict. To avoid this situation, you can configure different MAC
addresses on different bridge-template interfaces.
Displaying and Maintaining Bridging Configurations
To do: View bridge set information
  Use the command: display bridge information [ bridge-set bridge-set ]
  Remarks: Available in any view
To do: View the statistics information of a virtual bridge-template interface
  Use the command: display interface bridge-template [ interface-number ]
  Remarks: Available in any view
To do: View bridge table information
  Use the command: display bridge address-table [ bridge-set bridge-set | dlsw | interface interface-type interface-number | mac mac-address ] [ dynamic | static ]
  Remarks: Available in any view
To do: View the statistics information of bridged traffic
  Use the command: display bridge traffic [ bridge-set bridge-set | dlsw | interface interface-type interface-number ]
  Remarks: Available in any view
To do: Clear bridge table entries
  Use the command: reset bridge address-table [ bridge-set bridge-set | dlsw | interface interface-type interface-number ]
  Remarks: Available in user view
To do: Clear the statistics information of bridged traffic
  Use the command: reset bridge traffic [ bridge-set bridge-set | dlsw | interface interface-type interface-number ]
  Remarks: Available in user view
Transparent Bridging Configuration Examples
Network diagram
Figure 112 Network diagram for transparent bridging over ATM configuration
(Diagram labels: Router A with Eth1/0 and ATM5/0; Router B with ATM5/0 and Eth1/0; LAN 1; LAN 2)
Configuration procedure
1 Configure Router A
[RouterA] bridge enable
[RouterA] bridge 1 enable
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] bridge-set 1
[RouterA-Ethernet1/0] interface atm 5/0
[RouterA-Atm5/0] pvc 32/50
[RouterA-atm-pvc-Atm5/0-32/50] map bridge-group broadcast
[RouterA-atm-pvc-Atm5/0-32/50] quit
[RouterA-Atm5/0] bridge-set 1
2 Configure Router B
[RouterB] bridge enable
[RouterB] bridge 1 enable
[RouterB] interface ethernet 1/0
[RouterB-Ethernet1/0] bridge-set 1
[RouterB-Ethernet1/0] interface atm 5/0
[RouterB-Atm5/0] pvc 32/50
[RouterB-atm-pvc-Atm5/0-32/50] map bridge-group broadcast
[RouterB-atm-pvc-Atm5/0-32/50] quit
[RouterB-Atm5/0] bridge-set 1
Network diagram
Figure 113 Network diagram for transparent bridging over PPP configuration
(Diagram labels: Router A; Router B; LAN 1; LAN 2)
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] bridge enable
[RouterA] bridge 1 enable
Network diagram
(Diagram labels: Router A with Eth1/0, S2/0 and S2/1; Router B with Eth1/0, S2/0 and S2/1; LAN 1; LAN 2)
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] bridge enable
[RouterA] bridge 1 enable
[RouterA] interface virtual-template 1
[RouterA-virtual-template1] bridge-set 1
[RouterA-virtual-template1] quit
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] bridge-set 1
[RouterA-Ethernet1/0] quit
[RouterA] interface serial 2/1
[RouterA-Serial2/1] link-protocol ppp
[RouterA-Serial2/1] ppp mp virtual-template 1
[RouterA-Serial2/1] quit
[RouterA] interface serial 2/0
[RouterA-Serial2/0] link-protocol ppp
[RouterA-Serial2/0] ppp mp virtual-template 1
2 Configure Router B
<RouterB> system-view
[RouterB] bridge enable
Network diagram
(Diagram labels: Router A with Eth1/0 and S2/0; Router B with Eth1/0 and S2/0; LAN 2)
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] bridge enable
[RouterA] bridge 1 enable
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] bridge-set 1
[RouterA-Ethernet1/0] quit
[RouterA] interface serial 2/0
[RouterA-Serial2/0] link-protocol fr
[RouterA-Serial2/0] fr interface-type dce
[RouterA-Serial2/0] fr dlci 50
[RouterA-Serial2/0] bridge-set 1
[RouterA-Serial2/0] fr map bridge 50 broadcast
2 Configure Router B
<RouterB> system-view
[RouterB] bridge enable
[RouterB] bridge 1 enable
[RouterB] interface ethernet 1/0
[RouterB-Ethernet1/0] bridge-set 1
[RouterB-Ethernet1/0] quit
[RouterB] interface serial 2/0
[RouterB-Serial2/0] link-protocol fr
Network diagram
Figure 116 Network diagram for transparent bridging over X.25 configuration
(Diagram labels: Router A with Eth1/0 and S2/0; Router B with Eth1/0 and S2/0; LAN 1; LAN 2)
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] bridge enable
[RouterA] bridge 1 enable
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] bridge-set 1
[RouterA-Ethernet1/0] quit
[RouterA] interface serial 2/0
[RouterA-Serial2/0] link-protocol x25 dce
[RouterA-Serial2/0] x25 x121-address 100
[RouterA-Serial2/0] x25 map bridge x121-address 200 broadcast
[RouterA-Serial2/0] bridge-set 1
2 Configure Router B
<RouterB> system-view
[RouterB] bridge enable
[RouterB] bridge 1 enable
[RouterB] interface ethernet 1/0
[RouterB-Ethernet1/0] bridge-set 1
[RouterB-Ethernet1/0] quit
[RouterB] interface serial 2/0
[RouterB-Serial2/0] link-protocol x25
[RouterB-Serial2/0] x25 x121-address 200
[RouterB-Serial2/0] x25 map bridge x121-address 100 broadcast
[RouterB-Serial2/0] bridge-set 1
Network diagram
Figure 117 Network diagram for transparent bridging over HDLC configuration
(Diagram labels: Router A with Eth1/0 and S2/0; Router B with Eth1/0 and S2/0; LAN 1; LAN 2)
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] bridge enable
[RouterA] bridge 1 enable
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] bridge-set 1
[RouterA-Ethernet1/0] quit
[RouterA] interface serial 2/0
[RouterA-Serial2/0] link-protocol hdlc
[RouterA-Serial2/0] bridge-set 1
2 Configure Router B
<RouterB> system-view
[RouterB] bridge enable
[RouterB] bridge 1 enable
[RouterB] interface ethernet 1/0
[RouterB-Ethernet1/0] bridge-set 1
[RouterB-Ethernet1/0] quit
[RouterB] interface Serial 2/0
[RouterB-Serial2/0] link-protocol hdlc
[RouterB-Serial2/0] bridge-set 1
Network diagram
(Diagram labels: Router A and Router B, each with Eth1/0, Eth1/1 and Eth1/2)
Configuration procedure
1 Configure Router A
[RouterA] bridge enable
[RouterA] bridge 1 enable
[RouterA] bridge 2 enable
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] bridge-set 1
[RouterA-Ethernet1/0] quit
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] bridge-set 2
[RouterA-Ethernet1/1] quit
[RouterA] interface ethernet 1/2.1
[RouterA-Ethernet1/2.1] vlan-type dot1q vid 1
[RouterA-Ethernet1/2.1] bridge-set 1
[RouterA-Ethernet1/2.1] quit
[RouterA] interface ethernet 1/2.2
[RouterA-Ethernet1/2.2] vlan-type dot1q vid 2
[RouterA-Ethernet1/2.2] bridge-set 2
2 Configure Router B
<RouterB> system-view
[RouterB] bridge enable
[RouterB] bridge 1 enable
[RouterB] bridge 2 enable
[RouterB] interface ethernet 1/0
[RouterB-Ethernet1/0] bridge-set 1
[RouterB-Ethernet1/0] quit
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] bridge-set 2
[RouterB-Ethernet1/1] quit
[RouterB] interface ethernet 1/2.1
[RouterB-Ethernet1/2.1] vlan-type dot1q vid 1
[RouterB-Ethernet1/2.1] bridge-set 1
[RouterB-Ethernet1/2.1] quit
[RouterB] interface ethernet 1/2.2
[RouterB-Ethernet1/2.2] vlan-type dot1q vid 2
[RouterB-Ethernet1/2.2] bridge-set 2
Network diagram
(Diagram labels: Host A; Host B; Host C; Host D; Router A and Router B, each with Eth1/0, Eth1/1 and S2/0)
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] bridge enable
[RouterA] bridge 1 enable
[RouterA] bridge 2 enable
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] bridge-set 1
[RouterA-Ethernet1/0] quit
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] bridge-set 2
[RouterA-Ethernet1/1] quit
[RouterA] interface serial 2/0
[RouterA-Serial2/0] link-protocol fr
[RouterA-Serial2/0] quit
[RouterA] interface serial 2/0.1
[RouterA-Serial2/0.1] fr map bridge 50 broadcast
[RouterA-Serial2/0.1] bridge-set 1
[RouterA-Serial2/0.1] quit
[RouterA] interface serial 2/0.2
[RouterA-Serial2/0.2] fr map bridge 60 broadcast
[RouterA-Serial2/0.2] bridge-set 2
2 Configure Router B
<RouterB> system-view
[RouterB] bridge enable
[RouterB] bridge 1 enable
[RouterB] bridge 2 enable
[RouterB] interface ethernet 1/0
[RouterB-Ethernet1/0] bridge-set 1
[RouterB-Ethernet1/0] quit
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] bridge-set 2
[RouterB-Ethernet1/1] quit
[RouterB] interface serial 2/0
[RouterB-Serial2/0] link-protocol fr
[RouterB-Serial2/0] fr interface-type dce
[RouterB-Serial2/0] quit
[RouterB] interface serial 2/0.1
[RouterB-Serial2/0.1] fr dlci 50
[RouterB-Serial2/0.1] fr map bridge 50 broadcast
[RouterB-Serial2/0.1] bridge-set 1
[RouterB-Serial2/0.1] quit
[RouterB] interface serial 2/0.2
[RouterB-Serial2/0.2] fr dlci 60
[RouterB-Serial2/0.2] fr map bridge 60 broadcast
[RouterB-Serial2/0.2] bridge-set 2
Network diagram
(Diagram labels: Bridge set 1 with Eth1/0 and Eth1/1; Bridge-Template 1, 1.1.1.1/16; Eth1/2, 2.1.1.1/16)
Configuration procedure
<Router> system-view
[Router] bridge enable
[Router] bridge routing-enable
[Router] bridge 1 enable
[Router] bridge 1 routing ip
[Router] interface ethernet 1/0
[Router-Ethernet1/0] bridge-set 1
[Router-Ethernet1/0] quit
[Router] interface ethernet 1/1
[Router-Ethernet1/1] bridge-set 1
[Router-Ethernet1/1] quit
[Router] interface bridge-template 1
[Router-Bridge-template1] ip address 1.1.1.1 255.255.0.0
[Router-Bridge-template1] quit
[Router] interface ethernet 1/2
[Router-Ethernet1/2] ip address 2.1.1.1 255.255.0.0
Introduction to ISDN
Derived from integrated digital network (IDN), integrated services digital network
(ISDN) provides end-to-end digital connectivity and supports an extensive range
of services, covering both voice and non-voice services.
(Protocol stack diagram labels: CC; Layer 3: Q.931; Layer 2: Q.921 LAPD)
The ISDN protocols proposed by ITU-T provide different services in different areas,
forming the ISDN protocols that are suitable for different regions, such as NTT
The NI protocol used in North America is applied only to BRI interfaces. The ISDN
network uses the SPID (Service Profile Identification) as the ID of different
services, and the switch provides the corresponding service to the terminal user
according to the SPID. Each B channel corresponds to a SPID. Only after the SPID
has been used to perform the SPID handshake interaction can the user proceed with
the normal calling and disconnection process. Therefore, after Q.921 establishes
the link successfully and before Q.931 call processing starts, the user needs to
obtain the SPID and interact with the switch to perform the Layer 3 (Q.931)
initialization. Only then can the normal calling and disconnection process start;
otherwise, the call will fail.
So far, there are three ways to obtain the SPID on one BRI interface over the ISDN
in North America.
The former two ways to obtain SPID are regarded as static configuration methods,
and the third one is taken as dynamic negotiation method. If the user does not
specify a SPID in static method, the system will adopt dynamic method by default.
Configuring ISDN
Configuring the Negotiation Parameters of ISDN Layer 3 Protocol
Follow these steps to configure the negotiation parameters of ISDN layer 3
protocol:
To do: Enter system view
  Use the command: system-view
  Remarks: -
To do: Enter specified interface view
  Use the command: interface interface-type interface-number
  Remarks: -
To do: Set the length of the call reference adopted when the ISDN interface initiates a call
  Use the command: isdn crlength call-reference-length
  Remarks: Optional. The call reference length is two bytes for CE1 PRI and CT1 PRI interfaces and one byte for BRI interfaces by default.
To do: Configure the router to switch the ISDN protocol state to ACTIVE to start the data and voice service communications after sending a CONNECT message without having to wait for a CONNECT ACK message.
  Use the command: isdn ignore connect-ack
  Remarks: Optional. By default, in the event that the router is communicating with an exchange, the ISDN protocol must wait for the CONNECT ACK in response to the CONNECT message before it can switch to the ACTIVE state to start the data and voice service communications.
Note: The undefined bits in all the protocols are reserved for other purposes.
Configuring the SPID of the ISDN NI Protocol
You may configure SPID on the BRI interfaces that are running the ISDN NI
protocol.
Follow these steps to configure the SPID parameters of the ISDN NI protocol:
Setting the Called Number or Sub-Address to Be Checked During a Digital Incoming Call
If a called number or subaddress is specified, the system will deny an incoming
digital call if the calling party sends a wrong called number or subaddress or does
not send one at all.
Follow these steps to configure the called number or sub-address to be checked
during a digital incoming call:
Configuring to Send Calling Number During an Outgoing Call
The purpose for setting this command is to reduce cost in some networks that
charge the calling side by providing advantageous accounting numbers for users.
Follow these steps to configure to send calling number during an outgoing call:
Setting the Local Management ISDN B Channel
Configured with isdn bch-local-manage command, the router operates in local
B-channel management mode to select available B channels for calls. Despite this,
the connected exchange has higher priority in B channel selection. If the B channel
the router selected for a call is different from the one indicated by the exchange,
the one indicated by the exchange is used for communication.
Configuring ISDN B Channel Selection Mode
Follow these steps to configure ISDN B channel selection mode:
To do: Enter system view
  Use the command: system-view
  Remarks: -
To do: Enter specified interface view
  Use the command: interface interface-type interface-number
  Remarks: -
Configuring the Sliding Window Size on the PRI Interface
Follow these steps to configure the size of the sliding window on the PRI interface:
To do: Enter system view
  Use the command: system-view
  Remarks: -
To do: Enter specified interface view
  Use the command: interface interface-type interface-number
  Remarks: -
To do: Configure the sliding window size on the PRI interface or restore the default.
  Use the command: isdn pri-slipwnd-size { window-size | default }
  Remarks: Optional. The sliding window on the PRI interface defaults to 7.
Configuring Statistics About ISDN Message Receiving/Sending
Follow these steps to configure the statistics about ISDN message
receiving/sending:
To do: Enter system view
  Use the command: system-view
  Remarks: -
To do: Enter specified interface view
  Use the command: interface interface-type interface-number
  Remarks: -
To do: Set ISDN to start the statistics of message receiving/sending
  Use the command: isdn statistics start
  Remarks: Required
To do: Set ISDN to stop the statistics of message receiving/sending
  Use the command: isdn statistics stop
  Remarks: Required
To do: Display ISDN statistics
  Use the command: isdn statistics display [ flow ]
  Remarks: Required
To do: Set ISDN to continue the statistics of information received by ISDN
  Use the command: isdn statistics continue
  Remarks: Optional
To do: Clear ISDN statistics
  Use the command: isdn statistics clear
  Remarks: Optional
Configuring to Check the Calling Number When an Incoming Call Comes
Follow these steps to configure to check the calling number when an incoming
call comes:
To do: Enter system view
  Use the command: system-view
  Remarks: -
To do: Enter specified interface view
  Use the command: interface interface-type interface-number
  Remarks: -
To do: Configure to check the calling number when an incoming call comes
  Use the command: isdn caller-number caller-number
  Remarks: Required. Execute this command to configure limited incoming calls.
Configuring TEI Treatment on the BRI Interface
Follow these steps to configure TEI treatment on the BRI interface:
To do: Enter system view
  Use the command: system-view
  Remarks: -
To do: Enter specified BRI interface view
  Use the command: interface bri interface-number
  Remarks: -
To do: Request the switch for a new TEI each time a B channel on the BRI interface places a call.
  Use the command: isdn two-tei
  Remarks: Optional. All B channels on the BRI interface use the same TEI by default.
Configuring ISDN BRI Leased Line
ISDN leased lines are implemented by establishing MP semi-permanent
connections. This requires that the PBXs of your telecommunication service
provider provide leased lines and are connected to the remote devices.
Note:
■ Before you can use this command, you must configure C-DCC.
■ For a description of DCC configuration, refer to “DCC Configuration” on page 153.
Configuring Permanent Link Function on ISDN BRI Link Layer
To enable a BRI interface to set up the Q.921 link automatically and maintain the
link permanently even when no calls are received from the network layer, you may
configure the isdn q921-permanent command. If the two-tei mode is also
configured on the interface, two such links will be present.
You may need to configure permanent Q.921 link mode where the ISDN NI
protocol is adopted to ensure the success of every call attempt.
Follow these steps to configure Q.921 permanent link mode for an ISDN BRI
interface:
Specifying an ISDN BRI Interface to be in Permanent Active State on Physical Layer
On a BRI interface operating on the network side, the T325 timer is triggered
when the link is torn down on the data link layer, and deactivating requests are
sent from the data link layer to the physical layer when the timer expires. A
deactivating request causes the BRI interface to turn to active mode on physical
layer and thus helps reduce power consumption. To make a BRI interface remain in
the active state on the physical layer even if no link exists on the data link
layer, you can perform the operations listed in the following table, which
disable the sending of deactivating requests.
Follow these steps to specify an ISDN BRI interface to be in permanent active state
on physical layer:
Note:
■ The support for this function varies with device models.
■ This function is only applicable to BRI interfaces operating in the network side
mode. Currently, only BSV board can operate on network side.
■ This function is different from the permanent link function. The former
maintains the active state of BRI interfaces on physical layer and is only
applicable to BRI interfaces operating on the network side. It cannot activate
the BRI interfaces that are in inactive state on physical layer. The latter,
however, enables BRI interfaces to enter Q.921 multi-framing state
immediately after the user side and the network side connect correctly. It is
only applicable to BRI interfaces operating on the user side. If you enable the
permanent link function while no Q.921 link is established, the system
attempts to establish Q.921 links.
Enabling Remote Powering on an ISDN BRI Interface
Follow these steps to enable remote powering on an ISDN BRI interface:
To do: Enter system view
  Use the command: system-view
  Remarks: -
To do: Enter specified BRI interface view
  Use the command: interface-type interface-number
  Remarks: -
To do: Enable remote powering on the interface
  Use the command: power-source
  Remarks: Optional. The remote powering function is disabled on an ISDN BRI interface by default.
Note:
■ The support for this function varies with device models.
■ This function is available to BSV interfaces operating in the network side mode.
Currently, only BSV board can operate in the network side mode. For example,
you can enable this function on a BSV interface operating in the network side
mode to provide power supply to the ISDN digital phone sets attached to the
interface.
Displaying and Maintaining ISDN
To do: Display the active calling information on an ISDN interface
  Use the command: display isdn active-channel [ interface interface-type interface-number ]
  Remarks: Available in any view.
To do: Display the current status of an ISDN interface
  Use the command: display isdn call-info [ interface interface-type interface-number ]
  Remarks: Available in any view.
To do: Display the history record of an ISDN call
  Use the command: display isdn call-record [ interface interface-type interface-number ]
  Remarks: Available in any view.
To do: Display the system parameters of ISDN protocol Layer 2 and Layer 3 running on the interface.
  Use the command: display isdn parameters { protocol | interface interface-type interface-number }
  Remarks: Available in any view.
To do: Display the information of SPID on the BRI interface adopting NI protocol
  Use the command: display isdn spid [ interface interface-type interface-number ]
  Remarks: Available in any view.
To do: Shut down the current BRI interface
  Use the command: shutdown
  Remarks: Available in ISDN interface view
To do: Bring up the current BRI interface
  Use the command: undo shutdown
  Remarks: Available in ISDN interface view
ISDN Configuration Example
Network diagram
(Diagram labels: CE/PRI 1/0, 202.38.154.1/16, 8810152; ISDN network; CE/PRI 1/0, 202.38.154.2/16, 8810154; Router B)
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] controller e1 1/0
[RouterA-E1 1/0] pri-set
[RouterA-E1 1/0] quit
Network diagram
(Diagram labels: BRI2/0, 202.38.154.1/16, 8810152; ISDN network; BRI2/0, 202.38.154.2/16, 8810154; Router B)
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] interface bri 2/0
[RouterA-Bri2/0] ip address 202.38.154.1 255.255.0.0
[RouterA-Bri2/0] dialer enable-circular
[RouterA-Bri2/0] dialer route ip 202.38.154.2 8810154
[RouterA-Bri2/0] dialer-group 1
[RouterA-Bri2/0] quit
[RouterA] dialer-rule 1 ip permit
Network diagram
(Diagram labels: BRI2/0, 202.38.154.1/16; ISDN network; BRI2/0, 202.38.154.2/16; Router B)
Configuration procedure
1 Configure Router A.
<RouterA> system-view
[RouterA] interface bri2/0
[RouterA-Bri2/0] link-protocol ppp
[RouterA-Bri2/0] ppp mp virtual-template 5
[RouterA-Bri2/0] dialer enable-circular
[RouterA-Bri2/0] dialer isdn-leased 0
[RouterA-Bri2/0] dialer isdn-leased 1
[RouterA-Bri2/0] quit
[RouterA] interface virtual-template 5
[RouterA-Virtual-Template5] ip address 202.38.154.1 255.0.0.0
2 Configure Router B
<RouterB> system-view
[RouterB] interface Bri2/0
[RouterB-Bri2/0] link-protocol ppp
[RouterB-Bri2/0] ppp mp virtual-template 5
[RouterB-Bri2/0] dialer enable-circular
[RouterB-Bri2/0] dialer isdn-leased 0
[RouterB-Bri2/0] dialer isdn-leased 1
[RouterB-Bri2/0] quit
[RouterB] interface virtual-template 5
[RouterB-Virtual-Template5] ip address 202.38.154.2 255.0.0.0
Network diagram
Figure 125 Network diagram for ISDN 128K leased line connection
(Diagram labels: Router A BRI2/0, 100.1.1.1/24; ISDN network; Router B BRI2/0, 100.1.1.2/24)
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] dialer-rule 1 ip permit
[RouterA] interface bri 2/0
[RouterA-Bri2/0] ip address 100.1.1.1 255.255.255.0
[RouterA-Bri2/0] link-protocol ppp
[RouterA-Bri2/0] dialer enable-circular
[RouterA-Bri2/0] dialer-group 1
[RouterA-Bri2/0] dialer isdn-leased 128k
2 Configure Router B
<RouterB> system-view
[RouterB] dialer-rule 1 ip permit
[RouterB] interface bri 2/0
[RouterB-Bri2/0] ip address 100.1.1.2 255.255.255.0
[RouterB-Bri2/0] link-protocol ppp
[RouterB-Bri2/0] dialer enable-circular
[RouterB-Bri2/0] dialer-group 1
[RouterB-Bri2/0] dialer isdn-leased 128k
Note: You do not need to configure a dial number because setup of a leased line
connection does not involve a dial process.
After you configure a leased line successfully, you can dial through. To view the
state of the interfaces, execute the following commands:
0 broadcasts, 0 multicasts
2 errors, 0 runts, 0 giants,
2 CRC, 0 align errors, 0 overruns,
0 dribbles, 0 aborts, 0 no buffers
0 frame errors
Output:0 packets, 0 bytes
0 errors, 0 underruns, 0 collisions
0 deferred
As you can see, the state of interface Bri 2/0:1 is up, its speed is 128 kbps, and
channels (timeslots used) B1 and B2 are in use; the state of Bri 2/0:2 is down, and
the field of timeslots used is NULL.
In addition, the username and password for dialing are user and hello respectively.
Router D needs to place an MP call on interface Bri 2/0 to obtain an address from
the carrier for accessing the Internet.
Network diagram
BRI2/0 8810148
SPID1:31427583620101,LDN1= 1234567
SPID1:31427583870101,LDN1= 7654321
Configuration procedure
# Enable IP packet-triggered dial.
<Router> system-view
[Router] dialer-rule 1 ip permit
# Enable C-DCC.
# Configure the static route to the segment 65.0.0.0 where the network access
server is located.
To interoperate with the DMS 100, you must configure two commands: isdn
two-tei and isdn number-property 0. The isdn two-tei command allows each
call on the BRI interface to use a unique TEI. The isdn number-property 0
command sets the numbering plan and numbering type in the called-party
information element in ISDN Q.931 SETUP messages to unknown.
Troubleshooting
Symptom:
Two routers are interconnected via an ISDN PRI line and they cannot ping
each other.
Solution:
MSTP Overview
In the narrow sense, STP refers to the STP protocol defined in IEEE 802.1d; in the
broad sense, it refers to the STP protocol defined in IEEE 802.1d and various
enhanced spanning tree protocols derived from the STP protocol.
STP identifies the network topology by transmitting BPDUs between STP compliant
network devices. BPDUs contain sufficient information for the network devices to
complete the spanning tree computing.
■ Configuration BPDUs, used for calculating spanning trees and maintaining the
spanning tree topology.
■ Topology change notification (TCN) BPDUs, used for notifying concerned
devices of network topology changes, if any.
A tree network must have a root; hence the concept of “root bridge” has been
introduced in STP.
There is one and only one root bridge in the entire network, and the root bridge
can change along with changes of the network topology. Therefore, the root
bridge is not fixed.
Upon network convergence, the root bridge generates and sends out
configuration BPDUs at a certain interval, and other devices just forward the
BPDUs. This mechanism ensures topological stability.
2 Root port
On a non-root bridge device, the root port is the port nearest to the root bridge.
The root port is responsible for communicating with the root bridge. A
non-root-bridge device has one and only one root port. The root bridge has no
root port.
Refer to Table 10 for the description of designated bridge and designated port.
Figure 127 shows designated bridges and designated ports. In the figure, AP1 and
AP2, BP1 and BP2, and CP1 and CP2 are ports on Device A, Device B, and Device
C respectively.
■ If Device A forwards BPDUs to Device B through AP1, the designated bridge for
Device B is Device A, and the designated port is the port AP1 on Device A.
■ Two devices are connected to the LAN: Device B and Device C. If Device B
forwards BPDUs to the LAN, the designated bridge for the LAN is Device B, and
the designated port is the port BP2 on Device B.
(Figure 127 labels: Device A with ports AP1 and AP2; Device B with ports BP1 and BP2; Device C with ports CP1 and CP2; LAN)
4 Path cost
Path cost is a reference value used for link selection in STP. By calculating the path
cost, STP selects relatively “robust” links and blocks redundant links, and finally
prunes the network into a loop-free tree structure.
Note: For the convenience of description, the description and examples below involve
only four parts of a configuration BPDU:
■ Root bridge ID (in the form of device priority)
■ Root path cost
■ Designated bridge ID (in the form of device priority)
■ Designated port ID (in the form of port name)
1 Specific computing process of the STP algorithm
■ Initial state
Upon initialization of a device, each port generates a BPDU with itself as the root
bridge, in which the root path cost is 0, designated bridge ID is the device ID, and
the designated port is the local port.
Each device sends out its configuration BPDU and receives configuration BPDUs
from other devices.
Step Description
1 Upon receiving a configuration BPDU on a port, the device performs the
following processing:
■ If the received configuration BPDU has a lower priority than that of the
configuration BPDU generated by the port, the device will discard the
received configuration BPDU without doing any processing on the
configuration BPDU of this port.
■ If the received configuration BPDU has a higher priority than that of the
configuration BPDU generated by the port, the device will replace the
content of the configuration BPDU generated by the port with the
content of the received configuration BPDU.
2 The device compares the configuration BPDUs of all the ports and chooses
the optimum configuration BPDU.
The process of selecting the root port and designated ports is as follows:
Step Description
1 A non-root-bridge device regards the port through which it received the
optimum configuration BPDU as the root port.
2 Based on the configuration BPDU and the path cost of the root port, the device
calculates a designated port configuration BPDU for each of the other ports.
■ The root bridge ID is replaced with that of the configuration BPDU of the
root port.
■ The root path cost is replaced with that of the configuration BPDU of the
root port plus the path cost corresponding to the root port.
■ The designated bridge ID is replaced with the ID of this device.
■ The designated port ID is replaced with the ID of this port.
3 The device compares the calculated configuration BPDU with the configuration
BPDU on the port of which the port role is to be determined, and proceeds as
follows according to the comparison result:
■ If the calculated configuration BPDU is superior, the device will consider this
port as the designated port, and the configuration BPDU on the port will be
replaced with the calculated configuration BPDU, which will be sent out
periodically.
■ If the configuration BPDU on the port is superior, the device will block this
port without updating its configuration BPDU, so that the port will only
receive BPDUs, but not send any, and will not forward data.
Note: When the network topology is stable, only the root port and designated ports
forward traffic, while other ports are all in the blocked state - they only receive STP
packets but do not forward user traffic.
Once the root bridge, the root port on each non-root bridge and designated ports
have been successfully elected, the entire tree-shaped topology has been
constructed.
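The election steps above can be traced in code. The following Python model is an added example, not part of the 3Com manual: it uses the four BPDU fields listed above and the page's three-device example (priorities 0, 1 and 2; path costs 5, 10 and 4), and it assumes the usual field-by-field ordering in which the lower value is superior, with a port's own path cost added to the root path cost when a device chooses its root port. All class and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BPDU:
    """The four fields used on this page; tuple order means lower is superior."""
    root_id: int
    root_path_cost: int
    bridge_id: int
    port_id: str


class Device:
    def __init__(self, name, priority, port_costs):
        self.name, self.priority, self.cost = name, priority, dict(port_costs)
        # Initial state: each port advertises this device as root, cost 0.
        self.bpdu = {p: BPDU(priority, 0, priority, p) for p in port_costs}
        self.role = {p: "designated" for p in port_costs}

    def receive(self, port, rx):
        # Keep the received BPDU only if it is superior to the stored one.
        if rx < self.bpdu[port]:
            self.bpdu[port] = rx

    def recompute(self):
        # Ports holding a BPDU from another bridge are root-port candidates.
        heard = [p for p, b in self.bpdu.items() if b.bridge_id != self.priority]
        if not heard:  # nothing superior was heard: this device is the root bridge
            self.role = {p: "designated" for p in self.bpdu}
            return

        def via(p):  # cost to the root through p includes p's own path cost
            b = self.bpdu[p]
            return (b.root_id, b.root_path_cost + self.cost[p], b.bridge_id, b.port_id)

        root = min(heard, key=via)
        best = self.bpdu[root]
        self.role[root] = "root"
        for p in self.bpdu:
            if p == root:
                continue
            calc = BPDU(best.root_id, best.root_path_cost + self.cost[root],
                        self.priority, p)
            stored = self.bpdu[p]
            if stored.bridge_id == self.priority or calc < stored:
                self.bpdu[p], self.role[p] = calc, "designated"
            else:  # the neighbour's BPDU is superior: receive only
                self.role[p] = "blocked"


def run_round(devices, links):
    """Deliver one simultaneous exchange of BPDUs, then recompute port roles."""
    owner = {p: d for d in devices for p in d.bpdu}
    peer = {**{a: b for a, b in links}, **{b: a for a, b in links}}
    # Only ports holding the device's own BPDU transmit (initial or designated).
    in_flight = [(peer[p], d.bpdu[p]) for d in devices for p in d.bpdu
                 if d.bpdu[p].bridge_id == d.priority]
    for dst, bpdu in in_flight:
        owner[dst].receive(dst, bpdu)
    for d in devices:
        d.recompute()


def state(devices):
    return {p: (d.role[p], d.bpdu[p]) for d in devices for p in d.bpdu}


def build_example():
    # Priorities and path costs as given for the page's worked example.
    a = Device("A", 0, {"AP1": 5, "AP2": 10})
    b = Device("B", 1, {"BP1": 5, "BP2": 4})
    c = Device("C", 2, {"CP1": 10, "CP2": 4})
    return [a, b, c], [("AP1", "BP1"), ("AP2", "CP1"), ("BP2", "CP2")]


def converge(devices, links, max_rounds=10):
    for _ in range(max_rounds):
        before = state(devices)
        run_round(devices, links)
        if state(devices) == before:
            break
    return state(devices)


if __name__ == "__main__":
    devs, links = build_example()
    for port, (role, bpdu) in sorted(converge(devs, links).items()):
        print(port, role, bpdu)
```

After the first exchange BP2 holds {0, 5, 1, BP2} and CP2 holds {0, 10, 2, CP2}. Once Device C hears {0, 5, 1, BP2} on CP2, the cost through CP2 (5 + 4 = 9) is lower than through CP1 (10), so CP2 becomes the root port and CP1 is blocked.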
The following is an example of how the STP algorithm works. The specific network
diagram is shown in Figure 128. In the figure, the priority of Device A is 0, the
priority of Device B is 1, the priority of Device C is 2, and the path costs of these
links are 5, 10 and 4 respectively.
(Figure 128 labels: Device A with priority 0, ports AP1 and AP2; Device B with priority 1, ports BP1 and BP2; Device C with priority 2, ports CP1 and CP2; link path costs 5, 10 and 4)
The following table shows the comparison process and result on each device.
Device A
BPDU of port after comparison: AP1: {0, 0, 0, AP1}; AP2: {0, 0, 0, AP2}
Comparison process:
■ Port AP1 receives the configuration BPDU of Device B {1, 0, 1, BP1}. Device A
finds that the configuration BPDU of the local port {0, 0, 0, AP1} is superior to
the received configuration message, and discards the received configuration
BPDU.
■ Port AP2 receives the configuration BPDU of Device C {2, 0, 2, CP1}. Device A
finds that the BPDU of the local port {0, 0, 0, AP2} is superior to the received
configuration BPDU, and discards the received configuration BPDU.
■ Device A finds that both the root bridge and designated bridge in the
configuration BPDUs of all its ports are Device A itself, so it assumes itself to
be the root bridge. In this case, it does not make any change to the
configuration BPDU of each port, and starts sending out configuration BPDUs
periodically.
Device B
BPDU of port after comparison: BP1: {0, 0, 0, AP1}; BP2: {1, 0, 1, BP2}
Comparison process:
■ Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B
finds that the received configuration BPDU is superior to the configuration BPDU
of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1.
■ Port BP2 receives the configuration BPDU of Device C {2, 0, 2, CP2}. Device B
finds that the configuration BPDU of the local port {1, 0, 1, BP2} is superior to
the received configuration BPDU, and discards the received configuration BPDU.
BPDU of port after comparison: Root port BP1: {0, 0, 0, AP1}; Designated port BP2: {0, 5, 1, BP2}
Comparison process:
■ Device B compares the configuration BPDUs of all its ports, and determines that
the configuration BPDU of BP1 is the optimum configuration BPDU. Then, it uses
BP1 as the root port, the configuration BPDUs of which will not be changed.
■ Based on the configuration BPDU of BP1 and the path cost of the root port (5),
Device B calculates a designated port configuration BPDU for BP2 {0, 5, 1, BP2}.
■ Device B compares the computed configuration BPDU {0, 5, 1, BP2} with the
configuration BPDU of BP2. If the computed BPDU is superior, BP2 will act as the
designated port, and the configuration BPDU on this port will be replaced with
the computed configuration BPDU, which will be sent out periodically.
Device C
BPDU of port after comparison: CP1: {0, 0, 0, AP2}; CP2: {1, 0, 1, BP2}
Comparison process:
■ Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C
finds that the received configuration BPDU is superior to the configuration BPDU
of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1.
■ Port CP2 receives the configuration BPDU of port BP2 of Device B {1, 0, 1, BP2}
before the message was updated. Device C finds that the received configuration
BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP2}, and
updates the configuration BPDU of CP2.
BPDU of port after comparison: Root port CP1: {0, 0, 0, AP2}; Designated port CP2: {0, 10, 2, CP2}
Comparison process:
By comparison:
■ The configuration BPDUs of CP1 is elected as the optimum configuration BPDU, so
CP1 is identified as the root port, the configuration BPDUs of which will not be
changed.
■ Device C compares the computed designated port configuration BPDU
{0, 10, 2, CP2} with the configuration BPDU of CP2, and CP2 becomes the
designated port, and the configuration BPDU of this port will be replaced with
the computed configuration BPDU.
BPDU of port after comparison: CP1: {0, 0, 0, AP2}; CP2: {0, 5, 1, BP2}
Comparison process:
■ Next, port CP2 receives the updated configuration BPDU of Device B
{0, 5, 1, BP2}. Because the received configuration BPDU is superior to its old
one, Device C launches a BPDU update process.
■ At the same time, port CP1 receives configuration BPDUs
periodically from Device A. Device C does not launch an
update process after comparison.
By comparison: Blocked port
CP2:
■ Because the root path cost of CP2 (9) (root path cost of
the BPDU (5) + path cost corresponding to CP2 (4)) is {0, 0, 0, AP2}
smaller than the root path cost of CP1 (10) (root path cost
Root port CP2:
of the BPDU (0) + path cost corresponding to CP2 (10)),
the BPDU of CP2 is elected as the optimum BPDU, and {0, 5, 1, BP2}
CP2 is elected as the root port, the messages of which will
not be changed.
■ After comparison between the configuration BPDU of CP1
and the computed designated port configuration BPDU,
port CP1 is blocked, with the configuration BPDU of the
port remaining unchanged, and the port will not receive
data from Device A until a spanning tree computing
process is triggered by a new condition, for example, the
link from Device B to Device C becomes down.
After the comparison processes described in the table above, a spanning tree with
Device A as the root bridge is stabilized, as shown in Figure 129.
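[Figure 129: the final calculated spanning tree. Device A (priority 0) with ports AP1 and AP2, Device B (priority 1) with ports BP1 and BP2, Device C (priority 2) with port CP2; the link between BP2 and CP2 has path cost 4.]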
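The election walked through in the table above can be replayed in code. This is an added example, not part of the 3Com documentation: the `elect` function and its synchronous-round model are assumptions of the example, the BPDU tuple is the page's {root ID, root path cost, designated bridge ID, designated port ID}, and the link costs (A-B 5, A-C 10, B-C 4) are taken from the table's arithmetic.

```python
# Constructed from the table above: bridge IDs are the device priorities,
# and each link is ((bridge, port), (bridge, port), path cost).
PRIORITY = {"A": 0, "B": 1, "C": 2}
LINKS = [
    (("A", "AP1"), ("B", "BP1"), 5),
    (("A", "AP2"), ("C", "CP1"), 10),
    (("B", "BP2"), ("C", "CP2"), 4),
]


def elect(priority, links, max_rounds=16):
    """Run rounds of BPDU exchange until the port roles stop changing.

    A BPDU is the tuple (root ID, root path cost, designated bridge ID,
    designated port ID). Lower values are superior, which is exactly how
    Python orders tuples. Returns (roles, root_path_cost, history), where
    history holds the role map after every round that changed something.
    """
    cost, peer, owner = {}, {}, {}
    for (b1, p1), (b2, p2), c in links:
        cost[p1] = cost[p2] = c
        peer[p1], peer[p2] = p2, p1
        owner[p1], owner[p2] = b1, b2
    received = dict.fromkeys(owner)  # last BPDU heard on each port, None at start
    roles, root_cost, history = {}, {}, []
    for _ in range(max_rounds):
        new_roles, outbox = {}, {}
        for bridge, bid in priority.items():
            ports = sorted(p for p in owner if owner[p] == bridge)
            # Candidate root paths: each received BPDU with the receiving
            # port's path cost added to its root path cost.
            candidates = [
                (received[p][0], received[p][1] + cost[p],
                 received[p][2], received[p][3], p)
                for p in ports if received[p] is not None
            ]
            best = min(candidates, default=None)
            if best is not None and best[0] < bid:
                root, rcost, root_port = best[0], best[1], best[4]
            else:  # nothing superior heard: this bridge believes it is the root
                root, rcost, root_port = bid, 0, None
            root_cost[bridge] = rcost
            for p in ports:
                computed = (root, rcost, bid, p)  # designated-port BPDU for p
                if p == root_port:
                    new_roles[p] = "root"
                elif received[p] is None or computed < received[p]:
                    new_roles[p] = "designated"
                    outbox[peer[p]] = computed  # only designated ports transmit
                else:
                    new_roles[p] = "blocked"
        received.update(outbox)
        if new_roles == roles:
            break
        roles = new_roles
        history.append(new_roles)
    return roles, root_cost, history


if __name__ == "__main__":
    final_roles, costs, rounds = elect(PRIORITY, LINKS)
    for step, snapshot in enumerate(rounds):
        print("round", step, snapshot)
    print("root path costs:", costs)
    # The re-computation the table mentions: the B-C link goes down.
    print("B-C link down:", elect(PRIORITY, LINKS[:2])[0])
```

The second round reproduces the table's intermediate state for Device C (CP1 as root port, CP2 as designated port) before the updated BPDU from BP2 moves the root port to CP2.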
3 STP timers
STP calculations need three important timing parameters: forward delay, hello
time, and max age.
■ Forward delay is the delay time for device state transition. A path failure will
cause re-calculation of the spanning tree, and the spanning tree structure will
STP does not support rapid state transition of ports. A newly elected root port or
designated port must wait twice the forward delay time before transitioning to the
forwarding state, even if it is a port on a point-to-point link or it is an edge port,
which directly connects to a user terminal rather than to another device or a
shared LAN segment.
The rapid spanning tree protocol (RSTP) is an optimized version of STP. RSTP allows
a newly elected root port or designated port to enter the forwarding state much
quicker under certain conditions than in STP. As a result, it takes a shorter time for
the network to reach the final topology stability.
NOTE:
■ In RSTP, a newly elected root port can enter the forwarding state rapidly if this
condition is met: The old root port on the device has stopped forwarding data
and the upstream designated port has started forwarding data.
■ In RSTP, a newly elected designated port can enter the forwarding state rapidly
if this condition is met: The designated port is an edge port or a port connected
with a point-to-point link. If the designated port is an edge port, it can enter
the forwarding state directly; if the designated port is connected with a
point-to-point link, it can enter the forwarding state immediately after the
device undergoes handshake with the downstream device and gets a response.
Although RSTP supports rapid network convergence, it has the same drawback as
STP does: All bridges within a LAN share the same spanning tree, so redundant
links cannot be blocked based on VLANs, and the packets of all VLANs are
forwarded along the same spanning tree.
2 Features of MSTP
The multiple spanning tree protocol (MSTP) overcomes the shortcomings of STP
and RSTP. In addition to support for rapid network convergence, it also allows data
flows of different VLANs to be forwarded along their own paths, thus providing a
better load sharing mechanism for redundant links. For description about VLANs,
refer to “VLAN Configuration” on page 487.
[Figure 130: four MST regions (A0, B0, C0 and D0) exchanging BPDUs and interconnected by the CST. Region A0: VLAN 1 mapped to instance 1, VLAN 2 mapped to instance 2, other VLANs mapped to the CIST. Region B0: VLAN 1 mapped to instance 1, VLAN 2 mapped to instance 2, other VLANs mapped to the CIST. Region C0: VLAN 1 mapped to instance 1, VLANs 2 and 3 mapped to instance 2, other VLANs mapped to the CIST. Region D0 (devices B, C and D): VLAN 1 mapped to instance 1 with B as regional root bridge, VLAN 2 mapped to instance 2 with C as regional root bridge, other VLANs mapped to the CIST.]
1 MST region
In area A0 in Figure 130, for example, all the devices have the same MST region
configuration:
Multiple MST regions can exist in a switched network. You can use an MSTP
command to group multiple devices to the same MST region.
3 IST
Internal spanning tree (IST) is a spanning tree that runs in an MST region.
ISTs in all MST regions and the common spanning tree (CST) jointly constitute the
common and internal spanning tree (CIST) of the entire network. An IST is a
section of the CIST in the given MST region.
In Figure 130, for example, the CIST has a section in each MST region, and this
section is the IST in the respective MST region.
4 CST
The CST is a single spanning tree that connects all MST regions in a switched
network. If you regard each MST region as a “device”, the CST is a spanning tree
calculated by these devices through STP or RSTP. For example, the red lines in
Figure 130 describe the CST.
5 CIST
Jointly constituted by ISTs and the CST, the CIST is a single spanning tree that
connects all devices in a switched network.
In Figure 130, for example, the ISTs in all MST regions plus the inter-region CST
constitute the CIST of the entire network.
6 MSTI
Multiple spanning trees can be generated in an MST region through MSTP, one
spanning tree being independent of another. Each spanning tree is referred to as a
multiple spanning tree instance (MSTI). In Figure 130, for example, multiple
spanning trees can exist in each MST region, each spanning tree corresponding to a
VLAN. These spanning trees are called MSTIs.
The root bridge of the IST or an MSTI within an MST region is the regional root
bridge of the MST or that MSTI. Based on the topology, different spanning trees in
an MST region may have different regional roots. For example, in region D0 in
Figure 130, the regional root of instance 1 is device B, while that of instance 2 is
device C.
The common root bridge is the root bridge of the CIST. In Figure 130, for example,
the common root bridge is a device in region A0.
9 Boundary port
During MSTP computing, a boundary port assumes the same role on the CIST and
on MST instances. Namely, if a boundary port is master port on the CIST, it is also
the master port on all MST instances within this region. In Figure 130, for example,
if a device in region A0 is interconnected with the first port of a device in region
D0 and the common root bridge of the entire switched network is located in
region A0, the first port of that device in region D0 is the boundary port of region
D0.
NOTE: Currently, the device is not capable of recognizing boundary ports. When the
device interworks with a third party’s device that supports boundary port
recognition, the third party’s device may malfunction in recognizing a boundary
port.
10 Roles of ports
In the MSTP computing process, port roles include root port, designated port,
master port, alternate port, backup port, and so on.
■ Root port: a port responsible for forwarding data to the root bridge.
■ Designated port: a port responsible for forwarding data to the downstream
network segment or device.
■ Master port: A port on the shortest path from the entire region to the common
root bridge, connecting the MST region to the common root bridge.
■ Alternate port: The standby port for the root port or master port. When the
root port or master port is blocked, the alternate port becomes the new root
port or master port.
■ Backup port: The backup port of designated ports. When a designated port is
blocked, the backup port becomes a new designated port and starts
forwarding data without delay. When a loop occurs while two ports of the
same MSTP device are interconnected, the device will block either of the two
ports, and the backup port is that port to be blocked.
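[Figure: port roles on devices B, C and D in an MST region, labelling the port connecting to the common root bridge, an edge port, a backup port and a designated port among Port 3, Port 4, Port 5 and Port 6.]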
■ Forwarding: the port learns MAC addresses and forwards user traffic;
■ Learning: the port learns MAC addresses but does not forward user traffic;
■ Discarding: the port neither learns MAC addresses nor forwards user traffic.
A port state is not exclusively associated with a port role. Table 15 lists the port
state(s) supported by each port role (“√” indicates that the port supports this
state, while “-” indicates that the port does not support this state).
Role \ State   Root port/Master port   Designated port   Alternate port   Backup port
Forwarding     √                       √                 -                -
Learning       √                       √                 -                -
Discarding     √                       √                 √                √
2 MSTI computing
Within an MST region, MSTP generates different MSTIs for different VLANs based
on the VLAN-to-instance mappings.
■ Within an MST region, the packet is forwarded along the corresponding MSTI.
■ Between two MST regions, the packet is forwarded along the CST.
Configuration Task List
Before configuration, you need to know the position of each device in each MST
instance: root bridge or leaf node. In each instance, one, and only one device
acts as the root bridge, while all others act as leaf nodes.
Task (Remarks)
“Configuring the Root Bridge” on page 459:
■ “Configuring an MST Region” on page 459 (Required)
■ “Specifying the Root Bridge or a Secondary Root Bridge” on page 460 (Optional)
■ “Configuring the Work Mode of MSTP Device” on page 462 (Optional)
■ “Configuring the Priority of the Current Device” on page 462 (Optional)
■ “Configuring the Maximum Hops of an MST Region” on page 463 (Optional)
■ “Configuring the Network Diameter of a Switched Network” on page 464 (Optional)
■ “Configuring Timers of MSTP” on page 464 (Optional)
■ “Configuring the Timeout Factor” on page 465 (Optional)
■ “Configuring the Maximum Transmission Rate of Ports” on page 466 (Optional)
■ “Configuring Ports as Edge Ports” on page 467 (Optional)
■ “Configuring Whether Ports Connect to Point-to-Point Links” on page 467 (Optional)
■ “Configuring the Mode a Port Uses to Recognize/Send MSTP Packets” on page 468 (Optional)
■ “Enabling the Output of Port State Transition Information” on page 469 (Optional)
■ “Enabling the MSTP Feature” on page 469 (Required)
“Configuring Leaf Nodes” on page 470:
■ “Configuring an MST Region” on page 470 (Required)
■ “Configuring the Work Mode of MSTP” on page 470 (Optional)
■ “Configuring the Timeout Factor” on page 470 (Optional)
■ “Configuring the Maximum Transmission Rate of Ports” on page 470 (Optional)
■ “Configuring Ports as Edge Ports” on page 470 (Optional)
■ “Configuring Path Costs of Ports” on page 470 (Optional)
■ “Configuring Port Priority” on page 473 (Optional)
■ “Configuring Whether Ports Connect to Point-to-Point Links” on page 473 (Optional)
■ “Configuring the Mode a Port Uses to Recognize/Send MSTP Packets” on page 473 (Optional)
■ “Enabling the MSTP Feature” on page 474 (Required)
“Performing mCheck” on page 474 (Optional)
“Configuring Digest Snooping” on page 475 (Optional)
“Configuring No Agreement Check” on page 477 (Optional)
“Configuring Protection Functions” on page 479 (Optional)
NOTE: If both GVRP and MSTP are enabled on a device at the same time, GVRP packets
will be forwarded along the CIST. Therefore, if both GVRP and MSTP are running
on the same device and you wish to advertise a certain VLAN within the network
through GVRP, make sure that this VLAN is mapped to the CIST (instance 0) when
configuring the VLAN-to-instance mapping table. For detailed information of
GVRP, refer to “GVRP Configuration” on page 271.
NOTE: Two devices belong to the same MST region only if they are configured to have the
same MST region name, the same VLAN-to-instance mapping entries in the MST
region and the same MST region revision level, and they are interconnected via a
physical link.
Configuration example
# Configure the MST region name to be “info”, the MSTP revision level to be 1,
and VLAN 2 through VLAN 10 to be mapped to instance 1 and VLAN 20 through
VLAN 30 to instance 2.
<Sysname> system-view
[Sysname] stp region-configuration
[Sysname-mst-region] region-name info
[Sysname-mst-region] instance 1 vlan 2 to 10
[Sysname-mst-region] instance 2 vlan 20 to 30
[Sysname-mst-region] revision-level 1
[Sysname-mst-region] active region-configuration
Specifying the Root Bridge or a Secondary Root Bridge
MSTP can determine the root bridge of a spanning tree through MSTP computing.
Alternatively, you can specify the current device as the root bridge using the
commands provided by the system.
Specifying the current device as the root bridge of a specific spanning tree
Follow these steps to specify the current device as the root bridge of a specific
spanning tree:
Note that:
■ Upon specifying the current device as the root bridge or a secondary root
bridge, you cannot change the priority of the device.
■ You can configure the current device as the root bridge or a secondary root
bridge of an MST instance, which is specified by instance instance-id in the
command. If you set instance-id to 0, the current device will be the root bridge
or a secondary root bridge of the CIST.
■ The current device has independent roles in different instances. It can act as the
root bridge or a secondary root bridge of one instance while it can also act as
the root bridge or a secondary root bridge of another instance. However, the
same device cannot be the root bridge and a secondary root bridge in the same
instance at the same time.
■ There is one and only one root bridge in effect in a spanning tree instance. If
two or more devices have been designated to be root bridges of the same
spanning tree instance, MSTP will select the device with the lowest MAC
address as the root bridge.
■ You can specify multiple secondary root bridges for the same instance. Namely,
you can specify secondary root bridges for the same instance on two or more
devices.
■ When the root bridge of an instance fails or is shut down, the secondary root
bridge (if you have specified one) can take over the role of the instance.
However, if you specify a new root bridge for the instance at this time, the
secondary root bridge will not become the root bridge. If you have specified
multiple secondary root bridges for an instance, when the root bridge fails,
MSTP will select the secondary root bridge with the lowest MAC address as the
new root bridge.
■ Alternatively, you can also specify the current device as the root bridge by
setting the priority of the device to 0. For the device priority configuration, refer
to “Configuring the Priority of the Current Device” on page 462.
Configuration example
# Specify the current device as the root bridge of MST instance 1 and a secondary
root bridge of MST instance 2.
<Sysname> system-view
[Sysname] stp instance 1 root primary
[Sysname] stp instance 2 root secondary
Configuring the Work Mode of MSTP Device
MSTP and RSTP can recognize each other’s protocol packets, so they are mutually
compatible. However, STP is unable to recognize MSTP packets. For hybrid
networking with legacy STP devices and full interoperability with RSTP-compliant
devices, MSTP supports three work modes: STP-compatible mode, RSTP mode,
and MSTP mode.
■ In STP-compatible mode, all ports of the device send out STP BPDUs.
■ In RSTP mode, all ports of the device send out RSTP BPDUs. If the device
detects that it is connected with a legacy STP device, the port connecting with
the legacy STP device will automatically migrate to STP-compatible mode.
■ In MSTP mode, all ports of the device send out MSTP BPDUs. If the device
detects that it is connected with a legacy STP device, the port connecting with
the legacy STP device will automatically migrate to STP-compatible mode.
Configuration procedure
Follow these steps to configure the MSTP work mode:
Configuration example
# Configure MSTP to work in STP-compatible mode.
<Sysname> system-view
[Sysname] stp mode stp
Configuring the Priority of the Current Device
The priority of a device determines whether it can be elected as the root bridge of
a spanning tree. A lower value indicates a higher priority. By setting the priority of
a device to a low value, you can specify the device as the root bridge of a spanning
tree. An MSTP-compliant device can have different priorities in different MST
instances.
Configuration procedure
Follow these steps to configure the priority of the current device:
CAUTION:
■ Upon specifying the current device as the root bridge or a secondary root
bridge, you cannot change the priority of the device.
■ During root bridge selection, if all devices in a spanning tree have the same
priority, the one with the lowest MAC address will be selected as the root
bridge of the spanning tree.
Configuration example
# Set the device priority in MST instance 1 to 4096.
<Sysname> system-view
[Sysname] stp instance 1 priority 4096
Configuring the Maximum Hops of an MST Region
By setting the maximum hops of an MST region, you can restrict the region size.
The maximum hops setting configured on the regional root bridge will be used as
the maximum hops of the MST region.
After a configuration BPDU leaves the root bridge of the spanning tree in the MST
region, its hop count is decremented by 1 whenever it passes a device. When its
hop count reaches 0, it will be discarded by the device that has received it. As a
result, devices beyond the maximum hops are unable to take part in spanning tree
computing, and thereby the size of the MST region is restricted.
When a device becomes the root bridge of the CIST or MSTI of an MST region, the
maximum hop in the configuration BPDUs generated by this device defines the
network diameter of the spanning tree to define how far the spanning tree can
reach in this MST region. All the devices other than the root bridge in the MST
region use the maximum hop value set for the root bridge.
Configuration procedure
Follow these steps to configure the maximum hops of the MST region:
NOTE: A larger maximum hops setting means a larger size of the MST region. Only the
maximum hops configured on the regional root bridge can restrict the size of the
MST region.
Configuration example
# Set the maximum hops of the MST region to 30.
<Sysname> system-view
[Sysname] stp max-hops 30
Configuring the Network Diameter of a Switched Network
Any two stations in a switched network are interconnected through specific paths,
which are composed of a series of devices. Represented by the number of devices
on a path, the network diameter is the path that comprises more devices than any
other among these paths.
Configuration procedure
Follow these steps to configure the network diameter of the switched network:
Configuration example
# Set the network diameter of the switched network to 6.
<Sysname> system-view
[Sysname] stp bridge-diameter 6
Configuring Timers of MSTP
MSTP involves three timers: forward delay, hello time and max age. You can
configure these three parameters for MSTP to calculate spanning trees.
Configuration procedure
Follow these steps to configure the timers of MSTP:
These three timers set on the root bridge of the CIST apply on all the devices on
the entire switched network.
CAUTION:
■ The length of the forward delay time is related to the network diameter of the
switched network. Typically, the larger the network diameter is, the longer the
forward delay time should be. Note that if the forward delay setting is too
small, temporary redundant paths may be introduced; if the forward delay
setting is too big, it may take a long time for the network to resume
connectivity. We recommend that you use the default setting.
■ An appropriate hello time setting enables the device to timely detect link
failures on the network without using excessive network resources. If the hello
time is set too long, the device will take packet loss on a link for link failure and
trigger a new spanning tree computing process; if the hello time is set too
short, the device will send repeated configuration BPDUs frequently, which
adds to the device burden and causes waste of network resources. We
recommend that you use the default setting.
■ If the max age time setting is too small, the network devices will frequently
launch spanning tree computing and may take network congestion for a link
failure; if the max age setting is too large, the network may fail to timely detect
link failures and fail to timely launch spanning tree computing, thus reducing
the auto-sensing capability of the network. We recommend that you use the
default setting.
The setting of hello time, forward delay and max age must meet the following
formulae; otherwise network instability will frequently occur.
Configuration example
# Set the forward delay to 1,600 centiseconds, hello time to 300 centiseconds,
and max age to 2,100 centiseconds.
<Sysname> system-view
[Sysname] stp timer forward-delay 1600
[Sysname] stp timer hello 300
[Sysname] stp timer max-age 2100
Configuring the Timeout Factor
After the network topology is stabilized, each non-root-bridge device forwards
configuration BPDUs to the surrounding devices at the interval of hello time to
check whether any link is faulty. Typically, if a device does not receive a BPDU from
the upstream device within nine times the hello time, it will assume that the
upstream device has failed and start a new spanning tree computing process.
In a very stable network, this kind of spanning tree computing may occur because
the upstream device is busy. In this case, you can avoid such unwanted spanning
tree computing by lengthening the timeout time.
Configuration procedure
Follow these steps to configure the timeout factor:
Configuration example
# Set the timeout factor to 6.
<Sysname> system-view
[Sysname] stp timer-factor 6
Configuring the Maximum Transmission Rate of Ports
The maximum transmission rate of a port refers to the maximum number of MSTP
packets that the port can send within each hello time.
The maximum transmission rate of an Ethernet port is related to the physical
status of the port and the network structure.
Configuration procedure
Follow these steps to configure the maximum transmission rate of a port or a
group of ports:
NOTE:
■ If the maximum transmission rate setting of a port is too big, the port will send
a large number of MSTP packets within each hello time, thus using excessive
network resources. We recommend that you use the default setting.
■ Refer to “Aggregation Port Group” on page 349 for information about port
groups.
Configuration example
# Set the maximum transmission rate of port Ethernet 1/0 to 5.
<Sysname> system-view
[Sysname] interface ethernet 1/0
[Sysname-Ethernet1/0] stp transmit-limit 5
Configuring Ports as Edge Ports
If a port directly connects to a user terminal rather than another device or a shared
LAN segment, this port is regarded as an edge port. When a network topology
change occurs, an edge port will not cause a temporary loop. Therefore, if you
specify a port as an edge port, this port can transition rapidly from the blocked
state to the forwarding state without delay.
Configuration procedure
Follow these steps to specify a port or a group of ports as edge port(s):
NOTE:
■ With BPDU guard disabled, when a port set as an edge port receives a BPDU
from another port, it will become a non-edge port again. In this case, you must
reset the port before you can configure it to be an edge port again.
■ If a port directly connects to a user terminal, configure it to be an edge port
and enable BPDU guard for it. This enables the port to transition to the
forwarding state while ensuring network security.
Configuration example
# Configure Ethernet1/0 to be an edge port.
<Sysname> system-view
[Sysname] interface ethernet 1/0
[Sysname-Ethernet1/0] stp edged-port enable
Configuring Whether Ports Connect to Point-to-Point Links
A point-to-point link is a link directly connecting two devices. If the two ports
across a point-to-point link are root ports or designated ports, the ports can
rapidly transition to the forwarding state after a proposal-agreement handshake
process.
Configuration procedure
Follow these steps to configure whether a port or a group of ports connect to
point-to-point links:
Configuration example
# Configure port Ethernet 1/0 as connecting to a point-to-point link.
<Sysname> system-view
[Sysname] interface ethernet 1/0
[Sysname-Ethernet1/0] stp point-to-point force-true
Configuring the Mode a Port Uses to Recognize/Send MSTP Packets
A port can send/recognize MSTP packets that are of the following two formats:
■ 802.1s-compliant standard format
■ Compatible format
By default, the packet format recognition mode of a port is auto, namely the port
automatically distinguishes the two MSTP packet formats, and determines the
format of packets it will send based on the recognized format. You can configure
the MSTP packet format to be used by a port. After the configuration, when
working in MSTP mode, the port sends and receives only MSTP packets of the
format you have configured to communicate with devices that send the same
format of packets.
Configuration procedure
Follow these steps to configure the mode a port uses to recognize/send MSTP
packets:
Configuration example
# Configure Ethernet 1/0 to receive and send only standard-format MSTP packets.
<Sysname> system-view
[Sysname] interface ethernet 1/0
[Sysname-Ethernet1/0] stp compliance dot1s
Enabling the Output of Port State Transition Information
In a large-scale, MSTP-enabled network, there are a large number of MSTP
instances, so ports may frequently transition from one state to another. In this
situation, you can enable the device to output the port state transition information
of all STP instances or the specified STP instance so as to monitor the port states in
real time.
NOTE:
■ You must enable MSTP for the device before any other MSTP-related
configuration can take effect.
■ To control MSTP flexibly, you can use the stp disable or undo stp command
to disable the MSTP feature for certain ports so that they will not take part in
spanning tree computing and thus to save the device’s CPU resources.
Configuration example
# Enable MSTP for the device and disable MSTP for port Ethernet 1/0.
<Sysname> system-view
[Sysname] stp enable
[Sysname] interface ethernet 1/0
[Sysname-Ethernet1/0] stp disable
Configuring Leaf Nodes
Configuring the Work Mode of MSTP
Refer to “Configuring the Work Mode of MSTP Device” on page 462.
Configuring the Maximum Transmission Rate of Ports
Refer to “Configuring the Maximum Transmission Rate of Ports” on page 466.
Configuring Path Costs of Ports
Path cost is a parameter related to the rate of port-connected links. On an
MSTP-compliant device, ports can have different priorities in different MST
The device can automatically calculate the default path cost; alternatively, you can
also configure the path cost for ports.
Specifying a standard that the device uses when calculating the default
path cost
You can specify a standard for the device to use in automatic calculation for the
default path cost. The device supports the following standards:
■ dot1d-1998: The device calculates the default path cost for ports based on
IEEE 802.1D-1998.
■ dot1t: The device calculates the default path cost for ports based on IEEE
802.1t.
■ legacy: The device calculates the default path cost for ports based on a private
standard.
Follow these steps to specify a standard for the device to use when calculating the
default path cost:
NOTE: In the calculation of the path cost value of an aggregated link, 802.1D-1998 does
not take into account the number of ports in the aggregated link. Whereas,
802.1T takes the number of ports in the aggregated link into account. The
calculation formula is: Path Cost = 200,000,000/link speed (in 100 kbps), where
link speed is the sum of the link speed values of the non-blocked ports in the
aggregated link.
CAUTION:
■ If you change the standard that the device uses in calculating the default path
cost, the port path cost value set through the stp cost command will be out of
effect.
■ When the path cost of a port is changed, MSTP will re-compute the role of the
port and initiate a state transition. If you use 0 as instance-id, you are setting
the path cost of the CIST.
Configuring Port Priority
The priority of a port is an important basis that determines whether the port can be
elected as the root port of a device. If all other conditions are the same, the port
with the highest priority will be elected as the root port.
Configuration procedure
Follow these steps to configure the priority of a port or a group of ports:
NOTE:
■ When the priority of a port is changed, MSTP will re-compute the role of the
port and initiate a state transition.
■ Generally, a lower configured priority value indicates a higher priority of the
port. If you configure the same priority value for all the Ethernet ports on a
device, the specific priority of a port depends on the index number of that port.
Changing the priority of an Ethernet port triggers a new spanning tree
computing process.
Configuration example
# Set the priority of port Ethernet 1/0 to 16 in MST instance 1.
<Sysname> system-view
[Sysname] interface ethernet 1/0
[Sysname-Ethernet1/0] stp instance 1 port priority 16
Configuring Whether Ports Connect to Point-to-Point Links
Refer to “Configuring Whether Ports Connect to Point-to-Point Links” on page
467.
Configuring the Mode a Port Uses to Recognize/Send MSTP Packets
Refer to “Configuring the Mode a Port Uses to Recognize/Send MSTP Packets” on
page 468.
Enabling Output of Port State Transition Information
Refer to “Enabling the Output of Port State Transition Information” on page 469.
Enabling the MSTP Feature
Refer to “Enabling the MSTP Feature” on page 469.
Performing mCheck
Ports on an MSTP-compliant device have three working modes: STP compatible
mode, RSTP mode, and MSTP mode.
In a switched network, if a port on the device running MSTP (or RSTP) connects to
a device running STP, this port will automatically migrate to the STP-compatible
mode. However, if the device running STP is removed, this port will not be able to
migrate automatically to the MSTP (or RSTP) mode, but will remain working in the
STP-compatible mode. In this case, you can perform an mCheck operation to force
the port to migrate to the MSTP (or RSTP) mode.
You can perform mCheck on a port through two approaches, which lead to the
same result.
CAUTION: The stp mcheck command is meaningful only when the device works
in the MSTP (or RSTP) mode, not in the STP-compatible mode.
<Sysname> system-view
[Sysname] stp mcheck
<Sysname> system-view
[Sysname] interface ethernet 1/0
[Sysname-Ethernet1/0] stp mcheck
Configuring Digest Snooping
As defined in IEEE 802.1s, interconnected devices are in the same region only
when the region-related configuration (domain name, revision level,
VLAN-to-instance mappings) on them is identical. An MSTP-enabled device
identifies devices in the same MST region by checking the configuration ID in
BPDU packets. The configuration ID includes the region name, the revision level,
and the configuration digest, which is 16 bytes long and is computed with the
HMAC-MD5 algorithm from the VLAN-to-instance mappings.
Enabling the Digest Snooping feature on the associated port can make a device
communicate with another vendor’s device in the same MST region.
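The region check described above, as an added example that is not part of the original manual: it computes the configuration digest from VLAN-to-instance mappings and shows what the check accepts once Digest Snooping stops comparing digests. The key is the fixed one the IEEE standard defines; the private key, the two peers and all function names are constructed for illustration, and the mapping is the one used in this page's region configuration example.

```python
import hmac

# Fixed signature key that the IEEE standard defines for the configuration digest.
STANDARD_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mapping_table(instance_vlans):
    """Serialise VLAN-to-instance mappings as the 4096 x 2-byte table that is hashed.

    instance_vlans maps an MST instance ID to the VLAN IDs assigned to it.
    VLANs not listed stay in instance 0 (the CIST); slots 0 and 4095 stay 0.
    """
    table = [0] * 4096
    for instance, vlans in instance_vlans.items():
        for vid in vlans:
            if not 1 <= vid <= 4094:
                raise ValueError(f"VLAN ID {vid} is outside 1-4094")
            if table[vid] not in (0, instance):
                raise ValueError(f"VLAN {vid} is mapped to two instances")
            table[vid] = instance
    return b"".join(entry.to_bytes(2, "big") for entry in table)


def config_digest(instance_vlans, key=STANDARD_KEY):
    """16-byte HMAC-MD5 digest of the mapping table."""
    return hmac.new(key, mapping_table(instance_vlans), "md5").digest()


def config_id(region_name, revision_level, instance_vlans, key=STANDARD_KEY):
    """The three values compared in the in-the-same-region check."""
    name = region_name.encode("ascii")
    if len(name) > 32:
        raise ValueError("region name is limited to 32 bytes")
    return {
        "name": name.ljust(32, b"\x00"),
        "revision": revision_level,
        "digest": config_digest(instance_vlans, key),
    }


def same_region(local, peer, digest_snooping=False):
    """Region check; with Digest Snooping the digest is not compared."""
    if (local["name"], local["revision"]) != (peer["name"], peer["revision"]):
        return False
    return digest_snooping or local["digest"] == peer["digest"]


# Region settings from this page's configuration example.
PAGE_MAPPING = {1: [10], 3: [30], 4: [40]}
DEVICE_A = config_id("example", 0, PAGE_MAPPING)

# Constructed peers: a private key stands in for the other vendor's algorithm.
PRIVATE_KEY = bytes(range(16))
PEER_SAME_MAP = config_id("example", 0, PAGE_MAPPING, PRIVATE_KEY)
PEER_WRONG_MAP = config_id("example", 0, {1: [10], 3: [31], 4: [40]}, PRIVATE_KEY)


def report():
    """(peer label, accepted with digest check, accepted with Digest Snooping)."""
    peers = (("same mappings", PEER_SAME_MAP),
             ("VLAN 31 instead of 30", PEER_WRONG_MAP))
    return [(label,
             same_region(DEVICE_A, peer),
             same_region(DEVICE_A, peer, digest_snooping=True))
            for label, peer in peers]


if __name__ == "__main__":
    print("digest on Device A:", DEVICE_A["digest"].hex())
    for label, strict, snooping in report():
        print(f"peer with {label}: digest check={strict}, digest snooping={snooping}")
```

With snooping on, the peer whose mappings differ is accepted exactly like the correctly configured one, which is why the mappings have to be verified by hand on both ends.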
Configuration Prerequisites
Associated devices of different vendors are interconnected and run MSTP.
CAUTION:
■ You can only enable the Digest Snooping feature on the device connected to
another vendor’s device that uses a private key to compute the configuration
digest.
■ With the Digest Snooping feature enabled, comparison of the configuration
digest is not needed for the in-the-same-region check, so the VLAN-to-instance
mappings must be the same on associated ports.
Network diagram
[Figure: Device A and Device B, with ports Eth 1/0 and Eth 1/1; legend: root
port, designated port, blocked port]
Configuration procedure
1 Enable Digest Snooping on Device A.
<DeviceA> system-view
[DeviceA] interface ethernet 1/0
[DeviceA-Ethernet1/0] stp config-digest-snooping
[DeviceA-Ethernet1/0] quit
[DeviceA] stp config-digest-snooping
2 Enable Digest Snooping on Device B (the same as above, omitted).
Configuring No Agreement Check
Two types of packet are used for rapid state transition on designated RSTP and
MSTP ports:
■ Proposal: Packets sent by designated ports to request rapid transition
■ Agreement: Packets used to acknowledge rapid transition requests
Both RSTP and MSTP devices can perform rapid transition operation on a
designated port only when the port receives an agreement packet from the
downstream device. The differences between RSTP and MSTP devices are:
■ For MSTP, the downstream device’s root port sends an agreement packet only
after it receives an agreement packet from the upstream device.
■ For RSTP, the downstream device sends an agreement packet regardless of
whether an agreement packet from the upstream device is received.
Figure 133 and Figure 134 show the rapid state transition mechanism on MSTP
and RSTP designated ports.
Figure 133 Rapid state transition mechanism on the MSTP designated port
Figure 134 Rapid state transition mechanism on the RSTP designated port
If the upstream device comes from another vendor, the rapid state transition
implementation may be limited. For example, when the upstream device adopts
RSTP and the downstream device adopts MSTP and does not support RSTP mode, the
root port on the downstream device receives no agreement packet from the
upstream device and thus sends no agreement packets to the upstream device. As
a result, the designated port of the upstream device fails to transition rapidly
and can only change to the Forwarding state after a period twice the Forward Delay.
In this case, you can enable the No Agreement Check feature on the downstream
device’s port to perform rapid state transition.
Prerequisites
■ A device is the upstream one that is connected to another vendor’s MSTP
supported device via a point-to-point link.
■ Configure the same region name, revision level and VLAN-to-instance
mappings on the two devices, so that they are in the same region.
Note: The No Agreement Check feature can only take effect on the root port or
Alternate port after it is enabled.
Network diagram
[Figure: a third-party device (Eth 1/1) and Device A (Eth 1/0); port roles
shown: root port, designated port]
Configuration procedure
# Enable No Agreement Check on Ethernet 1/0 of Device A.
<DeviceA> system-view
[DeviceA] interface ethernet 1/0
[DeviceA-Ethernet1/0] stp no-agreement-check
Note: Among loop guard, root guard and edge port setting, only one function can
take effect on the same port at the same time.
For access layer devices, the access ports generally connect directly with user
terminals (such as PCs) or file servers. In this case, the access ports are configured
as edge ports to allow rapid transition of these ports. When these ports receive
configuration BPDUs, the system will automatically set these ports as non-edge
ports and start a new spanning tree computing process. This will cause network
topology instability. Under normal conditions, these ports should not receive
configuration BPDUs. However, if someone forges configuration BPDUs
maliciously to attack the devices, network instability will occur.
MSTP provides the BPDU guard function to protect the system against such
attacks. With the BPDU guard function enabled on the devices, when edge ports
receive configuration BPDUs, MSTP will close these ports and notify the NMS that
these ports have been closed by MSTP. Ports closed in this way can be restored
only by the network administrator.
The root bridge and secondary root bridge of a spanning tree should be located in
the same MST region. Especially for the CIST, the root bridge and secondary root
bridge are generally put in a high-bandwidth core region during network design.
However, due to possible configuration errors or malicious attacks in the network,
the legal root bridge may receive a configuration BPDU with a higher priority. In
this case, the current legal root bridge will be superseded by another device,
causing an undesired change of the network topology. As a result of this kind of
illegal topology change, the traffic that should go over high-speed links is drawn
to low-speed links, resulting in network congestion.
To prevent this situation from happening, MSTP provides the root guard function
to protect the root bridge. If the root guard function is enabled on a port, this port
will keep playing the role of designated port on all MST instances. Once this port
receives a configuration BPDU with a higher priority from an MST instance, it
immediately sets that instance port to the listening state, without forwarding the
packet (this is equivalent to disconnecting the link connected with this port). If the
port receives no BPDUs with a higher priority within twice the forwarding delay,
the port will revert to its original state.
By continuing to receive BPDUs from the upstream device, a device can maintain the
state of the root port and other blocked ports. However, due to link congestion or
unidirectional link failures, these ports may fail to receive BPDUs from the
upstream device. In this case, the downstream device will reselect the port roles:
those ports that failed to receive upstream BPDUs will become designated ports and
the blocked ports will transition to the forwarding state, resulting in loops in the
switched network. The loop guard function can suppress the occurrence of such
loops.
If a loop guard-enabled port fails to receive BPDUs from the upstream device, and
if the port took part in STP computing, all the instances on the port, no matter
what roles they play, will be set to, and stay in, the Discarding state.
Enabling TC-BPDU Attack Guard
When receiving a TC-BPDU (a PDU used as notification of topology change), the
device will delete the corresponding forwarding address entry. If someone forges
TC-BPDUs to attack the device, the device will receive a large number of
TC-BPDUs within a short time, and frequent deletion operations bring a big
burden to the device and endanger network stability.
With the TC-BPDU guard function enabled, the device limits the number of times
it immediately deletes forwarding address entries within 10 seconds after it
receives TC-BPDUs to the value set with the stp tc-protection
threshold command (assume the value is X). At the same time, the system
monitors whether the number of TC-BPDUs received within that period of time is
larger than X. If so, the device will perform another deletion operation after that
period of time elapses. This prevents frequent deletion of forwarding address
entries.
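An added simulation of the rule above (not 3Com code) that shows how many deletions a burst of TC-BPDUs causes with the guard on, and which windows exceed X. It assumes X = 6 and that a 10-second window opens at the first TC-BPDU received while no window is open; arrival times and function names are constructed.

```python
def tc_guard_windows(tc_times_ms, threshold, window_ms=10_000):
    """Apply the TC-BPDU guard rule to a list of TC-BPDU arrival times (ms).

    Returns one record per window: when it opened, how many TC-BPDUs arrived
    in it, when forwarding address entries were deleted, and whether more
    than `threshold` (X) TC-BPDUs were seen.
    Assumption: a window opens at the first TC-BPDU received while none is open.
    """
    times = sorted(tc_times_ms)
    windows = []
    i = 0
    while i < len(times):
        start = times[i]
        end = start + window_ms
        received = [t for t in times[i:] if t < end]
        # At most X immediate deletions inside the window.
        deletions = received[:threshold]
        over_limit = len(received) > threshold
        if over_limit:
            # One more deletion once the window has elapsed.
            deletions.append(end)
        windows.append({
            "start": start,
            "received": len(received),
            "deletions": deletions,
            "over_limit": over_limit,
        })
        i += len(received)
    return windows


def deletion_times(windows):
    """All times at which forwarding address entries are deleted."""
    return [t for w in windows for t in w["deletions"]]


def suspected_floods(windows):
    """Windows in which more than X TC-BPDUs arrived: (start, count)."""
    return [(w["start"], w["received"]) for w in windows if w["over_limit"]]


# Constructed arrival times in milliseconds.
NORMAL_CHANGE = [1_000, 1_200]                 # an ordinary topology change
FLOOD = list(range(60_000, 65_000, 100))       # 50 TC-BPDUs within 5 seconds
ARRIVALS = NORMAL_CHANGE + FLOOD
X = 6                                          # constructed threshold value

if __name__ == "__main__":
    result = tc_guard_windows(ARRIVALS, X)
    print("TC-BPDUs received:", len(ARRIVALS))
    print("deletions with guard:", len(deletion_times(result)))
    print("windows over the threshold:", suspected_floods(result))
```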
Displaying and Maintaining MSTP
To do...                                                           Use the command...         Remarks
View the information about the ports that are blocked abnormally   display stp abnormal-port  Available in any view
View the information about the port blocked by STP                 display stp down-port      Available in any view
Network diagram
[Figure: Device A and Device B with links labelled “Permit: all VLANs”,
“Permit: VLANs 10, 20” and “Permit: VLANs 20, 30”]
Note: “Permit:” beside each link in the figure is followed by the VLANs the
packets of which are permitted to pass this link.
Configuration procedure
1 Configuration on Device A
<DeviceA> system-view
[DeviceA] stp region-configuration
[DeviceA-mst-region] region-name example
[DeviceA-mst-region] instance 1 vlan 10
[DeviceA-mst-region] instance 3 vlan 30
[DeviceA-mst-region] instance 4 vlan 40
[DeviceA-mst-region] revision-level 0
# Configure the region name, VLAN-to-instance mappings and revision level of the
MST region.
# View the MST region configuration information that has taken effect.
<DeviceB> system-view
[DeviceB] stp region-configuration
[DeviceB-mst-region] region-name example
[DeviceB-mst-region] instance 1 vlan 10
[DeviceB-mst-region] instance 3 vlan 30
[DeviceB-mst-region] instance 4 vlan 40
[DeviceB-mst-region] revision-level 0
# Configure the region name, VLAN-to-instance mappings and revision level of the
MST region.
# View the MST region configuration information that has taken effect.
<DeviceC> system-view
[DeviceC] stp region-configuration
[DeviceC-mst-region] region-name example
[DeviceC-mst-region] instance 1 vlan 10
[DeviceC-mst-region] instance 3 vlan 30
[DeviceC-mst-region] instance 4 vlan 40
[DeviceC-mst-region] revision-level 0
# Configure the region name, VLAN-to-instance mappings and revision level of the
MST region.
# View the MST region configuration information that has taken effect.
<DeviceD> system-view
[DeviceD] stp region-configuration
[DeviceD-mst-region] region-name example
[DeviceD-mst-region] instance 1 vlan 10
[DeviceD-mst-region] instance 3 vlan 30
[DeviceD-mst-region] instance 4 vlan 40
[DeviceD-mst-region] revision-level 0
# Configure the region name, VLAN-to-instance mappings and revision level of the
MST region.
# View the MST region configuration information that has taken effect.
Introduction to VLAN
VLAN Overview
Ethernet is a network technique based on the CSMA/CD (carrier sense multiple
access/collision detect) mechanism. As the medium is shared in an Ethernet,
network performance degrades as the number of hosts in the network increases.
If the number of hosts in the network reaches a certain level,
problems caused by collisions, broadcasts, and so on emerge, which may cause
the network to operate improperly. Although a switch prevents collisions between
LANs, it still cannot block broadcast packets. VLAN, however, divides a LAN into
multiple logical LANs, with each being a broadcast domain. Hosts in the same
VLAN can communicate with each other just like in a LAN, and hosts from
different VLANs cannot communicate directly. In this way, broadcast packets are
confined in VLANs, as illustrated in the following figure.
[Figure: Switch A, Switch B and a router, with VLAN 2 and VLAN 5 shown at
each switch]
A VLAN is not restricted by physical factors; that is to say, hosts that reside in
different network segments may belong to the same VLAN, and users in a VLAN can
be connected to the same switch, or span across multiple switches or routers.
VLAN Fundamental
To enable packets to be distinguished by the VLANs they belong to, a field used to
identify VLANs is added to packets. As common switches operate on the data link
layer of the OSI model, they only process Layer 2 encapsulation information and
the field thus needs to be inserted into the Layer 2 encapsulation information of
packets.
The format of the packets carrying the fields identifying VLANs is defined in IEEE
802.1Q, which was issued in 1999.
In the header of a traditional Ethernet packet, the field following the destination
MAC address and the source MAC address is protocol type, which indicates the
upper layer protocol type. Figure 138 illustrates the format of a traditional
Ethernet packet, where DA stands for destination MAC address, SA stands for
source MAC address, and Type stands for upper layer protocol type.
IEEE802.1Q defines a four-byte VLAN Tag field between the DA&SA field and the
Type field to carry VLAN-related information, as shown in Figure 139.
Figure 139 The position and the format of the VLAN Tag field
The VLAN Tag field comprises four sub-fields: the tag protocol identifier (TPID)
field, the Priority field, the canonical format indicator (CFI) field, and the VLAN ID
field.
■ The TPID field, 16 bits in length and with a value of 0x8100, indicates that a
packet carries a VLAN tag with it.
■ The Priority field, three bits in length, indicates the 802.1p priority of a packet.
For information about packet priority, refer to “Priority Mapping” on page
1675.
■ The CFI field, one bit in length, specifies whether or not the MAC addresses are
encapsulated in standard format when packets are transmitted across different
media. With the field set to 0, MAC addresses are encapsulated in standard
format; with the field set to 1, MAC addresses are encapsulated in
non-standard format. The field is 0 by default.
■ The VLAN ID field, 12 bits in length and with its value ranging from 0 to 4095,
identifies the ID of the VLAN a packet belongs to. As VLAN IDs of 0 and 4095
are reserved by the protocol, the actual value of this field ranges from 1 to
4094.
A network device determines the VLAN to which a packet belongs by the VLAN
ID field the packet carries. The VLAN tag determines the way a packet is
processed. For more information, refer to “Introduction to Port-Based VLAN” on
page 491.
Note: The frame format mentioned here is that of Ethernet II. Besides Ethernet II
encapsulation, other types of encapsulation, including 802.2 LLC, 802.2 SNAP,
and 802.3 raw are also supported. The VLAN tag fields are also added to packets
adopting these encapsulation formats for VLAN identification.
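An added example, not part of the original manual, that parses, inserts and removes the VLAN Tag field described above in Ethernet II frames and flags the reserved VLAN IDs 0 and 4095. The sample frame and all function names are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100            # TPID value that marks a frame as carrying a VLAN tag
RESERVED_VLAN_IDS = (0, 4095)  # reserved by the protocol


def _mac(raw):
    return "-".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame):
    """Split an Ethernet II frame into DA, SA, optional VLAN Tag and Type."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"da": _mac(frame[0:6]), "sa": _mac(frame[6:12])}
    (field,) = struct.unpack_from("!H", frame, 12)
    if field != TPID_8021Q:
        # Traditional frame: the field after SA is the protocol type.
        info.update(tagged=False, type=field, payload=frame[14:])
        return info
    if len(frame) < 18:
        raise ValueError("frame ends inside the VLAN Tag field")
    tci, ether_type = struct.unpack_from("!HH", frame, 14)
    vlan_id = tci & 0x0FFF                      # low 12 bits
    info.update(
        tagged=True,
        priority=tci >> 13,                     # top 3 bits: 802.1p priority
        cfi=(tci >> 12) & 1,                    # 1 bit
        vlan_id=vlan_id,
        reserved_vlan_id=vlan_id in RESERVED_VLAN_IDS,
        type=ether_type,
        payload=frame[18:],
    )
    return info


def add_tag(frame, vlan_id, priority=0, cfi=0):
    """Insert a four-byte VLAN Tag between the SA field and the Type field."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("usable VLAN IDs are 1 to 4094")
    if not 0 <= priority <= 7 or cfi not in (0, 1):
        raise ValueError("priority is 3 bits, CFI is 1 bit")
    if parse_ethernet(frame)["tagged"]:
        raise ValueError("frame already carries a VLAN tag")
    tci = (priority << 13) | (cfi << 12) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame):
    """Remove the VLAN Tag if present; untagged frames are returned unchanged."""
    if not parse_ethernet(frame)["tagged"]:
        return frame
    return frame[:12] + frame[16:]


# Constructed untagged frame: broadcast DA, sample SA, Type 0x0800.
UNTAGGED = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"constructed payload"

if __name__ == "__main__":
    tagged = add_tag(UNTAGGED, vlan_id=100, priority=5)
    print(tagged[12:16].hex())
    print(parse_ethernet(tagged))
    print(strip_tag(tagged) == UNTAGGED)
```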
VLAN Classification
Based on different criteria, VLANs can be classified into different categories. The
following types are the most commonly used:
■ Port-based
■ MAC address-based
■ Protocol-based
■ IP-subnet-based
■ Policy-based
■ Other types
Configuring Basic VLAN Attributes
Follow these steps to configure basic VLAN attributes:
To do...            Use the command...                        Remarks
Enter system view   system-view                               -
Create VLANs        vlan { vlan-id1 [ to vlan-id2 ] | all }   Optional. Using this command can create multiple VLANs.
Configuring VLAN Interface Basic Attributes
Hosts of different VLANs cannot communicate directly. That is, routers or Layer 3
switches are needed for packets to travel across different VLANs. VLAN interfaces
are used to forward VLAN packets on Layer 3.
VLAN interfaces are Layer 3 virtual interfaces (which do not exist physically on
devices) used for Layer 3 interoperability between different VLANs. Each VLAN can
have one VLAN interface. Packets of a VLAN can be forwarded at the network layer
through the corresponding VLAN interface. As each VLAN forms a broadcast
domain, a VLAN can be an IP network segment and the VLAN interface can be the
gateway to enable IP address-based Layer 3 forwarding.
Note: Before creating a VLAN interface, ensure that the corresponding VLAN
already exists. Otherwise, the specified VLAN interface will not be created.
Configuring a Port-Based VLAN
Introduction to Port-Based VLAN
This is the simplest and yet the most effective way of classifying VLANs. It groups
VLAN members by port. After being added to a VLAN, a port can forward the
packets of the VLAN.
■ A Hybrid port allows packets of multiple VLANs to be sent without the Tag
label;
■ A Trunk port only allows packets from the default VLAN to be sent without the
Tag label.
Default VLAN
You can configure the default VLAN for a port. By default, VLAN 1 is the default
VLAN for all ports. However, this can be changed as needed.
■ An Access port only belongs to one VLAN. Therefore, its default VLAN is the
VLAN it resides in and cannot be configured.
■ You can configure the default VLAN for the Trunk port or the Hybrid port as
they can both belong to multiple VLANs.
■ After deletion of the default VLAN using the undo vlan command, the default
VLAN for an Access port will revert to VLAN 1, whereas that for the Trunk or
Hybrid port remains, meaning the port can use a nonexistent VLAN as the
default VLAN.
Configured with the default VLAN, a port handles packets in the following ways:
... the default VLAN ID of the port is in the list of VLANs allowed to pass
through the port, if yes, tag the packet with the default VLAN ID; if no, discard
the packet
... the VLAN ID is in the list of VLANs allowed to pass through the port
■ Discard the packet if the VLAN ID is not in the list of VLANs allowed to pass
through the port
... the packet if the VLAN ID is the same as the default VLAN ID
■ Keep the tag and send the packet if the VLAN ID is not the same as the default
VLAN ID but allowed to pass through the port
Hybrid port: Send the packet if the VLAN ID is allowed to pass through the port.
Use the port hybrid vlan command to configure whether the port keeps or strips
the tags when sending packets of a VLAN (including default VLAN).
Configuring the Access-Port-Based VLAN
There are two ways to configure an Access-port-based VLAN: one way is to
configure it in VLAN view, the other way is to configure it in Ethernet port view
or port group view.
Follow these steps to configure the Access-port-based VLAN (in Ethernet
port view or port group view):
Note:
■ Ensure that you create a VLAN first before trying to add an Access port to the
VLAN.
■ Refer to “Aggregation Port Group” on page 349 for information about port
groups.
Configuring the Trunk-Port-Based VLAN
A Trunk port may belong to multiple VLANs, and you can only perform this
configuration in Ethernet port view or port group view.
Note:
■ To convert a Trunk port into a Hybrid port (or vice versa), you need to use the
Access port as a medium. For example, the Trunk port has to be configured as
an Access port first and then a Hybrid port.
■ The default VLAN ID on the Trunk ports of the local and peer devices must be
the same. Otherwise, packets cannot be transmitted properly.
■ Refer to “Aggregation Port Group” on page 349 for information about port
groups.
Configuring the Hybrid-Port-Based VLAN
A Hybrid port may belong to multiple VLANs, and this configuration can only be
performed in Ethernet port view or port group view.
Note:
■ To configure a Trunk port into a Hybrid port (or vice versa), you need to use the
Access port as a medium. For example, the Trunk port has to be configured as
an Access port first and then a Hybrid port.
■ Ensure that a VLAN already exists before configuring it to pass through a
certain Hybrid port.
■ The default VLAN ID on the Hybrid ports of the local and the peer devices must
be the same. Otherwise, packets of the local default VLAN cannot be
transmitted properly.
■ Refer to “Aggregation Port Group” on page 349 for information about port
groups.
Displaying and Maintaining VLAN
To do...                                   Use the command...                                                                                                                    Remarks
Display VLAN information                   display vlan [ vlan-id1 [ to vlan-id2 ] | all | dynamic | interface interface-type interface-number.subnumber | reserved | static ]   Available in any view
Display VLAN interface information         display interface vlan-interface [ vlan-interface-id ]                                                                                Available in any view
Clear the statistics on a VLAN interface   reset counters interface [ interface-type [ interface-number ] ]                                                                      Available in user view
Note: The reset counters interface command can be used to clear the statistics
on a VLAN interface. For more information, refer to “Ethernet Interface
Configuration” on page 89.
Network diagram
[Figure: Device A and Device B, each labelled with port Eth1/0]
Configuration procedure
1 Configure Device A
<DeviceA> system-view
[DeviceA] vlan 2
[DeviceA-vlan2] quit
[DeviceA] vlan 100
[DeviceA-vlan100] vlan 6 to 50
Please wait... Done.
# Configure Ethernet 1/0 as a Trunk port and configure its default VLAN ID as 100.
# Configure Ethernet 1/0 to deny packets of VLAN 1 to pass. (All ports allow
packets of VLAN 1 to pass by default.)
# Configure Ethernet 1/0 to permit packets of VLAN 2, VLAN 6 through VLAN 50,
and VLAN 100.
Verification
Verifying the configuration of Device A is similar to that of Device B, so only Device
A is taken as an example here.
# Display the information about Ethernet 1/0 of Device A to verify the above
configurations.
Note:
■ Voice VLAN automatic mode and secure mode are not supported on MSR 20
series routers.
■ Voice VLAN automatic mode and secure mode are not supported on SIC-4FSW
and DSIC-9FSW modules.
■ Voice VLAN automatic mode and secure mode are supported on 16FSW and
24FSW modules.
Introduction to Voice VLAN
Voice VLANs are configured specially for voice traffic. By adding the ports that
connect voice devices to voice VLANs, you can configure quality of service (QoS
for short) attributes for the voice traffic, increasing transmission priority and
ensuring voice quality. A device determines whether a received packet is a voice
packet by checking its source MAC address. Packets containing source MAC
addresses that comply with the voice device Organizationally Unique Identifier
(OUI for short) addresses are regarded as voice traffic, and are forwarded in the
voice VLANs.
You can configure the OUI addresses in advance or use the default OUI addresses
as listed in Table 17.
Note:
■ As the first 24 bits of a MAC address (in binary format), an OUI address is a
globally unique identifier assigned to a vendor by IEEE (Institute of Electrical
and Electronics Engineers).
■ The default OUI address can be configured/removed manually.
Working Modes of Voice VLAN
A voice VLAN can operate in two working modes: automatic mode and manual
mode (the mode here refers to the way of adding a port to a voice VLAN).
■ In automatic mode, the system identifies the source MAC address contained in
the protocol packets (untagged packets) sent when the IP phone is powered on
and matches it against the OUI addresses. If a match is found, the system will
automatically add the port into the voice VLAN and apply ACL rules to ensure
the packet precedence. An aging time can be configured for the voice VLAN.
The system will remove a port from the voice VLAN if no voice packet is
received from it after the aging time. The adding and deleting of ports are
automatically realized by the system.
■ In manual mode, the IP phone access port needs to be added to the voice
VLAN manually. It then identifies the source MAC address contained in the
packet and matches it against the OUI addresses. If a match is found, the system
issues ACL rules and configures the precedence for the packets. In this mode,
the operations of adding ports to the voice VLAN and removing ports from the
voice VLAN are carried out by the administrators.
■ Both modes forward tagged packets according to their tags.
The following table lists the co-relation between the working modes of a voice
VLAN, the voice traffic type of an IP phone, and the interface modes of a VLAN
interface.
Voice VLAN operating mode   Voice traffic type       Interface link type
Automatic mode              Tagged voice traffic     Access: the traffic type is not supported
                                                     Trunk: supported provided that the default VLAN of the
                                                     access port exists and is not a voice VLAN and that the
                                                     access port belongs to the voice VLAN
                                                     Hybrid: supported provided that the default VLAN of the
                                                     access port exists and is not a voice VLAN. Besides, the
                                                     default VLAN needs to be in the list of tagged VLANs whose
                                                     packets can pass through the access port
                            Untagged voice traffic   Access, Trunk, Hybrid: not supported
Manual mode                 Tagged voice traffic     Access: not supported
                                                     Trunk: supported provided that the default VLAN of the
                                                     access port exists and is not a voice VLAN and that the
                                                     access port belongs to the default VLAN
                                                     Hybrid: supported provided that the default VLAN of the
                                                     access port exists and is not the voice VLAN. Besides, the
                                                     voice VLAN must be in the list of tagged VLANs whose
                                                     packets can pass through the access port
                            Untagged voice traffic   Access: supported provided that the default VLAN of the
                                                     access port is a voice VLAN
                                                     Trunk: supported provided that the default VLAN of the
                                                     access port is a voice VLAN and that the access port allows
                                                     packets from the voice VLAN to pass through
                                                     Hybrid port: supported provided that the default VLAN of
                                                     the access port is a voice VLAN and that the voice VLAN is
                                                     in the list of untagged VLANs whose packets are allowed to
                                                     pass through the access port
CAUTION:
■ If the voice traffic sent by an IP phone is tagged and the access port has
802.1x authentication and Guest VLAN enabled, assign different VLAN IDs for
the voice VLAN, the default VLAN of the access port, and the 802.1x guest
VLAN.
■ If the voice traffic sent by an IP phone is untagged, to realize the voice VLAN
feature, the default VLAN of the access port can only be configured as the
voice VLAN. Note that at this time the 802.1x authentication function cannot be
realized.
Note:
■ The default VLAN of all ports is VLAN 1. Using commands, users can either
configure the default VLAN of a port, or allow a certain VLAN to
pass through the port. For more information, refer to “Configuring a
Port-Based VLAN” on page 491.
■ Use the display interface command to display the default VLAN and the
VLANs that are allowed to go through a certain port.
Security Mode and Normal Mode of Voice VLAN
Ports that have the voice VLAN feature enabled can be divided into two modes
based on the filtering mechanisms applied to inbound packets.
■ Security mode: only voice packets with source OUI MAC addresses can pass
through the inbound port (with the voice VLAN feature enabled); other
non-voice packets will be discarded, including authentication packets, such as
802.1x authentication packets.
■ Normal mode: both voice packets and non-voice packets are allowed to pass
through an inbound port (with the voice VLAN feature enabled); the former
will abide by the voice VLAN forwarding mechanism whereas the latter will abide
by the normal VLAN forwarding mechanism.
It is recommended that you do not mix voice packets with other types of data in a
voice VLAN. If necessary, please ensure that the security mode is disabled.
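An added example, not part of the original manual, that parses the display voice vlan oui output shown on this page into OUI/mask entries and applies the security-mode and normal-mode inbound rules described above. The source MAC addresses and function names are constructed; the OUI lines are copied from the page's sample output.

```python
import re

# Output of "display voice vlan oui" as shown in this page's verification step.
DISPLAY_OUTPUT = """\
<DeviceA> display voice vlan oui
Oui Address Mask Description
0001-e300-0000 ffff-ff00-0000 Siemens phone
0003-6b00-0000 ffff-ff00-0000 Cisco phone
0004-0d00-0000 ffff-ff00-0000 Avaya phone
0011-2200-0000 ffff-ff00-0000 test
00d0-1e00-0000 ffff-ff00-0000 Pingtel phone
0060-b900-0000 ffff-ff00-0000 Philips/NEC phone
00e0-7500-0000 ffff-ff00-0000 Polycom phone
00e0-bb00-0000 ffff-ff00-0000 3com phone
"""

_MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
ENTRY = re.compile(rf"^({_MAC})\s+({_MAC})\s+(.*)$", re.IGNORECASE)


def mac_to_int(text):
    """Accept xxxx-xxxx-xxxx, xx:xx:xx:xx:xx:xx or xxxx.xxxx.xxxx notation."""
    digits = re.sub(r"[-:.]", "", text.strip())
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def parse_oui_table(output):
    """Return (oui, mask, description) tuples; prompt and header lines are skipped."""
    entries = []
    for line in output.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            oui, mask, description = match.groups()
            entries.append((mac_to_int(oui), mac_to_int(mask), description.strip()))
    return entries


def match_oui(src_mac, entries):
    """Description of the first OUI entry the source MAC complies with, else None."""
    mac = mac_to_int(src_mac)
    for oui, mask, description in entries:
        if mac & mask == oui & mask:
            return description
    return None


def inbound_decision(src_mac, entries, security_mode=True):
    """How a voice-VLAN-enabled port treats an inbound packet from src_mac."""
    description = match_oui(src_mac, entries)
    if description is not None:
        return ("voice VLAN forwarding", description)
    if security_mode:
        return ("discard", None)          # includes 802.1x authentication packets
    return ("normal VLAN forwarding", None)


if __name__ == "__main__":
    table = parse_oui_table(DISPLAY_OUTPUT)
    # Constructed source addresses: two inside listed OUIs, one outside.
    for mac in ("0011-2200-1a2b", "00:e0:bb:12:34:56", "0200-0000-0001"):
        print(mac,
              inbound_decision(mac, table, security_mode=True),
              inbound_decision(mac, table, security_mode=False))
```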
Configuration Prerequisites
■ Create the corresponding VLAN before configuring the voice VLAN;
■ As a default VLAN, VLAN 1 does not need to be created. However, it cannot be
enabled with the voice VLAN feature.
Configuring Voice VLAN under Automatic Mode
Follow these steps to configure the voice VLAN under automatic mode:
To do...                                            Use the command...                                             Remarks
Enter system view                                   system-view                                                    -
Configure the aging time of the voice VLAN          voice vlan aging minutes                                       Optional. Only applicable to ports in automatic mode and defaults to 1,440 minutes
Enable the security mode of the voice VLAN          voice vlan security enable                                     Optional. Enabled by default
Configure the OUI address for the voice VLAN        voice vlan mac-address oui mask oui-mask [ description text ]  Optional. By default, each voice VLAN has 8 default OUI addresses as listed in Table 17.
Enable the global voice VLAN feature                voice vlan vlan-id enable                                      Required
Enter Ethernet interface view                       interface interface-type interface-number                      -
Configure the working mode on a port as automatic   voice vlan mode auto                                           Optional. Automatic mode by default. The working mode of the voice VLAN on each port is independent of each other.
Enable the voice VLAN feature on the interface      voice vlan enable                                              Required. Not enabled by default
Configuring Voice VLAN under Manual Mode
Follow these steps to configure the voice VLAN under manual mode:
To do...                                   Use the command...           Remarks
Enter system view                          system-view                  -
Enable the security mode of a voice VLAN   voice vlan security enable   Optional. Enabled by default
Note:
■ Only one VLAN of a device can have the voice VLAN feature enabled at a
time.
■ A port that has the Link Aggregation Control Protocol (LACP for short) enabled
cannot have the voice VLAN feature enabled at the same time.
■ A dynamic VLAN becomes a static VLAN automatically after it is enabled with
the voice VLAN feature.
■ The voice vlan security enable command and the undo voice
vlan security enable command only take effect when issued before the voice
VLAN feature is enabled globally.
■ If the port is enabled with voice VLAN in manual mode, you need to add the
port to the voice VLAN manually to validate the voice VLAN.
Displaying and Maintaining Voice VLAN
To do...                                                      Use the command...         Remarks
Display the voice VLAN state                                  display voice vlan state   Available in any view
Display the OUI addresses currently supported by the system   display voice vlan oui     Available in any view
Voice VLAN Configuration Examples
Network diagram
[Figure: Device A, Device B and the Internet; labels shown: Eth1/1, Eth2/1,
VLAN 2]
Configuration procedure
# Create VLAN 2 and VLAN 6.
<DeviceA> system-view
[DeviceA] vlan 2
[DeviceA-vlan2] quit
[DeviceA] vlan 6
[DeviceA-vlan6] quit
# Configure the OUI address 0011-2200-0000 as the legal address of the voice
VLAN.
# Configure the working mode of the voice VLAN of Ethernet 1/1 as automatic.
(Optional, by default, the voice VLAN works in automatic mode)
# Configure the default VLAN of the port as VLAN 6 and allow packets from VLAN
6 to pass through the port.
Verification
# Display information about the OUI addresses, OUI address masks, and
descriptive strings.
<DeviceA> display voice vlan oui
Oui Address Mask Description
0001-e300-0000 ffff-ff00-0000 Siemens phone
0003-6b00-0000 ffff-ff00-0000 Cisco phone
0004-0d00-0000 ffff-ff00-0000 Avaya phone
0011-2200-0000 ffff-ff00-0000 test
00d0-1e00-0000 ffff-ff00-0000 Pingtel phone
0060-b900-0000 ffff-ff00-0000 Philips/NEC phone
00e0-7500-0000 ffff-ff00-0000 Polycom phone
00e0-bb00-0000 ffff-ff00-0000 3com phone
<DeviceA>
■ Ethernet 1/1 works in manual mode. It only allows voice packets with an OUI
address of 0011-2200-0000, a mask of ffff-ff00-0000, and a descriptive string
of “test” to be forwarded.
Network diagram
[Figure: Device A, Device B and the Internet; labels shown: Eth1/1, Eth2/1,
VLAN 2]
Configuration procedure
# Configure the voice VLAN to work in security mode and allow only legal voice
packets to pass through the voice VLAN enabled port. (Optional, enabled by
default)
<DeviceA> system-view
[DeviceA] voice vlan security enable
# Configure the OUI address 0011-2200-0000 as the legal voice VLAN address.
[DeviceA] vlan 2
[DeviceA-vlan2] quit
[DeviceA] voice vlan 2 enable
# Configure the default VLAN of Ethernet 1/1 as voice VLAN and add it to the list
of tagged VLANs whose packets can pass through the port.
Verification
# Display information about the OUI addresses, OUI address masks, and
descriptive strings.
<DeviceA> display voice vlan oui
Oui Address Mask Description
0001-e300-0000 ffff-ff00-0000 Simens phone
0003-6b00-0000 ffff-ff00-0000 Cisco phone
0004-0d00-0000 ffff-ff00-0000 Avaya phone
0011-2200-0000 ffff-ff00-0000 test
00d0-1e00-0000 ffff-ff00-0000 Pingtel phone
0060-b900-0000 ffff-ff00-0000 Philips/NEC phone
00e0-7500-0000 ffff-ff00-0000 Polycom phone
00e0-bb00-0000 ffff-ff00-0000 3com phone
Introduction to Port Isolation
To implement Layer 2 isolation, you can add different ports to different VLANs.
However, this will waste the limited VLAN resource. With port isolation, the ports
can be isolated within the same VLAN. Thus, you need only to add the ports to the
isolation group to implement Layer 2 isolation. This provides you with more secure
and flexible networking schemes.
Presently:
Port isolation is independent of the VLAN the port belongs to. For ports belonging
to different VLANs, Layer 2 data of each port is isolated. Within the same VLAN,
Layer 2 data can be forwarded between ports within the isolation group and ports
outside the isolation group.
Configuring Isolation Groups
Adding a Port to the Isolation Group
Follow these steps to add a port to the isolation group:
To do... Use the command... Remarks
Enter system view system-view -
NOTE: Refer to “Aggregation Port Group” on page 349 for information about port
groups.
Displaying and Maintaining Isolation Groups
To do...                 Use the command...          Remarks
Display isolation group  display port-isolate group  Available in any view
isolation
Networking diagram
[Figure: Device with ports Eth1/0, Eth1/1, Eth1/2 and Eth1/3; Internet]
Configuration procedure
# Add ports Ethernet 1/1, Ethernet 1/2 and Ethernet 1/3 to the isolation group.
<Device> system-view
[Device] interface ethernet 1/1
[Device-Ethernet1/1] port-isolate enable
[Device-Ethernet1/1] quit
[Device] interface ethernet 1/2
[Device-Ethernet1/2] port-isolate enable
[Device-Ethernet1/2] quit
[Device] interface ethernet 1/3
[Device-Ethernet1/3] port-isolate enable
NOTE: Currently, the dynamic route backup function is available to the following dialup
interfaces: dialer interfaces, PRI interfaces, BRI interfaces, serial interfaces
operating in the asynchronous mode, AM interfaces, and AUX interfaces.
Overview
Concept
As a new way of route backup, the dynamic route backup function uses the dial
control center (DCC) to dynamically maintain dialup links, that is, the dynamic
route backup function implements route-based dialup backup.
The dynamic route backup function combines the backup function and the
routing function well, providing reliable connections and standard dial-on-demand
services.
Features
The dynamic route backup function is mainly used to back up dynamic routes, but
it can also back up static routes and directly connected routes.
The dynamic route backup function is not dedicated to a specific interface or link,
and it is appropriate for implementations with multiple interfaces and multiple
routers.
With the dynamic route backup function enabled, the backup link is started
automatically when the primary link disconnects, causing no dialup delay
(excluding the time for route convergence).
For BGP, you need to take the following measures to solve this problem:
■ Assign a higher IP address to the backup link than to the primary link
Implementation
By configuring the network segment to be monitored, you can have a backup link
enabled when the primary link fails. The dynamic route backup function monitors
routes and activates a backup link in the following sequence:
1 The system monitors whether routes to the monitored network segment need to
be updated, and checks whether there is at least one valid route to the monitored
network segment.
2 If there is at least one valid route to the monitored network segment, and the
route originates from another interface with the dynamic route backup function
disabled, the primary link is considered to be connected.
3 Otherwise, the primary link is considered to be disabled and unavailable, and the
backup link is activated for dialup.
4 After the backup link is activated, the dialup link carries the communication data.
When the primary link is restored, the backup link can be either disconnected
immediately or disconnected after the timer expires, as configured.
Dynamic Route Backup Configuration
Creating Dynamic Route Backup Groups
You can create dynamic route backup groups in one of the following two ways:
1 Create multiple dynamic route backup groups, each of which monitors a different
network segment. The logical relationship among these network segments is
“OR”, that is, the backup link will be activated when there is no valid route to one
of these network segments. For each dynamic route backup group, a link is dialed
or hung up on a dialup interface.
2 Create one dynamic route backup group that monitors multiple network
segments. The logical relationship among these network segments is “AND”, that
is, the backup link will be activated when there is no valid route to any of these
network segments. When the backup link is to be activated, the dialup interfaces
of these monitored network segments are checked in sequence for whether the
dialer route command is enabled. The backup link is enabled on the first-checked
interface with the dialer route command enabled. Note that only one link can be
activated.
Table 18 Create dynamic route backup groups
NOTE: Before enabling the dynamic route backup function on a backup interface, make
sure that DCC has been enabled on the backup interface.
Configuring Backup Link Disconnection Delay
In order to avoid route instability, you can disconnect the backup link after a
specified delay after the primary link is connected.
Table 20 Configure backup link disconnection delay
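The activation sequence, the “OR”/“AND” relationship between monitored segments and the disconnection delay described above, modelled as an added example (not 3Com code). Interface names, segments and the 30-second delay are constructed, and matching a route to a monitored segment by exact prefix is a simplification.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    segment: str        # destination network, e.g. "10.0.0.0/8"
    out_interface: str  # interface the route was learned on
    valid: bool = True


def primary_link_up(segment, routes, backup_interfaces):
    """Steps 1-2: a valid route counts only if it does not use a backup interface."""
    return any(
        r.valid and r.segment == segment and r.out_interface not in backup_interfaces
        for r in routes
    )


def group_needs_backup(segments, routes, backup_interfaces):
    """One group, several segments ("AND"): dial only if none of them is reachable."""
    return all(not primary_link_up(s, routes, backup_interfaces) for s in segments)


def interfaces_to_dial(groups_by_interface, routes):
    """Several groups ("OR"): dial an interface if any of its groups needs backup.

    groups_by_interface maps a dialup interface to a list of groups, each group
    being the list of network segments it monitors.
    """
    backup_interfaces = set(groups_by_interface)
    return sorted(
        interface
        for interface, groups in groups_by_interface.items()
        if any(group_needs_backup(g, routes, backup_interfaces) for g in groups)
    )


class BackupLink:
    """Step 4: keep the backup link up until the primary has been back for the delay."""

    def __init__(self, disconnect_delay):
        self.disconnect_delay = disconnect_delay  # seconds; 0 means immediately
        self.active = False
        self.primary_up_since = None

    def update(self, primary_up, now):
        if not primary_up:
            self.active = True
            self.primary_up_since = None  # a flap restarts the delay
        elif self.active:
            if self.primary_up_since is None:
                self.primary_up_since = now
            if now - self.primary_up_since >= self.disconnect_delay:
                self.active = False
                self.primary_up_since = None
        return self.active


if __name__ == "__main__":
    # Constructed routing table: 11.0.0.0/8 has been lost on the primary link.
    routes = [Route("10.0.0.0/8", "Serial2/0")]
    print(interfaces_to_dial({"Bri3/0": [["10.0.0.0/8"], ["11.0.0.0/8"]]}, routes))
    print(interfaces_to_dial({"Bri3/0": [["10.0.0.0/8", "11.0.0.0/8"]]}, routes))
```

With the same routing table the two grouping styles disagree: separate groups dial as soon as one segment is lost, while a single group waits until every monitored segment is unreachable.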
Dynamic Route Backup Configuration Example
Network diagram
[Figure: Router A, Router B and Router C; X.25 links on interfaces S2/0 and S2/1 (10.0.0.1/8, 10.0.0.2/8); ISDN links on interfaces BRI3/0 (20.0.0.1/8, 20.0.0.2/8); Loop 1 (30.0.0.0/8)]
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] dialer-rule 1 ip permit
[RouterA] rip
[RouterA-rip-1] network 10.0.0.0
[RouterA-rip-1] network 20.0.0.0
[RouterA-rip-1] import-route direct
[RouterA-rip-1] quit
# Make the priority of routes on dialup interfaces lower than that of
serial interfaces.
<RouterB> system-view
[RouterB] x25 switching
<RouterC> system-view
[RouterC] dialer-rule 1 ip permit
[RouterC] rip
[RouterC-rip-1] network 10.0.0.0
[RouterC-rip-1] network 20.0.0.0
[RouterC-rip-1] network 30.0.0.0
[RouterC-rip-1] import-route direct
Network diagram
[Figure: Router A and Router B; serial interfaces S2/0 (10.0.0.1/8, 10.0.0.2/8); ISDN interfaces BRI3/0 (20.0.0.1/8, 20.0.0.2/8); Loop 1 (40.0.0.1/32)]
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] dialer-rule 1 ip permit
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 10.0.0.0 0.255.255.255
[RouterA-ospf-1-area-0.0.0.0] network 20.0.0.0 0.255.255.255
[RouterA-ospf-1-area-0.0.0.0] import-route direct
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
# Make the priority of routes on dialup interfaces lower than that of
serial interfaces.
<RouterB> system-view
[RouterB] dialer-rule 1 ip permit
[RouterB] ospf
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 10.0.0.0 0.255.255.255
[RouterB-ospf-1-area-0.0.0.0] network 20.0.0.0 0.255.255.255
[RouterB-ospf-1-area-0.0.0.0] network 40.0.0.0 0.0.0.0
[RouterB-ospf-1-area-0.0.0.0] import-route direct
Network diagram
[Figure: X.25 network]
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] dialer-rule 1 ip permit
[RouterA] local-user userb
[RouterA-luser-userb] password simple userb
[RouterA-luser-userb] service-type ppp
[RouterA-luser-userb] quit
[RouterA] rip
[RouterA-rip-1] network 10.0.0.0
[RouterA-rip-1] network 20.0.0.0
[RouterA-rip-1] import-route direct
[RouterA-rip-1] quit
# Make the priority of routes on dialup interfaces lower than that of
serial interfaces.
<RouterB> system-view
[RouterB] dialer-rule 1 ip permit
[RouterB] local-user usera
[RouterB-luser-usera] password simple usera
[RouterB-luser-usera] service-type ppp
[RouterB-luser-usera] quit
[RouterB] rip
[RouterB-rip-1] network 10.0.0.0
[RouterB-rip-1] network 20.0.0.0
[RouterB-rip-1] network 30.0.0.0
[RouterB-rip-1] import-route direct
Network diagram
[Figure: interface Eth1/0 (10.0.0.1/8); FR network]
NOTE: This network diagram illustrates only a simple implementation. In practice, the
monitored network segments may be distributed on multiple devices.
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] dialer-rule 1 ip permit
[RouterA-Serial2/1:15] dialer-group 1
[RouterA-Serial2/1:15] dialer route ip 10.0.0.0 mask 8 660220
[RouterA-Serial2/1:15] standby routing-group 1
[RouterA-Serial2/1:15] quit
[RouterA] rip
[RouterA-rip-1] network 1.0.0.0
[RouterA-rip-1] network 2.0.0.0
[RouterA-rip-1] import-route direct
# Make the priority of routes on dialup interfaces lower than that of
serial interfaces.
<RouterB> system-view
[RouterB] dialer-rule 1 ip permit
[RouterB] rip
[RouterB-rip-1] network 1.0.0.0
[RouterB-rip-1] network 2.0.0.0
[RouterB-rip-1] network 10.0.0.0
[RouterB-rip-1] network 11.0.0.0
[RouterB-rip-1] network 12.0.0.0
[RouterB-rip-1] import-route direct
NOTE: This section introduces the basic configuration of logical interfaces. For the
configuration of the data link layer, network layer and some special features,
refer to the relevant sections in the Access Volume and IP Service Volume.
Logical Interface Overview
A logical interface (also known as a virtual interface) is an interface that can
implement data switching but does not exist physically. Logical interfaces include
dial interfaces, loopback interfaces, null interfaces, sub-interfaces, multilink
point-to-point protocol group (MP-group) interfaces, multilink frame relay (MFR)
interfaces, backup center logical channels, virtual templates (VTs), and so on.
Dialer Interface
A dialer interface is designed for configuring dial control center (DCC) parameters.
A physical interface can inherit configuration information through binding itself to
a dialer interface. The following interfaces on a device support dialing:
asynchronous serial interfaces (including synchronous/asynchronous serial
interfaces operating in asynchronous mode), AUX interfaces, AM interfaces, ISDN
BRI interfaces and ISDN PRI interfaces.
NOTE: Refer to “DCC Configuration” on page 153 for more information about DCC.
Loopback Interface
Introduction to Loopback Interface
A loopback interface is a software-only virtual interface. The physical layer state
and link layer protocols of a loopback interface are always up except when the
loopback interface is manually shut down. A loopback interface can be configured
with an IP address. To save IP address resources, the IP address of a loopback
interface is coupled with a 32-bit mask. Routing protocols can be enabled on a
loopback interface, and a loopback interface is capable of sending and receiving
routing protocol packets.
Loopback interfaces have various uses, for example, the IP address of a loopback
interface can be used as the source addresses of all the IP packets that the local
device generates. As loopback interface addresses are stable and are unicast
addresses, they are usually used to identify devices. In some cases, configuring an
Because a loopback interface is always up, it can be used for some special
purposes. For example, if the router ID of a device is not available, some dynamic
routing protocols use the highest loopback interface address of the device as the
router ID.
Configuring a Loopback Interface
Table 21 Configure a loopback interface
Operation                                                      Command                    Description
Enter system view                                              system-view                -
Create a Loopback interface and enter Loopback interface view  interface loopback number  -
Shut down a loopback interface manually                        shutdown                   Optional. Always in the up state by default
CAUTION:
■ Only 32-bit subnet masks can be configured for Loopback interfaces.
■ Parameters such as IP addresses and IP routes can be configured on Loopback
interfaces. Refer to “IP Addressing Configuration” on page 623 for detailed
configurations.
Null Interface
Introduction to Null Interface
Null interfaces are purely software logical interfaces. Null interfaces are
always up. However, they can neither forward data packets nor have IP addresses
or link layer protocols configured on them. With a null interface specified as the
next hop of a static route to a specific network segment, any packets routed to the
network segment are dropped. If you route unwanted traffic to the
null interface of a device, the unwanted traffic is filtered. In this way,
complicated ACL configurations are avoided.
Configuring a Null Interface
Table 22 Configure a null interface
Operation          Command      Description
Enter system view  system-view  -
Sub-interface
Introduction to Sub-interface
Sub-interfaces are logical virtual interfaces configured on a primary interface. The
primary interface can be either a physical interface (such as a layer-3 Ethernet
interface) or a logical interface (such as an MFR interface). A sub-interface can
share the physical-layer parameters of the primary interface and also have its own
link-layer and network-layer parameters configured. Disabling or enabling a
sub-interface has no effect on the corresponding primary interface, but state
changes of the primary interface affect the sub-interfaces. A sub-interface can
operate properly only when the primary interface operates properly.
With the sub-interface feature enabled, you can configure multiple sub-interfaces
for a single physical interface of a device, thus improving the flexibility of
networking implementation.
You can use the reset command in user view to clear the statistics on the VLAN
associated with the specified sub-interface.
Operation                                                  Command
Display the information about a sub-interface              display interface interface-type interface-number.subnumber
Display the information about the VLAN of a sub-interface  display vlan interface interface-type interface-number.subnumber
NOTE: For more information about the display vlan interface command and the reset
command, refer to the display vlan command in “Introduction to VLAN” on page
487.
Configuring WAN Sub-interfaces
Configure sub-interfaces for a WAN interface with link-layer protocol
being frame relay
1 Create a sub-interface
Table 25 Create a sub-interface
■ Frame relay address mapping different from that of the WAN interface (also
known as the primary interface)
■ IP addresses in a network segment different from the network segment in which
the WAN interface resides
■ IPX network numbers and IPX operation parameters different from those of the
WAN interface
■ Virtual circuits corresponding to a sub-interface
On sub-interfaces of a WAN interface with link-layer protocol being X.25, you can
configure:
■ X.25 address mapping different from that of the WAN interface (also known as
the primary interface)
■ IP addresses in a network segment different from the network segment in which
the WAN interface resides
■ IPX network numbers and IPX operation parameters different from those of the
WAN interface
■ Virtual circuits corresponding to a sub-interface
For the detailed configuration information, refer to “ATM and DSL Interface
Configuration” on page 71.
different switches but belonging to the same VLAN can intercommunicate with
each other.
■ Work station A can intercommunicate with work station D, and work station B
can intercommunicate with work station C, that is, devices connected to
different switches and belonging to different VLANs can intercommunicate
with each other.
Network diagram
[Figure: Router with sub-interfaces Eth3/0.10 (1.0.0.1/8, VLAN 10), Eth3/0.20 (2.0.0.1/8, VLAN 20), Eth4/0.10 (3.0.0.1/8, VLAN 10) and Eth4/0.20 (4.0.0.1/8, VLAN 20); Switch A with Host A (1.1.1.1/8, VLAN 10) and Host B (2.2.2.2/8, VLAN 20); Switch B with Host C (3.3.3.3/8, VLAN 10) and Host D (4.4.4.4/8, VLAN 20); Internet]
Configuration procedure
1 Configure Router:
<Router> system-view
[Router] interface ethernet 3/0.10
[Router-Ethernet3/0.10] ip address 1.0.0.1 255.0.0.0
[Router-Ethernet3/0.10] quit
[Router] interface ethernet 3/0.20
[Router-Ethernet3/0.20] ip address 2.0.0.1 255.0.0.0
[Router-Ethernet3/0.20] quit
[Router] interface ethernet 4/0.10
[Router-Ethernet4/0.10] ip address 3.0.0.1 255.0.0.0
[Router-Ethernet4/0.10] quit
[Router] interface ethernet 4/0.20
[Router-Ethernet4/0.20] ip address 4.0.0.1 255.0.0.0
[Router-Ethernet4/0.20] quit
Network diagram
[Figure: Router A with sub-interfaces S1/0.1 (1.1.1.1/24, DLCI 50) and S1/0.2 (1.1.2.1/24, DLCI 60) and LAN 1 (2.1.0.0/16); Router B with S2/0 (1.1.1.2/24, DLCI 50) and LAN 2 (2.2.0.0/16); Router C with S2/0 (1.1.2.2/24, DLCI 60) and LAN 3 (2.3.0.0/16); FR network]
Configuration procedure
1 Configure Router A
<Sysname> system-view
[Sysname] interface serial 1/0
[Sysname-Serial1/0] link-protocol fr
[Sysname-Serial1/0.1] fr dlci 50
[Sysname-fr-dlci-Serial1/0.1-50] quit
[Sysname-Serial1/0.1] quit
[Sysname-Serial1/0.2] fr dlci 60
[Sysname-fr-dlci-Serial1/0.2-60] quit
[Sysname-Serial1/0.2] quit
Configuring MP-group Interfaces
MP-group interfaces are used in multilink PPP (MP). MP-group interfaces are
dedicated interfaces for MP and do not support other implementations. Refer to
“PPP and MP Configuration” on page 363 for more information about MP-group.
Table 28 Create an MP-group interface
Configuring MFR Interface
An MFR interface is a logical interface. An MFR interface is a bundle of physical
frame relay links. Sub-interfaces can be configured for an MFR interface, thus
providing high-rate and broad-bandwidth links for a frame relay network. Refer to
“Frame Relay Configuration” on page 235 for detailed information.
Table 29 Create an MFR interface
NOTE: Refer to “Configuring Multilink Frame Relay” on page 258 for detailed information
about MFR interface parameters.
VT and VA Interface
Introduction to VT and VA Interface
A virtual template (VT) is a template used for configuring a virtual access (VA)
interface. VTs are mainly used in VPN and MP implementations.
When multiple PPP links are bundled into an MP, a VA interface is also necessary
for data exchange with the peer end. In this case, the system will also select a VT
so as to create a VA interface dynamically. Refer to “PPP and MP Configuration”
on page 363 for more information about MP.
Create a VT
Table 30 Create a VT
NOTE: Before removing a VT, make sure that all the virtual interfaces derived from the VT
are removed and the VT is not being used.
Displaying and Maintaining VTs and VA Interfaces
After the above configuration, you can use the display command in any view to
view the configuration information about the VTs and VA interfaces, so as to verify
the configuration.
Table 31 Display VTs and VA interfaces
Operation                               Command
Display the status of the specified VT  display interface virtual-template number
Display the status of the VA interface  display virtual-access [ dialer dialer-number | vt vt-number | user user-name | peer peer-address | va-number ]*
Troubleshooting
Before troubleshooting, you must determine whether the VT is used for creating virtual
interfaces for VPN or MP. Then, you can locate the VT failures in the specific
implementation.
Symptom
Virtual interfaces cannot be created.
Solution
The causes may be:
■ No IP address is configured for the VT. As a result, PPP negotiation fails, so the
VA interface cannot be brought up.
■ When PPP authentication parameters are incorrect, PPP negotiation fails if the
peer device is not the user defined by the local device. As a result, the VA
interface cannot be brought up.
■ If the IP address (or IP address pool) to be assigned to the peer is not configured
for the VT, the VA interface cannot provide IP addresses when the peer device
requires the local device to. In this case, the VA interface cannot be brought up.
Configuring VE
PPPoEoA is a structure of 3 layers: the top layer is PPP, the middle layer is PPP over
Ethernet (PPPoE), and the bottom layer is PPPoEoA. Note that the parameters for
PPPoE are configured through VE interfaces on the interface boards of the access
device. Refer to “ATM and DSL Interface Configuration” on page 71 for detailed
information.
Configuring VE
When configuring a permanent virtual channel (PVC) to transfer PPPoEoA packets,
you must specify a VE interface corresponding to the PVC. Otherwise, the PVC cannot
be configured. A VE interface corresponds to only one PVC bearing PPPoEoA. A VE
interface which has been associated with a PVC cannot be removed.
Table 32 Configure a VE Interface
CPOS
Low-speed tributary signals are called channels when they are multiplexed to form
SDH signals. CPOS, the channelized POS interface, makes full use of SDH to
provide precise bandwidth division, reduce the number of low-speed physical
interfaces on devices, enhance their redistribution capacity, and improve the
access capacity of dedicated lines.
CPOS interfaces are mainly used to enhance the devices’ redistribution capacity for
low-speed access. CPOS interfaces mainly come in two rates: STM-1 (155 Mbps) and
STM-16c (2.5 Gbps).
SDH Frame Structure
The frame structure of SDH signal STM-N is described in the following part.
Low-speed tributary signals should distribute in one frame regularly and evenly for
the convenience of adding/dropping them in high-speed signal. ITU-T specifies
that STM-N frames adopt the structure of rectangle blocks in bytes, as illustrated
in the following figure:
[Figure: STM-N frame structure, 9 rows x 270 x N bytes. The first 9 x N columns hold the regenerator section overhead (rows 1 to 3), the AU-PTR (row 4) and the multiplex section overhead (rows 5 to 9); the remaining 261 x N columns hold the payload]
The STM-N frame structure consists of three parts: section overhead (SOH), which
includes regenerator section overhead (RSOH) and multiplex section overhead
(MSOH); administration unit pointer (AU-PTR); and payload. AU-PTR is the pointer
that indicates the location of the first byte of payload in an STM-N frame so that
the receiving end can correctly extract payload.
Terms
■ Multiplex Unit: A basic SDH multiplex unit includes multiple containers (C-n),
virtual containers (VC-n), tributary units (TU-n), tributary unit groups (TUG-n),
administrative units (AU-n) and administrative unit groups (AUG-n), where n is
the hierarchical sequence number of unit level.
■ Container: Information structure unit that carries service signals at different
rates. G.709 defines the criteria for five standard containers: C-11, C-12, C-2,
C-3 and C-4.
■ Virtual container (VC): Information structure unit supporting channel layer
connection of SDH. It terminates an SDH channel. VC is divided into
lower-order and higher-order VCs. VC-4 and VC-3 in AU-3 are higher-order
virtual containers.
■ Tributary unit (TU) and tributary unit group (TUG): TU is the information
structure that provides adaptation between higher-order and lower-order
channel layers. TUG is a set of one or more TUs whose location is fixed in
higher-order VC payload.
Multiplexing E1/T1 Channels to Form STM-1
In SDH multiplexing recommended by G.709, there is more than one path for a
valid payload to be multiplexed to form STM-N. The following figure illustrates the
multiplexing process from E1 and T1 to STM-1.
[Figure: multiplexing of E1 and T1 channels to form STM-1; surviving labels: STM-1, AUG-1 (x1), AU-4 (x1), VC-4, TUG-3 (x3)]
Calculating E1/T1 Channel Sequence Numbers
Since CPOS interfaces adopt the byte interleaved multiplexing mode, the
lower-order VCs are not arranged in order in a higher-order VC. To understand
how TU numbers are calculated, see the following example where E1 channels are
multiplexed to form STM-1 through the AU-4.
As shown in Figure 151, when the AU-4 path is used, the multiplexing structure
for 2 Mbps is 3-7-3. The formula for calculating the TU-12 sequence numbers of
different locations in the same VC-4 is as follows:
Two TU-12s are called adjacent if they have the same TUG-3 number and
TUG-2 number but TU-12 numbers that differ by 1.
[Figure: order of TU-12s in a VC-4. The VC-4 contains TUG-3s 1 to 3, each TUG-3 contains TUG-2s 1 to 7, and each TUG-2 contains TU-12s 1 to 3]
You can calculate TU-12 numbers in the same way when the AU-3 path is used.
Overhead Byte
SDH provides layered monitoring and management of precise division.
It provides monitoring at section and channel levels, where sections are subdivided
into regenerator and multiplex sections, and channels are subdivided into
higher-order and lower-order paths. These monitoring functions are implemented
using overhead bytes.
NOTE: SDH provides a variety of overhead bytes, but only those involved in CPOS
configuration are discussed in this section. For more information about overhead
bytes, refer to related books.
■ SOH
The regeneration section trace message J0 is included in RSOH to send the section
access point identifier repeatedly. Based on the identifier, the receiver can make
sure that it is in continuous connection with the sender. This byte can be any
character in the network of the same operator. If networks of two operators are
involved, however, the sending and receiving devices at network borders must use
the same J0 byte. With the J0 byte, operators can detect and troubleshoot faults in
advance or use less time to recover networks.
■ POH
The payload of an STM-N frame includes path overhead (POH), which monitors
low-speed tributary signals.
While SOH monitors the section layer, POH monitors the path layer. POH is divided
into higher-order path overhead and lower-order path overhead.
Similar to the J0 byte, the higher-order VC-N path trace byte J1 is included in the
higher-order path overhead to send the higher-order path access point identifier
repeatedly. Based on the identifier, the receiving end of the path can make sure
that it is in continuous connection with the specified sending end. The J1 byte at
the receiving and transmission ends should be matched.
The path signal label byte C2 is also included in the higher-order path overhead to
indicate the multiplexing structure of VC frames and the property of payload, for
instance, whether the path is carrying services, what type of services are carried,
and how they are mapped. The sender and receiver must use the same C2 byte.
CPOS Interface Application Scenario
At present, some government agencies and enterprises use low-end and
mid-range devices to access transmission networks through E1/T1 leased lines.
Users who require bandwidth between E1 and T3 (44 Mbps), data centers for
example, lease multiple E1/T1 lines.
The bandwidth of all these users is aggregated to one or more CPOS interfaces
through a transmission network, and then connected to a high-end device where
the low-end devices are uniquely identified by timeslots.
In actual applications, the connection between these low-end devices and the
CPOS interfaces likely involves more than one transmission network and as such,
may require relay. This is similar to the scenario where low-end devices are
connected to a high-end device through one or multiple E1/T1 leased lines.
[Figure: CPOS application scenario; surviving labels: Router A, transmission network, Internet, access network, E1, N x 2 Mbps, N x 64 kbps]
Displaying and Maintaining CPOS Interfaces
To do...                                                                  Use the command...                                                   Remarks
Display information about channels on a specified or all CPOS interfaces  display controller cpos [ cpos-number ]                              Available in any view
Display information about a specified E1 channel on a CPOS interface      display controller cpos cpos-number e1 e1-number                     Available in any view
Display information about a specified T1 channel on a CPOS interface      display controller cpos cpos-number t1 t1-number                     Available in any view
Display information about a serial interface formed by E1/T1 channels     display interface serial interface-number/channel-number:set-number  Available in any view
Shut down the CPOS physical interface                                     shutdown                                                             Available in CPOS interface view
Bring the CPOS physical interface up                                      undo shutdown                                                        Available in CPOS interface view
Shut down an E1 channel                                                   e1 e1-number shutdown                                                Available in CPOS interface view
Bring an E1 channel up                                                    undo e1 e1-number shutdown                                           Available in CPOS interface view
Shut down a T1 channel                                                    t1 t1-number shutdown                                                Available in CPOS interface view
Bring a T1 channel up                                                     undo t1 t1-number shutdown                                           Available in CPOS interface view
NOTE:
■ Shut down physical interfaces that are not connected to cables with the
shutdown command to avoid anomalies resulting from interference.
■ As the command can disable the interface, use it with caution.
Solution:
The fault is very likely caused by a mismatch between the multiplex unit
configurations on the SDH transmission device and the E1 channel numbers on the
CPOS interface on your device. This can result in timeslot inconsistency at the two
ends of transmission and, as a consequence, PPP negotiation failures and LCP anomalies.
■ Use the display controller cpos e1 command to view the multiplexing paths
of the E1 channels or calculate the multiplexing path as shown in section
“Calculating E1/T1 Channel Sequence Numbers” on page 541.
■ Check the configurations on the transmission devices against the result
of the previous step to make sure the same E1 multiplexing path is configured.
ARP Overview
ARP Function
Address resolution protocol (ARP) is used to resolve an IP address into a data link
layer address.
An IP address is the address of a host at the network layer. To send a network layer
packet to a destination host, the device must know the data link layer address
(such as the MAC address) of the destination host. To this end, the IP address must
be resolved into the corresponding data link layer address.
NOTE: Unless otherwise stated, the data link layer addresses that appear in this chapter
refer to the 48-bit Ethernet MAC addresses.
[Figure: ARP message format. Fields in order, with lengths in bytes: Hardware type (2), Protocol type (2), Hardware address length (1), Protocol address length (1), OP (2), Sender hardware address (6), Sender protocol address (4), Target hardware address (6), Target protocol address (4)]
■ Hardware type: This field specifies the type of a hardware address. The value
“1” represents an Ethernet address.
■ Protocol type: This field specifies the type of the protocol address to be
mapped. The hexadecimal value “0x0800” represents an IP address.
ARP Process
Suppose that Host A and Host B are on the same subnet and that Host A sends a
message to Host B, as shown in Figure 156. The resolution process is as follows:
1 Host A looks in its ARP mapping table to see whether there is an ARP entry for
Host B. If Host A finds it, Host A uses the MAC address in the entry to encapsulate
the IP packet into a data link layer frame and sends the frame to Host B.
2 If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an
ARP request, in which the source IP address and source MAC address are
respectively the IP address and MAC address of Host A and the destination IP
address and MAC address are respectively the IP address of Host B and an all-zero
MAC address. Because the ARP request is sent in broadcast mode, all hosts on this
subnet can receive the request, but only the requested host (namely, Host B) will
process the request.
3 Host B compares its own IP address with the destination IP address in the ARP
request. If they are the same, Host B saves the source IP address and source MAC
address into its ARP mapping table, encapsulates its MAC address into an ARP
reply, and unicasts the reply to Host A.
4 After receiving the ARP reply, Host A adds the MAC address of Host B into its ARP
mapping table for subsequent packet forwarding. Meanwhile, Host A
encapsulates the IP packet and sends it out.
[Figure: ARP address resolution between Host A (192.168.1.1, 0002-6779-0f4c) and Host B (192.168.1.2, 00a0-2470-febd)]
When Host A and Host B are not on the same subnet, Host A first sends an ARP
request to the gateway. The destination IP address in the ARP request is the IP
address of the gateway. After obtaining the MAC address of the gateway from an
ARP reply, Host A encapsulates the packet and sends it to the gateway.
Subsequently, the gateway broadcasts the ARP request, in which the destination IP
address is the one of Host B. After obtaining the MAC address of Host B from
another ARP reply, the gateway sends the packet to Host B.
ARP Mapping Table
After obtaining the destination MAC address, the device adds the IP-to-MAC
mapping into its own ARP mapping table. This mapping is used for forwarding
packets with the same destination in future.
An ARP mapping table contains ARP entries, which fall into two categories:
dynamic and static.
1 A dynamic entry is automatically created and maintained by ARP. It can get aged,
be updated by a new ARP packet, or be overwritten by a static ARP entry. When
the aging timer expires or the interface goes down, the corresponding dynamic
ARP entry will be removed.
2 A static ARP entry is manually configured and maintained. It cannot get aged or be
overwritten by a dynamic ARP entry. It can be permanent or non-permanent.
■ A permanent static ARP entry can be directly used to forward data. When
configuring a permanent static ARP entry, you must configure a VLAN and
outbound interface for the entry besides the IP address and MAC address.
■ A non-permanent static ARP entry cannot be directly used for forwarding data.
When configuring a non-permanent static ARP entry, you only need to
configure the IP address and MAC address. When forwarding IP packets, the
device sends an ARP request. If the source IP and MAC addresses in the
received ARP reply are the same as the configured IP and MAC addresses, the
device adds the interface receiving the ARP reply into the static ARP entry. Now
the entry can be used for forwarding IP packets.
Configuring ARP
Configuring a Static ARP Entry
A static ARP entry is effective when the device works normally. However, when a
VLAN or VLAN interface to which a static ARP entry corresponds is deleted, the
entry, if permanent, will be deleted, and if non-permanent and resolved, will
become unresolved.
CAUTION:
■ The vlan-id argument must be the ID of an existing VLAN which corresponds to
the ARP entries. In addition, the Ethernet interface following the argument
must belong to that VLAN. A VLAN interface must be created for the VLAN.
■ Before using the command with the vpn-instance keyword to configure a
permanent static ARP entry, you need to create a VPN instance and bind it to
the VLAN interface.
Configuring the Maximum Number of ARP Entries Dynamically Learned on an Interface
Follow these steps to set the maximum number of ARP entries dynamically learned
on an interface:
To do...                                Use the command...                          Remarks
Enter system view                       system-view                                 -
Enter interface view                    interface interface-type interface-number   -
Set the maximum number of ARP entries   arp max-learning-num number                 Required
dynamically learned on an interface                                                 1,024 by default
Setting Aging Time for Dynamic ARP Entries
After dynamic ARP entries expire, the system will delete them from the ARP
mapping table. You can adjust the aging time for dynamic ARP entries according
to the actual network condition.
Follow these steps to set aging time for dynamic ARP entries:
Enabling the ARP Entry Check
The ARP entry check controls whether the device can learn ARP entries with
multicast MAC addresses. With the ARP entry check enabled, the device cannot
learn any ARP entry with a multicast MAC address. Configuring such a static ARP
entry is not allowed either; if you attempt it, the system displays an error
message.
After the ARP entry check is disabled, the device can learn ARP entries with a
multicast MAC address, and you can also configure such a static ARP entry on the
device.
Enabling the Support for ARP Requests from a Natural Network
When learning MAC addresses, if the device finds that the source IP address of an
ARP packet and the IP address of the inbound interface are not on the same
subnet, the device will further judge whether these two IP addresses are on the
same natural network.
Follow these steps to enable the support for ARP requests from a natural network:
■ Set the maximum number of dynamic ARP entries that Ethernet 1/0 can learn
to 1,000.
■ Add a static ARP entry, with the IP address being 192.168.1.1/24, the MAC
address being 00e0-fc01-0000, and the outbound interface being Ethernet 1/0
of VLAN 10.
Configuration procedure
<Sysname> system-view
[Sysname] arp check enable
[Sysname] arp timer aging 10
[Sysname] naturemask-arp enable
[Sysname] vlan 10
[Sysname-vlan10] quit
[Sysname] interface vlan-interface 10
[Sysname-vlan-interface10] quit
[Sysname] interface ethernet 1/0
[Sysname-Ethernet1/0] port access vlan 10
[Sysname-Ethernet1/0] arp max-learning-num 1000
[Sysname-Ethernet1/0] quit
[Sysname] arp static 192.168.1.1 00e0-fc01-0000 10 ethernet1/0
Configuring Gratuitous ARP
Introduction to Gratuitous ARP
A gratuitous ARP packet is a special ARP packet, in which the source IP address
and destination IP address are both the IP address of the sender, the source MAC
address is the MAC address of the sender, and the destination MAC address is a
broadcast address.
A device receiving a gratuitous ARP packet can add the information carried in the
packet to its own dynamic ARP mapping table if it finds no corresponding ARP
entry for the ARP packet in the cache.
Configuring ARP Source Suppression
Introduction to ARP Source Suppression
If hosts on a network attack the device by sending large amounts of IP packets
whose IP addresses cannot be resolved, the following consequences result:
■ The device sends large amounts of ARP request messages to the destination
subnet, which increases the load of the destination subnet.
■ The device continuously resolves destination IP addresses, which increases the
load of the CPU.
To protect the device against this kind of attack, you can enable the ARP source
suppression function. With the function enabled, whenever the number of
packets with unresolvable IP addresses that a host on the network sends to the
device within five seconds exceeds the specified threshold, the device drops all
subsequent packets with the same source IP address for the next five seconds.
This helps protect the device against the attack.
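The suppression rule described above can be modelled as a per-source counter. This is an added example, not 3Com code: the class and function names, the counting window that starts at a source's first unresolvable packet, the handling of the packet that crosses the threshold, and both traces are assumptions or constructed values.

```python
from dataclasses import dataclass

WINDOW = 5.0    # counting interval stated on this page, in seconds
PENALTY = 5.0   # drop interval stated on this page, in seconds


@dataclass
class _Source:
    window_start: float
    count: int = 0
    blocked_until: float = 0.0


class ArpSourceSuppressor:
    """Per-source limiter for packets whose destination IP cannot be resolved."""

    def __init__(self, threshold=float("inf")):
        # threshold is the configured limit; infinity models the function disabled.
        self.threshold = threshold
        self._sources = {}

    def handle(self, now, src_ip, resolvable):
        """Return 'forward', 'resolve' (an ARP request is sent) or 'drop'."""
        src = self._sources.get(src_ip)
        if src is not None and now < src.blocked_until:
            return "drop"            # resolvable or not, the packet is dropped
        if resolvable:
            return "forward"
        if src is None or now - src.window_start >= WINDOW:
            src = self._sources[src_ip] = _Source(window_start=now)
        src.count += 1
        if src.count > self.threshold:
            # Assumption: the packet that crosses the threshold is still
            # processed; the penalty applies to the packets that follow it.
            src.blocked_until = now + PENALTY
        return "resolve"


def replay(events, threshold=float("inf")):
    """Run (time, source IP, resolvable) tuples through a fresh suppressor."""
    limiter = ArpSourceSuppressor(threshold)
    return [limiter.handle(t, ip, ok) for t, ip, ok in events]


def arp_requests_sent(events, threshold=float("inf")):
    """Number of ARP requests the device would emit for the given trace."""
    return replay(events, threshold).count("resolve")


# Constructed trace: 10.0.0.5 targets unresolvable addresses, 10.0.0.9 is benign.
TRACE = [
    (0.0, "10.0.0.5", False), (0.5, "10.0.0.5", False), (1.0, "10.0.0.9", False),
    (1.5, "10.0.0.5", False), (2.0, "10.0.0.5", False), (2.5, "10.0.0.5", False),
    (3.0, "10.0.0.5", True), (3.5, "10.0.0.9", True), (7.5, "10.0.0.5", True),
    (8.0, "10.0.0.5", False),
]

# Constructed flood: 200 unresolvable packets from one source within two seconds.
FLOOD = [(i * 0.01, "10.0.0.5", False) for i in range(200)]

if __name__ == "__main__":
    for event, verdict in zip(TRACE, replay(TRACE, threshold=3)):
        print(event, verdict)
    print("ARP requests without suppression:", arp_requests_sent(FLOOD))
    print("ARP requests with threshold 10:", arp_requests_sent(FLOOD, threshold=10))
```

The flood comparison shows the effect on both consequences listed above: the number of ARP requests sent to the destination subnet, and with it the resolution work on the CPU, is bounded by the threshold per penalty cycle.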
Configuring Authorized ARP
Introduction to Authorized ARP
Authorized ARP entries are generated based on DHCP leases or security entries for
DHCP clients.
Authorized ARP can prevent attacks from illegal clients, and allow only legal clients
to access network resources, thus enhancing product security. With authorized
ARP enabled, an interface is disabled from learning dynamic ARP entries.
Static ARP entries can overwrite authorized ARP entries, and authorized ARP
entries can overwrite dynamic ARP entries. But authorized ARP entries cannot
overwrite static ARP entries, and dynamic ARP entries cannot overwrite authorized
ARP entries. The aging mechanism of authorized ARP entries is independent from
that of dynamic ARP entries.
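The overwrite rules above, combined with the ARP entry check and dynamic aging from the earlier sections, as an added model that is not the device's implementation. The class and method names are hypothetical, and the addresses in the scenario are constructed from values used in this chapter.

```python
from enum import IntEnum


class Kind(IntEnum):
    # Ordered by the overwrite rules on this page: a new entry replaces an
    # existing one only if its kind ranks at least as high.
    DYNAMIC = 1
    AUTHORIZED = 2
    STATIC = 3


def is_multicast(mac):
    """True if the group bit (lowest bit of the first octet) is set.

    Accepts the xxxx-xxxx-xxxx notation used in this manual.
    """
    first_octet = int(mac.replace("-", "")[:2], 16)
    return bool(first_octet & 0x01)


class ArpTable:
    def __init__(self, aging_time, entry_check=True):
        self.aging_time = aging_time      # same time unit as the `now` arguments
        self.entry_check = entry_check    # models the ARP entry check
        self.authorized_ifaces = set()    # interfaces with authorized ARP enabled
        self.entries = {}                 # ip -> (mac, kind, last_update)

    def _install(self, ip, mac, kind, now):
        if self.entry_check and is_multicast(mac):
            return "rejected: multicast MAC"
        current = self.entries.get(ip)
        if current and kind < current[1]:
            return f"rejected: {current[1].name.lower()} entry exists"
        self.entries[ip] = (mac, kind, now)
        return "installed"

    def learn(self, ip, mac, iface, now):
        """Process the sender IP and MAC of a received ARP packet."""
        if iface in self.authorized_ifaces:
            return "rejected: dynamic learning disabled"
        return self._install(ip, mac, Kind.DYNAMIC, now)

    def add_static(self, ip, mac, now=0):
        return self._install(ip, mac, Kind.STATIC, now)

    def authorize(self, ip, mac, now=0):
        """Called when a DHCP lease or security entry is created."""
        return self._install(ip, mac, Kind.AUTHORIZED, now)

    def age(self, now):
        """Remove expired dynamic entries; other kinds are not aged here."""
        expired = [ip for ip, (_, kind, seen) in self.entries.items()
                   if kind is Kind.DYNAMIC and now - seen >= self.aging_time]
        for ip in expired:
            del self.entries[ip]
        return expired

    def lookup(self, ip):
        entry = self.entries.get(ip)
        return entry[0] if entry else None


def spoofing_demo():
    """Constructed scenario: an ARP packet with a forged sender MAC arrives."""
    table = ArpTable(aging_time=10)
    forged = "0002-6779-0f4c"
    table.add_static("192.168.1.1", "00e0-fc01-0000")
    table.learn("192.168.1.2", "00a0-2470-febd", "Ethernet1/0", now=0)
    results = [
        table.learn("192.168.1.1", forged, "Ethernet1/0", now=1),  # static holds
        table.learn("192.168.1.2", forged, "Ethernet1/0", now=2),  # dynamic is replaced
        table.authorize("192.168.1.2", "00a0-2470-febd", now=3),   # lease corrects it
        table.learn("192.168.1.2", forged, "Ethernet1/0", now=4),  # authorized holds
        table.learn("192.168.1.3", "0100-5e00-0001", "Ethernet1/0", now=5),
    ]
    return results, table


if __name__ == "__main__":
    outcome, arp = spoofing_demo()
    print(outcome)
    print(arp.lookup("192.168.1.2"))
```

Only the dynamic entry accepts the forged mapping, which is why the page pairs authorized ARP with disabling dynamic learning on the interface.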
Network diagram
[Figure: Router A (DHCP server, Eth1/0 10.1.1.1/24) connected to Router B (DHCP client, Eth1/0)]
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] ip address 10.1.1.1 24
[RouterA-Ethernet1/0] quit
# Configure DHCP.
Network diagram
[Figure: Router A (DHCP server, Eth1/0 10.1.1.1/24); Router B (DHCP relay agent, Eth1/0 10.1.1.2/24, Eth1/1 10.10.1.1/24); Router C (DHCP client, Eth1/0)]
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] ip address 10.1.1.1 24
[RouterA-Ethernet1/0] quit
# Configure DHCP.
# Enable DHCP.
<RouterB> system-view
[RouterB] dhcp enable
Displaying and Maintaining ARP
To do...                                      Use the command...                                Remarks
Display the ARP entries in the ARP mapping    display arp { { all | dynamic | static } |        Available in any view
table                                         vlan vlan-id | interface interface-type
                                              interface-number } [ [ verbose ] [ | { begin |
                                              exclude | include } string ] | count ]
Display the ARP entries for a specified IP    display arp ip-address [ verbose ]                Available in any view
address                                       [ | { begin | exclude | include } string ]
Display the ARP entries for a specified VPN   display arp vpn-instance vpn-instance-name        Available in any view
instance                                      [ | { begin | exclude | include } string |
                                              count ]
Display the aging time for dynamic ARP        display arp timer aging                           Available in any view
entries
Display the configuration information of      display arp source-suppression                    Available in any view
ARP source suppression
Proxy ARP Overview
For an ARP request of a host on a network to be forwarded to an interface that is
on the same network but isolated at Layer 2 or a host on another network, the
device connecting the two physical or virtual networks must be able to respond to
the request. This is achieved by proxy ARP.
In one of the following cases, you need to enable the local proxy ARP:
■ Devices connected to different isolated layer 2 ports in the same VLAN need to
implement layer 3 communication.
■ With the super VLAN function enabled, devices in different sub VLANs need to
implement layer 3 communication.
■ With the isolate-user-vlan function enabled, devices in different second VLANs
need to implement layer 3 communication.
Enabling Proxy ARP
Follow these steps to enable proxy ARP in VLAN interface view/Ethernet interface
view or enable local proxy ARP in VLAN interface view:
Displaying and Maintaining Proxy ARP
To do...                                      Use the command...                                Remarks
Display whether proxy ARP is enabled          display proxy-arp [ interface interface-type      Available in any view
                                              interface-number ]
Display whether local proxy ARP is enabled    display local-proxy-arp [ interface               Available in any view
                                              interface-type interface-number ]
Proxy ARP Configuration Examples
Network diagram
[Figure labels: Host A, Host B; host address 192.168.10.100/16, MAC 0000.0c94.36aa; Subnet A on Router Eth1/0 (192.168.10.99/24); Subnet B on Router Eth1/1 (192.168.20.99/24)]
Configuration procedure
1 Configure the IP address 192.168.10.99/24 for Ethernet 1/0 and
192.168.20.99/24 for Ethernet 1/1.
2 Configure ARP on the device to enable the communication between Host A and
Host D.
<Router> system-view
[Router] interface ethernet 1/0
[Router-Ethernet1/0] ip address 192.168.10.99 255.255.255.0
[Router-Ethernet1/0] proxy-arp enable
[Router-Ethernet1/0] quit
Network diagram
Figure 160 Network diagram for local proxy ARP between isolated ports
[Figure labels: Router (Eth1/0 in VLAN 2, Vlan-int2 192.168.10.100/16); Switch (VLAN 2, port-isolate group 2, uplink port Eth1/2, Eth1/0, Eth1/1)]
NOTE:
■ The switch in this diagram is a distributed device.
■ The switch isolates all traffic in this configuration example, so you need to
configure local proxy ARP on VLAN-interface 2 of the router to enable the
communication between Host A and Host B. If the two ports (Ethernet 1/0 and
Ethernet 1/1) on the switch are isolated only at Layer 2, you can enable the
communication between the two hosts by configuring local proxy ARP directly
on VLAN-interface 2 of the switch.
Configuration procedure
1 Configure the Switch
# Add Ethernet 1/0, Ethernet 1/1 and Ethernet 1/2 to VLAN 2. Host A and Host B
are isolated and unable to exchange Layer 2 packets.
<Switch> system-view
[Switch] port-isolate group 2
[Switch] vlan 2
[Switch-vlan2] port ethernet 1/0
[Switch-vlan2] port ethernet 1/1
[Switch-vlan2] port ethernet 1/2
[Switch-vlan2] quit
<Router> system-view
[Router] vlan 2
[Router-vlan2] port ethernet 1/0
[Router-vlan2] interface vlan-interface 2
[Router-Vlan-interface2] ip address 192.168.10.100 255.255.0.0
Ping Host B on Host A to verify that Host B cannot be pinged, which indicates they
are isolated at Layer 2.
# Configure local proxy ARP to let Host A and Host B communicate at Layer 3.
Ping Host B on Host A to verify that Host B can be pinged, which indicates Layer 3
communication is implemented.
Introduction to DHCP
The fast expansion and growing complexity of networks result in scarce IP
addresses assignable to hosts. Meanwhile, with the wide application of wireless
networks, the frequent movement of laptops across networks requires that the IP
addresses be changed accordingly. Therefore, related configurations on hosts
become more complex. Dynamic host configuration protocol (DHCP) was
introduced to solve these problems.
A typical DHCP application, as shown in Figure 161, includes a DHCP server and
multiple clients (PCs and laptops).
NOTE: When residing in a different subnet from the DHCP server, the DHCP client can get
the IP address and other configuration parameters from the server via a DHCP
relay agent. For information about the DHCP relay agent, refer to “Introduction to
DHCP Relay Agent” on page 589.
DHCP Address Allocation
[Figure: message exchange between the DHCP client and the DHCP server: (1) DHCP-DISCOVER, (2) DHCP-OFFER, (3) DHCP-REQUEST, (4) DHCP-ACK]
As shown in the figure above, a DHCP client obtains an IP address from a DHCP
server via four steps:
NOTE:
■ After the client receives the DHCP-ACK message, it will probe whether the IP
address assigned by the server is in use by broadcasting gratuitous ARP. If the
client receives no response within specified time, the client can use this IP
IP Address Lease Extension
The IP address dynamically allocated by a DHCP server to a client has a lease. After
the lease duration elapses, the IP address will be reclaimed by the DHCP server. If
the client wants to use the IP address again, it has to extend the lease duration.
After half the lease duration elapses, the DHCP client will send the DHCP server a
DHCP-REQUEST unicast message to extend the lease duration. Depending on the
availability of the IP address, the DHCP server returns a DHCP-ACK unicast
confirming that the client’s lease duration has been extended, or a DHCP-NAK
unicast denying the request.
DHCP Message Format
Figure 163 gives the DHCP message format, which is based on the BOOTP
message format and involves eight types. These types of messages have the same
format except that some fields have different values. The numbers in parentheses
indicate the size of each field in octets.
0 7 15 23 31
op (1) htype (1) hlen (1) hops (1)
xid (4)
ciaddr (4)
yiaddr (4)
siaddr (4)
giaddr (4)
chaddr (16)
sname (64)
file (128)
options (variable)
■ flags: The leftmost bit is defined as the BROADCAST (B) flag. This flag indicates
whether the DHCP server sends a reply back by unicast or broadcast. If this flag
is set to 0, the DHCP server sent a reply back by unicast; if this flag is set to 1,
the DHCP server sent a reply back by broadcast. The remaining bits of the flags
field are reserved.
■ ciaddr: Client IP address.
■ yiaddr: ’your’ (client) IP address, assigned by the server.
■ siaddr: Server IP address, from which the clients obtained configuration
parameters.
■ giaddr: IP address of the first relay agent a request message traveled through.
■ chaddr: Client hardware address.
■ sname: The server host name, from which the client obtained configuration
parameters.
■ file: Bootfile name and routing information, defined by the server to the client.
■ options: Optional parameters field that is variable in length, which includes the
message type, lease, DNS IP address, WINS IP address and so forth.
DHCP Options
DHCP Options Overview
The DHCP message adopts the same format as the Bootstrap Protocol (BOOTP)
message for compatibility, but differs from it in the option field, which identifies
the new features of DHCP.
DHCP uses the option field in DHCP messages to carry control information and
network configuration parameters, implementing dynamic address allocation and
providing more network configuration information for clients.
0 7 15
Option type Option length
Value (variable)
■ Option 66: TFTP server name option. It specifies a TFTP server to be assigned to
the client.
■ Option 67: Bootfile name option. It specifies the bootfile name to be assigned
to the client.
■ Option 150: TFTP server IP address option. It specifies the TFTP server IP address
to be assigned to the client.
Self-Defined Options
Some options, such as Option 43, have no unified definitions in RFC 2132. The
formats of some self-defined options are introduced as follows.
The DHCP client can obtain the preboot executive environment (PXE) server
address through Option 43, to further obtain the bootfile or other control
information from the PXE server.
0 7 15 23 31
Option type (0x2B) Option length Sub-option type (0x80) Sub-option length
...
For scalability, the PXE server address is configured as a sub-option of Option
43 so that the DHCP client can obtain more information through Option 43. The
value of the sub-option type is 0x80.
Figure 166 shows the format of the PXE server address list. Currently, the value of
the PXE server type can only be 0.
0 7 15
PXE server type (0x0000)
Server number
The administrator can locate the DHCP client to further implement security control
and accounting. The server supporting Option 82 can also use such information to
define individual assignment policies of IP address and other parameters for the
clients.
Option 82 has no unified definition. Its padding formats vary with vendors.
Currently the device supports two padding formats: normal and verbose.
The padding contents for sub-options in the normal padding format are:
■ sub-option 1: Padded with the VLAN ID and interface number of the interface
that received the client’s request. The following figure gives its format. The
value of the sub-option type is 1, and that of the circuit ID type is 0.
0 7 15 23 31
Sub-option type (0x01) Length (0x06) Circuit ID type (0x00) Length (0x04)
■ sub-option 2: Padded with the MAC address of the interface that received the
client’s request. The following figure gives its format. The value of the
sub-option type is 2, and that of the remote ID type is 0.
0 7 15 23 31
Sub-option type (0x02) Length (0x08) Remote ID type (0x00) Length (0x06)
MAC Address
The padding contents for sub-options in the verbose padding format are:
■ sub-option 1: Padded with the user-specified access node identifier (ID of the
device that adds Option 82 in DHCP messages), and type, number, PVC
identifier (used when the interface type is ATM), and VLAN ID of the interface
that received the client’s request. Its format is shown in the following figure.
NOTE: In the above figure, the VLAN ID field has a fixed length of 2 bytes; all
the other padding contents of sub-option 1 are variable in length.
■ sub-option 2: Padded with the MAC address of the interface that received the
client’s request. It has the same format as that in normal padding format, as
shown in Figure 168.
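A parser for the message layout and the normal padding format of Option 82 described above, added here as an example and not taken from the device software. The secs and flags positions, the magic cookie, and option codes 0, 53 and 255 follow RFC 2131/2132; the split of the 4-octet circuit ID into a 2-octet VLAN ID and a 2-octet interface number is an assumption, as are the function names and the constructed sample message.

```python
import ipaddress
import struct

MAGIC_COOKIE = bytes.fromhex("63825363")      # RFC 2131 marker before the options
# op htype hlen hops | xid | secs flags | ciaddr yiaddr siaddr giaddr | chaddr sname file
BOOTP_FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # 236 octets


def parse_tlvs(data, pad=None, end=None):
    """Walk type/length/value triples; refuse lengths that overrun the buffer."""
    items, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind == pad:
            i += 1
            continue
        if kind == end:
            break
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError(f"truncated TLV at offset {i}")
        length = data[i + 1]
        items.append((kind, data[i + 2:i + 2 + length]))
        i += 2 + length
    return items


def fmt_mac(raw):
    """Render octets in the xxxx-xxxx-xxxx notation used in this manual."""
    text = raw.hex()
    return "-".join(text[i:i + 4] for i in range(0, len(text), 4))


def decode_option82_normal(value):
    """Decode sub-options 1 and 2 of Option 82 in the normal padding format."""
    info = {}
    for sub_type, body in parse_tlvs(value):
        # Each sub-option wraps its payload in an inner type (0x00) and length.
        if len(body) < 2 or body[0] != 0x00 or body[1] != len(body) - 2:
            raise ValueError(f"sub-option {sub_type} is not in normal padding format")
        payload = body[2:]
        if sub_type == 1 and len(payload) == 4:
            # Assumption: 2-octet VLAN ID, then 2-octet interface number.
            info["vlan_id"], info["interface_number"] = struct.unpack("!HH", payload)
        elif sub_type == 2 and len(payload) == 6:
            info["relay_mac"] = fmt_mac(payload)
        else:
            raise ValueError(f"unexpected sub-option {sub_type}, length {len(payload)}")
    return info


def parse_dhcp(packet):
    """Parse the fixed header, the options, and Option 82 if present."""
    if len(packet) < BOOTP_FIXED.size + len(MAGIC_COOKIE):
        raise ValueError("shorter than the fixed header plus magic cookie")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, sname, bootfile) = BOOTP_FIXED.unpack_from(packet)
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options = dict(parse_tlvs(packet[240:], pad=0, end=255))
    msg_type = options.get(53)
    message = {
        "op": op,
        "xid": xid,
        "hops": hops,
        "broadcast": bool(flags & 0x8000),      # leftmost bit of the flags field
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "siaddr": str(ipaddress.IPv4Address(siaddr)),
        "giaddr": str(ipaddress.IPv4Address(giaddr)),
        "chaddr": fmt_mac(chaddr[:6]) if hlen == 6 else chaddr[:hlen].hex(),
        "message_type": msg_type[0] if msg_type else None,
    }
    if 82 in options:
        message["option82"] = decode_option82_normal(options[82])
    return message


def build_sample():
    """Constructed relayed DHCP-DISCOVER used as input (not a capture)."""
    opt82 = (bytes([1, 6, 0, 4]) + struct.pack("!HH", 10, 1) +
             bytes([2, 8, 0, 6]) + bytes.fromhex("00e0fc010000"))
    options = bytes([53, 1, 1]) + bytes([82, len(opt82)]) + opt82 + b"\xff"
    header = BOOTP_FIXED.pack(
        1, 1, 6, 1, 0x3903F326, 0, 0x8000,
        bytes(4), bytes(4), bytes(4),
        ipaddress.IPv4Address("10.10.1.1").packed,
        bytes.fromhex("000267790f4c"), b"", b"")
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    print(parse_dhcp(build_sample()))
```

Both length checks matter on a server that acts on Option 82: the outer option length and the inner sub-option lengths are supplied by whoever sent the message, so each is validated before any slice is interpreted.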
Option 184
Option 184 is a reserved option, and parameters in the option can be defined as
needed. The device supports Option 184 carrying the voice related parameters, so
a DHCP client with voice functions can get an IP address along with specified voice
parameters from the DHCP server.
Introduction to DHCP Server
The address pool database is organized as a tree. The root of the tree is the
address pool for natural networks, branches are address pools for subnets, and
leaves are addresses statically bound to clients. For the same level address pools, a
previously configured pool has a higher selection priority than a new one.
At the very beginning, subnetworks inherit network parameters and clients inherit
subnetwork parameters. Therefore, common parameters, the DNS server address
for example, should be configured at the highest (network or subnetwork) level of
the tree.
For example, two address pools are configured on the DHCP server. The ranges of
IP addresses that can be dynamically assigned are 1.1.1.0/24 and 1.1.1.0/25
respectively. If the IP address of the interface receiving DHCP requests is
1.1.1.1/25, the DHCP server will select IP addresses for clients from the 1.1.1.0/25
address pool. If no IP address is available in the 1.1.1.0/25 address pool, the DHCP
server will fail to assign addresses to clients. If the IP address of the interface
receiving DHCP requests is 1.1.1.130/25, the DHCP server will select IP addresses
for clients from the 1.1.1.0/24 address pool.
NOTE: Keep the IP addresses for dynamic allocation within the subnet where the
interface of the DHCP server resides to avoid wrong IP address allocation.
IP Address Allocation Sequence
A DHCP server assigns an IP address to a client according to the following
sequence:
1 The IP address manually bound to the client’s MAC address or ID
2 The IP address that was previously assigned to the client
3 The IP address designated by the Option 50 field in a DHCP-DISCOVER message
4 The first IP address found in a proper DHCP address pool
5 An IP address that was in conflict or has passed its lease duration
DHCP Server Configuration Task List
To configure the DHCP server feature, perform the tasks described in the following
sections:
Task                                                    Remarks
“Enabling DHCP”                                         Required
“Enabling the DHCP Server on an Interface”              Optional
“Configuring an Address Pool for the DHCP Server”       Required
“Configuring the DHCP Server Security Functions”        Optional
“Configuring the Handling Mode for Option 82”           Optional
Enabling the DHCP Server on an Interface
With the DHCP server enabled on an interface, upon receiving a client’s request,
the DHCP server will assign an IP address from its address pool to the DHCP client.
NOTE: The subaddress keyword is valid only when the server and client are on the same
subnet. If a DHCP relay agent exists in between, regardless of subaddress, the
DHCP server will select an IP address from the address pool of the subnet which
contains the primary IP address of the DHCP relay agent’s interface (connected to
the client).
When the DHCP server and client are on the same subnet, the server will:
■ With subaddress specified, assign an IP address from the address pool of the
subnet which the secondary IP address of the server’s interface connected to
the client belongs to, or assign from the first secondary IP address if several
secondary IP addresses exist. If no secondary IP address is configured for the
interface, the server is unable to assign an IP address to the client.
■ Without subaddress specified, assign an IP address from the address pool of
the subnet which the primary IP address of the server’s interface (connected to
the client) belongs to.
Configuring an Address Pool for the DHCP Server
Configuration Task List
To configure an address pool, perform the tasks described in the following
sections:
Task                                                                      Remarks
“Creating a DHCP Address Pool”                                            Required
“Configuring an Address Allocation Mechanism”:                            Required to configure either
  “Configuring manual address allocation”                                 of the two
  “Configuring dynamic address allocation”
“Configuring a Domain Name Suffix for the Client”                         Optional
“Configuring DNS Servers for the Client”                                  Optional
“Configuring WINS Servers and NetBIOS Node Type for the Client”           Optional
“Configuring the BIMS server Information for the Client”                  Optional
“Configuring Gateways for the Client”                                     Optional
“Configuring Option 184 Parameters for the Client with Voice Service”     Optional
“Configuring the TFTP Server and Bootfile Name for the Client”            Optional
“Configuring Self-Defined DHCP Options”                                   Optional
Creating a DHCP Address Pool
To create a DHCP address pool, use the following commands:
To do...                                  Use the command...               Remarks
Enter system view                         system-view                      -
Create a DHCP address pool and enter      dhcp server ip-pool pool-name    Required
its view                                                                   No DHCP address pool is created by default.
Configuring an Address Allocation Mechanism
CAUTION: You can configure either the static binding or dynamic address
allocation for an address pool as needed.
When the client with the MAC address or ID requests an IP address, the DHCP
server will find the IP address from the binding for the client.
A DHCP address pool now supports only one static binding, which can be a
MAC-to-IP or ID-to-IP binding.
To configure the static binding in a DHCP address pool, use the following
commands:
To avoid address conflicts, the DHCP server excludes IP addresses used by the GW,
FTP server and so forth from dynamic allocation.
You can specify a lease duration for a DHCP address pool that differs from those
of other pools, but a single DHCP address pool can have only one lease duration.
The lease duration is not inherited.
Configuring a Domain Name Suffix for the Client
You can specify a domain name suffix in each DHCP address pool on the DHCP
server for the clients. With this suffix assigned, the client needs to input only part of a
domain name, and the system will add the domain name suffix for name
resolution. For details about DNS, refer to “DNS Overview” on page 609.
To configure a domain name suffix in the DHCP address pool, use the following
commands:
Configuring DNS Servers for the Client
When a DHCP client wants to access a host on the Internet via the host name, it
contacts a domain name system (DNS) server holding host name-to-IP address
mappings to get the host IP address. You can specify up to eight DNS servers in the
DHCP address pool.
To configure DNS servers in the DHCP address pool, use the following commands:
Configuring WINS Servers and NetBIOS Node Type for the Client
A Microsoft DHCP client using NetBIOS protocol contacts a Windows Internet
Naming Service (WINS) server for name resolution. Therefore, the DHCP server
should assign a WINS server address when assigning an IP address to the client.
You need to specify in a DHCP address pool the NetBIOS node type that the client
uses for name resolution. There are four NetBIOS node types:
To configure WINS servers and NetBIOS node type in the DHCP address pool, use
the following commands:
NOTE: If b-node is specified for the client, you do not need to specify a WINS server address.
Configuring the BIMS server Information for the Client
A DHCP client performs regular software update and backup using configuration
files obtained from a branch intelligent management system (BIMS) server.
Therefore, the DHCP server needs to offer DHCP clients the BIMS server IP address,
port number, and shared key from the DHCP address pool.
To configure the BIMS server IP address, port number, and shared key in the DHCP
address pool, use the following commands:
Configuring Gateways for the Client
DHCP clients that want to access hosts outside the local subnet request gateways
to forward data. You can specify gateways in each address pool for clients and the
DHCP server will assign gateway addresses while assigning an IP address to the
clients. Up to eight gateways can be specified in a DHCP address pool.
To configure the gateways in the DHCP address pool, use the following
commands:
Configuring Option 184 Parameters for the Client with Voice Service
To assign voice calling parameters along with an IP address to DHCP clients with
voice service, you need to configure Option 184 on the DHCP server. For
information about Option 184, refer to “Option 184” on page 571.
If option 55 in the request from a DHCP client contains option 184, the DHCP
server will return parameters specified in option 184 to the client. The client then
can initiate a call using parameters in Option 184.
To configure option 184 parameters in the DHCP address pool, use the following
commands:
NOTE: Specify an IP address for the network calling processor before performing other
configuration.
Configuring the TFTP Server and Bootfile Name for the Client
This task is to specify the IP address and name of a TFTP server and the bootfile
name in the DHCP address pool. The DHCP clients use these parameters to
contact the TFTP server, requesting the configuration file used for system
initialization, which is called autoconfiguration. The request process of the client is
described below:
1 When a router starts up without loading any configuration file, the system sets an
active interface (such as the interface of the default VLAN or a Layer 3 Ethernet
interface) as the DHCP client to request from the DHCP server parameters such as
an IP address and name of a TFTP server, and the bootfile name.
2 After getting related parameters, the DHCP client will send a TFTP request to
obtain the configuration file from the specified TFTP server for system initialization.
If the client cannot get such parameters, it will perform system initialization
without loading any configuration file.
To configure the IP address and name of the TFTP server and the bootfile name in
the DHCP address pool, use the following commands:
■ Define existing DHCP options. Some options have no unified definitions in RFC
2132; however, vendors can define such options as Option 43 as needed. The
self-defined DHCP option enables DHCP clients to obtain vendor-specific
information.
■ Expand existing DHCP options. When the current DHCP options cannot meet
the customer’s requirements (for example, you cannot use the dns-list
command to configure more than eight DNS server addresses), you can expand
these options.
To configure a self-defined DHCP option in the DHCP address pool, use the
following commands:
Option   Option Name                               Corresponding command   Parameter
3        Router Option                             gateway-list            ip-address
6        Domain Name Server Option                 dns-list                ip-address
15       Domain Name                               domain-name             ascii
44       NetBIOS over TCP/IP Name Server Option    nbns-list               ip-address
46       NetBIOS over TCP/IP Node Type Option      netbios-type            hex
51       IP Address Lease Time                     expired                 hex
58       Renewal (T1) Time Value                   expired                 hex
59       Rebinding (T2) Time Value                 expired                 hex
66       TFTP server name                          tftp-server             ascii
67       Bootfile name                             bootfile-name           ascii
43       Vendor Specific Information               -                       hex
CAUTION:
■ Be careful when configuring self-defined DHCP options because the
configuration of these options may affect the DHCP operation process.
■ When you use self-defined option (Option 51) to configure the IP address lease
duration, convert the lease duration into seconds in hexadecimal notation.
Configuring the DHCP Server Security Functions
This configuration is necessary to secure DHCP services on the DHCP server.
Configuration Prerequisites
Before performing this configuration, complete the following configuration on the
DHCP server:
■ Enable DHCP
■ Configure the DHCP address pool
Enabling Unauthorized DHCP Server Detection
There are unauthorized DHCP servers on networks, which reply to DHCP clients with
wrong IP addresses.
With this feature enabled, when receiving a DHCP message with the siaddr field
not being 0 from a client, the DHCP server will record the value of the siaddr field
in the message and the receiving interface. The administrator can use this
information to identify any unauthorized DHCP servers.
NOTE: With the unauthorized DHCP server detection enabled, the device logs only
one record for each DHCP server. The administrator needs to find unauthorized DHCP
servers from the log information.
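The recording rule above, followed by the review step left to the administrator, as an added example rather than the device's own logic. The class name, the list of authorized servers used for review, and the constructed messages (10.1.1.1 is the DHCP server address used in this chapter, 10.1.1.66 is invented) are assumptions.

```python
import ipaddress
import struct

BOOTP_FIXED_LEN = 236
SIADDR_OFFSET = 20    # after op/htype/hlen/hops, xid, secs/flags, ciaddr, yiaddr


def siaddr_of(message):
    """Return the siaddr field of a BOOTP/DHCP message as an IPv4Address."""
    if len(message) < BOOTP_FIXED_LEN:
        raise ValueError("shorter than the fixed BOOTP header")
    (raw,) = struct.unpack_from("!4s", message, SIADDR_OFFSET)
    return ipaddress.IPv4Address(raw)


class UnauthorizedServerLog:
    """Keeps one record per server address seen in client messages."""

    def __init__(self):
        self.records = {}     # siaddr -> interface on which it was first seen

    def observe(self, message, interface):
        """Return True if this message produced a new record."""
        try:
            server = siaddr_of(message)
        except ValueError:
            return False      # malformed input never creates a record
        if int(server) == 0 or server in self.records:
            return False
        self.records[server] = interface
        return True

    def review(self, authorized_servers):
        """Records whose server address is not on the administrator's list."""
        allowed = {ipaddress.IPv4Address(a) for a in authorized_servers}
        return [(str(server), iface) for server, iface in self.records.items()
                if server not in allowed]


def client_message(siaddr):
    """Constructed 236-octet client message carrying the given siaddr."""
    header = bytearray(BOOTP_FIXED_LEN)
    header[0] = 1             # op = request
    header[SIADDR_OFFSET:SIADDR_OFFSET + 4] = ipaddress.IPv4Address(siaddr).packed
    return bytes(header)


if __name__ == "__main__":
    log = UnauthorizedServerLog()
    for addr, iface in [("0.0.0.0", "Ethernet1/0"), ("10.1.1.1", "Ethernet1/0"),
                        ("10.1.1.66", "Ethernet1/1"), ("10.1.1.66", "Ethernet1/0")]:
        log.observe(client_message(addr), iface)
    print(log.review(["10.1.1.1"]))
```

Because each server is recorded once, the record keeps the first interface on which its address appeared; later sightings on other interfaces are not added.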
Configuring IP Address Conflict Detection
To avoid IP address conflicts, the DHCP server checks whether the address to be
assigned is in use via sending ping packets.
The DHCP server pings the IP address to be assigned using ICMP. If the server gets
a response within the specified period, the server will ping another IP address;
otherwise, the server will ping the IP addresses once again until the specified
number of ping packets are sent. If still no response, the server will assign the IP
address to the requesting client (The DHCP client probes the IP address by sending
gratuitous ARP packets).
Configuring the DHCP Server to Support Authorized ARP
A DHCP server can work in cooperation with authorized ARP to block illegal
clients, avoid learning incorrect ARP entries and guard against attacks such as
MAC address spoofing. Only the clients that have valid leases on the DHCP server
are considered legal clients.
When authorized ARP is enabled, the ARP automatic learning function is disabled.
ARP entries can only be added by the authentication module, the DHCP server,
which notifies authorized ARP to add/delete/change authorized ARP entries when
adding/deleting/changing IP address leases. Thus, only the clients that have
obtained IP addresses from the DHCP server can access the network normally,
while other clients are considered illegal clients and are unable to access the
network.
Follow these steps to configure the DHCP server to support authorized ARP:
NOTE:
■ Authorized ARP can only be configured on Layer 3 interfaces.
■ When the working mode of the interface is changed from DHCP server to
DHCP relay agent, neither the IP address leases nor the authorized ARP entries
will be deleted. However, these ARP entries may conflict with the new static
entries generated on the DHCP relay agent; therefore, you are recommended
to delete the existing IP address leases when changing the interface working
mode to DHCP relay agent.
■ Disabling the DHCP server to support authorized ARP will not delete the IP
address leases, but will notify authorized ARP to delete the corresponding
authorized ARP entries.
■ For more information about authorized ARP, refer to “Configuring Authorized
ARP” on page 555.
Configuring the Handling Mode for Option 82
When the DHCP server receives a message with Option 82, if the server is
configured to handle Option 82, it will return a response message carrying Option
82 to assign an IP address to the requesting client.
If the server is configured to ignore Option 82, it will assign an IP address to the
client without adding Option 82 in the response message.
Configuration prerequisites
Before performing this configuration, complete the following configuration on the
DHCP server:
■ Enable DHCP
■ Configure the DHCP address pool
Displaying and Maintaining the DHCP Server
To do...                                                                        Use the command...                                                          Remarks
Display information about IP address conflicts                                  display dhcp server conflict { all | ip ip-address }                        Available in any view
Display information about lease expiration                                      display dhcp server expired { all | ip ip-address | pool [ pool-name ] }    Available in any view
Display information about assignable IP addresses                               display dhcp server free-ip                                                 Available in any view
Display IP addresses excluded from dynamic allocation in the DHCP address pool  display dhcp server forbidden-ip                                            Available in any view
Display information about bindings                                              display dhcp server ip-in-use { all | ip ip-address | pool [ pool-name ] }  Available in any view
Display information about DHCP server statistics                                display dhcp server statistics                                              Available in any view
Display information about the address pool tree organization                    display dhcp server tree { all | pool [ pool-name ] }                       Available in any view
Clear information about IP address conflicts                                    reset dhcp server conflict { all | ip ip-address }                          Available in user view
Clear information about dynamic bindings                                        reset dhcp server ip-in-use { all | ip ip-address | pool [ pool-name ] }    Available in user view
Clear information about DHCP server statistics                                  reset dhcp server statistics                                                Available in user view
n Using the save command does not save DHCP server lease information. Therefore,
when the system boots up or the reset dhcp server ip-in-use command is
executed, no lease information will be available in the configuration file. In this
case, the server will deny the request for lease extension from a client and the
client needs to request an IP address again.
DHCP Server Configuration Examples
■ The DHCP server and client are on the same subnet and perform direct
message delivery.
■ The DHCP server and client are not on the same subnet and communicate with
each other via a DHCP relay agent.
The DHCP server configuration for the two types is the same.
Network requirements
■ The DHCP server (Router A) assigns IP addresses to clients on the subnet
10.1.1.0/24, which is subnetted into 10.1.1.0/25 and 10.1.1.128/25.
■ The IP addresses of Ethernet1/1 and Ethernet1/2 on Router A are 10.1.1.1/25
and 10.1.1.129/25 respectively.
■ In the subnet 10.1.1.0/25, the address lease duration is ten days and twelve
hours, domain name suffix aabbcc.com, DNS server address 10.1.1.2, WINS
server address 10.1.1.4, and gateway address 10.1.1.126.
■ In the subnet 10.1.1.128/25, the address lease duration is five days, domain
name suffix aabbcc.com, DNS server address 10.1.1.2, and gateway address
10.1.1.254, and there is no WINS server address.
■ The domain name and DNS server address on the subnets 10.1.1.0/25 and
10.1.1.128/25 are the same. Therefore, a domain name and DNS server
address can be configured only for the subnet 10.1.1.0/24 and the subnet
10.1.1.128/25 can inherit the configuration of the subnet 10.1.1.0/24.
Network diagram
[Figure: Router A (DHCP server) with Eth1/1 at 10.1.1.1/25 and Eth1/2 at 10.1.1.129/25. Other labels in the diagram: 10.1.1.4/25, 10.1.1.126/25, 10.1.1.254/25, Router B, DNS server, and clients.]
Configuration procedure
Specify IP addresses for interfaces (omitted).
# Enable DHCP
<RouterA> system-view
[RouterA] dhcp enable
# Exclude IP addresses from dynamic allocation (addresses of the DNS server, WINS
server, and gateways).
# Configure DHCP address pool 0 (address range, client domain name suffix and
DNS server address).
# Configure DHCP address pool 1 (address range, gateway, WINS server, and lease
duration).
# Configure DHCP address pool 2 (address range, gateway and lease duration).
Network diagram
Figure 171 Network diagram for self-defined option configuration (a router as the DHCP server)
[Figure: Router A (DHCP server), Eth1/0 at 10.1.1.1/24, connected to Eth1/0 of Router B (DHCP client).]
Configuration procedure
1 Specify IP address for interface Ethernet 1/0 (omitted)
2 Configure the DHCP server
# Enable DHCP.
<RouterA> system-view
[RouterA] dhcp enable
Analysis
A host on the subnet may have the same IP address.
Solution
1 Disconnect the client’s network cable and ping the client’s IP address on another
host with a long timeout time to check whether there is a host using the same IP
address.
2 If a ping response is received, the IP address has been manually configured on the
host. Execute the dhcp server forbidden-ip command on the DHCP server to
exclude the IP address from dynamic allocation.
3 Connect the client’s network cable. Release the IP address and obtain another one
on the client. Taking Windows XP as an example, run cmd to open a DOS
window, type ipconfig/release to relinquish the IP address, and then type
ipconfig/renew to obtain another IP address.
Introduction to DHCP Relay Agent
Application Environment
Since DHCP clients request IP addresses via broadcast messages, the DHCP server
and clients must be on the same subnet. Therefore, a DHCP server must be
available on each subnet, which is not practical.
The DHCP relay agent solves this problem. Via a relay agent, DHCP clients
communicate with a DHCP server on another subnet to obtain configuration
parameters. Thus, DHCP clients on different subnets can contact the same DHCP
server for ease of centralized management and cost reduction.
Fundamentals
Figure 172 shows a typical application of the DHCP relay agent.
[Figure 172: typical DHCP relay agent application; surviving label: IP network.]
No matter whether a relay agent exists or not, the DHCP server and client interact
with each other in a similar way (see “Dynamic IP Address Allocation Procedure”
on page 566). The following describes the forwarding process on the DHCP relay
agent.
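[Figure: message exchange through the DHCP relay agent. Between client and relay agent: DHCP-DISCOVER (broadcast), DHCP-OFFER, DHCP-REQUEST (broadcast), DHCP-ACK. Between relay agent and server: DHCP-DISCOVER (unicast), DHCP-OFFER (unicast), DHCP-REQUEST (unicast), DHCP-ACK (unicast).]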
As shown in the figure above, the DHCP relay agent works as follows:
DHCP Relay Agent Support for Option 82
Option 82 records the location information of the DHCP client. The administrator
can locate the DHCP client to further implement security control and accounting.
For more information, refer to “Relay agent option (Option 82)” on page 570.
If the DHCP relay agent supports Option 82, it will handle a client’s request
according to the contents defined in Option 82, if any. The handling strategies are
described in the table below.
If a reply returned by the DHCP server contains Option 82, the DHCP relay agent
will remove the Option 82 before forwarding the reply to the client.
If a client’s requesting message has...  Handling strategy  Padding format  The DHCP relay agent will...
Option 82                                Drop               Random          Drop the message.
Option 82                                Keep               Random          Forward the message without changing Option 82.
Option 82                                Replace            normal          Forward the message after replacing the original Option 82 with the Option 82 padded in normal format.
Option 82                                Replace            verbose         Forward the message after replacing the original Option 82 with the Option 82 padded in verbose format.
no Option 82                             -                  normal          Forward the message after adding the Option 82 padded in normal format.
no Option 82                             -                  verbose         Forward the message after adding the Option 82 padded in verbose format.
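The strategy table above, written out as code. This is an added example in Python, not code from the manual or the device: it parses a DHCP options field, applies the drop/keep/replace strategy to a client request, and strips Option 82 from a server reply. The PADDED payloads and the sample option fields are constructed placeholders, because the normal and verbose layouts are defined elsewhere in the manual.

```python
"""Relay-agent handling of DHCP Option 82, following the strategy table."""

PAD, END, RELAY_AGENT_INFO = 0, 255, 82

# Constructed placeholder payloads (sub-option 1 and sub-option 2 with made-up
# values). The manual defines the real "normal" and "verbose" layouts elsewhere.
PADDED = {
    "normal": bytes([1, 4, 0, 1, 0, 2]) + bytes([2, 6]) + bytes.fromhex("001122334455"),
    "verbose": bytes([1, 9]) + b"eth1/1:10" + bytes([2, 6]) + bytes.fromhex("001122334455"),
}


def parse_options(raw):
    """Split a DHCP options field (after the magic cookie) into (code, value) pairs."""
    opts, i = [], 0
    while i < len(raw):
        code = raw[i]
        if code == END:
            break
        if code == PAD:              # pad is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d overruns the options field" % code)
        opts.append((code, value))
        i += 2 + length
    return opts


def build_options(opts):
    """Serialize (code, value) pairs and terminate with the END option."""
    out = bytearray()
    for code, value in opts:
        out += bytes([code, len(value)]) + value
    return bytes(out) + bytes([END])


def relay_request(raw, strategy, fmt):
    """Options to forward to the server, or None when the request is dropped."""
    if fmt not in PADDED:
        raise ValueError("padding format must be normal or verbose")
    opts = parse_options(raw)
    if any(code == RELAY_AGENT_INFO for code, _ in opts):
        if strategy == "drop":
            return None
        if strategy == "keep":
            return raw               # client-supplied Option 82 left untouched
        if strategy != "replace":
            raise ValueError("strategy must be drop, keep or replace")
        opts = [(c, v) for c, v in opts if c != RELAY_AGENT_INFO]
    # Reached for "replace" and for requests that carried no Option 82.
    opts.append((RELAY_AGENT_INFO, PADDED[fmt]))
    return build_options(opts)


def relay_reply(raw):
    """Remove Option 82 from a server reply before forwarding it to the client."""
    return build_options([(c, v) for c, v in parse_options(raw)
                          if c != RELAY_AGENT_INFO])


# Constructed sample option fields: a DHCP-DISCOVER without Option 82, and one
# where the client itself supplied an Option 82 value.
DISCOVER = bytes([53, 1, 1, 55, 2, 1, 3, END])
DISCOVER_WITH_82 = bytes([53, 1, 1, 82, 4, 1, 2, 0x41, 0x41, END])

if __name__ == "__main__":
    for name, req in (("no Option 82", DISCOVER), ("Option 82", DISCOVER_WITH_82)):
        for strategy in ("drop", "keep", "replace"):
            out = relay_request(req, strategy, "normal")
            print(name, strategy, "dropped" if out is None else out.hex())
```

With the keep strategy, whatever the client placed in Option 82 reaches the server unchanged, so the location data is only as trustworthy as the client port it arrived on.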
DHCP Relay Agent Configuration Task List
Complete the following tasks to configure the DHCP relay agent:
Task                                                                           Remarks
“Enabling DHCP” on page 591                                                    Required
“Enabling the DHCP Relay Agent on Interfaces” on page 591                      Required
“Correlating a DHCP Server Group with Relay Agent Interfaces” on page 592      Required
“Configuring the DHCP Relay Agent to Send a DHCP-Release Request” on page 593  Optional
“Configuring the DHCP Relay Agent Security Functions” on page 593              Optional
“Configuring the DHCP Relay Agent to Support Option 82” on page 595            Optional
Enabling the DHCP Relay Agent on Interfaces
With this task completed, upon receiving a DHCP request from an enabled
interface, the relay agent will forward the request to a DHCP server for address
allocation.
To enable the DHCP relay agent on interfaces, use the following commands:
Correlating a DHCP Server Group with Relay Agent Interfaces
To improve reliability, you can specify several DHCP servers as a group on the
DHCP relay agent and correlate a relay agent interface with the server group.
When the interface receives requesting messages from clients, the relay agent will
forward them to all the DHCP servers of the group.
To correlate a DHCP server group with relay agent interfaces, use the following
commands:
n ■ You can specify at most twenty DHCP server groups on the relay agent and at
most eight DHCP server addresses for each DHCP server group.
■ The IP addresses of DHCP servers and those of relay agent’s interfaces cannot
be on the same subnet. Otherwise, the client cannot obtain an IP address.
■ A DHCP server group can correlate with one or multiple DHCP relay agent
interfaces, while a relay agent interface can only correlate with one DHCP
server group. Using the dhcp relay server-select command repeatedly
overwrites the previous configuration. However, if the specified DHCP server
group does not exist, the interface still uses the previous correlation.
■ The group-id in the dhcp relay server-select command was specified by the
dhcp relay server-group command.
Configuring the DHCP Relay Agent to Send a DHCP-Release Request
Sometimes, you need to release a client’s IP address manually on the DHCP relay
agent. With this task completed, the DHCP relay agent can actively send a
DHCP-RELEASE request that contains the client’s IP address to be released. Upon
receiving the DHCP-RELEASE request, the DHCP server then releases the IP address
for the client.
To configure the DHCP relay agent to send a DHCP-RELEASE request, use the
following commands:
Configuring the DHCP Relay Agent Security Functions
Creating static bindings and enabling invalid IP address check
The DHCP relay agent can dynamically record clients’ IP-to-MAC bindings,
generating a dynamic binding after a client obtains an IP address. It also supports static
binding, which means you can manually configure IP-to-MAC bindings on the
DHCP relay agent, so that users can access external networks using fixed IP
addresses.
To prevent invalid IP address configuration, you can configure the DHCP
relay agent to check whether a requesting client’s IP and MAC addresses match a
binding on it (either dynamic or static). If not, the client cannot access
outside networks via the DHCP relay agent.
To create a static binding and enable invalid IP address check, use the following
commands:
■ When using the dhcp relay security static command to bind an interface to a
static binding entry, make sure that the interface is configured as a DHCP relay
agent; otherwise, address entry conflicts may occur.
The DHCP relay agent uses the IP address of a client and the MAC address of the
DHCP relay interface to regularly send a DHCP-REQUEST message to the DHCP
server.
■ If the server returns a DHCP-ACK message or does not return any message
within a specified interval, which means the IP address is assignable now, the
DHCP relay agent will update its bindings by aging out the binding entry of the
IP address.
■ If the server returns a DHCP-NAK message, which means the IP address is still
in use, the relay agent will not age it out.
When authorized ARP is enabled on the DHCP relay agent, the ARP automatic
learning function is disabled. ARP entries can only be added by the authentication
module, the DHCP relay agent, which notifies authorized ARP to
add/delete/change authorized ARP entries when adding/deleting/changing
dynamic IP-to-MAC bindings. Thus, only the clients that have passed the
authentication of the DHCP relay agent can access the network normally, while
other clients are considered illegal clients and are unable to access the network.
Follow these steps to configure the DHCP relay agent to support authorized ARP:
n ■ Authorized ARP can only be configured on Layer 3 interfaces.
■ Disabling the DHCP relay agent to support authorized ARP will not delete
dynamic bindings, but will notify authorized ARP to delete the corresponding
authorized ARP entries.
■ Since the DHCP relay agent does not notify the authorized ARP module of the
static bindings, you need to configure the corresponding static ARP entries for
authorized ARP.
■ For more information about authorized ARP, refer to “Configuring Authorized
ARP” on page 555.
With this feature enabled, upon receiving from a client a DHCP message whose
siaddr field (IP address of the server assigning IP addresses to clients) is not 0,
the DHCP relay agent will record the value of the siaddr field and the information
on the interface receiving the DHCP message. The administrator can use this
information to check for unauthorized DHCP servers.
n With unauthorized DHCP server detection enabled, the device logs only one
record for each DHCP server. The administrator needs to find unauthorized DHCP
servers from the log information. After the recorded information of a DHCP server
is cleared, a new record will be logged for the DHCP server.
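The record-once behaviour described above, as an added Python example rather than the device's implementation. It reads siaddr from the fixed BOOTP header of constructed messages, keeps one record per server until that record is cleared, and compares the records with a list of known servers; the ServerRecorder class, the known-server list and the address 192.0.2.66 are assumptions made for the example.

```python
"""Recording DHCP servers seen in the siaddr field, once per server."""
import ipaddress
import struct

BOOTP_FIXED_LEN = 236   # op through file, before the magic cookie and options
SIADDR_OFFSET = 20      # after op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr


def siaddr_of(packet):
    """Return the siaddr field of a BOOTP/DHCP message as an IPv4Address."""
    if len(packet) < BOOTP_FIXED_LEN:
        raise ValueError("shorter than the fixed BOOTP header")
    return ipaddress.IPv4Address(packet[SIADDR_OFFSET:SIADDR_OFFSET + 4])


class ServerRecorder:
    """Hypothetical model of the relay agent's record table."""

    def __init__(self):
        self.records = {}   # siaddr -> interface the message was received on

    def observe(self, packet, interface):
        """Record a server the first time it is seen; return True if recorded."""
        server = siaddr_of(packet)
        if int(server) == 0 or server in self.records:
            return False    # siaddr is 0, or this server already has a record
        self.records[server] = interface
        return True

    def clear(self, server):
        """Clear one record, so the server is recorded again when next seen."""
        self.records.pop(ipaddress.IPv4Address(server), None)

    def unauthorized(self, known_servers):
        """Administrator's step: records that are not in the known-server list."""
        known = {ipaddress.IPv4Address(s) for s in known_servers}
        return {str(s): ifc for s, ifc in self.records.items() if s not in known}


def make_message(siaddr, op=2):
    """Build a constructed 236-byte BOOTP header carrying the given siaddr."""
    zero = bytes(4)
    return struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                       op, 1, 6, 0, 0x12345678, 0, 0,
                       zero, zero, ipaddress.IPv4Address(siaddr).packed, zero,
                       bytes.fromhex("001122334455"), b"", b"")


if __name__ == "__main__":
    rec = ServerRecorder()
    # Constructed traffic: the configured server, a repeat, and an unknown server.
    for addr, ifc in (("10.1.1.1", "Ethernet1/1"), ("10.1.1.1", "Ethernet1/1"),
                      ("192.0.2.66", "Ethernet1/2")):
        rec.observe(make_message(addr), ifc)
    print(rec.unauthorized(["10.1.1.1"]))
```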
Displaying and Maintaining the DHCP Relay Agent Configuration
To do...                                                                                     Use the command...                                                      Remarks
Display information about DHCP server groups correlated to a specified or all interfaces     display dhcp relay { all | interface interface-type interface-number }  Available in any view
Display information about bindings of DHCP relay agents                                      display dhcp relay security [ ip-address | dynamic | static ]           Available in any view
Display statistics information about bindings of DHCP relay agents                           display dhcp relay security statistics                                  Available in any view
Display information about the refreshing interval for entries of dynamic IP-to-MAC bindings  display dhcp relay security tracker                                     Available in any view
Display information about the configuration of a specified or all DHCP server groups         display dhcp relay server-group { group-id | all }                      Available in any view
Display packet statistics on relay agent                                                     display dhcp relay statistics [ server-group { group-id | all } ]       Available in user view
Clear packet statistics from relay agent                                                     reset dhcp relay statistics [ server-group group-id ]                   Available in user view
Network diagram
Figure 174 Network diagram for DHCP relay agent (on a router)
[Figure: DHCP clients attach to Router A (DHCP relay agent); Router B is the DHCP server. Interface labels: Eth1/1 10.10.1.1/24, Eth1/2 10.1.1.2/24, Eth1/0 10.1.1.1/24.]
Configuration procedure
# Enable DHCP.
<RouterA> system-view
[RouterA] dhcp enable
# Configure DHCP server group 1 with the DHCP server 10.1.1.1, and correlate
DHCP server group 1 with Ethernet1/1.
[RouterA-Ethernet1/1] quit
[RouterA] dhcp relay server-group 1 ip 10.1.1.1
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] dhcp relay server-select 1
Analysis
Some problems may occur with the DHCP relay agent or server configuration.
Enable debugging and execute the display command on the DHCP relay agent to
view the debugging information and interface state information for locating the
problem.
Solution
Check that:
■ DHCP is enabled on the DHCP server and relay agent.
■ An address pool for the subnet where the DHCP clients reside is available on
the DHCP server.
■ The routes between the DHCP server and DHCP relay agent are reachable.
■ The relay agent interface connected to DHCP clients is correlated with the correct
DHCP server group and the IP addresses of the group members are correct.
Introduction to DHCP Client
With the DHCP client enabled on an interface, the interface will use DHCP to
obtain configuration parameters such as an IP address from the DHCP server.
Enabling the DHCP Client on an Interface
Follow these steps to enable the DHCP client on an interface:
To do...                                 Use the command...                                                               Remarks
Enter system view                        system-view                                                                      -
Enter interface view                     interface interface-type interface-number                                        -
Enable the DHCP client on the interface  ip address dhcp-alloc [ client-identifier mac interface-type interface-number ]  Required. Disabled by default
Displaying and Maintaining the DHCP Client
To do...                                     Use the command...                                                             Remarks
Display specified configuration information  display dhcp client [ verbose ] [ interface interface-type interface-number ]  Available in any view
Network diagram
See Figure 170.
Configuration procedure
The following is the configuration on Router B shown in Figure 170.
<RouterB> system-view
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ip address dhcp-alloc
n ■ DHCP snooping is supported only on Layer 2 Ethernet interfaces.
■ DHCP Snooping does not support link aggregation. If a Layer 2 Ethernet interface is
added into an aggregation group, DHCP Snooping configuration on it will not
take effect. When the interface is removed from the group, DHCP Snooping
can take effect.
■ The DHCP snooping enabled device does not work if it is between the DHCP
relay agent and DHCP server, and it can work when it is between the DHCP
client and relay agent or between the DHCP client and server.
■ The DHCP Snooping enabled device cannot be a DHCP server or DHCP relay
agent.
■ You are not recommended to enable the DHCP client, BOOTP client, and DHCP
Snooping on the same device. Otherwise, DHCP Snooping entries may fail to
be generated, or the BOOTP client/DHCP client may fail to obtain an IP address.
c CAUTION: Only H3C MSR series routers equipped with 16-port or 24-port layer 2
interface cards support the DHCP Snooping function.
DHCP Snooping Overview
Function of DHCP Snooping
As a DHCP security feature, DHCP snooping can implement the following:
Recording IP-to-MAC mappings of DHCP clients
For the sake of security, a network administrator needs to record the mapping between a
client’s IP address obtained from the DHCP server and the client’s MAC address.
DHCP snooping can meet the need.
Configuring DHCP Snooping Basic Functions
Follow these steps to configure DHCP snooping basic functions:
To do...                       Use the command...                         Remarks
Enter system view              system-view                                -
Enable DHCP snooping           dhcp-snooping                              Required. Disabled by default.
Enter Ethernet interface view  interface interface-type interface-number  -
Specify the port as trusted    dhcp-snooping trust                        Required. Untrusted by default.
n You must specify the ports connected to the valid DHCP servers as trusted to
ensure that DHCP clients can obtain valid IP addresses. The trusted port and the
port connected to the DHCP client must be in the same VLAN.
Displaying and Maintaining DHCP Snooping
To do...                                           Use the command...                           Remarks
Display DHCP snooping address binding information  display dhcp-snooping                        Available in any view
Display information about trusted ports            display dhcp-snooping trust                  Available in any view
Clear DHCP snooping address binding information    reset dhcp-snooping { all | ip ip-address }  Available in user view
Network diagram
[Figure: Switch A (DHCP server) and Switch B (DHCP snooping); port labels Eth1/1, Eth1/2 and Eth1/3.]
Configuration procedure
# Enable DHCP snooping.
<SwitchB> system-view
[SwitchB] dhcp-snooping
Introduction to BOOTP Client
BOOTP Application
After you specify an interface of a device as a BOOTP client, the interface can use
BOOTP to get information (such as IP address) from the BOOTP server, which
simplifies your configuration.
Because you need to configure a parameter file for each client on the BOOTP
server, BOOTP usually runs under a relatively stable environment. If the network
changes frequently, Dynamic Host Configuration Protocol (DHCP) is applicable.
n Because a DHCP server can interact with a BOOTP client, you can use the DHCP
server to configure an IP address for the BOOTP client, without any BOOTP server.
Obtaining an IP Address Dynamically
n A DHCP server can take the place of the BOOTP server in the following dynamic IP
address acquisition.
1 The BOOTP client broadcasts a BOOTP request, which contains its own MAC
address.
2 The BOOTP server receives the request and searches the configuration file for the
corresponding IP address according to the MAC address of the BOOTP client. The
BOOTP server then returns a BOOTP response to the BOOTP client.
3 The BOOTP client obtains the IP address from the received response.
Protocols and Standards
Some protocols and standards related to BOOTP include:
1 RFC 951: Bootstrap Protocol (BOOTP)
2 RFC 2132: DHCP Options and BOOTP Vendor Extensions
3 RFC 1542: Clarifications and Extensions for the Bootstrap Protocol
Displaying and Maintaining BOOTP Client Configuration
To do...                                       Use the command...                                                  Remarks
Display related information on a BOOTP client  display bootp client [ interface interface-type interface-number ]  Available in any view
Network diagram
See Figure 170.
Configuration procedure
The following describes only the configuration on Router B serving as a client.
<RouterB> system-view
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ip address bootp-alloc
n To enable the BOOTP client to obtain an IP address from the DHCP server, you need
to perform additional configurations on the DHCP server. For details, refer to
“DHCP Server Configuration Examples” on page 585.
n This document only covers IPv4 DNS configurations. For IPv6 DNS configuration
information, refer to “IPv6 Basics Configuration” on page 655.
DNS Overview
Domain name system (DNS) is a distributed database used by TCP/IP applications
to translate domain names into corresponding IP addresses. With DNS, you can
use easy-to-remember domain names in some applications and let the DNS server
translate them into correct IP addresses.
There are two types of DNS services, “Static Domain Name Resolution” on page
609 and “Dynamic Domain Name Resolution” on page 609. Each time the DNS
server receives a name query it checks its static DNS database before looking up
the dynamic DNS database. Reduction of the searching time in the dynamic DNS
database would increase efficiency. Some frequently used addresses can be put in
the static DNS database.
Static Domain Name Resolution
The static domain name resolution means setting up mappings between domain
names and IP addresses. IP addresses of the corresponding domain names can be
found in the static DNS database when you use applications such as telnet.
4 The DNS client returns the resolution result to the application after receiving a
response from the DNS server.
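[Figure 176: the user program and the resolver exchange requests and responses, as do the resolver and the DNS server; the resolver saves to and reads from the cache. The resolver and cache are inside the DNS client.]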
Figure 176 shows the relationship between user program, DNS client, and DNS
server.
The resolver and cache comprise the DNS client. The user program and DNS client
can run on the same machine or different machines, while the DNS server and the
DNS client usually must run on different machines.
Dynamic domain name resolution allows the DNS client to store latest mappings
between domain names and IP addresses in the dynamic domain name cache.
There is no need to send a request to the DNS server for a repeated query next
time. The aged mappings are removed from the cache after some time, and the latest
entries are requested from the DNS server. The DNS server decides how long a
mapping is valid, and the DNS client gets the information from DNS messages.
DNS suffixes
The DNS client normally holds a list of suffixes which can be defined by users. It is
used when the name to be resolved is incomplete. The resolver can supply the
missing part. For example, a user can configure com as the suffix for aabbcc.com.
The user only needs to type aabbcc to get the IP address of aabbcc.com. The
resolver can add the suffix and delimiter before passing the name to the DNS
server.
■ If there is no dot in the domain name (for example, aabbcc), the resolver will
consider this as a host name and add a DNS suffix before query. The original
domain name (for example, aabbcc) is used if the query fails.
■ If there is a dot in the domain name (for example, www.aabbcc), the resolver
will directly use this domain name for query. If the query fails, the resolver adds
a DNS suffix for another query.
■ If the dot is at the end of the domain name (for example, aabbcc.com.), the
resolver will consider it as a fully qualified domain name (FQDN) and return the
query result, whether success or failure. Hence, the dot (.) at the end of the domain
name is called the terminating symbol.
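The suffix rules and cache aging described above, as an added Python example (not the device's resolver code). candidates returns the names queried in order, and DnsClient caches answers until the lifetime supplied by the server expires. Trying every configured suffix in list order, the zone data and the address 192.0.2.10 are assumptions of the example.

```python
"""DNS client name expansion with suffixes, plus dynamic cache aging."""


def candidates(name, suffixes):
    """Names to query, in order, for a name as typed by the user."""
    if name.endswith("."):
        return [name[:-1]]                 # terminating dot: FQDN, one query only
    suffixed = [name + "." + s for s in suffixes]
    if "." in name:
        return [name] + suffixed           # try as typed, then with a suffix
    return suffixed + [name]               # host name: suffix first, then as typed


class DnsClient:
    """Hypothetical resolver plus cache, as in the DNS client described above."""

    def __init__(self, suffixes, query_server, now):
        self.suffixes = list(suffixes)
        self.query_server = query_server   # name -> (ip, ttl_seconds) or None
        self.now = now                     # callable returning the current time
        self.cache = {}                    # name -> (ip, expiry time)
        self.sent = []                     # names actually sent to the server

    def _lookup(self, name):
        entry = self.cache.get(name)
        if entry and entry[1] > self.now():
            return entry[0]                # repeated query answered from the cache
        self.cache.pop(name, None)         # aged mapping is removed
        self.sent.append(name)
        answer = self.query_server(name)
        if answer is None:
            return None
        ip, ttl = answer                   # the server decides the lifetime
        self.cache[name] = (ip, self.now() + ttl)
        return ip

    def resolve(self, name):
        for candidate in candidates(name.lower(), self.suffixes):
            ip = self._lookup(candidate)
            if ip is not None:
                return ip
        return None


# Constructed zone data standing in for the DNS server.
ZONE = {"aabbcc.com": ("192.0.2.10", 60)}

if __name__ == "__main__":
    clock = [0]
    client = DnsClient(["com"], ZONE.get, lambda: clock[0])
    for typed in ("aabbcc", "aabbcc", "www.aabbcc", "aabbcc.com."):
        print(typed, "->", client.resolve(typed))
    print("queries sent:", client.sent)
```

The sent list shows which names leave the device for each typed name, including the failed lookups that precede a suffixed match.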
n If an alias is configured for a domain name on the DNS server, the device can
resolve the alias into the IP address of the host.
As shown in Figure 177, the DNS client sends DNS requests to the DNS proxy,
which forwards the requests to the designated DNS server, and conveys the replies
from the DNS server to the client.
The DNS proxy simplifies network management. When the DNS server address is
changed, you only need to change the configuration on the DNS proxy instead of
on each DNS client.
[Figure 177: DNS client, DNS proxy, IP network, DNS server.]
Configuring Static Domain Name Resolution
Follow these steps to configure static domain name resolution:
To do...           Use the command...  Remarks
Enter system view  system-view         --
n The IP address you last assign to the host name will overwrite the previous one if
there is any.
Configuring Dynamic Domain Name Resolution
Follow these steps to configure dynamic domain name resolution:
To do...                                    Use the command...      Remarks
Enter system view                           system-view             -
Enable dynamic domain name resolution       dns resolve             Required. Disabled by default
Configure an IP address for the DNS server  dns server ip-address   Required. No IP address is configured for the DNS server by default.
Configure DNS suffixes                      dns domain domain-name  Optional. No DNS suffix is configured by default
n You may configure up to six DNS servers and ten DNS suffixes.
Configuring the DNS Proxy
Follow these steps to configure the DNS proxy:
To do...           Use the command...  Remarks
Enter system view  system-view         -
Enable DNS proxy   dns proxy enable    Required. Disabled by default.
Displaying and Maintaining DNS
To do...                                                  Use the command...              Remarks
Display the static DNS database                           display ip host                 Available in any view
Display the DNS server information                        display dns server [ dynamic ]  Available in any view
Display the DNS suffixes                                  display dns domain [ dynamic ]  Available in any view
Display the information in the dynamic domain name cache  display dns dynamic-host        Available in any view
Display the DNS proxy table                               display dns proxy table         Available in any view
Clear the information in the dynamic domain name cache    reset dns dynamic-host          Available in user view
DNS Configuration Examples
Network diagram
[Figure: Device (10.1.1.1/24) and Host host.com (10.1.1.2/24).]
Configuration procedure
# Configure a mapping between host name host.com and IP address 10.1.1.2.
<Sysname> system-view
[Sysname] ip host host.com 10.1.1.2
# Execute the ping host.com command to verify that the device can use the static
domain name resolution to get the IP address 10.1.1.2 corresponding to
host.com.
Network diagram
[Figure: Device (DNS client), DNS server and Host host.com connected across an IP network; address labels 2.1.1.2/16, 2.1.1.1/16, 1.1.1.1/16 and 3.1.1.1/16.]
Configuration procedure
n ■ Before performing the following configuration, make sure that there is a route
between the device and the host, and configurations are done on both the
device and the host. For the IP addresses of the interfaces, see Figure 179.
■ This configuration may vary with different DNS servers. The following
configuration is performed on a Windows 2000 server.
1 Configure the DNS server
In Figure 180, right click Forward Lookup Zones, select New zone, and then
follow the instructions to create a new zone com.
In Figure 181, right click zone com, and then select New Host to bring up a
dialog box as shown in Figure 182. Enter host name host and IP address 3.1.1.1.
<Sysname> system-view
[Sysname] dns resolve
# Execute the ping host command on the device to verify that the
communication between the device and the host is normal and that the
corresponding destination IP address is 3.1.1.1.
Network diagram
[Figure: Device B (DNS client), Device A (DNS proxy), DNS server and Host host.com, with an IP network between them; address labels 4.1.1.1/24, 2.1.1.1/24, 2.1.1.2/24, 1.1.1.1/24 and 3.1.1.1/24.]
Configuration procedure
n Before performing the following configuration, assume that Device A, the DNS
server, and the host are reachable to each other and the IP addresses of the
interfaces are configured as shown in Figure 183.
1 Configure the DNS server
This configuration may vary with different DNS servers. When a Windows 2000
server acts as the DNS server, refer to “Dynamic Domain Name Resolution
Configuration Example” on page 613 for related configuration information.
<DeviceA> system-view
[DeviceA] dns server 4.1.1.1
<DeviceB> system-view
[DeviceB] dns resolve
# Execute the ping host.com command on Device B to verify that the host can be
pinged after the host’s IP address 3.1.1.1 is resolved.
Solution
■ Use the display dns dynamic-host command to check that the specified
domain name is in the cache.
■ If there is no defined domain name, check that dynamic domain name
resolution is enabled and the DNS client can communicate with the DNS server.
■ If the specified domain name is in the cache, but the IP address is incorrect,
check that the DNS client has the correct IP address of the DNS server.
■ Check that the mapping between the domain name and IP address is correct on the
DNS server.
Introduction to IP Accounting
The IP accounting feature collects statistics on incoming and outgoing IP
packets on the router. These IP packets include those sent and forwarded by the
router normally as well as those denied by the firewall.
Each IP accounting rule consists of an IP address and its mask, namely, a subnet
address, which is the result of ANDing the IP address with its mask. IP packets are
sorted as follows:
Configuring IP Accounting
Configuration Prerequisites
Assign an IP address and mask to the interface on which the IP accounting feature
needs to be enabled. If necessary, configure a firewall on the interface.
IP Accounting Configuration Example
Network Requirements
As shown in Figure 184, the router is connected to Host A and Host B through
Ethernet interfaces.
[Figure 184: interface labels Eth1/0 1.1.1.2/24 and Eth1/1 2.2.2.1/24.]
# Enable IP accounting.
<Router> system-view
[Router] ip count enable
# Set the maximum number of accounting entries in the interior table to 100.
# Set the maximum number of accounting entries in the exterior table to 20.
# Configure static routes from Host A to Host B and from Host B to Host A. Ping
Host B from Host A.
Omitted.
n The two hosts can be replaced by other types of network devices such as routers.
Displaying and Maintaining IP Accounting Configuration
To do...                           Use the command...                                                                                 Remarks
Display the IP accounting rules    display ip count rule                                                                              Available in any view
Display IP accounting information  display ip count { inbound-packets | outbound-packets } { exterior | firewall-denied | interior }  Available in any view
Clear IP accounting information    reset ip count { all | exterior | firewall | interior }                                            Available in user view
n After you configure a new IP accounting rule, it is possible that some packets
from a subnet that previously matched no rule now match the new rule. Information
about these packets is then saved in the interior table. The exterior table, however,
may still contain information about these packets. Therefore, in some cases, the
interior and exterior tables contain statistics information about the IP packets from
the same subnet. The statistics information in the exterior table will be removed
when the aging time expires.
IP Addressing Overview
IP Address Classes
IP addressing uses a 32-bit address to identify each host on a network. An
example is 01010000100000001000000010000000 in binary. To make IP
addresses in 32-bit form easier to read, they are written in dotted decimal
notation, each being four octets in length, for example, 10.1.1.1 for the address
just mentioned.
■ Net-id: First several bits of the IP address defining a network, also known as
class bits.
■ Host-id: Identifies a host on a network.
For the sake of administration, IP addresses are divided into five classes. Which class an IP
address belongs to depends on the first one to four bits of the net-id, as shown in
the following figure (the blue part identifies the address class).
[Figure: IP address classes over bit positions 0, 7, 15, 23, 31. Surviving rows: Class A: leading bit 0, Net-id, Host-id; Class E: leading bits 1 1 1 1, Reserved.]
Table 34 describes the address ranges of these five classes. Currently, the first
three classes of IP addresses are used in large quantities.
Special Case IP Addresses
The following IP addresses are for special use, and they cannot be used as host IP
addresses:
■ IP address with an all-zero net ID: Identifies a host on the local network. For
example, IP address 0.0.0.16 indicates the host with a host ID of 16 on the
local network.
■ IP address with an all-zero host ID: Identifies a network.
■ IP address with an all-one host ID: Identifies a directed broadcast address. For
example, a packet with the destination address of 192.168.1.255 will be
broadcast to all the hosts on the network 192.168.1.0.
Subnetting and Masking
In the 1980s, subnetting was developed to address the risk of IP address exhaustion
resulting from fast expansion of the Internet. The idea is to break a network down
into smaller networks called subnets by using some bits of the host-id to create a
subnet-id. To identify the boundary between the host-id and the combination of
net-id and subnet-id, masking is used. (When subnetting is not adopted, a mask
identifies the boundary between the net-id and the host-id.)
[Figure: a Class B address (leading bits 10, then Net-id and Host-id), bit positions 0 to 31, shown with two masks: 11111111111111110000000000000000 and 11111111111111111111111110000000.]
While allowing you to create multiple logical networks within a single Class A, B,
or C network, subnetting is transparent to the rest of the Internet. All these
networks still appear as one. As subnetting adds an additional level, subnet-id, to
the two-level hierarchy with IP addressing, IP routing now involves three steps:
delivery to the site, delivery to the subnet, and delivery to the host.
In the absence of subnetting, some special addresses, such as the addresses with
the net-id of all zeros and the addresses with the host-id of all ones, are not
assignable to hosts. The same is true with subnetting. When designing your
network, note that subnetting is a tradeoff between the number of subnets and
the number of hosts they can accommodate. For example, a Class B network can
accommodate 65,534 (2^16 - 2) hosts before being subnetted. Of the two deducted
Class B addresses, the one with an all-ones host-id is the broadcast address and
the one with an all-zeros host-id is the network address. After you break the
network down into 512 (2^9) subnets by using the first 9 bits of the host-id for
the subnet, you have only 7 bits for the host-id and thus only 126 (2^7 - 2) hosts
in each subnet. The maximum number of hosts is thus 64,512 (512 × 126), 1022
fewer than before the network was subnetted.
Class A, B, and C networks, before being subnetted, use these default masks (also
called natural masks): 255.0.0.0, 255.255.0.0, and 255.255.255.0 respectively.
IP Unnumbered
Logically, to enable IP on an interface, you must assign this interface a unique IP
address. However, you can instead borrow an IP address already configured on
another interface of your device. This is called IP unnumbered, and the interface
borrowing the IP address is called an IP unnumbered interface.
You may need to use IP unnumbered to save IP addresses, either when available IP
addresses are inadequate or when an interface is used only occasionally.
Configuring IP Addresses
Besides directly assigning an IP address to an interface, you may configure the
interface to obtain one through BOOTP, DHCP, or PPP address negotiation as
alternatives. If you change the way an interface obtains an IP address, from
manual assignment to BOOTP for example, the IP address obtained from BOOTP
will overwrite the old one manually assigned.
NOTE:
■ Support for IP address acquisition modes varies by device.
■ This chapter only covers how to assign an IP address manually. For other
approaches, refer to “DHCP Address Allocation” on page 566 and “PPP and MP
Configuration” on page 363.
Assigning an IP Address to an Interface
You may assign an interface multiple IP addresses, one primary and multiple
secondaries, to connect multiple logical subnets on the same physical subnet.
CAUTION:
■ The primary IP address you assign to the interface can overwrite the old one
if there is one.
■ You cannot assign secondary IP addresses to an interface using BOOTP, DHCP,
or PPP address negotiation.
■ The primary and secondary IP addresses you assign to the interface can be
located on the same network segment. However, this should not violate the
rule that different physical interfaces on your device, a primary interface and its
subinterfaces, or the subinterfaces on a parent interface must reside on
different network segments.
To enable the hosts on the two network segments to access the external network
through Router, and enable the hosts on the two network segments to
communicate with each other, do the following:
Network diagram
[Figure: Router interface Eth1/0 with 172.16.1.1/24 and 172.16.2.1/24 sub; hosts at 172.16.1.2/24 and 172.16.2.2/24; Host A; subnet 172.16.2.0/24.]
Configuration procedure
# Assign a primary IP address and a secondary IP address to Ethernet1/0.
<Router> system-view
[Router] interface ethernet 1/0
[Router-Ethernet1/0] ip address 172.16.1.1 255.255.255.0
[Router-Ethernet1/0] ip address 172.16.2.1 255.255.255.0 sub
# Use the ping command to verify the connectivity between the router and a host
on the subnet 172.16.1.0/24.
The information shown above indicates the router can communicate with the host
on the subnet 172.16.1.0/24.
# Use the ping command to verify the connectivity between the router and a host
on the subnet 172.16.2.0/24.
The information shown above indicates the router can communicate with the
hosts on the subnet 172.16.2.0/24.
# Use the ping command to verify the connectivity between the hosts on the
subnet 172.16.1.0/24 and hosts on subnet 172.16.2.0/24. Ping Host B on Host A
to verify that the ping operation is successful.
Configuring IP Unnumbered
Configuration Prerequisites
Assign a primary IP address to the interface from which you want to borrow the IP
address. Alternatively, you may configure the interface to obtain one through
BOOTP, DHCP, or PPP negotiation.
CAUTION:
■ Serial, dial, POS, and ATM interfaces can borrow IP addresses from Layer 3
Ethernet interfaces or other interfaces.
■ Layer 3 Ethernet interfaces, tunnel interfaces and loopback interfaces cannot
borrow IP addresses of other interfaces, but other interfaces can borrow the IP
addresses of these interfaces.
■ An interface cannot borrow an IP address from an unnumbered interface.
■ Multiple interfaces can use the same unnumbered IP address.
■ The IP address of the borrowing interface always stays consistent with that of
the borrowed interface and changes with it. That is, if an IP address is configured
for the borrowed interface, the IP address of the borrowing interface is the same
as that of the borrowed interface; if no IP address is configured for the
borrowed interface, no IP address is assigned to the borrowing interface.
Network diagram
[Figure: Router A (Eth1/1, 172.16.10.1/24) and Router B (Eth1/1, 172.16.20.1/24) connected through their S2/1 interfaces across a DDN network.]
Configuration procedure
1 Configure Router A
<RouterA> system-view
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ip address 172.16.10.1 255.255.255.0
[RouterA-Ethernet1/1] quit
2 Configure Router B
<RouterB> system-view
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ip address 172.16.20.1 255.255.255.0
[RouterB-Ethernet1/1] quit
Displaying and Maintaining IP Addressing

To do...                            Use the command...                            Remarks

Display information about a         display ip interface [ interface-type         Available in any view
specified or all L3 interfaces      interface-number ]

Display brief information about a   display ip interface brief                    Available in any view
specified or all Layer 3            [ interface-type interface-number ]
interfaces
IP Performance Overview
In some network environments, you need to adjust the IP parameters to achieve
best network performance. IP performance configuration includes:
■ Enabling the device to forward directed broadcasts
■ Configuring the maximum TCP segment size (MSS) of the interface
■ Enabling the SYN Cookie feature and protection against Naptha attack
■ Configuring TCP timers
■ Configuring the TCP buffer size
■ Enabling ICMP error packets sending
Enabling the Device to Forward Directed Broadcasts
Directed broadcasts refer to broadcast packets sent to a specific network. In the
destination IP address of a directed broadcast, the network ID is a network-specific
number and the host ID is all ones. Enabling the device to receive and forward
directed broadcasts to a directly connected network gives attackers an
opportunity to attack the network. Therefore, receiving and forwarding directed
broadcasts is disabled on the device by default. However, you should enable the
feature when:
■ Using the UDP Helper function to convert broadcasts to unicasts and forward
them to a specified server.
■ Using the Wake on LAN function to forward directed broadcasts to a PC on the
remote network.
Enabling the Device to Forward Directed Broadcasts
Follow these steps to enable the device to forward directed broadcasts:

To do...                            Use the command...                            Remarks

Enter system view                   system-view                                   -

Enter interface view                interface interface-type interface-number     -
NOTE:
■ You can reference an ACL to forward only directed broadcasts permitted by the
ACL.
■ If you execute the ip forward-broadcast acl command on an interface
repeatedly, the last execution overwrites the previous one. If the command
executed last does not include acl acl-number, the ACL configured
previously is removed.
Network diagram
Configuration procedure
■ Configure Router A
<RouterA> system-view
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] ip forward-broadcast
# Configure IP addresses for the interfaces Ethernet 1/1 and Ethernet 1/0.
<RouterB> system-view
[RouterB] ip route-static 1.1.1.1 24 2.2.2.2
# Set the IP address of the network interface card (NIC) connected to Router A to
1.1.1.1, the subnet mask to 255.255.255.0, and the gateway address to 1.1.1.2.
After the above configurations, if you ping the subnet broadcast address
(2.2.2.255) of interface Ethernet 1/0 of Router A on the host, the ping packets can
be received by interface Ethernet 1/0 of Router B. However, if you disable the ip
forward-broadcast command, the interface Ethernet 1/0 of Router B cannot
receive the ping packets.
Configuring TCP Attributes
Configuring TCP MSS for the Interface
An interface’s TCP MSS determines whether the TCP packets of the interface need
to be fragmented. If the size of a packet is smaller than the TCP MSS, the packet is
not fragmented; otherwise, it will be fragmented according to the TCP MSS.
NOTE: So far, the interfaces that support this configuration include: Layer 3
Ethernet interface, serial port, ATM interface, POS interface, dial port, Tunnel
interface, virtual Ethernet interface and virtual interface template.
Enabling the SYN Cookie Feature
As a general rule, the establishment of a TCP connection involves the following
three-way handshake:
1 The request originator sends a SYN message to the target server.
2 After receiving the SYN message, the target server establishes a TCP
semi-connection in the SYN_RECEIVED state, returns a SYN ACK message to the
originator, and waits for a response.
3 After receiving the SYN ACK message, the originator returns an ACK message.
Thus, the TCP connection is established.
Malicious attackers may mount SYN Flood attacks during TCP connection
establishment. They send SYN messages to the server to establish TCP
connections, but they never make any response to SYN ACK messages. As a result,
The SYN Cookie feature can prevent SYN Flood attacks. After receiving a TCP
connection request, the server directly returns a SYN ACK message instead of
establishing a TCP semi-connection. Only after receiving an ACK message from
the client does the server establish a connection and enter the ESTABLISHED
state. In this way, large numbers of TCP semi-connections are avoided, which
protects the server from SYN Flood attacks.
NOTE:
■ If the MD5 authentication is enabled, the SYN Cookie feature will not function.
After the MD5 authentication is disabled, the configured SYN Cookie feature
will be enabled automatically.
■ With the SYN Cookie feature enabled, only the MSS, and not the window scale
factor or the timestamp, is negotiated during TCP connection
establishment.
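The stateless handshake described above can be sketched as follows. This is an added example of a generic SYN cookie scheme, not the device's own implementation; it also shows why only the MSS survives negotiation, because the cookie has room for nothing more than an MSS index. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash), the MSS table, the timing constants and all names are assumptions.

```python
import hashlib
import hmac

# Constructed values for this sketch; real TCP stacks choose their own.
MSS_TABLE = (536, 1024, 1220, 1360, 1400, 1440, 1452, 1460)  # 3-bit index
TICK_SECONDS = 64      # coarse clock embedded in the cookie
MAX_AGE_TICKS = 2      # how many ticks old a cookie may be


class SynCookieServer:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.established = {}   # flow -> MSS; filled only after a valid ACK

    def _mac24(self, flow, client_isn, tick):
        """24-bit keyed hash binding the cookie to this flow, ISN and tick."""
        msg = repr((flow, client_isn, tick)).encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:3]

    def on_syn(self, flow, client_isn, client_mss, now):
        """Return the SYN ACK sequence number. No per-connection state is kept."""
        tick = int(now) // TICK_SECONDS
        # Largest table entry that does not exceed the MSS the client offered.
        idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss),
                  default=0)
        mac = int.from_bytes(self._mac24(flow, client_isn, tick), "big")
        return ((tick % 32) << 27) | (idx << 24) | mac

    def on_ack(self, flow, seq, ack, now):
        """Validate the handshake ACK; return the MSS, or None if rejected."""
        cookie = (ack - 1) & 0xFFFFFFFF       # client acknowledges cookie + 1
        client_isn = (seq - 1) & 0xFFFFFFFF   # the client's SYN used one number
        tick_now = int(now) // TICK_SECONDS
        for age in range(MAX_AGE_TICKS + 1):
            tick = tick_now - age
            if tick < 0 or tick % 32 != cookie >> 27:
                continue
            expected = self._mac24(flow, client_isn, tick)
            received = (cookie & 0xFFFFFF).to_bytes(3, "big")
            if hmac.compare_digest(expected, received):
                mss = MSS_TABLE[(cookie >> 24) & 0x7]
                self.established[flow] = mss   # state is created only now
                return mss
        return None


def demo():
    """Run one handshake with constructed values and return the outcomes."""
    server = SynCookieServer(secret=b"constructed-demo-secret")
    flow = ("198.51.100.7", 40000, "203.0.113.1", 80)   # constructed 4-tuple
    cookie = server.on_syn(flow, client_isn=1000, client_mss=1300, now=1000)
    state_after_syn = len(server.established)            # still empty
    ack = (cookie + 1) & 0xFFFFFFFF
    forged = server.on_ack(flow, seq=1001, ack=12345, now=1010)
    genuine = server.on_ack(flow, seq=1001, ack=ack, now=1010)
    late = server.on_ack(flow, seq=1001, ack=ack, now=1000 + 5 * TICK_SECONDS)
    return state_after_syn, forged, genuine, late


if __name__ == "__main__":
    print(demo())
```

A flood of SYN messages costs this server one hash per packet and no memory, since `established` grows only when a valid ACK returns.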
Enabling Protection Against Naptha Attack
Naptha attacks are similar to SYN Flood attacks. Naptha attacks exploit the six
TCP connection states (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK,
and SYN_RECEIVED), whereas SYN Flood attacks exploit only the SYN_RECEIVED state.
The protection against Naptha attack reduces the risk of the server being attacked
by accelerating the aging of TCP connections in a state. After the protection
against Naptha attack is enabled, the device periodically checks the number of
TCP connections in each state. If it detects that the number of TCP connections in
a state exceeds the maximum number, it will accelerate the aging of TCP
connections in such a state.
NOTE:
■ With the protection against Naptha attack enabled, the device will periodically
check and record the number of TCP connections in each state.
■ With the protection against Naptha attack enabled, if the device detects that
the number of TCP connections in a state exceeds the maximum number, the
device will consider that there is a Naptha attack and accelerate the aging of
these TCP connections. The device will not stop accelerating the aging of TCP
connections until the number of TCP connections in such a state is less than
80% of the maximum number.
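The periodic check and its two thresholds (start above the maximum, stop below 80% of it) behave as in the following added sketch, which is not the device's own code. The class name, the per-state limit, the timeout values and the connection records are constructed assumptions.

```python
from collections import Counter


class NapthaGuard:
    """Periodic per-state connection check with accelerated aging."""

    def __init__(self, limits, normal_timeout=600, fast_timeout=30):
        self.limits = dict(limits)            # state -> maximum number
        self.normal_timeout = normal_timeout  # seconds, assumed value
        self.fast_timeout = fast_timeout      # seconds, assumed value
        self.accelerated = set()              # states being aged quickly

    def periodic_check(self, conns, now):
        """conns is a list of (state, last_seen). Returns the survivors."""
        counts = Counter(state for state, _ in conns)
        for state, limit in self.limits.items():
            n = counts[state]
            if state in self.accelerated:
                # Stop only when the count falls below 80% of the maximum.
                if n * 5 < limit * 4:
                    self.accelerated.discard(state)
            elif n > limit:
                # Start when the count exceeds the maximum.
                self.accelerated.add(state)
        survivors = []
        for state, last_seen in conns:
            timeout = (self.fast_timeout if state in self.accelerated
                       else self.normal_timeout)
            if now - last_seen < timeout:
                survivors.append((state, last_seen))
        return survivors


def simulate():
    """Constructed scenario: 12 idle FIN_WAIT_1 connections, limit of 10."""
    guard = NapthaGuard({"FIN_WAIT_1": 10})
    conns = [("FIN_WAIT_1", t) for t in range(0, 120, 10)]
    conns += [("ESTABLISHED", 0), ("ESTABLISHED", 50)]
    log = []
    for now in (120, 130, 140):
        conns = guard.periodic_check(conns, now)
        remaining = sum(1 for state, _ in conns if state == "FIN_WAIT_1")
        log.append((now, remaining, "FIN_WAIT_1" in guard.accelerated))
    return log


if __name__ == "__main__":
    for entry in simulate():
        print(entry)
```

The gap between the two thresholds keeps the device from toggling accelerated aging on and off while the count hovers near the maximum.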
CAUTION: The actual length of the finwait timer is determined by the following
formula: Actual length of the finwait timer = (Configured length of the finwait
timer - 75) + configured length of the synwait timer.
Configuring ICMP to Send Error Packets
Sending error packets is a major function of the ICMP protocol. In case of network
abnormalities, ICMP packets are usually sent by the network or transport layer
protocols to notify corresponding devices so as to facilitate control and
management.
A host may have only a default route to the default gateway in its routing table
after startup. The default gateway will send ICMP redirect packets to the source
host and notify it to reselect a correct next hop router to send the subsequent
packets, if the following conditions are satisfied:
The ICMP redirect function simplifies host administration and enables a host to
gradually establish a sound routing table to find the best route.
If the device receives an IP packet with a timeout error, it drops the packet and
sends an ICMP timeout packet to the source.
The device will send an ICMP timeout packet under the following conditions:
■ If the device finds the destination of a packet is not itself and the TTL field of
the packet is 1, it will send a “TTL timeout” ICMP error message.
■ When the device receives the first fragment of an IP datagram whose
destination is the device itself, it will start a timer. If the timer times out before
all the fragments of the datagram are received, the device will send a
“reassembly timeout” ICMP error packet.
3 Sending ICMP destination unreachable packets
If the device receives an IP packet with the destination unreachable, it will drop the
packet and send an ICMP destination unreachable error packet to the source.
■ If neither a route nor the default route for forwarding a packet is available, the
device will send a “network unreachable” ICMP error packet.
■ If the destination of a packet is local while the transport layer protocol of the
packet is not supported by the local device, the device sends a “protocol
unreachable” ICMP error packet to the source.
■ When receiving a packet with the destination being local and transport layer
protocol being UDP, if the packet’s port number does not match the running
process, the device will send the source a “port unreachable” ICMP error
packet.
■ If the source uses “strict source routing” to send packets, but the intermediate
device finds the next hop specified by the source is not directly connected, the
device will send the source a “source routing failure” ICMP error packet.
■ When forwarding a packet, if the MTU of the sending interface is smaller than
the packet but the packet has been set “Don’t Fragment”, the device will send
the source a “fragmentation needed and Don’t Fragment (DF)-set” ICMP error
packet.
To prevent such problems, you can disable the device from sending ICMP error
packets.
NOTE:
■ The device stops sending “network unreachable” and “source route failure”
ICMP error packets after sending ICMP destination unreachable packets is
disabled. However, other destination unreachable packets can be sent
normally.
■ The device stops sending “TTL timeout” ICMP error packets after sending ICMP
timeout packets is disabled. However, “reassembly timeout” error packets will
be sent normally.
Displaying and Maintaining IP Performance

To do...                            Use the command...                            Remarks

Display current TCP connection      display tcp status                            Available in any view
state

Display TCP connection statistics   display tcp statistics                        Available in any view

Display UDP statistics              display udp statistics                        Available in any view

Display statistics of IP packets    display ip statistics                         Available in any view

Display statistics of ICMP flows    display icmp statistics                       Available in any view

Display socket information          display ip socket [ socktype sock-type ]      Available in any view
                                    [ task-id socket-id ]

Display FIB forward information     display fib [ | { begin | include |           Available in any view
                                    exclude } string | acl acl-number |
                                    ip-prefix ip-prefix-name ]

Display FIB forward information     display fib ip-address1 [ { mask1 |           Available in any view
matching the specified              mask-length1 } [ ip-address2 { mask2 |
destination IP address              mask-length2 } | longer ] | longer ]

Display statistics about the FIB    display fib statistics                        Available in any view
items

Clear statistics of IP packets      reset ip statistics                           Available in user view

Clear statistics of TCP             reset tcp statistics                          Available in user view
connections

Clear statistics of UDP flows       reset udp statistics                          Available in user view
Introduction to IP Unicast Policy Routing
Policy routing (also known as policy based routing) is a routing mechanism based
on user-defined policies. Different from the traditional destination-based
routing mechanism, policy routing enables you to implement policies (based on
the source address, address length, and other criteria) that make packets flexibly
take different paths.
Policy routing involves system policy routing and interface policy routing:
As a rule, policy routing takes precedence over destination-based routing. That is,
policy routing is applied when packets match a policy, and otherwise,
destination-based routing is applied. However, if a default outgoing interface (next
hop) is configured, the destination-based routing takes precedence over policy
routing.
Configuring IP Unicast Policy Routing
Defining a Policy
A policy can consist of multiple nodes identified by node numbers. The smaller the
node number is, the higher the priority of the node’s policy is. A policy, which
consists of if-match clauses and apply clauses, is used to import a route to
forward IP packets.
When configuring policy nodes, you need to specify the match mode as permit or
deny:
A packet satisfying the match rules on a node will not go to the other nodes. If the
packet does not satisfy the match rules on any node, the packet will be forwarded
by means of looking up the routing table.
You can define two next hops or two outgoing interfaces at most for a policy. In
this way, packets are forwarded in turn from the two outgoing interfaces or two
next hops to achieve load sharing.
NOTE: You can use the apply output-interface command to configure two outgoing
interfaces or the apply ip-address next-hop command to configure two next hops.
If you want to modify either of the two outgoing interfaces or next hops, you can
execute the apply output-interface interface-type interface-number command
or apply ip-address next-hop ip-address command to overwrite the earlier one.
If you want to modify the two outgoing interfaces or next hops, you can directly
specify two interfaces or next hops before executing the apply output-interface
or apply ip-address next-hop command.
Enabling System Policy Routing
Policy routing includes system policy routing and interface policy routing. In most
cases, interface policy routing is used to meet ordinary forwarding and security
needs.
The system policy routing is used to route packets generated by the local device.
You can enable the interface policy routing and the system policy routing
separately. Only one policy can be referenced when system policy routing is
enabled.
Enabling Interface Policy Routing
Interface policy routing is applied to packets arriving on an interface. Only one
policy can be referenced when the policy routing is enabled on an interface.
Displaying and Maintaining IP Unicast Policy Routing Configuration

To do...                            Use the command...                            Remarks

Display information about system    display ip policy-based-route                 Available in any view
and interface policy routing

Display the setting information     display ip policy-based-route setup           Available in any view
of policy routing                   { interface interface-type
                                    interface-number | local | policy-name }

Display policy routing statistics   display ip policy-based-route statistics      Available in any view
                                    { interface interface-type
                                    interface-number | local }

Display the information of policy   display policy-based-route [ policy-name ]    Available in any view
routing based on a specified
policy

Clear the statistics of policy      reset policy-based-route statistics           Available in user view
routing based on a specified        [ policy-name ]
policy
IP Unicast Policy Routing Configuration Examples
Network diagram
Figure 190 Network diagram for policy routing based on source address
[Figure: Router connects Subnet A (10.110.0.0/16, with Host A and Host B) on Eth1/0 to the Internet through S2/0 and S2/1.]
Configuration procedure
# If the device supports the firewall function, set the default filtering mode of the
firewall to deny.
<Router> system-view
[Router] firewall default deny
# Define Node 5 of policy aaa so that TCP packets matching ACL 3101 are
forwarded to the interface Serial 2/0.
# Define Node 10 of policy aaa so that policy routing will not be applied to packets
matching ACL 3102 and these packets will be forwarded by means of looking up
the routing table.
Network diagram
Figure 191 Network diagram for policy routing based on packet size
[Figure: Router A (Eth1/0 192.1.1.1/24, S2/0 150.1.1.1/24, S2/1 151.1.1.1/24) connects to Router B (S2/0 150.1.1.2/24, S2/1 151.1.1.2/24). Policy routing is enabled on Eth1/0. Link labels: 60~100 bytes and 101~1000 bytes.]
Configuration procedure
■ Configuration on Router A.
# Configure RIP.
<RouterA> system-view
[RouterA] rip
[RouterA-rip-1] network 192.1.1.0
[RouterA-rip-1] network 150.1.0.0
[RouterA-rip-1] network 151.1.0.0
[RouterA-rip-1] quit
# Forward IP packets with a size of 64 to 100 bytes to the next hop 150.1.1.2 and
those with a size of 101 to 1,000 bytes to the next hop 151.1.1.2.
[RouterA] rip
[RouterA] interface serial 2/0
[RouterA-Serial2/0] ip address 150.1.1.1 255.255.255.0
[RouterA-Serial2/0] quit
[RouterA] interface serial 2/1
[RouterA-Serial2/1] ip address 151.1.1.1 255.255.255.0
[RouterA-Serial2/1] quit
[RouterA] policy-based-route lab1 permit node 10
[RouterA-policy-based-route] if-match packet-length 64 100
[RouterA-policy-based-route] apply ip-address next-hop 150.1.1.2
[RouterA-policy-based-route] quit
[RouterA] policy-based-route lab1 permit node 20
[RouterA-policy-based-route] if-match packet-length 101 1000
[RouterA-policy-based-route] apply ip-address next-hop 151.1.1.2
■ Configuration on Router B
# Configure RIP.
<RouterB> system-view
[RouterB] rip
[RouterB-rip-1] network 150.1.0.0
[RouterB-rip-1] network 151.1.0.0
[RouterB-rip-1] quit
[RouterB] interface serial 2/0
[RouterB-Serial2/0] ip address 150.1.1.2 255.255.255.0
[RouterB-Serial2/0] quit
[RouterB] interface serial 2/1
[RouterB-Serial2/1] ip address 151.1.1.2 255.255.255.0
[RouterB-Serial2/1] quit
NOTE: UDP Helper can be currently configured on VLAN interfaces and Layer 3
Ethernet interfaces (including subinterfaces) only.
Introduction to UDP Helper
Sometimes, a host needs to send broadcasts to obtain network configuration
information or request the names of other devices on the network. However, if the
server or the device to be requested is located in another broadcast domain, the
host cannot obtain such information through broadcast.
To solve this problem, the device provides the UDP Helper function to relay
specified UDP packets. In other words, UDP Helper functions as a relay agent that
converts UDP broadcast packets into unicast packets and forwards them to a
specified destination server.
With UDP Helper enabled, the device decides whether to forward a received UDP
broadcast according to the UDP destination port number of the packet.
■ If the destination port number of the packet matches the one pre-configured
on the device, the device modifies the destination IP address in the IP header,
and then sends the packet to the specified destination server.
■ If not, the device sends the packet to the upper layer protocol for processing.
By default, with UDP Helper enabled, the device forwards broadcast packets with
the six UDP destination port numbers listed in Table 35.
CAUTION:
■ On the devices supporting the directed broadcast suppression function, the
receiving of directed broadcasts to a directly connected network is disabled by
default. As a result, UDP Helper is available only when the ip
forward-broadcast command is configured in system view. For details about
the ip forward-broadcast command, refer to “IP Performance Configuration”
on page 631.
■ The UDP Helper enabled device cannot forward DHCP broadcast packets. That
is to say, the UDP port number cannot be set to 67 or 68.
■ The dns, netbios-ds, netbios-ns, tacacs, tftp, and time keywords
correspond to the six default UDP port numbers. You can configure these
default UDP port numbers by specifying port numbers or the corresponding
parameters. For example, udp-helper port 53 and udp-helper port dns
specify the same UDP port number.
■ When you view the configuration information by using the display
current-configuration command, the UDP Helper configuration of the
default ports will not be displayed. UDP Helper configuration of these ports will
be displayed only after UDP Helper is disabled.
■ The configuration of all UDP ports (including the default ports) is removed if
you disable UDP Helper.
■ You can configure up to 256 UDP port numbers to enable the forwarding of
packets with these UDP port numbers.
■ You can configure up to 20 destination servers on an interface.
Displaying and Maintaining UDP Helper

To do...                            Use the command...                            Remarks

Display the information of          display udp-helper server                     Available in any view
forwarded UDP packets               [ interface interface-type
                                    interface-number ]
Network diagram
[Figure: Router A (Eth1/0, 10.110.1.1/16) and Router B (Eth1/0) connected across an IP network; Server at 10.2.1.1/16.]
Configuration procedure
NOTE: The following configuration assumes that a route from Router A to the
network segment 10.2.0.0/16 is available.
<RouterA> system-view
[RouterA] udp-helper enable
# Enable the forwarding of broadcast packets with the UDP destination port
number 55.
# Specify the server with the IP address of 10.2.1.1 as the destination server to
which UDP packets are to be forwarded.
URPF Overview
Basic Concepts
Unicast reverse path forwarding (URPF) protects a network against attacks based
on source address spoofing.
[Figure: addresses 1.1.1.8/8 and 2.2.2.1/8; a packet carrying source IP address 2.2.2.1/8.]
Processing Flow
URPF provides two types of check in common use: strict and loose. In addition, it
supports ACL check and default route check.
■ In loose approach, URPF does a reverse lookup for the outgoing interfaces of
the packet. As long as an outgoing interface exists (no matter whether the
outgoing interface is consistent with the incoming interface), the packet passes
the check. Otherwise, the packet is dropped.
2 If the source address is not found in the FIB table, URPF makes a decision based on
the configuration of default route (the one configured on the router that received
the packet) and the allow-default-route keyword.
■ If a default route is available but the allow-default-route keyword is not
configured, the packet is rejected no matter which check approach is taken.
■ If both a default route and the allow-default-route keyword are configured,
URPF’s decision depends on the check approach. In strict approach, URPF lets the
packet pass and be forwarded normally if the outgoing interface of the default
route is the interface where the packet is received, and otherwise rejects it. In
loose approach, URPF lets the packet pass and be forwarded directly.
3 A packet goes through the ACL check if and only if it is rejected by the preceding
checks. If the packet passes the ACL check, it is forwarded as normal; otherwise, it
is discarded.
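The decision flow above can be expressed as the following added sketch, which is not the device's own code. The FIB entries, interface names and the ACL (modelled simply as permitted source prefixes) are constructed. The strict rule for a source that is found in the FIB (reverse-path interface must equal the receiving interface) and the rejection of a source with no route at all are assumptions based on standard URPF behaviour.

```python
import ipaddress


class Urpf:
    def __init__(self, fib, mode, allow_default_route=False, acl_permit=()):
        if mode not in ("strict", "loose"):
            raise ValueError("mode must be 'strict' or 'loose'")
        self.mode = mode
        self.allow_default_route = allow_default_route
        self.acl = [ipaddress.ip_network(p) for p in acl_permit]
        self.routes, self.default_if = [], None
        for prefix, out_if in fib:
            net = ipaddress.ip_network(prefix)
            if net.prefixlen == 0:
                self.default_if = out_if      # default route is kept apart
            else:
                self.routes.append((net, out_if))

    def _reverse_lookup(self, src):
        """Longest-prefix match on the SOURCE address, default route excluded."""
        matches = [(net.prefixlen, out_if)
                   for net, out_if in self.routes if src in net]
        return max(matches)[1] if matches else None

    def _path_check(self, src, in_if):
        out_if = self._reverse_lookup(src)
        if out_if is not None:
            # Assumption: strict requires the reverse path to use in_if.
            if self.mode == "loose" or out_if == in_if:
                return True, "source found in FIB"
            return False, "strict: reverse path uses " + out_if
        if self.default_if is None:
            # Assumption: no matching route of any kind means rejection.
            return False, "source not in FIB, no default route"
        if not self.allow_default_route:
            return False, "default route present, allow-default-route not set"
        if self.mode == "loose" or self.default_if == in_if:
            return True, "matched via default route"
        return False, "strict: default route uses " + self.default_if

    def check(self, src_ip, in_if):
        """Return ('forward' or 'drop', reason) for one received packet."""
        src = ipaddress.ip_address(src_ip)
        ok, reason = self._path_check(src, in_if)
        if ok:
            return "forward", reason
        # Only rejected packets reach the ACL check.
        if any(src in net for net in self.acl):
            return "forward", reason + "; permitted by ACL"
        return "drop", reason


# Constructed FIB: two connected subnets and a default route.
FIB = [("10.1.0.0/16", "Eth1/0"), ("10.2.0.0/16", "Eth1/1"),
       ("0.0.0.0/0", "S2/0")]


def demo():
    """A 10.1.0.0/16 source arriving on the wrong interface, three ways."""
    return [
        Urpf(FIB, "strict").check("10.1.5.5", "Eth1/1"),
        Urpf(FIB, "loose").check("10.1.5.5", "Eth1/1"),
        Urpf(FIB, "strict", acl_permit=["10.1.5.0/24"]).check("10.1.5.5", "Eth1/1"),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```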
Introduction to Fast Forwarding
Forwarding efficiency is a key indicator of the performance of a router. In an
ordinary forwarding process, when a router receives a packet, it copies the packet
from the interface memory to the CPU. Then, the CPU searches the routing table
for routes matching the destination address to determine the best route and
encapsulates the packet into a proper link layer frame. Finally, the link layer frame
is copied to the output queue through direct memory access (DMA) for forwarding.
The system bus is involved twice in this process, and the forwarding of each packet
repeats this process.
Displaying and Maintaining Fast Forwarding

To do...                            Use the command...                            Remarks

Display the information in the      display ip fast-forwarding cache              Available in any view
fast forwarding cache

Clear the information in the        reset ip fast-forwarding cache                Available in user view
fast-forwarding cache
IPv6 Overview
Internet protocol version 6 (IPv6), also called IP next generation (IPng), was
designed by the Internet Engineering Task Force (IETF) as the successor to Internet
protocol version 4 (IPv4). The significant difference between IPv6 and IPv4 is that
IPv6 increases the IP address size from 32 bits to 128 bits.
addresses, the size of basic IPv6 headers is 40 bytes and is only twice that of IPv4
headers (excluding the Options field).
Figure 194 Comparison between IPv4 packet header format and basic IPv6 packet header format
[Figure: IPv4 header fields: Ver, HL, ToS, Total length, Identification, F, Fragment offset, TTL, Protocol, Header checksum, Options, Padding. Basic IPv6 header fields: Ver, Traffic class, Flow label, Payload length, Next header, Hop limit.]
In addition, a host can generate a link-local address on the basis of its own
link-layer address and the default prefix (FE80::/64) to communicate with other
hosts on the same link.
Built-in security
IPv6 uses IPSec as its standard extension header to provide end-to-end security.
This feature provides a standard for network security solutions and improves the
interoperability between different IPv6 applications.
QoS support
The Flow Label field in the IPv6 header allows the device to label packets in a flow
and provide special handling for these packets.
CAUTION: The double-colon :: option can be used only once in an IPv6 address.
Otherwise, the device is unable to determine how many zeros each double colon
represents when converting it to zeros to restore a 128-bit IPv6 address.
An IPv6 address consists of two parts: address prefix and interface ID. The address
prefix and the interface ID are respectively equivalent to the network ID and the
host ID in an IPv4 address.
The type of an IPv6 address is designated by the first several bits called format
prefix. Table 36 lists the mappings between address types and format prefixes.
Unicast address
There are several forms of unicast address assignment in IPv6, including
aggregatable global unicast address, link-local address, and site-local address.
■ The aggregatable global unicast address, equivalent to an IPv4 public address,
is provided for network service providers. This type of address allows efficient
route prefix aggregation to restrict the number of global routing entries.
■ The link-local address is used for communication between link-local nodes in
neighbor discovery and stateless autoconfiguration. Routers must not forward
any packets with link-local source or destination addresses to other links.
■ IPv6 unicast site-local addresses are similar to private IPv4 addresses. Routers
must not forward any packets with site-local source or destination addresses
outside of the site (equivalent to a private network).
■ Loopback address: The unicast address 0:0:0:0:0:0:0:1 (represented in the
shortest format as ::1) is called the loopback address and may never be
assigned to any physical interface. Like the loopback address in IPv4, it may be
used by a node to send an IPv6 packet to itself.
■ Unassigned address: The unicast address “::” is called the unassigned address
and may not be assigned to any node. Before acquiring a valid IPv6 address, a
node may fill this address in the source address field of an IPv6 packet, but may
not use it as a destination IPv6 address.
Multicast address
IPv6 multicast addresses listed in Table 37 are reserved for special purpose.
Table 37 Reserved IPv6 multicast addresses
Address Application
FF01::1 Node-local scope all-nodes multicast address
FF02::1 Link-local scope all-nodes multicast address
FF01::2 Node-local scope all-routers multicast address
FF02::2 Link-local scope all-routers multicast address
FF05::2 Site-local scope all-routers multicast address
Introduction to IPv6 Neighbor Discovery Protocol
IPv6 neighbor discovery protocol (NDP) uses five types of ICMPv6 messages to
implement the following functions:
■ “Address resolution” on page 660
Table 38 lists the types and functions of ICMPv6 messages used by the NDP.
Address resolution
Similar to the ARP function in IPv4, a node acquires the link-layer addresses of
neighbor nodes on the same link through NS and NA messages. Figure 196 shows
how node A acquires the link-layer address of node B.
1 After starting up, a node sends an RS message to request the address prefix and
other configuration information from the router for the purpose of autoconfiguration.
2 The router returns an RA message containing information such as prefix
information option and flag bits. (The router also regularly sends an RA message.)
3 The node automatically configures an IPv6 address and other information for its
interface according to the address prefix and other configuration parameters in
the RA message.
n ■ In addition to an address prefix, the prefix information option also contains the
preferred lifetime and valid lifetime of the address prefix. After receiving a
periodic RA message, the node updates the preferred lifetime and valid lifetime
of the address prefix accordingly.
■ An automatically generated address is applicable within the valid lifetime and
will be removed when the valid lifetime times out.
Redirection
When a host is started, its routing table may contain only the default route to the
gateway. When certain conditions are satisfied, the gateway sends an ICMPv6
redirect message to the source host so that the host can select a better next hop to
forward packets (similar to the ICMP redirection function in IPv4).
The gateway will send an IPv6 ICMP redirect message when the following
conditions are satisfied:
IPv6 PMTU Discovery
The links that a packet passes from the source to the destination may have
different MTUs. In IPv6, when the packet size exceeds the link MTU, the packet
will be fragmented at the source end so as to reduce the processing pressure of
the forwarding device and utilize network resources rationally.
The path MTU (PMTU) discovery mechanism is to find the minimum MTU of all
links in the path from the source to the destination. Figure 198 shows the working
procedure of the PMTU discovery.
[Figure 198: Source sends a packet with MTU = 1500; ICMP error: packet too big,
use MTU = 1350; packet received]
1 The source host uses its MTU to fragment packets and then sends them to the
destination host.
2 If the MTU supported by the forwarding interface is less than the packet size, the
forwarding device will discard the packet and return an ICMPv6 error packet
containing the interface MTU to the source host.
3 After receiving the ICMPv6 error packet, the source host uses the returned MTU to
fragment the packet again and then sends it.
4 Step 2 to step 3 are repeated until the destination host receives the packet. In this
way, the minimum MTU of all links in the path from the source host to the
destination host is determined.
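The procedure in steps 1 to 4, as an added Python simulation that is not part of the original guide. The function names and the sample link MTUs are constructed for illustration. The 1280-byte floor and the refusal to raise the estimate are assumptions taken from the IPv6 specifications rather than from this guide; they keep a forged Packet Too Big message from driving the path MTU to an arbitrary value.

```python
# Added example: simulate PMTU discovery over a list of link MTUs.
IPV6_MIN_LINK_MTU = 1280  # assumption: IPv6 minimum link MTU (not stated in this guide)


def first_hop_too_small(link_mtus, packet_size):
    """Step 2: return the MTU a forwarding device would report in its
    ICMPv6 Packet Too Big message, or None if the packet is delivered."""
    for mtu in link_mtus:
        if packet_size > mtu:
            return mtu
    return None


def accept_packet_too_big(current_pmtu, reported_mtu):
    """Step 3 with sanity checks on the reported MTU.

    A report that would raise the estimate is ignored, and the estimate
    is never lowered below the IPv6 minimum link MTU.
    """
    if reported_mtu >= current_pmtu:
        return current_pmtu
    return max(reported_mtu, IPV6_MIN_LINK_MTU)


def discover_pmtu(source_mtu, link_mtus, max_rounds=16):
    """Steps 1 to 4: repeat until the packet reaches the destination.

    Returns (pmtu, history) where history lists every size the source tried.
    """
    pmtu = source_mtu
    history = [pmtu]
    for _ in range(max_rounds):
        reported = first_hop_too_small(link_mtus, pmtu)
        if reported is None:
            return pmtu, history
        pmtu = accept_packet_too_big(pmtu, reported)
        history.append(pmtu)
    raise RuntimeError("path MTU did not converge")


if __name__ == "__main__":
    # Constructed path: the second link matches the 1350-byte value in Figure 198.
    pmtu, tried = discover_pmtu(1500, [1500, 1350, 1300])
    print("PMTU:", pmtu, "sizes tried:", tried)
    # A report far below the minimum is clamped instead of being trusted.
    print("after bogus report of 68:", accept_packet_too_big(1500, 68))
```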
Introduction to IPv6 DNS
In the IPv6 network, a domain name system (DNS) supporting IPv6 converts
domain names into IPv6 addresses, instead of IPv4 addresses.
However, just like an IPv4 DNS, an IPv6 DNS also covers static domain name
resolution and dynamic domain name resolution. The function and
implementation of these two types of domain name resolution are the same as
those of an IPv4 DNS. For details, refer to “DNS Configuration” on page 609.
Usually, the DNS server connecting IPv4 and IPv6 networks contains not only A
records (IPv4 addresses), but also AAAA records (IPv6 addresses). The DNS server
can convert domain names into IPv4 addresses or IPv6 addresses. In this way, the
DNS server implements the functions of both IPv6 DNS and IPv4 DNS.
IPv6 Basics Configuration Task List
Complete the following tasks to perform IPv6 basics configuration:
Task    Remarks
“Configuring Basic IPv6 Functions” on page 665    Required
“Configuring IPv6 NDP” on page 666    Optional
“Configuring PMTU Discovery” on page 670    Optional
“Configuring IPv6 TCP Properties” on page 671    Optional
“Configuring IPv6 FIB-Based Forwarding” on page 671    Optional
“Configuring ICMPv6 Packet Sending” on page 672    Optional
“Configuring IPv6 DNS” on page 673    Optional
Enabling the IPv6 Packet Forwarding Function
Before IPv6-related configurations, you need to enable the IPv6 packet forwarding
function. Otherwise, an interface cannot forward IPv6 packets even if an IPv6
address is configured, resulting in communication failures in the IPv6 network.
Configuring an IPv6 Unicast Address
IPv6 site-local addresses and aggregatable global unicast addresses can be
configured in either of the following ways:
■ EUI-64 format: When the EUI-64 format is adopted to form IPv6 addresses, the
IPv6 address prefix of an interface is the configured prefix, and the interface
identifier is derived from the link-layer address of the interface.
■ Manual configuration: IPv6 site-local addresses or aggregatable global unicast
addresses are configured manually.
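The EUI-64 derivation described above, as an added Python example that is not part of the original guide; the function names are hypothetical. It uses the standard modified EUI-64 construction and the addresses from this guide's own verification output (FE80::20F:E2FF:FE00:1024 and 2001::20F:E2FF:FE00:1024), and it shows that the link-layer address can be read back from any EUI-64 address, so the same hardware identifier is visible under every prefix the interface uses.

```python
# Added example: derive an EUI-64 interface identifier and reverse it.
import ipaddress


def mac_to_interface_id(mac):
    """Modified EUI-64: insert FFFE between the two MAC halves and
    invert the universal/local bit of the first octet."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit link-layer address")
    eui = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def eui64_address(prefix, mac):
    """Combine a configured /64 prefix with the derived interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a 64-bit prefix")
    return net.network_address + mac_to_interface_id(mac)


def mac_from_address(addr):
    """Return the link-layer address embedded in an EUI-64 address,
    or None when the interface identifier lacks the FFFE marker."""
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytearray(iid[:3] + iid[5:])
    raw[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in raw)


def audit(addresses):
    """Map each address to the link-layer address it reveals (or None)."""
    return {a: mac_from_address(a) for a in addresses}


if __name__ == "__main__":
    # Addresses taken from the "display ipv6 interface" output in this guide.
    for addr, mac in audit([
        "FE80::20F:E2FF:FE00:1024",
        "2001::20F:E2FF:FE00:1024",
        "3001::1",
    ]).items():
        print(addr, "->", mac or "manually configured, no embedded MAC")
```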
Configuring a Static Neighbor Entry
The IPv6 address of a neighbor node can be resolved into a link-layer address
dynamically through NS and NA messages or through a manually configured static
neighbor entry.
The device uniquely identifies a static neighbor entry according to the IPv6 address
and the Layer 3 interface ID. Currently, there are two configuration methods:
c CAUTION: You can adopt either of the two methods above to configure a static
neighbor entry for a VLAN interface.
■ After a static neighbor entry is configured by using the first method, the device
needs to resolve the corresponding Layer 2 port information of the VLAN
interface.
■ If you adopt the second method to configure a static neighbor entry, you
should ensure that the corresponding VLAN interface exists and that the layer 2
port specified by port-type port-number belongs to the VLAN specified by
vlan-id. After a static neighbor entry is configured, the device relates the VLAN
interface to an IPv6 address to uniquely identify a static neighbor entry.
Configuring the Maximum Number of Neighbors Dynamically Learned
The device can dynamically acquire the link-layer address of a neighbor node and
add it into the neighbor table through NS and NA messages. A neighbor table that
grows too large through dynamic learning may degrade the forwarding performance
of the device. Therefore, you can restrict the size of the neighbor table by setting
the maximum number of neighbors that an interface can dynamically learn. When
the number of dynamically learned neighbors reaches the threshold, the interface
will stop learning neighbor information.
Configuring Parameters Related to an RA Message
You can configure whether the interface sends an RA message, the interval for
sending RA messages, and parameters in RA messages. After receiving an RA
message, a host can use these parameters to perform corresponding operations.
Table 39 lists the configurable parameters in an RA message and their
descriptions.
Parameters    Description
Cur hop limit
    When sending an IPv6 packet, a host uses the value of this parameter
    to fill the Cur Hop Limit field in IPv6 headers. Meanwhile, the value of
    this parameter is equal to the value of the Cur Hop Limit field in
    response messages of the device.
Prefix information options
    After receiving the prefix information advertised by the device, the
    hosts on the same link can perform stateless autoconfiguration
    operations.
M flag
    This field determines whether hosts use the stateful autoconfiguration
    to acquire IPv6 addresses.
    If the M flag is set to 1, hosts use the stateful autoconfiguration to
    acquire IPv6 addresses (for example, through a DHCP server).
    Otherwise, hosts use the stateless autoconfiguration to acquire IPv6
    addresses, that is, hosts configure IPv6 addresses according to their
    own link-layer addresses and the prefix information issued by the
    router.
O flag
    This field determines whether hosts use the stateful autoconfiguration
    to acquire information other than IPv6 addresses.
    If the O flag is set to 1, hosts use the stateful autoconfiguration to
    acquire information other than IPv6 addresses (for example, through a
    DHCP server). Otherwise, hosts use the stateless autoconfiguration to
    acquire information other than IPv6 addresses.
Router lifetime
    This field is used to set the lifetime of the router that sends RA
    messages to serve as the default router of hosts. According to the
    router lifetime in the received RA messages, hosts determine whether
    the router sending RA messages can serve as the default router.
Retrans timer
    If the device fails to receive a response message within the specified
    time after sending an NS message, the device will retransmit the NS
    message.
Reachable time
    If the neighbor reachability detection shows that a neighbor is
    reachable, the device considers the neighbor is reachable within the
    specified reachable time. If the device needs to send a packet to a
    neighbor after the specified reachable time expires, the device will
    reconfirm whether the neighbor is reachable.
n The values of the Retrans Timer field and the Reachable Time field configured for
an interface are sent to hosts via RA messages. Furthermore, this interface sends
NS messages at intervals of Retrans Timer and considers a neighbor reachable
within the time of Reachable Time.
c CAUTION: The maximum interval for sending RA messages should be less than or
equal to the router lifetime in RA messages. The minimum interval for sending RA
messages should be 0.75 times the maximum interval for sending RA messages or
less.
Configuring the Number of Attempts to Send an NS Message for DAD
An interface sends a neighbor solicitation (NS) message for DAD after acquiring an
IPv6 address. If the interface does not receive a response within a specified time
(determined by the ipv6 nd ns retrans-timer command), it continues to send an
NS message. If it still does not receive a response after the number of attempts to
Follow these steps to configure the attempts to send an NS message for DAD:
Configuring PMTU Discovery
Configuring the Interface MTU
IPv6 routers do not support packet fragmentation. After an IPv6 router receives an
IPv6 packet, if the packet size is greater than the MTU of the forwarding interface,
the router will discard the packet. Meanwhile, the router sends the MTU to the
source host through an ICMPv6 packet - Packet Too Big message. The source host
fragments the packet according to the MTU and resends it. To reduce the extra
flow overhead resulting from packets being discarded, a proper interface MTU
should be configured according to the actual networking environment.
Configuring a Static PMTU for a Specified IPv6 Address
You can configure a static PMTU for a specified destination IPv6 address. When a
source host sends packets through an interface, it compares the interface MTU
with the static PMTU of the specified destination IPv6 address. If the packet size is
larger than the smaller one between the two values, the host fragments the
packet according to the smaller value.
Configuring the Aging Time for PMTU
After the MTU of the path from the source host to the destination host is
dynamically determined (refer to “IPv6 PMTU Discovery” on page 663), the source
host sends subsequent packets to the destination host on the basis of this MTU.
After the aging time expires, the dynamically determined PMTU is removed and the
source host re-determines an MTU to send packets through the PMTU mechanism.
Configuring IPv6 TCP Properties
The TCP properties you can configure include:
■ synwait timer: When a SYN packet is sent, the synwait timer is triggered. If no
response packet is received before the synwait timer expires, the TCP
connection establishment fails.
■ finwait timer: When the TCP connection status is FIN_WAIT_2, the finwait
timer is triggered. If no packet is received before the finwait timer expires, the
TCP connection is terminated. If a FIN packet is received, the TCP connection
status becomes TIME_WAIT. If other packets are received, the finwait timer is
reset from the last received packet and the connection is terminated after the
finwait timer expires.
■ Size of the IPv6 TCP sending/receiving buffer.
Configuring IPv6 FIB-Based Forwarding
With the caching function of IPv6 FIB enabled, the device searches the FIB cache
when forwarding packets, thus reducing the time spent searching when forwarding
IP packets and improving the forwarding efficiency.
In the load sharing mode of IPv6 FIB, the device can decide how to select an equal
cost multi-path (ECMP) route to forward packets. Currently, two load sharing
modes are supported:
■ Load sharing based on the HASH algorithm: A certain algorithm based on the
source IPv6 address and destination IPv6 address is adopted to select an ECMP
route to forward packets.
■ Load sharing based on polling: Each ECMP route is used in turn to forward
packets.
Configuring ICMPv6 Packet Sending
Configuring the Maximum ICMPv6 Error Packets Sent in an Interval
If too many ICMPv6 error packets are sent within a short time in a network,
network congestion may occur. To avoid network congestion, you can control the
maximum number of ICMPv6 error packets sent within a specified time, currently
by adopting the token bucket algorithm.
You can set the capacity of a token bucket, namely, the number of tokens in the
bucket. In addition, you can set the update period of the token bucket, namely,
the interval for updating the number of tokens in the token bucket to the
configured capacity. One token allows one ICMPv6 error packet to be sent. Each
time an ICMPv6 error packet is sent, the number of tokens in a token bucket
decreases by one. If the number of ICMPv6 error packets successively sent exceeds
the capacity of the token bucket, subsequent ICMPv6 error packets cannot be sent
out until the number of tokens in the token bucket is updated and new tokens are
added to the bucket.
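The token bucket described above, as an added Python model that is not part of the original guide and is not the device's implementation. The class and function names are hypothetical, and the capacity of 10, the 100 ms update period, and the event timestamps are constructed values.

```python
# Added example: model of the ICMPv6 error-packet token bucket.


class Icmpv6ErrorLimiter:
    """One token permits one ICMPv6 error packet. At every update period
    the token count is set back to the configured capacity."""

    def __init__(self, capacity, period_ms):
        if capacity < 1 or period_ms < 1:
            raise ValueError("capacity and period must be positive")
        self.capacity = capacity
        self.period_ms = period_ms
        self.tokens = capacity
        self.period_start = 0

    def allow(self, now_ms):
        """Return True if an error packet may be sent at time now_ms."""
        elapsed_periods = (now_ms - self.period_start) // self.period_ms
        if elapsed_periods >= 1:
            # Update period reached: restore the bucket to full capacity.
            self.period_start += elapsed_periods * self.period_ms
            self.tokens = self.capacity
        if self.tokens == 0:
            return False  # bucket empty: the error packet is suppressed
        self.tokens -= 1
        return True


def simulate(event_times_ms, capacity, period_ms):
    """Feed timestamps of error-triggering events through the limiter.
    Returns a list of (time_ms, sent) tuples in time order."""
    limiter = Icmpv6ErrorLimiter(capacity, period_ms)
    return [(t, limiter.allow(t)) for t in sorted(event_times_ms)]


def count_sent(results):
    return sum(1 for _, sent in results if sent)


if __name__ == "__main__":
    # Constructed burst: 15 events in the first period, 2 in the second.
    burst = list(range(15)) + [100, 101]
    results = simulate(burst, capacity=10, period_ms=100)
    print("sent", count_sent(results), "of", len(results))

    # Constructed burst that straddles an update boundary.
    straddle = list(range(90, 100)) + list(range(100, 110))
    print("sent across boundary:", count_sent(simulate(straddle, 10, 100)))
```

Because the bucket is restored to full capacity at each update rather than refilled gradually, a burst that straddles an update boundary can send up to twice the capacity in a short span; size the capacity with that in mind.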
Follow these steps to configure the capacity and update period of the token
bucket:
Enable Sending of Multicast Echo Replies
If hosts are capable of replying to multicast echo requests, Host A can attack Host B
by sending an echo request with Host B as the source address to a multicast address;
all the hosts in the multicast group will then send echo replies to Host B.
Therefore, to prevent such an attack, a device is disabled from replying to multicast
echo requests by default.
Configuring Static IPv6 Domain Name Resolution
Configuring static IPv6 domain name resolution is to establish the mapping
between host name and IPv6 address. When using applications such as Telnet,
you can directly use a host name and the system will resolve the host name into an
IPv6 address. Each host name can correspond to only one IPv6 address.
Configuring Dynamic IPv6 Domain Name Resolution
You can use the following command to enable the dynamic domain name
resolution function. In addition, you should configure a DNS server so that a query
request message can be sent to the correct server for resolution. The system can
support at most six DNS servers.
You can configure a DNS suffix so that you only need to enter part of a domain
name and the system can automatically add the preset suffix for address
resolution. The system can support at most 10 DNS suffixes.
n The dns resolve and dns domain commands are the same as those of IPv4 DNS.
For details about the commands, refer to “DNS Configuration” on page 609.
Displaying and Maintaining IPv6 Basics Configuration
To do...    Use the command...    Remarks
Display DNS suffix information    display dns domain [ dynamic ]    Available in any view
Display IPv6 dynamic domain name cache information    display dns ipv6 dynamic-host
Display IPv6 DNS server information    display dns ipv6 server [ dynamic ]
Display the IPv6 FIB entries    display ipv6 fib [ ipv6-address ]
Display the total number of routes in the IPv6 FIB cache    display ipv6 fibcache
Display the mappings between host names and IPv6 addresses in the static DNS database    display ipv6 host
Display the IPv6 information of an interface    display ipv6 interface [ brief ] [ interface-type [interface-number ] ]
Display neighbor information    display ipv6 neighbors { ipv6-address | all | dynamic | interface interface-type interface-number | static | vlan vlan-id } [ | { begin | exclude | include } string ]
Display the total number of neighbor entries satisfying the specified conditions    display ipv6 neighbors { all | dynamic | interface interface-type interface-number | static | vlan vlan-id } count
Display the PMTU information of an IPv6 address    display ipv6 pathmtu { ipv6-address | all | dynamic | static }
Display information related to a specified socket    display ipv6 socket [ socktype socket-type ] [ task-id socket-id ]
Display the statistics of IPv6 packets and ICMPv6 packets    display ipv6 statistics
Display the IPv6 TCP connection statistics    display tcp ipv6 statistics
n The display dns domain command is the same as the one of IPv4 DNS. For
details about the commands, refer to “DNS Configuration” on page 609.
Network diagram
Figure 199 Network diagram for IPv6 address configuration (on routers)
[Diagram: Router A (Eth1/0) and Router B (Eth1/0)]
Configuration procedure
■ Configuration on Router A
<RouterA> system-view
[RouterA] ipv6
■ Configuration on Router B
<RouterB> system-view
[RouterB] ipv6
Verification
# Display the IPv6 information of the interface on Router A.
[RouterA-Ethernet1/0] display ipv6 interface ethernet 1/0
Ethernet1/0 current state :UP
Line protocol current state :UP
IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1024
Global unicast address(es):
2001::20F:E2FF:FE00:1024, subnet is 2001::/64
3001::1, subnet is 3001::/64
4001::1, subnet is 4001::/64
Joined group address(es):
FF02::1:FF00:1
FF02::1:FF00:0
FF02::1:FF00:1024
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
# From Router A, ping the link-local address, EUI-64 address, aggregatable global
unicast address, and automatically generated address of Router B. If the
configurations are correct, the above four types of IPv6 addresses can be pinged.
c CAUTION: When you ping a link-local address, you should use the “-i” parameter
to specify an interface for the link-local address.
<RouterA-Ethernet1/0> ping ipv6 FE80::20F:E2FF:FE00:2 -i ethernet 1/0
PING FE80::20F:E2FF:FE00:2 : 56 data bytes, press CTRL_C to break
Reply from FE80::20F:E2FF:FE00:2
bytes=56 Sequence=1 hop limit=64 time = 4 ms
Reply from FE80::20F:E2FF:FE00:2
bytes=56 Sequence=2 hop limit=64 time = 2 ms
Reply from FE80::20F:E2FF:FE00:2
bytes=56 Sequence=3 hop limit=64 time = 2 ms
Reply from FE80::20F:E2FF:FE00:2
bytes=56 Sequence=4 hop limit=64 time = 2 ms
Reply from FE80::20F:E2FF:FE00:2
bytes=56 Sequence=5 hop limit=64 time = 2 ms
--- FE80::20F:E2FF:FE00:2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/4 ms
<RouterA-Ethernet1/0> ping ipv6 2001::20F:E2FF:FE00:2
PING 2001::20F:E2FF:FE00:2 : 56 data bytes, press CTRL_C to break
Reply from 2001::20F:E2FF:FE00:2
bytes=56 Sequence=1 hop limit=64 time = 4 ms
Reply from 2001::20F:E2FF:FE00:2
bytes=56 Sequence=2 hop limit=64 time = 2 ms
Reply from 2001::20F:E2FF:FE00:2
bytes=56 Sequence=3 hop limit=64 time = 2 ms
Reply from 2001::20F:E2FF:FE00:2
bytes=56 Sequence=4 hop limit=64 time = 3 ms
Reply from 2001::20F:E2FF:FE00:2
bytes=56 Sequence=5 hop limit=64 time = 2 ms
Solution
■ Carry out the display current-configuration command in any view or the
display this command in system view to check that the IPv6 packet
forwarding function is enabled.
■ Carry out the display ipv6 interface command in any view to check that the
IPv6 address of the interface is correct and that the interface is up.
■ Carry out the debugging ipv6 packet command in user view to enable the
debugging for IPv6 packets and make judgment according to the debugging
information.
NAT-PT Overview
The deployment of IPv6 is a gradual process in which IPv4 networks and IPv6
networks will coexist and communicate with each other for a long period of time.
The Network Address Translation - Protocol Translation (NAT-PT) realizes translation
between IPv4 and IPv6 addresses, implementing communications between IPv4
and IPv6 networks. For example, it can enable a host in an IPv6 network to access
the FTP server in an IPv4 network.
As shown in Figure 200, NAT-PT runs on the device on the border between IPv4
and IPv6 networks. The NAT-PT process is implemented on the device, which is
transparent to both IPv4 and IPv6 networks. Users between IPv6 networks and
IPv4 networks can communicate, without any change to host configurations of
the existing IPv4 networks.
■ The request and response packets of a same session must be translated by the
same NAT-PT device.
■ The Options field in the IPv4 packet header cannot be translated.
■ NAT-PT does not provide end-to-end security.
Currently, NAT-PT supports ICMP, DNS, FTP, and other protocols that employ the
network layer protocol but have no address information in the protocol messages.
NAT-PT Mechanism
There are three NAT-PT mechanisms to realize the translation between IPv4 and
IPv6 addresses: “Static NAT-PT mapping” on page 680, “Dynamic NAT-PT
mapping” on page 680, and “NAPT-PT” on page 680.
For a dynamic mapping, an address pool needs to be created first. After that, an
available address is assigned from the address pool to accomplish the mapping
between one IPv6 address and one IPv4 address.
NAPT-PT
Network address port translation - protocol translation (NAPT-PT) realizes the IPv6
to IPv4 translation for TCP/UDP port numbers based on dynamic IP address
translation. With NAPT-PT, different IPv6 addresses can correspond to one IPv4
address. Different IPv6 hosts are distinguished by different port numbers so that
these IPv6 hosts can share one IPv4 address to accomplish the address translation.
1 A packet from an IPv6 host to an IPv4 host reaches the NAT-PT device. The NAT-PT
device translates the source IPv6 address of the packet into an IPv4 address
according to the static or dynamic IPv6-to-IPv4 mappings.
2 The NAT-PT device translates the destination address of the packet into an IPv4
address according to the IPv4-to-IPv6 mapping, if configured, on the IPv4 network
side. Without any mapping configured on the IPv4 network side, if the least
significant 32 bits of the destination IPv6 address in the packet can be directly
translated into a valid IPv4 address, the destination IPv6 address is translated into
an IPv4 address. Otherwise, the translation fails.
3 After the source and destination IPv6 addresses of the packet are translated into
IPv4 addresses, the NAT-PT device forwards the packet to an IPv4 host. Meanwhile,
the IPv6-to-IPv4 address mappings are stored in the NAT-PT device.
4 When packets sent by the IPv4 host to the IPv6 host arrive at the NAT-PT device,
the device replaces the source and destination IPv4 addresses according to the
stored mappings and forwards the packets to the IPv6 host.
NAT-PT Configuration Task List
To configure the NAT-PT feature, complete the tasks in the following sections:
Task    Remarks
“Enabling NAT-PT” on page 682    Required
“Configuring a NAT-PT Prefix” on page 682    Optional
“Configuring Mappings for IPv4 Hosts Accessing IPv6 Hosts” on page 682    Required
“Configuring Mappings for IPv6 Hosts Accessing IPv4 Hosts” on page 683    Required
“Configuring the NAT-PT Session Timeout Time for Different Protocol Packets” on page 685    Optional
“Configuring the Maximum Number of Sessions” on page 686    Optional
“Configuring the ToS/Traffic Class Field in a Packet After NAT-PT” on page 686    Optional
Configuring NAT-PT
Configuration Prerequisites
Before implementing NAT-PT, you must enable the IPv6 forwarding function on the
device and configure an IPv4 or IPv6 address as required on the interface that
requires NAT-PT.
Configuring a NAT-PT Prefix
A NAT-PT prefix is used for configuring dynamic IPv4-to-IPv6 and IPv6-to-IPv4
mappings.
When a packet is sent from an IPv6 network to an IPv4 network, the NAT-PT device
receiving the packet will detect the prefix of the destination IPv6 address of the
packet. An IPv6-to-IPv4 translation will be performed only when the prefix is the
same as the configured one.
For dynamic IPv4-to-IPv6 mappings, if the source IPv4 address complies with the
specified ACL rule, a NAT-PT prefix will be added to translate the source IPv4
address into an IPv6 address.
c CAUTION:
■ The NAT-PT prefix must not be the same as the network address of the NAT-PT
enabled interface on the IPv6 network.
■ To delete a NAT-PT prefix that has been referenced by another command, you
need to cancel the reference configuration first.
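The IPv6-to-IPv4 translation steps and the prefix check described above, as an added Python model that is not part of the original guide and is not the device's implementation. The NatPt class is hypothetical; the addresses 2001::2, 3001::5, 3001::0800:0002, 8.0.0.2 and 8.0.0.5 come from this guide's NAT-PT configuration examples, while the pool address 9.0.0.10 is constructed. Assumptions: the NAT-PT prefix is 96 bits long, and a "valid" IPv4 destination means an ordinary unicast address.

```python
# Added example: model of IPv6-initiated NAT-PT translation.
import ipaddress


def _valid_v4_destination(v4):
    # Assumption: "valid" excludes 0.0.0.0/8, multicast, loopback and 240.0.0.0/4.
    return not (v4 in ipaddress.IPv4Network("0.0.0.0/8") or v4.is_multicast
                or v4.is_loopback or v4.is_reserved)


class NatPt:
    def __init__(self, prefix, v6bound=None, v4bound=None, pool=()):
        self.prefix = ipaddress.IPv6Network(prefix)
        # IPv6 host -> IPv4 address it is presented as (static v6bound mappings).
        self.v6_to_v4 = {ipaddress.IPv6Address(k): ipaddress.IPv4Address(v)
                         for k, v in (v6bound or {}).items()}
        # v4bound maps an IPv4 host to an IPv6 address; index it by the IPv6 side.
        self.v4_side = {ipaddress.IPv6Address(v6): ipaddress.IPv4Address(v4)
                        for v4, v6 in (v4bound or {}).items()}
        self.free = [ipaddress.IPv4Address(a) for a in pool]  # dynamic pool
        self.sessions = {}

    def _translate_destination(self, dst6):
        if dst6 in self.v4_side:                      # mapping on the IPv4 side
            return self.v4_side[dst6]
        v4 = ipaddress.IPv4Address(int(dst6) & 0xFFFFFFFF)  # low 32 bits
        return v4 if _valid_v4_destination(v4) else None

    def _translate_source(self, src6):
        if src6 not in self.v6_to_v4:
            if not self.free:
                return None                           # pool exhausted
            self.v6_to_v4[src6] = self.free.pop(0)    # dynamic mapping
        return self.v6_to_v4[src6]

    def outbound(self, src6, dst6):
        """IPv6 -> IPv4 packet. Returns (src4, dst4) or None if not translated."""
        src6, dst6 = ipaddress.IPv6Address(src6), ipaddress.IPv6Address(dst6)
        if dst6 not in self.prefix:
            return None                               # prefix differs: no translation
        # The destination is resolved first so a failure never consumes a pool address.
        dst4 = self._translate_destination(dst6)
        if dst4 is None:
            return None
        src4 = self._translate_source(src6)
        if src4 is None:
            return None
        self.sessions[(dst4, src4)] = (dst6, src6)    # keyed as the reply will appear
        return str(src4), str(dst4)

    def inbound(self, src4, dst4):
        """Reply from the IPv4 host. Returns (src6, dst6) or None without a session."""
        hit = self.sessions.get((ipaddress.IPv4Address(src4),
                                 ipaddress.IPv4Address(dst4)))
        return None if hit is None else (str(hit[0]), str(hit[1]))


if __name__ == "__main__":
    gw = NatPt("3001::/96", v6bound={"2001::2": "8.0.0.5"},
               v4bound={"8.0.0.2": "3001::5"})
    print(gw.outbound("2001::2", "3001::5"))   # static mappings on both sides
    print(gw.inbound("8.0.0.2", "8.0.0.5"))    # reply restored from the session
```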
Configuring Mappings for IPv4 Hosts Accessing IPv6 Hosts
Mappings for IPv4 hosts accessing IPv6 hosts refer to the IPv4-to-IPv6 NAT of
packets. When a packet is sent from an IPv4 network to an IPv6 network, the
source IPv4 address is translated to an IPv6 address in accordance with the
configured mappings.
There are static and dynamic mappings for IPv4 hosts to access IPv6 hosts.
Follow these steps to configure mappings for IPv4 hosts accessing IPv6 hosts:
To do...    Use the command...    Remarks
Enter system view    system-view    -
Configure mappings for IPv4 hosts accessing IPv6 hosts (configure either static mappings or dynamic mappings):
Configure static mappings for IPv4 hosts accessing IPv6 hosts    natpt v4bound static { ipv4-address ipv6-address | v6server protocol protocol-type ipv4-address ipv4-port-number ipv6-address ipv6-port-number }
Configure dynamic mappings for IPv4 hosts accessing IPv6 hosts    natpt v4bound dynamic acl number acl-number prefix natpt-prefix
Configuring Mappings for IPv6 Hosts Accessing IPv4 Hosts
Mappings for IPv6 hosts accessing IPv4 hosts refer to the IPv6-to-IPv4 NAT of
packets. When a packet is sent from an IPv6 network to an IPv4 network, the source
IPv6 address is translated to an IPv4 address in accordance with the configured
mappings.
There are static and dynamic mappings for IPv6 hosts accessing IPv4 hosts.
If the source IPv6 address of a packet matches the specified IPv6 ACL, the source
IPv6 address will be translated into an IPv4 address of the specified address pool.
If the source IPv6 address of a packet matches the specified IPv6 ACL, the source
IPv6 address will be translated into an IPv4 address of the specified interface.
If the destination IPv6 address of a packet contains a NAT-PT prefix, the source IPv6
address will be translated into an IPv4 address of the specified address pool.
If the destination IPv6 address of a packet contains a NAT-PT prefix, the source IPv6
address will be translated into an IPv4 address of the specified interface.
Follow these steps to configure mappings for IPv6 hosts accessing IPv4 hosts:
Follow these steps to configure dynamic mapping for IPv6 hosts accessing IPv4
hosts:
Configuring the NAT-PT Session Timeout Time for Different Protocol Packets
You can set the timeout time for NAT-PT sessions of different protocol packets
according to the actual conditions. NAT-PT will stop after the NAT-PT session of a
specified protocol packet times out.
Follow these steps to configure NAT-PT session timeout time for different protocol
packets:
Configuring the Maximum Number of Sessions
You can set the maximum number of concurrent sessions that the system allows.
When the number of concurrent sessions reaches the maximum number, no new
session can be established.
Configuring the ToS/Traffic Class Field in a Packet After NAT-PT
You can set the ToS/Traffic Class field in packets after NAT-PT to 0 or to the value
of the corresponding Traffic Class/ToS field in packets before NAT-PT.
Follow these steps to set the ToS and Traffic Class fields in packets after NAT-PT:
Displaying and Maintaining NAT-PT
To do...    Use the command...    Remarks
Display all NAT-PT configuration information    display natpt all    Available in any view
Display the configuration information of a NAT-PT address pool    display natpt address-group    Available in any view
Display the static and dynamic NAT-PT address mappings    display natpt address-mapping    Available in any view
NAT-PT Configuration Example
Network diagram
[Diagram: S2/0 8.0.0.1/24 (IPv4 network); S2/1 2001::1/64 (IPv6 network)]
Configuration procedure
■ Configure Router A in the IPv4 network
<RouterA> system-view
[RouterA] interface serial 2/0
[RouterA-Serial2/0] ip address 8.0.0.2 255.255.255.0
[RouterA-Serial2/0] quit
■ Configure Router C in the IPv6 network
<RouterC> system-view
[RouterC] ipv6
[RouterC] interface serial 2/0
[RouterC-Serial2/0] ipv6 address 2001::2/64
[RouterC-Serial2/0] quit
■ Configure Router B
<RouterB> system-view
[RouterB] ipv6
[RouterB] interface serial 2/0
[RouterB-Serial2/0] ip address 8.0.0.1 255.255.255.0
[RouterB-Serial2/0] natpt enable
[RouterB-Serial2/0] quit
[RouterB] interface serial 2/1
[RouterB-Serial2/1] ipv6 address 2001::1/64
[RouterB-Serial2/1] natpt enable
[RouterB-Serial2/1] quit
Verification
If you carry out the ping ipv6 3001::0800:0002 command on Router C after
completing the configurations above, you should receive a response packet.
At this time, you can see on Router B the established NAT-PT session.
Network diagram
Figure 203 Network diagram for NAT-PT (static IPv4-to-IPv6 and IPv6-to-IPv4 mappings)
[Diagram: Router A S2/0 8.0.0.2/24 (IPv4 network); Router B S2/0 8.0.0.1/24 and
S2/1 2001::1/64; Router C S2/0 2001::2/64 (IPv6 network)]
Configuration procedure
■ Configure Router A in the IPv4 network
<RouterA> system-view
[RouterA] interface serial 2/0
[RouterA-Serial2/0] ip address 8.0.0.2 255.255.255.0
[RouterA-Serial2/0] quit
[RouterA] ip route-static 0.0.0.0 0 serial 2/0
■ Configure Router C in the IPv6 network
<RouterC> system-view
[RouterC] ipv6
[RouterC] interface serial 2/0
[RouterC-Serial2/0] ipv6 address 2001::2/64
[RouterC-Serial2/0] quit
[RouterC] ipv6 route-static :: 0 serial 2/0
■ Configure Router B
<RouterB> system-view
[RouterB] ipv6
[RouterB] interface serial 2/0
[RouterB-Serial2/0] ip address 8.0.0.1 255.255.255.0
[RouterB-Serial2/0] natpt enable
[RouterB-Serial2/0] quit
[RouterB] interface serial 2/1
[RouterB-Serial2/1] ipv6 address 2001::1/64
[RouterB-Serial2/1] natpt enable
[RouterB-Serial2/1] quit
Verification
After completing the above configurations, you can receive responses when you use
the ping 8.0.0.5 command on Router A, and you can view the following NAT-PT
session information on Router B using the display command.
[RouterB] display natpt session all
NATPT Session Info:
No IPV6Source IPV4Source Pro
IPV6Destination IPV4Destination
1 3001::0005 ^ 0 8.0.0.2 ^ 0 ICMP
2001::0002 ^ 0 8.0.0.5 ^ 0
Using the ping ipv6 3001::5 command on Router C, you can receive response packets,
and you can view the following NAT-PT session information on Router B using the
display command.
Troubleshooting NAT-PT
Symptom:
NAT-PT is abnormal.
Solution:
■ Enable debugging for NAT-PT.
■ Locate the fault according to the debugging information of the device, and
then make further judgments by using other commands. During debugging,
check whether the source address of a packet is translated correctly. If not, it is
possible that the address pool is configured incorrectly.
Dual Stack Overview
Dual stack is the most direct approach to making IPv6 nodes compatible with IPv4
nodes. The best way for an IPv6 node to be compatible with an IPv4 node is to
maintain a complete IPv4 stack. A network node that supports both IPv4 and IPv6
is called a dual stack node. A dual stack node configured with an IPv4 address and
an IPv6 address can have both IPv4 and IPv6 packets transmitted.
For an upper layer application supporting both IPv4 and IPv6, either TCP or UDP
can be selected at the transport layer, while IPv6 stack is preferred at the network
layer. Figure 204 illustrates the IPv4/IPv6 dual stack in relation to the IPv4 stack.
Figure 204 IPv4/IPv6 dual stack in relation to IPv4 stack (on Ethernet)
Configuring Dual Stack
You must enable the IPv6 packet forwarding function before configuring dual stack.
Otherwise, the device cannot forward IPv6 packets even if IPv6 addresses are
configured for interfaces.
CAUTION: For more information about IPv6 address, refer to “Introduction to IPv6
Address” on page 657.
Introduction to Tunneling
The expansion of the Internet results in scarce IPv4 addresses. Although
technologies such as temporary IPv4 address allocation and network address
translation (NAT) relieve the problem of IPv4 address shortage to some extent, they
not only increase the overhead in address resolution and processing, but also lead
to high-level application failures. Furthermore, they will still face the problem that
IPv4 addresses will eventually be used up. Internet protocol version 6 (IPv6)
adopting the 128-bit addressing scheme completely solves the above problem.
Since significant improvements have been made in address space, security,
network management, mobility, and QoS, IPv6 becomes one of the core standards
for the next generation Internet protocol. IPv6 is compatible with all protocols
except IPv4 in the TCP/IP suite. Therefore, IPv6 can completely take the place of
IPv4.
Before IPv6 becomes the dominant protocol, the network using the IPv6 protocol
stack is expected to communicate with the Internet using IPv4. Therefore, an
IPv6-IPv4 interworking technology must be developed to ensure the smooth
transition from IPv4 to IPv6. In addition, the interworking technology should
provide efficient, seamless information transfer. The Internet Engineering Task
Force (IETF) set up the next generation transition (NGTRANS) working group to
study problems about IPv4-to-IPv6 transition and efficient, seamless IPv4-IPv6
interworking. Currently, multiple transition technologies and interworking
solutions are available. With their own characteristics, they are used to solve
communication problems in different transition stages under different
environments.
Currently, there are three major transition technologies: dual stack (RFC2893),
tunneling (RFC2893), and NAT-PT (RFC2766).
NOTE:
■ For related configuration about the dual protocol stack, refer to “Dual Stack
Configuration” on page 691.
■ For related configuration about NAT-PT, refer to “Configuring NAT-PT” on page
681.
■ In addition, the device supports IPv6 on the provider edge routers (6PE) - a
transition technology.
CAUTION: The devices at both ends of an IPv6 over IPv4 tunnel must support
IPv4/IPv6 dual stack.
[Figure: IPv6 over IPv4 tunnel. Two IPv6 networks are connected across an IPv4 network by an IPv6 over IPv4 tunnel between two dual stack routers.]
The IPv6 over IPv4 tunnel processes packets in the following way:
1 A host in the IPv6 network sends an IPv6 packet to the device at the source end of
the tunnel.
2 After determining from the routing table that the packet needs to be
forwarded through the tunnel, the device at the source end of the tunnel
encapsulates the IPv6 packet with an IPv4 header and forwards it through the
physical interface of the tunnel.
3 The encapsulated packet goes through the tunnel to reach the device at the
destination end of the tunnel. The device at the destination end decapsulates the
packet if the destination address of the encapsulated packet is the device itself.
4 The device at the destination end of the tunnel forwards the packet according to
the destination address in the decapsulated IPv6 packet. If the destination address
is the device itself, the device at the destination end forwards the IPv6 packet to
the upper-layer protocol for processing.
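The four steps above, as an added Python example (not code from this manual or from the device software): the source end prepends an IPv4 header carrying protocol number 41, and the destination end checks the outer header before decapsulating and deciding between forwarding and local delivery. The function names are hypothetical, and the sample packet is constructed from the 6to4 example addresses used later in this chapter (tunnel ends 2.1.1.1 and 5.1.1.1).

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv4 protocol number for an encapsulated IPv6 packet
IPV4_HEADER = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ipv4_checksum(header):
    """One's-complement checksum over the header's 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv6(src, dst, payload):
    """Step 1: a minimal IPv6 packet (next header 59 = no next header)."""
    first_word = 6 << 28  # version 6, traffic class 0, flow label 0
    return (struct.pack("!IHBB", first_word, len(payload), 59, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed
            + payload)


def encapsulate(ipv6_packet, tunnel_src, tunnel_dst):
    """Step 2: the source end of the tunnel prepends an IPv4 header."""
    total_len = 20 + len(ipv6_packet)
    if total_len > 0xFFFF:
        raise ValueError("packet too large for one IPv4 datagram")
    fields = [0x45, 0, total_len, 0, 0, 255, IPPROTO_IPV6, 0,
              ipaddress.IPv4Address(tunnel_src).packed,
              ipaddress.IPv4Address(tunnel_dst).packed]
    fields[7] = ipv4_checksum(struct.pack(IPV4_HEADER, *fields))
    return struct.pack(IPV4_HEADER, *fields) + ipv6_packet


def receive_at_tunnel_end(packet, local_v4, local_v6):
    """Steps 3 and 4 at the destination end. Returns (action, inner_packet)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop", None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if (ihl < 20 or total_len < ihl or total_len > len(packet)
            or ipv4_checksum(packet[:ihl]) != 0):
        return "drop", None
    # Step 3: decapsulate only if the outer destination is this device
    # and the outer header announces an IPv6 passenger packet.
    outer_dst = ipaddress.IPv4Address(packet[16:20])
    if packet[9] != IPPROTO_IPV6 or outer_dst != ipaddress.IPv4Address(local_v4):
        return "not-tunnel-traffic", None  # handled by ordinary IPv4 forwarding
    inner = packet[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "drop", None  # passenger is not a complete IPv6 packet
    # Step 4: act on the destination address of the decapsulated packet.
    inner_dst = ipaddress.IPv6Address(inner[24:40])
    if inner_dst == ipaddress.IPv6Address(local_v6):
        return "deliver-local", inner
    return "forward", inner


if __name__ == "__main__":
    # Constructed sample: Host A to Host B across the tunnel 2.1.1.1 -> 5.1.1.1.
    inner = build_ipv6("2002:201:101:1::2", "2002:501:101:1::2", b"constructed payload")
    outer = encapsulate(inner, "2.1.1.1", "5.1.1.1")
    action, pkt = receive_at_tunnel_end(outer, "5.1.1.1", "2002:501:101:1::1")
    print(action, len(outer), pkt == inner)
```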
According to the way the IPv4 address of the tunnel destination is acquired,
tunnels are divided into configured tunnels and automatic tunnels.
■ If the tunnel destination is not the eventual destination of the IPv6 packet, the
device at the destination end of the tunnel (usually a router) will decapsulate
the IPv6 packet and forward it to the eventual destination after the IPv6 packet
reaches the tunnel destination. In this case, the IPv4 address of the tunnel
destination cannot be acquired from the destination address of the IPv6 packet
and it needs to be configured manually. Such a tunnel is called a configured
tunnel.
■ If the tunnel destination is just the eventual destination of the IPv6 packet, an
IPv4 address can be embedded into an IPv6 address so that the IPv4 address of
the tunnel destination can automatically be acquired from the destination
address of the IPv6 packet. Such a tunnel is called an automatic tunnel.
Type
According to the way an IPv6 packet is encapsulated, IPv6 over IPv4 tunnels are
divided into the following types:
■ IPv6 manually configured tunnel
■ Automatic IPv4-compatible IPv6 tunnel
■ 6to4 tunnel
■ ISATAP tunnel
■ IPv6-over-IPv4 GRE tunnel (GRE tunnel for short)
Among the above tunnels, the IPv6 manually configured tunnel and GRE tunnel
are configured tunnels, while the automatic IPv4 compatible IPv6 tunnel, 6to4
tunnel, and intra-site automatic tunnel address protocol (ISATAP) tunnel are
automatic tunnels.
3 6to4 tunnel
■ Ordinary 6to4 tunnel
Since the 16-bit subnet number of the 64-bit address prefix in 6to4 addresses can
be customized and the first 48 bits in the address prefix are fixed by a permanent
value and the IPv4 address of the tunnel source or destination, it is possible that
IPv6 packets can be forwarded by the tunnel. A 6to4 tunnel interconnects IPv6
networks and overcomes the limitations of an automatic IPv4-compatible IPv6
tunnel.
■ 6to4 relay
A 6to4 tunnel can connect networks whose address prefix is 2002::/16. However,
IPv6 network addresses with the prefix such as 2001::/16 may also be used in IPv6
networks. In order for these addresses to be reachable, a 6to4 router must be used
as a gateway to forward packets to IPv6 networks. Such a router is called 6to4
relay router. As shown in Figure 206, a static route must be configured on the
border routers in the 6to4 network and the next-hop address must be the 6to4
address of the 6to4 relay router. In this way, all packets destined for the IPv6
network will be forwarded to the 6to4 relay router, and then to the IPv6 network.
Thus, interworking between the 6to4 network (with the address prefix starting
with 2002) and the IPv6 network is realized.
[Figure: 6to4 tunnel and 6to4 relay; surviving labels: 6to4 router, 6to4 network, Site 2, Router B, 6to4 tunnel]
4 ISATAP tunnel
With the application of the IPv6 technology, there will be more and more IPv6
hosts in the existing IPv4 network. The ISATAP tunneling technology provides a
satisfactory solution for IPv6 application. An ISATAP tunnel is a point-to-point
automatic tunnel. The destination of a tunnel can automatically be acquired from
the embedded IPv4 address in the destination address of an IPv6 packet. When an
ISATAP tunnel is used, the destination address of an IPv6 packet and the IPv6
address of a tunnel interface both adopt special addresses: ISATAP addresses. The
ISATAP address format is prefix(64bit):0:5EFE:ip-address. The ip-address is in the
form of a.b.c.d or abcd:efgh, where abcd:efgh represents a 32-bit source IPv4
address. Through the embedded IPv4 address, an ISATAP tunnel can automatically
be created to transfer IPv6 packets. The ISATAP tunnel is mainly used for
connections between IPv6 routers or between a host and an IPv6 router in the IPv4
network.
[Figure: ISATAP tunnel. An IPv6 host in the IPv6 network reaches, through the ISATAP router and an ISATAP tunnel across the IPv4 network, an IPv4/IPv6 host with IPv4 address 2.1.1.1/24 and IPv6 addresses FE80::5EFE:0201:0101 and 3FFE::5EFE:0201:0101.]
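How an automatic tunnel obtains its IPv4 destination from an IPv6 address, for the IPv4-compatible, 6to4 and ISATAP formats described above. This is an added Python example, not the router's implementation; the function names and the rejection of unusable embedded addresses (0.0.0.0/8, loopback, multicast) are assumptions.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")   # fixed 16-bit value of 6to4 prefixes
V4_COMPATIBLE = ipaddress.ip_network("::/96")     # ::a.b.c.d
ISATAP_MARK = b"\x00\x00\x5e\xfe"                 # the 0:5EFE part of prefix:0:5EFE:ip-address
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")


def sixto4_prefix(ipv4):
    """48-bit 6to4 prefix: 2002 followed by the 32-bit IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Network((b"\x20\x02" + v4.packed + bytes(10), 48))


def isatap_address(prefix, ipv4):
    """ISATAP address: 64-bit prefix, then 0:5EFE, then the IPv4 address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP addresses use a 64-bit prefix")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + ISATAP_MARK + v4.packed)


def tunnel_destination(tunnel_type, next_hop):
    """IPv4 tunnel destination embedded in an IPv6 destination or next-hop address.

    tunnel_type is the type of the tunnel interface the route points to:
    "ipv4-compatible", "6to4" or "isatap". Raises ValueError when the address
    does not have the format that tunnel type needs.
    """
    addr = ipaddress.IPv6Address(next_hop)
    raw = addr.packed
    if tunnel_type == "6to4":
        if addr not in SIX_TO_FOUR:
            # e.g. 2001::2: reachable only through a route whose next hop
            # is the 6to4 address of a 6to4 relay router
            raise ValueError("%s is not a 6to4 address" % addr)
        v4 = ipaddress.IPv4Address(raw[2:6])
    elif tunnel_type == "isatap":
        if raw[8:12] != ISATAP_MARK:
            raise ValueError("%s is not an ISATAP address" % addr)
        v4 = ipaddress.IPv4Address(raw[12:16])
    elif tunnel_type == "ipv4-compatible":
        if addr not in V4_COMPATIBLE:
            raise ValueError("%s is not an IPv4-compatible address" % addr)
        v4 = ipaddress.IPv4Address(raw[12:16])
    else:
        raise ValueError("unknown tunnel type: %s" % tunnel_type)
    # Assumption of this example: these can never be a tunnel end point.
    if v4 in THIS_NETWORK or v4.is_loopback or v4.is_multicast:
        raise ValueError("embedded IPv4 address %s is not usable" % v4)
    return v4


if __name__ == "__main__":
    print(sixto4_prefix("2.1.1.1"))
    print(isatap_address("2001::/64", "2.1.1.2"))
    for kind, dst in [("6to4", "2002:501:101:1::2"),
                      ("isatap", "FE80::5EFE:0201:0101"),
                      ("ipv4-compatible", "::2.1.1.1")]:
        print(kind, dst, "->", tunnel_destination(kind, dst))
```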
5 GRE tunnel
IPv6 packets can be carried over GRE tunnels to pass through the IPv4 network by
using standard GRE protocol to encapsulate them. Like the IPv6 manually
configured tunnel, a GRE tunnel is a point-to-point link, too. Each link is a separate
tunnel. The GRE tunnel is mainly used for stable connections requiring regular
secure communication between border routers or between a host and a border
router. For related configurations, refer to “GRE Configuration” on page 1589.
IPv4 over IPv4 Tunnel
Introduction to IPv4 over IPv4 tunneling protocol
IPv4 over IPv4 tunneling protocol (RFC1853) is developed for IP data packet
encapsulation so that data can be transferred from one IPv4 network to another
IPv4 network.
[Figure: IPv4 over IPv4 tunnel. Two IPv4 networks are connected across an IPv4 network by an IPv4 tunnel between Router A and Router B.]
1 The IP packet received from the IPv4 network interface is sent to the IP protocol
stack which checks the protocol number in the IP header.
2 If the protocol number is IPv4, the IP packet is sent to the tunnel module for
decapsulation.
3 The decapsulated IP packet is sent back to the IP protocol stack for processing.
[Figure: network diagram showing Host A and Host B]
1 The packet received from the IPv6 network interface is sent to the IPv6 module for
processing.
2 If the passenger protocol is IPv4 or IPv6, the packet is sent to the tunnel processing
module for decapsulation.
3 The decapsulated packet is sent to the corresponding protocol module for the
secondary route processing.
CAUTION: GRE can realize the IPv4/IPv6 over IPv6 tunnel function. For related
configurations, refer to “GRE Configuration” on page 1589.
6PE Overview
IPv6 on the provider edge routers (6PE) is a transition technology by which Internet
service providers (ISPs) can use existing IPv4 backbone networks to provide the
access capability for sparsely populated IPv6 networks.
The major concept of the 6PE is that the IPv6 routing information of users is
converted into IPv6 routing information with labels and is spread into IPv4
backbone networks of ISPs through internal border gateway protocol (IBGP)
sessions. When IPv6 packets are forwarded, traffic will be labeled after entering
tunnels of backbone networks. The tunnels can be GRE tunnels or MPLS LSPs.
[Figure: 6PE network. At each customer site, an IPv6 network connects through a CE to a 6PE router; the two 6PE routers run IBGP across the IPv4/MPLS network.]
NOTE: “P” in the above figure refers to a backbone router in the network of a service
provider. P is not directly connected with a CE and is required to have the basic
MPLS capability.
When an ISP wants to utilize the existing IPv4/MPLS network to provide IPv6 traffic
switching capability through MPLS, only the PE routers need to be upgraded.
Therefore, it is undoubtedly a highly efficient solution that ISPs use the 6PE
technology as an IPv6 transition mechanism. Furthermore, the operation risk of
the 6PE technology is very low.
Configuring an IPv6 Manually Configured Tunnel
Configuration Prerequisites
IP addresses are configured for interfaces such as VLAN interface, Ethernet
interface, and loopback interface on the device so that they can communicate.
These interfaces serve as the source interface of a tunnel interface to ensure that
the tunnel destination address is reachable.
Configuration Procedure
Follow these steps to configure an IPv6 manually configured tunnel:
NOTE: For the configuration of MTU of IPv6 packets sent over a tunnel interface, refer to
the ipv6 mtu command in “Configuring the Interface MTU” on page 670.
CAUTION:
■ After a tunnel interface is deleted, all the above features configured on the
tunnel interface will be deleted.
■ If the addresses of the tunnel interfaces at the two ends of a tunnel are not in
the same subnet, a forwarding route through the tunnel to the peer must be
configured so that the encapsulated packet can be forwarded normally. You
can configure static or dynamic routes. IP addresses must be configured at
both ends of the tunnel. For detailed configuration, refer to “Static Routing
and Dynamic Routing” on page 817.
■ When you configure a static route, you need to configure a route to the
destination address (the destination IPv6 address of the packet, instead of the
IPv4 address of the tunnel destination) and set the next-hop to the tunnel
interface number or network address at the local end of the tunnel. Such
configurations must be performed at both ends of the tunnel.
■ The destination address of a tunnel packet must not be within the subnet of
the tunnel interfaces.
■ Before configuring dynamic routes, you must enable the dynamic routing
protocol on the tunnel interfaces at both ends. For related configurations, refer
to “Static Routing and Dynamic Routing” on page 817.
■ The destination address of the route configured on the tunnel interface and
the address of the tunnel interface must not be in the same subnet.
Network diagram
[Figure: Router A and Router B connected across an IPv4 network]
Configuration procedure
The following example shows how to configure an IPv6 manually configured
tunnel between Router A and Router B. Before configuration, you must specify IP
addresses for the source and destination of the tunnel.
■ Configuration on Router A
<RouterA> system-view
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] ip address 192.168.100.1 255.255.255.0
[RouterA-Ethernet1/0] quit
[RouterA] ipv6
■ Configuration on Router B
<RouterB> system-view
[RouterB] interface ethernet 1/0
[RouterB-Ethernet1/0] ip address 192.168.50.1 255.255.255.0
[RouterB-Ethernet1/0] quit
[RouterB] ipv6
Configuration verification
After the above configurations, display the status of the tunnel interfaces on
Router A and Router B, respectively:
[RouterA] display ipv6 interface tunnel 0
Tunnel0 current state :UP
Line protocol current state :UP
IPv6 is enabled, link-local address is FE80::C0A8:6401
Global unicast address(es):
3001::1, subnet is 3001::/64
Joined group address(es):
FF02::1:FFA8:6401
FF02::1:FF00:1
FF02::2
FF02::1
MTU is 1500 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
FF02::1:FFA8:3201
FF02::1:FF00:2
FF02::2
FF02::1
MTU is 1500 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
# Ping the IPv6 address of the peer tunnel interface from Router A:
Configuring Automatic IPv4-Compatible IPv6 Tunnel
Configuration Prerequisites
IP addresses are configured for interfaces such as VLAN interface, Ethernet
interface, and loopback interface on the device so that they can communicate.
These interfaces serve as the source interface of the virtual tunnel interface to
ensure that the tunnel destination address is reachable.
Configuration Procedure
Follow these steps to configure an automatic IPv4-compatible IPv6 tunnel:
NOTE: For the configuration of the MTU of IPv6 packets sent over a tunnel interface, refer
to the ipv6 mtu command in “Configuring the Interface MTU” on page 670.
CAUTION:
■ Only one automatic tunnel can be created at the same tunnel source.
■ No destination address needs to be configured for an automatic
IPv4-compatible IPv6 tunnel.
■ If the addresses of the tunnel interfaces at the two ends of a tunnel are not in
the same subnet, a forwarding route through the tunnel to the peer must be
configured so that the encapsulated packet can be forwarded normally. You
can configure static or dynamic routes. For the detailed configuration, refer to
“Static Routing and Dynamic Routing” on page 817.
■ The automatic tunnel interfaces encapsulated with the same protocol cannot
share the same source IP address.
■ Automatic tunnels do not support dynamic routing.
■ When you configure a static route, you need to configure a route to the
destination address (the destination IP address of the packet, instead of the
IPv4 address of the tunnel destination) and set the next-hop to the tunnel
interface number or network address at the local end of the tunnel. Such a
route must be configured at both ends of the tunnel.
Network diagram
Configuration procedure
The following example shows how to configure an automatic IPv4-compatible IPv6
tunnel between Router A and Router B. No address needs to be specified for the
tunnel destination because the destination address can automatically be obtained
from the IPv4 address embedded in the IPv4-compatible IPv6 address.
■ Configuration on Router A
<RouterA> system-view
[RouterA] ipv6
■ Configuration on Router B
<RouterB> system-view
[RouterB] ipv6
Configuration verification
After the above configurations, display the status of the tunnel interfaces on
Router A and Router B, respectively.
[RouterA] display ipv6 interface tunnel 0
Tunnel0 current state :UP
Line protocol current state :UP
IPv6 is enabled, link-local address is FE80::201:101
Global unicast address(es):
::2.1.1.1, subnet is ::/96
Joined group address(es):
FF02::1:FF01:101
FF02::2
FF02::1
MTU is 1500 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
# Ping the IPv4-compatible IPv6 address of the peer tunnel interface from Router
A.
Configuring 6to4 Tunnel
Configuration Prerequisites
IP addresses are configured for interfaces such as VLAN interface, Ethernet
interface, and loopback interface on the device so that they can communicate.
These interfaces serve as the source interface of the tunnel to ensure that the
tunnel destination address is reachable.
NOTE: For the configuration of the MTU of IPv6 packets sent over a tunnel interface, refer
to the ipv6 mtu command in “Configuring the Interface MTU” on page 670.
CAUTION:
■ Only one automatic tunnel can be configured at the same tunnel source.
■ No destination address needs to be configured for an automatic tunnel
because the destination address can automatically be obtained from the IPv4
address embedded in the IPv4-compatible IPv6 address.
■ If the addresses of the tunnel interfaces at the two ends of a tunnel are not in
the same subnet, a forwarding route through the tunnel to the peer must be
configured so that the encapsulated packet can be forwarded normally. You
can configure static or dynamic routes. For the detailed configuration, refer to
“Static Routing and Dynamic Routing” on page 817.
■ The automatic tunnel interfaces encapsulated with the same protocol cannot
share the same source IP address.
■ Automatic tunnels do not support dynamic routing.
■ When you configure a static route, you need to configure a route to the
destination address (the destination IP address of the packet, instead of the
IPv4 address of the tunnel destination) and set the next-hop to the tunnel
interface number or network address at the local end of the tunnel. Such a
route must be configured at both ends of the tunnel.
Network diagram
[Figure: Router A and Router B are 6to4 routers connected across an IPv4 network.
Router A: Eth1/0 2.1.1.1/24, Eth1/1 2002:0201:0101:1::1/64; Host A: 2002:0201:0101:1::2/64.
Router B: Eth1/0 5.1.1.1/24, Eth1/1 2002:0501:0101:1::1/64; Host B: 2002:0501:0101:1::2/64.]
Configuration procedure
The following example shows how to configure a 6to4 tunnel between border
routers on isolated IPv6 networks. After the IPv4 address 2.1.1.1 is converted into
an IPv6 address, the address prefix is 2002:0201:0101::/64. The configured static
route directs all traffic destined for the IPv6 address with the prefix 2002::/16 to
the tunnel interface of the 6to4 tunnel.
■ Configuration on Router A.
<RouterA> system-view
[RouterA] ipv6
■ Configuration on Router B
<RouterB> system-view
[RouterB] ipv6
Configuration verification
After the above configuration, ping Host B from Host A or ping Host A from Host
B.
D:\>ping6 -s 2002:201:101:1::2 2002:501:101:1::2
Pinging 2002:501:101:1::2
from 2002:201:101:1::2 with 32 bytes of data:
Network diagram
[Figure: Router A (6to4 router) and Router B (6to4 relay) are connected across an IPv4 network.
Router A: Eth1/0 2.1.1.1/24, Eth1/1 2002:0201:0101:1::1/64; Host A: 2002:0201:0101:1::2/64.
Router B: Eth1/0 6.1.1.1/24, Eth1/1 2001::1/64; Host B: 2001::2/16.]
Configuration procedure
The configuration on a 6to4 relay router is the same as that on an ordinary 6to4
router. However, a 6to4 relay router can be connected to not only a 6to4 network,
but also an IPv6 network.
In order for the 6to4 network connecting Router A to communicate with the IPv6
network connecting Router B, you need to configure a static route on Router A
and specify the next-hop address for the static route as the address of the
interface tunnel 0 of the 6to4 router.
■ Configuration on Router A
<RouterA> system-view
[RouterA] ipv6
■ Configuration on Router B
<RouterB> system-view
[RouterB] ipv6
<RouterB> system-view
[RouterB] ipv6
[RouterB] interface ethernet 1/0
[RouterB-Ethernet1/0] ip address 6.1.1.1 255.255.255.0
[RouterB-Ethernet1/0] quit
Configuration verification
After the above configuration, ping Host B from Host A.
D:\>ping6 -s 2002:201:101:1::2 2001::2
Pinging 2001::2
from 2002:201:101:1::2 with 32 bytes of data:
Configuring ISATAP Tunnel
Configuration Prerequisites
IP addresses are configured for interfaces such as VLAN interface, Ethernet
interface, and loopback interface on the device so that they can communicate.
These interfaces serve as the source interface of the tunnel to ensure that the
tunnel destination address is reachable.
NOTE: For the configuration of the MTU of IPv6 packets sent over a tunnel interface, refer
to the ipv6 mtu command in “Configuring the Interface MTU” on page 670.
CAUTION:
■ If the addresses of the tunnel interfaces at the two ends of a tunnel are not in
the same subnet, a forwarding route through the tunnel to the peer must be
configured so that the encapsulated packet can be forwarded normally. You
can configure static or dynamic routes. For the detailed configuration, refer to
“Static Routing and Dynamic Routing” on page 817.
■ The automatic tunnel interfaces encapsulated with the same protocol cannot
share the same source IP address.
■ Automatic tunnels do not support dynamic routing.
■ When you configure a static route, you need to configure a route to the
destination address (the destination IP address of the packet, instead of the
IPv4 address of the tunnel destination) and set the next-hop to the tunnel
interface number or network address at the local end of the tunnel. Such a
route must be configured at both ends of the tunnel.
Network diagram
[Figure: the ISATAP router connects to the IPv6 network through Eth1/0 (3001::1/64) and to the IPv4 network through Eth1/1 (2.1.1.1/8).]
Configuration procedure
The following example shows how to configure an ISATAP tunnel between the
router and the ISATAP host, which allows a separate ISATAP host to access the IPv6
network.
■ Configuration on the ISATAP router
<Router> system-view
[Router] ipv6
# Disable the RA suppression so that hosts can acquire information such as the
address prefix from the RA message released by the ISATAP router.
The specific configuration on the ISATAP host depends on its operating system.
The following example shows the configuration of a host running Windows XP.
C:\>ipv6 if 2
Interface 2: Automatic Tunneling Pseudo-Interface
{48FCE3FC-EC30-E50E-F1A7-71172AEEE3AE}
does not use Neighbor Discovery
does not use Router Discovery
routing preference 1
EUI-64 embedded IPv4 address: 0.0.0.0
router link-layer address: 0.0.0.0
preferred link-local fe80::5efe:2.1.1.2, life infinite
link MTU 1280 (true link MTU 65515)
current hop limit 128
reachable time 42500ms (base 30000ms)
retransmission interval 1000ms
DAD transmits 0
After carrying out the above command, look at the information on the ISATAP
interface.
C:\>ipv6 if 2
Interface 2: Automatic Tunneling Pseudo-Interface
{48FCE3FC-EC30-E50E-F1A7-71172AEEE3AE}
does not use Neighbor Discovery
uses Router Discovery
routing preference 1
EUI-64 embedded IPv4 address: 2.1.1.2
router link-layer address: 2.1.1.1
preferred global 2001::5efe:2.1.1.2, life 29d23h59m46s/6d23h59m46s (public)
preferred link-local fe80::5efe:2.1.1.2, life infinite
link MTU 1500 (true link MTU 65515)
current hop limit 255
reachable time 42500ms (base 30000ms)
retransmission interval 1000ms
DAD transmits 0
# By comparison, it is found that the host acquires the address prefix 2001::/64
and automatically generates the address 2001::5efe:2.1.1.2. Meanwhile, “uses
Router Discovery” is displayed, indicating that the router discovery function is
enabled on the host. At this time, ping the IPv6 address of the tunnel interface of
the router. If the address is successfully pinged, an ISATAP tunnel is established.
Configuration verification
After the above configuration, the ISATAP host can access the host in the IPv6
network.
Configuration Prerequisites
IP addresses are configured for interfaces such as VLAN interface, Ethernet
interface, and loopback interface on the device so that they can communicate.
These interfaces serve as the source interface of the tunnel to ensure that the
tunnel destination address is reachable.
Configuration Procedure
Follow these steps to configure an IPv4 over IPv4 tunnel:
CAUTION:
■ If the addresses of the tunnel interfaces at the two ends of a tunnel are not in
the same subnet, a forwarding route through the tunnel to the peer must be
configured so that the encapsulated packet can be forwarded normally. You
can configure static or dynamic routes. For the detailed configuration, refer to
“Static Routing and Dynamic Routing” on page 817.
■ Two or more tunnel interfaces using the same encapsulation protocol must
have different source and destination addresses.
■ If the tunnel interface is the source interface, the source address is the primary
IP address of the source interface.
■ Before configuring dynamic routes, you must enable the dynamic routing
protocol on the tunnel interfaces at both ends of the tunnel. Such a route must
be configured at both ends of the tunnel. For related configurations, refer to
related contents in “Static Routing and Dynamic Routing” on page 817.
Network diagram
[Figure: Router A and Router B are connected across an IPv4 network.
Router A: S2/0 2.1.1.1/24, Tunnel1 10.1.2.1/24, Eth1/0 10.1.1.1/24 (IPv4 Group 1).
Router B: S2/1 3.1.1.1/24, Tunnel2 10.1.2.2/24, Eth1/0 10.1.3.1/24 (IPv4 Group 2).]
Configuration procedure
■ Configuration on Router A
<RouterA> system-view
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] ip address 10.1.1.1 255.255.255.0
[RouterA-Ethernet1/0] quit
# Configure an IPv4 address for Serial2/0 (the physical interface of the tunnel).
# Configure a source address for the interface tunnel 1 (IP address of Serial2/0).
# Configure a destination address for the interface tunnel 1 (IP address of Serial
2/1 of Router B).
# Configure a static route from Router A through the interface tunnel 1 to Group
2.
■ Configuration on Router B
<RouterB> system-view
[RouterB] interface ethernet 1/0
[RouterB-Ethernet1/0] ip address 10.1.3.1 255.255.255.0
[RouterB-Ethernet1/0] quit
# Configure an IPv4 address for Serial 2/1 (the physical interface of the tunnel).
# Configure the source address for the interface tunnel 2 (IP address of Serial 2/1).
# Configure a destination address for the interface tunnel 2 (IP address of Serial2/0
of Router A).
# Configure a static route from Router B through the interface tunnel 2 to Group
1.
Configuration verification
After the above configuration, display the status of the tunnel interfaces on Router
A and Router B, respectively.
[RouterA] display interface Tunnel1
Tunnel1 current state: UP
Line protocol current state: UP
Description: Tunnel1 Interface
The Maximum Transmit Unit is 64000
Internet Address is 10.1.2.1/24 Primary
Encapsulation is TUNNEL, aggregation ID not set
Tunnel source 192.13.2.1, destination 131.108.5.2
Tunnel protocol/transport IP/IP
Last 300 seconds input: 0 bytes/sec, 0 packets/sec
Last 300 seconds output: 0 bytes/sec, 0 packets/sec
# Ping the IPv4 address of the peer interface Ethernet1/0 from Router A.
Configuration Prerequisites
IPv6 addresses are configured for interfaces such as VLAN interface, Ethernet
interface, and loopback interface on the device so that they can communicate.
These interfaces serve as the source interface of the tunnel to ensure that the
tunnel destination address is reachable.
Configuration Procedure
Follow these steps to configure an IPv4 over IPv6 tunnel:
NOTE: For the configuration of the MTU of IPv6 packets sent over a tunnel interface, refer
to the ipv6 mtu command in “Configuring the Interface MTU” on page 670.
CAUTION:
■ If the addresses of the tunnel interfaces at the two ends of a tunnel are not in
the same subnet, a forwarding route through the tunnel to the peer must be
configured so that the encapsulated packet can be forwarded normally. You
can configure static or dynamic routes. For the detailed configuration, refer to
“Static Routing and Dynamic Routing” on page 817. Two or more tunnel
interfaces using the same encapsulation protocol must have different source
and destination addresses.
■ If the tunnel interface is the source interface, the source address is the primary
IP address of the source interface.
■ Before configuring dynamic routes, you must enable the dynamic routing
protocol on the tunnel interfaces at both ends of the tunnel. Such a route must
be configured at both ends of the tunnel. For related configurations, refer to
“Static Routing and Dynamic Routing” on page 817.
Network diagram
[Figure: Router A and Router B are connected across an IPv6 network.
Router A: S2/0 2002::1:1/64, Tunnel 1 30.1.2.1/24, Eth1/0 30.1.1.1/24 (IPv4 Group 1).
Router B: S2/1 2002::2:1/24, Tunnel 2 30.1.2.2/24, Eth1/0 30.1.3.1/24 (IPv4 Group 2).]
Configuration procedure
■ Configuration on Router A
<RouterA> system-view
[RouterA] ipv6
# Configure an IPv6 address for Serial2/0 (the physical interface of the tunnel).
# Configure a source address for the interface tunnel 1 (IP address of Serial2/0).
# Configure a destination address for the interface tunnel 1 (IP address of Serial
2/1 of Router B).
# Configure a static route from Router A through the interface tunnel 1 to Group
2.
■ Configuration on Router B
<RouterB> system-view
[RouterB] ipv6
# Configure an IPv6 address for Serial 2/1 (the physical interface of the tunnel).
# Configure the source address for the interface tunnel 2 (IP address of Serial 2/1).
# Configure a destination address for the interface tunnel 2 (IP address of Serial2/0
of Router A).
# Configure a static route from Router B through the interface tunnel 2 to Group
1.
Configuration verification
After the above configuration, display the status of the tunnel interfaces on Router
A and Router B, respectively.
[RouterA] display interface Tunnel1
Tunnel1 current state: UP
Line protocol current state: UP
# Ping the IPv4 address of the peer interface Ethernet1/0 from Router A.
Configuration Prerequisites
IPv6 addresses are configured for interfaces such as VLAN interface, Ethernet
interface, and loopback interface on the device so that they can communicate.
These interfaces serve as the source interface of the tunnel to ensure that the
tunnel destination address is reachable.
Configuration Procedure
Follow these steps to configure an IPv6 over IPv6 tunnel:
NOTE: For the configuration of the MTU of IPv6 packets sent over a tunnel interface, refer
to the ipv6 mtu command in “Configuring the Interface MTU” on page 670.
CAUTION:
■ If the addresses of the tunnel interfaces at the two ends of a tunnel are not in
the same subnet, a forwarding route through the tunnel to the peer must be
configured so that the encapsulated packet can be forwarded normally. You
can configure static or dynamic routes. For the detailed configuration, refer to
“Static Routing and Dynamic Routing” on page 817. Two or more tunnel
interfaces using the same encapsulation protocol must have different source
and destination addresses.
■ If the tunnel interface is the source interface, the source address is the primary
IP address of the source interface.
■ Before configuring dynamic routes, you must enable the dynamic routing
protocol on the tunnel interfaces at both ends of the tunnel. Such a route must
be configured at both ends of the tunnel. For related configurations, refer to
“Static Routing and Dynamic Routing” on page 817.
■ Only the IPv6 over IPv6 tunnel has a maximum number of nested
encapsulations of a packet.
Network diagram
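[Network diagram: Router A (S2/0, 2002::11:1/64) and Router B (S2/1, 2002::22:1/64)
are connected across an IPv6 network. Tunnel 1 (2002:2::1/64) and Tunnel 2
(2002::2:2/64) run between them; the Eth1/0 interfaces (2002:1::1/64 and
2002:3::1/64) connect to IPv6 Group 1 and IPv6 Group 2.]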
Configuration procedure
■ Configuration on Router A
<RouterA> system-view
[RouterA] ipv6
# Configure an IPv6 address for Serial2/0 (the physical interface of the tunnel).
# Configure a source address for the interface tunnel 1 (IP address of Serial2/0).
# Configure a destination address for the interface tunnel 1 (IP address of Serial
2/1 of Router B).
# Configure a static route from Router A through the interface tunnel 1 to Group
2.
<RouterB> system-view
[RouterB] ipv6
# Configure an IPv6 address for Serial 2/1 (the physical interface of the tunnel).
# Configure a source address for the interface tunnel 2 (IP address of Serial 2/1).
# Configure a destination address for the interface tunnel 2 (IP address of Serial2/0
of Router A).
# Configure a static route from Router B through the interface tunnel 2 to Group
1.
Configuration verification
After the above configuration, display the status of the tunnel interfaces on Router
A and Router B, respectively.
[RouterA] display ipv6 interface Tunnel1
Tunnel1 current state :UP
Line protocol current state :UP
IPv6 is enabled, link-local address is FE80::100:1320
Global unicast address(es):
2002:2::1, subnet is 2002:2::/64
Joined group address(es):
FF02::1:FF00:1320
FF02::1:FF00:1
FF02::2
FF02::1
MTU is 1500 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
# Ping the IPv6 address of the peer interface Ethernet1/0 from Router A.
Displaying and Maintaining Tunneling Configuration
To do...                                                           Use the command...                     Remarks
Display information related to a specified tunnel interface        display interface tunnel [ number ]    Available in any view
Display IPv6 information related to a specified tunnel interface   display ipv6 interface tunnel number   Available in any view
Troubleshooting Tunneling Configuration
Symptom: After the configuration of related parameters such as tunnel source
address, tunnel destination address, and tunnel type, the tunnel interface is still
not up.
1 The common cause is that the physical interface of the tunnel source is not up.
Use the display interface tunnel or display ipv6 interface tunnel commands
to view whether the physical interface of the tunnel source is up or down. If the
physical interface is down, use the debugging tunnel event command in user
view to view the cause.
2 Another possible cause is that the tunnel destination is unreachable. Use the
display ipv6 routing-table or display ip routing-table command to view
whether the tunnel destination is reachable. If no routing entry is available for
tunnel communication in the routing table, configure related routes.
When configuring IPv6 unicast policy routing, go to these sections for information
you are interested in:
■ “Introduction to IPv6 Unicast Policy Routing” on page 731
■ “Configuring IPv6 Unicast Policy Routing” on page 731
■ “Displaying and Maintaining IPv6 Unicast Policy Routing Configuration” on
page 734
■ “IPv6 Unicast Policy Routing Configuration Examples” on page 734
Introduction to IPv6 Unicast Policy Routing
Policy routing (also known as policy based routing) is a routing mechanism based
on the user-defined policies. Different from the traditional destination-based
routing mechanism, policy routing enables you to implement policies (based on
the source address, address length, and other criteria) that make packets flexibly
take different routes.
Policy routing involves system policy routing and interface policy routing:
In general, policy routing takes precedence over destination-based routing. That is,
policy routing is applied when packets match the policy, and otherwise,
destination-based routing is applied. However, if a default outgoing interface (next
hop) is configured, the destination-based routing takes precedence over policy
routing.
Configuring IPv6 Unicast Policy Routing
Defining an IPv6 Policy
An IPv6 policy can consist of multiple nodes identified by node number. The
smaller a node number is, the higher the priority the node has. A policy, which
consists of if-match clauses and apply clauses, is used to route IPv6 packets.
An if-match clause defines what kind of packets can pass, and an apply clause
defines the action for forwarding permitted packets.
When configuring policy nodes, you need to specify the match mode as permit or
deny:
■ permit: Specifies the match mode as permit for a policy node. If a packet
satisfies all rules defined by if-match clauses on the policy node, the apply
clauses are executed. If not, the packet will go to the next policy node for a
match.
■ deny: Specifies the match mode as deny for a policy node. When a packet
satisfies all rules defined by if-match clauses on the policy node, the packet
will be denied and will not go to the next policy node for a match.
A packet satisfying the match rules on a node of a policy will not go to the other
nodes. If the packet does not satisfy the match rules of all nodes of the policy, the
packet cannot pass the policy and will be forwarded through the routing table.
You can define five next hops or five outgoing interfaces at most for an IPv6 policy,
implementing load balancing based on data streams.
NOTE:
■ If a policy node has neither if-match nor apply clauses configured, all packets
can pass it and will not match against any other node. The statistics of IPv6
unicast policy routing will not be changed, though.
■ If a policy node has if-match clauses but has no apply clauses configured, all
packets will match against these if-match clauses, while no apply clauses are
applicable to matched packets. The matched packets will not go to the next
node for a match. The statistics of IPv6 unicast policy routing will not be
changed, though.
■ If a policy node has no if-match but has apply clauses configured, all packets
can pass it, then are permitted or denied if the permit or deny keyword is
specified. They will not match against any other node. In this case, the statistics
of IPv6 unicast policy routing will be changed.
■ If a nonexistent ACL is referenced, the ACL-based match rule will not take
effect.
■ If a local Ethernet interface, sub Ethernet interface or a Virtual-Template
interface is specified as the outgoing interface, packets can be forwarded
through the interface but the communication will fail, since the interface is a
broadcast interface. Therefore, you need to specify a next hop.
■ If the match mode of a policy node is deny, no apply clauses will be executed.
Packets that passed the match criteria are routed through the routing table, so
neither debug information nor statistics for the denied packets will be
available.
Enabling IPv6 System Policy Routing
IPv6 system policy routing is used to route packets generated by the local device.
Only one policy can be referenced when system policy routing is enabled.
Enabling IPv6 Interface Policy Routing
Interface policy routing is applied to packets arriving on an interface. Only one
policy can be referenced when policy routing is enabled on an interface.
Displaying and Maintaining IPv6 Unicast Policy Routing Configuration
To do...                                                                        Use the command...                                                                                           Remarks
Display information about configured IPv6 policy routing                        display ipv6 config policy-based-route [ policy-name ]                                                       Available in any view
Display information about system policy routing and interface policy routing    display ipv6 policy-based-route
Display the configuration information of the IPv6 policy routing                display ipv6 policy-based-route setup { policy-name | interface interface-type interface-number | local }
Display the statistics of IPv6 policy routing                                   display ipv6 policy-based-route statistics { interface interface-type interface-number | local }
Network diagram
Figure 219 Network diagram for policy routing based on source address
[Network diagram: the Router connects to the Internet through S2/0 and S2/1, and
through Eth1/0 to Subnet A (10::110/64), which contains Host A and Host B.]
Configuration procedure
# Define ACLs, making ACL 3001 match TCP packets, and ACL 3002 match IPv6
packets.
<Router> system-view
[Router] ipv6
[Router] acl ipv6 number 3001
[Router-acl6-adv-3001] rule permit tcp
[Router-acl6-adv-3001] quit
[Router] acl ipv6 number 3002
[Router-acl6-adv-3002] rule permit ipv6
[Router-acl6-adv-3002] quit
# Define Node 5 of policy aaa so that TCP packets are forwarded to the interface
Serial 2/0.
# Define Node 10 of policy aaa so that policy routing will not be applied to packets
matching ACL 3102 and these packets will be forwarded through the routing
table.
# Apply the policy aaa to the interface Ethernet 1/0 to enable policy routing.
Network diagram
Figure 220 Network diagram for policy routing based on packet size
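[Network diagram: Router A and Router B are connected by two serial links. S2/0
(150::1/24 on Router A, 150::2/24 on Router B) carries packets of 60 to 100 bytes;
S2/1 (151::1/24 on Router A, 151::2/24 on Router B) carries packets of 101 to 1000
bytes. Policy routing is enabled on Eth 1/0.]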
Configuration procedure
1 Configure Router A
# Configure RIPng.
<RouterA> system-view
[RouterA] ipv6
[RouterA] ripng 1
[RouterA-ripng-1] quit
[RouterA] interface serial 2/0
[RouterA-Serial2/0] ipv6 address 150::1 64
[RouterA-Serial2/0] ripng 1 enable
[RouterA-Serial2/0] quit
[RouterA] interface serial 2/1
[RouterA-Serial2/1] ipv6 address 151::1 64
[RouterA-Serial2/1] ripng 1 enable
[RouterA-Serial2/1] quit
# Apply the policy lab1 to the interface Ethernet 1/0 to handle incoming packets.
# Forward IP packets with a size from 64 to 100 bytes to the next hop 150::2/64
and those with a size from 101 to 1,000 bytes to the next hop 151::2/64.
# Configure RIPng.
<RouterB> system-view
[RouterB] ipv6
[RouterB] ripng 1
[RouterB-ripng-1] quit
[RouterB] interface serial 2/0
[RouterB-Serial2/0] ipv6 address 150::2 64
[RouterB-Serial2/0] ripng 1 enable
[RouterB-Serial2/0] quit
[RouterB] interface serial 2/1
[RouterB-Serial2/1] ipv6 address 151::2 64
[RouterB-Serial2/1] ripng 1 enable
[RouterB-Serial2/1] quit
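The node evaluation rules from "Defining an IPv6 Policy", applied to the two configuration examples above, as an added Python model (not 3Com code and not router configuration). The Node class, the ACL predicates, node numbers 10 and 20 for policy lab1, and treating a rule that names a nonexistent ACL as skipped are assumptions.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Tuple

Packet = Dict[str, Any]              # constructed model, e.g. {"proto": "tcp", "length": 80}
Acl = Callable[[Packet], bool]       # an ACL reduced to a predicate over a packet


@dataclass
class Node:
    number: int                       # smaller number = higher priority
    mode: str                         # "permit" or "deny"
    acls: List[str] = field(default_factory=list)   # if-match clauses that reference ACLs
    length: Optional[Tuple[int, int]] = None        # if-match on packet size, inclusive
    apply: Optional[str] = None       # descriptive label for the apply clause, not CLI syntax


def node_matches(node: Node, pkt: Packet, acls: Dict[str, Acl]) -> bool:
    """A packet matches a node only if it satisfies every if-match clause."""
    for name in node.acls:
        acl = acls.get(name)
        if acl is None:
            continue   # assumption: a rule naming a nonexistent ACL is simply skipped
        if not acl(pkt):
            return False
    if node.length is not None:
        low, high = node.length
        if not low <= pkt["length"] <= high:
            return False
    return True        # also reached when the node has no if-match clause at all


def evaluate(policy: List[Node], pkt: Packet,
             acls: Dict[str, Acl]) -> Tuple[Optional[int], str]:
    """Return (matching node number or None, forwarding decision) for one packet."""
    for node in sorted(policy, key=lambda n: n.number):
        if not node_matches(node, pkt, acls):
            continue                                # no match: try the next node
        if node.mode == "deny":
            return node.number, "routing-table"     # deny: apply clauses never run
        if node.apply is None:
            return node.number, "matched-no-apply"  # evaluation stops, nothing to apply
        return node.number, node.apply
    return None, "routing-table"                    # no node matched


def undefined_acl_refs(policy: List[Node],
                       acls: Dict[str, Acl]) -> List[Tuple[int, str]]:
    """List (node number, ACL name) pairs whose ACL does not exist."""
    return [(n.number, a) for n in sorted(policy, key=lambda n: n.number)
            for a in n.acls if a not in acls]


# ACLs defined in the source-address example: 3001 permits TCP, 3002 permits all IPv6.
ACLS: Dict[str, Acl] = {
    "3001": lambda p: p["proto"] == "tcp",
    "3002": lambda p: True,
}

# Policy aaa. The Node 10 comment on the page names ACL 3102, which is not among
# the ACLs defined there, so the reference is kept as written to show the check.
POLICY_AAA = [
    Node(10, "deny", acls=["3102"]),
    Node(5, "permit", acls=["3001"], apply="output interface Serial2/0"),
]

# Policy lab1. Node numbers 10 and 20 are constructed; the size ranges and next
# hops are the ones given in the packet-size example.
POLICY_LAB1 = [
    Node(10, "permit", length=(64, 100), apply="next hop 150::2"),
    Node(20, "permit", length=(101, 1000), apply="next hop 151::2"),
]

if __name__ == "__main__":
    for pkt in ({"proto": "tcp", "length": 80}, {"proto": "udp", "length": 80}):
        print("aaa ", pkt, "->", evaluate(POLICY_AAA, pkt, ACLS))
    for size in (64, 101, 1500):
        pkt = {"proto": "udp", "length": size}
        print("lab1", size, "->", evaluate(POLICY_LAB1, pkt, ACLS))
    print("undefined ACL references in aaa:", undefined_acl_refs(POLICY_AAA, ACLS))
```

In this model a node whose only if-match rule names a missing ACL matches every packet, so running undefined_acl_refs over a policy before it is applied shows where a node is broader than intended.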
Three types of terminal access are used in different applications: true type terminal
(TTY) access, Telnet terminal access, and remote terminal connection (RTC) access.
TTY terminal access and Telnet terminal access are used to help implement services
between a terminal and an FEP, with a router being the initiator, the FEP being the
receiver. The difference between them is the way of establishing a TCP connection
between the initiator and the receiver. RTC terminal access is used to monitor
terminal data. It is initiated by a router and received by another router. The
following describes the three types of terminal access:
router transports data transparently between the connected service terminal and
FEP to implement service interaction and processing.
The TTY terminal access solution implements the fixed terminal number function
and offers many enhanced functions such as dynamic multi-service switching,
real-time screen saving, terminal reset, and data encryption. Meanwhile, the FEP
provides professional terminal management software, enriching the system
functions while simplifying the management. In addition, the combination of TTY
terminal access and routers makes remote offices possible and the implementation of
IP telephony easier, offering a solution for establishing highly efficient networks
with diverse functions.
Telnet terminal access implements the following basic functions: up to eight VTYs
supported on a terminal, TTY terminal access or Telnet terminal access used by the
VTYs on a terminal, menu screen switching, VTY service fast switching, and
terminal screen saving.
In asynchronous RTC terminal access, the monitoring terminal at the data center
and the monitored terminal are each connected to a different router through an
asynchronous serial interface, and the routers exchange data with each other
through an IP network. Normally, the router connected to the monitoring device
acts as the terminal access initiator (the RTC client). The monitoring device is
always ready to initiate a connection request at any time to access the data on the
monitored device. The router connected to the monitored terminal acts as the
terminal access receiver (the RTC server) and is always ready to receive the
connection requests from the monitoring device and send monitored data in
response.
Typical Applications of Terminal Access
Terminal access is widely used in the systems in which large numbers of FEPs are
deployed, such as banking, postal service, taxation, customs, and civil aviation.
This manual uses a banking system as an example to describe terminal access
[Figure: labels shown are the TTY/Telnet receiver (FEP), the service terminal, and
the TTY/Telnet initiator.]
As shown in the figure above, the arrowhead of a dotted line indicates the
direction of an established TCP connection, from the initiator to the receiver.
The purple dotted line represents TTY/Telnet terminal access. The bank outlet is
connected to the FEP of the branch through Router A, which is capable of terminal
access, over an IP network. Banking services run on the FEP, and the information
entered by an employee at the bank outlet is sent to the FEP through Router A.
The FEP then sends the corresponding service display to the service terminal
through Router A, thereby implementing data exchange between the outlet and
the branch.
The orange dotted line represents RTC terminal access. Router B acts as an RTC
client and Router A the RTC server. Router B initiates monitoring requests and
Router A, upon receiving a monitoring request, sends the data from the monitored
terminal to the monitoring device through Router B, so as to implement terminal
monitoring.
Terminal Access Feature List
The following table lists the features of terminal access. “All” in this table means
that all the terminal access types, including TTY, Telnet, and RTC (RTC client or RTC
server), support the feature.
If an FEP runs, the IP address of the router connected to the FEP needs to be
authenticated. Therefore, when the dial-up backup function is used in a wide area
network (WAN), if the primary link fails, the router begins to use the backup
interface. In that case, the IP address of the router is changed, and the
authentication fails if source IP address binding is not implemented. To avoid such
failures, configure source IP address binding on the router to use a fixed IP address
to establish a TCP connection with the FEP.
For security or some other reason, the actual IP address used in the upstream TCP
connection on the router may need to be hidden and another IP address needs to
be used. In that case, you also need to configure source IP address binding.
Make sure that the IP addresses of the FEP and the router are reachable to each other.
Terminal menu
Terminal menu allows you to bring up the menu interface by pressing the menu
hotkey at the terminal. The menu interface displays the services provided by each
VTY on the terminal. By entering a service option, you can switch to the
corresponding service display. The menu interface displays:
TTY ACCESS SYSTEM
VERSION 3.0
In terminal access, each terminal is divided into eight virtual type terminals (VTYs)
logically, each of which can be configured to correspond to a service (also known
as an application). An operator of a terminal can press the VTY switching menu
hotkey to bring up the VTY switching menu and select a VTY to switch between
different services dynamically. This allows more flexible use of terminal access. In
addition, the VTY switching feature provides the screen saving function. When an
operator switches from service 1 to service 2, the operating interface of service 1 is
automatically saved. When the operator switches from service 2 back to service 1,
the original operating interface is automatically restored. If the original operating
interface is lost due to a fault, the operator can use the terminal redrawing
function to recover it.
VTY redrawing
You can set the VTY redrawing hotkey on the router. When a terminal does not
display the normal terminal interface for some reason (for example, when illegible
characters appear after the terminal is turned off and then turned on), pressing
the terminal redrawing hotkey can restore the normal terminal interface.
Data encryption
Due to the extensive use of terminal access in banking systems, the requirements
of data security become higher and higher. The terminal access data encryption
function can be used to encrypt the data transmitted between the router and FEPs
to improve data security.
Figure 223 Data encryption procedure between the router and the FEP
One-to-one access
In one-to-one access, each terminal communicates with the FEP through a TCP
connection to achieve optimum communication quality and highest
communication speed under various link states. High terminal echo rates can still
be achieved over low-speed links through parameter adjustments. Frequent and
massive printing needs of users can also be satisfied in this mode.
Screen saving
Some types of terminals provide the screen saving function, enabling the terminals
to switch to the corresponding screen upon receiving the specified screen code,
such as E!10Q. When you perform VTY service fast switching, the router sends a
screen code to the terminal, which switches to the corresponding operation
interface after saving the current operation interface.
To save the screens of multiple VTYs, you need to set different screen codes for
these VTYs and make sure the number of screen codes supported by the terminal
is greater than the number of configured VTYs. Note that this function needs
terminal support. In addition, the screen codes that can be identified vary with
terminal types and the number of supported screen codes may also be different.
For details, refer to the corresponding terminal manuals.
Read blocking
Terminal data read blocking means that, if the router has not sent data received
from the terminal successfully, the router stops receiving data from the terminal
until all the data is sent successfully. Generally, you need to enable this function
only when the transmission rate between the router and the FEP is less than that
between the router and the terminal.
Terminal reset
In case the terminal fails to communicate with the receiver, you can press the
terminal reset hotkey on the terminal so that the initiating router will first
disconnect and then reestablish the TCP connection with the receiver.
Connectivity test
You can set the terminal test hotkey on the router. By pressing the test hotkey on
the terminal, you can test the connectivity between the terminal and the router
and the TCP connectivity between the terminal and the FEP.
You can set some parameters of TCP connection, including receive buffer size,
transmit buffer size, non-delay attribute, keepalive interval and transmission times.
Configuration Task List
You need to perform configuration on the initiator and the receiver respectively as
required. RTC terminal access is initiated and received by routers. TTY terminal
access and Telnet terminal access are initiated by a router and received by an FEP.
Functionally, the configuration commands fall into three types: basic configuration
commands, advanced configuration commands, and display and maintenance
commands. Basic configuration commands are the commands that must be used
for normal operation of terminal access. Advanced configuration commands are
used for implementing the extended functions of terminal access. Display and
maintenance commands are used for displaying and debugging terminal access.
NOTE:
■ For details about the async mode flow command, refer to the async mode
command in “WAN Interface Configuration” on page 99.
■ After a template is applied on an interface, you need to set the flow control
mode of the user interface corresponding to the interface to software flow
control. You can use the display user-interface command to display the
associations between interfaces and user interfaces.
■ For details about the user-interface command, refer to the user-interface
command in “User Interface Configuration” on page 2155.
■ For details about the flow-control software command, refer to the
flow-control command in “User Interface Configuration” on page 2155.
NOTE:
■ If both the global source IP address and the source IP address for a VTY are
configured, the one for the VTY is used.
■ The TCP parameters must be configured before TCP connections are
established. If you configure the parameters after a TCP connection is
established, the TCP connection must be reestablished for the parameters to
take effect. Pressing the reset hotkey on the terminal can reestablish the TCP
connection.
■ Receive buffer size must be configured before the terminal template is applied.
If you configure the receive buffer size after a terminal template is applied, you
need to remove the application of the terminal template and apply the terminal
template again for the receive buffer size to take effect.
■ The ASCII value of the hotkey must be different from the ASCII value of any
other hotkey configured on the device. Otherwise, hotkey conflicts will occur.
For example, the hotkey value cannot be set to 17 or 19 because these two
values are used for the hotkeys of flow control. In addition, using the hotkey
may not get a response rapidly when the terminal displays too much data.
The receiver of TTY terminal access is an FEP. The main program of terminal access
at an FEP is the program ttyd (ttyd executable), which implements the data
exchange with the router-side programs. To configure your FEP, refer to the related
sections in “FEP Installation and Configuration” on page 771.
The router is connected to four terminals through its four asynchronous interfaces.
The source IP address to be bound is 2.2.2.1/32.
Network diagram
Configuration procedure
Perform the following configuration in one-to-one mode:
■ Configure the initiator (router).
<Sysname> system-view
[Sysname] rta server enable
# Create a template and enter template view.
[Sysname] rta template temp1
Suppose the terminals operate in the active terminal mode. Check whether the
pseudo terminal devices have been configured in the file inittab. Edit the file
/etc/inittab and see whether the following information is available. If not, add this
information.
C40:234:respawn:/etc/getty ttyp40 m
C41:234:respawn:/etc/getty ttyp41 m
C42:234:respawn:/etc/getty ttyp42 m
C43:234:respawn:/etc/getty ttyp43 m
After adding, execute the init q command to bring the configuration into effect.
# init q
The above are basic configurations. After verifying terminal connectivity to the
server, you can proceed with other configurations.
NOTE:
■ For details about the async mode flow command, refer to the async mode
command in “WAN Interface Configuration” on page 99.
■ After a template is applied on an interface, you need to set the flow control
mode of the user interface corresponding to the interface to software flow
control. You can use the display user-interface command to display the
associations between interfaces and user interfaces.
■ For details about the user-interface command, refer to the user-interface
command in “User Interface Configuration” on page 2155.
NOTE:
■ If both the global source IP address and the source IP address of a VTY are
configured, the one of the VTY is used.
■ The parameters for TCP connections must be configured before the TCP
connections are established. If you configure the parameters after a TCP
connection is established, the TCP connection must be reestablished for the
parameters to take effect. Pressing the reset hotkey on the terminal can
reestablish the TCP connection.
■ The receive buffer size must be configured before the terminal template is
applied. If you configure the receive buffer size after a terminal template is
applied, you need to remove the application of the terminal template and
apply the terminal template again for the receive buffer size to take effect.
■ The ASCII value of the hotkey must be different from the ASCII value of any
other hotkey configured on the device. Otherwise, hotkey conflicts will occur.
For example, the hotkey value cannot be set to 17 or 19 because these two
values are used for the hotkeys of flow control. In addition, using the hotkey
may not get a response rapidly when the terminal displays too much data.
The receiver of Telnet terminal access is an FEP. An FEP only needs to run the Telnet
server program and the corresponding application program; there is no need to
modify or compile the Unix kernel.
Network diagram
Configuration procedure
■ Configure the initiator.
<Sysname> system-view
[Sysname] rta server enable
# Configure VTY 0.
# Configure VTY 1.
After the above-mentioned configurations, you can see the following menu on
the terminal (You can enter an option on the display or exit by pressing <Esc>.):
The receivers of Telnet terminal access are FEPs. An FEP only needs to run the
Telnet server program and the corresponding application program; there is no
need to modify or compile the Unix kernel.
Follow these steps to perform basic RTC initiator (RTC client) configuration:
NOTE:
■ For details about the async mode flow command, refer to the async mode
command in “WAN Interface Configuration” on page 99.
■ After a template is applied on an interface, you need to set the flow control
mode of the user interface corresponding to the interface to software flow
control. You can use the display user-interface command to display the
associations between interfaces and user interfaces.
■ For details about the user-interface command, refer to the user-interface
command in “User Interface Configuration” on page 2155.
■ For details about the flow-control software command, refer to the
flow-control command in “User Interface Configuration” on page 2155.
Follow these steps to perform advanced RTC initiator (RTC client) configuration:
Follow these steps to perform basic RTC receiver (RTC server) configuration:
NOTE:
■ For details about the async mode flow command, refer to the async mode
command in “WAN Interface Configuration” on page 99.
■ After a template is applied on an interface, you need to set the flow control
mode of the user interface corresponding to the interface to software flow
control. You can use the display user-interface command to display the
associations between interfaces and user interfaces.
■ For details about the user-interface command, refer to the user-interface
command in “User Interface Configuration” on page 2155.
■ For details about the flow-control software command, refer to the
flow-control command in “User Interface Configuration” on page 2155.
Follow these steps to perform advanced RTC receiver (RTC server) configuration:
NOTE:
■ The port number specified for the VTY application on the RTC client must be
the same as the listening port number specified on the RTC server.
■ The terminal-number argument of the command vty rtc-server remote
configured on the RTC server must be the same as the terminal-number
argument of the command rta terminal configured on the RTC client;
otherwise, no TCP connection can be established.
■ Each terminal of the RTC server corresponds to a different RTC client.
■ If not configured with the bind vpn-instance command, the RTC server can
accept connection requests from any VPNs.
■ The TCP parameters must be configured before a TCP connection is
established. If you configure the parameters after a TCP connection is
established, the TCP connection must be reestablished for the parameters to
take effect. Pressing the reset hotkey on the terminal can reestablish the TCP
connection.
■ The receive buffer size must be configured before a terminal template is
applied. If you configure the receive buffer size after a terminal template is
applied, you need to remove the application of the terminal template and
apply the terminal template again for the receive buffer size to take effect.
Network diagram
Figure 226 Network diagram for asynchronous RTC terminal access configuration
Configuration procedure
1 Configure the RTC server.
<Sysname> system-view
[Sysname] rta server enable
[Sysname-rta-template-rtcserver] quit
[Sysname] interface async 1/0
[Sysname-Async1/0] async mode flow
[Sysname-Async1/0] rta terminal rtcserver 1
2 Configure the RTC client.
<Sysname> system-view
[Sysname] rta server enable
Network diagram
Configuration procedure
1 Configure the RTC server.
# Configure MPLS L3VPN. For details, see “MPLS L3VPN Configuration” on page
1459.
# Configure MPLS L3VPN. For details, see “MPLS L3VPN Configuration” on page
1459.
Displaying and Maintaining Terminal Access Configuration
To do...                                         Use the command...                                                                                      Remarks
Display specified terminal access information    display rta { all | statistics | terminal-number { brief | detail | statistics | vty-number } }         Available in any view
Clear the statistics of a terminal               reset rta statistics terminal-number                                                                    Available in user view
To implement terminal access with an FEP as the receiver, the router-side program
serving as the initiator must work together with the FEP-side programs serving as
the server that receives connection requests from the initiator. This chapter covers
the installation, configuration, operation, and management of FEP-side programs.
■ ttyd (ttyd executable) program, which is the main program running at the FEP
side in terminal access. It exchanges data with the router-side program.
■ ttyadm terminal administration program, consisting of two executables:
ttyadmcmd and ttyadm. This program manages the ttyd program.
Installing and Configuring SCO OpenServer Server
To install the ttyd program, you need at least one console terminal. In SCO
OpenServer Unix, use a hotkey from <Alt+F1> to <Alt+F12> to switch between
console terminals.
To install and configure this program, you must log in as a super user as follows:
Step 1: Press a hotkey to switch to a console, <Alt+F4> for example. The following
interface appears:
Insert the floppy disk into the floppy drive of the Unix server and then run the
mount command to mount the floppy drive.
# cp /mnt/ttyd /etc/ttyd
# cp /mnt/TTYADMCMD /etc/ttyadmcmd
# cp /mnt/TTYADM /etc/ttyadm
NOTE: File names are case-sensitive in Unix. Use the ls /mnt command to view the names
of the files before copying them.
NOTE: After completing the above-mentioned tasks, make sure you use the umount
command to unmount the floppy drive as follows:
# cd /
# umount /mnt
Using FTP
You can also use FTP to install the ttyd programs. The following describes the
installation procedure using FTP on a Windows system.
1 Place the ttyd programs in a directory
You must place the ttyd programs under a directory of the Windows system, for
example, c:\ttyd.
Open the DOS window. Run the ftp command under the directory c:\ttyd to
connect to the Unix server and log in as root. The following configuration example
assumes that the IP address of the FEP is 10.110.96.53:
C:\ttyd>ftp 10.110.96.53
Connected to 10.110.96.53.
220-
220 sco2 FTP server (Version 2.1WU(1)) ready.
User (10.110.96.53:(none)): root
331 Password required for root.
Password:
230 User root logged in.
ftp>
3 Enter the directory /etc of the Unix server, and transfer the programs ttyd and
ttyadmcmd to the Unix server in binary format (ttyd and ttyadmcmd are binary
executables).
ftp> cd /etc
ftp> bin
ftp> put ttyd
ftp> put ttyadmcmd
Transfer the program ttyadm to the Unix server in text format. Then, exit FTP.
ftp> ascii
ftp> put ttyadm
ftp> bye
4 On the Unix server, change the file modes of the programs to the executable
mode.
# chmod u+x /etc/ttyd /etc/ttyadm /etc/ttyadmcmd
Now, the ttyd, ttyadmcmd, and ttyadm programs are all installed.
Configuration Prerequisites
Before configuration, you must determine the mappings between pseudo
terminals on the Unix server and ports on the router.
If the Unix system is connected with many terminals, the required resources may
exceed the default of the Unix system. In this case, you must modify the kernel
parameters of the Unix system.
The method for modifying the kernel of the SCO OpenServer Unix system is as
follows:
Before adding pseudo terminals, you must check whether the pseudo terminals
exist. For example, you can use the following command to check whether
ttyp50/ptyp50 devices exist. Generally, ttyp and ptyp devices are present in pairs
and each pair shares the same device number.
# ls -l /dev/ttyp50 /dev/ptyp50
If not, you must create pseudo terminals. To do so, use the scoadmin program as
follows.
1 Launch scoadmin.
# scoadmin
2 Select [Hardware/Kernel Manager].
3 Select [Tune Parameters...].
4 Enter 9 to select [TTY and console configuration].
5 Change the value of “NSPTTYS: number of pseudo-ttys on system.” to 256.
6 Compile the kernel and restart the server. Then, the maximum number of devices
becomes 256.
Select 7 (User and group configuration), and then change the [maximum number
of open files per process] field to 600.
Select 7 (User and group configuration), and then change the [maximum number
of processes available to user] field to 600.
Modifying System Configuration File inittab
Check whether the pseudo terminals are configured in file inittab. Taking ttyp50
as an example, edit file /etc/inittab and check whether the following line is present:
C50:234:respawn:/etc/getty ttyp50 m
If the line is absent, add it. In the sample line, C50 is the identifier of the line. Each
line in file inittab must have a unique identifier consisting of no more than four
characters. According to banking applications, pseudo terminals fall into two
categories: active terminal and dumb terminal. When an active terminal user logs
into the Unix server, the Unix server pushes the login interface to the terminal.
When a dumb terminal user logs into the Unix server, the Unix server does not
push the login interface to the terminal. In system configuration file inittab, the
third column of a line is “respawn” for an active terminal and “off” for a dumb
terminal.
After adding the line, execute the init q command to bring the configuration into
effect.
# init q
In addition, you can use the enable command to configure a pseudo terminal as
an active terminal, or use the disable command to configure a pseudo terminal as
a dumb terminal.
# enable ttyp50
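The inittab rules above (a unique identifier of at most four characters, respawn for an active terminal, off for a dumb one) can be audited to see which pseudo terminals are offered a login prompt. This shell function is an added example, not 3Com code; the names audit_inittab and demo_inittab_audit and every sample entry other than the C50 line are constructed for illustration.

```sh
#!/bin/sh
# Added example (not 3Com code). Usage: audit_inittab FILE [MAX_ID_LENGTH]
# Prints "<tty> <id> <active|dumb|other>" for every getty entry and an
# "ERROR ..." line for each identifier problem. Returns 1 if any error is found.
audit_inittab() {
    awk -F: -v maxid="${2:-4}" '
    /^[ \t]*#/ || NF < 4 { next }          # comment, blank or malformed line
    {
        id = $1
        # Identifiers must be unique across the whole file, not only getty lines.
        if (id in first) {
            printf "ERROR line %d: identifier %s already used on line %d\n", FNR, id, first[id]
            errs++
        } else {
            first[id] = FNR
        }
        if (length(id) > maxid + 0) {
            printf "ERROR line %d: identifier %s is longer than %d characters\n", FNR, id, maxid
            errs++
        }
        # The process field may contain ":" itself, so rejoin fields 4..NF.
        proc = $4
        for (i = 5; i <= NF; i++) proc = proc ":" $i
        if (proc !~ /getty/) next
        # First getty argument that names a tty, with or without /dev/.
        tty = "?"
        n = split(proc, arg, /[ \t]+/)
        for (i = 2; i <= n; i++) {
            if (arg[i] ~ /^(\/dev\/)?tty/) {
                tty = arg[i]
                sub(/^\/dev\//, "", tty)
                break
            }
        }
        # Third column: respawn pushes a login prompt, off does not.
        class = ($3 == "respawn") ? "active" : (($3 == "off") ? "dumb" : "other")
        printf "%s %s %s\n", tty, id, class
    }
    END { exit (errs > 0) }
    ' "$1"
}

# Constructed sample: line 4 reuses an identifier, line 5 has one that is too long.
demo_inittab_audit() {
    f=$(mktemp) || return 2
    cat > "$f" <<'EOF'
is:2:initdefault:
C50:234:respawn:/etc/getty ttyp50 m
C51:234:off:/etc/getty ttyp51 m
C50:234:respawn:/etc/getty ttyp52 m
TERM60:234:respawn:/etc/getty /dev/ttyp60 m
EOF
    audit_inittab "$f"
    rc=$?
    rm -f "$f"
    return $rc
}
```

The optional second argument sets a different identifier length limit for systems that document one.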
Editing the ttyd Configuration File
The default ttyd configuration file is /etc/ttyd.conf. In a ttyd configuration file, you
can define the listening port number and map the terminal numbers on the router
to the pseudo terminals on the Unix server. The following shows the format of the ttyd
configuration file:
serverport 9010
mode 1
nodelay 1
screen 0
lang 1
logsep 1
debugpath /var/ttydlist
sendsize 512
readsize 300
noblock 1
ttyp30 10.110.96.44 1 accesstime 1 8:00-18:00
exit 1
compat 1
In the configuration file, the lines starting with a “#” are comment lines.
serverport 9010
TCP listening port for the ttyd process. By default, it is 9010. A Unix server can run
multiple ttyd processes, each of which must use a unique configuration file and a
unique listening port.
mode 1
Operating mode of the ttyd process. It can be 0 for many-to-one mode or 1 for
one-to-one mode. Currently, it must be set to 1.
nodelay 1
Specifies the ttyd process to support (with a value of 1) or not to support (with a
value of 0) the nodelay attribute. The default is 1, meaning that ttyd responds
instantly upon receiving data from the peer. On low speed lines, this can improve
the echoing speed.
screen 0
Specifies the ttyd process to support (with a value of 1) or not to support (with a
value of 0) the screen saving function. The default is 0.
lang 1
Specifies the language for prompting ttyd authentication failure. It can be 0 for
Chinese or 1 for English. The default is 0.
logsep 1
Specifies whether to save ttyd logs separately. It can be 1, meaning that a log file is
used for each terminal, or 0, meaning a log file is used for all the terminals. The
default is 1.
debugpath /var/ttydlist
Destination directory of the ttyd debugging file(s). It is /var/ttydlist by default.
autogetty 0
Specifies whether the ttyd program automatically calls the getty program. It can
be 0, meaning that the system calls the getty program as configured in the inittab
system configuration file, or 1, meaning that the ttyd program calls the getty
program. In SCO UnixWare, this value must be set to 1.
Once you set a value of 1, you can no longer configure getty in the /etc/inittab file;
otherwise, the program cannot operate normally.
sendsize 512
Maximum size of data that the ttyd program can put onto the network in one
operation (in bytes). The default is 512 bytes, and the recommended value is from
384 to 1,024 bytes. You can adjust this value based on the WAN link status.
readsize 300
Size of data that the ttyd program can read from a pseudo terminal in one
operation (in bytes). The default is 256 bytes, and the recommended value is from
200 to 384 bytes. You can adjust this value based on the WAN link status.
Note that the value of readsize must be less than that of sendsize.
determines which router and which terminal on the router a pseudo terminal
corresponds to. This guarantees terminal number fixing. For example, the above
sample entry shows that pseudo terminal ttyp30 on the Unix server corresponds to
the terminal connected to the asynchronous interface with a terminal number of 1
on router 10.110.96.44. The name of a pseudo terminal must be present in the
/dev directory and must start with tty. To configure pseudo terminal names not to
start with “tty”, you must use a full path name starting with “/dev/”.
To configure authentication and access periods at the same time, you need to
configure them in the same line and make sure the access period is configured
before the authentication. See the following example:
exit 1
If “exit 1” is configured in the configuration file, terminating the connection using
the hotkey or the reset rta connection command will terminate the ttyd
program. When you re-log into the FEP, the login interface displays on the
terminal. If authentication is configured on the FEP, you need to enter the
password before performing any operation on the FEP. If neither exit 1 nor exit 0 is
configured, terminating the connection using the hotkey or the reset rta
connection command will not terminate the ttyd program. In this case, when you
re-log into the FEP, the login interface does not display on the terminal, and you
don’t need to pass the authentication for further operations on the FEP.
compat 1
Specifies to be compatible with the previous router versions, but some terminal
access features will not be available. The default is 0, indicating incompatibility
with the previous router versions.
The ttyd configuration file supports dynamic adding. That is, after ttyd is started,
the corresponding terminal configuration items can be added. The addition takes
effect after connection requests are initiated from the terminals connected to the
router or after the configuration file is refreshed with the ttyadm program,
without the need of restarting the ttyd program.
Addition takes effect automatically. For modification and deletion to take effect,
however, the configuration file must be refreshed.
Normally, you need to configure items 1, 2, 4, 9, 11, 12, and 13 as required and
use defaults for other items.
Note: When too many terminals are configured in a configuration file, the file is liable to
be modified improperly. Therefore, you are advised to use multiple
configuration files on a Unix server with many pseudo terminals, so that a
configuration error does not affect too many applications.
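The rules this section states for ttyd.conf (mode must be 1, readsize below sendsize, one listening port per ttyd instance, pseudo terminal names starting with tty or given as a full /dev/ path) can be checked before a file goes live. The following shell function is an added example, not part of the 3Com software; the names lint_ttyd_conf and demo_ttyd_lint and the second sample file are constructed, and only the first three fields of a mapping line are checked because the rest of that syntax is not specified here.

```sh
#!/bin/sh
# Added example (not 3Com code). Usage: lint_ttyd_conf FILE...
# Prints one finding per line and returns 1 if there is any finding.
lint_ttyd_conf() {
    awk '
    function bad(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; errs++ }
    function is_uint(s) { return s ~ /^[0-9]+$/ }
    function is_ipv4(s,    p, i) {
        if (split(s, p, ".") != 4) return 0
        for (i = 1; i <= 4; i++)
            if (!is_uint(p[i]) || p[i] + 0 > 255) return 0
        return 1
    }
    # Defaults documented in the manual, restored at the start of every file.
    function reset() { port = 9010; sendsize = 512; readsize = 256 }
    # Checks that need the whole file: size relation and listening-port clash.
    function finish(file) {
        if (readsize >= sendsize) {
            printf "%s: readsize (%d) must be less than sendsize (%d)\n", file, readsize, sendsize
            errs++
        }
        if (port in owner) {
            printf "%s: serverport %d is already used by %s\n", file, port, owner[port]
            errs++
        } else {
            owner[port] = file
        }
    }
    FNR == 1 { if (NR > 1) finish(prev); reset(); prev = FILENAME }
    /^[ \t]*#/ || NF == 0 { next }            # comment or blank line
    $1 == "serverport" {
        if (!is_uint($2) || $2 + 0 < 1 || $2 + 0 > 65535) {
            bad("serverport is not a TCP port number")
        } else {
            port = $2 + 0
        }
        next
    }
    $1 == "mode" { if ($2 != "1") bad("mode must be 1 (one-to-one)"); next }
    $1 == "sendsize" || $1 == "readsize" {
        if (!is_uint($2)) { bad($1 " is not a byte count") }
        else if ($1 == "sendsize") { sendsize = $2 + 0 }
        else { readsize = $2 + 0 }
        next
    }
    $1 ~ /^(nodelay|screen|lang|logsep|debugpath|autogetty|noblock|exit|compat)$/ { next }
    $1 ~ /^tty/ || $1 ~ /^\/dev\// {          # terminal mapping line
        if (NF < 3) { bad("mapping needs pseudo terminal, router IP and terminal number"); next }
        if (!is_ipv4($2)) bad("router address " $2 " is not a valid IPv4 address")
        if (!is_uint($3)) bad("terminal number " $3 " is not numeric")
        # A bare name lives in /dev, so ttyp30 and /dev/ttyp30 are the same device.
        dev = ($1 ~ /^\//) ? $1 : "/dev/" $1
        if (dev in seen) { bad(dev " is already mapped at " seen[dev]) }
        else { seen[dev] = FILENAME ":" FNR }
        next
    }
    { bad("unrecognized item " $1 " (pseudo terminal names start with tty or /dev/)") }
    END { if (NR > 0) finish(prev); exit (errs > 0) }
    ' "$@"
}

# Constructed sample: a clean file plus a second instance with deliberate mistakes.
demo_ttyd_lint() {
    d=$(mktemp -d) || return 2
    cat > "$d/ttyd.conf" <<'EOF'
serverport 9010
mode 1
sendsize 512
readsize 300
ttyp30 10.110.96.44 1 accesstime 1 8:00-18:00
exit 1
EOF
    cat > "$d/ttyd9020.conf" <<'EOF'
# second ttyd instance, but the port was never changed
serverport 9010
mode 0
sendsize 384
readsize 384
/dev/ttyp30 10.110.96.45 2
ptyp31 10.110.96.44 3
ttyp32 10.110.96.444 4
EOF
    lint_ttyd_conf "$d/ttyd.conf" "$d/ttyd9020.conf"
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Passing all configuration files of a server in one call is what enables the port and pseudo terminal clash checks across ttyd instances.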
Modifying Route Configuration File
In terminal access, the router is usually connected to the Unix server through
WANs and therefore located on an IP subnet different from that of the Unix server,
in which case you must configure a route on the Unix server. The following
example shows how to do so:
# route add 10.110.96.0 -netmask 255.255.255.0 63.1.1.250
In the example above, 10.110.96.0 is the destination subnet, with the subnet
mask of 255.255.255.0 and the next hop IP address of 63.1.1.250.
# /etc/ttyd
If you do not specify any parameters for the command, the default configuration
file /etc/ttyd.conf is used. To specify another configuration file, you must enter the
file name in the following format:
# /etc/ttyd /etc/ttyd9020.conf
A Unix server can run multiple ttyd programs, each of which must use a unique
configuration file and a unique listening port.
You can enter the following command to view the version of ttyd.
# /etc/ttyd -h
Terminating ttyd
The ttyd program operates in multi-process mode. After you launch the program,
you may find multiple ttyd processes. You can enter this command to view
information about processes:
# ps -ef | grep ttyd
■ Process 8309 is the first ttyd process launched, for its parent process is 1.
■ Processes 8312 and 8313 correspond to asynchronous interfaces with the
terminal numbers of 6 and 7 on router 10.110.96.44 respectively, and their
parent process is process 8309.
■ All processes use the default configuration file /etc/ttyd.conf.
■ You can use the kill 8309 command to kill the ttyd process 8309 and all its
child processes, that is, all the processes mentioned above.
■ You can use the kill 8312 command to kill the ttyd child processes
corresponding to the pseudo terminal ttyp40.
You are advised to use the kill command, rather than the kill -9 command,
to kill ttyd processes.
/etc/ttyd /etc/ttyd.conf
;;
'stop')
Installing and Using ttyd Administration Program ttyadm
A terminal administration program named ttyadm is provided for managing ttyd
easily on a Unix server. It consists of two executable files: ttyadmcmd and ttyadm.
ttyadm is a shell program and can be modified as needed and run without
compilation, greatly facilitating maintenance. You can use this tool to manage ttyd
processes, without the need of entering complex commands manually. You can
also add your own shell commands into the ttyadm program as desired.
CAUTION: The programs ttyadm, ttyd, and ttyadmcmd must be placed under the
same directory.
After logging into the Unix server as root, enter /etc/ttyadm at the prompt to
launch ttyd administration program. The following main interface appears:
******************************
ttyd Administration Program
******************************
Main menu
1 - Process management
2 - View TCP connections.
3 - View system resources.
4 - View router status.
5 - View statistics.
6 - Edit ttyd configuration file.
0 - Exit
Enter:
You can select a function by entering the corresponding number displayed on the
screen. The following describes each of the functions.
Process management
In the main interface, select option 1 to enter the process management submenu.
Then, you can manage ttyd processes by selecting the corresponding options.
******************************
ttyd Administration Program
******************************
Process management
1 - Start ttyd.
2 - Display ttyd processes.
From the process management submenu, select option 1 and you will be
prompted to enter the directory of the configuration file. The screen displays the
following information:
Here, you can enter the configuration file directory of the ttyd program to be
started. The default is /etc/ttyd.conf. If you press <Enter> directly, the ttyd program
will be started directly. The operation is the same as entering /etc/ttyd
/etc/ttyd.conf at the prompt. If you press <Enter> after entering the configuration
file name, this operation is the same as entering "/etc/ttyd configuration file
name" at the prompt.
From the process management submenu, select option 2 to display the ttyd
processes running in the system. The screen displays the following information:
Main process:
Process No. Port No. Debugging level Number of bytes received from socket
Number of bytes received from tty
12674 9998 0 2 57
6108 9022 3 8 69
Child process:
Process NO. Parent process No. tty device name Router IP Port No.
Terminal No. Debugging level
12676 12674 ttyp55 10.110.96.44 1219 6 0
From the process management submenu, select option 3 to display all the ttyd
processes running in the system. Then, you can terminate a ttyd process by
entering its process number. If you enter the process number of a ttyd main
process, all the ttyd child processes of that main process will be terminated as well.
Here is an example:
Main process:
Process No. Port No. Debugging level Number of bytes received from socket
Number of bytes received from tty
12674 9998 0 2 57
6108 9022 3 8 69
Child process:
Process NO. Main process No. tty device name Router IP Port No.
Terminal No. Debugging level
12676 12674 ttyp55 10.110.96.44 1219 6 0
Enter process NO.: 6108
From the process management submenu, select option 4 to display the following
information:
Here, you can terminate all the ttyd processes associated with a router by entering
the corresponding router IP address. This makes operation more convenient
because you can terminate multiple processes at one time.
From the process management submenu, select option 5 to display the following
information:
Here, you can terminate the ttyd process associated with a terminal by entering
the corresponding terminal name. This makes operation more convenient because
you do not need to query the number of the process before terminating it.
When a system fault occurs, you may need to determine the cause by viewing the
system logs. The system creates a log file for each main ttyd process and child
process. The output directory of the ttyd debugging file(s) is /var/ttydlist by default.
The debugging file of the main ttyd process is named in the format of
ttydxxxx.log, where xxxx is the number for the listening port of the main process.
The debugging file of a child process is named in the format of ttypxx.log, where
ttypxx is the name of the ttyp device corresponding to the child process.
The default log output level is level 0; that is, only error information will be output.
To view more detailed log information, you need to adjust the log output levels.
After the log output level is set to a higher one, the debugging information that is
displayed at all the lower levels will also be output.
From the process management submenu, select option 6 to display the following
information:
Here, after you enter the process number or terminal name and press <Enter>, the
system will prompt you to enter the new log output level by displaying the
following information:
Here, the log output level for the corresponding ttyd process will be updated after
you enter the new log output level and press <Enter>.
CAUTION:
■ When you change the log output level for a process, you can specify a main
process by providing the process number only, but you can specify a child
process either by providing the child process number or the pseudo terminal
device name corresponding to the child process.
■ If the size of a log file exceeds 1 MB, when its corresponding ttyd process starts
the next time, it will be cleared by the ttyd program and the logging will start
all over again. Therefore, save debugging logs in time.
7 Refresh the ttyd configuration file.
From the process management submenu, select option 7 to display the following
information:
Here, when you enter the corresponding listening port number, the configuration
of the ttyd process corresponding to the configuration file is automatically
refreshed.
From the process management submenu, select option 8 to return to the main
menu.
Enter:
1 Display CPU resources.
From the system resource submenu, select option 1 to display the CPU resources in
the system. This operation is the same as executing the sar -u 1 5 command. The
following displays:
From the system resource submenu, select option 2 to display the memory
resources in the system. This operation is the same as executing the sar -r 1 5
command. The following displays:
From the system resource submenu, select 3 to display the stream resources in the
system. The following displays:
streams allocation:
config alloc free total max fail
stream 4096 134 3962 10692 135 0
queues 566 271 295 21387 273 0
mblks 2319 445 1874 761868 2149 1
buffer headers 2746 1279 1467 52307 2654 0
class 1, 64 bytes 192 9 183 240804 172 0
class 2, 128 bytes 192 0 192 234865 168 0
class 3, 256 bytes 304 9 295 96179 292 0
class 4, 512 bytes 32 0 32 26368 32 0
class 5, 1024 bytes 32 0 32 2734 29 0
class 6, 2048 bytes 274 182 92 6460 273 0
class 7, 4096 bytes 171 170 1 185 171 0
class 8, 8192 bytes 5 0 5 70 5 0
class 9, 16384 bytes 2 0 2 3 2 0
class 10, 32768 bytes 0 0 0 0 0 0
class 11, 65536 bytes 0 0 0 0 0 0
class 12, 131072 bytes 0 0 0 0 0 0
class 13, 262144 bytes 0 0 0 0 0 0
class 14, 524288 bytes 0 0 0 0 0 0
total configured streams memory: 8000.00KB
streams memory in use: 1103.09KB
maximum streams memory used: 1569.64KB
4 Return to the main menu.
From the system resource submenu, select option 0 to return to the main
menu.
Enter:
1 Display brief tty information.
From the router status submenu, select option 1 to display the brief information of
TTYs on the corresponding router. The following displays:
From the router status submenu, select option 2 to display detailed information of
TTYs on the corresponding router. Following is part of the screen display:
From the router status submenu, select option 3 to display the APP summary on
the corresponding router. The following displays:
From the router status submenu, select option 4 to display detailed APP
information on the corresponding router. Following is part of the screen display:
From the router status submenu, select option 0 to return to the main menu.
Displaying statistics
On the main interface, select option 5 to display the following:
Terminals in use: ttyp55
Enter terminal name:
Enter a terminal name to display all the statistics about the terminal. The following
displays:
Process ID. Parent process No. tty device name Router IP Port No.
Terminal No. Debugging level
12676 12674 ttyp55 10.110.96.44 1219 6 0
Statistics:
Total number of packets read from socket: 3
Total number of bytes read from socket: 4
Number of bytes last read from socket: 1
Time when socket was last read: 2002-07-15 13:59:43
Total number of packets written to socket: 2
Total number of bytes written to socket: 116
Number of bytes last written to socket: 58
Time when socket was last written to: 2002-07-15 13:59:44
Total number of packets read from pty: 2
Total number of bytes read from pty: 116
Number of bytes last read from pty: 58
Time when pty was last read: 2002-07-15 13:59:44
Total number of packets written to pty: 2
Total number of bytes written to pty: 2
Number of bytes last written to pty: 1
Time when pty was last written to: 2002-07-15 13:59:43
Installing and Configuring SCO UnixWare Server
Using FTP
Refer to “Using FTP” on page 772.
■ You can also increase the number of pseudo terminals by installing programs
acp and update as follows:
1 Change the value of kernel parameter NUMSCOPT to 256.
# /etc/conf/bin/idtune NUMSCOPT 256
2 Install the acp package, which is in the first disk for SCO UnixWare. Select a
terminal number of 256 during installation.
# pkgadd -d cdrom1 acp
3 Install the update package, which is in the second disk for SCO UnixWare.
# pkgadd -d cdrom1 update711
After installation, the system rebuilds the kernel and reboots automatically.
Modifying System Configuration File ttydefs
Locate the line starting with “9600:” in file /etc/ttydefs. If the echoctl option is
present, set it to -echoctl. If Chinese cannot be used normally, add the -istrip
option to the line. For example:
9600: 9600 sane imaxbel iexten -echoctl echoke -istrip -tabs ::: 4800
Note: To run ttyd on the SCO UnixWare system, you do not need to configure pseudo
terminal related parameters in file /etc/inittab.
Editing ttyd Configuration File
Refer to “Editing the ttyd Configuration File” on page 775.
Modifying Route Configuration File
The terminal access router is usually connected to the Unix server through WANs
and therefore located on an IP segment different from that of the Unix server, in
which case you must configure a route on the Unix server.
In the example above, 10.110.96.0 is the destination subnet, with the subnet
mask of 255.255.255.0 and the next hop IP address of 63.1.1.250.
Installing and Using ttyd Administration Program ttyadm
Refer to “Installing and Using ttyd Administration Program ttyadm” on page 780.
Installing and Configuring SUN OS Server
Using FTP
Refer to “Using FTP” on page 772.
After modification, you must reboot the server to bring your configuration into
effect. You do not need to change other system kernel parameters.
Modifying System Configuration File inittab
Follow these steps to modify the system configuration file inittab:
1 Check whether a pseudo terminal has been configured in the inittab configuration
file.
Take the device ttyp50 as an example. Edit the file /etc/inittab and check whether
this file contains the following line:
T1:234:respawn:/etc/getty ttyp50
If the line is absent, add it. In the sample line, T1 is the identifier of the line. Each
line in the file inittab must have a unique identifier consisting of no more than two
characters. In system configuration file inittab, the third column of a line is
“respawn” for an active terminal and “off” for a dumb terminal.
Editing the ttyd Configuration File
Refer to “Editing the ttyd Configuration File” on page 775.
Modifying Route Configuration File
The terminal access router is usually connected to the Unix server through WANs
and therefore located on an IP segment different from that of the Unix server, in
which case you must configure a route on the Unix server.
Installing and Using ttyd Administration Program ttyadm
Refer to “Installing and Using ttyd Administration Program ttyadm” on page 780.
Installing and Configuring IBM AIX Server
Using FTP
Refer to “Using FTP” on page 772.
Note: Adding pseudo terminals on the IBM AIX server does not require a reboot.
After entering the menu interface, select the [system management] to open the
submenu.
After modification, you must reboot the server to bring your configuration into
effect. You do not need to change other system kernel parameters.
Modifying System Configuration File inittab
1 Check whether the pseudo terminal has been configured in the inittab
configuration file.
Take the device ttyA6 as an example. Edit the file /etc/inittab and check whether
this file contains the following line:
ttyA6:234:respawn:/usr/sbin/getty /dev/ttyA6
If the line is absent, add it. In the sample line, ttyA6 is the identifier of the line.
Each line in file inittab must have a unique identifier consisting of no more than
four characters. In system configuration file inittab, the third column of a line is
“respawn” for an active terminal and “off” for a dumb terminal.
Editing the ttyd Configuration File
Refer to “Editing the ttyd Configuration File” on page 775.
Modifying Route Configuration File
The terminal access router is usually connected to the Unix server through WANs
and therefore located on an IP segment different from that of the Unix server, in
which case you must configure a route on the Unix server.
ttyd:23:wait:/etc/ttyd /etc/ttyd.conf
Installing and Using ttyd Administration Program ttyadm
Refer to “Installing and Using ttyd Administration Program ttyadm” on page 780.
Installing and Configuring HP-UX Server
Using FTP
Refer to “Using FTP” on page 772.
Now, the number of pseudo terminals is 256 in the directories /dev/pty and
/dev/ptym.
# ln /dev/pty/ttyy0 /dev/ttyy0
# ln /dev/ptym/ptyy0 /dev/ptyy0
After entering the menu interface, select [kernel configuration] to enter the
submenu, and then select [configurable parameters] and change the value of
[nproc] to 2000.
After modification, you must reboot the server to bring your configuration into
effect. You do not need to change other system kernel parameters.
Modifying System Configuration File inittab
1 Check whether the pseudo terminal has been configured in the inittab
configuration file.
Take the device ttypa as an example. Edit the file /etc/inittab and check whether
this file contains the following line:
If the line is absent, add it. In the sample line, pa is the identifier of the line. Each
line in file inittab must have a unique identifier consisting of no more than four
characters. In system configuration file inittab, the third column of a line is
“respawn” for an active terminal and “off” for a dumb terminal.
Editing ttyd Configuration File
Refer to “Editing the ttyd Configuration File” on page 775.
Modifying Route Configuration File
The terminal access router is usually connected to the Unix server through WANs
and therefore located on an IP segment different from that of the Unix server, in
which case you must configure a route on the Unix server.
/etc/ttyd /etc/ttyd.conf
;;
'stop_msg')
Installing and Using ttyd Administration Program ttyadm
Refer to “Installing and Using ttyd Administration Program ttyadm” on page 780.
Installing and Configuring Red Hat Linux Server
Using FTP
Refer to “Using FTP” on page 772.
Modifying System Configuration File inittab
1 Check whether the pseudo terminal has been configured in the inittab
configuration file.
Take the device ttypa as an example. Edit the file /etc/inittab and check whether
this file contains the following line:
If the line is absent, add it. In the sample line, pa is the identifier of the line. Each
line in file inittab must have a unique identifier consisting of no more than four
characters. In system configuration file inittab, the third column of a line is
“respawn” for an active terminal and “off” for a dumb terminal.
The available pseudo terminals include ttyxy, where the value of “x” ranges from a
to e and p to z and that of “y” ranges from hexadecimal 0 to f. Examples are
ttyp6, ttypa, ttyz1, and ttyz9.
To start ttyd before the system processes the file /etc/inittab, you must edit the file
/etc/rc.d/rc.sysinit; otherwise, the system will prompt a message similar to “INIT:
Id "v0" respawning too fast, disabled for 5 minutes” and it may take a while
before the login window appears. No such problems will occur if all the devices
present in the file inittab have been opened by ttyd. Append the following
contents to line 30 in the file /etc/rc.d/rc.sysinit:
......
# Start the graphical boot, if necessary
if [ "$BOOTUP" = "graphical" ]; then
    if [ -x /usr/bin/rhgb ]; then
        /usr/bin/rhgb
    else
        export BOOTUP=color
    fi
fi
#start ttyd
/root/ttydp/ttyd /root/ttydp/tty9000.conf
/root/ttydp/ttyd /root/ttydp/tty9001.conf
sleep 10
last=0
for i in `LC_ALL=C grep '^[0-9]*.*respawn:/sbin/mingetty' /etc/inittab | sed 's/^.* tty\([0-9][0-9]*\).*/\1/g'`; do
......
Editing the ttyd Configuration File
Refer to “Editing the ttyd Configuration File” on page 775.
Modifying Route Configuration File
The terminal access router is usually connected to the Unix server through WANs
and therefore located on an IP segment different from that of the Unix server, in
which case you must configure a route on the Unix server.
In the example above, 10.110.96.0 is the destination subnet, with the subnet
mask of 255.255.255.0 and the gateway (a router) IP address of 63.1.1.250.
Installing and Using ttyd Administration Program ttyadm
Refer to “Installing and Using ttyd Administration Program ttyadm” on page 780.
Prompts on Terminals
No. | Prompt | Description
1 | (TTY tty-number: vty-number starting connect to server fail!) | Creating a socket failed because, for example, no WAN IP address is configured on the router.
2 | (TTY tty-number: vty-number fail to connect server-name!) | The router failed to establish a TCP connection to the Unix server because, for example, the Unix server is turned on but ttyd is not running.
3 | (TTY tty-number: vty-number authentication failed or server-name no response) | The corresponding entries in the ttyd configuration file of the Unix server may be wrong, or the ttyd listening port on the Unix server and the application port on the router are different.
4 | (TTY tty-number: vty-number peer socket close, fail to connect server-name!) | The TCP connection established between the Unix server and the router is down. This may occur when you close ttyd on the Unix server or turn off the Unix server.
5 | (TTY tty-number: vty-number connecting with server-name...) | Normally, the router should be able to establish a TCP connection to the Unix server quickly. If the system prompts that the connection is still not established after a long time, the Unix server may be off or some other problems may have occurred. Press a key on the terminal to initiate a new connection.
6 | (TTY tty-number: vty-number success to connect with server-name) | A TCP connection is established between the router and the Unix server.
7 | (TTY tty-number: vty-number link error with server-name while sending) | The status of the socket on the router changes when the router is establishing a TCP connection or sending data to the Unix server.
9 | (TTY tty-number:%d break and reconnect with server-name) | The router just tore down a TCP connection and is reestablishing another TCP connection to the Unix server. This message appears when a terminal user presses the terminal reset hotkey.
10 | (Out of time range, access forbidden!) | When terminal access periods are configured in the ttyd configuration file on the Unix server, this message appears if a terminal tries to access the Unix server during forbidden periods.
11 | (authentication failed, fail to open pty device!) | Authentication of a terminal failed. The corresponding pseudo terminal on the Unix server cannot be opened.
12 | (authentication failed, too many tcp links!) | Authentication of a terminal failed. The TCP connection number established by the ttyd program on the Unix server has reached the upper limit.
13 | (authentication failed, invalid IP address!) | The source IP address of the TCP connection corresponding to the terminal is not consistent with the IP address configured in the ttyd configuration file on the Unix server.
Refer to “Prompts on Terminals” on page 799 or “Check whether the router and
Unix server can ping each other” on page 802 for detailed information.
Refer to “Check whether the cable connecting the terminal to the router is OK”
on page 800.
Now, you can enter the test hotkey on the terminal. If the physical connectivity
between the terminal and router is correct, the terminal screen will display
“Terminal to Router test OK!” if you have set the language type to English on the
Unix server. This means the connectivity between the terminal and the
asynchronous serial interface of the router is correct and they can exchange data
with each other normally. Refer to “Check whether the router and Unix server can
ping each other” on page 802. If the TCP connection between the terminal and
the Unix server is correct, the terminal screen displays “Terminal to Unix test OK!”.
This means a TCP connection has been established between the application used
by the terminal and the ttyd program on the UNIX server, and the terminal can
communicate with the server normally. Refer to “For an active terminal, verify the
configuration of system file inittab” on page 804.
If the terminal displays nothing on its screen, verify that the cable connection is
correct. Different models of terminals have different pin assignments with their
primary serial interfaces, so a certain type of converter may be required.
In terminal access, 8ASE and 16ASE modules and their cables are used the most
frequently. The connection cables for the 8ASE/16ASE modules have 8/16
asynchronous serial interfaces, namely 8AS/16AS cables, which fall into three
types: 8AS/16AS cable (DB-25/DB-9), 8AS/16AS cable (RJ-45 for telecom), and
8AS/16AS cable (RJ-45 for banks). “Telecom” means that the 8AS/16AS (RJ-45)
cables, which are blue, are for telecom carriers. “Bank” means that the 8AS/16AS
(RJ-45) cables which are white and labeled with “Dumb Terminal” are used for
terminal access in banks.
Serial interface: asynchronous serial interface
DB-25  DB-9  RJ-45 (for telecom/banks)  Signal  Signal direction  Signal description
5      8     8/7                        CTS     ←                 Clear to send
6      6     7/3                        DSR     ←                 Data set ready
3      2     6/5                        RxD     ←                 Receive data
7      5     5/4                        GND     -                 Logical ground
8      1     4/1                        DCD     ←                 Data carrier detect
2      3     3/6                        TxD     →                 Transmit data
20     4     2/2                        DTR     →                 Data terminal ready
4      7     1/8                        RTS     →                 Request to send
Terminal access converters are exclusively used for 8AS cables (RJ-45 for banks)
and 16AS cables (RJ-45 for banks) to connect to terminals. One end of the cable is
an RJ-45 receptacle for connecting to a standard network cable, and the other end
is a DB-25 receptacle for connecting to a terminal. The following table describes
the pins of the terminal access converter.
When a 3-wire asynchronous serial interface cable is used, the dsr/dtr and flow
control signal lines are absent. You must therefore use the undo detect dsr-dtr
command on the asynchronous serial interface, so that the dsr/dtr signals are
not detected and the interface enters the up state automatically, and the
flow-control none (or flow-control software inbound) command, so that hardware
flow control signals are not detected and software flow control or no flow
control is used instead.
When a 5-wire asynchronous serial interface cable is used, the flow control
signal lines are absent. You must therefore use the flow-control none or
flow-control software inbound command on the asynchronous interface, so that
hardware flow control signals are not detected and software flow control or no
flow control is used instead.
When an 8-wire asynchronous serial interface cable is used, all the required
signal lines are available; therefore, you do not need to configure the
above-mentioned commands on the asynchronous interface.
Check whether the router and Unix server can ping each other
1 If yes
The WAN line between the router and the Unix server functions well, and the
criterion is satisfied for the router to establish a TCP connection to the server. Refer
to “Check whether the main ttyd process and its child processes are present” on
page 803.
2 If not
Check the configuration of the WAN interface of the router, the WAN line
provided by the ISP, and the router related parameters on the router and server.
Check whether the main ttyd process and its child processes are present
Use the process management function provided by the ttyd administration
program or the ps -ef | grep ttyd command to check whether the main ttyd
process and its child processes are present.
1 The ttyd main process does not exist.
# /etc/ttyd
If you do not specify any parameters for the command, the default configuration
file /etc/ttyd.conf is used. To specify another configuration file, you must enter a
file name in the following format:
# /etc/ttyd /etc/ttyd9020.conf
2 The main ttyd process exists but none of its child processes does.
The ttyd program has been started, but no TCP connection has been established
between the router and the Unix server. First, verify that the connection modes
set on the router and the FEP are the same, for example, both in the one-to-one
mode. Then, check whether the cause is a terminal authentication failure or a
failure to open the pseudo terminal. Refer to “Verify the configuration of the
router and the ttyd configuration of the server are correct and consistent.” on
page 803 or “Prompts on Terminals” on page 799.
3 The main ttyd process and its child processes exist.
The ttyd program has been started, and a TCP connection has been established
between the router and the Unix server. Refer to “Check whether the router has
established a TCP connection with the Unix server” on page 803.
Verify the configuration of the router and the ttyd configuration of the
server are correct and consistent.
■ Verify router configuration is correct.
■ Verify the configuration file ttyd.conf on the Unix server is correct.
■ Verify either the one-to-one or many-to-one mode is configured on both sides.
■ Verify the port numbers configured on both sides are consistent.
■ Verify the IP address and terminal number configured in ttyd.conf and those on
the router are consistent.
■ If source IP address binding is configured on the router, verify the source IP
address can be pinged from the Unix server.
Check whether the router has established a TCP connection with the Unix
server
1 Verify TCP connectivity using the terminal connectivity test hotkey
Now, you can press the test hotkey on the terminal. If the TCP connection
between the terminal and the Unix server is correct, the terminal screen displays
“Terminal to Unix test OK!”. This means a TCP connection has been established
between the application used by the terminal and the ttyd program on the UNIX
server, and the terminal can communicate with the server normally. Refer to “For
an active terminal, verify the configuration of system file inittab” on page 804 for
detailed information.
If the terminal does not display “Terminal to Unix test OK!”, no TCP connection
has been established between the application used by the terminal and the ttyd
program on the Unix server, or the corresponding pseudo terminal on the Unix
server is not operating normally. Refer to “View the debugging information of the
router and ttyd program of the server” on page 805 for detailed information.
First, confirm the pseudo terminal ttypxx on the Unix server corresponding to the
terminal by using the configuration file ttyd.conf. Then, execute the following
command on the Unix server:
This command sends the string 123456789 to the terminal ttypxx (xx indicates the
terminal index).
If the string appears on the terminal, a TCP connection has been established
between the application used by the terminal and the ttyd program on the Unix
server, and the terminal can communicate with the server normally. Refer to “For
an active terminal, verify the configuration of system file inittab” on page 804 for
detailed information.
If the string does not appear on the terminal, no TCP connection has been
established between the application used by the terminal and the ttyd program on
the Unix server, or the corresponding pseudo terminal on the Unix server is not
operating normally. Refer to the “View the debugging information of the router
and ttyd program of the server” on page 805 for detailed information.
First, find in the configuration file ttyd.conf on the Unix server the pseudo terminal
that corresponds to the terminal, ttyp50 for example. Then, edit the file
/etc/inittab and check whether the file contains the following line:
C50:234:respawn:/etc/getty ttyp50 m
# init q
You can also use the enable command to configure a pseudo terminal as an
active terminal, or use the disable command to configure a pseudo terminal as a
dumb terminal.
# enable ttyp50
2 The inittab system file configuration is correct.
X. Refer to the “View the debugging information of the router and ttyd program
of the server” on page 805.
Check whether the banking service process has activated the pseudo terminal. If
not, activate it. If yes, refer to the “View the debugging information of the router
and ttyd program of the server” on page 805.
View the debugging information of the router and ttyd program of the
server
A debugging file is created for each main ttyd process and child process. By
default, the destination directory of the ttyd debugging file(s) is /var/ttydlist. You
can change this directory in the configuration file ttyd.conf. The debugging file of
the main ttyd process is named in the format of ttydxxxx.log, where xxxx is the
number of the listening port of the main process. The debugging file of a child
process is named in the format of ttypxx.log, where ttypxx is the name of the ttyp
device for the child process.
The following analyses the common ttyd debugging information and provides
some solutions.
Cause: The ttyd configuration file contains no configuration for the router.
Solution: Configure the IP address of the router in the ttyd configuration file, and
then press <Enter> on the terminal.
Cause: Too many TCP connections have been established on the Unix server so
that new TCP connection requests cannot be accepted.
6 Fail: the swap is not enough to store the data, so some data is discarded
Cause: Data from the router is not written into the PTY device (pseudo terminal),
making the buffer full and subsequent data discarded. Typically, this is because the
PTY device is not operating normally.
Cause: The user was accessing the Unix server out of the defined periods.
Cause: Failed to open device pty5. The value of the errno parameter tells the
cause.
Cause: Another process is using the listening port number specified in the ttyd
configuration file.
Cause: Too many main ttyd processes are started up on the Unix server.
Cause: Failed to create a device used by the ttyd process. This usually results
from Unix system resource problems.
If you cannot locate the problem, save the debugging information of both the
router and the Unix server and send it to a customer service engineer to locate it.
If the new pseudo terminal is an active terminal, make sure that you have enabled
it. If it is a dumb terminal, configure the terminal in the configuration file of the
banking service.
3 Use the process management function of the ttyd administration program or the
kill command to kill the ttyd child process corresponding to the original terminal,
or run the ttyd administration program and use the menu for refreshing
configuration file to refresh ttyd program configuration.
If the new pseudo terminal is a dumb terminal, activate this terminal in the
banking service process.
You can view system resources utilization by using the ttyd administration program
or the following command:
# netstat -m
streams allocation:
config alloc free total max fail
stream 4096 134 3962 10692 135 0
queues 566 271 295 21387 273 0
mblks 2319 445 1874 761868 2149 1
buffer headers 2746 1279 1467 52307 2654 0
class 1, 64 bytes 192 9 183 240804 172 0
class 2, 128 bytes 192 0 192 234865 168 0
class 3, 256 bytes 304 9 295 96179 292 0
class 4, 512 bytes 32 0 32 26368 32 0
class 5, 1024 bytes 32 0 32 2734 29 0
class 6, 2048 bytes 274 182 92 6460 273 0
class 7, 4096 bytes 171 170 1 185 171 0
class 8, 8192 bytes 5 0 5 70 5 0
class 9, 16384 bytes 2 0 2 3 2 0
class 10, 32768 bytes 0 0 0 0 0 0
class 11, 65536 bytes 0 0 0 0 0 0
class 12, 131072 bytes 0 0 0 0 0 0
class 13, 262144 bytes 0 0 0 0 0 0
class 14, 524288 bytes 0 0 0 0 0 0
total configured streams memory: 8000.00KB
streams memory in use: 1103.09KB
maximum streams memory used: 1569.64KB
A value of 1 for the fail column means the system stream resources are insufficient
and you need to increase stream resources by modifying the Unix server kernel.
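The fail-column check described above can be scripted when the output is collected from several servers. The following is an added example, not part of the 3Com documentation: it parses an abridged copy of the netstat -m output shown above and lists every resource with a non-zero fail count. The function names and the peak-memory percentage are assumptions introduced for illustration.

```python
import re

# Abridged copy of the netstat -m output shown above.
SAMPLE = """\
streams allocation:
config alloc free total max fail
stream 4096 134 3962 10692 135 0
queues 566 271 295 21387 273 0
mblks 2319 445 1874 761868 2149 1
buffer headers 2746 1279 1467 52307 2654 0
class 1, 64 bytes 192 9 183 240804 172 0
class 7, 4096 bytes 171 170 1 185 171 0
total configured streams memory: 8000.00KB
streams memory in use: 1103.09KB
maximum streams memory used: 1569.64KB
"""

COLUMNS = ("config", "alloc", "free", "total", "max", "fail")
MEMORY_LINE = re.compile(r"^(.*memory.*):\s*([\d.]+)KB$")


def parse_netstat_m(text):
    """Split the output into per-resource counters and memory totals (KB)."""
    resources, memory = {}, {}
    for line in text.splitlines():
        line = line.strip()
        match = MEMORY_LINE.match(line)
        if match:
            memory[match.group(1)] = float(match.group(2))
            continue
        # Resource names may contain spaces ("class 1, 64 bytes"), so the six
        # counters are taken from the right-hand end of the line.
        parts = line.rsplit(None, len(COLUMNS))
        if len(parts) == len(COLUMNS) + 1 and all(p.isdigit() for p in parts[1:]):
            resources[parts[0]] = dict(zip(COLUMNS, map(int, parts[1:])))
    return resources, memory


def stream_report(text):
    """Name the resources whose fail counter is non-zero and report the peak
    streams memory as a percentage of the configured total."""
    resources, memory = parse_netstat_m(text)
    failed = [name for name, row in resources.items() if row["fail"] > 0]
    peak = memory["maximum streams memory used"]
    configured = memory["total configured streams memory"]
    return {"failed": failed,
            "peak_memory_pct": round(100 * peak / configured, 1)}


if __name__ == "__main__":
    print(stream_report(SAMPLE))
```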
You can follow these steps to modify system stream resources (taking SCO
OpenServer Unix 5.0x as an example):
5 Under the [Configuration tunables] title, Select [12 Streams] to enter the level 4
interface.
6 Set the [NSTRPAGES] field to 2000 (the default is 500).
7 Exit to the level 2 interface and select [Relink Kernel] to recompile the kernel.
8 Exit scoadmin and reboot the Unix server.
After reboot, the change takes effect. You can use the netstat -m command to
view current system stream resources. The last but three line of command output
will show that the total configured streams memory is changed from 2,048 KB to
8,000 KB.
3 Modify 6-character pseudo terminal names to 5-character ones with the following
commands:
# mv /dev/ttyp30 /dev/ttya0
# mv /dev/ptyp30 /dev/ptya0
4 Modify attributes of the pseudo terminals with the following commands:
# chmod 666 /dev/ttya0
# chmod 666 /dev/ptya0
5 Synchronize with the following command:
# sync
6 For active terminals, add corresponding pseudo terminal configuration in system
file inittab by using the following command:
a0:234:respawn:/etc/getty ttya0 m
7 Add configuration entry for pseudo terminal ttya0 in the banking service
configuration file.
8 Restart the ttyd program.
■ The terminal has baud rates different from those of the asynchronous interface.
■ The corresponding device is not configured in file inittab.
■ The router and the Unix server use different application modes, for example,
the Unix server may use the many-to-one mode and the router may use the
one-to-one mode. Note that the router only supports the one-to-one mode
currently.
Solution:
■ For the first case, you may check the UNIX server log for a message similar to
“open ptyp10 failed: I/O error”. In such a case, execute the following command
on the Unix server:
# ps -ef | grep ttyp10
■ For the second case, you must reconfigure the baud rates to be consistent.
■ For the third case, you must configure the corresponding device in file inittab.
■ For the fourth case, you must configure the router and the Unix server to use
the same application mode.
If the rate is not high, open the ttyd configuration file to examine whether the
sendsize and readsize options are properly configured. For low speed WAN links
(at 9,600 bps for example), the two options must be modified accordingly.
If other configurations are all correct but the log shows that some pseudo
terminals cannot be opened, check whether the terminals are under directory /dev.
If not, try to use another existent pseudo terminal or create the pseudo terminal. If
yes, check whether a process is using the pseudo terminal.
Check whether the application mode is many-to-one, which may cause data for
terminals to fall into confusion. Upgrade to a router version supporting
one-to-one mode and switch to one-to-one application mode.
The terminal cannot display the login interface after configuration and no
error message is logged on the Unix server
Check the configuration file to see whether the same application mode is
configured on the router and the Unix server. This problem occurs if the Unix
server uses the many-to-one mode and the router uses one-to-one mode.
The terminal connected to a credit card (IC card) swipe reader does not
work
Check the hardware versions of the interface modules using the display version
command.
First, check the hardware versions of the interface modules. 8AS modules have
two hardware versions: 1.x and 2.x. 8AS modules with a hardware version of 1.x
do not support card swiping and those with a hardware version of 2.x do. No such
problems happen to any other interface modules.
IP Routing and Routing Table
Routing
Routing in the Internet is achieved through routers. Upon receiving a packet, a
router finds an optimal route based on the destination address and forwards the
packet to the next router in the path until the packet reaches the last router, which
forwards the packet to the intended destination host.
■ Direct routes: Routes discovered by data link protocols, also known as interface
routes.
■ Static routes: Routes that are manually configured.
■ Dynamic routes: Routes that are discovered dynamically by routing protocols.
■ IP address of the next hop: Specifies the address of the next router on the path.
If only the outbound interface is configured, its address will be the IP address of
the next hop.
■ Priority for the route. Routes to the same destination but having different
nexthops may have different priorities and be found by various routing
protocols or manually configured. The optimal route is the one with the highest
priority (with the smallest metric).
To prevent the routing table from getting too large, you can configure a default
route. All packets without a matching entry in the routing table will be
forwarded through the default route.
In Figure 229, the IP address on each cloud represents the address of the network.
Router G resides in three networks and therefore has three IP addresses for its
three physical interfaces. Its routing table is shown on the right of the network
topology.
[Figure 229: network topology in which Routers A through H interconnect networks
11.0.0.0 through 17.0.0.0; Router G attaches to networks 11.0.0.0, 12.0.0.0 and
14.0.0.0]
Destination Network    Nexthop     Interface
11.0.0.0               11.0.0.1    2
12.0.0.0               12.0.0.1    1
13.0.0.0               12.0.0.2    1
14.0.0.0               14.0.0.4    3
15.0.0.0               14.0.0.2    3
16.0.0.0               14.0.0.2    3
17.0.0.0               11.0.0.2    2
Routing Protocol Overview
Static Routing and Dynamic Routing
Static routing is easy to configure and requires fewer system resources. It
works well in small, stable networks with simple topologies. Its major drawback
is that you must perform routing configuration again whenever the network
topology changes; it cannot adjust to network changes by itself.
Dynamic routing is based on dynamic routing protocols, which can detect network
topology changes and recalculate the routes accordingly. Therefore, dynamic
routing is suitable for large networks. Its disadvantages are that it is
complicated to configure, that it imposes higher requirements on the system, and
that it consumes a certain amount of network resources.
Classification of Dynamic Routing Protocols
Dynamic routing protocols can be classified based on the following standards:
Operational scope
■ Interior gateway protocols (IGPs): Work within an autonomous system. They
typically include RIP, OSPF, and IS-IS.
■ Exterior gateway protocols (EGPs): Work between autonomous systems. The
most popular one is BGP.
Note: An autonomous system refers to a group of routers that share the same
routing policy and work under the same administration.
Routing algorithm
■ Distance-vector protocols: Mainly include RIP and BGP. BGP is also considered
a path-vector protocol.
■ Link-state protocols: Mainly include OSPF and IS-IS.
The main differences between the above two types of routing algorithms lie in the
way routes are discovered and calculated.
Version of IP protocol
IPv4 routing protocols: RIP, OSPF, BGP and IS-IS.
Routing Protocols and Routing Priority
Different routing protocols may find different routes to the same destination.
However, not all of those routes are optimal. In fact, at a particular moment, only
one protocol can uniquely determine the current optimal routing to the
destination. For the purpose of route selection, each routing protocol (including
static routes) is assigned a priority. The route found by the routing protocol with
the highest priority is preferred.
The following table lists some routing protocols and the default priorities for
routes found by them.
Note:
■ The smaller the priority value, the higher the priority.
■ The priority for a direct route is always 0, which you cannot change. Any other
type of routes can have their priorities manually configured. 256 represents a
route from an untrustworthy source.
■ Each static route can be configured with a different priority.
■ IPv4 and IPv6 routes have their own respective routing tables.
A given routing protocol may find several routes with the same metric to the same
destination, and if this protocol has the highest priority among all the active
protocols, these routes will be considered valid routes for load balancing.
Route backup
Route backup can help improve network reliability. With route backup, you can
configure multiple routes to the same destination, expecting the one with the
highest priority to be the main route and all the rest backup routes.
Under normal circumstances, packets are forwarded through the main route.
When the main route goes down, the route with the highest priority among the
backup routes is selected to forward packets. When the main route recovers, the
route selection process is performed again and the main route is selected again to
forward packets.
Route Recursion
The nexthops of some BGP routes (except EBGP routes), static routes configured
with nexthops, and multi-hop RIP routes may not be directly connected. To
forward the packets, the outgoing interface to reach the nexthop must be
available. Route recursion is used to find the directly connected outgoing interface
based on the nexthop information of the route. Link-state routing protocols, such
as OSPF and IS-IS, do not need route recursion because they obtain nexthop
information through route calculation.
Sharing of Routing Information
As different routing protocols use different algorithms to calculate routes, they
may find different routes. In a large network with multiple routing protocols,
the routing protocols need to share their routing information. Each routing
protocol has its own route redistribution mechanism. For detailed information,
refer to “Routing Policy Configuration” on page 991.
Note: Bandwidth-based non-balanced load sharing does not support the load
sharing of flows. Therefore, you have to disable fast forwarding on the
corresponding outbound and inbound interfaces.
Configuring the Load Sharing Bandwidth for an Interface
Follow these steps to configure interface load sharing bandwidth:
To do...: Enter interface view
  Use the command...: interface interface-type interface-number
  Remarks: -
To do...: Configure the load sharing bandwidth for the interface
  Use the command...: loadbandwidth bandwidth
  Remarks: Optional. The default is the physical bandwidth of the interface.
Displaying and Maintaining a Routing Table
To do...: Display brief information about the active routes in the routing table
  Use the command...: display ip routing-table [ vpn-instance vpn-instance-name ] [ verbose | | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
To do...: Display information about routes to the specified destination
  Use the command...: display ip routing-table ip-address [ mask-length | mask ] [ longer-match ] [ verbose ]
  Remarks: Available in any view
To do...: Display information about routes with destination addresses in the specified range
  Use the command...: display ip routing-table ip-address1 { mask-length | mask } ip-address2 { mask-length | mask } [ verbose ]
  Remarks: Available in any view
To do...: Display information about routes permitted by an IPv4 basic ACL
  Use the command...: display ip routing-table acl acl-number [ verbose ]
  Remarks: Available in any view
To do...: Display routing information permitted by an IPv4 prefix list
  Use the command...: display ip routing-table ip-prefix ip-prefix-name [ verbose ]
  Remarks: Available in any view
To do...: Display routes of a routing protocol
  Use the command...: display ip routing-table protocol protocol [ inactive | verbose ]
  Remarks: Available in any view
To do...: Display statistics about the routing table or a VPN routing table
  Use the command...: display ip routing-table [ vpn-instance vpn-instance-name ] statistics
  Remarks: Available in any view
To do...: Display statistics about bandwidth-based load sharing
  Use the command...: display loadsharing ip address ip-address mask
  Remarks: Available in any view
To do...: Clear statistics for the routing table or a VPN routing table
  Use the command...: reset ip routing-table statistics protocol [ vpn-instance vpn-instance-name ] { all | protocol }
  Remarks: Available in user view
To do...: Display brief IPv6 routing table information
  Use the command...: display ipv6 routing-table
  Remarks: Available in any view
To do...: Display verbose IPv6 routing table information
  Use the command...: display ipv6 routing-table verbose
  Remarks: Available in any view
To do...: Display routing information for a specified destination IPv6 address
  Use the command...: display ipv6 routing-table ipv6-address prefix-length [ longer-match ] [ verbose ]
  Remarks: Available in any view
To do...: Display routing information permitted by an IPv6 ACL
  Use the command...: display ipv6 routing-table acl acl6-number [ verbose ]
  Remarks: Available in any view
To do...: Display routing information permitted by an IPv6 prefix list
  Use the command...: display ipv6 routing-table ipv6-prefix ipv6-prefix-name [ verbose ]
  Remarks: Available in any view
To do...: Display IPv6 routing information of a routing protocol
  Use the command...: display ipv6 routing-table protocol protocol [ inactive | verbose ]
  Remarks: Available in any view
To do...: Display IPv6 routing statistics
  Use the command...: display ipv6 routing-table statistics
  Remarks: Available in any view
To do...: Display IPv6 routing information for an IPv6 address range
  Use the command...: display ipv6 routing-table ipv6-address1 prefix-length1 ipv6-address2 prefix-length2 [ verbose ]
  Remarks: Available in any view
To do...: Clear specified IPv6 routing table statistics
  Use the command...: reset ipv6 routing-table statistics protocol { all | protocol }
  Remarks: Available in user view
Configuration Example
# The display shows that packets are load-shared according to their default
bandwidths.
Specify bandwidths for the three interfaces on Router A and observe the load
sharing.
Network diagram
[Figure: Router A connects through an IP network to Router B; interface labels
in the diagram: Eth1/0, ATM 1/0, Serial 2/0]
Configuration procedure
1 Configure Router A
<Sysname> system-view
[Sysname] interface ethernet 0/0
[Sysname-Ethernet0/0] loadbandwidth 200
[Sysname-Ethernet0/0] quit
[Sysname] interface Atm 1/0
[Sysname-Atm 1/0] loadbandwidth 100
[Sysname-Atm 1/0] quit
[Sysname] interface serial 2/0
[Sysname-serial 2/0] loadbandwidth 300
[Sysname-serial 2/0] quit
# The display shows that packets are load-shared according to the specified
interface bandwidths.
When configuring BGP, go to these sections for information you are interested in:
BGP Overview
Three early versions of BGP are BGP-1 (RFC1105), BGP-2 (RFC1163) and BGP-3
(RFC1267). The current version in use is BGP-4 (RFC1771). BGP-4 is rapidly
becoming the de facto Internet exterior routing protocol standard and is commonly
used between ISPs.
A router advertising BGP messages is called a BGP speaker, which exchanges new
routing information with other BGP speakers. When a BGP speaker receives a new
route or a route better than the current one from another AS, it will advertise the
route to all the other BGP speakers in the local AS.
BGP speakers call each other peers, and several associated peers form a peer
group.
BGP is called IBGP when it runs within an AS and is called EBGP when it runs
between ASs.
[Figure: BGP message header format: Marker (16 bytes), Length (2 bytes), Type
(1 byte)]
■ Marker: The 16-octet field is used for BGP authentication calculation. If no
authentication information is available, then the Marker must be all ones.
■ Length: The 2-octet unsigned integer indicates the total length of the message.
■ Type: This 1-octet unsigned integer indicates the type code of the message. The
following type codes are defined: 1-Open, 2-Update, 3-Notification, 4-Keepalive,
5-Route-refresh. The first four are defined in RFC1771 and the last one is
defined in RFC2918.
Open
After a TCP connection is established, the first message sent by each side is an
Open message for peer relationship establishment. The Open message contains
the following fields:
[Figure: Open message format (bit positions 0, 7, 15, 31): Version, My
Autonomous System, Hold Time, BGP Identifier, Optional Parameters]
■ Version: This 1-octet unsigned integer indicates the protocol version number of
the message. The current BGP version number is 4.
■ My Autonomous System: This 2-octet unsigned integer indicates the
Autonomous System number of the sender.
■ Hold Time: When establishing peer relationship, two parties negotiate an
identical Hold time. If no Keepalive or Update is received from a peer after the
Hold time elapses, the BGP connection is considered down.
■ BGP Identifier: In IP address format, identifying the BGP router.
■ Opt Parm Len (Optional Parameters Length): Length of optional parameters, set
to 0 if no optional parameter is available.
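The header and Open layouts described above translate directly into a bounds-checked parser. The following is an added example, not code from the 3Com documentation: it validates the Marker, Length and Type fields before touching the body, then decodes the Open fields. The function names, the 4096-octet maximum and the Hold Time rule (both taken from RFC 1771) and the sample message are assumptions not stated on this page.

```python
import ipaddress
import struct

HEADER_LEN = 19         # 16-octet Marker + 2-octet Length + 1-octet Type
OPEN_FIXED_LEN = 10     # Version, My AS, Hold Time, BGP Identifier, Opt Parm Len
MAX_MESSAGE_LEN = 4096  # assumption: limit taken from RFC 1771, not this page
MSG_TYPES = {1: "Open", 2: "Update", 3: "Notification",
             4: "Keepalive", 5: "Route-refresh"}


class BGPParseError(ValueError):
    """A message does not match the layout described in this section."""


def parse_header(data):
    """Validate the common header and return (type name, message body)."""
    if len(data) < HEADER_LEN:
        raise BGPParseError("fewer than 19 octets received")
    marker, length, type_code = struct.unpack("!16sHB", data[:HEADER_LEN])
    # Assumption: no authentication is in use, so the Marker must be all ones.
    if marker != b"\xff" * 16:
        raise BGPParseError("Marker is not all ones")
    # Length counts the whole message, header included. It is checked before
    # slicing so a forged value cannot make the parser read past the input.
    if not HEADER_LEN <= length <= MAX_MESSAGE_LEN:
        raise BGPParseError("Length %d is outside 19..4096" % length)
    if length > len(data):
        raise BGPParseError("Length %d exceeds the %d octets received"
                            % (length, len(data)))
    if type_code not in MSG_TYPES:
        raise BGPParseError("unknown type code %d" % type_code)
    return MSG_TYPES[type_code], data[HEADER_LEN:length]


def parse_open(body):
    """Decode the Open fields listed above from a message body."""
    if len(body) < OPEN_FIXED_LEN:
        raise BGPParseError("Open body is shorter than its fixed fields")
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack(
        "!BHH4sB", body[:OPEN_FIXED_LEN])
    if version != 4:
        raise BGPParseError("unsupported BGP version %d" % version)
    # Assumption from RFC 1771: Hold Time is zero or at least three seconds.
    if hold_time in (1, 2):
        raise BGPParseError("Hold Time %d is not acceptable" % hold_time)
    if opt_len != len(body) - OPEN_FIXED_LEN:
        raise BGPParseError("Opt Parm Len does not match the bytes that follow")
    return {
        "version": version,
        "my_as": my_as,
        "hold_time": hold_time,
        "bgp_identifier": str(ipaddress.IPv4Address(bgp_id)),
        "optional_parameters": body[OPEN_FIXED_LEN:],
    }


def build_open(my_as, hold_time, bgp_identifier, optional=b""):
    """Encode an Open message; used here only to construct sample input."""
    body = struct.pack("!BHH4sB", 4, my_as, hold_time,
                       ipaddress.IPv4Address(bgp_identifier).packed,
                       len(optional)) + optional
    header = b"\xff" * 16 + struct.pack("!HB", HEADER_LEN + len(body), 1)
    return header + body


def check_open(data):
    """Return ("ok", fields) for a valid Open, else ("rejected", reason)."""
    try:
        kind, body = parse_header(data)
        if kind != "Open":
            return "rejected", "expected Open, got " + kind
        return "ok", parse_open(body)
    except BGPParseError as exc:
        return "rejected", str(exc)


# Constructed sample: AS 100, Hold Time 180 s, BGP Identifier 1.1.1.1, no options.
SAMPLE_OPEN = build_open(100, 180, "1.1.1.1")

if __name__ == "__main__":
    print(check_open(SAMPLE_OPEN))
    # The same message with its Length field forged to 60 octets.
    print(check_open(SAMPLE_OPEN[:16] + b"\x00\x3c" + SAMPLE_OPEN[18:]))
```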
Update
An Update message is used to exchange routing information between peers. It can
advertise a feasible route or remove multiple unfeasible routes. Its format is shown
below:
[Figure: Update message format (bit positions 0, 15, 31): Unfeasible Routes
Length, Withdrawn Routes (Variable), Path Attributes (Variable), NLRI (Variable)]
Each Update message can advertise a group of feasible routes with similar
attributes, which are contained in the Network Layer Reachable Information field.
The Path Attributes field carries attributes of these routes that are used by BGP for
routing. Each message can also carry multiple withdrawn routes in the Withdrawn
Routes field.
■ Unfeasible Routes Length: The total length of the Withdrawn Routes field in
octets. A value of 0 indicates that no routes are being withdrawn from service
and that the Withdrawn Routes field is not present in this Update message.
■ Withdrawn Routes: This is a variable length field that contains a list of IP
prefixes of routes that are being withdrawn from service.
■ Total Path Attribute Length: Total length of the Path Attributes field in octets. A
value of 0 indicates that no Network Layer Reachability Information field is
present in this Update message.
■ Path Attributes: List of path attributes related to NLRI. Each path attribute is a
triple <attribute type, attribute length, attribute value> of variable length. BGP
uses these attributes to avoid routing loops, perform routing and protocol
extension.
■ NLRI (Network Layer Reachability Information): Reachability information is
encoded as one or more 2-tuples of the form <length, prefix>.
Notification
A Notification message is sent when an error is detected. The BGP connection is
closed immediately after sending it. Notification message format is shown below:
[Figure: Notification message format (bit positions 0, 7, 15, 31): Error Code,
Error SubCode, Data]
Keepalive
Keepalive messages are sent between peers to maintain connectivity. A Keepalive
message contains only the message header.
Route-refresh
A route-refresh message is sent to a peer to request the resending of the specified
address family routing information. Its format is shown below:
[Figure: Route-refresh message format (bit positions 0, 15, 23, 31)]
The usage of each BGP path attribute is described in the following table.
Name                     Category
ORIGIN                   Well-known mandatory
AS_PATH                  Well-known mandatory
NEXT_HOP                 Well-known mandatory
LOCAL_PREF               Well-known discretionary
ATOMIC_AGGREGATE         Well-known discretionary
AGGREGATOR               Optional transitive
COMMUNITY                Optional transitive
MULTI_EXIT_DISC (MED)    Optional non-transitive
ORIGINATOR_ID            Optional non-transitive
CLUSTER_LIST             Optional non-transitive
■ IGP: Has the highest priority. Routes added to the BGP routing table using the
network command have the IGP attribute.
■ EGP: Has the second highest priority. Routes obtained via EGP have the EGP
attribute.
■ incomplete: Has the lowest priority. The source of routes with this attribute is
unknown, which does not mean such routes are unavailable. The routes
redistributed from other routing protocols have the incomplete attribute.
2 AS_PATH
determine ASs to route messages back. The number of the AS closest to the
receiver’s AS is leftmost, as shown below:
[Figure: AS_PATH attribute. Destination 8.0.0.0 in AS 10 is advertised as
D=8.0.0.0 with AS_PATH (10), then (20,10) through AS 20, (30,20,10) through
AS 30, and (40,10) through AS 40, reaching AS 50]
To avoid routing loops, a BGP router in general does not accept routes that
contain the local AS number.
AS_PATH attribute can be used for route selection and filtering. BGP gives priority
to the route with the shortest AS_PATH length if other factors are the same. As
shown in the above figure, the BGP router in AS 50 gives priority to the route
passing AS 40 for sending information to the destination 8.0.0.0.
In some applications, you can apply a routing policy to control BGP route selection
by modifying the AS path length.
By configuring an AS path filtering list, you can filter routes based on AS numbers
contained in the AS_PATH attribute.
3 NEXT_HOP
Different from IGP, the NEXT_HOP attribute of BGP may not be the IP address of a
neighboring router. It involves three types of values, as shown in Figure 237.
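[Figure 237: NEXT_HOP attribute. Labels: AS 100, AS 200, AS 300, interfaces
1.1.1.1/24 and 1.1.2.1/24, destination 8.0.0.0; EBGP advertisements D=8.0.0.0
with NEXT_HOP=1.1.1.1 and with NEXT_HOP=1.1.2.1; IBGP advertisement D=8.0.0.0
with NEXT_HOP=1.1.2.1]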
4 MED (MULTI_EXIT_DISC)
The MED attribute is exchanged between two neighboring ASs, each of which will
not advertise the attribute to any other AS.
Similar to the metrics used by IGP, MED is used to determine the best route for
traffic going into an AS. When a BGP router obtains multiple routes to the same
destination but with different next hops, it considers the route with the smallest
MED value the best route if other conditions are the same. As shown below, traffic
from AS 10 to AS 20 travels through Router B, which is selected according to MED.
[Figure: MED attribute. Labels: AS 10, AS 20; Router A, Router B (2.1.1.1), Router C (3.1.1.1), Router D; network 9.0.0.0; EBGP and IBGP links; advertisements D=9.0.0.0 NEXT_HOP=2.1.1.1 MED=0 and D=9.0.0.0 NEXT_HOP=3.1.1.1 MED=100.]
5 LOCAL_PREF
This attribute is exchanged between IBGP peers only, thus not advertised to any
other AS. It indicates the priority of a BGP router.
LOCAL_PREF is used to determine the best route for traffic leaving the local AS.
When a BGP router obtains from several IBGP peers multiple routes to the same
destination but with different next hops, it considers the route with the highest
LOCAL_PREF value as the best route. As shown below, traffic from AS 20 to AS 10
travels through Router C that is selected according to LOCAL_PREF.
[Figure: LOCAL_PREF attribute. Labels: AS 10, AS 20; Router A, Router B (2.1.1.1), Router C (3.1.1.1), Router D; network 8.0.0.0; EBGP and IBGP links; advertisements NEXT_HOP=2.1.1.1 LOCAL_PREF=100 and D=8.0.0.0 NEXT_HOP=3.1.1.1 LOCAL_PREF=200.]
6 COMMUNITY
The COMMUNITY attribute is used to simplify routing policy usage and ease
management and maintenance. It is a collection of destination addresses having
identical attributes, without physical boundaries in between, having nothing to do
with local AS. Well known community attributes include:
■ Internet: By default, all routes belong to the Internet community. Routes with
this attribute can be advertised to all BGP peers.
■ No_Export: After received, routes with this attribute cannot be advertised out
the local AS or out the local confederation but can be advertised to other sub
ASs in the confederation (for confederation information, refer to “Settlements
for Problems Caused by Large Scale BGP Networks” on page 835).
■ No_Advertise: After received, routes with this attribute cannot be advertised to
other BGP peers.
■ No_Export_Subconfed: After received, routes with this attribute cannot be
advertised out the local AS or other ASs in the local confederation.
Currently, the system supports BGP load balancing based on route recursion,
that is, if reliable routes are load balanced (suppose there are three next hop
addresses), BGP generates the same number of next hops to forward packets. Note
that BGP load balancing based on route recursion is always enabled by the system
rather than configured using a command.
BGP differs from IGP in the implementation of load balancing in the following:
■ IGP routing protocols such as RIP, OSPF compute metrics of routes, and then
implement load balancing on routes with the same metric and to the same
destination. The route selection criterion is metric.
■ BGP has no route computation algorithm, so it cannot implement load
balancing according to metrics of routes. However, BGP has abundant route
selection rules, through which, it selects available routes for load balancing and
adds load balancing to route selection rules.
n ■ BGP implements load balancing only on routes that have the same AS_PATH
attribute, ORIGIN attribute, LOCAL_PREF and MED.
■ BGP load balancing is applicable between EBGPs, IBGPs and between
confederations.
■ If multiple routes to the same destination are available, BGP selects routes for
load balancing according to the configured maximum number of load
balanced routes.
[Figure: network diagram for BGP load balancing. Labels: AS 100, AS 200; Router A, Router B, Router C, Router D, Router E.]
In the above figure, Router D and Router E are IBGP peers of Router C. Router A
and Router B both advertise a route destined for the same destination to Router C.
If load balancing is configured and the two routes have the same AS_PATH
attribute, ORIGIN attribute, LOCAL_PREF and MED, Router C adds both routes to
its routing table for load balancing. After that, Router C forwards the route to
Router D and Router E only once, with AS_PATH unchanged and NEXT_HOP changed
to Router C’s address. Other BGP transitive attributes apply according to route
selection rules.
IBGP and IGP Information Synchronization
Routing information synchronization between IBGP and IGP avoids giving wrong
directions to routers outside of the local AS.
If a non-BGP router works in an AS, a packet forwarded via the router may be
discarded due to unreachable destination. As shown in Figure 241, Router E
learned a route 8.0.0.0/8 from Router D via BGP. Then Router E sends a packet to
Router A through Router D, which finds from its routing table that Router B is the
next hop (configured using the peer next-hop-local command). Since Router D
learned the route to Router B via IGP, it forwards the packet to Router C using
route recursion. Router C has no idea about the route 8.0.0.0/8, so it discards the
packet.
[Figure 241: IBGP and IGP synchronization. Surviving labels: AS 10, AS 20, AS 30, Router B, Router D.]
Currently, the system supports both manual and automatic summarization. The
latter provides for controlling the attribute of a summary route and deciding
whether to advertise the route.
Route dampening
BGP route dampening is used to solve the issue of route instability such as route
flaps, that is, a route comes up and disappears in the routing table frequently.
When a route flap occurs, the routing protocol sends an update to its neighbor,
and then the neighbor needs to recalculate routes and modify the routing table.
Therefore, frequent route flaps consume large bandwidth and CPU resources and can
even affect normal operation of the network.
In most cases, BGP is used in complex networks, where route changes are very
frequent. To solve the problem caused by route flaps, BGP uses route dampening
to suppress unstable routes.
BGP route dampening uses a penalty value to judge the stability of a route. The
bigger the value, the less stable the route. Each time a route flap occurs (the state
change of a route from active to inactive is a route flap), BGP adds a penalty value
(1000, which is a fixed number and cannot be changed) to the route. When the
penalty value of the route exceeds the suppress value, the route is suppressed,
that is, it is neither added into the routing table, nor advertised to other BGP
peers.
The penalty value of the suppressed route will reduce to half of the suppress value
after a period of time. This period is called Half-life. When the value decreases to
the reusable threshold value, the route is added into the routing table and
advertised to other BGP peers in update packets.
[Figure: BGP route dampening. Penalty value plotted against time, with the suppress threshold, reusable threshold, suppress time and half-life marked.]
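The penalty mechanics described above, as an added example that is not 3Com code. It assumes the usual exponential decay model in which the penalty halves once per half-life; the half-life, suppress and reuse values are constructed sample values, not defaults taken from this manual, and the class and function names are hypothetical.

```python
"""Route-flap dampening penalty model (added example, not 3Com code)."""
import math
from dataclasses import dataclass

FLAP_PENALTY = 1000.0  # fixed per-flap penalty stated in the text


@dataclass
class DampenedRoute:
    half_life: float    # seconds; constructed sample value
    suppress: float     # suppress threshold; constructed sample value
    reuse: float        # reusable threshold; constructed sample value
    penalty: float = 0.0
    suppressed: bool = False
    clock: float = 0.0  # time of the last penalty update, in seconds

    def __post_init__(self):
        if not (0 < self.reuse < self.suppress and self.half_life > 0):
            raise ValueError("need half_life > 0 and 0 < reuse < suppress")

    def _decay_to(self, now: float) -> None:
        """Halve the penalty once per elapsed half-life (assumed decay model)."""
        if now < self.clock:
            raise ValueError("time must not run backwards")
        self.penalty *= 0.5 ** ((now - self.clock) / self.half_life)
        self.clock = now
        if self.suppressed and self.penalty <= self.reuse:
            self.suppressed = False  # route may be installed and advertised again

    def flap(self, now: float) -> bool:
        """Record an active-to-inactive transition; return True if suppressed."""
        self._decay_to(now)
        self.penalty += FLAP_PENALTY
        if self.penalty > self.suppress:
            self.suppressed = True
        return self.suppressed

    def usable(self, now: float) -> bool:
        """True if the route may be used and advertised at time `now`."""
        self._decay_to(now)
        return not self.suppressed

    def seconds_until_reuse(self) -> float:
        """Seconds from the last update until the penalty reaches the reuse threshold."""
        if not self.suppressed:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse)


def replay(flap_times, half_life=900.0, suppress=2000.0, reuse=750.0):
    """Replay flap timestamps; return the route and (time, penalty, suppressed) per flap."""
    route = DampenedRoute(half_life, suppress, reuse)
    trace = []
    for t in flap_times:
        state = route.flap(t)
        trace.append((t, round(route.penalty, 1), state))
    return route, trace


if __name__ == "__main__":
    # Constructed input: three flaps one minute apart.
    route, trace = replay([0, 60, 120])
    for t, penalty, state in trace:
        print(f"t={t:>4}s penalty={penalty:>7} suppressed={state}")
    print(f"reusable about {route.seconds_until_reuse():.0f}s after the last flap")
```

With these sample thresholds the third flap in two minutes suppresses the route for roughly two half-lives, while two flaps an hour apart never reach the suppress threshold.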
Peer group
A peer group is a collection of peers with the same attributes. When a peer joins
the peer group, the peer obtains the same configuration as the peer group. If
configuration of the peer group is changed, configuration of group members is
also changed.
There are many peers in a large BGP network. Some of these peers may be
configured with identical commands. The peer group feature simplifies
configuration of this kind.
When a peer is added into a peer group, the peer enjoys the same route update
policy as the peer group, improving route distribution efficiency.
c CAUTION: If an option is configured both for a peer and for the peer group, the
latest configuration takes effect.
Community
A peer group makes peers in it enjoy the same policy, while a community makes a
group of BGP routers in several ASs enjoy the same policy. Community is a path
attribute and advertised between BGP peers, without being limited by AS.
A BGP router can modify the community attribute for a route before sending it to
other peers.
Besides using the well-known community attribute, you can define the extended
community attribute using a community list to help define a routing policy.
Route reflector
IBGP peers should be fully meshed to maintain connectivity. Suppose there are n
routers in an AS, the number of IBGP connections is n(n-1)/2. If there are many
IBGP peers, most network and CPU resources will be consumed.
Using route reflectors can solve the issue. In an AS, a router acts as a route
reflector, and other routers act as clients connecting to the route reflector. The
route reflector forwards (reflects) routing information between clients. BGP
connections between clients need not be established.
A router that is neither a route reflector nor a client is a non-client, which has to
establish connections to the route reflector and all non-clients, as shown below.
[Figure: network diagram for a route reflector. Labels: Route Reflector, Client, Non-Client, IBGP.]
The route reflector and clients form a cluster. In some cases, you can configure
more than one route reflector in a cluster to improve network reliability and
prevent single point failure, as shown in the following figure. The configured route
reflectors must have the same Cluster_ID to avoid routing loops.
[Figure: network diagram for multiple route reflectors. Labels: Route Reflector1, Route Reflector2, IBGP, Cluster.]
When clients of a route reflector are fully meshed, route reflection is unnecessary
because it consumes more bandwidth resources. The system supports using
related commands to disable route reflection in this case.
n After route reflection is disabled between clients, routes between clients and
non-clients can still be reflected.
Confederation
Confederation is another method to deal with growing IBGP connections in ASs. It
splits an AS into multiple sub ASs. In each sub AS, IBGP peers are fully meshed,
and EBGP connections are established between sub ASs, as shown below:
[Figure: confederation network diagram. Labels: AS 65002, AS 65003, AS 65004, AS 200, EBGP, IBGP.]
From the perspective of a non-confederation speaker, it need not know the sub ASs
in the confederation. The ID of the confederation is the number of the AS. In the
above figure, AS 200 is the confederation ID.
In large-scale BGP networks, both route reflector and confederation can be used.
BGP GR
1 To establish a BGP session with a peer, a BGP GR Restarter sends an OPEN message
with GR capability to the peer.
2 Upon receipt of this message, the peer is aware that the sending router is capable
of Graceful Restart, and sends an OPEN message with GR Capability to the GR
Restarter to establish a GR session. If neither party has the GR capability, the
session established between them will not be GR capable.
3 The GR session between the GR Restarter and its peer goes down when the GR
Restarter restarts BGP. The GR capable peer will mark all routes associated with the
GR Restarter as stale. However, during the configured GR Time, it still uses these
routes for packet forwarding, ensuring that no packet will be lost when routing
information from its peer is recollected.
4 After the restart, the GR Restarter will reestablish a GR session with its peer and
send a new GR message notifying the completion of restart. Routing information
is exchanged between them for the GR Restarter to create a new routing table
and forwarding table with stale routing information removed. Thus the BGP
routing convergence is complete.
MP-BGP Overview
The legacy BGP-4 supports IPv4, but does not support some other network layer
protocols like IPv6.
The above two attributes are both Optional non-transitive, so BGP speakers not
supporting multi-protocol ignore the two attributes, not forwarding them to
peers.
Address family
MP-BGP employs address family to differentiate network layer protocols. For
address family values, refer to RFC 1700 (Assigned Numbers). Currently, the
system supports multiple MP-BGP extensions, including VPN extension, IPv6
extension. Different extensions are configured in respective address family view.
n ■ For information about the VPN extension application, refer to “MPLS L3VPN
Configuration” on page 1459.
■ For information about the IPv6 extension application, refer to “IPv6 BGP
Configuration” on page 1015.
■ This chapter gives no detailed commands related to any specific extension
application in MP-BGP address family view.
BGP Configuration Task List
To configure BGP, perform the tasks described in the following sections:
Task    Description
“Configuring BGP Basic Functions” on page 841    Required
“Controlling Route Distribution and Reception” on page 843:
    “Configuring BGP Route Redistribution” on page 843    Optional
    “Configuring BGP Route Summarization” on page 843    Optional
    “Advertising a Default Route to a Peer or Peer Group” on page 844    Optional
    “Configuring BGP Route Distribution Policy” on page 844    Optional
    “Configuring BGP Route Reception Policy” on page 845    Optional
    “Enabling BGP and IGP Route Synchronization” on page 846    Optional
    “Configuring BGP Route Dampening” on page 846    Optional
“Configuring BGP Routing Attributes” on page 846    Required
“Tuning and Optimizing BGP Networks” on page 849    Required
“Configuring a Large Scale BGP Network” on page 851:
    “Configuring BGP Peer Groups” on page 851    Optional
    “Configuring BGP Community” on page 852    Optional
    “Configuring a BGP Route Reflector” on page 853    Optional
    “Configuring a BGP Confederation” on page 853    Optional
“Configuring BGP Graceful Restart” on page 853    Optional
n ■ This section does not differentiate between BGP and MP-BGP.
■ Since BGP employs TCP, you need to specify IP addresses of peers, which may
not be neighboring routers.
■ Using logical links can also establish BGP peer relationships.
■ In general, IP addresses of loopback interfaces are used to improve stability of
BGP connections.
Prerequisites
The neighboring nodes are accessible to each other at the network layer.
Configuration Procedure
To configure BGP basic functions, use the following commands:
c CAUTION:
■ It is required to specify for a BGP router a router ID, a 32-bit unsigned integer
and the unique identifier of the router in the AS.
■ You can specify a router ID manually. If not, the system selects an IP address as
the router ID. The selection sequence is the highest IP address among loopback
interface addresses; if not available, then the highest IP address of interfaces. It
is recommended to specify a loopback interface address as the router ID to
enhance network reliability. Only when the interface with the selected Router
ID or the manual Router ID is deleted will the system select another ID for the
router.
■ You need to create a peer group before configuring it. Refer to “Configuring
BGP Peer Groups” on page 851 for creating a peer group.
■ To establish multiple BGP connections between two devices, you need to
specify on the local router the respective source interfaces for establishing TCP
connections to the peers on the peering BGP router; otherwise, the local BGP
router may fail to establish TCP connections to the peers when using the
outbound interfaces of the best routes as the source interfaces.
■ In general, direct physical links should be available between EBGP peers. If not,
you can use the peer ebgp-max-hop command to establish a TCP connection
over multiple hops between two peers. You need not use this command for
directly connected EBGP peers, which employ loopback interfaces for peer
relationship establishment.
■ If you both reference a routing policy and use the peer { group-name |
ip-address } preferred-value value command to set a preferred value for
routes from a peer, the routing policy sets a non-zero preferred value for routes
matching it. Other routes not matching the routing policy use the value set
with the command. If the preferred value in the routing policy is zero, the
routes matching it will also use the value set with the command. For
information about using a routing policy to set a preferred value, refer to the
command peer { group-name | ip-address } route-policy route-policy-name
{ export | import } in this document, and the command apply
preferred-value preferred-value in “Routing Policy Configuration” on page
991.
Controlling Route Distribution and Reception
Prerequisites
Before configuring this task, you have completed BGP basic configuration.
Configuring BGP Route Redistribution
BGP can advertise the routing information of the local AS to peering ASs, but it
redistributes routing information from IGP into the BGP routing table rather than
discovering it by itself. During route redistribution, BGP can filter routing
information according to different routing protocols.
Configuring BGP Route Summarization
To reduce the routing table size on medium and large BGP networks, you need to
configure route summarization on peers. BGP supports two summarization types:
automatic and manual.
■ Automatic summarization: Summarizes redistributed IGP subnets. With the
feature configured, BGP advertises only summary natural networks rather than
subnets. The default route and routes imported using the network command
can not be summarized.
■ Manual summarization: Summarizes BGP local routes. The manual summary
routes have higher priority than automatic ones.
Advertising a Default Route to a Peer or Peer Group
To advertise a default route to a peer or peer group, use the following commands:
To do...    Use the command...    Remarks
Enter system view    system-view    -
Enter BGP view    bgp as-number    -
Advertise a default route to a peer or peer group    peer { group-name | ip-address } default-route-advertise [ route-policy route-policy-name ]    Required; not advertised by default
Configuring BGP Route Distribution Policy
To configure BGP route distribution policy, use the following commands:
To do...    Use the command...    Remarks
Enter system view    system-view    -
Enter BGP view    bgp as-number    -
Configuring BGP Route Reception Policy
To configure BGP routing reception policy, use the following commands:
To do...    Use the command...    Remarks
Enter system view    system-view    -
Enter BGP view    bgp as-number    -
Filter incoming routes    filter-policy { acl-number | ip-prefix ip-prefix-name } import    See the remarks for filtering commands below
Reference a routing policy to filter routes from a peer/peer group    peer { group-name | ip-address } route-policy policy-name import    See the remarks for filtering commands below
Reference an ACL to filter routing information from a peer/peer group    peer { group-name | ip-address } filter-policy acl-number import    See the remarks for filtering commands below
Reference an AS path ACL to filter routing information from a peer/peer group    peer { group-name | ip-address } as-path-acl as-path-acl-number import    See the remarks for filtering commands below
Reference an IP prefix list to filter routing information from a peer/peer group    peer { group-name | ip-address } ip-prefix ip-prefix-name import    See the remarks for filtering commands below
Specify the maximum number of routes that can be received from a peer/peer group    peer { group-name | ip-address } route-limit limit [ percentage ]    The number is unlimited by default.
Remarks for filtering commands: Required to choose any. No inbound filtering is
configured by default. You can configure a filtering policy as needed. If several
filtering policies are configured, they are applied in the following sequence:
■ filter-policy import
■ peer filter-policy import
■ peer as-path-acl import
■ peer ip-prefix import
■ peer route-policy import
Only routes that pass one policy go on to the next, and only routes that pass all
the configured policies are received.
c CAUTION:
■ Only routes permitted by the specified filter policy can be added into the local
BGP routing table.
■ Members of a peer group can have different inbound route filter policies from
the peer group.
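The inbound filtering sequence listed above, as an added example that is not 3Com code: each configured stage is applied in the documented order, unconfigured stages are skipped, and the first stage that rejects a route is reported. The filter contents, routes and helper names are constructed for illustration, and running the local-AS loop check before the filters is an assumption.

```python
"""Inbound BGP filter chain in the documented order (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Evaluation order taken from the remarks in the table above.
STAGES = (
    "filter-policy import",
    "peer filter-policy import",
    "peer as-path-acl import",
    "peer ip-prefix import",
    "peer route-policy import",
)


@dataclass(frozen=True)
class Route:
    prefix: str                # IPv4 prefix, e.g. "8.1.0.0/16"
    as_path: Tuple[int, ...]   # leftmost AS is the nearest one

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)

    @property
    def as_path_text(self) -> str:
        return " ".join(str(asn) for asn in self.as_path)


Predicate = Callable[[Route], bool]  # True means "permit"


def deny_within(*blocks: str) -> Predicate:
    """Permit everything except prefixes inside the given blocks."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    return lambda r: not any(r.network.subnet_of(n) for n in nets)


def permit_within(block: str, max_len: int) -> Predicate:
    """Permit only prefixes inside `block` that are no longer than `max_len`."""
    net = ipaddress.ip_network(block)
    return lambda r: r.network.subnet_of(net) and r.network.prefixlen <= max_len


def permit_as_path(pattern: str) -> Predicate:
    """Permit only routes whose AS_PATH text matches the regular expression."""
    rx = re.compile(pattern)
    return lambda r: rx.search(r.as_path_text) is not None


def evaluate(route: Route, local_as: int, stages: Dict[str, Predicate]):
    """Return (received, reason); reason names the first stage that rejected."""
    unknown = set(stages) - set(STAGES)
    if unknown:
        raise ValueError(f"unknown stage(s): {sorted(unknown)}")
    if local_as in route.as_path:          # loop avoidance (order is assumed)
        return False, "AS_PATH contains local AS"
    for name in STAGES:
        check = stages.get(name)
        if check is None:                  # stage not configured: skip it
            continue
        if not check(route):
            return False, name
    return True, "received"


# Constructed policy for a peer in AS 65008, seen from a router in AS 65009.
LOCAL_AS = 65009
PEER_POLICY = {
    "filter-policy import": deny_within("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "peer as-path-acl import": permit_as_path(r"^65008( |$)"),
    "peer ip-prefix import": permit_within("8.0.0.0/8", 24),
}

if __name__ == "__main__":
    samples = [  # constructed routes
        Route("8.1.0.0/16", (65008,)),
        Route("10.1.0.0/16", (65008,)),
        Route("8.1.1.0/24", (65010, 65008)),
        Route("8.1.1.128/25", (65008,)),
        Route("8.2.0.0/16", (65008, 65009)),
    ]
    for r in samples:
        print(r.prefix, r.as_path, evaluate(r, LOCAL_AS, PEER_POLICY))
```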
Enabling BGP and IGP Route Synchronization
By default, when a BGP router receives an IBGP route, it only checks the
reachability of the route’s next hop before advertisement. With BGP and IGP
synchronization configured, the BGP router cannot advertise the route to EBGP
peers unless the route is also available in the IGP routing table.
Configuring BGP Route Dampening
By configuring BGP route dampening, you can suppress unstable routes so that they
are neither added to the local routing table nor advertised to BGP peers.
n Using this command dampens only routes from EBGP peers rather than IBGP
peers.
Configuring BGP Routing Attributes
Prerequisites
Before configuring this task, you have configured BGP basic functions.
Configuration Procedure
You can use BGP route attributes to adjust BGP route selection policy.
c CAUTION:
■ Using a routing policy can set a preference for routes meeting its filtering
conditions. Routes not meeting the conditions use the default preference.
■ If other conditions are identical, the route with the smallest MED value is
selected as the best external route of the AS.
■ Using the peer next-hop-local command can specify the router as the next
hop for a peer/peer group. If BGP load balancing is configured, the router
specifies itself as the next hop for routes to a peer/peer group regardless of
whether the peer next-hop-local command is configured.
■ In a “third party next hop” network, that is, the two EBGP peers reside in a
common broadcast subnet, the BGP router does not specify itself as the next
hop for routes to the EBGP peer, unless the peer next-hop-local command is
configured.
■ In general, BGP checks whether the AS_PATH attribute of a route from a peer
contains the local AS number. If so, it discards the route to avoid routing loops.
■ You can specify a fake AS number to hide the real one as needed. The fake AS
number applies to EBGP peers only, that is, EBGP peers in other ASs can only
find the fake AS number.
When establishing a BGP connection, the two parties compare their holdtime
values, taking the shorter one as the common holdtime.
After modifying a route selection policy, you have to reset BGP connections to
make the new one take effect, causing a short time disconnection. The current
BGP implementation supports the route-refresh capability. With this capability
enabled on all BGP routers in a network, when a policy is modified on a router, the
router advertises a route-refresh message to its peers, which then resend their
routing information to the router. Therefore, the local router can perform dynamic
route update and apply the new policy without tearing down BGP connections.
BGP employs TCP as the transport protocol. To enhance security, you can
configure BGP to perform MD5 authentication when establishing a TCP
connection. BGP MD5 authentication is not for BGP packets. It is used to set
passwords for TCP connections. If the authentication fails, the TCP connection can
not be established.
Prerequisites
Before configuring this task, you have configured BGP basic functions.
Configuration Procedure
To tune and optimize BGP networks, use the following commands:
c CAUTION:
■ The maximum keepalive interval should be 1/3 of the holdtime and no less
than 1 second. The holdtime is no less than 3 seconds unless it is set to 0.
■ The intervals set with the peer timer command are preferred to those set with
the timer command.
■ Use of the peer keep-all-routes command saves all routing updates from the
peer regardless of whether the filtering policy is configured. The system uses
these updates to rebuild the routing table after a soft reset is triggered.
■ Performing BGP soft reset can refresh the routing table and apply the new
policy without tearing down BGP sessions.
■ BGP soft reset requires all routers in the network to have the route-refresh
capability. If not, you need to use the peer keep-all-routes command to keep all
routing information from a BGP peer to perform soft reset.
■ Configured in BGP view, MD5 authentication also applies to the MP-BGP
VPNv4 extension, because the same TCP connection is used.
Configuring a Large Scale BGP Network
In a large-scale BGP network, configuration and maintenance become difficult due
to so many peers. In this case, configuring peer groups makes management easier
and improves route distribution efficiency. Peer groups include the IBGP peer group,
where peers belong to the same AS, and the EBGP peer group, where peers belong to
different ASs. If peers in an EBGP group belong to the same external AS, the EBGP
peer group is a pure EBGP peer group, and if not, a mixed EBGP peer group.
Configuring a BGP community can also help simplify routing policy management,
and a community has a much larger management range than a peer group by
controlling routing policies of multiple BGP routers.
To guarantee connectivity between IBGP peers, you need to make them fully
meshed, but it becomes impractical when there are too many IBGP peers. Using a
route reflector or confederation can solve it. In a large-scale AS, both of them can
be used.
Configuration Prerequisites
Before configuring this task, you have made network layer accessible on peering
nodes.
c CAUTION:
■ You need not specify the AS number when creating an IBGP peer group.
■ If there are peers in a peer group, you can neither change the AS number of
the group nor use the undo command to remove the AS number.
■ You need to specify the AS number for each peer in a mixed EBGP peer group
respectively.
c CAUTION:
■ When configuring BGP community, you need to configure a routing policy to
define the community attribute, and apply the routing policy to route
advertisement.
■ For routing policy configuration, refer to “Routing Policy Configuration” on
page 991.
Configuring a BGP Route Reflector
To configure a BGP route reflector, use the following commands:
To do...    Use the command...    Remarks
Enter system view    system-view    -
Enter BGP view    bgp as-number    -
Configure the router as a route reflector and specify a peer/peer group as its client    peer { group-name | ip-address } reflect-client    Required; not configured by default
Enable route reflection between clients    reflect between-clients    Optional; enabled by default
Configure the cluster ID of the route reflector    reflector cluster-id cluster-id    Optional; by default, a route reflector uses its router ID as the cluster ID
c CAUTION:
■ In general, it is not required to make clients of a route reflector fully meshed.
The route reflector forwards routing information between clients. If clients are
fully meshed, you can disable route reflection between clients to reduce
routing costs.
■ In general, a cluster has only one route reflector, and the router ID is used to
identify the cluster. You can configure multiple route reflectors to improve
network stability. In this case, you need to specify the same cluster ID for these
route reflectors to avoid routing loops.
c CAUTION:
■ A confederation contains 32 sub ASs at most. The as-number of a sub AS takes
effect in the confederation only.
■ If routers not compliant with RFC 3065 exist in the confederation, you can use
the confederation nonstandard command to make the local router
compatible with these routers.
Configuring BGP Graceful Restart
Follow these steps to configure GR on the GR Restarter and the GR Helper:
n One device can act as both the GR Restarter and GR Helper at the same time.
n ■ In general, the maximum time allowed for the peer to reestablish a BGP session
should be less than the Holdtime carried in the OPEN message.
■ The End-of-RIB marker can be used to indicate that the updated routing
information has been sent.
Displaying and Maintaining BGP Configuration
Displaying BGP Configuration
To do...    Use the command...    Remarks
Display peer group information    display bgp group [ group-name ]    Available in any view
Display advertised BGP routing information    display bgp network
Display AS path information    display bgp paths [ as-regular-expression ]
Display BGP peer/peer group information    display bgp peer [ ip-address { log-info | verbose } | group-name log-info | verbose ]
Display BGP routing information    display bgp routing-table [ ip-address [ { mask | mask-length } [ longer-prefixes ] ] ]
Display routing information matching the AS path ACL    display bgp routing-table as-path-acl as-path-acl-number
Display BGP CIDR routing information    display bgp routing-table cidr
Display BGP routing information matching the specified BGP community    display bgp routing-table community [ aa:nn&<1-13> ] [ no-advertise | no-export | no-export-subconfed ]* [ whole-match ]
Display routing information matching a BGP community list    display bgp routing-table community-list { basic-community-list-number [ whole-match ] | adv-community-list-number }&<1-16>
Display BGP dampened routing information    display bgp routing-table dampened
Display BGP dampening parameter information    display bgp routing-table dampening parameter
Display BGP routing information originating from different ASs    display bgp routing-table different-origin-as
Display BGP routing flap statistics    display bgp routing-table flap-info [ regular-expression as-regular-expression | as-path-acl as-path-acl-number | ip-address [ { mask | mask-length } [ longer-match ] ] ]
Display routing information to or from a peer    display bgp routing-table peer ip-address { advertised-routes | received-routes } [ network-address [ mask | mask-length ] | statistic ]
Display routing information matching a regular expression    display bgp routing-table regular-expression as-regular-expression
Display BGP routing statistics    display bgp routing-table statistic
Resetting BGP Connections
To do...    Use the command...    Remarks
Reset all BGP connections    reset bgp all    Available in user view
Reset the BGP connections to an AS    reset bgp as-number
Reset the BGP connection to a peer    reset bgp ip-address [ flap-info ]
Reset all EBGP connections    reset bgp external
Reset the BGP connections to a peer group    reset bgp group group-name
Reset all IBGP connections    reset bgp internal
Reset all IPv4 unicast BGP connections    reset bgp ipv4 all
Clearing BGP Information
To do...    Use the command...    Remarks
Clear dampening routing information and release suppressed routes    reset bgp dampening [ ip-address [ mask | mask-length ] ]    Available in user view
Clear route flap information    reset bgp flap-info [ regexp as-path-regexp | as-path-acl as-path-acl-number | ip-address [ mask | mask-length ] ]
BGP Typical Configuration Examples
Network diagram
[Figure: network diagram. Surviving labels: interfaces S2/2, S2/1 and Eth1/0; addresses 9.1.3.1/24, 9.1.2.2/24 and 8.1.1.1/8.]
Configuration procedure
1 Configure IP addresses for interfaces (omitted)
2 Configure IBGP connections
# Configure Router B.
<RouterB> system-view
[RouterB] bgp 65009
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] peer 9.1.1.2 as-number 65009
[RouterB-bgp] peer 9.1.3.2 as-number 65009
[RouterB-bgp] quit
# Configure Router C.
<RouterC> system-view
[RouterC] bgp 65009
[RouterC-bgp] router-id 3.3.3.3
[RouterC-bgp] peer 9.1.3.1 as-number 65009
[RouterC-bgp] peer 9.1.2.2 as-number 65009
[RouterC-bgp] quit
# Configure Router D.
<RouterD> system-view
[RouterD] bgp 65009
[RouterD-bgp] router-id 4.4.4.4
[RouterD-bgp] peer 9.1.1.1 as-number 65009
[RouterD-bgp] peer 9.1.2.1 as-number 65009
[RouterD-bgp] quit
3 Configure the EBGP connection
# Configure Router A.
<RouterA> system-view
[RouterA] bgp 65008
[RouterA-bgp] router-id 1.1.1.1
[RouterA-bgp] peer 200.1.1.1 as-number 65009
# Configure Router B.
You can find Router B has established BGP connections to other routers.
n From above outputs, you can find Router A learned no route to AS65009, and
Router C learned network 8.0.0.0 but the next hop 200.1.1.2 is unreachable, thus
the route is invalid.
4 Redistribute direct routes
# Configure Router B.
You can find the route 8.0.0.0 becomes valid with the next hop as Router A.
Network diagram
Figure 247 Network diagram for BGP and IGP interaction configuration
[Figure labels: AS 65008, AS 65009; Router A, Router B, Router C; interfaces Eth1/0, S2/0, S2/1; addresses 8.1.1.1/24, 3.1.1.2/24, 3.1.1.1/24, 9.1.1.1/24, 9.1.1.2/24, 9.1.2.1/24.]
Configuration procedure
1 Configure IP addresses for interfaces (omitted)
2 Configure OSPF (omitted)
3 Configure the EBGP connection
# Configure Router A.
<RouterA> system-view
[RouterA] bgp 65008
[RouterA-bgp] router-id 1.1.1.1
[RouterA-bgp] peer 3.1.1.1 as-number 65009
# Configure Router B.
<RouterB> system-view
[RouterB] bgp 65009
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] peer 3.1.1.2 as-number 65008
[RouterB-bgp] quit
4 Configure BGP and IGP interaction
[RouterB] ospf
[RouterB-ospf-1] import-route bgp
[RouterB-ospf-1] quit
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 15/37/47 ms
As shown in the figure below, all routers run BGP. Router A resides in AS
65008, and Router B and Router C reside in AS 65009. EBGP connections run between
Router A and Router B and between Router A and Router C, and an IBGP connection
runs between Router B and Router C.
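Network diagram
[Diagram not reproduced. Router A (AS 65008): Eth1/0 8.1.1.1/8, S2/0 200.1.1.2/24,
S2/1 200.1.2.2/24. Router B (AS 65009): S2/0 200.1.1.1/24, Eth1/0 9.1.1.1/24.
Router C (AS 65009): S2/1 200.1.2.1/24, Eth1/0 9.1.1.2/24. The links from Router A
to Router B and to Router C are EBGP; the link between Router B and Router C is IBGP.]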
Configuration procedure
1 Configure IP addresses for interfaces (omitted)
2 Configure BGP connections
# Configure Router A.
<RouterA> system-view
[RouterA] bgp 65008
[RouterA-bgp] router-id 1.1.1.1
[RouterA-bgp] peer 200.1.1.1 as-number 65009
[RouterA-bgp] peer 200.1.2.1 as-number 65009
[RouterA-bgp] network 8.0.0.0 255.0.0.0
[RouterA-bgp] quit
# Configure Router B.
<RouterB> system-view
[RouterB] bgp 65009
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] peer 200.1.1.2 as-number 65008
[RouterB-bgp] peer 9.1.1.2 as-number 65009
[RouterB-bgp] network 9.1.1.0 255.255.255.0
[RouterB-bgp] quit
# Configure Router C.
<RouterC> system-view
[RouterC] bgp 65009
[RouterC-bgp] router-id 3.3.3.3
[RouterC-bgp] peer 200.1.2.2 as-number 65008
[RouterC-bgp] peer 9.1.1.1 as-number 65009
[RouterC-bgp] network 9.1.1.0 255.255.255.0
[RouterC-bgp] quit
From the above output, you can find two routes to the destination 9.1.1.0/24 are
available, and the route with the next hop 200.1.1.1 is the best route because
Router B has a smaller router ID than Router C.
# Configure Router A.
From the above output, you can find two routes to the destination 9.1.1.0/24 are
available, and both of them are best routes.
From the above information, you can find the route with the next hop 200.1.2.1 is
the best route, because its MED (0) is smaller than the MED (100) of the other
route with the next hop 200.1.1.1 (Router B).
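Network diagram
[Diagram not reproduced. Router A (AS 10): Eth1/0 9.1.1.1/24, S2/1 200.1.2.1/24.
Router B (AS 20): S2/1 200.1.2.2/24, S2/2 200.1.3.1/24. Router C (AS 30): S2/2
200.1.3.2/24. The links between Router A and Router B and between Router B and
Router C are EBGP.]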
Configuration procedure
1 Configure IP addresses for interfaces (omitted)
2 Configure EBGP connections.
# Configure Router A.
<RouterA> system-view
[RouterA] bgp 10
[RouterA-bgp] router-id 1.1.1.1
[RouterA-bgp] peer 200.1.2.2 as-number 20
[RouterA-bgp] network 9.1.1.0 255.255.255.0
[RouterA-bgp] quit
# Configure Router B.
<RouterB> system-view
[RouterB] bgp 20
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] peer 200.1.2.1 as-number 10
[RouterB-bgp] peer 200.1.3.2 as-number 30
[RouterB-bgp] quit
# Configure Router C.
<RouterC> system-view
[RouterC] bgp 30
[RouterC-bgp] router-id 3.3.3.3
[RouterC-bgp] peer 200.1.3.1 as-number 20
[RouterC-bgp] quit
[RouterA] bgp 10
[RouterA-bgp] peer 200.1.2.2 route-policy comm_policy export
[RouterA-bgp] peer 200.1.2.2 advertise-community
You can find the configured community attribute in the above output. At this
time, the route to the destination 9.1.1.0/24 is not available in the routing table of
Router C.
Network diagram
[Diagram not reproduced. Router A (AS 100): Eth1/0 1.1.1.1/8, S2/0 192.1.1.1/24.
AS 200: Router B (S2/0 192.1.1.2/24, S2/1 193.1.1.2/24), Router C, the route
reflector (S2/1 193.1.1.1/24, S2/0 194.1.1.1/24), and Router D (S2/0 194.1.1.2/24).]
Configuration procedure
1 Configure IP addresses for interfaces (omitted)
2 Configure BGP connections (omitted)
# Configure Router A
<RouterA> system-view
[RouterA] bgp 100
[RouterA-bgp] peer 192.1.1.2 as-number 200
# Configure Router B
<RouterB> system-view
[RouterB] bgp 200
[RouterB-bgp] peer 192.1.1.1 as-number 100
[RouterB-bgp] peer 193.1.1.1 as-number 200
[RouterB-bgp] peer 193.1.1.1 next-hop-local
[RouterB-bgp] quit
# Configure Router C
<RouterC> system-view
[RouterC] bgp 200
[RouterC-bgp] peer 193.1.1.2 as-number 200
[RouterC-bgp] peer 194.1.1.2 as-number 200
[RouterC-bgp] quit
# Configure Router D
<RouterD> system-view
[RouterD] bgp 200
[RouterD-bgp] peer 194.1.1.1 as-number 200
[RouterD-bgp] quit
3 Configure route reflector
# Configure Router C
Network diagram
[Diagram not reproduced. Router F is in AS 100. AS 200 contains Router A, Router D
and Router E in AS 65001, Router B in AS 65002 and Router C in AS 65003. Interface
addresses are listed in the following table.]
Device | Interface | IP address
Router A | S2/1 | 200.1.1.1/24
Router A | Eth1/0 | 10.1.1.1/24
Router A | Eth1/1 | 10.1.2.1/24
Router A | Eth1/2 | 10.1.3.1/24
Router A | Eth1/3 | 10.1.4.1/24
Router B | Eth1/0 | 10.1.1.2/24
Router C | Eth1/0 | 10.1.2.2/24
Router D | Eth1/0 | 10.1.3.2/24
Router D | Eth1/1 | 10.1.5.1/24
Router E | Eth1/0 | 10.1.4.2/24
Router E | Eth1/1 | 10.1.5.2/24
Router F | Eth1/0 | 9.1.1.1/24
Router F | S2/0 | 200.1.1.2/24
Configuration procedure
1 Configure IP addresses for interfaces (omitted)
2 Configure BGP confederation
# Configure Router A.
<RouterA> system-view
[RouterA] bgp 65001
[RouterA-bgp] router-id 1.1.1.1
[RouterA-bgp] confederation id 200
[RouterA-bgp] confederation peer-as 65002 65003
[RouterA-bgp] peer 10.1.1.2 as-number 65002
[RouterA-bgp] peer 10.1.1.2 next-hop-local
[RouterA-bgp] peer 10.1.2.2 as-number 65003
[RouterA-bgp] peer 10.1.2.2 next-hop-local
[RouterA-bgp] quit
# Configure Router B.
<RouterB> system-view
[RouterB] bgp 65002
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] confederation id 200
[RouterB-bgp] confederation peer-as 65001 65003
[RouterB-bgp] peer 10.1.1.1 as-number 65001
[RouterB-bgp] quit
# Configure Router C.
<RouterC> system-view
[RouterC] bgp 65003
[RouterC-bgp] router-id 3.3.3.3
[RouterC-bgp] confederation id 200
[RouterC-bgp] confederation peer-as 65001 65002
[RouterC-bgp] peer 10.1.2.1 as-number 65001
[RouterC-bgp] quit
3 Configure IBGP connections in AS 65001.
# Configure Router A.
# Configure Router D.
<RouterD> system-view
[RouterD] bgp 65001
[RouterD-bgp] router-id 4.4.4.4
[RouterD-bgp] confederation id 200
[RouterD-bgp] confederation 200
[RouterD-bgp] peer 10.1.3.1 as-number 65001
[RouterD-bgp] peer 10.1.5.2 as-number 65001
[RouterD-bgp] quit
# Configure Router E.
<RouterE> system-view
[RouterE] bgp 65001
[RouterE-bgp] router-id 5.5.5.5
# Configure Router A.
# Configure Router F.
<RouterF> system-view
[RouterF] bgp 100
[RouterF-bgp] router-id 6.6.6.6
[RouterF-bgp] peer 200.1.1.1 as-number 200
[RouterF-bgp] network 9.1.1.0 255.255.255.0
[RouterF-bgp] quit
5 Verify the configuration.
Network diagram
[Diagram not reproduced. Router A connects to Router B and Router C; Router B,
Router C and Router D are in AS 200. Interface addresses are listed in the
following table.]
Device | Interface | IP address
Router A | Eth1/0 | 1.0.0.0/8
Router A | S2/0 | 192.1.1.1/24
Router A | S2/1 | 193.1.1.1/24
Router B | S2/0 | 192.1.1.2/24
Router B | S2/1 | 194.1.1.2/24
Router C | S2/0 | 195.1.1.2/24
Router C | S2/1 | 193.1.1.2/24
Router D | S2/0 | 195.1.1.1/24
Router D | S2/1 | 194.1.1.1/24
Configuration procedure
1 Configure IP addresses for interfaces (omitted)
2 Configure OSPF on routers B, C and D
# Configure Router B
<RouterB> system-view
[RouterB] ospf
[RouterB-ospf] area 0
[RouterB-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 194.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
# Configure Router C
<RouterC> system-view
[RouterC] ospf
[RouterC-ospf] area 0
[RouterC-ospf-1-area-0.0.0.0] network 193.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] network 195.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
[RouterC-ospf-1] quit
# Configure Router D
<RouterD> system-view
[RouterD] ospf
[RouterD-ospf] area 0
[RouterD-ospf-1-area-0.0.0.0] network 194.1.1.0 0.0.0.255
[RouterD-ospf-1-area-0.0.0.0] network 195.1.1.0 0.0.0.255
[RouterD-ospf-1-area-0.0.0.0] quit
[RouterD-ospf-1] quit
3 Configure BGP connections
# Configure Router A
<RouterA> system-view
[RouterA] bgp 100
[RouterA-bgp] peer 192.1.1.2 as-number 200
[RouterA-bgp] peer 193.1.1.2 as-number 200
# Configure Router B
# Configure Router C
# Configure Router D
# Define routing policy apply_med_50 that sets the MED value of route 1.0.0.0/8
to 50, and routing policy apply_med_100 that sets the MED value of route
1.0.0.0/8 to 100.
■ Specify different local priorities for route 1.0.0.0/8 on Router B and C to make
Router D give priority to the route learned from Router C.
# Define routing policy localpref on Router C to set the local priority of route
1.0.0.0/8 to 200 (the default is 100).
# Apply the routing policy localpref to the route from the peer at 193.1.1.1 on
Router C.
Troubleshooting BGP Configuration
Analysis
To become BGP peers, any two routers need to establish a TCP session using port
179 and exchange open messages successfully.
Processing steps
1 Use the display current-configuration command to verify the peer’s AS number.
2 Use the display bgp peer command to verify the peer’s IP address.
3 If the loopback interface is used, check whether the peer connect-interface
command is configured.
4 If the peer is a non-direct EBGP peer, check whether the peer ebgp-max-hop
command is configured.
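Steps 1 and 2 can be checked offline across a set of saved configurations. The following is an added example, not 3Com code: it parses the Router A, B and C peer statements from the three-router configuration example above and reports AS-number mismatches and missing reverse peer statements. The function names and the address-to-router map are assumptions made for the example; the addresses come from that example's network diagram.

```python
import re

PROMPT = re.compile(r"^[<\[][^\]>]*[\]>]\s*")  # "<RouterA> " or "[RouterA-bgp] "

def parse_bgp(config):
    """Return (local_as, {peer_ip: remote_as}) from the session lines."""
    local_as, peers = None, {}
    for raw in config.splitlines():
        line = PROMPT.sub("", raw.strip())
        m = re.fullmatch(r"bgp (\d+)", line)
        if m:
            local_as = int(m.group(1))
        m = re.fullmatch(r"peer (\S+) as-number (\d+)", line)
        if m:
            peers[m.group(1)] = int(m.group(2))
    return local_as, peers

def lint_peers(configs, owner):
    """configs: router name -> config text; owner: interface IP -> router name."""
    parsed = {name: parse_bgp(text) for name, text in configs.items()}
    problems = []
    for router, (_, peers) in parsed.items():
        for ip, remote_as in peers.items():
            far = owner.get(ip)
            if far not in parsed:
                problems.append(f"{router}: peer {ip} is not a known router address")
                continue
            far_as, far_peers = parsed[far]
            if far_as != remote_as:  # step 1: the configured AS number is wrong
                problems.append(f"{router}: peer {ip} as-number {remote_as}, "
                                f"but {far} runs bgp {far_as}")
            if not any(owner.get(p) == router for p in far_peers):  # step 2
                problems.append(f"{router}: {far} has no peer statement pointing back")
    return problems

# Peer statements copied from the configuration example on this page.
CONFIGS = {
    "RouterA": """<RouterA> system-view
[RouterA] bgp 65008
[RouterA-bgp] peer 200.1.1.1 as-number 65009
[RouterA-bgp] peer 200.1.2.1 as-number 65009""",
    "RouterB": """<RouterB> system-view
[RouterB] bgp 65009
[RouterB-bgp] peer 200.1.1.2 as-number 65008
[RouterB-bgp] peer 9.1.1.2 as-number 65009""",
    "RouterC": """<RouterC> system-view
[RouterC] bgp 65009
[RouterC-bgp] peer 200.1.2.2 as-number 65008
[RouterC-bgp] peer 9.1.1.1 as-number 65009""",
}
# Interface addresses of the same example (from its network diagram).
OWNER = {"200.1.1.2": "RouterA", "200.1.2.2": "RouterA",
         "200.1.1.1": "RouterB", "9.1.1.1": "RouterB",
         "200.1.2.1": "RouterC", "9.1.1.2": "RouterC"}

if __name__ == "__main__":
    # Constructed fault: Router B is given the wrong AS number for Router A.
    broken = dict(CONFIGS, RouterB=CONFIGS["RouterB"].replace("65008", "65080"))
    for label, cfg in (("as documented", CONFIGS), ("broken", broken)):
        print(label, lint_peers(cfg, OWNER) or "no problems")
```

The check does not cover steps 3 and 4, which depend on whether a loopback address or a non-direct EBGP peer is used.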
The IS-IS routing protocol has been modified and extended in RFC 1195 by the
Internet Engineering Task Force (IETF) for application in both TCP/IP and OSI
reference models, and the new one is called Integrated IS-IS or Dual IS-IS.
■ Link State Protocol Data Unit (LSP). Each IS can generate an LSP which contains
all the link state information of the IS. Each IS collects all the LSPs in the local
area to generate its own LSDB.
■ Network Protocol Data Unit (NPDU). An NPDU is a network layer protocol
packet in ISO, which is equivalent to an IP packet in TCP/IP.
■ Designated IS. On a broadcast network, the designated intermediate system is
also known as the designated IS or a pseudonode.
■ Network service access point (NSAP). The NSAP is the ISO network layer
address. It identifies an abstract network service access point and describes the
network address in the ISO reference model.
As shown in Figure 253, the NSAP address consists of the Initial Domain Part (IDP)
and the Domain Specific Part (DSP). The IDP is equivalent to the network ID of an
IP address, and the DSP is equivalent to the subnet and host IDs.
The IDP, defined by ISO, includes the Authority and Format Identifier (AFI) and the
Initial Domain Identifier (IDI).
The DSP includes the High Order DSP (HODSP), the System ID and SEL, where the
HODSP identifies the area, the System ID identifies the host, and the SEL indicates
the type of service.
The length of IDP and DSP is variable. The length of the NSAP address varies from
8 bytes to 20 bytes.
[Figure 253 not reproduced: it shows the IDP and DSP parts of the NSAP address and
the span of the area address.]
2 Area address
The area address is composed of the IDP and the HODSP of the DSP, which identify
the area and the routing domain. Different routing domains cannot have the same
area address.
Generally, a router only needs one area address, and all nodes in the same routing
domain must share the same area address. However, a router can have three area
addresses at most to support smooth area merging, partitioning and switching.
3 System ID
The system ID identifies the host or router uniquely. It has a fixed length of 48 bits
(6 bytes).
In practice, the system ID is used together with the Router ID. For example, if a
router uses the IP address 168.10.1.1 of Loopback 0 as the Router ID, the
system ID in IS-IS can be obtained in the following way:
■ Extend each decimal number of the IP address to 3 digits by adding 0s from the
left, like 168.010.001.001;
■ Divide the extended IP address into 3 sections with 4 digits in each section to
get the System ID 1680.1000.1001.
There are other methods to define a system ID. Just make sure it can uniquely
identify a host or router.
4 SEL
The NSAP Selector (SEL), sometimes written as N-SEL, is similar to the protocol
identifier in IP. Different transport layer protocols use different SELs. All SELs in IP
are 00.
5 Routing method
Since the area is explicitly defined in the address structure, the Level-1 router can
easily recognize the packets sent out of the area. These packets are forwarded to
the Level-2 router.
The Level-1 router makes routing decisions based on the system ID. If the
destination is not in the area, the packet is forwarded to the nearest Level-1-2
router.
The Level-2 router routes packets across areas according to the area address.
NET
The Network Entity Title (NET) is an NSAP with SEL of 0. It indicates the network
layer information of the IS itself, where SEL=0 means no transport layer
information. Therefore, the length of NET is equal to NSAP, in the range 8 bytes to
20 bytes.
Generally, a router only needs one NET, but it can have three NETs at most for
smooth area merging and partitioning. When you configure multiple NETs, make
sure their system IDs are the same.
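The system ID derivation and the NET rules above can be checked mechanically before a NET is committed to a router. The following is an added example, not 3Com code: it derives the system ID from a Router ID as described, splits a NET into area address, system ID and SEL, and flags NET sets that break the stated limits. The function names and the area values 49.0001 and 49.0002 are constructed for the example.

```python
import ipaddress

def system_id_from_router_id(router_id):
    """168.10.1.1 -> 168.010.001.001 -> 1680.1000.1001 (method from the text)."""
    octets = ipaddress.IPv4Address(router_id).packed
    digits = "".join(f"{o:03d}" for o in octets)   # 12 decimal digits
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def parse_net(net):
    """Split a dotted-hex NET into area address, system ID and SEL."""
    try:
        raw = bytes.fromhex(net.replace(".", ""))
    except ValueError:
        raise ValueError(f"{net}: not a whole number of hex bytes") from None
    if not 8 <= len(raw) <= 20:
        raise ValueError(f"{net}: length is {len(raw)} bytes, expected 8 to 20")
    if raw[-1] != 0:
        raise ValueError(f"{net}: SEL is {raw[-1]:02x}, a NET requires 00")
    sysid = raw[-7:-1].hex()                       # fixed 6-byte system ID
    return {
        "area": raw[:-7].hex(),                    # IDP plus HODSP
        "system_id": ".".join(sysid[i:i + 4] for i in (0, 4, 8)),
        "sel": raw[-1],
    }

def lint_nets(nets):
    """Check the NETs configured on one router against the rules in the text."""
    problems, parsed = [], []
    for net in nets:
        try:
            parsed.append(parse_net(net))
        except ValueError as exc:
            problems.append(str(exc))
    if len(nets) > 3:
        problems.append("a router can have three NETs at most")
    if len({p["system_id"] for p in parsed}) > 1:
        problems.append("NETs on one router must share one system ID")
    return problems

if __name__ == "__main__":
    sysid = system_id_from_router_id("168.10.1.1")
    print(sysid)
    # Constructed NETs for one router during an area merge.
    nets = [f"49.0001.{sysid}.00", f"49.0002.{sysid}.00"]
    print([parse_net(n) for n in nets], lint_nets(nets))
    print(lint_nets(nets + ["49.0003.1680.1000.1002.00"]))
```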
The Level-1 router only establishes the neighbor relationship with Level-1 and
Level-1-2 routers in the same area. The LSDB maintained by the Level-1 router
contains the local area routing information. It directs the packets out of the area to
the nearest Level-1-2 router.
2 Level-2 router
The Level-2 router establishes the neighbor relationships with the Level-2 and
Level-1-2 routers in the same or in different areas. It maintains a Level-2 LSDB
which contains inter area routing information. All the Level-2 and Level-1-2
routers form the backbone in a routing domain. The backbone must be physically
contiguous. Only Level-2 routers can directly communicate with routers outside
the routing domain.
3 Level-1-2 router
A router with both Level-1 and Level-2 router functions is called a Level-1-2 router.
It can establish the Level-1 neighbor relationship with the Level-1 and Level-1-2
routers in the same area, or establish Level-2 neighbor relationship with the
Level-2 and Level-1-2 routers in different areas. A Level-1 router must be
connected to other areas via a Level-1-2 router. The Level-1-2 router maintains
two LSDBs, where the Level-1 LSDB is for routing within the area, and the Level-2
LSDB is for routing between areas.
Note:
■ The Level-1 routers in different areas cannot establish the neighbor
relationship.
■ The neighbor relationship establishment of Level-2 routers has nothing to do
with area.
Figure 254 shows a network topology running the IS-IS protocol. Area 1 is a set of
Level-2 routers, called backbone network. The other four areas are non-backbone
networks connected to the backbone through Level-1-2 routers.
[Figure 254 not reproduced: Area 1 contains Level-2 routers; Area 2, Area 3, Area 4
and Area 5 contain Level-1 routers and connect to Area 1 through Level-1-2 routers.]
Figure 255 shows another network topology running the IS-IS protocol. The
Level-1-2 routers connect the Level-1 and Level-2 routers, and also form the IS-IS
backbone together with the Level-2 routers. There is no area defined as the
backbone in this topology. The backbone is composed of all contiguous Level-2
and Level-1-2 routers which can reside in different areas.
[Figure 255 not reproduced: Area 1 to Area 4 contain Level-1, Level-1-2 and Level-2
routers, with no single area acting as the backbone.]
Both the IS-IS Level-1 and Level-2 routers use the SPF algorithm to generate the
Shortest Path Tree (SPT).
By having this function, you can prevent the Level-1 hello packets from
propagating to the Level-2 backbone through the Level-1-2 router. This can result
in bandwidth saving.
Route leaking
An IS-IS routing domain is comprised of only one Level-2 area and multiple Level-1
areas. A Level-1 area is connected with the Level-2 area rather than other Level-1
areas.
The routing information of the Level-1 area is sent to the Level-2 area through the
Level-1-2 router. Therefore, the Level-2 router knows the routing information of
the entire IS-IS routing domain but does not share the information with the
Level-1 area by default.
Since the Level-1 router simply sends the routing information for destinations
outside the area to the nearest Level-1-2 router, this may cause a problem that the
best path cannot be selected.
To solve this problem, route leaking was introduced. The Level-2 router can
advertise the Level-2 routing information to a specified Level-1 area. By having the
routing information of other areas, the Level-1 router can make a better routing
choice for the packets destined outside the area.
Note: For the Non-Broadcast Multi-Access (NBMA) network, such as ATM, you need to
configure point-to-point or broadcast network on its configured subinterfaces.
IS-IS does not run on Point to Multipoint (P2MP) links.
The Level-1 and Level-2 DISs are selected separately. You can assign different
priorities for different level DIS selections. The higher a router’s priority is, the more
likely the router is to become the DIS. If there are multiple routers with the same
highest DIS priority, the one with the highest SNPA (Subnetwork Point of
Attachment) address (which is the MAC address on a broadcast network) will be
selected. A router can be the DIS for different levels.
As shown in Figure 256, the same level routers and non-DIS routers on the same
network segment can establish adjacencies. This is different from OSPF.
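[Figure 256 not reproduced: L1/L2, L1 and L2 routers on one broadcast segment, with
the L1 adjacencies, the L2 adjacencies and the DIS of each level marked.]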
The DIS creates and updates pseudonodes as well as their LSP to describe all
routers on the network.
The pseudonode emulates a virtual node on the broadcast network. It is not a real
router. In IS-IS, it is identified by the system ID and one byte Circuit ID (a non zero
value) of the DIS.
Using pseudonodes can reduce LSPs, the resources used by SPF and simplify the
network topology.
Note: On IS-IS broadcast networks, all routers are adjacent with each other. The DIS is
responsible for the synchronization of their LSDBs.
PDU layout: PDU common header | PDU specific header | Variable length fields (CLV)
Field | No. of Octets
Intradomain routing protocol discriminator | 1
Length indicator | 1
Version/Protocol ID extension | 1
ID length | 1
R R R PDU type | 1
Version | 1
Reserved | 1
Hello
The hello packet is used by routers to establish and maintain the neighbor
relationship. It is also called IS-to-IS hello PDU (IIH). For broadcast network, the
Level-1 router uses the Level-1 LAN IIH; and the Level-2 router uses the Level-2
LAN IIH. The P2P IIH is used on point-to-point network.
Figure 259 illustrates the hello packet format in broadcast networks, where the
blue fields are the common header.
Field | No. of Octets
Intradomain routing protocol discriminator | 1
Length indicator | 1
Version/Protocol ID extension | 1
ID length | 1
R R R PDU type | 1
Version | 1
Reserved | 1
Reserved/Circuit type | 1
Source ID | ID length
Holding time | 2
PDU length | 2
R Priority | 1
LAN ID | ID length+1
■ Reserved/Circuit Type: The first 6 bits are reserved with value 0. The last 2 bits
indicate the router type: 00 means reserved, 01 indicates L1, 10 indicates L2, and
11 indicates L1/2.
■ Source ID: The system ID of the router advertising the hello packet.
■ Holding Time: If no hello packets are received from a neighbor within the
holding time, the neighbor is considered dead.
■ PDU Length: The total length of the PDU in bytes.
■ Priority: DIS priority.
■ LAN ID: Includes the system ID and one byte pseudonode ID.
Figure 260 shows the hello packet format on the point-to-point network.
Field | No. of Octets
Intradomain routing protocol discriminator | 1
Length indicator | 1
Version/Protocol ID extension | 1
ID length | 1
R R R PDU type | 1
Version | 1
Reserved | 1
Source ID | ID length
Holding time | 2
PDU length | 2
Local Circuit ID | 1
Instead of the priority and LAN ID fields in the LAN IIH, the P2P IIH has a Local
Circuit ID field.
Two types of LSPs have the same format, as shown in Figure 261.
Field | No. of Octets
Intradomain routing protocol discriminator | 1
Length indicator | 1
Version/Protocol ID extension | 1
ID length | 1
R R R PDU type | 1
Version | 1
Reserved | 1
Remaining lifetime | 2
LSP ID | ID length+2
Sequence number | 4
Checksum | 2
P ATT OL IS type | 1
SNP format
The Sequence Number PDU (SNP) confirms the latest received LSPs. It is similar to
the Acknowledge packet, but more efficient.
SNP contains Complete SNP (CSNP) and Partial SNP (PSNP), which are further
divided into Level-1 CSNP, Level-2 CSNP, Level-1 PSNP and Level-2 PSNP.
CSNP covers the summary of all LSPs in the LSDB to synchronize the LSDB between
neighboring routers. On broadcast networks, CSNP is sent by the DIS periodically
(10s by default). On point-to-point networks, CSNP is only sent during the first
adjacency establishment.
Field | No. of Octets
Intradomain routing protocol discriminator | 1
Length indicator | 1
Version/Protocol ID extension | 1
ID length | 1
R R R PDU type | 1
Version | 1
Reserved | 1
Source ID | ID length+1
PSNP only contains the sequence numbers of one or multiple latest received LSPs.
It can acknowledge multiple LSPs at one time. When LSDBs are not synchronized,
a PSNP is used to request new LSPs from neighbors.
Field | No. of Octets
Intradomain routing protocol discriminator | 1
Length indicator | 1
Version/Protocol ID extension | 1
ID length | 1
R R R PDU type | 1
Version | 1
Reserved | 1
Source ID | ID length+1
Variable length fields |
CLV
The variable fields of PDU are composed of multiple Code-Length-Value (CLV)
triplets. Figure 265 shows the CLV format.
Field | No. of Octets
Code | 1
Length | 1
Value | Length
Code 1 to 10 of CLV are defined in ISO 10589 (code 3 and 5 are not shown in the
table), and others are defined in RFC 1195.
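The LAN IIH layout and the CLV triplets can be decoded with a bounds check on every length field, so that a malformed hello is rejected rather than read past its end. The following is an added example, not 3Com code. It assumes values from ISO 10589 that the figures on this page do not give: the discriminator 0x83, PDU types 15 and 16 for Level-1 and Level-2 LAN IIHs, and an eighth common-header octet (maximum area addresses). The sample packet is constructed.

```python
import struct

LAN_IIH_TYPES = {15: "L1 LAN IIH", 16: "L2 LAN IIH"}   # ISO 10589 values (assumed)
CIRCUIT_TYPES = {1: "L1", 2: "L2", 3: "L1/2"}           # 00 is reserved

def parse_clvs(buf):
    """Walk Code-Length-Value triplets, rejecting any that overrun the buffer."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated CLV header")
        code, length = buf[i], buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"CLV code {code} overruns the PDU")
        out.append((code, value.hex()))
        i += 2 + length
    return out

def parse_lan_iih(pdu):
    if len(pdu) < 8:
        raise ValueError("shorter than the common header")
    # Eighth octet (maximum area addresses) is from ISO 10589, not this page.
    disc, hdr_len, _ext, id_field, type_byte, _ver, _rsv, _max_area = pdu[:8]
    if disc != 0x83:
        raise ValueError("not an IS-IS PDU")
    pdu_type = type_byte & 0x1F                  # top three bits are the R bits
    if pdu_type not in LAN_IIH_TYPES:
        raise ValueError(f"PDU type {pdu_type} is not a LAN IIH")
    id_len = 6 if id_field == 0 else id_field    # 0 means the 6-byte default
    if not 1 <= id_len <= 8:
        raise ValueError("unsupported ID length")
    fixed = 8 + 1 + id_len + 2 + 2 + 1 + (id_len + 1)
    if hdr_len != fixed or len(pdu) < fixed:
        raise ValueError("length indicator does not match the LAN IIH layout")
    pos = 8
    circuit = pdu[pos] & 0x03; pos += 1          # last 2 bits: router type
    if circuit not in CIRCUIT_TYPES:
        raise ValueError("reserved circuit type 00")
    source_id = pdu[pos:pos + id_len]; pos += id_len
    holding, pdu_len = struct.unpack_from("!HH", pdu, pos); pos += 4
    priority = pdu[pos] & 0x7F; pos += 1         # top bit is the R bit
    lan_id = pdu[pos:pos + id_len + 1]; pos += id_len + 1
    if pdu_len != len(pdu):
        raise ValueError("PDU length field does not match the received length")
    return {"type": LAN_IIH_TYPES[pdu_type], "circuit": CIRCUIT_TYPES[circuit],
            "source_id": source_id.hex(), "holding_time": holding,
            "priority": priority, "lan_id": lan_id.hex(),
            "clvs": parse_clvs(pdu[pos:])}

def build_sample():
    """Constructed Level-1 LAN IIH from system 1680.1000.1001, DIS priority 64."""
    sysid = bytes.fromhex("168010001001")
    clvs = bytes.fromhex("010403490001") + bytes.fromhex("08020000")  # codes 1, 8
    common = bytes([0x83, 27, 1, 0, 15, 1, 0, 0])
    specific = (bytes([0x03]) + sysid + struct.pack("!HH", 30, 27 + len(clvs))
                + bytes([64]) + sysid + b"\x01")
    return common + specific + clvs

SAMPLE = build_sample()

if __name__ == "__main__":
    print(parse_lan_iih(SAMPLE))
    bad = bytearray(SAMPLE)
    bad[-3] = 9                                  # CLV length now exceeds the PDU
    try:
        parse_lan_iih(bytes(bad))
    except ValueError as exc:
        print("rejected:", exc)
```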
For routers supporting VPN, each IS-IS process is associated with a designated VPN
instance. Thus, the VPN instance is also associated with interfaces corresponding
to the process.
After an IS-IS GR Restarter restarts IS-IS, it needs to complete the following two
tasks to synchronize the LSDB with its neighbors.
After the restart, the GR Restarter will send an OSPF GR signal to its neighbors to
keep the adjacencies. After receiving the responses from neighbors, the GR
Restarter can restore the neighbor table.
After reestablishing neighborships, the GR Restarter will synchronize the LSDB and
exchange routing information with all adjacent GR capable neighbors. After that,
the GR Restarter will update its own routing table and forwarding table based on
the new routing information and remove the stale routes. In this way, the IS-IS
routing convergence is complete.
IS-IS TE
IS-IS Traffic Engineering (TE) creates and maintains the Label Switched Path (LSP).
When creating the Constraint-based Routed LSP (CR LSP), MPLS needs to get the
traffic attribute information of all links in the local area. The Traffic Engineering
information of links is obtained from IS-IS.
Management tag
Management tag carries the management information of the IP address prefixes
and BGP community attribute. It controls the redistribution from other routing
protocols.
(0 for a common LSP or non-zero for a Pseudonode LSP), and LSP Number (LSP
fragment number) of the node or pseudo node that generated the LSP. The 1-byte
LSP Number field, allowing a maximum of only 256 fragments to be generated by
an IS-IS router, limits the amount of link information that the IS-IS router can
advertise.
The LSP fragment extension feature allows an IS-IS router to generate more LSP
fragments. Up to 50 additional virtual systems can be configured on the router,
with each virtual system capable of generating 256 LSP fragments, to enable the
IS-IS router to generate up to 13056 LSP fragments.
1 Terms
■ Originating System
It is the router actually running IS-IS. After LSP fragment extension is enabled,
additional virtual systems can be configured for the router. Originating system is
the actual IS-IS process that originally runs.
■ System-ID
■ Additional System-ID
It is the additional virtual system ID configured for the IS-IS router after LSP
fragment extension is enabled. Each additional system ID can generate 256 LSP
fragments. Both the additional system ID and the system ID must be unique in the
entire routing domain.
■ Virtual System
A virtual system is identified by the additional system ID and generates extended
LSP fragments.
■ Original LSP
It is the LSP generated by the originating system. The system ID in its LSP ID field is
the system ID of the originating system.
■ Extended LSP
It is the LSP generated by a virtual system. The system ID in its LSP ID field is the
virtual system ID.
After additional system IDs are configured, an IS-IS router can advertise more link
state information in extended LSP fragments. Each virtual system can be
considered as a virtual router. An extended LSP fragment is advertised by a virtual
system identified by additional system ID.
2 Operation modes
The LSP fragment extension feature operates in two modes on an IS-IS router:
The operation mode of LSP fragment extension is configured based on area and
routing level. Mode-1 is backward-compatible and allows the routers supporting
LSP fragment extension and those not supporting this feature to interoperate with
each other, but it restricts the link state information in the extended fragments.
Mode-2 does not restrict the link state information in the extended fragments.
Mode-2 is recommended in a network where all the routers that are in the same
area and at the same routing level support LSP fragment extension.
This mechanism also provides the mapping between a host name and the DIS of a
broadcast network, which is announced in a dynamic host name TLV of a
pseudonode LSP.
A host name is intuitively easier to remember than a system ID. After enabling this
feature on the router, you can see the host names instead of system IDs after using
the display command.
IS-IS Configuration Task List
The following table describes the IS-IS configuration tasks.
Configuration Task | Remarks
“Configuring IS-IS Basic Functions” on page 893 | Required
“Configuring IS-IS Routing Information Control” on page 894:
“Specifying a Priority for IS-IS” on page 894 | Optional
“Configuring IS-IS Link Cost” on page 895 | Required
“Configuring the Maximum Number of Load Balanced Routes” on page 896 | Optional
“Configuring IS-IS Route Summarization” on page 896 | Optional
“Advertising a Default Route” on page 897 | Optional
“Configuring Inbound Route Filtering” on page 897 | Optional
“Configuring Route Redistribution” on page 897 | Optional
“Configuring IS-IS Route Leaking” on page 898 | Optional
Configuring IS-IS Routing Information Control
Specifying a Priority for IS-IS
A router can run multiple routing protocols. When a route to the same destination
is learned by multiple routing protocols, the one with the highest protocol priority
wins. You can reference a routing policy to specify a priority for specific routes. For
information about routing policy, refer to “Routing Policy Configuration” on page
991.
Configuring IS-IS Link Cost
There are three ways to configure the interface link cost, in descending order of
interface costs:
■ Interface cost: Assign a link cost for a single interface.
■ Global cost: Assign a link cost for all interfaces.
■ Automatically calculated cost: Calculate the link cost based on the bandwidth
of an interface.
Note: If no interface cost is specified in interface view or system view and
automatic cost calculation is enabled:
■ When the cost style is wide or wide-compatible, IS-IS automatically
calculates the interface cost based on the interface bandwidth, using the
formula: interface cost = bandwidth reference value / interface bandwidth. The
maximum calculated cost is 16777214.
■ When the cost style is narrow, narrow-compatible, or compatible, the cost
of a loopback interface is 0. For any other interface, the cost is calculated
automatically from the interface bandwidth:
Interface bandwidth | Interface cost
1 M to 10 M | 60
11 M to 100 M | 50
101 M to 155 M | 40
156 M to 622 M | 30
623 M to 2500 M | 20
Any other bandwidth | 10 (the default interface cost)
Configuring the Maximum Number of Load Balanced Routes
If there is more than one equal-cost route to the same destination, the traffic
can be load balanced to enhance path efficiency.
Follow these steps to configure the maximum number of load balanced routes:
Configuring IS-IS Route Summarization
This task is to configure a summary route, so that routes falling into the network
range of the summary route are summarized into one route for advertisement. Doing so
can reduce the size of routing tables, as well as the LSP and LSDB generated by the
router itself. Both IS-IS and redistributed routes can be summarized.
Note: The cost of the summary route is the lowest cost among those summarized routes.
Note: The default route is only advertised to routers at the same level. You can use a
routing policy to generate the default route only when a local routing entry is
matched by the policy.
Configuring Route Redistribution
Follow these steps to configure IS-IS route redistribution from other routing
protocols:
Configuring IS-IS Route Leaking
With this feature enabled, the Level-1-2 router can advertise both Level-1 and
Level-2 area routing information to the Level-1 router.
Note:
■ If a filter policy is specified, only routes passing it can be advertised into the
Level-1 area.
■ You can specify a routing policy in the import-route isis level-2 into level-1
command to filter routes from Level-2 to Level-1. Other routing policies
specified for route reception and redistribution do not affect the route
leaking.
Tuning and Optimizing IS-IS Network
Configuring a DIS Priority for an Interface
On an IS-IS broadcast network, a router should be selected as the DIS at a specific
level, Level-1 or Level-2. You can specify a DIS priority at a level for an interface.
The greater the interface’s priority value, the more likely it is to become the DIS.
Note: If multiple routers in the broadcast network have the same highest DIS priority,
the router with the highest MAC address becomes the DIS. This rule applies even if all
routers’ DIS priority is 0.
Configuring IS-IS Timers
Follow these steps to configure the IS-IS timers:
Note:
■ On the broadcast link, you can specify different intervals for Level-1 and Level-2
hello packets; if no level is specified, the interval applies to both Level-1 and
Level-2 hello packets, but only takes effect on the level of the current process;
if a level is specified, it applies to hello packets at this level. The point-to-point
link does not distinguish between Level-1 and Level-2 hello packets, so you
need not specify a level.
■ Hello packets are used to establish and maintain neighbor relationships. If no
hello packets are received from a neighbor within the time for receiving the
specified hello packets, the neighbor is considered dead.
■ CSNPs are sent by the DIS on a broadcast network for LSDB synchronization. If
no level is included, the specified CSNP interval applies to both Level-1 and
Level-2 of the current IS-IS process. If a level is specified, it applies to the level.
Disabling an Interface from Sending/Receiving IS-IS Hello Packets
Follow these steps to disable an interface from sending hello packets:
To do... | Use the command... | Remarks
Enter system view | system-view | --
Enter interface view | interface interface-type interface-number | --
Disable the interface from sending and receiving hello packets | isis silent | Required. Not disabled by default
Configuring LSP Parameters
An IS-IS router periodically advertises all the local LSPs to maintain the LSP
synchronization in the entire area.
An LSP is given an aging time when generated by the router. When the LSP is
received by another router, its aging time begins to decrease. If the receiving
router does not get the update for the LSP within the aging time, the LSP will be
deleted from the LSDB.
The router will discard an LSP with incorrect checksum. You can configure the
router to ignore the incorrect checksum, which means an LSP will be processed
even with an incorrect LSP checksum.
On the NBMA network, the router will flood a new LSP received from an interface
to other interfaces. This can cause the LSP reflooding on the high connectivity
networks. To avoid this problem, you can make a mesh group of interfaces. The
interface in this group will only flood the new LSP to interfaces outside the mesh
group.
Configuring SPF Parameters
When the LSDB changes in an IS-IS network, a routing calculation starts. If the
changes happen frequently, it will take a lot of system resources. You can set the
interval for SPF calculation for efficiency consideration.
The SPF calculation may occupy the CPU for a long time when the routing entries
are too many (more than 150 thousand). You can split the SPF calculation time
into multiple durations with a default interval of 10s in between.
Configuring Dynamic Host Name Mapping
Follow these steps to configure the dynamic host name mapping:
To do...                                   Use the command...                                       Remarks
Enter system view                          system-view                                              --
Enter IS-IS view                           isis [ process-id ] [ vpn-instance vpn-instance-name ]   --
Assign a local host name                   is-name sys-name                                         Required. No name is assigned by default. This command also enables the mapping between the local system ID and host name.
Assign a remote host name and create a     is-name map sys-id map-sys-name                          Optional. One system ID only maps to one name. No name is assigned by default.
mapping between the host name and a
system ID
Return to system view                      quit                                                     --
Enter interface view                       interface interface-type interface-number                --
Assign a DIS name for the local network    isis dis-name symbolic-name                              Optional. Not assigned by default. This command is only applicable on the router with dynamic host name mapping enabled. It is invalid on point-to-point links.
Note: The local host name on the local IS overwrites the remote host name on the
remote IS.
Configuring IS-IS Authentication
For area authentication, the area authentication password is encapsulated into the
Level-1 LSP, CSNP, and PSNP packets. On area authentication enabled routers in
the same area, the authentication mode and password must be the same.
Configuring LSDB Overload Tag
When the overload tag is set on a router, other routers will not send packets to the
router except for the packets destined to the network directly connected to the
router.
The overload tag can be used for troubleshooting as well. You can temporarily
isolate a router from the IS-IS network by setting the overload tag.
Note: With this feature enabled, the state information of the adjacency is displayed on
the configuration terminal.
Enabling an Interface to Send Small Hello Packets
Follow these steps to enable an interface to send small hello packets (without the
padding field):
Configuring IS-IS GR
An IS-IS restart may cause the termination of the adjacencies between a restarting
router and its neighbors, resulting in a transient network disconnection.
IS-IS Graceful Restart helps solve this problem: the restarting router notifies its neighbors of its
restarting state so that they can reestablish the adjacency without removing it.
The IS-IS Graceful Restart provides the following features:
■ When restarting ISIS, a Graceful Restart capable device will resend connection
requests to its neighbors instead of terminating their adjacencies.
■ Graceful Restart minimizes network disruption caused by LSDB synchronization
before LSP packets generation.
■ When a router starts for the first time, it sets the overload bit in LSP packets
before LSDB synchronization is complete, which ensures no routing loop is
created.
The Graceful Restart interval on a router is used as the holdtime in the IS-IS Hello
PDUs so that its neighbors can maintain the adjacencies within the interval after
the router restarts.
Note: A device can act as both a GR Restarter and GR Helper at the same time.
Displaying and Maintaining IS-IS Configuration
To do...                                             Use the command...                                                                                          Remarks
Display brief IS-IS information                      display isis brief [ process-id | vpn-instance vpn-instance-name ]                                          Available in any view
Display the status of the debug switch               display isis debug-switches { process-id | vpn-instance vpn-instance-name }                                 Available in any view
Display information about IS-IS enabled interfaces   display isis interface [ [ traffic-eng | verbose ] * | tunnel ] [ process-id | vpn-instance vpn-instance-name ]   Available in any view
Display IS-IS license information                    display isis license                                                                                        Available in any view
Display IS-IS LSDB information                       display isis lsdb [ [ l1 | l2 | level-1 | level-2 ] | [ lsp-id LSPID | lsp-name lspname ] | local | verbose ] * [ process-id | vpn-instance vpn-instance-name ]   Available in any view
Display IS-IS mesh group information                 display isis mesh-group [ process-id | vpn-instance vpn-instance-name ]                                     Available in any view
Display the host-name-to-system-ID mapping table     display isis name-table [ process-id | vpn-instance vpn-instance-name ]                                     Available in any view
IS-IS Configuration Example
Router A and Router B are Level-1 routers, Router D is a Level-2 router, and Router
C is a Level-1-2 router connecting two areas. Router A, Router B, and Router C are
in area 10, while Router D is in area 20.
Network diagram
[Figure: Router A (L1), Router B (L1) and Router C (L1/L2) in Area 10 and Router D (L2) in Area 20, connected over serial links]
Configuration procedure
1 Configure IP addresses for interfaces (omitted)
2 Configure IS-IS
# Configure Router A
<RouterA> system-view
[RouterA] isis 1
[RouterA-isis-1] is-level level-1
[RouterA-isis-1] network-entity 10.0000.0000.0001.00
[RouterA-isis-1] quit
[RouterA] interface serial 2/0
[RouterA-Serial2/0] isis enable 1
[RouterA-Serial2/0] quit
# Configure Router B
<RouterB> system-view
[RouterB] isis 1
[RouterB-isis-1] is-level level-1
[RouterB-isis-1] network-entity 10.0000.0000.0002.00
[RouterB-isis-1] quit
[RouterB] interface serial 2/0
[RouterB-Serial2/0] isis enable 1
[RouterB-Serial2/0] quit
# Configure Router C.
<RouterC> system-view
[RouterC] isis 1
[RouterC-isis-1] network-entity 10.0000.0000.0003.00
[RouterC-isis-1] quit
[RouterC] interface serial 2/0
[RouterC-Serial2/0] isis enable 1
[RouterC-Serial2/0] quit
[RouterC] interface serial 2/1
[RouterC-Serial2/1] isis enable 1
[RouterC-Serial2/1] quit
[RouterC] interface serial 2/2
[RouterC-Serial2/2] isis enable 1
[RouterC-Serial2/2] quit
# Configure Router D
<RouterD> system-view
[RouterD] isis 1
[RouterD-isis-1] is-level level-2
[RouterD-isis-1] network-entity 20.0000.0000.0004.00
[RouterD-isis-1] quit
[RouterD] interface ethernet 1/0
[RouterD-Ethernet1/0] isis enable 1
[RouterD-Ethernet1/0] quit
[RouterD] interface serial 2/0
[RouterD-Serial2/0] ip address 192.168.0.2 255.255.255.0
[RouterD-Serial2/0] isis enable 1
[RouterD-Serial2/0] quit
# Display the IS-IS LSDB information of each router to check the integrity of the
LSP.
------------------------------------------------------------------------
0000.0000.0003.00-00 0x00000007 0xbb56 910 100 0/0/0
0000.0000.0004.00-00* 0x00000005 0xd086 791 84 0/0/0
# Display the IS-IS routing information of each router. The routing table of Level-1
routers must contain a default route with the next hop being the Level-1-2 router.
The routing table of Level-2 router must contain all routes of Level-1 and Level-2.
Change the DIS priority of Router A to make it selected as the Level-1-2 DIS router.
Network diagram
[Figure: Router A (L1/L2, Eth1/0 10.1.1.1/24), Router B (L1/L2, Eth1/0 10.1.1.2/24), Router C (L1, Eth1/0 10.1.1.3/24) and Router D (L2, Eth1/0 10.1.1.4/24) on one Ethernet segment]
Configuration procedure
1 Configure an IP address for each interface (omitted)
2 Enable IS-IS
# Configure Router A.
<RouterA> system-view
[RouterA] isis 1
[RouterA-isis-1] network-entity 10.0000.0000.0001.00
[RouterA-isis-1] quit
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] isis enable 1
[RouterA-Ethernet1/0] quit
# Configure Router B.
<RouterB> system-view
[RouterB] isis 1
[RouterB-isis-1] network-entity 10.0000.0000.0002.00
[RouterB-isis-1] quit
# Configure Router C.
<RouterC> system-view
[RouterC] isis 1
[RouterC-isis-1] network-entity 10.0000.0000.0003.00
[RouterC-isis-1] is-level level-1
[RouterC-isis-1] quit
[RouterC] interface ethernet 1/0
[RouterC-Ethernet1/0] isis enable 1
[RouterC-Ethernet1/0] quit
# Configure Router D.
<RouterD> system-view
[RouterD] isis 1
[RouterD-isis-1] network-entity 10.0000.0000.0004.00
[RouterD-isis-1] is-level level-2
[RouterD-isis-1] quit
[RouterD] interface ethernet 1/0
[RouterD-Ethernet1/0] isis enable 1
[RouterD-Ethernet1/0] quit
Note: By using the default DIS priority, Router C is the Level-1 DIS, and Router D is the
Level-2 DIS. The pseudonodes of Level-1 and Level-2 are 0000.0000.0003.01 and
0000.0000.0004.01 respectively.
3 Configure the DIS priority of Router A.
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] isis dis-priority 100
Note: After the DIS priority configuration, you can see Router A is the DIS for Level-1-2,
and the pseudonode is 0000.0000.0001.01.
Network diagram
[Figure: Router A (GR restarter, Eth1/0 10.0.0.1/24), Router B (GR helper, Eth1/0 10.0.0.2/24) and Router C (GR helper, Eth1/0 10.0.0.3/24) on one Ethernet segment]
Configuration Procedure
1 Configure IP addresses of the interfaces on each router and configure IS-IS.
Follow Figure 268 to configure the IP address and subnet mask of each interface
on the router. The configuration procedure is omitted.
Configure IS-IS on the routers, ensuring that Router A, Router B and Router C can
communicate with each other at layer 3 and dynamic route update can be
implemented among them with IS-IS. The configuration procedure is omitted here.
# Enable IS-IS Graceful Restart on Router A and configure the Graceful Restart
interval.
<RouterA> system-view
[RouterA] isis 1
[RouterA-isis-1] graceful-restart
[RouterA-isis-1] graceful-restart interval 150
[RouterA-isis-1] return
The configurations for Router B and Router C are similar and therefore are omitted
here.
After Router A establishes adjacencies with Router B and Router C, they begin to
exchange routing information. Restart IS-IS on Router A, which enters into the
restart state and sends connection requests to its neighbors through the Graceful
Restart mechanism to synchronize the LSDB. Use the display isis
graceful-restart status command to display the IS-IS GR status on Router A.
# Restart Router A.
--------------------------------------------------------------------
IS-IS(1) Level-1 Restart Status
Restart Interval: 150
SA Bit Supported
Total Number of Interfaces = 1
Restart Status: RESTARTING
Number of LSPs Awaited: 3
T3 Timer Status:
Remaining Time: 239
T2 Timer Status:
Remaining Time: 59
When configuring OSPF, go to these sections for information you are interested in:
Introduction to OSPF
■ Scope: Supports networks of various sizes and can support several hundred
routers.
■ Fast convergence: Transmits update packets instantly after network topology
changes for routing information synchronization in the AS.
■ Loop-free: Computes routes with the Shortest Path Tree algorithm according to
the collected link states, so no loop routes are generated.
■ Area partition: Allows an AS to be split into different areas for ease of
management and the routing information transmitted between areas is
summarized to reduce network bandwidth consumption.
■ Equal-cost multi-route: Supports multiple equal-cost routes to a destination.
■ Routing hierarchy: Supports a four-level routing hierarchy that prioritizes the
routes into intra-area, inter-area, external type-1, and external type-2 routes.
■ Authentication: Supports interface-based packet authentication to guarantee
the security of packet exchange.
Router ID
To run OSPF, a router must have a Router ID, which is a 32-bit unsigned integer,
the unique identifier of the router in the AS.
■ If the loopback interfaces are configured, select the highest IP address among
them.
■ If no loopback interface is configured, select the highest IP address among
addresses of active interfaces on the router.
OSPF packets
OSPF uses five types of packets:
■ Hello Packet: Periodically sent to find and maintain neighbors, containing the
values of some timers, information about DR, BDR and known neighbors.
■ DD packet (Database Description Packet): Describes the digest of each LSA in
the LSDB, exchanged between two routers for data synchronization.
■ LSR (Link State Request) Packet: Requests needed LSAs from the peer. After
exchanging the DD packets, the two routers know which LSAs of the neighbor
routers are missing from the local LSDBs. In this case, they send LSR packets,
requesting the missing LSAs. The packets contain the digests of the missing
LSAs.
■ LSU (Link State Update) Packet: Transmits the needed LSAs to the peer router.
■ LSAck (Link State Acknowledgment) Packet: Acknowledges received LSU
packets. It contains the Headers of LSAs requiring acknowledgement (a packet
can acknowledge multiple LSAs).
LSA types
OSPF sends routing information in LSAs, which, as defined in RFC 2328, have the
following types:
■ Router LSA: Type-1 LSA, originated by all routers, flooded throughout a single
area only. This LSA describes the collected states of the router’s interfaces to an
area.
■ Network LSA: Type-2 LSA, originated for broadcast and NBMA networks by the
Designated Router, flooded throughout a single area only. This LSA contains
the list of routers connected to the network.
■ Network Summary LSA: Type-3 LSA, originated by ABRs (Area Border Routers),
and flooded throughout the LSA’s associated area. Each summary-LSA
describes a route to a destination outside the area, yet still inside the AS (an
inter-area route).
■ ASBR Summary LSA: Type-4 LSA, originated by ABRs and flooded throughout
the LSA’s associated area. Type 4 summary-LSAs describe routes to ASBR
(Autonomous System Boundary Router).
■ AS External LSA: Type-5 LSA, originated by ASBRs, and flooded throughout the
AS (except Stub and NSSA areas). Each AS-external-LSA describes a route to
another Autonomous System.
■ NSSA LSA: Type-7 LSA, as defined in RFC 1587, originated by ASBRs in NSSAs
(Not-So-Stubby Areas) and flooded throughout a single NSSA. NSSA LSAs
describe routes to other ASs.
■ Opaque LSA: A proposed type of LSA, the format of which consists of a
standard LSA header and application specific information. Opaque LSAs are
used by the OSPF protocol or by some application to distribute information into
the OSPF routing domain. The opaque LSA includes three types, Type 9, Type
10 and Type 11, which are used to flood into different areas. The Type 9
opaque LSA is flooded into the local subnet, the Type 10 is flooded into the
local area, and the Type 11 is flooded throughout the whole AS.
To solve this problem, OSPF splits an AS into multiple areas, which are identified by
area ID. The boundaries between areas are routers rather than links. A network
segment (or a link) can only reside in one area, in other words, an OSPF interface
must be specified to belong to its attached area, as shown in the figure below.
[Figure: an OSPF AS partitioned into Area 0, Area 1, Area 2, Area 3 and Area 4]
After area partition, area border routers perform route summarization to reduce
the number of LSAs advertised to other areas and minimize the effect of topology
changes.
Classification of Routers
The OSPF router falls into four types according to the position in the AS:
1 Internal Router
An area border router belongs to more than two areas, one of which must be the
backbone area. It connects the backbone area to a non-backbone area. The
connection between an area border router and the backbone area can be physical
or logical.
3 Backbone Router
[Figure: OSPF router types (Internal Router, ABR, Backbone Router, ASBR) in an AS with Areas 1 to 4 and external RIP and IS-IS domains]
A virtual link is established between two area border routers via a non-backbone
area and is configured on both ABRs to take effect. The area that provides the
non-backbone area internal route for the virtual link is a “transit area”.
In the following figure, Area 2 has no direct physical link to the backbone area 0.
Configuring a virtual link between ABRs can connect Area 2 to the backbone area.
[Figure: a virtual link between two ABRs through the transit area (Area 1), connecting Area 2 to Area 0]
[Figure: a virtual link between R1 and R2 through Area 1, with Area 0]
The virtual link between the two ABRs acts as a point-to-point connection.
Therefore, you can configure interface parameters such as hello packet interval on
the virtual link as they are configured on physical interfaces.
The two ABRs on the virtual link exchange OSPF packets with each other directly,
the OSPF routers in between simply convey these OSPF packets as normal IP
packets.
You can also configure the stub area as a Totally Stub area, where the ABR
advertises neither the routes of other areas nor the external routes.
Stub area configuration is optional, and not every area is qualified to be a stub
area. In general, a stub area resides on the border of the AS.
The ABR in a stub area generates a default route into the area.
■ A (totally) stub area cannot have an ASBR because AS external routes cannot
be distributed into the stub area.
■ Virtual links cannot transit (totally) stub areas.
NSSA area
Similar to a stub area, an NSSA area imports no AS external LSA (type5 LSA) but
can import type7 LSAs that are generated by the ASBR and distributed throughout
the NSSA area. When traveling to the NSSA ABR, type7 LSAs are translated into
type5 LSAs by the ABR for advertisement to other areas.
In the following figure, the OSPF AS contains three areas: Area 1, Area 2 and Area
0. The other two ASs employ the RIP protocol. Area 1 is an NSSA area, and the
ASBR in it translates RIP routes into type7 LSAs and advertises them throughout
Area 1. When these LSAs travel to the NSSA ABR, the ABR translates type7 LSAs to
type5 LSAs for advertisement to Area 0 and Area 2.
On the left of the figure, RIP routes are translated into type5 LSAs by the ASBR of
Area 2 and distributed into the OSPF AS. However, Area 1 is an NSSA area, so
these type5 LSAs cannot travel to Area 1.
[Figure: an OSPF AS with an NSSA area and two RIP ASs; Type 5 LSAs are labeled]
Route summarization
Route summarization: An ABR or ASBR summarizes routes that have the same prefix
into a single route and distributes it to other areas.
Via route summarization, routing information across areas and the size of routing
tables on routers will be reduced, improving calculation speed of routers.
For example, as shown in the following figure, in Area 1 are three internal routes
19.1.1.0/24, 19.1.2.0/24, and 19.1.3.0/24. By configuring route summarization
on Router A, the three routes are summarized with the route 19.1.0.0/16 that is
advertised into Area 0.
[Figure: Router A (ABR) advertises the summary route 19.1.0.0/16 into Area 0 for 19.1.1.0/24, 19.1.2.0/24 and 19.1.3.0/24 in Area 1; Router B is also shown]
If this feature is configured on an ABR, the ABR will summarize type5 LSAs
translated from type7 LSAs.
Route types
OSPF prioritizes routes into four levels:
■ Intra-area route
■ Inter-area route
■ type1 external route
■ type2 external route
The intra-area and inter-area routes describe the network topology of the AS,
while external routes describe routes to destinations outside the AS. OSPF
classifies external routes into two types: type1 and type2.
A type1 external route is an IGP route, such as a RIP or static route, which has high
credibility and whose cost is comparable with the cost of an OSPF internal route.
The cost from a router to the destination of the type1 external route = the cost
from the router to the corresponding ASBR + the cost from the ASBR to the
destination of the external route.
A type2 external route is an EGP route, which has low credibility, so OSPF
considers the cost from the ASBR to the destination of the type2 external route to be
much bigger than the cost from the ASBR to an OSPF internal router. Therefore,
the cost from the internal router to the destination of the type2 external route =
the cost from the ASBR to the destination of the type2 external route. If two
routes to the same destination have the same cost, the cost from the
router to the ASBR is then taken into consideration.
You need to perform some special configuration on NBMA interfaces. Since these
interfaces cannot broadcast hello packets for neighbor location, you need to
specify neighbors manually and configure whether the neighbors have the DR
election right.
An NBMA network is fully meshed, which means any two routers in the NBMA
network have a direct virtual link for communication. If direct connections are not
available between some routers, the type of interfaces associated should be
configured as P2MP, or as P2P for interfaces with only one neighbor.
■ NBMA networks are fully meshed, non-broadcast and multi access. P2MP
networks are not required to be fully meshed.
■ It is required to elect the DR and BDR on NBMA networks, while DR and BDR
are not available on P2MP networks.
■ NBMA is the default network type, while P2MP is a conversion from other
network types such as NBMA in general.
■ On NBMA networks, packets are unicast, and neighbors are configured
manually on routers. On P2MP networks, packets are multicast.
If the DR fails to work, routers on the network have to elect another DR and
synchronize information with the new DR. It is time-consuming and prone to
routing calculation errors. The Backup Designated Router (BDR) was introduced to
reduce the synchronization period.
The BDR is elected along with the DR and establishes adjacencies for routing
information exchange with all other routers. When the DR fails, the BDR will
Other routers, also known as DRothers establish no adjacency with each other and
exchange no routing information, thus, reducing the number of adjacencies on
broadcast and NBMA networks.
In the following figure, solid lines are Ethernet physical links, and dashed lines
represent adjacencies. With the DR and BDR in the network, only seven
adjacencies are enough.
[Figure: routers on an Ethernet segment, with adjacencies to the DR and BDR]
DR/BDR election
The DR and BDR in a network are elected by all routers rather than configured
manually. The DR priority of an interface determines its qualification for DR/BDR
election. Interfaces attached to the network and having priorities higher than "0"
are election candidates.
The election votes are hello packets. Each router sends the DR elected by itself in a
hello packet to all the other routers. If two routers on the network declare
themselves as the DR, the router with the higher DR priority wins. If DR priorities
are the same, the router with the higher Router ID wins. In addition, a router with
the priority 0 cannot become the DR/BDR.
Note that:
OSPF Packet Formats
OSPF packets are directly encapsulated into IP packets. OSPF has the IP protocol
number 89. The OSPF packet format, taking an LSU packet as an example, is shown
below.
IP header | OSPF packet header | Number of LSAs | LSA header | LSA Data

0        7        15                31
Version | Type | Packet length
Router ID
Area ID
Checksum | AuType
Authentication
Authentication
Hello packet
A router sends hello packets periodically to neighbors to find and maintain
neighbor relationships and to elect DR/BDR, including information about values of
timers, DR, BDR and neighbors already known. The format is shown below:
0        7        15                31
Version | 1 | Packet length
Router ID
Area ID
Checksum | AuType
Authentication
Authentication
Network Mask
HelloInterval | Options | Rtr Pri
RouterDeadInterval
Designated router
Backup designated router
Neighbor
...
Neighbor
Major fields:
■ Network Mask: The network mask associated with the router’s sending
interface. If two routers have different network masks, they cannot become
neighbors.
■ HelloInterval: The interval between the router’s hello packets. If two routers
have different intervals, they cannot become neighbors.
■ Rtr Pri: Router priority. A value of 0 means the router cannot become the
DR/BDR.
■ RouterDeadInterval: The time value before declaring a silent router down. If
two routers have different time values of this kind, they cannot become
neighbors.
■ Designated Router: IP address of the DR interface.
■ Backup Designated Router: IP address of the BDR interface
■ Neighbor: Router ID of the neighbor router.
DD packet
Two routers exchange Database Description (DD) packets describing their LSDBs
for database synchronization. A DD packet contains the header of each
LSA (the header uniquely represents an LSA). The LSA header occupies only a small part of an LSA,
which reduces traffic between routers. The recipient checks whether the LSA is
available using the LSA header.
0        7        15                31
Version | 2 | Packet length
Router ID
Area ID
Checksum | AuType
Authentication
Authentication
Interface MTU | Options | 0 0 0 0 0 I M MS
DD sequence number
LSA header
...
LSA header
Major fields:
■ Interface MTU: The size in bytes of the largest IP datagram that can be sent out
the associated interface, without fragmentation.
■ I (Initial): The Init bit, which is set to 1 if the packet is the first packet in the
sequence of Database Description Packets, and set to 0 if not.
■ M (More): The More bit, which is set to 0 if the packet is the last packet in the
sequence of DD packets, and set to 1 if more DD Packets are to follow.
■ MS (Master/Slave): The Master/Slave bit. When set to 1, it indicates that the
router is the master during the Database Exchange process. Otherwise, the
router is the slave.
■ DD Sequence Number: Used to sequence the collection of Database
Description Packets for ensuring reliability and intactness of DD packets
between the master and slave. The initial value is set by the master. The DD
sequence number then increments until the complete database description has
been sent.
LSR packet
After exchanging DD packets, any two routers know which LSAs of the peer
routers are missing from the local LSDBs. In this case, they send LSR (Link State
Request) packets, requesting the missing LSAs. The packets contain the digests of
the missing LSAs. Figure 280 shows the LSR packet format.
0        7        15                31
Version | 3 | Packet length
Router ID
Area ID
Checksum | AuType
Authentication
Authentication
LS type
Link state ID
Advertising router
...
Major fields:
■ LS type: The type number of the LSA to be requested, type 1 for example
indicates the Router LSA
■ Link State ID: Determined by LSA type
■ Advertising Router: The ID of the router that sent the LSA
LSU packet
LSU (Link State Update) packets are used to send the requested LSAs to peers, and
each packet carries a collection of LSAs. The LSU packet format is shown below.
0        7        15                31
Version | 4 | Packet length
Router ID
Area ID
Checksum | AuType
Authentication
Authentication
Number of LSAs
LSA
...
LSA
LSAck packet
LSAck (Link State Acknowledgment) packets are used to acknowledge received
LSU packets. They contain LSA headers that describe the corresponding LSAs.
Multiple LSAs can be acknowledged in a single Link State Acknowledgment
packet. The following figure gives its format.
0        7        15                31
Version | 5 | Packet length
Router ID
Area ID
Checksum | AuType
Authentication
Authentication
LSA header
...
LSA header
0        7        15                31
LS age | Options | LS type
Link state ID
Advertising Router
LS sequence number
LS checksum | Length
Major fields:
■ LS age: The time in seconds elapsed since the LSA was originated. An LSA ages
in the LSDB (its age increases by 1 per second), but does not age in transmission.
■ LS type: The type of the LSA
■ Link State ID: The contents of this field depend on the LSA’s type
■ LS sequence number: Used by other routers to judge new and old LSAs.
■ LS checksum: Checksum of the LSA except the LS age field
■ Length: The length in bytes of the LSA, including the LSA header
Formats of LSAs
1 Router LSA
0        7        15                31
LS age | Options | 1
Link state ID
Advertising Router
LS sequence number
LS checksum | Length
0 | V | E | B | 0 | # links
Link ID
Link data
...
Link ID
Link data
...
Major fields:
■ Link State ID: The ID of the router that originated the LSA.
■ V (Virtual Link): Set to 1 if the router that originated the LSA is a virtual link
endpoint.
■ E (External): Set to 1 if the router that originated the LSA is an ASBR.
■ B (Border): Set to 1 if the router that originated the LSA is an ABR.
■ # links: The number of router links (interfaces) to the area, described in the
LSA.
■ Link ID: Determined by Link type.
■ Link Data: Determined by Link type.
■ Type: Link type. A value of 1 indicates a point-to-point link to a remote router;
a value of 2 indicates a link to a transit network; a value of 3 indicates a link to
a stub network; a value of 4 indicates a virtual link.
■ #TOS: The number of different TOS metrics given for this link.
■ metric: The cost of using this router link.
■ TOS: IP Type of Service that this metric refers to.
■ TOS metric: TOS-specific metric information.
2 Network LSA
0        7        15                31
LS age | Options | 2
Link state ID
Advertising Router
LS sequence number
LS checksum | Length
Network mask
Attached router
...
Major fields:
Network summary LSAs (type3 LSAs) and ASBR summary LSAs (type4 LSAs) are
originated by ABRs. Other than the difference in the Link State ID field, the format
of type 3 and 4 summary-LSAs is identical.
0        7        15                31
LS age | Options | 3 or 4
Link state ID
Advertising Router
LS sequence number
LS checksum | Length
Network mask
0 | metric
TOS | TOS metric
...
Major fields:
■ Link State ID: For a type3 LSA, it is an IP address outside the area; for a type 4
LSA, it is the router ID of an ASBR outside the area.
■ Network Mask: The network mask for the type 3 LSA; set to 0.0.0.0 for the
type4 LSA
■ metric: The metric to the destination
Note: A type3 LSA can be used to advertise a default route, having the Link State ID and
Network Mask set to 0.0.0.0.
4 AS external LSA
0        7        15                31
LS age | Options | 5
Link state ID
Advertising Router
LS sequence number
LS checksum | Length
Network mask
E | 0 | Metric
Forwarding address
...
Major fields:
An NSSA external LSA originates from the ASBR in a NSSA and is flooded in the
NSSA area only. It has the same format as the AS external LSA.
0        7        15                31
LS age | Options | 7
Link state ID
Advertising Router
LS sequence number
LS checksum | Length
Network mask
E | TOS | Metric
Forwarding address
...
Authentication
OSPF supports authentication on packets. Only packets that pass the
authentication are received. If hello packets cannot pass authentication, no
neighbor relationship can be established.
The authentication type for interfaces attached to a single area must be identical.
Authentication types include non-authentication, plaintext authentication and
MD5 ciphertext authentication. The authentication password for interfaces
attached to a network segment must be identical.
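The authentication rule above, together with the Hello fields that must match before two routers become neighbors, can be checked against captured Hello packets. This Python sketch is an added example, not the manual's or 3Com's code; it assumes the RFC 2328 AuType values (0 none, 1 plaintext, 2 MD5) and the standard IP checksum computed over the packet without the Authentication field, and its function names and sample Hellos are constructed.

```python
import socket
import struct
from collections import Counter, namedtuple

# Version, Type, Packet length, Router ID, Area ID, Checksum, AuType, Authentication
OSPF_HDR = struct.Struct("!BBH4s4sHH8s")
# Network Mask, HelloInterval, Options, Rtr Pri, RouterDeadInterval, DR, BDR
HELLO_BODY = struct.Struct("!4sHBBI4s4s")
MIN_HELLO = OSPF_HDR.size + HELLO_BODY.size   # 44 bytes when no neighbor is listed

Hello = namedtuple("Hello", "router_id area_id autype checksum_ok mask "
                            "hello_interval dead_interval priority neighbors")


def inet_checksum(data):
    """16-bit one's-complement checksum; returns 0 when a stored checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_hello(pkt):
    """Decode an OSPFv2 Hello (the OSPF payload of an IP packet, protocol 89)."""
    if len(pkt) < MIN_HELLO:
        raise ValueError("truncated Hello")
    ver, ptype, length, rid, aid, _csum, autype, _auth = OSPF_HDR.unpack_from(pkt)
    if ver != 2 or ptype != 1:
        raise ValueError("not an OSPFv2 Hello")
    if not MIN_HELLO <= length <= len(pkt) or (length - MIN_HELLO) % 4:
        raise ValueError("bad Packet length")
    body = pkt[OSPF_HDR.size:length]
    # The checksum skips the 8-byte Authentication field; with MD5 it is unused.
    ok = None if autype == 2 else inet_checksum(pkt[:16] + body) == 0
    mask, hello, _opts, pri, dead, _dr, _bdr = HELLO_BODY.unpack_from(body)
    ntoa = socket.inet_ntoa
    nbrs = tuple(ntoa(body[i:i + 4]) for i in range(HELLO_BODY.size, len(body), 4))
    return Hello(ntoa(rid), ntoa(aid), autype, ok, ntoa(mask), hello, dead, pri, nbrs)


def audit_hellos(hellos):
    """Return (subject, issue) pairs for Hellos seen on one network segment."""
    findings = []
    for h in hellos:
        if h.autype == 0:
            findings.append((h.router_id, "no-authentication"))
        elif h.autype == 1:
            findings.append((h.router_id, "plaintext-password"))
        elif h.autype != 2:
            findings.append((h.router_id, "unknown-autype"))
        if h.checksum_ok is False:
            findings.append((h.router_id, "bad-checksum"))
    by_area = {}
    for h in hellos:
        by_area.setdefault(h.area_id, set()).add(h.autype)
    findings += [(area, "autype-mismatch")
                 for area, types in by_area.items() if len(types) > 1]
    if hellos:
        # Routers whose mask or timers differ from the majority cannot peer with it.
        key = lambda h: (h.mask, h.hello_interval, h.dead_interval)
        expected = Counter(map(key, hellos)).most_common(1)[0][0]
        findings += [(h.router_id, "hello-parameter-mismatch")
                     for h in hellos if key(h) != expected]
    return findings


def build_hello(router_id, autype, hello_interval, area_id="0.0.0.0",
                mask="255.255.255.0", dead_interval=40, priority=1):
    """Construct a sample Hello; the Authentication field is left zeroed."""
    a = socket.inet_aton
    body = HELLO_BODY.pack(a(mask), hello_interval, 0x02, priority,
                           dead_interval, a("0.0.0.0"), a("0.0.0.0"))
    hdr = OSPF_HDR.pack(2, 1, MIN_HELLO, a(router_id), a(area_id), 0, autype, b"\x00" * 8)
    csum = 0 if autype == 2 else inet_checksum(hdr[:16] + body)
    hdr = hdr[:12] + struct.pack("!H", csum) + hdr[14:]
    trailer = b"\x00" * 16 if autype == 2 else b""   # placeholder, not a real digest
    return hdr + body + trailer


# Constructed samples: three routers in area 0.0.0.0 on one segment.
SAMPLE_HELLOS = [build_hello("10.1.1.1", 2, 10),
                 build_hello("10.1.1.2", 1, 10),
                 build_hello("10.1.1.3", 2, 30)]

if __name__ == "__main__":
    for finding in audit_hellos([parse_hello(p) for p in SAMPLE_HELLOS]):
        print(finding)
```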
After an OSPF GR Restarter restarts OSPF, it needs to perform the following two
tasks in order to re-synchronize its LSDB with its neighbors.
After the restart, the GR Restarter will send an OSPF GR signal to its neighbors that
will not reset their adjacencies with it. In this way, the GR Restarter can restore the
neighbor table upon receiving the responses from neighbors.
After reestablishing neighborships, the GR Restarter will synchronize the LSDB and
exchange routing information with all adjacent GR-capable neighbors. After that,
the GR Restarter will update its own routing table and forwarding table based on
the new routing information and remove the stale routes. In this way, the OSPF
routing convergence is complete.
TE and DS-TE
OSPF Traffic Engineering (TE) provides for the establishment and maintenance of
Label Switch Paths (LSPs) of TE.
When establishing Constraint-based Routed LSPs (CR LSPs), MPLS obtains the TE
information of links in the area via OSPF.
OSPF has a new LSA, Opaque LSA, which can be used for carrying TE information.
■ If Forwarding Adjacency is enabled only, OSPF can also use an LSP as the
outbound interface for a destination
■ If IGP Shortcut is enabled only, only the router enabled with it can use LSPs for
routing.
VPN
OSPF supports multi-instance, which can run on PEs in VPN networks.
In BGP MPLS VPN networks, multiple sites in the same VPN can use OSPF as the
internal routing protocol, but they are treated as different ASs. An OSPF route
learned by a site will be forwarded to another site as an external route, which
leads to heavy OSPF routing traffic and management issues.
Configuring area IDs on PEs can differentiate VPNs. Sites in the same VPN are
considered as directly connected. PE routers then exchange OSPF routing
information like on a dedicated line, thus network management and OSPF
operation efficiency are improved.
Note: For configuration of this feature, refer to “BGP Configuration” on page 825 and
“MPLS Basics Configuration” on page 1311.
In general, BGP peers exchange routing information on the MPLS VPN backbone
using the BGP extended community attribute. OSPF running on a PE at the other
end utilizes this information to originate a type3 summary LSA as an inter-area
route between the PE and CE.
Note: For sham link configuration, refer to “BGP Configuration” on page 825 and “MPLS
Basics Configuration” on page 1311.
Task                                                                              Description
“Configuring OSPF Routing Information Control” on page 942
    “Configuring OSPF Route Summarization” on page 943                            Optional
    “Configuring OSPF Inbound Route Filtering” on page 943                        Optional
    “Configuring ABR Type3 LSA Filtering” on page 943                             Optional
    “Configuring OSPF Link Cost” on page 944                                      Optional
    “Configuring the Maximum Number of OSPF Routes” on page 944                   Optional
    “Configuring the Maximum Number of Load-balanced Routes” on page 944          Optional
    “Configuring OSPF Priority” on page 945                                       Optional
    “Configuring OSPF Route Redistribution” on page 945                           Optional
“Configuring OSPF Network Optimization” on page 946
    “Configuring OSPF Packet Timers” on page 946                                  Optional
    “Configuring LSA Transmission Delay Time” on page 947                         Optional
    “Configuring SPF Calculation Interval” on page 948                            Optional
    “Configuring LSA Minimum Repeat Arrival Interval” on page 948                 Optional
    “Configuring LSA Generation Interval” on page 948                             Optional
    “Disabling Interfaces from Sending OSPF Packets” on page 949                  Optional
    “Configuring Stub Routers” on page 949                                        Optional
    “Configuring OSPF Authentication” on page 950                                 Optional
    “Adding Interface MTU into DD Packets” on page 950                            Optional
    “Configuring the Maximum Number of External LSAs in LSDB” on page 951         Optional
    “Making External Route Selection Rules Defined in RFC1583 Compatible” on page 951   Optional
    “Logging Neighbor State Changes” on page 951                                  Optional
    “Enabling the Advertisement and Reception of Opaque LSAs” on page 952         Optional
“Configuring OSPF Graceful Restart” on page 952
    “Configuring the OSPF GR Restarter” on page 952                               Optional
    “Configuring the OSPF GR Helper” on page 953                                  Optional
    “Triggering OSPF Graceful Restart” on page 953                                Optional
Configuring OSPF Basic Functions
You need to enable OSPF and specify an interface and area ID before performing
other tasks.
Prerequisites
Before configuring OSPF, you have configured the link layer protocol and IP
addresses for interfaces, making neighboring nodes accessible to each other at
the network layer.
Configuration Procedure
To ensure OSPF stability, you need to decide on router IDs and configure them
manually. Any two routers in an AS must have different IDs. In practice, the ID of a
router is the IP address of one of its interfaces.
The system supports OSPF multi-process. When a router runs multiple OSPF
processes, you need to specify an ID for each process, which takes effect locally
and does not interfere with packet exchange between routers. Therefore, two
routers having different process IDs can exchange packets.
The system supports OSPF multi-instance. You can configure an OSPF process to
run in a specified VPN instance to associate the two.
The configurations for routers in an area are performed on an area basis. Wrong
configurations may cause communication failures, or even blocked routing
information or routing loops, between neighboring routers.
Configuring OSPF Area Parameters
Splitting an OSPF AS into multiple areas reduces the number of LSAs on networks
and extends OSPF application. For those non-backbone areas residing on the AS
boundary, you can configure them as Stub areas to further reduce the size of
routing tables on routers in these areas and the number of LSAs.
A stub area cannot redistribute routes, which is why the concept of NSSA was
introduced. In an NSSA, type 7 LSAs (NSSA External LSAs) are advertised. Type 7
LSAs originate from the ASBR in an NSSA area. When arriving at the ABR in the NSSA
area, these LSAs are translated into type 5 LSAs for advertisement to other areas.
If necessary physical links are not available for this connectivity maintenance, you
can configure virtual links to solve it.
Note:
■ It is required to use the stub command on routers attached to a stub area.
■ It is required to use the nssa command on routers attached to an NSSA area.
■ Using the default-cost command only takes effect on the ABR of a stub area
or the ABR/ASBR of an NSSA area.
Configuring OSPF Network Types
OSPF classifies networks into four types based on link layer protocols. An NBMA
network must be fully meshed, namely, any two routers in the network must have
a virtual link in between. In most cases, however, the requirement cannot be
satisfied, so you need to change the network type using commands.
For routers having no direct link in between, you can configure the related
interfaces as the P2MP type. If a router in the NBMA network has only a single
peer, you can also configure the associated interfaces as the P2P type.
In addition, when configuring broadcast and NBMA networks, you can specify
router priorities on interfaces for DR/BDR election. In practice, routers having
higher reliability should become the DR/BDR.
Configuring the OSPF Network Type for an Interface
Follow these steps to configure the OSPF network type for an interface:
To do...                          Use the command...                          Remarks
Enter system view                 system-view                                 -
Enter interface view              interface interface-type interface-number   -
Configure the network type        ospf network-type { broadcast | nbma |      Optional
                                  p2mp | p2p }                                Not configured by default
                                                                              The network type of an interface
                                                                              depends on the media type of the
                                                                              interface
■ If the two interfaces on a link are both configured as the broadcast, NBMA or
P2MP type, they cannot establish neighbor relationship unless they are on the
same network segment.
Configuring an NBMA Neighbor
For NBMA interfaces that cannot broadcast hello packets to find neighbors, you
need to specify IP addresses and DR priorities of neighbors manually.
Configuring a Router Priority for an OSPF Interface
For broadcast or NBMA interfaces, you can configure router priorities for DR/BDR
election.
Follow these steps to configure a router priority for an OSPF interface:
Note: The DR priority configured with the ospf dr-priority command and the one
configured with the peer command have the following differences:
■ The former is for actual DR election.
■ The latter is to indicate whether a neighbor has election right or not. If you
configure the DR priority for a neighbor as 0, the local router considers that the
neighbor has no election right, so no hello packet is sent to this neighbor,
reducing the number of hello packets for DR/BDR election on networks.
However, if the local router is the DR or BDR, it will send a hello packet to the
neighbor with priority 0 for adjacency relationship establishment.
Configuring OSPF Routing Information Control
This section describes how to control OSPF routing information advertisement
and reception, and route redistribution from other protocols.
Configuring OSPF Inbound Route Filtering
Follow these steps to configure OSPF to filter received routes:
To do...                          Use the command...                          Remarks
Enter system view                 system-view                                 -
Enter OSPF view                   ospf [ process-id | router-id router-id |   -
                                  vpn-instance instance-name ] *
Configure to filter received      filter-policy { acl-number | ip-prefix      Required
routes                            ip-prefix-name | gateway ip-prefix-name }   Not configured by default
                                  import
Configuring ABR Type3 LSA Filtering
Follow these steps to configure type 3 LSA filtering on an ABR:
Configuring OSPF Link Cost
Follow these steps to configure the link cost for an interface:
To do...                          Use the command...                          Remarks
Enter system view                 system-view                                 -
Enter interface view              interface interface-type interface-number   -
Configure the cost value of the   ospf cost value                             Optional
interface                                                                     By default, an interface computes
                                                                              its cost according to the baud rate.
Note: If the cost value is not configured for an interface, OSPF computes the
interface cost value automatically:
Interface value = Bandwidth reference value / Interface bandwidth
If the calculated cost value is greater than 65535, the maximum cost will be 65535.
Configuring the Maximum Number of OSPF Routes
Follow these steps to configure the maximum number of routes:
To do...                          Use the command...                          Remarks
Enter system view                 system-view                                 -
Enter OSPF view                   ospf [ process-id | router-id router-id |   -
                                  vpn-instance instance-name ] *
Configure the maximum number of   maximum-routes { external | inter |         Optional
OSPF routes                       intra } number
Configuring the Maximum Number of Load-balanced Routes
If several routes with the same cost to the same destination are available,
configuring them as load-balanced routes can improve link utilization.
Configuring OSPF Priority
A router may run multiple routing protocols. The router sets a priority for each
protocol. When a route is found by several routing protocols, the route found by
the protocol with the highest priority is selected.
Configuring OSPF Route Redistribution
Follow these steps to configure OSPF route redistribution:
To do...                          Use the command...                          Remarks
Enter system view                 system-view                                 -
Enter OSPF view                   ospf [ process-id | router-id router-id |   -
                                  vpn-instance instance-name ] *
Configure OSPF to redistribute    import-route protocol [ process-id |        Required
routes from other protocols       allow-ibgp ] [ cost cost | type type |      Not configured by default
                                  tag tag | route-policy
                                  route-policy-name ] *
Configure OSPF to filter          filter-policy { acl-number | ip-prefix      Optional
redistributed routes before       ip-prefix-name } export [ protocol          Not configured by default
advertisement                     [ process-id ] ]
Redistribute a default route      default-route-advertise [ always |          Optional
                                  cost cost | type type | route-policy        Not redistributed by default
                                  route-policy-name ] *
                                  default-route-advertise summary cost cost
Configuring OSPF Network Optimization
You can optimize your OSPF network in the following ways:
■ Change values of OSPF packet timers to adjust the OSPF network convergence
speed and network load. On low speed links, you need to consider the delay
time for sending LSAs on interfaces.
■ Change the interval for SPF calculation to reduce resource consumption caused
by frequent network changes.
■ Configure OSPF authentication to meet high security requirements of some
mission-critical networks.
■ Configure OSPF network management functions, such as binding OSPF MIB
with a process, sending trap information and collecting log information.
Configuring OSPF Packet Timers
You can configure the following timers on OSPF interfaces as needed:
■ Hello timer: Interval for sending hello packets, which must be identical on OSPF
neighbors. The longer the interval, the lower the convergence speed and the
smaller the network load.
■ Poll timer: Interval for sending hello packets to the neighbor that is down on
the NBMA network.
■ Dead timer: Interval within which, if the interface receives no hello packet from
the neighbor, it declares the neighbor down.
Note:
■ The hello and dead intervals restore to default values after you change the
network type for an interface.
■ The dead interval should be at least four times the hello interval on an
interface.
■ The poll interval is at least four times the hello interval.
■ The retransmission interval should not be too small, to avoid unnecessary
LSA retransmissions. In general, this value is bigger than the round-trip time of
a packet between two adjacencies.
Configuring LSA Transmission Delay Time
Since OSPF packets need time for traveling on links, extending LSA age time with
some delay time is necessary, especially for low speed links.
Follow these steps to configure the LSA transmission delay time on an interface:
Configuring SPF Calculation Interval
Link State Database changes lead to SPF calculations. When an OSPF network
changes frequently, a large amount of network resources will be occupied,
reducing working efficiency of routers. You can adjust the SPF calculation interval
for the network to reduce negative influence.
Note: With this command configured, when network changes are not frequent, SPF
calculation applies at the minimum-interval. If network changes become frequent,
SPF calculation interval is incremented by incremental-interval × 2^(n-2) (n is the
number of calculation times) each time a calculation occurs, up to the
maximum-interval.
Configuring LSA Minimum Repeat Arrival Interval
When an interface receives an LSA that is the same as the previously received
LSA within a specified interval (the LSA minimum repeat arrival interval), the
interface discards the LSA.
Follow these steps to configure the LSA minimum repeat arrival interval:
Configuring LSA Generation Interval
With this feature configured, you can protect network resources and routers from
being over consumed due to frequent network changes.
Note: With this command configured, when network changes are not frequent, LSAs
are generated at the minimum-interval. If network changes become frequent, LSA
generation interval is incremented by incremental-interval × 2^(n-2) (n is the number
of generation times) each time a generation occurs, up to the maximum-interval.
Disabling Interfaces from Sending OSPF Packets
Follow these steps to disable an interface from sending routing information to
other routers:
To do...                          Use the command...                          Remarks
Enter system view                 system-view                                 -
Enter OSPF view                   ospf [ process-id | router-id router-id |   -
                                  vpn-instance instance-name ] *
Disable interfaces from sending   silent-interface { all | interface-type     Optional
OSPF packets                      interface-number }                          Not disabled by default
Note:
■ Different OSPF processes can disable the same interface from sending OSPF
packets. Use of the silent-interface command disables only the interfaces
associated with the current process rather than interfaces associated with other
processes.
■ After an OSPF interface is set to silent, other interfaces on the router can still
advertise direct routes of the interface in router LSAs, but no OSPF packet can
be advertised for the interface to find a neighbor. This configuration can
enhance adaptability of OSPF networking and reduce resource consumption.
Configuring Stub Routers
A stub router is used for traffic control. It informs other OSPF routers not to use it
to forward data, but they can have a route to the stub router.
The router LSAs from the stub router may contain different link type values. A
value of 3 means a link to the stub network, so the cost of the link remains
unchanged. A value of 1, 2 or 4 means a point-to-point link, a link to a transit
network or a virtual link. In such cases, a maximum cost value of 65535 is used.
Because other neighbors find that the links to the stub router have such big costs,
they will not send packets to the stub router for forwarding as long as there is a
route with a smaller cost.
Configuring OSPF Authentication
With packet authentication, OSPF accepts only packets that pass the
authentication, so packets that fail authentication cannot be used to establish a
neighbor relationship.
Note: The authentication mode and password for all interfaces attached to the same
area must be identical.
Adding Interface MTU into DD Packets
Generally, when an interface sends a DD packet, it adds 0 into the Interface MTU
field of the DD packet rather than the interface MTU.
Configuring the Maximum Number of External LSAs in LSDB
Follow these steps to configure the maximum number of external LSAs in the Link
State Database:
To do...                          Use the command...                          Remarks
Enter system view                 system-view                                 -
Enter OSPF view                   ospf [ process-id | router-id router-id |   -
                                  vpn-instance instance-name ] *
Specify the maximum number of     lsdb-overflow-limit number                  Optional
external LSAs in the LSDB                                                     No limitation by default
Making External Route Selection Rules Defined in RFC1583 Compatible
The selection of an external route from multiple LSAs defined in RFC2328 is
different from the one defined in RFC1583.
Follow these steps to make external route selection rules defined in RFC1583
compatible:
Logging Neighbor State Changes
Follow these steps to log neighbor state changes:
To do...                          Use the command...                          Remarks
Enter system view                 system-view                                 -
Enter OSPF view                   ospf [ process-id | router-id router-id |   -
                                  vpn-instance instance-name ] *
Enable the logging of neighbor    log-peer-change                             Optional
state changes                                                                 Enabled by default
Enabling the Advertisement and Reception of Opaque LSAs
With this feature enabled, the OSPF router can receive and advertise the Type 9,
Type 10 and Type 11 opaque LSAs.
Follow these steps to enable the advertisement and reception of opaque LSAs:
Configuring OSPF Graceful Restart
Note: One device can act as both a GR Restarter and a GR Helper at the same time.
Configuring the OSPF GR Restarter
You can configure the IETF standard or non IETF standard OSPF Graceful Restart
capability on a GR Restarter.
Configuring the OSPF GR Helper
Follow these steps to configure the OSPF GR Helper:
To do...                          Use the command...                          Remarks
Enter system view                 system-view                                 -
Enable OSPF and enter its view    ospf [ process-id | router-id router-id |   Required
                                  vpn-instance instance-name ] *              Disabled by default
Configure for which OSPF          graceful-restart help { acl-number |        Optional
neighbors the current router can  prefix prefix-list }                        The router can serve as a GR
serve as a GR Helper                                                          Helper for any OSPF neighbor by
                                                                              default.
Triggering OSPF Graceful Restart
Performing main/backup switchover on a distributed device with two PDUs, or
performing the following configuration on an OSPF router will trigger OSPF
Graceful Restart. Ensure that these routers are enabled with the following
capabilities first:
■ LLS (link local signaling)
■ OOB (out of band re-synchronization)
■ Opaque LSA advertisement
■ IETF GR capability
Displaying and Maintaining OSPF Configuration
To do...                          Use the command...                                      Remarks
Display OSPF brief information    display ospf [ process-id ] brief                       Available in any view
Display OSPF statistics           display ospf [ process-id ] cumulative
Display Link State Database       display ospf [ process-id ] lsdb [ brief | [ { ase |
information                       router | network | summary | asbr | nssa |
                                  opaque-link | opaque-area | opaque-as }
                                  [ link-state-id ] ] [ originate-router
                                  advertising-router-id | self-originate ] ]
Display OSPF neighbor             display ospf [ process-id ] peer [ verbose |
information                       [ interface-type interface-number ]
                                  [ neighbor-id ] ]
Display neighbor statistics of    display ospf [ process-id ] peer statistics
OSPF areas
Display next hop information      display ospf [ process-id ] nexthop
Display routing table             display ospf [ process-id ] routing [ interface
information                       interface-type interface-number ] [ nexthop
                                  nexthop-address ]
Display virtual link information  display ospf [ process-id ] vlink
Display OSPF request queue        display ospf [ process-id ] request-queue
information                       [ interface-type interface-number ] [ neighbor-id ]
Display OSPF retransmission       display ospf [ process-id ] retrans-queue
queue information                 [ interface-type interface-number ] [ neighbor-id ]
Display OSPF ABR and ASBR         display ospf [ process-id ] abr-asbr
information
Display OSPF interface            display ospf [ process-id ] interface [ all |
information                       interface-type interface-number ]
Display OSPF error information    display ospf [ process-id ] error
Display OSPF ASBR summarization   display ospf [ process-id ] asbr-summary
information                       [ ip-address { mask | mask-length } ]
Reset OSPF counters               reset ospf [ process-id ] counters [ neighbor           Available in user view
                                  [ interface-type interface-number ] [ router-id ] ]
Reset an OSPF process             reset ospf [ process-id ] process
                                  [ graceful-restart ]
Remove redistributed routes       reset ospf [ process-id ] redistribution
OSPF Configuration Examples
After configuration, all routers can learn routes to every network segment in the
AS.
Network diagram (figure not reproduced; labels that survive):
Area 1: Router C, Eth1/0 10.2.1.2/24, Eth1/1 10.4.1.1/24
Area 2: Router D, Eth1/0 10.3.1.2/24, Eth1/0 10.5.1.1/24
Configuration procedure
1 Configure IP addresses for interfaces (omitted)
2 Configure OSPF basic functions
# Configure RouterA
<RouterA> system-view
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] area 1
[RouterA-ospf-1-area-0.0.0.1] network 10.2.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.1] quit
[RouterA-ospf-1] quit
# Configure RouterB
<RouterB> system-view
[RouterB] ospf
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] area 2
# Configure RouterC
<RouterC> system-view
[RouterC] ospf
[RouterC-ospf-1] area 1
[RouterC-ospf-1-area-0.0.0.1] network 10.2.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.1] network 10.4.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.1] quit
[RouterC-ospf-1] quit
# Configure RouterD
<RouterD> system-view
[RouterD] ospf
[RouterD-ospf-1] area 2
[RouterD-ospf-1-area-0.0.0.2] network 10.3.1.0 0.0.0.255
[RouterD-ospf-1-area-0.0.0.2] network 10.5.1.0 0.0.0.255
[RouterD-ospf-1-area-0.0.0.2] quit
[RouterD-ospf-1] quit
3 Verify the above configuration
# Display OSPF neighbors information on Router A.
[RouterA] display ospf peer verbose
OSPF Process 1 with Router ID 10.2.1.1
Neighbors
Neighbors
Total Nets: 5
Intra Area: 3 Inter Area: 2 ASE: 0 NSSA: 0
Total Nets: 5
Intra Area: 2 Inter Area: 3 ASE: 0 NSSA: 0
Area1 must be configured as a Stub area, which reduces the LSAs advertised into
this area without affecting route reachability.
Network diagram (figure not reproduced; labels that survive):
Area 1 (Stub): Router C, Eth1/0 10.2.1.2/24, Eth1/1 10.4.1.1/24
Area 2: Router D (ASBR), Eth1/0 10.3.1.2/24, Eth1/0 10.5.1.1/24
Configuration procedure
1 Configure IP addresses for interfaces (omitted)
2 Configure OSPF basic functions (in the previous example)
3 Configure RouterD to redistribute static routes
[RouterD] ip route-static 3.1.3.1 24 Ethernet 1/2 9.1.1.1
[RouterD] ospf
[RouterD-ospf-1] import-route static
[RouterD-ospf-1] quit
Total Nets: 6
Intra Area: 2 Inter Area: 3 ASE: 1 NSSA: 0
Note: In the above output, since RouterC resides in a normal OSPF area, its routing
table contains an external route.
4 Configure Area1 as a Stub area
# Configure RouterA
[RouterA] ospf
[RouterA-ospf-1] area 1
[RouterA-ospf-1-area-0.0.0.1] stub
[RouterA-ospf-1-area-0.0.0.1] quit
[RouterA-ospf-1] quit
# Configure RouterC
[RouterC] ospf
[RouterC-ospf-1] stub-router
[RouterC-ospf-1] area 1
[RouterC-ospf-1-area-0.0.0.1] stub
[RouterC-ospf-1-area-0.0.0.1] quit
[RouterC-ospf-1] quit
Total Nets: 6
Intra Area: 2 Inter Area: 4 ASE: 0 NSSA: 0
Note: After the area where RouterC resides is configured as a Stub area, a default
route takes the place of the external route.
[RouterA] ospf
[RouterA-ospf-1] area 1
[RouterA-ospf-1-area-0.0.0.1] stub no-summary
[RouterA-ospf-1-area-0.0.0.1] quit
Total Nets: 3
Intra Area: 2 Inter Area: 1 ASE: 0 NSSA: 0
Note: After this configuration, routing table entries on the stub router are further
reduced, containing only one default external route.
Network diagram
Configuration procedure
1 Configure IP addresses for interfaces (omitted).
2 Configure OSPF basic functions (refer to “Configuring OSPF Basic Functions” on
page 939).
3 Configure Area1 as NSSA area.
# Configure RouterA
[RouterA] ospf
[RouterA-ospf-1] area 1
[RouterA-ospf-1-area-0.0.0.1] nssa default-route-advertise no-summary
[RouterA-ospf-1-area-0.0.0.1] quit
# Configure RouterC
[RouterC] ospf
[RouterC-ospf-1] area 1
[RouterC-ospf-1-area-0.0.0.1] nssa
[RouterC-ospf-1-area-0.0.0.1] quit
[RouterC-ospf-1] quit
Total Nets: 3
Intra Area: 2 Inter Area: 1 ASE: 0 NSSA: 0
Total Nets: 6
Intra Area: 2 Inter Area: 3 ASE: 1 NSSA: 0
Note: You can see on RouterD an external route imported from the NSSA area.
Network diagram (figure not reproduced; labels that survive):
Router A: Eth1/0 192.168.1.1/24
Router B: Eth1/0 192.168.1.2/24
Router C: Eth1/0 192.168.1.3/24
Router D: Eth1/0 192.168.1.4/24
Configuration procedure
1 Configure IP addresses for interfaces (omitted)
2 Configure OSPF basic functions
# Configure RouterA
<RouterA> system-view
[RouterA] router id 1.1.1.1
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
# Configure RouterB
<RouterB> system-view
[RouterB] router id 2.2.2.2
[RouterB] ospf
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
# Configure RouterC
<RouterC> system-view
[RouterC] router id 3.3.3.3
[RouterC] ospf
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
[RouterC-ospf-1] quit
# Configure RouterD
<RouterD> system-view
[RouterD] router id 4.4.4.4
[RouterD] ospf
[RouterD-ospf-1] area 0
[RouterD-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[RouterD-ospf-1-area-0.0.0.0] quit
[RouterD-ospf-1] quit
# Configure RouterA
# Configure RouterB
# Configure RouterC
Note: In the above output, you can find the priority configuration does not take
effect immediately.
4 Restart the OSPF process (omitted)
Note: The full neighbor state means Router D has established the adjacency with the
router. The 2-way neighbor state means the two routers are neither the DR nor
the BDR, and they do not exchange LSAs.
Area: 0.0.0.0
IP Address type State Cost Pri DR BDR
192.168.1.1 Broadcast DR 1 100 192.168.1.1 192.168.1.3
Area: 0.0.0.0
IP Address type State Cost Pri DR BDR
192.168.1.2 Broadcast DROther 1 0 192.168.1.1 192.168.1.3
Note: The interface state DROther means the interface is not the DR/BDR.
Network diagram
Area 0 Area 2
Configuration procedure
1 Configure IP addresses for interfaces (omitted)
2 Configure OSPF basic functions
# Configure RouterA
<RouterA> system-view
[RouterA] ospf 1 router-id 1.1.1.1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 10.0.0.0 0.255.255.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] area 1
[RouterA-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.1] quit
# Configure RouterB
<RouterB> system-view
[RouterB] ospf 1 router-id 2.2.2.2
[RouterB-ospf-1] area 1
[RouterB-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.1] quit
[RouterB-ospf-1] area 2
[RouterB-ospf-1-area-0.0.0.2] network 172.16.0.0 0.0.255.255
[RouterB-ospf-1-area-0.0.0.2] quit
Total Nets: 2
Intra Area: 2 Inter Area: 0 ASE: 0 NSSA: 0
Note: Since Area 2 has no direct connection to Area 0, the OSPF routing table of
Router A has no route to Area 2.
3 Configure a virtual link
# Configure Router A.
[RouterA] ospf
[RouterA-ospf-1] area 1
[RouterA-ospf-1-area-0.0.0.1] vlink-peer 2.2.2.2
[RouterA-ospf-1-area-0.0.0.1] quit
[RouterA-ospf-1] quit
# Configure Router B.
[RouterB] ospf 1
[RouterB-ospf-1] area 1
[RouterB-ospf-1-area-0.0.0.1] vlink-peer 1.1.1.1
[RouterB-ospf-1-area-0.0.0.1] quit
Total Nets: 3
Intra Area: 2 Inter Area: 1 ASE: 0 NSSA: 0
Network diagram (figure not reproduced; labels that survive):
Router A: Eth1/0 192.1.1.1/24
Router B (GR helper, Router ID 2.2.2.2): Eth1/0 192.1.1.2/24
Router C (GR helper, Router ID 3.3.3.3): Eth1/0 192.1.1.3/24
Configuration Procedure
1 Configure Router A
<RouterA> system-view
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] ip address 192.1.1.1 255.255.255.0
[RouterA-Ethernet1/0] quit
[RouterA] router id 1.1.1.1
[RouterA] ospf 100
[RouterA-ospf-100] enable link-local-signaling
[RouterA-ospf-100] enable out-of-band-resynchronization
[RouterA-ospf-100] graceful-restart
[RouterA-ospf-100] area 0
[RouterA-ospf-100-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[RouterA-ospf-100-area-0.0.0.0] return
2 Configure Router B
<RouterB> system-view
[RouterB] acl number 2000
[RouterB-acl-basic-2000] rule 10 permit source 192.1.1.1 0.0.0.0
[RouterB-acl-basic-2000] quit
# Perform OSPF Graceful Restart on Router A if all routers function properly after
the above configurations.
Troubleshooting OSPF Configuration
Analysis
If the physical link and lower layer protocols work well, check OSPF parameters
configured on interfaces. Two neighbors must have the same parameters, such as
the area ID, network segment and mask (a P2P or virtual link may have different
network segments and masks), and network type. If the network type is broadcast
or NBMA, at least one interface must have a router priority higher than 0.
Solution
1 Display OSPF neighbor information using the display ospf peer command.
2 Display OSPF interface information using the display ospf interface command.
3 Ping the neighbor router’s IP address to check connectivity.
4 Check OSPF timers. The dead interval on an interface must be at least four times
the hello interval.
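The parameter checks from the Analysis and Solution above, together with the hello timer and authentication rules stated earlier in this chapter, written as an added Python example (not part of the 3Com documentation). The OspfInterface record and its field names are hypothetical, and the timer and password values in the samples are constructed.

```python
import ipaddress
from typing import NamedTuple


class OspfInterface(NamedTuple):
    """OSPF parameters of one interface (hypothetical record, filled in by hand
    from the display ospf interface output and the configuration)."""
    router: str
    address: str                 # address with mask length, e.g. "192.168.1.1/24"
    area: str
    network_type: str            # broadcast, nbma, p2mp or p2p
    priority: int                # router priority for DR/BDR election
    hello: int                   # hello interval in seconds
    dead: int                    # dead interval in seconds
    auth: tuple = ("none", "")   # (authentication mode, password)


def adjacency_problems(a: OspfInterface, b: OspfInterface) -> list:
    """Return the reasons why interfaces a and b cannot become OSPF neighbors."""
    problems = []
    if a.area != b.area:
        problems.append(f"area ID differs ({a.area} / {b.area})")
    if a.network_type != b.network_type:
        problems.append(f"network type differs ({a.network_type} / {b.network_type})")
    # A P2P link may use different network segments and masks on its two ends.
    net_a = ipaddress.ip_interface(a.address).network
    net_b = ipaddress.ip_interface(b.address).network
    both_p2p = a.network_type == b.network_type == "p2p"
    if net_a != net_b and not both_p2p:
        problems.append(f"network segment or mask differs ({net_a} / {net_b})")
    # Broadcast and NBMA networks need at least one priority above 0.
    needs_dr = {a.network_type, b.network_type} & {"broadcast", "nbma"}
    if needs_dr and a.priority == b.priority == 0:
        problems.append("no interface has a router priority higher than 0")
    if a.hello != b.hello:
        problems.append(f"hello interval differs ({a.hello}s / {b.hello}s)")
    for itf in (a, b):
        if itf.dead < 4 * itf.hello:
            problems.append(f"{itf.router}: dead interval {itf.dead}s is below "
                            f"four times the hello interval ({itf.hello}s)")
    if a.auth != b.auth:
        problems.append("authentication mode or password differs")
    return problems


# Constructed samples: addresses and priorities follow the DR election example
# in this chapter; timers and the password are made up for the illustration.
ROUTER_A = OspfInterface("RouterA", "192.168.1.1/24", "0.0.0.0", "broadcast", 100, 10, 40)
ROUTER_B = OspfInterface("RouterB", "192.168.1.2/24", "0.0.0.0", "broadcast", 0, 10, 40)
BROKEN_B = ROUTER_B._replace(address="192.168.2.2/24", dead=30, auth=("md5", "example"))

if __name__ == "__main__":
    for peer in (ROUTER_B, BROKEN_B):
        print(peer.address, adjacency_problems(ROUTER_A, peer) or "no mismatch found")
```

Virtual links, which the Analysis also exempts from the segment check, are not modeled here.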
Analysis
The backbone area must maintain connectivity to all other areas. If a router
connects to more than one area, at least one area must be connected to the
backbone. The backbone cannot be configured as a Stub area.
In a Stub area, no router can receive external routes, and all interfaces
connected to the Stub area must be associated with the Stub area.
Solution
1 Use the display ospf peer command to display neighbors.
2 Use the display ospf interface command to display OSPF interface information.
3 Use the display ospf lsdb command to display the Link State Database to check
its integrity.
4 Display information about area configuration using the display
current-configuration configuration ospf command. If more than two areas
are configured, at least one area is connected to the backbone.
5 In a Stub area, all routers are configured with the stub command. In an NSSA
area, all interfaces are configured with the nssa command.
6 If a virtual link is configured, use the display ospf vlink command to check the
state of the virtual link.
RIP Overview
RIP is a simple Interior Gateway Protocol (IGP), mainly used in small-sized
networks, such as academic networks and simple structured LANs. RIP is not
applicable to complex networks.
RIP uses a hop count to measure the distance to a destination. The hop count is
known as the metric. The hop count from a router to its directly connected network
is 0. The hop count of a network reachable through one router is 1. To limit
convergence time, the range of the RIP metric value is from 0 to 15. A metric value
of 16 (or bigger) is considered infinite, which means the destination network is
unreachable. That is why RIP is not suitable for large-scale networks.
RIP prevents routing loops by implementing the split horizon and poison reverse
functions.
■ Route time: Time elapsed since the routing entry was last updated. The time is
reset to 0 every time the routing entry is updated.
■ Route tag: Identifies a route, used in routing policy to flexibly control routes.
For information about routing policy, refer to “Routing Policy Configuration”
on page 991.
RIP timers
RIP employs four timers, Update, Timeout, Suppress, and Garbage-Collect.
■ The update timer defines the interval between routing updates.
■ The timeout timer defines the route aging time. If no update for a route is
received after the aging time elapses, the metric of the route is set to 16 in the
routing table.
■ The suppress timer defines how long a RIP route stays in the suppressed state.
When the metric of a route is 16, the route enters the suppressed state. In the
suppressed state, only routes which come from the same neighbor and whose
metric is less than 16 will be received by the router to replace unreachable
routes.
■ The garbage-collect timer defines the interval from when the metric of a route
becomes 16 to when it is deleted from the routing table. During the
Garbage-Collect timer length, RIP advertises the route with the routing metric
set to 16. If no update is announced for that route after the Garbage-Collect
timer expires, the route will be deleted from the routing table.
4 RIP ages out routes by adopting an aging mechanism to keep only valid routes.
RIP-2 is a Classless Routing Protocol. Compared with RIP-1, RIP-2 has the following
advantages.
■ Supporting route tags. The route tag is used in routing policies to flexibly
control routes.
■ Supporting masks, route summarization and classless inter-domain routing
(CIDR).
■ Supporting designated next hop to select the best next hop on broadcast
networks.
■ Supporting multicast routing update to reduce resource consumption.
■ Supporting Plain text authentication and MD5 authentication to enhance
security.
          0          7          15                     31
Header    | Command  | Version  | Must be zero          |
Route     | AFI                 | Must be zero          |
Entries   | IP address                                  |
          | Must be zero                                |
          | Must be zero                                |
          | Metric                                      |

          0          7          15                     31
Header    | Command  | Version  | Unused                |
Route     | AFI                 | Route tag             |
Entries   | IP address                                  |
          | Subnet mask                                 |
          | Next hop                                    |
          | Metric                                      |
RIP-2 authentication
RIP-2 sets the AFI field of the first route entry to 0xFFFF to identify authentication
information. See Figure 297.
0 7 15 31
Command Version Unused
n ■ RFC 1723 only defines plain text authentication. For information about MD5
authentication, refer to RFC 2082 “RIP-2 MD5 Authentication”.
■ With RIPv1, you can configure the authentication mode in interface view.
However, the configuration will not take effect because RIPv1 does not support
authentication.
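As an added example (not from the 3Com manual), the following Python classifies captured RIP messages by the authentication entry described above, so an audit can flag RIP-2 updates that carry no authentication or a readable plain text password. The authentication type values 2 (plain text, RFC 1723) and 3 (keyed MD5, RFC 2082) and the MD5 entry layout come from those RFCs; the function names and sample packets are constructed for illustration.

```python
import struct
from dataclasses import dataclass

HEADER_LEN = 4          # Command (1 byte) + Version (1 byte) + Unused (2 bytes)
ENTRY_LEN = 20          # route entries and the authentication entry are 20 bytes each
AUTH_AFI = 0xFFFF       # AFI value that marks the first entry as authentication data
AUTH_PLAIN_TEXT = 2     # authentication type defined in RFC 1723
AUTH_KEYED_MD5 = 3      # authentication type defined in RFC 2082


@dataclass
class RipAuthInfo:
    version: int
    mode: str           # "rip1", "none", "plain-text", "md5" or "unknown"
    route_entries: int
    detail: str = ""


def classify_rip_auth(packet: bytes) -> RipAuthInfo:
    """Report how a RIP message is authenticated, judged by its first entry."""
    body_len = len(packet) - HEADER_LEN
    if body_len < 0 or body_len % ENTRY_LEN:
        raise ValueError("not a header plus a whole number of 20-byte entries")
    _command, version, _unused = struct.unpack("!BBH", packet[:HEADER_LEN])
    entries = [packet[i:i + ENTRY_LEN]
               for i in range(HEADER_LEN, len(packet), ENTRY_LEN)]
    if version == 1:
        return RipAuthInfo(1, "rip1", len(entries), "RIP-1 has no authentication")
    if not entries:
        return RipAuthInfo(version, "none", 0)
    afi, auth_type = struct.unpack("!HH", entries[0][:4])
    if afi != AUTH_AFI:
        return RipAuthInfo(version, "none", len(entries))
    if auth_type == AUTH_PLAIN_TEXT:
        # The 16 bytes after the type field are the password itself.
        password = entries[0][4:].rstrip(b"\x00").decode("ascii", "replace")
        return RipAuthInfo(version, "plain-text", len(entries) - 1,
                           f"password readable on the wire: {password!r}")
    if auth_type == AUTH_KEYED_MD5:
        _pkt_len, key_id, _auth_len, seq = struct.unpack("!HBBI", entries[0][4:12])
        # The last 20-byte block is the trailer that carries the digest, not a route.
        return RipAuthInfo(version, "md5", max(len(entries) - 2, 0),
                           f"key-id {key_id}, sequence {seq}")
    return RipAuthInfo(version, "unknown", len(entries) - 1, f"auth type {auth_type}")


def weak_updates(samples: dict) -> list:
    """Names of RIP-2 messages that are not protected by MD5 authentication."""
    return sorted(name for name, pkt in samples.items()
                  if classify_rip_auth(pkt).mode in ("none", "plain-text"))


# Constructed sample messages: one RIP-2 response header and one route entry.
HDR_V2 = struct.pack("!BBH", 2, 2, 0)
ROUTE = struct.pack("!HH4s4s4sI", 2, 0, bytes([10, 1, 0, 0]),
                    bytes([255, 255, 0, 0]), bytes(4), 1)
SAMPLES = {
    "no-auth": HDR_V2 + ROUTE,
    "plain": HDR_V2 + struct.pack("!HH16s", AUTH_AFI, 2, b"lab-secret") + ROUTE,
    # Keyed MD5: auth entry, route, then a trailer with a zeroed placeholder digest.
    "md5": (HDR_V2 + struct.pack("!HHHBBI8x", AUTH_AFI, 3, 44, 1, 20, 7) + ROUTE
            + struct.pack("!HH16s", AUTH_AFI, 1, bytes(16))),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify_rip_auth(pkt))
    print("needs attention:", weak_updates(SAMPLES))
```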
TRIP
Triggered RIP (TRIP), a RIP extension for WANs, is mainly used in dial-up
networks.
Working mechanism
Routing information is sent in triggered updates rather than periodic broadcasts to
reduce the routing management cost on the WAN.
■ A routing update message is sent only when data in the routing table changes
or the next hop is unreachable.
■ Since periodic update delivery is canceled, an acknowledgement and
retransmission mechanism is required to guarantee successful update
transmission on the WAN.
Message types
RIP uses three new types of message, which are identified by the value of the
Command field.
■ Update Request (type value 9): Requests needed routes from the peer.
■ Update Response (type value 10): Contains the routes requested by the peer.
■ Update Acknowledge (type value 11): Acknowledges received Update
Response messages.
receiving no Update Acknowledge after the upper limit for sending Update
Responses is reached, the router considers the neighbor unreachable.
RIP Features Supported
The current implementation supports the following RIP features.
■ RIP-1 and RIP-2
■ RIP Multi-instance. This means that RIP can serve as an internal VPN routing
protocol, running between CE and PE on the BGP/MPLS VPN network. For
related information, refer to “BGP Configuration” on page 825 and “MPLS
Basics Configuration” on page 1311.
■ TRIP
n ■ If you make some RIP configurations in interface view before enabling RIP,
those configurations will take effect after RIP is enabled.
■ RIP runs only on the interfaces residing on the specified networks. Therefore,
you need to specify the network after enabling RIP to validate RIP on a specific
interface.
■ You can enable RIP on all interfaces using the command network 0.0.0.0.
Configuring RIP Advanced Functions
In some complex network environments, you need to configure advanced RIP
functions.
■ Configure an IP address for each interface, and make sure all routers are
reachable.
■ Configure basic RIP functions
Configuring an Additional Routing Metric
An additional routing metric, inbound or outbound, can be added to the metric
of a RIP route.
The outbound additional metric is added to the metric of a sent route; the route’s
metric in the routing table is not changed.
The inbound additional metric is added to the metric of a received route before
the route is added into the routing table, so the route’s metric is changed.
Configuring RIP-2 Route Summarization
Route summarization means that the subnet routes in a natural network are
summarized into a single natural network route that is sent to other networks.
This function can reduce the size of routing tables.
Disabling Host Route Reception
Sometimes a router may receive many host routes from the same network, which
are not helpful for routing and occupy a large amount of network resources. In
this case, you can disable RIP from receiving host routes to save network resources.
n RIPv2 can be disabled from receiving host routes, but RIPv1 cannot.
Advertising a Default Route
You can configure RIP to advertise a default route with the specified metric to RIP
neighbors.
n The router enabled to advertise a default route does not receive default routes
from RIP neighbors.
Configuring Inbound/Outbound Route Filtering Policies
Route filtering is supported by the router. You can filter routes by configuring
inbound and outbound route filtering policies that reference an ACL and IP prefix
list. You can also choose to receive routes only from a specified neighbor.
n ■ Using the filter-policy import command filters incoming routes. Routes not
passing the filtering will be neither installed into the routing table nor
advertised to neighbors.
■ Using the filter-policy export command filters outgoing routes, including
routes redistributed with the import-route command.
Configuring a Priority for RIP
Multiple IGP protocols may run in a router. If you want RIP routes to have a higher
priority than those learned from other routing protocols, you should assign RIP a
smaller priority value to influence optimal route selection.
Configuring RIP Route Redistribution
Follow these steps to configure RIP route redistribution:
To do...                          Use the command...                        Remarks
Enter system view                 system-view                               --
Enter RIP view                    rip [ process-id ] [ vpn-instance         --
                                  vpn-instance-name ]
Configure a default metric for    default-cost value                        Optional. The default metric of a redistributed route is 0 by default.
redistributed routes
Redistribute routes from other    import-route protocol [ process-id ]      Required. By default, RIP does not redistribute any other protocol route.
protocols or processes            [ allow-ibgp ] [ cost cost |
                                  route-policy route-policy-name |
                                  tag tag ] *
Finish the following tasks before configuring the RIP network optimization.
n Based on the network performance, you should make RIP timers of RIP routers
identical to each other to avoid unnecessary traffic or route oscillation.
n If both the split horizon and poison reverse are configured, only the poison reverse
function takes effect.
information, refer to “Frame Relay Configuration” on page 235 and “X.25 and
LAPB Configuration” on page 283.
■ Disabling the split horizon function on a point-to-point link does not take
effect.
Configuring the Maximum Number of Load Balanced Routes
Follow these steps to configure the maximum number of load balanced routes:
To do...                          Use the command...                        Remarks
Enter system view                 system-view                               --
Enter RIP view                    rip [ process-id ] [ vpn-instance         --
                                  vpn-instance-name ]
Configure the maximum number of   maximum load-balancing number             Optional
load balanced routes
Enabling CheckZero Field Check on RIPv1 Messages
Some fields in the RIP-1 message must be zero. These fields are called zero fields.
You can enable the zero field check on received RIP-1 messages. If any such field
contains a non-zero value, the RIP-1 message will not be processed. If you are sure
that all messages are trustworthy, you can disable the zero field check to save CPU
processing time.
In addition, you can enable the source IP address validation on received messages.
For the message received on an Ethernet interface, RIP compares the source IP
address of the message with the IP address of the interface. If they are not in the
same network segment, RIP discards the message. For a message received on a
serial interface, RIP checks whether the source address of the message is the IP
address of the peer interface. If not, RIP discards the message.
Enabling Source IP Address Check on Incoming RIP Updates
You can enable source IP address check on incoming RIP updates.
■ For a message received on an Ethernet interface, RIP compares the source IP
address of the message with the IP address of the interface. If they are not in
the same network segment, RIP discards the message.
■ For a message received on a serial interface, RIP checks whether the source
address of the message is the IP address of the peer interface. If not, RIP
discards the message.
Follow these steps to enable source IP address check on incoming RIP updates:
n The source IP address check feature should be disabled if the RIP neighbor is not
directly connected.
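An added example, not part of the original manual, of the two receive-side checks described in this section and the previous one: the RIP-1 zero field check and the source IP address check for Ethernet and serial interfaces. The Interface class, the function and parameter names, and the sample packets and addresses are assumptions made for the illustration.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

HEADER_LEN = 4      # Command, Version, and a 2-byte must-be-zero field
ENTRY_LEN = 20      # AFI, zero, IP address, zero, zero, Metric


@dataclass
class Interface:
    """Receiving interface (hypothetical model, not a router API)."""
    kind: str                                      # "ethernet" or "serial"
    address: ipaddress.IPv4Interface               # local address and mask
    peer: Optional[ipaddress.IPv4Address] = None   # peer address on a serial link


def zero_fields_ok(packet: bytes) -> bool:
    """True if every must-be-zero field of a RIP-1 message is zero."""
    (header_zero,) = struct.unpack("!H", packet[2:4])
    if header_zero:
        return False
    for off in range(HEADER_LEN, len(packet), ENTRY_LEN):
        _afi, zero_a, _addr, zero_b, zero_c, _metric = struct.unpack(
            "!HH4sIII", packet[off:off + ENTRY_LEN])
        if zero_a or zero_b or zero_c:
            return False
    return True


def source_ok(source: str, iface: Interface) -> bool:
    """Ethernet: same network segment as the interface. Serial: must be the peer."""
    src = ipaddress.IPv4Address(source)
    if iface.kind == "ethernet":
        return src in iface.address.network
    return src == iface.peer


def accept_update(packet: bytes, source: str, iface: Interface,
                  check_zero: bool = True,
                  check_source: bool = True) -> Tuple[bool, str]:
    """Apply the enabled checks and return (accepted, reason)."""
    if len(packet) < HEADER_LEN or (len(packet) - HEADER_LEN) % ENTRY_LEN:
        return False, "malformed length"
    version = packet[1]
    if check_source and not source_ok(source, iface):
        return False, "source address check failed"
    if check_zero and version == 1 and not zero_fields_ok(packet):
        return False, "non-zero value in a must-be-zero field"
    return True, "accepted"


def rip1_entry(addr: str, zero_b: int = 0) -> bytes:
    """Constructed RIP-1 route entry; zero_b lets the demo dirty one zero field."""
    return struct.pack("!HH4sIII", 2, 0, ipaddress.IPv4Address(addr).packed,
                       zero_b, 0, 1)


# Constructed samples. DIRTY carries 255.255.255.0 where RIP-2 would put a mask.
RIP1_HDR = struct.pack("!BBH", 2, 1, 0)
CLEAN = RIP1_HDR + rip1_entry("10.0.0.0")
DIRTY = RIP1_HDR + rip1_entry("10.1.1.0", zero_b=0xFFFFFF00)
ETH = Interface("ethernet", ipaddress.IPv4Interface("1.1.1.1/24"))
SER = Interface("serial", ipaddress.IPv4Interface("192.168.1.1/24"),
                ipaddress.IPv4Address("192.168.1.2"))

if __name__ == "__main__":
    print(accept_update(CLEAN, "1.1.1.2", ETH))
    print(accept_update(CLEAN, "3.1.1.2", ETH))
    print(accept_update(DIRTY, "1.1.1.2", ETH))
    print(accept_update(CLEAN, "192.168.1.3", SER))
    # A neighbor that is not directly connected passes only with the check off.
    print(accept_update(CLEAN, "3.1.1.2", ETH, check_source=False))
```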
Configuring RIP-2 Message Authentication
RIP-2 supports two authentication modes: plain text and MD5.
In plain text authentication, the authentication information is sent with the RIP
message, which cannot meet high security needs.
Configuring a RIP Neighbor
Usually, RIP sends messages to broadcast or multicast addresses. On links that
do not support broadcast or multicast, you need to manually specify a RIP
neighbor. If the specified neighbor is not directly connected, you must disable
the source address check on update messages.
n You need not use the peer ip-address command when the neighbor is directly
connected; otherwise the neighbor may receive both the unicast and multicast (or
broadcast) of the same routing information.
Configuring TRIP
In a connection oriented network, a router may establish connections to multiple
remote devices. In a WAN, links are created and removed as needed. In such
applications, a link created between two nodes for data transmission is temporary
and used infrequently.
Enable TRIP
Follow these steps to enable TRIP:
For two routers on an analog dial-up link, the difference between retransmission
intervals on the two ends must be greater than 50 seconds; otherwise, they
cannot become TRIP neighbors.
n The maximum retransmission time (upper limit × interval) for a packet cannot be
too long; otherwise, the router keeps resending the packet after its neighbor
goes down.
Displaying and Maintaining RIP Configuration
To do...                          Use the command...                        Remarks
Display RIP current status and    display rip [ process-id |                Available in any view
configuration information         vpn-instance vpn-instance-name ]
Display all active routes in RIP  display rip process-id database
database
Clear the statistics of a RIP     reset rip process-id statistics           Available in user view
process
RIP Configuration Example
Network diagram
Configuration procedure
1 Configure an IP address for each interface (Omitted)
2 Configure basic RIP functions
# Configure Router A.
<RouterA> system-view
[RouterA] rip
[RouterA-rip-1] network 1.0.0.0
[RouterA-rip-1] network 2.0.0.0
[RouterA-rip-1] network 3.0.0.0
# Configure Router B.
<RouterB> system-view
[RouterB] rip
[RouterB-rip-1] network 1.0.0.0
[RouterB-rip-1] network 10.0.0.0
From the routing table, you can see RIP-1 uses natural mask to advertise routing
information.
[RouterA] rip
[RouterA-rip-1] version 2
[RouterA-rip-1] undo summary
[RouterB] rip
[RouterB-rip-1] version 2
[RouterB-rip-1] undo summary
From the routing table, you can see RIP-2 uses classless subnet mask.
n Since RIP-1 routing information has a long aging time, it will still exist before being
aged out after RIP-2 is configured.
Network diagram
[Network diagram: Router A, Router B and Router C. Interface labels shown in the figure: Eth1/0, Eth1/1, Eth1/2. Addresses shown in the figure: 1.1.1.1/24, 1.1.1.2/24, 2.1.1.1/24, 3.1.1.1/24, 3.1.1.2/24, 4.1.1.1/24, 5.1.1.1/24.]
Configuration procedure
1 Configure an IP address for each interface (omitted)
2 Configure RIP basic functions
<RouterA> system-view
[RouterA] rip 100
[RouterA-rip-100] network 1.0.0.0
[RouterA-rip-100] network 2.0.0.0
[RouterA-rip-100] version 2
[RouterA-rip-100] undo summary
[RouterA-rip-100] quit
# Enable RIP 100 and RIP 200, configure RIP version as 2 on Router B.
<RouterB> system-view
[RouterB] rip 100
[RouterB-rip-100] network 1.0.0.0
[RouterB-rip-100] version 2
[RouterB-rip-100] undo summary
[RouterB-rip-100] quit
[RouterB] rip 200
[RouterB-rip-200] network 3.0.0.0
[RouterB-rip-200] version 2
[RouterB-rip-200] undo summary
[RouterB-rip-200] quit
<RouterC> system-view
[RouterC] rip 200
[RouterC-rip-200] network 3.0.0.0
[RouterC-rip-200] network 4.0.0.0
[RouterC-rip-200] network 5.0.0.0
[RouterC-rip-200] version 2
[RouterC-rip-200] undo summary
# Configure RIP processes 100 and 200 to redistribute routes from each other on
Router B.
# On Router B, define ACL 2000 and reference it to a filtering policy to filter routes
redistributed from RIP 200.
Troubleshooting RIP Configuration
Analysis:
After enabling RIP, you must use the network command to enable corresponding
interfaces. Make sure no interfaces are disabled from handling RIP messages.
Solution:
Analysis:
In the RIP network, make sure each timer is set to the same value on all routers
and the relationships between timers are reasonable. For example, the
timeout timer value should be larger than the update timer value.
Solution:
■ Use the display rip command to check the configuration of RIP timers.
■ Use the timers command to adjust timers properly.
When configuring routing policy, go to these sections for information you are
interested in:
n Routing policy described in this chapter contains both IPv4 routing policy and IPv6
routing policy. Configurations of the two are similar, and differences are described
in related sections.
Introduction to Routing Policy
Routing Policy and Policy Routing
A routing policy is used on the router for route inspection, filtering, and
attribute modification when routes are received, advertised, or redistributed.
This chapter describes only routing policy configuration and usage. Refer to “IP
Unicast Policy Routing Configuration” on page 639 for policy routing information.
When distributing or receiving routing information, a router can apply some policy
to filter routing information. For example, a router handles only routing
information that matches some criteria, or a routing protocol redistributes from
other protocols only routes matching some criteria and modifies some attributes
of these routes to satisfy its needs.
To implement a routing policy, you need to define a set of match criteria according
to attributes in routing information, such as the destination address and the
advertising router’s address. The match criteria can be set beforehand and then
applied to a routing policy for route distribution, reception and redistribution.
Filters
Routing protocols can use six filters: ACL, IP prefix list, AS path ACL, community
list, extended community list and routing policy.
ACL
ACLs include IPv4 ACLs and IPv6 ACLs. When defining an ACL, you can specify IP
addresses and subnets to match destinations or next hops of routing information.
IP prefix list
IP prefix lists include IPv4 and IPv6 prefix lists.
IP prefix list plays a role similar to ACL, but it is more flexible than ACL and easier
to understand. When an IP prefix list is applied to filtering routing information, its
matching object is the destination address of routing information. Moreover, you
can specify the gateway option to indicate that only routing information
advertised by certain routers will be received. For gateway option information,
refer to “RIP Configuration” on page 971 and “OSPF Configuration” on page 917.
An IP prefix list is identified by name. Each IP prefix list can comprise multiple
items, and each item, which is identified by an index number, can specify a
matching range in network prefix format. The index number indicates the
matching sequence of items in the IP prefix list.
The filtering relation among items is logical OR. During matching, the router
compares the packet with the items in the ascending order. If one item is matched,
the IP prefix list filter is passed, and the packet will not go to the next item.
AS-path ACL
AS path ACL is only applicable to BGP. There is an AS-path field in the BGP packet.
An AS path ACL specifies matching conditions according to the AS-path field.
Community list
Community list only applies to BGP. The BGP packet contains a community
attribute field to identify a community. A community list specifies matching
conditions based on the community attribute.
Routing policy
A routing policy is used to match against some attributes in given routing
information and modify the attributes of the information if match conditions are
satisfied. It can reference the above mentioned filters to define its own match
criteria.
A routing policy can comprise multiple nodes. Each node is a match unit, and the
system compares each node to a packet in ascending order of node sequence
numbers.
Each node comprises a list of if-match and apply clauses. The if-match clauses
define the match criteria. The matching objects are some attributes of routing
information. The different if-match clauses on a node are in a logical AND
relationship. Only when the matching conditions specified by all the if-match
clauses on the node are satisfied, can routing information pass the node. The
apply clauses specify the actions performed after the node is passed, concerning
the attribute settings for routing information.
The filter relation among different route policy nodes is logical OR. Once a node is
matched, the routing policy is passed and the packet will not go through the next
node.
Routing Policy Configuration Task List
To configure a routing policy, perform the tasks described in the following
sections:
Task
“Defining Filtering Lists” on page 993
    “Defining an IP-prefix List” on page 993
    “Defining an AS Path ACL” on page 995
    “Defining a Community List” on page 995
    “Defining an Extended Community List” on page 995
“Configuring a Routing Policy” on page 996
    “Creating a Routing Policy” on page 996
    “Defining if-match Clauses for the Routing Policy” on page 996
    “Defining apply Clauses for the Routing Policy” on page 998
During matching, the system compares the route to each item identified by index
number in the ascending order. If one item matches, the route passes the IP-prefix
list, without needing to match against the next item.
n If all items are set to the deny mode, no routes can pass the IPv4 prefix list.
Therefore, you need to define the permit 0.0.0.0 0 less-equal 32 item following
multiple deny mode items to allow other IPv4 routing information to pass.
<Sysname> system-view
[Sysname] ip ip-prefix abc index 10 deny 10.1.0.0 16
[Sysname] ip ip-prefix abc index 20 deny 10.2.0.0 16
[Sysname] ip ip-prefix abc index 30 deny 10.3.0.0 16
[Sysname] ip ip-prefix abc index 40 permit 0.0.0.0 0 less-equal 32
During matching, the system compares the route to each item in the ascending
order of index number. If one item is matched, the route passes the IP-prefix list,
without needing to match the next item.
n If all items are set to the deny mode, no routes can pass the IPv6 prefix list.
Therefore, you need to define the permit :: 0 less-equal 128 item following
multiple deny mode items to allow other IPv6 routing information to pass.
<Sysname> system-view
[Sysname] ip ipv6-prefix abc index 10 deny 2000:1:: 48
[Sysname] ip ipv6-prefix abc index 20 deny 2000:2:: 48
[Sysname] ip ipv6-prefix abc index 30 deny 2000:3:: 16
[Sysname] ip ipv6-prefix abc index 40 permit :: 0 less-equal 128
Defining an AS Path ACL
You can define multiple items for an AS path ACL that is identified by number.
During matching, the relation between items is logical OR, that is, if the route
matches one of these items, it passes the AS path ACL.
Defining a Community List
You can define multiple items for a community list that is identified by number.
During matching, the relation between items is logical OR, that is, if routing
information matches one of these items, it passes the community list.
To do...                                Use the command...                        Remarks
Enter system view                       system-view                               -
Define a community list:
  Define a basic community list         ip community-list basic-comm-list-num     Required to define either; Not defined by default
                                        { deny | permit }
                                        [ community-number-list ] [ internet |
                                        no-advertise | no-export |
                                        no-export-subconfed ] *
  Define an advanced community list     ip community-list adv-comm-list-num
                                        { deny | permit } regular-expression
Defining an Extended Community List
You can define multiple items for an extended community list that is identified by
number. During matching, the relation between items is logical OR, that is, if
routing information matches one of these items, it passes the extended
community list.
Configuring a Routing Policy
A routing policy is used to filter routing information according to some attributes,
and modify some attributes of the routing information that matches the routing
policy. Match criteria can be configured using the filters mentioned above.
■ if-match clauses: Define the match criteria that routing information must
satisfy. The matching objects are some attributes of routing information.
■ apply clauses: Specify the actions performed after specified match criteria are
satisfied, concerning attribute settings for passed routing information.
n ■ If a node has the permit keyword specified, routing information meeting the
node’s conditions will be handled using the apply clauses of this node, without
needing to match against the next node. If routing information does not meet
the node’s conditions, it will go to the next node for a match.
■ If a node has the deny keyword specified, routing information matching all the
if-match clauses of the node can neither pass the node nor go to the next
node. If route information cannot meet any if-match clause of the node, it will
go to the next node for a match.
■ When a routing policy is defined with more than one node, at least one node
should be configured with the permit keyword. If the routing policy is used to
filter routing information, routing information that does not meet any node’s
conditions cannot pass the routing policy. If all nodes of the routing policy are
set using the deny keyword, no routing information can pass it.
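An added example, not taken from the manual, that models the matching rules described above: first match by ascending index in an IP prefix list, logical AND between the if-match clauses of a node, and permit/deny nodes tried in ascending order in a routing policy. It assumes that an item without greater-equal or less-equal matches only its exact mask length, that less-equal alone allows lengths from the item's mask length up to the given value, and that a node with no if-match clause matches every route; the node numbers, the PREFIX_A and PREFIX_B lists and the route attributes are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PrefixItem:
    index: int
    permit: bool
    prefix: str
    ge: Optional[int] = None   # greater-equal bound (assumed semantics)
    le: Optional[int] = None   # less-equal bound (assumed semantics)

    def matches(self, dest) -> bool:
        net = ipaddress.ip_network(self.prefix)
        if dest.version != net.version or not dest.subnet_of(net):
            return False
        if self.ge is None and self.le is None:
            return dest.prefixlen == net.prefixlen
        low = net.prefixlen if self.ge is None else self.ge
        high = dest.max_prefixlen if self.le is None else self.le
        return low <= dest.prefixlen <= high


def prefix_list_passes(items, dest: str) -> bool:
    """Items are tried in ascending index order; the first match decides."""
    network = ipaddress.ip_network(dest)
    for item in sorted(items, key=lambda i: i.index):
        if item.matches(network):
            return item.permit
    return False    # no item matched, so the route does not pass


@dataclass
class Node:
    number: int
    permit: bool
    if_match: list = field(default_factory=list)   # predicates, all must hold (AND)
    apply: dict = field(default_factory=dict)      # attributes set by a permit node


def run_policy(nodes, route: dict) -> Optional[dict]:
    """Return the route with apply clauses applied, or None if it is filtered."""
    for node in sorted(nodes, key=lambda n: n.number):
        if all(cond(route) for cond in node.if_match):
            return {**route, **node.apply} if node.permit else None
    return None     # the route met no node's conditions


def in_prefix_list(items):
    """Build an if-match predicate that references a prefix list."""
    return lambda route: prefix_list_passes(items, route["dest"])


def redistribute(policy, routes):
    results = (run_policy(policy, r) for r in routes)
    return [r for r in results if r is not None]


# The IPv4 prefix list "abc" from the text above.
ABC = [
    PrefixItem(10, False, "10.1.0.0/16"),
    PrefixItem(20, False, "10.2.0.0/16"),
    PrefixItem(30, False, "10.3.0.0/16"),
    PrefixItem(40, True, "0.0.0.0/0", le=32),
]

# Constructed policy: set a cost on one route, a tag on another, pass the rest.
PREFIX_A = [PrefixItem(10, True, "172.17.1.0/24")]
PREFIX_B = [PrefixItem(10, True, "172.17.2.0/24")]
POLICY = [
    Node(10, True, [in_prefix_list(PREFIX_A)], {"cost": 100}),
    Node(20, True, [in_prefix_list(PREFIX_B)], {"tag": 20}),
    Node(30, True),
]
ROUTES = [{"dest": f"172.17.{n}.0/24", "cost": 1, "tag": 0} for n in (1, 2, 3)]

if __name__ == "__main__":
    print(prefix_list_passes(ABC, "10.2.0.0/16"), prefix_list_passes(ABC, "192.168.0.0/24"))
    for route in redistribute(POLICY, ROUTES):
        print(route)
    # Without the final permit node, routes that match no node are dropped.
    print(redistribute(POLICY[:2], ROUTES))
```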
Defining if-match Clauses for the Routing Policy
To define if-match clauses for a route-policy, use the following command:
To do...                                        Use the command...                      Remarks
Enter system view                               system-view                             -
Enter routing policy view                       route-policy route-policy-name          Required
                                                { permit | deny } node node-number
Define match criteria for IPv4 routes:
  Match IPv4 routes having destinations         if-match acl acl-number                 Optional. Not configured by default
  specified in the ACL
  Match IPv4 routes having destinations         if-match ip-prefix ip-prefix-name
  specified in the IP prefix list
  Match IPv4 routes having next hops or         if-match ip { next-hop |                Optional. Not configured by default
  sources specified in the ACL or IP            route-source } { acl acl-number |
  prefix list                                   ip-prefix ip-prefix-name }
Match IPv6 routes having the next hop or        if-match ipv6 { address | next-hop |    Optional. Not configured by default
source specified in the ACL or IP prefix        route-source } { acl acl-number |
list                                            prefix-list ipv6-prefix-name }
Match routes having AS path attributes          if-match as-path                        Optional. Not configured by default
specified in the AS path ACL(s)                 as-path-acl-number&<1-16>
Match routes having community attributes in     if-match community                      Optional. Not configured by default
the specified community list(s)                 { basic-community-list-number
                                                [ whole-match ] |
                                                adv-community-list-number }&<1-16>
Match routes having the specified cost          if-match cost value                     Optional. Not configured by default
Match BGP routes having extended attributes     if-match extcommunity                   Optional. Not configured by default
contained in the extended community list(s)     ext-comm-list-number&<1-16>
Match routes having specified outbound          if-match interface { interface-type     Optional. Not configured by default
interface(s)                                    interface-number }&<1-16>
Match routes having MPLS label                  if-match mpls-label                     Optional. Not configured by default
Match routes having the specified route type    if-match route-type { internal |        Optional. Not configured by default
                                                external-type1 | external-type2 |
                                                external-type1or2 | is-is-level-1 |
                                                is-is-level-2 | nssa-external-type1 |
                                                nssa-external-type2 |
                                                nssa-external-type1or2 } *
Match RIP, OSPF, or IS-IS routes having the     if-match tag value                      Optional. Not configured by default
specified tag value
Defining apply Clauses for the Routing Policy
To define apply clauses for a route-policy, use the following command:
To do...                          Use the command...                        Remarks
Enter system view                 system-view                               -
Create a routing policy and       route-policy route-policy-name            Required. Not created by default
enter its view                    { permit | deny } node node-number
Set AS_Path attribute for BGP     apply as-path as-number&<1-10>            Optional. Not set by default
routes                            [ replace ]
Delete community attributes of    apply comm-list comm-list-number delete   Optional. Not configured by default
BGP routing information
according to the community list
Set community attribute for       apply community { none | additive |       Optional. Not set by default
BGP routes                        { community-number&<1-16> |
                                  aa:nn&<1-16> | internet |
                                  no-export-subconfed | no-export |
                                  no-advertise } * [ additive ] }
Set a cost for routes             apply cost [ + | - ] value                Optional. Not set by default
n ■ The difference between IPv4 and IPv6 apply clauses is the command of setting
the next hop for routing information.
■ The apply ip-address next-hop and apply ipv6 next-hop commands do
not apply to redistributed IPv4 and IPv6 routes respectively.
Displaying and Maintaining the Routing Policy
To do...                          Use the command...                        Remarks
Display BGP AS path ACL           display ip as-path [ as-path-number ]     Available in any view
information
Display BGP community list        display ip community-list
information                       [ basic-community-list-number |
                                  adv-community-list-number ]
Display BGP extended community    display ip extcommunity-list
list information                  [ ext-comm-list-number ]
Display IPv4 prefix list          display ip ip-prefix [ ip-prefix-name ]
statistics
Display IPv6 prefix list          display ip ipv6-prefix
statistics                        [ ipv6-prefix-name ]
Display routing policy            display route-policy
information                       [ route-policy-name ]
Clear IPv4 prefix list            reset ip ip-prefix [ ip-prefix-name ]     Available in user view
statistics
Clear IPv6 prefix statistics      reset ip ipv6-prefix
                                  [ ipv6-prefix-name ]
Routing Policy Configuration Example
Network diagram
Figure 300 Network diagram for routing policy application to route redistribution
Router A (OSPF): S2/1 192.168.1.1/24
Router B (OSPF and IS-IS): S2/0 192.168.1.2/24 on the OSPF side, S2/1 192.168.2.2/24 on the IS-IS side
Router C (IS-IS): S2/1 192.168.2.1/24, Eth1/0 172.17.1.1/24, Eth1/1 172.17.2.1/24, Eth1/2 172.17.3.1/24
Configuration procedure
1 Configure IP addresses for interfaces (omitted)
2 Configure IS-IS
# Configure Router C.
<RouterC> system-view
[RouterC] isis
[RouterC-isis-1] is-level level-2
[RouterC-isis-1] network-entity 10.0000.0000.0001.00
[RouterC-isis-1] quit
[RouterC] interface serial 2/1
[RouterC-Serial2/1] isis enable
[RouterC-Serial2/1] quit
[RouterC] interface ethernet 1/0
[RouterC-Ethernet1/0] isis enable
[RouterC-Ethernet1/0] quit
[RouterC] interface ethernet 1/1
[RouterC-Ethernet1/1] isis enable
[RouterC-Ethernet1/1] quit
[RouterC] interface ethernet 1/2
[RouterC-Ethernet1/2] isis enable
[RouterC-Ethernet1/2] quit
# Configure Router B.
[RouterB] isis
[RouterB-isis-1] is-level level-2
[RouterB-isis-1] network-entity 10.0000.0000.0002.00
[RouterB-isis-1] quit
[RouterB] interface serial 2/1
[RouterB-Serial2/1] isis enable
[RouterB-Serial2/1] quit
3 Configure OSPF and route redistribution.
<RouterA> system-view
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
[RouterB] ospf
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] import-route isis 1
[RouterB-ospf-1] quit
# Display the OSPF routing table on Router A. You can find the redistributed routes.
Total Nets: 5
Intra Area: 1 Inter Area: 0 ASE: 4 NSSA: 0
# Configure an IP prefix list with the name prefix-a to allow 172.17.1.0/24 to pass.
[RouterB] ospf
[RouterB-ospf-1] import-route isis 1 route-policy isis2ospf
[RouterB-ospf-1] quit
# Display the OSPF routing table information on Router A. You can find that the
route cost to the destination 172.17.1.0/24 is 100 and the tag of the route
172.17.2.0/24 is 20; other external routes are unchanged.
Total Nets: 5
Intra Area: 1 Inter Area: 0 ASE: 4 NSSA: 0
Network diagram
Figure 301 Network diagram for routing policy application to route redistribution
Router A: S2/0 10::1/32, S2/1 11::1/32
Router B: S2/0 10::2/32
Networks shown in the figure: 20::/32, 30::/32, 40::/32
Configuration procedure
1 Configure Router A.
# Configure IPv6 addresses for interfaces Serial 2/0 and Serial 2/1 and enable PPP.
<RouterA> system-view
[RouterA] ipv6
[RouterA] interface serial 2/0
[RouterA-Serial2/0] ipv6 address 10::1 32
[RouterA-Serial2/0] link-protocol ppp
[RouterA-Serial2/0] quit
[RouterA] interface serial 2/1
[RouterA-Serial2/1] ipv6 address 11::1 32
[RouterA-Serial2/1] link-protocol ppp
[RouterA-Serial2/1] quit
# Enable RIPng and apply routing policy static2ripng to filter redistributed static
routes on Router A.
[RouterA] ripng
[RouterA-ripng-1] import-route static route-policy static2ripng
2 Configure Router B.
# Configure the IPv6 address for Serial 2/0 and enable PPP.
<RouterB> system-view
[RouterB] ipv6
[RouterB] interface serial 2/0
[RouterB-Serial2/0] ipv6 address 10::2 32
[RouterB-Serial2/0] link-protocol ppp
# Enable RIPng.
[RouterB] ripng
Troubleshooting Routing Policy Configuration
Processing procedure
1 Use the display ip ip-prefix command to display IP prefix list information.
2 Use the display route-policy command to display routing policy information.
Processing procedure
1 Use the display ip ipv6-prefix command to display IP prefix list information.
2 Use the display route-policy command to display routing policy information.
Introduction
Static Route
A static route is a special route that is manually configured by the network
administrator. If a network’s topology is simple, you only need to configure static
routes for network interconnection. The proper configuration and usage of static
routes can improve network performance and ensure bandwidth for important
network applications.
The disadvantage of using static routes is that they cannot adapt to network
topology changes. If a fault or a topological change occurs to the network, the
routes will be unavailable and the network breaks. In this case, the network
administrator has to modify the static routes manually.
Default Route
A router selects the default route only when it cannot find any matching entry in
the routing table.
■ If the destination address of a packet fails to match any entry in the routing
table, the router selects the default route to forward the packet.
■ If there is no default route and the destination address of the packet fails to
match any entry in the routing table, the packet will be discarded and an ICMP
packet will be sent to the source to report that the destination or the network
is unreachable.
You can create the default route with both destination and mask being 0.0.0.0,
and some dynamic routing protocols, such as OSPF, RIP and IS-IS, can also
generate the default route.
Application Environment of Static Routing
Before configuring a static route, you need to know the following concepts:
1 Destination address and mask
While configuring a static route, you can specify either the output interface or the
next hop address depending on the situation. The next hop address cannot be a
local interface IP address; otherwise, the route configuration will not take
effect.
In fact, all the route entries must have a next hop address. When forwarding a
packet, a router first searches the routing table for the route to the destination
address of the packet. The system can find the corresponding link layer address
and forward the packet only after the next hop address is specified.
You can configure different preferences for different static routes so that route
management policies can be applied more flexibly. For example, specifying the
same preference for different routes to the same destination enables load sharing,
while specifying different preferences for these routes enables route backup.
Configuring a Static Route
Configuration Prerequisites
Before configuring a static route, you need to finish the following tasks:
■ Configure the physical parameters for related interfaces
n ■ When configuring a static route, the static route does not take effect if you
specify the next hop address first and then configure it as the IP address of a
local interface, such as Ethernet interface and VLAN interface.
■ If you do not specify the preference when configuring a static route, the
default preference will be used. Reconfiguring the default preference applies
only to newly created static routes.
■ You can flexibly control static routes by configuring tag values and using the
tag values in the routing policy.
■ If the destination IP address and mask are both configured as 0.0.0.0 with the
ip route-static command, the route is the default route.
Detecting Reachability of the Static Route’s Nexthop
If a static route fails due to a topology change or a fault, the connection will be
interrupted. To improve network stability, the system needs to detect reachability
of the static route’s next hop and switch to a backup route once the next hop is
unreachable. The following method is used to detect reachability of the static
route’s next hop.
Detecting Nexthop Reachability Through Track
If you specify the nexthop but not the outgoing interface when configuring a static
route, you can associate the static route with a track entry to check the static route
validity. When the track entry is positive, the static route’s nexthop is reachable
and the static route takes effect; when the track entry is negative, the static route’s
nexthop is unreachable and the static route is invalid. For details about track, refer
to “Track Configuration” on page 2207.
Network requirements
To detect the reachability of a static route’s nexthop through a Track entry, you
need to create a Track first. For detailed Track configuration procedure, refer to
“Track Configuration” on page 2207.
Configuration procedure
Follow these steps to detect the reachability of a static route’s nexthop through
Track:
Note:
■ To configure this feature for an existing static route, simply associate the static
route with a track entry. For a non-existent static route, configure it and
associate it with a Track entry.
■ If the track module uses NQA to detect the reachability of the private network
static route’s nexthop, the VPN instance number of the static route’s nexthop
must be identical to that configured in the NQA test group.
■ If a static route needs route recursion, the associated track entry must monitor
the nexthop of the recursive route instead of that of the static route;
otherwise, a valid route may be mistakenly considered invalid.
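The following added example (not part of the 3Com manual) models how the rules above combine: a route with a local next hop never takes effect, a negative track entry invalidates its route, equal preferences give load sharing, and different preferences give backup. The names StaticRoute, usable and next_hops, the backup next hop 1.1.7.1, the preference values and the track entry number are constructed for illustration; the rule that the smaller preference value wins is an assumption about the device, not something this section states.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class StaticRoute:
    dest: str                    # destination address, as given to ip route-static
    mask: str                    # dotted-decimal mask
    nexthop: str
    preference: int              # always given explicitly in this sketch
    track: Optional[int] = None  # associated track entry, if any

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.dest}/{self.mask}")


def usable(route: StaticRoute, track_positive: Dict[int, bool],
           local_addrs: Set[str]) -> bool:
    """A route takes effect only if its next hop is not a local interface
    address and its track entry, when one is associated, is positive."""
    if route.nexthop in local_addrs:
        return False
    if route.track is not None and not track_positive.get(route.track, False):
        return False
    return True


def next_hops(routes: List[StaticRoute], dst: str,
              track_positive: Dict[int, bool],
              local_addrs: Set[str]) -> List[str]:
    """Next hops chosen for dst: longest match first, then best preference.
    More than one result means load sharing across equal-preference routes."""
    addr = ipaddress.ip_address(dst)
    cands = [r for r in routes
             if usable(r, track_positive, local_addrs) and addr in r.network]
    if not cands:
        return []
    longest = max(r.network.prefixlen for r in cands)
    cands = [r for r in cands if r.network.prefixlen == longest]
    best = min(r.preference for r in cands)   # assumption: smaller value wins
    return sorted(r.nexthop for r in cands if r.preference == best)


# Constructed routing table for a router whose own interface address is 1.1.5.6.
LOCAL = {"1.1.5.6"}
ROUTES = [
    StaticRoute("1.1.2.0", "255.255.255.0", "1.1.5.5", 60, track=1),  # primary
    StaticRoute("1.1.2.0", "255.255.255.0", "1.1.7.1", 80),           # backup
    StaticRoute("1.1.6.0", "255.255.255.0", "1.1.5.5", 60),           # load sharing
    StaticRoute("1.1.6.0", "255.255.255.0", "1.1.7.1", 60),
    StaticRoute("1.1.9.0", "255.255.255.0", "1.1.5.6", 60),           # local next hop
    StaticRoute("0.0.0.0", "0.0.0.0", "1.1.5.5", 60),                 # default route
]

if __name__ == "__main__":
    for state in (True, False):
        print("track 1 positive:", state,
              next_hops(ROUTES, "1.1.2.2", {1: state}, LOCAL))
```

A track entry that monitors the wrong next hop shows up here as the backup route being selected while the primary path is still healthy.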
Displaying and Maintaining Static Routes
To do... | Use the command... | Remarks
View the current configuration information | display current-configuration | Available in any view
View the brief information of the IP routing table | display ip routing-table | Available in any view
View the detailed information of the IP routing table | display ip routing-table verbose | Available in any view
View information of static routes | display ip routing-table protocol static [ inactive | verbose ] | Available in any view
Delete all the static routes | delete [ vpn-instance vpn-instance-name ] static-routes all | Available in system view
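Network diagram
[Figure: Host A (1.1.2.2/24) attaches to Router A Eth1/0 (1.1.2.3/24). Router A
Eth1/1 (1.1.4.1/30) connects to Router B Eth1/0 (1.1.4.2/30). Router B Eth1/1
(1.1.5.5/30) connects to Router C Eth1/1 (1.1.5.6/30). Host B (1.1.6.2/24)
attaches to Router B Eth1/2 (1.1.6.1/24). Host C (1.1.3.2/24) attaches to
Router C Eth1/0 (1.1.3.1/24).]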
Configuration procedure
1 Configuring IP addresses for interfaces (omitted)
2 Configuring static routes
<RouterA> system-view
<RouterB> system-view
[RouterB] ip route-static 1.1.2.0 255.255.255.0 1.1.4.1
[RouterB] ip route-static 1.1.3.0 255.255.255.0 1.1.5.6
<RouterC> system-view
[RouterC] ip route-static 0.0.0.0 0.0.0.0 1.1.5.5
3 Configure the hosts
The default gateways for the three hosts Host A, Host B and Host C are 1.1.2.3,
1.1.6.1 and 1.1.3.1 respectively. The detailed configuration procedure is omitted.
Note: This chapter describes only configuration for IPv6 BGP. For BGP related
information, refer to “BGP Configuration” on page 825.
When configuring IPv6 BGP, go to these sections for information you are
interested in:
IPv6 BGP Overview
BGP-4 manages only IPv4 routing information, thus other network layer protocols
such as IPv6 are not supported.
To implement IPv6 support, IPv6 BGP puts IPv6 network layer information into the
attributes of Network Layer Reachability Information (NLRI) and NEXT_HOP.
IPv6 BGP utilizes BGP multiprotocol extensions for application in IPv6 networks.
The original messaging and routing mechanisms of BGP are not changed.
Task | Subtask | Remarks
“IPv6 BGP Configuration” on page 1015 | “Configuring IPv6 BGP Timers” on page 1025 | Optional
 | “Configuring IPv6 BGP Soft Reset” on page 1026 | Optional
 | “Configuring the Maximum Number of Load-Balanced Routes” on page 1026 | Optional
“IPv6 BGP Configuration” on page 1015 | “Configuring IPv6 BGP Peer Group” on page 1027 | Optional
 | “Configuring IPv6 BGP Community” on page 1028 | Optional
 | “Configuring an IPv6 BGP Route Reflector” on page 1029 | Optional
“Configuring 6PE” on page 1029 | “Configuring Basic 6PE Capabilities” on page 1030 | Required
 | “Configuring Optional 6PE Capabilities” on page 1031 | Optional
Note: You need to create a peer group before configuring basic functions for it. For
related information, refer to “Configuring IPv6 BGP Peer Group” on page 1027.
Advertising a Local IPv6 Route
Follow these steps to advertise a local route into the routing table:
To do... | Use the command... | Remarks
Enter system view | system-view | -
Configuring a Preferred Value for Routes from a Peer/Peer Group
Follow these steps to configure a preferred value for routes received from a
peer/peer group:
To do... | Use the command... | Remarks
Enter system view | system-view | -
Enter BGP view | bgp as-number | Required
Enter IPv6 address family view | ipv6-family | -
Configure a preferred value for routes received from a peer/peer group | peer { ipv6-group-name | ipv6-address } preferred-value value | Optional. By default, the preferred value is 0.
CAUTION: If you both reference a routing policy and use the command peer
{ ipv6-group-name | ipv6-address } preferred-value value to set a preferred value
for routes from a peer, the routing policy sets a non-zero preferred value for
routes matching it. Other routes not matching the routing policy use the value set
with the command. If the preferred value in the routing policy is zero, the routes
matching it will also use the value set with the command. For information about
using a routing policy to set a preferred value, refer to the command peer
{ group-name | ipv4-address | ipv6-address } route-policy route-policy-name
{ import | export } in this document, and the command apply preferred-value
preferred-value in “Routing Policy Configuration” on page 991.
Specifying a Local Update Source Interface to a Peer/Peer Group
Follow these steps to specify a local update source interface connected to a peer:
To do... | Use the command... | Remarks
Enter system view | system-view | -
Enter BGP view | bgp as-number | Required
Enter IPv6 address family view | ipv6-family | -
Specify the source interface for establishing TCP connections to a BGP peer or peer group | peer { ipv6-group-name | ipv6-address } connect-interface interface-type interface-number | Required. By default, IPv6 BGP uses the outbound interface of the best route to the BGP peer as the source interface for establishing a TCP connection.
Note:
■ To improve stability and reliability, you can specify a loopback interface as
the local interface of an IPv6 BGP connection. That way, when redundant links
are available, the failure of one link does not affect the IPv6 BGP connection.
■ To establish multiple BGP connections to an IPv6 BGP router, you need to
specify on the local router the respective source interfaces for establishing TCP
connections to the peers on the peering BGP router; otherwise, the local BGP
router may fail to establish TCP connections to the peers when using the
outbound interfaces of the best routes as the source interfaces.
Configuring a Non Direct EBGP Connection to a Peer/Peer Group
Follow these steps to configure an EBGP connection to a peer not directly
connected:
To do... | Use the command... | Remarks
Enter system view | system-view | -
Enter BGP view | bgp as-number | Required
Enter IPv6 address family view | ipv6-family | -
Configure a non direct EBGP connection to a peer/peer group | peer { ipv6-group-name | ipv6-address } ebgp-max-hop [ hop-count ] | Required. Not configured by default.
CAUTION: In general, direct links should be available between EBGP peers. If not,
you can use the peer ebgp-max-hop command to establish a multi-hop TCP
connection in between. However, you need not use this command for direct EBGP
connection with loopback interfaces.
Configuring Description for a Peer/Peer Group
Follow these steps to configure description for a peer/peer group:
To do... | Use the command... | Remarks
Enter system view | system-view | -
Enter BGP view | bgp as-number | Required
Enter IPv6 address family view | ipv6-family | -
Configure description for a peer/peer group | peer { ipv6-group-name | ipv6-address } description description-text | Optional. Not configured by default.
Note: The peer group for which to configure description must have been created.
Establishing No Session to a Peer/Peer Group
Follow these steps to disable session establishment to a peer/peer group:
To do... | Use the command... | Remarks
Enter system view | system-view | -
Enter BGP view | bgp as-number | Required
Enter IPv6 address family view | ipv6-family | -
Disable session establishment to a peer/peer group | peer { ipv6-group-name | ipv6-address } ignore | Optional. Not disabled by default.
Logging Session State and Event Information of a Peer/Peer Group
Follow these steps to log the session and event information of a peer/peer
group:
To do... | Use the command... | Remarks
Enter system view | system-view | -
Enter BGP view | bgp as-number | Required
Controlling Route Distribution and Reception
The task includes routing information filtering, routing policy application and route
dampening.
■ ACL number
■ Routing policy names on both distribution and reception directions
■ Route dampening parameters: half-life, threshold values
Configuring IPv6 BGP Route Redistribution
Follow these steps to configure IPv6 BGP route redistribution and filtering:
To do... | Use the command... | Remarks
Enter system view | system-view | -
Enter BGP view | bgp as-number | -
Enter IPv6 address family view | ipv6-family | -
Enable default route redistribution into the IPv6 BGP routing table | default-route imported | Optional. Not enabled by default.
Enable route redistribution from another routing protocol | import-route protocol [ process-id ] [ med med-value | route-policy route-policy-name ]* | Required. Not enabled by default.
Advertising a Default Route to a Peer/Peer Group
Follow these steps to advertise default route to a peer/peer group:
To do... | Use the command... | Remarks
Enter system view | system-view | -
Enter BGP view | bgp as-number | Required
Configuring Route Distribution Policy
Follow these steps to configure policies for route distribution:
To do... | Use the command... | Remarks
Enter system view | system-view | -
Enter BGP view | bgp as-number | Required
Enter IPv6 address family view | ipv6-family | -
Configure outbound route filtering | filter-policy { acl6-number | ipv6-prefix ipv6-prefix-name } export [ protocol process-id ] | Required. Not configured by default.
Apply a routing policy to routes advertised to a peer/peer group | peer { ipv6-group-name | ipv6-address } route-policy route-policy-name export | Required. Not applied by default.
Specify an IPv6 ACL to filter routes advertised to a peer/peer group | peer { ipv6-group-name | ipv6-address } filter-policy acl6-number export | Required. Not specified by default.
Specify an AS path ACL to filter routes advertised to a peer/peer group | peer { ipv6-group-name | ipv6-address } as-path-acl as-path-acl-number export | Required. Not specified by default.
Specify an IPv6 prefix list to filter routes advertised to a peer/peer group | peer { ipv6-group-name | ipv6-address } ipv6-prefix ipv6-prefix-name export | Required. Not specified by default.
Note:
■ Members of a peer group must have the same outbound route policy as the
peer group.
■ IPv6 BGP advertises routes passing the specified policy to peers. Using the
protocol argument can filter only the specified protocol routes. If no protocol
is specified, IPv6 BGP filters all routes to be advertised, including redistributed
routes and routes imported using the network command.
Note:
■ Only routes passing the specified policy can be added into the local IPv6 BGP
routing table.
■ Members of a peer group can have different inbound route policies.
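The following added example (not part of the 3Com manual) audits an IPv6 address family configuration for peers that have no route filter in one direction, using the per-peer route-policy, filter-policy, as-path-acl and ipv6-prefix commands described above. The configuration text, the policy names and the peer 20::2 are constructed; the rule that every EBGP peer should carry a filter in both directions is a local audit policy assumed for the example, and peer group inheritance is not resolved.

```python
import re
from typing import Dict, List, Optional

_LOCAL = re.compile(r"^bgp\s+(?P<asn>\d+)$")
_AS = re.compile(r"^peer\s+(?P<peer>\S+)\s+as-number\s+(?P<asn>\d+)$")
_FILTER = re.compile(
    r"^peer\s+(?P<peer>\S+)\s+"
    r"(?P<kind>route-policy|filter-policy|as-path-acl|ipv6-prefix)\s+"
    r"(?P<name>\S+)\s+(?P<dir>import|export)$")


def audit(config: str) -> Dict[str, dict]:
    """Per peer: session type, filters applied per direction, and the
    directions that have no filter at all."""
    local_as: Optional[int] = None
    remote_as: Dict[str, int] = {}
    applied: Dict[str, Dict[str, List[str]]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = _LOCAL.match(line)
        if m:
            local_as = int(m.group("asn"))
            continue
        m = _AS.match(line)
        if m:
            remote_as[m.group("peer")] = int(m.group("asn"))
            applied.setdefault(m.group("peer"), {"import": [], "export": []})
            continue
        m = _FILTER.match(line)
        if m:
            slot = applied.setdefault(m.group("peer"),
                                      {"import": [], "export": []})
            slot[m.group("dir")].append(f'{m.group("kind")} {m.group("name")}')
    report: Dict[str, dict] = {}
    for peer, dirs in applied.items():
        asn = remote_as.get(peer)
        if asn is None or local_as is None:
            kind = "unknown"
        else:
            kind = "IBGP" if asn == local_as else "EBGP"
        report[peer] = {
            "type": kind,
            "import": dirs["import"],
            "export": dirs["export"],
            "missing": [d for d in ("import", "export") if not dirs[d]],
        }
    return report


def findings(config: str) -> List[str]:
    """EBGP peers with an unfiltered direction (assumed local audit rule)."""
    rep = audit(config)
    out: List[str] = []
    for peer in sorted(rep):
        if rep[peer]["type"] == "EBGP":
            out += [f"{peer}: no {d} filter" for d in rep[peer]["missing"]]
    return out


# Constructed configuration in the style of this chapter's examples.
SAMPLE = """
bgp 65009
 router-id 2.2.2.2
 ipv6-family
  peer 10::2 as-number 65008
  peer 10::2 ipv6-prefix FROM-65008 import
  peer 20::2 as-number 65010
  peer 9:1::2 as-number 65009
  peer 9:3::2 as-number 65009
  peer 9:3::2 route-policy TO-C export
"""

if __name__ == "__main__":
    for finding in findings(SAMPLE):
        print(finding)
```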
Configuring IPv6 BGP and IGP Route Synchronization
With this feature enabled and when a non-BGP router is responsible for
forwarding packets in an AS, IPv6 BGP speakers in the AS cannot advertise routing
information to outside ASs unless all routers in the AS know the latest routing
information.
By default, when a BGP router receives an IBGP route, it only checks the
reachability of the route’s next hop before advertisement. If the synchronization
feature is configured, the IBGP route can be advertised to EBGP peers only if it
is also advertised by the IGP.
Follow these steps to configure IPv6 BGP and IGP route synchronization:
Configuring IPv6 BGP Route Attributes
This section describes how to use IPv6 BGP route attributes to modify BGP routing
policy. These attributes are:
■ IPv6 BGP protocol preference
■ Default LOCAL_PREF attribute
■ MED attribute
■ NEXT_HOP attribute
■ AS_PATH attribute
Configuring IPv6 BGP Preference and Default LOCAL_PREF and NEXT_HOP Attributes
Follow these steps to configure IPv6 BGP preference and default LOCAL_PREF and
NEXT_HOP attributes:
To do... | Use the command... | Remarks
Enter system view | system-view | -
Enter BGP view | bgp as-number | Required
Enter IPv6 address family view | ipv6-family | -
Configure preference values for IPv6 BGP external, internal, local routes | preference { external-preference internal-preference local-preference | route-policy route-policy-name } | Optional. The default preference values of external, internal and local routes are 255, 255, 130 respectively.
Configure the default value for local preference | default local-preference value | Optional. The value defaults to 100.
Advertise routes to a peer/peer group with the local router as the next hop | peer { ipv6-group-name | ipv6-address } next-hop-local | Required. By default, the feature is available for routes advertised to the EBGP peer/peer group, but not available to the IBGP peer/peer group.
Note:
■ To make sure an IBGP peer can find the correct next hop, you can configure
routes advertised to the peer to use the local router as the next hop. If BGP
load balancing is configured, the local router specifies itself as the next hop of
outbound routes to a peer/peer group regardless of whether the peer
next-hop-local command is configured.
■ In a “third party next hop” network, that is, the two EBGP peers reside in a
common broadcast subnet, the router does not specify itself as the next hop
for routes to the EBGP peer by default, unless the peer next-hop-local
command is configured.
Configuring the MED Attribute
Follow these steps to configure the MED attribute:
To do... | Use the command... | Remarks
Enter system view | system-view | -
Enter BGP view | bgp as-number | Required
Enter IPv6 address family view | ipv6-family | -
Configure a default MED value | default med med-value | Optional. Defaults to 0.
Enable the comparison of MED values of routes from different EBGP peers | compare-different-as-med | Optional. Not enabled by default.
Prioritize MED values of routes from each AS | bestroute compare-med | Optional. Not configured by default.
Prioritize MED values of routes from confederation peers | bestroute med-confederation | Optional. Not configured by default.
Adjusting and Optimizing IPv6 BGP Networks
This section describes configurations of IPv6 BGP timers, IPv6 BGP connection soft
reset and the maximum number of load balanced routes.
■ IPv6 BGP timers
After establishing an IPv6 BGP connection, two routers send keepalive messages
periodically to each other to keep the connection. If a router receives no keepalive
message from the peer after the holdtime elapses, it tears down the connection.
When establishing an IPv6 BGP connection, the two parties compare their
holdtime values, taking the shorter one as the common holdtime. If the holdtime
is 0, no keepalive message is sent and the holdtime is not checked.
After modifying a route selection policy, you have to reset IPv6 BGP connections to
make the new one take effect, causing a short time disconnection. The current
IPv6 BGP implementation supports the route-refresh feature that enables dynamic
IPv6 BGP routing table refresh without needing to disconnect IPv6 BGP links.
With this feature enabled on all IPv6 BGP routers in a network, when a routing
policy is modified on a router, the router advertises a route-refresh message to its
peers, which then send their routing information back to the router. Therefore, the
local router can perform dynamic routing information update and apply the new
policy without tearing down connections.
Configuring IPv6 BGP Timers
Follow these steps to configure IPv6 BGP timers:
To do... | Use the command... | Remarks
Enter system view | system-view | -
Enter BGP view | bgp as-number | Required
Enter IPv6 address family view | ipv6-family | -
Configure IPv6 BGP timers: specify keepalive interval and holdtime | timer keepalive keepalive hold holdtime | Optional. The keepalive interval defaults to 60 seconds, holdtime defaults to 180 seconds.
Configure IPv6 BGP timers: configure keepalive interval and holdtime for a peer/peer group | peer { ipv6-group-name | ipv6-address } timer keepalive keepalive hold holdtime | Optional. The keepalive interval defaults to 60 seconds, holdtime defaults to 180 seconds.
Note:
■ Timers configured using the timer command have lower priority than timers
configured using the peer timer command.
■ The holdtime interval must be at least three times the keepalive interval.
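The following added example (not part of the 3Com manual) works through the timer rules above: the peer timer command overrides the global timer command, the defaults are 60 and 180 seconds, the holdtime must be at least three times the keepalive interval, and the two ends settle on the shorter holdtime, with 0 switching liveness checking off. The function names and the sample configuration lines are constructed for illustration, and peer group membership is not resolved.

```python
import ipaddress
import re
from typing import Iterable, Optional, Tuple

DEFAULT_KEEPALIVE, DEFAULT_HOLD = 60, 180   # defaults from the timers table

_TIMER = re.compile(
    r"^(?:peer\s+(?P<peer>\S+)\s+)?timer\s+keepalive\s+(?P<ka>\d+)"
    r"\s+hold\s+(?P<hold>\d+)$")


def _norm(name: str) -> str:
    """Compare IPv6 addresses by value; leave peer group names untouched."""
    try:
        return ipaddress.ip_address(name).compressed
    except ValueError:
        return name


def effective_timers(config: Iterable[str], peer: str) -> Tuple[int, int]:
    """(keepalive, holdtime) the local router applies to `peer`.
    A `peer ... timer` line has priority over the global `timer` line."""
    global_t = (DEFAULT_KEEPALIVE, DEFAULT_HOLD)
    peer_t: Optional[Tuple[int, int]] = None
    for line in config:
        m = _TIMER.match(line.strip())
        if not m:
            continue
        pair = (int(m.group("ka")), int(m.group("hold")))
        if m.group("peer") is None:
            global_t = pair
        elif _norm(m.group("peer")) == _norm(peer):
            peer_t = pair
    return peer_t if peer_t is not None else global_t


def timer_problem(keepalive: int, hold: int) -> Optional[str]:
    """Return a description of the problem, or None if the pair is acceptable."""
    if hold == 0:
        return "holdtime 0: no keepalives are sent and the holdtime is not checked"
    if hold < 3 * keepalive:
        return f"holdtime {hold} is less than three times keepalive {keepalive}"
    return None


def session_report(local_cfg, peer_addr, remote_cfg, local_addr) -> dict:
    """Timers each side offers and the holdtime the session ends up with."""
    lk, lh = effective_timers(local_cfg, peer_addr)
    rk, rh = effective_timers(remote_cfg, local_addr)
    common = min(lh, rh)                     # the shorter holdtime is used
    problems = [p for p in (timer_problem(lk, lh), timer_problem(rk, rh)) if p]
    return {"local": (lk, lh), "remote": (rk, rh), "common_hold": common,
            "liveness_checked": common != 0, "problems": problems}


# Constructed IPv6 address family lines for three routers.
ROUTER_A = ["timer keepalive 30 hold 90",
            "peer 10::1 timer keepalive 10 hold 30"]
ROUTER_B = []                                  # defaults only
ROUTER_X = ["timer keepalive 60 hold 120"]     # violates the 3x rule
ROUTER_Y = ["peer 10::1 timer keepalive 0 hold 0"]

if __name__ == "__main__":
    print(session_report(ROUTER_A, "10::1", ROUTER_B, "10::2"))
    print(session_report(ROUTER_Y, "10::1", ROUTER_B, "10::2"))
```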
Note: If the peer keep-all-routes command is used, all routes from the peer/peer
group will be saved regardless of whether a filtering policy is available. These
routes will be used to generate IPv6 BGP routes after soft-reset is performed.
Configuring the Maximum Number of Load-Balanced Routes
Follow these steps to configure the maximum number of load balanced routes:
To do... | Use the command... | Remarks
Enter system view | system-view | -
Enter BGP view | bgp as-number | Required
Enter IPv6 address family view | ipv6-family | -
Configure the maximum number of load balanced routes | balance number | Required. By default, no load balancing is enabled.
Configuring a Large Scale IPv6 BGP Network
In a large-scale IPv6 BGP network, configuration and maintenance become
inconvenient because there are too many peers. In this case, configuring peer
groups makes management easier and improves route distribution efficiency. Peer
groups include IBGP peer groups, where peers belong to the same AS, and EBGP
peer groups, where peers belong to different ASs. If peers in an EBGP group belong
to the same external AS, the EBGP peer group is a pure EBGP peer group, and if
not, a mixed EBGP peer group.
In a peer group, all members share a common policy. Using the community
attribute can make a set of IPv6 BGP routers in multiple ASs share the same policy,
because the sending of community attributes between IPv6 BGP peers is not
limited by AS.
To guarantee connectivity between IBGP peers, you need to make them fully
meshed, but this becomes impractical when there are too many IBGP peers. Using
route reflectors or a confederation solves the problem. In a large-scale AS, both of
them can be used.
Note:
■ To create a pure EBGP peer group, you need to specify an AS number for the
peer group.
■ If a peer was added into an EBGP peer group, you cannot specify any AS
number for the peer group.
Note: When creating a mixed EBGP peer group, you need to create a peer and specify
its AS number that can be different from AS numbers of other peers, but you cannot
specify AS number for the EBGP peer group.
Note:
■ When configuring IPv6 BGP community, you need to configure a routing policy
to define the community attribute, and apply the routing policy to route
advertisement.
■ For routing policy configuration, refer to “Routing Policy Configuration” on
page 991.
Configuring an IPv6 BGP Route Reflector
Follow these steps to configure an IPv6 BGP route reflector:
To do... | Use the command... | Remarks
Enter system view | system-view | -
Enter BGP view | bgp as-number | Required
Enter IPv6 address family view | ipv6-family | -
Configure the router as a route reflector and specify a peer/peer group as a client | peer { ipv6-group-name | ipv6-address } reflect-client | Required. Not configured by default.
Enable route reflection between clients | reflect between-clients | Optional. Enabled by default.
Configure the cluster ID of the route reflector | reflector cluster-id cluster-id | Optional. By default, a route reflector uses its router ID as the cluster ID.
Configuring 6PE
IPv6 Provider Edge (6PE) is a transition technology with which Internet service
providers (ISPs) can use existing IPv4 backbone networks to provide access
capability for sparsely populated IPv6 networks, allowing customer edge (CE)
routers in these isolated IPv6 networks to communicate with IPv4 PE routers.
IPv6 routing information from users is converted into IPv6 routing information
with labels and then is flooded into IPv4 backbone networks of ISPs through
internal border gateway protocol (IBGP) sessions. When IPv6 packets are
forwarded, they will be labeled when entering tunnels of backbone networks. The
tunnels can be GRE tunnels or MPLS LSPs.
IGPs running on ISP networks can be OSPF or IS-IS. Static routing, IGP, or EBGP can
be used between CE and 6PE.
[Figure: two customer sites, each an IPv6 network with a CE router, attach to
6PE routers; the two 6PE routers are connected by IBGP across the IPv4/MPLS
network.]
Note: The P (Provider) router in the above figure refers to a backbone router in the
network of a service provider. P is not directly connected with a CE and is required
to have the basic MPLS capability.
When an ISP wants to utilize the existing IPv4/MPLS network to provide IPv6 traffic
switching capability through MPLS, only the PE routers need to be upgraded.
Therefore, using the 6PE technology as an IPv6 transition mechanism is
undoubtedly a highly efficient solution for ISPs. Furthermore, the operation risk of
the 6PE technology is very low.
Configuring Basic 6PE Capabilities
Follow these steps to configure the 6PE basic capabilities:
To do... | Use the command... | Remarks
Enter system view | system-view | -
Enable BGP and enter BGP view | bgp as-number | Required. Not enabled by default.
Configuring Optional 6PE Capabilities
Follow these steps to configure the 6PE optional capabilities:
To do... | Use the command... | Remarks
Enter system view | system-view | -
Enable BGP and enter BGP view | bgp as-number | Required. Not enabled by default.
Specify the AS number for the 6PE peer or peer group | peer { group-name | ipv4-address } as-number as-number | Required. Not specified by default.
Enter IPv6 address family view | ipv6-family | -
Enable the 6PE peer or peer group | peer { group-name | ipv4-address } enable | Required. Not enabled by default.
Advertise community attribute to the 6PE peer or peer group | peer { group-name | ipv4-address } advertise-community | Optional. Not advertised by default.
Advertise extended community attribute to the 6PE peer or peer group | peer { group-name | ipv4-address } advertise-ext-community | Optional. Not advertised by default.
Allow the local AS number to appear in routes from the peer or peer group and specify the repeat times | peer { group-name | ipv4-address } allow-as-loop [ number ] | Optional. Not allowed by default.
Specify an AS path ACL to filter routes from or to the 6PE peer or peer group | peer { group-name | ipv4-address } as-path-acl as-path-acl-number { import | export } | Optional. Not configured by default.
Advertise a default route to the 6PE peer or peer group | peer { group-name | ipv4-address } default-route-advertise [ route-policy route-policy-name ] | Optional. Not advertised by default.
Configure an inbound or outbound IPv6 ACL based filtering policy for the 6PE peer or peer group | peer { group-name | ipv4-address } filter-policy acl6-number { import | export } | Optional. Not configured by default.
Add a 6PE peer to an existing peer group | peer ipv4-address group group-name [ as-number as-number ] | Optional. Not added by default.
Configure an inbound or outbound IPv6 prefix list based filtering policy for the 6PE peer or peer group | peer { group-name | ipv4-address } ipv6-prefix ipv6-prefix-name { import | export } | Optional. Not configured by default.
Displaying and Maintaining IPv6 BGP Configuration
Displaying BGP
To do... | Use the command... | Remarks
Display peer group information | display bgp ipv6 group [ ipv6-group-name ] | Available in any view
Display IPv6 BGP advertised routing information | display bgp ipv6 network | Available in any view
Display AS path information | display bgp ipv6 paths [ as-regular-expression ] | Available in any view
Display BGP peer/peer group information | display bgp ipv6 peer [ group-name log-info | ipv4-address verbose | ipv6-address { log-info | verbose } ] | Available in any view
Display IPv6 BGP routing table information | display bgp ipv6 routing-table [ ipv6-address prefix-length ] | Available in any view
Display routing information matched by an AS path ACL | display bgp ipv6 routing-table as-path-acl as-path-acl-number | Available in any view
Display IPv6 BGP community routing information | display bgp ipv6 routing-table community [ aa:nn<1-13> ] [ no-advertise | no-export | no-export-subconfed ]* [ whole-match ] | Available in any view
Display routing information matched by an IPv6 BGP community list | display bgp ipv6 routing-table community-list { basic-community-list-number [ whole-match ] | adv-community-list-number }&<1-16> | Available in any view
Display BGP dampened routing information | display bgp ipv6 routing-table dampened | Available in any view
Display BGP dampening parameter information | display bgp ipv6 routing-table dampening parameter | Available in any view
Display routing information originated from different ASs | display bgp ipv6 routing-table different-origin-as | Available in any view
Display routing flap statistics | display bgp ipv6 routing-table flap-info [ regular-expression as-regular-expression | as-path-acl as-path-acl-number | network-address [ prefix-length [ longer-match ] ] ] | Available in any view
Display IPv6 label routing information | display bgp ipv6 routing-table label | Available in any view
Display routing information to or from an IPv4 or IPv6 peer | display bgp ipv6 routing-table peer { ipv4-address | ipv6-address } { advertised-routes | received-routes } [ network-address prefix-length | statistic ] | Available in any view
Display routing information matched by a regular expression | display bgp ipv6 routing-table regular-expression as-regular-expression | Available in any view
Display IPv6 BGP routing statistics | display bgp ipv6 routing-table statistic | Available in any view
IPv6 BGP Configuration Examples
Note: Some IPv6 BGP configuration examples are similar to those of BGP, so refer to
“BGP Configuration” on page 825 for related information.
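Network diagram
[Figure: Router A (AS 65008) S2/1 10::2/64 connects to Router B S2/1 10::1/64.
In AS 65009, Router B S2/2 9:3::1/64 connects to Router C S2/2 9:3::2/64,
Router B S2/0 9:1::1/64 connects to Router D S2/0 9:1::2/64, and Router C S2/1
9:2::1/64 connects to Router D S2/1 9:2::2/64.]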
Configuration procedure
1 Configure IPv6 addresses for interfaces (omitted)
2 Configure IBGP connections
# Configure Router B.
<RouterB> system-view
[RouterB] ipv6
[RouterB] bgp 65009
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] ipv6-family
[RouterB-bgp-af-ipv6] peer 9:1::2 as-number 65009
[RouterB-bgp-af-ipv6] peer 9:3::2 as-number 65009
[RouterB-bgp-af-ipv6] quit
[RouterB-bgp] quit
# Configure Router C.
<RouterC> system-view
[RouterC] ipv6
[RouterC] bgp 65009
[RouterC-bgp] router-id 3.3.3.3
[RouterC-bgp] ipv6-family
[RouterC-bgp-af-ipv6] peer 9:3::1 as-number 65009
[RouterC-bgp-af-ipv6] peer 9:2::2 as-number 65009
[RouterC-bgp-af-ipv6] quit
[RouterC-bgp] quit
# Configure Router D.
<RouterD> system-view
[RouterD] ipv6
[RouterD] bgp 65009
[RouterD-bgp] router-id 4.4.4.4
[RouterD-bgp] ipv6-family
[RouterD-bgp-af-ipv6] peer 9:1::1 as-number 65009
[RouterD-bgp-af-ipv6] peer 9:2::1 as-number 65009
[RouterD-bgp-af-ipv6] quit
[RouterD-bgp] quit
3 Configure the EBGP connection
# Configure Router A.
<RouterA> system-view
[RouterA] ipv6
[RouterA] bgp 65008
[RouterA-bgp] router-id 1.1.1.1
[RouterA-bgp] ipv6-family
[RouterA-bgp-af-ipv6] peer 10::1 as-number 65009
[RouterA-bgp-af-ipv6] quit
[RouterA-bgp] quit
# Configure Router B.
Router B and Router D need not establish an IBGP connection because Router C
reflects updates between them.
Network diagram
Figure 305 Network diagram for IPv6 BGP route reflector configuration
[Figure: Router A (AS 100) S2/1 100::1/96 connects to Router B S2/1 100::2/96.
In AS 200, Router C is the route reflector: Router C S2/2 101::1/96 connects by
IBGP to Router B S2/0 101::2/96, and Router C S2/1 102::1/96 connects by IBGP
to Router D S2/0 102::2/96.]
Configuration procedure
1 Configure IPv6 addresses for interfaces (omitted)
2 Configure IPv6 BGP basic functions
# Configure Router A.
<RouterA> system-view
[RouterA] ipv6
[RouterA] bgp 100
[RouterA-bgp] router-id 1.1.1.1
[RouterA-bgp] ipv6-family
[RouterA-bgp-af-ipv6] peer 100::2 as-number 200
[RouterA-bgp-af-ipv6] network 1:: 64
# Configure Router B
<RouterB> system-view
[RouterB] ipv6
[RouterB] bgp 200
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] ipv6-family
[RouterB-bgp-af-ipv6] peer 100::1 as-number 100
[RouterB-bgp-af-ipv6] peer 101::1 as-number 200
[RouterB-bgp-af-ipv6] peer 101::1 next-hop-local
# Configure Router C.
<RouterC> system-view
[RouterC] ipv6
[RouterC] bgp 200
[RouterC-bgp] router-id 3.3.3.3
[RouterC-bgp] ipv6-family
[RouterC-bgp-af-ipv6] peer 101::2 as-number 200
[RouterC-bgp-af-ipv6] peer 102::2 as-number 200
# Configure Router D.
<RouterD> system-view
[RouterD] ipv6
[RouterD] bgp 200
[RouterD-bgp] router-id 4.4.4.4
[RouterD-bgp] ipv6-family
[RouterD-bgp-af-ipv6] peer 102::1 as-number 200
3 Configure route reflector
Use the display bgp ipv6 routing-table command on Router B and Router D
respectively. You can find that both of them have learned the network 1::/64.
■ Connect the two IPv6 networks through the IPv4/MPLS network with the 6PE
feature.
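Network diagram
[Figure: CE 1 and CE 2 each attach to interface S2/0 of a PE router. One PE has
Loop 0 2.2.2.2/32 and 2::2/128 and S2/1 1.1.1.1/16; the other PE has Loop 0
3.3.3.3/32 and 3::3/128 and S2/1 1.1.1.2/16. The two S2/1 interfaces connect
the PE routers.]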
Configuration procedure
1 Configure CE 1
<CE1> system-view
[CE1] ipv6
<PE1> system-view
[PE1] ipv6
[PE1] mpls lsr-id 2.2.2.2
[PE1] mpls
[PE1-mpls] lsp-trigger all
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
# Configure IBGP, enable the peer’s 6PE capabilities, and redistribute IPv6 direct
and static routes.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 1.1.0.0 0.0.255.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
[PE1]
3 Configure PE 2
<PE2> system-view
[PE2] ipv6
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] lsp-trigger all
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
# Configure IBGP, enable the peer’s 6PE capabilities, and redistribute IPv6 direct
and static routes.
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 1.1.0.0 0.0.255.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
[PE2]
4 Configure CE 2
<CE2> system-view
[CE2] ipv6
[CE2] interface serial 2/0
[CE2-Serial2/0] ipv6 address auto link-local
[CE2-Serial2/0] quit
[CE2] interface loopback 0
[CE2-LoopBack0] ipv6 address 4::4/128
[CE2-LoopBack0] quit
After the above configuration, you can ping through the IPv6 address 4::4 of CE 2
from CE 1.
Troubleshooting IPv6 BGP Configuration
Analysis
To become IPv6 BGP peers, any two routers need to establish a TCP session using
port 179 and exchange open messages successfully.
Processing steps
1 Use the display current-configuration command to verify the peer’s AS number.
2 Use the display bgp ipv6 peer command to verify the peer’s IPv6 address.
3 If the loopback interface is used, check whether the peer connect-interface
command is configured.
4 If the peer is not directly connected, check whether the peer ebgp-max-hop
command is configured.
5 Check whether a route to the peer is available in the routing table.
6 Use the ping command to check connectivity.
7 Use the display tcp ipv6 status command to check the TCP connection.
8 Check whether an ACL for disabling TCP port 179 is configured.
TLV is a variable field in the Link State PDU or Link State Packet (LSP). The two TLVs
are:
NLPID is an 8-bit field with a value of 142 (0x8E), which indicates the network
layer protocol packet. If the IS-IS router supports IPv6, the advertised routing
information must be marked with the NLPID.
Note: You can implement IPv6 inter-networking through configuring IPv6 IS-IS in
IPv6 network environment.
■ Enable IS-IS
Configuration Procedure
Follow these steps to configure the basic functions of IPv6 IS-IS:
Configuration Prerequisites
You need to complete the IPv6 IS-IS basic function configuration before
configuring this task.
Configuration Procedure
Follow these steps to configure IPv6 IS-IS routing information control:
Note:
■ The ipv6 filter-policy export command, usually used in combination with the
ipv6 import-route command, filters redistributed routes when advertising
them to other routers. If no protocol is specified, routes redistributed from all
routing protocols are filtered before advertisement. If a protocol is specified,
only routes redistributed from that routing protocol are filtered for
advertisement.
■ For information about ACL, refer to “Configuring ACLs” on page 1881.
■ For information about routing policy and IPv6 prefix list, refer to “Routing
Policy Configuration” on page 991.
Displaying and Maintaining IPv6 IS-IS
To do...    Use the command...    Remarks
Display brief IPv6 IS-IS information    display isis brief    Available in any view
Display the status of the debug switches    display isis debug-switches { process-id | vpn-instance vpn-instance-name }    Available in any view
Display IS-IS enabled interface information    display isis interface [ verbose ] [ process-id | vpn-instance vpn-instance-name ]    Available in any view
Display IS-IS license information    display isis license    Available in any view
Display LSDB information    display isis lsdb [ [ l1 | l2 | level-1 | level-2 ] | [ [ lsp-id lsp-id | lsp-name lspname | local ] | verbose ] * ] * [ process-id | vpn-instance vpn-instance-name ]    Available in any view
Display IS-IS mesh group information    display isis mesh-group [ process-id | vpn-instance vpn-instance-name ]    Available in any view
Display the mapping table between the host name and system ID    display isis name-table [ process-id | vpn-instance vpn-instance-name ]    Available in any view
Display IS-IS neighbor information    display isis peer [ verbose ] [ process-id | vpn-instance vpn-instance-name ]    Available in any view
Display IPv6 IS-IS routing information    display isis route ipv6 [ [ level-1 | level-2 ] | verbose ] * [ process-id ]    Available in any view
Display SPF log information    display isis spf-log [ process-id | vpn-instance vpn-instance-name ]    Available in any view
Router A and Router B are Level-1 routers, Router D is a Level-2 router, and Router
C is a Level-1-2 router. Router A, Router B, and Router C belong to area 10, while
Router D is in area 20.
Network diagram
[Figure: Router A (L1), Router B (L1) and Router C (L1/L2) are in Area 10; Router D (L2) is in Area 20. Router A S2/0 is 2001:1::2/64 and Router B S2/0 is 2001:2::2/64, each linked to Router C. Router C connects to Router D S2/0 (2001:3::2/64). Router D Eth1/0 is 2001:4::1/64.]
Configuration procedure
1 Configure IPv6 addresses for interfaces (omitted)
2 Configure IPv6 IS-IS
# Configure Router A.
<RouterA> system-view
[RouterA] isis 1
[RouterA-isis-1] is-level level-1
[RouterA-isis-1] network-entity 10.0000.0000.0001.00
[RouterA-isis-1] ipv6 enable
[RouterA-isis-1] quit
[RouterA] interface serial 2/0
[RouterA-Serial2/0] isis ipv6 enable 1
[RouterA-Serial2/0] quit
# Configure Router B.
<RouterB> system-view
[RouterB] isis 1
[RouterB-isis-1] is-level level-1
[RouterB-isis-1] network-entity 10.0000.0000.0002.00
[RouterB-isis-1] ipv6 enable
[RouterB-isis-1] quit
[RouterB] interface serial 2/0
[RouterB-Serial2/0] isis ipv6 enable 1
[RouterB-Serial2/0] quit
# Configure Router C.
<RouterC> system-view
[RouterC] isis 1
[RouterC-isis-1] network-entity 10.0000.0000.0003.00
[RouterC-isis-1] ipv6 enable
[RouterC-isis-1] quit
[RouterC] interface serial 2/0
[RouterC-Serial2/0] isis ipv6 enable 1
[RouterC-Serial2/0] quit
[RouterC] interface serial 2/1
[RouterC-Serial2/1] isis ipv6 enable 1
[RouterC-Serial2/1] quit
[RouterC] interface serial 2/2
[RouterC-Serial2/2] isis ipv6 enable 1
[RouterC-Serial2/2] quit
# Configure Router D.
<RouterD> system-view
[RouterD] isis 1
[RouterD-isis-1] is-level level-2
[RouterD-isis-1] network-entity 20.0000.0000.0004.00
[RouterD-isis-1] ipv6 enable
[RouterD-isis-1] quit
[RouterD] interface serial 2/0
[RouterD-Serial2/0] isis ipv6 enable 1
[RouterD-Serial2/0] quit
[RouterD] interface ethernet 1/0
[RouterD-Ethernet1/0] isis ipv6 enable 1
[RouterD-Ethernet1/0] quit
Introduction to OSPFv3
OSPFv3 Overview
OSPFv3 is short for OSPF (Open Shortest Path First) version 3. It supports IPv6
and complies with RFC2740 (OSPF for IPv6).
OSPFv3 Packets
OSPFv3 also has five types of packets: hello, DD, LSR, LSU, and LSAck.
The five packets share the same packet header. Unlike the OSPFv2 packet header,
it is only 16 bytes in length and has no authentication field, but it adds an
Instance ID field to support multiple instances per link.
0               15               31
Version # | Type | Packet length
Router ID
Area ID
Checksum | Instance ID | 0
Major fields:
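The 16-byte header described above can be decoded and sanity-checked as follows. This is an added example, not code from the manual or the router software; the type codes 1 to 5 follow RFC 2740, and the names parse_header, interface_mismatches and build_packet are hypothetical.

```python
import ipaddress
import struct
from dataclasses import dataclass

HEADER_LEN = 16  # the page: the OSPFv3 header is only 16 bytes long
# Type codes 1 to 5 follow RFC 2740; the page lists the five names in this order.
PACKET_TYPES = {1: "hello", 2: "DD", 3: "LSR", 4: "LSU", 5: "LSAck"}
HEADER_FORMAT = "!BBHIIHBB"  # version, type, length, router ID, area ID, checksum, instance, 0


@dataclass(frozen=True)
class Ospfv3Header:
    version: int
    type_name: str
    packet_length: int
    router_id: str
    area_id: str
    checksum: int
    instance_id: int
    reserved: int


def dotted(value: int) -> str:
    """Render a 32-bit Router ID or Area ID in dotted notation (0.0.0.2)."""
    return str(ipaddress.IPv4Address(value))


def parse_header(packet: bytes) -> Ospfv3Header:
    """Decode the fixed header; raise ValueError if the packet must be dropped."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than the 16-byte header")
    (version, ptype, length, router_id, area_id,
     checksum, instance_id, reserved) = struct.unpack(HEADER_FORMAT, packet[:HEADER_LEN])
    if version != 3:
        raise ValueError(f"not OSPFv3: version {version}")
    if ptype not in PACKET_TYPES:
        raise ValueError(f"unknown packet type {ptype}")
    if not HEADER_LEN <= length <= len(packet):
        raise ValueError(f"packet length {length} does not fit {len(packet)} bytes received")
    return Ospfv3Header(version, PACKET_TYPES[ptype], length, dotted(router_id),
                        dotted(area_id), checksum, instance_id, reserved)


def interface_mismatches(hdr: Ospfv3Header, area_id: str, instance_id: int = 0) -> list:
    """Compare a header with the receiving interface's area and instance."""
    problems = []
    if hdr.area_id != area_id:
        problems.append(f"area {hdr.area_id} != interface area {area_id}")
    if hdr.instance_id != instance_id:
        problems.append(f"instance {hdr.instance_id} != interface instance {instance_id}")
    if hdr.reserved != 0:
        problems.append("last header byte is not zero")
    return problems


def build_packet(ptype, router_id, area_id, instance_id=0, body=b""):
    """Build a test packet. The checksum is left at 0 and is not verified here."""
    return struct.pack(HEADER_FORMAT, 3, ptype, HEADER_LEN + len(body),
                       int(ipaddress.IPv4Address(router_id)),
                       int(ipaddress.IPv4Address(area_id)), 0, instance_id, 0) + body


# Constructed sample: a hello from router ID 1.1.1.1 in area 1 with a 20-byte body.
SAMPLE_HELLO = build_packet(1, "1.1.1.1", "0.0.0.1", body=bytes(20))

if __name__ == "__main__":
    header = parse_header(SAMPLE_HELLO)
    print(header)
    # The same packet arriving on an interface in area 2 is reported as a mismatch.
    print(interface_mismatches(header, area_id="0.0.0.2"))
```

Because the header carries no authentication field, these checks only establish that a packet is well formed and belongs to the expected area and instance.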
OSPFv3 LSA Types
OSPFv3 sends routing information in LSAs, which, as defined in RFC2740, have the
following types:
■ Router-LSAs: Originated by all routers. This LSA describes the collected states of
the router’s interfaces to an area. Flooded throughout a single area only.
■ Network-LSAs: Originated for broadcast and NBMA networks by the
Designated Router. This LSA contains the list of routers connected to the
network. Flooded throughout a single area only.
■ Inter-Area-Prefix-LSAs: Similar to Type 3 LSA of OSPFv2, originated by ABRs
(Area Border Routers), and flooded throughout the LSA’s associated area. Each
Inter-Area-Prefix-LSA describes a route with IPv6 address prefix to a destination
outside the area, yet still inside the AS (an inter-area route).
■ Inter-Area-Router-LSAs: Similar to Type 4 LSA of OSPFv2, originated by ABRs
and flooded throughout the LSA’s associated area. Each Inter-Area-Router-LSA
describes a route to ASBR (Autonomous System Boundary Router).
■ AS-external-LSAs: Originated by ASBRs, and flooded throughout the AS
(except Stub and NSSA areas). Each AS-external-LSA describes a route to
another Autonomous System. A default route can be described by an AS
external LSA.
■ Link-LSAs: A router originates a separate Link-LSA for each attached link.
Link-LSAs have link-local flooding scope. Each Link-LSA describes the IPv6
address prefix of the link and the link-local address of the router.
■ Intra-Area-Prefix-LSAs: Each Intra-Area-Prefix-LSA contains IPv6 prefix
information on a router, stub area or transit area information, and has area
flooding scope. It was introduced because Router-LSAs and Network-LSAs
contain no address information now.
If a router receives no hello packet from a neighbor within a period, it declares
the neighbor down. This period is called the dead interval.
After sending an LSA to an adjacent router, a router waits for an acknowledgment.
If no acknowledgment is received before the retransmission interval elapses, the
router sends the LSA again. The retransmission interval must be longer than the
round-trip time of the LSA between the two routers.
SPF timer
Whenever the LSDB changes, SPF recalculation happens. If recalculations become
too frequent, they occupy a large amount of resources and reduce the operating
efficiency of routers. You can adjust the SPF calculation interval and delay time
to protect networks from being overloaded by frequent changes.
IPv6 OSPFv3 Configuration Task List
To configure OSPFv3, perform the tasks described in the following sections:
Task    Description
“Configuring OSPFv3 Basic Functions” on page 1052    Required
“Configuring OSPFv3 Area Parameters” on page 1053
    “Configuring an OSPFv3 Stub Area” on page 1053    Optional
    “Configuring OSPFv3 Virtual Links” on page 1054    Optional
“Configuring OSPFv3 Routing Information Management” on page 1054
    “Configuring OSPFv3 Route Summarization” on page 1054    Optional
    “Configuring OSPFv3 Inbound Route Filtering” on page 1054    Optional
    “Configuring Link Costs for OSPFv3 Interfaces” on page 1055    Optional
    “Configuring the Maximum Number of OSPFv3 Load-balanced Routes” on page 1055    Optional
    “Configuring a Priority for OSPFv3” on page 1055    Optional
    “Configuring OSPFv3 Route Redistribution” on page 1056    Optional
“Tuning and Optimizing an OSPFv3 Network” on page 1056
    “Configuring OSPFv3 Timers” on page 1056    Optional
    “Configuring the DR Priority for an Interface” on page 1057    Optional
    “Ignoring MTU Check for DD Packets” on page 1057    Optional
    “Disabling Interfaces from Sending OSPFv3 Packets” on page 1058    Optional
    “Enabling the Logging on Neighbor State Changes” on page 1058    Optional
Configuring OSPFv3 Basic Functions
Prerequisites
■ Make neighboring nodes accessible to each other at the network layer.
■ Enable IPv6 packet forwarding.
Configuring OSPFv3 Basic Functions
To configure OSPFv3 basic functions, use the following commands:
To do...    Use the command...    Remarks
Enter system view    system-view    -
Enable OSPFv3 and enter its view    ospfv3 [ process-id ]    Required
Specify a router ID    router-id router-id    Required
Enter interface view    interface interface-type interface-number    -
Configuring OSPFv3 Area Parameters
OSPFv3 support for stub areas and virtual links follows the same principles and
applies to the same environments as in OSPFv2.
Configuring an OSPFv3 Stub Area
To configure an OSPFv3 stub area, use the following commands:
To do...    Use the command...    Remarks
Enter system view    system-view    -
Enter OSPFv3 view    ospfv3 [ process-id ]    -
Enter OSPFv3 area view    area area-id    -
Configure the area as a stub area    stub [ no-summary ]    Required. Not configured by default
Configure the default route cost of sending a packet to the stub area    default-cost value    Optional. Defaults to 1
■ If you use the stub command with the keyword no-summary on an ABR, the
ABR distributes a default summary LSA into the area rather than generating an
AS-external-LSA or Inter-Area-Prefix-LSA. A stub area of this kind is also
known as a totally stub area.
Configuring OSPFv3 Virtual Links
You can configure virtual links to maintain connectivity between non-backbone
areas and the backbone, or in the backbone itself.
n Both ends of a virtual link are ABRs that are configured with the vlink-peer
command.
Configuring OSPFv3 Route Summarization
To configure route summarization between areas, use the following command on
an ABR:
Configuring OSPFv3 Inbound Route Filtering
You can configure OSPFv3 to filter routes that are computed from received LSAs
according to some rules.
n Use of the filter-policy import command can only filter routes computed by
OSPFv3. Only routes not filtered can be added into the local routing table.
Configuring Link Costs for OSPFv3 Interfaces
You can configure OSPFv3 link costs for interfaces to adjust routing calculation.
To configure the link cost for an OSPFv3 interface, use the following commands:
Configuring the Maximum Number of OSPFv3 Load-balanced Routes
If multiple routes to a destination are available, using load balancing to send IPv6
packets on these routes in turn can improve link utilization. To configure the
maximum number of load-balanced routes, use the following commands:
To do...    Use the command...    Remarks
Enter system view    system-view    -
Enter OSPFv3 view    ospfv3 [ process-id ]    -
Specify the maximum number of load-balanced routes    maximum load-balancing maximum    Optional
Configuring a Priority for OSPFv3
A router may run multiple routing protocols. The system assigns a priority for each
protocol. When these routing protocols find the same route, the route found by
the protocol with the highest priority is selected.
Configuring OSPFv3 Route Redistribution
To configure OSPFv3 route redistribution, use the following commands:
To do...    Use the command...    Remarks
Enter system view    system-view    -
Enter OSPFv3 view    ospfv3 [ process-id ]    -
Specify a default cost for redistributed routes    default cost value    Optional. Defaults to 1
Redistribute routes from other protocols, including from other OSPFv3 processes    import-route { isisv6 process-id | ospfv3 process-id | ripng process-id | bgp4+ [ allow-ibgp ] | direct | static } [ cost value | type type | route-policy route-policy-name ] *    Required. Not configured by default
Configure to filter redistributed routes    filter-policy { acl6-number | ipv6-prefix ipv6-prefix-name } export [ isisv6 process-id | ospfv3 process-id | ripng process-id | bgp4+ | direct | static ]    Optional. Not configured by default
Tuning and Optimizing an OSPFv3 Network
This section describes how to configure OSPFv3 timers and the interface DR
priority, ignore the MTU check for DD packets, and disable interfaces from
sending OSPFv3 packets.
OSPFv3 timers:
For a broadcast network, you can configure DR priorities for interfaces to affect
DR/BDR election.
By disabling an interface from sending OSPFv3 packets, you can make other
routers on the network obtain no information from the interface.
Configuring the DR Priority for an Interface
To configure the DR priority for an interface, use the following commands:
To do...    Use the command...    Remarks
Enter system view    system-view    -
Enter interface view    interface interface-type interface-number    -
Configure the DR priority    ospfv3 dr-priority priority [ instance instance-id ]    Optional. Defaults to 1
Ignoring MTU Check for DD Packets
When DD packets carry few LSAs, you can skip the MTU check on DD packets to
improve efficiency.
Disabling Interfaces from Sending OSPFv3 Packets
To disable interfaces from sending OSPFv3 packets, use the following commands:
To do...    Use the command...    Remarks
Enter system view    system-view    -
Enter OSPFv3 view    ospfv3 [ process-id ]    -
Disable interfaces from sending OSPFv3 packets    silent-interface { interface-type interface-number | all }    Required. Not disabled by default
n ■ Multiple processes can disable the same interface from sending OSPFv3
packets. Using the silent-interface command disables only the interfaces
associated with the current process rather than interfaces associated with other
processes.
■ After an OSPF interface is set to silent, direct routes of the interface can still be
advertised in Intra-Area-Prefix-LSAs via other interfaces, but other OSPFv3
packets cannot be advertised. Therefore, no neighboring relationship can be
established on the interface. This feature can enhance the adaptability of
OSPFv3 networking.
Enabling the Logging on Neighbor State Changes
To enable the logging on neighbor state changes, use the following commands:
To do...    Use the command...    Remarks
Enter system view    system-view    -
Enter OSPFv3 view    ospfv3 [ process-id ]    -
Enable the logging on neighbor state changes    log-peer-change    Required. Enabled by default
Displaying and Maintaining OSPFv3
To do...    Use the command...    Remarks
Display OSPFv3 debugging state information    display debugging ospfv3    Available in any view
Display OSPFv3 process brief information    display ospfv3 [ process-id ]    Available in any view
Display OSPFv3 interface information    display ospfv3 interface [ interface-type interface-number | statistic ]    Available in any view
Display OSPFv3 LSDB information    display ospfv3 [ process-id ] lsdb [ [ external | inter-prefix | inter-router | intra-prefix | link | network | router ] [ link-state-id ] [ originate-router router-id ] | total ]    Available in any view
Display LSA statistics in OSPFv3 LSDB    display ospfv3 lsdb statistic    Available in any view
Display OSPFv3 neighbor information    display ospfv3 [ process-id ] [ area area-id ] peer [ [ interface-type interface-number ] [ verbose ] | peer-router-id ]    Available in any view
Display OSPFv3 neighbor statistics    display ospfv3 peer statistic    Available in any view
Display OSPFv3 routing table information    display ospfv3 [ process-id ] routing [ ipv6-address prefix-length | ipv6-address/prefix-length | abr-routes | asbr-routes | all | statistics ]    Available in any view
Display OSPFv3 area topology information    display ospfv3 [ process-id ] topology [ area area-id ]    Available in any view
Display OSPFv3 virtual link information    display ospfv3 [ process-id ] vlink    Available in any view
Display OSPFv3 next hop information    display ospfv3 [ process-id ] next-hop    Available in any view
Display OSPFv3 link state request list information    display ospfv3 [ process-id ] request-list [ statistics ]    Available in any view
Display OSPFv3 link state retransmission list information    display ospfv3 [ process-id ] retrans-list [ statistics ]    Available in any view
Display OSPFv3 statistics    display ospfv3 statistic    Available in any view
OSPFv3 Configuration
Examples
It is required to configure Area 2 as a stub area, reducing LSAs into the area
without affecting route reachability.
Network diagram
[Figure: Router B and Router C are connected through their S2/0 interfaces in OSPFv3 Area 0 (2001::/64). Router A connects to Router B over S2/1 in OSPFv3 Area 1 (2001:1::/64) and has Eth1/0 at 2001:3::1/64. Router D connects to Router C over S2/1 in OSPFv3 Area 2, the stub area (2001:2::/64).]
Configuration procedure
1 Configure IPv6 addresses for interfaces (omitted)
2 Configure OSPFv3 basic functions
# Configure Router A
<RouterA> system-view
[RouterA] ipv6
[RouterA] ospfv3 1
[RouterA-ospfv3-1] router-id 1.1.1.1
[RouterA-ospfv3-1] quit
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] ospfv3 1 area 1
[RouterA-Ethernet1/0] quit
[RouterA] interface serial 2/1
[RouterA-Serial2/1] ospfv3 1 area 1
[RouterA-Serial2/1] quit
# Configure Router B
<RouterB> system-view
[RouterB] ipv6
[RouterB] ospfv3 1
[RouterB-ospfv3-1] router-id 2.2.2.2
[RouterB-ospfv3-1] quit
[RouterB] interface serial 2/0
[RouterB-Serial2/0] ospfv3 1 area 0
[RouterB-Serial2/0] quit
[RouterB] interface serial 2/1
[RouterB-Serial2/1] ospfv3 1 area 1
[RouterB-Serial2/1] quit
# Configure Router C
<RouterC> system-view
[RouterC] ipv6
[RouterC] ospfv3 1
[RouterC-ospfv3-1] router-id 3.3.3.3
[RouterC-ospfv3-1] quit
# Configure Router D
<RouterD> system-view
[RouterD] ipv6
[RouterD] ospfv3 1
[RouterD-ospfv3-1] router-id 4.4.4.4
[RouterD-ospfv3-1] quit
[RouterD] interface serial 2/1
[RouterD-Serial2/1] ospfv3 1 area 2
[RouterD-Serial2/1] quit
*Destination: 2001:1::/64
Type : IA Cost : 3
NextHop : FE80::F40D:0:93D0:1 Interface: S2/1
*Destination: 2001:2::/64
Type : I Cost : 1
NextHop : directly-connected Interface: S2/1
*Destination: 2001:3::/64
Type : IA Cost : 4
NextHop : FE80::F40D:0:93D0:1 Interface: S2/1
# Configure Router D
[RouterD] ospfv3
[RouterD-ospfv3-1] area 2
[RouterD-ospfv3-1-area-0.0.0.2] stub
# Configure Router C, with the default route cost to the stub area being 10.
[RouterC] ospfv3
[RouterC-ospfv3-1] area 2
[RouterC-ospfv3-1-area-0.0.0.2] stub
[RouterC-ospfv3-1-area-0.0.0.2] default-cost 10
# Display OSPFv3 routing table information on Router D. You can find a default
route is added, whose cost is the cost of the directly connected route plus the
configured cost.
*Destination: 2001::/64
Type : IA Cost : 2
NextHop : FE80::F40D:0:93D0:1 Interface: S2/1
*Destination: 2001:1::/64
Type : IA Cost : 3
NextHop : FE80::F40D:0:93D0:1 Interface: S2/1
*Destination: 2001:2::/64
Type : I Cost : 1
NextHop : directly-connected Interface: S2/1
*Destination: 2001:3::/64
Type : IA Cost : 4
NextHop : FE80::F40D:0:93D0:1 Interface: S2/1
# Display OSPFv3 routing table information on Router D. You can find routing
entries are reduced. All non-directly connected routes are removed except the
default route.
*Destination: 2001:2::/64
Type : I Cost : 1
NextHop : directly-connected Interface: S2/1
Network diagram
[Figure: Router A (2001::1/64), Router B (2001::2/64), Router C (2001::3/64) and Router D (2001::4/64) attach to the same network segment through their Eth1/0 interfaces.]
Configuration procedure
1 Configure IPv6 addresses for interfaces (omitted)
2 Configure OSPFv3 basic functions
# Configure Router A
<RouterA> system-view
[RouterA] ipv6
[RouterA] ospfv3
[RouterA-ospfv3-1] router-id 1.1.1.1
[RouterA-ospfv3-1] quit
[RouterA] interface ethernet 1/0
# Configure Router B.
<RouterB> system-view
[RouterB] ipv6
[RouterB] ospfv3
[RouterB-ospfv3-1] router-id 2.2.2.2
[RouterB-ospfv3-1] quit
[RouterB] interface ethernet 1/0
[RouterB-Ethernet1/0] ospfv3 1 area 0
[RouterB-Ethernet1/0] quit
# Configure Router C.
<RouterC> system-view
[RouterC] ipv6
[RouterC] ospfv3
[RouterC-ospfv3-1] router-id 3.3.3.3
[RouterC-ospfv3-1] quit
[RouterC] interface ethernet 1/0
[RouterC-Ethernet1/0] ospfv3 1 area 0
[RouterC-Ethernet1/0] quit
# Configure Router D.
<RouterD> system-view
[RouterD] ipv6
[RouterD] ospfv3
[RouterD-ospfv3-1] router-id 4.4.4.4
[RouterD-ospfv3-1] quit
[RouterD] interface ethernet 1/0
[RouterD-Ethernet1/0] ospfv3 1 area 0
[RouterD-Ethernet1/0] quit
# Display neighbor information on Router A. You can find routers have the same
default DR priority 1. In this case, the router with the highest Router ID is elected
as the DR, so Router D is the DR, Router C is the BDR.
# Display neighbor information on Router A. You can find DR priorities have been
updated, but DR and BDR are not changed.
# Display neighbor information on Router D. You can find Router D is still the DR.
# Display neighbor information on Router A. You can find Router C becomes the
BDR.
# Display neighbor information on Router D. You can find Router A becomes the
DR.
Troubleshooting OSPFv3 Configuration
Analysis
If the physical link and lower protocol work well, check OSPF parameters
configured on interfaces. The two neighboring interfaces must have the same
parameters, such as the area ID, network segment and mask, network type. If the
network type is broadcast, at least one interface must have a DR priority higher
than 0.
Process steps
1 Display neighbor information using the display ospfv3 peer command.
2 Display OSPFv3 interface information using the display ospfv3 interface
command.
3 Ping the neighbor router’s IP address to check connectivity.
4 Check OSPF timers. The dead interval on an interface must be at least four times
the hello interval.
5 On a broadcast network, at least one interface must have a DR priority higher than
0.
Analysis
The backbone area must maintain connectivity to all other areas. If a router
connects to more than one area, at least one area must be connected to the
backbone. The backbone cannot be configured as a Stub area.
In a Stub area, all routers cannot receive external routes, and all interfaces
connected to the Stub area must be associated with the Stub area.
Process steps
1 Use the display ospfv3 peer command to display OSPFv3 neighbors.
2 Use the display ospfv3 interface command to display OSPFv3 interface
information.
3 Use the display ospfv3 lsdb command to display Link State Database
information to check integrity.
4 Display information about area configuration using the display
current-configuration configuration command. If more than two areas are
configured, at least one area is connected to the backbone.
5 In a Stub area, all routers are configured with the stub command.
6 If a virtual link is configured, use the display ospf vlink command to check the
neighbor state.
Introduction to RIPng
RIP next generation (RIPng) is an extension of RIP-2 for IPv4. Most RIP concepts are
applicable in RIPng.
■ UDP port number: RIPng uses UDP port 521 for sending and receiving routing
information.
■ Multicast address: RIPng uses FF02::9 as the link-local multicast address.
■ Destination Prefix: 128-bit destination address prefix.
■ Next hop: IPv6 address in 128-bit.
■ Source address: RIPng uses FE80::/10 as the link-local source address.
RIPng Working Mechanism
RIPng is a routing protocol based on the distance vector (D-V) algorithm. RIPng
uses UDP packets to exchange routing information through port 521.
RIPng uses a hop count to measure the distance to a destination. The hop count is
referred to as metric or cost. The hop count from a router to a directly connected
network is 0. The hop count between two directly connected routers is 1. When
the hop count is greater than or equal to 16, the destination network or host is
unreachable.
By default, the routing update is sent every 30 seconds. If the router receives no
routing updates from a neighbor after 180 seconds, the routes learned from the
neighbor are considered as unreachable. After another 240 seconds, if no routing
update is received, the router will remove these routes from the routing table.
RIPng supports Split Horizon and Poison Reverse to prevent routing loops, and
route redistribution.
Each RIPng router maintains a routing database, including route entries of all
reachable destinations. A route entry contains the following information:
0        7        15               31
Command | Version | Must be zero
Route table entry 1 (20 octets)
...
RTE format
There are two types of RTE in RIPng.
■ Next hop RTE: Defines the IPv6 address of a next hop
■ IPv6 prefix RTE: Describes the destination IPv6 address, route tag, prefix length
and metric in the RIPng routing table.
IPv6 next hop address is the IPv6 address of the next hop.
The receiving RIPng router processes RTEs in the request. If there is only one RTE
with the IPv6 prefix and prefix length both being 0, and with a metric value of 16,
the RIPng router will respond with the entire routing table information in response
messages. If there are multiple RTEs in the request message, the RIPng router will
examine each RTE, update its metric, and send the requested routing information
to the requesting router in the response packet.
Response packet
The response packet containing the local routing table information is generated
as:
■ A response to a request
■ An update periodically
■ A triggered update caused by route change
After receiving a response, a router checks the validity of the response before
adding the route to its routing table, such as whether the source IPv6 address is
the link-local address and whether the port number is correct. A response packet
that fails the check is discarded.
Configuring RIPng Basic Functions
In this section, you are presented with the information to configure the basic
RIPng features.
You need to enable RIPng before configuring other tasks, but this is not
necessary for RIPng-related interface configurations, such as assigning an IPv6
address.
Configuration Procedure
Follow these steps to configure the basic RIPng functions:
n If RIPng is not enabled on an interface, the interface will not send or receive any
RIPng route.
■ Configure an IPv6 address on each interface, and make sure all nodes are
reachable.
■ Configure RIPng basic functions
■ Define an IPv6 ACL before using it for route filtering. Refer to “Configuring
ACLs” on page 1881 for related information.
■ Define an IPv6 address prefix list before using it for route filtering. Refer to
“Routing Policy Configuration” on page 991 for related information.
The outbound additional metric is added to the metric of a sent route. The route’s
metric in the routing table is not changed.
The inbound additional metric is added to the metric of a received route before
the route is added into the routing table, so the route’s metric is changed.
Configuring RIPng Route Summarization
Follow these steps to configure RIPng route summarization:
To do...    Use the command...    Remarks
Enter system view    system-view    --
Enter interface view    interface interface-type interface-number    --
Advertise a summary IPv6 prefix    ripng summary-address ipv6-address prefix-length    Required
n With this feature enabled, a default route is advertised via the specified interface
regardless of whether the default route is available in the local IPv6 routing table.
Configuring a RIPng Route Filtering Policy
You can reference a configured IPv6 ACL or prefix list to filter received/advertised
routing information as needed. For filtering outbound routes, you can also specify
a routing protocol whose redistributed routing information is to be filtered.
Configuring the RIPng Priority
Any routing protocol has its own protocol priority used for optimal route selection.
You can set a priority for RIPng manually. The smaller the value is, the higher the
priority is.
Configuring RIPng Route Redistribution
Follow these steps to configure RIPng route redistribution:
To do...    Use the command...    Remarks
Enter system view    system-view    --
Enter RIPng view    ripng [ process-id ]    --
Configure a default routing metric for redistributed routes    default cost cost    Optional. By default, the default metric of redistributed routes is 0.
Redistribute routes from another routing protocol    import-route protocol [ process-id ] [ allow-ibgp ] [ cost cost | route-policy route-policy-name ] *    Required. By default, RIPng does not redistribute any other protocol route.
Optimizing the RIPng Network
This section describes how to adjust and optimize the performance of the RIPng
network as well as applications under special network environments. Before
adjusting and optimizing the RIPng network, complete the following tasks:
■ Configure a network layer address for each interface
■ Configure the basic RIPng functions
Configuring RIPng Timers
You can adjust RIPng timers to optimize the performance of the RIPng network.
Follow these steps to configure RIPng timers:
n When adjusting RIPng timers, you should consider the network performance and
perform unified configurations on routers running RIPng to avoid unnecessary
network traffic increase or route oscillation.
n If both the split horizon and poison reverse are configured, only the poison reverse
function takes effect.
n ■ Generally, you are recommended to enable the split horizon to prevent routing
loops.
■ In Frame Relay, X.25 and other non-broadcast multi-access (NBMA) networks,
split horizon should be disabled if multiple VCs are configured on the primary
interface and secondary interfaces to ensure route advertisement. For detailed
information, refer to “Frame Relay Configuration” on page 235 and “X.25 and
LAPB Configuration” on page 283.
Configuring Zero Field Check
Some fields in RIPng packet headers must be zero. These fields are called zero
fields. You can enable the zero field check on RIPng packets. If any such field
contains a non-zero value, the entire RIPng packet will be discarded. If you are sure
that all packets are trustworthy, you can disable the zero field check to save CPU
processing time.
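The zero field check above and the response validity checks described earlier (link-local source address, port 521), together with the whole-table request rule, can be expressed as one receive-side filter. This is an added example, not code from the manual or the router software; the command and version values, the 0xFF next hop marker and the per-RTE prefix and metric checks follow RFC 2080, and all function names are hypothetical.

```python
import ipaddress
import struct

RIPNG_PORT = 521                                # UDP port given on the page
LINK_LOCAL = ipaddress.ip_network("fe80::/10")  # required source address range
REQUEST, RESPONSE, VERSION = 1, 2, 1            # header values from RFC 2080
INFINITY = 16                                   # metric of 16 or more: unreachable
NEXT_HOP_METRIC = 0xFF                          # marks a next hop RTE (RFC 2080)


def build_packet(command, rtes, zero=0):
    """Build a RIPng payload from (prefix, prefix_len, metric) tuples."""
    body = b"".join(
        struct.pack("!16sHBB", ipaddress.IPv6Address(p).packed, 0, plen, metric)
        for p, plen, metric in rtes)
    return struct.pack("!BBH", command, VERSION, zero) + body


def parse_packet(payload):
    """Split a payload into (command, version, zero_field, RTE list)."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("length is not 4 + n * 20 octets")
    command, version, zero = struct.unpack("!BBH", payload[:4])
    rtes = []
    for off in range(4, len(payload), 20):
        prefix, tag, plen, metric = struct.unpack("!16sHBB", payload[off:off + 20])
        rtes.append((ipaddress.IPv6Address(prefix), tag, plen, metric))
    return command, version, zero, rtes


def is_whole_table_request(payload):
    """True for the single-RTE request (prefix ::, length 0, metric 16)."""
    command, _, _, rtes = parse_packet(payload)
    if command != REQUEST or len(rtes) != 1:
        return False
    prefix, _, plen, metric = rtes[0]
    return int(prefix) == 0 and plen == 0 and metric == INFINITY


def validate_response(src, src_port, payload, zero_check=True):
    """Return (routes, rejected_prefixes); raise ValueError to drop the packet."""
    source = ipaddress.IPv6Address(src)
    if source not in LINK_LOCAL:
        raise ValueError("source address is not link-local")
    if src_port != RIPNG_PORT:
        raise ValueError("source port is not 521")
    command, version, zero, rtes = parse_packet(payload)
    if command != RESPONSE or version != VERSION:
        raise ValueError("not a RIPng version 1 response")
    if zero_check and zero != 0:
        raise ValueError("must-be-zero field is non-zero")
    next_hop, routes, rejected = source, [], []
    for prefix, _tag, plen, metric in rtes:
        if metric == NEXT_HOP_METRIC:
            # Next hop RTE: applies to the RTEs that follow it. A next hop
            # that is not link-local falls back to the sender (RFC 2080).
            next_hop = prefix if prefix in LINK_LOCAL else source
            continue
        bad = (plen > 128 or not 1 <= metric <= INFINITY
               or prefix.is_multicast or prefix in LINK_LOCAL)
        if bad:
            rejected.append(f"{prefix}/{plen}")
            continue
        routes.append({"prefix": f"{prefix}/{plen}", "next_hop": str(next_hop),
                       "metric": metric, "reachable": metric < INFINITY})
    return routes, rejected


# Constructed sample: the sender address and 5::/64 come from the page's output;
# 4::/64 is sent as unreachable and ff02::/16 is an invalid (multicast) prefix.
SAMPLE_SRC = "fe80::20f:e2ff:fe00:100"
SAMPLE_RESPONSE = build_packet(
    RESPONSE, [("5::", 64, 1), ("4::", 64, 16), ("ff02::", 16, 1)])

if __name__ == "__main__":
    print(validate_response(SAMPLE_SRC, RIPNG_PORT, SAMPLE_RESPONSE))
```

With zero_check=False the same function accepts a packet whose must-be-zero field is set, which is the trade-off the paragraph above describes.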
Configuring the Maximum Number of Load Balanced Routes
Follow these steps to configure the maximum number of RIPng load balanced
routes with equal cost:
To do...    Use the command...    Remarks
Enter system view    system-view    --
Enter RIPng view    ripng [ process-id ]    --
Configure the maximum number of load balanced routes    maximum load-balancing number    Optional
Displaying and Maintaining RIPng
To do...    Use the command...    Remarks
Display configuration information of a RIPng process    display ripng [ process-id ]    Available in any view
Display routes in the RIPng database    display ripng process-id database    Available in any view
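Network diagram
[Figure: Router A, Router B and Router C run RIPng in a chain. Router A (Eth1/0, 1::1/64) connects to Router B (Eth1/0, 1::2/64), and Router B (Eth1/1, 3::1/64) connects to Router C (Eth1/0, 3::2/64). The diagram also labels the interface addresses 2::1/64 (Eth1/1), 4::1/64 (Eth1/2) and 5::1/64 (Eth1/1).]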
Configuration procedure
1 Configure the IPv6 address for each interface (Omitted)
2 Configure basic RIPng functions
# Configure Router A.
<RouterA> system-view
[RouterA] ripng 1
[RouterA-ripng-1] quit
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] ripng 1 enable
[RouterA-Ethernet1/0] quit
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ripng 1 enable
[RouterA-Ethernet1/1] quit
# Configure Router B.
<RouterB> system-view
[RouterB] ripng 1
[RouterB-ripng-1] quit
[RouterB] interface ethernet 1/0
[RouterB-Ethernet1/0] ripng 1 enable
[RouterB-Ethernet1/0] quit
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ripng 1 enable
[RouterB-Ethernet1/1] quit
# Configure Router C.
<RouterC> system-view
[RouterC] ripng 1
[RouterC-ripng-1] quit
[RouterC] interface ethernet 1/0
[RouterC-Ethernet1/0] ripng 1 enable
[RouterC-Ethernet1/0] quit
[RouterC] interface ethernet 1/1
[RouterC-Ethernet1/1] ripng 1 enable
[RouterC-Ethernet1/1] quit
[RouterC] interface ethernet 1/2
[RouterC-Ethernet1/2] ripng 1 enable
[RouterC-Ethernet1/2] quit
Dest 5::/64,
via FE80::20F:E2FF:FE00:100, cost 1, tag 0, A, 5 Sec
[RouterA] display ripng 1 route
Route Flags: A - Aging, S - Suppressed, G - Garbage-collect
----------------------------------------------------------------
When configuring IPv6 Static Routing, go to these sections for information you are
interested in:
■ “Introduction to IPv6 Static Routing” on page 1081
■ “Configuring an IPv6 Static Route” on page 1081
■ “Displaying and Maintaining IPv6 Static Routes” on page 1082
■ “IPv6 Static Routing Configuration Example” on page 1082
Introduction to IPv6 Static routes are special routes that are manually configured by network
Static Routing administrators. They work well in simple networks. Configuring and using them
properly can improve the performance of networks and guarantee enough
bandwidth for important applications.
However, static routes also have shortcomings: any topology changes could result
in unavailable routes, requiring the network administrator to manually configure
and modify the static routes.
Features of IPv6 Static Routes
Similar to IPv4 static routes, IPv6 static routes work well in simple IPv6 network
environments.
Their major difference lies in the destination and next hop addresses. IPv6 static
routes use IPv6 addresses whereas IPv4 static routes use IPv4 addresses. Currently,
IPv6 static routes do not support VPN instances.
Default IPv6 Route
The IPv6 static route that has the destination address configured as “::/0”
(indicating a prefix length of 0) is the default IPv6 route. If the destination address
of an IPv6 packet does not match any entry in the routing table, this default route
will be used to forward the packet.
Configuring an IPv6 Static Route
In small IPv6 networks, IPv6 static routes can be used to forward packets.
Compared with dynamic routes, they help to save network bandwidth.
Configuring an IPv6 Static Route
To do...    Use the commands...    Remarks
Enter system view    system-view    -
Configure an IPv6 static route with the output interface being a broadcast or NBMA interface    ipv6 route-static ipv6-address prefix-length [ interface-type interface-number ] nexthop-address [ preference preference-value ]    Required. The default preference of IPv6 static routes is 60.
Configure an IPv6 static route with the output interface being a point-to-point interface    ipv6 route-static ipv6-address prefix-length { interface-type interface-number | nexthop-address } [ preference preference-value ]
Note: When configuring a static route, you can configure either the output interface or
the next-hop address, depending on the situation:
■ If the output interface is a broadcast interface (such as an Ethernet interface or a
VLAN interface) or an NBMA interface (such as an X.25 interface or frame relay
interface), then the next hop address must be specified.
■ If the output interface is a point-to-point interface (such as a serial port), you
can specify either the output interface or the next hop address, but not both.
Displaying and Maintaining IPv6 Static Routes
To do...    Use the command...    Remarks
Display IPv6 static route information    display ipv6 routing-table protocol static [ inactive | verbose ]    Available in any view
Remove all IPv6 static routes    delete ipv6 static-routes all    Available in system view
Note: The undo ipv6 route-static command deletes a single IPv6 static route,
while the delete ipv6 static-routes all command deletes all IPv6 static
routes, including the default route.
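Network diagram
[Figure: Host A (1::2/64), Host B (2::2/64) and Host C (3::2/64) attach to Eth1/0 of
Router A (1::1/64), Router B (2::1/64) and Router C (3::1/64) respectively. Router A
S2/0 connects to Router B S2/0, and Router B S2/1 connects to Router C S2/0.]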
Configuration procedure
1 Configure IPv6 addresses for all interfaces (Omitted).
2 Configure IPv6 static routes.
<RouterA> system-view
[RouterA] ipv6 route-static :: 0 serial 2/0
<RouterB> system-view
[RouterB] ipv6 route-static 1:: 64 serial 2/0
[RouterB] ipv6 route-static 3:: 64 serial 2/1
<RouterC> system-view
[RouterC] ipv6 route-static :: 0 serial 2/0
3 Configure the IPv6 addresses of hosts and gateways.
Configure the IPv6 addresses of all the hosts based upon the network diagram.
Configure the default gateway of Host A as 1::1, that of Host B as 2::1, and that of
Host C as 3::1.
Note: This manual chiefly focuses on the IP multicast technology and device operations.
Unless otherwise stated, the term “multicast” in this document refers to IP
multicast.
Introduction to Multicast
As a technique coexisting with unicast and broadcast, the multicast technique
effectively addresses the issue of point-to-multipoint data transmission. By
allowing high-efficiency point-to-multipoint data transmission over a network,
multicast greatly saves network bandwidth and reduces network load.
With the multicast technology, a network operator can easily provide new
value-added services, such as live Webcasting, Web TV, distance learning,
telemedicine, Web radio, real-time videoconferencing, and other bandwidth- and
time-critical information services.
Comparison of Information Transmission Techniques
Unicast
In unicast, the information source sends a separate copy of information to each
host that needs the information, as shown in Figure 316.
[Figure 316: unicast transmission. The Source sends separate packets for Host B,
Host D and Host E, the receivers among Hosts A through E.]
Assume that Hosts B, D and E need this information. The information source
establishes a separate transmission channel for each of these hosts.
In unicast transmission, the traffic over the network is proportional to the number
of hosts that need the information. If a large number of users need the
information, the information source needs to send a copy of the same information
to each of these users. This puts tremendous pressure on the information
source and the network bandwidth.
As we can see from the information transmission process, unicast is not suitable
for batch transmission of information.
Broadcast
In broadcast, the information source sends information to all hosts on the
network, even if some hosts do not need the information, as shown in Figure 317.
[Figure 317: broadcast transmission from the Source to all hosts on the network]
Assume that only Hosts B, D, and E need the information. If the information
source broadcasts the information, Hosts A and C also receive it. In addition to
information security issues, this also causes traffic flooding on the same network.
Multicast
As discussed above, the unicast and broadcast techniques are unable to provide
point-to-multipoint data transmissions with the minimum network consumption.
The multicast technique has solved this problem. When some hosts on the
network need multicast information, the multicast source (Source in the figure)
sends only one copy of the information. Multicast distribution trees are built for
the multicast packets through multicast routing protocols, and the packets are
replicated only on nodes where the trees branch, as shown in Figure 318:
[Figure 318: multicast transmission from the Source to the receiver hosts]
Assume that Hosts B, D and E need the information. To receive the information
correctly, these hosts need to join a receiver set, which is known as a multicast
group. The routers on the network duplicate and forward the information based
on the distribution of the receivers in this set. Finally, the information is correctly
delivered to Hosts B, D, and E.
■ Over unicast: Because multicast traffic travels as far from the source as possible
before it is replicated and distributed, an increase in the number of hosts does
not significantly add to the network load.
■ Over broadcast: Because multicast data is sent only to the receivers that need it,
multicast uses the network bandwidth reasonably, wastes no network resources,
and enhances network security.
For a better understanding of the multicast concept, you can compare multicast
transmission to the transmission of TV programs, as shown in Table 43.
Applications of multicast
Applications of the multicast technique include:
■ Multimedia and streaming applications, such as Web TV, Web radio, and
real-time video/audio conferencing.
■ Communication for training and cooperative operations, such as distance
learning and telemedicine.
■ Data warehouse and financial applications (stock quotes).
■ Any other point-to-multiple-point data distribution application.
Multicast Models
Based on how the receivers treat the multicast sources, there are two multicast
models:
ASM model
In the ASM model, any sender can send information to a multicast group as a
multicast source, and any number of receivers can join a multicast group identified by
a group address and obtain multicast information addressed to that multicast
group. In this model, receivers are not aware of the position of multicast sources in
advance. However, they can join or leave the multicast group at any time.
SSM model
In practice, users may be interested in the multicast data from only certain
multicast sources. The SSM model provides a transmission service that allows users
to specify the multicast sources they are interested in at the client side.
The fundamental difference between the SSM model and the ASM model is that in the
SSM model, receivers already know the locations of the multicast sources by some
other means. In addition, the SSM model uses a multicast address range that is
different from that of the ASM model, and dedicated multicast forwarding paths
are established between receivers and the specified multicast sources.
Multicast Addresses
To allow communication between multicast sources and multicast group
members, network-layer multicast addresses, namely, multicast IP addresses must
be provided. In addition, a technique must be available to map multicast IP
addresses to link-layer multicast MAC addresses.
Address Description
224.0.0.1 All systems on this subnet, including hosts and routers
224.0.0.2 All multicast routers on this subnet
224.0.0.3 Unassigned
224.0.0.4 Distance vector multicast routing protocol (DVMRP) routers
224.0.0.5 Open shortest path first (OSPF) routers
224.0.0.6 OSPF designated routers/backup designated routers
224.0.0.7 Shared tree (ST) routers
224.0.0.8 ST hosts
224.0.0.9 Routing information protocol version 2 (RIPv2) routers
224.0.0.11 Mobile agents
224.0.0.12 Dynamic host configuration protocol (DHCP) server/relay agent
224.0.0.13 All protocol independent multicast (PIM) routers
224.0.0.14 Resource reservation protocol (RSVP) encapsulation
224.0.0.15 All core-based tree (CBT) routers
224.0.0.16 Designated subnetwork bandwidth management (SBM)
224.0.0.17 All SBMs
224.0.0.18 Virtual router redundancy protocol (VRRP)
[Figure: address format with bit positions 0, 7, 11, 15 and 31 and the fields 0xFF,
Flags and Scope]
Value Meaning
0, 3, F Reserved
1 Node-local scope
2 Link-local scope
4 Admin-local scope
5 Site-local scope
6, 7, 9 through D Unassigned
8 Organization-local scope
E Global scope
As defined by IANA, the high-order 24 bits of an IPv4 multicast MAC address are
0x01005e, bit 25 is 0x0, and the low-order 23 bits are the low-order 23 bits of a
multicast IPv4 address. The IPv4-to-MAC mapping relation is shown in Figure 320.
[Figure 320: IPv4-to-MAC address mapping]
32-bit IPv4 address: 1110 XXXX XXXX XXXX XXXX XXXX XXXX XXXX
(5 bits lost; the low-order 23 bits are mapped)
48-bit MAC address: 0000 0001 0000 0000 0101 1110 0XXX XXXX XXXX XXXX XXXX XXXX
The high-order four bits of a multicast IPv4 address are 1110, indicating that this
address is a multicast address, and only 23 bits of the remaining 28 bits are
mapped to a MAC address, so five bits of the multicast IPv4 address are lost. As a
result, 32 multicast IPv4 addresses map to the same MAC address. Therefore, in
Layer 2 multicast forwarding, a device may receive some multicast data addressed
for other IPv4 multicast groups, and such redundant data needs to be filtered by
the upper layer.
The high-order 16 bits of an IPv6 multicast MAC address are 0x3333, and the
low-order 32 bits are the low-order 32 bits of a multicast IPv6 address. Figure 321
shows an example of mapping an IPv6 multicast address, FF1E::F30E:0101, to a
MAC address.
[Figure 321: the low-order 32 bits of the IPv6 multicast address are mapped after
the 16-bit MAC address prefix]
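The two mapping rules above, written out as an added Python example (not code from this manual). It also enumerates the 32 IPv4 groups that share one MAC address and shows why the upper layer must filter on the IP group; the function names and the sample group addresses other than FF1E::F30E:0101 are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List

IPV4_MAC_PREFIX = 0x01005E   # high-order 24 bits; bit 25 of the MAC is always 0
IPV6_MAC_PREFIX = 0x3333     # high-order 16 bits


def format_mac(value: int) -> str:
    """Render a 48-bit integer as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in value.to_bytes(6, "big"))


def ipv4_multicast_mac(group: str) -> str:
    """Keep only the low-order 23 bits of the group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    return format_mac((IPV4_MAC_PREFIX << 24) | (int(addr) & 0x7FFFFF))


def ipv6_multicast_mac(group: str) -> str:
    """Keep only the low-order 32 bits of the group address."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    return format_mac((IPV6_MAC_PREFIX << 32) | (int(addr) & 0xFFFFFFFF))


def ipv4_groups_sharing_mac(group: str) -> List[str]:
    """All 32 IPv4 groups (every value of the 5 lost bits) with the same MAC."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [
        str(ipaddress.IPv4Address((0b1110 << 28) | (lost << 23) | low23))
        for lost in range(32)
    ]


def classify(dst_group: str, joined: Iterable[str]) -> str:
    """Fate of a frame on a host whose MAC filter is built from `joined`."""
    joined_set = {ipaddress.IPv4Address(g) for g in joined}
    mac_filter = {ipv4_multicast_mac(str(g)) for g in joined_set}
    if ipv4_multicast_mac(dst_group) not in mac_filter:
        return "dropped by MAC filter"
    if ipaddress.IPv4Address(dst_group) not in joined_set:
        # Same MAC, different group: the redundant data the text describes.
        return "filtered by upper layer"
    return "delivered"


if __name__ == "__main__":
    print(ipv6_multicast_mac("FF1E::F30E:0101"))
    print(ipv4_multicast_mac("224.0.0.5"))
    for dst in ("224.1.1.1", "225.129.1.1", "224.1.1.2"):  # constructed samples
        print(dst, "->", classify(dst, ["224.1.1.1"]))
```

A Layer 2 filter keyed on the MAC address alone cannot separate groups that differ only in the five lost bits, so group-level access control has to be applied on the IP address.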
Multicast Protocols
This section provides only general descriptions about applications and functions of
the Layer 2 and Layer 3 multicast protocols in a network. For details of these
protocols, refer to “MPLS L2VPN Configuration” on page 1425 and “MPLS L3VPN
Configuration” on page 1459.
Currently, the MSR series routers do not support IGMP Snooping, multicast VLAN,
IPv6 multicast VLAN and MLD Snooping.
[Figure: multicast protocols across AS 1 and AS 2, labeled IGMP/MLD, PIM/IPv6 PIM
and MSDP, with one Source and several Receivers]
In the ASM model, multicast routes are divided into intra-domain routes and
inter-domain routes.
on the forwarding mechanism, PIM comes in two modes - dense mode (often
referred to as PIM-DM) and sparse mode (often referred to as PIM-SM).
■ An inter-domain multicast routing protocol is used for delivery of multicast
information between two ASs. So far, mature solutions include multicast
source discovery protocol (MSDP).
For the SSM model, multicast routes are not divided into inter-domain routes and
intra-domain routes. Since receivers know the position of the multicast source,
channels established through PIM-SM are sufficient for multicast information
transport.
[Figure: Source and Receivers, labeled Multicast VLAN/IPv6 Multicast VLAN and
IGMP Snooping/MLD Snooping]
Multicast Packet Forwarding Mechanism
In a multicast model, a multicast source sends information to a host group, which
is identified by a multicast group address in the destination address field of IP
multicast packets. Therefore, to deliver multicast packets to receivers located in
different parts of the network, multicast routers on the forwarding path usually
need to forward multicast packets received on one incoming interface to multiple
outgoing interfaces. Compared with a unicast model, a multicast model is more
complex in the following aspects.
■ To ensure multicast packet transmission in the network, unicast routing tables
or multicast routing tables specially provided for multicast must be used as
guidance for multicast forwarding.
■ To process the same multicast information from different peers received on
different interfaces of the same device, every multicast packet is subject to a
reverse path forwarding (RPF) check on the incoming interface. The result of
the RPF check determines whether the packet will be forwarded or discarded.
The RPF check mechanism is the basis for most multicast routing protocols to
implement multicast forwarding.
Note: For details about the RPF mechanism, refer to “RPF Mechanism” on page 1097 or
“RPF Mechanism” on page 1209.
Introduction to the Multi-Instance Concept
VPN networks need to be isolated from one another and from the public network.
As shown in Figure 324, VPN A and VPN B separately access the public network
through PE devices.
[Figure 324: VPN A sites (CE a1, CE a2, CE a3) and VPN B sites (CE b1, CE b2, CE b3)
access the public network through PE 1, PE 2 and PE 3]
■ The P device belongs to the public network. The CE devices belong to their
respective VPNs. Each CE device serves its own network and maintains only one
forwarding mechanism.
■ The PE devices interface with the public network and the VPN networks,
serving multiple networks at the same time. On each PE device, the
information for different networks must be strictly distinguished and a separate
forwarding mechanism must be maintained for each network. On a PE device,
a set of software and hardware that serves the same network forms an
instance. Multiple instances exist on a PE device at the same time, and an
instance resides on different PE devices.
Multi-Instance Application in Multicast
VPN instances are implemented by the PE devices in a VPN network. A PE device
supports the public instance and multiple VPN instances at the same time, and
runs an independent multicast service in each instance. A PE device has the
following characteristics:
■ It maintains an independent multicast forwarding mechanism for each
instance, including various multicast protocols, a list of PIM neighbors and a
multicast routing table per instance. Each instance searches its own forwarding
table or routing table to forward multicast data.
■ It guarantees the isolation between different VPN instances.
■ It implements information exchange and data conversion between the public
instance and VPN instances.
Note:
■ Only one set of unified multicast service runs on a non-PE device. It is called
the public instance.
■ The configuration made in VPN instance view takes effect only on the VPN
instance interface. An interface that does not belong to any VPN instance
is called a public instance interface.
■ For more information about multicast VPN, refer to “Multicast VPN
Configuration” on page 1279.
Introduction to Multicast Routing and Forwarding
In multicast implementations, multicast routing and forwarding are implemented
by three types of tables:
■ Each multicast routing protocol has its own multicast routing table, such as the PIM
routing table.
■ The information of different multicast routing protocols forms a general
multicast routing table.
■ The multicast forwarding table is directly used to control the forwarding of
multicast packets.
A multicast forwarding table consists of a set of (S, G) entries, each indicating the
routing information for delivering multicast data from a multicast source to a
multicast group. If a router supports multiple multicast protocols, its multicast
routing table will include routes generated by multiple protocols. The router
chooses the optimal route from the multicast routing table based on the
configured multicast routing and forwarding policy and installs the route entry
into its multicast forwarding table.
RPF Mechanism
When creating multicast routing table entries, a multicast routing protocol uses
the reverse path forwarding (RPF) mechanism to ensure multicast data delivery
along the correct path.
The RPF mechanism enables routers to correctly forward multicast packets based
on the multicast route configuration. In addition, the RPF mechanism also helps
avoid data loops caused by various reasons.
RPF check
The basis for an RPF check is a unicast route or a multicast static route. A unicast
routing table contains the shortest path to each destination subnet, while a
multicast static routing table lists the RPF routing information defined by the user
through static configuration. A multicast routing protocol does not independently
maintain any type of unicast route; instead, it relies on the existing unicast routing
information or multicast static routes in creating multicast routing entries.
When performing an RPF check, a router searches its unicast routing table and
multicast static routing table at the same time. The specific process is as follows:
1 The router first chooses an optimal route from the unicast routing table and
multicast static routing table:
■ The router automatically chooses an optimal unicast route by searching its
unicast routing table, using the IP address of the “packet source” as the
destination address. The outgoing interface in the corresponding routing entry
is the RPF interface and the next hop is the RPF neighbor. The router considers
the path along which the packet from the RPF neighbor arrived on the RPF
interface to be the shortest path that leads back to the source.
■ The router automatically chooses an optimal multicast static route by searching
its multicast static routing table, using the IP address of the “packet source” as
the destination address. The corresponding routing entry explicitly defines the
RPF interface and the RPF neighbor.
2 Then, the router selects one of these two optimal routes as the RPF route. The
selection is as follows:
■ If configured to use the longest match principle, the router selects the longest
match route from the two; if these two routes have the same mask, the router
selects the route with a higher priority; if the two routes have the same priority,
the router selects the multicast static route.
■ If not configured to use the longest match principle, the router selects the
route with a higher priority; if the two routes have the same priority, the router
selects the multicast static route.
For details about the concepts of SPT, RPT and BSR, refer to “PIM Configuration”
on page 1161.
Assume that unicast routes exist in the network and no multicast static routes
have been configured on Router C, as shown in Figure 325. Multicast packets
travel along the SPT from the multicast source to the receivers.
[Figure 325: Source, Receiver, Router B, and interfaces POS5/0 and POS5/1]
means that the interface on which the packet actually arrived is not the RPF
interface. The RPF check fails and the packet is discarded.
■ A multicast packet from Source arrives on POS5/1 of Router C, and the
corresponding forwarding entry does not exist in the multicast forwarding
table of Router C. The router performs an RPF check, and finds in its unicast
routing table that the outgoing interface to 192.168.0.0/24 is the interface on
which the packet actually arrived. The RPF check succeeds and the packet is
forwarded.
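The RPF route selection and RPF check described above, as an added Python example (not code from this manual or from the router software). The route tables, preference values and neighbor names are constructed; the sketch assumes that a lower preference value means a higher priority and that a packet with no RPF route fails the check.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str                 # destination network, e.g. "192.168.0.0/24"
    interface: str              # becomes the RPF interface if selected
    neighbor: str               # becomes the RPF neighbor if selected
    preference: int             # ASSUMPTION: lower value = higher priority
    static_mcast: bool = False  # True for a multicast static route

    @property
    def masklen(self) -> int:
        return ipaddress.ip_network(self.prefix).prefixlen


def best_match(table: List[Route], source: str) -> Optional[Route]:
    """Step 1: optimal route in one table, using the packet source as the
    lookup destination (longest prefix first, then priority)."""
    src = ipaddress.ip_address(source)
    hits = [r for r in table if src in ipaddress.ip_network(r.prefix)]
    return max(hits, key=lambda r: (r.masklen, -r.preference), default=None)


def select_rpf_route(unicast: List[Route], mstatic: List[Route], source: str,
                     longest_match: bool = False) -> Optional[Route]:
    """Step 2: choose between the optimal unicast route and the optimal
    multicast static route."""
    uni = best_match(unicast, source)
    sta = best_match(mstatic, source)
    if uni is None or sta is None:
        return uni if sta is None else sta
    if longest_match and uni.masklen != sta.masklen:
        return uni if uni.masklen > sta.masklen else sta
    if uni.preference != sta.preference:
        return uni if uni.preference < sta.preference else sta
    return sta  # equal priority: the multicast static route wins


def rpf_check(unicast: List[Route], mstatic: List[Route], source: str,
              arrival_if: str, longest_match: bool = False) -> bool:
    """Pass only if the packet arrived on the RPF interface."""
    route = select_rpf_route(unicast, mstatic, source, longest_match)
    return route is not None and route.interface == arrival_if


# Constructed tables for Router C; the source subnet 192.168.0.0/24 and the
# interface names POS5/0 and POS5/1 are the ones used in the text.
SOURCE = "192.168.0.1"
UNICAST = [Route("192.168.0.0/24", "POS5/1", "RouterA", preference=10)]
STATIC_SAME = [Route("192.168.0.0/24", "POS5/0", "RouterB", 10, True)]
STATIC_WIDE = [Route("192.168.0.0/16", "POS5/0", "RouterB", 1, True)]

if __name__ == "__main__":
    for name, static in (("no static", []), ("static /24", STATIC_SAME)):
        for iface in ("POS5/0", "POS5/1"):
            ok = rpf_check(UNICAST, static, SOURCE, iface)
            print(f"{name:10} arrival {iface}: {'forward' if ok else 'discard'}")
```

With the constructed /16 static route, the longest match setting flips the result: without it the higher-priority static route is the RPF route, with it the /24 unicast route is.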
Multicast static route
If the topology structure of a multicast network is the same as that of a unicast
network, receivers can receive multicast data via unicast routes. However, the
topology structure of a multicast network may differ from that of a unicast
network, and some routers may support only unicast but not multicast. In this
case, you can configure multicast static routes to provide multicast transmission
paths that are different from those for unicast traffic. Note the following two
points:
■ A multicast static route only affects RPF checks, instead of guiding multicast
forwarding, so it is also called an RPF static route.
■ A multicast static route is effective on the multicast router on which it is
configured, and will not be broadcast throughout the network or injected to
other routers.
A multicast static route is an important basis for RPF checks. With a multicast static
route configured on a router, the router searches the unicast routing table and the
multicast static routing table simultaneously in an RPF check, chooses the optimal
unicast RPF route and the optimal multicast static route respectively from the
routing tables, and uses one of them as the RPF route after comparison.
[Figure 326: labels 192.168.0.1/24, Router A, Router C and POS5/1]
As shown in Figure 326, when no multicast static route is configured, Router C’s
RPF neighbor on the path back to Source is Router A and the multicast
information from Source travels along the path from Router A to Router C, which
is the unicast route between the two routers; with a static route configured on
Router C and Router B as Router C’s RPF neighbor on the path back to Source, the
multicast information from Source travels from Router A to Router B and then to
Router C.
Multicast Traceroute
The multicast traceroute utility is used to trace the path that a multicast stream
passes from the multicast source to the last-hop router.
Application of GRE Tunnel in Multicast Forwarding
There may be routers that do not support multicast protocols in a network. As
multicast traffic from a multicast source is forwarded hop by hop by multicast
routers along the forwarding tree, when the multicast traffic is forwarded to a
next hop router that does not support IP multicast, the forwarding path is blocked.
In this case, you can enable multicast traffic forwarding across the unicast subnet
where the non-multicast-capable router resides by establishing a generic routing
encapsulation (GRE) tunnel between the routers at both ends of the unicast
subnet.
For details about GRE tunneling, refer to “GRE Configuration” on page 1589.
[Figure 327: GRE tunnel between Router A and Router B across two unicast routers,
on the path from Source to Receiver]
As shown in Figure 327, with a GRE tunnel established between Router A and
Router B, Router A encapsulates multicast data in unicast IP packets, which are
then forwarded by unicast routers to Router B across the GRE tunnel. Then, Router
B strips off the unicast IP header and continues forwarding the multicast data
down towards the receivers.
However, if unicast static routes are configured across the tunnel, any unicast
packet can be transmitted through the tunnel. If you wish the tunnel to be
dedicated to multicast traffic delivery, you can configure a multicast static route
across the tunnel, so that unicast packets cannot be transmitted through this
tunnel.
Configuration Task List
Complete these tasks to configure multicast routing and forwarding:
Task    Remarks
“Enabling IP Multicast Routing” on page 1103    Required
“Configuring Multicast Static Routes” on page 1103    Optional
“Configuring a Multicast Routing Policy” on page 1104    Optional
“Configuring Multicast Forwarding Range” on page 1104    Optional
“Configuring Multicast Forwarding Table Size” on page 1105    Optional
“Tracing a Multicast Path” on page 1106    Optional
Configuring Multicast Routing and Forwarding
Configuration Prerequisites
Before configuring multicast routing and forwarding, complete the following
tasks:
■ Configure a unicast routing protocol so that all devices in the domain are
interoperable at the network layer.
■ Enable PIM (PIM-DM or PIM-SM).
Before configuring multicast routing and forwarding, prepare the following data:
For details about primary and secondary IP addresses, refer to “IP Addressing
Configuration” on page 623.
Configuring Multicast Static Routes
Based on the application environment, a multicast static route has the following
two functions:
■ Changing an RPF route. If the multicast topology structure is the same as the
unicast topology in a network, the delivery path of multicast traffic is the same
as in unicast. By configuring a multicast static route, you can change the RPF
route so as to create a transmission path that is different from the unicast
traffic transmission path.
■ Creating an RPF route. When a unicast route is interrupted, multicast traffic
forwarding is stopped due to lack of an RPF route. By configuring a multicast
static route, you can create an RPF route so that a multicast routing entry is
created to guide multicast traffic forwarding.
Configuring a Multicast Routing Policy
If multiple unicast routes with the same cost exist to the same multicast source,
you can configure the router to determine the RPF route based on the longest
match (that is, by mask length).
With the load splitting feature enabled, multicast traffic will be evenly distributed
among the equal-cost routes.
Configuring Multicast Forwarding Range
Multicast packets do not travel without a boundary in a network. The multicast
data corresponding to each multicast group must be transmitted within a definite
scope. Presently, you can define a multicast forwarding range by:
You can configure the minimum TTL required for a multicast packet to be
forwarded on all interfaces that support multicast forwarding. Before being
forwarded from an interface, every multicast packet (including multicast packet
from the local device) is subject to a TTL check:
■ If the TTL value of the packet (already decremented by 1 on this router) is larger
than the minimum TTL value configured on the interface, the packet will be
forwarded.
■ If the TTL value of the packet is smaller than or equal to the minimum TTL value
configured on the interface, the packet will be discarded.
Configuring Multicast Forwarding Table Size
Too many multicast routing entries can exhaust the router’s memory and thus
result in lower router performance. Therefore, the number of multicast routing
entries should be limited. You can set a limit on the number of entries in the
multicast routing table based on the actual networking situation and the
performance requirements. In any case, the number of route entries must not
exceed the maximum number allowed by the system.
Tracing a Multicast Path
You can run the mtracert command to trace the path down which the multicast
traffic from a given multicast source flows to the last-hop router for
troubleshooting purposes.
Displaying and Maintaining Multicast Routing and Forwarding
To do...    Use the command...    Remarks
View the multicast boundary information    display multicast boundary [ vpn-instance vpn-instance-name | all-instance ] [ group-address [ mask | mask-length ] ] [ interface interface-type interface-number ]    Available in any view
CAUTION:
■ The reset command clears the information in the multicast routing table or the
multicast forwarding table, and thus may cause failure of multicast
transmission.
■ When a routing entry is deleted from the multicast routing table, the
corresponding forwarding entry will also be deleted from the multicast
forwarding table.
■ When a forwarding entry is deleted from the multicast forwarding table, the
corresponding route entry will also be deleted from the multicast routing table.
Configuration Examples
Network diagram
[Figure 328: Router A: Eth1/0 50.1.1.1/24 (toward Source), Eth1/2 30.1.1.2/24.
Router B: Eth1/0 10.1.1.1/24 (toward Receiver), Eth1/2 30.1.1.1/24.
Router C: Eth1/0 20.1.1.2/24, Eth1/1 40.1.1.1/24.]
Configuration procedure
1 Configure interface IP addresses and enable unicast routing on each router
Configure the IP address and subnet mask for each interface as per Figure 328.
The detailed configuration steps are omitted here.
<RouterB> system-view
[RouterB] multicast routing-enable
[RouterB] interface ethernet 1/0
[RouterB-Ethernet1/0] igmp enable
[RouterB-Ethernet1/0] pim dm
[RouterB-Ethernet1/0] quit
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] pim dm
[RouterB-Ethernet1/1] quit
[RouterB] interface ethernet 1/2
[RouterB-Ethernet1/2] pim dm
[RouterB-Ethernet1/2] quit
<RouterA> system-view
[RouterA] multicast routing-enable
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] pim dm
[RouterA-Ethernet1/0] quit
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] pim dm
[RouterA-Ethernet1/1] quit
[RouterA] interface ethernet 1/2
[RouterA-Ethernet1/2] pim dm
[RouterA-Ethernet1/2] quit
# Use the display multicast rpf-info command to view the RPF route to Source
on Router B.
# Use the display multicast rpf-info command to view the information about
the RPF route to Source on Router B.
As shown above, the RPF route on Router B has changed. It is now the configured
multicast static route, and the RPF neighbor is now Router C.
Network diagram
[Figure 329: PIM-DM, OSPF domain. Router A: Eth1/0 50.1.1.1/24, Eth1/1 30.1.1.2/24.
Router B: Eth1/0 40.1.1.1/24, Eth1/1 20.1.1.2/24, Eth1/2 30.1.1.1/24.
Router C: Eth1/0 10.1.1.1/24, Eth1/1 20.1.1.1/24.]
Configuration procedure
1 Configure the interface IP addresses and unicast routing protocol for each router
Configure the IP address and subnet mask for each interface as per Figure 329.
The detailed configuration steps are omitted here.
<RouterC> system-view
[RouterC] multicast routing-enable
[RouterC] interface ethernet 1/0
[RouterC-Ethernet1/0] igmp enable
[RouterC-Ethernet1/0] pim dm
[RouterC-Ethernet1/0] quit
[RouterC] interface ethernet 1/1
[RouterC-Ethernet1/1] pim dm
[RouterC-Ethernet1/1] quit
<RouterA> system-view
[RouterA] multicast routing-enable
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] pim dm
[RouterA-Ethernet1/0] quit
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] pim dm
[RouterA-Ethernet1/1] quit
# Use the display multicast rpf-info command to view the information of the
RPF route to Source 2 on Router B and Router C.
# Use the display multicast rpf-info command to view the RPF routes to Source
2 on Router B and Router C.
As shown above, the RPF routes to Source 2 exist on Router B and Router C. The
source is the configured static route.
Troubleshooting Multicast Routing and Forwarding
Analysis
■ If the multicast static route is not configured or updated correctly to match the
current network conditions, the route entry and the configuration information
of multicast static routes do not exist in the multicast routing table.
■ If the optimal route is found, the multicast static route may also fail.
Solution
1 In the configuration, you can use the display multicast routing-table static
config command to view the detailed configuration information of multicast
static routes to verify that the multicast static route has been correctly configured
and the route entry exists.
2 In the configuration, you can use the display multicast routing-table static
command to view the information of multicast static routes to verify that the
multicast static route has been correctly configured and the route entry exists in
the multicast routing table.
3 Check the next hop interface type of the multicast static route. If the interface is
not a point-to-point interface, be sure to specify the next hop address to configure
the outgoing interface when you configure the multicast static route.
4 Check that the multicast static route matches the specified routing protocol. If a
protocol was specified when the multicast static route was configured, enter the
display ip routing-table command to check if an identical route was added by
the protocol.
5 Check that the multicast static route matches the specified routing policy. If a
routing policy was specified when the multicast static route was configured, enter
the display route-policy command to check the configured routing policy.
Analysis
■ When a router receives a multicast packet, it decrements the TTL value of the
multicast packet by 1 and recalculates the checksum value. The router then
forwards the packet to all outgoing interfaces. If the multicast minimum-ttl
command is configured on the outgoing interfaces, the TTL value of the packet
must be larger than the configured minimum TTL value; otherwise, the packet
will be discarded.
■ If a multicast forwarding boundary has been configured through the multicast
boundary command, any multicast packet will be kept from crossing the
boundary.
Solution
1 Use the display pim routing-table command to check whether the
corresponding (S, G) entries exist on the router. If so, the router has received the
multicast data; otherwise, the router has not received the data.
2 Enter the display multicast minimum-ttl command to check the configured
minimum TTL value required for multicast packets to be forwarded. Use the undo
multicast minimum-ttl command on the concerned interfaces to restore the
required minimum TTL value to the system default, or configure multicast packets
to be sent with a higher TTL value from the multicast source.
3 Use the display multicast boundary command to view the multicast boundary
information on the interfaces. Use the multicast boundary command to change
the multicast forwarding boundary setting.
4 In the case of PIM-SM, use the display current-configuration command to
check the BSR and RP information.
IGMP Overview
As a TCP/IP protocol responsible for IP multicast group member management, the
Internet Group Management Protocol (IGMP) is used by IP hosts to establish and
maintain their multicast group memberships to immediately neighboring multicast
routers.
All IGMP versions support the Any-Source Multicast (ASM) model. In addition,
IGMPv3 can be directly used to implement the Source-Specific Multicast (SSM)
model.
n For more information about the ASM and SSM models, see “Multicast Models” on
page 1088.
Work Mechanism of IGMPv1
IGMPv1 manages multicast group memberships mainly based on the query and
response mechanism.
Of multiple multicast routers on the same subnet, all the routers can hear IGMP
membership report messages (often referred to as reports) from hosts, but only
one router is needed for sending IGMP query messages (often referred to as
queries). So, a querier election mechanism is required to determine which router
will act as the IGMP querier on the subnet.
n For more information about DR, refer to “PIM Configuration” on page 1161.
[Figure 330: network diagram. Labels: DR, Router A, Router B, Ethernet, Query, Report]
Assume that Host B and Host C are expected to receive multicast data addressed
to multicast group G1, while Host A is expected to receive multicast data
addressed to G2, as shown in Figure 330. The basic process that the hosts join the
multicast groups is as follows:
1 The IGMP querier (Router B in the figure) periodically multicasts IGMP queries
(with the destination address of 224.0.0.1) to all hosts and routers on the local
subnet.
2 Upon receiving a query message, Host B or Host C (the delay timer of whichever
expires first) sends an IGMP report to the multicast group address of G1, to
announce its interest in G1. Assume it is Host B that sends the report message.
3 Host C, which is on the same subnet, hears the report from Host B for joining G1.
Upon hearing the report, Host C will suppress itself from sending a report message
for the same multicast group, because the IGMP routers (Router A and Router B)
already know that at least one host on the local subnet is interested in G1. This
mechanism, known as IGMP report suppression, helps reduce traffic over the local
subnet.
4 At the same time, because Host A is interested in G2, it sends a report to the
multicast group address of G2.
5 Through the above-mentioned query/report process, the IGMP routers learn that
members of G1 and G2 are attached to the local subnet, and generate (*, G1) and
(*, G2) multicast forwarding entries, which will be the basis for subsequent
multicast forwarding, where * represents any multicast source.
6 When the multicast data addressed to G1 or G2 reaches an IGMP router, because
the (*, G1) and (*, G2) multicast forwarding entries exist on the IGMP router, the
router forwards the multicast data to the local subnet, and then the receivers on
the subnet receive the data.
As IGMPv1 does not specifically define a Leave Group mechanism, upon leaving a
multicast group, an IGMPv1 host stops sending reports with the destination
address being the address of that multicast group. If no member of a multicast
group exists on the subnet, the IGMP router will not receive any report addressed
to that multicast group, so the routers will delete the multicast forwarding entries
for that multicast group after a period of time.
Enhancements in IGMPv2
Compared with IGMPv1, IGMPv2 has introduced a querier election mechanism
and a leave-group mechanism.
1 Initially, every IGMPv2 router assumes itself as the querier and sends IGMP general
query messages (often referred to as general queries) to all hosts and routers on
the local subnet (the destination address is 224.0.0.1).
2 Upon hearing a general query, every IGMPv2 router compares the source IP
address of the query message with its own interface address. After comparison,
the router with the lowest IP address wins the querier election and all other
IGMPv2 routers become non-queriers.
3 All the non-queriers start a timer, known as “other querier present timer”. If a
router receives an IGMP query from the querier before the timer expires, it resets
this timer; otherwise, it assumes the querier to have timed out and initiates a new
querier election process.
1 This host sends a Leave Group message (often referred to as leave message) to all
routers (the destination address is 224.0.0.2) on the local subnet.
2 Upon receiving the leave message, the querier sends a configurable number of
group-specific queries to the group being left. The destination address field and
group address field of the message are both filled with the address of the
multicast group being queried.
3 Upon receiving a group-specific query, one of the other members of that group, if
any, will respond with a membership report within the maximum response time
set in the query.
4 If the querier receives a membership report from any member of the group within
the maximum response time, it will maintain the memberships of the group;
otherwise, the querier will assume that the group no longer has any members on
the subnet and will stop maintaining the memberships of the group.
Enhancements in IGMPv3
Built upon and being compatible with IGMPv1 and IGMPv2, IGMPv3 provides
hosts with enhanced control capabilities and provides enhancements of query and
report messages.
As shown in Figure 331, the network comprises two multicast sources, Source 1
(S1) and Source 2 (S2), both of which can send multicast data to multicast group
G. Host B is interested only in the multicast data that Source 1 sends to G but not
in the data from Source 2.
[Figure 331: network diagram. Labels: Source 1, Source 2, Host A, Host B, Host C, Receiver, Packets (S1,G), Packets (S2,G)]
In the case of IGMPv1 or IGMPv2, Host B cannot select multicast sources when it
joins multicast group G. Therefore, multicast streams from both Source 1 and
Source 2 will flow to Host B whether it needs them or not.
When IGMPv3 is running between the hosts and routers, Host B can explicitly
express its interest in the multicast data Source 1 sends to multicast group G
(denoted as (S1, G)), rather than the multicast data Source 2 sends to multicast
group G (denoted as (S2, G)). Thus, only multicast data from Source 1 will be
delivered to Host B.
IGMPv3 supports not only general queries (feature of IGMPv1) and group-specific
queries (feature of IGMPv2), but also group-and-source-specific queries.
■ A general query does not carry a group address, nor a source address;
■ A group-specific query carries a group address, but no source address;
■ A group-and-source-specific query carries a group address and one or more
source addresses.
2 Reports containing multiple group records
■ IS_IN: The source filtering mode is Include, namely, the report sender requests
the multicast data from only the sources defined in the specified multicast
source list. If the specified multicast source list is empty, this means that the
report sender has left the reported multicast group.
■ IS_EX: The source filtering mode is Exclude, namely, the report sender requests
the multicast data from any sources but those defined in the specified multicast
source list.
■ TO_IN: The filtering mode has changed from Exclude to Include.
■ TO_EX: The filtering mode has changed from Include to Exclude.
■ ALLOW: The Source Address fields in this Group Record contain a list of the
additional sources that the system wishes to hear from, for packets sent to the
specified multicast address. If the change was to an Include source list, these
are the addresses that were added to the list; if the change was to an Exclude
source list, these are the addresses that were deleted from the list.
■ BLOCK: indicates that the Source Address fields in this Group Record contain a
list of the sources that the system no longer wishes to hear from, for packets
sent to the specified multicast address. If the change was to an Include source
list, these are the addresses that were deleted from the list; if the change was
to an Exclude source list, these are the addresses that were added to the list.
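The group record types listed above can be seen at work by parsing IGMPv3 reports and replaying them against one reporter's source filter. This is an added example, not code from the manual or the device; the record type numbers and message layout follow RFC 3376, and the group and source addresses are constructed. It tracks a single reporter's filter only and leaves out the router's timers and the merging of several reporters.

```python
import socket
import struct

# Record type numbers from RFC 3376, keyed to the abbreviations used above.
RECORD_TYPES = {1: "IS_IN", 2: "IS_EX", 3: "TO_IN", 4: "TO_EX", 5: "ALLOW", 6: "BLOCK"}

# Constructed sample addresses: group G and sources S1, S2.
G, S1, S2 = "232.1.1.1", "192.0.2.1", "192.0.2.2"


def checksum(data):
    """16-bit one's-complement Internet checksum used by IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_report(records):
    """Build an IGMPv3 report from [(type_number, group, [sources])]."""
    body = b""
    for rtype, group, sources in records:
        body += struct.pack("!BBH4s", rtype, 0, len(sources), socket.inet_aton(group))
        body += b"".join(socket.inet_aton(s) for s in sources)
    head = struct.pack("!BBHHH", 0x22, 0, 0, 0, len(records))
    return head[:2] + struct.pack("!H", checksum(head + body)) + head[4:] + body


def parse_report(msg):
    """Return [(record_type, group, [sources])]; raise ValueError if invalid."""
    if len(msg) < 8 or msg[0] != 0x22:
        raise ValueError("not an IGMPv3 membership report")
    if checksum(msg) != 0:
        raise ValueError("bad IGMP checksum")
    (count,) = struct.unpack("!H", msg[6:8])
    records, off = [], 8
    for _ in range(count):
        if off + 8 > len(msg):
            raise ValueError("truncated group record")
        rtype, aux_words, nsrc = struct.unpack("!BBH", msg[off:off + 4])
        end = off + 8 + 4 * nsrc
        if rtype not in RECORD_TYPES or end + 4 * aux_words > len(msg):
            raise ValueError("invalid group record")
        group = socket.inet_ntoa(msg[off + 4:off + 8])
        sources = [socket.inet_ntoa(msg[i:i + 4]) for i in range(off + 8, end, 4)]
        records.append((RECORD_TYPES[rtype], group, sources))
        off = end + 4 * aux_words  # skip auxiliary data, if any
    return records


def apply_record(state, record):
    """Update one reporter's filter; state maps group -> (mode, set of sources)."""
    rtype, group, sources = record
    mode, current = state.get(group, ("INCLUDE", set()))
    srcs = set(sources)
    if rtype in ("IS_IN", "TO_IN"):
        mode, current = "INCLUDE", srcs
    elif rtype in ("IS_EX", "TO_EX"):
        mode, current = "EXCLUDE", srcs
    elif rtype == "ALLOW":   # added to an Include list, deleted from an Exclude list
        current = current | srcs if mode == "INCLUDE" else current - srcs
    else:                    # BLOCK: deleted from an Include list, added to an Exclude list
        current = current - srcs if mode == "INCLUDE" else current | srcs
    if mode == "INCLUDE" and not current:
        state.pop(group, None)  # Include with an empty list: the reporter has left
    else:
        state[group] = (mode, current)
    return state


def replay(messages):
    """Parse each report in order and return the resulting filter state."""
    state = {}
    for msg in messages:
        for record in parse_report(msg):
            apply_record(state, record)
    return state
```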
Multi-Instance IGMP
While IGMP collects group memberships on a per-interface basis, IGMP in a VPN
instance handles protocol packets based on the VPN instance on the interface.
Upon receiving an IGMP packet, the router determines the instance to which the
message belongs and handles the message within the instance. If it is necessary to
exchange information with another multicast protocol, the router informs the
other multicast protocol only within the VPN instance.
Protocols and Standards
The following documents describe different IGMP versions:
■ RFC 1112: Host Extensions for IP Multicasting
■ RFC 2236: Internet Group Management Protocol, Version 2
■ RFC 3376: Internet Group Management Protocol, Version 3
Task                                                                  Description
“Configuring Basic Functions of IGMP” on page 1120
    “Enabling IGMP” on page 1120                                      Required
    “Configuring IGMP Versions” on page 1121                          Optional
    “Configuring a Static Member of a Multicast Group” on page 1122   Optional
    “Configuring a Multicast Group Filter” on page 1122               Optional
“Adjusting IGMP Performance” on page 1123
    “Configuring IGMP Message Options” on page 1123                   Optional
    “Configuring IGMP Query and Response Parameters” on page 1124     Optional
    “Configuring IGMP Fast Leave Processing” on page 1126             Optional
Configuring Basic Functions of IGMP
Configuration Prerequisites
Before configuring the basic functions of IGMP, complete the following tasks:
■ Configure any unicast routing protocol so that all devices in the domain are
interoperable at the network layer.
■ Configure PIM-DM or PIM-SM
Before configuring the basic functions of IGMP, prepare the following data:
■ IGMP version
■ Multicast group and multicast source addresses for static group member
configuration
■ ACL rule for multicast group filtering
Enabling IGMP
First, IGMP must be enabled on the interface on which the multicast group
memberships are to be established and maintained.
Configuring IGMP Versions
Because the protocol packets of different IGMP versions vary in structure and type,
the same IGMP version should be configured for all routers on the same subnet
before IGMP can work properly.
Configuring a Static Member of a Multicast Group
After an interface is configured as a static member of a multicast group, it will act
as a virtual member of the multicast group to receive multicast data addressed to
that multicast group for the purpose of testing multicast data forwarding.
Configuring a Multicast Group Filter
To restrict the hosts on the network attached to an interface from joining certain
multicast groups, you can set an ACL rule on the interface as a packet filter that
limits the range of multicast groups the interface serves.
Adjusting IGMP Performance
Configuring IGMP Message Options
As there are IGMP group-specific and group-and-source-specific queries, and
multicast groups change dynamically, a device cannot join all multicast groups.
Therefore, when receiving a multicast packet but unable to locate the outgoing
interface for the destination multicast group, an IGMP router needs to leverage
the Router-Alert option to pass the multicast packet to the upper-layer protocol for
processing. For details about Router-Alert, refer to RFC 2113.
■ For the consideration of compatibility, the device does not check the
Router-Alert option, namely it processes all the IGMP messages it received. In
this case, IGMP messages are directly passed to the upper layer protocol, no
matter whether the IGMP messages carry the Router-Alert option or not.
■ To enhance the device performance and avoid unnecessary costs, and also for
the consideration of protocol security, you can configure the device to discard
IGMP messages that do not carry the Router-Alert option.
Configuring IGMP Query and Response Parameters
The IGMP querier periodically sends IGMP general queries at the “IGMP query
interval” to determine whether any multicast group member exists on the
network. You can tune the IGMP general query interval based on the actual
conditions of the network.
On startup, the IGMP querier sends “startup query count” IGMP general queries
at the “startup query interval”, which is 1/4 of the “IGMP query interval”. Upon
receiving an IGMP leave message, the IGMP querier sends “last member query
count” IGMP group-specific queries at the “IGMP last member query interval”.
Both startup query count and last member query count are set to the IGMP querier
robustness variable.
An appropriate setting of the maximum response time for IGMP queries allows
hosts to respond to queries quickly and avoids bursts of IGMP traffic on the
■ For IGMP general queries, you can configure the maximum response time to fill
their Max Response time field.
■ For IGMP group-specific queries, you can configure the IGMP last member
query interval to fill their Max Response time field. Namely, for IGMP
group-specific queries, the maximum response time equals the IGMP last
member query interval.
When multiple multicast routers exist on the same subnet, the IGMP querier is
responsible for sending IGMP queries. If a non-querier router receives no IGMP
query from the querier within the “other querier present interval”, it will assume
the querier to have expired and a new querier election process is launched;
otherwise, the non-querier router will reset its “other querier present timer”.
c CAUTION:
■ Make sure that the other querier present interval is greater than the IGMP
query interval; otherwise the IGMP querier may change frequently on the
network.
■ Make sure that the IGMP query interval is greater than the maximum response
time for IGMP general queries; otherwise, multicast group members may be
wrongly removed.
■ The configurations of the maximum response time for IGMP general queries,
the IGMP last member query interval and the IGMP other querier present
interval are effective only for IGMPv2 or IGMPv3.
Configuring IGMP Fast Leave Processing
In some applications, such as ADSL dial-up networking, only one multicast receiver
host is attached to a port of the IGMP querier. To allow fast response to the leave
messages of the host when it switches frequently from one multicast group to
another, you can enable IGMP fast leave processing on the IGMP querier.
With the fast leave processing enabled, after receiving an IGMP leave message
from a host, the IGMP querier directly sends a leave notification to the upstream
without sending IGMP group-specific queries. Thus, the leave latency is reduced
on one hand, and the network bandwidth is saved on the other hand.
c CAUTION: The IGMP fast leave feature is effective only if the device is running
IGMPv2 or IGMPv3.
Displaying and Maintaining IGMP

To do...            View IGMP multicast group information
Use the command...  display igmp [ vpn-instance vpn-instance-name | all-instance ] group
                    [ group-address | interface interface-type interface-number ]
                    [ static | verbose ]
Remarks             Available in any view

To do...            View routing information in the IGMP routing table
Use the command...  display igmp [ vpn-instance vpn-instance-name | all-instance ]
                    routing-table [ source-address [ mask { mask | mask-length } ] |
                    group-address [ mask { mask | mask-length } ] ] *
Remarks             Available in any view

To do...            Clear IGMP forwarding entries
Use the command...  reset igmp [ vpn-instance vpn-instance-name | all-instance ] group
                    { all | interface interface-type interface-number
                    { all | group-address [ mask { mask | mask-length } ]
                    [ source-address [ mask { mask | mask-length } ] ] } }
Remarks             Available in user view

n The reset igmp group command cannot clear the IGMP forwarding entries of
static joins.
Network diagram
[Figure 332: network diagram. Labels: Router A (Eth1/0 10.110.1.1/24, POS 5/0), Router B (Querier; Eth1/0 10.110.2.1/24, POS 5/0), Router C (Eth1/0 10.110.2.2/24, POS 5/0), Ethernet segments N1 and N2, Host A, Host B, Host C, Host D, Receiver]
Configuration procedure
1 Configure the IP addresses of the router interfaces and configure a unicast routing
protocol
Configure the IP address and subnet mask of each interface as per Figure 332. The
detailed configuration steps are omitted here.
Configure the OSPF protocol for interoperation among the routers. Ensure the
network-layer interoperation among Router A, Router B and Router C on the PIM
network and dynamic update of routing information among the routers through a
unicast routing protocol. The detailed configuration steps are omitted here.
<RouterA> system-view
[RouterA] multicast routing-enable
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] igmp enable
[RouterA-Ethernet1/0] igmp version 3
[RouterA-Ethernet1/0] pim dm
[RouterA-Ethernet1/0] quit
<RouterB> system-view
[RouterB] multicast routing-enable
[RouterB] interface ethernet 1/0
[RouterB-Ethernet1/0] igmp enable
[RouterB-Ethernet1/0] igmp version 2
[RouterB-Ethernet1/0] pim dm
[RouterB-Ethernet1/0] quit
<RouterC> system-view
[RouterC] multicast routing-enable
[RouterC] interface ethernet 1/0
[RouterC-Ethernet1/0] igmp enable
[RouterC-Ethernet1/0] igmp version 2
[RouterC-Ethernet1/0] pim dm
[RouterC-Ethernet1/0] quit
3 Verify the configuration
Use the display igmp interface command to view the IGMP configuration and
operation status on each router interface. For example:
Troubleshooting IGMP
No Membership Information on the Receiver-Side Router
Symptom
When a host sends a report for joining multicast group G, there is no membership
information of the multicast group G on the router closest to that host.
Analysis
■ The correctness of networking and interface connections directly affects the
generation of group membership information.
■ Multicast routing must be enabled on the router.
■ If the igmp group-policy command has been configured on the interface, the
interface cannot receive report messages that fail to pass filtering.
Solution
1 Check that the networking is correct and interface connections are correct.
2 Check that the interfaces and the host are on the same subnet. Use the display
current-configuration interface command to view the IP address of the
interface.
3 Check that multicast routing is enabled. Carry out the display
current-configuration command to check whether the multicast
routing-enable command has been executed. If not, carry out the multicast
routing-enable command in system view to enable IP multicast routing. In
addition, check that IGMP is enabled on the corresponding interfaces.
4 Check that the interface is in normal state and the correct IP address has been
configured. Carry out the display igmp interface command to view the interface
information. If no interface information is output, this means the interface is
abnormal. Typically this is because the shutdown command has been executed
on the interface, or the interface connection is incorrect, or no correct IP address
has been configured on the interface.
5 Check that no ACL rule has been configured to restrict the host from joining the
multicast group G. Carry out the display current-configuration interface
command to check whether the igmp group-policy command has been
executed. If the host is restricted from joining the multicast group G, the ACL rule
must be modified to allow receiving the reports for the multicast group G.
Inconsistent Memberships on Routers on the Same Subnet
Symptom
Different memberships are maintained on different IGMP routers on the same
subnet.
Analysis
■ A router running IGMP maintains multiple parameters for each interface, and
these parameters influence one another, forming very complicated
relationships. Inconsistent IGMP interface parameter configurations for routers
on the same subnet will surely result in inconsistency of memberships.
■ In addition, although an IGMP router is compatible with a host that is running
a different IGMP version, all routers on the same subnet must run the same
version of IGMP. Inconsistent IGMP versions running on routers on the same
subnet will also lead to inconsistency of IGMP memberships.
Solution
1 Check the IGMP configuration. Carry out the display current-configuration
command to view the IGMP configuration information on the interfaces.
2 Carry out the display igmp interface command on all routers on the same
subnet to check the IGMP-related timer settings. Make sure that the settings are
consistent on all the routers.
3 Use the display igmp interface command to check whether all the routers on
the same subnet are running the same version of IGMP.
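The consistency checks in this solution, together with the timer rules in the CAUTION under “Configuring IGMP Query and Response Parameters”, can be run mechanically once the per-interface settings have been collected from each router. This is an added example, not code from the manual or the device; the `IgmpSettings` structure and the sample values for Router B and Router C are constructed and are not device defaults.

```python
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class IgmpSettings:
    """Per-interface IGMP parameters (seconds, except version and robustness)."""
    version: int
    query_interval: int
    max_response_time: int
    last_member_query_interval: int
    other_querier_present_interval: int
    robustness: int


def derived_values(s):
    """Values that follow from the configured ones, as described in the text."""
    return {
        "startup_query_interval": s.query_interval / 4,
        "startup_query_count": s.robustness,
        "last_member_query_count": s.robustness,
        # Max Response Time carried in group-specific queries
        "group_specific_max_response_time": s.last_member_query_interval,
    }


def check_interface(name, s):
    """Return findings for one router interface, following the CAUTION rules."""
    findings = []
    if s.other_querier_present_interval <= s.query_interval:
        findings.append(f"{name}: other querier present interval must be greater "
                        "than the query interval (querier may change frequently)")
    if s.query_interval <= s.max_response_time:
        findings.append(f"{name}: query interval must be greater than the maximum "
                        "response time (members may be wrongly removed)")
    if s.version == 1:
        findings.append(f"{name}: IGMPv1 in use; maximum response time, last member "
                        "query interval and other querier present interval "
                        "are not effective")
    return findings


def check_subnet(routers):
    """routers maps router name -> IgmpSettings for interfaces on one subnet."""
    findings = []
    for name, s in routers.items():
        findings += check_interface(name, s)
    # Every parameter, including the version, must match across the subnet.
    for f in fields(IgmpSettings):
        values = {name: getattr(s, f.name) for name, s in routers.items()}
        if len(set(values.values())) > 1:
            findings.append(f"subnet: {f.name} differs: {values}")
    return findings


# Constructed sample settings for the two routers that share subnet N2.
ROUTER_B = IgmpSettings(version=2, query_interval=60, max_response_time=10,
                        last_member_query_interval=1,
                        other_querier_present_interval=125, robustness=2)
ROUTER_C_BAD = IgmpSettings(version=3, query_interval=60, max_response_time=60,
                            last_member_query_interval=1,
                            other_querier_present_interval=50, robustness=2)

if __name__ == "__main__":
    for line in check_subnet({"Router B": ROUTER_B, "Router C": ROUTER_C_BAD}):
        print(line)
```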
n For details about the concepts of designated router (DR), bootstrap router (BSR),
candidate-BSR (C-BSR), rendezvous point (RP), candidate RP (C-RP), shortest path
tree (SPT) and rendezvous point tree (RPT) mentioned in this manual, refer to “PIM
Configuration” on page 1161.
MSDP Overview
Introduction to MSDP
Multicast source discovery protocol (MSDP) is an inter-domain multicast solution
developed to address the interconnection of protocol independent multicast
sparse mode (PIM-SM) domains. It is used to discover multicast source information
in other PIM-SM domains.
In the basic PIM-SM mode, a multicast source registers only with the RP in the local
PIM-SM domain, and the multicast source information of a domain is isolated
from that of another domain. As a result, the RP is aware of the source
information only within the local domain and a multicast distribution tree is built
only within the local domain to deliver multicast data from a local multicast source
to local receivers. If there is a mechanism that allows RPs of different PIM-SM
domains to share their multicast source information, the local RP will be able to
join multicast sources in other domains and multicast data can be transmitted
among different domains.
MSDP achieves this objective. By establishing MSDP peer relationships among RPs
of different PIM-SM domains, source active (SA) messages can be forwarded
among domains and the multicast source information can be shared.
c CAUTION:
■ MSDP is applicable only if the intra-domain multicast protocol is PIM-SM.
■ MSDP is meaningful only for the any-source multicast (ASM) model.
[Figure 333: network diagram. Labels: PIM-SM 1, PIM-SM 2, PIM-SM 3, Router A, Router B, Source, RP 1, RP 2]
As shown in Figure 333, an MSDP peer can be created on any PIM-SM router.
MSDP peers created on PIM-SM routers that assume different roles function
differently.
will assume the role of common PIM-SM routers on the “MSDP interconnection
map”.
[Figure: network diagram. Labels: Source, Receiver, DR 1, DR 2, RP 1, RP 2, RP 3, PIM-SM 1, PIM-SM 2, PIM-SM 3, PIM-SM 4. Legend: MSDP peers, Multicast packets, SA message, Join message, Register message]
1 When the multicast source in PIM-SM 1 sends the first multicast packet to
multicast group G, DR 1 encapsulates the multicast data within a register message
and sends the register message to RP 1. Then, RP 1 becomes aware of the information
related to the multicast source.
2 As the source-side RP, RP 1 creates SA messages and periodically sends the SA
messages to its MSDP peer. An SA message contains the source address (S), the
multicast group address (G), and the address of the RP which has created this SA
message (namely RP 1).
3 On MSDP peers, each SA message is subject to a reverse path forwarding (RPF)
check and multicast policy-based filtering, so that only SA messages that have
arrived along the correct path and passed the filtering are received and forwarded.
This avoids delivery loops of SA messages. In addition, you can configure MSDP
peers into an MSDP mesh group so as to avoid flooding of SA messages between
MSDP peers.
4 SA messages are forwarded from one MSDP peer to another, and finally the
information of the multicast source traverses all PIM-SM domains with MSDP
peers (PIM-SM 2 and PIM-SM 3 in this example).
5 Upon receiving the SA message created by RP 1, RP 2 in PIM-SM 2 checks whether
there are any receivers for the multicast group in the domain.
■ If so, the RPT for the multicast group G is maintained between RP 2 and the
receivers. RP 2 creates an (S, G) entry, and sends an (S, G) join message hop by
hop towards DR 1 at the multicast source side, so that it can directly join the
SPT rooted at the source over other PIM-SM domains. Then, the multicast data
can flow along the SPT to RP 2 and is forwarded by RP 2 to the receivers along
the RPT. Upon receiving the multicast traffic, the DR at the receiver side (DR 2)
decides whether to initiate an RPT-to-SPT switchover process.
■ If no receivers for the group exist in the domain, RP 2 does not create an (S, G)
entry and does not join the SPT rooted at the source.
n ■ An MSDP mesh group refers to a group of MSDP peers that have MSDP
peering relationships among one another and share the same group name.
■ When using MSDP for inter-domain multicasting, once an RP receives
information from a multicast source, it no longer relies on RPs in other PIM-SM
domains. The receivers can override the RPs in other domains and directly join
the multicast source based SPT.
n If only one MSDP peer exists in a PIM-SM domain, this PIM-SM domain is also
called a stub domain. For example, AS 4 in Figure 335 is a stub domain. The MSDP
peer in a stub domain can have multiple remote MSDP peers at the same time.
You can configure one or more remote MSDP peers as static RPF peers. When an
RP receives an SA message from a static RPF peer, the RP accepts the SA message
and forwards it to other peers without performing an RPF check.
[Figure: network diagram. Labels: Source, RP 1, RP 2, RP 3, RP 5, RP 8, RP 9, AS 1, AS 2, AS 3, AS 5, Mesh group, SA forwarding steps (1) to (7)]
Because the source-side RP address carried in the SA message is the same as the
MSDP peer address, which means that the MSDP peer where the SA is from is the
RP that has created the SA message, RP 2 accepts the SA message and forwards it
to its other MSDP peer (RP 3).
Because the SA message is from an MSDP peer (RP 2) in the same AS, and the
MSDP peer is the next hop on the optimal path to the source-side RP, RP 3 accepts
the message and forwards it to other peers (RP 4 and RP 5).
Because the SA message is from an MSDP peer (RP 3) in the same mesh group, RP
4 and RP 5 both accept the SA message, but they do not forward the message to
other members in the mesh group; instead, they forward it to other MSDP peers
(RP 6 in this example) out of the mesh group.
Although RP 4 and RP 5 are in the same AS (AS 3) and both are MSDP peers of RP
6, because RP 5 has a higher IP address, RP 6 accepts only the SA message from RP
5.
Because the SA message is from a static RPF peer (RP 6), RP 7 accepts the SA
message and forwards it to its other peer (RP 8).
An EBGP route exists between two MSDP peers in different ASs. Because the SA
message is from an MSDP peer (RP 7) in a different AS, and the MSDP peer is the
next hop on the EBGP route to the source-side RP, RP 8 accepts the message and
forwards it to its other peer (RP 9).
SA messages arriving along paths other than those described above are neither
accepted nor forwarded by MSDP peers.
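The acceptance reasons given in the walk-through above can be written as one decision function and replayed hop by hop. This is an added example, not code from the manual or the device; the order in which the rules are tried, the `next_hop` input (the next hop on the best route towards the source-side RP) and the peer addresses are assumptions of this sketch, and only RP 4 and RP 5 are given an AS number because the text states it.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class Peer:
    """One MSDP peer as configured on the local RP."""
    name: str
    address: str
    asn: Optional[int] = None         # AS of the peer, where the text states it
    mesh_group: Optional[str] = None  # mesh group name configured for this peer
    static_rpf: bool = False


def rpf_check(peers, sender, origin_rp, local_mesh=None, next_hop=None):
    """Return (accepted, reason, names of peers the SA is forwarded to)."""
    def forward(skip_mesh=False):
        return [p.name for p in peers
                if p != sender and not (skip_mesh and p.mesh_group == local_mesh)]

    if sender.address == origin_rp:
        return True, "peer is the source-side RP", forward()
    if sender.static_rpf:
        return True, "static RPF peer", forward()
    if local_mesh and sender.mesh_group == local_mesh:
        # Accepted without an RPF check, never forwarded inside the mesh group.
        return True, "same mesh group", forward(skip_mesh=True)
    if sender.address == next_hop:
        return True, "next hop towards the source-side RP", forward()
    rivals = [p for p in peers if sender.asn is not None and p.asn == sender.asn]
    if next_hop is None and len(rivals) > 1 and \
            sender == max(rivals, key=lambda p: IPv4Address(p.address)):
        return True, "highest address among peers in that AS", forward()
    return False, "RPF check failed", []


def rp(n, **kw):
    """Constructed peer: RP n is given the address 192.0.2.n."""
    return Peer(f"RP {n}", f"192.0.2.{n}", **kw)


def walk_through():
    """Replay the hops described above, plus two SAs that must be rejected."""
    origin = rp(1).address  # RP 1 created the SA message
    m = "mesh"              # constructed mesh group name for RP 3, RP 4 and RP 5
    rp6_peers = [rp(4, asn=3), rp(5, asn=3), rp(7)]
    cases = [
        # (receiver, its peers, index of sender, local mesh group, next hop)
        ("RP 2", [rp(1), rp(3)], 0, None, None),
        ("RP 3", [rp(2), rp(4, mesh_group=m), rp(5, mesh_group=m)], 0, m, rp(2).address),
        ("RP 4", [rp(3, mesh_group=m), rp(5, mesh_group=m), rp(6)], 0, m, None),
        ("RP 6", rp6_peers, 1, None, None),   # from RP 5: accepted
        ("RP 6", rp6_peers, 0, None, None),   # from RP 4: rejected
        ("RP 7", [rp(6, static_rpf=True), rp(8)], 0, None, None),
        ("RP 8", [rp(7), rp(9)], 0, None, rp(7).address),
        ("RP 8", [rp(7), rp(9)], 1, None, rp(7).address),  # wrong path: rejected
    ]
    results = []
    for receiver, peers, i, mesh, hop in cases:
        ok, reason, fwd = rpf_check(peers, peers[i], origin, mesh, hop)
        results.append((receiver, peers[i].name, ok, reason, fwd))
    return results


if __name__ == "__main__":
    for row in walk_through():
        print(row)
```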
[Figure: network diagram. Labels: RP 1, RP 2, Router A, Router B, Source, Receiver, PIM-SM. Legend: MSDP peers, SA message]
1 The multicast source registers with the nearest RP. In this example, Source registers
with RP 1, with its multicast data encapsulated in the register message. When the
register message arrives at RP 1, RP 1 decapsulates the message.
2 Receivers send join messages to the nearest RP to join the RPT rooted at this RP.
In this example, Receiver joins the RPT rooted at RP 2.
3 RPs share the registered multicast information by means of SA messages. In this
example, RP 1 creates an SA message and sends it to RP 2, with the multicast data
c CAUTION:
■ Be sure to configure a 32-bit subnet mask (255.255.255.255) for the Anycast
RP address, namely configure the Anycast RP address into a host address.
■ An MSDP peer address must be different from the Anycast RP address.
Multi-Instance MSDP
An MSDP peering relationship can be built between multicast-enabled interfaces that
belong to the same instance. Through exchanges of SA messages between MSDP
peers, the MSDP mechanism makes VPN multicast transmission between different
PIM-SM domains possible.
Task                                                          Remarks
“Configuring an MSDP Peer Connection” on page 1140
    “Configuring MSDP Peer Description” on page 1140          Optional
    “Configuring an MSDP Mesh Group” on page 1140             Optional
    “Configuring MSDP Peer Connection Control” on page 1141   Optional
“Configuring SA Messages” on page 1141
    “Configuring SA Message Content” on page 1142             Optional
    “Configuring SA Request Messages” on page 1142            Optional
    “Configuring an SA Message Filtering Rule” on page 1143   Optional
    “Configuring SA Message Cache” on page 1144               Optional
Configuring Basic Functions of MSDP
n All the configuration tasks shall be implemented on RPs in PIM-SM domains, and
each of these RPs acts as an MSDP peer.
Configuration Prerequisites
Before configuring the basic functions of MSDP, complete the following tasks:
■ Configure any unicast routing protocol so that all devices in the domain are
interoperable at the network layer.
■ Configure PIM-SM to enable intra-domain multicast forwarding.
Before configuring the basic functions of MSDP, prepare the following data:
Creating an MSDP Peer Connection
An MSDP peering relationship is identified by an address pair, namely the address
of the local MSDP peer and that of the remote MSDP peer. An MSDP peer
connection must be created on both devices that are a pair of MSDP peers.
n If an interface of the router is shared by an MSDP peer and a BGP peer at the same
time, we recommend that you configure the same IP address for the MSDP
peer and BGP peer.
Configuring a Static RPF Peer
Configuring static RPF peers avoids RPF check of SA messages.
Follow these steps to configure a static RPF peer:
n If only one MSDP peer is configured on a router, this MSDP peer will be registered
as a static RPF peer.
Configuring an MSDP Peer Connection
Configuration Prerequisites
Before configuring MSDP peer connection, complete the following tasks:
■ Configure any unicast routing protocol so that all devices in the domain are
interoperable at the network layer
■ Configure basic functions of MSDP
Configuring MSDP Peer Description
With the MSDP peer description information, the administrator can easily
distinguish different MSDP peers and thus better manage MSDP peers.
Configuring an MSDP Mesh Group
An AS may contain multiple MSDP peers. You can use the MSDP mesh group
mechanism to avoid SA message flooding among these MSDP peers and optimize
the multicast traffic.
On one hand, an MSDP peer in an MSDP mesh group forwards SA messages from
outside the mesh group that have passed the RPF check to the other members in
the mesh group; on the other hand, a mesh group member accepts SA messages
from inside the group without performing an RPF check, and does not forward the
message within the mesh group either. This mechanism not only avoids SA
flooding but also simplifies the RPF check mechanism, because BGP is not needed
to run between these MSDP peers.
By configuring the same mesh group name for multiple MSDP peers, you can
create a mesh group with these MSDP peers.
Note:
■ Before grouping multiple routers into an MSDP mesh group, make sure that
these routers are interconnected with one another.
■ If you configure more than one mesh group name on an MSDP peer, only the
last configuration is effective.
Configuring MSDP Peer Connection Control
MSDP peers are interconnected over TCP (port number 639). You can flexibly
control sessions between MSDP peers by manually deactivating and reactivating
the MSDP peering connections. When the connection between two MSDP peers is
deactivated, SA messages will no longer be delivered between them, and the TCP
connection is closed without any connection setup retry, but the configuration
information will remain unchanged.
When a new MSDP peer is created, or when a previously deactivated MSDP peer
connection is reactivated, or when a previously failed MSDP peer attempts to
resume operation, a TCP connection is required. You can flexibly adjust the interval
between MSDP peering connection retries.
Configuring SA Messages
Configuring SA Message Content
Some multicast sources send multicast data at an interval longer than the aging
time of (S, G) entries. In this case, the source-side DR has to encapsulate multicast
data packet by packet in register messages and send them to the source-side RP.
The source-side RP transmits the (S, G) information to the remote RP through SA
messages. Then the remote RP joins the source-side DR and builds an SPT. Since
the (S, G) entries have timed out, remote receivers can never receive the multicast
data from the multicast source.
Configuring SA Request Messages
By default, upon receiving a new Join message, a router does not send an SA
request message to its designated MSDP peer; instead, it waits for the next SA
message from its MSDP peer. This will cause the receiver to delay obtaining
multicast source information. To enable a new receiver to get the currently active
multicast source information as early as possible, you can configure routers to
CAUTION: Before you can enable the device to send SA requests, be sure to
disable the SA message cache mechanism.
Configuring an SA Message Filtering Rule
By configuring an SA message creation rule, you can enable the router to filter the
(S, G) entries to be advertised when creating an SA message, so that the
propagation of messages of multicast sources is controlled.
Configuring SA Message Cache
To reduce the time spent in obtaining the multicast source information, you can
have SA messages cached on the router. However, the more SA messages are
cached, the more router memory is used.
With the SA cache mechanism enabled, when receiving a new Join message, the
router will not send an SA request message to its MSDP peer; instead, it acts as
follows:
■ If there is no SA message in the cache, the router will wait for the SA message
sent by its MSDP peer in the next cycle;
■ If there is an SA message in the cache, the router will obtain the information of
all active sources directly from the SA message and join the corresponding SPT.
To protect the router against denial of service (DoS) attacks, you can configure the
maximum number of SA messages the router can cache.
Displaying and Maintaining MSDP

To do...                         Use the command...                                   Remarks
View the brief information       display msdp [ vpn-instance vpn-instance-name |      Available in any view
of MSDP peers                    all-instance ] brief [ state { connect | down |
                                 listen | shutdown | up } ]
View the detailed information    display msdp [ vpn-instance vpn-instance-name |      Available in any view
about the status of MSDP peers   all-instance ] peer-status [ peer-address ]
View the (S, G) entry            display msdp [ vpn-instance vpn-instance-name |      Available in any view
information in the MSDP cache    all-instance ] sa-cache [ group-address |
                                 source-address | as-number ] *
View the number of SA messages   display msdp [ vpn-instance vpn-instance-name |      Available in any view
in the MSDP cache                all-instance ] sa-count [ as-number ]

MSDP Configuration Examples
Network diagram
Figure 337 Network diagram for configuration leveraging a BGP route (on routers)
[Diagram not reproduced. Labels: PIM-SM 1, PIM-SM 2, Source 1, Receiver, MSDP peers]
Device    Interface  IP address        Device    Interface  IP address
Router C  Eth1/0     10.110.1.1/24     Router D  Eth1/0     10.110.4.1/24
          Eth1/1     10.110.2.1/24               S2/0       192.168.3.1/24
          POS5/0     192.168.1.1/24              POS5/0     192.168.1.2/24
          Loop0      1.1.1.1/32                  Loop0      2.2.2.2/32
Router F  Eth1/0     10.110.3.1/24
          S2/0       192.168.3.2/24
          Loop0      3.3.3.3/32
Configuration procedure
1 Configure the interface IP addresses and unicast routing protocol for each router
Configure the IP address and subnet mask for each interface as per Figure 337.
Detailed configuration steps are omitted.
<RouterC> system-view
[RouterC] multicast routing-enable
[RouterC] interface ethernet 1/0
[RouterC-Ethernet1/0] pim sm
[RouterC-Ethernet1/0] quit
[RouterC] interface ethernet 1/1
[RouterC-Ethernet1/1] pim sm
[RouterC-Ethernet1/1] quit
[RouterC] interface pos 5/0
[RouterC-Pos5/0] pim sm
4 Configure inter-AS BGP and configure mutual route redistribution between BGP
and OSPF
[RouterC] ospf 1
[RouterC-ospf-1] import-route bgp
[RouterC-ospf-1] quit
Carry out the display bgp peer command to view the BGP peering relationships
between the routers. For example:
To view the BGP routing table information on the routers, use the display bgp
routing-table command. For example:
[RouterC] msdp
[RouterC-msdp] peer 192.168.1.2 connect-interface pos 5/0
[RouterC-msdp] quit
[RouterD] msdp
[RouterD-msdp] peer 192.168.1.1 connect-interface pos 5/0
[RouterD-msdp] peer 192.168.3.2 connect-interface serial 2/0
[RouterD-msdp] quit
[RouterF] msdp
[RouterF-msdp] peer 192.168.3.1 connect-interface serial 2/0
[RouterF-msdp] quit
Network diagram
[Diagram not reproduced. Labels: Source 1, Source 2, Router A, Router B, Router C, Router D, Router E, Receiver 1, Receiver 2, PIM-SM, MSDP peers]
Device    Interface  IP address        Device    Interface  IP address
Source 1  -          10.110.5.100/24   Router C  POS5/0     192.168.1.2/24
Source 2  -          10.110.6.100/24             POS5/1     192.168.2.2/24
Router A  S2/0       10.110.2.2/24     Router D  Eth1/0     10.110.3.1/24
Router B  Eth1/0     10.110.1.1/24               S2/0       10.110.4.1/24
          S2/0       10.110.2.1/24               POS5/0     192.168.2.1/24
          POS5/0     192.168.1.1/24              Loop0      2.2.2.2/32
          Loop0      1.1.1.1/32                  Loop10     4.4.4.4/32
          Loop10     3.3.3.3/32                  Loop20     10.1.1.1/32
          Loop20     10.1.1.1/32       Router E  S2/0       10.110.4.2/24
Configuration procedure
1 Configure the interface IP addresses and unicast routing protocol for each router
Configure the IP address and subnet mask for each interface as per Figure 338.
Detailed configuration steps are omitted.
<RouterB> system-view
[RouterB] multicast routing-enable
[RouterB] interface ethernet 1/0
[RouterB-Ethernet1/0] igmp enable
[RouterB-Ethernet1/0] pim sm
[RouterB-Ethernet1/0] quit
[RouterB] interface serial 2/0
[RouterB-Serial2/0] pim sm
[RouterB-Serial2/0] quit
[RouterB] interface pos 5/0
[RouterB-Pos5/0] pim sm
[RouterB-Pos5/0] quit
3 Configure the position of interface Loopback 10, Loopback 20, C-BSR, and C-RP.
You can use the display msdp brief command to view the brief information of
MSDP peering relationships between the routers.
To view the PIM routing information on each router, use the display pim
routing-table command.
(*, 225.1.1.1)
RP: 10.1.1.1 (local)
Protocol: pim-sm, Flag: WC
UpTime: 00:15:04
Upstream interface: Register
Upstream neighbor: NULL
RPF prime neighbor: NULL
Downstream interface(s) information:
Total number of downstreams: 1
1: Ethernet1/0
Protocol: igmp, UpTime: 00:15:04, Expires: -
(10.110.5.100, 225.1.1.1)
RP: 10.1.1.1 (local)
Protocol: pim-sm, Flag: SPT 2MSDP ACT
UpTime: 00:46:28
Upstream interface: Serial2/0
Upstream neighbor: 10.110.2.2
RPF prime neighbor: 10.110.2.2
Downstream interface(s) information:
Total number of downstreams: 1
1: Ethernet1/0
Protocol: pim-sm, UpTime: - , Expires: -
Receiver 1 has left multicast group G, and Source 1 has stopped sending multicast
data to multicast group G. When Source 2 (10.110.6.100/24) sends multicast data
to G, Receiver 2 joins G. By comparing the PIM routing information displayed on
Router B with that displayed on Router D, you can see that Router D acts now as
the RP for Source 2 and Receiver 2.
(*, 225.1.1.1)
RP: 10.1.1.1 (local)
Protocol: pim-sm, Flag: WC
UpTime: 00:12:07
Upstream interface: Register
Upstream neighbor: NULL
RPF prime neighbor: NULL
Downstream interface(s) information:
Total number of downstreams: 1
1: Ethernet1/0
Protocol: igmp, UpTime: 00:12:07, Expires: -
(10.110.6.100, 225.1.1.1)
RP: 10.1.1.1 (local)
Protocol: pim-sm, Flag: SPT 2MSDP ACT
UpTime: 00:40:22
Upstream interface: Serial2/0
Upstream neighbor: 10.110.4.2
RPF prime neighbor: 10.110.4.2
Downstream interface(s) information:
Total number of downstreams: 1
1: Ethernet1/0
Protocol: pim-sm, UpTime: - , Expires: -
Network diagram
Figure 339 Network diagram for static RPF peer configuration (on routers)
[Diagram not reproduced. Labels: AS 100, AS 200, PIM-SM 1, PIM-SM 2, PIM-SM 3, Router A, Router B, Router D, Router E, Router F, Router G, Source 1, Source 2, Source 3, Receiver]
Configuration procedure
1 Configure the interface IP addresses and unicast routing protocol for each router
Configure the IP address and subnet mask for each interface as per Figure 339.
Detailed configuration steps are omitted.
Configure EBGP among Router C, Router D, Router C and Router F, and configure
mutual route redistribution between BGP and OSPF. Detailed configuration steps
are omitted.
<RouterC> system-view
[RouterC] multicast routing-enable
[RouterC] interface pos 5/0
[RouterC-Pos5/0] pim sm
[RouterC-Pos5/0] quit
[RouterC] interface serial 2/0
[RouterC-Serial2/0] pim sm
# Configure Router D and Router F as MSDP peers and static RPF peers of Router
C.
Carry out the display bgp peer command to view the BGP peering relationships
between the routers. If the command gives no output information, a BGP peering
relationship has not been established between the routers.
Troubleshooting MSDP
Analysis
■ A TCP connection-based MSDP peering relationship is established between the
local interface address and the MSDP peer after the configuration.
■ The TCP connection setup will fail if there is an inconsistency between the local
interface address and the MSDP peer address configured on the router.
■ If no route is available between the MSDP peers, the TCP connection setup will
also fail.
Solution
1 Check that a route is available between the routers. Carry out the display ip
routing-table command to check whether the unicast route between the routers
is correct.
2 Check that a unicast route is available between the two routers that will become
MSDP peers to each other.
3 Verify the interface address consistency between the MSDP peers. Use the display
current-configuration command to verify that the local interface address and
the MSDP peer address of the remote router are the same.
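The address-consistency check in step 3 can be automated. The following is an added example, not 3Com code: it parses `peer ... connect-interface ...` lines in the form shown in the Figure 337 configuration example and reports every peer statement that is not mirrored on the remote router. The interface addresses come from that example's device table; the second transcript, in which Router F uses Loopback 0, is constructed to show a mismatch.

```python
import re

# Interface addresses from the Figure 337 device table
# (keys are CLI interface names, lower-cased with spaces removed).
ADDRESSES = {
    "RouterC": {"pos5/0": "192.168.1.1", "loopback0": "1.1.1.1"},
    "RouterD": {"pos5/0": "192.168.1.2", "serial2/0": "192.168.3.1",
                "loopback0": "2.2.2.2"},
    "RouterF": {"serial2/0": "192.168.3.2", "loopback0": "3.3.3.3"},
}

# Peer statements as they appear in the configuration example.
PAGE_TRANSCRIPT = """\
[RouterC] msdp
[RouterC-msdp] peer 192.168.1.2 connect-interface pos 5/0
[RouterC-msdp] quit
[RouterD] msdp
[RouterD-msdp] peer 192.168.1.1 connect-interface pos 5/0
[RouterD-msdp] peer 192.168.3.2 connect-interface serial 2/0
[RouterD-msdp] quit
[RouterF] msdp
[RouterF-msdp] peer 192.168.3.1 connect-interface serial 2/0
[RouterF-msdp] quit
"""

# Constructed misconfiguration: Router F sources the session from Loopback 0,
# while Router D still expects the Serial 2/0 address.
BROKEN_TRANSCRIPT = PAGE_TRANSCRIPT.replace(
    "[RouterF-msdp] peer 192.168.3.1 connect-interface serial 2/0",
    "[RouterF-msdp] peer 192.168.3.1 connect-interface loopback 0",
)

PEER_RE = re.compile(
    r"^\[(?P<router>\w+)-msdp\]\s+peer\s+(?P<peer>\d+(?:\.\d+){3})"
    r"\s+connect-interface\s+(?P<iface>.+?)\s*$"
)


def normalize(iface):
    """'pos 5/0' -> 'pos5/0' so CLI text matches the address table keys."""
    return re.sub(r"\s+", "", iface).lower()


def parse_peers(transcript):
    """Return (router, peer_address, connect_interface) for each peer line."""
    peers = []
    for line in transcript.splitlines():
        m = PEER_RE.match(line.strip())
        if m:
            peers.append((m["router"], m["peer"], normalize(m["iface"])))
    return peers


def check_consistency(peers, addresses):
    """Report peer statements whose address pair is not mirrored remotely."""
    owner = {ip: router
             for router, ifaces in addresses.items()
             for ip in ifaces.values()}
    problems = []
    sessions = set()  # (router, local address, remote address)
    for router, peer, iface in peers:
        local = addresses.get(router, {}).get(iface)
        if local is None:
            problems.append(f"{router}: connect-interface {iface} has no known address")
            continue
        sessions.add((router, local, peer))
    for router, local, peer in sorted(sessions):
        remote = owner.get(peer)
        if remote is None:
            problems.append(f"{router}: peer {peer} is not an address of any known router")
        elif (remote, peer, local) not in sessions:
            problems.append(
                f"{router}: {local} -> {peer} has no matching peer statement on {remote}")
    return problems


if __name__ == "__main__":
    for name, text in (("page", PAGE_TRANSCRIPT), ("broken", BROKEN_TRANSCRIPT)):
        print(name, check_consistency(parse_peers(text), ADDRESSES) or "consistent")
```

Both ends of the broken session are reported, because neither router's peer address matches the address the other side uses as its source.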
Analysis
■ The import-source command is used to control sending (S, G) entries through
SA messages to MSDP peers. If this command is executed without the
acl-number argument, all the (S, G) entries will be filtered off, namely no (S, G)
entries of the local domain will be advertised.
■ If the import-source command is not executed, the system will advertise all
the (S, G) entries of the local domain. If MSDP fails to send (S, G) entries
through SA messages, check whether the import-source command has been
correctly configured.
Solution
1 Check that a route is available between the routers. Carry out the display ip
routing-table command to check whether the unicast route between the routers
is correct.
2 Check that a unicast route is available between the two routers that will become
MSDP peers to each other.
3 Check the configuration of the import-source command and its acl-number
argument and make sure that the ACL rule filters the appropriate (S, G) entries.
Analysis
■ In the Anycast RP application, RPs in the same PIM-SM domain are configured
to be MSDP peers to achieve load balancing among the RPs.
■ An MSDP peer address must be different from the anycast RP address, and the
C-BSR and C-RP must be configured on different devices or interfaces.
■ If the originating-rp command is executed, MSDP will replace the RP address
in the SA messages with the address of the interface specified in the command.
■ When an MSDP peer receives an SA message, it performs RPF check on the
message. If the MSDP peer finds that the remote RP address is the same as the
local RP address, it will discard the SA message.
Solution
1 Check that a route is available between the routers. Carry out the display ip
routing-table command to check whether the unicast route between the routers
is correct.
2 Check that a unicast route is available between the two routers that will become
MSDP peers to each other.
3 Check the configuration of the originating-rp command. In the Anycast RP
application environment, be sure to use the originating-rp command to
configure the RP address in the SA messages, which must be the local interface
address.
4 Verify that the C-BSR address is different from the anycast RP address.
Introduction to PIM-DM
PIM-DM is a type of dense mode multicast protocol. It uses the “push mode” for
multicast forwarding, and is suitable for small-sized networks with densely
distributed multicast members.
■ PIM-DM assumes that at least one multicast group member exists on each
subnet of a network, and therefore multicast data is flooded to all nodes on
the network. Then, branches without multicast forwarding are pruned from
the forwarding tree, leaving only those branches that contain receivers. This
“flood and prune” process takes place periodically: pruned branches
resume multicast forwarding when the pruned state times out, data is
re-flooded down these branches, and the branches are then pruned again.
■ When a new receiver on a previously pruned branch joins a multicast group, to
reduce the join latency, PIM-DM uses a graft mechanism to resume data
forwarding to that branch.
Neighbor discovery
In a PIM domain, a PIM router discovers PIM neighbors, maintains PIM neighboring
relationships with other routers, and builds and maintains SPTs by periodically
multicasting hello messages to all other PIM routers (224.0.0.13).
Note: Every activated interface on a router sends hello messages periodically, and thus
learns the PIM neighboring information pertinent to the interface.
SPT establishment
The process of building an SPT is the process of “flood and prune”.
1 In a PIM-DM domain, when a multicast source S sends multicast data to a
multicast group G, the multicast packet is first flooded throughout the domain:
The router first performs RPF check on the multicast packet. If the packet passes
the RPF check, the router creates an (S, G) entry and forwards the data to all
downstream nodes in the network. In the flooding process, an (S, G) entry is
created on all the routers in the PIM-DM domain.
2 Then, nodes without receivers downstream are pruned: A router having no
receivers downstream sends a prune message to the upstream node to tell the
upstream node to delete the corresponding interface from the outgoing interface
list in the (S, G) entry and stop forwarding subsequent packets addressed to that
multicast group down to this node.
A prune process is first initiated by a leaf router. As shown in Figure 340, a router
without any receiver attached to it (the router connected with Host A, for
example) sends a prune message, and this prune process goes on until only
necessary branches are left in the PIM-DM domain. These branches constitute the
SPT.
[Diagram not reproduced. Labels: Source, Server, Receiver, Host A, Host B, Host C. Legend: SPT, Prune message, Multicast packets]
The “flood and prune” process takes place periodically. A pruned state timeout
mechanism is provided. A pruned branch restarts multicast forwarding when the
pruned state times out and then is pruned again when it no longer has any
multicast receiver.
Graft
When a host attached to a pruned node joins a multicast group, to reduce the join
latency, PIM-DM uses a graft mechanism to resume data forwarding to that
branch. The process is as follows:
1 The node that needs to receive multicast data sends a graft message hop by hop
toward the source, as a request to join the SPT again.
2 Upon receiving this graft message, the upstream node puts the interface on which
the graft was received into the forwarding state and responds with a graft-ack
message to the graft sender.
3 If the node that sent a graft message does not receive a graft-ack message from its
upstream node, it will keep sending graft messages at a configurable interval until
it receives an acknowledgment from its upstream node.
Assert
If multiple multicast routers exist on a multi-access subnet, duplicate packets may
flow to the same subnet. To shut off duplicate flows, the assert mechanism is used
for election of a single multicast forwarder on a multi-access network.
[Diagram not reproduced. Labels: Router A, Router B, Router C, Ethernet, Receiver. Legend: Assert message, Multicast packets]
As shown in Figure 341, after Router A and Router B receive an (S, G) packet from
the upstream node, they both forward the packet to the local subnet. As a result,
the downstream node Router C receives two identical multicast packets, and both
Router A and Router B, on their own local interface, receive a duplicate packet
forwarded by the other. Upon detecting this condition, both routers send an assert
message to all PIM routers (224.0.0.13) through the interface on which the packet
was received. The assert message contains the following information: the
multicast source address (S), the multicast group address (G), and the preference
and metric of the unicast route to the source. By comparing these parameters,
either Router A or Router B becomes the unique forwarder of the subsequent (S,
G) packets on the multi-access subnet. The comparison process is as follows:
1 The router with a higher unicast route preference to the source wins;
2 If both routers have the same unicast route preference to the source, the router
with a smaller metric to the source wins;
3 If there is a tie in route metric to the source, the router with a higher IP address of
the local interface wins.
Introduction to PIM-SM
PIM-DM uses the “flood and prune” principle to build SPTs for multicast data
distribution. Although an SPT has the shortest path, it is built with a low efficiency.
Therefore the PIM-DM mode is not suitable for large- and medium-sized networks.
PIM-SM is a type of sparse mode multicast protocol. It uses the “pull mode” for
multicast forwarding, and is suitable for large- and medium-sized networks with
sparsely and widely distributed multicast group members.
■ PIM-SM assumes that no hosts need to receive multicast data. In the PIM-SM
mode, routers must specifically request a particular multicast stream before the
data is forwarded to them. The core task for PIM-SM to implement multicast
forwarding is to build and maintain rendezvous point trees (RPTs). An RPT is
rooted at a router in the PIM domain as the common node, or rendezvous
point (RP), through which the multicast data travels along the RPT and reaches
the receivers.
Note: Multicast traffic is duplicated only where the distribution tree branches, and this
process automatically repeats until the multicast traffic reaches the receivers.
Neighbor discovery
PIM-SM uses exactly the same neighbor discovery mechanism as PIM-DM does.
Refer to “Neighbor discovery” on page 1162.
DR election
PIM-SM also uses hello messages to elect a designated router (DR) for a
multi-access network. The elected DR will be the only multicast forwarder on this
multi-access network.
[Diagram not reproduced. Labels: Source, Receiver, Ethernet, DR, RP. Legend: Hello message, Register message, Join message]
1 Routers on the multi-access network send hello messages to one another. The
hello messages contain the router priority for DR election. The router with the
highest DR priority will become the DR.
2 In the case of a tie in the router priority, or if any router in the network does not
support carrying the DR-election priority in hello messages, the router with the
highest IP address will win the DR election.
When the DR fails, a timeout in receiving hello message triggers a new DR election
process among the other routers.
RP discovery
The RP is the core of a PIM-SM domain. For a small-sized, simple network, one RP
is enough for forwarding information throughout the network, and the position of
the RP can be statically specified on each router in the PIM-SM domain. In most
cases, however, a PIM-SM network covers a wide area and a huge amount of
multicast traffic needs to be forwarded through the RP. To lessen the RP burden
and optimize the topological structure of the RPT, each multicast group should
have its own RP. Therefore, a bootstrap mechanism is needed for dynamic RP
election. For this purpose, a bootstrap router (BSR) should be configured.
A PIM-SM domain (or an administratively scoped region) can have only one BSR,
but can have multiple candidate-BSRs (C-BSRs). Once the BSR fails, a new BSR is
automatically elected from the C-BSRs through the bootstrap mechanism to avoid
service interruption. Similarly, multiple C-RPs can be configured in a PIM-SM
Figure 343 shows the positions of C-RPs and the BSR in the network.
[Diagram not reproduced. Labels: PIM-SM, BSR, C-BSR, C-RP. Legend: BSR message, Advertisement message]
RPT building
[Diagram not reproduced. Labels: Source, Server, Receiver, RP, DR, Host A, Host B, Host C. Legend: RPT, Join message, Multicast packets]
1 When a receiver joins a multicast group G, it uses an IGMP message to inform the
directly connected DR.
2 Upon getting the receiver information, the DR sends a join message, which is hop
by hop forwarded to the RP corresponding to the multicast group.
3 The routers along the path from the DR to the RP form an RPT branch. Each router
on this branch generates a (*, G) entry in its forwarding table. The * means any
multicast source. The RP is the root, while the DRs are the leaves, of the RPT.
The multicast data addressed to the multicast group G flows through the RP,
reaches the corresponding DR along the established RPT, and finally is delivered to
the receiver.
[Diagram not reproduced. Labels: Source, Server, Receiver, DR, RP, Host A, Host B, Host C. Legend: SPT, Join message, Register message, Multicast packets]
As shown in Figure 345, the multicast source registers with the RP as follows:
1 When the multicast source S sends the first multicast packet to a multicast group
G, the DR directly connected with the multicast source, upon receiving the
multicast packet, encapsulates the packet in a PIM register message, and sends
the message to the corresponding RP by unicast.
2 When the RP receives the register message, it extracts the multicast packet from
the register message and forwards the multicast packet down the RPT, and it
sends an (S, G) join message hop by hop toward the multicast source. Thus, the
routers along the path from the RP to the multicast source constitute an SPT
branch. Each router on this branch generates an (S, G) entry in its forwarding
table. The multicast source is the root, while the RP is the leaf, of the SPT.
3 The subsequent multicast data from the multicast source travels along the
established SPT to the RP, and then the RP forwards the data along the RPT to the
receivers. When the multicast traffic arrives at the RP along the SPT, the RP sends a
register-stop message to the source-side DR by unicast to stop the source
registration process.
After the RPT-to-SPT switchover, multicast data can be directly sent from the
source to the receivers. PIM-SM builds SPTs through RPT-to-SPT switchover more
economically than PIM-DM does through the “flood and prune” mechanism.
Assert
PIM-SM uses exactly the same assert mechanism as PIM-DM does. Refer to
“Assert” on page 1163.
Relationship between BSR admin-scope regions and the global scope zone
A better understanding of the global scope zone and BSR admin-scope regions
should be based on two aspects: geographical space and group address range.
1 Geographical space
BSR admin-scope regions are logical regions specific to particular multicast groups,
and each BSR admin-scope region must be geographically independent of every
other one, as shown in Figure 346.
Figure 346 Relationship between BSR admin-scope regions and the global scope zone in
geographic space
[Diagram not reproduced. Labels: BSR 1, BSR 3, Global, C-RP, BSR]
BSR admin-scope regions are geographically separated from one another. Namely,
a router must not serve different BSR admin-scope regions. In other words,
different BSR admin-scope regions contain different routers, whereas the global
scope zone covers all routers in the PIM-SM domain.
Each BSR admin-scope region serves specific multicast groups. Usually, these
addresses have no intersections; however, they may overlap one another.
Figure 347 Relationship between BSR admin-scope regions and the global scope zone in
group address ranges
[Diagram not reproduced. Labels: BSR 1, BSR 2, BSR 3, Global, G1 address, G3 address]
In Figure 347, the group address ranges of BSR admin-scope regions BSR1 and
BSR2 have no intersection, whereas the group address range of BSR3 is a subset of
the address range of BSR1. The group address range of the global scope zone
covers all the group addresses other than those of all the BSR admin-scope
regions. That is, the group address range of the global scope zone is G-G1-G2. In
other words, there is a supplementary relationship between the global scope zone
and all the BSR admin-scope regions in terms of group address ranges.
Relationships between BSR admin-scope regions and the global scope zone are as
follows:
■ The global scope zone and each BSR admin-scope region have their own C-RPs
and BSR. These devices are effective only in their respective admin-scope
regions. Namely, the BSR election and RP election are implemented
independently within each admin-scope region.
■ Each BSR admin-scope region has its own boundary. The multicast information
(such as C-RP-Adv messages and BSR bootstrap messages) can be transmitted
only within the domain.
■ Likewise, the multicast information in the global scope zone cannot enter any
BSR admin-scope region.
■ In terms of multicast information propagation, BSR admin-scope regions are
independent of one another and each BSR admin-scope region is independent
of the global scope zone, and no overlapping is allowed between any two BSR
admin-scope regions.
SSM Model Implementation in PIM
The source-specific multicast (SSM) model and the any-source multicast (ASM)
model are two opposite models. Presently, the ASM model includes the PIM-DM
and PIM-SM modes. The SSM model can be implemented by leveraging part of
the PIM-SM technique.
The SSM model provides a solution for source-specific multicast. It maintains the
relationships between hosts and routers through IGMPv3.
Compared with the ASM model, the SSM model only needs the support of
IGMPv3 and some subsets of PIM-SM. The operation mechanism of PIM-SSM can
be summarized as follows:
■ Neighbor discovery
■ DR election
■ SPT building
Neighbor discovery
PIM-SSM uses the same neighbor discovery mechanism as in PIM-DM and
PIM-SM. Refer to “Neighbor discovery” on page 1162.
DR election
PIM-SSM uses the same DR election mechanism as in PIM-SM. Refer to “DR
election” on page 1165.
Construction of SPT
Whether to build an RPT for PIM-SM or an SPT for PIM-SSM depends on whether
the multicast group the receiver is to join falls in the SSM group address range
(SSM group address range reserved by IANA is 232.0.0.0/8).
[Diagram not reproduced. Labels: Source, Server, Receiver, RP, DR, Host A, Host B, Host C. Legend: SPT, Subscribe message, Multicast packets]
As shown in Figure 348, Host B and Host C are multicast information receivers.
They send IGMPv3 report messages denoted as (Include S, G) to the respective DRs
to express their interest in the information of the specific multicast source S. If they
need information from other sources than S, they send an (Exclude S, G) report.
No matter what the description is, the position of multicast source S is explicitly
specified for receivers.
The DR that has received the report first checks whether the group address in this
message falls in the SSM group address range:
■ If so, the DR sends a subscribe message for channel subscription hop by hop
toward the multicast source S. An (Include S, G) or (Exclude S, G) entry is
created on all routers on the path from the DR to the source. Thus, an SPT is
built in the network, with the source S as its root and receivers as its leaves.
This SPT is the transmission channel in PIM-SSM.
■ If not, the PIM-SM process is followed: the DR needs to send a (*, G) join
message to the RP, and a multicast source registration process is needed.
Note: In PIM-SSM, the “channel” concept is used to refer to a multicast group, and the
“channel subscription” concept is used to refer to a join message.
Multi-Instance PIM
A multicast router running multiple instances maintains an independent set of PIM
neighbor table, multicast routing table, BSR information and RP-set information
for each instance. To the outside, the router appears to be a group of multicast
routers, each running PIM independently from the others.
Upon receiving a multicast protocol packet, the multicast router determines the
VPN instance this protocol packet belongs to and passes the packet to PIM
Configuring PIM-DM
Enabling PIM-DM
With PIM-DM enabled, a router sends hello messages periodically to discover PIM
neighbors and processes messages from PIM neighbors. When deploying a
CAUTION:
■ All the interfaces in the same VPN instance on the same device must work in
the same PIM mode.
■ PIM-DM cannot be used for multicast groups in the SSM group range.
Enabling State Refresh
An interface without the state refresh capability cannot forward state refresh
messages.
A router may receive multiple state refresh messages within a short time, of which
some may be duplicated messages. To keep a router from receiving such
duplicated messages, you can configure the time the router must wait before
receiving the next state refresh message. If a new state refresh message is received
within the waiting time, the router will discard it; if this timer times out, the router
will accept a new state refresh message, refresh its own PIM state, and reset the
waiting timer.
Configuring PIM-DM Graft Retry Period
In PIM-DM, graft is the only type of message that uses the acknowledgment
mechanism. In a PIM-DM domain, if a router does not receive a graft-ack message
from the upstream router within the specified time after it sends a graft message,
the router keeps sending new graft messages at a configurable interval, namely
graft retry period, until it receives a graft-ack from the upstream router.
Configuring PIM-SM
Enabling PIM-SM
With PIM-SM enabled, a router sends hello messages periodically to discover PIM
neighbors and processes messages from PIM neighbors. When deploying a
PIM-SM domain, we recommend that you enable PIM-SM on all interfaces of
non-border routers (border routers are PIM-enabled routers located on the
boundary of BSR admin-scope regions).
CAUTION: All the interfaces in the same VPN instance on the same router must
work in the same PIM mode.
Configuring a BSR
About the Hash mask length and C-BSR priority for RP selection calculation
■ You can configure these parameters at three levels: global configuration level,
global scope level, and BSR admin-scope level.
■ By default, the global scope parameters and BSR admin-scope parameters are
those configured at the global configuration level.
■ Parameters configured at the global scope level or BSR admin-scope level have
higher priority than those configured at the global configuration level.
■ Initially, every C-BSR assumes itself to be the BSR of this PIM-SM domain, and
uses its interface IP address as the BSR address to send bootstrap messages.
■ When a C-BSR receives the bootstrap message of another C-BSR, it first
compares its own priority with the other C-BSR’s priority carried in the
message. The C-BSR with a higher priority wins. If there is a tie in the priority,
the C-BSR with a higher IP address wins. The loser uses the winner’s BSR
address to replace its own BSR address and no longer assumes itself to be the
BSR, while the winner keeps its own BSR address and continues assuming itself
to be the BSR.
maliciously replaced, preventive measures are taken specific to the following two
situations:
1 Some malicious hosts intend to fool routers by forging BSR messages to change
the RP mapping relationship. Such attacks often occur on border routers. Because
a BSR is inside the network whereas hosts are outside the network, you can
protect a BSR against attacks from external hosts by enabling border routers to
perform neighbor check and RPF check on BSR messages and discard unwanted
messages.
2 When a router in the network is controlled by an attacker or when an illegal router
is present in the network, the attacker can configure such a router to be a C-BSR
and make it win BSR election so as to gain the right of advertising RP information
in the network. After being configured as a C-BSR, a router automatically floods
the network with BSR messages. As a BSR message has a TTL value of 1, the whole
network will not be affected as long as the neighbor router discards these BSR
messages. Therefore, if a legal BSR address range is configured on all routers in the
entire network, all routers will discard BSR messages from outside the legal address
range, and this kind of attack can be prevented.
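The election rule and the legal BSR address range check described above can be modeled in a few lines. This is an added example, not code from 3Com or from the device: the class and function names, the addresses, and the priority values are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Bootstrap:
    """Constructed stand-in for the election fields of a bootstrap message."""
    bsr_address: str
    priority: int

def preferred(a, b):
    """Election rule: higher priority wins; on a tie, the higher IP address wins."""
    def key(m):
        return (m.priority, int(ipaddress.ip_address(m.bsr_address)))
    return a if key(a) >= key(b) else b

class CandidateBsr:
    def __init__(self, own, legal_ranges=None):
        self.elected = own  # initially every C-BSR assumes it is the BSR
        # None models a router with no legal BSR address range configured
        self.legal = (None if legal_ranges is None
                      else [ipaddress.ip_network(r) for r in legal_ranges])
        self.discarded = []

    def receive(self, msg):
        """Process one bootstrap message; return False if it was discarded."""
        src = ipaddress.ip_address(msg.bsr_address)
        if self.legal is not None and not any(src in n for n in self.legal):
            self.discarded.append(msg)  # outside the legal range: no election
            return False
        self.elected = preferred(self.elected, msg)
        return True

# Constructed sample: two legitimate C-BSRs and one rogue C-BSR that
# advertises a higher priority from an address outside the legal range.
SAMPLE = [
    Bootstrap("10.1.1.2", 100),
    Bootstrap("10.1.1.3", 50),
    Bootstrap("192.0.2.66", 255),
]

def run(legal_ranges):
    router = CandidateBsr(Bootstrap("10.1.1.1", 100), legal_ranges)
    for msg in SAMPLE:
        router.receive(msg)
    return router

if __name__ == "__main__":
    for ranges in (None, ["10.1.1.0/24"]):
        r = run(ranges)
        print(ranges, "->", r.elected.bsr_address,
              "discarded:", [m.bsr_address for m in r.discarded])
```

Without a legal range the rogue C-BSR wins on priority alone; with the range configured its message is dropped before the priority comparison is ever made.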
In a network divided into BSR admin-scope regions, BSRs are elected from
multiple C-BSRs to serve different multicast groups. The C-RPs in a BSR
admin-scope region send C-RP-Adv messages to only the corresponding BSR. The
BSR summarizes the advertisement messages into an RP-set and advertises it to all
the routers in the BSR admin-scope region. All the routers use the same algorithm
to get the RP addresses corresponding to specific multicast groups.
CAUTION: In configuration, make sure that the bootstrap interval is smaller than
the bootstrap timeout time.
Configuring a static RP
If there is only one dynamic RP in a network, manually configuring a static RP can
avoid communication interruption due to single-point failures and avoid frequent
message exchange between C-RPs and the BSR. To enable a static RP to work
normally, you must perform this configuration on all the devices in the PIM-SM
domain and specify the same RP address.
To do... Use