
S86E Implementation Cookbook V1.1

2017-02-01
11.x Project Configuration Guide Template

Configuration Guide

2.1       Initialization

2.1.1      Overview (Must Read)

For standardization, we strongly recommend initializing every new switch by following the steps below:

1. Hostname (mandatory)

2. Access a device (mandatory, see Chapter Installation and Device Management ---> System Management)

2.1. Assign management IP address (mandatory)

2.2. Set default gateway (optional for a layer 3 switch, but mandatory for a layer 2 switch)

2.3. Telnet (optional; Telnet sends credentials in clear text, so prefer SSH)

2.4. SSH (recommended)

2.5. Web user interface (optional)

3. Log (mandatory, choose at least one)

3.1. Record log to FLASH (recommended)

3.2. Send log to server (recommended)

4. Clock (mandatory, choose one)

4.1. Local clock (recommended)

4.2. NTP (recommended)

5. Configuring a port (mandatory)

5.1. Port description (mandatory)

5.2. Speed, duplex and flow control (optional)

5.3. Combo port (optional)

5.4. ACCESS or TRUNK port (mandatory)

5.5. Storm control (recommended)

6. SNMP (recommended)

6.1. SNMPv1/v2 (recommended)

6.2. SNMPv3 (recommended)

7. SPAN (optional)

7.1. Many-to-one mirror (optional)

7.2. One-to-many mirror (optional)

7.3. Flow-based mirror (optional)

2.1.2      Hostname

Configuring Hostname

By default, the system name is "Ruijie". The following example shows how to change it:

Ruijie>en

Ruijie#configure terminal

Ruijie(config)#hostname Switch           ------>change name to "Switch"

Switch(config)#end

Switch#write                                        ------>save configuration

Note: We suggest naming each switch from its physical location (AA), network location (BB), model (CC) and serial number (DD), in the format AA_BB_CC_DD, for example:

Ruijie(config)#hostname WLZX_Core_S8610_1

WLZX_Core_S8610_1(config)#

 

Verifying

Switch#show run

Building configuration...

Current configuration : 34129 bytes

 

version NOS_11.0_4_21

hostname Switch

 

 

2.2       Log

2.2.1      Copying log to FLASH

I. Requirements

1. Write logs of severity 0 to 6 (everything except debugging) to flash, and set the size of each log file to 128 KB.

2. Set the log buffer size to 128 KB.

3. Record user logins and the commands users execute.

4. Add the system name, a sequence number and a timestamp to each log entry.

 

II. Network Topology

 

III. Configuration Tips

The system does not write buffered logs to flash immediately after configuration: logs are flushed from the buffer to flash roughly every half hour, or earlier when the buffer fills up.

 

IV. Configuration Steps

Ruijie>enable

Ruijie#configure terminal

Ruijie(config)#logging file flash:syslog 6            ------>log file name is "syslog"; logs of severity 0 to 6 (everything except debugging) are written to flash

Ruijie(config)#logging file flash:syslog 131072 ------>set the size of each log file in flash to 128 KB

Ruijie(config)#logging buffered 131072            ------>set the log buffer size to 128 KB

Ruijie(config)#logging userinfo                          ------>record user logins

Ruijie(config)#logging userinfo command-log   ------>record the commands users execute

Ruijie(config)#service sysname                          ------>add the system name to each log entry

Ruijie(config)#service sequence-numbers          ------>add a sequence number to each log entry

Ruijie(config)#service timestamps                     ------>add a timestamp to each log entry

Ruijie(config)#end

Ruijie#wr

Note: We suggest setting the log buffer size to 128 KB because the default buffer is small.

When the 1st log file is full, the system starts a 2nd file, then a 3rd, and so on, up to 16 files at a time. When all 16 are full, the oldest entries are overwritten, so the log files never consume the whole flash. Because of this rotation, and because anyone with privileged EXEC access can delete the files, flash logging is a local convenience: keep a copy on a syslog server (next section) if the logs may be needed for an investigation.

Use the "more flash:xxx" privileged EXEC command to display a log file and the "delete flash:xxx" privileged EXEC command to delete it.

 

V. Verification

1. Enter "show logging" in privileged EXEC mode to display the logs in the buffer.

2. Enter "dir" in privileged EXEC mode to list the log files in flash.

3. Enter "more flash:<log file name>" in privileged EXEC mode to display the logs in flash (use "dir" to see the file names).

4. Enter "clear logging" in privileged EXEC mode to clear the logs in the buffer.

 

 

2.2.2      Copying log to Server

I. Requirements

Send logs of severity 0 to 7 (all logs) to the syslog server.

 

II. Network Topology

 

III. Configuration Tips

Enable the timestamp and sequence-number services before the system sends logs to the log server. Syslog is sent unauthenticated over UDP, so keep the server on the management network and restrict which hosts can reach it.

 

IV. Configuration Steps

Ruijie>enable

Ruijie#configure terminal

Ruijie(config)#service sequence-numbers          ------>enable sequence number

Ruijie(config)#service timestamps                     ------>enable timestamps

Ruijie(config)#interface vlan 1

Ruijie(config-if-VLAN 1)#ip address 192.168.1.1 255.255.255.0

Ruijie(config-if-VLAN 1)#exit

Ruijie(config)#logging server 192.168.1.2          ------>specify log server IP address

Ruijie(config)#logging source ip 192.168.1.1     ------>specify IP address on switch to communicate with log server

Ruijie(config)#logging trap 7        ------>copy all logs(severity from  0 to 7) to log server

Ruijie(config)#end

Ruijie#wr

 

V. Verification

This example shows the logs received on a syslog server ("Kiwisyslog").

 

2.2.3      Log Filtering

Scenario

By default, log information generated by the system is output to all destinations. Use the log filtering function to show only the log information you need.

Features

1. The administrator can hide certain types of log information as required.

2. Normally the logs of all modules are printed on the console or terminal. Filter rules let you print log information only on designated terminals, or print only certain types of log information on them.

3. Two filter types are supported, "contains-only" and "filter-only", and only one can be active at a time.

Working Principles & Configuration Details

Log filtering configuration mainly covers the filter rules, filter direction, and filter mode. During the configuration process:

1. If only the filter direction and filter type are configured, nothing takes effect and no log is filtered.

2. If only a filter rule is configured, it takes effect immediately: logs are filtered in all directions in filter-only mode.

1) Filter rule: sets the rule for filtering log information in global configuration mode. Exact match and single match are supported.

Filter rule in exact match mode: logging filter rule exact-match [ module module-name mnemonic mnemonic-name level level ]

Filter rule in singular match mode: logging filter rule single-match [ level level | mnemonic mnemonic-name | module module-name ]

Parameter description

exact-match      Indicates an exact-match filter based on all three filter options. In exact match mode, all three filter options, including log module name (module module-name), log level (level level), and mnemonic character (mnemonic mnemonic-name), must be selected.

single-match      Indicates a single-match filter based on any one of the three filter options. In single match mode exactly one option is specified: the log module name (module module-name), the log level (level level), or the mnemonic (mnemonic mnemonic-name).

module module-name        Indicates the name of the module about which the log information is to be filtered.

mnemonic mnemonic-name       Indicates the name of the mnemonic character for which the log information is to be filtered.

level level  Indicates the log level to be filtered.

 

Tips

1.      To filter out one specific log, use exact match and specify the module name, mnemonic and log level together in the filter rule.

2.      To filter out a whole class of logs (for example everything from one module, or every log of one level), use single match and specify only the module name, the mnemonic, or the log level.

3.      If the module name, mnemonic or log level in a single-match rule is the same as in an exact-match rule, the single-match rule takes priority over the exact-match rule.

Configuration example

1. Set the filter rule to exact match, module name to LOGIN, log level to 5, and mnemonic character to LOGOUT.

Ruijie(config)# logging filter rule exact-match module LOGIN mnemonic LOGOUT level 5

2. Set the filter rule to single-match and module name to SYS.

Ruijie(config)# logging filter rule single-match module SYS

 

FAQs

1. To filter logs such as 046188: *Aug 13 08:36:16: 401-C1&D1-RG-N18010 %SPANTREE-6-RCVDTCBPDU: (*2/M1) Received tc bpdu on port AggregatePort 256 on MST0

Command: Ruijie(config)#logging filter rule exact-match module SPANTREE mnemonic RCVDTCBPDU level 6

2. To filter logs such as *Jul 30 12:35:51: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 185.94.111.1

Command: Ruijie(config)#logging filter rule exact-match module SNMP mnemonic AUTHFAIL level 3

Note that this log reports a failed SNMP authentication from a remote host, which is a security signal. If you suppress it, limit the filter direction to terminal so that the log server still receives it.

3. To filter logs such as %PARAM-6-CONFIG_SYNC: Sync'ing the startup configuration to the standby supervisor

Command: Ruijie(config)#logging filter rule exact-match module PARAM mnemonic CONFIG_SYNC level 6

 

2) Filter direction: sets the direction for filtering log information in global mode.

logging filter direction { all | buffer | file | server | terminal }  //By default, the filter direction is set to all, that is, to filter log information in all directions.

default logging filter direction                      // The filter direction for the log information restoration command is all.

 

Parameter description

         all          Indicates to filter log information in all directions, including the console, virtual type terminal (VTY), log buffer area, log file, and log server.

         buffer        Indicates to filter logs sent to the log buffer, that is, the logs displayed by the show logging command.

         file    Indicates to filter the logs sent to the log files.

         server       Indicates to filter the logs sent to the log server.

         terminal     Indicates to filter logs sent to the console and VTY (including via Telnet and SSH).

Tips

1. Normally, once log filtering is configured, logs matching the filter rule are filtered in all directions (console, VTY terminal, log buffer, log file and log server). In some cases you may want to filter logs only for certain destinations, for example to keep a noisy log off the terminal while it is still written to the log file and sent to the log server. In these cases, set the filter direction to terminal only.

2. You can restrict filtering to a single destination, or apply it to several by entering the command once for each direction (as in Example 1 below).

 

3) Filter type: sets the log information filter type.  The configuration takes effect globally.

logging filter type { contains-only | filter-only }  //The default value is filter-only, indicating that only filter is used.

 

Parameter description

         contains-only     Indicates that only logs containing keywords specified in the filter rule are output.

         filter-only  Indicates that logs containing keywords specified in the filter rule are filtered out and not output.

 

Tips 

1. A module may generate so much log output that it floods the terminal and buries the useful information. In this case, use filter-only mode to suppress the unwanted logs.

2. You may want to observe only whether a certain type of log is generated. In this case, use contains-only mode so that only the logs matching the filter rule are output to the terminal.

3. The two filter types are mutually exclusive; choose one.

 

Configuration example

[Example 1]

[Requirement]

Assume the following log filtering requirements on the live network:

1. Set the filter direction to terminal and server.

2. Set the filter type to filter-only.

3. Set the filter rule to single-match with module name SYS.

[Configuration method]

Configure log information filter on the system.

Ruijie# configure terminal

Ruijie(config)# logging filter direction server

Ruijie(config)# logging filter direction terminal

Ruijie(config)# logging filter type filter-only

Ruijie(config)# logging filter rule single-match module SYS

 

[Verification method]

1. Run the show running-config | include logging command to check the parameter configuration.

2. Enter and leave global configuration mode; the SYS module log that this normally produces should no longer be printed on the terminal or sent to the server, while it is still written to the buffer and the log file.

Ruijie#configure

Enter configuration commands, one per line. End with CNTL/Z.

Ruijie(config)#exit
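The filter semantics above (exact-match and single-match rules, filter direction, and filter-only versus contains-only) and the severity thresholds used by "logging file flash:syslog 6" and "logging trap 7" can be modelled off the switch, which is useful for checking what a rule will suppress before applying it to a production device. The following Python script is an added example written for this page, not Ruijie code: it parses log lines in the format shown in the FAQs above and applies the documented rules. The sample lines are constructed from those FAQs, and the class and function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Set

# Constructed sample lines in the format this page shows. Sequence number,
# timestamp and system name are optional (they depend on the "service" commands).
SAMPLE_LOGS = [
    "046188: *Aug 13 08:36:16: 401-C1&D1-RG-N18010 %SPANTREE-6-RCVDTCBPDU: (*2/M1) Received tc bpdu on port AggregatePort 256 on MST0",
    "*Jul 30 12:35:51: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 185.94.111.1",
    "%PARAM-6-CONFIG_SYNC: Sync'ing the startup configuration to the standby supervisor",
]

LOG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"                                            # service sequence-numbers
    r"(?:\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}):\s+)?"   # service timestamps
    r"(?:(?P<host>[^\s%]+)\s+)?"                                         # service sysname
    r"%(?P<module>[A-Z0-9_]+)-(?P<level>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<msg>.*)$"
)


@dataclass(frozen=True)
class LogEntry:
    seq: Optional[int]
    timestamp: Optional[str]
    sysname: Optional[str]
    module: str
    level: int            # 0 = emergencies ... 7 = debugging
    mnemonic: str
    message: str


def parse_log(line: str) -> LogEntry:
    """Split one Ruijie-style log line into its fields."""
    m = LOG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a recognised log line: {line!r}")
    return LogEntry(seq=int(m["seq"]) if m["seq"] else None, timestamp=m["ts"],
                    sysname=m["host"], module=m["module"], level=int(m["level"]),
                    mnemonic=m["mnemonic"], message=m["msg"])


def passes_severity(entry: LogEntry, max_level: int) -> bool:
    """'logging file flash:syslog 6' / 'logging trap 7' semantics: a destination
    receives severities 0..max_level, so a threshold of 6 drops only debugging (7)."""
    return entry.level <= max_level


@dataclass(frozen=True)
class FilterRule:
    """One 'logging filter rule'. Fields left as None are wildcards."""
    module: Optional[str] = None
    mnemonic: Optional[str] = None
    level: Optional[int] = None

    def matches(self, e: LogEntry) -> bool:
        return ((self.module is None or self.module == e.module)
                and (self.mnemonic is None or self.mnemonic == e.mnemonic)
                and (self.level is None or self.level == e.level))


def exact_match(module: str, mnemonic: str, level: int) -> FilterRule:
    """logging filter rule exact-match module X mnemonic Y level Z (all three required)."""
    return FilterRule(module.upper(), mnemonic.upper(), level)


def single_match(module: Optional[str] = None, mnemonic: Optional[str] = None,
                 level: Optional[int] = None) -> FilterRule:
    """logging filter rule single-match { module X | mnemonic Y | level Z } (exactly one)."""
    if sum(v is not None for v in (module, mnemonic, level)) != 1:
        raise ValueError("single-match takes exactly one of module, mnemonic or level")
    return FilterRule(module.upper() if module else None,
                      mnemonic.upper() if mnemonic else None, level)


DESTINATIONS = {"terminal", "buffer", "file", "server"}


class LogFilter:
    """Models 'logging filter direction' and 'logging filter type' as documented above."""

    def __init__(self, rules: Sequence[FilterRule] = (),
                 directions: Sequence[str] = ("all",), ftype: str = "filter-only"):
        if ftype not in ("filter-only", "contains-only"):
            raise ValueError("type must be filter-only or contains-only")
        bad = set(directions) - DESTINATIONS - {"all"}
        if bad:
            raise ValueError(f"unknown direction(s): {sorted(bad)}")
        self.rules: List[FilterRule] = list(rules)
        self.directions: Set[str] = set(directions)
        self.ftype = ftype

    def emits(self, entry: LogEntry, destination: str) -> bool:
        """True if the log is still delivered to this destination after filtering."""
        if destination not in DESTINATIONS:
            raise ValueError(f"unknown destination {destination!r}")
        if not self.rules:                 # direction/type without a rule have no effect
            return True
        if "all" not in self.directions and destination not in self.directions:
            return True                    # this direction is not filtered at all
        hit = any(r.matches(entry) for r in self.rules)
        return hit if self.ftype == "contains-only" else not hit


def filter_lines(lines: Sequence[str], flt: LogFilter, destination: str) -> List[str]:
    """Apply a filter to raw lines and return those the destination would still show."""
    return [ln for ln in lines if flt.emits(parse_log(ln), destination)]
```

For instance, `LogFilter([exact_match("SPANTREE", "RCVDTCBPDU", 6)], ("terminal", "server"))` hides the first sample line from the terminal and the server while it is still written to the buffer and the log file, which is the behaviour Example 1 relies on.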


2.3       Clock

2.3.1      Local Clock

I. Requirements

System time is essential for troubleshooting and for correlating logs. We suggest a manually set local clock only for a small network with few nodes and light maintenance: a local clock drifts and is never corrected, so prefer NTP wherever a time source is reachable.

 

II. Configuration Steps

Ruijie>enable 

Ruijie#configure terminal                       ------>enter global configuration mode

Ruijie(config)#clock timezone beijing 8  ------>set timezone to UTC +8

Ruijie(config)#exit

Ruijie#clock set 18:00:00 12 3 2013     ------>set the clock in the format "hh:mm:ss month day year"

Ruijie#write                                           ------>save configuration

 

III. Verification

Ruijie#show clock                                                  

18:01:03 beijing Tue, Dec 3, 2013

2.3.2      NTP

Overview

 

Network Time Protocol (NTP) is designed for time synchronization between network devices: a device synchronizes its clock with a time server. NTP provides precise time correction (within one millisecond on a LAN and tens of milliseconds on a WAN, relative to standard time) and can guard against tampering by means of message authentication.

To provide precise time, NTP needs a precise time source, Coordinated Universal Time (UTC). A server may obtain UTC from an atomic clock, an observatory, a satellite (GPS) receiver or the Internet, so an accurate and reliable time source is available.

To protect against a spoofed or malicious time server, NTP uses an authentication mechanism to check that a time-correction reply really comes from the declared server and to check the return path. This provides protection against interference. Note that NTP authentication proves the origin and integrity of a packet; it does not encrypt the time data.

Ruijie switches support both NTP client and NTP server mode: the switch can synchronize its time from a server and can also act as a time server for other switches. When the switch acts as a time server, it supports unicast server mode only.

 

I. Requirements

Switch synchronizes system clock to NTP Server in order to keep system clock more accurate.

 

II. Network Topology

 

III. Configuration Tips

1. Basic network routes setting

2. (Optional)Configuring a switch as NTP Server

3. Configuring a switch as NTP client

4. (Optional) Specifying an interface on the switch to communicate with the NTP server

 

IV. Configuration Steps

NTP configuration without authentication

1. Basic network routes setting

Ensure that NTP client can communicate with the NTP server

 

2. (Optional) Configuring a switch as NTP Server

Note

In a production network the NTP server is usually a dedicated server rather than a switch. This example shows how to configure a switch as an NTP server; the switch then serves its own local clock to clients, so set that clock correctly first:

Ruijie(config)#ntp master   

 

3. Configuring a switch as NTP client

Ruijie(config)#ntp server 192.168.2.1   ------>set the NTP server IP address

Ruijie(config)#ntp update-calendar     ------>write the synchronized time to the hardware clock so that it survives a power interruption

 

4. (Optional) Specifying an interface on the switch to communicate with the NTP server

Ruijie(config)#ntp server 192.168.2.1 source loopback 0   ------>use the address of interface loopback 0 as the source when talking to the NTP server (the server must be able to reach that address)

 

NTP configuration with authentication

1. Basic network routes setting

Ensure that NTP client can communicate with the NTP server

 

2. (Optional) Configuring a switch as NTP Server

Note

In a production network the NTP server is usually a dedicated server rather than a switch. This example shows how to configure a switch as an NTP server and how to enable NTP authentication on it:

 

Ruijie(config)#ntp master   

Ruijie(config)#ntp authenticate    ------>enable NTP authentication

Ruijie(config)#ntp authentication-key 6 md5 ruijie     ------>key ID 6, MD5, key string "ruijie"; this is the shared secret and must be identical on client and server ("ruijie" is only an example, use a long random string in production)

Ruijie(config)#ntp trusted-key 6    ------>accept only packets authenticated with key 6

 

3. Configuring a switch as NTP client

Ruijie(config)#ntp update-calendar      ------>write the synchronized time to the hardware clock so that it survives a power interruption

Ruijie(config)#ntp authenticate    ------>enable NTP authentication

Ruijie(config)#ntp authentication-key 6 md5 ruijie     ------>key ID 6, MD5, key string "ruijie" (must match the server)

Ruijie(config)#ntp trusted-key 6  ------>trust key 6; replies that do not carry a valid MAC under a trusted key are discarded

Ruijie(config)#ntp server 192.168.2.1 key 6    ------>authenticate exchanges with NTP server 192.168.2.1 using key 6

 

4. (Optional) Specifying an interface on the switch to communicate with the NTP server

Ruijie(config)#ntp server 192.168.2.1 source loopback 0       ------>use the address of interface loopback 0 as the source when talking to the NTP server
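What the authentication commands above put on the wire is the symmetric-key MAC defined in RFC 5905: the last 20 bytes of an authenticated NTP packet are the key ID followed by the MD5 digest of the key bytes concatenated with the 48-byte header. The Python below is an added example, not Ruijie code: it builds a client request, signs it with key ID 6, and verifies it the way a receiver configured with "ntp authenticate" and "ntp trusted-key 6" would. It assumes the switch treats the string given to "ntp authentication-key <id> md5" as raw ASCII key bytes, as ntpd does for MD5 keys; the function names are the example's own.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

NTP_HEADER_LEN = 48              # RFC 5905 packet header
NTP_UNIX_OFFSET = 2208988800     # seconds from 1900-01-01 (NTP era 0) to 1970-01-01


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 and a 32-bit fraction."""
    secs = int(unix_time) + NTP_UNIX_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return struct.pack("!II", secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def build_client_header(unix_time: float) -> bytes:
    """Minimal NTPv4 client request (mode 3) with only the transmit timestamp set."""
    hdr = bytearray(NTP_HEADER_LEN)
    hdr[0] = (0 << 6) | (4 << 3) | 3          # LI=0, VN=4, Mode=3 (client)
    hdr[40:48] = ntp_timestamp(unix_time)     # transmit timestamp
    return bytes(hdr)


def packet_mode(header: bytes) -> int:
    return header[0] & 0x07


def ntp_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """RFC 5905 symmetric-key MAC: keyid (4 bytes, big-endian) || MD5(key || header).
    Assumption: the key string from 'ntp authentication-key <id> md5 <string>' is
    used as its raw ASCII bytes, as ntpd does."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("the MAC covers exactly the 48-byte header")
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def sign_packet(header: bytes, key_id: int, key: bytes) -> bytes:
    """What 'ntp server <ip> key 6' makes the client append to its request."""
    return header + ntp_mac(key_id, key, header)


def verify_packet(packet: bytes, trusted_keys: Dict[int, bytes]) -> Optional[bytes]:
    """Receiver-side check modelling 'ntp authenticate' plus 'ntp trusted-key'.
    Returns the 48-byte header if the MAC is valid under a trusted key, else None."""
    if len(packet) != NTP_HEADER_LEN + 4 + 16:        # header + key id + MD5 digest
        return None                                    # unauthenticated or truncated
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:                                    # unknown key id, or not trusted
        return None
    expected = ntp_mac(key_id, key, header)
    # constant-time comparison so that MAC checking does not leak timing information
    return header if hmac.compare_digest(expected, mac) else None
```

A packet whose key ID is not in the trusted set, whose key string differs on either side, or whose header was altered in transit fails verification, which is exactly why the key must match on client and server and why "ntp trusted-key" is required in addition to defining the key.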

 

V. Verification

1. This example displays the clock on the NTP server

 

2. This example displays the clock on the NTP client before synchronization

 

3. This example displays the NTP status on the NTP client before synchronization

 

4. The system logs the following message after synchronizing successfully:

*Mar 12 10:55:04: %SYS-6-CLOCKUPDATE: System clock has been updated to 10:55:04 UTC Tue Mar 12 2013.

This example displays the NTP status on the NTP client after synchronization

 

 

2.4       Configuring a Layer 2 Port

2.4.1 Port Description

Function Overview

Port description is very important for daily maintenance and trouble shooting. We suggest you to use the format "Link-peer name-peer port" to define port description. For example:

Ruijie(config-if-GigabitEthernet 0/1)#description  Link-to-WLZX_Core_S8610_1-G1/2

 

I. Configuration Steps

Configuring port description on G0/1

Ruijie#configure terminal

Ruijie(config)#interface gigabitEthernet 0/1

Ruijie(config-if-GigabitEthernet 0/1)#description Link-to-Core-S8610_1-G2/3

Ruijie(config-if-GigabitEthernet 0/1)#end

Ruijie#write

 

II. Verification

Ruijie#show interfaces description

Interface                Status   Administrative Description

------------------------ -------- -------------- -----------

GigabitEthernet 0/1      down     up             Link-to-Core-S8610_1-G2/3

GigabitEthernet 0/2      down     up            

GigabitEthernet 0/3      down     up    

  

2.4.2 Speed, Duplex and Flow control

Overview

By default, speed and duplex are auto-negotiated. You can also set them manually, but both ends of a link must then use the same speed and duplex (a mismatch causes errors and poor throughput). Usually we keep the default flow-control setting.

 

I. Configuration Steps

In the following example, the "speed" interface configuration command with the keyword 100 manually sets the speed of Gi0/24 to 100 Mbit/s

Ruijie>enable 

Ruijie#configure terminal

Ruijie(config)#int gigabitEthernet 0/24

Ruijie(config-if-GigabitEthernet 0/24)#speed 100

Ruijie(config-if-GigabitEthernet 0/24)#end

Ruijie#write   

 

In the following example, the "duplex" interface configuration command with the keyword full manually sets Gi0/24 to full duplex

Ruijie>enable 

Ruijie#configure terminal

Ruijie(config)#int gigabitEthernet 0/24

Ruijie(config-if-GigabitEthernet 0/24)#duplex full   

Ruijie(config-if-GigabitEthernet 0/24)#end

Ruijie#write

 

This example shows how to disable flow control on Gi0/1

Ruijie#configure terminal

Ruijie(config)#interface gigabitEthernet 0/1

Ruijie(config-if-GigabitEthernet 0/1)#flowcontrol off

Ruijie(config-if-GigabitEthernet 0/1)#end

Ruijie#write

 

Note: Flow control is enabled by default on most models, but this varies between switches; use the "show interfaces" privileged EXEC command to check.

 

II. Verification

Enter "show interfaces status" in privileged EXEC mode to display the interface status, including duplex and speed (see the sample output in the next section).

2.4.3 Combo Port

I. Configuration Steps

The following example switches combo port Gi0/23 to fiber mode

Ruijie>enable 

Ruijie#configure terminal

Ruijie(config)#interface gigabitEthernet 0/23

Ruijie(config-if-GigabitEthernet 0/23)#medium-type fiber   ------>convert combo mode to fiber

Ruijie(config-if-GigabitEthernet 0/23)#end

Ruijie#write    ------>confirm and save

 

The following example switches combo port Gi0/23 to copper mode

Ruijie>enable 

Ruijie#configure terminal

Ruijie(config)#interface gigabitEthernet 0/23

Ruijie(config-if-GigabitEthernet 0/23)#medium-type copper     ------>convert combo mode to copper

Ruijie(config-if-GigabitEthernet 0/23)#end

Ruijie#write   

 

II. Verification

1. To display the combo mode, enter the "show interfaces status" privileged EXEC command

Ruijie#show interfaces status

Interface                        Status    Vlan    Duplex   Speed     Type 

-------------------------------- --------  ------  -------  --------- ------

GigabitEthernet 0/22             down      1       Unknown  Unknown   copper

GigabitEthernet 0/23             up        1       Full     1000M     fiber

GigabitEthernet 0/24             down      1       Unknown  Unknown   copper

 

2. This example shows how to display the transceiver information of Giga0/23

Ruijie#show interfaces g0/23 transceiver

Transceiver Type    :  1000BASE-LX-SFP  

Connector Type      :  LC                          

Wavelength(nm)      :  1310                     

Transfer Distance   :                                

    SMF fiber

        -- 10km                         

    50/125 um OM2 fiber

        -- 550m

    62.5/125 um OM1 fiber

        -- 550m

Digital Diagnostic Monitoring  : NO        ------>this transceiver does not support DDM; DDM reports the received and transmitted optical power

Vendor Serial Number           : LP201093226676  

 

3. This example shows how to display the light intensity of a 10G transceiver which supports DDM

Ruijie#show interfaces tenGigabitEthernet 1/25 transceiver diagnosis

Current diagnostic parameters[AP:Average Power]:

Temp(Celsius)   Voltage(V)      Bias(mA)            RX power(dBm)       TX power(dBm)

26(OK)          3.26(OK)        5.22(OK)            -3.65(OK)[AP]       -2.09(OK)

 

4. This example shows how to display the transceiver alarm

Ruijie#show interfaces tenGigabitEthernet 1/25 transceiver alarm   ------> if the transceiver is plugged in but the port does not come up, the system returns warnings such as the following

RX power low

RX loss of signal

Module not ready

RX not ready

RX CDR loss of lock

 

Ruijie#show interfaces tenGigabitEthernet 1/25 transceiver alarm  ------>if the transceiver is plugged in and the port comes up, the system returns no warning

 

Ruijie transceivers specification

1. MINI-GBIC transceiver

 

MINI-GBIC cabling specification

 

2. 10G  XFP

 

3. 10G SFP+

 

2.4.4 Access or Trunk Port

Note: By default, a trunk port carries traffic for every VLAN that exists on the switch. We strongly recommend pruning each trunk port so that it carries only the VLANs it needs. Otherwise unknown-unicast, broadcast and multicast frames flood across the whole network, increasing CPU load and wasting system resources, and every VLAN becomes reachable over every trunk link.

 

I. Configuration Steps

1.  Configuring access port

The following example shows how to configure interface F0/1 as an access port and assign interface F0/1 to VLAN 100

Ruijie>en

Ruijie#conf t

Ruijie(config)#interface fastEthernet 0/1

Ruijie(config-if)#switchport mode access

Ruijie(config-if)#switchport access vlan 100

Ruijie(config-if)#end

Ruijie#wr

 

Note: By default, all ports are in access mode and belong to VLAN 1.

Enter the "show vlan" privileged EXEC command to verify that interface F0/1 belongs to VLAN 100

Ruijie# show vlan

VLAN Name                             Status    Ports    

---- -------------------------------- --------- -----------------------------------

   1 VLAN0001                         STATIC   Fa0/3, Fa0/4, Fa0/5           

                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9           

                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13       

                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17       

                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21       

                                                Fa0/22, Fa0/23, Fa0/24, Fa0/25       

                                                Fa0/26, Fa0/27, Fa0/28, Fa0/29       

                                                Fa0/30, Fa0/31, Fa0/32, Fa0/33       

                                                Fa0/34, Fa0/35, Fa0/36, Fa0/37       

                                                Fa0/38, Fa0/39, Fa0/40, Fa0/41       

                                                Fa0/42, Fa0/43, Fa0/44, Fa0/45       

                                                Fa0/46, Fa0/47, Fa0/48, Gi0/49       

                                                Gi0/50                               

 100 VLAN0100                       STATIC    Fa0/1,Fa0/2

 

2.  Configuring trunk port

The following example shows how to configure interface G0/49 as a trunk port

Ruijie#configure terminal

Ruijie(config)#interface gigabitEthernet 0/49

Ruijie(config-if)#switchport mode trunk

Ruijie(config-if)#end

 

 In the following example, the "show interfaces trunk" privileged EXEC command shows the status of all trunk ports

Ruijie# show interfaces trunk

Interface                      Mode   Native VLAN VLAN lists

------------------------ ------ ----------- ----------

FastEthernet 0/48            Off    1           ALL

GigabitEthernet 0/49     On     1           ALL     

GigabitEthernet 0/50       Off    1           ALL

 

3. Pruning a Trunk port (Mandatory)

This example shows how to prune a trunk port so that it carries traffic only for VLANs 5, 10 and 20-30

Ruijie#configure terminal

Ruijie(config)#interface gigabitEthernet 0/1

Ruijie(config-if-GigabitEthernet 0/1)#switchport mode trunk

Ruijie(config-if-GigabitEthernet 0/1)#switchport trunk allowed vlan remove 1-4,6-9,11-19,31-4094  

Ruijie(config-if-GigabitEthernet 0/1)#end

Ruijie#wr
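Working out the "remove" list by hand for every trunk is error-prone, and a typo silently leaves an extra VLAN on the link. The Python helper below is an added example, not Ruijie code: it expands a CLI VLAN list, computes its complement within 1-4094 and prints the result back in range notation, so the remove list for "5,10,20-30" comes out as the one used above. The function names are the example's own.

```python
from typing import Iterable, List, Set

VLAN_MIN, VLAN_MAX = 1, 4094


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand a CLI VLAN list such as '5,10,20-30' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (VLAN_MIN <= lo_i <= hi_i <= VLAN_MAX):
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(lo_i, hi_i + 1))
    return vlans


def format_vlan_list(vlans: Iterable[int]) -> str:
    """Compress a set of VLAN IDs back into the CLI range notation."""
    ids = sorted(set(vlans))
    parts: List[str] = []
    i = 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:   # extend the run
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)


def trunk_remove_list(allowed: str) -> str:
    """VLANs to give to 'switchport trunk allowed vlan remove' so that only
    the VLANs in `allowed` remain on the trunk."""
    keep = parse_vlan_list(allowed)
    return format_vlan_list(set(range(VLAN_MIN, VLAN_MAX + 1)) - keep)


def trunk_prune_commands(interface: str, allowed: str) -> List[str]:
    """Interface-mode commands for one pruned trunk, in the form used on this page."""
    cmds = [f"interface {interface}", "switchport mode trunk"]
    remove = trunk_remove_list(allowed)
    if remove:                                   # nothing to remove if every VLAN is allowed
        cmds.append(f"switchport trunk allowed vlan remove {remove}")
    return cmds


def trunk_allows(allowed: str, vlan: int) -> bool:
    """Check whether a VLAN would still be carried after pruning."""
    return vlan in parse_vlan_list(allowed)
```

`trunk_prune_commands("gigabitEthernet 0/1", "5,10,20-30")` reproduces the three commands from the example above, and `trunk_allows` is a quick check to run before a change window when someone asks whether a given VLAN will survive the pruning.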

 

2.4.5 Storm Control

Overview

1. Apply storm control on the edge ports of access switches; do not apply it on uplink ports.

2. If the access switch does not support storm control, apply it on the distribution switch.

3. A limit of 100 pps to 300 pps for unknown unicast, broadcast and multicast packets is appropriate.

 

I. Configuration Steps

To configure storm control on a port with the level keyword (a percentage of the port bandwidth), perform this task:

Ruijie>enable

Ruijie#configure terminal

Ruijie(config)#interface gigabitEthernet 0/1  

Ruijie(config-if-GigabitEthernet 0/1)#storm-control broadcast level 1    ------>limit broadcast packets to 1% of the port bandwidth, i.e. 1G*1%=10M

Ruijie(config-if-GigabitEthernet 0/1)#storm-control unicast level 1         ------>limit unknown unicast packets to 1% of the port bandwidth, i.e. 1G*1%=10M

Ruijie(config-if-GigabitEthernet 0/1)#storm-control multicast level 1    ------>limit multicast packets to 1% of the port bandwidth

Ruijie(config-if-GigabitEthernet 0/1)#end

Ruijie#write

 

To configure storm control on a port with the pps keyword (a fixed packet rate independent of the port speed, which matches the 100 to 300 pps guidance above), perform this task:

Ruijie>enable

Ruijie#configure terminal

Ruijie(config)#interface gigabitEthernet 0/1  

Ruijie(config-if-GigabitEthernet 0/1)#storm-control broadcast pps 200    ------>limit broadcast packets to 200 packets per second

Ruijie(config-if-GigabitEthernet 0/1)#storm-control unicast pps 200      ------>limit unknown unicast packets to 200 packets per second

Ruijie(config-if-GigabitEthernet 0/1)#storm-control multicast pps 200    ------>limit multicast packets to 200 packets per second

Ruijie(config-if-GigabitEthernet 0/1)#end

Ruijie#write

 

II. Verification

Ruijie#show storm-control

Interface                 Broadcast Control Multicast Control Unicast Control Action

------------------------- ----------------- ----------------- --------------- --------

      GigabitEthernet 0/1           1     %           1     %         1     %     none

      GigabitEthernet 0/2          Disabled          Disabled        Disabled     none

      GigabitEthernet 0/3          Disabled          Disabled        Disabled     none

 

2.5        SNMP

2.5.1      SNMPV1/V2

Overview

SNMP (Simple Network Management Protocol) has been a network management standard (RFC 1157) since August 1988. With support from many manufacturers it has become the de facto network management standard, and it is suited to interconnecting systems from different vendors. Administrators use SNMP to query information, configure the network, locate faults and plan capacity for the nodes on the network. Network monitoring and administration are the basic functions of SNMP.

SNMP versions:

SNMPv1 The first formal version of the Simple Network Management Protocol, which is defined in RFC1157

SNMPv2C Community-based Administrative Framework for SNMPv2, an experimental Internet protocol defined in RFC1901.

SNMPv3 Offers the following security features by authenticating and encrypting packets:

1. Ensure that the data are not tampered during transmission

2. Ensure that the data come from a valid data source

3. Encrypt packets to ensure the data confidentiality

 

Both SNMPv1 and SNMPv2c use a community-based security framework: they restrict the manager's operations on the MIB only by the source IP address and the community string, and both the community string and the data travel in clear text, so anyone who can sniff the management traffic can read and reuse them. With the GetBulk retrieval mechanism, SNMPv2c returns more detailed error information to the management station. GetBulk retrieves a whole table, or a large amount of data from it, in a single request, reducing the number of request/response round trips. SNMPv2c also improves error handling by expanding the error codes so that different kinds of error, which SNMPv1 represented by a single code, can now be distinguished. Since a network may contain management stations that speak SNMPv1 and others that speak SNMPv2c, the SNMP agent must recognize both message versions and reply in the matching version.

 

I. Requirements

1. Only the SNMP manager (IP 192.168.1.2/24) may access the switch's SNMP service, using community string "ruijie"

2. The SNMP agent on the switch actively sends SNMP traps to the SNMP manager

3. The SNMP manager can read basic information about the switch: location, contact and chassis ID

 

II. Network Topology

 

III. Configuration Tips

1. Set the read-only and read-write community strings on the switch independently

2. Define an ACL so that only the authorized SNMP manager can access the switch's SNMP agent

3. Enable SNMP traps

4. Configure the SNMP manager

 

IV. Configuration Steps

1.      Define a standard access list named "abc" with an entry permitting the IP address of the SNMP manager

Ruijie(config)#ip access-list standard abc

Ruijie(config-std-nacl)#permit host 192.168.1.2 

Ruijie(config-std-nacl)#exit

 

2.      Set the read-write community string to "ruijie" and the read-only community string to "public", and bind both to the ACL so that only the SNMP manager can access the switch's SNMP agent. In production, replace both with unique strings: "public" is the universal default that scanners try first, and the read-write string grants configuration access to anyone who learns it.

Ruijie(config)#snmp-server community ruijie rw abc

Ruijie(config)#snmp-server community public ro abc   

 

3.      The SNMP agent on the switch actively sends traps to the SNMP network manager

Ruijie(config)#snmp-server host 192.168.1.2 traps ruijie         ------>by default, the SNMP trap version is version 1

Ruijie(config)#snmp-server host 1.1.1.1 version 2c ruijie        ------>set the SNMP trap version to version 2c

 

4.      Enable trap feature

Ruijie(config)#snmp-server enable traps 

 

5.      Set SNMP optional parameters

Set location

Ruijie(config)#snmp-server location fuzhou

 

 Set contact method

Ruijie(config)#snmp-server contact ruijie.com.cn

 

 Set chassis-id

Ruijie(config)#snmp-server chassis-id 1234567890

 

6.      Assign a management IP address to SVI 1

Ruijie(config)#interface vlan 1

Ruijie(config-if-VLAN 1)#ip address 192.168.1.1 255.255.255.0

 

7.      Save configuration

Ruijie(config-if-VLAN 1)#end

Ruijie#wr
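The community and ACL model of the steps above can be checked offline before a change is pushed. The following Python script is an added example, not Ruijie code and not output from a switch: it parses the snmp-server and standard ACL lines of a saved running-config, answers whether a given manager address may use a given community, and flags communities without an ACL, communities with well-known default names, and trap hosts still using the SNMPv1 default. The sample configuration is constructed from the commands above plus one extra community ("legacy") that deliberately has no ACL, so the audit has something to report.

```python
import re
import ipaddress

# Constructed sample: the running-config lines produced by the steps above,
# plus one community ("legacy") without an ACL. Not captured from a switch.
SAMPLE_CONFIG = """\
ip access-list standard abc
 permit host 192.168.1.2
snmp-server community ruijie rw abc
snmp-server community public ro abc
snmp-server community legacy ro
snmp-server host 192.168.1.2 traps ruijie
snmp-server host 1.1.1.1 version 2c ruijie
snmp-server enable traps
"""

# Well-known community names that every scanner tries first.
DEFAULT_COMMUNITIES = {"public", "private"}


def wildcard_to_network(addr, wildcard):
    """Convert an 'address wildcard' pair (contiguous wildcard) into an ip_network."""
    bits = int(ipaddress.ip_address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{addr}/{32 - bits}", strict=False)


def parse_snmp_config(text):
    """Extract standard ACLs, community strings and trap hosts from config text."""
    acls = {}          # acl name -> list of permitted ip_network objects
    communities = {}   # community string -> (mode, acl name or None)
    trap_hosts = []    # (host, version, community); version defaults to "1"
    current_acl = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"ip access-list standard (\S+)$", line)
        if m:
            current_acl = m.group(1)
            acls.setdefault(current_acl, [])
            continue
        if current_acl and line.split()[0] in ("permit", "deny"):
            args = line.split()[1:]
            if line.startswith("deny"):
                continue  # model keeps only permits; the ACL ends with implicit deny
            if args[0] == "host":
                acls[current_acl].append(ipaddress.ip_network(args[1]))
            elif args[0] == "any":
                acls[current_acl].append(ipaddress.ip_network("0.0.0.0/0"))
            else:
                acls[current_acl].append(wildcard_to_network(args[0], args[1]))
            continue
        current_acl = None  # any other top-level line ends the ACL block
        m = re.match(r"snmp-server community (\S+) (ro|rw)(?: (\S+))?$", line)
        if m:
            communities[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = re.match(r"snmp-server host (\S+)(?: traps)?(?: version (\S+))? (\S+)$", line)
        if m:
            trap_hosts.append((m.group(1), m.group(2) or "1", m.group(3)))
    return {"acls": acls, "communities": communities, "trap_hosts": trap_hosts}


def manager_allowed(cfg, community, manager_ip):
    """True if a manager at manager_ip may use this community (no ACL = anyone)."""
    mode_acl = cfg["communities"].get(community)
    if mode_acl is None:
        return False
    acl_name = mode_acl[1]
    if acl_name is None:
        return True
    ip = ipaddress.ip_address(manager_ip)
    return any(ip in net for net in cfg["acls"].get(acl_name, []))


def audit(cfg):
    """Return human-readable findings about the SNMP community configuration."""
    findings = []
    for name, (mode, acl_name) in cfg["communities"].items():
        if acl_name is None:
            findings.append(f"community '{name}' ({mode}) has no ACL: any host may query")
        elif not cfg["acls"].get(acl_name):
            findings.append(f"community '{name}' references ACL '{acl_name}' with no permit entries")
        if name in DEFAULT_COMMUNITIES:
            findings.append(f"community '{name}' uses a well-known default name")
    for host, version, community in cfg["trap_hosts"]:
        if community not in cfg["communities"]:
            findings.append(f"trap host {host} uses undefined community '{community}'")
        if version == "1":
            findings.append(f"trap host {host} receives SNMPv1 traps (the default version)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_snmp_config(SAMPLE_CONFIG)):
        print(finding)
```

Run it against the output of "show running-config" saved to a file; communities are matched exactly, so a manager whose address is outside the ACL is reported as denied even with the right string, which is the behaviour the steps above are meant to produce.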

 

V. Verification

1. This example shows how to verify SNMP agent status

 

The following example shows how to disable the SNMP agent if an SNMP agent issue causes heavy CPU load:

Ruijie(config)#no enable service snmp-agent

 

2. This example shows how to display SNMP host information

 

3. This example shows how to access the SNMP agent from an SNMP manager using "Mib-Browser"

 

4. SNMP managers other than 192.168.1.2 cannot access the SNMP agent at the same time.

2.5.2      SNMPV3

I. Requirements

1) The SNMP manager can access the SNMP agent on the switch using the user-based security model. The user name is "admin", the authentication mode is MD5, the authentication key is "ruijie", the encryption algorithm is DES56, and the encryption key is "123"

2) User "admin" can read the MIB objects under the System (1.3.6.1.2.1.1) node, and can write only the MIB objects under the SysContact (1.3.6.1.2.1.1.4.0) node.

3) The switch can actively send authenticated and encrypted messages to the SNMP manager

 

II. Network Topology

 

III. Configuration Tips

1. Create MIB views and specify the included or excluded MIB objects.

2. Create an SNMP group and set its version to "v3"; specify the security level of the group and configure the read and write views associated with it.

3. Create a user and associate it with the SNMP group, which determines the user's permission to access MIB objects; at the same time set the version to "v3" and the corresponding authentication mode, authentication key, encryption algorithm and encryption key.

4. Configure the address of the SNMP manager, set the version to "3" and specify the security level to be used.

 

IV. Configuration Steps

Configuring switch

Ruijie#configure terminal

Ruijie(config)#snmp-server view view1 1.3.6.1.2.1.1 include                        ------> Create a MIB view named "view1" that includes the MIB object 1.3.6.1.2.1.1

Ruijie(config)#snmp-server view view2 1.3.6.1.2.1.1.4.0 include                   ------> Create a MIB view named "view2" that includes the MIB object 1.3.6.1.2.1.1.4.0

Ruijie(config)#snmp-server group group1 v3 priv read view1 write view2    ------>Create a group named "group1" using SNMPv3; set the security level to "priv", with read access to "view1" and write access to "view2"

Ruijie(config)#snmp-server user admin group1 v3 auth md5 ruijie priv des56 ruijie123    ------>Create a user named "admin" belonging to group "group1", using SNMPv3; the authentication mode is "md5", the authentication key is "ruijie", the encryption mode is "DES56" and the encryption key is "123".

Ruijie(config)#snmp-server host 192.168.1.2 traps version 3 priv admin      ------>Configure the SNMP manager address 192.168.1.2 using SNMPv3, set the security level to "priv" and associate the user "admin"

Ruijie(config)#snmp-server enable traps                                                       ------>Enable the agent to actively send traps to the NMS

Ruijie(config)#interface vlan 1

Ruijie(config-if-VLAN 1)#ip address 192.168.1.1 255.255.255.0

Ruijie(config-if-VLAN 1)#end

 

Set SNMP optional parameters

Ruijie(config)#snmp-server location fuzhou

Ruijie(config)#snmp-server contact ruijie.com.cn         

Ruijie(config)#snmp-server chassis-id 1234567890 

Note: If you don't create a new SNMP view, the Ruijie switch uses the default SNMP view named "default", which includes the MIB object 1 (the whole tree)

 

Minimum SNMPv3 configuration example:

snmp-server group group1 v3 priv read default write default   

snmp-server user admin group1 v3 auth md5 ruijie priv des56 ruijie123   

snmp-server host 192.168.1.2 traps version 3 priv admin    

snmp-server enable traps   
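The view/group/user chain configured above (view1, view2, group1, admin) and the default view named in the note can be modelled to check which operations a user may perform before the change is made on the switch. The following Python model is an added example, not Ruijie code: the resolution rule (when several view entries cover an OID, the most specific subtree decides between include and exclude) is taken from the VACM model of RFC 3415, and the OIDs, names and security levels are the ones configured in this section.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def parse_oid(oid):
    """'1.3.6.1.2.1.1.4.0' -> (1, 3, 6, 1, 2, 1, 1, 4, 0)"""
    return tuple(int(x) for x in oid.strip(".").split("."))


@dataclass
class View:
    """An SNMP view: a list of (subtree, included) entries. When several entries
    cover an OID, the longest (most specific) subtree decides, which is how
    VACM (RFC 3415) resolves include/exclude overlaps."""
    name: str
    entries: List[Tuple[tuple, bool]] = field(default_factory=list)

    def add(self, subtree, mode="include"):
        self.entries.append((parse_oid(subtree), mode == "include"))
        return self

    def contains(self, oid):
        target = parse_oid(oid)
        best = None
        for subtree, included in self.entries:
            if target[:len(subtree)] == subtree:
                if best is None or len(subtree) > len(best[0]):
                    best = (subtree, included)
        return best is not None and best[1]


@dataclass
class Group:
    name: str
    level: str                     # "noauth", "auth" or "priv"
    read: Optional[View] = None
    write: Optional[View] = None


@dataclass
class User:
    name: str
    group: Group
    auth: Optional[str] = None     # e.g. "md5"
    priv: Optional[str] = None     # e.g. "des56"

    def max_level(self):
        """Highest security level the user's keys allow."""
        return "priv" if self.priv else "auth" if self.auth else "noauth"


LEVELS = ("noauth", "auth", "priv")


def check_access(user, oid, op, request_level):
    """Decide a GET (op='read') or SET (op='write') from this user at the given
    security level. Returns (allowed, reason)."""
    if request_level not in LEVELS:
        return False, f"unknown security level {request_level}"
    group = user.group
    if LEVELS.index(request_level) > LEVELS.index(user.max_level()):
        return False, f"user '{user.name}' has no keys for {request_level}"
    if LEVELS.index(request_level) < LEVELS.index(group.level):
        return False, f"group '{group.name}' requires {group.level}, request used {request_level}"
    view = group.read if op == "read" else group.write
    if view is None:
        return False, f"group '{group.name}' has no {op} view"
    if not view.contains(oid):
        return False, f"{oid} is outside {op} view '{view.name}'"
    return True, "permitted"


# Constructed model of the configuration in this section (not switch output):
VIEW1 = View("view1").add("1.3.6.1.2.1.1")          # system subtree
VIEW2 = View("view2").add("1.3.6.1.2.1.1.4.0")      # sysContact only
GROUP1 = Group("group1", "priv", read=VIEW1, write=VIEW2)
ADMIN = User("admin", GROUP1, auth="md5", priv="des56")
# The default view from the note above: everything under "1".
DEFAULT_VIEW = View("default").add("1")

if __name__ == "__main__":
    for oid, op in [("1.3.6.1.2.1.1.5.0", "read"), ("1.3.6.1.2.1.1.5.0", "write"),
                    ("1.3.6.1.2.1.1.4.0", "write"), ("1.3.6.1.2.1.2.1.0", "read")]:
        print(oid, op, check_access(ADMIN, oid, op, "priv"))
```

The model also shows why the minimum configuration with "read default write default" is the weaker choice: every object under 1 becomes writable by the group, whereas view2 above limits SET to sysContact.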

 

V. Verification

1. This example shows how to verify SNMP agent status

 

The following example shows how to disable the SNMP agent if an SNMP agent issue causes heavy CPU load:

Ruijie(config)#no enable service snmp-agent

 

2. The following examples show how to display the SNMP view, SNMP group and SNMP user individually

 

 

 

2.6        SPAN

2.6.1      Many to one mirror

Overview

With SPAN, you can analyze the communication on a port by copying its frames to another port connected to a network analysis device or RMON analyzer. SPAN mirrors all the packets sent and received on a port to a physical port for analysis. SPAN does not affect the exchange of packets between the source and destination ports; it copies the frames entering or leaving the source port to the destination port. However, frames may be discarded if the destination port is oversubscribed, for example when a 100 Mbps port monitors a 1000 Mbps port.

 

I. Requirements

The core switch copies the traffic of G0/1 and G0/2 in both directions to the Monitor Server, and the Monitor Server can still reach the Internet at the same time

 

II. Network Topology

 

III. Configuration Tips

Enter the "monitor session" global configuration command with the "switch" keyword so that the mirror destination port can also forward normal traffic in addition to the mirrored traffic

 

IV. Configuration Steps

Ruijie>enable                                     

Ruijie#configure terminal

Ruijie(config)#monitor session 1 source interface gigabitEthernet 0/1 both      ------>define G0/1 as a source port of the monitor session with both traffic directions monitored. To monitor inbound or outbound traffic only, use the keyword rx or tx instead of both, for example "monitor session 1 source interface gigabitEthernet 0/1 rx"

Ruijie(config)#monitor session 1 source interface gigabitEthernet 0/2 both    

Ruijie(config)#monitor session 1 destination interface gigabitEthernet 0/24 switch  

Ruijie(config)#end

Ruijie#wr

 

V. Verification

1. This example shows how to verify status of monitor session

 

2. This example verifies that the Monitor Server can reach the Internet while monitoring

2.6.2      One to Many Mirror

Note: Only S8600E and N18000 series switches support one-to-many (or many-to-many) SPAN so far.

Tips: For switches that do not support one-to-many SPAN, you can apply the following fallback method:

1. Configure ordinary many-to-one SPAN

2. Connect a HUB to the mirror destination port, so that packets flood through the HUB

3. Connect your Monitor Server to the HUB.

The HUB can also be a switch with default settings. In that case you must assign the ports to the remote VLAN and disable the MAC learning feature (enter the "no mac-address-learning" interface configuration command) and the storm-control feature.

 

I. Requirements

Core switch copies traffic of G4/1 and G4/2 on both directions to Monitor Server 1 connected to port G4/21 and  Monitor Server 2 connected to port G4/22

 

II. Network Topology

 

III. Configuration Tips

1) Create VLAN 100 as the remote VLAN on the switch

2) Define G4/1 and G4/2 as source ports of the monitor session, with both traffic directions monitored

3) Create a mac-loopback port, assign it to the remote VLAN and define it as the destination port of the monitor session

4) Assign ports G4/21 and G4/22 to remote VLAN 100

 

Note

1) Use an unused port as the mac-loopback port. Do not connect a cable to this port; the switch nevertheless sets the link status of the mac-loopback port to up and the port LED is green

2) Do not configure any other commands on the mac-loopback port, and do not specify the "switch" keyword when configuring the monitor session (monitor session 1 destination remote vlan 100 interface gigabitEthernet 4/23, with no switch keyword)

 

IV. Configuration Steps

1. Create VLAN 100 as remote-vlan on switch

Ruijie#configure terminal

Ruijie(config)#vlan 100   ------> VLAN 100 must be dedicated to mirroring

Ruijie(config-vlan)#remote-span 

Ruijie(config-vlan)#exit

 

2. Define G4/1 and G4/2 as source port in monitor session, and both traffic directions are monitored

Ruijie(config)#monitor session 1 remote-source

Ruijie(config)#monitor session 1 source interface gigabitEthernet 4/1 both

Ruijie(config)#monitor session 1 source interface gigabitEthernet 4/2 both

 

3. Configure G4/23 as the mac-loopback port, assign it to the remote VLAN and define it as the destination port of the monitor session

Ruijie(config)#interface gigabitEthernet 4/23

Ruijie(config-if-GigabitEthernet 4/23)#switchport access vlan 100

Ruijie(config-if-GigabitEthernet 4/23)#mac-loopback         ------>Don't configure any other commands or connect cable to this port

Ruijie(config-if-GigabitEthernet 4/23)#exit

Ruijie(config)#monitor session 1 destination remote vlan 100 interface gigabitEthernet 4/23 switch

Ruijie(config)#end

Ruijie#clear mac-address-table dynamic interface gigabitEthernet 4/23    ------> clear the dynamic MAC address table of this port after finishing the configuration

 

4. Assign ports G4/21 and G4/22 to remote VLAN 100

Ruijie#configure terminal

Ruijie(config)#interface range gigabitEthernet 4/21-22

Ruijie(config-if-range)#switchport access vlan 100

Ruijie(config-if-range)#end

Ruijie#wr

 

V. Verification

1. This example shows how to verify status of monitor session

 

 

2. This example shows how to display configuration of port G4/23

 

VI. Script

conf t

vlan 100

remote-span 

exit

monitor session 1 remote-source

monitor session 1 source interface gigabitEthernet 4/1 both

monitor session 1 source interface gigabitEthernet 4/2 both

monitor session 1 destination remote vlan 100 interface gigabitEthernet 4/23 switch

interface gigabitEthernet 4/23

switchport access vlan 100

mac-loopback

interface range gigabitEthernet 4/21-22

switchport access vlan 100

 

2.6.3      Flow-Based Mirroring

Scenario

Flow-based mirroring: During network troubleshooting, when the traffic on a port is high, an ordinary mirroring analysis solution may fail because of limited PC performance, and it becomes difficult to capture the required packets (for example, the packets of a certain MAC address, or packets from a designated source IP address to a designated destination IP address). In this case you can use the flow-based mirroring analysis function: if the traffic on the port is too high for the monitoring server or log auditing server deployed on the network to analyze all of it, you can capture only the specified packets.

Function Overview

Port mirroring: With the switched port analyzer (SPAN), the switch replicates the packets of a specified port to the port that connects a network surveillance device, for network monitoring and traffic analysis. SPAN lets you monitor the packets flowing in and out of a source port with fast packet replication.

SPAN does not change packet contents or affect packet forwarding. SPAN also places no requirement on the media type of the source and destination ports: mirroring can run from optical ports to electrical ports or from electrical ports to optical ports. Nor does it restrict the properties of the source and destination ports: it supports mirroring from an access port to a trunk port or from a trunk port to an access port.

Flow-based mirroring: You can define the desired types of traffic (for example, PPPoE packets, IP packets on a specified network segment, or HTTP packets on TCP port 80) using an ACL. Ruijie switches provide rich ACL functions and support matching by L2 frame type, MAC address, IP address, TCP/UDP port and ACL80 (the first 80 bytes of a packet). SPAN captures the packets on the source port according to the defined ACL and mirrors them to the destination port. Packets that do not match the ACL are not mirrored.

Note: The switch supports flow-based mirroring in the RX direction (inbound on the port) only. Flow-based monitoring in the TX direction (outbound on the port) or in both directions is not supported.

I. Networking Requirements

1. The monitoring server monitors traffic consumption on the core server by users on the 192.168.10.0/24 network segment.

2. The monitoring server monitors the traffic from the core server to the access server.

II. Network Topology

III. Configuration Tips

1. On the core switch, configure an ACL that permits users on the network segment 192.168.10.0/24.

2. On the core switch, configure port mirroring. Set port g1/1, which connects the access server, as the source port of the mirroring session and associate the ACL.

3. Set the port connecting the monitoring server (port g1/24) as the destination port of port mirroring.

IV. Configuration Steps

Configure the core switch.

Ruijie#configure terminal

Ruijie(config)#ip access-list extended ruijie          ------>Create an extended ACL named ruijie

Ruijie(config-ext-nacl)#permit ip  192.168.10.0 0.0.0.255 any

Ruijie(config-ext-nacl)#exit

Ruijie(config)#monitor session 1 source interface gigabitEthernet 1/1 tx

Ruijie(config)#monitor session 1 source interface gigabitEthernet 1/1 rx acl ruijie   ------> Set the g1/1 port that connects the access server as the source port of port mirroring and enable the ACL association.

Ruijie(config)#monitor session 1 destination interface gigabitEthernet 1/24  switch         ------> Set the port connecting the monitoring server (port g1/24) as the destination port of port mirroring and enable switching on the mirroring destination port.

Ruijie(config)#end

Ruijie#wr
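The following Python model is an added example, not Ruijie code: it implements ACL wildcard-mask matching and first-match semantics for the extended ACL above, enforces the rx-only rule from the note, and reports whether a constructed packet seen in the rx or tx direction on g1/1 would be copied to g1/24. The packet addresses and the session dictionary are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"      # "ip" here stands for any IP protocol


def wildcard_match(addr, base, wildcard):
    """ACL wildcard-mask test: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (a & care) == (b & care)


def parse_ace(line):
    """Parse an extended ACE 'permit|deny <proto> <src> <dst>' where src and
    dst are each 'any', 'host A' or 'A WILDCARD'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    sides = []
    while len(sides) < 2:
        if rest[0] == "any":
            sides.append(("0.0.0.0", "255.255.255.255"))
            rest = rest[1:]
        elif rest[0] == "host":
            sides.append((rest[1], "0.0.0.0"))
            rest = rest[2:]
        else:
            sides.append((rest[0], rest[1]))
            rest = rest[2:]
    return action, proto, sides[0], sides[1]


def acl_permits(aces, pkt):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, proto, (sb, sw), (db, dw) in aces:
        if proto != "ip" and proto != pkt.proto:
            continue
        if wildcard_match(pkt.src, sb, sw) and wildcard_match(pkt.dst, db, dw):
            return action == "permit"
    return False


# Session model from the steps above (constructed): tx without an ACL mirrors
# everything leaving g1/1; rx mirrors only what ACL "ruijie" permits.
SESSION = {
    "tx": None,
    "rx": ["permit ip 192.168.10.0 0.0.0.255 any"],
}


def validate_session(session):
    """The switch supports flow-based (ACL) mirroring in the rx direction only."""
    if session.get("tx") is not None:
        raise ValueError("ACL-filtered mirroring is supported for rx only")
    return True


def mirrored(session, direction, pkt):
    """Would this packet, seen in this direction on the source port, be copied
    to the destination port?"""
    if direction not in session:
        return False
    acl = session[direction]
    if acl is None:
        return True
    return acl_permits([parse_ace(line) for line in acl], pkt)


if __name__ == "__main__":
    validate_session(SESSION)
    for pkt, direction in [(Packet("192.168.10.7", "10.1.1.10"), "rx"),
                           (Packet("192.168.11.7", "10.1.1.10"), "rx"),
                           (Packet("10.1.1.10", "192.168.11.7"), "tx")]:
        print(direction, pkt.src, "->", pkt.dst, mirrored(SESSION, direction, pkt))
```

Because tx carries no ACL, everything from the core toward the access server reaches the monitor; only the inbound direction is filtered, which is the asymmetry the "show monitor" output below reflects ("frame-type Both" with an "rx acl" line only).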

 

V. Verification

1. Check the port mirroring state.

Ruijie(config)#show monitor

sess-num: 1

span-type: LOCAL_SPAN

src-intf:

GigabitEthernet 1/1         frame-type Both

rx acl id 2900

acl name ruijie

dest-intf:

GigabitEthernet 1/24

mtp_switch on               ------> Allow the mirroring destination port to forward normal data streams

 

2. Check the ACL.

3. Capture

2.7        Featured commands

1.      switchport trunk allowed vlan only x-x

 

Previously, in version 10.x, all VLANs were allowed to pass through a trunk port by default. Engineers had to remove all VLANs first and then permit VLANs one by one.

With the command "switchport trunk allowed vlan only x-x", only the listed VLANs are allowed on the trunk port; you no longer need to remove all VLANs first.

 

For example:

 

Ruijie(config-if-GigabitEthernet 1/1)#show this

Building configuration...

switchport mode trunk

switchport trunk allowed vlan only 1-2

end

 

 

2.      show this

 

Previously, in version 10.x, engineers had to run "show run" or "show run | include xxx" to check the configuration. With the command "show this", you can display the configuration of the current mode directly:

 

For example :

 

Ruijie(config)#int mgmt 0

 

Ruijie(config-if-Mgmt 0)#show this

 

Building configuration...

 

!

 

ip address 172.18.10.62 255.255.255.0

 

gateway 172.18.10.1

 

3.      show upgrade history

 

Previously, in version 10.x, engineers had to rename the firmware to "rgos.bin" before upgrading, and there was no record of previous upgrades.

Now you can give the firmware any name for convenient management, and the system records the upgrade history.

 

For example:

 

Ruijie#show upgrade history

 

Last Upgrade Information:

 

   Time:         2015-04-20 03:02:05

 

   Method:       LCOAL

 

   Package Name: N18000_RGOS11.0(2)B1_CM_install.bin

 

   Package Type: Distribution

 

4.      debug syslog limit

 

Previously, in version 10.x, in the worst case massive system log printing could crash the device after debugging was enabled.

With the command "debug syslog limit time seconds numbers numbers", system log printing is rate-limited.

 

For example:

Ruijie#debug syslog limit ?

 numbers  Syslog limited by numbers

 reset    Syslog reset limit statistics

 time     Syslog limited by time
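The following Python class is an added model of the limiter that the command describes; it is not Ruijie code, and since the switch's internal algorithm is not documented on this page, the sliding-window behaviour and the names are assumptions. At most "numbers" messages are printed in any window of "time" seconds, extra messages are dropped and counted, and reset clears the statistics as the "reset" keyword above suggests.

```python
from collections import deque


class SyslogLimiter:
    """Sliding-window model of 'debug syslog limit time <seconds> numbers <numbers>':
    at most `numbers` debug messages are printed in any window of `seconds`
    seconds; extra messages are dropped and counted. (Assumed behaviour.)"""

    def __init__(self, seconds, numbers):
        if seconds <= 0 or numbers <= 0:
            raise ValueError("window and count must be positive")
        self.seconds = seconds
        self.numbers = numbers
        self.printed = deque()   # timestamps of messages printed in the window
        self.dropped = 0

    def allow(self, now):
        """Return True if a message arriving at time `now` may be printed."""
        # Expire timestamps that have left the window.
        while self.printed and now - self.printed[0] >= self.seconds:
            self.printed.popleft()
        if len(self.printed) < self.numbers:
            self.printed.append(now)
            return True
        self.dropped += 1
        return False

    def reset(self):
        """Model of 'debug syslog limit reset': clear the limit statistics."""
        self.printed.clear()
        self.dropped = 0


def replay(limiter, timestamps):
    """Feed a constructed burst of debug messages (seconds) and return the decisions."""
    return [limiter.allow(t) for t in timestamps]


if __name__ == "__main__":
    limiter = SyslogLimiter(seconds=10, numbers=3)
    print(replay(limiter, [0, 1, 2, 3, 10, 11]), "dropped:", limiter.dropped)
```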

 

 

5.      one key collection

 

Previously, in version 10.x, engineers usually had to collect information several times while troubleshooting, which could miss the best opportunity to capture the fault.

With one-key collection, the system collects all relevant information at once.

 

 

For example :

 

Ruijie#debug support

Ruijie(support)#tech-support ?      

 console  Tech-support information to terminal

 package  Tech-support information to package

 

2.8       Typical Feature

2.8.1      VSU

Overview

VSU expands the number of ports

As shown in the figure below, when a switch runs out of ports, you can add another switch to the VSU to expand the number of ports

 

 

VSU expands Forwarding Capacity

As shown in the figure below, you can add another switch to the VSU to expand the global forwarding capacity. For example, if the forwarding capacity of one switch is 128 Mpps, the global forwarding capacity expands to 256 Mpps when two switches join a VSU.

VSU expands Uplink Bandwidth

As shown in the figure below, you can add another switch to the VSU to expand the uplink bandwidth to the core switch with minimum impact on the network topology and configuration.

 

VSU simplifies the Network Topology

As the first figure below shows, a common scenario uses MSTP and VRRP to ensure high availability, with redundant ports blocked to prevent loops.

As the second figure below shows, VSU reduces the complexity of the network and improves the utilization of network resources: all ports are in use at the same time.

Note:

In a traditional network, to strengthen reliability, the core layer or distribution layer generally consists of two devices configured as a dual-core system for redundant standby, with neighboring devices connecting two links to the dual-core redundant system. Such a typical traditional network architecture is shown in the following figure. The redundant architecture increases the complexity of network design and operation, while the large number of standby links reduces the utilization of network resources and the return on investment.

VSU (Virtual Switching Unit) is a common network virtualization technology that combines two switches into a single virtual switch, reducing the complexity of the network and improving the utilization of network resources.

 

Role of Chassis

Each switch in a VSU is called a VSU member, and there are three VSU roles for a VSU member, based on different functions:

1) Active: The active chassis controls the entire VSU system

2) Standby: The standby chassis takes over control if the active (main) chassis fails

 

VSU Domain ID

VSU Domain ID ranges from 1 to 255, and the default value is 100. Only VSU members with the same Domain ID can establish a VSU.

 

VSU Chassis ID

The chassis ID can be 1 or 2. The default value is 1.

In standalone mode, port numbers use a two-dimensional format (for example, GigabitEthernet 2/3); in VSU mode, port numbers use a three-dimensional format (for example, GigabitEthernet 1/2/3).

The first number (the 1 in GigabitEthernet 1/2/3) indicates the chassis ID, and the last two numbers (the 2/3 in GigabitEthernet 1/2/3) indicate the slot number and port number. The chassis ID of each VSU member must therefore be different.

If two VSU chassis have the same chassis ID, the VSU system recalculates a new chassis ID for them.

 

VSU Chassis Priority

The chassis priority ranges from 1 to 255, and the default value is 100. A higher priority gives the chassis precedence in becoming the active chassis.

Chassis priority consists of a configured priority and a running priority. The running priority does not change when the administrator changes the configured priority while the VSU is running; it changes only after the administrator saves the configuration and reloads the VSU.

 

VSL

Since the two chassis jointly form one network entity in a VSU system, they need to share control information and part of the data streams. The VSL (Virtual Switching Link) is a special link between the two chassis for transmitting control information and data streams.

The VSL acts as an aggregate port. Its member port count is unlimited, and the member ports can reside on line cards in different slots. Traffic transferred over the VSL is load-balanced among the member ports according to the traffic balancing algorithm.

Currently, 10-GB or 40-GB ports can be member ports of the VSL, while 1-GB ports cannot. A line card can hold VSL member ports as well as ordinary data service ports.

 

VSL Interruption

As shown in the figure below, a VSL interruption occurs when the VSL fails and the two VSU members are disconnected

 

VSU Combination

As shown in the figure below, VSU combination occurs when two VSU members with the same domain ID establish a VSU

 

Switch Working Mode

The switch working mode is either standalone mode or VSU mode; the default is standalone mode

 

VSU VSL Connection medium

This varies between switch models.

For example, on S8600E series switches the VSL can only be configured on 10G/40G optical ports.

 

VSL Detection

VSL detection starts probing for the peer chassis as soon as the VSU members boot; after the VSL links come up, topology discovery begins.

 

Topology Discovery

VSU members learn the global VSU topology by flooding VSU hello packets over the VSL. VSU hello packets carry topology information including chassis ID, priority, MAC address and VSL port.

VSU role election starts when topology discovery completes.

 

VSU Role Election

The active chassis election mechanism operates as follows:

1) The current active chassis first

2) The higher priority first

3) The lower MAC address first

The standby (slave) chassis election mechanism is as follows:

1) The chassis nearest to the active chassis first

2) The higher priority first

3) The lower MAC address first

After the election finishes, the active chassis floods Convergence packets to the whole VSU, and VSU establishment completes.

 

Dual Active Detection

When the VSL is disconnected, the slave chassis switches to main chassis. If the former main chassis is still running, both chassis become main chassis. Since their configurations are identical, a series of problems such as IP address conflicts will arise in the LAN. The VSU must therefore detect dual main chassis and take recovery measures.

As shown in the figure above, when deploying the VSU system you need to configure an independent physical link between the chassis in addition to the VSL. This physical link is used to transfer dual-main-chassis detection packets when the VSL is disconnected, and is called the dual-main-chassis detection link. The ports connecting this link can be used only to transfer dual-main-chassis detection packets. You can run a CLI command to specify certain ports as dual-main-chassis detection ports.

After dual main chassis are detected, one chassis generally enters recovery mode to avoid network abnormalities. The VSU system supports Bidirectional Forwarding Detection (BFD) based detection and AP-based detection.

1) BFD based Detection: A port used for dual-main-chassis BFD must be a Layer 3 physical port; ports in other modes will not do. When you change the BFD port from a Layer 3 port into another mode, the detection is automatically cleared and a prompt is displayed. The extended BFD is used here, that is, the existing BFD configuration and display commands cannot be used to configure dual-main-chassis detection ports.

2) AP based Detection: The AP-based mechanism for detecting dual main chassis is similar to the BFD-based one. When the VSL is disconnected and two main chassis appear, the two main chassis send private protocol packets to each other to detect the dual-main-chassis condition. The difference from BFD-based detection is that AP-based detection is configured on the AP links between the VSU and a relay device, as shown in the figure below, and this relay device must be able to forward the private detection packets.

Recovery mode

When the main chassis is in recovery mode, all service ports except the following must be disabled:

VSL port: when the main chassis in recovery mode detects that the VSL is up again, the chassis resets itself and joins the VSU system in hot standby mode, becoming the new slave chassis.

MGMT port: you can use this port for remote management whether or not the main chassis is in recovery mode.

Exception port: you can specify certain ports as exception ports, which are not disabled when the main chassis enters recovery mode. To configure exception ports, run the dual-active exclude interface interface-name command.

In the dual-main-chassis state, or when a main chassis has entered recovery mode, the simplest recovery solution is to reconnect the VSL. If the VSL is not reconnected but the main chassis in recovery mode is manually restarted, the system enters the dual-main-chassis state again after the restart succeeds.
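Both election orders above, the membership rules (same domain ID, distinct chassis IDs) and the recovery-mode behaviour after a VSL break can be expressed as a small model. The following Python code is an added example, not Ruijie code: the chassis IDs, priorities and MAC addresses are constructed, the hop counts stand for what topology discovery would learn, and the tie-break in dual_active_loser (the chassis with the higher MAC enters recovery mode when priorities are equal) is an assumption of the model, chosen to mirror the election order.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Chassis:
    chassis_id: int
    domain_id: int
    priority: int          # running priority, 1-255, default 100
    mac: str               # constructed, locally administered addresses below
    current_active: bool = False   # already the active chassis before this election


def mac_value(mac):
    """Numeric value of a MAC so that 'lower MAC first' can be compared."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def elect_active(members):
    """Active election order: current active first, higher priority, lower MAC."""
    return min(members, key=lambda c: (not c.current_active, -c.priority, mac_value(c.mac)))


def elect_standby(members, active, hops):
    """Standby election order: nearest to the active (VSL hop count learned by
    topology discovery), higher priority, lower MAC."""
    others = [c for c in members if c is not active]
    return min(others, key=lambda c: (hops[c.chassis_id], -c.priority, mac_value(c.mac)))


def form_vsu(candidates, hops):
    """Apply the membership rules, then run both elections.

    hops maps chassis_id -> VSL hop count to the active chassis.
    Returns (active, standby)."""
    if len({c.domain_id for c in candidates}) != 1:
        raise ValueError("only members with the same domain ID can form a VSU")
    ids = [c.chassis_id for c in candidates]
    if len(set(ids)) != len(ids):
        raise ValueError("chassis IDs must differ (the VSU would recalculate them)")
    active = elect_active(candidates)
    return active, elect_standby(candidates, active, hops)


def dual_active_loser(a, b):
    """After a VSL break both chassis run as active; detection puts the
    lower-priority chassis into recovery mode. Equal priorities: the chassis
    with the higher MAC loses (assumption of this model)."""
    return min((a, b), key=lambda c: (c.priority, -mac_value(c.mac)))


def recovery_mode_shutdown(ports, vsl_ports, mgmt_ports, excluded):
    """Ports forced down in recovery mode: everything except VSL ports, MGMT
    ports and the ports listed with 'dual-active exclude interface'."""
    keep = set(vsl_ports) | set(mgmt_ports) | set(excluded)
    return [p for p in ports if p not in keep]


if __name__ == "__main__":
    # Constructed sample matching the basic VSU configuration in this chapter:
    # switch 1 priority 200, switch 2 priority 150, both in domain 1.
    s1 = Chassis(1, 1, 200, "02:00:00:00:00:02")
    s2 = Chassis(2, 1, 150, "02:00:00:00:00:01")
    active, standby = form_vsu([s1, s2], hops={1: 0, 2: 1})
    print("active:", active.chassis_id, "standby:", standby.chassis_id)
    print("recovery mode on chassis:", dual_active_loser(s1, s2).chassis_id)
    print("shut down:", recovery_mode_shutdown(
        ["Gi1/4/1", "Gi1/4/2", "Te1/1/2", "Mgmt 0", "Te2/1/1"],
        vsl_ports={"Te2/1/1"}, mgmt_ports={"Mgmt 0"}, excluded={"Te1/1/2"}))
```

The "current active first" rule is what keeps a running VSU stable: a chassis added later with a higher priority does not take over until the configuration is saved and the VSU reloaded, which matches the configured-versus-running priority distinction above.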

 

2.8.1.1          Configuring basic VSU

1.      Configuring active and standby VSU members

Active switch

Switch1# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch1(config)# switch virtual domain 1

Switch1(config-vs-domain)# switch 1

Switch1(config-vs-domain)# switch 1 priority 200    ------>Priority is 100 by default; the switch with the higher priority becomes the active chassis

Switch1(config-vs-domain)# exit

Switch1(config)# vsl-aggregateport 1         ------>The VSL is the heartbeat and traffic channel between the two VSU members. You must configure at least 2 pairs of VSL member ports

Switch1(config-vsl-ap-1)# port-member interface TenGigabitEthernet 2/1           

Switch1(config-vsl-ap-1)# port-member interface TenGigabitEthernet 2/2

Switch1(config-vsl-ap-1)# exit

 

Standby switch

Switch2# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch2(config)# switch virtual domain 1  ------>domain ID must be the same to that of active chassis

Switch2(config-vs-domain)# switch 2     ------>switch ID must be different from that of active chassis

Switch2(config-vs-domain)# switch 2 priority 150

Switch2(config-vs-domain)# exit

Switch2(config)# vsl-aggregateport 1  

Switch2(config-vsl-ap-1)# port-member interface TenGigabitEthernet 2/1      

Switch2(config-vsl-ap-1)# port-member interface TenGigabitEthernet 2/2

Switch2(config-vsl-ap-1)# exit

 

2. Connect the VSL cables and confirm that the links come up

3. Save the configuration and convert both VSU members to virtual mode at the same time

Active switch

Switch1# wr

Switch1# switch convert mode virtual         ------>convert switch working mode from standalone mode to virtual mode

Are you sure to convert switch to virtual mode[yes/no]yes

Do you want to recovery“config.text”from“virtual_switch.text”[yes/no]no  

 

Standby switch

Switch2# wr

Switch2# switch convert mode virtual 

Are you sure to convert switch to virtual mode[yes/no]yes

Do you want to recovery“config.text”from“virtual_switch.text”[yes/no]no

 

Both VSU members reload automatically

 

Attention: Be patient; building the VSU takes about 10 minutes.

During these 10 minutes the system prints the following logs continuously if the VSL links have failed or the peer switch has not reloaded yet:

*Aug 6 13:17:17: %VSU-5-RRP_TOPO_INIT: Topology initializing, please wait for a moment

*Aug 6 13:18:17: %VSU-5-RRP_TOPO_INIT: Topology initializing, please wait for a moment.

 

4. Verification

1. When the VSU is established, you manage the VSU on the active chassis.

2. You can identify the active switch by the Primary LED on the front of the main board, which is solid green

3. When the VSU is established, you can no longer manage the VSU from the standby chassis through its console port by default.

Ruijie# show switch virtual  

Switch_id  Domain_id  Priority  Position  Status  Role
---------  ---------  --------  --------  ------  -------
1(1)       1(1)       200(200)  LOCAL     OK      ACTIVE   ------>active
2(2)       1(1)       150(150)  REMOTE    OK      STANDBY  ------>standby

 

Ruijie#sh version slot

Dev Slot  Configured Module   Online Module      User Status   Software Status
--- ----  ------------------  -----------------  ------------  ---------------
1   1     none                none
1   2     M8606-24SFP/12GT    M8606-24SFP/12GT   installed     none
1   3     M8606-2XFP          M8606-2XFP         uninstalled   cannot startup
1   4     M8606-24GT/12SFP    M8606-24GT/12SFP   installed     ok
1   M1    M8606-CM            M8606-CM                         master
1   M2

 

2.8.1.2      Configuring VSU optimization

Overview

1.      When the VSL is disconnected, the standby chassis switches to active. If the former active chassis is still running, both chassis become active. Since their configurations are identical, a series of problems such as IP address conflicts will arise in the LAN. The VSU must therefore detect the dual-active condition and take recovery measures.

        

2.      After dual-active detection is enabled, the system detects the dual-active condition through control packets on the dedicated BFD link and puts the chassis with the lower priority into recovery mode; all of its ports, except the VSL ports, the MGMT port and the exception ports the administrator specifies (for example, reserved for Telnet), are forcibly shut down

 

When dual-active occurs, dual-active detection ensures the stability and high availability of your network. (You must use redundant connections to connect other switches to the VSU; in addition, one link must go to the active chassis and the other to the standby chassis.)

 

I. Configuration Steps

1. Configuring Dual-active Detections

Ruijie(config)# interface gi2/4/2

Ruijie(config-if)# no switchport ------>BFD detection must be applied on a Layer 3 port

Ruijie(config-if)# exit

Ruijie(config)# interface gi1/4/2

Ruijie(config-if)# no switchport 

Ruijie (config-if)# exit

 

Ruijie (config)# switch virtual domain 1

Ruijie(config-vs-domain)# dual-active detection bfd ------>enable BFD-based dual-active detection

Ruijie(config-vs-domain)# dual-active pair interface gi1/4/2 interface gi2/4/2    ------>configure a pair of BFD detection ports

Ruijie(config-vs-domain)# dual-active exclude interface  ten1/1/2   ------>configure the exception port

Ruijie(config-vs-domain)# dual-active exclude interface  ten2/1/2  

 

2.8.1.3      Configuring AP in VSU

Overview

An inter-chassis aggregate port (AP) group includes member ports from both VSU chassis. An inter-chassis AP can connect to any device (such as a server, switch or router) that supports port aggregation.

An inter-chassis AP allows load balancing of inter-chassis data streams. For example, when data streams enter the VSU system through the main chassis, the VSU prefers the member ports located in the main chassis. This ensures that unnecessary data streams are not transmitted over the VSL, reducing the load on the VSL.

The following figure shows the typical application of AP in a VSU.

 

I. Configuration Steps

1. Configuring layer 3 AP on VSU:

Ruijie(config)#interface aggregateport 2

Ruijie(config-if-AggregatePort 2)#no switchport

Ruijie(config-if-AggregatePort 2)#description link-to-xxxx

Ruijie(config-if-AggregatePort 2)#ip add 172.16.1.6 255.255.255.252

Ruijie(config-if-AggregatePort 2)#exit

Ruijie(config)#interface ten 1/3/1

Ruijie(config-if-TenGigabitEthernet 1/3/1)#no switchport

Ruijie(config-if-TenGigabitEthernet 1/3/1)#description link-to-yyyy

Ruijie(config-if-TenGigabitEthernet 1/3/1)#port-group 2

Ruijie(config-if-TenGigabitEthernet 1/3/1)#exit

Ruijie(config)#interface ten 2/3/1

Ruijie(config-if-TenGigabitEthernet 2/3/1)#no switchport

Ruijie(config-if-TenGigabitEthernet 2/3/1)#description link-to-yyyy

Ruijie(config-if-TenGigabitEthernet 2/3/1)#port-group 2

Ruijie(config-if-TenGigabitEthernet 2/3/1)#exit

 

2. Configuring layer 2 AP on VSU:

Ruijie(config)#interface aggregateport 4

Ruijie(config-if-AggregatePort 4)#switchport mode trunk

Ruijie(config-if-AggregatePort 4)#switchport trunk allowed vlan remove xxxx ----->prune trunk port based on requirement

Ruijie(config-if-AggregatePort 4)#description link-to-xxxx

Ruijie(config-if-AggregatePort 4)#exit

Ruijie(config)#interface gigabitEthernet 1/4/1

Ruijie(config-if-GigabitEthernet 1/4/1)#port-group 4

Ruijie(config-if-GigabitEthernet 1/4/1)#description link-to-yyyy

Ruijie(config-if-GigabitEthernet 1/4/1)#exit

Ruijie(config)#interface gigabitEthernet 2/4/1

Ruijie(config-if-GigabitEthernet 2/4/1)#port-group 4

Ruijie(config-if-GigabitEthernet 2/4/1)#description link-to-yyyy

Ruijie(config-if-GigabitEthernet 2/4/1)#exit

 

2.8.1.4      Verifying VSU

 

2.8.2      1X-Web Authentication

2.8.2.1      Secure Channel, Authentication-Free, and Emergency Channel

Features

Secure channel: Generally, after 1X authentication is deployed, data packets from unauthenticated user ports are discarded. The secure channel allows unauthenticated users to access designated websites. It can be deployed to facilitate client distribution, to reserve authentication-free access for managers, and for terminals that do not support authentication (for example, printers and all-purpose terminals).

Emergency channel: In a 1X authentication scenario with only one Radius server, all users lose Internet access once the Radius server fails, and services are seriously affected. In that case, the authentication configuration must be removed from all ports one by one to recover services. If an emergency channel is deployed, the switch allows users to access the Internet without authentication when authentication fails multiple times or the Radius server is considered dead.

I. Networking Requirements

1. The 1X function is enabled on the core switch to authenticate managed users before they access resources.

2. Authenticated users can access all resources while unauthenticated users can access only certain Intranet resources.

3. Authentication-free access to intranet resources is enabled for some users (PC2).

4. When the active Radius server fails to function normally, user authentication is switched to the backup Radius server. When both active and standby Radius servers fail, managed users can access resources without authentication (through an emergency channel).

II. Network Topology

III. Configuration Tips

1. On the core switch, enable AAA and configure the Radius server and key parameters.

2. On the Radius server, configure the related parameters. (In this example, the SAM is used as the Radius server.)

3. Configure an expert ACL to allow access to the servers before user authentication.

4. The core switch, managed users, and the Radius server can be on different network segments, so long as the core switch can properly communicate with the Radius server and the clients can reach the controlled ports on the core switch via the access switch.

5. Configure the parameters for the communication between the switch and the Radius server to deploy an emergency channel.

 

IV. Configuration Steps

Configure the core switch.

1. Basic dot1x configuration

Ruijie>enable

Ruijie#configure terminal

Ruijie(config)#aaa new-model    ------>enable AAA

Ruijie(config)#radius-server host 192.168.33.244   ------>configure radius server

Ruijie(config)#radius-server host 192.168.33.245   ------>configure backup radius server

Ruijie(config)#radius-server key ruijie      ------>configure radius key

Ruijie(config)#aaa authentication dot1x ruijie group radius  none  ------> Define an IEEE802.1x authentication method list.

Ruijie(config)#aaa accounting network ruijie start-stop group radius   ------> Define the AAA network accounting method list.

Ruijie(config)#aaa accounting update periodic 15   ------> Set the account update function.

Ruijie(config)#dot1x authentication ruijie        ------> select the authentication method list for 802.1X

Ruijie(config)#dot1x accounting ruijie            ------> select the accounting method list for 802.1X

Ruijie(config)#interface gigabitEthernet 1/2

Ruijie(config-if-GigabitEthernet 1/2)#switchport mode trunk

Ruijie(config-if-GigabitEthernet 1/2)#dot1x port-control auto       ------> Enable 802.1X authentication on the interface

Ruijie(config-if-GigabitEthernet 1/2)#ip add 192.168.33.161 255.255.255.0    ------> configure switch ip address

Ruijie(config-if-GigabitEthernet 1/2)#end

Ruijie#write   ------> save configuration

 

2. Enable the secure channel function

Ruijie(config)#expert access-list extended ruijie

Ruijie(config-exp-nacl)#permit arp any any any any any  ------>exempt ARP packets from authentication

Ruijie(config-exp-nacl)#permit ip any any host 192.168.33.61 any ------> allow access to this server (site home page) before authentication

Ruijie(config-exp-nacl)#permit ip any any host 192.168.33.62 any ------> allow access to this server (site home page) before authentication

Ruijie(config-exp-nacl)#permit ip any any host 192.168.33.244 any ------> allow access to the Radius (SAM) server before authentication

Ruijie(config-exp-nacl)#permit ip host 192.168.33.163 host 001a.a9c4.062f any any ------> this host (IP + MAC) is exempt from authentication

Ruijie(config-exp-nacl)#exit

Ruijie(config)#security global access-group ruijie

 

1X authentication-free description

There are two ways to exempt users from authentication: (1) configure a secure channel that permits the user's IP address or MAC address; (2) configure direct-vlan, which exempts all users in the specified VLANs from authentication.

Plan 1: Configure a secure channel (there are three methods)

 

Method 1: permit host IP address

expert access-list extended no1x

10 permit arp any any  any any any

20 permit ip host 192.168.1.23 any any any   ------->permit host IP address

security global access-group no1x

 

Method 2: permit host MAC address

expert access-list extended no1x

10 permit arp any any  any any any

30 permit ip any host 0010.123c.513d any any   ------->permit host MAC address

security global access-group no1x

 

Method 3: permit IP + MAC

expert access-list extended no1x

10 permit arp any any  any any any

40  permit ip host 192.168.1.23 host 0010.123c.513d any any   ------->permit ip and mac address

security global access-group no1x

 

Plan 2: Configure direct-vlan

Configuration command: direct-vlan 1-20      ------>direct-vlan takes effect for both 1X authentication and web authentication

 

 

Notes:

If the secure channel (which takes priority over 1X authentication) is enabled, user ARP packets must be allowed to pass so that users can communicate with the gateway. Because the secure channel has the higher priority, the anti-ARP-spoofing function no longer applies to that traffic.

Solution: Do not permit all ARP packets. Permit only ARP packets destined for the gateway. ARP check then still applies, and ARP spoofing between users is prevented. ARP spoofing is not completely prevented, however, because a user can still spoof another user's address toward the gateway.

Ruijie(config)#expert access-list extended permit1x

Ruijie(config-exp-nacl)#permit ip any any host 192.168.1.254 any           ------> allow access to the site home page before authentication

Ruijie(config-exp-nacl)#permit arp any any any any host 192.168.33.1   ------> allow ARP only toward the gateway, instead of "permit arp any any any any any"

Ruijie(config-exp-nacl)#exit

Ruijie(config)#security global access-group permit1x
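The following is an added example, not code from the Ruijie cookbook: a small evaluator for the expert-ACL secure-channel rules shown in Plan 1 and in the Notes above. It decides, for a constructed packet, whether the packet bypasses 802.1X, and contrasts an ACL that permits all ARP with one that permits ARP only toward the gateway. The positional meaning of the five ARP fields (source MAC, destination MAC, sender IP, sender MAC, target IP) is an assumption; the page only shows that the last field is the ARP target IP.

```python
"""Added example, not part of the Ruijie cookbook: evaluate expert-ACL
secure-channel rules (first matching rule wins; no match means the packet
stays subject to 802.1X authentication)."""

# Positional fields of 'permit ip' rules as used on this page:
#   permit ip <src-ip> <src-mac> <dst-ip> <dst-mac>
IP_FIELDS = ("src_ip", "src_mac", "dst_ip", "dst_mac")
# Assumption for the five 'permit arp' fields; the page only shows that the
# last one is the ARP target IP (the gateway rule).
ARP_FIELDS = ("src_mac", "dst_mac", "sender_ip", "sender_mac", "target_ip")


def parse_rule(line):
    """Parse one rule line such as '10 permit ip host 192.168.1.23 any any any'."""
    tokens = line.split()
    if tokens and tokens[0].isdigit():          # optional sequence number
        tokens = tokens[1:]
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not an ACL rule: {line!r}")
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    fields = {"ip": IP_FIELDS, "arp": ARP_FIELDS}[proto]
    match, i = {}, 0
    for name in fields:
        if i >= len(rest):
            raise ValueError(f"rule is missing the {name} field: {line!r}")
        if rest[i] == "any":                    # wildcard
            match[name], i = None, i + 1
        elif rest[i] == "host" and i + 1 < len(rest):
            match[name], i = rest[i + 1].lower(), i + 2
        else:
            raise ValueError(f"bad token {rest[i]!r} in {line!r}")
    if i != len(rest):
        raise ValueError(f"trailing tokens in {line!r}")
    return action, proto, match


def parse_acl(text):
    """Parse an ACL body; lines that are not rules (such as the ACL header) are skipped."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok and (tok[0].isdigit() or tok[0] in ("permit", "deny")):
            rules.append(parse_rule(line))
    return rules


def bypasses_dot1x(rules, packet):
    """True if the secure channel exempts this packet from 802.1X."""
    for action, proto, match in rules:
        if proto != packet["proto"]:
            continue
        if all(want is None or packet.get(name, "").lower() == want
               for name, want in match.items()):
            return action == "permit"
    return False   # implicit deny: the packet is still subject to authentication


# Constructed ACL: the three Plan 1 methods plus a portal server, with ARP
# permitted for everyone (the secure channel as first written in the Notes).
SECURE_CHANNEL_ALL_ARP = parse_acl("""
expert access-list extended no1x
 10 permit arp any any any any any
 20 permit ip host 192.168.1.23 any any any
 30 permit ip any host 0010.123c.513d any any
 40 permit ip host 192.168.1.24 host 0010.123c.513e any any
 50 permit ip any any host 192.168.33.61 any
""")
# Constructed ACL: ARP is exempt only when its target is the gateway
# 192.168.1.254, as the Notes recommend.
SECURE_CHANNEL_GW_ARP = parse_acl("""
expert access-list extended permit1x
 10 permit arp any any any any host 192.168.1.254
 20 permit ip any any host 192.168.1.254 any
 50 permit ip any any host 192.168.33.61 any
""")

# Constructed packets.
ARP_TO_GATEWAY = {"proto": "arp", "src_mac": "0010.123c.5100", "target_ip": "192.168.1.254"}
ARP_TO_PEER = {"proto": "arp", "src_mac": "0010.123c.5100", "target_ip": "192.168.1.30"}
IP_FROM_EXEMPT_HOST = {"proto": "ip", "src_ip": "192.168.1.23", "src_mac": "0010.123c.5100",
                       "dst_ip": "203.0.113.10", "dst_mac": "0000.5e00.010a"}
IP_WRONG_MAC = {"proto": "ip", "src_ip": "192.168.1.24", "src_mac": "0010.123c.5100",
                "dst_ip": "203.0.113.10", "dst_mac": "0000.5e00.010a"}   # IP+MAC rule needs both
IP_TO_PORTAL = {"proto": "ip", "src_ip": "192.168.1.99", "src_mac": "0010.123c.5199",
                "dst_ip": "192.168.33.61", "dst_mac": "0000.5e00.010a"}
IP_TO_INTERNET = {"proto": "ip", "src_ip": "192.168.1.99", "src_mac": "0010.123c.5199",
                  "dst_ip": "203.0.113.10", "dst_mac": "0000.5e00.010a"}

if __name__ == "__main__":
    for name, acl in (("all ARP", SECURE_CHANNEL_ALL_ARP), ("gateway ARP", SECURE_CHANNEL_GW_ARP)):
        print(name, "ARP to peer bypasses 802.1X:", bypasses_dot1x(acl, ARP_TO_PEER))
```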

 

3. You can adjust the timing parameters between the switch and the Radius server to control when the authentication method switches. For example, the configuration "aaa authentication dot1x ruijie group radius none" means that authentication is first attempted on the active Radius server, is switched to the backup Radius server if the active server does not respond within the specified period, and falls back to the none method (no authentication) if both the active and backup Radius servers fail to respond.

Ruijie(config)#radius-server timeout 2       ------> waiting time before the switch resends a request (2 s by default)

Ruijie(config)#radius-server retransmit 2   ------> number of times a request is resent before the switch considers the Radius server unreachable (3 by default)

Ruijie(config)#radius-server dead-criteria time 6 tries 3     ------> define the time and number of tries after which the server is declared dead

Ruijie(config)#radius-server deadtime 5     ------> how long a server that does not respond to the device's requests is considered dead (5 minutes by default)

Ruijie(config)#dot1x timeout server-timeout 20      ------> time 802.1X waits for the authentication server (20 s here)

 

dot1x timeout server-timeout is the timeout of 802.1X authentication itself. It is independent of the Radius timeout, but radius timeout × (retransmit + 1) must be smaller than dot1x timeout server-timeout; otherwise the emergency channel does not take effect. In this example, 2 × (2 + 1) = 6 s, which is smaller than 20 s, so the emergency channel is effective.
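The following is an added example, not code from the Ruijie cookbook: it checks the timing rule above (radius timeout × (retransmit + 1) must be smaller than dot1x server-timeout) against the timer lines of a running configuration, and measures the actual time from the first Access-Request to the %AAA-7-FAILOVER message in "debug radius event" output. The configuration fragment and debug excerpt are constructed from the commands and log lines in this section.

```python
"""Added example, not from the Ruijie cookbook: verify the emergency-channel
timing rule from a configuration and cross-check it against debug output."""
import re
from datetime import datetime

# Defaults named on this page: radius-server timeout 2 s, retransmit 3.
DEFAULTS = {"radius_timeout": 2, "radius_retransmit": 3}

TIMER_PATTERNS = {
    "radius_timeout": re.compile(r"^radius-server timeout (\d+)$"),
    "radius_retransmit": re.compile(r"^radius-server retransmit (\d+)$"),
    "dot1x_server_timeout": re.compile(r"^dot1x timeout server-timeout (\d+)$"),
}


def parse_timers(config):
    """Pick the three timers out of a configuration; absent Radius timers use
    DEFAULTS, while dot1x server-timeout stays None if it is not configured."""
    timers = dict(DEFAULTS, dot1x_server_timeout=None)
    for line in config.splitlines():
        for key, pattern in TIMER_PATTERNS.items():
            m = pattern.match(line.strip())
            if m:
                timers[key] = int(m.group(1))
    return timers


def radius_failover_seconds(timers):
    """Worst case for one server: the first request and every retransmission
    each wait a full timeout before the server is given up on."""
    return timers["radius_timeout"] * (timers["radius_retransmit"] + 1)


def emergency_channel_effective(timers):
    """Return (ok, reason) according to the rule stated on this page."""
    budget = radius_failover_seconds(timers)
    limit = timers["dot1x_server_timeout"]
    if limit is None:
        return False, "dot1x timeout server-timeout is not configured; cannot verify"
    if budget < limit:
        return True, f"{budget}s < {limit}s: RADIUS gives up before 802.1X times out"
    return False, f"{budget}s >= {limit}s: 802.1X times out first, the none method is never reached"


# Timestamped debug lines look like '*Mar 16 18:07:20: %7: [radius] 16 send'.
DEBUG_LINE = re.compile(r"^\*(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}): (.*)$")


def failover_timeline(debug_output, pkt_id):
    """Count the sends of one RADIUS packet id and return (sends, seconds from
    the first send to the %AAA-7-FAILOVER message); seconds is None without failover."""
    first_send, sends = None, 0
    for line in debug_output.splitlines():
        m = DEBUG_LINE.match(line.strip())
        if not m:
            continue
        stamp = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        message = m.group(2)
        if message.endswith(f"[radius] {pkt_id} send"):
            sends += 1
            first_send = first_send or stamp
        elif "%AAA-7-FAILOVER" in message and first_send is not None:
            return sends, (stamp - first_send).total_seconds()
    return sends, None


# Constructed configuration fragment and debug excerpt modelled on this section.
SAMPLE_CONFIG = """\
radius-server host 192.168.33.244
radius-server timeout 2
radius-server retransmit 2
radius-server deadtime 5
dot1x timeout server-timeout 20
"""
SAMPLE_DEBUG = """\
*Mar 16 18:07:20: %7: [radius] 16 send
*Mar 16 18:07:22: %7: [radius] user 16 retry
*Mar 16 18:07:22: %7: [radius] 16 send
*Mar 16 18:07:24: %7: [radius] user 16 retry
*Mar 16 18:07:24: %7: [radius] 16 send
*Mar 16 18:07:26: %7: [radius] user 16 retry
*Mar 16 18:07:26: %AAA-7-FAILOVER: Failing over from 'dot1x' for client 0021.cccf.6f70 on Interface GigabitEthernet 0/1.
"""

if __name__ == "__main__":
    ok, reason = emergency_channel_effective(parse_timers(SAMPLE_CONFIG))
    print(ok, reason)                              # True, 6s < 20s
    print(failover_timeline(SAMPLE_DEBUG, 16))     # (3, 6.0)
```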

 

V. Verification

1. Before authentication, users can access the resources permitted by the secure channel but cannot access resources outside the secure channel.

Likewise, a user whose IP and MAC address are permitted by the secure channel is exempt from authentication and can communicate normally.

 

2. When the Radius server is down, the user is admitted through the emergency channel (escape function).

Check the user info.

 

3. Enable debug radius event to see the entire escape process

Ruijie#debug radius event

Ruijie#*Mar 16 18:07:20: %7: [radius] aaa req authentication to group radius

*Mar 16 18:07:20: %7:  __rds_add_attr  type = 24 len = 0

*Mar 16 18:07:20: %7: [radius] 16 send

*Mar 16 18:07:20: %7: pkt len 676 code 1 id 16

*Mar 16 18:07:20: %7: calcu msg auth ok

*Mar 16 18:07:20: %7: [radius] radius access requests(12).   ------> sent access-request for the first time

*Mar 16 18:07:22: %7: [radius] user 16 retry

*Mar 16 18:07:22: %7: [radius] 16 send

*Mar 16 18:07:22: %7: pkt len 676 code 1 id 16

*Mar 16 18:07:22: %7: calcu msg auth ok

*Mar 16 18:07:22: %7: [radius] radius access requests retransmissions(18) timeout(18). ------>timeout for the first time after 2 seconds

*Mar 16 18:07:24: %7: [radius] user 16 retry

*Mar 16 18:07:24: %7: [radius] 16 send

*Mar 16 18:07:24: %7: pkt len 676 code 1 id 16

*Mar 16 18:07:24: %7: calcu msg auth ok

*Mar 16 18:07:24: %7: [radius] radius access requests retransmissions(19) timeout(19).   ------> timeout for the second time after 4 seconds

*Mar 16 18:07:26: %7: [radius] user 16 retry

*Mar 16 18:07:26: %7: [rds_user] rds delete user, state 2, atype 0

*Mar 16 18:07:26: %7: [rds_user] rds free user id 7, pkid 16   ------> timeout for the third time after 6 seconds

*Mar 16 18:07:26: %AAA-7-FAILOVER: Failing over from 'dot1x' for client 0021.cccf.6f70 on Interface GigabitEthernet 0/1.

*Mar 16 18:07:26: %7: [radius] aaa req accounting to group radius

*Mar 16 18:07:26: %7: [accounting] acct len 116

*Mar 16 18:07:26: %7:  __rds_add_attr  type = 25 len = 0

*Mar 16 18:07:26: %7: [radius] 17 send

*Mar 16 18:07:26: %7: [radius] radius acc requests(5) and pending(3).

*Mar 16 18:07:28: %7: [radius] user 17 retry

*Mar 16 18:07:28: %7: [radius] 17 send

*Mar 16 18:07:28: %7: [radius] radius acc retransmissions(5) timeout(5).

*Mar 16 18:07:30: %7: [radius] user 17 retry

*Mar 16 18:07:30: %7: [radius] 17 send

*Mar 16 18:07:30: %7: [radius] radius acc retransmissions(6) timeout(6).

*Mar 16 18:07:32: %7: [radius] user 17 retry

*Mar 16 18:07:32: %7: [rds_user] rds delete user, state 2, atype 2

*Mar 16 18:07:32: %7: [rds_user] rds free user id 7, pkid 17

 

2.8.3      MSTP+VRRP

2.8.3.1      MSTP+VRRP Overview

Two common deployment patterns of MSTP+VRRP:

1. MSTP with a single instance:

As shown in the figure below, SW1 is the root bridge of MSTP instance 0, to which all VLANs are mapped, and the master VRRP gateway for all VLANs. This deployment pattern of MSTP is almost the same as RSTP.

 

Merit: easier maintenance and implementation

Demerit: SW2 is the secondary root and backup VRRP gateway and does not forward any traffic, which wastes network resources.

 

2. MSTP with multiple instances:

As shown in the figure below, SW1 is the root bridge for MSTP instance 1 and secondary root for instance 2. SW2 is the root bridge for MSTP instance 2 and secondary root for instance 1. MSTP instance 1 includes VLANs 10, 60 and 80, and instance 2 includes VLANs 20, 30 and 70.

SW1 is the master VRRP gateway for VLANs 10, 60 and 80 and the backup VRRP gateway for VLANs 20, 30 and 70. SW2 is the master VRRP gateway for VLANs 20, 30 and 70 and the backup gateway for VLANs 10, 60 and 80.

 

Merit: fully uses network resources

Demerit: more complicated configuration and maintenance than MSTP with a single instance
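The following is an added example, not code from the Ruijie cookbook: a consistency check for the multiple-instance pattern described above. It parses the MSTP and VRRP commands used in this chapter from constructed configuration fragments of SW1 and SW2 and verifies that, for every VLAN, the switch that is MSTP root of the VLAN's instance is also the VRRP master for that VLAN (otherwise user traffic detours over the inter-switch link), and that both switches share the region name and VLAN-to-instance mapping. Ties are broken by switch name here as a stand-in for the real bridge-MAC and IP-address tie-breaks.

```python
"""Added example, not from the Ruijie cookbook: check that MSTP root and VRRP
master agree per VLAN in a multiple-instance MSTP+VRRP design."""


def expand_vlans(spec):
    """'10,20,30-32' -> [10, 20, 30, 31, 32]"""
    vlans = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.extend(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_switch(config):
    """Read the MSTP and VRRP commands of this chapter from one switch's configuration."""
    sw = {"region": None, "instance_map": {}, "mst_priority": {}, "vrrp_priority": {}}
    vlan = None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name" and len(tok) == 2:                  # MST region name
            sw["region"] = tok[1]
        elif tok[0] == "instance" and len(tok) == 4:            # instance N vlan LIST
            for v in expand_vlans(tok[3]):
                sw["instance_map"][v] = int(tok[1])
        elif tok[:2] == ["spanning-tree", "mst"] and "priority" in tok:
            sw["mst_priority"][int(tok[2])] = int(tok[tok.index("priority") + 1])
        elif len(tok) == 3 and tok[0].startswith("inter") and tok[1] == "vlan":
            vlan = int(tok[2])                                  # interface vlan N
        elif len(tok) == 4 and tok[0] == "vrrp" and tok[2] == "ip":
            sw["vrrp_priority"].setdefault(vlan, 100)           # group created, default priority 100
        elif len(tok) == 4 and tok[0] == "vrrp" and tok[2] == "priority":
            sw["vrrp_priority"][vlan] = int(tok[3])
    return sw


def mst_root(instance, switches):
    """Lowest priority wins (default 32768); ties by name stand in for the bridge-MAC tie-break."""
    return min(switches, key=lambda n: (switches[n]["mst_priority"].get(instance, 32768), n))


def vrrp_master(vlan, switches):
    """Highest priority wins; a switch with no VRRP group on the VLAN cannot be master."""
    return max(switches, key=lambda n: (switches[n]["vrrp_priority"].get(vlan, -1), n))


def check_design(switches):
    """Return a list of problems; an empty list means the design is consistent."""
    problems = []
    if len({sw["region"] for sw in switches.values()}) != 1:
        problems.append("MST region names differ between switches")
    if len({tuple(sorted(sw["instance_map"].items())) for sw in switches.values()}) != 1:
        problems.append("VLAN-to-instance mappings differ between switches")
    first = next(iter(switches.values()))
    for vlan in sorted(set().union(*(sw["vrrp_priority"] for sw in switches.values()))):
        instance = first["instance_map"].get(vlan, 0)          # unmapped VLANs belong to instance 0
        root, master = mst_root(instance, switches), vrrp_master(vlan, switches)
        if root != master:
            problems.append(f"VLAN {vlan}: MSTP root of instance {instance} is {root}, VRRP master is {master}")
    return problems


# Constructed configuration fragments following this chapter (VLANs 10 and 50 shown).
SW1 = """
spanning-tree mst configuration
 name ruijie
 instance 1 vlan 10,20,30,40,60,70
 instance 2 vlan 50,80
spanning-tree mst 1 priority 0
spanning-tree mst 2 priority 4096
interface vlan 10
 vrrp 10 ip 192.168.10.254
 vrrp 10 priority 120
interface vlan 50
 vrrp 50 ip 192.168.50.254
"""
SW2 = """
spanning-tree mst configuration
 name ruijie
 instance 1 vlan 10,20,30,40,60,70
 instance 2 vlan 50,80
spanning-tree mst 1 priority 4096
spanning-tree mst 2 priority 0
interface vlan 10
 vrrp 10 ip 192.168.10.254
interface vlan 50
 vrrp 50 ip 192.168.50.254
 vrrp 50 priority 120
"""
# Constructed mistake: SW2 was never made root of instance 2.
SW2_BROKEN = SW2.replace("spanning-tree mst 2 priority 0", "spanning-tree mst 2 priority 4096")

if __name__ == "__main__":
    print(check_design({"SW1": parse_switch(SW1), "SW2": parse_switch(SW2)}))         # []
    print(check_design({"SW1": parse_switch(SW1), "SW2": parse_switch(SW2_BROKEN)}))  # one VLAN 50 problem
```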

 

2.8.3.2      Configuring MSTP with single instance

Note:

The "MSTP + VRRP" deployment pattern is being replaced by VSU day by day, and we suggest you apply VSU where possible. Even so, "MSTP + VRRP" is still a fallback method to ensure a redundant and reliable network when the core and distribution switches do not support VSU.

We suggest you remove some interconnection links first to avoid a Layer 2 loop.

 

I. Network Topology

 

SW1 is the master VRRP gateway for users on all vlans, and SW2 is the backup VRRP gateway for users on all vlans. Connect SW1 and SW2 through an Aggregate port to ensure reliability and configure this AP as Trunk port.

The IP addresses of SW1 on VLANs 10 to 80 are 192.168.10.1 to 192.168.80.1, the IP addresses of SW2 on VLANs 10 to 80 are 192.168.10.2 to 192.168.80.2, and the VRRP virtual IP addresses are 192.168.10.254 to 192.168.80.254.

 

II. Configuration Steps

Configuring SW1

Configuring MSTP

Ruijie#config terminal

Ruijie(config)#spanning-tree mst 0 priority 0   ------>instance id=0, priority=0 (the lower the number, the more likely the switch is chosen as the root bridge); by default, all VLANs are mapped to instance 0

Ruijie(config)#spanning-tree        ------>enable the STP feature; the default STP mode is MSTP

Ruijie(config)#exit

 

Configuring AP

Ruijie#config terminal

Ruijie(config)#interface aggregateport 1

Ruijie(config-if-AggregatePort 1)#switchport mode trunk

Ruijie(config-if-AggregatePort 1)#exit

Ruijie(config)#interface tengigabitEthernet 3/1                       

Ruijie(config-if-TenGigabitEthernet 3/1)#port-group 1

Ruijie(config-if-TenGigabitEthernet 3/1)#exit

Ruijie(config)#interface tengigabitEthernet 3/2     

Ruijie(config-if-TenGigabitEthernet 3/2)#port-group 1

Ruijie(config-if-TenGigabitEthernet 3/2)#exit

 

Ruijie(config)#interface range gigabitEthernet 1/1-5  

Ruijie(config-if-range)#switchport mode trunk      ----->don't forget to prune trunk port

 

Configuring VRRP

Ruijie(config)#vlan 10

Ruijie(config)#inter vlan 10

Ruijie(config-if-VLAN 10)#ip address 192.168.10.1 255.255.255.0

Ruijie(config-if-VLAN 10)#vrrp 10 ip 192.168.10.254

Ruijie(config-if-VLAN 10)#vrrp 10 priority 120            ------> vrrp group id=10 , priority value=120 (the bigger the number , the more likely the switch will be chosen as the  master ,and default value is 100)

Ruijie(config-if-VLAN 10)#exit

 

Ruijie(config)#vlan 20

Ruijie(config)#inter vlan 20

Ruijie(config-if-VLAN 20)#ip address 192.168.20.1 255.255.255.0

Ruijie(config-if-VLAN 20)#vrrp 20 ip 192.168.20.254

Ruijie(config-if-VLAN 20)#vrrp 20 priority 120

Ruijie(config-if-VLAN 20)#exit

 

...........configuration of VLAN 30 ~ VLAN 70 are omitted............

 

Ruijie(config)#vlan 80

Ruijie(config)#inter vlan 80

Ruijie(config-if-VLAN 80)#ip address 192.168.80.1 255.255.255.0

Ruijie(config-if-VLAN 80)#vrrp 80 ip 192.168.80.254

Ruijie(config-if-VLAN 80)#vrrp 80 priority 120

Ruijie(config-if-VLAN 80)#exit

 

Configuring SW2

Ruijie#config terminal

Ruijie(config)#spanning-tree mst 0 priority 4096   ------>instance id=0 , priority=4096(The lower the number, the more likely the switch will be chosen as the root bridge) by default , all vlans are mapped to instance 0

 

Ruijie(config)#spanning-tree        ------>enable STP feature and default mode is MSTP

Ruijie(config)#exit

 

Configuring AP

Ruijie#config terminal

Ruijie(config)#interface aggregateport 1

Ruijie(config-if-AggregatePort 1)#switchport mode trunk

Ruijie(config-if-AggregatePort 1)#exit

Ruijie(config)#interface tengigabitEthernet 3/1                       

Ruijie(config-if-TenGigabitEthernet 3/1)#port-group 1

Ruijie(config-if-TenGigabitEthernet 3/1)#exit

Ruijie(config)#interface tengigabitEthernet 3/2              

Ruijie(config-if-TenGigabitEthernet 3/2)#port-group 1

Ruijie(config-if-TenGigabitEthernet 3/2)#exit

Ruijie(config)#interface range gigabitEthernet 1/1-5  

Ruijie(config-if-range)#switchport mode trunk  ----->don't forget to prune trunk port

 

Configuring VRRP

Ruijie(config)#vlan 10

Ruijie(config)#inter vlan 10

Ruijie(config-if-VLAN 10)#ip address 192.168.10.2 255.255.255.0

Ruijie(config-if-VLAN 10)#vrrp 10 ip 192.168.10.254         ------>vrrp group id=10 , priority value remains default setting(the bigger the number , the more likely the switch will be chosen as the  master ,and default value is 100)

Ruijie(config-if-VLAN 10)#exit

 

Ruijie(config)#vlan 20

Ruijie(config)#inter vlan 20

Ruijie(config-if-VLAN 20)#ip address 192.168.20.2 255.255.255.0

Ruijie(config-if-VLAN 20)#vrrp 20 ip 192.168.20.254

Ruijie(config-if-VLAN 20)#exit

 

...........configuration of VLAN 30 ~ VLAN 70 are omitted............

 

Ruijie(config)#vlan 80

Ruijie(config)#inter vlan 80

Ruijie(config-if-VLAN 80)#ip address 192.168.80.2 255.255.255.0

Ruijie(config-if-VLAN 80)#vrrp 80 ip 192.168.80.254

Ruijie(config-if-VLAN 80)#exit

 

Configuring SW11, SW12, SW13, SW14, SW15, SW16

Ruijie#config terminal

Ruijie(config)#interface range gigabitEthernet 0/25-26  

Ruijie(config-if-range)#switchport mode trunk

Ruijie(config-if-range)#exit

 

Ruijie(config)#spanning-tree   ------>enable STP feature and default mode is MSTP

Ruijie(config)#exit

 

If we want to manually direct MSTP to put G0/25 on SW11 and SW12 into the forwarding state, we can assign a higher cost value to G0/26 so that MSTP blocks G0/26. (If a loop occurs, MSTP uses the path cost when selecting an interface to place into the forwarding state. A lower path cost represents higher-speed transmission.)

Ruijie(config)#interface gi0/26

Ruijie(config-if-GigabitEthernet 0/26)#spanning-tree cost 200000    ------>the default value is derived from the media speed of the interface, and the cost value of a 1000M port is 20000

Ruijie(config-if-GigabitEthernet 0/26)#exit

 

Connecting cables and verifying the status of STP and VRRP

1.  This example displays that SW1 is the root bridge

SW1

Ruijie#show spanning-tree

StpVersion : MSTP

SysStpStatus : ENABLED

MaxAge : 20

HelloTime : 2

ForwardDelay : 15

BridgeMaxAge : 20

BridgeHelloTime : 2

BridgeForwardDelay : 15

MaxHops: 20

TxHoldCount : 3

PathCostMethod : Long

BPDUGuard : Disabled

BPDUFilter : Disabled

LoopGuardDef  : Disabled

 

###### mst 0 vlans map : ALL

BridgeAddr : 1414.4b19.ecc0 ------>local MAC address

Priority: 0

TimeSinceTopologyChange : 12d:0h:19m:46s

TopologyChanges : 0

DesignatedRoot : 0.1414.4b19.ecc0  ------>root MAC address

RootCost : 0  

RootPort : 0

CistRegionRoot : 0.1414.4b19.ecc0

CistPathCost : 0 

 

2. This example displays that SW1 is the VRRP master

Ruijie#show vrrp 10

VLAN 10 - Group 10

  State is Master        

  Virtual IP address is 192.168.10.254 configured

  Virtual MAC address is 0000.5e00.010a

  Advertisement interval is 1 sec

  Preemption is enabled

    min delay is 0 sec

  Priority is 120

  Master Router is 192.168.10.1 (local), priority is 120

  Master Advertisement interval is 1 sec

  Master Down interval is 3.53 sec

 

Ruijie#show vrrp brief

Interface    Grp  Pri   timer   Own  Pre   State   Master addr      Group addr
VLAN 10      10   120   3.53    -    P     Master  192.168.10.1     192.168.10.254
VLAN 20      20   120   3.53    -    P     Master  192.168.20.1     192.168.20.254
VLAN 30      30   120   3.53    -    P     Master  192.168.30.1     192.168.30.254
VLAN 40      40   120   3.53    -    P     Master  192.168.40.1     192.168.40.254
VLAN 50      50   120   3.53    -    P     Master  192.168.50.1     192.168.50.254
VLAN 60      60   120   3.53    -    P     Master  192.168.60.1     192.168.60.254
VLAN 70      70   120   3.53    -    P     Master  192.168.70.1     192.168.70.254
VLAN 80      80   120   3.53    -    P     Master  192.168.80.1     192.168.80.254

 

3. This example, taken on SW2, displays that SW1 is the root bridge

SW2:

Ruijie#show spanning-tree

StpVersion : MSTP

SysStpStatus : ENABLED

MaxAge : 20

HelloTime : 2

ForwardDelay : 15

BridgeMaxAge : 20

BridgeHelloTime : 2

BridgeForwardDelay : 15

MaxHops: 20

TxHoldCount : 3

PathCostMethod : Long

BPDUGuard : Disabled

BPDUFilter : Disabled

LoopGuardDef  : Disabled

 

###### mst 0 vlans map : ALL

BridgeAddr : 00d0.f834.ea70   ------>SW2 MAC address

Priority: 4096

TimeSinceTopologyChange : 0d:0h:9m:2s

TopologyChanges : 6

DesignatedRoot : 0000.1414.4b19.ecc0  ------> root MAC address(SW1)

RootCost : 0

RootPort : 3

CistRegionRoot : 0000.1414.4b19.ecc0

CistPathCost : 20000

 

4. This example displays that SW2 is the VRRP Backup

Ruijie#show vrrp 10

VLAN 10 - Group 10

  State is Backup       

  Virtual IP address is 192.168.10.254 configured

  Virtual MAC address is 0000.5e00.010a

  Advertisement interval is 1 sec

  Preemption is enabled

    min delay is 0 sec

  Priority is 100

  Master Router is 192.168.10.1 , priority is 120

  Master Advertisement interval is 1 sec

  Master Down interval is 3 sec

 

5. This example displays how to verify the root bridge on SW11 and SW12 and whether MSTP has blocked G0/26 as designed.

Ruijie#show spanning-tree summary

Spanning tree enabled protocol mstp

MST 0 vlans map : ALL

  Root ID    Priority    0

             Address     1414.4b19.ecc0 ------>root bridge MAC address

             this bridge is root

             Hello Time   2 sec  Forward Delay 15 sec  Max Age 20 sec

 

  Bridge ID  Priority    32768

             Address     00d0.f8b5.0a0b  ------>local MAC address

             Hello Time   2 sec  Forward Delay 15 sec  Max Age 20 sec

 

Interface        Role Sts Cost       Prio     Type  OperEdge

---------------- ---- --- ---------- -------- ----- ---------------

Gi0/25           Root FWD 200000     128      P2p   False           ------>root port

Gi0/26           Altn BLK 200000     128      P2p                   ------>blocked port

 

When you connect Ruijie switch to other vendors, pay attention to spanning-tree compatibility:

1. When you connect Ruijie to Cisco, first confirm whether the Cisco firmware supports standard MSTP. So far, Cisco switches with firmware 12.25(SE) and above support standard MSTP, but older firmware does not, so old firmware running nonstandard MSTP has compatibility issues. You must therefore upgrade the switch to version 12.25(SE) or above. If the Cisco switch is too old to be upgraded to 12.25(SE) or above, you can disable STP and enable BPDU bridge mode to pass all BPDU packets through. To enable BPDU bridge mode, perform this task:

Ruijie(config)#no spanning-tree

Ruijie(config)#bridge-frame forwarding protocol bpdu

 

2. We suggest configuring exactly the same MSTP name, revision and instance mapping when you enable MSTP on Ruijie and other vendors' switches, to prevent STP compatibility issues. You can also enable RSTP, which has better compatibility.

 

2.8.3.3      Configuring MSTP with multiple instances

Note:

The "MSTP + VRRP" deployment pattern is being replaced by VSU day by day, and we suggest you apply VSU where possible. Even so, "MSTP + VRRP" is still a fallback method to ensure a redundant and reliable network when the core and distribution switches do not support VSU.

We suggest you remove some interconnection links first to avoid a Layer 2 loop.

 

I. Network Topology

 

SW1 is the master VRRP gateway for users on VLANs 10, 20, 30, 40, 60 and 70, and the backup VRRP gateway for servers on VLANs 50 and 80. SW2 is the master VRRP gateway for servers on VLANs 50 and 80, and the backup VRRP gateway for users on VLANs 10, 20, 30, 40, 60 and 70. Connect SW1 and SW2 through an aggregate port to ensure reliability and configure this AP as a trunk port.

The IP addresses of SW1 on VLANs 10 to 80 are 192.168.10.1 to 192.168.80.1, the IP addresses of SW2 on VLANs 10 to 80 are 192.168.10.2 to 192.168.80.2, and the VRRP virtual IP addresses are 192.168.10.254 to 192.168.80.254.

 

II. Configuration Steps

Configuring SW1

Configuring MSTP

Ruijie#config terminal

Ruijie(config)#vlan range 10,20,30,40,50,60,70,80

Ruijie(config-vlan-range)#exit

Ruijie(config)#spanning-tree mst configuration   ------>enter mst configuration mode

Ruijie(config-mst)#name ruijie      ------>switches in the same MSTP region must have the same region name

Ruijie(config-mst)#instance 1 vlan 10,20,30,40,60,70   ----->map vlan 10,20,30,40,60,70 to instance 1 , and switches in a same MSTP area must have the same mapping

Ruijie(config-mst)#instance 2 vlan 50,80   -----> map vlan 50,80 to instance 2 , and switches in a same MSTP area must have the same mapping

Ruijie(config-mst)#exit

Ruijie(config)#spanning-tree mst 0 priority 0   ----->By default , instance 0 exists ,and any other vlans that haven't mapped to an instance are mapped to instance 0. SW1 is the root bridge for instance 0

Ruijie(config)#spanning-tree mst 1 priority 0   ----->SW1 is the root bridge in instance 1

Ruijie(config)#spanning-tree mst 2 priority 4096    ----->SW1 is the secondary bridge in instance 2

Ruijie(config)#spanning-tree   ------>enable STP feature

 

Configuring AP

Ruijie#config terminal

Ruijie(config)#interface aggregateport 1

Ruijie(config-if-AggregatePort 1)#switchport mode trunk

Ruijie(config-if-AggregatePort 1)#exit

Ruijie(config)#interface tengigabitEthernet 3/1       

Ruijie(config-if-TenGigabitEthernet 3/1)#port-group 1

Ruijie(config-if-TenGigabitEthernet 3/1)#exit

Ruijie(config)#interface tengigabitEthernet 3/2     

Ruijie(config-if-TenGigabitEthernet 3/2)#port-group 1

Ruijie(config-if-TenGigabitEthernet 3/2)#exit

Ruijie(config)#interface range gigabitEthernet 1/1-5  

Ruijie(config-if-range)#switchport mode trunk        ----->don't forget to prune trunk port

 

Configuring VRRP

Ruijie(config)#vlan 10

Ruijie(config)#inter vlan 10

Ruijie(config-if-VLAN 10)#ip address 192.168.10.1 255.255.255.0

Ruijie(config-if-VLAN 10)#vrrp 10 ip 192.168.10.254

Ruijie(config-if-VLAN 10)#vrrp 10 priority 120            ------>vrrp group id=10 , priority value =120(the bigger the number , the more likely the switch will be chosen as the  master ,and default value is 100)

Ruijie(config-if-VLAN 10)#exit

 

Ruijie(config)#vlan 20

Ruijie(config)#inter vlan 20

Ruijie(config-if-VLAN 20)#ip address 192.168.20.1 255.255.255.0

Ruijie(config-if-VLAN 20)#vrrp 20 ip 192.168.20.254

Ruijie(config-if-VLAN 20)#vrrp 20 priority 120

Ruijie(config-if-VLAN 20)#exit

 

...........Configuration of VLAN 30,40,60,70 are omitted............

 

The VRRP master gateway for VLANs 50 and 80 is SW2, which is the root bridge of instance 2, so SW1 keeps the default VRRP priority on these VLANs.

Ruijie(config)#vlan 50

Ruijie(config)#inter vlan 50

Ruijie(config-if-VLAN 50)#ip address 192.168.50.1 255.255.255.0 

Ruijie(config-if-VLAN 50)#vrrp 50 ip 192.168.50.254       ------>vrrp group id=50 , priority value remains default setting(the bigger the number , the more likely the switch will be chosen as the  master ,and default value is 100)

Ruijie(config-if-VLAN 50)#exit

 

Ruijie(config)#vlan 80

Ruijie(config)#inter vlan 80

Ruijie(config-if-VLAN 80)#ip address 192.168.80.1 255.255.255.0

Ruijie(config-if-VLAN 80)#vrrp 80 ip 192.168.80.254             ------>vrrp group id=80 , priority value remains default setting(the bigger the number , the more likely the switch will be chosen as the  master ,and default value is 100)

Ruijie(config-if-VLAN 80)#exit

 

Configuring SW2

Configuring MSTP

Ruijie#config terminal

Ruijie(config)#vlan range 10,20,30,40,50,60,70,80

Ruijie(config-vlan-range)#exit

Ruijie(config)#spanning-tree mst configuration   ------>enter mst configuration mode

Ruijie(config-mst)#name ruijie      ------>switches in the same MSTP region must have the same region name

Ruijie(config-mst)#instance 1 vlan 10,20,30,40,60,70   ----->map vlan 10,20,30,40,60,70 to instance 1 , and switches in a same MSTP area must have the same mapping

Ruijie(config-mst)#instance 2 vlan 50,80   ----->map vlan 50,80 to instance 2 , and switches in a same MSTP area must have the same mapping

Ruijie(config-mst)#exit

Ruijie(config)#spanning-tree mst 0 priority 4096    ----->By default , instance 0 exists ,and any other vlans that haven't mapped to an instance are mapped to instance 0. SW2 is the secondary root bridge in instance 0

Ruijie(config)#spanning-tree mst 1 priority 4096----->SW2 is the secondary root bridge in instance 1

Ruijie(config)#spanning-tree mst 2 priority 0         ----->SW2 is the root bridge in instance 2

Ruijie(config)#spanning-tree   ------>enable STP feature

 

Configuring AP

Ruijie#config terminal

Ruijie(config)#interface aggregateport 1

Ruijie(config-if-AggregatePort 1)#switchport mode trunk

Ruijie(config-if-AggregatePort 1)#exit

Ruijie(config)#interface tengigabitEthernet 3/1              

Ruijie(config-if-TenGigabitEthernet 3/1)#port-group 1

Ruijie(config-if-TenGigabitEthernet 3/1)#exit

Ruijie(config)#interface tengigabitEthernet 3/2     

Ruijie(config-if-TenGigabitEthernet 3/2)#port-group 1

Ruijie(config-if-TenGigabitEthernet 3/2)#exit

 

Ruijie(config)#interface range gigabitEthernet 1/1-5 

Ruijie(config-if-range)#switchport mode trunk   ----->don't forget to prune trunk port

 

Configuring VRRP

The VRRP backup gateway for VLANs 10, 20, 30, 40, 60 and 70 is SW2, which is the secondary root bridge of instance 1.

Ruijie(config)#vlan 10

Ruijie(config)#inter vlan 10

Ruijie(config-if-VLAN 10)#ip address 192.168.10.2 255.255.255.0

Ruijie(config-if-VLAN 10)#vrrp 10 ip 192.168.10.254          ------>vrrp group id=10 , priority value remains default setting(the bigger the number , the more likely the switch will be chosen as the  master ,and default value is 100) .

Ruijie(config-if-VLAN 10)#exit

 

Ruijie(config)#vlan 20

Ruijie(config)#inter vlan 20

Ruijie(config-if-VLAN 20)#ip address 192.168.20.2 255.255.255.0

Ruijie(config-if-VLAN 20)#vrrp 20 ip 192.168.20.254              ------>vrrp group id=20 , priority value remains default setting(the bigger the number , the more likely the switch will be chosen as the  master ,and default value is 100) .

Ruijie(config-if-VLAN 20)#exit

 

...........Configuration of VLAN 30,40,60,70 are omitted............

 

Ruijie(config)#vlan 50

Ruijie(config)#inter vlan 50

Ruijie(config-if-VLAN 50)#ip address 192.168.50.2 255.255.255.0 

Ruijie(config-if-VLAN 50)#vrrp 50 ip 192.168.50.254      

Ruijie(config-if-VLAN 50)#vrrp 50 priority 120            ------>vrrp group id=50, priority value=120 (the bigger the number, the more likely the switch is chosen as master; the default value is 100)

Ruijie(config-if-VLAN 50)#exit

Ruijie(config)#vlan 80

Ruijie(config)#inter vlan 80

Ruijie(config-if-VLAN 80)#ip address 192.168.80.2 255.255.255.0

Ruijie(config-if-VLAN 80)#vrrp 80 ip 192.168.80.254            

Ruijie(config-if-VLAN 80)#vrrp 80 priority 120            ------>vrrp group id=80, priority value=120 (the bigger the number, the more likely the switch is chosen as master; the default value is 100)

Ruijie(config-if-VLAN 80)#exit

 

Configuring SW11, SW12, SW13, SW14, SW15 and SW16

Ruijie#config terminal

Ruijie(config)#interface range gigabitEthernet 0/25-26  

Ruijie(config-if-range)#switchport mode trunk

Ruijie(config-if-range)#exit

Ruijie(config)#vlan range 10,20,30,40,50,60,70,80

Ruijie(config-vlan-range)#exit

Ruijie(config)#spanning-tree mst configuration  

Ruijie(config-mst)#name ruijie     

Ruijie(config-mst)#instance 1 vlan 10,20,30,40,60,70  

Ruijie(config-mst)#instance 2 vlan 50,80  

Ruijie(config-mst)#exit

Ruijie(config)#spanning-tree  

 

Connecting cables and verifying the status of MSTP and VRRP

1. This example shows that SW1 is the root bridge in instances 0 and 1, and SW2 is the root bridge in instance 2.

SW1

RuijieSW1#show spanning-tree summary

Spanning tree enabled protocol mstp

MST 0 vlans map : 1-9, 11-19, 21-29, 31-39, 41-49, 51-59, 61-69, 71-79, 81-4094

  Root ID    Priority    0

            Address     1414.4b5a.198c   ------> MAC address of Root bridge in instance 0

             this bridge is root

             Hello Time   2 sec  Forward Delay 15 sec  Max Age 20 sec

  Bridge ID  Priority    0

             Address     1414.4b5a.198c        ------>local MAC address

             Hello Time   2 sec  Forward Delay 15 sec  Max Age 20 sec

Interface        Role Sts Cost       Prio     OperEdge Type

---------------- ---- --- ---------- -------- -------- ----------------

Ag1              Desg FWD 19000      128      False    P2p                            

Gi0/1            Desg FWD 20000      128      False    P2p                            

 

MST 1 vlans map : 10, 20, 30, 40, 60, 70

  Region Root Priority   0

             Address     1414.4b5a.198c ------>MAC address of Root bridge in instance 1

             this bridge is region root

  Bridge ID  Priority    0

             Address     1414.4b5a.198c           ------>local MAC address

      Interface        Role Sts Cost       Prio     OperEdge Type

---------------- ---- --- ---------- -------- -------- ----------------

Ag1              Desg FWD 19000      128      False    P2p                            

Gi0/1            Desg FWD 20000      128      False    P2p                            

 

MST 2 vlans map : 50, 80

  Region Root Priority   0

             Address     1414.4b5a.18d4          ------>MAC address of Root bridge in instance 2

             this bridge is region root

 

  Bridge ID  Priority    4096

             Address     1414.4b5a.198c         

Interface        Role Sts Cost       Prio     OperEdge Type

---------------- ---- --- ---------- -------- -------- ----------------

Ag1              Root FWD 19000      128      False    P2p                            

Gi0/1            Desg FWD 20000      128      False    P2p   

 

SW2

Ruijie#show spanning-tree summary

Spanning tree enabled protocol mstp

MST 0 vlans map : 1-9, 11-19, 21-29, 31-39, 41-49, 51-59, 61-69, 71-79, 81-4094

  Root ID    Priority    0

             Address     1414.4b5a.198c        ------>MAC address of Root bridge which is SW1 in instance 0

             this bridge is root

             Hello Time   2 sec  Forward Delay 15 sec  Max Age 20 sec

  Bridge ID  Priority    4096        

             Address     1414.4b5a.18d4          ------>local MAC address

             Hello Time   2 sec  Forward Delay 15 sec  Max Age 20 sec

Interface        Role Sts Cost       Prio     OperEdge Type

---------------- ---- --- ---------- -------- -------- ----------------

Ag1              Root FWD 19000      128      False    P2p                             

Gi2/0/1          Desg FWD 20000      128      False    P2p                            

 

MST 1 vlans map : 10, 20, 30, 40, 60, 70

  Region Root Priority   0

             Address     1414.4b5a.198c ------>MAC address of Root bridge in instance 1

             this bridge is region root

  Bridge ID  Priority    4096

             Address     1414.4b5a.18d4 ------>local MAC address

    

Interface        Role Sts Cost       Prio     OperEdge Type

---------------- ---- --- ---------- -------- -------- ----------------

Ag1              Root FWD 19000      128      False    P2p                            

Gi2/0/1          Desg FWD 20000      128      False    P2p                            

 

MST 2 vlans map : 50, 80

  Region Root Priority   0

             Address     1414.4b5a.18d4       ------>MAC address of Root bridge in instance 2

             this bridge is region root     

  Bridge ID  Priority    0

             Address     1414.4b5a.18d4 ------>local MAC address

Interface        Role Sts Cost       Prio     OperEdge Type

---------------- ---- --- ---------- -------- -------- ----------------

Ag1              Desg FWD 19000      128      False    P2p                            

Gi2/0/1          Desg FWD 20000      128      False    P2p  

 

2. This example shows that SW1 is the master on VLANs 10, 20, 30, 40, 60 and 70 and the backup on VLANs 50 and 80. SW2 is the master on VLANs 50 and 80 and the backup on VLANs 10, 20, 30, 40, 60 and 70.

 

SW1

Ruijie#show vrrp brief

Interface             Grp  Pri   timer   Own  Pre   State   Master addr                               Group addr                             

 

VLAN 10               10   120   3.53    -    P     Master  192.168.10.1                              192.168.10.254                         

 

VLAN 20               20   120   3.53    -    P     Master  192.168.20.1                              192.168.20.254                         

 

VLAN 30               30   120   3.53    -    P     Master  192.168.30.1                              192.168.30.254                         

 

VLAN 40               40   120   3.53    -    P     Master  192.168.40.1                              192.168.40.254                         

 

VLAN 50               50   100   3.60    -    P     Backup  192.168.50.2                              192.168.50.254       

 

VLAN 60               60   120   3.53    -    P     Master  192.168.60.1                              192.168.60.254                         

 

VLAN 70               70   120   3.53    -    P     Master  192.168.70.1                              192.168.70.254                         

 

VLAN 80               80   100   3.60    -    P     Backup  192.168.80.2                              192.168.80.254         

 

SW2:

RuijieSW2#show vrrp brief

 

Interface             Grp  Pri   timer   Own  Pre   State   Master addr                               Group addr                             

 

VLAN 10               10   100   3.60    -    P     Backup  192.168.10.1                              192.168.10.254                         

 

VLAN 20               20   100   3.60    -    P     Backup  192.168.20.1                              192.168.20.254                         

 

VLAN 30               30   100   3.60    -    P     Backup  192.168.30.1                              192.168.30.254                          

 

VLAN 40               40   100   3.60    -    P     Backup  192.168.40.1                              192.168.40.254                         

 

VLAN 50               50   120   3.53    -    P     Master  192.168.50.2                              192.168.50.254      

 

VLAN 60               60   100   3.60    -    P     Backup  192.168.60.1                              192.168.60.254                         

 

VLAN 70               70   100   3.60    -    P     Backup  192.168.70.1                              192.168.70.254                         

 

VLAN 80               80   120   3.53    -    P     Master  192.168.80.2                              192.168.80.254
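The two outputs above are normally read by eye. As an added check (example script, not part of the cookbook or of any Ruijie tooling), the following Python parses constructed excerpts modelled on SW1's two outputs (columns narrowed, annotations removed) and flags every VLAN whose VRRP state disagrees with the local bridge's MSTP role for that VLAN's instance, which is the design rule this section relies on.

```python
"""Cross-check MSTP root roles against VRRP states (added example, not Ruijie tooling).
Rule: the switch that roots an MST instance should be VRRP Master on every VLAN
mapped to that instance, so the Layer 2 and Layer 3 paths agree."""
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt modelled on SW1's "show spanning-tree summary" above.
SW1_STP = """\
MST 0 vlans map : 1-9, 11-19, 21-29, 31-39, 41-49, 51-59, 61-69, 71-79, 81-4094
  Root ID    Priority    0
             Address     1414.4b5a.198c
  Bridge ID  Priority    0
             Address     1414.4b5a.198c
MST 1 vlans map : 10, 20, 30, 40, 60, 70
  Region Root Priority   0
             Address     1414.4b5a.198c
  Bridge ID  Priority    0
             Address     1414.4b5a.198c
MST 2 vlans map : 50, 80
  Region Root Priority   0
             Address     1414.4b5a.18d4
  Bridge ID  Priority    4096
             Address     1414.4b5a.198c
"""

# Constructed excerpt modelled on SW1's "show vrrp brief" above (columns narrowed).
SW1_VRRP = """\
Interface   Grp  Pri   timer   Own  Pre   State   Master addr     Group addr
VLAN 10     10   120   3.53    -    P     Master  192.168.10.1    192.168.10.254
VLAN 20     20   120   3.53    -    P     Master  192.168.20.1    192.168.20.254
VLAN 50     50   100   3.60    -    P     Backup  192.168.50.2    192.168.50.254
VLAN 80     80   100   3.60    -    P     Backup  192.168.80.2    192.168.80.254
"""

# Constructed misconfiguration: SW1 also wins VRRP on VLAN 50 although SW2 roots MST 2.
SW1_VRRP_BAD = SW1_VRRP.replace(
    "VLAN 50     50   100   3.60    -    P     Backup",
    "VLAN 50     50   120   3.53    -    P     Master")


def expand_vlans(spec: str) -> Set[int]:
    """Expand a VLAN map such as '1-9, 11-19, 50' into a set of VLAN ids."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_stp_summary(text: str) -> Dict[int, Tuple[Set[int], bool]]:
    """Map MST instance -> (mapped VLANs, local bridge roots this instance).
    Root is decided by comparing the root Address with the Bridge ID Address,
    which is more robust than grepping for the 'this bridge is root' wording."""
    result: Dict[int, Tuple[Set[int], bool]] = {}
    headers = list(re.finditer(r"(?m)^[ \t]*MST (\d+) vlans map[ \t]*:[ \t]*(.*)$", text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        addrs = re.findall(r"Address\s+([0-9a-fA-F.]+)", text[h.end():end])
        is_root = len(addrs) >= 2 and addrs[0].lower() == addrs[1].lower()
        result[int(h.group(1))] = (expand_vlans(h.group(2)), is_root)
    return result


def parse_vrrp_brief(text: str) -> Dict[int, str]:
    """Map VLAN id -> VRRP state from 'show vrrp brief' rows."""
    row = re.compile(r"\s*VLAN\s+(\d+)\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+(Master|Backup|Init)\b")
    states: Dict[int, str] = {}
    for line in text.splitlines():
        m = row.match(line)
        if m:
            states[int(m.group(1))] = m.group(2)
    return states


def check_alignment(stp: Dict[int, Tuple[Set[int], bool]],
                    vrrp: Dict[int, str]) -> List[Tuple[int, int, str, str]]:
    """Return (vlan, instance, expected_state, actual_state) for every VLAN whose
    VRRP state disagrees with the local bridge's MST role for that VLAN's instance."""
    problems = []
    for inst, (vlans, is_root) in sorted(stp.items()):
        expected = "Master" if is_root else "Backup"
        for vlan in sorted(vlans & set(vrrp)):
            if vrrp[vlan] != expected:
                problems.append((vlan, inst, expected, vrrp[vlan]))
    return problems


if __name__ == "__main__":
    stp = parse_stp_summary(SW1_STP)
    print("aligned :", check_alignment(stp, parse_vrrp_brief(SW1_VRRP)))
    print("mismatch:", check_alignment(stp, parse_vrrp_brief(SW1_VRRP_BAD)))
```

Run it against the real output of both switches after any priority change; an empty list means the VRRP master and the MST root agree for every VLAN.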

 

 

3. This example shows how to verify the root bridge on access switches and whether MSTP has blocked some ports to prevent a loop.

Ruijie#show spanning-tree summary

Spanning tree enabled protocol mstp

MST 0 vlans map : 1-9, 11-19, 21-29, 31-39, 41-49, 51-59, 61-69, 71-79, 81-4094

  Root ID    Priority    0

             Address     1414.4b5a.198c

             this bridge is root

             Hello Time   2 sec  Forward Delay 15 sec  Max Age 20 sec

 

  Bridge ID  Priority    32768

             Address     001a.a9c4.05f2

             Hello Time   2 sec  Forward Delay 15 sec  Max Age 20 sec

Interface        Role Sts Cost       Prio     Type  OperEdge

---------------- ---- --- ---------- -------- ----- ---------------

Gi0/24           Altn BLK 20000      128      P2p   False          ------>one Blocked port

Gi0/23           Root FWD 20000      128      P2p   False          ------>one Root port

 

MST 1 vlans map : 10, 20, 30, 40, 60, 70

  Region Root Priority   0

             Address     1414.4b5a.198c ------>MAC address of Root bridge which is SW1 in instance 1

             this bridge is region root

  Bridge ID  Priority    32768

             Address     001a.a9c4.05f2

     Interface        Role Sts Cost       Prio     Type  OperEdge

---------------- ---- --- ---------- -------- ----- ---------------

Gi0/24           Altn BLK 20000      128      P2p   False          ------>one Blocked port

Gi0/23           Root FWD 20000      128      P2p   False          ------>one Root port

 

MST 2 vlans map : 50, 80

  Region Root Priority   0

             Address     1414.4b5a.18d4            ------>MAC address of Root bridge which is SW2 in instance 2

 

             this bridge is region root

  Bridge ID  Priority    32768

             Address     001a.a9c4.05f2

Interface        Role Sts Cost       Prio     Type  OperEdge

---------------- ---- --- ---------- -------- ----- ---------------

Gi0/24           Root FWD 20000      128      P2p   False          ------>one Root port (SW2 is the root of instance 2)

Gi0/23           Altn BLK 20000      128      P2p   False          ------>one Blocked port

 

When you connect Ruijie switch to other vendors, pay attention to spanning-tree compatibility:

1.     When you connect Ruijie to Cisco, you must double-check whether the Cisco firmware supports standard MSTP. So far, Cisco switches with firmware 12.25(SE) and above support standard MSTP, but older firmware does not, so old firmware that runs nonstandard MSTP has a compatibility issue. You must upgrade the switch to version 12.25(SE) or above. If the Cisco switch is too old to be upgraded to version 12.25(SE) or above, you can disable STP and enable BPDU bridge mode to bypass all BPDU packets. To enable BPDU bridge mode, perform this task:

Ruijie(config)#no spanning-tree

Ruijie(config)#bridge-frame forwarding protocol bpdu

 

2.     We suggest you configure exactly the same MSTP name, revision and instance mapping when you enable MSTP on Ruijie and other vendors' switches, to prevent STP compatibility issues. You can also enable RSTP, because RSTP has better compatibility.

 

2.8.3.4          Configuring Spanning tree optimization

I. Network Topology

2.8.3.5          Verifying MSTP+VRRP

I. Network Topology

2.8.4          ARP Spoofing Protection

Overview

ARP (Address Resolution Protocol) provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. For example, host B wants to send information to host A but does not have the MAC address of host A in its ARP cache. In ARP terms, host B is the sender and host A is the target.

To get the MAC address of host A, host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of host A. All hosts within the broadcast domain receive the ARP request, and host A responds with its MAC address.

 

 

Feature

ARP itself does not check the validity of incoming ARP packets; this is a drawback of the protocol, and attackers exploit it to launch ARP spoofing attacks easily. The most typical one is the man-in-the-middle attack, which is described as follows:

As shown in the diagram, devices A, B and C are connected to Ruijie device and located in the same subnet. Their IP and MAC addresses are respectively represented by (IPA, MACA), (IPB, MACB) and (IPC, MACC). When device A needs to communicate with device B in the network layer, device A broadcasts an ARP request in the subnet to query the MAC value of device B. Upon receiving this ARP request packet, device B updates its ARP buffer using IPA and MACA, and sends an ARP response. Upon receiving this response, device A updates its ARP buffer using IPB and MACB.

With this model, device C can make the ARP entries in device A and device B incorrect. Its method is to continuously broadcast ARP responses into the network in which the IP address is IPA/IPB and the MAC address is MACC. As a result, the ARP entry (IPB, MACC) exists in device A and the ARP entry (IPA, MACC) exists in device B. Communication between device A and device B is redirected through device C without A or B knowing it. Device C acts as an intermediary: it modifies the received packets as it sees fit and forwards them to the other device. This is the well-known man-in-the-middle attack.

2.8.4.1          Scenario of static IP address assignment

Scenario

Port IP&MAC binding + ARP-check: In a network without 802.1x authentication, you can manually bind the IP&MAC address of each user to a security entry on each port of a switch and enable the ARP-check feature globally to prevent ARP spoofing. Users connected to a switch port pass the port verification and get access to the network only when their IP&MAC address is exactly the same as the security entry on the port.

 

Merit:  This is a very strict method to control all users in your network, and switches verify each ARP packet in hardware without consuming CPU resources.

 

Demerit:  You must collect the IP&MAC address of each user and the port to which every user connects on each switch, so this method costs you plenty of time to collect information and configure switches, and it is also not flexible if users move their physical location often.

     

I. Requirements

The administrator assigns IP addresses to users manually and configures the "port-security + ARP-check" method on switches to defend against ARP spoofing.

 

II. Network Topology

 

III. Configuration Tips

1. You must enable port-security on the ports connected to users, not on the uplink port

2. You must enable ARP-check on the ports connected to users, not on the uplink port

 

IV. Configuration Steps

Configuring core switch

Assign IP address to vlan 10 which is user gateway

Ruijie(config)#interface vlan 10

Ruijie(config-if-VLAN 10)#ip address 192.168.1.254 255.255.255.0

Ruijie(config-if-VLAN 10)#end

Ruijie#wr

 

Configuring access switch

Ruijie>enable  

Ruijie#configure terminal

Ruijie(config)#interface fastEthernet 0/1                                   

Ruijie(config-if-FastEthernet 0/1)#switchport port-security binding 0021.CCCF.6F70 vlan 10 192.168.1.1  

------> bind static IP address 192.168.1.1 and MAC address 0021.CCCF.6F70 on VLAN 10 to security entry on F0/1

Ruijie(config-if-FastEthernet 0/1)#switchport port-security   ------>enable port-security

Ruijie(config-if-FastEthernet 0/1)#arp-check                        ------>enable arp-check

Ruijie(config-if-FastEthernet 0/1)#exit

 

Ruijie(config)#interface fastEthernet 0/2

Ruijie(config-if-FastEthernet 0/2)# switchport port-security binding 0023.5abd.1975 vlan 10 192.168.1.2 

 ------>bind static IP address 192.168.1.2 and MAC address 0023.5abd.1975  on  VLAN 10 to security entry on F0/2

Ruijie(config-if-FastEthernet 0/2)#switchport port-security   ------>enable port-security

Ruijie(config-if-FastEthernet 0/2)#arp-check                         ------>enable arp-check

Ruijie(config-if-FastEthernet 0/2)#end

Ruijie#write

 

Ruijie(config)#interface fastEthernet 0/3

Ruijie(config-if-FastEthernet 0/3)# switchport port-security binding 192.168.1.3 

------>you can also bind only the static IP address 192.168.1.3 to the security entry on F0/3; this is more flexible but less secure, because any MAC address may use that IP on the port

Ruijie(config-if-FastEthernet 0/3)#switchport port-security  

Ruijie(config-if-FastEthernet 0/3)#arp-check

Ruijie(config-if-FastEthernet 0/3)#end

Ruijie#write

 

V. Verification

1) How to display security entry on each port

2) How to display status of ARP-check

 

Scenario

Global IP&MAC binding + ARP-check: In a network without 802.1x authentication, you can manually bind the IP&MAC address of each user to the global security table on a switch and enable the ARP-check feature globally to prevent ARP spoofing. Users connected to a switch port pass the global verification and get access to the network only when their IP&MAC address is exactly the same as an entry in the global security table on the switch.

 

Merit: This is a less strict method to control all users in your network than solution 1, and switches verify each ARP packet in hardware without consuming CPU resources.

 

Demerit:  You must collect the IP&MAC address of each user on each switch, so this method costs you plenty of time to collect information and configure switches.

 

I. Requirements

The administrator assigns static IP addresses to users and configures the "global IP&MAC binding + ARP-check" method on switches to prevent ARP spoofing.

 

II. Network Topology

 

III. Configuration Tips

1. Bind IP&MAC address of users to global security table

2. Configure the uplink port as a trusted port, on which all packets pass through without validation

3. Enable address-bind feature globally

4. Enable arp-check feature globally

 

IV. Configuration Steps

Configuring core switch

Manually assign IP address to Vlan 10 which is user gateway

Ruijie(config)#interface vlan 10

Ruijie(config-if-VLAN 10)#ip address 192.168.1.254 255.255.255.0

Ruijie(config-if-VLAN 10)#end

Ruijie#wr   

 

Configuring access switch

Ruijie>enable 

Ruijie#configure terminal

Ruijie(config)#address-bind 192.168.1.1 0021.cccf.6f70  ------>bind IP 192.168.1.1 and MAC address 0021.cccf.6f70 to global security table 

Ruijie(config)#address-bind 192.168.1.2 0023.5abd.1975 ------>bind IP 192.168.1.2 and MAC address 0023.5abd.1975 to global security table 

Ruijie(config)#address-bind uplink gigabitEthernet 0/25   ------>configure uplink port G0/25 as trusted port on which all packets can pass through without validation

Ruijie(config)#address-bind install ------>enable address-bind

Ruijie(config)#interface range fastEthernet 0/1-2

Ruijie(config-if-range)#arp-check ------>enable arp-check

Ruijie(config-if-range)#end

Ruijie#write        
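To make the difference between the two binding scenarios concrete, here is an added Python model (example code, not Ruijie's implementation) of the per-packet decision that ARP-check takes against a security table: a per-port table as built by port-security binding, and a global table with a trusted uplink as built by address-bind. The tables reuse the entries configured above; the third host's MAC 0000.0000.00cc and the interface names are constructed.

```python
"""Model of the per-packet validation ARP-check performs against a security table.
Added example, not Ruijie's implementation: it shows why entries built by
port-security binding or address-bind stop the cache poisoning described in the
Feature section, and where an IP-only binding leaves a gap."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def norm_mac(mac: str) -> str:
    """0021.CCCF.6F70, 00:21:cc:cf:6f:70 and 00-21-CC-CF-6F-70 -> '0021cccf6f70'."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class Binding:
    ip: str
    vlan: int
    mac: Optional[str] = None   # None = IP-only binding (the F0/3 entry above)
    port: Optional[str] = None  # None = global table entry (address-bind); set = per-port entry


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    vlan: int
    sender_ip: str
    sender_mac: str  # ARP sender hardware address, the field a spoofed reply forges


def arp_check(pkt: ArpPacket, table: List[Binding], trusted: Set[str]) -> Tuple[str, str]:
    """Return ('PERMIT' | 'DROP', reason). Trusted uplink ports are not validated."""
    if pkt.ingress_port in trusted:
        return "PERMIT", "trusted port, not validated"
    for b in table:
        if b.ip != pkt.sender_ip or b.vlan != pkt.vlan:
            continue
        if b.port is not None and b.port != pkt.ingress_port:
            continue  # entry belongs to another port (per-port binding only)
        if b.mac is not None and norm_mac(b.mac) != norm_mac(pkt.sender_mac):
            continue  # IP is bound, but to a different MAC
        return "PERMIT", f"matches {b.ip}/{b.mac or '*'} on {b.port or 'global table'}"
    return "DROP", "sender IP/MAC has no matching security entry on this port"


# Constructed tables mirroring the two scenarios above (hosts on F0/1 and F0/2 from the
# page, plus the IP-only entry on F0/3); 0000.0000.00cc is a made-up third host C.
PORT_TABLE = [
    Binding("192.168.1.1", 10, "0021.CCCF.6F70", "Fa0/1"),
    Binding("192.168.1.2", 10, "0023.5abd.1975", "Fa0/2"),
    Binding("192.168.1.3", 10, None, "Fa0/3"),
]
GLOBAL_TABLE = [
    Binding("192.168.1.1", 10, "0021.cccf.6f70"),
    Binding("192.168.1.2", 10, "0023.5abd.1975"),
]
UPLINK = {"Gi0/25"}

PACKETS = {
    "host_a_normal": ArpPacket("Fa0/1", 10, "192.168.1.1", "0021.cccf.6f70"),
    "c_claims_b_ip": ArpPacket("Fa0/3", 10, "192.168.1.2", "0000.0000.00cc"),  # the poisoned reply
    "c_on_ip_only_port": ArpPacket("Fa0/3", 10, "192.168.1.3", "0000.0000.00cc"),
    "host_a_moved_port": ArpPacket("Fa0/2", 10, "192.168.1.1", "0021.cccf.6f70"),
    "gateway_via_uplink": ArpPacket("Gi0/25", 10, "192.168.1.254", "0000.0000.00fe"),
}


def run(table: List[Binding]) -> Dict[str, str]:
    """Verdict per constructed packet for the given security table."""
    return {name: arp_check(p, table, UPLINK)[0] for name, p in PACKETS.items()}


if __name__ == "__main__":
    for mode, table in (("per-port", PORT_TABLE), ("global", GLOBAL_TABLE)):
        print(mode, run(table))
```

Note how the per-port table drops host A when it moves to another port while the global table permits it, which is the "less strict" property of solution 2, and how the IP-only entry on F0/3 lets any MAC claim 192.168.1.3.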

 

Note

If users want to use IPv6 addresses to access the network, you must enable IPv6 compatible mode on switches that have address-bind enabled. Perform this task:

Ruijie(config)#address-bind ipv6-mode ?

  compatible  IPV6 compatible mode  ------>compatible mode: bound users are allowed to access the network via an IPv6 address

  loose       IPV6 loose mode               ------>loose mode: all IPv6 users are allowed to access the network without restriction

  strict      IPV6 strict mode      (default: strict)------>strict mode: even bound users can't access the network via an IPv6 address; this is the default mode

Ruijie(config)#address-bind ipv6-mode compatible   

 

V. Verification

1. How to display global security table 

2. How to display trusted port 

3. How to verify ARP-check table

 

Scenario

802.1X authentication + ARP-check: In a network that has 802.1x authentication enabled, users must run 802.1X-compliant client software, such as the Ruijie supplicant SU or SA. The switch collects the IP&MAC address while it communicates with the 802.1X-compliant client software and writes this information into the global security table. ARP-check validates each user against this global security table to prevent ARP spoofing.

 

Merit: This is the simplest method for you to configure and maintain switches

 

Demerit: You must build your network with the Ruijie 802.1X-compliant client software SU/SA and a RADIUS server (for example, Ruijie SAM), and it consumes more hardware resources because it costs the switch one more security entry in hardware each time a user passes authentication.

      

I. Requirements

The administrator assigns static IP addresses to users and enables 802.1x authentication throughout the network with Ruijie SU/SA and SAM to prevent ARP spoofing.

 

II. Network Topology

 

 

III. Configuration Tips

1. Enable basic dot1x authentication function on access switch

2. Modify authorization mode to "supplicant mode"

3. Enable arp-check on port connected to users

 

IV. Configuration Steps

Configuring access switch

1) Configure dot1x authentication on switch

For complete information about 802.1x configuration, see the switch configuration guide, such as the RG-S8600E Series Switches RGOS Configuration Guide

 

2) Configure authorization mode in "supplicant mode"

Ruijie(config)#aaa authorization ip-auth-mode supplicant

 

Note

If users want to use IPv6 addresses to access the network, you must enable IPv6 compatible mode on switches that have address-bind enabled. Perform this task:

Ruijie(config)#address-bind ipv6-mode ?

  compatible  IPV6 compatible mode  ------>compatible mode: bound users are allowed to access the network via an IPv6 address

  loose       IPV6 loose mode               ------>loose mode: all IPv6 users are allowed to access the network without restriction

  strict      IPV6 strict mode      (default: strict)------>strict mode: even bound users can't access the network via an IPv6 address; this is the default mode

Ruijie(config)#address-bind ipv6-mode compatible

 

3)      Enable arp-check

Ruijie(config)#interface range g0/1-2

Ruijie(config-if-range)#arp-check      

Ruijie(config-if-range)#end

Ruijie#write

 

V. Verification

Ruijie(config)#show interfaces gigabitEthernet 0/1 arp-check list

 

2.8.4.2          Scenario of dynamic IP address assignment(DHCP)

Scenario

DHCP Snooping with ARP-check: This solution prevents ARP spoofing in a network in which a DHCP server assigns IP addresses to users. You can also enable 802.1x authentication or web authentication, or disable all authentication in your network.

Merit: Very simple configuration and easy maintenance.

Demerit: DHCP snooping and ARP-check are enforced in hardware, so this method is not applicable if there are insufficient hardware resources available on the switch. How many users the switch can carry depends on its specification.

 

When switch hardware resources are insufficient, the system returns the following syslog:

%SECURITY-3-TCAM_RESOURCE_LIMIT: TCAM resource is temporary not available.

 

I. Requirements

A DHCP server assigns IP addresses to users, and the administrator uses "DHCP Snooping with ARP-check" to prevent ARP spoofing.

 

II. Network Topology

 

 

III. Configuration Tips

1. Core switch acts as DHCP server

2. Enable DHCP Snooping on access switch and configure uplink port as DHCP Snooping trusted port.

3. Enable ARP-check on ports connected to user

 

IV. Configuration Steps

Configuring core switch

1. Enable DHCP service

Ruijie(config)#service dhcp

 

2. Manually Assign IP address to vlan 1 which is user gateway

Ruijie(config)#interface vlan 1

Ruijie(config-if-VLAN 1)#ip address 192.168.1.254 255.255.255.0

Ruijie(config-if-VLAN 1)#exit

 

3. Create DHCP IP address pool

Ruijie(config)#ip dhcp pool vlan1

Ruijie(dhcp-config)#network 192.168.1.0 255.255.255.0      ------>network subnet

Ruijie(dhcp-config)#dns-server 218.85.157.99                     ------>DNS Server

Ruijie(dhcp-config)#default-router 192.168.1.254                ------>specify user gateway

Ruijie(dhcp-config)#end

Ruijie#wr

 

Configuring access switch

1. Enable DHCP Snooping

Ruijie>enable 

Ruijie#configure terminal

Ruijie(config)#ip dhcp snooping    

 

2. Configure the port connected to DHCP server as DHCP Snooping trusted port.

Ruijie(config)#interface gigabitEthernet 0/49

Ruijie(config-GigabitEthernet 0/49)#ip dhcp snooping trust    ------>By default, all ports are DHCP Snooping untrusted ports. Only trusted ports can forward DHCP Offer and Ack packets

 

Note

If users want to use IPv6 addresses to access the network, you must enable IPv6 compatible mode on switches that have address-bind enabled. Perform this task:

Ruijie(config)#address-bind ipv6-mode ?

  compatible  IPV6 compatible mode  ------>compatible mode: bound users are allowed to access the network via an IPv6 address

  loose       IPV6 loose mode               ------>loose mode: all IPv6 users are allowed to access the network without restriction

  strict      IPV6 strict mode      (default: strict)------>strict mode: even bound users can't access the network via an IPv6 address; this is the default mode

Ruijie(config)#address-bind ipv6-mode compatible

 

3.  Enable arp-check

Ruijie(config)#interface range fastEthernet 0/1-2                     

Ruijie(config-if-range)#arp-check                                             

 

V. Verification

 

2. How to display NIC information on a station: click Start -> Run -> cmd and run "ipconfig/all"

 

3. How to display the DHCP snooping table on an access switch

 

4. How to display ARP-Check table

 

Scenario

DHCP Snooping with DAI (Dynamic ARP Inspection): This solution prevents ARP spoofing in a network in which a DHCP server assigns IP addresses to users. You can also enable 802.1x authentication or web authentication, or disable all authentication in your network.

 

Merit: Very simple configuration and easy maintenance. DAI is enforced in the CPU, whereas ARP-check is enforced in hardware.

 

Demerit: When an access switch carries more than 50 users, we recommend using solution 1 in case CPU resources are insufficient.

 

I. Requirements

A DHCP server assigns IP addresses to users, and the administrator uses "DHCP Snooping with DAI" to prevent ARP spoofing.

 

II. Network Topology

III. Configuration Tips

1. Core switch acts as DHCP server

2. Enable DHCP Snooping on access switch and configure uplink port as DHCP Snooping trusted port.

3. Enable DAI on access switch and configure uplink port as DAI trusted port.

4. Fine tune CPP and NFPP parameters and prune trunk port

 

IV. Configuration Steps

Configuring core switch

1. Enable DHCP service

Ruijie(config)#service dhcp                                           

 

2. Manually Assign IP address to vlan 1 which is user gateway

Ruijie(config)#interface vlan 1

Ruijie(config-if-VLAN 1)#ip address 192.168.1.254 255.255.255.0

Ruijie(config-if-VLAN 1)#exit                                      

 

3. Create DHCP IP address pool

Ruijie(config)#ip dhcp pool vlan1

Ruijie(dhcp-config)#network 192.168.1.0 255.255.255.0      ------>network segment

Ruijie(dhcp-config)#dns-server 218.85.157.99                     ------>DNS server

Ruijie(dhcp-config)#default-router 192.168.1.254                ------>specify user gateway

Ruijie(dhcp-config)#end

Ruijie#wr                                

 

Configuring access switch

1. Enable DHCP Snooping

Ruijie>enable 

Ruijie#configure terminal

Ruijie(config)#ip dhcp snooping                            

 

2.  Configure the port connected to DHCP server as DHCP Snooping trusted port

Ruijie(config)#interface gigabitEthernet 0/49

Ruijie(config-GigabitEthernet 0/49)#ip dhcp snooping trust    ------>By default, all ports are DHCP snooping untrusted ports. Only trusted ports can forward DHCP Offer and Ack packets

 

3. Enable DAI in VLAN 1

Ruijie(config)#ip arp inspection vlan 1                      ------>DAI inspects VLAN 1

 

4 . Configure the uplink port as DAI trusted port

Ruijie(config)#int gigabitEthernet 0/25

Ruijie(config-if-GigabitEthernet 0/25)#ip arp inspection trust    

 

Configuring DAI optimization (Mandatory)

When DAI is enabled, the switch forwards all ARP packets to the CPU for validation, so you must configure the following optimizations.

1. Prune trunk port on uplink port on access switch

This example shows how to prune trunk port G0/25 so that it carries traffic for VLAN 1 and VLAN 9 only:

Ruijie(config-if-GigabitEthernet 0/25)#switchport trunk  allowed vlan remove 2-8,10-4094    

For complete information, see Initialization --->Configuring a Layer 2 Port ---> Access or Trunk port

 

2. Disable NFPP on the uplink port of the access switch; otherwise, if the number of ARP packets sent from the core switch to the access switch exceeds the default NFPP rate-limit threshold, NFPP drops the excess ARP packets, which may be legitimate users' packets.

Ruijie(config)#int g0/25

Ruijie(config-if-GigabitEthernet 0/25)#no nfpp arp-guard enable   

Ruijie(config-if-GigabitEthernet 0/25)#no nfpp dhcp-guard enable

Ruijie(config-if-GigabitEthernet 0/25)#no nfpp dhcpv6-guard enable 

Ruijie(config-if-GigabitEthernet 0/25)#no nfpp icmp-guard enable

Ruijie(config-if-GigabitEthernet 0/25)#no nfpp ip-guard  enable        

Ruijie(config-if-GigabitEthernet 0/25)#no nfpp nd-guard  enable        

Ruijie(config-if-GigabitEthernet 0/25)#exit

Ruijie(config)# 

 

3. Increase the CPP ARP rate-limit threshold to 500 PPS (180 PPS by default) in case CPP drops the excess packets.

Ruijie(config)#cpu-protect type arp pps 500

 

V. Verification

1. How to display DAI status

2. How to display DHCP Snooping binding table

 

Scenario

802.1X authentication with ARP-check: In a network that has 802.1x authentication enabled, users must run 802.1X-compliant client software, such as the Ruijie supplicant SU or SA, and a DHCP server assigns IP addresses to users before authentication.

 

Merit: This is the simplest method for you to configure and maintain switches

Demerit: You must build your network with the Ruijie 802.1X-compliant client software SU/SA and a RADIUS server (for example, Ruijie SAM), and it consumes more hardware resources because it costs the switch one more security entry in hardware each time a user passes authentication. In addition, you must configure a global security tunnel to bypass DHCP packets, because users must acquire an IP address before 802.1X authentication.

 

I. Requirements

A DHCP server assigns IP addresses to users, and the administrator uses "802.1X authentication + ARP-check" to prevent ARP spoofing.

 

II. Network Topology

 

 

III. Configuration Tips

1. Enable basic dot1x authentication on access switch

2. Configure a global security tunnel to bypass DHCP packets

3. Modify authorization mode to "supplicant mode"

4. Enable arp-check on port connected to users

 

IV. Configuration Steps

Configuring access switch

1. Configure dot1x authentication on switch

 For complete information about 802.1x configuration ,see switch configuration guide , such as RG-S8600E Series Switches RGOS Configuration Guide

 

2. Configure a global security tunnel to bypass DHCP packets

Ruijie(config)#expert access-list extended dhcp

Ruijie(config-exp-nacl)#permit udp any any any any eq bootps      ------>bypass DHCP packets

Ruijie(config-exp-nacl)#exit

Ruijie(config)#security global access-group dhcp

 

3. Modify authorization mode to "supplicant mode"

Ruijie(config)#aaa authorization ip-auth-mode supplicant  

 

Note

If users want to use IPv6 addresses to access the network, you must enable IPv6 compatible mode on switches that have address-bind enabled. Perform this task:

Ruijie(config)#address-bind ipv6-mode ?

  compatible  IPV6 compatible mode  ------>compatible mode: bound users are allowed to access the network via an IPv6 address

  loose       IPV6 loose mode               ------>loose mode: all IPv6 users are allowed to access the network without restriction

  strict      IPV6 strict mode      (default: strict)------>strict mode: even bound users can't access the network via an IPv6 address; this is the default mode

Ruijie(config)#address-bind ipv6-mode compatible

 

4. Enable arp-check

Ruijie(config)#interface range g0/1-2

Ruijie(config-if-range)#arp-check     

Ruijie(config-if-range)#end

Ruijie#write

 

V. Verification

Ruijie(config)#show interfaces gigabitEthernet 0/1 arp-check list
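The following Python model is an added illustration, not part of the cookbook or of Ruijie's software: it shows what arp-check enforces on an access port once 802.1X in supplicant mode has installed a security entry (user IP and MAC per port). The binding table and the ARP packets are constructed sample data; the port names and MACs are invented for the example.

```python
"""Model of the arp-check port function (added illustration).

On a port with arp-check enabled, an ARP packet is forwarded only when its
sender IP/MAC pair matches a security entry installed for that port. In the
scenario above the entry comes from 802.1X in supplicant mode (the IP the
supplicant reports after DHCP); here the binding table is constructed data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Binding:
    """One security entry: user IP and MAC learned on an access port."""
    port: str
    ip: str
    mac: str


@dataclass(frozen=True)
class ArpPacket:
    """The fields of an ARP packet that arp-check inspects."""
    ingress_port: str
    sender_ip: str
    sender_mac: str


def normalize_mac(mac: str) -> str:
    """Compare MACs regardless of case and separator (00d0.f811.1111 == 00:D0:F8:11:11:11)."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def arp_check(table: List[Binding], pkt: ArpPacket) -> Tuple[bool, str]:
    """Return (forward?, reason) for one ARP packet arriving on an arp-check port."""
    port_bindings = [b for b in table if b.port == pkt.ingress_port]
    if not port_bindings:
        return False, "drop: no authenticated user on %s" % pkt.ingress_port
    for b in port_bindings:
        if b.ip == pkt.sender_ip and normalize_mac(b.mac) == normalize_mac(pkt.sender_mac):
            return True, "forward: sender %s/%s is bound on %s" % (
                pkt.sender_ip, pkt.sender_mac, pkt.ingress_port)
    return False, "drop: sender %s/%s matches no binding on %s" % (
        pkt.sender_ip, pkt.sender_mac, pkt.ingress_port)


def filter_arp(table: List[Binding], packets: List[ArpPacket]) -> Dict[str, List[str]]:
    """Run arp_check over a batch of packets and group the reasons by verdict."""
    result: Dict[str, List[str]] = {"forwarded": [], "dropped": []}
    for pkt in packets:
        ok, reason = arp_check(table, pkt)
        result["forwarded" if ok else "dropped"].append(reason)
    return result


# Constructed binding table: two users authenticated on g0/1 and g0/2 (the kind of
# entries "show interfaces gigabitEthernet 0/1 arp-check list" would display).
SAMPLE_BINDINGS = [
    Binding("GigabitEthernet 0/1", "192.168.10.11", "00d0.f811.1111"),
    Binding("GigabitEthernet 0/2", "192.168.10.12", "00d0.f822.2222"),
]

# Constructed ARP traffic: two legitimate packets, one whose sender field claims the
# gateway address 192.168.10.1 with the user's own MAC, and one from an unauthenticated port.
SAMPLE_PACKETS = [
    ArpPacket("GigabitEthernet 0/1", "192.168.10.11", "00:D0:F8:11:11:11"),
    ArpPacket("GigabitEthernet 0/2", "192.168.10.12", "00d0.f822.2222"),
    ArpPacket("GigabitEthernet 0/2", "192.168.10.1", "00d0.f822.2222"),
    ArpPacket("GigabitEthernet 0/3", "192.168.10.13", "00d0.f833.3333"),
]

if __name__ == "__main__":
    for verdict, reasons in filter_arp(SAMPLE_BINDINGS, SAMPLE_PACKETS).items():
        for reason in reasons:
            print(verdict, "-", reason)
```

The model also shows why the global security tunnel for DHCP is needed: a binding only exists after the user has an address and has authenticated, so a port with no binding drops everything except what the tunnel explicitly permits.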

2.8.5      VSD

Scenario

As the data center network expands, service types diversify and network management becomes more complicated, which raises the requirements on service isolation, security, and reliability. With the rapid development of hardware and the maturity of multi-chassis, clustered, and distributed routing and switching systems, the service processing capability of a single physical network device has reached a new level. It is therefore important to make full use of this capability, adapt to current service requirements, and allow smooth evolution for future expansion. Network device virtualization is a suitable method: it offers network users an easier form of virtualization that is not limited to specific services or channels but virtualizes the entire device.

Function Overview

The Virtual Switch Device (VSD) is a network system virtualization technology which divides a physical device into multiple logical devices. Each logical device is called a VSD. Each VSD has independent hardware and software resources, including independent interface resources, CPU resources, independently-maintained routing table and forwarding table, and its own administrator and configuration file. For users, each VSD is an independent device.

With VSD technology, a physical device can be virtualized into multiple logical devices, as shown in the following figure. A physical device can carry multiple network nodes in the logical topology, maximizing utilization of available resources and reducing network operation costs. Different VSDs can be deployed with different services to isolate services from one another's failures, improving the security and reliability of the network.

 

 

VSD Management

Out-of-band management is management through the mgmt interface. Inband management is management through an Ethernet physical interface.

 

 

I. Requirements

To carry multiple users on a network device, isolate management, simplify operation and maintenance, and isolate services, a network device with good performance is virtualized to multiple logical devices, making full use of device resources and ensuring strong scalability of the network. Services of virtual devices are managed independently of each other.

 

II. Network Topology

 

 

III. Configuration Tips

Install a VSD license.

Ruijie# configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Ruijie(config)# license install usb0:/LIC-VSD00000002328406.lic----> the VSD function requires a license

Success to install license file, service name: LIC-N18000-VSD.

 

Create VSD A.

Ruijie# configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Ruijie(config)# vsd VSDA

Ruijie(config-vsd)# allocate int gi 1/1

Moving ports will cause all config associated to them in source vsd to be removed. Are you sure

to move the ports? [yes] yes

Entire port-group is not present in the command. Missing ports will be included automatically

Ruijie(config-vsd)#

Create VSD B.

Ruijie# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Ruijie(config)# vsd VSDB

Ruijie(config-vsd)# allocate int gi 2/1

Moving ports will cause all config associated to them in source vsd to be removed. Are you sure

to move the ports? [yes] yes

Entire port-group is not present in the command. Missing ports will be included automatically

Ruijie(config-vsd)#

 

 

Create VSD C.

Ruijie# configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Ruijie(config)# vsd VSDC

Ruijie(config-vsd)# allocate int gi 3/1

Moving ports will cause all config associated to them in source vsd to be removed. Are you sure

to move the ports? [yes] yes

Entire port-group is not present in the command. Missing ports will be included automatically

Ruijie(config-vsd)#

Manage VSDs.

Configure VSD functions based on actual service planning requirements. (Omitted)

 

IV. Configuration Steps

Install a VSD license.

Create VSD A.

 

V. Verification

View division details of line cards on the VSD interface.

Ruijie-N18K#show vsd all

vsd_id: 0

vsd_name: Ruijie

vsd mac address: 00d0.f876.9888

interface:

GigabitEthernet 4/1                            GigabitEthernet 4/2                          

GigabitEthernet 4/3                            GigabitEthernet 4/4                           

GigabitEthernet 4/5                            GigabitEthernet 4/6                          

GigabitEthernet 4/7                            GigabitEthernet 4/8                          

GigabitEthernet 4/9                            GigabitEthernet 4/10                          

GigabitEthernet 4/11                           GigabitEthernet 4/12                         

GigabitEthernet 4/13                           GigabitEthernet 4/14                         

GigabitEthernet 4/15                           GigabitEthernet 4/16                         

GigabitEthernet 4/17                           GigabitEthernet 4/18                         

GigabitEthernet 4/19                           GigabitEthernet 4/20                         

GigabitEthernet 4/21                           GigabitEthernet 4/22                         

GigabitEthernet 4/23                           GigabitEthernet 4/24                          

GigabitEthernet 4/25                           GigabitEthernet 4/26                         

GigabitEthernet 4/27                           GigabitEthernet 4/28                         

GigabitEthernet 4/29                           GigabitEthernet 4/30                          

GigabitEthernet 4/31                           GigabitEthernet 4/32                         

GigabitEthernet 4/33                           GigabitEthernet 4/34                          

GigabitEthernet 4/35                           GigabitEthernet 4/36                         

GigabitEthernet 4/37                           GigabitEthernet 4/38                         

GigabitEthernet 4/39                           GigabitEthernet 4/40                         

GigabitEthernet 4/41                           GigabitEthernet 4/42                         

GigabitEthernet 4/43                           GigabitEthernet 4/44

GigabitEthernet 4/45                           GigabitEthernet 4/46                         

GigabitEthernet 4/47                           GigabitEthernet 4/48                       

slot:

slot 4

vsd_id: 1

vsd_name: VSDA

vsd mac address: 00d0.f876.988a

interface:

GigabitEthernet 1/1                            GigabitEthernet 1/2                          

GigabitEthernet 1/3                            GigabitEthernet 1/4                           

GigabitEthernet 1/5                            GigabitEthernet 1/6                          

GigabitEthernet 1/7                            GigabitEthernet 1/8                           

GigabitEthernet 1/9                            GigabitEthernet 1/10                         

GigabitEthernet 1/11                           GigabitEthernet 1/12                         

GigabitEthernet 1/13                           GigabitEthernet 1/14                         

GigabitEthernet 1/15                           GigabitEthernet 1/16                         

GigabitEthernet 1/17                           GigabitEthernet 1/18                         

GigabitEthernet 1/19                           GigabitEthernet 1/20                         

GigabitEthernet 1/21                           GigabitEthernet 1/22                         

GigabitEthernet 1/23                           GigabitEthernet 1/24                         

GigabitEthernet 1/25                           GigabitEthernet 1/26                         

GigabitEthernet 1/27                           GigabitEthernet 1/28                           

GigabitEthernet 1/29                           GigabitEthernet 1/30                         

GigabitEthernet 1/31                           GigabitEthernet 1/32                         

GigabitEthernet 1/33                           GigabitEthernet 1/34                         

GigabitEthernet 1/35                           GigabitEthernet 1/36                         

GigabitEthernet 1/37                           GigabitEthernet 1/38                         

GigabitEthernet 1/39                           GigabitEthernet 1/40                         

GigabitEthernet 1/41                           GigabitEthernet 1/42                         

GigabitEthernet 1/43                           GigabitEthernet 1/44

GigabitEthernet 1/45                           GigabitEthernet 1/46                         

GigabitEthernet 1/47                           GigabitEthernet 1/48

slot:

slot 1

vsd_id: 2

vsd_name: VSDB

vsd mac address: 00d0.f876.988c

interface:

GigabitEthernet 2/1                            GigabitEthernet 2/2                           

GigabitEthernet 2/3                            GigabitEthernet 2/4                          

GigabitEthernet 2/5                            GigabitEthernet 2/6                          

GigabitEthernet 2/7                            GigabitEthernet 2/8                          

GigabitEthernet 2/9                            GigabitEthernet 2/10                         

GigabitEthernet 2/11                           GigabitEthernet 2/12                          

GigabitEthernet 2/13                           GigabitEthernet 2/14                         

GigabitEthernet 2/15                           GigabitEthernet 2/16                         

GigabitEthernet 2/17                           GigabitEthernet 2/18                         

GigabitEthernet 2/19                           GigabitEthernet 2/20                         

GigabitEthernet 2/21                           GigabitEthernet 2/22                          

GigabitEthernet 2/23                           GigabitEthernet 2/24                         

GigabitEthernet 2/25                           GigabitEthernet 2/26                          

GigabitEthernet 2/27                           GigabitEthernet 2/28                         

GigabitEthernet 2/29                           GigabitEthernet 2/30                         

GigabitEthernet 2/31                           GigabitEthernet 2/32                         

GigabitEthernet 2/33                           GigabitEthernet 2/34                         

GigabitEthernet 2/35                           GigabitEthernet 2/36                          

GigabitEthernet 2/37                           GigabitEthernet 2/38                          

GigabitEthernet 2/39                           GigabitEthernet 2/40                         

GigabitEthernet 2/41                           GigabitEthernet 2/42                         

GigabitEthernet 2/43                           GigabitEthernet 2/44

GigabitEthernet 2/45                           GigabitEthernet 2/46                          

GigabitEthernet 2/47                           GigabitEthernet 2/48

slot:

slot 2

vsd_id: 3

vsd_name: VSDC

vsd mac address: 00d0.f876.988d

interface:

GigabitEthernet 3/1                            GigabitEthernet 3/2                          

GigabitEthernet 3/3                            GigabitEthernet 3/4                          

GigabitEthernet 3/5                            GigabitEthernet 3/6                           

GigabitEthernet 3/7                            GigabitEthernet 3/8                          

GigabitEthernet 3/9                            GigabitEthernet 3/10                          

GigabitEthernet 3/11                           GigabitEthernet 3/12                         

GigabitEthernet 3/13                           GigabitEthernet 3/14                         

GigabitEthernet 3/15                           GigabitEthernet 3/16                         

GigabitEthernet 3/17                           GigabitEthernet 3/18                         

GigabitEthernet 3/19                           GigabitEthernet 3/20                          

GigabitEthernet 3/21                           GigabitEthernet 3/22                         

GigabitEthernet 3/23                           GigabitEthernet 3/24                         

GigabitEthernet 3/25                           GigabitEthernet 3/26                         

GigabitEthernet 3/27                           GigabitEthernet 3/28                         

GigabitEthernet 3/29                           GigabitEthernet 3/30                         

GigabitEthernet 3/31                           GigabitEthernet 3/32                         

GigabitEthernet 3/33                           GigabitEthernet 3/34                         

GigabitEthernet 3/35                           GigabitEthernet 3/36                         

GigabitEthernet 3/37                           GigabitEthernet 3/38                          

GigabitEthernet 3/39                           GigabitEthernet 3/40                         

GigabitEthernet 3/41                           GigabitEthernet 3/42                         

GigabitEthernet 3/43                           GigabitEthernet 3/44

GigabitEthernet 3/45                           GigabitEthernet 3/46                         

GigabitEthernet 3/47                           GigabitEthernet 3/48

slot:

slot 3

 

 

Verify VSD login and management modes.

Ruijie# switchto vsd VSDA

***********************************************************************

Ruijie General Operating System Software

Copyright (c) 1998-2013s by Ruijie Networks.

All Rights Reserved.

Neither Decompiling Nor Reverse Engineering Shall Be Allowed.

***********************************************************************

Ruijie-VSDA> enable

Ruijie-VSDA#conf

Enter configuration commands, one per line.  End with CNTL/Z.

Ruijie-VSDA(config)#int mgmt 0

Ruijie-VSDA(config-if-Mgmt 0)#ip address 10.1.1.10 255.255.255.0

Ruijie-VSDA(config-if-Mgmt 0)#end   

Ruijie-VSDA#switchback

 

Ruijie# switchto vsd VSDB

***********************************************************************

Ruijie General Operating System Software

Copyright (c) 1998-2013s by Ruijie Networks.

All Rights Reserved.

Neither Decompiling Nor Reverse Engineering Shall Be Allowed.

***********************************************************************

Ruijie-VSDB> enable

Ruijie-VSDB#conf

Enter configuration commands, one per line.  End with CNTL/Z.

Ruijie-VSDB(config)#int mgmt 0

Ruijie-VSDB(config-if-Mgmt 0)#ip address 10.1.1.20 255.255.255.0

Ruijie-VSDB(config-if-Mgmt 0)#end

Ruijie-VSDB#switchback

 

Ruijie# switchto vsd VSDC

***********************************************************************

Ruijie General Operating System Software

Copyright (c) 1998-2013s by Ruijie Networks.

All Rights Reserved.

Neither Decompiling Nor Reverse Engineering Shall Be Allowed.

***********************************************************************

Ruijie-VSDC> enable

Ruijie-VSDC#conf

Enter configuration commands, one per line.  End with CNTL/Z.

Ruijie-VSDC(config)#int mgmt 0

Ruijie-VSDC(config-if-Mgmt 0)#ip address 10.1.1.30 255.255.255.0

Ruijie-VSDC(config-if-Mgmt 0)#end

Ruijie-VSDC#switchback

 

2.9       Common Feature

2.9.1      Ethernet Switching

2.9.1.1      Aggregate Port

Scenario

Multiple physical links can be bound into one logical link, called an aggregate port (hereinafter referred to as AP). Ruijie devices provide an AP function that complies with the IEEE 802.3ad standard. It can be used to expand link bandwidth and improve reliability. The AP function supports traffic balancing, distributing traffic across every member link, and link backup: when a member link in an AP is disconnected, the system automatically redistributes that link's traffic to the other active member links in the AP, except for the broadcast or multicast packets it received.

 

Dynamic mode and Static mode

1) If you configure the aggregate port mode to static on a port, the port becomes an AP member without any negotiation.

2) If you configure the aggregate port mode to dynamic with LACP (Link Aggregation Control Protocol), the port negotiates with the other end of the link whether to become an AP member.

 

An aggregate port member can be in one of three modes: Active, Passive and Static.

A port in active mode actively sends LACP packets to the peer.

A port in passive mode only responds when it receives LACP packets from the peer.

A port in static mode becomes an AP member without sending any LACP packets.

 

The following table describes which mode combinations on the two ends form an AP.

 

Aggregate Port Load Balancing

Traffic can be evenly distributed on the member links of an AP according to the features such as source MAC address, destination MAC address, combination of source MAC address and destination MAC address, source IP address, destination IP address, and combination of source IP address and destination IP address.

Note: By default, the load balancing method is src-dst-mac.

 

This example shows how to configure the load balancing method:

Ruijie(config)#aggregateport load-balance ?

  dst-ip             Destination IP address

  dst-mac            Destination MAC address

  help               Help information

  mpls-label         Mpls label

  src-dst-ip         Source and destination IP address

  src-dst-ip-l4port  Source and destination IP address, source and

                     destination L4port

  src-dst-mac        Source and destination MAC address

  src-ip             Source IP address

  src-mac            Source MAC address

  src-port           Source port

  Ruijie(config)#aggregateport load-balance   src-dst-ip  ------>recommended
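The following Python model is an added illustration, not code from the cookbook or from Ruijie: it shows why the choice of load-balance method matters. A member link is selected by hashing the chosen header fields modulo the number of member links; CRC32 stands in here for the switch's hardware hash, and the flows are constructed sample traffic. On a core-to-core AP that carries routed traffic, every frame has the router's MAC as source, so src-mac (and src-dst-mac) yield a single hash key and all traffic lands on one member link, while src-dst-ip gives one key per host pair and can use all links.

```python
"""Added illustration of AP load balancing: the member link for a frame is
chosen by hashing the selected header fields modulo the number of member
links. CRC32 stands in for the switch's hardware hash; the flows are
constructed sample data."""
import zlib
from collections import Counter
from typing import Dict, List, Tuple

# (src_mac, dst_mac, src_ip, dst_ip)
Flow = Tuple[str, str, str, str]

# Which tuple positions each load-balance method feeds into the hash.
METHOD_FIELDS = {
    "src-mac": (0,),
    "dst-mac": (1,),
    "src-dst-mac": (0, 1),
    "src-ip": (2,),
    "dst-ip": (3,),
    "src-dst-ip": (2, 3),
}


def hash_key(flow: Flow, method: str) -> str:
    """Concatenate the header fields the chosen method hashes."""
    return "|".join(flow[i] for i in METHOD_FIELDS[method])


def select_member(flow: Flow, method: str, members: int) -> int:
    """Pick the member link index (0 .. members-1) for this flow."""
    return zlib.crc32(hash_key(flow, method).encode()) % members


def distribution(flows: List[Flow], method: str, members: int) -> Dict[int, int]:
    """Count how many flows land on each member link."""
    counts = Counter(select_member(f, method, members) for f in flows)
    return {i: counts.get(i, 0) for i in range(members)}


def distinct_keys(flows: List[Flow], method: str) -> int:
    """Number of distinct hash inputs: an upper bound on how many links can carry traffic."""
    return len({hash_key(f, method) for f in flows})


def links_in_use(dist: Dict[int, int]) -> int:
    """How many member links received at least one flow."""
    return sum(1 for n in dist.values() if n > 0)


def build_sample_flows() -> List[Flow]:
    """Constructed traffic on a core-to-core AP: 16 hosts reach 4 servers
    through a router, so every frame carries the router's MAC as source and
    the far-side gateway MAC as destination (MACs and IPs are invented)."""
    router_mac = "00d0.f8aa.0001"
    gateway_mac = "00d0.f8bb.0001"
    return [(router_mac, gateway_mac, f"10.1.1.{i}", f"10.2.2.{(i % 4) + 1}")
            for i in range(1, 17)]


if __name__ == "__main__":
    flows = build_sample_flows()
    for method in ("src-mac", "src-dst-mac", "dst-ip", "src-dst-ip"):
        dist = distribution(flows, method, 2)
        print(f"{method:12s} distinct keys={distinct_keys(flows, method):2d} per-link={dist}")
```

Before choosing a method, count the distinct values the hashed fields actually take on the link in question; with fewer distinct keys than member links, some links necessarily stay idle.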

 

Attention:

1. You must configure the same speed, duplex and media type on both ends of the AP. You cannot put a copper port and an optical port in the same AP.

2. You can only put L2 ports in an L2 AP and L3 ports in an L3 AP. You cannot change a port from L2 to L3, or from L3 to L2, after you have put it in an AP.

3. A Ruijie switch supports at most 8 member ports in an AP.

4. After you finish configuring the AP, use the "interface aggregateport x/x" command to manage the AP. You can no longer manage the AP members independently.

Layer 2 Aggregate Port (Static and Dynamic)

I. Requirements

Enable Layer 2 AP on the ports between two Core switches to expand inter-connection bandwidth and ensure a high available network. Use src-mac load balance method.

 

II. Network Topology

 

III. Configuration Tips

1. Put the AP member ports in the specified AP

2. Configure the AP as a Trunk

3. Modify the load balance method

 

IV. Configuration Steps

Static mode:

SW1

SW1>enable

SW1#configure terminal

SW1(config)#interface range gigabitEthernet 0/1-2     ------>configure a range of interfaces with the same command

SW1(config-if-range)#port-group 1                             ------>put G0/1 and G0/2 in AP 1 in static mode

SW1(config-if-range)#exit

SW1(config)#interface aggregateport 1                       

SW1(config-if-AggregatePort 1)#switchport mode trunk  ------>configure AP 1 as Trunk

SW1(config-if-AggregatePort 1)#exit

SW1(config)#aggregateport load-balance src-mac        ------>modify load balance method to Src-MAC. By default, it is Src-Dst-MAC.

SW1(config)#exit

SW1#wr

 

SW2

SW2>enable

SW2#configure terminal

SW2(config)#interface range gigabitEthernet 0/1-2

SW2(config-if-range)#port-group 1

SW2(config-if-range)#exit

SW2(config)#interface aggregateport 1

SW2(config-if-AggregatePort 1)#switchport mode trunk

SW2(config-if-AggregatePort 1)#exit

SW2(config)#aggregateport load-balance src-mac

SW2(config)#exit

SW2#wr

 

Dynamic mode:

SW1(config)#interface range gigabitEthernet 0/1-2    

SW1(config-if-range)#port-group 1 mode active                            ------>put G0/1 and G0/2 in AP 1 in dynamic mode

SW1(config-if-range)#exit

SW1(config)#interface aggregateport 1                       

SW1(config-if-AggregatePort 1)#switchport mode trunk                ------>configure AP 1 as Trunk

SW1(config-if-AggregatePort 1)#exit

SW2 is the same.

 

3. This example shows how to configure an L2 AP in static mode when connecting a Ruijie switch to a Cisco switch

Cisco

interface Port-channel1

switchport mode access

interface FastEthernet0/1

switchport mode access

channel-group 1 mode on

interface FastEthernet0/2

switchport mode access

channel-group 1 mode on

 

Ruijie :

interface AggregatePort 1

interface FastEthernet 0/1

port-group 1

interface FastEthernet 0/2

port-group 1

 

4. This example shows how to configure an L2 AP in dynamic mode when connecting a Ruijie switch to a Cisco switch

Cisco

interface Port-channel1

switchport mode access

interface FastEthernet0/1

switchport mode access

channel-group 1 mode active

interface FastEthernet0/2

switchport mode access

channel-group 1 mode active

 

Ruijie :

interface FastEthernet 0/1

port-group 1 mode active

interface FastEthernet 0/2

port-group 1 mode active

 interface AggregatePort 1

 

V. Verification

1. How to display status of aggregate port

 

2. How to display information of AP 1

 

3. How to display the load balance method

Layer 3 Aggregate Port (Static and Dynamic)

I. Requirements

Enable a Layer 3 AP on the ports between two Core switches to expand inter-connection bandwidth and ensure a highly available network. Use the src-dst-ip load balance method.

 

II. Network Topology

 

III. Configuration Tips

1. First, create an AP and convert it to an L3 AP, then assign an IP address to it.

2. Convert the AP members to L3 ports.

3. Put the AP members in the AP.

4. Modify the load balance method.

Note: You must follow the tips above in this order; otherwise the L3 AP configuration may fail.

 

IV. Configuration Steps

SW1

SW1>enable

SW1#configure terminal

SW1(config)#interface aggregateport 1

SW1(config-if-AggregatePort 1)#no switchport                                    ------>convert AP 1 from L2 to L3

SW1(config-if-AggregatePort 1)#ip address 1.1.1.1 255.255.255.0 

SW1(config-if-AggregatePort 1)#exit

SW1(config)#interface range gigabitEthernet 0/23-24                          ------>configure a range of interfaces with the same commands

SW1(config-if-range)#no switchport                                                    ------>convert AP members to layer 3

SW1(config-if-range)#medium-type fiber

SW1(config-if-range)#port-group 1 mode active                                  ------>put G0/23 and G0/24 in AP 1 in active mode

SW1(config-if-range)#exit

SW1(config)#aggregateport load-balance src-dst-ip                    ------>modify load balance method to Src-Dst-IP

 

------------------------------------------------------------------------------------------

or

SW1(config-if-range)#port-group 1                                                    ------>put G0/23 and G0/24 in AP 1 in static mode

SW1(config-if-range)#end

 

SW2

SW2>enable

SW2#configure terminal

SW2(config)#interface aggregateport 1

SW2(config-if-AggregatePort 1)#no switchport

SW2(config-if-AggregatePort 1)#ip address 1.1.1.2 255.255.255.0

SW2(config-if-AggregatePort 1)#exit

SW2(config)#interface range gigabitEthernet 0/23-24

SW2(config-if-range)#no switchport

SW2(config-if-range)#medium-type fiber

SW2(config-if-range)#port-group 1 mode active

SW2(config-if-range)#exit

SW2(config)#aggregateport load-balance src-dst-ip

 

----------------------------------------------------------------------------------------

or

SW2(config-if-range)#port-group 1

SW2(config-if-range)#end

 

V. Verification

1. When both ends negotiate successfully and join the AP, the system prints the following messages:

*Dec 17 13:23:52: %LLDP-4-ERRDETECT: Link aggregation for the port GigabitEthernet 0/23 may not match with one for the neighbor port.

*Dec 17 13:23:52: %LLDP-4-ERRDETECT: Link aggregation for the port GigabitEthernet 0/24 may not match with one for the neighbor port.

*Dec 17 13:23:59: %LACP-5-ATTACH: Interface GigabitEthernet 0/23 attached to AggregatePort 1.

*Dec 17 13:23:59: %LACP-5-ATTACH: Interface GigabitEthernet 0/24 attached to AggregatePort 1.

*Dec 17 13:24:00: %LACP-5-BUNDLE: Interface GigabitEthernet 0/23 joined AggregatePort 1.

*Dec 17 13:24:00: %LACP-5-BUNDLE: Interface GigabitEthernet 0/24 joined AggregatePort 1.

*Dec 17 13:24:02: %LINK-3-UPDOWN: Interface AggregatePort 1, changed state to up.

*Dec 17 13:24:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface AggregatePort 1, changed state to up.

 

2. How to display status of all AP

3. How to display information of AP 1

 

2.9.1.2      Super VLAN

Scenario

The Super VLAN function economizes IP address resources, contains broadcast storms, limits the spread of virus attacks, and controls L2 access on the ports. The function is suitable for large L2 environments with many users and VLANs whose IP addresses are all on the same network segment, where L2 segmentation and mutual access between certain VLANs (ARP aging for the corresponding sub VLANs) are required. Common application scenarios include broadband access in hotels and residential areas and campus networks run cooperatively by telecom carriers and colleges. In these scenarios, each room or household uses one VLAN, isolated from the others. However, because IP address resources are limited, it is impossible to allocate a network segment to each VLAN; a group of VLANs needs to share one network segment. For example, if VLAN 10 is allocated the network segment 10.10.10.0/24 but the household uses only one or two IP addresses, over 200 IP addresses are wasted. In addition, unified IP addressing simplifies network management for maintenance personnel.

The Super VLAN solution is suitable for small- and medium-sized networks that require L2/L3 segmentation. Super VLAN is a function provided by an L3 switch and is implemented at L3. Private VLAN is a function provided by an L2 switch. Compared with Private VLAN, Super VLAN features simpler configuration but lower access control flexibility. To query temporarily offline users within a Super VLAN, the gateway needs to initiate a broadcast within each sub VLAN, and the process may consume considerable CPU resources on the device.

 

I. Networking Requirements

Core switch A serves as the user gateway and is connected to the access devices Switch B, Switch C, and Switch D through the Trunk ports. L2 network segmentation is implemented through VLAN setup for access users. All VLAN users share one IP gateway for L3 communication and Internet access.

 

II. Network Topology

III. Configuration Tips

1. On the access devices (Switch B, Switch C, and Switch D), configure only common VLANs (VLAN 10, VLAN 20, and VLAN 30 in this example).

2. On the user gateway device, create a Super VLAN and set the VLAN 10, VLAN 20, and VLAN30 of the access devices as sub VLANs.

3. Set the SVI port for the Super VLAN and specify IP address ranges for each sub VLAN.

IV. Configuration Steps

On the core switch (Switch A), perform the following steps:

1. Create VLAN 2, VLAN 10, VLAN 20, and VLAN 30.

Ruijie#configure terminal

Ruijie(config)#vlan 2

Ruijie(config-vlan)#exit

Ruijie(config)#vlan 10

Ruijie(config-vlan)#exit

Ruijie(config)#vlan 20

Ruijie(config-vlan)#exit

Ruijie(config)#vlan 30

Ruijie(config-vlan)#exit

 

2. Set VLAN 2 as the Super VLAN and VLAN 10, VLAN 20, and VLAN 30 as its sub VLANs.

Ruijie(config)#vlan 2

Ruijie(config-vlan)#supervlan  ----->configure Vlan2 as Super vlan

Ruijie(config-vlan)#subvlan 10,20,30   -----> a VLAN that has an SVI cannot be added as a sub VLAN; run "no interface vlan vlan-id" to remove the SVI before adding it as a sub VLAN

Ruijie(config-vlan)#exit

On a non-simplified network (gateway mode), Super VLAN broadcast packets are replicated to all its sub VLANs. Therefore, if a Super VLAN is configured with too many sub VLANs, the performance is undermined. Considering the packet forwarding performance, it is recommended that a Super VLAN is configured with no more than 200 sub VLANs.

3. Set the L3 virtual interface for the Super VLAN 2. The users of the sub VLANs of the Super VLAN 2 communicate through the configured interface.

Ruijie(config)#interface vlan 2    ----->configure svi interface

Ruijie(config-if-VLAN 2)#ip address 192.168.1.1 255.255.255.0

 

4. Set the IP address range of the sub VLAN 10 to 192.168.1.10 to 192.168.1.50, that of sub VLAN 20 to 192.168.1.60 to 192.168.1.100, and that of sub VLAN 30 to 192.168.1.110 to 192.168.1.150.

Ruijie(config)#vlan 10

Ruijie(config-vlan)#subvlan-address-range 192.168.1.10 192.168.1.50

Ruijie(config-vlan)#exit

Ruijie(config)#vlan 20

Ruijie(config-vlan)#subvlan-address-range 192.168.1.60 192.168.1.100

Ruijie(config-vlan)#exit

Ruijie(config)#vlan 30

Ruijie(config-vlan)#subvlan-address-range 192.168.1.110 192.168.1.150

 

5. Set the ports Gi 1/1, Gi 1/5, and Gi 1/9 as the Trunk ports for connecting Switch B, Switch C, and Switch D.

Ruijie(config)#interface range gigabitEthernet 1/1,1/5,1/9

Ruijie(config-if-range)#switchport mode trunk

 

6. Save the configurations.

Ruijie(config-if-range)#end

Ruijie#write

 

Note:

1. By default, the Super VLAN ARP proxy function is enabled on the switch. In this case, users in different sub VLANs can access each other. To prevent access between sub VLANs, disable the ARP proxy function of the Super VLAN.

Ruijie(config)#vlan 2 

Ruijie(config-vlan)#no proxy-arp

Ruijie(config-vlan)#end

 

2. In a DHCP environment, you do not have to specify the IP address range for a sub VLAN.

In this case, the IP addresses are randomly allocated within one sub VLAN. The VLAN of the port connecting the access switch determines the home sub VLAN of a PC.

Ruijie(config)#vlan 10

Ruijie(config-vlan)#subvlan-address-range 192.168.1.10 192.168.1.50

Ruijie(config-vlan)#vlan 20

Ruijie(config-vlan)#subvlan-address-range 192.168.1.60 192.168.1.100

Ruijie(config-vlan)#vlan 30

Ruijie(config-vlan)#subvlan-address-range 192.168.1.110 192.168.1.150

 

3. Disable broadcast storm prevention on the connecting port of the access switch.

When a user on another network segment accesses a user in the Super VLAN and the switch has no ARP entry for the destination, it must resolve the destination's ARP before forwarding the IP packet; because the Super VLAN has no ARP information for that host, the switch sends ARP requests to all sub VLANs of the Super VLAN. If the Super VLAN is configured with many sub VLANs, it has to send a large number of ARP packets.

In a DHCP environment, if there are too many sub VLANs in the Super VLAN, the number of broadcast packets sent on each sub VLAN is large as well, because each broadcast packet is replicated to every sub VLAN.

In this case, if the broadcast storm prevention function is enabled on the corresponding port of the access switch, some broadcast packets, including DHCP or ARP packets, are discarded. To prevent this, it is recommended to disable the broadcast storm prevention function on that port of the access switch. For details, see Storm Control.

4. A Super VLAN is subject to the following restrictions:
a. A Super VLAN does not have physical interfaces as its direct member. A Super VLAN is configured with only sub VLANs and a sub VLAN contains physical interfaces.

b. A Super VLAN cannot be configured as a sub VLAN of another Super VLAN.

c. VLAN 1 cannot be configured as a Super VLAN.

d. A sub VLAN cannot be configured as a network interface and cannot be allocated with an IP address.

V. Verification

Check the Super VLAN.

Ruijie#show supervlan

supervlan id  supervlan arp-proxy  subvlan id  subvlan arp-proxy  subvlan ip range
------------  -------------------  ----------  -----------------  ------------------------------
2             ON                   10          ON                 192.168.1.10 - 192.168.1.50
                                   20          ON                 192.168.1.60 - 192.168.1.100
                                   30          ON                 192.168.1.110 - 192.168.1.150

 

2.9.1.3      QinQ

Scenario

Business users of a network service provider usually have special requirements on the number of supported VLANs and on the VLAN IDs. The VLAN range required by one user of a service provider may overlap with the VLAN range required by another user. In addition, the switching channels of the VLANs of different users may mix on the core network of the service provider. However, if each user is assigned a fixed VLAN range, the user configuration is restricted and the number of VLANs easily exceeds the limit of 4096 defined in 802.1Q. Using the IEEE 802.1Q Tunneling function, the service provider can use one VLAN (the service provider VLAN) to carry multiple user VLANs. The user VLANs are preserved, so even users of the service provider that use the same VLAN IDs are segregated on the provider's internal network. The tunneling function extends the VLAN range by using double tags. The maximum number of VLANs provided by a tunnel port (a port that supports IEEE 802.1Q Tunneling) reaches 4K*4K. When configuring a tunnel, you can assign a VLAN to the tunnel port as its dedicated VLAN. In this case, the cascaded user networks require only one service provider VLAN. The user traffic is packed into double-tag frames by the service provider VLAN during transmission on the service provider network. The two layers of tags of QinQ packets are transmitted on the carrier network. The inner tags are transmitted transparently, which makes the technique simple and practical. It can serve as an extension of core MPLS VPN in Metro Ethernet VPN and become an end-to-end VPN technology.

As shown in Figure 1, the packets from Network A's VLAN 1001 are added with the outer VLAN tag 1005 before entering the ISP's network. Hence, the packets carry two tags and are propagated in the ISP's network by the outer VLAN tag 1005. The outer VLAN tag 1005 is stripped when the packets leave the ISP's network. In Network B, the packets are propagated by VLAN tag 1001.

Figure 1-1 QinQ sketch map

 

The following figure illustrates the process of adding two tags. The ingress of the edge device is a dot1q-tunnel port (abbreviated as tunnel port). All frames entering the edge device are considered untagged, no matter whether they are really untagged or carry an 802.1Q tag, and are then encapsulated with the tag of the ISP. The VLAN ID of that tag is the default VLAN of the tunnel port.

Figure 1-2 Double-Tag packet structure

The captured message format is shown in the figure above.

Note

1. N18000-CB products do not support the flexible QinQ function or the VLAN MAPPING function. N18000-CB products support 3 TPIDs in the global configuration mode, namely, 0x8100, 0x8100, and 0x8100.

2. N18000-ED/DB products support 4 TPID values in the global configuration mode, namely, 0x8100 and 3 any values.

 

QinQ Port

Ruijie has introduced two new bridge interfaces, Dot1q-Tunnel and Uplink, in its QinQ implementation. The following figure shows the application model:

In the preceding figure, the customer bridged LAN connects to the provider bridged network through the Customer Bridge (CB) and the Provider Bridge (PB). The service provider provides different services and links to different customers. Data are forwarded on the customer bridged LAN with C-TAGs and are added with (or stripped of) S-TAGs on the customer network port for transmission on the service provider network. Data forwarding on the provider bridged network is transparent compared with data transmission on the customer bridged LAN.

 

Tunnel Port

Using the IEEE 802.1Q Tunneling function, the service provider can use one VLAN (the service provider VLAN) to carry multiple user VLANs. The user VLANs are preserved, so even users of the service provider that use the same VLAN IDs are segregated on the provider's internal network. The tunneling function extends the VLAN range by using double tags. The port that supports IEEE 802.1Q Tunneling is called a tunnel port. When configuring a tunnel, you can assign a VLAN to the tunnel port as its dedicated VLAN. In this case, the cascaded user networks require only one service provider VLAN. The user traffic is packed into double-tag frames by the service provider VLAN during transmission on the service provider network.

 

Uplink port

An uplink port is essentially a special trunk port. The difference is that packets output from the uplink port are always tagged, whereas packets output from a trunk port are untagged when they are forwarded from the native VLAN. A typical example is the port of a user network that connects to an ISP network.

 

QinQ Classification

Basic QinQ

Basic QinQ is enabled per port. When a tunnel port is configured, the device adds the VLAN tag of the tunnel port's default VLAN to every packet arriving at the tunnel port. If the packet already carries a VLAN tag, it then has two tags. Basic QinQ is simple, but the encapsulation of the outer VLAN tag is not flexible.

 

Flexible QinQ

Flexible QinQ can encapsulate different outer VLAN tags for different flows, classifying the flows by user VLAN tag, MAC address, IP protocol, source address, destination address, priority or application port number.

 

You can:

- Add outer VLAN tag by inner VLAN tag

- Modify inner VLAN tag by outer VLAN tag

- Modify outer VLAN tag by inner VLAN tag

- Add outer VLAN tag by ACL

- Modify outer VLAN tag by ACL

- Modify inner VLAN tag by ACL

 

Restriction of QinQ Configuration

 

The following restrictions apply to QinQ configuration:

- Routed ports cannot be configured as tunnel ports.

- The 802.1x function cannot be enabled on a port configured as a tunnel port.

- Port security cannot be enabled on a port configured as a tunnel port.

- For an ACL applied on the tunnel port, the inner keyword is necessary to match the VID of the user tag.

- It is recommended to configure the egress of the user network connecting to the ISP network as an uplink port as well. If the TPID of the ISP tag is set on the QinQ-enabled port of the user network, the TPID of the ISP tag on the uplink port should be set to the same value.

- QinQ does not support hot backup.

- The MTU of a port is 1500 bytes by default. A packet grows by 4 bytes when the outer VLAN tag is added. It is recommended to increase the MTU of the ports in the ISP network accordingly, to at least 1504 bytes.

- Once QinQ is enabled on a port, to enable IGMP Snooping you need to set the SVGL sharing mode; otherwise IGMP Snooping does not function on the port with QinQ enabled.
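To make the double-tag structure, the TPID choice and the MTU restriction concrete, the following Python example (added here, not code from the Ruijie documentation) pushes an ISP tag onto a customer frame the way a tunnel port does and parses the tag stack back, accepting the default TPID 0x8100 as well as the 0x9100 value used for third-party interworking. The MAC addresses and payload are constructed sample values; the VIDs 1001 and 1005 are those of Figure 1-1.

```python
import struct

# Tag Protocol Identifiers this parser treats as a VLAN tag:
# 0x8100 is the 802.1Q default (and the Ruijie default), 0x9100 is the value
# set with "frame-tag tpid 9100" to interwork with third-party devices, and
# 0x88A8 is the IEEE 802.1ad S-TAG value (added here for completeness).
TPIDS = {0x8100, 0x9100, 0x88A8}
DEFAULT_MTU = 1500  # default port MTU from the QinQ restrictions


def build_tag(vid, tpid=0x8100, pcp=0, dei=0):
    """4-byte 802.1Q tag: TPID, then TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return struct.pack("!HH", tpid, tci)


def push_outer_tag(frame, outer_vid, tpid=0x8100):
    """Basic QinQ on a dot1q-tunnel port: insert the ISP tag right after the
    MAC addresses whether or not the frame already carries a customer tag."""
    return frame[:12] + build_tag(outer_vid, tpid) + frame[12:]


def pop_outer_tag(frame):
    """Remove the outermost tag, as a trunk/hybrid port does for its untagged VLANs."""
    tags, _, _ = parse_tags(frame)
    if not tags:
        return frame
    return frame[:12] + frame[16:]


def parse_tags(frame):
    """Walk the tag stack that follows the MAC addresses.
    Returns (tags, ethertype, payload); tags is a list of (tpid, vid),
    outermost first, so a QinQ frame yields two entries."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    offset, tags = 12, []
    while True:
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in TPIDS:
            break
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append((ethertype, tci & 0x0FFF))
        offset += 4
    return tags, ethertype, frame[offset + 2:]


def required_mtu(frame):
    """Port MTU needed to carry this frame: each tag beyond the first adds 4 bytes,
    which is why ISP-side ports should allow at least 1504 bytes."""
    tags, _, _ = parse_tags(frame)
    return DEFAULT_MTU + 4 * max(0, len(tags) - 1)


# Constructed sample: a Network A frame already tagged with C-VLAN 1001
# (Figure 1-1), EtherType IPv4, 46 bytes of dummy payload; addresses are made up.
CUSTOMER_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                  + build_tag(1001) + struct.pack("!H", 0x0800) + b"\x00" * 46)


def demo(tpid=0x8100):
    """Push S-VLAN 1005 as the ISP edge would, then read the stack back."""
    double = push_outer_tag(CUSTOMER_FRAME, 1005, tpid)
    tags, ethertype, _ = parse_tags(double)
    return tags, ethertype, len(double) - len(CUSTOMER_FRAME), required_mtu(double)
```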

 

2.9.1.3.1      Basic QinQ

I. Networking Requirements

Customer PCs on VLAN 10 and VLAN 20 are connected to the access switch. The Trunk port of the access switch is connected to the convergence switch. The convergence switch requires basic QinQ functions and adds the external tag VLAN 1000 to the tagged data streams forwarded from access users.

II. Network Topology

III. Configuration Tips

1. On the convergence switch, set the port that connects the carrier network as an uplink port and configure the QinQ function on the port that connects the access switch.

2. On the access switch, create the related VLANs, set the port that connects users as an access port and the port that connects the convergence switch as a trunk port.

IV. Configuration Steps

On the convergence switch, perform the following steps:

1. Create the external VLAN 1000.

Ruijie#configure terminal

Ruijie(config)#vlan 1000

Ruijie(config-vlan)#exit

Ruijie(config)#

 

2. Enable the basic QinQ functions on the port that connects the access switch.

Ruijie(config)#interface gigabitEthernet 1/1

Ruijie(config-if-GigabitEthernet 1/1)#switchport mode dot1q-tunnel ----->configure interface G1/1 as dot1q-tunnel

Ruijie(config-if-GigabitEthernet 1/1)#switchport dot1q-tunnel native vlan 1000  ----->configure vid of dot1q-tunnel as 1000

Ruijie(config-if-GigabitEthernet 1/1)#switchport dot1q-tunnel allowed vlan add untagged 1000

 

3. Set the port that connects the carrier network as an uplink port.

Ruijie(config)# interface gigabitEthernet 1/2

Ruijie(config-if-GigabitEthernet 1/2)#switchport mode uplink

 

4. On the uplink port, modify the TPID value of output packets to a value that third-party devices recognize, which is 0x9100 here. (This step is optional. The default TPID for Ruijie devices is 0x8100.) The TPIDs of devices vary with the manufacturer. For example, the default TPID for Huawei devices is 0x9100. To interconnect with Huawei devices, you need to change the TPID to 0x9100.

Ruijie(config-if-GigabitEthernet 1/2)#frame-tag tpid 9100

 

On the access switch, perform the following steps:

Ruijie(config)#vlan range 10,20 

Ruijie(config-vlan-range)#exit

Ruijie(config)#interface range f0/1-12

Ruijie(config-if-range)#switchport access vlan 10

Ruijie(config-if-range)#exit

Ruijie(config)#interface range f0/13-24

Ruijie(config-if-range)#switchport access vlan 20

Ruijie(config-if-range)#exit

Ruijie(config)#interface gigabitEthernet 0/25

Ruijie(config-if-GigabitEthernet 0/25)#switchport mode trunk

Ruijie(config-if-GigabitEthernet 0/25)#end

 

Note:

1. In a QinQ configuration model, if the uplink port that connects the edge device to the service provider network is a Trunk port or Hybrid port, do not set the native VLAN of the Trunk port or Hybrid port to the default VLAN of the tunnel port, because when a packet is output on the Trunk port or Hybrid port, the tag containing its native VLAN ID is removed from the packet.

2. When the QinQ function is enabled, the device encapsulates user packets with the external VLAN tag, rather than forwarding the packets based on the original VLAN specified in the packets. Therefore, you do not have to create VLANs for users on the device. (The configuration of user VLANs has no influence on the network.)

3. An uplink port is a special Trunk port. The difference is that packets sent from an uplink port are tagged, while packets sent from a Trunk port are untagged if they are forwarded by the native VLAN.

4. In a basic QinQ configuration, the port adds the external tag to the received packets no matter whether they are tagged or not. If the received packet has a VLAN tag, the packet becomes a double-tag packet. If the received packet does not have a VLAN tag, the packet becomes a packet with the default VLAN tag.

5. The basic QinQ function does not support the identification and retention of management VLAN tags without adding external tags during packet forwarding.

6. At present, no Ruijie switch supports the termination of QinQ tags. That is, the two layers of tags cannot be resolved on one switch. To resolve two layers of tags, you need to add a switch.

V. Verification

1. Check whether the QinQ function is enabled on the port.

2. Check the TPID value on the port.

 

2.9.1.3.2      Flexible QinQ - VID-Based QinQ

I. Networking Requirements

1. The convergence switch implements flexible QinQ based on user VLAN tag classification. Add the external tag VLAN 101 to data streams from user VLANs 101 to 200, and the external tag VLAN 201 to data streams from user VLANs 201 to 300.

2. Manage the access switches. The management VLAN is 500. Data streams from the VLAN are forwarded without adding external tags and their original tags are retained.

II. Network Topology

III. Configuration Tips

1. On the convergence switch, configure user VLAN tag-based flexible QinQ on the port that connects the floor distribution switch.

Flexible QinQ planning on user VLAN tag-based data stream tagging with external VLANs

Device              Service                            User VLAN Tag  External VLAN Tag  Classification Rules
Convergence switch  Internet access service for users  101-200        101                User VLAN scope
Convergence switch  Internet access service for users  201-300        201                User VLAN scope

2. Set the management VLAN on the floor distribution switch to a native VLAN and the management VLAN on the access switch to the native VLAN of dot1q-tunnel.

IV. Configuration Steps

On the convergence switch, perform the following steps:

1. Create ISP VLANs 101 and 201 to identify different service data types.

Ruijie#configure terminal

Ruijie(config)#vlan 101

Ruijie(config-vlan)#exit

Ruijie(config)#vlan 201

Ruijie(config-vlan)#exit

Ruijie(config)#vlan 500

Ruijie(config-vlan)#exit

 

2. On the downlink port of the convergence switch, configure the flexible QinQ function for adding external VLAN tags based on the user VLAN.

Ruijie(config)#interface  gigabitEthernet 1/1

Ruijie(config-if-gigabitEthernet 1/1)# switchport mode dot1q-tunnel   

Ruijie(config-if-gigabitEthernet 1/1)# switchport dot1q-tunnel allowed vlan add untagged 101,201,500   

Ruijie(config-if-gigabitEthernet 1/1)# dot1q outer-vid 101 register inner-vid 101-200    

Ruijie(config-if-gigabitEthernet 1/1)# dot1q outer-vid 201 register inner-vid 201-300   

Ruijie(config-if-gigabitEthernet 1/1)# switchport dot1q-tunnel native vlan 500    

Ruijie(config)# interface gigabitEthernet 1/2

Ruijie(config-if-GigabitEthernet 1/2)#switchport mode uplink

 

On the access switch, perform the following steps:

1. Create the user VLANs based on the user ports and configure the management VLAN and management IP address.

2. Set the uplink port as a Trunk port and set the native VLAN to VLAN 500.

Ruijie(config)# interface gigabitEthernet 0/25

Ruijie(config-if-GigabitEthernet 0/25)#switchport mode trunk

Ruijie(config-if-GigabitEthernet 0/25)#switchport trunk native vlan 500

Ruijie(config-if-GigabitEthernet 0/25)#end

 

Note:

1. An uplink port is a special Trunk port. The difference is that packets sent from an uplink port are tagged, while packets sent from a Trunk port are untagged if they are forwarded by the native VLAN.

2. The flexible QinQ function allows the retention of management VLAN tags without adding external tags during packet forwarding.

3. At present, no Ruijie switch supports the termination of QinQ tags. That is, the two layers of tags cannot be resolved on one switch. To resolve two layers of tags, you need to add a switch.

4. An external tag can be the same as or different from the internal tag. (For example, in this example the internal tags range from 101 to 200 and the external tag is 101.)

5. If the customer has two management VLANs, and tags of both management VLANs in the data streams are to be retained without adding the streams with external tags, do as follows:

1. Network topology

2. Customer requirement

The customer has two management VLANs. One is the wireless AP management VLAN 400 and the other is the access switch management VLAN 500. Data streams tagged with either of the two VLANs are to be forwarded directly without being added with external tags.

For data streams tagged with user VLANs, add external tags VLAN 1000.

3. Run the switch configuration commands.

The convergence switch configuration commands are as follows:

vlan 400

vlan 500

vlan 1000     

interface GigabitEthernet 1/1                                            

switchport mode dot1q-tunnel  

switchport dot1q-tunnel allowed vlan add tagged 400 

switchport dot1q-tunnel allowed vlan add untagged 500,1000  

switchport dot1q-tunnel native vlan 500  

dot1q outer-vid 400 register inner-vid 400 

dot1q outer-vid 1000 register inner-vid 10,20  

interface GigabitEthernet 1/2

switchport mode hybrid

switchport hybrid allowed vlan add untagged 400

 

Tagged packet forwarding

1. Packets tagged with the switch management VLAN 500 are processed in the usual manner. The uplink port on the access switch removes the VLAN 500 tag. The convergence switch then adds the VLAN 500 tag and forwards the packet through the uplink port to the ISP network. In the reverse direction, the dot1q-tunnel port removes the VLAN 500 tag and forwards the packet to the access switch.

2. Packets tagged with the wireless AP management VLAN 400 are processed differently. When the wireless AP management VLAN data streams reach the access switch, the data streams with VLAN 400 tags are forwarded directly to the dot1q-tunnel port on the convergence switch, where another VLAN 400 tag is added. Each AP management data packet then has two VLAN 400 tags. When the double-tagged wireless AP management VLAN data streams are forwarded from the uplink port, their external tags are removed and the data streams contain only one layer of tags. This is because the uplink port is set as a Hybrid port and VLAN 400 is set to untagged. The data streams returning from the ISP network contain one layer of VLAN 400 tags, and the VLAN 400 tags are not removed before forwarding due to the configuration switchport dot1q-tunnel allowed vlan add tagged 400.

4. On the access switch, do as follows:

Create the user VLANs based on the user ports and configure the management VLAN and management IP address.

Set the uplink port as a Trunk port and set the native VLAN to VLAN 500.

Ruijie(config)# interface gigabitEthernet 0/25

Ruijie(config-if-GigabitEthernet 0/25)#switchport mode trunk

Ruijie(config-if-GigabitEthernet 0/25)#switchport trunk native vlan 500

Ruijie(config-if-GigabitEthernet 0/25)#end
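The tag handling described for the VID-based configuration above and for the two-management-VLAN case is modelled by this added Python example (not Ruijie code): a simplified dot1q-tunnel port with its native VLAN, allowed lists and register rules, plus trunk and hybrid egress behaviour, traced for one frame per VLAN. The fallback of unregistered inner VIDs to the native VLAN and the dropping of VLANs outside the allowed lists are assumptions of the model.

```python
from dataclasses import dataclass, field


@dataclass
class TunnelPort:
    """Model of a dot1q-tunnel port's tag handling (assumed, simplified)."""
    native_vlan: int                                   # switchport dot1q-tunnel native vlan
    allowed_untagged: set                              # ... allowed vlan add untagged
    allowed_tagged: set = field(default_factory=set)   # ... allowed vlan add tagged
    registrations: list = field(default_factory=list)  # (outer_vid, set of inner VIDs)

    def register(self, outer_vid, inner_vids):
        """dot1q outer-vid <outer_vid> register inner-vid <inner_vids>"""
        self.registrations.append((outer_vid, set(inner_vids)))

    def ingress(self, tags):
        """Frame arriving from the customer side; tags is the VID stack, outermost first.
        Untagged frames get the native VLAN (basic QinQ). Tagged frames get the
        registered outer VID for their inner VID, or the native VLAN when no
        registration matches (assumed fallback)."""
        if not tags:
            return [self.native_vlan]
        for outer_vid, inner_vids in self.registrations:
            if tags[0] in inner_vids:
                return [outer_vid] + tags
        return [self.native_vlan] + tags

    def egress(self, tags):
        """Frame leaving toward the customer side: an outer VID in the untagged list
        is stripped, one in the tagged list is kept, anything else is not allowed
        on the port and is dropped (None)."""
        if tags and tags[0] in self.allowed_untagged:
            return tags[1:]
        if tags and tags[0] in self.allowed_tagged:
            return tags
        return None


def trunk_egress(tags, native_vlan):
    """Trunk port: frames of the native VLAN leave untagged, all others keep their tag."""
    return tags[1:] if tags and tags[0] == native_vlan else tags


def hybrid_egress(tags, untagged_vlans):
    """Hybrid port: the outer tag is removed for VLANs in its untagged list."""
    return tags[1:] if tags and tags[0] in untagged_vlans else tags


def vid_based_port():
    """Section 2.9.1.3.2: inner 101-200 -> outer 101, inner 201-300 -> outer 201, native 500."""
    port = TunnelPort(native_vlan=500, allowed_untagged={101, 201, 500})
    port.register(101, range(101, 201))
    port.register(201, range(201, 301))
    return port


def two_management_vlan_port():
    """The note's two-management-VLAN case: AP VLAN 400 kept tagged, switch VLAN 500
    as native, user VLANs 10 and 20 carried under outer VLAN 1000."""
    port = TunnelPort(native_vlan=500, allowed_untagged={500, 1000}, allowed_tagged={400})
    port.register(400, [400])
    port.register(1000, [10, 20])
    return port


def trace(user_vid):
    """Follow one frame: access switch trunk (native 500) -> convergence dot1q-tunnel
    Gi1/1 -> hybrid uplink Gi1/2 (VLAN 400 untagged) -> ISP, then the same tag
    stack back down. Returns (stack sent to the ISP, stack sent to the access switch)."""
    port = two_management_vlan_port()
    from_access = trunk_egress([user_vid], native_vlan=500)
    to_isp = hybrid_egress(port.ingress(from_access), untagged_vlans={400})
    # return direction: the tunnel port decides whether the outer tag is stripped or kept
    to_access = port.egress(to_isp)
    return to_isp, to_access
```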

 

V. Verification

1. Check that the configurations are correct. Check whether the downlink port is a dot1q-tunnel port, whether the VLAN in the external tag is added to the approved VLAN list on the port, whether the mapping policy on the port is correct, and whether the uplink port configuration is correct.

Ruijie#show running-config interface gigabitEthernet 1/1

interface GigabitEthernet 1/1

switchport mode dot1q-tunnel

switchport dot1q-tunnel allowed vlan add untagged 101,201,500

dot1q outer-vid 101 register inner-vid 101-200

dot1q outer-vid 201 register inner-vid 201-300

switchport dot1q-tunnel native vlan 500

spanning-tree bpdufilter enable

 

Ruijie#show running-config interface gigabitEthernet 1/2

interface GigabitEthernet 1/2

switchport mode uplink

 

2. Check the QinQ configuration on the port of the device again. The check items are the same as those in step 1.

Ruijie#show interfaces dot1q-tunnel

 

========Interface Gi1/1========

Native vlan: 500

Allowed vlan list:1,101,201,500

Tagged vlan list:

 

3. Check the mapping policies of internal tags and external tags and ensure that the VLANs in the external tags map correctly to the VLANs in the internal tags.

Ruijie#show registration-table

Ports   Type        Outer-VID   Inner-VID-list
------  ----------  ----------  --------------
Gi1/1   Add-outer   101         101-200
Gi1/1   Add-outer   201         201-300

 

2.9.1.3.3      Flexible QinQ - Stream-based QinQ

I. Networking Requirements

1. The convergence switch implements flexible QinQ based on user data stream classification. For user data streams of the network segment 192.168.10.0/24, add the external tag VLAN 1000. For user data streams of the network segment 192.168.20.0/24, add the external tag VLAN 1001.

2. Manage the access switches. The management VLAN is 500. Data streams from the VLAN are forwarded without adding external tags and their original tags are retained.

II. Network Topology

III. Configuration Tips

1. On the access switch, configure user data stream-based flexible QinQ on the port that connects the floor distribution switch. For user data streams of the network segment 192.168.10.0/24, add the external tag VLAN 1000. For user data streams of the network segment 192.168.20.0/24, add the external tag VLAN 1001.

2. Set the management VLAN on the floor distribution switch to a native VLAN and the management VLAN on the access switch to the native VLAN of dot1q-tunnel.

3. At present, no Ruijie switch supports the termination of QinQ tags. That is, the two layers of tags cannot be resolved on one switch. To resolve two layers of tags, you need to add a switch.

IV. Configuration Steps

On the convergence switch, perform the following steps:

1. Create ISP VLANs 1000 and 1001 to identify different service data types.

Ruijie#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Ruijie(config)#vlan 1000

Ruijie(config-vlan)#exit

Ruijie(config)#vlan 1001

Ruijie(config-vlan)#exit

Ruijie(config)#vlan 500

Ruijie(config-vlan)#exit

 

2. Create the user data stream-based ACL.

Ruijie(config)#ip access-list standard vlan10

Ruijie(config-std-nacl)#permit 192.168.10.0 0.0.0.255

Ruijie(config-std-nacl)#exit

Ruijie(config)#ip access-list standard vlan20

Ruijie(config-std-nacl)#permit 192.168.20.0 0.0.0.255

Ruijie(config-std-nacl)#exit

Ruijie(config)#

 

3. Enable the data-stream based flexible QinQ function on the convergence switch.

Ruijie(config)#interface gigabitEthernet 1/1

Ruijie(config-if-GigabitEthernet 1/1)# switchport mode dot1q-tunnel

Ruijie(config-if-GigabitEthernet 1/1)# switchport dot1q-tunnel allowed vlan add untagged 1000,1001,500 

Ruijie(config-if-GigabitEthernet 1/1)# traffic-redirect access-group vlan10 nested-vlan 1000 in 

Ruijie(config-if-GigabitEthernet 1/1)#  traffic-redirect access-group vlan20 nested-vlan 1001 in 

Ruijie(config-if-GigabitEthernet 1/1)#  switchport dot1q-tunnel native vlan 500

 

4. Configure the uplink port.

Ruijie(config)# interface gigabitEthernet 1/2

Ruijie(config-if-GigabitEthernet 1/2)#switchport mode uplink

 

On the access switch, perform the following steps:

1. Create the user VLANs based on the user ports and configure the management VLAN and management IP address.

2. Set the uplink port as a Trunk port and set the native VLAN to VLAN 500.

Ruijie(config)# interface gigabitEthernet 0/25

Ruijie(config-if-GigabitEthernet 0/25)#switchport mode trunk

Ruijie(config-if-GigabitEthernet 0/25)#switchport trunk native vlan 500

Ruijie(config-if-GigabitEthernet 0/25)#end

 

V. Verification

1. Check that the configurations are correct. Check whether the downlink port is a dot1q-tunnel port, whether the VLAN in the external tag is added to the approved VLAN list on the port, whether the mapping policy on the port is correct, and whether the uplink port configuration is correct.

Ruijie#show running-config interface gigabitEthernet 1/1

interface GigabitEthernet 1/1

switchport mode dot1q-tunnel

switchport dot1q-tunnel allowed vlan add untagged 500,1000-1001

switchport dot1q-tunnel native vlan 500

traffic-redirect access-group vlan10 nested-vlan 1000 in

traffic-redirect access-group vlan20 nested-vlan 1001 in

spanning-tree bpdufilter enable

 

Ruijie#show running-config interface gigabitEthernet 1/2

interface GigabitEthernet 1/2

switchport mode uplink

 

2. Check the QinQ configuration on the port of the device again. The check items are the same as those in step 1.

Ruijie#show interfaces dot1q-tunnel

========Interface Gi1/1========

Native vlan: 500

Allowed vlan list:1,1000,1001,500

Tagged vlan list:

 

3. Check whether the ACL is correct.

4. Check the mapping policies for stream-based tagging.

Ruijie#show traffic-redirect

Ports   Type        VID   Match-filter
------  ----------  ----  ------------
Gi1/1   Nested-vid  1000  vlan10
Gi1/1   Nested-vid  1001  vlan20

 

2.9.2      IP addressing and Application

2.9.2.1      DHCP Server

Scenario

The DHCP (Dynamic Host Configuration Protocol), specified in RFC 2131, provides configuration parameters for hosts over the Internet. The DHCP works in the client/server mode. The DHCP server assigns IP addresses for the hosts dynamically and provides configuration parameters.

 

The DHCP assigns IP address in three ways:

Assign IP addresses automatically. The DHCP server assigns permanent IP addresses to the clients;

Assign IP addresses dynamically. The DHCP server assigns IP addresses that expire after a period of time to the clients (or the clients can release the addresses by themselves);

Configure IP addresses manually. Network administrators specify IP addresses and send the specified IP addresses to the clients through the DHCP.

Among the above mentioned three methods, only dynamic assignment allows reuse of the IP address that the client does not need any more.

The format of DHCP message is based on that of BOOTP (Bootstrap Protocol) message. Hence, it is necessary for the device to be able to act as the BOOTP relay agent and interact with the BOOTP client and the DHCP server. The function of BOOTP relay agent eliminates the need of deploying a DHCP server in every physical network. The DHCP is detailed in RFC 2131 and RFC 2132.

 

The DHCP protocol is widely used to dynamically assign reusable network resources, for example, IP addresses. A DHCP client sends DISCOVER broadcast packets to a DHCP server. After receiving the DISCOVER packets, the DHCP server will assign resources, e.g. IP addresses, by a certain policy in OFFER packets sent to the client. Once receiving the OFFER packets, the DHCP client verifies the availability of the resource. If the resource is available, it will send a REQUEST packet; otherwise, it will re-send the DISCOVER packet. Once the server receives the REQUEST packet, it will verify whether the IP address or other limited resource can be assigned. If so, the server will send an ACK packet; otherwise, it will send a NAK packet. Once the DHCP client receives the ACK packet, it will start using the resource assigned by the server; if the NAK packet is received, the client may re-send the DISCOVER packet.

 

 

Generally, a common switch supports allocating at most 2000 IP addresses. The S86E supports allocating at most 8000 IP addresses.

 

I. Requirements

All users are on VLAN 10 and their gateway is on the Core switch. The Core switch acts as DHCP Server and assigns IP addresses to all users.

 

II. Network Topology

 

III. Configuration Tips

1. Assign the ports connected to users on the access switch to VLAN 10.

2. Configure the Core switch as DHCP Server so that it assigns IP addresses to users.

3. The DHCP Server allocates the gateway (itself), the DNS server and the lease (24 hours by default) to users.

 

IV. Configuration Steps

Core switch

1. Enable DHCP service

Ruijie(config)#service dhcp        ------>DHCP service is disabled by default.

 

2. Assign IP address to Vlan 10

Ruijie(config)#interface vlan 10

Ruijie(config-if-VLAN 10)#ip address 192.168.1.254 255.255.255.0

Ruijie(config-if-VLAN 10)#exit

 

3. Create DHCP pool and configure DHCP parameters ---gateway , DNS , subnets.

Ruijie(config)#ip dhcp pool vlan10

Ruijie(dhcp-config)#network 192.168.1.0 255.255.255.0      ------>Network subnets

Ruijie(dhcp-config)#dns-server 218.85.157.99                     ------>DNS server

Ruijie(dhcp-config)#default-router 192.168.1.254                ------>User Gateway

Ruijie(dhcp-config)#end

Ruijie#wr

 

Access switch

Assign ports connected to users to Vlan 10

Ruijie(config)#int range fastEthernet 0/1-2

Ruijie(config-if-range)#switchport access vlan 10

 

V. Verification

1. How to display DHCP assignments

 

2. To display NIC information on a station, execute "run-------->cmd-------->ipconfig /all"

 

2.9.2.2      DHCP Relay

 

Overview

The DHCP relay agent forwards DHCP packets between the DHCP server and the DHCP clients. When the DHCP clients and the server are not located in the same subnet, a DHCP relay agent must be available for forwarding the DHCP request and response messages. Data forwarding by the DHCP relay agent is different from general forwarding. In general forwarding, IP packets are unaltered and the transmission is transparent. However, upon receiving a DHCP message, the DHCP relay agent regenerates and forwards a DHCP message.

From the perspective of the DHCP client, the DHCP relay agent works like a DHCP server. From the perspective of the DHCP server, the DHCP relay agent works like a DHCP client. 

 

The DHCP relay forwards the DHCP request packets it receives to the DHCP server as unicast, and at the same time forwards the DHCP response packets it receives to the DHCP client. The DHCP relay serves as a forwarding station, responsible for the communication between the DHCP clients and the DHCP servers on different network segments. In this way, a single DHCP server can dynamically manage IP addresses on multiple segments, that is, DHCP dynamic IP management in the Client-Relay-Server mode, as shown below:
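The DISCOVER/OFFER part of the exchange and the relay agent's regeneration of the request are shown end to end in this added Python example (not Ruijie code), using the cookbook's addresses: the relay at 192.168.1.254 fills in giaddr and forwards to the server at 172.16.1.1, which picks the pool from giaddr and answers with the gateway, DNS server and 24-hour lease. The client MAC and transaction ID are constructed values.

```python
import ipaddress
import struct

# RFC 2131 fixed header: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
# siaddr, giaddr, chaddr(16), sname(64), file(128); then the magic cookie and options.
HDR = "!BBBBIHH4s4s4s4s16s64s128s"
HDR_LEN = struct.calcsize(HDR)          # 236 bytes
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
FIELDS = ["op", "htype", "hlen", "hops", "xid", "secs", "flags",
          "ciaddr", "yiaddr", "siaddr", "giaddr", "chaddr", "sname", "file"]


def ip4(addr):
    return ipaddress.IPv4Address(addr).packed


def build_options(options):
    """Encode (code, value) pairs as RFC 2132 TLVs, terminated by option 255."""
    out = bytearray()
    for code, value in options:
        out += bytes([code, len(value)]) + value
    out.append(255)
    return bytes(out)


def parse_options(data):
    options, i = {}, 0
    while i < len(data) and data[i] != 255:
        if data[i] == 0:            # pad option
            i += 1
            continue
        code, length = data[i], data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return options


def parse(msg):
    fields = dict(zip(FIELDS, struct.unpack(HDR, msg[:HDR_LEN])))
    for name in ("ciaddr", "yiaddr", "siaddr", "giaddr"):
        fields[name] = str(ipaddress.IPv4Address(fields[name]))
    fields["options"] = parse_options(msg[HDR_LEN + 4:])
    return fields


def build_discover(client_mac, xid):
    """Broadcast DISCOVER from a client that has no address yet (broadcast flag set)."""
    zero = b"\x00" * 4
    header = struct.pack(HDR, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                         zero, zero, zero, zero, client_mac.ljust(16, b"\x00"),
                         b"\x00" * 64, b"\x00" * 128)
    return header + MAGIC_COOKIE + build_options([(53, bytes([DHCPDISCOVER]))])


def relay(msg, relay_ip):
    """What "ip helper-address" makes the gateway do (RFC 2131 section 4.1.1): if
    giaddr is still zero, fill in the address of the interface the request arrived
    on, bump hops, and unicast the regenerated message to the server."""
    hops = msg[3] + 1
    giaddr = msg[24:28]
    if giaddr == b"\x00" * 4:
        giaddr = ip4(relay_ip)
    return msg[:3] + bytes([hops]) + msg[4:24] + giaddr + msg[28:]


class Pool:
    """One "ip dhcp pool": network, default-router, dns-server, lease (24h default)."""
    def __init__(self, network, router, dns, lease=86400):
        self.net = ipaddress.IPv4Network(network)
        self.router, self.dns, self.lease = router, dns, lease
        # hand out host addresses in order, never the gateway's own address
        self.free = [h for h in self.net.hosts() if str(h) != router]


def server_offer(request, server_ip, pools):
    """Pick the pool from giaddr (relayed request) or from the server's own address
    (directly connected client), lease the next free address, build the OFFER."""
    req = parse(request)
    selector = req["giaddr"] if req["giaddr"] != "0.0.0.0" else server_ip
    pool = next((p for p in pools if ipaddress.IPv4Address(selector) in p.net), None)
    if pool is None or not pool.free:
        return None                      # no pool for that segment: no reply
    yiaddr = pool.free.pop(0)
    header = struct.pack(HDR, BOOTREPLY, 1, 6, 0, req["xid"], 0, req["flags"],
                         b"\x00" * 4, yiaddr.packed, ip4(server_ip), ip4(req["giaddr"]),
                         request[28:44], b"\x00" * 64, b"\x00" * 128)
    options = [(53, bytes([DHCPOFFER])), (1, pool.net.netmask.packed),
               (3, ip4(pool.router)), (6, ip4(pool.dns)),
               (51, struct.pack("!I", pool.lease)), (54, ip4(server_ip))]
    return header + MAGIC_COOKIE + build_options(options)


def demo():
    """Client on VLAN 10 -> relay at 192.168.1.254 -> server 172.16.1.1 (cookbook addresses)."""
    discover = build_discover(bytes.fromhex("0011223344aa"), xid=0x3903F326)  # constructed MAC/xid
    to_server = relay(discover, "192.168.1.254")
    pools = [Pool("192.168.1.0/24", "192.168.1.254", "218.85.157.99")]
    offer = server_offer(to_server, "172.16.1.1", pools)
    return parse(to_server), parse(offer)
```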

 

     

 

I. Requirements

The Distribution switch is the user gateway and has DHCP relay enabled. The Core switch acts as DHCP Server. The Core switch and the Distribution switch are connected through a Layer 3 link.

 

II. Network Topology

 

III. Configuration Tips

1. Enable DHCP relay on distribution switch

2. Enable DHCP Service on Core switch

 

IV. Configuration Steps

Core switch

1. Convert the port connected to the Distribution switch to a Layer 3 port and assign an IP address to it.

Ruijie(config)#interface gigabitEthernet 0/24

Ruijie(config-if-GigabitEthernet 0/24)#no switchport

Ruijie(config-if-GigabitEthernet 0/24)#ip address 172.16.1.1 255.255.255.252

Ruijie(config-if-GigabitEthernet 0/24)#exit

 

2. Configure a static route.

Ruijie(config)#ip route 192.168.1.0 255.255.255.0 172.16.1.2

 

3. Enable DHCP service

Ruijie(config)#service dhcp        ------>DHCP service is disabled by default.

 

4. Create DHCP pool and configure DHCP parameters ---gateway , DNS , subnets

Ruijie(config)#ip dhcp pool vlan10

Ruijie(dhcp-config)#network 192.168.1.0 255.255.255.0      ------>Network subnet

Ruijie(dhcp-config)#dns-server 218.85.157.99                     ------>DNS Server

Ruijie(dhcp-config)#default-router 192.168.1.254                ------>User Gateway

Ruijie(dhcp-config)#exit

 

5. Save configuration

Ruijie(config)#end

Ruijie#wr

 

Aggregation switch

1. Assign an IP address to VLAN 10; SVI 10 is the user gateway.

Ruijie(config)#interface vlan 10

Ruijie(config-if-VLAN 10)#ip address 192.168.1.254 255.255.255.0

Ruijie(config-if-VLAN 10)#exit

 

2. Convert the port connected to the Core switch to a Layer 3 port and assign an IP address to it.

Ruijie(config)#interface gigabitEthernet 0/24

Ruijie(config-if-GigabitEthernet 0/24)#no switchport

Ruijie(config-if-GigabitEthernet 0/24)#ip address 172.16.1.2 255.255.255.252

Ruijie(config-if-GigabitEthernet 0/24)#exit

 

3. Configure default route

Ruijie(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.1

 

4. Enable DHCP service

Ruijie(config)#service dhcp                                          ------>DHCP service is disabled by default

 

5. Enable DHCP relay

Ruijie(config)#ip helper-address 172.16.1.1                 ------>172.16.1.1 is the DHCP Server

 

6. Save configuration

Ruijie(config)#end

Ruijie#wr

 

V. Verification

1. How to display DHCP assignments

 

2. To display NIC information on a station, execute "run-------->cmd-------->ipconfig /all"

 

3. How to display status of DHCP relay

 

2.9.2.3      GRE Tunnel

Function Overview

Generic Routing Encapsulation (GRE) is a protocol that encapsulates data packets of certain network layer protocols (for example, IP and IPX) so that the encapsulated data packets can be transmitted in another network layer protocol (IP). The path along which the encapsulated data packets are transmitted on the network is called a GRE tunnel. A GRE tunnel is a virtual point-to-point connection, with the devices at its two ends encapsulating and decapsulating the data packets.

I. Networking Requirements

Switch A and Switch B are connected to each other over the Internet. The two subnets Group 1 and Group 2 of the private network that runs IP are connected to each other through a GRE tunnel between the two switches.

II. Network Topology

III. Configuration Tips

The configuration of a GRE tunnel covers the following:

1. Tunnel interface No.

2. Tunnel mode (GRE IP mode in this example)

3. Source address of the tunnel

4. Destination address of the tunnel

5. Route of the tunnel

Note: If the tunnel interface addresses at the two ends are not in the same network segment, configure a route (static or dynamic) on both ends so that traffic for the remote private network is forwarded into the tunnel; otherwise the encapsulated packets cannot be forwarded properly. Two or more tunnel interfaces that use the same encapsulation protocol must not share the same source address and destination address pair. If the tunnel source is given as an interface rather than an address, the tunnel source address is the primary IP address of that interface.

IV. Configuration Steps

Note: The IPv4 packet route between Switch A and Switch B is configured and reachable.

1. On Switch A, configure the following items:

Interface that connects the IPv4 external network

SwitchA#configure terminal

SwitchA(config)#interface GigabitEthernet 2/1

SwitchA(config-if)#ip address 2.2.2.1 255.255.255.0

 

Interface that connects the IPv4 internal network

SwitchA#configure terminal

SwitchA(config)#interface GigabitEthernet 2/2

SwitchA(config-if)#ip address 1.1.1.1 255.255.255.0

 

Interface of the GRE IP tunnel

SwitchA#configure terminal

SwitchA(config)#interface Tunnel 100

SwitchA(config-if-Tunnel 100)#tunnel mode gre ip

SwitchA(config-if-Tunnel 100)#ip address 5.5.5.4 255.255.255.0

SwitchA(config-if-Tunnel 100)#tunnel source 2.2.2.1

SwitchA(config-if-Tunnel 100)#tunnel destination 2.2.2.2

 

Route for entering the tunnel

SwitchA#configure terminal

SwitchA(config)#ip route 3.3.3.0 255.255.255.0 tunnel 100        ------>traffic for Group 2 enters the tunnel

 

2. On Switch B, configure the following items:

SwitchB#configure terminal

SwitchB(config)#interface GigabitEthernet 2/1

SwitchB(config-if)#ip address 2.2.2.2 255.255.255.0

SwitchB#configure terminal

SwitchB(config)#interface GigabitEthernet 2/2

SwitchB(config-if)#ip address 3.3.3.1  255.255.255.0

SwitchB#configure terminal

SwitchB(config)#interface Tunnel 100

SwitchB(config-if-Tunnel 100)#tunnel mode gre ip

SwitchB(config-if-Tunnel 100)#ip address 5.5.5.5 255.255.255.0

SwitchB(config-if-Tunnel 100)#tunnel source 2.2.2.2

SwitchB(config-if-Tunnel 100)#tunnel destination 2.2.2.1

SwitchB#configure terminal

SwitchB(config)#ip route 1.1.1.0 255.255.255.0 tunnel 100        ------>traffic for Group 1 enters the tunnel

 

V. Verification

1. Check the tunnel interface status on Switch A and Switch B.

SwitchA#show interface tunnel 100

Index(dec):9 (hex):9

Tunnel 100 is UP  , line protocol is UP

  Hardware is Tunnel

  Interface address is: 5.5.5.4/24

  Interface IPv6 address is:

    No IPv6 address

  MTU 1476 bytes, BW 9 Kbit

  Encapsulation protocol is Tunnel, loopback not set

Keepalive interval is 10 sec ,retries 0.

  Carrier delay is 2 sec

Tunnel attributes:

  Tunnel source 2.2.2.1, destination 2.2.2.2, routable

  Tunnel TOS/Traffic Class not set, Tunnel TTL 254

  Tunnel config nested limit is 4, current nested number is 0

  Tunnel protocol/transport is greip

  Tunnel transport VPN is no set

    Key disabled, Sequencing disabled

Checksumming of packets disabled

 RX packets

  Drop reason(Down: 0, Checksum error: 0, sequence error: 0, routing: 0)

 TX packets

  Drop reason(Too big: 0, Payload Type error: 0, Nested-limit: 0)

Rxload is 1/255, Txload is 1/255

   10 seconds input rate 0 bits/sec, 0 packets/sec

   10 seconds output rate 0 bits/sec, 0 packets/sec

    0 packets input, 0 bytes, 0 no buffer, 0 dropped

    Received 0 broadcasts, 0 runts, 0 giants

    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 abort

    0 packets output, 0 bytes, 0 underruns , 0 dropped

0 output errors, 0 collisions, 0 interface resets

 

SwitchB#show interface tunnel 100

Index(dec):9 (hex):9

Tunnel 100 is UP  , line protocol is UP  

  Hardware is Tunnel

  Interface address is: 5.5.5.5/24

  Interface IPv6 address is:

    No IPv6 address

  MTU 1476 bytes, BW 9 Kbit

  Encapsulation protocol is Tunnel, loopback not set

Keepalive interval is 10 sec ,retries 0.

  Carrier delay is 2 sec

Tunnel attributes:

  Tunnel source 2.2.2.2, destination 2.2.2.1, routable

  Tunnel TOS/Traffic Class not set, Tunnel TTL 254

  Tunnel config nested limit is 4, current nested number is 0

  Tunnel protocol/transport is greip

  Tunnel transport VPN is no set

    Key disabled, Sequencing disabled

Checksumming of packets disabled

 RX packets

  Drop reason(Down: 0, Checksum error: 0, sequence error: 0, routing: 0)

 TX packets

  Drop reason(Too big: 0, Payload Type error: 0, Nested-limit: 0)

Rxload is 1/255, Txload is 1/255

   10 seconds input rate 0 bits/sec, 0 packets/sec

   10 seconds output rate 0 bits/sec, 0 packets/sec

    0 packets input, 0 bytes, 0 no buffer, 0 dropped

    Received 0 broadcasts, 0 runts, 0 giants

    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 abort

    0 packets output, 0 bytes, 0 underruns , 0 dropped

0 output errors, 0 collisions, 0 interface resets

 

2. Ping the IPv4 address of the remote tunnel endpoint from Switch A. This only proves that the underlay between 2.2.2.1 and 2.2.2.2 is reachable; to confirm that traffic actually passes through the tunnel, also ping the remote tunnel interface address (5.5.5.5) and a host in 3.3.3.0/24.

SwitchA#ping 2.2.2.2

Sending 5, 100-byte ICMP Echoes to 2.2.2.2, timeout is 2 seconds:

< press Ctrl+C to break >

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10ms
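Added example, not Ruijie code and not part of this cookbook: the encapsulation Switch A performs on Tunnel 100 and the decapsulation Switch B performs, written in Python on the page's addresses. The inner UDP datagram, its ports and the rejected second endpoint are constructed for the example. It shows where the 1476-byte tunnel MTU in the verification output comes from, why an endpoint must check the outer source/destination pair, and that the private payload is readable by anyone on the Internet path.

```python
"""GRE-over-IPv4 encapsulation and decapsulation (RFC 2784), worked on the
tunnel from the example above: Switch A (2.2.2.1) to Switch B (2.2.2.2),
carrying traffic between 1.1.1.0/24 and 3.3.3.0/24.  Added illustration,
not RGOS code; standard library only."""
import ipaddress
import struct

IPPROTO_GRE = 47
IPPROTO_UDP = 17
ETHERTYPE_IPV4 = 0x0800      # GRE protocol type field for an IPv4 payload
TUNNEL_TTL = 254             # "Tunnel TTL 254" in the show interface output
IPV4_HDR_LEN = 20
GRE_HDR_LEN = 4              # flags/version + protocol type; no key/seq/checksum
ETHERNET_MTU = 1500


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over the header, as the outer IP header needs."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) in front of the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(payload), 0, 0,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """What 'Tunnel 100' does on transmit: GRE header, then an outer IPv4 header
    from the tunnel source to the tunnel destination."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # C/K/S bits clear, version 0
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_GRE, gre_hdr + inner, ttl=TUNNEL_TTL)


def gre_decapsulate(outer: bytes, expected_src: str, expected_dst: str) -> bytes:
    """What the far end does on receive: accept only the configured peer, then
    strip the outer IPv4 and GRE headers and hand the inner packet to routing."""
    ihl = (outer[0] & 0x0F) * 4
    proto = outer[9]
    src = str(ipaddress.IPv4Address(outer[12:16]))
    dst = str(ipaddress.IPv4Address(outer[16:20]))
    if proto != IPPROTO_GRE:
        raise ValueError("not GRE: IP protocol %d" % proto)
    if (src, dst) != (expected_src, expected_dst):
        # Without this check (and a border filter on protocol 47) anyone who can
        # reach 2.2.2.2 could inject packets straight into the private network.
        raise ValueError("GRE from unexpected endpoint %s -> %s" % (src, dst))
    flags, ptype = struct.unpack("!HH", outer[ihl:ihl + GRE_HDR_LEN])
    if flags & 0xB000:       # C, K or S bit set: optional fields this example does not parse
        raise ValueError("checksum/key/sequence options not handled in this example")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    return outer[ihl + GRE_HDR_LEN:]


def tunnel_mtu(link_mtu: int = ETHERNET_MTU) -> int:
    """Largest inner packet that fits the outer link without fragmentation."""
    return link_mtu - IPV4_HDR_LEN - GRE_HDR_LEN


def payload_visible(outer: bytes, marker: bytes) -> bool:
    """GRE provides no confidentiality: the inner packet is on the wire as-is."""
    return marker in outer


# Constructed sample: a UDP datagram from Group 1 (1.1.1.10) to Group 2 (3.3.3.10)
INNER = build_ipv4("1.1.1.10", "3.3.3.10", IPPROTO_UDP,
                   struct.pack("!HHHH", 40000, 53, 8 + 7, 0) + b"PAYLOAD")
OUTER = gre_encapsulate(INNER, "2.2.2.1", "2.2.2.2")

if __name__ == "__main__":
    print("outer packet %d bytes, tunnel MTU %d" % (len(OUTER), tunnel_mtu()))
    print("inner recovered:", gre_decapsulate(OUTER, "2.2.2.1", "2.2.2.2") == INNER)
    print("payload readable on the Internet path:", payload_visible(OUTER, b"PAYLOAD"))
```

The endpoint check in gre_decapsulate is the whole of GRE's "authentication": it compares two spoofable addresses. Treat it as a configuration sanity check, not a security control.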

 

 

2.9.3      IP Routing

2.9.3.1      Static Routes

Overview

Static routes are configured manually so that packets for a given destination network follow a specified path. They are essential when the switch does not run a dynamic routing protocol (RIP, OSPF, etc.) and are useful for specifying a gateway of last resort to which all otherwise unroutable packets are sent.

 

I. Requirements    

Configure the switch with static routes and ensure that users in network 1 can communicate with users in network  2

 

II. Network Topology

    

 

III. Configuration Tips    

1. Assign IP addresses to SW1 and SW2

2. Configure static routes on SW1

3. Configure static routes on SW2

4. Save the configuration

 

 

IV. Configuration Steps   

1. Assign IP address to SW1

Ruijie>enable

Ruijie#configure terminal

Ruijie(config)#interface fastethernet 0/1

Ruijie(config-if-FastEthernet 0/1)#no switchport

Ruijie(config-if-FastEthernet 0/1)#ip address 192.168.1.254 255.255.255.0

Ruijie(config-if-FastEthernet 0/1)#interface GigabitEthernet 0/25

Ruijie(config-if-GigabitEthernet 0/25)#no switchport

Ruijie(config-if-GigabitEthernet 0/25)#ip address 192.168.3.1 255.255.255.0

Ruijie(config-if-GigabitEthernet 0/25)#exit

 

2. Assign IP addresses to SW2

Ruijie>enable                

Ruijie#configure terminal    

Ruijie(config)#interface fastethernet 0/1

Ruijie(config-if-FastEthernet 0/1)#no switchport

Ruijie(config-if-FastEthernet 0/1)#ip address 192.168.2.254 255.255.255.0

Ruijie(config-if-FastEthernet 0/1)#interface GigabitEthernet 0/25

Ruijie(config-if-GigabitEthernet 0/25)#no switchport

Ruijie(config-if-GigabitEthernet 0/25)#ip address 192.168.3.2 255.255.255.0

Ruijie(config-if-GigabitEthernet 0/25)#exit

 

3. Configure static routes on SW1

Note

1. When you configure a static route there are two ways to specify the next hop: an IP address or a local outgoing interface.

2. We suggest using an IP address as the next hop.

Ruijie(config)#ip route 192.168.2.0 255.255.255.0 192.168.3.2   -----> configure static routes to destination subnet 192.168.2.0/24 and nexthop is 192.168.3.2

 

4. Configure Static Routes on SW2

Ruijie(config)#ip route 192.168.1.0 255.255.255.0 192.168.3.1   ----->configure static routes to destination subnet 192.168.1.0/24 and nexthop is 192.168.3.1

 

5. Save Configuration     

Ruijie(config)#end         

Ruijie#write 

 

V. Verification

1. You can use "ping" on a station in network 1 to verify network connectivity

"run"-->"cmd"-->"ping x.x.x.x" (x.x.x.x is a host in network 2)

 

2. How to display ip routing table

Ruijie#show ip route

Codes:  C - connected, S - static, R - RIP, B - BGP

        O - OSPF, IA - OSPF inter area

        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

        E1 - OSPF external type 1, E2 - OSPF external type 2

        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

        ia - IS-IS inter area, * - candidate default

Gateway of last resort is no set

S    192.168.2.0/24 [1/0] via 192.168.3.2

C    192.168.3.0/24 is directly connected, GigabitEthernet 0/25

C    192.168.3.1/32 is local host.

C    192.168.1.0/24 is directly connected, FastEthernet 0/1

C    192.168.1.254/32 is local host.     

 

Scenario

Information about Floating Static Routes

If your network has two WAN links to two different service providers, configure two static routes to the same destination, one per provider; the second is a floating static route that provides a backup or redundant path.

A floating static route must have a higher administrative distance than the primary route it backs up, so that it is installed only when the primary route disappears from the routing table.

 

I. Requirements 

1. There're two accesses to the same destination on switch.

2. The switch switches to the backup route (through G0/26) when the primary route (through G0/25) goes down.

 

II. Network Topology

   

 

III. Configuration Tips

1. Assign IP address to SW1 and SW2

2. Configure a floating static route with a higher administrative distance than the route it backs up

 

IV. Configuration Steps   

1. Assign IP address to SW1

Ruijie>enable                

Ruijie#configure terminal    

Ruijie(config)#interface fastethernet 0/1

Ruijie(config-if-FastEthernet 0/1)#no switchport

Ruijie(config-if-FastEthernet 0/1)#ip address 192.168.1.254 255.255.255.0

Ruijie(config-if-FastEthernet 0/1)#interface GigabitEthernet 0/26

Ruijie(config-if-GigabitEthernet 0/26)#no switchport

Ruijie(config-if-GigabitEthernet 0/26)#ip address 192.168.4.1 255.255.255.0

Ruijie(config-if-GigabitEthernet 0/26)#interface GigabitEthernet 0/25

Ruijie(config-if-GigabitEthernet 0/25)#no switchport

Ruijie(config-if-GigabitEthernet 0/25)#ip address 192.168.3.1 255.255.255.0

Ruijie(config-if-GigabitEthernet 0/25)#exit

 

2. Assign IP addresses to SW2

Ruijie>enable                

Ruijie#configure terminal    

Ruijie(config)#interface fastethernet 0/1

Ruijie(config-if-FastEthernet 0/1)#no switchport

Ruijie(config-if-FastEthernet 0/1)#ip address 192.168.2.254 255.255.255.0

Ruijie(config-if-FastEthernet 0/1)#interface GigabitEthernet 0/26

Ruijie(config-if-GigabitEthernet 0/26)#no switchport

Ruijie(config-if-GigabitEthernet 0/26)#ip address 192.168.4.2 255.255.255.0

Ruijie(config-if-GigabitEthernet 0/26)#interface GigabitEthernet 0/25

Ruijie(config-if-GigabitEthernet 0/25)#no switchport

Ruijie(config-if-GigabitEthernet 0/25)#ip address 192.168.3.2 255.255.255.0

Ruijie(config-if-GigabitEthernet 0/25)#exit        

 

3. Configure static routes on SW1

Note

1. When you configure a static route there are two ways to specify the next hop: an IP address or a local outgoing interface.

2. We suggest using an IP address as the next hop.

Ruijie(config)#ip route 192.168.2.0 255.255.255.0 192.168.3.2         ---->static route to destination subnet 192.168.2.0/24 with next hop 192.168.3.2

Ruijie(config)#ip route 192.168.2.0 255.255.255.0 192.168.4.2 10    ---->floating static route to destination subnet 192.168.2.0/24 with administrative distance 10 and next hop 192.168.4.2 (by default the administrative distance of a static route is 1; the lower the distance, the more preferred the route, so the distance-10 route is installed only when the distance-1 route is unavailable)

 

4. Configure static routes on SW2

Ruijie(config)#ip route 192.168.1.0 255.255.255.0 192.168.3.1   ---->static route to destination subnet 192.168.1.0/24 with next hop 192.168.3.1

Ruijie(config)#ip route 192.168.1.0 255.255.255.0 192.168.4.1 10   ---->floating static route to destination subnet 192.168.1.0/24 with administrative distance 10 and next hop 192.168.4.1 (by default the administrative distance of a static route is 1; the lower the distance, the more preferred the route)

Ruijie(config)#end         

Ruijie#write        ---->confirm and save
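Added example, not Ruijie code and not part of this cookbook: a small Python model of how the routing table selects between the two static routes configured on SW1 above. It installs, per destination prefix, the lowest-administrative-distance static route whose next hop lies in a connected subnet on an interface that is up, which is exactly the behaviour the verification below shows when the cable on G0/25 is pulled. Interface names, prefixes and distances are the page's; the hosts looked up are constructed.

```python
"""Route installation as the floating-static example describes it: among static
routes to the same prefix the RIB installs the one with the lowest
administrative distance whose next hop is reachable through an up interface.
Added illustration, not RGOS code."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class StaticRoute:
    prefix: str            # e.g. "192.168.2.0/24"
    next_hop: str
    distance: int = 1      # default administrative distance of a static route


@dataclass
class Rib:
    connected: dict = field(default_factory=dict)   # interface -> connected prefix
    up: set = field(default_factory=set)            # interfaces currently up
    statics: list = field(default_factory=list)

    def next_hop_interface(self, next_hop: str):
        """Interface whose connected subnet contains the next hop, if it is up."""
        nh = ipaddress.ip_address(next_hop)
        for ifname, net in self.connected.items():
            if ifname in self.up and nh in ipaddress.ip_network(net):
                return ifname
        return None

    def installed_routes(self) -> dict:
        """The 'show ip route' view: connected routes on up interfaces plus, per
        prefix, the best static route that currently resolves.
        Entries are (code, distance, next_hop, interface)."""
        table = {}
        for ifname, net in self.connected.items():
            if ifname in self.up:
                table[net] = ("C", 0, None, ifname)
        for r in sorted(self.statics, key=lambda r: r.distance):
            ifname = self.next_hop_interface(r.next_hop)
            if ifname is None or r.prefix in table:
                continue   # next hop unreachable, or a better route is already installed
            table[r.prefix] = ("S", r.distance, r.next_hop, ifname)
        return table

    def lookup(self, dst: str):
        """Longest-prefix match over the installed table."""
        d = ipaddress.ip_address(dst)
        best = None
        for prefix, entry in self.installed_routes().items():
            net = ipaddress.ip_network(prefix)
            if d in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, entry)
        return best[1] if best else None


def sw1_from_example() -> Rib:
    """SW1 as configured in steps 1 and 3 above."""
    rib = Rib(
        connected={"FastEthernet 0/1": "192.168.1.0/24",
                   "GigabitEthernet 0/25": "192.168.3.0/24",
                   "GigabitEthernet 0/26": "192.168.4.0/24"},
        up={"FastEthernet 0/1", "GigabitEthernet 0/25", "GigabitEthernet 0/26"},
    )
    rib.statics.append(StaticRoute("192.168.2.0/24", "192.168.3.2"))       # primary, distance 1
    rib.statics.append(StaticRoute("192.168.2.0/24", "192.168.4.2", 10))   # floating, distance 10
    return rib


if __name__ == "__main__":
    rib = sw1_from_example()
    print("G0/25 up:  ", rib.lookup("192.168.2.10"))
    rib.up.discard("GigabitEthernet 0/25")       # remove the cable on G0/25
    print("G0/25 down:", rib.lookup("192.168.2.10"))
```

The model also makes the limitation visible: the floating route takes over only when the primary next hop becomes unresolvable (interface down). If G0/25 stays up but SW2 loses its onward path, the distance-1 route remains installed and traffic is black-holed; that case needs a dynamic protocol or next-hop tracking.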

 

V. Verification

1. This example displays the IP routing table on SW1 while port G0/25 is up

SW1

Ruijie#show ip route

Codes:  C - connected, S - static, R - RIP, B - BGP

        O - OSPF, IA - OSPF inter area

        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

        E1 - OSPF external type 1, E2 - OSPF external type 2

        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

        ia - IS-IS inter area, * - candidate default

Gateway of last resort is no set

S    192.168.2.0/24 [1/0] via 192.168.3.2       

C    192.168.4.0/24 is directly connected, GigabitEthernet 0/26

C    192.168.4.1/32 is local host.

C    192.168.3.0/24 is directly connected, GigabitEthernet 0/25

C    192.168.3.1/32 is local host.

C    192.168.1.0/24 is directly connected, FastEthernet 0/1

C    192.168.1.254/32 is local host.

 

2. This example displays the ip route table on SW1 after removing the cable on port G0/25. The floating route has been installed in ip route table.

SW1

Ruijie#sho ip route

Codes:  C - connected, S - static, R - RIP, B - BGP

        O - OSPF, IA - OSPF inter area

        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

        E1 - OSPF external type 1, E2 - OSPF external type 2

        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

        ia - IS-IS inter area, * - candidate default

Gateway of last resort is no set

S    192.168.2.0/24 [10/0] via 192.168.4.2    

C    192.168.4.0/24 is directly connected, GigabitEthernet 0/26

C    192.168.4.1/32 is local host.

C    192.168.1.0/24 is directly connected, FastEthernet 0/1

C    192.168.1.254/32 is local host.

 

2.9.3.2      RIP

Overview

RIP (Routing Information Protocol) is a relatively old routing protocol, widely used in small or homogeneous networks. RIP uses the distance-vector algorithm and is therefore a distance-vector protocol. RIPv1 is defined in RFC 1058 and RIPv2 in RFC 2453; Ruijie RGOS supports both versions.

RIP exchanges routing information in UDP packets on port 520. RIPv1 packets are usually broadcast, while RIPv2 packets are multicast to 224.0.0.9. RIP sends an update every 30 seconds. If a device receives no update from a peer for 180 seconds, it marks all routes learned from that peer unreachable; if a further 120 seconds pass without an update, it deletes those routes from its routing table.

RIP measures the distance to a destination in hops, known as the route metric. A directly connected network is zero hops away, a network reached through one device is one hop away, and so on. A metric of 16 means unreachable, so a RIP network can span at most 15 hops.

Note: We suggest building your network with OSPF rather than RIP where possible.

 

I. Requirements

Configure the switch with RIP and ensure that users in network 1 can communicate with users in network 2

        

II. Network Topology

III. Configuration Tips

1. Assign IP address to R1, SW2 and SW3.

2. Initialize RIP process and define the corresponding interface on which RIP runs

 

IV. Configuration Steps

1. Assign IP addresses to R1, SW2 and SW3

Ruijie(config)#hostname R1

R1(config)#interface gigabitEthernet 0/0

R1(config-GigabitEthernet 0/0)#ip address 192.168.1.1 255.255.255.0

R1(config-GigabitEthernet 0/0)#exit

R1(config)#interface gigabitEthernet 0/1

R1(config-GigabitEthernet 0/1)#ip address 10.1.1.1 255.255.255.0

R1(config-GigabitEthernet 0/1)#exit

 

Ruijie(config)#hostname SW2

SW2(config)#interface gigabitEthernet 0/25

SW2(config-if-GigabitEthernet 0/25)#no switchport

SW2(config-if-GigabitEthernet 0/25)#ip address 192.168.1.2 255.255.255.0

SW2(config-if-GigabitEthernet 0/25)#exit

SW2(config)#interface gigabitEthernet 0/26

SW2(config-if-GigabitEthernet 0/26)#no switchport

SW2(config-if-GigabitEthernet 0/26)#ip address 192.168.2.1 255.255.255.0

SW2(config-if-GigabitEthernet 0/26)#exit

 

Ruijie(config)#hostname SW3

SW3(config)#interface gigabitEthernet 0/26

SW3(config-if-GigabitEthernet 0/26)#no switchport

SW3(config-if-GigabitEthernet 0/26)#ip address 10.4.1.1 255.255.255.0

SW3(config-if-GigabitEthernet 0/26)#exit

SW3(config)#interface fastEthernet 0/1

SW3(config-if-FastEthernet 0/1)#no switchport

SW3(config-if-FastEthernet 0/1)#ip address 192.168.2.2 255.255.255.0

SW3(config-if-FastEthernet 0/1)#exit

 

2. Initialize the RIP process and define the interfaces on which RIP runs

Note

1. There are two RIP versions: version 1 and version 2. RIPv2 propagates routing updates by multicast, whereas RIPv1 uses broadcast. In addition, RIPv2 updates carry the subnet mask, which RIPv1 updates do not, and RIPv2 supports update authentication (simple password or MD5). Without authentication any host on a RIP-enabled segment can inject or poison routes, so enable it on segments that are not fully trusted.

2. The "network" command in RIP configuration mode takes a classful network address, such as 10.0.0.0/8 or 172.16.0.0/16; RIP is enabled on every interface whose address falls within that classful range.

3. By default RIP auto-summary is enabled and the switch summarizes subprefixes when crossing classful network boundaries. We suggest disabling auto-summary and summarizing routes manually, so that the switch does not learn incorrect routes across discontiguous networks.

R1(config)#router rip

R1(config-router)#version 2                         ----->specify RIP version 2

R1(config-router)#no auto-summary           ----->disable auto-summary

R1(config-router)#network 192.168.1.0       ----->define ip address range 192.168.1.0 on RIP

R1(config-router)#network 10.0.0.0

R1(config-router)#exit

 

SW2(config)#router rip

SW2(config-router)#version 2

SW2(config-router)#no auto-summary

SW2(config-router)#network 192.168.1.0

SW2(config-router)#network 192.168.2.0

SW2(config-router)#exit

 

SW3(config)#router rip

SW3(config-router)#version 2

SW3(config-router)#no auto-summary

SW3(config-router)#network 192.168.2.0

SW3(config-router)#network 10.0.0.0

SW3(config-router)#exit
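Added example, not Ruijie code and not part of this cookbook: the RIPv2 Response packet SW3 above would multicast to 224.0.0.9 on UDP port 520, built and parsed in Python from the RFC 2453 layout. It shows the per-entry subnet mask that note 1 says RIPv1 lacks (with the classful fallback a RIPv1 receiver is forced into), metric 16 as "unreachable", and the audit a practitioner runs on captured updates: an update with no authentication entry can come from anyone on the segment. The second, withdrawn prefix and the password are constructed.

```python
"""RIPv2 Response packets as sent on UDP port 520 to 224.0.0.9 (RFC 2453).
Added illustration, not RGOS code: builds the update SW3 would send for its
10.4.1.0/24 network, parses it back, and flags what a rogue-RIP check looks
for: metric 16 (unreachable) and a missing authentication entry."""
import ipaddress
import struct

RIP_PORT = 520
RIP_MCAST = "224.0.0.9"
RIP_RESPONSE = 2
RIP_INFINITY = 16            # metric 16 means unreachable
AFI_IPV4 = 2
AFI_AUTH = 0xFFFF            # address family of an authentication entry
AUTH_SIMPLE = 2              # simple (cleartext) password, RFC 2453 section 4.1
ENTRY_FMT = "!HH4s4s4sI"     # AFI, route tag, address, mask, next hop, metric (20 bytes)


def rte(prefix: str, metric: int, next_hop: str = "0.0.0.0", tag: int = 0) -> bytes:
    """One route entry; next hop 0.0.0.0 means 'route via the sender'."""
    net = ipaddress.ip_network(prefix)
    return struct.pack(ENTRY_FMT, AFI_IPV4, tag, net.network_address.packed,
                       net.netmask.packed, ipaddress.ip_address(next_hop).packed, metric)


def auth_entry(password: str) -> bytes:
    """Simple-password authentication entry; it must be the first entry."""
    return struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, password.encode().ljust(16, b"\x00"))


def build_response(entries: list, password: str = None) -> bytes:
    header = struct.pack("!BBH", RIP_RESPONSE, 2, 0)     # command, version 2, must-be-zero
    body = (auth_entry(password) if password else b"") + b"".join(entries)
    return header + body


def classful_mask(addr: bytes) -> bytes:
    """RIPv1 carries no mask, so a receiver has to fall back to the address class."""
    if addr[0] < 128:
        return b"\xff\x00\x00\x00"
    if addr[0] < 192:
        return b"\xff\xff\x00\x00"
    return b"\xff\xff\xff\x00"


def parse_response(pkt: bytes) -> dict:
    """Returns {'version', 'authenticated', 'routes': [(prefix, next_hop, metric, reachable)]}."""
    command, version, _ = struct.unpack("!BBH", pkt[:4])
    if command != RIP_RESPONSE:
        raise ValueError("not a RIP Response (command %d)" % command)
    body = pkt[4:]
    if len(body) % 20 or not body or len(body) > 25 * 20:
        raise ValueError("bad entry count")
    out = {"version": version, "authenticated": False, "routes": []}
    for i in range(0, len(body), 20):
        afi = struct.unpack("!H", body[i:i + 2])[0]
        if afi == AFI_AUTH:
            if i != 0:
                raise ValueError("authentication entry must come first")
            out["authenticated"] = True
            continue
        _, tag, addr, mask, nh, metric = struct.unpack(ENTRY_FMT, body[i:i + 20])
        if version == 1 or mask == b"\x00" * 4:
            mask = classful_mask(addr)
        prefix = ipaddress.ip_network("%s/%s" % (ipaddress.ip_address(addr),
                                                 ipaddress.ip_address(mask)), strict=False)
        out["routes"].append((str(prefix), str(ipaddress.ip_address(nh)),
                              metric, 1 <= metric < RIP_INFINITY))
    return out


def audit(pkt: bytes) -> list:
    """Findings a RIP monitor would raise for an observed update."""
    parsed = parse_response(pkt)
    findings = []
    if not parsed["authenticated"]:
        findings.append("unauthenticated update: any host on the segment can inject routes")
    for prefix, _, metric, reachable in parsed["routes"]:
        if not reachable:
            findings.append("%s withdrawn (metric %d)" % (prefix, metric))
    return findings


# Constructed sample: SW3 advertising its LAN plus a poisoned (withdrawn) route
SW3_UPDATE = build_response([rte("10.4.1.0/24", 1), rte("192.168.9.0/24", RIP_INFINITY)])

if __name__ == "__main__":
    print(parse_response(SW3_UPDATE))
    print(audit(SW3_UPDATE))
```

The simple-password entry is itself sent in cleartext and only stops accidental neighbours; MD5 authentication (RFC 2082) is the one to use where the segment is not trusted.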

 

V. Verification

Display the IP routing table on each device and confirm that the RIP routes (code R) for every network have been propagated throughout the network.

2.9.3.3      OSPF

Overview

 

OSPF (Open Shortest Path First) is a link-state interior gateway protocol developed by the IETF OSPF working group. OSPF is a routing protocol specific to IP and runs directly on the IP layer with protocol number 89. OSPF packets are exchanged as multicast using the addresses 224.0.0.5 (all OSPF routers) and 224.0.0.6 (designated routers).

Note: we recommend that you can give priority to OSPF to build your network

 

I. Requirements

Use OSPF to build your network so that every node in the network can communicate with every other node.

 

II. Network Topology

 

III. Configuration Tips

1. Assign IP addresses to R1, R2, SW3 and SW4

2. Initialize OSPF process on all devices and define corresponding interfaces which OSPF runs and define the area ID for those interfaces.

3. (Optional) Modify network type on interfaces that have OSPF enabled

 

IV. Configuration Steps

1. Assign IP addresses to R1, R2, SW3 and SW4

Ruijie(config)#hostname R1

R1(config)#interface gigabitEthernet 0/0

R1(config-GigabitEthernet 0/0)#ip address 192.168.1.1 255.255.255.0

R1(config-GigabitEthernet 0/0)#exit

R1(config)#interface gigabitEthernet 0/1

R1(config-GigabitEthernet 0/1)#ip address 10.1.1.1 255.255.255.0

R1(config-GigabitEthernet 0/1)#exit

R1(config)#interface loopback 0                                             ----->configure IP address of Loopback 0 as OSPF Router-id

R1(config-if-Loopback 0)#ip address 1.1.1.1 255.255.255.255 

R1(config-if-Loopback 0)#exit

 

Ruijie(config)#hostname R2

R2(config)#interface fastEthernet 0/0

R2(config-if-FastEthernet 0/0)#ip address 192.168.1.2 255.255.255.0

R2(config-if-FastEthernet 0/0)#exit

R2(config)#interface fastEthernet 0/1

R2(config-if-FastEthernet 0/1)#ip address 192.168.2.1 255.255.255.0

R2(config-if-FastEthernet 0/1)#exit

R2(config)#interface loopback 0

R2(config-if-Loopback 0)#ip address 2.2.2.2 255.255.255.255

R2(config-if-Loopback 0)#exit

 

Ruijie(config)#hostname SW3

SW3(config)#interface GigabitEthernet 0/26

SW3(config-if-GigabitEthernet 0/26)#no switchport

SW3(config-if-GigabitEthernet 0/26)#ip address 192.168.2.2 255.255.255.0

SW3(config-if-GigabitEthernet 0/26)#exit

SW3(config)#interface GigabitEthernet 0/25

SW3(config-if-GigabitEthernet 0/25)#no switchport

SW3(config-if-GigabitEthernet 0/25)#ip address 192.168.3.1 255.255.255.0

SW3(config-if-GigabitEthernet 0/25)#exit

SW3(config)#interface loopback 0

SW3(config-if-Loopback 0)#ip address 3.3.3.3 255.255.255.255

SW3(config-if-Loopback 0)#exit

 

Ruijie(config)#hostname SW4

SW4(config)#interface gigabitEthernet 0/25

SW4(config-if-GigabitEthernet 0/25)#no switchport

SW4(config-if-GigabitEthernet 0/25)#ip address 192.168.3.2 255.255.255.0

SW4(config-if-GigabitEthernet 0/25)#exit

SW4(config)#interface gigabitEthernet 0/1

SW4(config-if-GigabitEthernet 0/1)#no switchport

SW4(config-if-GigabitEthernet 0/1)#ip address 10.4.1.1 255.255.255.0

SW4(config-if-GigabitEthernet 0/1)#exit

SW4(config)#interface loopback 0

SW4(config-if-Loopback 0)#ip address 4.4.4.4 255.255.255.255

SW4(config-if-Loopback 0)#exit

 

2. Initialize OSPF process on all devices and define corresponding interfaces which OSPF runs and define the area ID for those interfaces.

Note

1) OSPF does not carry the process ID to its neighbors, so process IDs may differ between routers in the same OSPF area.

2) OSPF checks the neighbor's area ID in the hello packet while establishing an adjacency; the area ID must match on both neighbors (as must the hello/dead timers and the network type). OSPF also supports neighbor authentication (plaintext or MD5 message digest); without it any device on the segment with matching parameters can form an adjacency and inject routes.

R1(config)#router ospf 1                                                 ----->enable OSPF globally , and process ID is 1

R1(config-router)#network 192.168.1.1 0.0.0.0 area 1     ----->OSPF area 1 runs on interface 192.168.1.1

R1(config-router)#network 10.1.1.1 0.0.0.0 area 1

R1(config-router)#exit

 

R2(config)#router ospf 1

R2(config-router)#network 192.168.1.2 0.0.0.0 area 1

R2(config-router)#network 192.168.2.1 0.0.0.0 area 0

R2(config-router)#exit

 

SW3(config)#router ospf 1

SW3(config-router)#network 192.168.2.2 0.0.0.0 area 0

SW3(config-router)#network 192.168.3.1 0.0.0.0 area 2

SW3(config-router)#exit

 

SW4(config)#router ospf 1

SW4(config-router)#network 192.168.3.2 0.0.0.0 area 2

SW4(config-router)#network 10.4.1.1 0.0.0.0 area 2

SW4(config-router)#exit

 

3. (Optional)Modify network type on interfaces that have OSPF enabled

Note: By default the OSPF network type on an Ethernet interface is broadcast, and the DR/BDR election delays neighbor establishment by about 40 seconds. We recommend changing the network type to point-to-point on Ethernet links that have a single neighbor, to speed up OSPF convergence.

R2(config)#interface fastEthernet 0/1

R2(config-if-FastEthernet 0/1)#ip ospf network point-to-point        ----->change the OSPF network type to point-to-point (the network type must match on both OSPF peers, otherwise the adjacency does not form)

R2(config-if-FastEthernet 0/1)#exit

 

SW3(config)#interface GigabitEthernet 0/26                                  ----->the interface facing R2 (192.168.2.2)

SW3(config-if-GigabitEthernet 0/26)#ip ospf network point-to-point

SW3(config-if-GigabitEthernet 0/26)#exit

 

V. Verification

1. How to display OSPF neighbor table

2. How to display IP route table

 

Redistribution

Overview

To support the routers to run multiple routing protocol processes, Ruijie product provides the function for redistributing the route information from one routing process to another routing process .For example, you can redistribute the routes in the OSPF routing area to the RIP routing area, or those in the RIP routing area to the OSPF routing area. Routes can be redistributed among all the IP routing protocols.

 

I. Requirements

Redistribute static route into OSPF process.All nodes in OSPF area can communicate with nodes in 10.1.2.0/24

 

II. Network Topology

III. Configuration Tips

1. Assign IP address and initialize OSPF process

2. Configure a static route on SW1 pointing to subnet 10.1.2.0/24

3. Redistribute static route into OSPF process

 

IV. Configuration Steps

1. Assign IP addresss and initialize OSPF process

 see  Chapter OSPF ---->  Configuring  basic OSPF

 

2. Configure a static route on SW1 pointing to subnet 10.1.2.0/24

SW1(config)#ip route 10.1.2.0 255.255.255.0 192.168.11.2

 

3. Redistribute static route into OSPF

Note:

1)      This example shows the OSPF redistribution commands:

SW1(config)#router ospf 1

SW1(config-router)#redistribute ?

  bgp        Border Gateway Protocol (BGP)

  connected  Connected

  ospf       Open Shortest Path First (OSPF)

  rip        Routing Information Protocol (RIP)

  static     Static routes

 

 

2)      There are two types of redistributed external routes, type 1 and type 2, and their route metrics are calculated differently.

a. The metric of a type 1 route is the external cost plus the internal cost to reach the ASBR that advertised it. A type 1 route is always preferred over a type 2 route to the same destination.

b. The metric of a type 2 route is the external cost only, regardless of the internal cost to reach the ASBR (the internal cost is used only to break ties between type 2 routes). By default, redistributed external routes are type 2.

SW1(config)#router ospf 1

SW1(config-router)#redistribute static metric-type ?

  1  Set OSPF External Type 1 metrics     

  2  Set OSPF External Type 2 metrics

 

3)  Only routes that are installed in the IP routing table can be redistributed into the OSPF process. Use the "show ip route" EXEC command to verify this.

4)  You must add the keyword "subnets" when you redistribute routes into OSPF; otherwise only classful routes are redistributed. Note that "redistribute static" imports every static route on the device, including any default route; if only some of them should be advertised, filter them with a route-map.

 

This example shows how to redistribute static route into OSPF process.

SW1(config)#router ospf 1

SW1(config-router)#redistribute static subnets                           ----->redistribute static routes

SW1(config-router)#exit
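Added example, not Ruijie code and not part of this cookbook: the type 1 / type 2 preference rule from note 2) above, as the selection a router performs when it holds more than one external LSA for 10.1.2.0/24. The second ASBR "R5", the intra-domain costs and the external metric 20 are constructed; the [110/x] display assumes the usual OSPF administrative distance of 110.

```python
"""OSPF external-route preference as described in the note above (RFC 2328,
section 16.4): a Type 1 route costs external metric + internal cost to the
ASBR; a Type 2 route costs the external metric alone, with the internal cost
only breaking ties; any Type 1 route beats any Type 2 route to the same
prefix.  Added illustration, not RGOS code."""
from dataclasses import dataclass

OSPF_DISTANCE = 110


@dataclass(frozen=True)
class External:
    prefix: str
    asbr: str          # router that redistributed the route
    metric_type: int   # 1 (O E1) or 2 (O E2)
    metric: int        # external metric set at redistribution


def comparison_key(route: External, cost_to_asbr: int) -> tuple:
    """Smaller is better.  The type comes first, so E1 always wins over E2."""
    if route.metric_type == 1:
        return (1, route.metric + cost_to_asbr, 0)
    return (2, route.metric, cost_to_asbr)


def displayed_metric(route: External, cost_to_asbr: int) -> int:
    """The number shown in the [110/x] column of 'show ip route'."""
    return route.metric + cost_to_asbr if route.metric_type == 1 else route.metric


def best_external(candidates, cost_to_asbr: dict) -> External:
    """Route a router installs given its intra-domain cost to each ASBR."""
    return min(candidates, key=lambda r: comparison_key(r, cost_to_asbr[r.asbr]))


def route_line(route: External, cost_to_asbr: int) -> str:
    return "O E%d %s [%d/%d]" % (route.metric_type, route.prefix, OSPF_DISTANCE,
                                displayed_metric(route, cost_to_asbr))


# Constructed: the router doing the lookup is 30 away from SW1 and 5 from R5.
COST_TO_ASBR = {"SW1": 30, "R5": 5}
E2_CANDIDATES = [
    External("10.1.2.0/24", "SW1", 2, 20),   # SW1: redistribute static subnets (type 2 by default)
    External("10.1.2.0/24", "R5", 2, 20),    # assumed second ASBR, same external metric
]
SW1_AS_E1 = External("10.1.2.0/24", "SW1", 1, 20)   # SW1 after: redistribute static subnets metric-type 1

if __name__ == "__main__":
    b = best_external(E2_CANDIDATES, COST_TO_ASBR)
    print("E2 tie broken by cost to ASBR:", b.asbr, route_line(b, COST_TO_ASBR[b.asbr]))
    b = best_external(E2_CANDIDATES + [SW1_AS_E1], COST_TO_ASBR)
    print("E1 preferred despite higher total:", b.asbr, route_line(b, COST_TO_ASBR[b.asbr]))
```

With two type 2 advertisements the nearer ASBR (R5) wins on the tie-break, and the metric shown stays 20 wherever the route is viewed. Changing SW1 to metric-type 1 makes SW1's route win everywhere, even though its displayed metric (20 + 30 = 50) is larger, which is why metric-type 1 is the usual choice when the same prefix may be redistributed by more than one ASBR.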

 

V. Verification

How to display IP route table and verify the reditributed routes

 

Summary

Overview

You can configure OSPF route summarization to reduce the number of routes and the load on device resources.

Note: OSPF summarization can be enabled on an ABR or an ASBR only.

 

I. Requirements

Configure OSPF summary to reduce routes number on SW1

 

II. Network Topology

 

III. Configuration Tips

You can configure OSPF summary on ABR(area border router) or ASBR(Autonomous System Border Router).

 

IV. Configuration Steps

1. Assign IP addresses and initial OSPF process

see  Chapter OSPF ---->  Configuring basic OSPF

 

2. Redistribute static routes that pointing to subnet 10.1.2.0/24 into OSPF on SW1

see  Chapter OSPF ----> Redistribution

 

3. Configure OSPF inter-area summary

This example specifies one summary route to be advertised by the ABR to other areas for all subnets on network 10.4.0.0/16

SW3(config)#router ospf 1

SW3(config-router)#area 2 range 10.4.0.0 255.255.0.0    ----->summarised internal routes(2 indicates the identifier of the area about which routes are to be summarized)

SW3(config-router)#exit

 

4. External routes summary

This example specifies one summary route to be advertised by the ASBR to other areas for all subnets on network 10.1.0.0/16

SW1(config)#router ospf 1

SW1(config-router)#summary-address 10.1.0.0 255.255.0.0      ----->summarise external routes

SW1(config-router)#exit

 

V. Verification

How to display IP route table and verify summarised routes

 

Stub area

Overview

If an area is an OSPF leaf area (neither the backbone nor a transit area) and no routes are redistributed by the devices in the area, configure it as a stub area. A stub area learns only intra-area routes, inter-area routes and the default route advertised by its ABR. Because it carries no external routes, the routing tables of the devices in the stub area are small, which saves device resources; this suits the medium- and low-end devices typically deployed in such areas.

Routers in a stub area do not flood Type 4 and Type 5 LSAs (external routes), which reduces the size of the LSA database and the routing table. The ABR of a stub area also automatically originates a Type 3 inter-area default route (O*IA) so that nodes in the stub area can still reach nodes in other areas.

 

I. Requirements

1. Configure area 2 as a stub area to filter Type 4 and Type 5 LSAs.

2. Configure area 2 as a totally stub area to filter Type 3, 4 and 5 LSAs.

 

II. Network Topology

III. Configuration Tips

1. The ABR of a stub area filters Type 4 and 5 LSAs and originates a Type 3 default route.

2. The ABR of a totally stub area filters Type 3, 4 and 5 LSAs and originates a Type 3 default route.

3. You cannot redistribute routes into a stub area.

 

IV. Configuration Steps

1. Configuring Stub area

1.1. Assign IP addresses and configure initial OSPF

see Chapter OSPF ----> Configuring basic OSPF

 

1.2. Configure a static route on SW1 and redistribute the static route into OSPF

see Chapter OSPF ----> Redistribution

 

1.3. Configuring area 2 as Stub area

Note

1) You must configure every router in the stub area with the "stub" command; a router that omits it cannot form an adjacency with the others, because the stub flag carried in the hello packet must match.

2) Area 0 cannot be configured as a stub area.

SW3(config)#router ospf 1

SW3(config-router)#area 2 stub      ----->specify SW3 in stub area 2

SW3(config-router)#exit

 

R4(config)#router ospf 1

R4(config-router)#area 2 stub

R4(config-router)#exit

 

2. Configuring Totally stub area

2.1. Assign IP addresses and configure basic OSPF parameters

see Chapter OSPF ----> Configuring basic OSPF

 

2.2. Configuring a static route on SW1 and redistribute static route into OSPF

see Chapter OSPF ----> Redistribution

 

2.3. Configuring area 2 as Totally Stub area

Note: You must configure every router in the totally stub area with the "stub" command; the "no-summary" keyword is required on the ABR only.

SW3(config)#router ospf 1

SW3(config-router)#area 2 stub no-summary   ----->specify SW3 in Totally Stub area 2

SW3(config-router)#exit

 

R4(config)#router ospf 1

R4(config-router)#area 2 stub

R4(config-router)#exit

 

V. Verification

1. In the stub area, display the IP routing table and verify that no external route (O E1 or O E2) is installed and that the ABR has originated a Type 3 default route (O*IA 0.0.0.0/0).

2. In the totally stub area, display the IP routing table and verify that neither inter-area routes (O IA) nor external routes are installed and that the ABR has originated a Type 3 default route.

NSSA area

Overview

Routers in an NSSA (not-so-stubby area) do not flood Type 4 and Type 5 LSAs, which reduces the size of the LSA database and the routing table. Unlike a stub area, an NSSA still allows routes to be redistributed into it: they are carried inside the area as Type 7 LSAs and translated into Type 5 LSAs by the ABR for the rest of the OSPF domain.

 

I. Requirements

1. Configure area 2 as an NSSA to filter Type 4 and 5 LSAs, then redistribute external static routes into the NSSA.

2. Configure area 2 as a totally NSSA to filter Type 3, 4 and 5 LSAs, then redistribute external static routes into the totally NSSA.

 

II. Network Topology

 

III. Configuration Tips

1. The ABR of an NSSA filters Type 4 and 5 LSAs but does not originate a Type 3 default route.

2. The ABR of a totally NSSA filters Type 3, 4 and 5 LSAs and originates a Type 3 default route.

3. You can redistribute routes into an NSSA or a totally NSSA.

 

IV. Configuration Steps

1. Configuring NSSA area

1.1. Assign IP addresss and configure basic OSPF parameters

 see  Chapter OSPF ---->  Configuring basic OSPF

 

1.2   Configure static routes on SW1 and R4 ,then redistribute static routes into OSPF

 see Chapter OSPF ----> Redistribution

 

1.3  Configure Area 2 as NSSA

Note

1) You must configure every router in the NSSA with the "nssa" command.

2) Area 0 cannot be configured as an NSSA.

R3(config)#router ospf 1     

R3(config-router)#area 2 nssa     ---->specify R3 in NSSA area 2

R3(config-router)#exit

 

R4(config)#router ospf 1

R4(config-router)#area 2 nssa

R4(config-router)#exit

 

2. Configuring Totally NSSA area

2.1 Assign IP addresses and configure basic OSPF parameters

see  Chapter OSPF ---->  Configuring basic OSPF

 

2.2 Configure static routes on SW1 and R4, then redistribute the static routes into OSPF

see Chapter OSPF ----> Redistribution

 

2.3 Configure Area 2 as Totally NSSA area

Note:

You must configure all routers in the Totally NSSA with the "nssa no-summary" command.

R3(config)#router ospf 1                         

R3(config-router)#area 2 nssa no-summary   -----> specify R3 in totally NSSA area 2

R3(config-router)#exit

 

R4(config)#router ospf 1

R4(config-router)#area 2 nssa

R4(config-router)#exit

 

V. Verification

1. In an NSSA, display the IP route table and verify that no external route (O E1 or O E2) is installed and that the ABR does not create a class-3 default route. In addition, routes redistributed into the NSSA appear as O N1 or O N2 routes.

 

2. In a Totally NSSA, display the IP route table and verify that no external route (O E1 or O E2) and no inter-area route (O IA) is installed and that the ABR creates a class-3 default route. In addition, routes redistributed into the Totally NSSA appear as O N1 or O N2 routes.
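The verification steps for the stub, Totally Stub, NSSA and Totally NSSA areas above all amount to the same check on the route table: certain OSPF route classes must be absent and the ABR-injected default must (or must not) be present. The following script is an added example, not part of this cookbook or Ruijie's software; it parses constructed `show ip route` lines in the route-code format used throughout this guide and reports any route that violates the expectation for the given area type. The sample tables are constructed for illustration.

```python
"""Check an OSPF route table dump against stub / NSSA area expectations.

Added example (not from the cookbook). Parses constructed `show ip route`
lines and applies the verification criteria listed in this guide for stub,
totally stub, NSSA and totally NSSA areas.
"""
import re

# Matches a route line: route code(s), then an IPv4 prefix. Header lines such as
# "Codes: ..." or "Gateway of last resort ..." contain lowercase text and are skipped.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z][A-Z0-9* ]*?)\s+(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})"
)

# Route classes that must not appear in each area type (from the Verification notes;
# stub areas cannot carry type-7 routes either, so O N1/O N2 are forbidden there).
FORBIDDEN = {
    "stub":         {"O E1", "O E2", "O N1", "O N2"},
    "totally-stub": {"O E1", "O E2", "O N1", "O N2", "O IA"},
    "nssa":         {"O E1", "O E2"},
    "totally-nssa": {"O E1", "O E2", "O IA"},
}

# Whether the ABR is expected to inject a class-3 (O IA) default route.
DEFAULT_EXPECTED = {"stub": True, "totally-stub": True, "nssa": False, "totally-nssa": True}

# Constructed route table of a router inside an NSSA (area 2): inter-area route
# present, a redistributed O N2 route, no default from the ABR.
SAMPLE_NSSA = """\
Codes:  C - connected, S - static, R - RIP, B - BGP
        O - OSPF, IA - OSPF inter area
        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
        E1 - OSPF external type 1, E2 - OSPF external type 2

Gateway of last resort is not set
C    192.168.2.0/24 is directly connected, GigabitEthernet 0/1
O    192.168.1.0/24 [110/2] via 192.168.2.1, 00:05:12, GigabitEthernet 0/1
O IA 10.1.1.0/24 [110/3] via 192.168.2.1, 00:05:12, GigabitEthernet 0/1
O N2 172.16.1.0/24 [110/20] via 192.168.2.2, 00:01:03, GigabitEthernet 0/1
"""

# Constructed route table of a router inside a Totally NSSA: the O IA route is
# replaced by the ABR's default (the "*" marks the candidate default route).
SAMPLE_TOTALLY_NSSA = """\
Gateway of last resort is 192.168.2.1 to network 0.0.0.0
C    192.168.2.0/24 is directly connected, GigabitEthernet 0/1
O    192.168.1.0/24 [110/2] via 192.168.2.1, 00:05:12, GigabitEthernet 0/1
O*IA 0.0.0.0/0 [110/2] via 192.168.2.1, 00:00:40, GigabitEthernet 0/1
O N2 172.16.1.0/24 [110/20] via 192.168.2.2, 00:01:03, GigabitEthernet 0/1
"""


def parse_routes(text):
    """Return a list of (route_class, prefix) tuples; the '*' default marker is dropped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        code = " ".join(m.group("code").replace("*", " ").split())
        routes.append((code, m.group("prefix")))
    return routes


def check_area(text, area_type):
    """Return a list of findings; an empty list means the table matches the area type."""
    routes = parse_routes(text)
    findings = []
    for code, prefix in routes:
        if prefix == "0.0.0.0/0":
            continue  # the default route is judged separately below
        if code in FORBIDDEN[area_type]:
            findings.append(f"unexpected {code} route {prefix} in {area_type} area")
    has_default = any(c == "O IA" and p == "0.0.0.0/0" for c, p in routes)
    if DEFAULT_EXPECTED[area_type] and not has_default:
        findings.append("ABR default route (O IA 0.0.0.0/0) missing")
    if not DEFAULT_EXPECTED[area_type] and has_default:
        findings.append("unexpected O IA default route")
    return findings


if __name__ == "__main__":
    for name, text, area in (("NSSA", SAMPLE_NSSA, "nssa"),
                             ("Totally NSSA", SAMPLE_TOTALLY_NSSA, "totally-nssa")):
        result = check_area(text, area)
        print(f"{name}: {'OK' if not result else result}")
```

Feeding the NSSA table to the "totally-nssa" check flags both the O IA route and the missing default, which is exactly the difference the `no-summary` keyword makes on the ABR.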

2.9.3.4      BGP

2.9.3.4.1      Basic iBGP Configuration

Scenario

External gateway protocols such as BGP are mainly applied on large-scale networks to carry large numbers of routes, and BGP also provides flexible attributes for routing control. Typical scenarios include telecom operator networks, secondary or tertiary ISPs, provincial backbone networks in the financial industry, and municipal e-government networks. BGP is generally not deployed on its own in these scenarios but together with MPLS, in BGP + MPLS VPN networking mode. iBGP is the form of BGP used for sessions between devices within the same AS.

I. Networking Requirements

1. Switch 1, Switch 2, and Switch 3 belong to AS 123. Switch 1 and Switch 2 are configured as iBGP neighbors, and Switch 2 and Switch 3 are configured as iBGP neighbors.

2. Route information is advertised to the neighbors over iBGP.

II. Network Topology

III. Configuration Tips

1. Determine the source address for BGP neighbor update.

Note:

1) If the neighbor is an eBGP neighbor on the edge of the AS, it is recommended that a directly connected interface be used as the update source address. In this case, you do not have to set up an IGP route between the update source addresses.

2) If the neighbor is an iBGP neighbor inside the AS, it is recommended that a loopback address be used as the update source address. A loopback address is more reliable: a single physical circuit failure does not cause the BGP session to flap. Generally, IGP routes between the update source addresses are deployed within the AS.

2. iBGP uses split horizon. That is, a route learned from one iBGP neighbor is not advertised to another iBGP neighbor (but is advertised to eBGP neighbors).
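The split-horizon rule in tip 2 is the reason the SW1-SW2-SW3 chain in this scenario needs a full mesh of iBGP sessions (or a route reflector) before SW3 can see a prefix originated by SW1. The script below is an added example, not part of this cookbook or Ruijie's software: a small model of BGP route propagation that applies the iBGP split-horizon rule and eBGP AS-path loop prevention. The three switches in AS 123 follow the scenario; the eBGP peer "EXT" in AS 65000 is a hypothetical addition to show that iBGP-learned routes are still passed to eBGP neighbors.

```python
"""Model of BGP route propagation showing the iBGP split-horizon rule.

Added example (not from the cookbook). SW1, SW2 and SW3 are in AS 123 as in
the scenario; the eBGP peer EXT in AS 65000 is a hypothetical addition.
"""


class Router:
    def __init__(self, name, asn):
        self.name = name
        self.asn = asn
        self.peers = {}   # peer name -> Router
        self.rib = {}     # prefix -> (name of peer it was learned from or None, AS path)

    def peer_with(self, other):
        """Configure a bidirectional BGP session (iBGP if same AS, otherwise eBGP)."""
        self.peers[other.name] = other
        other.peers[self.name] = self

    def originate(self, prefix):
        """Locally originated route: no learned-from peer, empty AS path."""
        self.rib[prefix] = (None, [])


def session_type(a, b):
    return "iBGP" if a.asn == b.asn else "eBGP"


def can_advertise(router, prefix, to_peer):
    """Apply the BGP advertisement rules for one prefix towards one peer."""
    learned_from, as_path = router.rib[prefix]
    if learned_from == to_peer.name:
        return False  # never send a route back to the peer it came from
    if learned_from is not None:
        src = router.peers[learned_from]
        # iBGP split horizon: iBGP-learned routes are not re-advertised to iBGP peers.
        if session_type(router, src) == "iBGP" and session_type(router, to_peer) == "iBGP":
            return False
    # eBGP loop prevention: do not send a route into an AS already in its AS path.
    if to_peer.asn in as_path:
        return False
    return True


def propagate(routers):
    """Flood routes until no router learns anything new (first path received wins)."""
    changed = True
    while changed:
        changed = False
        for r in routers:
            for prefix in list(r.rib):
                for peer in r.peers.values():
                    if prefix in peer.rib or not can_advertise(r, prefix, peer):
                        continue
                    _, path = r.rib[prefix]
                    # eBGP prepends the sender's AS; iBGP leaves the AS path unchanged.
                    new_path = path if session_type(r, peer) == "iBGP" else [r.asn] + path
                    peer.rib[prefix] = (r.name, new_path)
                    changed = True


def run_scenario(full_mesh=False):
    """Return {router: {prefix: AS path}} after propagation in the scenario topology."""
    sw1, sw2, sw3 = Router("SW1", 123), Router("SW2", 123), Router("SW3", 123)
    ext = Router("EXT", 65000)          # hypothetical eBGP neighbor of SW2
    sw1.peer_with(sw2)
    sw2.peer_with(sw3)
    if full_mesh:
        sw1.peer_with(sw3)              # the missing iBGP session of a full mesh
    sw2.peer_with(ext)
    sw1.originate("10.1.1.0/24")        # SW1's directly connected network
    ext.originate("172.16.0.0/16")      # constructed external prefix
    routers = [sw1, sw2, sw3, ext]
    propagate(routers)
    return {r.name: {p: path for p, (_, path) in r.rib.items()} for r in routers}


if __name__ == "__main__":
    for mesh in (False, True):
        print(f"full mesh = {mesh}")
        for name, rib in run_scenario(mesh).items():
            print(f"  {name}: {sorted(rib)}")
```

Without the SW1-SW3 session SW3 only learns the external prefix (which SW2 took from an eBGP peer and may therefore pass on), while EXT receives SW1's prefix from SW2 with AS path [123]; adding the third iBGP session delivers SW1's prefix to SW3 as well.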

IV. Configuration Steps

Note:

Rename the devices as SW1, SW2, and SW3 according to the preceding topology and perform the following configurations:

1. Configure the basic IP addresses for the devices on the network.

Ruijie(config)#hostname SW1

SW1(config)#interface gigabitEthernet 1/2

SW1(config-if-GigabitEthernet 1/2)#no switchport

SW1(config-if-GigabitEthernet 1/2)#ip address 192.168.1.1 255.255.255.0

SW1(config-if-GigabitEthernet 1/2)#exit

SW1(config)#interface gigabitEthernet 1/1

SW1(config-if-GigabitEthernet 1/1)#no switchport

SW1(config-if-GigabitEthernet 1/1)#ip address 10.1.1.1 255.255.255.0

SW1(config-if-GigabitEthernet 1/1)#exit

SW1(config)#interface loopback 0      

SW1(config-if-Loopback 0)#ip address 1.1.1.1 255.255.255.255

SW1(config-if-Loopback 0)#exit

 

Ruijie(config)#hostname SW2

SW2(config)#interface gigabitEthernet 1/1

SW2(config-if-GigabitEthernet 1/1)#no switchport

SW2(config-if-GigabitEthernet 1/1)#ip address 192.168.1.2 255.255.255.0

SW2(config-if-GigabitEthernet 1/1)#exit

SW2(config)#interface gigabitEthernet 1/2

SW2(config-if-GigabitEthernet 1/2)#no switchport

SW2(config-if-GigabitEthernet 1/2)#ip address 192.168.2.1 255.255.255.0

SW2(config-if-GigabitEthernet 1/2)#exit

SW2(config)#interface loopback 0

SW2(config-if-Loopback 0)#ip address 2.2.2.2 255.255.255.255

SW2(config-if-Loopback 0)#exit

 

Ruijie(config)#hostname SW3

SW3(config)#interface gigabitEthernet 1/1

SW3(config-if-GigabitEthernet 1/1)#no switchport

SW3(config-if-GigabitEthe