System Description H3C S5120-EI Series Ethernet Switches. Table of Contents


Table of Contents

Chapter 1 Product Overview
  Preface; System Features; Service Features

Chapter 2 Hardware Description
  S C-EI Ethernet Switch: Appearance; Front Panel; Rear Panel; Power Supply System; Cooling System; Description of S C-EI LEDs; Description of Ports
  S C-EI Ethernet Switch: Appearance; Front Panel; Rear Panel; Power Supply System; Cooling System; Description of S C-EI LEDs; Description of Ports
  S C-PWR-EI Ethernet Switch: Appearance; Front Panel; Rear Panel; Power Supply System; Cooling System; Description of S C-PWR-EI LEDs; Description of Ports
  S C-PWR-EI Ethernet Switch: Appearance; Front Panel; Rear Panel; Power Supply System; Cooling System; Description of S C-PWR-EI LEDs; Description of Ports
  2.5 S P-EI Ethernet Switch: Appearance; Front Panel; Rear Panel; Power Supply System; Cooling System; Description of S P-EI LEDs; Description of Ports
  S P-EI Ethernet Switch: Appearance; Front Panel; Rear Panel; Power Supply System; Cooling System; Description of S P-EI LEDs; Description of Ports
  Optional Interface Modules; One-port 10 Gbps XFP Module; Dual-port 10GE XFP Module; Dual-port 10GE CX4 Module for Short Haul; Dual-port 10 GE SFP+ Interface Module; Description of Extension Module LEDs; CX4 Cable; SFP+ Cable

Chapter 3 Software Features
  Basic Features; Link Aggregation; Traffic Control; DLDP; Broadcast Storm Control; VLAN; GARP/GVRP; QinQ
  Network Protocol Features; ARP; DHCP; UDP Helper; DNS; OAM (802.3ah); Connectivity Fault Detection (802.1ag); NTP
  Routing Features; Static Route and Default Route
  Multicast Features; IGMP Snooping; Multicast VLAN
  STP/RSTP/MSTP; STP/RSTP; MSTP; STP Protection
  IPv6 Features; NDP; Introduction to IPv6 DNS; Ping IPv6 and Tracert IPv; IPv6 Telnet; IPv6 TFTP
  IPv6 Multicast Features; MLD Snooping
  QACL; Traffic Classification; Priority Marking; Traffic Policing/Bandwidth Assurance; Traffic Statistics; Traffic Mirroring; Traffic Redirection; Port Mirroring; Queue Scheduling; User Profile
  Centralized Management Features; HGMP
  Security Features; Terminal Access User Classification; SSH; Port Isolation; IEEE 802.1x Authentication; x EAD Fast Deployment; IP Source Guard; MAC address authentication; MAC Address Learning Limit; Binding of MAC Addresses to Ports; MAC Address Black Hole; AAA/RADIUS/HWTACACS
  Reliability Features; Smart Link; Monitor Link; RRPP
  IRF; Physical Connections; Easy Management; Efficient Redundancy Backup

Chapter 4 System Maintenance and Management
  Simple and Flexible Maintenance System; System Configuration; System Maintenance; System Test and Diagnosis; Software Upgrade
  imc NMS; Topology Management; Configuration Management; Fault Management; Performance Management; Security Management
  Web-Based Network Management

Chapter 5 Networking Applications

Chapter 6 Guide to Purchase
  Purchasing the S5120-EI Series; Supported Interface Modules; Purchasing SFP Modules; Purchasing XFP Optical Modules; Purchasing the Short-haul 2-port 10-GE CX4 Module; Purchasing the SFP+ Transceivers and SFP+ Cables

Chapter 1 Product Overview

1.1 Preface

H3C S5120-EI Series Ethernet Switches (hereinafter referred to as the S5120-EI series) are Gigabit Ethernet switching products developed by Hangzhou H3C Technology Co., Ltd. The S5120-EI series have abundant service features. They provide the IPv6 forwarding function and 10GE uplink interfaces (supported only by S5120-C-EI series switches). H3C-specific cluster management streamlines network management.

The S5120-EI series are designed as access devices for intranets and metropolitan area networks (MANs).

The S5120-C-EI series switches support the Intelligent Resilient Framework (IRF) technology. You can connect multiple S5120-C-EI switches through 10 GE ports to form a logical entity, thereby establishing an intelligent network with high reliability, expandability and manageability.

The S5120-EI series include the following models:
- S C-EI
- S C-EI
- S C-PWR-EI
- S C-PWR-EI
- S P-EI
- S P-EI

The feature-rich S5120-EI series support the following services:
- Broadband Internet access
- Access of MAN and intranet users
- Multimedia services, such as VOD
- Delay-sensitive voice services, such as VoIP
- Enhanced multicast, providing audio/video services over IPv4/IPv6 multicast

The S5120-EI series feature the following advantages:
- Provides full-gigabit access ports
- Provides 10GE uplink ports (supported only by S5120-C-EI series switches)
- Supports jumbo frames
- Supports port security
- Supports Link Aggregation Control Protocol (LACP)
- Supports 4K VLANs
- Supports IPv4/IPv6 dual-stack and hardware forwarding

- Supports abundant QoS/ACL functions
- Supports QinQ
- Supports port- and flow-based mirroring
- Supports RSPAN
- Supports IRF (supported only by S5120-C-EI series switches)

1.2 System Features

Table 1-1 System features of the S5120-EI series

Model columns, in order: S C-EI; S C-EI; S C-PWR-EI; S C-PWR-EI; S P-EI; S P-EI

Dimensions (height × width × depth): mm ( in.); mm ( in.); mm ( in.)
Weight: <4.5 kg (9.9 lb.); <5 kg (11.0 lb.); <7 kg (15.4 lb.); <7.5 kg (16.5 lb.); <4.5 kg (9.9 lb.); <5 kg (11.0 lb.)
Console port: One console port
GE ports on the front panel:
- 24 10/100/1,000 M electrical ports, 4 Gigabit SFP Combo ports
- 48 10/100/1,000 M electrical ports, 4 Gigabit SFP Combo ports
- 24 10/100/1,000 M electrical ports, 4 Gigabit SFP Combo ports
- 48 10/100/1,000 M electrical ports, 4 Gigabit SFP Combo ports
- 24 10/100/1,000 M electrical ports, 4 Gigabit SFP Combo ports
- 48 10/100/1,000 M electrical ports, 4 Gigabit SFP Combo ports
Optional modules:
- One-port 10 GE XFP interface module
- Dual-port 10 GE XFP interface module
- Short-haul dual-port 10GE CX4 interface module
- Dual-port 10 GE SFP+ interface module
- Not supported
Voltage, AC:
- Rated voltage: 100 VAC to 240 VAC, 50 Hz or 60 Hz
- Input voltage: 90 VAC to 264 VAC, 47 Hz to 63 Hz
Voltage, DC:
- Rated voltage range: 10.8 VDC to 13.2 VDC
- Rated voltage range: -52 VDC to 55 VDC
- Rated voltage range: 10.8 VDC to 13.2 VDC

Power consumption: 36 W; 55 W; 55 W; 78 W; 35 W; 54 W
Power consumption (full configuration):
- 103 W
- 145 W
- 495 W, with 125 W of system power consumption and 370 W of PoE power
- 550 W when RPS is not connected, with 180 W of system power consumption and 370 W of PoE power; 920 W when RPS is connected, with 180 W of system power consumption and 740 W of PoE power
- 62 W
- 110 W
Operating temperature: 0°C to 45°C (32°F to 113°F)
Relative humidity (noncondensing): 10% to 90%

Table 1-2 Correspondence between Combo SFP ports and electrical ports

Columns: Model; Combo SFP port; Corresponding electrical port
Model: S C-EI, S C-PWR-EI, S P-EI
Model: S C-EI, S C-PWR-EI

Model: S P-EI

Note: A Combo port and its corresponding 10/100/1000Base-T autosensing Ethernet port cannot be used at the same time.

1.3 Service Features

The S5120-EI series feature the following advantages:

Table 1-3 Service features of the S5120-EI series

Model columns, in order: S C-EI; S C-EI; S C-PWR-EI; S C-PWR-EI; S P-EI; S P-EI

Wire speed L2 switching:
- Switching capacity (full duplex): 128 Gbps; 176 Gbps; 128 Gbps; 176 Gbps; 48 Gbps; 96 Gbps
- Packet forwarding rate: 95.2 Mpps; Mpps; 95.2 Mpps; Mpps; 35.7 Mpps; 71.4 Mpps
Power over Ethernet: Not supported; Supported; Not supported
Link aggregation:
- Aggregation of GE ports
- Aggregation of 10GE ports (not supported by S P-EI and S P-EI)
- Dynamic link aggregation
- Static link aggregation
- Supports up to 128 aggregation groups, each supporting up to eight GE ports or four 10GE ports

Flow control: IEEE 802.3x flow control and back pressure
Jumbo Frame: Supports maximum frame size of 9 KB
MAC address table:
- 16K MAC addresses
- 1024 static MAC addresses
- Blackhole MAC addresses
- MAC address learning limit on a port
VLAN:
- Port-based VLANs (4,094 VLANs)
- QinQ and selective QinQ
- Voice VLAN
- Protocol-based VLANs
- GVRP
- MAC-based VLANs
- IP subnet-based VLANs
ARP:
- 256 entries
- 256 static entries
- Gratuitous ARP
- Standard proxy ARP and local proxy ARP
- ARP Detection
ND:
- 256 entries
- 256 static entries
VLAN virtual interface: 8
DHCP:
- DHCP Client
- DHCP Snooping
- DHCP Relay
UDP Helper: UDP Helper
DNS:
- Dynamic domain name resolution
- Dynamic domain name resolution client
- IPv4/IPv6 addresses
IPv4 route: 32 static routes
IPv6 route: 32 static routes

IPv4 multicast:
- IGMP (Internet Group Management Protocol) Snooping v1/v2/v3
- Multicast VLAN
- 1024 multicast groups
- Unknown multicast packets dropping
IPv6 multicast:
- MLD Snooping v1/v2
- IPv6 multicast VLAN
- 1024 multicast groups
Broadcast/multicast/unicast storm control:
- Storm control based on port rate percentage
- PPS-based storm control
MSTP:
- MSTP protocol
- 16 instances
- STP Root Guard
- BPDU Guard
RRPP:
- RRPP protocol
- Multi-instance RRPP
Smart link: Up to 26 groups supported
Monitor link: Supported
QoS/ACL:
- Restriction of the rates at which a port sends and receives packets, with a granularity of 64 kbps
- Packet redirection
- Committed access rate (CAR), with a traffic limit granularity of 64 kbps
- Eight output queues for each port
- Flexible queue scheduling algorithms based on port and queue, including strict priority (SP), weighted round robin (WRR), and SP + WRR
- Remarking of 802.1p and DSCP priorities
- Packet filtering at L2 (Layer 2) through L4 (Layer 4); flow classification based on source MAC address, destination MAC address, source IP (IPv4/IPv6) address, destination IP (IPv4/IPv6) address, port, protocol, and VLAN
- Time range
Mirroring:
- Traffic mirroring
- Port mirroring
Remote mirroring: Remote port mirroring

Security:
- Hierarchical management and password protection of users
- AAA authentication
- RADIUS authentication
- HWTACACS+
- SSH 2.0
- Port isolation
- Port security
- Centralized MAC address authentication
- IP-MAC-port binding
- IP Source Guard
- HTTPS
- SSL
- PKI (Public Key Infrastructure)
- EAD
802.1X:
- Up to 1,024 users
- Port-based and MAC address based authentication
- Guest VLAN
- Trunk port authentication
- Dynamic assignment of QoS/ACL/VLAN based on 802.1X
Loading and upgrading:
- Loading and upgrading through XModem protocol
- Loading and upgrading through FTP
- Loading and upgrading through the trivial file transfer protocol (TFTP)
Management:
- Configuration through CLI
- Remote configuration through Telnet
- Configuration through Console port
- Simple network management protocol (SNMP)
- Remote monitoring (RMON) alarm, event and history recording
- imc NMS
- Web-based network management
- System log
- Hierarchical alarms
- Huawei group management protocol (HGMP) V2
- NTP
- Power supply alarm function
- Fan and temperature alarms
- IRF (supported only by S5120-C-EI series switches)

Maintenance:
- Debugging information output
- Ping and Tracert
- NQA
- Track
- Remote maintenance through Telnet
- Virtual cable test
- 802.1ag
- 802.3ah
- DLDP

Chapter 2 Hardware Description

2.1 S C-EI Ethernet Switch

Appearance

The S C-EI Ethernet switch provides 24 x 10/100/1000BASE-T Ethernet ports, four Gigabit SFP Combo ports and one console port on the front panel, and an AC power input, an RPS input, and two extension slots on the rear panel. The following figure describes the appearance of the S C-EI Ethernet switch.

Figure 2-1 Appearance of S C-EI Ethernet switch

Note: A Combo port is defined as follows: an SFP Combo electrical port and its corresponding 10/100/1000BASE-T Ethernet port logically provide optoelectronic multiplexing function. Users can select either to meet the networking requirement, but the two ports cannot work at the same time.

Front Panel

(1): 10/100/1000 Base-T auto-sensing Ethernet port
(2): 10/100/1000 Base-T auto-sensing Ethernet port status LED
(3): 1000 Base-X SFP port
(4): 1000Base-X SFP port status LED
(5): Console port
(6): Seven-segment LED
(7): Port mode LED (Mode)
(8): System LED (PWR)
(9): RPS status LED (RPS)
(10): Interface module 1 status LED (MOD1)
(11): Interface module 2 status LED (MOD2)
(12): Port status LED mode switching button

Figure 2-2 Front panel of S C-EI Ethernet switch

Rear Panel

(1): AC power input
(2): RPS power input (shipped with a filler panel)
(3): Grounding screw
(4): Interface module slot 1 (MOD1)
(5): Interface module slot 2 (MOD2)

Figure 2-3 Rear panel of S C-EI Ethernet switch

Power Supply System

The S C-EI Ethernet switch supports AC input and RPS 12 V input. It can use both AC and DC inputs at the same time (one as backup for the other) or AC power input alone. For RPS DC input, use only the RPS power supply recommended by H3C.

AC input:
- Rated voltage: 100 VAC to 240 VAC, 50 Hz or 60 Hz
- Input voltage: 90 VAC to 264 VAC, 47 Hz to 63 Hz
RPS (DC) input:
- Rated voltage: 10.8 V to 13.2 V

Cooling System

The S C-EI Ethernet switch provides four fans for heat dissipation.

Description of S C-EI LEDs

The LEDs on the front panels of the S C-EI switches can help you monitor the running status of the switches. Table 2-1 describes the LEDs. You can use the Mode button on the panel to switch the LED display mode between rate mode and duplex mode.

Table 2-1 Description of S C-EI LEDs

Mode LED (mark: Mode)
- Rate mode: Green, ON. The port LED is indicating rate mode.
- Duplex mode: Yellow, ON. The port LED is indicating duplex mode.

Power LED (mark: PWR)
- Green, ON: The switch has been normally started.
- Green, blinking (1 Hz): The system is performing POST.
- Red, ON: POST fails because a fault occurs.
- Yellow, blinking (1 Hz): Some ports fail in POST because the function fails.
- OFF: The switch has been powered off.

DC power LED (mark: RPS)
- Green, ON: The AC input is normal, and the RPS is in the position or works normally.
- Yellow, ON: RPS input is normal, but AC input fails or AC input is not connected.
- OFF: RPS is not connected.

Module LED (mark: Module (MOD))
- Green, ON: The module is in position and working normally.
- Yellow, blinking: Not supported or the module fails.
- OFF: This module is not installed.

Seven-segment nixie display (mark: Unit)
- In POST: The power LED is green and blinking. The nixie display indicates the number of the ongoing self test item.
- POST has failed: The power LED is red and blinking. The nixie display indicates the number of the self test item failed in POST.
- Loading software: The power LED is green and blinking. The short bars are lit up one by one clockwise while the software is being loaded.
- Fan failure: The power LED is red and on. The nixie display shows an F.
- Over-temperature alarm: The power LED is red and on. The nixie display shows a t.
- Status of the switch in a cluster or its member ID in an IRF stack: The power LED is solid green. If no stack ports are configured and the cluster feature is enabled, the LED displays status of the switch in a cluster; otherwise, the LED displays the member ID of the switch in a stack. The status of a switch in a cluster can be one of the following: C (upper case) for a command switch, S for a member switch, c (lower case) for a candidate switch. The following are member IDs that can be displayed:

10/100/1000BASE-T port LED
- Rate mode:
  - Green: The port is blinking when it is receiving or sending data at 1,000 M.
  - Yellow: The port is blinking when it is receiving or sending data at 10/100 M.
  - Yellow, blinking (3 Hz): Port POST has failed.
  - OFF: The port is not connected.
- Duplex mode:
  - Green: The port is blinking when it is receiving or sending data in the full duplex mode.
  - Yellow: The port is blinking when it is receiving or sending data in the half duplex mode.
  - Yellow, blinking (3 Hz): Port POST has failed.
  - OFF: The port is not connected.

1000Base SFP port LED
- Rate mode:
  - Green: The port is blinking when it is receiving or sending data at 1,000 M.
  - Yellow, blinking (3 Hz): Port POST has failed.
  - OFF: The port is not connected.
- Duplex mode:
  - Green: The port is blinking when it is receiving or sending data in the full duplex mode.
  - Yellow, blinking (3 Hz): Port POST has failed.
  - OFF: The port is not connected.

Description of Ports

I. Console ports

The S5120-EI series switches provide a console port that satisfies the EIA/TIA-232 asynchronous specification. Through the console port, you can perform local or remote configuration.

Table 2-2 Attributes of the console port

Connector: RJ-45
Interface standard: EIA/TIA-232
Baud rate: bps (default)
Supported services:
- Connection with a character terminal
- Connection with a serial port of a local terminal (it can be a PC) or a remote terminal (it needs a pair of modems), which runs a terminal simulator

II. Attributes of Gigabit Ethernet ports

Table 2-3 Attributes of Gigabit Ethernet ports

Connector: RJ-45
Number of ports: 24/48
Port specifications:
- 10 M, half duplex/full duplex
- 100 M, half duplex/full duplex
- 1,000 M, full duplex
- MDI/MDI-X autosensing
Standard: IEEE 802.3i, IEEE 802.3u, IEEE 802.3ab
Medium and transmission distance: Category-5 unshielded twisted pairs. The maximum transmission distance is 100 m (328.1 ft).

III. Attributes of Gigabit SFP Combo ports

The S5120-EI series provide four SFP Combo ports on the front panel. You can configure the number of ports or port types freely. Hot swapping and flexible configuration increase networking flexibility. You can select the SFP modules in Table 6-2 based on your requirements.

Note: The types of the Gigabit SFP modules may change. If you need accurate module type information, please consult H3C marketing engineers or technical support engineers.

2.2 S C-EI Ethernet Switch

Appearance

An S C-EI Ethernet switch provides 48 x 10/100/1000BASE-T Ethernet ports, four Gigabit SFP Combo ports and one console port on the front panel, and an AC power input, an RPS input, and two extension slots on the rear panel. The following figure describes the appearance of the S C-EI Ethernet switch.

Figure 2-4 Appearance of S C-EI Ethernet switch

Front Panel

(1): 10/100/1000 Base-T auto-sensing Ethernet port
(2): 10/100/1000 Base-T auto-sensing Ethernet port status LED
(3): Console port
(4): Seven-segment LED
(5): Port mode LED (Mode)
(6): System LED (PWR)
(7): RPS status LED (RPS)
(8): Interface module 1 status LED (MOD1)
(9): Interface module 2 status LED (MOD2)
(10): Port status LED mode switching button
(11): 1000 Base-X SFP port
(12): 1000Base-X SFP port status LED

Figure 2-5 Front panel of S C-EI Ethernet switch

Rear Panel

(1): AC power input
(2): RPS power input (shipped with a filler panel)
(3): Grounding screw
(4): Interface module slot 1 (MOD1)
(5): Interface module slot 2 (MOD2)

Figure 2-6 Rear panel of S C-EI Ethernet switch

Power Supply System

The S C-EI Ethernet switch supports AC and RPS 12 V inputs. It can use both AC and DC inputs at the same time (one as backup for the other) or AC power input alone. For RPS DC input, use only the RPS power supply recommended by H3C.

AC input:
- Rated voltage: 100 VAC to 240 VAC, 50 Hz or 60 Hz
- Input voltage: 90 VAC to 264 VAC, 47 Hz to 63 Hz
RPS (DC) input:
- Rated voltage: 10.8 V to 13.2 V

Cooling System

The S C-EI Ethernet switch provides four fans for heat dissipation.

Description of S C-EI LEDs

LED description of S C-EI and S C-EI is the same. See Table

Description of Ports

For port description of the S5120-EI series, see Description of Ports.

2.3 S C-PWR-EI Ethernet Switch

Appearance

The S C-PWR-EI Ethernet switch provides 24 x 10/100/1000BASE-T Ethernet ports, four Gigabit SFP Combo ports and one console port on the front panel, and an AC power input, an RPS input, and two extension slots on the rear panel. The following figure describes the appearance of the S C-PWR-EI Ethernet switch.

Figure 2-7 Appearance of S C-PWR-EI Ethernet switch

Front Panel

(1): 10/100/1000 Base-T auto-sensing Ethernet port
(2): 10/100/1000 Base-T auto-sensing Ethernet port status LED
(3): 1000 Base-X SFP port
(4): 1000Base-X SFP port status LED
(5): Console port
(6): Seven-segment LED
(7): Port mode LED (Mode)
(8): System LED (PWR)
(9): RPS status LED (RPS)
(10): Interface module 1 status LED (MOD1)
(11): Interface module 2 status LED (MOD2)
(12): Port status LED mode switching button

Figure 2-8 Front panel of S C-PWR-EI Ethernet switch

Rear Panel

(1): RPS power input
(2): AC power input
(3): Grounding screw
(4): Interface module slot 1 (MOD1)
(5): Interface module slot 2 (MOD2)

Figure 2-9 Rear panel of S C-PWR-EI Ethernet switch

Power Supply System

The S C-PWR-EI Ethernet switch supports the use of both AC and DC inputs (one as backup for the other) at the same time, and AC power input or DC power input alone.

AC input:
- Rated voltage: 100 VAC to 240 VAC, 50 Hz or 60 Hz
- Input voltage: 90 VAC to 264 VAC, 47 Hz to 63 Hz

The S C-PWR-EI switch can use only the PoE external power supply recommended by H3C as the AC power supply. Do not use 48 VAC power in the equipment room; otherwise the switch may be damaged.

RPS DC input:
- Voltage range: -52 V to -55 V

Cooling System

The S C-PWR-EI Ethernet switch provides six fans for heat dissipation, and three of them are for power supply dissipation.

Description of S C-PWR-EI LEDs

The LEDs on the front panels of the S C-PWR-EI switches can help you monitor the running status of the switches. Table 2-4 describes the LEDs. You can use the Mode button on the panel to switch the LED display mode between rate mode, duplex mode and PoE mode.

Table 2-4 Description of S C-PWR-EI LEDs

Mode LED (mark: Mode)
- Rate mode: Green, ON. The port LED is indicating rate mode.
- Duplex mode: Yellow, ON. The port LED is indicating duplex mode.
- PoE mode: Green, blinking (1 Hz). The port LED is indicating PoE state.

Power LED (mark: PWR)
- Green, ON: The switch has been normally started.
- Green, blinking (1 Hz): The system is performing POST.
- Red, ON: POST fails and a fault occurs.

- Yellow, blinking (1 Hz): POST on some ports fails and the ports are not available.
- OFF: The switch has been powered off.

DC power LED (mark: RPS)
- Green, ON: Both AC and RPS inputs are normal.
- Yellow, ON: RPS input is normal, but AC input fails or AC input is not connected.
- OFF: RPS input is not normal.

Module LED (mark: Module (MOD))
- Green, ON: The module is in position and working normally.
- Yellow, blinking: Not supported or the module fails.
- OFF: This module is not installed.

Seven-segment nixie display (mark: Unit)
- In POST: The power LED is green and blinking. The nixie display indicates the number of the ongoing self test item.
- POST has failed: The power LED is red and blinking. The nixie display indicates the number of the self test item failed in POST.
- Loading software: The power LED is green and blinking. The short bars are lit up one by one clockwise while the software is being loaded.
- Fan failure: The power LED is red and on. The nixie display shows an F.
- Over-temperature alarm: The power LED is red and on. The nixie display shows a t.

- Status of the switch in a cluster or its member ID in an IRF stack: The power LED is solid green. If no stack ports are configured and the cluster feature is enabled, the LED displays status of the switch in a cluster; otherwise, the LED displays the member ID of the switch in a stack. The status of a switch in a cluster can be one of the following: C (upper case) for a command switch, S for a member switch, c (lower case) for a candidate switch. The following are member IDs that can be displayed:
- PoE mode: The power LED is green and on. The nixie displays the utilization rate of the power supply: %, 61-80%, 41-60%, 21-40%, 0-20%.

10/100/1000BASE-T port mode LED
- Rate mode:
  - Green: The port is blinking when it is receiving or sending data at 1,000 M.
  - Yellow: The port is blinking when it is receiving or sending data at 10/100 M.
  - Yellow, blinking (3 Hz): Port POST has failed.
  - OFF: The port is not connected.
- Duplex mode:
  - Green: The port is blinking when it is receiving or sending data in the full duplex mode.
  - Yellow: The port is blinking when it is receiving or sending data in the half duplex mode.
  - Yellow, blinking (3 Hz): Port POST has failed.
  - OFF: The port is not connected.

- PoE mode:
  - Green, ON: The port supplies power normally.
  - Green, blinking (1 Hz): The power consumption required by the external device exceeds the maximum power consumption that the port can provide. The total power consumption of the switch reaches the maximum power consumption. The port cannot provide power.
  - Yellow, ON: The device connected to the port is a non-PD device. This port cannot provide power to the connected device. PoE power supply fails. This port cannot provide power to the connected device.
  - Yellow, blinking (3 Hz): Port POST has failed.
  - OFF: The port does not supply power.

1000Base SFP port mode LED
- Rate mode/PoE mode:
  - Green: The port is blinking when it is receiving or sending data at 1,000 M.
  - Yellow, blinking (3 Hz): Port POST has failed.
  - OFF: The port is not connected.
- Duplex mode:
  - Green: The port is blinking when it is receiving or sending data in the full duplex mode.
  - Yellow, blinking (3 Hz): Port POST has failed.
  - OFF: The port is not connected.

Description of Ports

For port description of the S5120-EI series, see section Description of Ports.

2.4 S C-PWR-EI Ethernet Switch

Appearance

The S C-PWR-EI Ethernet switch provides 48 x 10/100/1000BASE-T Ethernet ports, four Gigabit SFP Combo ports and one console port on the front panel, and an AC power input, an RPS input, and two extension slots on the rear panel. The following figure describes the appearance of the S C-PWR-EI Ethernet switch.

Figure 2-10 Appearance of S C-PWR-EI Ethernet switch

Front Panel

(1): 10/100/1000 Base-T auto-sensing Ethernet port
(2): 10/100/1000 Base-T auto-sensing Ethernet port status LED
(3): Console port
(4): Seven-segment LED
(5): Port mode LED (Mode)
(6): System LED (PWR)
(7): RPS status LED (RPS)
(8): Interface module 1 status LED (MOD1)
(9): Interface module 2 status LED (MOD2)
(10): Port status LED mode switching button
(11): 1000 Base-X SFP port
(12): 1000Base-X SFP port status LED

Figure 2-11 Front panel of S C-PWR-EI Ethernet switch

Rear Panel

(1): RPS power input
(2): AC power input
(3): Grounding screw
(4): Interface module slot 1 (MOD1)
(5): Interface module slot 2 (MOD2)

Figure 2-12 Front panel of S C-PWR-EI Ethernet switch

Power Supply System

The S C-PWR-EI Ethernet switch supports the use of both AC and DC inputs (one as backup for the other) at the same time, and AC power input or DC power input alone.

AC input:
- Rated voltage: 100 VAC to 240 VAC, 50 Hz or 60 Hz
- Input voltage: 90 VAC to 264 VAC, 47 Hz to 63 Hz

The S C-PWR-EI switch can use only the PoE external power supply recommended by H3C as the AC power supply. Do not use 48 VAC power in the equipment room; otherwise the switch may be damaged.

RPS DC input:
- Voltage range: -52 V to -55 V

Cooling System

The S C-PWR-EI Ethernet switch provides six fans for heat dissipation, and three of them are for power supply dissipation.

Description of S C-PWR-EI LEDs

LED description of S C-PWR-EI and S C-PWR-EI is the same. See Table

Description of Ports

For port description of the S5120-EI series, see section Description of Ports.

2.5 S P-EI Ethernet Switch

Appearance

The S P-EI Ethernet switch provides 24 x 10/100/1000BASE-T Ethernet ports, four Gigabit SFP Combo ports and one console port on the front panel, and an AC power input and an RPS input. The following figure describes the appearance of the S P-EI Ethernet switch.

Figure 2-13 Appearance of S P-EI Ethernet switch

Note: A Combo port is defined as follows: an SFP Combo electrical port and its corresponding 10/100/1000BASE-T Ethernet port logically provide optoelectronic multiplexing function. Users can select either to meet the networking requirement, but the two ports cannot work at the same time.

Front Panel

(1): 10/100/1000 Base-T auto-sensing Ethernet port
(2): 10/100/1000 Base-T auto-sensing Ethernet port status LED
(3): 1000 Base-X SFP port
(4): 1000Base-X SFP port status LED
(5): Console port
(6): Seven-segment LED
(7): Port mode LED (Mode)
(8): System LED (PWR)
(9): RPS status LED (RPS)
(10): Port status LED mode switching button

Figure 2-14 Front panel of S P-EI Ethernet switch

Rear Panel

(1): AC power input
(2): RPS power input (shipped with a filler panel)
(3): Grounding screw
(4): DO NOT REMOVE label

Figure 2-15 Rear panel of S P-EI Ethernet switch

Power Supply System

The S P-EI Ethernet switch supports AC input and RPS 12 V input. It can use both AC and DC inputs at the same time (one as backup for the other) or AC power input alone. For RPS DC input, use only the RPS power supply recommended by H3C.

AC input:
- Rated voltage: 100 VAC to 240 VAC, 50 Hz or 60 Hz
- Input voltage: 90 VAC to 264 VAC, 47 Hz to 63 Hz
RPS (DC) input:
- Rated voltage: 10.8 V to 13.2 V

Cooling System

The S P-EI Ethernet switch provides four fans for heat dissipation.

Description of S P-EI LEDs

The LEDs on the front panels of the S P-EI switches can help you monitor the running status of the switches. Table 2-1 describes the LEDs. You can use the Mode button on the panel to switch the LED display mode between rate mode and duplex mode.

Table 2-5 Description of S P-EI LEDs

Mode LED (mark: Mode)
- Rate mode: Green, ON. The port LED is indicating rate mode.
- Duplex mode: Yellow, ON. The port LED is indicating duplex mode.

Power LED (mark: PWR)
- Green, ON: The switch has been normally started.
- Green, blinking (1 Hz): The system is performing POST.
- Red, ON: POST fails because a fault occurs.
- Yellow, blinking (1 Hz): Some ports fail in POST because the function fails.
- OFF: The switch has been powered off.

DC power LED (mark: RPS)
- Green, ON: The AC input is normal, and the RPS is in the position or works normally.
- Yellow, ON: RPS input is normal, but AC input fails or AC input is not connected.
- OFF: RPS is not connected.

Seven-segment nixie display (mark: Unit)
- In POST: The power LED is green and blinking. The nixie display indicates the number of the ongoing self test item.
- POST has failed: The power LED is red and blinking. The nixie display indicates the number of the self test item failed in POST.
- Loading software: The power LED is green and blinking. The short bars are lit up one by one clockwise while the software is being loaded.
- Fan failure: The power LED is red and on. The nixie display shows an F.
- Over-temperature alarm: The power LED is red and on. The nixie display shows a t.

- Cluster status: The power LED is green and on. Command switch, C is displayed. Member switch, S is displayed. Candidate switch, C is displayed. 1 is displayed if cluster is disabled.

10/100/1000BASE-T port LED
- Rate mode:
  - Green: The port is blinking when it is receiving or sending data at 1,000 M.
  - Yellow: The port is blinking when it is receiving or sending data at 10/100 M.
  - Yellow, blinking (3 Hz): Port POST has failed.
  - OFF: The port is not connected.
- Duplex mode:
  - Green: The port is blinking when it is receiving or sending data in the full duplex mode.
  - Yellow: The port is blinking when it is receiving or sending data in the half duplex mode.
  - Yellow, blinking (3 Hz): Port POST has failed.
  - OFF: The port is not connected.

1000Base SFP port LED
- Rate mode:
  - Green: The port is blinking when it is receiving or sending data at 1,000 M.
  - Yellow, blinking (3 Hz): Port POST has failed.
  - OFF: The port is not connected.
- Duplex mode:
  - Green: The port is blinking when it is receiving or sending data in the full duplex mode.
  - Yellow, blinking (3 Hz): Port POST has failed.

  OFF: The port is not connected

Description of Ports

For port description of the S5120-EI series, see Description of Ports.

2.6 S P-EI Ethernet Switch

Appearance

An S P-EI Ethernet switch provides 48 x 10/100/1000BASE-T Ethernet ports, four Gigabit SFP Combo ports and one console port on the front panel, and an AC power input, an RPS input. The following figure describes the appearance of the S P-EI Ethernet switch.

Figure 2-16 Appearance of S P-EI Ethernet switch

Front Panel

(1): 10/100/1000 Base-T auto-sensing Ethernet port
(2): 10/100/1000 Base-T auto-sensing Ethernet port status LED
(3): Console port
(4): Seven-segment LED
(5): Port mode LED (Mode)
(6): System LED (PWR)
(7): RPS status LED (RPS)
(8): Port status LED mode switching button
(9): 1000 Base-X SFP port
(10): 1000Base-X SFP port status LED

Figure 2-17 Front panel of S P-EI Ethernet switch

Rear Panel

(1): AC power input
(2): RPS power input (shipped with a filler panel)
(3): Grounding screw
(4): DO NOT REMOVE label

Figure 2-18 Rear panel of S P-EI Ethernet switch

Power Supply System

S P-EI Ethernet switch supports the use of AC and RPS 12 V inputs, the use of both AC and DC inputs (one as backup for the other) at the same time and AC power input alone. RPS DC input can use the RPS power supply recommended by H3C only.

AC input:
  Rated voltage: 100 VAC to 240 VAC, 50 Hz or 60 Hz
  Input voltage: 90 VAC to 264 VAC, 47 Hz to 63 Hz
RPS (DC) input:
  Rated voltage: 10.8 V to 13.2 V

Cooling System

S P-EI Ethernet switch provides four fans for heat dissipation.

Description of S P-EI LEDs

LED description of S P-EI and S P-EI is the same. See Table

Description of Ports

For port description of the S5120-EI series, see Description of Ports.

2.7 Optional Interface Modules

S C-EI/S C-EI/S C-PWR-EI/S C-PWR-EI switch provides two extension module slots on the rear panel. You can select the following interface modules:
One-port 10 GE XFP interface module
Dual-port 10 GE XFP interface module

Short-haul dual-port 10GE CX4 interface module
Dual-port 10 GE SFP+ interface module

One-port 10 Gbps XFP Module

Figure 2-19 Front view of a one-port 10GE XFP module

This module can provide one 10GE XFP optical interface. You can select the XFP optical modules in Table 6-3 based on your requirements.

Note: The type of XFP modules may be updated as time goes by. For updated module types, consult marketing or technical support personnel of H3C.

Dual-port 10GE XFP Module

Figure 2-20 Front view of dual-port 10GE XFP module

This module can provide two 10 Gbps XFP optical interfaces. You can select the XFP optical modules in Table 6-3 based on your requirements.

Note: The type of XFP modules may be updated as time goes by. For updated module types, consult marketing or technical support personnel of H3C.

Dual-port 10GE CX4 Module for Short Haul

Figure 2-21 Dual-port 10GE CX4 module for short haul

This module provides two 10GE electrical interfaces. It supports CX4 electrical standards and protocols. The maximum transmission distance is 3 meters (9.8 ft). Use CX4 cables dedicated for H3C devices to interconnect devices.

Note: You can use only a dedicated CX4 cable to connect the port on the CX4 extension module and another CX4 port. For the dedicated CX4 cable, see section 2.8 "CX4 Cable".

Dual-port 10 GE SFP+ Interface Module

Figure 2-22 Dual-port 10 GE SFP+ interface module

This module provides two 10GE SFP+ ports. You can select the SFP+ transceivers or the SFP+ cables provided by H3C listed in Table

Note: The 10GE SFP+ ports do not support GE SFP transceivers. The type of SFP+ transceivers and SFP+ cables may be updated as time goes by. For updated module types, consult marketing or technical support personnel of H3C.

Description of Extension Module LEDs

There is a LED for each port on the extension module panel. Table 2-6 describes the LEDs.

Table 2-6 Description of extension module LEDs

Extension module LED (this LED is not affected by the mode button)
  Green: The port is normally connected. The port is blinking when it is receiving or sending data
  OFF: The port is not connected

2.8 CX4 Cable

You can use the CX4 cable to connect the CX4 port on the Dual-port 10GE CX4 Module to another CX4 port.

Figure 2-23 CX4 cable (labels: Handle, Connector 1, Connector 2)

The following four types of cables are available:
50 cm (19.7 in.): the connectors at both ends of the cable are bayonet connectors.
100 cm (39.4 in.): the connectors at both ends of the cable are bayonet connectors.
300 cm (118.1 in.): the connectors at both ends of the cable are bayonet connectors.

2.9 SFP+ Cable

You can use the SFP+ cable to connect the SFP+ port on the Dual-port 10 GE SFP+ interface module to another SFP+ port.

Figure 2-24 SFP+ Cable (labels: Handle, Connector 1, Connector 2)

The following four types of cables are available: 0.65 m (25.6 in.), 1.2 m (47.2 in.) and 3 m (118.1 in.). For details about these four types of SFP+ cables, please refer to Table 6-5 SFP+ transceivers and SFP+ cables supported by dual-port 10 GE SFP+ interface module.

Chapter 3 Software Features

3.1 Basic Features

Link Aggregation

The link aggregation function is used for the connection between Ethernet switches or between the switches and high-speed servers. It is a simple and cheap way to expand the bandwidth of a switch port and balance the traffic among all the ports in a link aggregation. Moreover, it enhances the connection reliability.

With link aggregation, several Ethernet ports on a switch are bundled together and are considered one logical port inside the switch. The switch automatically balances the traffic among the ports in the aggregation and increases the bandwidth of the ports. If the link on a port in the aggregation fails, the traffic on it is distributed among other ports without interrupting the normal service. After the port recovers, the traffic is automatically distributed again so that the port can share the load with others.

The S5120-EI series support static link aggregation and dynamic link aggregation.

Traffic Control

Traffic control is a congestion management mode of switches. S5120-EI Ethernet switches support full-duplex traffic control and half-duplex back pressure traffic control. 10-GE uplink interfaces support received pause frames only. In the half-duplex traffic control mode, the switch performs traffic control by sending Jam signals to the peer end.

DLDP

A special phenomenon, unidirectional links, may occur in actual networking. When a unidirectional link occurs, the local device can receive packets from the peer device through the link layer, but the peer device cannot receive packets from the local device. Unidirectional links may cause a series of problems, such as spanning-tree topology loop.

The device link detection protocol (DLDP) can monitor the link status of fiber or copper twisted pairs (such as Enhanced Cat-5 twisted pairs). Based on the configuration, DLDP automatically closes, or notifies the user to close manually, the corresponding ports when it finds any unidirectional link, so as to prevent network problems. DLDP has the following features:

As a link layer protocol, it works in cooperation with physical layer protocols to supervise the link status of devices. The auto-negotiation mechanism of the physical layer detects physical signals and faults, while DLDP identifies the peer device and unidirectional links, and closes unreachable ports.
When the auto-negotiation mechanism and DLDP are enabled, they work together to detect and disable physical and logical unidirectional links, and to prevent the failure of other protocols such as STP.
If links of both ends function independently and normally at the physical layer, DLDP will check whether these links are correctly connected at the link layer and whether packets can be normally exchanged between both ends. This kind of detection cannot be achieved through the auto-negotiation mechanism.

Broadcast Storm Control

The broadcast storm control function suppresses the propagation of unknown unicast packets, multicast packets, and broadcast packets in a network, thus limiting their impact on the operating efficiency of the network.

For the S5120-EI series, the broadcast storm control function is configured on ports. After storm control is enabled on a port, you can monitor the unknown unicast traffic, multicast traffic, and the broadcast traffic received on it. When the traffic exceeds the specified bandwidth limit, the switch drops the excessive traffic to reduce the traffic ratio to a rational range, so as to guarantee the normal operation of network services. The S5120-EI series can implement both broadcast storm control based on port rate percentage and broadcast storm control based on pps.

VLAN

Virtual local area network (VLAN) is a technology that implements virtual workgroups by assigning the devices in a LAN into network segments logically rather than physically. VLAN standard is described in IEEE 802.1Q protocol standard, which is issued in You can use VLAN to divide a LAN into multiple broadcast domains known as virtual LANs, namely, VLANs, the computers in each of which are correlated in a certain way. As VLANs are implemented logically rather than physically, the computers in the same VLAN do not necessarily reside on the same physical LAN segment; instead, they can belong to different physical LAN network segments.

On a switch, the following types of VLAN are supported.
Port-based VLAN
MAC-based VLAN
Protocol-based VLAN
IP multicast-based VLAN (In this case, a multicast group forms a VLAN.)

Network layer-based VLAN (In this case, VLANs are created based on the network layer addresses of the hosts.)

VLAN offers the benefit that the broadcast and unicast traffic inside a VLAN are not forwarded to other VLANs, thereby helping implement network traffic control, save equipment investment, streamline network management, and enhance network security.

The H3C S5120-EI series support the following types of VLAN.

I. Port-based VLAN

In a port-based VLAN, VLAN members are defined based on the Ethernet switch ports. You can add specific ports to the same VLAN, through which the hosts connecting to these ports can communicate with each other. This is the simplest way of creating a VLAN. An S5120-EI Ethernet switch supports up to 4,094 port-based VLANs.

II. Protocol-based VLAN

VLANs can be divided based on protocol. With this type of VLAN configured, a switch inserts tags into the untagged packets it receives according to the protocols the packets belong to, so that the packets are forwarded in the corresponding VLANs. Protocol-based VLANs are usually bound to specific services for ease of management and maintenance.

III. MAC-based VLAN

1) Overview

MAC-based VLANs group VLAN members by MAC address. They only apply to untagged frames. When receiving an untagged frame, the device looks up the list of MAC-to-VLAN mappings based on the MAC address of the frame for a match. If a match is found, the system forwards the frame in the corresponding VLAN. If no match is found, the system looks up other types of VLANs to make the forwarding decision. MAC-based VLANs are mostly used in conjunction with security technologies such as 802.1X to provide secure, flexible network access for terminal devices.

2) Approaches to Creating MAC Address-to-VLAN Mappings

In addition to creating MAC address-to-VLAN mappings at the CLI, you can use an authentication server to automatically issue MAC address-to-VLAN mappings.

Manual static configuration (through CLI): You can associate MAC addresses with VLANs by using corresponding commands.
Automatic configuration through the authentication server (that is, VLAN issuing): The device associates MAC addresses with VLANs dynamically based on the information provided by the authentication server. If a user goes offline, the corresponding MAC address-to-VLAN association is removed automatically. Automatic configuration requires that MAC address-to-VLAN mappings be configured on the authentication server. For detailed information, refer to 802.1X Configuration in the Security Volume.

The two configuration approaches can be used at the same time, that is, you can configure a MAC address-to-VLAN entry on both the local device and the authentication server at the same time. Note that the MAC address-to-VLAN entry configuration takes effect only when the configuration on the local device is consistent with that on the authentication server. Otherwise, the previous configuration takes effect.

The S5120-EI supports 1024 VLANs based on MAC addresses without masks globally.

IV. IP subnet-based VLAN

In this approach, packets are assigned to VLANs based on their source IP addresses and subnet masks. A port configured with IP subnet-based VLANs assigns a received untagged packet to a VLAN based on the source address of the packet. This feature is used to assign packets from the specified network segment or IP address to a specific VLAN. One VLAN supports 12 network segments for the S5120-EI.

GARP/GVRP

I. GARP

Generic attribute registration protocol (GARP) provides a means of distributing, propagating, and registering a specific type of information (such as VLAN and multicast group address) among the members inside the same switched network.

A GARP member can be a workstation or a switch. GARP members communicate with each other by exchanging their messages. By exchanging messages, all the member switches on a switching network get all the attribute information to be registered.

GARP enables the configuration information of a GARP member to be propagated throughout the entire switched network. A GARP member triggers other GARP members, through declaration/declaration cancellation messages, to register/deregister its attribute information. It also registers/deregisters the attribute information of other GARP members in response to their declaration/declaration cancellation messages.

GARP by itself does not exist on the routing switch as an entity. It takes the form of GARP application, which is implemented on entities adopting GARP. Commonly used GARP applications are GVRP (GARP VLAN registration protocol) and GMRP (generic multicast registration protocol). The PDUs (protocol data units) of different GARP applications (GVRP and GMRP for example) carry the MAC addresses peculiar to the applications, according to which a routing switch with GARP employed can recognize the received GARP packets and pass them to the corresponding GARP applications for processing.

II. GVRP

GVRP is a GARP application that maintains VLAN dynamic registration information in a routing switch and transmits the information to other routing switches, based on the operating mechanism of GARP.

A routing switch with GVRP employed receives VLAN registration information from other routing switches and dynamically updates the local VLAN registration information, including current VLAN members and the ports through which these VLAN members can be reached, etc. Moreover, in a switched network, all the routing switches with GVRP employed transmit the local VLAN registration information to other routing switches, thus keeping the VLAN information maintained by them consistent. VLAN registration information transmitted by these routing switches includes both the static registration information manually configured locally and the dynamic registration information from other routing switches.

QinQ

I. QinQ characteristics

QinQ enables packets to traverse the backbone network (public network) of the operator with two layers of VLAN tags, where the VLAN tag of the customer network is encapsulated in the VLAN tag of the public network. In the public network, packets are forwarded based on the outer VLAN tag (that is, the public network VLAN tag) only, while the customer network VLAN tag is shielded.

Compared with MPLS-based L2 VPN, QinQ has the following features:
It provides simpler L2 VPN tunnels.
It can be implemented through full-static configuration, without the need of a signaling protocol.

QinQ mainly provides the following benefits:
Saving public network VLAN IDs
Enabling private network VLAN IDs that do not conflict with those of the public network
Providing small-sized MANs or intranets with simpler L2 VPN solutions

II. BPDU Tunnel

As a Layer 2 tunneling technology, BPDU tunneling enables Layer 2 protocol packets from geographically dispersed customer networks to be transparently transmitted over specific channels across a service provider network.

Customers usually use dedicated lines in a service provider network to build their own Layer 2 networks. As a result, very often, a customer network is broken down into parts located at different sides of the service provider network. As shown in Figure 3-1, User A has two devices: CE 1 and CE 2, both of which belong to VLAN 100. User A's network is divided into network 1 and network 2, which are connected by the service provider network. When Layer 2 protocol packets cannot be transparently transmitted in the service provider network, User A's network cannot implement independent Layer 2 protocol calculation (for example, STP spanning tree calculation). In this case, the Layer 2 protocol calculation in User A's network is mixed with that in the service provider network.

Figure 3-1 BPDU tunneling application scenario (PE 1 and PE 2 in the ISP network; CE 1 in User A network 1, VLAN 100; CE 2 in User A network 2, VLAN 100)

With BPDU tunneling, Layer 2 protocol packets from customer networks can be transparently transmitted in the service provider network:

1) After receiving a Layer 2 protocol packet from User A network 1, PE 1 in the service provider network encapsulates the packet, replaces its destination MAC address with a specific multicast MAC address, and then forwards the packet in the service provider network;
2) The encapsulated Layer 2 protocol packet (called bridge protocol data unit, BPDU) is forwarded to PE 2 at the other end of the service provider network, which decapsulates the packet, restores the original destination MAC address of the packet, and then sends the packet to User A network 2.

On the S5120-EI series switches, BPDU tunneling may support the transparent transmission of these types of Layer 2 protocol packets:
Cisco Discovery Protocol (CDP)
Device Link Detection Protocol (DLDP)
Ethernet Operation, Administration and Maintenance (EOAM)
GARP VLAN Registration Protocol (GVRP)
HW Group Management Protocol (HGMP)

Link Aggregation Control Protocol (LACP)
Link Layer Discovery Protocol (LLDP)
Port Aggregation Protocol (PAGP)
Per VLAN Spanning Tree (PVST)
Spanning tree protocol (STP)
Uni-directional Link Detection (UDLD)
VLAN Trunking Protocol (VTP)

3.2 Network Protocol Features

ARP

Address resolution protocol (ARP) dynamically maps IP addresses to specific MAC addresses. Upon being enabled, ARP carries out the address resolution without manual intervention.

The S5120-EI series switches support the following extended ARP and attack defense implementations:

I. Gratuitous ARP

Gratuitous ARP enables a device to test whether or not IP address conflicts exist between itself and other devices in the network by sending ARP requests. Since both the source and destination IP addresses of a gratuitous ARP request packet are set to the local IP address, an IP address conflict exists if a host responds to the ARP request.

A gratuitous ARP request is also used to update the corresponding MAC address entries maintained by other devices. A switch updates the corresponding MAC address entry if the IP address contained in a received ARP request packet matches the MAC address entry. As an ARP request packet is broadcast across the network, all the MAC address entries matching the ARP request packet are updated.

II. Proxy ARP

The S5120-EI series support the following two types of proxy ARP: standard proxy ARP and local proxy ARP.

Standard proxy ARP conforms to the related protocol; it responds to ARP requests sourced from other network segments. As shown in Figure 3-2, Host A and Host B are of different network segments connected to an S5120-EI Ethernet switch. Although the gateways configured for Host A and Host B are of different network segments, their IP addresses indicate that they are of the same network segment. Normally, ARP requests sourced from Host A and destined for Host B, which are inter-network segment, are dropped in this case. With standard proxy ARP enabled, the S5120-EI Ethernet switch looks up the route in the routing table upon receiving an ARP request packet and sends its MAC address to the ARP request sender if the route exists. The ARP request sender then sends another packet to the switch, with the address contained in the route as the destination address. The switch in turn forwards the packet.

Figure 3-2 A standard proxy ARP implementation (Switch with Vlan-int1 and Vlan-int2 gateway interfaces, /24; Host A and Host B, /16)

Local proxy ARP only responds to ARP requests on the same network segment. As for the S5120-EI series switches, local proxy ARP is mainly employed on port isolation-enabled ports to allow Layer 3 communication between isolated users.

Figure 3-3 A local ARP proxy implementation (Switch with Vlan-int1 gateway interface, /24; Host A on GE1/0/1 and Host B on GE1/0/2, /24, port isolate)

As shown in Figure 3-3, port isolation is enabled on the S5120-EI Ethernet switch; therefore, ARP packets cannot be forwarded between downlink ports. If the switch also has local proxy ARP enabled and receives an ARP request sourced from Host A and destined for Host B, the switch looks up the route in the routing table and sends its MAC address to the ARP request sender if the route exists. The ARP request sender then sends the packet to the switch, with the address contained in the route as the destination address. The switch in turn forwards the packet.

III. ARP Attack Defense

ARP attacks and viruses are threatening LAN security. H3C S5120-EI Series Ethernet Switches can provide multiple features to detect and prevent such attacks.

1) ARP Source Suppression

If a device receives large numbers of IP packets from a host to unreachable destinations:
The device sends large numbers of ARP requests to the destination subnets, which increases the load of the destination subnets.
The device continuously resolves destination IP addresses, which increases the load of the CPU.

To protect the device from such attacks, you can enable the ARP source suppression function. With the function enabled, whenever the number of packets with unresolvable destination IP addresses from a host within five seconds exceeds a specified threshold, the device suppresses the sending host from triggering any ARP requests within the following five seconds.

2) Source MAC Address Based ARP Attack Detection

This feature allows the device to check the source MAC address of ARP packets that are delivered to the CPU. If the number of ARP packets sent from a MAC address within five seconds exceeds the specified value, the device considers this an attack.

3) ARP Detection

In normal cases, a Layer 2 access device broadcasts an ARP request within a VLAN, and forwards ARP responses at Layer 2. If an attacker sends an ARP request with the source being the IP address of another client, the corresponding ARP entry maintained by the gateway or other clients is modified. Consequently, the attacker will receive the packets sent to the client.

The ARP detection feature allows only the ARP packets of legal clients to be forwarded. ARP Detection consists of two functions: user validity check and ARP packet validity check.

User validity check: With this feature enabled, the device compares the source IP and MAC addresses of an ARP packet received from the VLAN against the DHCP snooping entries, 802.1x security entries, or static IP-to-MAC binding entries.
ARP packet validity check: With this feature enabled, the device filters out invalid ARP packets received on ARP untrusted ports. You can base ARP packet validity check on the source MAC address, destination MAC address or IP address. ARP packet validity check does not apply to packets received on ARP trusted ports.

4) ARP packet rate limit
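
The user validity check and the source-MAC-based detection described above can be modelled offline to see which packets each one catches. The following is an added example, not H3C code: the class and function names, the sliding-window counting, and the sample bindings and packets are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 5.0  # the five-second counting window the text describes


@dataclass(frozen=True)
class ArpPacket:
    ts: float        # arrival time in seconds
    vlan: int        # VLAN the packet was received in
    sender_mac: str  # sender hardware address from the ARP payload
    sender_ip: str   # sender protocol address from the ARP payload


class ArpInspector:
    """User validity check, then source-MAC based attack detection."""

    def __init__(self, bindings, mac_threshold):
        # bindings maps (vlan, ip) -> mac and stands in for DHCP snooping
        # entries, 802.1x security entries or static IP-to-MAC bindings.
        self.bindings = {key: mac.lower() for key, mac in bindings.items()}
        self.mac_threshold = mac_threshold
        self._arrivals = defaultdict(deque)  # sender MAC -> recent timestamps

    def user_is_valid(self, pkt):
        """True only if the sender IP is bound to this sender MAC in this VLAN."""
        bound = self.bindings.get((pkt.vlan, pkt.sender_ip))
        return bound == pkt.sender_mac.lower()

    def mac_rate_exceeded(self, pkt):
        """Count packets per source MAC over a sliding window (an assumption)."""
        window = self._arrivals[pkt.sender_mac.lower()]
        window.append(pkt.ts)
        while pkt.ts - window[0] >= WINDOW_SECONDS:
            window.popleft()
        return len(window) > self.mac_threshold

    def inspect(self, pkt):
        # Packets that fail the validity check are dropped before they are
        # counted, so only packets headed for the CPU feed the rate detector.
        if not self.user_is_valid(pkt):
            return "drop"
        if self.mac_rate_exceeded(pkt):
            return "alert"
        return "forward"


# Constructed sample data: two bound hosts in VLAN 100 and seven ARP packets.
GATEWAY = ("10.0.0.1", "02:00:00:00:00:01")
HOST = ("10.0.0.10", "02:00:00:00:00:10")
SAMPLE_BINDINGS = {(100, GATEWAY[0]): GATEWAY[1], (100, HOST[0]): HOST[1]}
SAMPLE_PACKETS = [
    ArpPacket(0.0, 100, HOST[1], HOST[0]),                  # legitimate host
    ArpPacket(0.5, 100, "02:00:00:00:00:66", GATEWAY[0]),   # claims the gateway IP
    ArpPacket(1.0, 100, "02:00:00:00:00:77", "10.0.0.77"),  # no binding at all
    ArpPacket(1.0, 100, HOST[1], HOST[0]),
    ArpPacket(1.5, 100, HOST[1], HOST[0]),
    ArpPacket(2.0, 100, HOST[1], HOST[0]),                  # fourth within 5 s
    ArpPacket(7.5, 100, HOST[1], HOST[0]),                  # window has expired
]


def run_demo(threshold=3):
    """Return one verdict per constructed sample packet, in order."""
    inspector = ArpInspector(SAMPLE_BINDINGS, threshold)
    return [inspector.inspect(pkt) for pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_demo()):
        print(f"{pkt.ts:4.1f}s {pkt.sender_mac} {pkt.sender_ip:<10} {verdict}")
```

The packet that claims the gateway address is rejected by the binding lookup alone, while the burst from a correctly bound host is only caught by the per-MAC counter, which is why the two checks complement each other.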

ARP packets that pass ARP detection are delivered to the CPU. This feature allows you to limit the rate of ARP packets to be sent to the CPU.

DHCP

I. DHCP Relay

A routing switch operating as a DHCP relay can relay messages between a DHCP server and a client, making it possible for a DHCP server in a subnet to provide DHCP service to the hosts in another subnet. With DHCP Relay, a network manager does not need to set up a DHCP server for every subnet, thereby reducing DHCP server costs.

II. DHCP Client

On a contemporary large-sized and complex network, some computers are mobile and the available IP addresses are far from adequate compared with the fast-growing number of computers. To address the issue, the dynamic host configuration protocol (DHCP) was introduced. DHCP works in the client/server model, where the DHCP client requests the DHCP server for configuration information dynamically, and upon the receipt of the request the DHCP server returns the configuration information (IP address for example) based on the adopted policy.

III. DHCP Snooping

The DHCP snooping function enables the acquisition of user IP addresses and MAC addresses by listening to DHCP broadcast packets. It can be used to improve network security and prevent unauthorized accesses. Additionally, with the DHCP snooping function employed, ports are classified into trusted ports and untrusted ports. Ports with DHCP servers attached are trusted ports, and those with hosts attached are untrusted ports. The DHCP_ACK and DHCP_OFFER packets received through untrusted ports are discarded, which prevents illegal DHCP servers from serving clients.

IV. DHCP option82

DHCP uses the option field in DHCP messages to carry control information and network configuration parameters, implementing dynamic address allocation and providing more network configuration information for clients.

Figure 3-4 shows the DHCP option format.

Option type | Option length | Value (variable)

Figure 3-4 DHCP option format

Option 82 is the relay agent option in the option field of the DHCP message. It records the location information of the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client's request, it adds Option 82 to the request message and sends it to the server.

The administrator can locate the DHCP client to further implement security control and accounting. The Option 82 supporting server can also use such information to define individual assignment policies of IP address and other parameters for the clients.

Option 82 involves at most 255 sub-options. At least one sub-option must be defined. Now the DHCP relay agent supports two sub-options: sub-option 1 (Circuit ID) and sub-option 2 (Remote ID).

Option 82 has no unified definition. Its padding formats vary with vendors.

You can use the following two methods to configure Option 82:
User-defined method: Manually specify the content of Option 82.
Non-user-defined method: Pad Option 82 in the default normal or verbose mode.

If you choose the second method, you can specify the padding format for the sub-options as ASCII or HEX.

2) Normal padding format

sub-option 1: Padded with the VLAN ID and number of the port that received the client's request. The following figure gives its format. The value of the sub-option type is 1, and that of the circuit ID type is 0.

Sub-option type (0x01) | Length (0x06) | Circuit ID type (0x00) | Length (0x04)
VLAN ID | Port number

Figure 3-5 Sub-option 1 in normal padding format

sub-option 2: Padded with the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device that received the client's request. The following figure gives its format. The value of the sub-option type is 2, and that of the remote ID type is 0.

Sub-option type (0x02) | Length (0x08) | Remote ID type (0x00) | Length (0x06)
MAC Address

Figure 3-6 Sub-option 2 in normal padding format

3) Verbose padding format:
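
The normal padding format in Figures 3-5 and 3-6 is regular enough to encode and to parse strictly, which matters when a server or log pipeline consumes Option 82 from untrusted segments. The following is an added example, not H3C code: the function names and sample values are constructed, and the 2-byte VLAN ID and 2-byte port number widths are an assumption inferred from the inner length 0x04.

```python
import struct

OPTION_82 = 82          # relay agent information option code
SUB_CIRCUIT_ID = 0x01   # sub-option 1 (Circuit ID)
SUB_REMOTE_ID = 0x02    # sub-option 2 (Remote ID)


class Option82Error(ValueError):
    """Raised when a field does not match the normal padding format."""


def build_normal(vlan_id, port_number, mac):
    """Encode Option 82 with sub-options 1 and 2 in normal padding format."""
    if len(mac) != 6:
        raise Option82Error("MAC address must be 6 bytes")
    # Assumed widths: VLAN ID and port number are 2 bytes each (inner length 4).
    circuit = struct.pack("!BBBBHH", SUB_CIRCUIT_ID, 0x06, 0x00, 0x04,
                          vlan_id, port_number)
    remote = struct.pack("!BBBB", SUB_REMOTE_ID, 0x08, 0x00, 0x06) + mac
    value = circuit + remote
    return bytes([OPTION_82, len(value)]) + value


def iter_sub_options(value):
    """Yield (type, payload) pairs, refusing lengths that overrun the option."""
    offset = 0
    while offset < len(value):
        if offset + 2 > len(value):
            raise Option82Error("truncated sub-option header")
        sub_type, sub_len = value[offset], value[offset + 1]
        payload = value[offset + 2:offset + 2 + sub_len]
        if len(payload) != sub_len:
            raise Option82Error(f"sub-option {sub_type} overruns the option")
        yield sub_type, payload
        offset += 2 + sub_len


def parse_normal(option):
    """Decode a normal-format Option 82 field into VLAN, port and MAC."""
    if len(option) < 2 or option[0] != OPTION_82:
        raise Option82Error("not an Option 82 field")
    if option[1] != len(option) - 2:
        raise Option82Error("option length does not match the data")
    result, seen = {}, set()
    for sub_type, payload in iter_sub_options(option[2:]):
        if sub_type in seen:
            raise Option82Error(f"duplicate sub-option {sub_type}")
        seen.add(sub_type)
        if sub_type == SUB_CIRCUIT_ID:
            if len(payload) != 6 or payload[0] != 0x00 or payload[1] != 0x04:
                raise Option82Error("circuit ID is not in normal padding format")
            vlan_id, port_number = struct.unpack("!HH", payload[2:])
            if not 1 <= vlan_id <= 4094:
                raise Option82Error(f"VLAN ID {vlan_id} out of range")
            result["vlan_id"], result["port_number"] = vlan_id, port_number
        elif sub_type == SUB_REMOTE_ID:
            if len(payload) != 8 or payload[0] != 0x00 or payload[1] != 0x06:
                raise Option82Error("remote ID is not in normal padding format")
            result["remote_mac"] = ":".join(f"{b:02x}" for b in payload[2:])
        else:
            # Other sub-options are kept as raw bytes rather than interpreted.
            result.setdefault("other", []).append((sub_type, bytes(payload)))
    if not seen:
        raise Option82Error("at least one sub-option must be defined")
    return result


def sample_option():
    """Constructed sample: VLAN 100, port 3, locally administered MAC."""
    return build_normal(100, 3, bytes.fromhex("020000000001"))


if __name__ == "__main__":
    raw = sample_option()
    print(raw.hex(), parse_normal(raw))
```

Every length byte is checked against the bytes actually present before any field is read, so a forged or truncated option is rejected instead of being misread as a different VLAN or port.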

The padding contents for sub-options in the verbose padding format are:

sub-option 1: Padded with the user-specified access node identifier (ID of the device that adds Option 82 in DHCP messages), and type, number, and VLAN ID of the port that received the client's request. Its format is shown in the following figure.

Sub-option type (0x01) | Length | Node identifier | Port type | Port number | VLAN ID

Figure 3-7 Sub-option 1 in verbose padding format

sub-option 2: Padded with the MAC address of the interface that received the client's request. It has the same format as that in normal padding format, as shown in Figure 3-6.

UDP Helper

The UDP helper function mainly functions to relay and forward the specified UDP broadcast packets. It can transform UDP broadcast packets into unicast packets and send them to the specified servers.

With the UDP helper function enabled, a switch determines whether or not to forward a received packet by the UDP port number carried in the packet. If the packet is to be forwarded, the switch modifies the destination IP address in the IP header and sends the packet to a specific destination server. Otherwise, the switch passes the packet to the upper layer modules. With the presence of the DHCP relay function, the UDP helper function does not relay DHCP packets on the S5120-EI series switches.

DNS

Domain name system (DNS) is a distributed database used for TCP/IP applications. It performs translations between domain names and IP addresses. DNS allows you to replace IP addresses with domain names, which are easy to memorize and meaningful. Domain name-to-IP address resolution is carried out by the DNS server.

There are two kinds of domain name resolution, namely the static domain name resolution and dynamic domain name resolution, both of which supplement each other in real application. You can configure to resolve domain names in the static way, with the dynamic resolution as the ultimate measure. By adding commonly used domain names to the static domain name resolution table, you can greatly improve the efficiency of domain name resolution.

50 Chapter 3 Software Features I. Static domain name resolution To enable static domain name resolution, you need to establish domain name-to-ip address maps. When you use a domain name for an application, the corresponding IP address can be obtained through the static domain name resolution table. II. Dynamic domain name resolution Dynamic domain name resolution is implemented by querying the DNS server. With dynamic domain name resolution adopted, a DNS client sends DNS requests to the DNS server for the corresponding IP address. The DNS server in turn searches in its own database for the IP address corresponding to the domain name and sends the IP address back to the DNS client. If the DNS server cannot find the corresponding IP address in its database, it forwards the DNS request to the DNS server one level higher than itself for the domain name to be resolved. Such a process goes on and on until the domain name is resolved. An S5120-EI Ethernet switch supports the static domain name resolution and can operate as a DNS client when dynamic domain name resolution is adopted. Besides IPv4 address-to-domain name conversion, that of IPv6 is also available on an S5120-EI switch OAM (802.3ah) Ethernet OAM (meaning operation, administration, and maintenance) is a tool for monitoring network. It operates on data link layer and can report information about networks to network administrators through the OAMPDUs exchanged between devices, enabling network administrators to manage the network more effectively. Currently, Ethernet OAM is mainly used for detecting data link layer problems occurred in the last mile. By enabling Ethernet OAM on two devices connected by a point-to-point connection, you can monitor the status of the link between the two devices. Ethernet OAM provides the following functions. 
Link performance monitoring, for detecting link errors
Fault detection and alarm, for reporting link errors to the administrators
Loopback testing, for detecting link errors through non-OAMPDUs

Connectivity Fault Detection (802.1ag)

Connectivity fault detection (CFD) is a Layer 2 link OAM (Operations, Administration and Maintenance) mechanism used for link connectivity detection and fault locating.

I. Maintenance domain

A maintenance domain (MD) is the part of the network where CFD plays its role. The MD boundary is defined by some maintenance points configured on the ports. An MD is identified by MD name and is divided into 8 levels, represented by integers 0 to 7. The bigger the number, the higher the level. A higher level MD can contain lower level MDs, but they cannot overlap. In other words, a higher level MD covers a larger area than a lower level MD.

II. Maintenance association

A maintenance association (MA) is a set of maintenance points in a maintenance domain. It is identified in the form MD name + MA name. An MA works within a VLAN. Packets sent by the maintenance points in an MA carry the corresponding VLAN tag. A maintenance point can receive packets sent by other maintenance points in the same MA.

III. Maintenance point

A maintenance point (MP) is configured on a port and belongs to an MA. MPs can be divided into two types: maintenance association end point (MEP) and maintenance association intermediate point (MIP).

MEP

Each MEP is identified by an integer called MEP ID. The MEPs define the range of the MD. The MA and MD that MEPs belong to define the VLAN attribute and level of the packets sent by the MEPs. MEPs are divided into inbound MEPs and outbound MEPs. In Figure 3-8, outbound MEPs are configured on the ports. In Figure 3-9, inbound MEPs are configured on the two ports.

Figure 3-8 Outbound MEP (labels: Maintenance Association, Bridge, Relay Entity, Bridge Port)

Figure 3-9 Inbound MEP (labels: Maintenance Association, Bridge, Relay Entity, Bridge Port)

MIP

A maintenance association intermediate point (MIP) can handle and respond to CFD packets. The MA and MD that a MIP belongs to define the VLAN attribute and level of the packets received.

Figure 3-10 demonstrates a grading example of the CFD module. In the figure, there are six devices, labeled 1 to 6. Suppose each device has two ports, and MEPs and MIPs are configured on some of these ports. Four levels of MDs are designed in this example: the bigger the number, the higher the level and the larger the area covered. In this example, the X port of device 2 is configured with the following MPs: a level 5 MEP, a level 3 inbound MEP, a level 2 inbound MEP, and a level 0 outbound MEP.

Figure 3-10 Levels of MPs (legend: MEP and MIP symbols are numbered with their MD level; the figure also marks ports, maintenance associations, and the logical path of CFD messages)

3.3 NTP

Clock synchronization among devices becomes important given increasingly complex network topologies. The network time protocol (NTP) is a TCP/IP protocol that advertises accurate time on the entire network.

NTP provides a consistency guarantee for the following applications:

When incremental backup is performed between a backup server and a client, it ensures that the clocks of the two systems are synchronized.
When multiple systems are used to deal with complex events, it ensures the correct order of these events.
It ensures the normal performance of the Remote Procedure Call (RPC) between systems.
It provides time information about such operations as system login of users and file modification for application programs.

3.4 Routing Features

Note: The S5120-EI is a Layer 2 switch capable of some Layer 3 functions because it supports 32 static routes.

Static Route and Default Route

I. Static route

Static routes are configured by the network administrator manually. In a network with a simple structure, static routes can ensure normal running of the switches. Configuring static routes correctly can ensure network security effectively and provide bandwidth for important applications.

The disadvantage of static routes is that they cannot adapt when the network topology changes, for example because of a network device failure. The network administrator has to configure static routes again based on the new network topology.

II. Default route

Default routes are used only when a router fails to find any matching route. In a routing table, the default route is the route to Default routes can save bandwidth resources occupied by packet forwarding and save routing time, thus enabling a great number of users to communicate simultaneously.

3.5 Multicast Features

IGMP Snooping

Internet group management protocol snooping (IGMP Snooping) operates on Layer 2 Ethernet switches. It provides a mechanism to manage and control multicast groups.

IGMP snooping runs on the link layer. It checks the information carried in the IGMP packets exchanged between hosts and routers. On detecting an IGMP host report message, the switch adds the host to the corresponding multicast table. On detecting an IGMP Leave message, the switch removes the corresponding multicast entry from the multicast table. By continuously listening to IGMP packets, a switch creates and maintains a Layer 2 MAC multicast address table, through which the switch forwards the multicast packets transmitted by the routers.

When IGMP Snooping is not enabled, multicast packets are broadcast on Layer 2. When IGMP Snooping is enabled, the packets are multicast instead of being broadcast on Layer 2.

Figure 3-11 IGMP Snooping (panels: multicast packet transmission without IGMP Snooping; multicast packet transmission when IGMP Snooping runs)

Multicast VLAN

As shown in Figure 3-12, in the traditional multicast programs-on-demand mode, when hosts belonging to different VLANs (Host A, Host B and Host C) require the multicast programs-on-demand service, the Layer 3 device, Router A, needs to forward a separate copy of the multicast traffic in each user VLAN to the Layer 2 device, Switch A. This results in not only a waste of network bandwidth but also an extra burden on the Layer 3 device.

Figure 3-12 Multicast transmission without multicast VLAN

The multicast VLAN feature configured on the Layer 2 device is the solution to this issue. With the multicast VLAN feature, the Layer 3 device needs to replicate the multicast traffic only in the multicast VLAN instead of making a separate copy of the multicast traffic in each user VLAN. This saves network bandwidth and lessens the burden on the Layer 3 device.

The multicast VLAN feature can be implemented in two approaches, as described below:

I. Port-based multicast VLAN

Port-based multicast VLAN is also known as the traditional multicast VLAN. By assigning hybrid ports to a multicast VLAN in untagged mode, you can forward multicast data to all multicast recipients attached to the hybrid ports in the multicast VLAN. This is possible because a hybrid port can forward traffic of multiple VLANs untagged.

As shown in Figure 3-13, Host A, Host B and Host C are in three different user VLANs. All the user ports (ports with attached hosts) on Switch A are hybrid ports. On Switch A, configure VLAN 10 as a multicast VLAN, assign all the user ports to this multicast VLAN, and enable IGMP Snooping in the multicast VLAN and all the user VLANs.

Figure 3-13 Port-based multicast VLAN

After the configuration, upon receiving an IGMP message on a user port, Switch A tags the message with the multicast VLAN ID and relays it to the IGMP querier, so that IGMP Snooping can uniformly manage the router ports and member ports in the multicast VLAN. When forwarding multicast data to Switch A, Router A needs to send only one copy of multicast traffic to Switch A in the multicast VLAN, and Switch A distributes the traffic to all the member ports in the multicast VLAN.

3.6 STP/RSTP/MSTP

STP/RSTP

Spanning tree protocol (STP)/rapid spanning tree protocol (RSTP) prunes a looped L2 switching network into a loop-free tree (all data on the L2 switching network must travel along the spanning tree), thereby avoiding network broadcast storms caused by network loops while keeping redundant links available for data forwarding.

Basically, STP/RSTP is used to generate a "tree" whose root is a switch called the root bridge. The root bridge is selected based on the switches' settings (such as switch priority and MAC address), but there should be only one root bridge at any time. From the root bridge, a tree stretches through the switches. A non-root switch forwards data to the root through its root port and to the connected network segment through its designated port. The root periodically transmits configuration BPDUs, while a non-root switch receives and forwards them. If a switch receives configuration BPDUs from two or more ports, it assumes that there is a loop in the network. To eliminate the loop, the switch selects one of the ports as the root port and blocks the others.

When a port receives no configuration BPDUs for a long time, the switch considers that the configuration of this port has timed out and the network topology may have changed. Then, it recalculates the network topology and generates a new tree.

MSTP

RSTP is an STP enhancement that significantly shortens the time for the network topology to stabilize. Multiple spanning tree protocol (MSTP) is compatible with STP and RSTP.

STP cannot transition fast. Even on a point-to-point link or an edge port, it has to wait an interval twice as long as the forward delay before the network converges.

RSTP can converge fast. However, like STP, RSTP has this drawback: all the network bridges in a VLAN share a spanning tree and the redundant links cannot be blocked by VLAN, with all the packets in the VLAN forwarded along one spanning tree.

MSTP makes up for the drawback of STP and RSTP. It makes the network converge fast and enables the traffic of different VLANs to be distributed along their respective paths, which provides a better load sharing mechanism for the redundant links.

MSTP associates VLANs with spanning trees by using a VLAN mapping table; that is, a table showing the correspondence between VLANs and spanning trees. Meanwhile, MSTP divides a switched network into several domains. In each domain, multiple independent STPs are generated. MSTP prunes a looped network into a loop-free network so as to avoid packets proliferating and looping endlessly. It also provides multiple redundant paths for load balancing of VLAN data in the process of data forwarding.

STP Protection

I. BPDU guard

For access layer devices, the access ports are usually connected directly to user terminals (such as PCs) or file servers. In this case, the access ports are configured as edge ports to allow fast migration of these ports. When these ports receive configuration messages (BPDUs), the system will automatically set these ports as non-edge ports and recalculate the spanning tree. This will cause flapping of the network topology. Under normal conditions, these ports should not receive STP BPDUs. If someone forges BPDUs maliciously to attack the switch, network flapping will occur.
The BPDU guard function protects the system against such attacks.

II. Root guard

The root bridge and backup switches in a spanning tree must reside in the same domain. This is especially true for the root bridge and backup switches of a common and internal spanning tree (CIST), because the root bridge and backup switches of a CIST are normally placed in a high-bandwidth core domain. However, due to misconfiguration or a malicious network attack, a legal root bridge in the network may receive a BPDU that has a higher priority. This turns the current root bridge into a non-root switch, causing a wrong change in the network topology. Such an illegal change leads the traffic that would otherwise pass through a high-speed link to follow a lower-speed link, causing network congestion. The root guard function prevents this from occurring.

III. Loop guard

A switch can keep track of the states of the root port and blocked ports by continuously receiving the BPDUs sent by upstream switches. However, these ports may be unable to receive the BPDUs sent by upstream switches due to link congestion or unidirectional links. In this case, the switch reelects a root port, the original root port turns into a designated port, and blocked ports go into the forwarding state. This causes loops in the switched network. The loop guard function prevents such loops. With the loop guard function enabled, the role of the root port remains unchanged and blocked ports remain in the Discarding state without forwarding any packet. This prevents loops in the network.

IV. TC-BPDU attack prevention

Upon receiving a TC-BPDU, the switch deletes MAC address entries and ARP entries. If someone forges TC-BPDUs to attack the switch maliciously, the switch will receive excessive TC-BPDUs in a short time. Frequent entry deletion places a heavy burden on the switch and compromises network stability.

After TC-BPDU attack prevention is enabled, the switch performs the deletion triggered by received TC-BPDUs only once within a specific timer (usually 10 seconds) and monitors whether any TC-BPDU is received during that timer. If any TC-BPDUs are received within the timer, the switch performs the deletion again after the timer times out. This saves the switch from deleting MAC address entries and ARP entries frequently.

3.7 IPv6 Features

Internet protocol version 6 (IPv6) is a second-generation standard network layer protocol. Also known as IP Next Generation (IPng), it is a standard developed by the Internet Engineering Task Force (IETF) as an upgrade from IPv4.
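For the TC-BPDU attack prevention behaviour described under STP Protection above, the following added example (not H3C code) models the flush limiter and replays a constructed flood through it. The class and function names are hypothetical, and it assumes that a deferred flush at timer expiry starts a new timer, which the text above does not state.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TcFlushLimiter:
    """Limits MAC/ARP table flushes triggered by TC-BPDUs."""
    window: float = 10.0                  # the page says "usually 10 seconds"
    window_start: Optional[float] = None  # start of the running timer, None when idle
    pending: bool = False                 # a TC-BPDU arrived while the timer was running
    suppressed: int = 0                   # TC-BPDUs that caused no immediate flush
    flushes: List[float] = field(default_factory=list)  # times the tables were flushed

    def _expire(self, now: float) -> None:
        """Close every timer that has ended by `now`."""
        while self.window_start is not None and now >= self.window_start + self.window:
            end = self.window_start + self.window
            if self.pending:
                # TC-BPDUs were seen during the timer: flush once more at expiry.
                self.flushes.append(end)
                self.pending = False
                self.window_start = end   # assumption: the deferred flush restarts the timer
            else:
                self.window_start = None  # quiet timer: back to idle

    def on_tc_bpdu(self, now: float) -> bool:
        """Handle one TC-BPDU; return True if it flushed the tables immediately."""
        self._expire(now)
        if self.window_start is None:
            self.flushes.append(now)
            self.window_start = now
            return True
        self.pending = True
        self.suppressed += 1
        return False

    def tick(self, now: float) -> None:
        """Advance time without a new TC-BPDU (lets a running timer expire)."""
        self._expire(now)


def replay(arrivals, protected=True, window=10.0):
    """Replay TC-BPDU arrival times; return (flush_times, suppressed_count)."""
    if not protected:
        return list(arrivals), 0          # unprotected: every TC-BPDU flushes the tables
    limiter = TcFlushLimiter(window=window)
    for t in arrivals:
        limiter.on_tc_bpdu(t)
    limiter.tick(arrivals[-1] + 2 * window)
    return limiter.flushes, limiter.suppressed


# Constructed input: 250 forged TC-BPDUs, one every 0.1 s, followed by a single
# genuine topology change at t = 100 s.
ARRIVALS = [i / 10 for i in range(250)] + [100.0]

if __name__ == "__main__":
    unprotected, _ = replay(ARRIVALS, protected=False)
    flushes, suppressed = replay(ARRIVALS)
    print("flushes without protection:", len(unprotected))
    print("flushes with protection   :", flushes)
    print("TC-BPDUs suppressed       :", suppressed)
```

The suppressed count per timer is also a useful detection signal: a port that keeps the limiter busy across consecutive timers is receiving far more topology changes than a stable network produces.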
The main difference between IPv4 and IPv6 is that the addresses used in the latter are 128 bits in length, whereas those used in the former are only 32 bits in length. The features of IPv6 are as follows.

I. Simplified packet header

The size of the header of an IPv6 basic packet is reduced, because some fields in the IPv4 packet header are removed or moved to extension headers. This simplifies the processing that network devices perform when packets are forwarded and improves the forwarding efficiency. Despite the 128-bit IPv6 address, the size of an IPv6 basic packet header is only twice that of an IPv4 packet header (the Options field not counted in).

Figure 3-14 IPv4 packet header vs. IPv6 packet header (IPv4 header fields: Ver, IHL, ToS, Total length, Identification, F, Fragment offset, TTL, Protocol, Header checksum, Source address (32 bits), Destination address (32 bits), Options, Padding; basic IPv6 header fields: Ver, Traffic class, Flow label, Payload length, Next header, Hop limit, Source address (128 bits), Destination address (128 bits))

II. Sufficient address space

In IPv6, the source and destination addresses of a packet are both 128 bits (16 bytes) in length. Such an address scheme can provide more than addresses, which are enough to fully accommodate multi-level address allocation, public address allocation, and address allocation in private networks.

III. Hierarchical address structure

The IPv6 address space is hierarchically organized. Such a structure improves routing performance and makes route aggregation possible. Route aggregation helps reduce the system resources occupied by IPv6 routing tables.

IV. Automatic address allocation

IPv6 supports stateful address allocation and stateless address allocation, both of which simplify host configuration. Stateful address allocation enables hosts to obtain IPv6 addresses and the related information from servers (for example, DHCP servers). Stateless address allocation enables a host to configure the IPv6 address and related information automatically according to its own link layer address and the prefix information advertised by the router. A host can also generate its link-local address according to its own link layer address and the default prefix (FE80::/64) to communicate with other hosts on the same link.

V. Built-in security

In IPv6, IPsec is implemented through the standard extension header to provide end-to-end security. This feature also provides a standard for addressing network security issues and improves the interoperability among different IPv6 applications.

VI. QoS support

The Flow Label field in the IPv6 packet header labels flows. Network devices can perform traffic classification and provide differentiated services according to the Flow Label field.

VII. Enhanced neighbor discovery mechanism

The neighbor discovery protocol for IPv6 is implemented by a group of ICMPv6 (internet control message protocol for IPv6) messages. The interactions among neighboring nodes on the same link are under the administration of the IPv6 neighbor discovery protocol. It replaces ARP (address resolution protocol), ICMPv4 router discovery and ICMPv4 redirect messages, and provides a series of other functions.

VIII. Flexible extension packet header

In the header of an IPv6 packet, multiple extension packet headers replace the Options field. This not only improves the processing efficiency but also enhances the flexibility of IPv6 and provides good extensibility for the IP protocol. The Options field in an IPv4 packet header can only be 40 bytes in size, while the sizes of IPv6 extension headers are only limited by the size of the IPv6 packet.

NDP

The neighbor discovery protocol (NDP) for IPv6 is implemented by a group of ICMPv6 messages. The interactions among neighboring nodes on the same link are under the administration of IPv6 NDP. It replaces ARP, ICMPv4 router discovery and ICMPv4 redirect messages and provides a series of other functions.

In IPv6 NDP, the following five types of ICMPv6 messages are used.

NS (Neighbor Solicitation) message, which is used to request the link layer address of a neighbor, check the reachability of a neighbor, and detect duplicate addresses.
NA (Neighbor Advertisement) message. A device answers with an NA message when it receives an NS message. The device can also send NA messages actively to notify its neighbors of link layer changes.
RS (Router Solicitation) message. A host sends RS messages to the router to request the prefix and other configuration information after it starts.
RA (Router Advertisement) message. A router answers with RA messages when it receives RS messages. It also advertises RA messages periodically, which contain prefix and flag bit information.
Redirect message. When a router finds that the receiving interface and sending interface of a packet are the same, it sends redirect messages to trigger the corresponding host to use another next hop address.

Table 3-1 summarizes the NDP functions.

Table 3-1 NDP functions

Function | Description
Router discovery/prefix discovery/parameter discovery | Discovers the local routers on the same link (this process is the same as that of ICMPv4 router discovery) and obtains address prefixes and other configuration parameters for address auto-configuration. This is achieved through RS and RA messages.
Address auto-configuration | Automatically configures IPv6 addresses and other information of interfaces according to the address prefixes and other configuration parameters carried in the RA messages.
Address resolution | Maps the IPv6 address of a neighboring node to the corresponding link layer address (this process is the same as that of IPv4 ARP). This is achieved through NS and NA messages. A node multicasts an NS message, with the destination address being the IPv6 address of the requested node and the local link layer address carried in it. When other nodes on the same link receive the message, each of them checks whether or not the destination address is the local address. If yes, the node answers with an NA message that contains its own link layer address. A node obtains the link layer addresses of neighboring nodes through the procedure above.
Neighbor unreachable detection (NUD) | This function is used to check whether or not a node is reachable. If a node receives an acknowledgment message from the neighbor after sending a NUD message, it considers the neighbor to be reachable. Otherwise, it considers the neighbor to be unreachable.
Duplicate address detection (DAD) | When a node obtains an IPv6 address, it checks whether or not the address conflicts with that of another node through the duplicate address detection function. (This process is similar to the gratuitous ARP function in IPv4.) The node sends an NS message. If the node receives an NA message from another node, it indicates that the address is already in use. Otherwise, it indicates the IPv6 address is not in use.
Redirect | A router informs a host of the optimal next-hop IPv6 address to reach a particular destination through this function. (This is similar to the ICMP redirect function in IPv4.)

Introduction to IPv6 DNS

In an IPv6 network, translation between domain names and IPv6 addresses is also required. This translation can be achieved through the IPv6 Domain Name System (DNS). The only difference between IPv6 DNS and IPv4 DNS is that IPv6 DNS translates domain names into IPv6 addresses, instead of IPv4 addresses.

Similar to IPv4 DNS, IPv6 DNS also implements static and dynamic domain name resolution. In addition, the purpose and implementation method of static and dynamic domain name resolution through IPv6 DNS are the same as those of IPv4 DNS. For details, see the related sections in the IPv4 network protocol part.

Normally, a DNS server connecting an IPv4 network to an IPv6 network stores A entries (IPv4 addresses) and AAAA entries (IPv6 addresses). Therefore, the DNS server can resolve domain names into IPv4 addresses and IPv6 addresses. In this case, the DNS server can implement both IPv6 DNS and IPv4 DNS. To resolve domain names into IPv4/IPv6 addresses on a DNS server, configuration is required.

Ping IPv6 and Tracert IPv6

You can perform the ping IPv6 operation in an IPv6 network to test the connection between two devices. It can be your first choice to check whether a host is reachable. The operation sends ICMPv6 packets to the destination host and records the round trip time.

The traceroute IPv6 operation can record the gateways along the path from a host to a specific node. This operation enables you to locate problems in an IPv6 network by testing the reachability of network connections.

IPv6 Telnet

Telnet is an application layer protocol of the TCP/IP protocol suite. It implements remote logon and virtual terminal. A host running the IPv6 Telnet client program establishes an IPv6 Telnet connection with Device A. In this case, Device A serves as the Telnet server. If Device A is connected to Device B through Telnet, the former functions as a Telnet client and Device B functions as a Telnet server. Both Telnet server and Telnet client support IPv6 connections.

IPv6 TFTP

IPv6 supports trivial file transfer protocol (TFTP) applications. You can upload/download files in an IPv6 network using TFTP. Currently, an S5120-EI Ethernet switch can only operate as an IPv6 TFTP client.
3.8 IPv6 Multicast Features

MLD Snooping

Multicast Listener Discovery Snooping (MLD Snooping) is an IPv6 multicast constraining mechanism that runs on Layer 2 Ethernet switches to manage and control IPv6 multicast groups.

MLD Snooping is analogous to IGMP Snooping in IPv4: a switch can establish and maintain the corresponding MLD Snooping multicast group table at the data link layer by monitoring MLD messages, and forward the IPv6 multicasts delivered by a multicast router based on the MAC multicast group information in the table.

3.9 QACL

Quality of service (QoS) provides network services of different types and grades selected by users, from top service quality to normal service quality, networkwide to accommodate various demands.

An access control list (ACL) is used primarily to identify traffic flows. In order to filter data packets, a series of match rules must be configured on the network device to identify the packets to be filtered. After the specific packets are identified, and based on the predefined policy, the network device can permit or prohibit the corresponding packets to pass.

Traffic Classification

Traffic classification classifies packets according to the packet filtering keywords configured by the user. Various types of user-defined service processing can be implemented on the classified packets.

In traffic classification, rules are defined to discriminate packets that conform to certain characteristics. The classification rules can be very simple. For example, traffic flows with different priority characteristics can be discriminated according to the differentiated services codepoint (DSCP) in the packet header. They can also be quite complicated.
For example, packets can be classified according to combinations of information involving the data link layer, network layer and transport layer, such as MAC address, IP protocol type, source host/network segment address, destination host/network segment address, and even application port number.

Priority Marking

The S5120-EI series support priority marking for classified packets and modification of the DSCP or 802.1p priority in the packets according to the user-specified preferred priority values, so as to provide the specified QoS networkwide.

The S5120-EI series can provide priority marking service for classified packets. The marking contents include DSCP and 802.1p priority. The series also support assignment of drop precedence and local precedence to packets according to the DSCP or 802.1p level.

Traffic Policing/Bandwidth Assurance

Traffic policing polices the traffic matching a traffic classification rule on the port where the packets are received, so that the traffic can effectively use the assigned network resources such as bandwidth. Traffic policing can also secure the bandwidth for specific services.

Bandwidth assurance refers to assuring the minimum bandwidth for a specific traffic flow so that it can satisfy such QoS requirements as packet loss rate, delay, and jitter even when network congestion occurs.

The S5120-EI series implement traffic policing mainly by limiting the rate of packet-receiving ports, supervising traffic entering a specific network, and performing priority marking for packets within the traffic limit to provide differentiated services. If the traffic is too big, you can drop or try to forward the excessive traffic or remark the priority of the traffic.

Traffic Statistics

Based on traffic classification, the S5120-EI series can perform traffic statistics for the identified packets. This function counts the total number of all packets that match the specified traffic classification rule to facilitate the analysis of specific traffic flows on the network.

Traffic Mirroring

Based on traffic classification, the S5120-EI series can perform traffic mirroring for the identified packets to re-monitor service traffic flows that match the traffic classification rule. This function copies the data packets that match the traffic classification rule to the monitoring port to facilitate network tests and troubleshooting.

Traffic Redirection

Based on traffic classification, the S5120-EI series can redirect the identified packets. The traffic redirection function enables you to re-specify the output port of packet forwarding and bypass the Bridge mechanism, with the destination port determined by the traffic redirection function.

Port Mirroring

Port mirroring is used for monitoring packets on a specific port. This function copies the data packets on the specified port to the monitoring port to facilitate network tests and troubleshooting.
The S5120-EI series support inbound and outbound port mirroring.

Queue Scheduling

Queue scheduling applies to the situation where multiple forwarded packets compete for the resources. The S5120 series support four queue scheduling algorithms: strict priority (SP), weighted round robin (WRR) and SP+WRR. These algorithms process packet forwarding problems of each output queue on the switch ports based on their own rules. The following sections describe these algorithms briefly:

I. SP queue-scheduling algorithm

Figure 3-15 Diagram for SP queuing (packets to be sent through the port are classified into Queue 7, high priority, down to Queue 0, low priority, then scheduled into the sending queue of the interface)

The SP queue-scheduling algorithm is specially designed for critical service applications. An important feature of critical services is that they demand preferential service in congestion in order to reduce the response delay. Assume that there are eight output queues on the port and the preferential queue classifies the eight output queues on the port into eight classes, which are queue7, queue6, queue5, queue4, queue3, queue2, queue1, and queue0. Their priorities decrease in order.

In queue scheduling, SP sends packets in the queue with higher priority, strictly following the priority order from high to low. When the queue with higher priority is empty, packets in the queue with lower priority are sent. You can put critical service packets into the queues with higher priority and put non-critical service (such as ) packets into the queues with lower priority. In this case, critical service packets are sent preferentially and non-critical service packets are sent when critical service packets are not being sent.

The disadvantage of the SP queue is that if there are packets in the queues with higher priority for a long time in congestion, the packets in the queues with lower priority will be starved because they are not served.

II. WRR queue-scheduling algorithm

Figure 3-16 Diagram for WRR queuing (packets to be sent through the port are classified into Queue 1 with Weight 1 through Queue N with Weight N, then scheduled into the sending queue of the interface)

The WRR queue-scheduling algorithm schedules all the queues in turn, and every queue can be assured of a certain service time. In a typical H3C switch there are eight output queues on each port. WRR configures a weight value for each queue, for example: w7, w6, w5, w4, w3, w2, w1, and w0 respectively for queue 7 through queue 0. A weight value indicates the proportion of resources available for a queue. On a 100-Mbps port, configure the weight values of the WRR queue-scheduling algorithm as 5, 5, 3, 3, 1, 1, 1, and 1 (corresponding to w7, w6, w5, w4, w3, w2, w1, and w0 in order). In this way, the queue with the lowest priority can get at least 5 Mbps (100 Mbps × 1/(5 + 5 + 3 + 3 + 1 + 1 + 1 + 1)) of bandwidth, and the disadvantage of SP queue scheduling, that the packets in queues with lower priority may not get service for a long time, is avoided. Another advantage of the WRR queue is that, though the queues are scheduled in order, the service time for each queue is not fixed; that is to say, if a queue is empty, the next queue will be scheduled. In this way, the bandwidth resources are fully used.

III. SP+WRR

The SP+WRR queue scheduling algorithm configures some queues of each port with the SP algorithm and the other queues with the WRR algorithm so that bandwidth resources can be fully utilized.

A port of an S5120-EI Ethernet switch supports eight output queues. If you set the weight or the bandwidth of one or multiple queues to 0, the switch will add the queue or these queues to the SP group, where SP is adopted. For other queues, WRR still applies. In this case, both SP and WRR are adopted.
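The following added example (not H3C code) models one port with the three scheduling modes this section describes and reproduces the 5 Mbps figure for the weights 5, 5, 3, 3, 1, 1, 1, 1. It assumes equal-size packets, a WRR turn of `weight` packets per queue, SP order by descending queue number inside the SP group, and the rule that the SP group is served before any WRR queue; all class and function names are hypothetical.

```python
from collections import Counter, deque


class SpWrrPort:
    """One egress port with eight output queues, numbered 7 down to 0."""

    def __init__(self, w7_to_w0):
        # Weights arrive in the page's order (w7 ... w0); index them by queue number.
        self.weight = dict(zip(range(7, -1, -1), w7_to_w0))
        self.queues = {q: deque() for q in self.weight}
        by_number = sorted(self.weight, reverse=True)
        # Weight 0 places a queue in the SP group; the rest are served by WRR.
        self.sp = [q for q in by_number if self.weight[q] == 0]
        self.wrr = [q for q in by_number if self.weight[q] > 0]
        self._pos = 0  # index of the WRR queue whose turn it is
        self._left = self.weight[self.wrr[0]] if self.wrr else 0  # packets left in that turn

    def enqueue(self, queue, packet):
        self.queues[queue].append(packet)

    def dequeue(self):
        """Return (queue, packet) for the next packet to send, or None when idle."""
        for q in self.sp:  # SP group first, highest queue number first
            if self.queues[q]:
                return q, self.queues[q].popleft()
        if not any(self.queues[q] for q in self.wrr):
            return None
        while True:
            q = self.wrr[self._pos]
            if self.queues[q] and self._left > 0:
                self._left -= 1
                return q, self.queues[q].popleft()
            # Turn used up or queue empty: the next queue is scheduled at once.
            self._pos = (self._pos + 1) % len(self.wrr)
            self._left = self.weight[self.wrr[self._pos]]


def transmit(port, backlog, slots):
    """Queue backlog[q] packets per queue, send for `slots` packet times, and
    return the queue numbers in the order they were served."""
    for q, count in backlog.items():
        for seq in range(count):
            port.enqueue(q, seq)
    order = []
    for _ in range(slots):
        item = port.dequeue()
        if item is None:
            break
        order.append(item[0])
    return order


def mbps(order, link_mbps=100):
    """Bandwidth per queue on a congested link, assuming equal-size packets."""
    sent = Counter(order)
    return {q: link_mbps * sent[q] / len(order) for q in range(7, -1, -1)}


ALL_BUSY = {q: 1000 for q in range(8)}  # constructed load: every queue backlogged


def wrr_shares():
    """The page's WRR weights 5, 5, 3, 3, 1, 1, 1, 1 on a 100-Mbps port."""
    return mbps(transmit(SpWrrPort([5, 5, 3, 3, 1, 1, 1, 1]), ALL_BUSY, 2000))


def sp_shares():
    """All weights 0 models pure SP: low-priority queues starve under congestion."""
    return mbps(transmit(SpWrrPort([0] * 8), ALL_BUSY, 2000))


def sp_plus_wrr_order():
    """SP+WRR with queues 0-3 in the SP group and queues 4-7 under WRR."""
    backlog = {q: (50 if q < 4 else 1000) for q in range(8)}
    return transmit(SpWrrPort([5, 5, 3, 3, 0, 0, 0, 0]), backlog, 360)


if __name__ == "__main__":
    print("WRR   :", wrr_shares())
    print("SP    :", sp_shares())
    order = sp_plus_wrr_order()
    print("SP+WRR: first 200 slots", Counter(order[:200]), "then", Counter(order[200:]))
```

Under pure SP the same load leaves queues 5 through 0 with no bandwidth at all, which is the starvation WRR is meant to avoid.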

In cases where both SP and WRR queue scheduling algorithms are adopted, the queues in the SP group take precedence over other queues. For example, if queue 0, queue 1, queue 2, and queue 3 are in the SP group, and queue 4, queue 5, queue 6, and queue 7 are scheduled using WRR, the switch schedules the queues in the SP group preferentially by using the SP algorithm. Queues outside the SP group are scheduled by using the WRR algorithm only when all the queues in the SP group are empty.

User Profile

The S5120-EI series switches use user profiles to control the effective scope of a QoS policy, and flexibly control system resource assignment for users.

A user profile provides a configuration template to save predefined configurations. Based on different application scenarios, you can configure different items for a user profile, such as Committed Access Rate (CAR), Quality of Service (QoS), and so on.

With user profiles, you can:

- Make use of system resources more granularly. For example, without user profiles, you can apply a QoS policy based on interface, VLAN, globally and so on. This QoS policy is applicable to a group of users. With user profiles, however, you can apply a QoS policy on a per-user basis, to each user who passes authentication and accesses the device.
- Control system resource assignment for users more flexibly. For example, without user profiles, you can perform traffic policing based on CAR, ACL, or for all the traffic of the current interface; when the physical position of users changes (for example, the users access the network using another interface), you need to configure traffic policing on another interface. With user profiles, however, you can perform traffic policing on a per-user basis. As long as users are online, the authentication server applies the corresponding user profile (with CAR configured) to the users; when the users are offline, the system automatically removes the corresponding configuration.

Centralized Management Features

HGMP

Through cluster management, the network administrator can configure and troubleshoot multiple switches through a single public network IP address of a primary switch. In each cluster, there is a master switch called a command switch. The rest of the switches serve as member switches. A member switch is typically not configured with an IP address. The command switch and member switches form a cluster.

In a cluster, the switches have different roles based on their functions. You can specify switch roles. The roles can be switched based on certain rules.

Switch roles in a cluster include command switch, member switch, standby switch, and candidate switch.

1) Command switch: the switch configured with a public network IP address. A management command is sent to the command switch and the command switch processes this command. If the destination is a member switch, the management command will be forwarded to the command switch.
2) Member switch: a member in a cluster. The member switch is managed through the proxy of the command switch. Typically no public network IP address is set for the member switch.
3) Candidate switch: Candidate switches are cluster-capable devices that have not yet been added to a cluster.

Security Features

The popularity of network applications, especially in some sensitive occasions (e-commerce for example), highlights the issue of network security. The S5120-EI series have been designed based on full consideration of customers' demands, so as to provide full-range network solutions.

With respect to terminal access control and user access control, the S5120-EI series provide the following network security features:

- Hierarchical user management and password protection
- IP Source Guard
- MAC address black hole
- MAC address learning limit
- Binding of MAC addresses to ports
- Supports SSH 2.0
- IEEE 802.1x compliant access user authentication
- Supports MAC address based authentication
- Supports local and RADIUS authentication modes
- Supports port isolation

With respect to filtering and authenticating Ethernet frames and packets from the upper layers, the S5120-EI series support:

- ACL, with which information is filtered at layers 2 through 4 (such as based on port, by source/destination MAC address, by source/destination IP address, or by the type of upper layer protocol).
- Encrypted authentication of SNMPv

Terminal Access User Classification

The S5120-EI series protect command lines in a hierarchical way by dividing the command lines into four levels: visitor, monitor, operator, and administrator.

Commensurate with the command division, login users are classified into four levels. A login user can use only the commands equal to or lower than its level.

SSH

When users log in to the Ethernet switch from an insecure network, Secure Shell (SSH) offers security information protection and powerful authentication function to safeguard the Ethernet switch from attacks, such as IP address spoofing and plain-text password interception.

An Ethernet switch can accept multiple SSH client connections at the same time. The SSH client allows users to connect to the Ethernet switches and UNIX mainframes that support SSH servers. The S5120-EI series Ethernet switches support SSH

Port Isolation

Port isolation means isolating ports of the same switch so that Layer 2 and Layer 3 packet forwarding cannot be implemented between these ports. This prevents access between the ports, effectively controls unnecessary broadcasting and increases the network throughput.

IEEE 802.1x Authentication

IEEE 802.1x is essentially a port-based network access control protocol. As port-based network access control implies, the NAS on a LAN authenticates and controls the connected customer premises equipment (CPE) at the port level. If the CPE connected to a port passes authentication, it is allowed to access the LAN resources. Otherwise, it is rejected just as if its physical link were disconnected.

In implementing 802.1x, the Ethernet switches not only support port-based access authentication, but also extend and optimize it by:

- Allowing a physical port to be connected to several terminals.
- Supporting access control (that is, user authentication) based on MAC address in addition to port. This greatly enhances the security, operability and manageability of the system.

Note that, although 802.1x provides an implementation scheme for user authentication, the protocol itself is not enough to implement the scheme. The NAS administrators, however, can use RADIUS or local authentication to complete the user authentication with 802.1x.

802.1x EAD Fast Deployment

I. Overview

As an integrated security scheme, an endpoint admission defense (EAD) scheme can improve the overall defense capability of a network. However, EAD deployment brings much workload in actual applications. To solve this problem, you can use 802.1x functions to implement fast deployment of the EAD scheme.

To address the issue, the S5120-EI series switches use 802.1x authentication to redirect users quickly to the EAD client download server, easing the work of EAD client deployment.

II. Operation of Quick EAD Deployment

Quick EAD deployment is achieved with two functions: restricted access and HTTP redirection.

1) Restricted access
Before passing 802.1x authentication, a user is restricted (through ACLs) to a specific range of IP addresses or a specific server. Services like EAD client upgrading/download and dynamic address assignment are available on the specific server.

2) HTTP redirection
In the HTTP redirection approach, when the terminal users that have not passed 802.1x authentication access the Internet through Internet Explorer, they are redirected to a predefined URL for EAD client download.

The two functions ensure that all the users without an EAD client have downloaded and installed one from the specified server themselves before they can access the Internet, thus decreasing the complexity and effort that EAD client deployment may involve.

IP Source Guard

By filtering packets on a per-port basis, IP source guard prevents illegal packets from traveling through, thus improving the network security.

After receiving a packet, the port looks up the key attributes (including IP address, MAC address and VLAN tag) of the packet in the binding entries of the IP source guard. If there is a matching entry, the port will forward the packet. Otherwise, the port will discard the packet.
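The per-port lookup can be modelled as follows. This is an added example, not the switch's implementation: the class and function names, port names and addresses are constructed (documentation address ranges), a binding may fix any of the IP, MAC and VLAN combinations this section lists, and a port with no binding entries is assumed to be unfiltered.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def norm_mac(mac: str) -> str:
    """Reduce 0000-5e00-5301, 00:00:5E:00:53:01 and similar to 12 lowercase hex digits."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def norm_ip(ip: str) -> str:
    """Canonical text form, so equivalent spellings of one address compare equal."""
    return str(ipaddress.ip_address(ip))


@dataclass
class Binding:
    """One binding entry on a port. Fields left as None are not checked."""
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None

    def __post_init__(self):
        # Every entry type in the section binds an IP address, a MAC address, or both;
        # a VLAN on its own is not one of them.
        if self.ip is None and self.mac is None:
            raise ValueError("a binding needs an IP address, a MAC address, or both")
        if self.ip is not None:
            self.ip = norm_ip(self.ip)
        if self.mac is not None:
            self.mac = norm_mac(self.mac)

    def matches(self, ip: str, mac: str, vlan: int) -> bool:
        return ((self.ip is None or self.ip == ip)
                and (self.mac is None or self.mac == mac)
                and (self.vlan is None or self.vlan == vlan))


class SourceGuard:
    def __init__(self):
        self.bindings = {}  # port name -> list of Binding

    def bind(self, port: str, **fields) -> None:
        self.bindings.setdefault(port, []).append(Binding(**fields))

    def permits(self, port: str, ip: str, mac: str, vlan: int) -> bool:
        """True = forward, False = discard."""
        entries = self.bindings.get(port)
        if not entries:
            return True  # assumption: a port without bindings is not filtered
        try:
            ip, mac = norm_ip(ip), norm_mac(mac)
        except ValueError:
            return False  # unparsable source fields can never match an entry
        return any(entry.matches(ip, mac, vlan) for entry in entries)


def demo():
    guard = SourceGuard()
    guard.bind("GE1/0/1", ip="192.0.2.10", mac="0000-5e00-5301", vlan=10)  # IP-MAC-VLAN-port
    guard.bind("GE1/0/2", mac="0000-5e00-5302")                            # MAC-port
    packets = [  # constructed (port, source IP, source MAC, VLAN) tuples
        ("GE1/0/1", "192.0.2.10", "00:00:5e:00:53:01", 10),    # exact match
        ("GE1/0/1", "192.0.2.99", "00:00:5e:00:53:01", 10),    # IP not in the entry
        ("GE1/0/1", "192.0.2.10", "00:00:5e:00:53:01", 20),    # wrong VLAN
        ("GE1/0/2", "192.0.2.10", "00:00:5e:00:53:01", 10),    # valid host, wrong port
        ("GE1/0/2", "198.51.100.7", "0000-5E00-5302", 30),     # MAC-port entry ignores IP/VLAN
        ("GE1/0/3", "203.0.113.5", "00:00:5e:00:53:03", 1),    # port without bindings
    ]
    return [guard.permits(*p) for p in packets]


if __name__ == "__main__":
    print(demo())
```

The fourth packet shows why bindings are kept per port: the host that is valid on GE1/0/1 is discarded when the same source addresses appear on GE1/0/2.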
IP source guard filters packets based on the following types of binding entries:

- IP-port binding entry
- MAC-port binding entry
- IP-MAC-port binding entry
- IP-VLAN-port binding entry
- MAC-VLAN-port binding entry

- IP-MAC-VLAN-port binding entry

You can manually set static binding entries, or use DHCP Snooping to provide dynamic binding entries. Binding is on a per-port basis. After a binding entry is configured on a port, it is effective only on that port and not on other ports.

MAC Address Authentication

MAC address authentication is a port and MAC address based authentication method to control the network access authority of users. MAC address authentication does not require the users to install any client software. The switch starts authentication of a user once it detects a new MAC address of the user.

The S5120-EI series support the following two types of MAC address authentication:

- MAC address mode: the MAC address of a user is used as both the user name and password.
- Fixed mode: the user name and password are configured on the switch beforehand. In this case, all the users correspond to the fixed user names and passwords configured on the switch.

MAC Address Learning Limit

MAC address learning limit: limits the number of MAC addresses learned by an Ethernet switch port. The number ranges from 0 to 4k. Static MAC addresses added on the port are not affected.

Binding of MAC Addresses to Ports

If the MAC address of a network device is bound with a port, you can access the Internet through this port only.

MAC Address Black Hole

On an S5120-EI series switch, you can enable the black hole function and configure a black hole list. When the switch receives a packet with a source or destination MAC address in the black hole list, it drops the packet.

AAA/RADIUS/HWTACACS

The S5120-EI series support user authentication locally or with RADIUS/HWTACACS servers.

I. AAA

AAA is the abbreviation of Authentication, Authorization and Accounting. It provides a uniform framework to configure the security functions including authentication,

authorization, and accounting. Actually, it offers a way to control the network security, which can be implemented with RADIUS.

AAA performs the following services:

- Authentication: Authenticates whether the user can access the network server.
- Authorization: Authorizes the user with specified services.
- Accounting: Tracks the network resources consumed by users.

II. RADIUS

RADIUS is a distributed system in the client/server model. It can fend off invalid users and is often used in a network environment where both high security and remote user access are desired. For example, it can be used to manage the access based on 802.1x.

RADIUS is based on the client/server model where user authentication always involves a device that can provide the proxy function, such as NAS. Between the RADIUS client and server, the exchanged messages are authenticated using a shared key and user passwords are sent encrypted over the network. The security is thus ensured.

III. HWTACACS

HWTACACS is a security protocol providing enhanced functions based on TACACS (RFC1492). Similar to RADIUS, this protocol mainly enables the AAA for multiple types of users in the Server-Client mode. It can be used for the AAA of PPP and VPDN access users and login users.

Compared with RADIUS, HWTACACS features more reliable transmission and encryption, making it more suitable for security control. The major differences between HWTACACS and RADIUS are listed in the table below:

Table 3-2 HWTACACS vs. RADIUS

| HWTACACS | RADIUS |
|---|---|
| Uses TCP for more reliable transmissions over the network. | Uses UDP. |
| Encrypts packet body completely, except the standard HWTACACS packet header. | Encrypts only the password field in authentication packets. |
| Authentication and authorization are separated. For example, RADIUS can be used for authentication, while HWTACACS is used for authorization. | Authentication and authorization are not separated. |
| Suitable for security control. | Suitable for accounting. |
| Allows different users to use different configuration commands on the routing module of the switch. | Does not support this feature. |

HWTACACS is mainly used when a dialup user or terminal user needs to log on to the switch. As the client of HWTACACS, the switch sends the user name and password to the HWTACACS server for authentication. After passing the authentication, the user can log on to the switch and perform operations.

Reliability Features

Smart Link

Dual-uplink networks (as shown in Figure 3-17) are in common use. In a network of this type, Spanning Tree Protocol (STP) is usually employed to allow for link redundancy. However, STP cannot satisfy users with high demands on convergence time.

Smart Link is dedicated to dual-link networks as shown in Figure 3-17 to provide link redundancy with rapid convergence (sub-second level). It allows the backup link to take over quickly when the primary link fails. In addition to fast convergence, Smart Link is easy to configure.

Figure 3-17 Smart link application scenario

II. Smart link group

A smart link group consists of only two member ports: the master and the slave. At a time, only one port is active for forwarding, and the other port is blocked, that is, in the standby state. When link failure occurs on the active port, due to port shutdown or the presence of a unidirectional link for example, the standby port becomes active to take over while the original active port transits to the blocked state. Note that a port can join only one smart link group.

As shown in Figure 3-17, GE1/0/1 and GE1/0/2 of Switch C form a smart link group, with GE1/0/1 being active and GE1/0/2 being standby. GE1/0/1 and GE1/0/2 of Switch E form another smart link group, with GE1/0/2 being active and GE1/0/1 being standby.

III. Master port

Master port is a port role in a smart link group. When both ports in a smart link group are up, the master port preferentially transits to the forwarding state. Once the master port fails, the slave port takes over to forward traffic until the next link switchover. During this period, the master port stays in standby state even if it has recovered.

As shown in Figure 3-17, you can configure GE1/0/1 of Switch C and GE1/0/2 of Switch E as master ports.

IV. Slave port

Slave port is a port role in a smart link group. When both ports in a smart link group are up, the slave port is placed in the standby state. When the master port fails, the slave port takes over to forward traffic.

As shown in Figure 3-17, you can configure GE1/0/2 of Switch C and GE1/0/1 of Switch E as slave ports.

V. Flush message

Flush messages are used by a smart link group to notify other devices to refresh their MAC address forwarding entries and ARP/ND entries when link switchover occurs in the link group.

VI. Transmit control VLAN

The transmit control VLAN is used for transmitting flush messages. When link switchover occurs, the devices (such as Switch C and E in Figure 3-17) broadcast flush messages within the VLAN.

VII. Receive control VLAN

The receive control VLAN is used for receiving and processing flush messages. When link switchover occurs, the devices (such as Switch A, B, and D in Figure 3-17) receive and process flush messages in the receive control VLAN and refresh their MAC address forwarding entries and ARP/ND entries.

Monitor Link

Monitor Link is a collaboration scheme introduced to complement Smart Link. It is usually used in conjunction with Layer-2 topology protocols. The idea is to adapt the up/down state of downlink ports to the up/down state of uplink ports, triggering link switchover on the downlink device in time. It is used to monitor the uplink and to perfect the backup function of Smart Link.

RRPP

The Rapid Ring Protection Protocol (RRPP) is a link layer protocol designed for Ethernet rings. RRPP can prevent broadcast storms caused by data loops when an Ethernet ring is healthy, and rapidly restore the communication paths between the nodes in the event that a link is disconnected on the ring.

Compared with the IEEE spanning tree protocols, RRPP features the following:

- Fast topology convergence
- Convergence time independent of Ethernet ring size

Figure 3-18 Network diagram for RRPP

By configuring an individual RRPP domain for transmitting the traffic of the specified VLANs (referred to as protected VLANs) in a ring network, traffic of different VLANs can be transmitted according to different topologies in the ring network. In this way, load balancing is achieved.

As shown in Figure 3-19, Ring 1 is configured as the primary ring of both Domain 1 and Domain 2. In Domain 1, Device A is configured as the master node of Ring 1; in Domain 2, Device B is configured as the master node of Ring 1. Such configurations enable the ring to block different links based on VLANs, thus achieving single-ring load balancing.

Figure 3-19 Network diagram for single-ring load balancing

3.13 IRF

The Intelligent Resilient Framework (IRF) is an innovative technology developed by H3C for mid-range and low-end switches. With IRF, users can design and realize high availability, scalability and reliability at the core layer and distribution layer of gigabit Ethernet networks.

Physical Connections

You can connect multiple IRF-capable S5120-EI switches to form a logical switching entity, which looks like a single switching device from the management view. This type of virtual device combines the low cost of box-type switches with the high scalability and availability of distributed chassis switches.

Figure 3-20 IRF virtual device

The devices in an IRF stack exchange hello packets to collect the topology of the entire stack and to report topology changes to the management module. Adding or deleting a member device is similar to inserting or removing a board to or from a chassis switch. This mechanism realizes hot backup and provides excellent scalability.

Figure 3-21 Add a member to the IRF stack

In an IRF stack, every single device is a stack member, and plays one of the following two roles according to its function:

- Master: The stack member elected to manage the entire stack. An IRF stack has only one master at one time.
- Slave: A stack member that is managed by the master and operates as a backup of the master. In an IRF stack, except for the master, all the other devices are slaves.

A typical IRF stack has a bus connection or a ring connection:

Figure 3-22 Physical connections of an IRF stack (bus topology and ring topology)

The orange lines in the figure represent stack links, which are different from common Ethernet network cables. A stack link can be composed of either one physical line or multiple physical lines.

Easy Management

An IRF stack can be regarded as a single entity. You can manage the entire IRF stack by logging in to any unit in the stack either from its console port or a network port through Telnet.

The management center of an IRF stack is its master device. All login requests and configurations you make are processed on the master device, regardless of by what means or from which member device you log in to the stack. Eventually, the configurations you make are synchronized by the master to the slaves.

An IRF stack uses member IDs to uniquely identify member devices. The member IDs are also used in port numbers to identify users. For example, if the member ID of a device is 3, its port number is GigabitEthernet 3/0/x.

Efficient Redundancy Backup

By using S5120-EI series switches to form an IRF stack, you can provide abundant access ports and enhanced forwarding capability. Considering strict requirements for reliability at the distribution layer of a network and data centers, IRF is designed to provide redundancy at the device level, protocol level and link level.

I. Device level 1:N backup

Common distributed chassis devices use 1:1 backup, where a backup module keeps synchronization with the primary module and takes over when the primary module fails. IRF uses 1:N backup, where multiple slaves are configured as the backups of the master and are strictly synchronized with the master. Once the master fails, a new master is elected from the slaves to prevent service interruption. Because the slaves are strictly synchronized with the master, the switchover has little impact on ongoing services. Thus, reliability is improved.

II. Protocol level hot backup

When an IRF stack works normally, all protocol information and entries are synchronized among the devices. If one or more devices fail, other devices can take over the services from the failed devices immediately to ensure normal working of the entire stack. For example, the master in normal working state synchronizes the ARP information to all the devices in the IRF stack.

Figure 3-23 ARP information synchronization

If the master fails, the IRF stack elects a slave (suppose its member ID is 2) as the new master, which then continues communicating with the uplink routers using the ARP information synchronized from the former master, and synchronizes update information to other slaves. Thus, the operation of the entire IRF stack is uninterrupted.

Figure 3-24 ARP protocol backup

III. Link level backup

Traditional link aggregation technologies provide protection against link failures but not protection against single point of failures caused by node failures. The new distributed link aggregation technology provided by IRF can effectively address this single-point failure issue.

With distributed link aggregation of IRF, you can assign ports on different stack units to the same link aggregation group. Thus, even when a unit fails causing unavailability of the link aggregation member port or ports on the unit, traffic can be forwarded out the

link aggregation member ports on any other available stack unit to the destination. Meanwhile, the stack links between IRF member devices provide a rate up to 12/24 Gbps, which allows multiple aggregation groups to work at the same time.

Figure 3-25 Distributed aggregation

Chapter 4 System Maintenance and Management

4.1 Simple and Flexible Maintenance System

System Configuration

The S5120-EI series can be configured through the command line interface (CLI), NMS, or Web.

- In the CLI approach, you can configure the S5120-EI series locally through the console port, or configure it remotely through modem dialup or Telnet. As for Telnet, both Telnet server and Telnet client are supported.
- In the NMS approach, you can configure the S5120-EI series through an SNMP-based NMS.
- In the Web approach, you can configure the models in the S5120-EI series that support the Web-based network management.

System Maintenance

The S5120-EI series provide diverse management and maintenance functions:

- LEDs are available on the switches and optional modules, indicating the board running status.
- Remote maintenance through Telnet
- Hierarchical management of user authorities and operation logs, as well as online help function
- Hierarchical alarm management and alarm filtering
- System status query, version query, debugging and tracing functions, to monitor system running status

System Test and Diagnosis

The S5120-EI series provide means for system software and hardware fault detection and diagnosis. Tools such as ping and tracert are available for you to test network connectivity and trace packet transmission paths online and hence address faults.

Software Upgrade

The S5120-EI series provide multiple approaches to software upgrade, and support remote upgrade and rollback to the previous version after upgrade.

The S5120-EI series support the following software upgrade methods:

- Software upgrade through a serial port by using the XModem protocol.

- Software upgrade through an Ethernet port through TFTP or FTP.
- Software upgrade through the Web-based NMS through HTTP.

4.2 imc NMS

The S5120-EI series support imc NMS for centralized management, which is usually implemented in multilingual graphic interfaces. The NMS provides management in topology, configuration, fault, security, and performance.

Topology Management

The imc NMS helps you learn your network in the most direct and convenient way by providing a network-wide device topology view. The NMS delivers powerful topology management. It provides physical topology view, logical topology view, and customized views, offering a unified network-wide equipment view. It also provides user-friendly interfaces for network/equipment operation and maintenance. The NMS supports automatic topology discovery, reflecting the real-time changes in network topology and equipment status.

Configuration Management

With the IMC, you can configure and manage the S5120-EI series Ethernet switches, such as querying/enabling/disabling ports, querying/resetting/loading boards, and querying port parameters/VLAN configurations.

Fault Management

Fault management is the most important and common management approach during the network operation and maintenance. In the graphic interfaces, you can implement equipment running/fault status query, real-time monitoring, and fault filtering/locating/check/analysis. The system provides audio prompt and graphical displays on the alarm card. Additionally, it can be connected to the alarm box and therefore facilitates routine maintenance.

Performance Management

The IMC can collect and analyze performance data, monitor performance, and provide graphical performance reports in different forms. You can thus learn the information on equipment load and access traffic, track network service quality, and allocate network resources based on your network evaluation.

Security Management

The IMC provides many security measures to strictly authenticate the user's operations and ensure the system security. It offers a detailed operation log for later query and analysis.

4.3 Web-Based Network Management

Web-based network management allows you to manage and maintain a switch through Web.

In the implementation of Web-based network management, the switch provides a built-in Web server and runs a Web-based network management program on the homepage at the IP address of the management VLAN. The PC users connected to the Ethernet ports on the switch can access and use, through a browser, the program on the homepage to manage the switch. Figure 4-1 shows the Web-based network operating environment:

Figure 4-1 Web-based network management operating environment


Quidway S3900 Series Intelligent and Resilient Switches Product Specification Quidway S3900 Series Intelligent and Resilient Switches Product Specification Port Configuration S3928P-SI / S3928P-EI / S3928P-PWR-EI S3928TP-SI S3952P-SI / S3952P-EI / S3952P-PWR-EI S3928F-EI Fixed ports

More information

NGSME16T2H. (16-port 10/100/1000Base-T + 2 Gigabit SFP L2+ Management PoE Switch)

NGSME16T2H. (16-port 10/100/1000Base-T + 2 Gigabit SFP L2+ Management PoE Switch) NGSME16T2H (16-port 10/100/1000Base-T + 2 Gigabit SFP L2+ Management PoE Switch) More information: WWW.NIVEOPROFESSIONAL.COM INFO@NIVEOPROFESSIONAL.COM Product Specification Introduction The NGSM16ET2H

More information

Gigabit Managed Ethernet Switch

Gigabit Managed Ethernet Switch LGB1110A LGB1152A Product Data Sheet Gigabit Managed Ethernet Switch LGB1110A OVERVIEW The Gigabit Managed Ethernet Switches offer L2 features plus advanced L3 features such as Static Route for Enterprise

More information

Gigabit Managed Ethernet Switch

Gigabit Managed Ethernet Switch LGB1110A LGB1126A-R2 LGB1152A Product Data Sheet Gigabit Managed Ethernet Switch FEATURES L2+ features make the switch easy to manage, provide robust security, and QoS. Offers a built-in device management

More information

Huawei Enterprise S2700 Series Switches

Huawei Enterprise S2700 Series Switches 2 Product Overview The S2700 series enterprise switches (S2700s) are next-generation energy-saving intelligent 100M Ethernet switches. The S2700 utilizes cutting-edge switching technologies and Huawei

More information

NGSME48T2H. (48-Port 10/100/1000Base-T Gigabit Combo TP/SFP Layer 2+ Full Management High Power PoE Switch)

NGSME48T2H. (48-Port 10/100/1000Base-T Gigabit Combo TP/SFP Layer 2+ Full Management High Power PoE Switch) NGSME48T2H (48-Port 10/100/1000Base-T+ 2 10-Gigabit Combo TP/SFP Layer 2+ Full Management High Power PoE Switch) * 48-Port PoE Gigabit Copper + 2-port 10-Gigabit ComboTP/ SFP+ * 802.3az Energy Efficient

More information

Quidway S5300 Series Gigabit Switches

Quidway S5300 Series Gigabit Switches Quidway S5300 Series Gigabit Switches 1 Quidway S5300 Series Gigabit Switches Quidway S5300 Series Gigabit Switches Product Overview Quidway S5300 series gigabit switches (hereinafter referred to as the

More information

ISCOM2600G Series GE Access Switches

ISCOM2600G Series GE Access Switches ISCOM2600G Series GE Access Switches Overview The ISCOM2600G series switches are the new-generation, environmental-friendly, and energy-saving Ethernet switches independently developed by Raisecom, which

More information

NGSME24T2H-AV. (24-Rear Port 10/100/1000Base-T PoE + 2 Gigabit SFP Layer 2+ Management Current Sharing PoE+ Switch)

NGSME24T2H-AV. (24-Rear Port 10/100/1000Base-T PoE + 2 Gigabit SFP Layer 2+ Management Current Sharing PoE+ Switch) NGSME24T2H-AV (24-Rear Port 10/100/1000Base-T PoE + 2 Gigabit SFP Layer 2+ Management Current Sharing PoE+ Switch) More information: WWW.NIVEOPROFESSIONAL.COM INFO@NIVEOPROFESSIONAL.COM Product Specification

More information

PSGS-2610F L2+ Managed GbE PoE Switch

PSGS-2610F L2+ Managed GbE PoE Switch PSGS-2610F L2+ Managed GbE PoE Switch Overview PSGS-2610F L2+ Managed PoE+ Switch is a next-generation Ethernet Switch offering full suite of L2 features, better PoE functionality and usability, including

More information

GS-2610G L2+ Managed GbE Switch

GS-2610G L2+ Managed GbE Switch GS-2610G L2+ Managed GbE Switch Overview GS-2610G L2+ Managed Switch is a next-generation Ethernet Switch offering full suite of L2 features, including advanced L3 features such as Static Route that delivers

More information

24-Port: 20 x (100/1000M) SFP + 4 x Combo (10/100/1000T or 100/1000M SFP)

24-Port: 20 x (100/1000M) SFP + 4 x Combo (10/100/1000T or 100/1000M SFP) BGS-20DSFP4C Managed Fiber Switch 24-Port: 20 x (100/1000M) SFP + 4 x Combo (10/100/1000T or 100/1000M SFP) Key Features L2+ features provide better manageability, security, QOS, and performance IEEE 802.3az

More information

The H3C S5500-HI series switch is a new generation

The H3C S5500-HI series switch is a new generation H3C Enhanced IPv6 10GE Series Switch S5500-34C-HI/S5500-34C-PWR-HI S5500-58C-HI/S5500-58C-PWR-HI S5500-34F-HI Overview The H3C series switch is a new generation enhanced IPv6 Layer 3 10GE switch series,

More information

JSH2402GBM. Introduction. Main Features Combo Port Mixed Giga Ethernet SNMP Switch. Picture for reference

JSH2402GBM. Introduction. Main Features Combo Port Mixed Giga Ethernet SNMP Switch. Picture for reference JSH2402GBM 24+2 Combo Port Mixed Giga Ethernet SNMP Switch Introduction Picture for reference The 24+2 Combo Port Mixed Giga Ethernet SNMP Switch is ideal for medium to large Internet bar or enterprise,

More information

SYSTROME SG-500 Series

SYSTROME SG-500 Series SYSTROME SG-500 Series Full-gigabit Ethernet Switches Product Overview SYSTROME SG-500 Series is a new-generation smart access switch designed for carrier's IP MAN and enterprise networks. Based on the

More information

System Description Quidway S5000 Series Ethernet Switches. Table of Contents

System Description Quidway S5000 Series Ethernet Switches. Table of Contents Table of Contents Table of Contents Chapter 1 Product Overview... 1-1 1.1 Preface... 1-1 1.2 System Features... 1-3 1.3 Service Features... 1-3 Chapter 2 Hardware Description...2-1 2.1 S5012G and S5012G-DC

More information

Huawei Enterprise S6700 Series 10G Switches

Huawei Enterprise S6700 Series 10G Switches Huawei Enterprise 2 Product Overview The S6700 series switches (S6700 for short) are next-generation 10G case-shaped switches. It can function as an access switch in an Internet data center (IDC) or a

More information

TP-LINK. 24-Port Gigabit L2 Managed Switch with 4 Combo SFP Slots. Overview. Datasheet TL-SG3424.

TP-LINK. 24-Port Gigabit L2 Managed Switch with 4 Combo SFP Slots. Overview. Datasheet TL-SG3424. TP-LINK 24-Port Gigabit L2 Managed Switch with 4 Combo SFP Slots Overview TP-LINK 24-Port Gigabit L2 Managed Switch with 4 Combo SFP Slots is equipped with 24 gigabit RJ45 ports and 4 combo SFP slots.

More information

A Gigabit Ethernet core network or aggregation layer with high availability as well as scalability

A Gigabit Ethernet core network or aggregation layer with high availability as well as scalability Quidway Series Intelligent Gigabit Switches Quidway Series Switches are innovative switches that improve LAN operating efficiency by integrating the industry-leading technology, Intelligent Resilient Framework.

More information

FGS-2616X L2+ Managed GbE Fiber Switches

FGS-2616X L2+ Managed GbE Fiber Switches FGS-2616X L2+ Managed GbE Fiber Switches FGS-2616XD FGS-2616XA FGS-2616X Overview FGS-2616X series L2+ Managed Switch are next-generation Fiber Switch offering full suite of L2 features and additional

More information

48-Port 10/100/1000BASE-T + 4-Port 100/1000BASE-X SFP Gigabit Managed Switch GS T4S

48-Port 10/100/1000BASE-T + 4-Port 100/1000BASE-X SFP Gigabit Managed Switch GS T4S 48-Port 10/100/1000BASE-T + 4-Port 100/1000BASE-X SFP Gigabit Managed Switch GS-4210-48T4S Outlines Product Overview Product Benefits Applications Appendix Product Features 2 / 42 Product Overview Layer

More information

Item ATS T ATS T-POE ATS T 26x10/100/ x10/100/ x10/100/1000 Base-T Base-T

Item ATS T ATS T-POE ATS T 26x10/100/ x10/100/ x10/100/1000 Base-T Base-T Product Overview. ATS-4500 v2 is a full GE L2 Web Smart switch with cost effective and wire-speed switching capacity, which can be good choice for GE to desk solution and GE access demoand. 24 GE access

More information

Cisco SGE Port Gigabit Switch Cisco Small Business Managed Switches

Cisco SGE Port Gigabit Switch Cisco Small Business Managed Switches Cisco SGE2000 24-Port Gigabit Switch Cisco Small Business Managed Switches High-Performance, Reliable, Stacking Switch for Small Businesses Highlights 24 high-speed ports optimized for the network core

More information

DCS CT-POE fully loaded AT PoE Switch Datasheet

DCS CT-POE fully loaded AT PoE Switch Datasheet DCS-3950-28CT-POE fully loaded AT PoE Switch Datasheet DCS-3950-28CT-POE Product Overview DCS-3950-28CT-POE is fully loaded PoE switch for carrier and enterprises. It supports comprehensive QoS, enhanced

More information

JetStream T2500G Series L2 Managed Switches

JetStream T2500G Series L2 Managed Switches JetStream T2500G Series L2 Managed Switches MODEL: T2500G-10TS (TL-SG3210)/T2500G-10MPS Datasheet Highlights -Gigabit Ethernet connections on all ports provide full speed of data transferring -Selective

More information

Huawei S2300 Series Switches Product Brochure

Huawei S2300 Series Switches Product Brochure Huawei S2300 Series Switches Product Brochure S2300 Series Enterprise Switches Product Overview S2300 switches (S2300 for short) are next-generation Ethernet intelligent switches developed by Huawei to

More information

GV-PoE Switch Comparison Table (Full Version)

GV-PoE Switch Comparison Table (Full Version) GV-PoE Switch Comparison Table (Full Version) Contents 10/100M Web Smart L Switch... 1 GV-POE001 / 01 / 01-V / 01 / 01-V Gigabit Web Smart L Switch...1 GV-POE011-V / 011 / 11 / 11-V / 11 / 11-V Gigabit

More information

ZCOMAX S2900 Series 10GE Switches

ZCOMAX S2900 Series 10GE Switches ZCOMAX S2900 Series 10GE Switches ZCOMAX S2900 Series 10GE Switches Product Overview ZCOMAX S2900 Series switches are new-generation smart access ones developed by ZCOMAX for carrier s IP MAN and enterprise

More information

DCS F Dual Stack Optical Ethernet Switch Datasheet

DCS F Dual Stack Optical Ethernet Switch Datasheet Dual Stack Optical Ethernet Switch Datasheet Product Overview switch full gigabit optical Ethernet Layer 2 switch for carrier and MAN networks. They support dual stack(ipv4/ IPv6), comprehensive QoS, enhanced

More information

Cisco SGE Port Gigabit Switch Cisco Small Business Managed Switches

Cisco SGE Port Gigabit Switch Cisco Small Business Managed Switches Cisco SGE2010 48-Port Gigabit Switch Cisco Small Business Managed Switches Performance and Reliability to Support Small Business Networks Highlights 48 high-speed ports optimized for the network core or

More information

Cisco SFE Port 10/100 Ethernet Switch Cisco Small Business Managed Switches

Cisco SFE Port 10/100 Ethernet Switch Cisco Small Business Managed Switches Cisco SFE2000 24-Port 10/100 Ethernet Switch Cisco Small Business Managed Switches Secure, Flexible Switches for Small Business Network Foundations Highlights Designed for small businesses that require

More information

DCS C. Application Digital China .1 / 6

DCS C. Application Digital China .1 / 6 DCS-3650 Series Fast Ethernet Intelligent Access Switch Datasheet DCS-3650-8C/8C-POE DCS-3650-26C Product Overview DCS-3650 Series switch is Fast Ethernet intelligent access switch for MAN, campus or enterprise

More information

JetStream T2500G Series L2 Managed Switches

JetStream T2500G Series L2 Managed Switches JetStream T2500G Series L2 Managed Switches MODEL: T2500G-10TS (TL-SG3210)T2500G-10MPS Datasheet Highlights -Gigabit Ethernet connections on all ports provide full speed of data transferring -Selective

More information

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61)

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61) (11) 4062-6971 (21) 4062-6971 (31) 4062-6971 (41) 4062-6971 (48) 4062-6971 (51) 4062-6971 (61) 4062-6971 Cisco SRW208P 8-Port 10/100 Ethernet Switch: WebView/PoE Cisco Small Business Managed Switches Highly

More information

BDCOM S2900 Series 10GE Switches

BDCOM S2900 Series 10GE Switches BDCOM S2900 Series 10GE Switches BDCOM S2900 Series BDCOM S2900 Series is a new-generation smart switch designed for carrier's IP MAN and enterprise networks. Based on the new-generation high-performance

More information

Managed 24-port Gigabit PoE + 2-port 100/1000 SFP Combo Ethernet Switch

Managed 24-port Gigabit PoE + 2-port 100/1000 SFP Combo Ethernet Switch Managed 24-port Gigabit + 2-port 100/1000 SFP Combo Ethernet Switch Overview EtherWAN's EX26262F provides a 26-port switching platform with support for IEEE802.3at Power over Ethernet, high performance

More information

Gigabit Network Switches

Gigabit Network Switches Network Transmission Gigabit Network Switches Layer 2 (Non-PoE) Layer 3 (PoE-at) OVERVIEW This Enterprise-Class Network Switch provides 24 Gigabit Ethernet ports with 4 shared 100/1000Mbps SFP slots. This

More information

XS26DS. L2/L3 10 G Optic Fiber Aggregation Switches. Features. Overview. XS26DS L3 10 G Optic Fiber Aggregation Switches

XS26DS. L2/L3 10 G Optic Fiber Aggregation Switches. Features. Overview. XS26DS L3 10 G Optic Fiber Aggregation Switches Features L2/L3 wire-speed switch that support all optical connections. With 10GE uplinks, 24 client ports 20x 100M/1G SFP client ports and 4x combo 100Mb/1Gb & 10/100/1000Mb client ports Extensive set

More information

H3C S3100-EI Series Intelligent Access Switches

H3C S3100-EI Series Intelligent Access Switches H3C S3100 Series Intelligent Access Switches 1 Product Overview H3C S3100 series intelligent Ethernet switches are wire-speed Layer 2 Ethernet switching products. They are designed for the network environments

More information

GS-1626G Web Smart+ GbE Switch

GS-1626G Web Smart+ GbE Switch GS-1626G Web Smart+ GbE Switch Overview GS-1626G Web Smart+ Managed Switch is a next-generation Ethernet Switch offering powerful L2 features and Layer 3 Static Route that delivers the cost-effectively

More information

TP-LINK Gigabit L2 Managed Switch

TP-LINK Gigabit L2 Managed Switch NEW TP-LINK Gigabit L2 Managed Switch TM NEW TL-SG3216 / TL-SG3424 Overview TP-LINK JetStream TM gigabit L2 managed switch 3 series family consists of two switches: TL-SG3216 with 16 10/100/1000Mbps ports

More information

EX Lite L3 Hardened Managed 24-port Gigabit and 4-port 1G/10G SFP+ Ethernet Switch SFP

EX Lite L3 Hardened Managed 24-port Gigabit and 4-port 1G/10G SFP+ Ethernet Switch SFP Lite L3 Hardened Managed 24-port Gigabit and 4-port 1G/10G SFP+ Ethernet Switch Reduced depth of 254mm NEMATS2 SFP Option Overview EtherWAN s Series provides a Hardened Full-Gigabit Managed 28-port switching

More information

About the H3C S5130-EI configuration guides

About the H3C S5130-EI configuration guides About the H3C S5130-EI configuration guides The H3C S5130-EI configuration guides describe the software features for the H3C S5130-EI Switch Series, and guide you through the software configuration procedures.

More information

S5700-EI Series Gigabit Enterprise Switches

S5700-EI Series Gigabit Enterprise Switches S5700-EI Series Gigabit Enterprise Switches S5700-EI Series Gigabit Enterprise Switches Product Overview The S5700-EI series gigabit enterprise switches (S57EI) are next-generation energy-saving switches

More information

16-port 10/100/1000M PoE + 2 Gigabit SFP/RJ45 Copper Combo Ports

16-port 10/100/1000M PoE + 2 Gigabit SFP/RJ45 Copper Combo Ports ALL-SG8918PM 16-port 10/100/1000M PoE + 2 Gigabit SFP/RJ45 Copper Combo Ports IEEE 802.3at/af PoE, up to 30W per port Layer 2+ Full Managed Software Features with MSTP, LACP, LLDP, sflow, 802.1X, RADIUS,

More information

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61)

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61) (11) 4062-6971 (21) 4062-6971 (31) 4062-6971 (41) 4062-6971 (48) 4062-6971 (51) 4062-6971 (61) 4062-6971 Cisco SRW208MP 8-Port 10/100 Ethernet Switch: WebView/Max PoE Cisco Small Business Managed Switches

More information

RC-ACS-2428B. Overview. Features & Benefits. Gigabit L2+ OAM Managed Fiber Switch with.

RC-ACS-2428B. Overview. Features & Benefits. Gigabit L2+ OAM Managed Fiber Switch with. Gigabit L2+ OAM Managed Fiber Switch with Twin-Rate TM RC-ACS-2428B Overview The RC-ACS-2428B, the next generation L2+ Carrier Ethernet Access Fiber switches from Raycore, is a 20-port GbE SFP, 4-port

More information

DCS-3950 Series Fast Ethernet Intelligent Access Switch Datasheet

DCS-3950 Series Fast Ethernet Intelligent Access Switch Datasheet DCS-3950 Series Fast Ethernet Intelligent Access Switch Datasheet DCS-3950-10C DCS-3950-26C DCS-3950-28C Product Overview DCS-3950 Series switch is Fast Ethernet intelligent security access switch for

More information

TP-LINK. 24-Port Gigabit L2 Managed PoE Switch with 4 Combo SFP Slots. Overview. Datasheet TL-SG3424P.

TP-LINK. 24-Port Gigabit L2 Managed PoE Switch with 4 Combo SFP Slots. Overview. Datasheet TL-SG3424P. TP-LINK TM 24-Port Gigabit L2 Managed PoE Switch with 4 Combo SFP Slots Overview The provides 24 10/100/1000Mbps ports that supports 802.3at/af-compliant PoE, with a total PoE power supply up to 320W,

More information

H3C S1850 Gigabit WEB Managed Switch Series

H3C S1850 Gigabit WEB Managed Switch Series DATASHEET H3C S1850 Gigabit WEB Managed Switch Series Product overview The H3C 1850 Switch Series consists of advanced smart-managed fixed-configuration Gigabit switches designed for small businesses in

More information

Quidway S3300 Series Switches

Quidway S3300 Series Switches Quidway S3300 Series Switches 1 Quidway S3300 Series Switches Quidway S3300 Series Switches Product Overview Quidway S3300 series switches (hereinafter referred to as the S3300s), a new generation of Layer

More information

Cisco SFE2000P 24-Port 10/100 Ethernet Switch: PoE Cisco Small Business Managed Switches

Cisco SFE2000P 24-Port 10/100 Ethernet Switch: PoE Cisco Small Business Managed Switches Cisco SFE2000P 24-Port 10/100 Ethernet Switch: PoE Cisco Small Business Managed Switches Secure, Flexible Switches for Small Business Network Foundations Highlights Designed for small businesses that require

More information

Huawei S5320-SI V200R008C00 Switch Product Brochures

Huawei S5320-SI V200R008C00 Switch Product Brochures Huawei S5320-SI V200R008C00 Switch Product Brochures Issue V1.0 Date 2015-08-27 Huawei Technologies Co., Ltd. S5320-SI Series Gigabit Enterprise Switches Product Overview The S5320-SI series are gigabit

More information

Cisco Small Business Managed Switches

Cisco Small Business Managed Switches Cisco SRW208L 8-Port 10/100 Ethernet Switch: WebView/LX Uplink Cisco Small Business Managed Switches Secure, Reliable, Intelligent Switching for Small Businesses Highlights Connects up to eight network

More information

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61)

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61) Cisco SRW2008 8-Port Gigabit Switch: WebView Cisco Small Business Managed Switches High-performance, secure switching for small businesses Highlights Eight high-speed ports to support bandwidth-intensive

More information

HUAWEI. Quidway Full Series Ethernet Routing Switches HUAWEI

HUAWEI. Quidway Full Series Ethernet Routing Switches HUAWEI HUAWEI T e c h n o l o g i e s Quidway Full Series Ethernet Routing Switches HUAWEI q~ääé=çñ=åçåíéåíë=n Quidway S2000-EI Series Intelligent Layer 2 Ethernet Switches... 1 Quidway S3026G/T/C Intelligent

More information

8-port 10/100/1000M PoE + 2 Gigabit SFP/RJ45 Copper Combo Ports

8-port 10/100/1000M PoE + 2 Gigabit SFP/RJ45 Copper Combo Ports ALL-SG8910PM 8-port 10/100/1000M PoE + 2 Gigabit SFP/RJ45 Copper Combo Ports IEEE 802.3at/af PoE, up to 30W per port Layer 2+ Full Managed Software Features with MSTP, LACP, LLDP, sflow, 802.1X, RADIUS,

More information

Gigabit Network Switches

Gigabit Network Switches Network Transmission Gigabit Network Switches Layer 2 (Non-PoE) Layer 3 (PoE-at) OVERVIEW This Enterprise-Class Network Switch provides 24 Gigabit Ethernet ports with 4 shared 100/1000Mbps SFP slots. This

More information

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61)

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61) Cisco SRW2008MP 8-Port Gigabit Switch: WebView/Max PoE Cisco Small Business Managed Switches Secure, Reliable, Intelligent, Managed Gigabit Switching with PoE for Small Businesses Highlights Eight high-speed

More information

IS5600G/IS5600XG-2U Layer3 Industrial Ethernet Switch

IS5600G/IS5600XG-2U Layer3 Industrial Ethernet Switch IS5600G/IS5600XG-2U Layer3 Industrial Ethernet Switch Product Overview IS5600G-2U/ IS5600-XG-2U IS5600G-2U/ IS5600XG-2U layer 3 modular gigabit industrial ethernet switch supports comprehensive Layer 2/3

More information

DCRS-5750T Dual Stack Ethernet Switch Datasheet

DCRS-5750T Dual Stack Ethernet Switch Datasheet Dual Stack Ethernet Switch Datasheet DCRS-5750-28T-DC/ 28T-POE Key Features and Benefits Performance and Scalability DCRS-5750 series switch support wire-speed L2/L3 forwarding and high routing performance

More information

Overview Powerful All-port 10Gbps Solution for Enterprise Core Networks Layer 3 10Gigabit static routing 16 SFP+ fiber 320Gbps switching fabric

Overview Powerful All-port 10Gbps Solution for Enterprise Core Networks Layer 3 10Gigabit static routing 16 SFP+ fiber 320Gbps switching fabric Overview Powerful All-port 10Gbps Solution for Enterprise Core Networks This Layer 3 Stackable Managed Gigabit Switch provides high-density performance via its Layer 3 10Gigabit static routing with 16

More information

About the H3C S5130-HI configuration guides

About the H3C S5130-HI configuration guides About the H3C S5130-HI configuration guides The H3C S5130-HI configuration guides describe the software features for the H3C S5130-HI Switch Series, and guide you through the software configuration procedures.

More information

The H3C S3600V2 SI/EI series switches deliver premium levels

The H3C S3600V2 SI/EI series switches deliver premium levels H3C -28TP-SI -52TP-SI -28F-EI -28TP-EI -52TP-EI -28TP-PWR-EI -52TP-PWR-EI Overview The H3C SI/EI series switches deliver premium levels of intelligent and resilient performance, security, and reliability

More information

Spotlight Versatile Connectivity Modularized Ethernet Switch of 24-port 10/100BASE-TX/FX/BX and 4-port Gigabit-TX/SX/LX/BX/SFP

Spotlight Versatile Connectivity Modularized Ethernet Switch of 24-port 10/100BASE-TX/FX/BX and 4-port Gigabit-TX/SX/LX/BX/SFP IEC61850-3/IEEE1613 Modularized Managed 24-port 10/100BASE and 4-port Gigabit Ethernet Switch with SFP options IEC 61850-3 Overview EtherWAN s provides an industrial Fully Managed 28-port switching platform

More information

L Port 10/100/1000T PoE + 2-Port Gigabit SFP + Managed Switch

L Port 10/100/1000T PoE + 2-Port Gigabit SFP + Managed Switch L2 + 24-Port 10/100/1000T PoE + 2-Port Gigabit SFP + Managed Switch PS-B8266VF series are high performance and cost efficiency 802.3af/at PoE Smart Switch. It comes with 24 dedicated 10/100/1000Mbps PSE

More information

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61)

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61) (11) 4062-6971 (21) 4062-6971 (31) 4062-6971 (41) 4062-6971 (48) 4062-6971 (51) 4062-6971 (61) 4062-6971 Cisco SRW224G4 24-Port 10/100 + 4-Port Gigabit Switch: WebView Cisco Small Business Managed Switches

More information

Datasheet. Fengine S4800 Series Gigabit Switches P RODUCT O VERVIEW P RODUCT A PPEARANCE. Wuhan FiberHome Networks Co., Ltd.

Datasheet. Fengine S4800 Series Gigabit Switches P RODUCT O VERVIEW P RODUCT A PPEARANCE. Wuhan FiberHome Networks Co., Ltd. Datasheet V30R203 Fengine S4800 Series Gigabit Switches P RODUCT O VERVIEW Fengine S4800 series gigabit switches (S4800) are leading Layer 2 intelligent manageable fixed-port devices developed by FiberHome

More information

T1700X-16TS Datasheet

T1700X-16TS Datasheet 12-Port 10GBase-T Smart Switch with 4 10G SFP+ Slots T1700X-16TS Datasheet Highlights - Equipped with 12 10GBase-T RJ45 Ports and 4 10G SFP+ Fiber Ports, providing 320Gbps Switching Capacity - 10GBase-T

More information

Support STP/RSTP/MSTP, redundant links and IEEE 802.3ad Link Aggregation

Support STP/RSTP/MSTP, redundant links and IEEE 802.3ad Link Aggregation Enhanced Intelligent L2 Media Convertor is designed for Carrier Ethernet media transition, which provides cost-effective solutions for campus, enterprise, and residential access scenarios. The product

More information

IS3600 Series Layer2 Industrial Ethernet Switch

IS3600 Series Layer2 Industrial Ethernet Switch IS3600 Series Layer2 Industrial Ethernet Switch Product Overview IS3600E-28M/ IS3600G-28M IS3600 series modular gigabit industrial ethernet switch supports comprehensive Layer 2 protocols. It provides

More information

CL-SW10G Port GbE (100M/1G)SFP + 4 TP/(100/1G) SFP Combo + 4-Port 1G/10G SFP+ L2 Plus Carrier Ethernet Switch

CL-SW10G Port GbE (100M/1G)SFP + 4 TP/(100/1G) SFP Combo + 4-Port 1G/10G SFP+ L2 Plus Carrier Ethernet Switch Key Features L2+ features provide better manageability, security, QoS, and performance IEEE 802.3ah MAC Layer OAM and IEEE802.1ag Ethernet CFM ITU-T Y.1731 Ethernet OAM Performance monitoring 802.3az Energy

More information

Huawei S5300LI V200R005 Switch Product Brochures. Huawei Technologies Co., Ltd. Issue V1.0. Date

Huawei S5300LI V200R005 Switch Product Brochures. Huawei Technologies Co., Ltd. Issue V1.0. Date Huawei S5300LI V200R005 Switch Product Brochures Issue V1.0 Date 2014-10-25 Huawei Technologies Co., Ltd. S5300-LI Series Gigabit Enterprise Switches Product Overview The S5300-LI is a next-generation

More information

OP-MEN 99216B 2 Port (1G/10G) + 12 Port GbE (100M/1G) SFP + 2 RJ45 (100M/1G) Combo L2 Managed Switch

OP-MEN 99216B 2 Port (1G/10G) + 12 Port GbE (100M/1G) SFP + 2 RJ45 (100M/1G) Combo L2 Managed Switch OP-MEN 99216B 2 Port (1G/10G) + 12 Port GbE (100M/1G) SFP + 2 RJ45 (100M/1G) Combo L2 Managed Switch Overview OP-MEN 99216B is next-generation Fiber Switch offering full suite of L2 features and additional

More information

About the HP A7500 Configuration Guides

About the HP A7500 Configuration Guides About the HP A7500 s The HP A7500 configuration guides are part of the HP A7500 documentation set. They describe the software features for the HP A7500 Release 6620 & 6630 Series, and guide you through

More information

S3900 Series Gigabit Stackable Switches

S3900 Series Gigabit Stackable Switches Data Center & Cloud Computing DATASHEET S3900 Series Gigabit Stackable Switches Models: S3900-24T4S, S3900-24F4S, S3900-48T4S REV.1.0 2018 S3900 Series 01 Overview S3900 Series switches are Gigabit Ethernet

More information

DCRS-5750T Dual Stack Ethernet Switch Datasheet

DCRS-5750T Dual Stack Ethernet Switch Datasheet Dual Stack Ethernet Switch Datasheet DCRS-5750-28T/ 28T-DC/28T-POE Key Features and Benefits Performance and Scalability DCRS-5750 series switch support wire-speed L2/L3 forwarding and high routing performance

More information

Switch shall have 4 SFP 1000 Mb/s ports (2 Port dual-personality ports; 10/100/1000BASE-T or SFP and 2 Fixed 1G SFP port)

Switch shall have 4 SFP 1000 Mb/s ports (2 Port dual-personality ports; 10/100/1000BASE-T or SFP and 2 Fixed 1G SFP port) DELHI METRO RAIL CORPORATION LTD. (A joint venture of Govt. of India & Govt of Delhi) Metro Bhawan, 13, Fire Brigade Lane, Barakhamba Road, NEW DELHI-110001 Tel: 91-011-23417910-12 Extn: 34680 Fax: 91-011-23418413

More information

VivoCam L2+ Series. VivoCam L2+ Managed PoE Switch. Managing IP Surveillance Managed L2+ Gigabit PoE Switch. Key Features

VivoCam L2+ Series. VivoCam L2+ Managed PoE Switch. Managing IP Surveillance Managed L2+ Gigabit PoE Switch. Key Features VivoCam L2+ Series Managing IP Surveillance Managed L2+ Gigabit PoE Switch The VivoCam L2+ series is the Layer 2 Plus managed PoE switch with IP surveillance management functions. This switch is not only

More information

Dual hot-swappable power supply, with voltage/temperature alarms

Dual hot-swappable power supply, with voltage/temperature alarms ISCOM2924G-4C Intelligent Managed Layer-3 Aggregation switch ISCOM2924G-4C provides 24*10/100/1000M Base-T interfaces and 4*10GE SFP+ uplinks with redundant AC or DC power supply. Deployed on the edge

More information

IEC /IEEE 1613 Lite L3 Hardened Managed 24-port Gigabit SFP. 10GbE Connectivity Four 10G SFP+ for connecting the switch to the core network

IEC /IEEE 1613 Lite L3 Hardened Managed 24-port Gigabit SFP. 10GbE Connectivity Four 10G SFP+ for connecting the switch to the core network IEC 61850-3/IEEE 1613 Lite L3 Hardened Managed 24-port Gigabit and 4-port 1G/10G SFP+ Ethernet Switch NEMATS2 IEC 61850-3 IEEE 1613 SFP Option Overview EtherWAN s provides a Hardened Full-Gigabit Managed

More information

Highlights. Datasheet ISCOM2128EA-MA. comboo GE network. Network Security. control, Aggregation. & Management. Advanced QoS. Support IGMP.

Highlights. Datasheet ISCOM2128EA-MA. comboo GE network. Network Security. control, Aggregation. & Management. Advanced QoS. Support IGMP. ISCOM2110EA-MAA Enhanced L2 Carrier Ethernet Access Switch ISCOM2110EA-MAA is designed for Carrier Ethernet access portfolio, which provides cost-effective solutions for campus, enterprise, and residential

More information

SS2GR4000 Series is a L2 Gigabits intelligent switch designed for carrier and MAN networks. It supports comprehensive QoS, enhanced VLAN functions (VLAN VPN, Voice VLAN, QinQ, N:1 VLAN Translation), Ethernet

More information