System Description H3C S5500-EI Series Ethernet Switches. Table of Contents


Table of Contents

Chapter 1 Product Overview
  Preface; System Features; Service Features
Chapter 2 Hardware Description
  S C-EI Ethernet Switch; Appearance; Front Panel; Rear Panel; Power Supply System; Cooling System; Description of S C-EI LEDs; Description of Ports
  S C-EI Ethernet Switch; Appearance; Front Panel; Rear Panel; Power Supply System; Cooling System; Description of S C-EI LEDs; Description of Ports
  S C-PWR-EI Ethernet Switch; Appearance; Front Panel; Rear Panel; Power Supply System; Cooling System; Description of S C-PWR-EI LEDs; Description of Ports
  S C-PWR-EI Ethernet Switch; Appearance; Front Panel; Rear Panel; Power Supply System; Cooling System; Description of S C-PWR-EI LEDs; Description of Ports

  2.5 S F-EI Ethernet Switch; Appearance; Front Panel; Rear Panel; Power Supply System; Cooling System; Description of S F-EI LEDs; Port Attributes
  S C-EI-DC Ethernet Switch; Appearance; Front Panel; Rear Panel; Power System; Cooling System; LED Description; Description of Port Attributes
  Optional Interface Modules; port 10 Gbps XFP Module; Port 10-GE XFP Module; port 10-GE CX4 Short Haul Module; Port GE SFP Module; Port 10-GE SFP+ Module; Description of Extension Module LEDs; CX4 Cable
  Basic Features; Link Aggregation; Traffic Control; DLDP; Broadcast Storm Control; VLAN; GARP/GVRP; QinQ; VLAN Mapping
  Network Protocol Features; ARP; DHCP; UDP Helper; DNS; OAM (802.3ah); Connectivity Fault Detection (802.1ag); NTP

  3.4 Routing Features; Static Route and Default Route; RIP v1/v; RIPng; OSPF v1/v; OSPF v; Introduction to IS-IS; Introduction to IPv6 IS-IS; BGP BGP Equivalent Route; Routing Policy
  MCE Features
  URPF Features
  Multicast Features; IGMP Snooping; IGMP; PIM-DM; PIM-SM; MSDP; MBGP; Multicast VLAN
  STP/RSTP/MSTP; STP/RSTP; MSTP; STP Protection
  IPv6 Features; NDP; Introduction to IPv6 DNS; Ping IPv6 and Tracert IPv; IPv6 Telnet; IPv6 TFTP
  IPv6 Multicast Features; MLD Snooping; MLD
  IPv6 over IPv4 Tunnel Features; IPv6 manually configured tunnel; to4 tunnel; ISATAP Tunnel
  QACL; Traffic Classification; Priority Marking

  Traffic Policing/Bandwidth Assurance; Traffic Statistics; Traffic Mirroring; Traffic Redirection; Port Mirroring; Queue Scheduling; Congestion Avoidance; User Profile
  Centralized Management Features; HGMP
  Security Features; Terminal Access User Classification; SSH; Port Isolation; IEEE 802.1x Authentication; x EAD Fast Deployment; IP Source Guard; MAC address authentication; MAC Address Learning Limit; Binding of MAC Addresses to Ports; MAC Address Black Hole; AAA, RADIUS and HWTACACS; Introduction to Portal
  Reliability Features; Smart Link; Monitor Link; VRRP; RRPP
  IRF; Physical Connections; Easy Management; Efficient Redundancy Backup
Chapter 4 System Maintenance and Management
  Simple and Flexible Maintenance System; System Configuration; System Maintenance; System Test and Diagnosis; Software Upgrade
  Quidview NMS; Topology Management; Configuration Management; Fault Management

  Performance Management; Security Management
  Web-Based Network Management
Chapter 5 Networking Applications
  Distribution Layer Devices in Medium- and Large-Sized Enterprise or Campus Networks; Access Switches; Distribution Layer Devices in Large-Sized Enterprise Networks; Core in Small- and Medium-Sized Enterprise Networks; Interconnectivity Devices for an IP SAN
Chapter 6 Guide to Purchase
  Purchasing the S5500-EI Series; Supported Interface Modules; Purchasing SFP Modules; Purchasing XFP Optical Modules; Purchasing SFP+ Optical Modules and SFP+ cables; Purchasing the Short-haul 2-port 10-GE CX4 Module

Chapter 1 Product Overview

1.1 Preface

H3C S5500-EI Series Ethernet Switches (hereinafter referred to as the S5500-EI series) are Gigabit Ethernet switching products developed by Hangzhou H3C Technology Co., Ltd. The S5500-EI series have abundant service features. They provide the IPv6 forwarding function and 10-GE uplink interfaces. Through H3C-specific cluster management, you can streamline network management.

The S5500-EI series are designed as distribution and access devices for intranets and metropolitan area networks (MANs). Supporting IPv4/IPv6 dual-stack, the S5500-EI series provide abundant service features and routing functions and can also be used for connecting server groups in data centers.

The S5500-EI series support the innovative Intelligent Resilient Framework (IRF) technology. With IRF, multiple S5500-EI switches can be interconnected as a logical entity to form a new intelligent network featuring high availability, scalability, and manageability.

Table 1-1 lists the models in the S5500-EI series:

Table 1-1 Models in the H3C S5500-EI series
Model / Power supply unit / Number of service ports / Ports / Console port
H3C S C-EI / AC-input + RPS (remote power supply) (12 V) / /100/1,000 M electrical ports + 4 Gigabit SFP Combo ports GE module slots / 1
H3C S C-EI / AC-input + RPS (12 V) / /100/1,000 M electrical ports + 4 Gigabit SFP Combo ports GE module slots / 1
H3C S C-PWR-EI / AC-input + RPS (48 V) / /100/1,000 M PoE electrical ports + 4 Gigabit SFP Combo ports GE module slots / 1

H3C S C-PWR-EI / AC-input + RPS (48 V) / /100/1000-Mbps PoE electrical ports + 4 Gigabit SFP Combo ports GE module slots / 1
H3C S F-EI / Hot-swappable AC or 48 VDC backup power supply / /1,000 M SFP ports /100/1,000 M Combo electrical ports GE module slots / 1
H3C S C-EI-DC / DC 48 V + RPS (12 V) / /100/1,000 M electrical ports + 4 Gigabit SFP Combo ports GE module slots / 1

An S5500-EI series Ethernet switch provides two module slots and power inputs on its rear panel, and each module slot can be configured with a 1-port or 2-port 10-GE module. In addition, an S5500-EI series Ethernet switch, except an S F-EI and S C-EI-DC, provides an AC power (48 V) input with an RPS (12 V) input on its rear panel.

An S F-EI Ethernet switch provides two power module slots on its rear panel. When an S F-EI is delivered, it has a module in the power module slot PWR1 only, while PWR2 is on a filler panel. You can optionally configure a power module for PWR2 as needed. You can select an AC or DC power module for redundant backup together with PWR1.

An S C-EI-DC provides a DC power input with an RPS input on its rear panel.

The feature-rich S5500-EI series support the following services:
- Broadband Internet access
- Access of MAN and intranet users
- Multimedia services, such as VOD
- Delay-sensitive voice services, such as VoIP
- Enhanced multicast, providing audio/video services over IPv4/IPv6 multicast

The S5500-EI series deliver these features:
- IPv4/IPv6 dual-stack and hardware forwarding
- Abundant IPv4/IPv6 routing protocols
- MCE
- IPv6-over-IPv4, 6to4, and ISATAP tunneling
- GE and 10-GE uplink ports

- Forwarding of jumbo frames
- Port security features
- ARP attack defense functions, such as ARP detection
- Link Aggregation Control Protocol (LACP)
- Smart Link and Rapid Ring Protection Protocol (RRPP), multi-instance Smart Link and multi-instance RRPP for load balancing
- 4K VLANs
- One-to-one, many-to-one and two-to-two VLAN mapping
- Abundant QoS/ACL functions, including VLAN ACLs and egress ACLs
- QinQ and VLAN mapping
- Port- and flow-based mirroring
- RSPAN
- Reliable power backup through RPSs or redundant power supply
- IRF
- 802.3ah Ethernet OAM and 802.1ag Connectivity Fault Detection (CFD)

1.2 System Features

Table 1-2 System features of the S5500-EI series
Item / S C-EI / S C-EI / S C-PWR-EI / S C-PWR-EI / S F-EI / S C-EI-DC
Physical dimensions (H × W × D) / mm ( in.) / mm ( in.) / mm ( in.) / mm ( in.)
Weight / <5 kg (11.0 lb) / <5 kg (11.0 lb) / <7.5 kg (16.6 lb) / <7.5 kg (16.6 lb) / <6 kg (13.2 lb) / <5 kg (11.0 lb)
Management port / 1 console port

GE ports / 24 10/100/1000Base-T Ethernet port, Base-X SFP port / 48 10/100/1000Base-T Ethernet port, Base-X SFP port / 24 10/100/1000Base-T Ethernet port, Base-X SFP port / 48 10/100/1000Base-T Ethernet port, Base-X SFP port / 8 10/100/1000Base-T Ethernet port, /1000Base-X SFP port / 24 10/100/1000Base-T Ethernet port, Base-X SFP port
Optional interface modules:
- One-port 10 GE XFP module (Support IRF)
- 2-port 10 GE XFP module (Support IRF)
- Short-haul dual-port 10 GE CX4 module (Support IRF)
- 2-port GE SFP interface module (Do not support IRF)
- 2-port 10 GE SFP+ module (Support IRF)
Input voltage, AC:
  Rated voltage range: 100 VAC to 240 VAC, 50 Hz or 60 Hz
  Input voltage range: 90 VAC to 264 VAC, 47 Hz to 63 Hz
Input voltage, DC (values in the order given in the source table):
  Rated voltage range (RPS input): 10.8 VDC to 13.2 VDC
  Rated voltage range (RPS input): 52 VDC to 55 VDC
  Rated voltage range (RPS input): 48 VDC to 60 VDC
  Rated voltage range: DC input: 48 VDC to 60 VDC; RPS input: 10.8 VDC to 13.2 VDC

Power consumption (full load), in the column order S C-EI / S C-EI / S C-PWR-EI / S C-PWR-EI / S F-EI / S C-EI-DC:
  110 W
  155 W
  AC power supply: 575 W, where the system power is 205 W and the PoE power is 370 W. DC power supply: 485 W, where the system power is 115 W and the PoE power is 370 W.
  AC power supply: 640 W, where the system power is 270 W and the PoE power is 370 W. DC power supply: 910 W, where the system power is 170 W and the PoE power is 740 W.
  115 W
  105 W
Operating temperature / 0 °C to 45 °C (32 °F to 113 °F)
Relative humidity (noncondensing) / 10% to 90%

Together with an auto-sensing 10/100/1000BASE-T Ethernet port, each 1000Base-X SFP port forms a Combo port. For each Combo port, either the SFP port or the auto-sensing 10/100/1000BASE-T Ethernet port can be used at a time. For the mapping between the two ports forming a Combo port, refer to Table 1-3.

Table 1-3 Mapping between two ports forming a Combo port
Model / 1000Base-X SFP port number / Auto-sensing 10/100/1000Base-T Ethernet port number

S C-EI, S C-EI-DC, S C-PWR-EI:
  GigabitEthernet1/0/25 / GigabitEthernet1/0/22
  GigabitEthernet1/0/26 / GigabitEthernet1/0/24
  GigabitEthernet1/0/27 / GigabitEthernet1/0/21
  GigabitEthernet1/0/28 / GigabitEthernet1/0/23

S C-EI, S C-PWR-EI:
  GigabitEthernet1/0/49 / GigabitEthernet1/0/46
  GigabitEthernet1/0/50 / GigabitEthernet1/0/48
  GigabitEthernet1/0/51 / GigabitEthernet1/0/45
  GigabitEthernet1/0/52 / GigabitEthernet1/0/47

S F-EI:
  GigabitEthernet1/0/25 / GigabitEthernet1/0/17
  GigabitEthernet1/0/26 / GigabitEthernet1/0/18
  GigabitEthernet1/0/27 / GigabitEthernet1/0/19
  GigabitEthernet1/0/28 / GigabitEthernet1/0/20
  GigabitEthernet1/0/29 / GigabitEthernet1/0/21
  GigabitEthernet1/0/30 / GigabitEthernet1/0/22
  GigabitEthernet1/0/31 / GigabitEthernet1/0/23
  GigabitEthernet1/0/32 / GigabitEthernet1/0/

Service Features

The S5500-EI series feature the following advantages:

Table 1-4 Service features of the S5500-EI series
Feature / S C-EI, S F-EI, S C-EI-DC / S C-EI / S C-PWR-EI / S C-PWR-EI
Wire speed L2 switching:
  Switching capacity (Full duplex) / 128 Gbps / 176 Gbps / 128 Gbps / 176 Gbps
  Packet forwarding rate / 95.2 Mpps / Mpps / 95.2 Mpps / Mpps
Power over Ethernet / Not supported / Supported
Link aggregation:
- aggregation of GE ports
- aggregation of 10-GE ports
- Static link aggregation
- Dynamic link aggregation
- Supports up to 128 aggregation groups, each supporting up to eight GE ports or four 10-GE ports

Flow control:
- IEEE 802.3x flow control and back pressure
Jumbo Frame:
- Supports maximum frame size of 9 KB
MAC address table:
- 32K MAC addresses
- 1K static MAC addresses
- Blackhole MAC addresses
- MAC address learning limit on a port
VLAN:
- Port-based VLANs (4094 VLANs)
- QinQ and selective QinQ
- Voice VLAN
- Protocol-based VLANs
- MAC-based VLANs
- IP subnet-based VLANs
- GVRP
VLAN mapping:
- One-to-one VLAN mapping
- Many-to-one VLAN mapping
- Two-to-two VLAN mapping
ARP:
- 8K entries
- 1K static entries
- Gratuitous ARP
- Standard proxy ARP and local proxy ARP
- ARP source suppression
- ARP detection (based on DHCP snooping entries/802.1x security entries/static IP-to-MAC bindings)
ND:
- 4K entries
- 1K static entries
VLAN virtual interface:
- 1K
DHCP:
- DHCP Client
- DHCP Snooping
- DHCP Relay
- DHCP Server
UDP Helper:
- UDP Helper
DNS:
- Dynamic domain name resolution
- Dynamic domain name resolution client
- IPv4/IPv6 addresses

IPv4 route:
- 1K static routes
- RIP (Routing Information Protocol) v1/2; up to 2K IPv4 routes
- OSPF (Open Shortest Path First) v1/v2; up to 12K IPv4 routes
- BGP (Border Gateway Protocol); up to 12K IPv4 routes
- ISIS (Intermediate System to Intermediate System); up to 12K IPv4 routes
- Four equal-cost routes
- Routing policy
- VRRP
- Policy routing
IPv6 route:
- 1K static routes
- RIPng; up to 2K IPv6 routes
- OSPF v3; up to 6K IPv6 routes
- BGP4+ for IPv6; up to 6K IPv6 routes
- ISIS for IPv6; up to 6K IPv6 routes
- Four equal-cost routes
- Routing policy
- VRRP
- Policy routing
URPF:
- Reverse route check
MCE:
- Supported
BFD:
- OSPF
- BGP
- IS-IS
- Static Route
IPv6 over IPv4 Tunnel:
- IPv6 Manual tunnel
- 6to4 tunnel
- ISATAP (Intra-Site Automatic Tunneling Protocol) tunnel
IPv4 multicast:
- IGMP (Internet Group Management Protocol) Snooping v1/v2/v3
- Multicast VLAN
- Multicast VLAN+
- IGMP v1/v2/v3
- PIM-DM (Protocol Independent Multicast-dense mode)
- PIM-SM (Protocol Independent Multicast-sparse mode)
- PIM-SSM (PIM Source Specific Multicast)
- MSDP (Multicast Source Discovery Protocol)
- MBGP

IPv6 multicast:
- MLD Snooping v1/v2
- MLD v1/v2
- PIM-DM/SM/SSM for IPv6
- IPv6 multicast VLAN
- IPv6 multicast VLAN+
- MBGP for IPv6
Broadcast/multicast/unicast storm control:
- Storm control based on port rate percentage
- PPS-based storm control
MSTP:
- STP/RSTP/MSTP protocol
- STP Root Guard
- BPDU Guard
RRPP:
- RRPP protocol
- Multi-instance RRPP
Smart link:
- Up to 26 groups supported
- Multi-instance Smart Link
Monitor link:
- Supported
QoS/ACL:
- Restriction of the rates at which a port sends and receives packets, with a granularity of 64 kbps.
- Packet redirection
- Committed access rate (CAR), with a granularity of traffic limit 64 kbps.
- Eight output queues for each port
- Flexible queue scheduling algorithms based on port and queue, including strict priority (SP), weighted round robin (WRR), WFQ (Weighted Fair Queuing) and SP + WRR.
- Remarking of 802.1p and DSCP priorities
- Packet filtering at L2 (Layer 2) through L4 (Layer 4); flow classification based on source MAC address, destination MAC address, source IP (IPv4/IPv6) address, destination IP (IPv4/IPv6) address, port, protocol, and VLAN.
- Time range
- Weighted Random Early Detection (WRED)
- Traffic shaping
- User Profile
Mirroring:
- Traffic mirroring
- Port mirroring
Remote mirroring:
- Remote port mirroring

Security:
- Hierarchical management and password protection of users
- AAA authentication
- RADIUS authentication
- HWTACACS
- SSH 2.0
- Port isolation
- Port security
- MAC address authentication
- IP-MAC-port binding
- IP Source Guard
- HTTPS
- SSL
- PKI
- Portal
- EAD
- Boot ROM access control (password recovery)
802.1X:
- Up to 1,024 users
- Port-based and MAC address based authentication
- Guest VLAN
- Trunk port authentication
- 802.1x-based dynamic QoS/ACL/VLAN delivery
Loading and upgrading:
- Loading and upgrading through XModem protocol
- Loading and upgrading through FTP
- Loading and upgrading through the trivial file transfer protocol (TFTP)
Management:
- Configuration at the command line interface
- Remote configuration through Telnet
- Configuration through Console port
- Simple network management protocol (SNMP)
- Remote monitoring (RMON) alarm, event and history recording
- Quidview NMS
- Web-based network management
- System log
- Hierarchical alarms
- Huawei group management protocol (HGMP) V2
- NTP
- Power supply alarm function
- Fan and temperature alarms

Maintenance:
- Debugging information output
- Ping and Tracert
- NQA
- Track
- Remote maintenance through Telnet
- Virtual cable test
- 802.1ag
- 802.3ah
- DLDP

Chapter 2 Hardware Description

2.1 S C-EI Ethernet Switch

Appearance

S C-EI Ethernet switch provides 24 x 10/100/1000BASE-T Ethernet ports, four Gigabit SFP Combo ports and one console port on the front panel, and an AC power input, an RPS input, and two extension slots on the rear panel. The following figure describes the appearance of the S C-EI Ethernet switch.

Figure 2-1 Appearance of S C-EI Ethernet switch

Note: A Combo port is defined as follows: an SFP Combo electrical port and its corresponding 10/100/1000BASE-T Ethernet port logically provide optoelectronic multiplexing function. Users can select either to meet the networking requirement, but the two ports cannot work at the same time.

Front Panel

(1): 10/100/1000 Base-T autosensing Ethernet port status LEDs
(2): Gigabit SFP Combo port status LED
(3): Console port
(4): Seven-segment Nixie Display
(5): Power LED
(6): RPS LED
(7): Extension slot LED 1
(8): Extension slot LED 2
(9): Mode LED
(10): Mode switch LED

Figure 2-2 Front panel of S C-EI Ethernet switch

Rear Panel

(1): AC power input
(2): RPS power input
(3): Grounding screw
(4): Extension slot 1
(5): Extension slot 2

Figure 2-3 Rear panel of S C-EI Ethernet switch

Power Supply System

S C-EI Ethernet switch supports the use of AC input and RPS 12 V input, the use of both AC and DC inputs (one as backup for the other) at the same time and AC power input alone. RPS DC input can use the RPS power supply recommended by H3C only.

AC input:
  Rated voltage: 100 VAC to 240 VAC, 50 Hz or 60 Hz
  Input voltage: 90 VAC to 264 VAC, 47 Hz or 63 Hz

RPS (DC) input:
  Rated voltage: 10.8 VDC to 13.2 VDC

Cooling System

S C-EI Ethernet switch provides four fans for heat dissipation.

Description of S C-EI LEDs

The LEDs on the front panels of the S C-EI switches can help you monitor the running status of the switches. Table 2-1 describes the LEDs. You can use the Mode button on the panel to switch the LED display mode between rate mode and duplex mode.

Table 2-1 Description of S C-EI LEDs
LED / Mark / Status / Description

Mode LED (mark: Mode)
  Speed, solid green: Rate of the port
  Duplex, solid yellow: Duplex mode of the port
Power LED (mark: PWR)
  Solid green: The switch is started normally.
  Flashing green (1 Hz): The system is running a power-on self-test (POST).
  Solid red: The system fails the POST or a power failure occurs.
  Flashing yellow (1 Hz): Some ports fail a POST or a port failure occurs.
  OFF: The power is disconnected.
Redundant power system LED (mark: RPS)
  Solid green: The AC power supply is normal and the RPS is connected and works normally.
  Solid yellow: The RPS input is normal, but an AC input failure occurs or no AC power is connected.
  OFF: No RPS is connected.

Module LED (mark: MOD)
  Solid green: The module is in position and works normally.
  Flashing yellow: The switch does not support the module or a module failure occurs.
  OFF: No module is installed.
Seven-segment digital LED (mark: Unit)
  POST running: The power LED flashes green. The LED displays the POST test ID.
  POST failed: The power LED flashes red. The LED flashes the POST test ID of the failed test.
  Software loading: The power LED flashes green. A bar rotates clockwise around the LED.
  Fan failure: The power LED is solid red. The LED displays F.
  Over-temperature alarm: The power LED is solid red. The LED displays t.
  Status of the switch in a cluster or its member ID in an IRF stack: The power LED is solid green. If no stack ports are configured and the cluster feature is enabled, the LED displays status of the switch in a cluster; otherwise, the LED displays the member ID of the switch in a stack. The status of a switch in a cluster can be one of the following: C (upper case) for a command switch, S for a member switch, c (lower case) for a candidate switch. The following are member IDs that can be displayed:

10/100/1000 Base-T port status LED
  Speed
    Green: A 1000 Mbps link is present. When data is being received or sent, the LED flashes at a high frequency.
    Yellow: A 10/100 Mbps link is present. When data is being received or sent, the LED flashes at a high frequency.
    Flashing yellow (3 Hz): The port fails the POST.
    OFF: The port is not up.
  Duplex
    Green: The port works in the full duplex mode. The LED flashes at a high frequency when data is being received or sent.
    Yellow: The port works in the half duplex mode. The LED flashes at a high frequency when data is being received or sent.
    Flashing yellow (3 Hz): The port fails the POST.
    OFF: The port is not up.
SFP port status LED (1000 Mbps)
  Speed
    Yellow: A 100 Mbps link is present. When data is being received or sent, the LED flashes at a high frequency.
    Flashing yellow (3 Hz): The port failed the POST.
    OFF: The port is not up.
  Duplex
    Green: The port operates in the full duplex mode. When data is being received or sent, the LED flashes at a high frequency.
    Flashing yellow (3 Hz): The port fails the POST.
    OFF: The port is not up.

Description of Ports

I. Console ports

The S5500-EI series switches provide a console port that satisfies the EIA/TIA-232 asynchronous specification. Through the console port, you can perform local or remote configuration.

Table 2-2 Attributes of the console port
Item / Description
Connector / RJ-45
Interface standard / EIA/TIA
Baud rate / bps (default)
Supported services / Connection with a character terminal; connection with a serial port of a local terminal (it can be a PC) or a remote terminal (it needs a pair of modems), which runs a terminal simulator.

II. Attributes of Gigabit Ethernet ports

Table 2-3 Attributes of Gigabit Ethernet ports
Item / Description
Connector / RJ-45
Number of ports / 24/48
Port specifications / 10 M, half duplex/full duplex; 100 M, half duplex/full duplex; 1,000 M, full duplex; MDI/MDI-X autosensing
Standard / IEEE 802.3u
Medium and transmission distance / Category-5 unshielded twisted pairs. The maximum transmission distance is 100 m (328.1 ft)

III. Attributes of Gigabit SFP Combo ports

The S5500-EI series provide four SFP Combo ports on the front panel. You can configure the number of ports or port types freely. The hot-swapping feature and flexible configuration method increase networking flexibility. You can select the SFP modules in Table 6-2 based on your requirements.

Note: The types of the SFP modules may change. If you need accurate module type information, please consult H3C marketing engineers or technical support engineers.

2.2 S C-EI Ethernet Switch

Appearance

An S C-EI Ethernet switch provides 48 x 10/100/1000BASE-T Ethernet ports, four Gigabit SFP Combo ports and one console port on the front panel, and an AC power input, an RPS input, and two extension slots on the rear panel. The following figure describes the appearance of the S C-EI Ethernet switch.

Figure 2-4 Appearance of S C-EI Ethernet switch

Front Panel

(1): 10/100/1000 Base-T autosensing Ethernet port status LEDs
(2): Console port
(3): Seven-segment Nixie Display
(4): Mode switch button
(5): Mode LED
(6): Power LED
(7): RPS LED
(8): Extension slot LED 1

(9): Extension slot LED 2
(10): Gigabit SFP Combo port status LED

Figure 2-5 Front panel of S C-EI Ethernet switch

Rear Panel

(1): AC power input
(2): RPS power input
(3): Grounding screw
(4): Extension slot 1
(5): Extension slot 2

Figure 2-6 Rear panel of S C-EI Ethernet switch

Power Supply System

S C-EI Ethernet switch supports the use of AC and RPS 12 V inputs, the use of both AC and DC inputs (one as backup for the other) at the same time and AC power input alone. RPS DC input can use the RPS power supply recommended by H3C only.

AC input:
  Rated voltage: 100 VAC to 240 VAC, 50 Hz or 60 Hz
  Input voltage: 90 VAC to 264 VAC, 47 Hz or 63 Hz
RPS (DC) input:
  Rated voltage: 10.8 VDC to 13.2 VDC

Cooling System

S C-EI Ethernet switch provides four fans for heat dissipation.

Description of S C-EI LEDs

LED description of S C-EI and S C-EI is the same. See Table

Description of Ports

For port description of the S5500-EI series, see Description of Ports.

2.3 S C-PWR-EI Ethernet Switch

Appearance

S C-PWR-EI Ethernet switch provides 24 x 10/100/1000BASE-T Ethernet ports, four Gigabit SFP Combo ports and one console port on the front panel, and an AC power input, an RPS input, and two extension slots on the rear panel. The following figure describes the appearance of the S C-PWR-EI Ethernet switch.

Figure 2-7 Appearance of S C-PWR-EI Ethernet switch

Front Panel

(1): 10/100/1000 Base-T autosensing Ethernet port status LEDs
(2): Gigabit SFP Combo port status LED
(3): Console port
(4): Seven-segment Nixie display
(5): Power LED
(6): RPS LED
(7): Extension slot LED 1
(8): Extension slot LED 2
(9): Mode LED
(10): Mode switch LED

Figure 2-8 Front panel of S C-PWR-EI Ethernet switch

Rear Panel

(1): RPS power input
(2): AC power input
(3): Grounding screw
(4): Extension slot 1
(5): Extension slot 2

Figure 2-9 Rear panel of S C-PWR-EI Ethernet switch

Power Supply System

S C-PWR-EI Ethernet switch supports the use of both AC and DC inputs (one as backup for the other) at the same time, and AC power input or DC power input alone.

AC input:
  Rated voltage: 100 VAC to 240 VAC, 50 Hz or 60 Hz
  Input voltage: 90 VAC to 264 VAC, 47 Hz or 63 Hz

The S C-PWR-EI switch can use only the external RPS power supply recommended by H3C as the AC power supply. Do not use 48 VAC power in the equipment room; otherwise the switch may be damaged.

RPS DC input:
  Voltage range: -52 VDC to -55 VDC

Cooling System

S C-PWR-EI Ethernet switch provides six fans for heat dissipation, and three of them are for power supply dissipation.

Description of S C-PWR-EI LEDs

The LEDs on the front panels of the S C-PWR-EI switches can help you monitor the running status of the switches. Table 2-4 describes the LEDs. You can use the Mode button on the panel to switch the LED display mode between rate mode and duplex mode.

Table 2-4 Description of S C-PWR-EI LEDs
LED / Mark / Status / Description

Mode LED (mark: Mode)
  Speed, solid green: Rate of the port
  Duplex, solid yellow: Duplex mode of the port
  PoE, flashing green (1 Hz): PoE mode of the port
Power LED (mark: PWR)
  Solid green: The switch is started normally.
  Flashing green (1 Hz): The system is running a power-on self-test (POST).
  Solid red: The system fails the POST or a power failure occurs.
  Flashing yellow (1 Hz): Some ports fail a POST or a port failure occurs.
  OFF: The power is disconnected.
Redundant power system LED (mark: RPS)
  Solid green: The AC power input and the DC power input are both normal.
  Solid yellow: The DC power input is normal, but an AC power failure occurs or no AC power is connected.
  OFF: No DC power is connected.
Module LED (mark: MOD)
  Solid green: The module is in position and works normally.
  Flashing yellow: The switch does not support the module or a module failure occurs.
  OFF: No module is installed.

Seven-segment digital LED (mark: Unit)
  POST running: The power LED flashes green. The LED displays the POST test ID.
  POST failed: The power LED flashes red. The LED flashes the POST test ID of the failed test.
  Software loading: The power LED flashes green. A bar rotates clockwise around the LED.
  Fan failure: The power LED is solid red. The LED displays F.
  Over-temperature alarm: The power LED is solid red. The LED displays t.
  Status of the switch in a cluster or its member ID in an IRF stack: The power LED is solid green. If no stack ports are configured and the cluster feature is enabled, the LED displays status of the switch in a cluster; otherwise, the LED displays the member ID of the switch in a stack. The status of a switch in a cluster can be one of the following: C (upper case) for a command switch, S for a member switch, c (lower case) for a candidate switch. The following are member IDs that can be displayed:
  PoE mode: The power LED is solid green. The LED displays the utilization of the power supply: %, 61-80%, 41-60%, 21-40%, 0-20%

10/100/1000Base-T Ethernet port status LED
  Speed
    Green: A 1000 Mbps link is present. When data is being received or sent, the LED flashes at a high frequency.
    Yellow: A 10/100 Mbps link is present. When data is being received or sent, the LED flashes at a high frequency.
    Flashing yellow (3 Hz): The port fails the POST.
    OFF: No link is present.
  Duplex
    Green: The port works in the full duplex mode. The LED flashes at a high frequency when data is being received or sent.
    Yellow: The port works in the half duplex mode. The LED flashes at a high frequency when data is being received or sent.
    Flashing yellow (3 Hz): The port fails the POST.
    OFF: The port is not up.
  PoE
    Solid green: The port supplies power normally.
    Flashing green (1 Hz); Solid yellow: The required power of the attached device exceeds the maximum power that the port can supply. The total power reaches the maximum power, so the port stops supplying power. The device attached to the port is not a powered device (PD), so the port cannot supply power. A PoE failure occurs, so the port cannot supply power.
    Flashing yellow (3 Hz): The port fails the POST.
    OFF: The port is not up.

SFP port status LED (1000 Mbps)
  Speed/PoE
    Yellow: A 100 Mbps link is present. When data is being received or sent, the LED flashes at a high frequency.
    Flashing yellow (3 Hz): The port failed the POST.
    OFF: The port is not up.
  Duplex
    Green: The port operates in the full duplex mode. When data is being received or sent, the LED flashes at a high frequency.
    Flashing yellow (3 Hz): The port fails the POST.
    OFF: The port is not up.

Description of Ports

For port description of the S5500-EI series, see section Description of Ports.

2.4 S C-PWR-EI Ethernet Switch

Appearance

S C-PWR-EI Ethernet switch provides 48 x 10/100/1000BASE-T Ethernet ports, four Gigabit SFP Combo ports and one console port on the front panel, and an AC power input, an RPS input, and two extension slots on the rear panel. The following figure describes the appearance of the S C-PWR-EI Ethernet switch.

Figure 2-10 Appearance of S C-PWR-EI Ethernet switch

Front Panel

(1): 10/100/1000 Base-T autosensing Ethernet port status LEDs
(2): Console port
(3): Seven-segment Nixie Display
(4): Mode switch button
(5): Mode LED
(6): Power LED
(7): RPS LED
(8): Extension slot LED 1
(9): Extension slot LED 2
(10): Gigabit SFP Combo port status LED

Figure 2-11 Front panel of S C-PWR-EI Ethernet switch

Rear Panel

(1): RPS power input
(2): AC power input
(3): Grounding screw
(4): Extension slot 1
(5): Extension slot 2

Figure 2-12 Front panel of S C-PWR-EI Ethernet switch

Power Supply System

S C-PWR-EI Ethernet switch supports the use of both AC and DC inputs (one as backup for the other) at the same time, and AC power input or DC power input alone.

AC input:
  Rated voltage: 100 VAC to 240 VAC, 50 Hz or 60 Hz
  Input voltage: 90 VAC to 264 VAC, 47 Hz or 63 Hz

The S C-PWR-EI switch can use only the external RPS power supply recommended by H3C as the AC power supply. Do not use 48 VAC power in the equipment room; otherwise the switch may be damaged.

RPS DC input:
  Voltage range: -52 VDC to -55 VDC

Cooling System

S C-PWR-EI Ethernet switch provides six fans for heat dissipation, and three of them are for power supply dissipation.

Description of S C-PWR-EI LEDs

LED description of S C-PWR-EI and S C-PWR-EI is the same. See Table

Description of Ports

For port description of the S5500-EI series, see section Description of Ports.

2.5 S F-EI Ethernet Switch

Appearance

The S F-EI provides twenty-four 1000Base-X SFP ports, eight auto-sensing 10/100/1000Base-T Ethernet ports, and one console port on the front panel, and two AC or DC power sockets and two extended module slots on the rear panel. Together with a 1000Base-X SFP port, each auto-sensing 10/100/1000BASE-T Ethernet port forms a Combo port. Figure 2-13 illustrates the appearance of an S F-EI.

Figure 2-13 Appearance of an S F-EI Ethernet switch

Note: A Combo port is defined as follows: an SFP Combo electrical port and its corresponding 10/100/1000BASE-T Ethernet port logically provide optoelectronic multiplexing function. Users can select either to meet the networking requirement, but the two ports cannot work at the same time.

Front Panel

(1): 100/1,000 M SFP port LEDs
(2): 10/100/1000 Base-T Combo autosensing Ethernet port LEDs
(3): Console port
(4): Seven-segment Nixie display
(5): System LED
(6): AC power input 1 LED
(7): AC power input 2 LED
(8): Extension slot 1 LED
(9): Extension slot 2 LED
(10): Mode LED
(11): Mode control button

Figure 2-14 Front panel of S F-EI Ethernet switch

Rear Panel

(1): Grounding screw
(2): AC power input 1
(3): AC power input 2
(4): Extension slot 1
(5): Extension slot 2

Figure 2-15 Rear panel of S F-EI Ethernet switch

Power Supply System

An S F-EI is connected to two hot-swappable AC or DC power inputs, which act as backup for each other.

AC input:
Rated voltage: 100 VAC to 240 VAC, 50 Hz or 60 Hz
Input voltage: 90 VAC to 264 VAC, 47 Hz or 63 Hz

DC input:
Rated voltage range: -48 VDC to -60 VDC
Max voltage range: -36 VDC to -72 VDC

Cooling System

The S F-EI is equipped with six fans (four for the system, and one for each pluggable power module) for heat dissipation.

Description of S F-EI LEDs

The LEDs on the front panels of the S F-EI switches can help you monitor the running status of the switches. Table 2-5 describes the LEDs. You can use the Mode button on the panel to switch the LED display mode between rate mode and duplex mode.

Table 2-5 Description of the LEDs on an S F-EI

LED | Mark | State | Description
Mode LED | Mode | Rate mode: Green, ON | The port LED is indicating port rate mode.
 | | Duplex mode: Yellow, ON | The port LED is indicating duplex mode.
Power LED | SYS | Green, ON | The switch has been normally started.
 | | Green, blinking (1 Hz) | The system is performing POST (power-on self test).
 | | Red, ON | POST fails because a fault occurs.
 | | Yellow, blinking (1 Hz) | Some ports fail in POST because the function fails.
 | | OFF | The switch has been powered off.
AC power input 1 LED | PWR1 | Green, ON | The power input is connected to a power module and the output is normal.
 | | Yellow, ON | The power input is connected to a power module but the output is abnormal.
 | | OFF | No power module is connected or there is no power being input.
AC power input 2 LED | PWR2 | Green, ON | The power input is connected to a power module and the output is normal.
 | | Yellow, ON | The power input is connected to a power module but the output is abnormal.
 | | OFF | No power module is connected or there is no power being input.
Module LED | Module (MOD) | Green, ON | The module is in position and is working normally.
 | | Yellow, blinking | The module is not supported or a fault has been detected.
 | | OFF | No module is installed.
Seven-segment Nixie display | Unit | In POST | Power LED is green and blinking. The nixie display indicates the number of the ongoing self test item.
 | | POST has failed | LED is red and blinking. The nixie display indicates the number of the self test item that failed in POST.
 | | Loading software | Power LED is green and blinking. The short bars are lit up one by one clockwise when the software is being loaded.
 | | Fan failure | Power LED is red and on. The nixie display shows an F.
 | | Over-temperature alarm | Power LED is red and on. The nixie display shows a "t".
 | | Status of the switch in a cluster or its member ID in an IRF stack | The power LED is solid green. If no stack ports are configured and the cluster feature is enabled, the LED displays status of the switch in a cluster; otherwise, the LED displays the member ID of the switch in a stack. The status of a switch in a cluster can be one of the following: C (upper case) for a command switch, S for a member switch, c (lower case) for a candidate switch. The following are member IDs that can be displayed:
10/100/1000BASE-T Combo port LEDs | | Rate mode: Green | The port is blinking when it is receiving or sending data at 1000 Mbps.
 | | Rate mode: Yellow | The port is blinking when it is receiving or sending data at 10/100 Mbps.
 | | Rate mode: Yellow, blinking (3 Hz) | Port POST has failed.
 | | Rate mode: OFF | The port is not up.
 | | Duplex mode: Green | The port is blinking when it is receiving or sending data in the full-duplex mode.
 | | Duplex mode: Yellow | The port is blinking when it is receiving or sending data in the half-duplex mode.
 | | Duplex mode: Yellow, blinking (3 Hz) | Port POST has failed.
 | | Duplex mode: OFF | The port is not up.
1000Base SFP port LEDs | | Rate mode: Green | The port is blinking when it is receiving or sending data at 1000 Mbps.
 | | Rate mode: Yellow | The port is blinking when it is receiving or sending data at 100 Mbps.
 | | Rate mode: Yellow, blinking (3 Hz) | Port POST has failed.
 | | Rate mode: OFF | The port is not up.
 | | Duplex mode: Green | The port is blinking when it is receiving or sending data in the full-duplex mode.
 | | Duplex mode: Yellow, blinking (3 Hz) | Port POST has failed.
 | | Duplex mode: OFF | The port is not up.

Port Attributes

For port description of the S5500-EI series, see section Description of Ports.

2.6 S C-EI-DC Ethernet Switch

Appearance

An S C-EI-DC Ethernet switch provides 24 10/100/1000Base-T Ethernet ports, four Gigabit SFP Combo ports, and one Console port on the front panel, and 48 VDC power inputs, RPS input, and two extension slots on the rear panel. Figure 2-16 illustrates the appearance of the switch.

Figure 2-16 Appearance of an S C-EI-DC

Front Panel

(1): 10/100/1000 Base-T autosensing Ethernet port LEDs
(2): Gigabit SFP Combo port LEDs
(3): Console port
(4): Seven-segment nixie display
(5): Power LED
(6): RPS LED
(7): Extension slot 1 LED
(8): Extension slot 2 LED
(9): Mode LED
(10): Mode control button

Figure 2-17 Front panel of an S C-EI-DC

Rear Panel

(1): -48 VDC power input
(2): RPS power input
(3): Grounding screw
(4): Extension slot 1
(5): Extension slot 2

Figure 2-18 Rear panel of an S C-EI-DC

Power System

An S C-EI-DC switch provides two DC inputs and one RPS 12 V input. The two DC inputs can be used at the same time, acting as backup for each other. Alternatively, you can use either the DC inputs only or the RPS only. Make sure you use an RPS recommended by H3C as a DC input.

-48 V DC input:
Rated voltage range: -48 VDC to -60 VDC
Max voltage range: -36 VDC to -72 VDC

RPS DC input:
Rated voltage range: 10.8 V to 13.2 V

Cooling System

An S C-EI-DC switch is cooled by four fans.

LED Description

LED description of S C-EI and S C-EI is the same. See Table

Description of Port Attributes

For the description on the port attributes of the S C-EI-DC switch, see section Description of Ports.

2.7 Optional Interface Modules

An S5500-EI switch provides two extension module slots on the rear panel, which accept the following modules:
1-port 10-GE XFP modules (supporting IRF)
2-port 10-GE XFP modules (supporting IRF)
2-port 10-GE CX4 short haul module (supporting IRF)
2-port GE SFP modules (not supporting IRF)
2-port 10 GE SFP+ module (supporting IRF)

port 10 Gbps XFP Module

Figure 2-19 Front view of a 1-port 10-GE XFP module

This module can provide one 10-GE XFP optical interface. You can select the XFP optical modules in Table 6-3 based on your requirements.

Note: The type of XFP modules may be updated as time goes by. For updated module types, consult marketing or technical support personnel of H3C.

Port 10-GE XFP Module

Figure 2-20 Front view of 2-port 10-GE XFP module

This module can provide two 10Gbps XFP optical interfaces. You can select the XFP optical modules in Table 6-3 based on your requirements.

Note: The type of XFP modules may be updated as time goes by. For updated module types, consult marketing or technical support personnel of H3C.

port 10-GE CX4 Short Haul Module

Figure port 10-GE CX4 short haul module

This module provides two 10-GE electrical interfaces. It supports CX4 electrical standards and protocols. The maximum transmission distance is 3 meters (9.8 ft). Use CX4 cables dedicated for H3C devices to interconnect devices.

Note: You can use only dedicated CX4 cable to connect the port on the CX4 extension module and another CX4 port. For dedicated CX4 cable, see section 2.8 "CX4 Cable".

Port GE SFP Module

Figure 2-22 Front view of 2-port GE SFP module

This module can provide two 1-Gbps SFP optical interfaces. You can select the Gigabit SFP modules in Table 6-2 based on your requirements.

Note: The two 1-Gbps SFP optical interfaces of the 2-port GE SFP module do not support the 100 Mbps SFP modules in Table 6-2. The type of XFP modules may be updated as time goes by. For updated module types, consult marketing or technical support personnel of H3C.

Port 10-GE SFP+ Module

Figure 2-23 Front view of 2-port 10-GE SFP+ module

This module can provide two 10Gbps SFP+ optical interfaces. You can select the SFP+ optical modules and SFP+ cables in Table 6-4 based on your requirements.

Note: The two 10-Gbps SFP+ optical interfaces of the 2-port 10-GE SFP+ module do not support the SFP modules in Table 6-2. The type of SFP+ optical modules and SFP+ cables may be updated as time goes by. For updated information, contact H3C technical support or marketing staff.

Description of Extension Module LEDs

There is an LED for each port on the extension module panel. Table 2-6 describes the LEDs.

Table 2-6 Description of extension module LEDs

LED | Mark | State | Description
Extension module LED | This LED is not affected by the mode button | Green | The port is normally connected. The port is blinking when it is receiving or sending data.
 | | OFF | The port is not connected.

2.8 CX4 Cable

You can use the CX4 cable to connect the CX4 port on the rear panel of an S5500-EI series switch to another CX4 port.

Figure 2-24 CX4 cable

The following three types of cables are available (refer to Table 6-5 List of CX4 modules):
50 cm (19.7 in.): the connectors at both ends of the cable are bayonet connectors.
100 cm (39.4 in.): the connectors at both ends of the cable are screw connectors.
300 cm (118.1 in.): the connectors at both ends of the cable are screw connectors.

3.1 Basic Features

Link Aggregation

The link aggregation function is used for the connection between Ethernet switches or between the switches and high-speed servers. It is a simple and cheap way to expand the bandwidth of a switch port and balance the traffic among all the ports in a link aggregation. Moreover, it enhances the connection reliability.

With link aggregation, several Ethernet ports on a switch are bundled together and are considered one logical port inside the switch. The switch automatically balances the traffic among the ports in the aggregation and increases the bandwidth of the ports. If the link on a port in the aggregation fails, the traffic on it is distributed among other ports without interrupting the normal service. After the port recovers, the traffic is automatically distributed again so that the port can share the load with others.

The S5500-EI series support static link aggregation and dynamic link aggregation.

Traffic Control

Traffic control is a congestion management mode of switches. S5500-EI Ethernet switches support full-duplex traffic control and half-duplex back pressure traffic control. 10-GE uplink interfaces support received pause frames only. In the half-duplex traffic control mode, the switch performs traffic control by sending Jam signals to the peer end.

DLDP

A special phenomenon, unidirectional links, may occur in actual networking. When a unidirectional link occurs, the local device can receive packets from the peer device through the link layer, but the peer device cannot receive packets from the local device. Unidirectional links may cause a series of problems, such as spanning-tree topology loop.

The device link detection protocol (DLDP) can monitor the link status of fiber or copper twisted pairs (such as Enhanced Cat-5 twisted pairs). Based on the configuration, DLDP automatically closes, or notifies the user to close manually, the corresponding ports when it finds any unidirectional link, so as to prevent network problems. DLDP has the following features:

As a link layer protocol, it works in cooperation with physical layer protocols to supervise the link status of devices. The auto-negotiation mechanism of the physical layer detects physical signals and faults, while DLDP identifies the peer device and unidirectional links, and closes unreachable ports.
When the auto-negotiation mechanism and DLDP are enabled, they work together to detect and disable physical and logical unidirectional links, and to prevent the failure of other protocols such as STP.
If links of both ends function independently and normally at the physical layer, DLDP will check whether these links are correctly connected at the link layer and whether packets can be normally exchanged between both ends. This kind of detection cannot be achieved through the auto-negotiation mechanism.

Broadcast Storm Control

The broadcast storm control function suppresses the propagation of unknown unicast packets, multicast packets, and broadcast packets in a network, thus limiting their impact on the operating efficiency of the network.

For the S5500-EI series, the broadcast storm control function is configured on ports. After storm control is enabled on a port, you can monitor the unknown unicast traffic, multicast traffic, and the broadcast traffic received on it. When the traffic exceeds the specified bandwidth limit, the switch drops the excessive traffic to reduce the traffic ratio to a rational range, so as to guarantee the normal operation of network services.

The S5500-EI series can implement both broadcast storm control based on port rate percentage and broadcast storm control based on pps.

VLAN

Virtual local area network (VLAN) is a technology that implements virtual workgroups by assigning the devices in a LAN into network segments logically rather than physically. VLAN standard is described in IEEE 802.1Q protocol standard, which is issued in You can use VLAN to divide a LAN into multiple broadcast domains known as virtual LANs, namely, VLANs, the computers in each of which are correlated in a certain way. As VLANs are implemented logically rather than physically, the computers in the same VLAN do not necessarily reside on the same physical LAN segment; instead, they can belong to different physical LAN network segments.

On a switch, the following types of VLAN are supported.
Port-based VLAN
MAC-based VLAN
Protocol-based VLAN
IP multicast-based VLAN (In this case, a multicast group forms a VLAN.)
Network layer-based VLAN (In this case, VLANs are created based on the network layer addresses of the hosts.)

VLAN offers the benefit that the broadcast and unicast traffic inside a VLAN are not forwarded to other VLANs, thereby helping implement network traffic control, save equipment investment, streamline network management, and enhance network security.

The H3C S5500-EI series support the following types of VLAN.

I. Port-based VLAN

In a port-based VLAN, VLAN members are defined based on the Ethernet switch ports. You can add specific ports to the same VLAN, through which the hosts connecting to these ports can communicate with each other. This is the simplest way of creating a VLAN. An S5500-EI Ethernet switch supports up to 4,094 port-based VLANs.

II. Protocol-based VLAN

VLANs can be divided based on protocol. With this type of VLAN configured, a switch inserts tags into the untagged packets it receives according to the protocols the packets belong to, so that the packets are forwarded in the corresponding VLANs. Protocol-based VLANs are usually bound to specific services for ease of management and maintenance.

III. Voice VLAN

Voice VLAN is designed for voice traffic. An S5500-EI Ethernet switch with voice VLANs configured determines whether or not a received packet carries voice data by checking its source MAC address and forwards the packets carrying voice data in the voice VLANs. Voice VLAN ensures transmission priority of voice traffic and improves voice quality.

IV. VLAN Trunk

The VLAN trunk function is used for the connections between switches. A VLAN trunk is a point-to-point link between two switches. The ports of the two switches across a VLAN trunk are called trunk ports. Multiple VLANs can be carried over the same trunk port. The implementation principle is as follows: On a trunk port, messages of different VLANs are differentiated through different 802.1Q tags. In this way, interconnections among all VLANs are enabled networkwide.

3.1.6 GARP/GVRP

I. GARP

Generic attribute registration protocol (GARP) provides a means of distributing, propagating, and registering specific types of information (such as VLAN and multicast group address) among the members inside the same switched network. A GARP member can be a workstation or a switch.

GARP members communicate with each other by exchanging their messages. By exchanging messages, all the member switches on a switching network get all the attribute information to be registered. GARP enables the configuration information of a GARP member to be propagated throughout the entire switched network. A GARP member triggers other GARP members, through declaration/declaration cancellation messages, to register/deregister its attribute information. It also registers/deregisters the attribute information of other GARP members in response to their declaration/declaration cancellation messages.

GARP by itself does not exist on the routing switch as an entity. It takes the form of a GARP application, which is implemented on entities adopting GARP. Commonly used GARP applications are GVRP (GARP VLAN registration protocol) and GMRP (generic multicast registration protocol). The PDUs (protocol data units) of different GARP applications (GVRP and GMRP for example) carry the MAC addresses peculiar to the applications, according to which a routing switch with GARP employed can recognize the received GARP packets and pass them to the corresponding GARP applications for processing.

II. GVRP

GVRP is a GARP application that maintains VLAN dynamic registration information in a routing switch and transmits the information to other routing switches, based on the operating mechanism of GARP. A routing switch with GVRP employed receives VLAN registration information from other routing switches and dynamically updates the local VLAN registration information, including current VLAN members and the ports through which these VLAN members can be reached, etc. Moreover, in a switched network, all the routing switches with GVRP employed transmit the local VLAN registration information to other routing switches, thus keeping the VLAN information maintained by them consistent. VLAN registration information transmitted by these routing switches includes both the static registration information manually configured locally and the dynamic registration information from other routing switches.

3.1.7 QinQ

I. QinQ characteristics

QinQ enables packets to traverse the backbone network (public network) of the operator with two layers of VLAN tags, where the VLAN tag of the customer network is encapsulated in the VLAN tag of the public network. In the public network, packets are forwarded based on the outer VLAN tag (that is, the public network VLAN tag) only, while the customer network VLAN tag is shielded.

Compared with MPLS-based L2 VPN, QinQ has the following features:
It provides simpler L2 VPN tunnels.
It can be implemented through full-static configuration, without the need of a signaling protocol.

QinQ mainly provides the following benefits:
Saving public network VLAN IDs
Enabling private network VLAN IDs that do not conflict with those of the public network
Providing small-sized MANs or intranets with simpler L2 VPN solutions

II. BPDU Tunnel

BPDU tunnel enables BPDUs to be transmitted transparently between geographically dispersed user networks through the designated VLAN VPN in the carrier's network for uniform spanning tree calculation across the user networks. In this case, the spanning tree of the user network is independent of that of the carrier's network.

VLAN Mapping

With VLAN mapping, the S5500-EI switch can flexibly classify packets at the access layer and distribution layer to promote transmission efficiency. The S5500-EI series switches support the following three types of VLAN mapping:

One-to-one VLAN mapping, which maps one customer VLAN (CVLAN) ID to one service-provider VLAN (SVLAN) ID.

Figure 3-1 One-to-one VLAN mapping (frame fields shown: VLAN X, Data; VLAN Y, Data)

Many-to-one VLAN mapping, which maps multiple CVLAN IDs to one SVLAN ID.

Figure 3-2 Many-to-one VLAN mapping (frame fields shown: VLAN A, Data; VLAN B, Data; VLAN C, Data; each paired with VLAN Y, Data)

Two-to-two VLAN mapping, which maps the outer and inner VLAN IDs of double tagged traffic to a new pair of outer and inner VLAN IDs.

Figure 3-3 Two-to-two VLAN mapping (frame fields shown: VLAN A, VLAN B, Data; VLAN X, VLAN Y, Data)

One-to-one VLAN mapping and many-to-one VLAN mapping mainly apply to intelligent network environments with mixed data, voice and video applications. In such a network, different VLANs are used for transmitting different services of a user to the corridor access device through a home gateway. To differentiate users that are using the same service, you can perform one-to-one VLAN mapping to map the service traffic to different VLANs by user on an access device. Then, you can perform many-to-one VLAN mapping at the distribution layer to map the traffic to different VLANs by service type, allowing different transmission policies to be applied to the traffic of different service types.

Two-to-two VLAN mapping mainly applies to VPN networks. When a packet enters an SP network, the edge device of the SP network adds an outer VLAN tag to the packet through QinQ or selective QinQ. Then, two-to-two VLAN mapping replaces both the original inner VLAN tag and outer VLAN tag of the packet with the inner VLAN tag of the destination network and the outer VLAN tag of another SP network, so that the packet can travel across the two SP networks to reach the destination.

3.2 Network Protocol Features

ARP

Address resolution protocol (ARP) dynamically maps IP addresses to specific MAC addresses. Upon being enabled, ARP carries out the address resolution without manual intervention.

The S5500-EI series switches support the following extended ARP and attack defense implementations:

I. Gratuitous ARP

Gratuitous ARP enables a device to test whether or not IP address conflicts exist between itself and other devices in the network by sending ARP requests. Since both the source and destination IP addresses of a gratuitous ARP request packet are set to the local IP address, an IP address conflict exists if a host responds to the ARP request.

A gratuitous ARP request is also used to update the corresponding MAC address entries maintained by other devices. A switch updates the corresponding MAC address entry if the IP address contained in a received ARP request packet matches the MAC address entry. As an ARP request packet is broadcast across the network, all the MAC address entries matching the ARP request packet are updated.

II. Proxy ARP

The S5500-EI series support the following two types of proxy ARP, standard proxy ARP and local proxy ARP.

Standard proxy ARP conforms to the related protocol; it responds to ARP requests sourced from other network segments. As shown in Figure 3-4, Host A and Host B are of different network segments connected to an S5500-EI Ethernet switch. Although the gateways configured for Host A and Host B are of different network segments, their IP addresses indicate that they are of the same network segment. Normally, ARP requests sourced from Host A and destined for Host B, which are inter-network segment, are dropped in this case. With standard proxy ARP enabled, the S5500-EI Ethernet switch looks up in the routing table for the route upon receiving an ARP request packet and sends its MAC address to the ARP request sender if the route exists. The ARP request sender then sends another packet to the switch, with the address contained in the route as the destination address. The switch in turn forwards the packet.

Figure 3-4 A standard proxy ARP implementation (labels: Switch; Vlan-int1, gateway IP address, /24; Vlan-int2, gateway IP address, /24; Host A, /16; Host B, /16)

Local proxy ARP only responds to ARP requests on the same network segment. As for the S5500-EI series switches, local proxy ARP is mainly employed on port isolation-enabled ports to allow Layer 3 communication between isolated users.

Figure 3-5 A local ARP proxy implementation (labels: Switch; Vlan-int1, gateway IP address, /24; GE1/0/1; GE1/0/2; Host A, /24; Host B, /24; Port isolate)

As shown in Figure 3-5, port isolation is enabled on the S5500-EI Ethernet switch; therefore, ARP packets cannot be forwarded between downlink ports. If the switch also has local proxy ARP enabled and receives an ARP request sourced from Host A and destined for Host B, the switch looks up in the routing table and sends its MAC address to the ARP request sender if the route exists. The ARP request sender then sends the packet to the switch, with the address contained in the route as the destination address. The switch in turn forwards the packet.

III. ARP Attack Defense

ARP attacks and viruses are threatening LAN security. H3C S5500-EI Series Ethernet Switches can provide multiple features to detect and prevent such attacks.

1) ARP Source Suppression

If a device receives large numbers of IP packets from a host to unreachable destinations:
The device sends large numbers of ARP requests to the destination subnets, which increases the load of the destination subnets.
The device continuously resolves destination IP addresses, which increases the load of the CPU.

To protect the device from such attacks, you can enable the ARP source suppression function. With the function enabled, whenever the number of packets with unresolvable destination IP addresses from a host within five seconds exceeds a specified threshold, the device suppresses the sending host from triggering any ARP requests within the following five seconds.

2) Source MAC Address Based ARP Attack Detection

This feature allows the device to check the source MAC address of ARP packets that are delivered to the CPU. If the number of ARP packets sent from a MAC address within five seconds exceeds the specified value, the device considers this an attack.

3) ARP Detection

In normal cases, a Layer 2 access device broadcasts an ARP request within a VLAN, and forwards ARP responses at Layer 2. If an attacker sends an ARP request with the source being the IP address of another client, the corresponding ARP entry maintained by the gateway or other clients is modified. Consequently, the attacker will receive the packets sent to the client.

The ARP detection feature allows only the ARP packets of legal clients to be forwarded. ARP Detection consists of two functions: user validity check and ARP packet validity check.

User validity check: With this feature enabled, the device compares the source IP and MAC addresses of an ARP packet received from the VLAN against the DHCP snooping entries, 802.1x security entries, or static IP-to-MAC binding entries.

ARP packet validity check: With this feature enabled, the device filters out invalid ARP packets received on ARP untrusted ports. You can base ARP packet validity check on the source MAC address, destination MAC address or IP address. ARP packet validity check does not apply to packets received on ARP trusted ports.

4) ARP packet rate limit

ARP packets that pass ARP detection are delivered to the CPU. This feature allows you to limit the rate of ARP packets to be sent to the CPU.

DHCP

I. DHCP Relay

A routing switch operating as a DHCP relay can relay messages between a DHCP server and a client, making it possible for a DHCP server in a subnet to provide DHCP service to the hosts in another subnet. With DHCP Relay, a network manager need not set up a DHCP server for every subnet, thereby reducing DHCP server costs.

II. DHCP Client

On a contemporary large-sized and complex network, some computers are mobile and the available IP addresses are far from adequate compared with the fast-growing number of computers. To address the issue, the dynamic host configuration protocol (DHCP) was introduced. DHCP works in the client/server model, where the DHCP client requests the DHCP server for configuration information dynamically, and upon the receipt of the request the DHCP server returns the configuration information (IP address for example) based on the adopted policy.
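The source-MAC-based ARP attack detection and the ARP detection user validity check described under ARP Attack Defense above, run over constructed ARP records; this is an added example, not H3C code. The threshold value, the sliding-window counting, the addresses and every name in it are assumptions made for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 5.0  # the five-second interval named in the text
ARP_THRESHOLD = 4     # constructed; stands in for the configured "specified value"

FORWARD = "forward"
DROP = "drop: no matching binding"
ALERT = "alert: source MAC over threshold"


@dataclass(frozen=True)
class ArpPacket:
    ts: float        # arrival time in seconds
    vlan: int        # VLAN the packet was received from
    sender_mac: str  # source MAC address carried in the ARP packet
    sender_ip: str   # source IP address carried in the ARP packet


def user_validity_check(pkt, bindings):
    """User validity check: the (VLAN, source IP) pair must be bound to the
    packet's source MAC in the binding table."""
    return bindings.get((pkt.vlan, pkt.sender_ip)) == pkt.sender_mac.lower()


class SourceMacArpDetector:
    """Counts ARP packets per source MAC over the last `window` seconds
    (a sliding window is assumed; packets must arrive in time order)."""

    def __init__(self, threshold=ARP_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self._arrivals = defaultdict(deque)

    def observe(self, pkt):
        """Record the packet; return True while the MAC is over the threshold."""
        arrivals = self._arrivals[pkt.sender_mac.lower()]
        arrivals.append(pkt.ts)
        # The newest entry is never older than the window, so the deque
        # cannot be emptied by this loop.
        while pkt.ts - arrivals[0] >= self.window:
            arrivals.popleft()
        return len(arrivals) > self.threshold


def inspect(packets, bindings):
    """Return (packet, verdict) pairs in arrival order."""
    detector = SourceMacArpDetector()
    verdicts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        flooding = detector.observe(pkt)  # every ARP packet is counted
        if not user_validity_check(pkt, bindings):
            verdicts.append((pkt, DROP))
        elif flooding:
            verdicts.append((pkt, ALERT))
        else:
            verdicts.append((pkt, FORWARD))
    return verdicts


# Constructed binding table standing in for DHCP snooping entries and
# static IP-to-MAC bindings: (VLAN, IP) -> MAC.
BINDINGS = {
    (10, "192.0.2.1"): "00:0f:e2:00:00:01",   # gateway, static binding
    (10, "192.0.2.10"): "00:11:22:33:44:0a",  # Host A, learned via DHCP
    (10, "192.0.2.11"): "00:11:22:33:44:0b",  # Host B, learned via DHCP
}

# Constructed ARP records.
PACKETS = (
    [ArpPacket(0.0, 10, "00:11:22:33:44:0a", "192.0.2.10")]      # valid
    + [ArpPacket(0.5, 10, "00:11:22:33:44:ee", "192.0.2.1")]     # claims gateway IP
    + [ArpPacket(1.0 + 0.2 * i, 10, "00:11:22:33:44:0b", "192.0.2.11")
       for i in range(6)]                                        # burst from Host B
    + [ArpPacket(9.0, 10, "00:11:22:33:44:0b", "192.0.2.11")]    # after the burst
)

if __name__ == "__main__":
    for pkt, verdict in inspect(PACKETS, BINDINGS):
        print(f"{pkt.ts:4.1f}s {pkt.sender_mac} {pkt.sender_ip:<11} {verdict}")
```

The packet that claims the gateway address is dropped because its MAC does not match the binding, and the fifth and sixth packets of the burst are flagged even though their binding is valid.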

III. DHCP Server

With the built-in DHCP server function, an S5500-EI Ethernet switch can assign IP addresses to the hosts attached to it and manage the addresses, thus saving the operator's investment on external DHCP server.

IV. DHCP Snooping

The DHCP snooping function enables the acquisition of user IP addresses and MAC addresses by listening to DHCP broadcast packets. It can be used to improve network security and prevent unauthorized accesses.

Additionally, with the DHCP snooping function employed, ports are classified into trusted ports and untrusted ports. Ports with DHCP servers attached are trusted ports; and those with hosts attached are untrusted ports. The DHCP_ACK and DHCP_OFF packets received through untrusted ports are discarded, through which illegal DHCP servers can be prevented.

V. DHCP Option 82

DHCP uses the option field in DHCP messages to carry control information and network configuration parameters, implementing dynamic address allocation and providing more network configuration information for clients. Figure 3-6 shows the DHCP option format.

Figure 3-6 DHCP option format (fields: Option type, Option length, Value (variable))

Option 82 is the relay agent option in the option field of the DHCP message. It records the location information of the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client's request, it adds Option 82 to the request message and sends it to the server.

The administrator can locate the DHCP client to further implement security control and accounting. The Option 82 supporting server can also use such information to define individual assignment policies of IP address and other parameters for the clients.

Option 82 involves at most 255 sub-options. At least one sub-option must be defined. Now the DHCP relay agent supports two sub-options: sub-option 1 (Circuit ID) and sub-option 2 (Remote ID).

Option 82 has no unified definition. Its padding formats vary with vendors. You can use the following two methods to configure Option 82:
User-defined method: Manually specify the content of Option
Non-user-defined method: Pad Option 82 in the default normal or verbose mode.

If you choose the second method, you can specify the padding format for the sub-options as ASCII or HEX.

2) Normal padding format

sub-option 1: Padded with the VLAN ID and number of the port that received the client's request. The following figure gives its format. The value of the sub-option type is 1, and that of the circuit ID type is

Figure 3-7 Sub-option 1 in normal padding format (fields: Sub-option type (0x01), Length (0x06), Circuit ID type (0x00), Length (0x04), VLAN ID, Port number)

sub-option 2: Padded with the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device that received the client's request. The following figure gives its format. The value of the sub-option type is 2, and that of the remote ID type is

Figure 3-8 Sub-option 2 in normal padding format (fields: Sub-option type (0x02), Length (0x08), Remote ID type (0x00), Length (0x06), MAC Address)

3) Verbose padding format

The padding contents for sub-options in the verbose padding format are:

sub-option 1: Padded with the user-specified access node identifier (ID of the device that adds Option 82 in DHCP messages), and type, number, and VLAN ID of the port that received the client's request. Its format is shown in the following figure.

Figure 3-9 Sub-option 1 in verbose padding format (fields: Sub-option type (0x01), Length, Node identifier, Port type, Port number, VLAN ID)

sub-option 2: Padded with the MAC address of the interface that received the client's request. It has the same format as that in normal padding format, as shown in Figure
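A parser for Option 82 in the normal padding format of Figures 3-7 and 3-8, given as an added example that is not H3C code. It assumes the 4-byte circuit ID is a 2-byte VLAN ID followed by a 2-byte port number in network byte order (the figure gives only the combined length 0x04); the sample bytes and all function names are constructed.

```python
import struct

OPTION_82 = 82       # relay agent option
SUB_CIRCUIT_ID = 1   # sub-option 1 (Circuit ID)
SUB_REMOTE_ID = 2    # sub-option 2 (Remote ID)


class Option82Error(ValueError):
    """Raised when the bytes do not match the normal padding format."""


def _tlvs(data):
    """Split bytes into (type, value) pairs laid out as in Figure 3-6:
    one type byte, one length byte, then `length` bytes of value."""
    pos, out = 0, []
    while pos < len(data):
        if len(data) - pos < 2:
            raise Option82Error("truncated type/length at offset %d" % pos)
        kind, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise Option82Error(
                "type %d claims %d bytes, %d present" % (kind, length, len(value)))
        out.append((kind, value))
        pos += 2 + length
    return out


def _inner(value, expected_len, name):
    """Check the ID type (0x00) and inner length, then return the ID bytes."""
    if (len(value) != expected_len + 2
            or value[0] != 0x00 or value[1] != expected_len):
        raise Option82Error("%s is not in normal padding format" % name)
    return value[2:]


def parse_option82_normal(option):
    """Parse one complete Option 82, type and length bytes included."""
    fields = _tlvs(option)
    if len(fields) != 1 or fields[0][0] != OPTION_82:
        raise Option82Error("expected exactly one option of type 82")
    subs = _tlvs(fields[0][1])
    if not subs:
        raise Option82Error("Option 82 carries no sub-option")
    result = {"unparsed": []}
    for kind, value in subs:
        if kind == SUB_CIRCUIT_ID:
            # Assumption: 2-byte VLAN ID, then 2-byte port number.
            vlan, port = struct.unpack("!HH", _inner(value, 4, "sub-option 1"))
            result["vlan_id"], result["port"] = vlan, port
        elif kind == SUB_REMOTE_ID:
            mac = _inner(value, 6, "sub-option 2")
            result["remote_mac"] = ":".join("%02x" % b for b in mac)
        else:
            # Other sub-option types are recorded, not interpreted.
            result["unparsed"].append(kind)
    return result


# Constructed sample: option 82, length 0x12, VLAN 10, port 3,
# remote ID MAC 00:0f:e2:00:00:01.
SAMPLE = bytes.fromhex(
    "52 12"
    " 01 06 00 04 00 0a 00 03"
    " 02 08 00 06 00 0f e2 00 00 01"
)

# Constructed sample whose sub-option 1 is a 3-byte string, as a
# non-normal (for example verbose or user-defined) padding would be.
NOT_NORMAL = bytes([82, 5, 1, 3, 0x41, 0x42, 0x43])

if __name__ == "__main__":
    print(parse_option82_normal(SAMPLE))
    try:
        parse_option82_normal(NOT_NORMAL)
    except Option82Error as exc:
        print("rejected:", exc)
```

Because the padding format varies by vendor and by configuration, the parser rejects anything that does not match the normal layout instead of guessing at field boundaries.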

3.2.3 UDP Helper

The UDP helper function relays and forwards the specified UDP broadcast packets. It can transform UDP broadcast packets into unicast packets and send them to the specified servers. With the UDP helper function enabled, a switch determines whether or not to forward a received packet by the UDP port number carried in the packet. If the packet is to be forwarded, the switch modifies the destination IP address in the IP header and sends the packet to a specific destination server. Otherwise, the switch passes the packet to the upper layer modules. Because the DHCP relay function is present, the UDP helper function does not relay DHCP packets on the S5500-EI series switches.

DNS

Domain name system (DNS) is a distributed database used for TCP/IP applications. It performs translations between domain names and IP addresses. DNS allows you to replace IP addresses with domain names, which are meaningful and easy to memorize. Domain name-to-IP address resolution is carried out by the DNS server.

There are two kinds of domain name resolution, namely static domain name resolution and dynamic domain name resolution, which supplement each other in real applications. You can configure the switch to resolve domain names in the static way, with dynamic resolution as the last resort. By adding commonly used domain names to the static domain name resolution table, you can greatly improve the efficiency of domain name resolution.

I. Static domain name resolution

To enable static domain name resolution, you need to establish domain name-to-IP address maps. When you use a domain name for an application, the corresponding IP address can be obtained through the static domain name resolution table.

II. Dynamic domain name resolution

Dynamic domain name resolution is implemented by querying the DNS server. With dynamic domain name resolution adopted, a DNS client sends DNS requests to the DNS server for the corresponding IP address. The DNS server in turn searches its own database for the IP address corresponding to the domain name and sends the IP address back to the DNS client. If the DNS server cannot find the corresponding IP address in its database, it forwards the DNS request to the DNS server one level higher than itself for the domain name to be resolved. This process continues until the domain name is resolved.

An S5500-EI Ethernet switch supports static domain name resolution and can operate as a DNS client when dynamic domain name resolution is adopted. Besides
IPv4 address-to-domain name conversion, that of IPv6 is also available on an S5500-EI switch.

OAM (802.3ah)

Ethernet OAM (operation, administration, and maintenance) is a tool for monitoring networks. It operates on the data link layer and can report information about networks to network administrators through the OAMPDUs exchanged between devices, enabling network administrators to manage the network more effectively.

Currently, Ethernet OAM is mainly used for detecting data link layer problems occurring in the last mile. By enabling Ethernet OAM on two devices connected by a point-to-point connection, you can monitor the status of the link between the two devices. Ethernet OAM provides the following functions:
Link performance monitoring, for detecting link errors
Fault detection and alarm, for reporting link errors to the administrators
Loopback testing, for detecting link errors through non-OAMPDUs

Connectivity Fault Detection (802.1ag)

Connectivity fault detection (CFD) is a Layer 2 link OAM (Operations, Administration and Maintenance) mechanism used for link connectivity detection and fault locating.

I. Maintenance domain

A maintenance domain (MD) is the part of the network where CFD plays its role. The MD boundary is defined by maintenance points configured on the ports. An MD is identified by its MD name and is assigned one of 8 levels, represented by the integers 0 to 7. The bigger the number, the higher the level. A higher level MD can contain lower level MDs, but they cannot overlap. In other words, a higher level MD covers a larger area than a lower level MD.

II. Maintenance association

A maintenance association (MA) is a set of maintenance points in a maintenance domain. It is identified in the form MD name + MA name. An MA works within a VLAN. Packets sent by the maintenance points in an MA carry the corresponding VLAN tag. A maintenance point can receive packets sent by other maintenance points in the same MA.

III. Maintenance point

A maintenance point (MP) is configured on a port and belongs to an MA. MPs are divided into two types: maintenance association end point (MEP) and maintenance association intermediate point (MIP).

MEP

Each MEP is identified by an integer called the MEP ID. The MEPs define the range of the MD. The MA and MD that MEPs belong to define the VLAN attribute and level of the packets sent by the MEPs. MEPs are divided into inbound MEPs and outbound MEPs. In Figure 3-10, outbound MEPs are configured on the ports. In Figure 3-11, inbound MEPs are configured on the two ports.

[Figure 3-10 Outbound MEP]

[Figure 3-11 Inbound MEP]

MIP

A maintenance association intermediate point (MIP) can handle and respond to CFD packets. The MA and MD that a MIP belongs to define the VLAN attribute and level of the packets received.

Figure 3-12 shows an example of how the CFD module grades MD levels. In the figure, there are six devices, labeled 1 to 6. Suppose each device has two ports, and MEPs and MIPs are configured on some of these ports. Four levels of MDs are designed in this example; the bigger the number, the higher the level and the larger the area covered. In this example, the X port of device 2 is configured with the following MPs: a level 5 MEP, a level 3 inbound MEP, a level 2 inbound MEP, and a level 0 outbound MEP.

[Figure 3-12 Levels of MPs. Legend: Port; Maintenance Association; MEP (number is MD level); MIP (number is MD level); Logical path of CFD messages]

3.3 NTP

Clock synchronization among devices becomes important given increasingly complex network topologies. The network time protocol (NTP) is a TCP/IP protocol that advertises accurate time on the entire network.

NTP provides a consistency guarantee for the following applications:
When incremental backup is performed between a backup server and a client, it ensures that the clocks of the two systems are synchronized.
When multiple systems are used to deal with complex events, it ensures the correct order of these events.
It ensures the normal performance of Remote Procedure Calls (RPC) between systems.
It provides application programs with time information about operations such as user system login and file modification.

3.4 Routing Features

Note: As an L3 switch is capable of routing, "router" in this chapter refers to generic routers or L3 routing switches that run routing protocols.

3.4.1 Static Route and Default Route

I. Static route

Static routes are configured by the network administrator manually. In a network with a simple structure, static routes can ensure normal running of the switches. Configuring static routes correctly can ensure network security effectively and provide bandwidth for important applications.

The disadvantage of static routes is that they do not adapt when the network topology changes, for example because of a network device failure. The network administrator has to configure static routes again based on the new network topology.

II. Default route

Default routes are used only when a router fails to find any matching route. In a routing table, the default route is the route to
Default routes can save bandwidth resources occupied by packet forwarding and save routing time, thus enabling a great number of users to communicate simultaneously.

RIP v1/v

Route information protocol (RIP) is a widely used interior gateway protocol (IGP). It is based on the distance-vector (D-V) algorithm and is suitable for small-sized and simple networks.

RIP exchanges routing information regularly through user datagram protocol (UDP) packets. The port used is port 520. It uses hop count as the routing metric and allows up to 15 hops.

RIPv2 supports plain text authentication and message-digest 5 (MD5) authentication, as well as variable-length subnet masks.

RIP v1 and RIPv2 support IPv4 routes only.

RIPng

RIP next generation (RIPng) is enhanced RIP-2. Most RIP parameters remain valid in RIPng. Compared with RIP, the following are new in RIPng, which enable it to be implemented in an IPv6 network:
Port 521 is used to send and receive routing information.
FF02::9 is used as the local RIPng multicast address.
The prefix (also the mask) is 128 bits in length.
The next hop address is an IPv6 address, which is 128 bits in length.
The local link address (FE80::/10) is used as the source address to send RIPng routing information update packets.

RIPng is based on the D-V algorithm. It uses UDP to exchange routing information through port 521.

In RIPng, hop count is used to measure the distance to the destination host; the distance is also known as metric or overhead. In RIPng, the hop count to a directly connected network is 0, the hop count between two directly connected routers is 1, and so on. A metric equal to or exceeding 16 indicates that the destination network or host is unreachable.

By default, RIPng sends route update packets once every 30 seconds. If no route update packet is received from a network neighbor within 180 seconds, RIPng identifies all the routes learned from the neighbor as unreachable. If no route update packet is received from a neighbor within 300 seconds, RIPng removes the routes from the routing table.

To improve performance and avoid route loops, RIPng supports both split horizon and poison reverse. Besides, RIPng can also use routes learned by other routing protocols.

Each router with RIPng employed maintains a route database that contains the routes to all reachable destination addresses in the destination network. A route entry in the routing database contains the following information:
Destination address: IPv6 address of a host or a network
Next hop address: Address of the next router to the destination
Interface: Interface through which the IP packets are forwarded
Overhead: Number of hops to reach the destination
Timer: Records the time elapsed since the latest modification made to the route entry. Modifying a route entry resets the corresponding timer to 0.
Route tag: Tag differentiating between internal routing protocols and external routing protocols

3.4.4 OSPF v1/v2

Open shortest path first (OSPF) is an IGP. It operates based on link-state (L-S) messages and is designed for networks that are larger in size and complicated in structure.

A router uses OSPF to maintain the routing information within an autonomous system (AS). In an AS, each OSPF router collects and broadcasts link state information throughout the AS by using the flooding algorithm to keep the link state database (LSDB) of the AS synchronized. A router calculates the shortest-path tree using the LSDB, taking itself as the root and other network nodes as leaves, thus obtaining its optimal reachable routes inside the system.

Both OSPF v1 and OSPFv2 support IPv4-based routing only.

Figure 3-13 shows the format of the header of an OSPF packet.
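The AuType and Authentication fields described in this section are what an auditor reads from a capture to see how the OSPF routers on a segment authenticate each other. The following Python parser is an added example, not code from the H3C document: it decodes the 24-byte OSPFv2 header and flags AuType 0 and AuType 1. The field widths, and the rule that the MD5 digest follows the packet without being counted in Packet Length, are taken from RFC 2328 rather than from this page; the sample packets are constructed.

```python
import socket
import struct

# Version, Type, Packet Length, Router ID, Area ID, Checksum, AuType,
# Authentication (8 bytes) = 24 bytes in network byte order.
HEADER = struct.Struct("!BBH4s4sHH8s")
PACKET_TYPES = {1: "Hello", 2: "DD", 3: "LSR", 4: "LSU", 5: "LSAck"}


def parse_ospfv2_header(packet: bytes) -> dict:
    """Decode and sanity-check the OSPFv2 header at the start of `packet`."""
    if len(packet) < HEADER.size:
        raise ValueError("shorter than the 24-byte OSPF header")
    (version, ptype, length, router_id, area_id,
     _checksum, autype, auth) = HEADER.unpack_from(packet)
    if version != 2:
        raise ValueError(f"version {version} is not OSPFv2")
    if ptype not in PACKET_TYPES:
        raise ValueError(f"packet type {ptype} is outside 1-5")
    if not HEADER.size <= length <= len(packet):
        raise ValueError("Packet Length does not fit the captured data")
    header = {
        "type": PACKET_TYPES[ptype],
        "length": length,
        "router_id": socket.inet_ntoa(router_id),
        "area_id": socket.inet_ntoa(area_id),
        "autype": autype,
    }
    if autype == 1:
        # Simple authentication: the field holds the password itself.
        header["password"] = auth.rstrip(b"\x00")
    elif autype == 2:
        # MD5: two zero bytes, Key ID, authentication data length, sequence number.
        _zero, key_id, auth_len, sequence = struct.unpack("!HBBI", auth)
        header.update(key_id=key_id, auth_data_len=auth_len, sequence=sequence)
        # Bytes after Packet Length are where the digest is appended.
        header["trailer_len"] = len(packet) - length
    return header


def audit_auth(header: dict) -> list:
    """Return finding codes for the authentication setting of one packet."""
    autype = header["autype"]
    if autype == 0:
        return ["no-authentication"]
    if autype == 1:
        return ["cleartext-password"]  # readable by anyone on the segment
    if autype == 2:
        findings = []
        if header["auth_data_len"] != 16:
            findings.append("md5-length-not-16")
        if header["trailer_len"] < header["auth_data_len"]:
            findings.append("md5-digest-missing")
        return findings
    return ["unknown-autype"]


def build_header(autype: int, auth: bytes, trailer: bytes = b"") -> bytes:
    """Constructed Hello header (no body): router 192.0.2.1, area 0.0.0.0,
    checksum left at 0 and not verified by the parser."""
    return HEADER.pack(2, 1, HEADER.size, socket.inet_aton("192.0.2.1"),
                       socket.inet_aton("0.0.0.0"), 0, autype, auth) + trailer


# Constructed samples, one per AuType value.
NO_AUTH = build_header(0, b"")
SIMPLE = build_header(1, b"s3cret")
MD5 = build_header(2, struct.pack("!HBBI", 0, 1, 16, 1000), bytes(16))

if __name__ == "__main__":
    for name, pkt in (("none", NO_AUTH), ("simple", SIMPLE), ("md5", MD5)):
        print(name, audit_auth(parse_ospfv2_header(pkt)))
```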

[Figure 3-13 OSPF packet header]

Some of the fields are described as follows:
Version: OSPF version number. For OSPFv2, this field takes the value of 2.
Type: OSPF packet type. It is in the range of 1 to 5, which correspond to Hello, DD (database description), LSR (link state request), LSU (link state update), and LSAck (link state acknowledgement) packets.
Packet Length: Total size (in bytes) of an OSPF packet (including the header).
AuType: Authentication type. The value can be 0, 1, or 2, which correspond to no authentication, simple authentication, and MD5 authentication.
Authentication: Its value depends on the AuType field. If AuType is set to 0, this field is not defined; if AuType is set to 1, this field holds the password; and if AuType is set to 2, this field holds the Key ID, the MD5 authentication data length, and the serial number.

OSPF v3

OSPFv3 provides support for IPv6 and is described in RFC 2740 (OSPF for IPv6). Figure 3-14 illustrates the format of the header of an OSPFv3 packet.

[Figure 3-14 OSPFv3 packet header]

Some of the fields are described as follows:
Version: OSPF version number. For OSPFv3, this field takes the value of 3.
Type: OSPF packet type. It is in the range of 1 to 5, which correspond to Hello, DD, LSR, LSU, and LSAck packets.
Packet Length: Total size (in bytes) of an OSPF packet (including the header).
Instance ID: ID of an instance attached to the same link.
0: This field is reserved and must be 0.

The following are common to both OSPFv3 and OSPFv2:
Both have a 32-bit Router ID and Area ID.
Both process the same types of packets: Hello, DD, LSR, LSU, and LSAck.
Both adopt the same mechanism for neighbor discovery and neighborhood formation.
Both adopt the same LSA advertisement and aging mechanism.

OSPFv3 and OSPFv2 are different in that:
OSPFv3 is link-based, while OSPFv2 is network-based.
OSPFv3 allows multiple instances on the same link.
OSPFv3 identifies neighbors by router ID. OSPFv2, however, identifies neighbors by IP address.

Introduction to IS-IS

Intermediate System-to-Intermediate System (IS-IS) is an interior gateway protocol (IGP) used within an Autonomous System. It adopts the Shortest Path First (SPF) algorithm for route calculation.

I. Two-level hierarchy

IS-IS uses a two-level hierarchy in the routing domain to support large scale routing networks. A large routing domain is divided into multiple areas. The Level-1 router is in charge of forwarding routes within an area, and the Level-2 router is in charge of forwarding routes between areas.

II. Level-1 and Level-2

1) Level-1 router

The Level-1 router only establishes the neighbor relationship with Level-1 and Level-1-2 routers in the same area. The LSDB maintained by the Level-1 router contains the local area routing information. It directs the packets out of the area to the nearest Level-1-2 router.

2) Level-2 router

The Level-2 router establishes neighbor relationships with the Level-2 and Level-1-2 routers in the same or in different areas. It maintains a Level-2 LSDB which contains inter-area routing information. All the Level-2 and Level-1-2 routers must be contiguous to form the backbone in a routing domain. Only Level-2 routers can directly communicate with routers outside the routing domain.

3) Level-1-2 router

A router with both Level-1 and Level-2 router functions is called a Level-1-2 router. It can establish the Level-1 neighbor relationship with the Level-1 and Level-1-2 routers
in the same area, or establish the Level-2 neighbor relationship with the Level-2 and Level-1-2 routers in different areas. A Level-1 router must be connected to other areas via a Level-1-2 router. The Level-1-2 router maintains two LSDBs, where the Level-1 LSDB is for routing within the area, and the Level-2 LSDB is for routing between areas.

Note: The Level-1 routers in different areas cannot establish the neighbor relationship. The neighbor relationship establishment of Level-2 routers has nothing to do with area.

Figure 3-15 shows a network topology running the IS-IS protocol. Area 1 is a set of Level-2 routers, called the backbone network. The other four areas are non-backbone networks connected to the backbone through Level-1-2 routers.

[Figure 3-15 IS-IS topology]

Figure 3-16 shows another network topology running the IS-IS protocol. The Level-1-2 routers connect the Level-1 and Level-2 routers, and also form the IS-IS backbone together with the Level-2 routers. There is no area defined as the backbone in this topology. The backbone is composed of all contiguous Level-2 and Level-1-2 routers, which can reside in different areas.

[Figure 3-16 IS-IS topology]

Note: The IS-IS backbone does not need to be a specific area.

Both the IS-IS Level-1 and Level-2 routers use the SPF algorithm to generate the Shortest Path Tree (SPT).

III. Interface routing hierarchy type

You can configure the routing type for each interface. For a Level-1-2 router, one interface may establish Level-1 adjacency with a router, and another one may establish Level-2 adjacency with another router. You can limit the adjacency type by configuring the routing hierarchy on the interface. For example, a level-1 interface can only establish Level-1 adjacency, while a level-2 interface can only establish Level-2 adjacency.

With this function, you can prevent the Level-1 hello packets from propagating to the Level-2 backbone through the Level-1-2 router. This saves bandwidth.

IV. Route leaking

An IS-IS routing domain is comprised of only one Level-2 area and multiple Level-1 areas. A Level-1 area is connected with the Level-2 area rather than other Level-1 areas.

The routing information of the Level-1 area is sent to the Level-2 area through the Level-1-2 router. Therefore, the Level-2 router knows the routing information of the entire IS-IS routing domain but does not share the information with the Level-1 area by default.

Since the Level-1 router simply sends the routing information for destinations outside the area to the nearest Level-1-2 router, the best path may not be selected.

To solve this problem, route leaking was introduced. The Level-2 router can advertise the Level-2 routing information to a specified Level-1 area. By having the routing information of other areas, the Level-1 router can make a better routing choice for the packets destined outside the area.

Introduction to IPv6 IS-IS

The IS-IS routing protocol (Intermediate System-to-Intermediate System intra-domain routing information exchange protocol) supports multiple network protocols, including IPv6. IS-IS with IPv6 support is called the IPv6 IS-IS dynamic routing protocol. The international engineer task force (IETF) defines two type-length-values (TLVs) and a new network layer protocol identifier (NLPID) to enable IPv6 support for IS-IS.

TLV is a variable field in the link state PDU or link state packet (LSP). The two TLVs are:
IPv6 Reachability: Defines the prefix and metric of routing information to indicate the network reachability, with a type value of 236 (0xEC).
IPv6 Interface Address: Similar to the IP Interface Address TLV of IPv4, it changes the 32-bit IPv4 address to the 128-bit IPv6 address.

NLPID is an 8-bit field with a value of 142 (0x8E), which indicates the network layer protocol packet. If the IS-IS router supports IPv6, the advertised routing information must be marked with the NLPID.

BGP

Border gateway protocol (BGP) is an inter-AS dynamic route discovery protocol. BGP basically functions to exchange loop-free routing information between ASs. As the path reachability information contains attributes such as AS numbers, BGP enables routers to obtain the AS topology of a network, eliminates routing loops, and implements user routing policies.

BGP is often used between Internet service providers (ISPs). It provides various ways of exchanging border routing information and route selection and is highly scalable to accommodate rapid growth of the Internet. Different from other dynamic routing protocols, BGP exchanges routing information through TCP packets.

At present, BGPv4 is commonly used. It has become the de facto external routing standard.

BGP4+

To provide support for multiple network layer protocols, IETF extended BGP-4 to form BGP4+. BGP4+ is described in RFC 2858 (Multiprotocol extensions for BGP-4).

BGP4+ provides support for IPv6 by mapping IPv6 network layer protocol information to the NLRI (network layer reachable information) and Next_Hop attributes.

In BGP4+, the following two NLRI attributes are added:
MP_REACH_NLRI (multiprotocol reachable NLRI), which is used to advertise reachable routes and next-hop information.
MP_UNREACH_NLRI (multiprotocol unreachable NLRI), which is used to remove unreachable routes.

In BGP4+, the Next_Hop attribute holds an IPv6 address, which can be either an IPv6 global unicast address or the local address of the next hop.

BGP multi-protocol extension enables BGP4+ to be employed in IPv6 networks. Note that the BGP message mechanism and routing mechanism remain unchanged.

Equivalent Route

Equivalent routes are routes whose destinations and priorities are the same. Equivalent routes are used when no route leading to the same destination and with higher priority exists. Packets are forwarded to the destination through a path calculated based on packet source and destination IP addresses, so as to implement load sharing in the network.

A routing protocol may discover different routes to the same destination. If the routing protocol has the highest priority among all the active routing protocols, these routes are regarded as valid routes. Thus, load sharing of IP traffic is ensured in terms of routing protocol.

Routing Policy

Routing policies are used to improve the control and management of routing protocols.

As for the exchange of routing information performed between routers, you can configure the routers to receive/advertise specific types of routing information only. When a router imports the routing information generated by other routing protocols, you can specify that only a specific type of routing information is imported and modify the attributes of the routing information for the current protocol. All these can be achieved through routing policies.

A routing policy comprises a set of rules that regulate route advertisement, route receiving, and route importing procedures. A routing policy is also known as route filtering. A rule in a routing policy is actually a filter. Rules of a routing policy are used when a piece of routing information is to be received/advertised or when routing information of different protocols is exchanged.

MCE Features

It is difficult to use traditional routers to isolate services in LANs. There are two ways to isolate services in LANs:

As shown in Figure 3-17, you can use VLANs to isolate services, partitioning a user to an independent VLAN.

[Figure 3-17 Isolate services with VLANs]

As shown in, you can use CEs to isolate services, deploying an independent CE router for each user.

[Figure 3-18 Isolate services with CEs]

The above solutions deploy traditional devices, are not cost-effective, and require more network management and user/site deployment. To solve the problem, Multi-VPN-Instance CE (MCE) can provide logically independent route instances and addresses on CEs, allowing multiple users to share a CE. MCE solves the problem of isolating services in LANs and ensures security, providing a new, cost-effective, and easy-to-manage solution.

URPF Features

The main function of Unicast Reverse Path Forwarding (URPF) is to prevent source IP address-based spoofing network attacks.

In a source IP address-based spoofing attack, the attacker fakes a series of packets carrying spoofed source IP addresses. For applications that authenticate by IP address, such an attack can let unauthorized users access the system as other legal users, even as the administrator, and so cause damage to the attacked objects even if response packets cannot reach the attacker.

[Figure 3-19 Source IP address attack: Switch A, Switch B, Switch C; label: Source IP address]

As shown in Figure 3-19, the attacker fakes a packet with the source IP address being /8 on Switch A and sends a request to Switch B. When returning a response, Switch B sends a packet to the router whose authentic IP address is /8. Such illegal packets can attack both Switch B and Switch C.

The URPF technology is used in the above environment to prevent source IP address-based spoofing attacks.

3.5 Multicast Features

IGMP Snooping

Internet group management protocol snooping (IGMP Snooping) operates on Layer 2 Ethernet switches. It provides a mechanism to manage and control multicast groups.

IGMP snooping runs on the link layer. It checks the information carried in the IGMP packets exchanged between hosts and routers. On the detection of an IGMP host report message, the switch adds the host to the corresponding multicast table. On the detection of an IGMP Leave message, the switch removes the corresponding multicast entry from the multicast table. By continuously listening to IGMP packets, a switch creates and maintains a Layer 2 MAC multicast address table, through which the switch forwards the multicast packets transmitted by the routers.

When IGMP Snooping is not enabled, multicast packets are broadcast on Layer 2. When IGMP Snooping is enabled, the packets are multicast instead of being broadcast on Layer

[Figure 3-20 IGMP Snooping: multicast packet transmission without IGMP Snooping, and multicast packet transmission when IGMP Snooping runs]

IGMP

Internet group management protocol (IGMP) is a protocol in the TCP/IP protocol suite. It manages the members of an IP multicast group by establishing and maintaining the multicast membership between IP hosts and the directly connected multicast routers.

IGMP has two components, one of which is for hosts and the other for routers.

A host reports its group membership information to the shared network it resides in.
All the IGMP-enabled routers in the same network segment elect the querier. The querier periodically advertises group member query messages in the shared network. The hosts in the network respond to the messages by reporting their group membership information. Then, the querier refreshes the group membership based on the responses received.

IGMP is required for all the hosts participating in multicast. A host participating in IP multicast can join/exit a multicast group anywhere at any time, regardless of the total number of group members.

A multicast router does not (and cannot) save the membership information of all the hosts. It only uses IGMP to check the network segment connected to each of its interfaces for any receiver of a multicast group, namely, a multicast group member. A host only needs to keep the information about the multicast groups which it belongs to.

Currently, IGMP is available in three versions: IGMPv1 (described in RFC 1112), IGMPv2 (described in RFC 2236), and IGMPv3 (described in RFC 3376), all of which support the ASM (any-source multicast) model. In addition, IGMPv3 provides support for the SSM (source-specific multicast) model.

The S5500-EI series support IGMPv1/v2/v3.

I. IGMPv1 operating mechanism

Comware implements IGMPv1 and achieves multicast group management by adopting the query and response mechanism.

IGMP uses Designated Routers (DR) elected by Layer 3 routing protocols as the querier. Query messages are sent by DRs. Figure 3-21 shows how IGMPv1 works:

[Figure 3-21 IGMPv1 operating mechanism]

A host goes through the following phases to join a multicast group.

Assume that Host B and Host C are expected to receive multicast data addressed to multicast group G1, while Host A is expected to receive multicast data addressed to G2, as shown in Figure
The following describes how the hosts join the multicast groups and the IGMP querier (Router B in the figure) maintains the multicast group memberships:

1) The hosts send unsolicited IGMP reports to the addresses of the multicast groups that they want to join, without having to wait for the IGMP queries from the IGMP querier.

2) The IGMP querier periodically multicasts IGMP queries (with the destination address of ) to all hosts and routers on the local subnet.

3) Upon receiving a query message, Host B or Host C (the delay timer of whichever expires first) sends an IGMP report to the multicast group address of G1, to announce its membership for G1. Assume it is Host B that sends the report message. Upon hearing the report from Host B, Host C, which is on the same subnet as Host B, suppresses its own report for G1, because the IGMP routers (Router A and Router B) already know that at least one host on the local subnet is
interested in G1. This mechanism, known as IGMP report suppression, helps reduce traffic on the local subnet.

4) At the same time, because Host A is interested in G2, it sends a report to the multicast group address of G2.

5) Through the above-mentioned query/report process, the IGMP routers learn that members of G1 and G2 are attached to the local subnet, and the multicast routing protocol (PIM for example) running on the routers generates (*, G1) and (*, G2) multicast forwarding entries, which will be the basis for subsequent multicast forwarding, where * represents any multicast source.

6) When the multicast data addressed to G1 or G2 reaches an IGMP router, because the (*, G1) and (*, G2) multicast forwarding entries exist on the IGMP router, the router forwards the multicast data to the local subnet, and then the receivers on the subnet receive the data.

No leave multicast group message is defined in IGMPv1; therefore, a host is considered to have left a multicast group if it does not respond to query messages for a specific period of time. When all the multicast group members exit the multicast group, the branch corresponding to the network segment is pruned from the multicast tree.

II. Newly added functions in IGMPv2

Compared with IGMPv1, the following are new in IGMPv2.

Querier election mechanism

In a shared network segment with multiple routers operating in it, all routers running IGMP in this network segment can receive the membership reports from the hosts. As only one router is needed to send membership query messages, the one acting as the querier needs to be determined among these routers.

In IGMPv1, the querier is determined by multicast routing protocols. In IGMPv2, the multicast router with the smallest IP address acts as the querier.

Leave-group mechanism

In IGMPv1, a host leaves a multicast group without informing any multicast router. A multicast router determines whether or not a host has left a multicast group by checking timed out query messages. In IGMPv2, however, a host multicasts ( ) a leave-group message to all the multicast routers in the network before leaving the multicast group. A multicast router sends group-specific query messages to the network to determine if a multicast group is empty.

Group-specific query message

In IGMPv1, general queries are performed, that is, query messages generated by a multicast router are sent to all the multicast groups in the network segment. In IGMPv2, group-specific queries are performed in addition to general queries. In a group-specific query message, both the destination IP address field and the group address field hold the IP address of the same multicast group. And only the members of the multicast
group respond to the query message. This prevents hosts of other multicast groups from sending response packets.

The maximum response time field

The maximum response time field is added in IGMPv2. This field enables a host to dynamically adjust the interval at which it responds to multicast group query messages.

III. Enhancements made in IGMPv3

1) Enhancement in host control

In addition to being compatible with IGMPv1 and IGMPv2, IGMPv3 enhances host control. You can not only designate the multicast group that a host is to join, but also specify the multicast source whose information is to be received. (The latter is known as the source-specified multicast function.)

By setting the Filter-Mode field in the IGMP report messages to the Include mode and specifying the multicast source addresses in the IGMP report messages, a host can obtain information from specific multicast sources. The multicast sources here are marked as Include Sources (S1, S2, ) in the IGMP report messages.

To reject information sent from specific sources, the host can request to receive multicast packets from the multicast sources other than those specified, which are identified as Exclude Sources (S1, S2, ) in IGMP report messages.

For example, assume that S1 and S2 are two multicast sources in the same multicast group G. The host User B wants the information sent from S1 only. Figure 3-22 shows the network diagram.

[Figure 3-22 Path of the multicast flow with multicast source/multicast group specified]

If IGMPv1 or IGMPv2 is employed between the hosts and the routers, the host User B can only join the multicast group G but cannot select the multicast sources. Therefore, the information from the multicast sources S1 and S2 is forwarded to User B no matter
73 3.5.3 PIM-DM whether or not User B wants the information. With IGMPv3 employed, the host User B can request to join the multicast group G corresponding to the specified multicast source S1 or exit the multicast group G corresponding to the specified multicast source S2. Therefore, only the information from the multicast source S1 is forwarded to User B. 2) Enhancement in query and response messages Query messages carrying source address Besides general query (available in IGMPv1) and group-specific query (available in IGMPv2), IGMPv3 supports source-/group-specific query. An IGMPv3 message carries the multicast source address and a number of control fields, such as the querier robust index and query interval. A general query message carries no group address or source address. A group-specific query message carries a group address but no source address. A source-/group-specific query message carries one or more source addresses besides a group address. Response message carrying multiple multicast group entries The response messages and query messages in IGMPv1 and IGMPv1 have the same packet structure. That is, a IGMPv1/IGMPv2 response packet or query packet contains a multicast group address information only besides the payload. An IGMPv3 response message contains the group address , carrying one or more group entries, each of which contains a multicast group address and one or more multicast source addresses. The multicast group entries in an IGMPv3 response message fall into the following types. Current state. Entries of this type indicate the current receiving state of the interface. The state can be Include or Exclude. In the Include state, the specified multicast source addresses are included. In the Exclude state, the multicast source addresses other than the specified source addresses are included. Filter mode change. Entries of this type indicate the switching between the Include state and the Exclude state. Source address list change. 
Entries of this type indicate that new multicast sources are added or certain multicast sources are removed. Protocol independent multicast, dense mode (PIM-DM) is a multicast routing protocol suitable for small-sized networks where multicast group members are relatively dense. PIM-DM assumes that each subnet in the network contains at least one receiver that is interested in the multicast source. Therefore, multicast packets flood to all over the nodes in the network. This consumes related system resources (such as bandwidth and router CPUs). To decrease resource consumption, the PIM-DM prunes the branches where no multicast packets are forwarded. The system periodically restores the pruned branches 3-30

74 3.5.4 PIM-SM MSDP back into forwarding status for fear of multicast packets to be forwarded occurring in them. To reduce the delay involved in this status recovery, the PIM-DM implements automatic recovery of packet forwarding by using the graft mechanism. Such periodic flooding and pruning are characteristic of the PIM-DM and suitable for small-sized LANs only. The "flood-prune" technology adopted in PIM-DM does not work on a wide area network (WAN). Generally, the forwarding path of packets in dense mode is a "source tree" with the multicast source as its root and the multicast group members as its leaves. Since the source tree follows the shortest paths from the multicast source to the receivers, it is also called the shortest path tree (SPT). Protocol Independent Multicast, Sparse Mode (PIM-SM) is a multicast routing protocol mainly used in large-scaled networks where group members are scattered sparsely. PIM-SM assumes that no host needs to receive multicast packets unless there is an explicit request. PIM-SM uses (Rendezvous Points) RPs to forward multicast information to all PIM-SM routers connected to the receiver so that the receiver can receive the multicast data flow from a specific multicast group. Multicast forwarding through an RP reduces the bandwidth consumed by data packets and control packets and lowers router processing overhead At the receiving end, the router connected to the receiver that is to receive the information sends a Join message to the RP corresponding to the multicast group. The Join message reaches the root (RP) after passing through routers. The paths that the message followed becomes the braches of the rendezvous point tree (RPT). For the transmitting end to send data to a specific multicast group, the first hop router requests registration with the RP, which triggers the generation of the source tree upon receiving the registration message. Then, the multicast source sends the data to the RP. 
When the data reaches the RP, the multicast packet is replicated and sent to receivers along the braches of the RPT. Replication occurs only where the RPT branches. This process automatically repeats until the packets reach the receivers. PIM-SM uses an existing unicast routing table, instead of a unicast routing protocol, to perform the RPF check. No ISP would like to forward multicast traffic through the RP of any competitor. However, an ISP has to obtain information from the source and distribute it among its members wherever the source RP is. Multicast Source Discovery Protocol (MSDP) is used to discover multicast source information in other PIM-SM domains. MSDP is significant to the Any-Source Multicast (ASM) model only. 3-31

MSDP describes the mechanism for interconnecting multiple PIM-SM domains and allows RPs from different domains to share the multicast source information as long as PIM-SM is the adopted intra-domain multicast routing protocol.

I. MSDP peer

If an active multicast source S exists in a PIM-SM domain, the RP in the domain can learn of the existence of the multicast source S through multicast source registration. For a PIM-SM domain administered by another ISP to retrieve information from the multicast group, the routers in the two PIM-SM domains must become MSDP peers, as shown in Figure 3-23.

[Figure 3-23 MSDP peers. Diagram labels: MSDP peers, Multicast packets, SA message, Join message, Register message, Receiver, Source, DR 1, DR 2, RP 1, RP 2, RP 3, PIM-SM 1, PIM-SM 2, PIM-SM 3, PIM-SM 4.]

An active multicast source S is on the PIM-SM 1 network, where RP 1 learns of the location of the multicast source S through multicast source registration and periodically sends Source Active (SA) messages to the MSDP peers (RPs) in other PIM-SM domains. An SA message contains the IP address of the multicast source S, the multicast group address G, and the address of the RP that generated the message. In addition, it contains the multicast data received by the RP in PIM-SM 1. The SA message is forwarded and ultimately reaches all MSDP peers. Thus, the information of the multicast source S in a PIM-SM domain is forwarded to all PIM-SM domains.

II. Typical MSDP implementation

MSDP can also be used to implement Anycast RP. Anycast RP forms an MSDP peer relationship in a PIM-SM domain between two RPs that have the same address, thereby implementing traffic sharing and redundant backup among RPs within the domain.

Within a PIM-SM domain, configure an interface (usually a Loopback interface) on each router with the same IP address and enable C-RP on these interfaces, so that an MSDP peer relationship is formed among them, as shown in Figure 3-24.

[Figure 3-24 An anycast RP implementation. Diagram labels: RP 1, RP 2, Router A, Router B, Source, Receiver, MSDP peers, SA message, PIM-SM.]

MBGP

BGP-4 is capable of carrying routing information for IPv4 only. IETF defined multiprotocol BGP extensions to carry routing information for multiple network layer protocols.

For a network, the multicast topology may be different from the unicast topology. To meet this requirement, the multiprotocol BGP extensions enable BGP to carry the unicast Network Layer Reachability Information (NLRI) and the multicast NLRI separately, and the multicast NLRI is used exclusively to perform reverse path forwarding (RPF). In this way, route selection for a destination through the unicast routing table and through the multicast routing table will have different results, ensuring normal unicast and multicast routing.

Multi-protocol BGP is defined in RFC 2858 (Multiprotocol Extensions for BGP-4). Multi-protocol BGP for IP multicast is referred to as Multicast BGP (MBGP) for short.

Multicast VLAN

As shown in Figure 3-25, in the traditional multicast programs-on-demand mode, when hosts Host A, Host B and Host C, belonging to different VLANs, require the multicast programs-on-demand service, the Layer 3 device, Router A, needs to forward a separate copy of the multicast traffic in each user VLAN to the Layer 2 device, Switch A. This results in not only a waste of network bandwidth but also an extra burden on the Layer 3 device.

[Figure 3-25 Multicast transmission without multicast VLAN. Diagram labels: Multicast packets, Source, Router A (IGMP querier), Switch A, VLAN 2 with receiver Host A, VLAN 3 with receiver Host B, VLAN 4 with receiver Host C.]

The multicast VLAN feature configured on the Layer 2 device is the solution to this issue. With the multicast VLAN feature, the Layer 3 device needs to replicate the multicast traffic only in the multicast VLAN instead of making a separate copy of the multicast traffic in each user VLAN. This saves network bandwidth and lessens the burden on the Layer 3 device.

The multicast VLAN feature can be implemented in two approaches, as described below:

I. Port-based multicast VLAN

Port-based multicast VLAN is also known as the traditional multicast VLAN. By assigning hybrid ports to a multicast VLAN in untagged mode, you can forward multicast data to all multicast recipients attached to the hybrid ports in the multicast VLAN. This is possible because a hybrid port can forward traffic of multiple VLANs untagged.

As shown in Figure 3-26, Host A, Host B and Host C are in three different user VLANs. All the user ports (ports with attached hosts) on Switch A are hybrid ports. On Switch A, configure VLAN 10 as a multicast VLAN, assign all the user ports to this multicast VLAN, and enable IGMP Snooping in the multicast VLAN and all the user VLANs.

[Figure 3-26 Port-based multicast VLAN. Diagram labels: Multicast packets, VLAN 10 (Multicast VLAN), Source, Router A (IGMP querier), Switch A with ports Eth1/1, Eth1/2, Eth1/3 and Eth1/4, VLAN 2 with receiver Host A, VLAN 3 with receiver Host B, VLAN 4 with receiver Host C.]

After the configuration, upon receiving an IGMP message on a user port, Switch A tags the message with the multicast VLAN ID and relays it to the IGMP querier, so that IGMP Snooping can uniformly manage the router ports and member ports in the multicast VLAN. When forwarding multicast data to Switch A, Router A needs to send only one copy of multicast traffic to Switch A in the multicast VLAN, and Switch A distributes the traffic to all the member ports in the multicast VLAN.

II. Sub-VLAN-based multicast VLAN

Sub-VLAN-based multicast VLAN is also known as multicast VLAN+, which is easier to configure. After you configure a list of user VLANs as the sub-VLANs of a multicast VLAN, the device forwards data received from the multicast VLAN to all the recipients in each sub-VLAN.

As shown in Figure 3-27, Host A, Host B and Host C are in three different user VLANs. On Switch A, configure VLAN 10 as a multicast VLAN, configure all the user VLANs as sub-VLANs of this multicast VLAN, and enable IGMP Snooping in the multicast VLAN.

[Figure 3-27 Sub-VLAN-based multicast VLAN. Diagram labels: Multicast packets, VLAN 10 (Multicast VLAN), Source, Router A (IGMP querier), Switch A, VLAN 2 with receiver Host A, VLAN 3 with receiver Host B, VLAN 4 with receiver Host C.]

After the configuration, IGMP Snooping manages router ports in the multicast VLAN and member ports in the sub-VLANs. When forwarding multicast data to Switch A, Router A needs to send only one copy of multicast traffic to Switch A in the multicast VLAN, and Switch A distributes the traffic to the multicast VLAN's sub-VLANs that contain receivers.

3.6 STP/RSTP/MSTP

STP/RSTP

Spanning tree protocol (STP)/rapid spanning tree protocol (RSTP) prunes a looped L2 switching network into a loop-free tree (all data on the L2 switching network must travel along the spanning tree), thereby avoiding network broadcast storms caused by network loops and providing redundant links for data forwarding.

Basically, STP/RSTP is used to generate a "tree" whose root is a switch called the root bridge. Which switch is selected as the root bridge is based on the switches' settings (such as switch priority and MAC address), but there should be only one root bridge at any time. From the root bridge, a tree stretches through the switches. A non-root switch forwards data to the root through its root port and to the connected network segment through its designated port. A root periodically transmits configuration BPDUs, while a non-root switch receives and forwards them. If a switch receives configuration BPDUs from two or more ports, it assumes that there is a loop in the network. To eliminate the loop, the switch selects one of the ports as the root port and blocks the others. When a port receives no configuration BPDUs for a long time, the switch considers that the configuration of this port has timed out and the network topology may have changed. Then, it recalculates the network topology and generates a new tree.
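The election rule described above, modelled in Python as an added example (not H3C code). It assumes the IEEE 802.1D comparison, which the text only hints at: the lowest priority value wins and the lowest MAC address breaks a tie. It also shows the check a monitoring script can run against a known root: any configuration BPDU that advertises a better root ID than the expected one would change the topology. All bridge IDs, MAC addresses and port names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeId:
    """Bridge identifier. Field order makes dataclass ordering equal election order."""
    priority: int  # compared first, lower value wins (assumed 802.1D rule)
    mac: str       # 12 lowercase hex digits, lower value breaks a priority tie

    @classmethod
    def parse(cls, priority, mac):
        """Accept MACs written as 000f-e200-0001, 00:0f:e2:00:00:01 or 000f.e200.0001."""
        digits = "".join(c for c in mac.lower() if c not in ":-.")
        if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
            raise ValueError(f"bad MAC address: {mac!r}")
        if not 0 <= priority <= 0xFFFF:
            raise ValueError(f"bad bridge priority: {priority!r}")
        return cls(priority, digits)


def elect_root(bridges):
    """Return the bridge that wins the election: the lowest (priority, MAC) pair."""
    return min(bridges)


def superior_bpdus(expected_root, bpdus):
    """Return (port, claimed_root) for each BPDU whose root ID beats the expected root.

    bpdus is an iterable of (receiving_port, root_priority, root_mac) tuples.
    """
    alerts = []
    for port, priority, mac in bpdus:
        claimed = BridgeId.parse(priority, mac)
        if claimed < expected_root:
            alerts.append((port, claimed))
    return alerts


# Constructed sample topology: core, backup and access switch.
BRIDGES = [
    BridgeId.parse(32768, "000f-e200-0003"),
    BridgeId.parse(0, "000f-e200-0001"),
    BridgeId.parse(4096, "000f-e200-0002"),
]

# Constructed configuration BPDUs seen on an access switch.
OBSERVED = [
    ("GE1/0/1", 0, "000f-e200-0001"),      # the legitimate root, seen on the uplink
    ("GE1/0/5", 0, "0000-0000-0001"),      # same priority, lower MAC: would take over
    ("GE1/0/7", 32768, "000f-e200-0009"),  # worse than the root: no topology impact
]

if __name__ == "__main__":
    root = elect_root(BRIDGES)
    print("elected root:", root)
    for port, claimed in superior_bpdus(root, OBSERVED):
        print(f"superior BPDU on {port}: claims root {claimed}")
```

Running the script reports the BPDU received on GE1/0/5, the only one that would displace the elected root.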

RSTP is an STP enhancement that significantly shortens the time for the network topology to stabilize.

3.6.2 MSTP

Multiple spanning tree protocol (MSTP) is compatible with STP and RSTP.

STP cannot transition quickly. Even on a point-to-point link or an edge port, it has to wait for an interval twice as long as the forward delay before the network converges. RSTP can converge fast. However, like STP, RSTP has this drawback: all the network bridges in a VLAN share one spanning tree and the redundant links cannot be blocked per VLAN, so all the packets in the VLAN are forwarded along one spanning tree.

MSTP makes up for the drawback of STP and RSTP. It makes the network converge fast and enables the traffic of different VLANs to be distributed along their respective paths, which provides a better load sharing mechanism for the redundant links.

MSTP associates VLANs with spanning trees by using a VLAN mapping table, that is, a table showing the correspondence between VLANs and spanning trees. Meanwhile, MSTP divides a switched network into several domains. In each domain, multiple independent spanning trees are generated. MSTP prunes a looped network into a loop-free network so as to avoid packets being propagated in an endless loop. It also provides multiple redundant paths for load balancing of VLAN data in the process of data forwarding.

STP Protection

I. BPDU guard

For access layer devices, the access ports are usually connected directly to user terminals (such as PCs) or file servers. In this case, the access ports are configured as edge ports to allow fast migration of these ports. When these ports receive configuration messages (BPDUs), the system automatically sets these ports as non-edge ports and recalculates the spanning tree. This causes flapping of the network topology. Under normal conditions, these ports should not receive STP BPDUs. If someone forges BPDUs maliciously to attack the switch, network flapping will occur.
The BPDU guard function protects the system against such attacks.

II. Root guard

The root bridge and backup switches in a spanning tree must reside in the same domain. This is especially true for the root bridge and backup switches of a common and internal spanning tree (CIST), because the root bridge and backup switches of a CIST are normally placed in a high-bandwidth core domain. However, due to misconfiguration or a malicious network attack, a legitimate root bridge in the network may receive a BPDU that has a higher priority. This turns the current root bridge into a non-root switch, causing a wrong change in the network topology. Such an illegitimate change leads the traffic that would otherwise pass through a high-speed link to follow a lower-speed link, causing network congestion. The root guard function prevents this from occurring.

III. Loop guard

A switch can keep track of the states of the root port and blocked ports by continuously receiving the BPDUs sent by upstream switches. However, these ports may be unable to receive the BPDUs sent by upstream switches due to link congestion or unidirectional links. In this case, the switch reelects a root port, the original root port turns into a designated port, and blocked ports go into the forwarding state. This causes loops in the switched network.

The loop guard function prevents such loops. With the loop guard function enabled, the role of the root port remains unchanged and blocked ports remain in the Discarding state without forwarding any packet. This prevents loops in the network.

IV. TC-BPDU attack prevention

Upon receiving a TC-BPDU, the switch deletes MAC address entries and ARP entries. If someone forges TC-BPDUs to attack the switch maliciously, the switch will receive excessive TC-BPDUs in a short time. Frequent entry deletion places a heavy burden on the switch and compromises network stability.

After TC-BPDU attack prevention is enabled, the switch performs the deletion triggered by received TC-BPDUs only once within a specific timer (usually 10 seconds) and monitors whether any TC-BPDU is received during that timer. If any TC-BPDUs are received within the timer, the switch performs the deletion again after the timer times out. This saves the switch from deleting MAC address entries and ARP entries frequently.

3.7 IPv6 Features

Internet protocol version 6 (IPv6) is a second-generation standard network layer protocol. Also known as IP Next Generation (IPng), it is a standard developed by the Internet Engineering Task Force (IETF) as an upgrade from IPv4.
The main difference between IPv4 and IPv6 is that the addresses used in the latter are 128 bits in length, whereas those used in the former are only 32 bits in length.

Following are the features of IPv6.

I. Simplified packet header

The size of the header of an IPv6 basic packet is reduced, because some fields in the IPv4 packet header are removed or moved to extension headers. This simplifies the processing that network devices perform when forwarding packets and improves the forwarding efficiency. Despite the 128-bit IPv6 address, the size of an IPv6 basic packet header is only twice that of an IPv4 packet header (the Options field not counted).

[Figure 3-28 IPv4 packet header vs. IPv6 packet header. IPv4 header fields: Ver, IHL, ToS, Total length, Identification, F, Fragment offset, TTL, Protocol, Header checksum, Source address (32 bits), Destination address (32 bits), Options, Padding. Basic IPv6 header fields: Ver, Traffic class, Flow label, Payload length, Next header, Hop limit, Source address (128 bits), Destination address (128 bits).]

II. Sufficient address space

In IPv6, the source and destination addresses of a packet are both 128 bits (16 bytes) in length. Such an address scheme can provide more than addresses, which are enough to fully accommodate multi-level address allocation, public address allocation, and address allocation in private networks.

III. Hierarchical address structure

IPv6 address space is hierarchically organized. Such a structure improves routing performance and makes route aggregation possible. Route aggregation helps reduce the system resources occupied by IPv6 routing tables.

IV. Automatic address allocation

IPv6 supports stateful address allocation and stateless address allocation, both of which simplify host configuration.
- Stateful address allocation enables hosts to obtain IPv6 addresses and the related information from servers (for example, DHCP servers).
- Stateless address allocation enables a host to configure the IPv6 address and related information automatically according to its own link layer address and the prefix information advertised by the router.

A host can also generate its link-local address according to its own link layer address and the default prefix (FE80::/64) to communicate with other hosts that are on the same link.

V. Built-in security

In IPv6, IPsec is implemented through the standard extension header to provide end-to-end security. This feature also provides a standard for addressing network security issues and improves the interoperability among different IPv6 applications.

VI. QoS support

The Flow Label field in the IPv6 packet header labels flows. Network devices can perform traffic classification and provide differentiated services according to the Flow Label field.

VII. Enhanced neighbor discovery mechanism

The neighbor discovery protocol for IPv6 is implemented by a group of ICMPv6 (internet control message protocol for IPv6) messages. The interactions among neighboring nodes on the same link are under the administration of the IPv6 neighbor discovery protocol. It replaces ARP (address resolution protocol), ICMPv4 router discovery and ICMPv4 redirect messages, and provides a series of other functions.

VIII. Flexible extension packet header

In the header of an IPv6 packet, multiple extension packet headers replace the Options field. This not only improves the processing efficiency but also enhances the flexibility of IPv6 and provides good extensibility for the IP protocol. The Options field in an IPv4 packet header can only be 40 bytes in size, while the sizes of IPv6 extension headers are only limited by the size of the IPv6 packet.

NDP

The neighbor discovery protocol (NDP) for IPv6 is implemented by a group of ICMPv6 messages. The interactions among neighboring nodes on the same link are under the administration of IPv6 NDP. It replaces ARP, ICMPv4 router discovery and ICMPv4 redirect messages and provides a series of other functions.

In IPv6 NDP, the following five types of ICMPv6 messages are used.
- NS (Neighbor Solicitation) message, which is used to request the link layer address of a neighbor, check the reachability of a neighbor, and detect duplicate addresses.
- NA (Neighbor Advertisement) message. A device answers with an NA message when it receives an NS message. The device can also send NA messages actively to notify its neighbors of link layer changes.
- RS (Router Solicitation) message. A host sends RS messages to the router to request the prefix and other configuration information after it starts.
- RA (Router Advertisement) message. A router answers with RA messages when it receives RS messages. It also advertises RA messages periodically, which contain prefix and flag bit information.
- Redirect message. When a router finds that the receiving interface and sending interface of a packet are the same, it sends redirect messages to trigger the corresponding host to use another next hop address.

Table 3-1 summarizes the NDP functions.

Table 3-1 NDP functions

Function: Router discovery/prefix discovery/parameter discovery
Description: Discovers the local routers on the same link (this process is the same as that of ICMPv4 router discovery) and obtains address prefixes and other configuration parameters for address auto-configuration. This is achieved through RS and RA messages.

Function: Address auto-configuration
Description: Automatically configures IPv6 addresses and other information of interfaces according to the address prefixes and other configuration parameters carried in the RA messages.

Function: Address resolution
Description: Maps the IPv6 address of a neighboring node to the corresponding link layer address (this process is the same as that of IPv4 ARP). This is achieved through NS and NA messages. A node multicasts an NS message, with the destination address being the IPv6 address of the requested node and the local link layer address carried in it. When other nodes on the same link receive the message, each of them checks whether or not the destination address is the local address. If yes, the node answers with an NA message that contains its own link layer address. A node obtains the link layer addresses of neighboring nodes through the procedure above.

Function: Neighbor unreachable detection (NUD)
Description: This function is used to check whether or not a node is reachable. If a node receives an acknowledgment message from the neighbor after sending a NUD message, it considers the neighbor to be reachable. Otherwise, it considers the neighbor to be unreachable.

Function: Duplicate address detection (DAD)
Description: When a node obtains an IPv6 address, it checks whether or not the address conflicts with that of another node through the duplicate address detection function. (This process is similar to the gratuitous ARP function in IPv4.) The node sends an NS message. If the node receives an NA message from another node, it indicates that the address is already in use. Otherwise, it indicates the IPv6 address is not in use.

Function: Redirect
Description: A router informs a host of the optimal next-hop IPv6 address to reach a particular destination through this function. (This is similar to the ICMP redirect function in IPv4.)

Introduction to IPv6 DNS

In an IPv6 network, translation between domain names and IPv6 addresses is also required. This translation can be achieved through the IPv6 Domain Name System (DNS). The only difference between IPv6 DNS and IPv4 DNS is that IPv6 DNS translates domain names into IPv6 addresses, instead of IPv4 addresses.

Similar to IPv4 DNS, IPv6 DNS also implements static and dynamic domain name resolution. In addition, the purpose and implementation method of static and dynamic domain name resolution through IPv6 DNS are the same as those of IPv4 DNS. For details, see the related sections in the IPv4 network protocol part.

Normally, a DNS server connecting an IPv4 network to an IPv6 network stores A entries (IPv4 addresses) and AAAA entries (IPv6 addresses). Therefore, the DNS server can resolve domain names into IPv4 addresses and IPv6 addresses. In this case, the DNS server can implement both IPv6 DNS and IPv4 DNS. To resolve domain names into IPv4/IPv6 addresses on a DNS server, configuration is required.

Ping IPv6 and Tracert IPv6

You can perform the ping IPv6 operation in an IPv6 network to test the connection between two devices. It can be your first choice to check whether a host is reachable. The operation sends ICMPv6 packets to the destination host and records the round trip time.

The traceroute IPv6 operation can record the gateways along the path from a host to a specific node. This operation enables you to locate problems in an IPv6 network by testing the reachability of network connections.

IPv6 Telnet

Telnet is an application layer protocol of the TCP/IP protocol suite. It implements remote logon and virtual terminal. The host running the IPv6 Telnet client program establishes an IPv6 Telnet connection with Device A. In this case, Device A serves as the Telnet server. If Device A is connected to Device B through Telnet, the former functions as a Telnet client and Device B functions as a Telnet server. Both Telnet server and Telnet client support IPv6 connections.

IPv6 TFTP

IPv6 supports trivial file transfer protocol (TFTP) applications. You can upload/download files in an IPv6 network using TFTP. Currently, an S5500-EI Ethernet switch can only operate as an IPv6 TFTP client.
3.8 IPv6 Multicast Features

MLD Snooping

Multicast Listener Discovery Snooping (MLD Snooping) is an IPv6 multicast constraining mechanism that runs on Layer 2 Ethernet switches to manage and control IPv6 multicast groups.

MLD Snooping is analogous to IGMP Snooping in IPv4: a switch can establish and maintain the corresponding MLD Snooping multicast group table at the data link layer by monitoring MLD messages, and forward the IPv6 multicasts delivered by a multicast router based on the MAC multicast group information in the table.

3.8.2 MLD

Corresponding to IPv4 IGMP, the Multicast Listener Discovery protocol (MLD) runs between the host and multicast routers to discover the presence of multicast listeners. Multicast routers periodically send MLD messages to discover the presence of multicast listeners on the directly connected subnets. The host sends MLD report messages to join the multicast group.

So far, the S5500-EI series switches support two MLD versions:
- MLDv1
- MLDv2

3.9 IPv6 over IPv4 Tunnel Features

The IPv6 over IPv4 tunneling mechanism encapsulates IPv6 data packets with an IPv4 header so that IPv6 packets can pass an IPv4 network through a tunnel to realize interworking between isolated IPv6 networks, as shown in Figure 3-29. The devices at both ends of an IPv6 over IPv4 tunnel must support IPv4/IPv6 dual stack.

[Figure 3-29 IPv6 over IPv4 tunnel. Diagram labels: IPv6 host, IPv6 network, dual stack router, IPv4 network, IPv6 over IPv4 tunnel, dual stack router, IPv6 network, IPv6 host. Packet formats shown: IPv6 header + IPv6 data in the IPv6 networks; IPv4 header + IPv6 header + IPv6 data in the tunnel.]

The IPv6 over IPv4 tunnel processes packets in the following way:
1) A host in the IPv6 network sends an IPv6 packet to the device at the source end of the tunnel.
2) After determining according to the routing table that the packet needs to be forwarded through the tunnel, the device at the source end of the tunnel encapsulates the IPv6 packet with an IPv4 header and forwards it through the physical interface of the tunnel.

3) The encapsulated packet goes through the tunnel to reach the device at the destination end of the tunnel. The device at the destination end decapsulates the packet if the destination address of the encapsulated packet is the device itself.
4) The destination device forwards the packet according to the destination address in the decapsulated IPv6 packet. If the destination address is the device itself, the device forwards the IPv6 packet to the upper-layer protocol for processing.

An IPv6 over IPv4 tunnel can be established between hosts, between hosts and devices, and between devices. The tunnel destination needs to forward packets if the tunnel destination is not the final destination of the IPv6 packet.

Tunnels are divided into configured tunnels and automatic tunnels depending on how the IPv4 address of the tunnel destination is acquired.
- If the destination address of an IPv6 over IPv4 tunnel cannot be acquired from the destination address of IPv6 packets, it needs to be configured manually. Such a tunnel is called a configured tunnel.
- If the interface address of an IPv6 over IPv4 tunnel has an IPv4 address embedded into an IPv6 address, the IPv4 address of the tunnel destination can be acquired automatically. Such a tunnel is called an automatic tunnel.

According to the way an IPv6 packet is encapsulated, IPv6 over IPv4 tunnels are divided into the following types:
- IPv6 manual tunnel
- 6to4 tunnel
- ISATAP tunnel

Among the above tunnels, the IPv6 manual tunnel is a configured tunnel, while the 6to4 tunnel and the intra-site automatic tunnel address protocol (ISATAP) tunnel are automatic tunnels.

IPv6 manually configured tunnel

A manually configured tunnel is a point-to-point link. One link is a separate tunnel. IPv6 manually configured tunnels provide stable connections for regular secure communication between two border routers or between a border router and a host for access to remote IPv6 networks.

6to4 tunnel

An automatic 6to4 tunnel is a point-to-multipoint tunnel and is used to connect multiple isolated IPv6 networks over an IPv4 network to remote IPv6 networks. The IPv4 address embedded in an IPv6 address is used to automatically acquire the destination of the tunnel. The automatic 6to4 tunnel adopts 6to4 addresses. The address format is 2002:abcd:efgh:subnet number::interface ID/64, where abcd:efgh represents the 32-bit source IPv4 address of the 6to4 tunnel, in hexadecimal notation. For example, can be represented by 0101:0101. The tunnel destination is automatically determined by the embedded IPv4 address, which makes it easy to create a 6to4 tunnel.

Since the 16-bit subnet number of the 64-bit address prefix in 6to4 addresses can be customized and the first 48 bits in the address prefix are fixed by a permanent value and the IPv4 address of the tunnel source or destination, it is possible that IPv6 packets can be forwarded by the tunnel.

ISATAP Tunnel

With the application of the IPv6 technology, there will be more and more IPv6 hosts in the existing IPv4 network. The ISATAP tunneling technology provides a satisfactory solution for IPv6 application. An ISATAP tunnel is a point-to-point automatic tunnel. The destination of a tunnel can automatically be acquired from the IPv4 address embedded in the destination address of an IPv6 packet. When an ISATAP tunnel is used, the destination address of an IPv6 packet and the IPv6 address of a tunnel interface both adopt special addresses: ISATAP addresses. The ISATAP address format is prefix(64bit):0:5efe:ipv4-address. The ipv4-address is in the form of a.b.c.d or abcd:efgh, where abcd:efgh represents a 32-bit source IPv4 address. Through the embedded IPv4 address, an ISATAP tunnel can automatically be created to transfer IPv6 packets. The ISATAP tunnel is mainly used for connection between IPv6 routers or between a host and an IPv6 router over an IPv4 network.

[Figure 3-30 ISATAP tunnel. Diagram labels: IPv6 host, IPv6 network, ISATAP router, IPv4 network, ISATAP tunnel, IPv4 address: /24, IPv6 address: FE80::5EFE:0201:0101 and 3FFE::5EFE:0201:0101, IPv4/IPv6 host.]

3.10 QACL

Quality of service (QoS) provides network services of different types and grades selected by users, from the top service quality to normal service quality, networkwide to accommodate various demands.

An access control list (ACL) is used primarily to identify traffic flows.
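The 6to4 and ISATAP address formats from the two tunnel sections above, worked through in Python as an added example (not H3C code): it recovers the embedded IPv4 tunnel endpoint from an IPv6 address and builds addresses in both formats, which is what an operator needs when checking which IPv4 hosts an automatic tunnel will reach. Function names are illustrative; the ISATAP inputs are the addresses shown with Figure 3-30 and the 6to4 input reuses the 0101:0101 pair from the text, while the remaining sample values are constructed.

```python
import ipaddress

SIXTOFOUR_NET = ipaddress.IPv6Network("2002::/16")  # fixed first 16 bits of a 6to4 prefix
ISATAP_MARK = 0x00005EFE                            # the "0:5efe" half of the interface ID


def sixtofour_v4(addr):
    """Return the IPv4 address embedded in a 6to4 address, or None if not 6to4."""
    a = ipaddress.IPv6Address(addr)
    if a not in SIXTOFOUR_NET:
        return None
    # Bits 16..47 (abcd:efgh) carry the IPv4 address: shift off the low 80 bits.
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


def isatap_v4(addr):
    """Return the IPv4 address embedded in an ISATAP address, or None."""
    iid = int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFFFFFFFFFF  # low 64 bits
    if iid >> 32 != ISATAP_MARK:
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)


def make_6to4_prefix(v4):
    """Build the 48-bit 6to4 prefix 2002:abcd:efgh::/48 for an IPv4 address."""
    value = (0x2002 << 112) | (int(ipaddress.IPv4Address(v4)) << 80)
    return ipaddress.IPv6Network((value, 48))


def make_isatap(prefix, v4):
    """Build prefix(64bit):0:5efe:ipv4-address from a /64 prefix and an IPv4 address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("an ISATAP address is built on a 64-bit prefix")
    iid = (ISATAP_MARK << 32) | int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def classify(addr):
    """Return (tunnel_type, embedded_ipv4) for one IPv6 address."""
    v4 = sixtofour_v4(addr)
    if v4 is not None:
        return ("6to4", v4)
    v4 = isatap_v4(addr)
    if v4 is not None:
        return ("isatap", v4)
    return ("other", None)


# Sample addresses: the two ISATAP addresses come from Figure 3-30, the rest are constructed.
SAMPLES = [
    "2002:0101:0101:1::1",
    "FE80::5EFE:0201:0101",
    "3FFE::5EFE:0201:0101",
    "2001:db8::1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        kind, v4 = classify(sample)
        print(f"{sample:24} {kind:7} {v4 if v4 is not None else '-'}")
```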
In order to filter data packets, a series of match rules must be configured on the network device to identify the packets to be filtered. After the specific packets are identified, the network device can permit or deny them according to the predefined policy.

Traffic Classification

Traffic classification is to classify packets according to the packet filtering keywords configured by the user. Various types of user-defined service processing can be implemented on the classified packets.

In traffic classification, rules are defined to discriminate packets that conform to certain characteristics. The classification rules can be very simple. For example, traffic flows with different priority characteristics can be discriminated according to the differentiated services codepoint (DSCP) in the packet header. They can also be quite complicated. For example, packets can be classified according to combinations of information involving the data link layer, network layer and transport layer -- such as MAC address, IP protocol type, source host/network segment address, destination host/network segment address, and even application port number.

Priority Marking

The S5500-EI series support priority marking for classified packets and modification of the DSCP or 802.1p priority in the packets according to the user-specified preferred priority values, so as to provide the specified QoS networkwide. The S5500-EI series can provide priority marking service for classified packets. The marking contents include DSCP and 802.1p priority. The series also support assignment of drop precedence and local precedence to packets according to the DSCP or 802.1p level.

Traffic Policing/Bandwidth Assurance

Traffic policing polices the traffic matching a traffic classification rule on the port where the packets are received, so that the traffic can effectively use the assigned network resources such as bandwidth. Traffic policing can also secure the bandwidth for specific services. Bandwidth assurance refers to assuring the minimum bandwidth for a special traffic so that it can satisfy such QoS requirements as packet loss rate, delay, and jitter even when network congestion occurs. The S5500-EI series implement traffic policing mainly by limiting the rate of packet-receiving ports, supervising traffic entering a specific network, and performing priority marking for packets within the traffic limit to provide differentiated services. If the traffic exceeds the limit, you can drop the excess traffic, try to forward it, or remark its priority.

Traffic Statistics

Based on traffic classification, the S5500-EI series can perform traffic statistics for the identified packets. This function counts the total number of all packets that match the specified traffic classification rule to facilitate the analysis of specific traffic flows on the network.

Traffic Mirroring

Based on traffic classification, the S5500-EI series can perform traffic mirroring for the identified packets to re-monitor service traffic flows that match the traffic classification rule. This function copies the data packets that match the traffic classification rule to the monitoring port to facilitate network tests and troubleshooting.

Traffic Redirection

Based on traffic classification, the S5500-EI series can redirect the identified packets. The traffic redirection function enables you to re-specify the output port of packet forwarding and bypass the Bridge mechanism, with the destination port determined by the traffic redirection function.

Port Mirroring

Port mirroring is used for monitoring packets on a specific port. This function copies the data packets on the specified port to the monitoring port to facilitate network tests and troubleshooting. The S5500-EI series support inbound and outbound port mirroring.

Queue Scheduling

Queue scheduling applies to the situation where multiple forwarded packets compete for the resources. The S5500 series support four queue scheduling algorithms: strict priority (SP), weighted fair queuing (WFQ), weighted round robin (WRR) and SP+WRR. These algorithms process packet forwarding problems of each output queue on the switch ports based on their own rules. The following sections describe these algorithms briefly:

I. SP queue-scheduling algorithm

[Figure 3-31 Diagram for SP queuing]

The SP queue-scheduling algorithm is specially designed for critical service applications. An important feature of critical services is that they demand preferential service in congestion in order to reduce the response delay. Assume that there are eight output queues on the port and the preferential queue classifies the eight output queues on the port into eight classes, which are queue7, queue6, queue5, queue4, queue3, queue2, queue1, and queue0. Their priorities decrease in order.

In queue scheduling, SP sends packets in the queue with higher priority strictly following the priority order from high to low. When the queue with higher priority is empty, packets in the queue with lower priority are sent. You can put critical service packets into the queues with higher priority and put non-critical service (such as ) packets into the queues with lower priority. In this case, critical service packets are sent preferentially and non-critical service packets are sent when no critical service packets are being sent.

The disadvantage of the SP queue is that if there are packets in the queues with higher priority for a long time in congestion, the packets in the queues with lower priority will be starved because they are not served.

II. WFQ queuing

[Figure 3-32 Diagram for WFQ queuing]

Before WFQ is introduced, you must understand fair queuing (FQ) first. FQ is designed for the purpose of sharing network resources fairly and optimizing the delays and delay jitters of all the flows. It takes the interests of all parties into account, such as:

- Different queues are scheduled fairly, so the delay of each flow is balanced globally.
- Both short and long packets are scheduled fairly. When there are multiple long packets and short packets to be sent among different queues, the short packets must be scheduled preferentially, so that the delay jitters of packets of each flow are reduced globally.

Compared with FQ, WFQ takes the priority into account when calculating the scheduling sequence of packets. Statistically speaking, WFQ assigns more scheduling chances to high priority packets than to low priority packets. WFQ can classify the traffic automatically according to the session information of traffic including the protocol types, source and destination TCP or UDP port numbers, source and destination IP addresses, and priority values in the ToS field. WFQ also provides as many queues as possible to accommodate each flow evenly. Thus, the delay of each flow is balanced globally. When the packets dequeue, WFQ assigns the bandwidth to each flow on the egress according to the traffic precedence or DSCP precedence. The lower the traffic precedence is, the less bandwidth the traffic gets. The higher the traffic precedence is, the more bandwidth the traffic gets. Finally, each queue is polled and the corresponding number of packets is taken out to be sent according to the proportion of bandwidth.
You can use the WFQ algorithm to assign bandwidth to the output queues of a port, and then decide which queue a traffic flows into according to the mapping between the COS value of the traffic and the queue, and also decide how much bandwidth is to be assigned to each traffic.

III. WRR queue-scheduling algorithm

[Figure 3-33 Diagram for WRR queuing]

The WRR queue-scheduling algorithm schedules all the queues in turn and every queue can be assured of a certain service time. In a typical H3C switch there are eight output queues on each port. WRR configures a weight value for each queue, for example: w7, w6, w5, w4, w3, w2, w1, and w0 respectively for queue 7 through queue 0. A weight value indicates the proportion of resources available for a queue. On a 100-Mbps port, configure the weight value of the WRR queue-scheduling algorithm to 5, 5, 3, 3, 1, 1, 1, and 1 (corresponding to w7, w6, w5, w4, w3, w2, w1, and w0 in order). In this way, the queue with the lowest priority can get 5 Mbps (100 Mbps × 1/(5+5+3+3+1+1+1+1)) bandwidth at least, and the disadvantage of SP queue-scheduling that the packets in queues with lower priority may not get service for a long time is avoided. Another advantage of the WRR queue is that, though the queues are scheduled in order, the service time for each queue is not fixed; that is to say, if a queue is empty, the next queue will be scheduled. In this way, the bandwidth resources are fully used.

IV. SP+WRR

The SP + WRR queue scheduling algorithm is used to configure some queues of each port with the SP algorithm and configure other queues with the WRR algorithm so that bandwidth resources can be fully utilized.

A port of an S5500-EI Ethernet switch supports eight output queues. If you set the weight or the bandwidth of one or multiple queues to 0, the switch will add the queue or these queues to the SP group, where SP is adopted. For other queues, WRR still applies. In this case, both SP and WRR are adopted.

In cases where both SP and WRR queue scheduling algorithms are adopted, the queues in the SP group take precedence over other queues. For example, if queue 0, queue 1, queue 2, and queue 3 are in the SP group, and queue 4, queue 5, queue 6, and queue 7 are scheduled using WRR, the switch will schedule the queues in the SP group preferentially by using the SP algorithm. Then queues outside the SP group are scheduled by using the WRR algorithm only when all the queues in the SP group are empty.

Congestion Avoidance

Serious congestion causes great damage to the network resources, and therefore some measures must be taken to avoid such congestion. As a flow control mechanism, congestion avoidance can actively drop packets when congestion deteriorates through monitoring the utilization of network resources (such as queues or memory buffers) to prevent network overload.

You can use random early detection (RED) or weighted random early detection (WRED) to avoid the global TCP synchronization caused by the traditional packet drop policy.

The RED or WRED algorithm sets an upper threshold and lower threshold for each queue, and processes the packets in a queue as follows:

- When the queue size is shorter than the lower threshold, no packet is dropped;
- When the queue size reaches the upper threshold, all subsequent packets are dropped;
- When the queue size is between the lower threshold and the upper threshold, the received packets are dropped at random. The longer a queue is, the higher the drop probability is. However, a maximum drop probability exists.

Different from RED, WRED determines differentiated drop policies for packets with different IP precedence values. Packets with a lower IP precedence are more likely to be dropped.

Both RED and WRED avoid global TCP synchronization by randomly dropping packets.
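The SP, WRR and SP+WRR behaviour described under Queue Scheduling above, as an added simulation (not H3C code) that reproduces the 5 Mbps figure from the weight example and shows the starvation SP allows. It assumes equal-size packets and one packet sent per time slot; the function names and the backlog figures are constructed for the illustration.

```python
def schedule(weights, backlog, slots):
    """Simulate one egress port for `slots` packet times.

    weights[q] and backlog[q] are indexed by queue number (0..7).
    A weight of 0 places the queue in the SP group, as described above:
    SP-group queues are served first, highest queue number first, and the
    remaining queues share what is left by weighted round robin.
    Returns the number of packets sent from each queue.
    """
    backlog = list(backlog)
    sent = [0] * len(weights)
    sp = [q for q in reversed(range(len(weights))) if weights[q] == 0]
    wrr = [q for q in reversed(range(len(weights))) if weights[q] > 0]
    credit = {q: weights[q] for q in wrr}  # packets each queue may still send this round

    while slots > 0:
        # Strict priority: any waiting packet in the SP group wins.
        q = next((q for q in sp if backlog[q] > 0), None)
        if q is None:
            # WRR: next queue that still has both packets and credit.
            q = next((q for q in wrr if backlog[q] > 0 and credit[q] > 0), None)
            if q is None:
                if not any(backlog[q] > 0 for q in wrr):
                    break  # port idle: nothing left to send
                credit = {q: weights[q] for q in wrr}  # start a new round
                continue
            credit[q] -= 1
        backlog[q] -= 1
        sent[q] += 1
        slots -= 1
    return sent


def share_mbps(sent, port_mbps):
    """Convert packet counts into the bandwidth each queue received."""
    total = sum(sent)
    return [port_mbps * n / total if total else 0.0 for n in sent]


BUSY = [10**6] * 8  # constructed input: every queue always has packets waiting

# Weights from the text, listed here as w0..w7 (the text lists w7..w0).
WRR_WEIGHTS = [1, 1, 1, 1, 3, 3, 5, 5]
SP_WEIGHTS = [0] * 8                       # all queues in the SP group
SP_WRR_WEIGHTS = [0, 0, 0, 0, 1, 1, 2, 2]  # queues 0-3 SP, queues 4-7 WRR (weights assumed)

if __name__ == "__main__":
    print("WRR   :", share_mbps(schedule(WRR_WEIGHTS, BUSY, 2000), 100))
    print("SP    :", share_mbps(schedule(SP_WEIGHTS, BUSY, 2000), 100))
    # SP group holds a 50-packet burst in queue 3; WRR queues are saturated.
    burst = [0, 0, 0, 50, 10**6, 10**6, 10**6, 10**6]
    print("SP+WRR:", schedule(SP_WRR_WEIGHTS, burst, 650))
```

Under saturation the WRR run gives queue 0 exactly 5 Mbps of a 100-Mbps port, while the SP run gives queues 0 through 6 nothing at all.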
When the sending rate of a TCP session slows down after its packets are dropped, the other TCP sessions remain in high packet sending rates. In this way, some TCP sessions remain in high sending rates in any case, and the link bandwidth can be fully utilized.

User Profile

The S5500-EI series switches use user profiles to control the effective scope of a QoS policy, and flexibly control system resource assignment for users.

A user profile provides a configuration template to save predefined configurations. Based on different application scenarios, you can configure different items for a user profile, such as Committed Access Rate (CAR), Quality of Service (QoS), and so on.

With user profiles, you can:

- Make use of system resources more granularly. For example, without user profiles, you can apply a QoS policy based on interface, VLAN, globally and so on. This QoS policy is applicable to a group of users. With user profiles, however, you can apply a QoS policy on a per-user basis to users who pass authentication and access the device.
- Control system resource assignment for users more flexibly. For example, without user profiles, you can perform traffic policing based on CAR, ACL, or for all the traffic of the current interface; when the physical position of users changes (for example, the users access the network using another interface), you need to configure traffic policing on another interface. With user profiles, however, you can perform traffic policing on a per-user basis. As long as users are online, the authentication server applies the corresponding user profile (with CAR configured) to the users; when the users are offline, the system automatically removes the corresponding configuration.

Centralized Management Features

HGMP

Through cluster management, the network administrator can configure and troubleshoot multiple switches through a single public network IP address of a primary switch. In each cluster, there is a master switch called a command switch. The rest of the switches serve as member switches. A member switch is typically not configured with an IP address. The command switch and member switches form a cluster.

The switches in a cluster play different roles according to their functions. You can specify switch roles. The roles can be switched based on certain rules. Switch roles in a cluster include command switch, member switch, standby switch, and candidate switch.

1) Command switch: the switch configured with a public network IP address. A management command is sent to the command switch and the command switch processes this command. If the destination is a member switch, the management command will be forwarded to the command switch.
2) Member switch: a member in a cluster. The member switch is managed through the proxy of the command switch. Typically no public network IP address is set for the member switch.
3) Candidate switch: Candidate switches are cluster-capable devices that have not yet been added to a cluster.

3.12 Security Features

The popularity of network applications, especially in some sensitive occasions (e-commerce for example), highlights the issue of network security. The S5500-EI series have been designed based on full consideration of customers' demands, so as to provide full-range network solutions.

With respect to terminal access control and user access control, the S5500-EI series provide the following network security features:

- Hierarchical user management and password protection
- IP Source Guard
- MAC address black hole
- MAC address learning limit
- Binding of MAC addresses to ports
- Supports SSH 2.0
- IEEE 802.1x compliant access user authentication
- Supports MAC address based authentication
- Supports local and RADIUS authentication modes
- Supports port isolation

With respect to filtering and authenticating Ethernet frames and packets from the upper layers, the S5500-EI series support:

- ACL, with which information is filtered at layers 2 through 4 (such as based on port, by source/destination MAC address, by source/destination IP address, or by the type of upper layer protocol).
- Encrypted authentication of SNMPv

Terminal Access User Classification

The S5500-EI series protect command lines in a hierarchical way by dividing the command lines into four levels: visitor, monitor, operator, and administrator. Commensurate with the command division, login users are classified into four levels. A login user can use only the commands equal to or lower than its level.

SSH

When users log in to the Ethernet switch from an insecure network, Secure Shell (SSH) offers security information protection and powerful authentication function to safeguard the Ethernet switch from attacks, such as IP address spoofing and plain text cipher interception. An Ethernet switch can accept multiple SSH client connections at the same time. The SSH client allows users to connect to the Ethernet switches and UNIX mainframes that support SSH servers. The S5500-EI series Ethernet switches support SSH

Port Isolation

Port isolation means isolating ports of the same switch so that Layer 2 and Layer 3 packet forwarding cannot be implemented between these ports. This prevents visiting between the ports, effectively controls unnecessary broadcasting and increases the network throughput.

IEEE 802.1x Authentication

IEEE 802.1x is virtually a port-based network access control protocol. As port-based network access control implies, the NAS on a LAN authenticates and controls the connected customer premises equipment (CPE) at the port level. If the CPE connected to a port passes authentication, it is allowed to access the LAN resources. Otherwise, it is rejected just as if its physical link were disconnected.

In implementing 802.1x, the Ethernet switches not only support port-based access authentication, but also extend and optimize it by:

- Allowing a physical port to be connected to several terminals.
- Supporting access control (that is, user authentication) based on MAC address in addition to port. This greatly enhances the security, operability and manageability of the system.

Note that, although 802.1x provides an implementation scheme for user authentication, the protocol itself is not enough to implement the scheme. The NAS administrators, however, can use RADIUS or local authentication to complete the user authentication with 802.1x.

802.1x EAD Fast Deployment

I. Overview

As an integrated security scheme, an endpoint admission defense (EAD) scheme can improve the overall defense capability of a network. However, EAD deployment brings much workload in actual applications. To solve this problem, you can use 802.1x functions to implement fast deployment of the EAD scheme. The S5500-EI series switches enable the user's quick redirection to the EAD client download server with 802.1x authentication, easing the work of EAD client deployment.

II. Operation of Quick EAD Deployment

Quick EAD deployment is achieved with two functions: restricted access and HTTP redirection.

1) Restricted access

Before passing 802.1x authentication, a user is restricted (through ACLs) to a specific range of IP addresses or a specific server. Services like EAD client upgrading/download and dynamic address assignment are available on the specific server.

2) HTTP redirection

In the HTTP redirection approach, when the terminal users that have not passed 802.1x authentication access the Internet through Internet Explorer, they are redirected to a predefined URL for EAD client download.

The two functions ensure that all the users without an EAD client have downloaded and installed one from the specified server themselves before they can access the Internet, thus decreasing the complexity and effort that EAD client deployment may involve.

IP Source Guard

By filtering packets on a per-port basis, IP source guard prevents illegal packets from traveling through, thus improving the network security. After receiving a packet, the port looks up the key attributes (including IP address, MAC address and VLAN tag) of the packet in the binding entries of the IP source guard. If there is a matching entry, the port will forward the packet. Otherwise, the port will abandon the packet.

IP source guard filters packets based on the following types of binding entries:

- IP-port binding entry
- MAC-port binding entry
- IP-MAC-port binding entry
- IP-VLAN-port binding entry
- MAC-VLAN-port binding entry
- IP-MAC-VLAN-port binding entry

You can manually set static binding entries, or use DHCP Snooping to provide dynamic binding entries. Binding is on a per-port basis. After a binding entry is configured on a port, it is effective only on that port and not on other ports.

MAC address authentication

MAC address authentication is a port and MAC address based authentication method to control the network access authority of users. MAC address authentication does not require the users to install any client software. The switch enables authentication on a user once it detects a new MAC address of the user.
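The per-port lookup described in the IP Source Guard section above, modelled as an added example (not H3C code) that covers all six binding entry types by treating the IP address, MAC address and VLAN as optional fields of one entry. The class names, the sample bindings and the rule that a port without any binding entry is left unfiltered are assumptions made for this illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def norm_mac(mac):
    """Canonicalise 0001-0203-0405, 00:01:02:03:04:05 and similar spellings."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class Binding:
    """One binding entry. Every entry names a port; the IP address, MAC
    address and VLAN are optional, which yields the six types listed above."""
    port: str
    ip: Optional[str] = None    # converted to an address object below
    mac: Optional[str] = None   # converted to 12 lowercase hex digits below
    vlan: Optional[int] = None

    def __post_init__(self):
        if self.ip is None and self.mac is None:
            # None of the six types is VLAN-port only.
            raise ValueError("a binding needs an IP address, a MAC address, or both")
        if self.ip is not None:
            self.ip = ipaddress.ip_address(self.ip)
        if self.mac is not None:
            self.mac = norm_mac(self.mac)

    def matches(self, ip, mac, vlan):
        """A packet matches when every attribute the entry specifies is equal."""
        return ((self.ip is None or self.ip == ip)
                and (self.mac is None or self.mac == mac)
                and (self.vlan is None or self.vlan == vlan))


class SourceGuard:
    def __init__(self, bindings):
        self.by_port = {}
        for entry in bindings:
            self.by_port.setdefault(entry.port, []).append(entry)

    def permits(self, port, src_ip, src_mac, vlan):
        """Forward only if some binding on the receiving port matches."""
        entries = self.by_port.get(port)
        if not entries:
            return True  # assumption: a port with no bindings is not filtered
        ip = ipaddress.ip_address(src_ip)
        mac = norm_mac(src_mac)
        return any(entry.matches(ip, mac, vlan) for entry in entries)


# Constructed sample bindings (documentation addresses, made-up MAC addresses).
GUARD = SourceGuard([
    Binding(port="GE1/0/1", ip="192.0.2.10", mac="0001-0203-0405"),  # IP-MAC-port
    Binding(port="GE1/0/2", ip="192.0.2.20", vlan=10),               # IP-VLAN-port
])

if __name__ == "__main__":
    # Constructed sample packets: (port, source IP, source MAC, VLAN).
    for pkt in [("GE1/0/1", "192.0.2.10", "00:01:02:03:04:05", 1),
                ("GE1/0/1", "192.0.2.99", "00:01:02:03:04:05", 1),
                ("GE1/0/2", "192.0.2.10", "00:01:02:03:04:05", 1),
                ("GE1/0/2", "192.0.2.20", "00:aa:bb:cc:dd:ee", 20)]:
        print(pkt, "forward" if GUARD.permits(*pkt) else "drop")
```

The third sample packet is dropped even though its IP and MAC pair is bound, because that binding belongs to a different port.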
The S5500-EI series support the following two types of MAC address authentication:

- MAC address mode: the MAC address of a user is used as both the user name and password.
- Fixed mode: the user name and password are configured on the switch beforehand. In this case, all the users correspond to the fixed user names and passwords configured on the switch.

MAC Address Learning Limit

MAC address learning limit: limits the number of MAC addresses learned by an Ethernet switch port. The number ranges from 0 to 4k. Static MAC addresses added on the port are not affected.

Binding of MAC Addresses to Ports

If the MAC address of a network device is bound with a port, you can access the Internet through this port only.

MAC Address Black Hole

On an S5500-EI series switch, you can enable the black hole function and configure a black hole list. When the switch receives a packet with a source or destination MAC address in the black hole, it drops the packet.

AAA, RADIUS and HWTACACS

The S5500-EI series support user authentication locally or with RADIUS/HWTACACS servers.

I. AAA

AAA is the abbreviation of Authentication, Authorization and Accounting. It provides a uniform framework to configure the security functions including authentication, authorization, and accounting. Actually, it offers a way to control the network security, which can be implemented with RADIUS.

AAA performs the following services:

- Authentication: Authenticates if the user can access the network server.
- Authorization: Authorizes the user with specified services.
- Accounting: Tracks the network resources consumed by users.

II. RADIUS

RADIUS is a distributed system in the client/server model. It can fend off invalid users and is often used in a network environment where both high security and remote user access are desired. For example, it can be used to manage the access based on 802.1x.

RADIUS is based on the client/server model where user authentication always involves a device that can provide the proxy function, such as NAS. Between the RADIUS client and server, the exchanged messages are authenticated using a shared key and user passwords are sent encrypted over the network. The security is thus ensured.

III. HWTACACS

HWTACACS is a security protocol providing enhanced functions based on TACACS (RFC1492). Similar to RADIUS, this protocol mainly enables the AAA for multiple types of users in the Server-Client mode. It can be used for the AAA of PPP and VPDN access users and login users.

Compared with RADIUS, HWTACACS features more reliable transmission and encryption, making it more suitable for security control. The major differences between HWTACACS and RADIUS are listed in the table below:

Table 3-2 HWTACACS vs. RADIUS

HWTACACS | RADIUS
-------- | ------
Uses TCP for more reliable transmissions over the network. | Uses UDP.
Encrypts packet body completely, except the standard HWTACACS packet header. | Encrypts only the password field in authentication packets.
Authentication and authorization are separated. For example, RADIUS can be used for authentication, while HWTACACS is used for authorization. | Authentication and authorization are not separated.
Suitable for security control. | Suitable for accounting.
Allows different users to use different configuration commands on the routing module of the switch. | Does not support this feature.

HWTACACS is mainly used when a dialup user or terminal user needs to log on to the switch. As the client of HWTACACS, the switch sends the user name and password to the HWTACACS server for authentication. After passing the authentication, the user can log on to the switch and perform operations.

Introduction to Portal

I. Portal

Portal authentication, as its name implies, helps control access to the Internet. Portal authentication is also called web authentication and a website implementing portal authentication is called a portal website.

With portal authentication, an access device forces any user to log into the portal website at first. A user can access the free services provided on the portal website; but to access the Internet, the user must pass portal authentication on the portal website.

A user can access a known portal website and enter a username and password for authentication. This authentication mode is called active authentication. There is still another authentication mode, namely forced authentication, in which the access device forces a user trying to access the Internet through HTTP to log in to a portal website for authentication.

The portal feature provides the flexibility for Internet service providers (ISPs) to manage services. A portal website can, for example, present advertisements, and deliver community services and personalized services. In this way, broadband network providers, equipment providers, and content service providers form an industrial ecological system.

II. Extended portal

By forcing users to implement patching and anti-virus policies, extended portal helps users to defend against viruses. Extended portal implements a security authentication mechanism to enhance portal authentication.

The security authentication mechanism works after the identity authentication process to check that the required anti-virus software, virus definition updates and OS patches are installed, and no unauthorized software is installed on the terminal of a user.

A user passing identity authentication can access only network resources like the anti-virus server or OS patch server, which are called the restricted resources. Only users passing security authentication can access more network resources, which are called the unrestricted resources.

Reliability Features

Smart Link

Dual-uplink networks (as shown in Figure 3-34) are in common use. In a network of this type, Spanning Tree Protocol (STP) is usually employed to allow for link redundancy. However, STP cannot satisfy the users with high demand on convergence time.

Smart Link is dedicated to dual-link networks as shown in Figure 3-34 to provide link redundancy with rapid convergence (sub-second level). It allows the backup link to take over quickly when the primary link fails. In addition to fast convergence, Smart Link is easy to configure.

[Figure 3-34 Smart link application scenario]

I. Smart link group

A smart link group consists of only two member ports: the master and the slave. At any time, only one port is active for forwarding, and the other port is blocked, that is, in the standby state. When link failure occurs on the active port, for example due to port shutdown or the presence of a unidirectional link, the standby port becomes active to take over while the original active port transits to the blocked state. Note that a port can join only one smart link group.

As shown in Figure 3-34, GE1/0/1 and GE1/0/2 of Switch C form a smart link group, with GE1/0/1 being active and GE1/0/2 being standby. GE1/0/1 and GE1/0/2 of Switch E form another smart link group, with GE1/0/2 being active and GE1/0/1 being standby.

II. Master port

Master port is a port role in a smart link group. When both ports in a smart link group are up, the master port preferentially transits to the forwarding state. Once the master port fails, the slave port takes over to forward traffic until the next link switchover. During this period, the master port stays in standby state even if it has recovered.

As shown in Figure 3-34, you can configure GE1/0/1 of Switch C and GE1/0/2 of Switch E as master ports.

III. Slave port

Slave port is a port role in a smart link group. When both ports in a smart link group are up, the slave port is placed in the standby state. When the master port fails, the slave port takes over to forward traffic.

As shown in Figure 3-34, you can configure GE1/0/2 of Switch C and GE1/0/1 of Switch E as slave ports.

IV. Flush message

Flush messages are used by a smart link group to notify other devices to refresh their MAC address forwarding entries and ARP/ND entries when link switchover occurs in the link group.

V. Transmit control VLAN

The transmit control VLAN is used for transmitting flush messages. When link switchover occurs, the devices (such as Switch C and E in Figure 3-34) broadcast flush messages within the VLAN.

VI. Receive control VLAN

The receive control VLAN is used for receiving and processing flush messages. When link switchover occurs, the devices (such as Switch A, B, and D in Figure 3-34) receive and process flush messages in the receive control VLAN and refresh their MAC address forwarding entries and ARP/ND entries.

Monitor Link

Monitor Link is a collaboration scheme introduced to complement Smart Link. It is usually used in conjunction with Layer-2 topology protocols. The idea is to adapt the up/down state of downlink ports to the up/down state of uplink ports, triggering link switchover on the downlink device in time. It is used to monitor the uplink and to perfect the backup function of Smart Link.

VRRP

Note: A switch running VRRP also functions as a router. The routers covered in the following text represent routers in the common sense and L3 switches running the Virtual Router Redundancy Protocol (VRRP).

Normally, as shown in Figure 3-35, you can configure a default route with the gateway as the next hop for every host on a network segment. All packets destined to other network segments are sent over the default route to the gateway and then forwarded by the gateway. However, when the gateway fails, all the hosts using the gateway as the default next-hop router fail to communicate with the external network.

[Figure 3-35 LAN networking]

Virtual Router Redundancy Protocol (VRRP) is designed to address this problem. VRRP adds routers that can act as network gateways to a VRRP group, which forms a virtual router. Routers in the VRRP group elect a master through the VRRP election mechanism to take the responsibility of a gateway, and hosts on a LAN only need to configure the virtual router as their default network gateway.

VRRP is an error-tolerant protocol, which improves the network reliability and simplifies configurations on hosts. Deploying VRRP on multicast and broadcast LANs such as Ethernet, you can ensure that the system can still provide highly reliable default links without changing configurations (such as dynamic routing protocols, route discovery protocols) when a device fails, and prevent network interruption due to failure of a single link.

VRRP has two versions: VRRPv2 and VRRPv3. VRRPv2 is based on IPv4, and VRRPv3 is based on IPv6. The two versions implement the same functions but provide different commands.

A VRRP group has the following features:

- A virtual router has an IP address. A host on the LAN only needs to know the IP address of the virtual router and uses the IP address as the next hop of the default route.
- Every host on the LAN communicates with external networks through the virtual router.
- Routers in the VRRP group elect the gateway according to their priorities. When the master acting as the gateway fails, to ensure that the hosts in the network segment can communicate with the external networks uninterruptedly, the other routers in the VRRP group elect a new gateway to undertake the responsibility of the failed router.

Figure 3-36 Network diagram for VRRP

As shown in Figure 3-36, the virtual switch has its own actual IP address: (This address can be the same as that of an interface of a switch within the standby group). A switch within the standby group has its own IP address ( for a master switch, and and for the standby switch). Hosts within the LAN only know the IP address of this virtual router: (generally referred to as the virtual IP address of the backup group), but they do not know the specific IP addresses of the master switch and of the standby routers. They configure the next hop for their own default routes as the IP address of this virtual router: Therefore, hosts within the network will communicate with the external network through this virtual switch. When the master switch in a standby group fails, a backup switch in the group will take over the work of the faulty master switch and become a new master switch. The new master switch continues providing routing services for the hosts within the network so that they can communicate with external networks continuously.

RRPP

The Rapid Ring Protection Protocol (RRPP) is a link layer protocol designed for Ethernet rings. RRPP can prevent broadcast storms caused by data loops when an Ethernet ring is healthy, and rapidly restore the communication paths between the nodes in the event that a link is disconnected on the ring.

Compared with the IEEE spanning tree protocols, RRPP features the following:
- Fast topology convergence
- Convergence time independent of Ethernet ring size

Figure 3-37 Network diagram for RRPP

By configuring an individual RRPP domain for transmitting the traffic of the specified VLANs (referred to as protected VLANs) in a ring network, traffic of different VLANs can be transmitted according to different topologies in the ring network. In this way, load balancing is achieved.

As shown in Figure 3-38, Ring 1 is configured as the primary ring of both Domain 1 and Domain 2. In Domain 1, Device A is configured as the master node of Ring 1; in Domain 2, Device B is configured as the master node of Ring 1. Such configurations enable the ring to block different links based on VLANs, thus achieving single-ring load balancing.

Figure 3-38 Network diagram for single-ring load balancing

3.14 IRF

The Intelligent Resilient Framework (IRF) is an innovative technology developed by H3C for mid-range and low-end switches. With IRF, users can design and realize high availability, scalability and reliability at the core layer and distribution layer of gigabit Ethernet networks.

Physical Connections

You can connect multiple S5500-EI switches that support IRF to form a logical switching entity, which looks like one switching device from the management view. This type of virtual device combines the low cost of box-type switches with the high scalability and availability of distributed chassis switches.

Figure 3-39 IRF virtual device

The devices in an IRF stack exchange hello packets to collect the topology of the entire stack and to report topology changes to the management module. Adding or deleting a member device is similar to inserting or removing a board to or from a chassis switch. This mechanism realizes hot backup and provides excellent scalability.

Figure 3-40 Add a member to the IRF stack

In an IRF stack, every single device is a stack member, and plays one of the following two roles according to its function:
- Master: The stack member elected to manage the entire stack. An IRF stack has only one master at one time.
- Slave: A stack member that is managed by the master and operates as a backup of the master. In an IRF stack, except for the master, all the other devices are slaves.

A typical IRF stack has a bus connection or a ring connection:

Figure 3-41 Physical connections of an IRF stack (bus topology and ring topology)

The orange lines in the figure represent stack links, which are different from common Ethernet network cables. A stack link can be composed of either one physical line or multiple physical lines.

Easy Management

An IRF stack can be regarded as a single entity. You can manage the entire IRF stack by logging in to any unit in the stack either from its console port or a network port through Telnet.

The management center of an IRF stack is its master device. All login requests and configurations you make are processed on the master device, regardless of how or from which member device you log in to the stack. Eventually, the configurations you make are synchronized by the master to the slaves.

An IRF stack uses member IDs to uniquely identify member devices. The member IDs are also used in port numbers to identify users. For example, if the member ID of a device is 3, its port number is GigabitEthernet 3/0/x.

Efficient Redundancy Backup

By using S5500-EI series switches to form an IRF stack, you can provide abundant access ports and enhanced forwarding capability. Considering the strict requirements for reliability at the distribution layer of a network and in data centers, IRF is designed to provide redundancy at the device level, protocol level and link level.

I. Device level 1:N backup

Common distributed chassis devices use 1:1 backup, where a backup module keeps synchronization with the primary module and takes over when the primary module fails.

IRF uses 1:N backup, where multiple slaves are configured as the backups of the master and are strictly synchronized with the master. Once the master fails, a new master is elected from the slaves to prevent service interruption. Because the slaves are strictly synchronized with the master, the switchover has little impact on ongoing services. Thus, reliability is improved.

II. Protocol level hot backup

When an IRF stack works normally, all protocol information and entries are synchronized among the devices. If one or more devices fail, other devices can take over the services from the failed devices immediately to ensure normal working of the entire stack.

For example, the master in normal working state synchronizes the routing information to all the devices in the IRF stack.

Figure 3-42 Routing information synchronization

If the master fails, the IRF stack elects a slave (suppose its member ID is 2) as the new master, which then continues communicating with the uplink routers using the routing information synchronized from the former master, and synchronizes update information to other slaves. Thus, the operation of the entire IRF stack is uninterrupted.

Figure 3-43 Routing protocol backup

III. Link level backup

Traditional link aggregation technologies provide protection against link failures but not against single points of failure caused by node failures. The new distributed link aggregation technology provided by IRF can effectively address this single-point failure issue.

With distributed link aggregation of IRF, you can assign ports on different stack units to the same link aggregation group. Thus, even when a unit fails, making the link aggregation member port or ports on that unit unavailable, traffic can be forwarded out of the link aggregation member ports on any other available stack unit to the destination. Meanwhile, the stack links between IRF member devices provide a rate up to 12/24 Gbps, which allows multiple aggregation groups to work at the same time.

Figure 3-44 Distributed aggregation

Chapter 4 System Maintenance and Management

4.1 Simple and Flexible Maintenance System

System Configuration

The S5500-EI series can be configured through the command line interface (CLI), NMS, or Web.
- In the CLI approach, you can configure the S5500-EI series locally through the console port, or configure it remotely through modem dialup or Telnet. As for Telnet, both Telnet server and Telnet client are supported.
- In the NMS approach, you can configure the S5500-EI series through an SNMP-based NMS.
- In the Web approach, you can configure the models in the S5500-EI series that support Web-based network management.

System Maintenance

The S5500-EI series provide diverse management and maintenance functions:
- LEDs are available on the switches and optional modules, indicating the board running status.
- Remote maintenance through Telnet
- Hierarchical management of user authorities and operation logs, as well as online help function
- Hierarchical alarm management and alarm filtering
- System status query, version query, debugging and tracing functions, to monitor system running status

System Test and Diagnosis

The S5500-EI series provide means for system software and hardware fault detection and diagnosis. Tools such as ping and tracert are available for you to test network connectivity and trace packet transmission paths online and hence address faults.

Software Upgrade

The S5500-EI series provide multiple approaches to software upgrade, and support remote upgrade and rollback to the previous version after upgrade.

The S5500-EI series support the following software upgrade methods:
- Software upgrade through a serial port by using the XModem protocol.
- Software upgrade through an Ethernet port through TFTP or FTP.
- Software upgrade through the Web-based NMS through HTTP.

4.2 Quidview NMS

The S5500-EI series support Quidview NMS for centralized management, which is usually implemented in multilingual graphic interfaces. The NMS provides management in topology, configuration, fault, security, and performance.

Topology Management

The Quidview NMS helps you learn your network in the most direct and convenient way by providing a network-wide device topology view. The NMS delivers powerful topology management. It provides physical topology view, logical topology view, and customized views, offering a unified network-wide equipment view. It also provides user-friendly interfaces for network/equipment operation and maintenance. The NMS supports automatic topology discovery, reflecting the real-time changes in network topology and equipment status.

Configuration Management

With the Quidview, you can configure and manage the S5500-EI series Ethernet switches, such as querying/enabling/disabling ports, querying/resetting/loading boards, and querying port parameters/VLAN configurations.

Fault Management

Fault management is the most important and common management approach during network operation and maintenance. In the graphic interfaces, you can implement equipment running/fault status query, real-time monitoring, and fault filtering/locating/check/analysis. The system provides audio prompts and graphical displays on the alarm card. Additionally, it can be connected to the alarm box and therefore facilitates routine maintenance.

Performance Management

The Quidview can collect and analyze performance data, monitor performance, and provide graphical performance reports in different forms. You can thus learn the information on equipment load and access traffic, track network service quality, and allocate network resources based on your network evaluation.

Security Management

The Quidview provides many security measures to strictly authenticate the user's operations and ensure system security. It offers a detailed operation log for later query and analysis.

4.3 Web-Based Network Management

Web-based network management allows you to manage and maintain a switch through the Web. In the implementation of Web-based network management, the switch provides a built-in Web server and runs a Web-based network management program on the homepage at the IP address of the management VLAN. PC users connected to the Ethernet ports on the switch can use a browser to access the program on the homepage and manage the switch.

Figure 4-1 shows the Web-based network operating environment:

Figure 4-1 Web-based network management operating environment


More information

S7500 series Core Routing Switches. Datasheet. Shenzhen TG-NET Botone Technology Co., Ltd.

S7500 series Core Routing Switches. Datasheet. Shenzhen TG-NET Botone Technology Co., Ltd. S7500 series Core Routing Switches Datasheet Shenzhen TG-NET Botone Technology Co., Ltd. Overview The S7500 series switches are high-end smart routing switches designed for nextgeneration enterprise networks.

More information

Item ATS T ATS T-POE ATS T 26x10/100/ x10/100/ x10/100/1000 Base-T Base-T

Item ATS T ATS T-POE ATS T 26x10/100/ x10/100/ x10/100/1000 Base-T Base-T Product Overview. ATS-4500 v2 is a full GE L2 Web Smart switch with cost effective and wire-speed switching capacity, which can be good choice for GE to desk solution and GE access demoand. 24 GE access

More information

System Description Quidway S5000 Series Ethernet Switches. Table of Contents

System Description Quidway S5000 Series Ethernet Switches. Table of Contents Table of Contents Table of Contents Chapter 1 Product Overview... 1-1 1.1 Preface... 1-1 1.2 System Features... 1-3 1.3 Service Features... 1-3 Chapter 2 Hardware Description...2-1 2.1 S5012G and S5012G-DC

More information

S3700 Series Enterprise Switches

S3700 Series Enterprise Switches S3700 Series Enterprise Switches S3700 Series Enterprise Switches Product Overview The S3700 series enterprise switches (S3700s) are next-generation energy-saving Layer 3 switches. The S3700 utilizes

More information

NGSME24T2H-AV. (24-Rear Port 10/100/1000Base-T PoE + 2 Gigabit SFP Layer 2+ Management Current Sharing PoE+ Switch)

NGSME24T2H-AV. (24-Rear Port 10/100/1000Base-T PoE + 2 Gigabit SFP Layer 2+ Management Current Sharing PoE+ Switch) NGSME24T2H-AV (24-Rear Port 10/100/1000Base-T PoE + 2 Gigabit SFP Layer 2+ Management Current Sharing PoE+ Switch) More information: WWW.NIVEOPROFESSIONAL.COM INFO@NIVEOPROFESSIONAL.COM Product Specification

More information

DCS C. Application Digital China .1 / 6

DCS C. Application Digital China .1 / 6 DCS-3650 Series Fast Ethernet Intelligent Access Switch Datasheet DCS-3650-8C/8C-POE DCS-3650-26C Product Overview DCS-3650 Series switch is Fast Ethernet intelligent access switch for MAN, campus or enterprise

More information

Dual hot-swappable power supply, with voltage/temperature alarms

Dual hot-swappable power supply, with voltage/temperature alarms ISCOM2924G-4C Intelligent Managed Layer-3 Aggregation switch ISCOM2924G-4C provides 24*10/100/1000M Base-T interfaces and 4*10GE SFP+ uplinks with redundant AC or DC power supply. Deployed on the edge

More information

BDCOM S2500PB Series Full Gigabit POE Switches

BDCOM S2500PB Series Full Gigabit POE Switches BDCOM S2500PB Series Full Gigabit POE Switches BDCOM S2500PB Series Product Overview BDCOM S2500PB Series is a new-generation intelligent POE access switch designed for carrier's IP MAN and enterprise

More information

S3300 Series Enterprise Switches

S3300 Series Enterprise Switches S3300 Series Enterprise Switches S3300 Series Enterprise Switches Product Overview S3300 switches (S3300 for short) are next-generation Layer-3 100-megabit Ethernet switches developed by Huawei to carry

More information

JetStream T2500G Series L2 Managed Switches

JetStream T2500G Series L2 Managed Switches JetStream T2500G Series L2 Managed Switches MODEL: T2500G-10TS (TL-SG3210)/T2500G-10MPS Datasheet Highlights -Gigabit Ethernet connections on all ports provide full speed of data transferring -Selective

More information

Cisco SFE2000P 24-Port 10/100 Ethernet Switch: PoE Cisco Small Business Managed Switches

Cisco SFE2000P 24-Port 10/100 Ethernet Switch: PoE Cisco Small Business Managed Switches Cisco SFE2000P 24-Port 10/100 Ethernet Switch: PoE Cisco Small Business Managed Switches Secure, Flexible Switches for Small Business Network Foundations Highlights Designed for small businesses that require

More information

HPE FlexFabric 5950 Switch Series

HPE FlexFabric 5950 Switch Series HPE FlexFabric 5950 Switch Series About the HPE FlexFabric 5950 Configuration Guides Part number: 5200-0808 Software version: Release 6106 and later Document version: 6W100-20160513 Copyright 2016 Hewlett

More information

FGS-2616X L2+ Managed GbE Fiber Switches

FGS-2616X L2+ Managed GbE Fiber Switches FGS-2616X L2+ Managed GbE Fiber Switches FGS-2616XD FGS-2616XA FGS-2616X Overview FGS-2616X series L2+ Managed Switch are next-generation Fiber Switch offering full suite of L2 features and additional

More information

CloudEngine 6800 Series Data Center Switches

CloudEngine 6800 Series Data Center Switches Series Data Center Switches Series Data Center Switches Product Overview Huawei CloudEngine series (CE for short) switches are nextgeneration 10G Ethernet switches designed for data centers and highend

More information

Gigabit Network Switches

Gigabit Network Switches Network Transmission Gigabit Network Switches Layer 2 (Non-PoE) Layer 3 (PoE-at) OVERVIEW This Enterprise-Class Network Switch provides 24 Gigabit Ethernet ports with 4 shared 100/1000Mbps SFP slots. This

More information

S2720-EI Series Enterprise Switches

S2720-EI Series Enterprise Switches Brochure S2720-EI Series Enterprise Switches The S2720-EI is a next-generation access switch that provides flexible 100M, GE access ports and GE uplink ports. Product Overview Building on next-generation,

More information

Huawei S5300LI V200R005 Switch Product Brochures. Huawei Technologies Co., Ltd. Issue V1.0. Date

Huawei S5300LI V200R005 Switch Product Brochures. Huawei Technologies Co., Ltd. Issue V1.0. Date Huawei S5300LI V200R005 Switch Product Brochures Issue V1.0 Date 2014-10-25 Huawei Technologies Co., Ltd. S5300-LI Series Gigabit Enterprise Switches Product Overview The S5300-LI is a next-generation

More information

GS-1626G Web Smart+ GbE Switch

GS-1626G Web Smart+ GbE Switch GS-1626G Web Smart+ GbE Switch Overview GS-1626G Web Smart+ Managed Switch is a next-generation Ethernet Switch offering powerful L2 features and Layer 3 Static Route that delivers the cost-effectively

More information

BDCOM S8500 Series Carrier-class Core Switches

BDCOM S8500 Series Carrier-class Core Switches BDCOM S8500 Series Carrier-class Core Switches BDCOM S8500 Series Product Overview BDCOM S8500 Series, a new generation T-bit carrier-class core switch oriented for carrier's IP MANs and campus networks.

More information

H3C S1850 Gigabit WEB Managed Switch Series

H3C S1850 Gigabit WEB Managed Switch Series DATASHEET H3C S1850 Gigabit WEB Managed Switch Series Product overview The H3C 1850 Switch Series consists of advanced smart-managed fixed-configuration Gigabit switches designed for small businesses in

More information

JetStream T2500G Series L2 Managed Switches

JetStream T2500G Series L2 Managed Switches JetStream T2500G Series L2 Managed Switches MODEL: T2500G-10TS (TL-SG3210)T2500G-10MPS Datasheet Highlights -Gigabit Ethernet connections on all ports provide full speed of data transferring -Selective

More information

CloudEngine 6800 Series Data Center Switches

CloudEngine 6800 Series Data Center Switches Series Data Center Switches Series Data Center Switches Product Overview Huawei CloudEngine series (CE for short) switches are nextgeneration 10G Ethernet switches designed for data centers and highend

More information

Highlights. Datasheet ISCOM2128EA-MA. comboo GE network. Network Security. control, Aggregation. & Management. Advanced QoS. Support IGMP.

Highlights. Datasheet ISCOM2128EA-MA. comboo GE network. Network Security. control, Aggregation. & Management. Advanced QoS. Support IGMP. ISCOM2110EA-MAA Enhanced L2 Carrier Ethernet Access Switch ISCOM2110EA-MAA is designed for Carrier Ethernet access portfolio, which provides cost-effective solutions for campus, enterprise, and residential

More information

TP-LINK. 24-Port Gigabit L2 Managed Switch with 4 Combo SFP Slots. Overview. Datasheet TL-SG3424.

TP-LINK. 24-Port Gigabit L2 Managed Switch with 4 Combo SFP Slots. Overview. Datasheet TL-SG3424. TP-LINK 24-Port Gigabit L2 Managed Switch with 4 Combo SFP Slots Overview TP-LINK 24-Port Gigabit L2 Managed Switch with 4 Combo SFP Slots is equipped with 24 gigabit RJ45 ports and 4 combo SFP slots.

More information

DCRS-5750T Dual Stack Ethernet Switch Datasheet

DCRS-5750T Dual Stack Ethernet Switch Datasheet Dual Stack Ethernet Switch Datasheet DCRS-5750-28T-DC/ 28T-POE Key Features and Benefits Performance and Scalability DCRS-5750 series switch support wire-speed L2/L3 forwarding and high routing performance

More information

Support STP/RSTP/MSTP, redundant links and IEEE 802.3ad Link Aggregation

Support STP/RSTP/MSTP, redundant links and IEEE 802.3ad Link Aggregation Enhanced Intelligent L2 Media Convertor is designed for Carrier Ethernet media transition, which provides cost-effective solutions for campus, enterprise, and residential access scenarios. The product

More information

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61)

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61) (11) 4062-6971 (21) 4062-6971 (31) 4062-6971 (41) 4062-6971 (48) 4062-6971 (51) 4062-6971 (61) 4062-6971 Cisco SRW208P 8-Port 10/100 Ethernet Switch: WebView/PoE Cisco Small Business Managed Switches Highly

More information

Datasheet. Fengine S4800 Series Gigabit Switches P RODUCT O VERVIEW P RODUCT A PPEARANCE. Wuhan FiberHome Networks Co., Ltd.

Datasheet. Fengine S4800 Series Gigabit Switches P RODUCT O VERVIEW P RODUCT A PPEARANCE. Wuhan FiberHome Networks Co., Ltd. Datasheet V30R203 Fengine S4800 Series Gigabit Switches P RODUCT O VERVIEW Fengine S4800 series gigabit switches (S4800) are leading Layer 2 intelligent manageable fixed-port devices developed by FiberHome

More information

Highlights. Datasheet. defined E-Line and with specifications. Network Security. control, & Management. Advanced QoS.

Highlights. Datasheet. defined E-Line and with specifications. Network Security. control, & Management. Advanced QoS. ISCOM2924GF-4GE Intelligent Managed Advanced Ethernet Switch ISCOM2924GF-4GE provides 24*100/1000Mbps optical ports+ 4 Gigabits Combo uplinks with redundant AC or DC power supply. Deployed on the edge

More information

SAE-PE QSFP-NMS

SAE-PE QSFP-NMS Type: SAE-PE242400-QSFP-NMS Technical Specification of SAE-PE242400-QSFP-NMS 24 POE ports & 24 port 10/100/1000 switch & 4 Gigabit fiber ports(sfps) PoE Switch with 24 PoE Ports and 4 Gigabit fiber Ports

More information

Cisco Small Business Managed Switches

Cisco Small Business Managed Switches Cisco SFE2000P 24-Port 10/100 Ethernet Switch: PoE Cisco Small Business Managed Switches Secure, Flexible Switches for Small Business Network Foundations Highlights Designed for small businesses that require

More information

IS5600G/IS5600XG-2U Layer3 Industrial Ethernet Switch

IS5600G/IS5600XG-2U Layer3 Industrial Ethernet Switch IS5600G/IS5600XG-2U Layer3 Industrial Ethernet Switch Product Overview IS5600G-2U/ IS5600-XG-2U IS5600G-2U/ IS5600XG-2U layer 3 modular gigabit industrial ethernet switch supports comprehensive Layer 2/3

More information

Overview Powerful All-port 10Gbps Solution for Enterprise Core Networks Layer 3 10Gigabit static routing 16 SFP+ fiber 320Gbps switching fabric

Overview Powerful All-port 10Gbps Solution for Enterprise Core Networks Layer 3 10Gigabit static routing 16 SFP+ fiber 320Gbps switching fabric Overview Powerful All-port 10Gbps Solution for Enterprise Core Networks This Layer 3 Stackable Managed Gigabit Switch provides high-density performance via its Layer 3 10Gigabit static routing with 16

More information

RC-ACS-2428B. Overview. Features & Benefits. Gigabit L2+ OAM Managed Fiber Switch with.

RC-ACS-2428B. Overview. Features & Benefits. Gigabit L2+ OAM Managed Fiber Switch with. Gigabit L2+ OAM Managed Fiber Switch with Twin-Rate TM RC-ACS-2428B Overview The RC-ACS-2428B, the next generation L2+ Carrier Ethernet Access Fiber switches from Raycore, is a 20-port GbE SFP, 4-port

More information

DCS-3950 Series Fast Ethernet Intelligent Access Switch Datasheet

DCS-3950 Series Fast Ethernet Intelligent Access Switch Datasheet DCS-3950 Series Fast Ethernet Intelligent Access Switch Datasheet DCS-3950-10C DCS-3950-26C DCS-3950-28C Product Overview DCS-3950 Series switch is Fast Ethernet intelligent security access switch for

More information

S5700-SI Series Gigabit Enterprise Switches

S5700-SI Series Gigabit Enterprise Switches S5700-SI Series Gigabit Enterprise Switches S5700-SI Series Gigabit Enterprise Switches Product Overview The S5700-SI series are gigabit Layer 3 Ethernet switches based on new generation of high-performance

More information