
HP 5500 Ei 5500 Si Switch Series Configuration Guide

    [SwitchC-bgp-af-ipv6] quit 
    [SwitchC-bgp] quit 
    # Configure Switch B. 
    [SwitchB-bgp] ipv6-family 
    [SwitchB-bgp-af-ipv6] group ebgp external 
    [SwitchB-bgp-af-ipv6] peer 3::2 as-number 65009 
    [SwitchB-bgp-af-ipv6] peer 3::2 group ebgp 
    [SwitchB-bgp-af-ipv6] quit 
    [SwitchB-bgp] quit 
    4. Configure IPsec policies:
    # On Switch A, create an IPsec proposal named tran1, and set the encapsulation mode to
    transport mode, the security protocol to ESP, the encryption algorithm to DES, and authentication
    algorithm to SHA1; create an IPsec policy named policy001, specify the manual mode for it,
    reference IPsec proposal tran1, set the SPIs of the inbound and outbound SAs to 12345, and the
    keys for the inbound and outbound SAs using ESP to abcdefg.
    [SwitchA] ipsec proposal tran1 
    [SwitchA-ipsec-proposal-tran1] encapsulation-mode transport 
    [SwitchA-ipsec-proposal-tran1] transform esp 
    [SwitchA-ipsec-proposal-tran1] esp encryption-algorithm des 
    [SwitchA-ipsec-proposal-tran1] esp authentication-algorithm sha1 
    [SwitchA-ipsec-proposal-tran1] quit 
    [SwitchA] ipsec policy policy001 10 manual 
    [SwitchA-ipsec-policy-manual-policy001-10] proposal tran1 
    [SwitchA-ipsec-policy-manual-policy001-10] sa spi outbound esp 12345 
    [SwitchA-ipsec-policy-manual-policy001-10] sa spi inbound esp 12345 
    [SwitchA-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg
    [SwitchA-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
    [SwitchA-ipsec-policy-manual-policy001-10] quit 
    # On Switch B, create an IPsec proposal named tran1, and set the encapsulation mode to
    transport mode, the security protocol to ESP, the encryption algorithm to DES, and authentication
    algorithm to SHA1; create an IPsec policy named policy001, specify the manual mode for it,
    reference IPsec proposal tran1, set the SPIs of the inbound and outbound SAs to 12345, and the
    keys for the inbound and outbound SAs using ESP to abcdefg; create an IPsec proposal named
    tran2, and set the encapsulation mode to transport mode, the security protocol to ESP, the
    encryption algorithm to DES, and authentication algorithm to SHA1; create an IPsec policy named
    policy002, specify the manual mode for it, reference IPsec proposal tran2, set the SPIs of the
    inbound and outbound SAs to 54321, and the keys for the inbound and outbound SAs using ESP
    to gfedcba.
    [SwitchB] ipsec proposal tran1 
    [SwitchB-ipsec-proposal-tran1] encapsulation-mode transport 
    [SwitchB-ipsec-proposal-tran1] transform esp 
    [SwitchB-ipsec-proposal-tran1] esp encryption-algorithm des 
    [SwitchB-ipsec-proposal-tran1] esp authentication-algorithm sha1 
    [SwitchB-ipsec-proposal-tran1] quit 
    [SwitchB] ipsec policy policy001 10 manual 
    [SwitchB-ipsec-policy-manual-policy001-10] proposal tran1
    [SwitchB-ipsec-policy-manual-policy001-10] sa spi outbound esp 12345 
    [SwitchB-ipsec-policy-manual-policy001-10] sa spi inbound esp 12345 
    [SwitchB-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg
    [SwitchB-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
    [SwitchB-ipsec-policy-manual-policy001-10] quit 
    [SwitchB] ipsec proposal tran2 
    [SwitchB-ipsec-proposal-tran2] encapsulation-mode transport 
    [SwitchB-ipsec-proposal-tran2] transform esp 
    [SwitchB-ipsec-proposal-tran2] esp encryption-algorithm des 
    [SwitchB-ipsec-proposal-tran2] esp authentication-algorithm sha1 
    [SwitchB-ipsec-proposal-tran2] quit 
    [SwitchB] ipsec policy policy002 10 manual 
    [SwitchB-ipsec-policy-manual-policy002-10] proposal tran2 
    [SwitchB-ipsec-policy-manual-policy002-10] sa spi outbound esp 54321 
    [SwitchB-ipsec-policy-manual-policy002-10] sa spi inbound esp 54321 
    [SwitchB-ipsec-policy-manual-policy002-10] sa string-key outbound esp gfedcba
    [SwitchB-ipsec-policy-manual-policy002-10] sa string-key inbound esp gfedcba
    [SwitchB-ipsec-policy-manual-policy002-10] quit 
    # On Switch C, create an IPsec proposal named tran2, and set the encapsulation mode to
    transport mode, the security protocol to ESP, the encryption algorithm to DES, and authentication
    algorithm to SHA1; create an IPsec policy named policy002, specify the manual mode for it,
    reference IPsec proposal tran2, set the SPIs of the inbound and outbound SAs to 54321, and the
    keys for the inbound and outbound SAs using ESP to gfedcba.
    [SwitchC] ipsec proposal tran2 
    [SwitchC-ipsec-proposal-tran2] encapsulation-mode transport 
    [SwitchC-ipsec-proposal-tran2] transform esp 
    [SwitchC-ipsec-proposal-tran2] esp encryption-algorithm des 
    [SwitchC-ipsec-proposal-tran2] esp authentication-algorithm sha1 
    [SwitchC-ipsec-proposal-tran2] quit 
    [SwitchC] ipsec policy policy002 10 manual 
    [SwitchC-ipsec-policy-manual-policy002-10] proposal tran2 
    [SwitchC-ipsec-policy-manual-policy002-10] sa spi outbound esp 54321 
    [SwitchC-ipsec-policy-manual-policy002-10] sa spi inbound esp 54321 
    [SwitchC-ipsec-policy-manual-policy002-10] sa string-key outbound esp gfedcba
    [SwitchC-ipsec-policy-manual-policy002-10] sa string-key inbound esp gfedcba
    [SwitchC-ipsec-policy-manual-policy002-10] quit 
    5. Apply IPsec policies to IBGP peers: 
    # Configure Switch A. 
    [SwitchA] bgp 65008 
    [SwitchA-bgp] ipv6-family 
    [SwitchA-bgp-af-ipv6] peer 1::2 ipsec-policy policy001 
    [SwitchA-bgp-af-ipv6] quit 
    [SwitchA-bgp] quit 
    # Configure Switch B. 
    [SwitchB] bgp 65008 
    [SwitchB-bgp] ipv6-family
    [SwitchB-bgp-af-ipv6] peer 1::1 ipsec-policy policy001 
    [SwitchB-bgp-af-ipv6] quit 
    [SwitchB-bgp] quit 
    6. Apply IPsec policies to EBGP peers: 
    # Configure Switch C. 
    [SwitchC] bgp 65009 
    [SwitchC-bgp] ipv6-family 
    [SwitchC-bgp-af-ipv6] peer ebgp ipsec-policy policy002 
    [SwitchC-bgp-af-ipv6] quit 
    [SwitchC-bgp] quit 
    # Configure Switch B. 
    [SwitchB] bgp 65008 
    [SwitchB-bgp] ipv6-family 
    [SwitchB-bgp-af-ipv6] peer ebgp ipsec-policy policy002 
    [SwitchB-bgp-af-ipv6] quit 
    [SwitchB-bgp] quit 
    7. Verify the configuration: 
    # Display detailed IPv6 BGP peer information. 
     [SwitchB] display bgp ipv6 peer verbose 
             BGP Peer is 1::1,  remote AS 65008, 
             Type: IBGP link 
             BGP version 4, remote router ID 1.1.1.1 
             BGP current state: Established, Up for 00h01m51s 
             BGP current event: RecvKeepalive 
             BGP last state: OpenConfirm 
             Port:  Local – 1029     Remote - 179 
             Configured: Active  Hold Time: 180 sec  Keepalive Time: 60 sec
             Received  : Active  Hold Time: 180 sec 
             Negotiated: Active  Hold Time: 180 sec 
             Peer optional capabilities: 
             Peer support bgp multi-protocol extended 
             Peer support bgp route refresh capability 
             Address family IPv4 Unicast: advertised and received 
     Received: Total 0 messages, Update messages 0 
     Sent: Total 0 messages, Update messages 0 
     Maximum allowed prefix number: 4294967295 
     Threshold: 75% 
     Minimum time between advertisement runs is 30 seconds 
     Optional capabilities: 
      Route refresh capability has been enabled 
      ORF advertise capability based on prefix (type 64): 
        Local: both 
        Negotiated: send 
     Peer Preferred Value: 0 
     IPsec policy name: policy001, SPI :12345
     Routing policy configured: 
     No routing policy is configured 
             BGP Peer is 3::2,  remote AS 65009, 
             Type: EBGP link 
             BGP version 4, remote router ID 3.3.3.3 
             BGP current state: Established, Up for 00h01m51s 
             BGP current event: RecvKeepalive 
             BGP last state: OpenConfirm 
             Port:  Local – 1029     Remote - 179 
             Configured: Active  Hold Time: 180 sec  Keepalive Time: 60 sec
             Received  : Active  Hold Time: 180 sec 
             Negotiated: Active  Hold Time: 180 sec 
             Peer optional capabilities: 
             Peer support bgp multi-protocol extended 
             Peer support bgp route refresh capability 
             Address family IPv4 Unicast: advertised and received 
     Received: Total 0 messages, Update messages 0 
     Sent: Total 0 messages, Update messages 0 
     Maximum allowed prefix number: 4294967295 
     Threshold: 75% 
     Minimum time between advertisement runs is 30 seconds 
     Optional capabilities: 
      Route refresh capability has been enabled 
      ORF advertise capability based on prefix (type 64): 
        Local: both 
        Negotiated: send 
     Peer Preferred Value: 0 
     IPsec policy name: policy002, SPI :54321 
     Routing policy configured: 
     No routing policy is configured 
    The output shows that both IBGP and EBGP neighbor relationships have been established and all 
    protocol packets are protected by IPsec.  
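
An added example, not part of the HP guide: a Python check that reads command transcripts in the style of step 4 and flags what a reviewer would question in these manual IPsec policies (DES, statically entered keys, short key strings), then verifies that each device's outbound SPI and key equal its peer's inbound values. The 16-character key threshold and the rule that two devices sharing a policy name are peers are assumptions of this example.

```python
import re
from collections import defaultdict

WEAK_ENC = {"des"}     # single DES has a 56-bit key
MIN_KEY_CHARS = 16     # assumed local policy threshold, not a device limit

# Constructed sample: the page's step 4 command pattern, wrapped lines joined.
TEMPLATE = """\
[{d}] ipsec proposal {p}
[{d}-ipsec-proposal-{p}] esp encryption-algorithm {enc}
[{d}-ipsec-proposal-{p}] esp authentication-algorithm sha1
[{d}] ipsec policy {pol} 10 manual
[{d}-ipsec-policy-manual-{pol}-10] proposal {p}
[{d}-ipsec-policy-manual-{pol}-10] sa spi outbound esp {spi}
[{d}-ipsec-policy-manual-{pol}-10] sa spi inbound esp {spi}
[{d}-ipsec-policy-manual-{pol}-10] sa string-key outbound esp {key}
[{d}-ipsec-policy-manual-{pol}-10] sa string-key inbound esp {key}
"""
PAGE_VALUES = dict(p="tran1", enc="des", pol="policy001", spi=12345, key="abcdefg")
PAGE_SAMPLE = (TEMPLATE.format(d="SwitchA", **PAGE_VALUES)
               + TEMPLATE.format(d="SwitchB", **PAGE_VALUES))

# "[Device-view] command": device name is assumed to contain no hyphen.
LINE = re.compile(r"^\[([^\]-]+)(?:-([^\]]+))?\]\s+(.+?)\s*$")
MANUAL_VIEW = re.compile(r"^ipsec-policy-manual-(.+)-\d+$")


def parse(transcript):
    """Return (proposals, policies), each keyed by (device, name)."""
    proposals, policies = defaultdict(dict), defaultdict(dict)
    for raw in transcript.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m.group(2):
            continue                      # not inside a proposal/policy view
        dev, view, cmd = m.groups()
        words = cmd.split()
        if view.startswith("ipsec-proposal-") and words[0] == "esp" and len(words) >= 3:
            proposals[dev, view[len("ipsec-proposal-"):]][words[1]] = words[2]
        pol = MANUAL_VIEW.match(view)
        if pol and words[0] == "proposal" and len(words) == 2:
            policies[dev, pol.group(1)]["proposal"] = words[1]
        elif pol and words[0] == "sa" and len(words) == 5:
            # "sa spi outbound esp 12345" is stored under ("spi", "outbound")
            policies[dev, pol.group(1)][words[1], words[2]] = words[4]
    return proposals, policies


def audit(transcript):
    """Return sorted (device, policy, finding) tuples."""
    proposals, policies = parse(transcript)
    findings = set()
    for (dev, name), pol in policies.items():
        findings.add((dev, name, "manual-keying"))   # static keys, no rekeying
        prop = proposals.get((dev, pol.get("proposal")), {})
        if prop.get("encryption-algorithm") in WEAK_ENC:
            findings.add((dev, name, "weak-cipher:" + prop["encryption-algorithm"]))
        for direction in ("inbound", "outbound"):
            if len(pol.get(("string-key", direction), "")) < MIN_KEY_CHARS:
                findings.add((dev, name, "short-key"))
        # This device's outbound SA must equal the peer's inbound SA.
        for (peer, pname), other in policies.items():
            if peer != dev and pname == name:
                for field in ("spi", "string-key"):
                    if pol.get((field, "outbound")) != other.get((field, "inbound")):
                        findings.add((dev, name, f"peer-mismatch:{field}:{peer}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(PAGE_SAMPLE):
        print(*finding)
```
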
    Configuring BFD for IPv6 BGP 
    Network requirements 
    As shown in Figure 118:
    •   Configure OSPFv3 as the IGP in AS 200.
    •   Establish two IBGP connections between Switch A and Switch C. When both links are working,
    Switch C adopts the link Switch A<->Switch B<->Switch C to exchange packets with network
    1200::0/64. Configure BFD over the link. Then if the link fails, BFD can quickly detect the failure
    and notify it to IPv6 BGP. Then the link Switch A<->Switch D<->Switch C takes effect
    immediately.
    Figure 118 Network diagram

    Device    Interface    IP address    Device    Interface    IP address
    Switch A  Vlan-int100  3000::1/64    Switch C  Vlan-int101  3001::3/64
              Vlan-int200  2000::1/64              Vlan-int201  2001::3/64
    Switch B  Vlan-int100  3000::2/64    Switch D  Vlan-int200  2000::2/64
              Vlan-int101  3001::2/64              Vlan-int201  2001::2/64
    Configuration procedure 
    1. Configure IP addresses for interfaces. (Details not shown.)
    2. Configure OSPFv3 to make sure that Switch A and Switch C are reachable to each other. (Details
    not shown.)
    3. Configure IPv6 BGP on Switch A.
    # Establish two IBGP connections between Switch A and Switch C.
    <SwitchA> system-view
    [SwitchA] bgp 200 
    [SwitchA-bgp] ipv6-family 
    [SwitchA-bgp-af-ipv6] peer 3001::3 as-number 200 
    [SwitchA-bgp-af-ipv6] peer 2001::3 as-number 200 
    [SwitchA-bgp-af-ipv6] quit 
    # When the two links between Switch A and Switch C are both up, Switch C adopts the link
    Switch A<->Switch B<->Switch C to exchange packets with network 1200::0/64. (Set a higher MED
    value for route 1200::0/64 sent to peer 2001::3 on Switch A.)
    ◦ Create IPv6 ACL 2000 to permit 1200::0/64 to pass.
    [SwitchA] acl ipv6 number 2000 
    [SwitchA-acl6-basic-2000] rule permit source 1200::0 64 
    [SwitchA-acl6-basic-2000] quit 
    ◦ Create two route policies, apply_med_50 and apply_med_100. Policy apply_med_50 sets the
    MED for route 1200::0/64 to 50. Policy apply_med_100 sets that to 100.
    [SwitchA] route-policy apply_med_50 permit node 10 
    [SwitchA-route-policy] if-match ipv6 address acl 2000 
    [SwitchA-route-policy] apply cost 50 
    [SwitchA-route-policy] quit 
    [SwitchA] route-policy apply_med_100 permit node 10 
    [SwitchA-route-policy] if-match ipv6 address acl 2000 
    [SwitchA-route-policy] apply cost 100 
    [SwitchA-route-policy] quit 
    ◦ Apply routing policy apply_med_50 to routes outgoing to peer 3001::3, and apply routing
    policy apply_med_100 to routes outgoing to peer 2001::3.
    [SwitchA] bgp 200 
    [SwitchA-bgp] ipv6-family 
    [SwitchA-bgp-af-ipv6] network 1200:: 64 
    [SwitchA-bgp-af-ipv6] peer 3001::3 route-policy apply_med_50 export 
    [SwitchA-bgp-af-ipv6] peer 2001::3 route-policy apply_med_100 export 
    # Configure BFD over the link to peer 3001::3 so that when the link Switch A<->Switch
    B<->Switch C fails, BFD can quickly detect the failure and notify it to IPv6 BGP, and then the link
    Switch A<->Switch D<->Switch C takes effect immediately.
    [SwitchA-bgp-af-ipv6] peer 3001::3 bfd 
    [SwitchA-bgp-af-ipv6] quit 
    [SwitchA-bgp] quit 
    4.  Configure IPv6 BGP on Switch C:  
    <SwitchC> system-view
    [SwitchC] bgp 200 
    [SwitchC-bgp] ipv6-family 
    [SwitchC-bgp-af-ipv6] peer 3000::1 as-number 200 
    [SwitchC-bgp-af-ipv6] peer 3000::1 bfd 
    [SwitchC-bgp-af-ipv6] peer 2000::1 as-number 200 
    [SwitchC-bgp-af-ipv6] quit 
    [SwitchC-bgp] quit 
    5. Configure BFD parameters (you can use default BFD parameters instead):
    # Configure Switch A.
    [SwitchA] bfd session init-mode active
    [SwitchA] interface vlan-interface 100
    ◦ Configure the minimum interval for transmitting BFD control packets as 500 milliseconds.
    [SwitchA-Vlan-interface100] bfd min-transmit-interval 500
    ◦ Configure the minimum interval for receiving BFD control packets as 500 milliseconds.
    [SwitchA-Vlan-interface100] bfd min-receive-interval 500
    ◦ Configure the detect multiplier as 7.
    [SwitchA-Vlan-interface100] bfd detect-multiplier 7
    [SwitchA-Vlan-interface100] quit 
    # Configure Switch C.  
    [SwitchC] bfd session init-mode active 
    [SwitchC] interface vlan-interface 101
    ◦ Configure the minimum interval for transmitting BFD control packets as 500 milliseconds.
    [SwitchC-Vlan-interface101] bfd min-transmit-interval 500
    ◦ Configure the minimum interval for receiving BFD control packets as 500 milliseconds.
    [SwitchC-Vlan-interface101] bfd min-receive-interval 500
    ◦ Configure the detect multiplier as 7.
    [SwitchC-Vlan-interface101] bfd detect-multiplier 7
    [SwitchC-Vlan-interface101] return 
    6. Verify the configuration: 
    The following operations are made on Switch C. Operations on Switch A and Switch B are similar
    and are not shown.
    # Display detailed BFD session information.
    <SwitchC> display bfd session verbose
     
     Total session number: 1   Up session number: 1   Init mode: Active 
     
     IPv6 Session working under Ctrl mode: 
     
         Local Discr: 17                  Remote Discr: 13 
           Source IP: 3001::3 
      Destination IP: 3000::1 
       Session State: Up                     Interface: Vlan-interface101 
     Min Trans Inter: 500ms            Act Trans Inter: 500ms 
      Min Recv Inter: 500ms           Act Detect Inter: 3000ms 
        Recv Pkt Num: 57                  Send Pkt Num: 53 
           Hold Time: 2200ms              Connect Type: Direct 
      Running Up for: 00:00:06               Auth mode: none 
            Protocol: BGP6 
           Diag Info: No Diagnostic 
    The output shows that a BFD session is established between Switch A’s VLAN-interface 100 and
    Switch C’s VLAN-interface 101 and that BFD runs properly.
    # Display IPv6 peer information on Switch C, and you can see that the neighborship between Switch
    A and Switch C is established.
    <SwitchC> display bgp ipv6 peer
     BGP local router ID : 1.1.1.1
     Local AS number : 200
     Total number of peers : 2                 Peers in established state : 2
      Peer                    AS  MsgRcvd  MsgSent OutQ PrefRcv Up/Down  State
      2000::1                200        7       10    0       0 00:01:05 Established
      3000::1                200        7       10    0       0 00:01:34 Established
    # Display route 1200::0/64 on Switch C, and you can see that Switch A and Switch C
    communicate through Switch B.
    <SwitchC> display ipv6 routing-table 1200::0 64 verbose
    Routing Table :
    Summary Count : 2

     Destination  : 1200::                                  PrefixLength : 64
     NextHop      : 3000::1                                 Preference   : 255
     RelayNextHop : 3001::2                                 Tag          : 0H
     Neighbor     : 3000::1                                 ProcessID    : 0
     Interface    : Vlan-interface101                       Protocol     : BGP4+
     State        : Active Adv                              Cost         : 50
     Tunnel ID    : 0x0                                     Label        : NULL
     Age          : 4538sec

     Destination  : 1200::                                  PrefixLength : 64
     NextHop      : 2000::1                                 Preference   : 255
     RelayNextHop : 2001::2                                 Tag          : 0H
     Neighbor     : 2000::1                                 ProcessID    : 0
     Interface    : Vlan-interface201                       Protocol     : BGP4+
     State        : Invalid Adv                             Cost         : 100
     Tunnel ID    : 0x0                                     Label        : NULL
     Age          : 4515sec
    The output shows that Switch C has two routes to reach network 1200::0/64: Switch
    C<->Switch B<->Switch A, which is the currently active route; Switch C<->Switch
    D<->Switch A, which is the backup route.
    # Enable BFD debugging on Switch C.
    <SwitchC> debugging bfd scm
    <SwitchC> debugging bfd event
    <SwitchC> debugging bgp bfd
    <SwitchC> terminal monitor
    <SwitchC> terminal debugging
    # The following debugging information shows that Switch C can quickly detect the failure on
    Switch B.
    %Nov  5 11:42:24:172 2009 SwitchC BFD/5/BFD_CHANGE_FSM: Sess[3001::3/3000::1,
    13/17,VLAN101,Ctrl], Sta: UP->DOWN, Diag: 1
    %Nov  5 11:42:24:172 2009 SwitchC BGP/5/BGP_STATE_CHANGED: 3000::1 state is changed
    from ESTABLISHED to IDLE.
    *Nov  5 11:42:24:187 2009 SwitchC RM/6/RMDEBUG: BGP_BFD: Recv BFD DOWN msg, Src IP
    3001::3, Dst IP 3000::1, Instance ID 0.
    *Nov  5 11:42:24:187 2009 SwitchC RM/6/RMDEBUG: BGP_BFD: Reset BGP session 3000::1
    for BFD session down.
    *Nov  5 11:42:24:187 2009 SwitchC RM/6/RMDEBUG: BGP_BFD: Send DELETE msg to BFD,
    Connection type DIRECT, Src IP 3001::3, Dst IP 3000::1, Instance ID 0.
    # Display route 1200::0/64 on Switch C, and you can see that Switch A and Switch C
    communicate through Switch D.
    <SwitchC> display ipv6 routing-table 1200::0 64 verbose
    Routing Table :
    Summary Count : 1
     Destination  : 1200::                                  PrefixLength : 64
     NextHop      : 2000::1                                 Preference   : 255
     RelayNextHop : 2001::2                                 Tag          : 0H
     Neighbor     : 2000::1                                 ProcessID    : 0
     Interface    : Vlan-interface201                       Protocol     : BGP4+
     State        : Active Adv                              Cost         : 100
     Tunnel ID    : 0x0                                     Label        : NULL
     Age          : 4635sec
    The output shows that Switch C has one route to reach network 1200::0/64, that is, Switch
    C<->Switch D<->Switch A.
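
An added example, not part of the HP guide: a Python correlator that reads log lines in the format shown above and reports, for each IPv6 BGP session that left ESTABLISHED, whether a BFD UP->DOWN event for the same peer preceded it and by how many milliseconds. Treating the second address in `Sess[a/b, ...]` as the remote peer and the 1000 ms correlation window are assumptions of this example; the third sample line is constructed.

```python
import re
from datetime import datetime, timedelta

# Lines 1-2 are the log lines shown on this page with continuation lines joined;
# line 3 is constructed to show a BGP drop that no BFD event explains.
SAMPLE_LOG = """\
%Nov  5 11:42:24:172 2009 SwitchC BFD/5/BFD_CHANGE_FSM: Sess[3001::3/3000::1, 13/17,VLAN101,Ctrl], Sta: UP->DOWN, Diag: 1
%Nov  5 11:42:24:172 2009 SwitchC BGP/5/BGP_STATE_CHANGED: 3000::1 state is changed from ESTABLISHED to IDLE.
%Nov  5 11:50:02:010 2009 SwitchC BGP/5/BGP_STATE_CHANGED: 2000::1 state is changed from ESTABLISHED to IDLE.
"""

HEADER = re.compile(
    r"^[%*](\w{3})\s+(\d+) (\d\d:\d\d:\d\d):(\d{3}) (\d{4}) (\S+) \w+/\d/(\w+): (.*)$")
BFD_DOWN = re.compile(
    r"Sess\[([0-9A-Fa-f:.]+)/([0-9A-Fa-f:.]+),.*Sta: UP->DOWN, Diag: (\d+)")
BGP_DROP = re.compile(r"^(\S+) state is changed from ESTABLISHED to IDLE")


def parse(log):
    """Return time-ordered (timestamp, host, kind, peer, diag) events."""
    events = []
    for line in log.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        mon, day, hms, ms, year, host, mnemonic, body = m.groups()
        ts = datetime.strptime(f"{mon} {day} {hms} {year}", "%b %d %H:%M:%S %Y")
        ts += timedelta(milliseconds=int(ms))
        if mnemonic == "BFD_CHANGE_FSM" and (b := BFD_DOWN.search(body)):
            # RFC 5880 diagnostic 1 means "Control Detection Time Expired".
            events.append((ts, host, "bfd_down", b.group(2), int(b.group(3))))
        elif mnemonic == "BGP_STATE_CHANGED" and (g := BGP_DROP.match(body)):
            events.append((ts, host, "bgp_drop", g.group(1), None))
    return sorted(events, key=lambda e: e[0])


def correlate(log, window_ms=1000):
    """Return (host, peer, verdict, delay_ms, bfd_diag) per BGP session drop."""
    events = parse(log)
    window = timedelta(milliseconds=window_ms)
    report = []
    for ts, host, kind, peer, _ in events:
        if kind != "bgp_drop":
            continue
        causes = [e for e in events
                  if e[2] == "bfd_down" and e[1] == host and e[3] == peer
                  and timedelta(0) <= ts - e[0] <= window]
        if causes:
            latest = causes[-1]
            delay = int((ts - latest[0]) / timedelta(milliseconds=1))
            report.append((host, peer, "bfd-triggered", delay, latest[4]))
        else:
            report.append((host, peer, "no-bfd-cause", None, None))
    return report


if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG):
        print(row)
```
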
    Troubleshooting IPv6 BGP configuration 
    IPv6 BGP peer relationship not established 
    Symptom 
    Display BGP peer information by using the display bgp ipv6 peer command. The state of the connection
    to the peer cannot become established.
    Analysis 
    To become IPv6 BGP peers, any two routers must establish a TCP session using port 179 and exchange 
    open messages successfully. 
    Processing steps 
    1. Use the display current-configuration command to check that the peer’s AS number is correct.
    2. Use the display bgp ipv6 peer command to check that the peer’s IPv6 address is correct.
    3. If a loopback interface is used, check that the loopback interface is specified with the peer
    connect-interface command.
    4. If the peer is not directly connected, check that the peer ebgp-max-hop command is configured.
    5. Check that a valid route to the peer is available.
    6. Use the ping command to check the connectivity to the peer.
    7. Use the display tcp ipv6 status command to check the TCP connection.
    8. Check whether an ACL for disabling TCP port 179 is configured.
    Configuring routing policies 
    Hardware compatibility 
    The HP 5500 SI Switch Series does not support OSPF, BGP, IS-IS, OSPFv3, IPv6 BGP, IPv6 IS-IS, or FRR.
    Introduction to routing policy 
    Routing policies are used to receive, advertise, and redistribute only specific routes and modify the 
    attributes of some routes. 
    Routing policy in this chapter involves both IPv4 routing policy and IPv6 routing policy. 
    A routing policy is used to filter routes when they are received, advertised, or redistributed and modify 
    the attributes of some routes. 
    Routing policy application 
    A routing policy has the following applications: 
    •   Filters advertised routes. 
    •   Filters received routes. 
    •   Filters redistributed routes. 
    •   Modifies or sets the attributes of some routes. 
    Routing policy implementation 
    To configure a routing policy, you must do the following:  
    1. Define some filters based on the attributes of routing information, such as destination address, and
    the advertising router's address.
    2. Apply the filters to the routing policy.
    You can use multiple filters to define match criteria. For detailed information, see Filters.
    Filters 
    You can use the following types of filters: ACL, IP prefix list, AS path ACL, community list, extended 
    community list, and routing policy. 
    ACL 
    ACL involves IPv4 ACL and IPv6 ACL. An ACL is configured to match the destinations or next hops of 
    routing information. 
    For more information about ACL, see ACL and QoS Configuration Guide.
    IP prefix list 
    IP prefix list involves IPv4 prefix list and IPv6 prefix list.