HP 5500 Ei 5500 Si Switch Series Configuration Guide
4. Set the maximum response delay for MLD general queries.
   Command: mld-snooping max-response-time interval
   Remarks: 10 seconds by default
5. Set the MLD last-member query interval.
   Command: mld-snooping last-listener-query-interval interval
   Remarks: 1 second by default

Configuring the source IPv6 addresses for MLD queries

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter VLAN view.
   Command: vlan vlan-id
   Remarks: N/A
3. Configure the source IPv6 address of MLD general queries.
   Command: mld-snooping general-query source-ip { ipv6-address | current-interface }
   Remarks: FE80::02FF:FFFF:FE00:0001 by default
4. Configure the source IPv6 address of MLD multicast-address-specific queries.
   Command: mld-snooping special-query source-ip { ipv6-address | current-interface }
   Remarks: FE80::02FF:FFFF:FE00:0001 by default

IMPORTANT: The source IPv6 address of MLD query messages might affect MLD querier election within the subnet.

Configuring MLD snooping proxying

Configuration prerequisites

Before you configure MLD snooping proxying in a VLAN, complete the following tasks:
• Enable MLD snooping in the VLAN.
• Determine the source IPv6 address for the MLD reports sent by the proxy.
• Determine the source IPv6 address for the MLD done messages sent by the proxy.

Enabling MLD snooping proxying

The MLD snooping proxying function works on a per-VLAN basis. After you enable the function in a VLAN, the device works as the MLD snooping proxy for the downstream hosts and upstream router in the VLAN.

To enable MLD snooping proxying in a VLAN:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter VLAN view.
   Command: vlan vlan-id
   Remarks: N/A
3. Enable MLD snooping proxying in the VLAN.
   Command: mld-snooping proxying enable
   Remarks: Disabled by default

Configuring the source IPv6 addresses for the MLD messages sent by the proxy

You can set the source IPv6 addresses for the MLD reports and done messages that the MLD snooping proxy sends on behalf of its attached hosts.

To configure the source IPv6 addresses for the MLD messages that the MLD snooping proxy sends in a VLAN:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter VLAN view.
   Command: vlan vlan-id
   Remarks: N/A
3. Configure a source IPv6 address for the MLD reports that the proxy sends.
   Command: mld-snooping report source-ip { ipv6-address | current-interface }
   Remarks: The default is FE80::02FF:FFFF:FE00:0001.
4. Configure a source IPv6 address for the MLD done messages that the proxy sends.
   Command: mld-snooping done source-ip { ipv6-address | current-interface }
   Remarks: The default is FE80::02FF:FFFF:FE00:0001.

Configuring an MLD snooping policy

Configuration prerequisites

Before you configure an MLD snooping policy, complete the following tasks:
• Enable MLD snooping in the VLAN.
• Determine the IPv6 ACL rule for IPv6 multicast group filtering.
• Determine the maximum number of IPv6 multicast groups that a port can join.
• Determine the 802.1p precedence for MLD messages.

Configuring an IPv6 multicast group filter

On an MLD snooping–enabled switch, you can configure an IPv6 multicast group filter to limit multicast programs available to users.

Configuration guidelines

In an application, when a user requests a multicast program, the user's host initiates an MLD report. After receiving this report message, the switch resolves the IPv6 multicast group address in the report and looks up the ACL. If a match is found to permit the port that received the report to join the IPv6 multicast group, the switch creates an MLD snooping forwarding entry for the IPv6 multicast group and adds the port to the forwarding entry. Otherwise, the switch drops this report message, in which case the IPv6 multicast data for the IPv6 multicast group is not sent to this port, and the user cannot retrieve the program.

When you configure a multicast group filter in an IPv6 multicast VLAN, be sure to configure the filter in the sub-VLANs of the IPv6 multicast VLAN. Otherwise, the configuration does not take effect.

In MLDv2, when a host is enabled to join multiple multicast groups, the multicast group filter cannot correctly filter multicast groups because the host that runs MLDv2 sends multiple multicast groups that it wants to join in one membership report.

Configuration procedure

To configure an IPv6 multicast group filter globally:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter MLD-snooping view.
   Command: mld-snooping
   Remarks: N/A
3. Configure an IPv6 multicast group filter.
   Command: group-policy acl6-number [ vlan vlan-list ]
   Remarks: By default, no IPv6 group filter is globally configured. That is, the hosts in a VLAN can join any valid multicast group.

To configure an IPv6 multicast group filter for a port:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter Layer 2 Ethernet interface view, Layer 2 aggregate interface view, or port group view.
   Command:
   • Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks: Use either command.
3. Configure an IPv6 multicast group filter.
   Command: mld-snooping group-policy acl6-number [ vlan vlan-list ]
   Remarks: By default, no IPv6 group filter is configured on an interface. That is, the hosts on the interface can join any valid multicast group.

Configuring IPv6 multicast source port filtering

When the IPv6 multicast source port filtering feature is enabled on a port, the port can connect only to IPv6 multicast receivers rather than multicast sources. The reason is that the port blocks all IPv6 multicast data packets but permits multicast protocol packets to pass.

If this feature is disabled on a port, the port can connect to both multicast sources and IPv6 multicast receivers.

Configuring IPv6 multicast source port filtering globally

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter MLD-snooping view.
   Command: mld-snooping
   Remarks: N/A
3. Enable IPv6 multicast source port filtering.
   Command: source-deny port interface-list
   Remarks: Disabled by default

Configuring IPv6 multicast source port filtering for a port

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter Layer 2 Ethernet interface view, or port group view.
   Command:
   • Enter Layer 2 Ethernet interface view: interface interface-type interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks: Use either command.
3. Enable IPv6 multicast source port filtering.
   Command: mld-snooping source-deny
   Remarks: Disabled by default.

NOTE: Some models of devices, when enabled to filter IPv6 multicast data based on the source ports, are automatically enabled to filter IPv4 multicast data based on the source ports.

Enabling dropping unknown IPv6 multicast data

Configuration guidelines

Unknown IPv6 multicast data refers to IPv6 multicast data for which no entries exist in the MLD snooping forwarding table. When the switch receives such IPv6 multicast traffic, one of the following occurs:
• When the function of dropping unknown IPv6 multicast data is disabled, the switch floods unknown IPv6 multicast data in the VLAN to which the unknown IPv6 multicast data belongs.
• When the function of dropping unknown IPv6 multicast data is enabled, the switch forwards unknown multicast data to its router ports instead of flooding it in the VLAN. If no router ports exist, the switch drops the unknown multicast data.

Configuration procedure

To enable dropping unknown IPv6 multicast data in a VLAN:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter VLAN view.
   Command: vlan vlan-id
   Remarks: N/A
3. Enable dropping unknown IPv6 multicast data.
   Command: mld-snooping drop-unknown
   Remarks: Disabled by default
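The MLDv2 limitation noted under "Configuring an IPv6 multicast group filter" follows from the message formats: an MLDv1 report carries one group address, while an MLDv2 report carries a list of records. The following is an added example, not code from the HP guide; it extracts every group from a captured report so each can be compared with the groups the filter is meant to permit. The permitted list is a simplified stand-in for the IPv6 ACL, and FF1E::202 and the sample messages are constructed.

```python
import ipaddress
import struct

MLDV1_REPORT = 131  # ICMPv6 type, RFC 2710
MLDV2_REPORT = 143  # ICMPv6 type, RFC 3810

def groups_in_report(icmp6: bytes) -> list:
    """Return every IPv6 multicast group named in one MLD report."""
    if len(icmp6) < 8:
        raise ValueError("truncated MLD message")
    if icmp6[0] == MLDV1_REPORT:
        # MLDv1: 8-byte header, then exactly one 16-byte group address.
        if len(icmp6) < 24:
            raise ValueError("truncated MLDv1 report")
        return [ipaddress.IPv6Address(icmp6[8:24])]
    if icmp6[0] == MLDV2_REPORT:
        # MLDv2: record count at offset 6, then variable-length records.
        (count,) = struct.unpack_from("!H", icmp6, 6)
        groups, off = [], 8
        for _ in range(count):
            if off + 20 > len(icmp6):
                raise ValueError("truncated MLDv2 record")
            _rtype, aux_len, n_src = struct.unpack_from("!BBH", icmp6, off)
            groups.append(ipaddress.IPv6Address(icmp6[off + 4:off + 20]))
            # Skip the source list (16 bytes each) and auxiliary data (4-byte words).
            off += 20 + 16 * n_src + 4 * aux_len
        if off > len(icmp6):
            raise ValueError("MLDv2 record overruns the message")
        return groups
    raise ValueError(f"not an MLD report (ICMPv6 type {icmp6[0]})")

def groups_outside_filter(icmp6: bytes, permitted: list) -> list:
    """Groups requested by the report that the permitted list does not cover."""
    allowed = {ipaddress.IPv6Address(g) for g in permitted}
    return [g for g in groups_in_report(icmp6) if g not in allowed]

# Constructed sample messages (checksum left at 0; it is not verified here).
def build_v1_report(group: str) -> bytes:
    header = struct.pack("!BBHHH", MLDV1_REPORT, 0, 0, 0, 0)
    return header + ipaddress.IPv6Address(group).packed

def build_v2_report(groups: list) -> bytes:
    msg = struct.pack("!BBHHH", MLDV2_REPORT, 0, 0, 0, len(groups))
    for g in groups:
        # Record type 4 = CHANGE_TO_EXCLUDE_MODE with no sources (a plain join).
        msg += struct.pack("!BBH", 4, 0, 0) + ipaddress.IPv6Address(g).packed
    return msg

if __name__ == "__main__":
    permitted = ["ff1e::101"]
    samples = (build_v1_report("ff1e::101"),
               build_v2_report(["ff1e::101", "ff1e::202"]))
    for msg in samples:
        print(groups_in_report(msg), "->", groups_outside_filter(msg, permitted))
```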
Configuring MLD report suppression

Configuration guidelines

When a Layer 2 switch receives an MLD report from an IPv6 multicast group member, the Layer 2 switch forwards the message to the Layer 3 device that directly connects to the Layer 2 switch. When multiple members of an IPv6 multicast group are attached to the Layer 2 switch, the Layer 3 device might receive duplicate MLD reports for the IPv6 multicast group from these members.

With the MLD report suppression function enabled, within a query interval, the Layer 2 switch forwards only the first MLD report for the IPv6 multicast group to the Layer 3 device. It does not forward subsequent MLD reports for the same IPv6 multicast group to the Layer 3 device. This helps reduce the number of packets being transmitted over the network.

On an MLD snooping proxy, MLD reports for an IPv6 multicast group from downstream hosts are suppressed if the forwarding entry for the multicast group exists on the proxy, whether the suppression function is enabled or not.

Configuration procedure

To configure MLD report suppression:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter MLD-snooping view.
   Command: mld-snooping
   Remarks: N/A
3. Enable MLD report suppression.
   Command: report-aggregation
   Remarks: Enabled by default

Setting the maximum number of multicast groups that a port can join

You can set the maximum number of IPv6 multicast groups that a port can join to regulate the traffic on the port.

When you configure this maximum number, if the number of IPv6 multicast groups the port has joined exceeds the configured maximum value, the system deletes all the forwarding entries for the port from the MLD snooping forwarding table, and the hosts on this port join IPv6 multicast groups again until the number of IPv6 multicast groups that the port joins reaches the maximum value. When the port joins an IPv6 multicast group, if the port has been configured as a static member port, the system applies the configurations to the port again. If you have configured simulated joining on the port, the system establishes the corresponding forwarding entry for the port after receiving a report from the simulated member host.

To configure the maximum number of IPv6 multicast groups that a port can join:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter Layer 2 Ethernet interface view, Layer 2 aggregate interface view, or port group view.
   Command:
   • Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks: Use either command.
3. Set the maximum number of IPv6 multicast groups that a port can join.
   Command: mld-snooping group-limit limit [ vlan vlan-list ]
   Remarks: 1000 by default.

Enabling IPv6 multicast group replacement

For various reasons, the number of IPv6 multicast groups that a switch or a port can join might exceed the upper limit. In addition, in some specific applications, an IPv6 multicast group that the switch newly joins must replace an existing IPv6 multicast group automatically. A typical example is channel switching. To view a new TV channel, a user switches from the current IPv6 multicast group to the new one.

To realize such requirements, you can enable the IPv6 multicast group replacement function on the switch or on a certain port. When the number of IPv6 multicast groups that the switch or the port has joined reaches the limit, one of the following occurs:
• If the IPv6 multicast group replacement feature is disabled, new MLD reports are automatically discarded.
• If the IPv6 multicast group replacement feature is enabled, the IPv6 multicast group that the switch or the port newly joins automatically replaces an existing IPv6 multicast group that has the lowest IPv6 address.

IMPORTANT: Be sure to configure the maximum number of IPv6 multicast groups allowed on a port (see "Setting the maximum number of multicast groups that a port can join") before enabling IPv6 multicast group replacement. Otherwise, the IPv6 multicast group replacement functionality will not take effect.

Enabling IPv6 multicast group replacement globally

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter MLD-snooping view.
   Command: mld-snooping
   Remarks: N/A
3. Enable IPv6 multicast group replacement.
   Command: overflow-replace [ vlan vlan-list ]
   Remarks: Disabled by default

Enabling IPv6 multicast group replacement for a port

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter Layer 2 Ethernet interface view, Layer 2 aggregate interface view, or port group view.
   Command:
   • Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks: Use either command.
3. Enable IPv6 multicast group replacement.
   Command: mld-snooping overflow-replace [ vlan vlan-list ]
   Remarks: Disabled by default.

Setting the 802.1p precedence for MLD messages

You can change the 802.1p precedence of MLD messages so that they can be assigned higher forwarding priority when congestion occurs on their outgoing ports.

Setting the 802.1p precedence for MLD messages globally

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter MLD-snooping view.
   Command: mld-snooping
   Remarks: N/A
3. Set the 802.1p precedence for MLD messages.
   Command: dot1p-priority priority-number
   Remarks: The default 802.1p precedence for MLD messages is 0.

Setting the 802.1p precedence for MLD messages in a VLAN

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter VLAN view.
   Command: vlan vlan-id
   Remarks: N/A
3. Set the 802.1p precedence for MLD messages.
   Command: mld-snooping dot1p-priority priority-number
   Remarks: The default 802.1p precedence for MLD messages is 0.

Configuring an IPv6 multicast user control policy

IPv6 multicast user control policies are configured on access switches to allow only authorized users to receive requested IPv6 multicast data. This helps restrict users from ordering certain multicast-on-demand programs.

Configuration guidelines

In practice, a device first needs to perform authentication (for example, 802.1X authentication) for the connected hosts through a RADIUS server. Then, the device uses the configured multicast user control policy to perform multicast access control for authenticated users as follows.
• After receiving an MLD report from a host, the access switch matches the IPv6 multicast group address and multicast source address carried in the report with the configured policies. If a match is found, the user is allowed to join the multicast group. Otherwise, the join report is dropped by the access switch.
• After receiving a done message from a host, the access switch matches the IPv6 multicast group address and source address against the policies. If a match is found, the host is allowed to leave the group. Otherwise, the done message is dropped by the access switch.

An IPv6 multicast user control policy is functionally similar to an IPv6 multicast group filter. A difference lies in that a control policy can control both multicast joining and leaving of users based on authentication and authorization, but a multicast group filter is configured on a port to control only multicast joining but not leaving of users without authentication or authorization.

Configuration procedure

To configure a multicast user control policy:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a user profile and enter its view.
   Command: user-profile profile-name
   Remarks: N/A
3. Configure a multicast user control policy.
   Command: mld-snooping access-policy acl6-number
   Remarks: No policy is configured by default. That is, a host can join or leave a valid multicast group at any time.
4. Return to system view.
   Command: quit
   Remarks: N/A
5. Enable the created user profile.
   Command: user-profile profile-name enable
   Remarks: Not enabled by default.

For more information about the user-profile and user-profile enable commands, see Security Command Reference.

Enabling the MLD snooping host tracking function

With the MLD snooping host tracking function, the switch can record the information of the member hosts that are receiving IPv6 multicast traffic, including the host IPv6 address, running duration, and timeout time. You can monitor and manage the member hosts according to the recorded information.

Enabling the MLD snooping host tracking function globally

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter MLD-snooping view.
   Command: mld-snooping
   Remarks: N/A
3. Enable the MLD snooping host tracking function globally.
   Command: host-tracking
   Remarks: Disabled by default

Enabling the MLD snooping host tracking function in a VLAN

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter VLAN view.
   Command: vlan vlan-id
   Remarks: N/A
3. Enable the MLD snooping host tracking function in the VLAN.
   Command: mld-snooping host-tracking
   Remarks: Disabled by default

Setting the DSCP value for MLD messages

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter MLD-snooping view.
   Command: mld-snooping
   Remarks: N/A
3. Set the DSCP value for MLD messages.
   Command: dscp dscp-value
   Remarks: By default, the DSCP value in MLD messages is 48.

NOTE: This configuration applies only to the MLD messages that the local switch generates, not to those it forwards.

Displaying and maintaining MLD snooping

• Display MLD snooping group information.
  Command: display mld-snooping group [ vlan vlan-id ] [ slot slot-number ] [ verbose ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
• Display information about the hosts tracked by MLD snooping.
  Command: display mld-snooping host vlan vlan-id group ipv6-group-address [ source ipv6-source-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
• Display IPv6 static multicast MAC address entries.
  Command: display mac-address [ mac-address [ vlan vlan-id ] | [ multicast ] [ vlan vlan-id ] [ count ] ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in user view
• Display statistics for the MLD messages learned through MLD snooping.
  Command: display mld-snooping statistics [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
• Remove dynamic group entries of a specified MLD snooping group or all MLD snooping groups.
  Command: reset mld-snooping group { ipv6-group-address | all } [ vlan vlan-id ]
  Remarks: Available in user view
• Clear statistics for the MLD messages learned through MLD snooping.
  Command: reset mld-snooping statistics
  Remarks: Available in user view
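Several of the controls in this section are off or unrestricted by default (no group filter, source port filtering disabled, unknown multicast flooded, a group limit of 1000). The following added example, which is not part of the HP guide, reads a saved configuration and lists the ports and VLANs where those defaults still apply. It assumes the layout of display current-configuration output (view headers unindented, sub-commands indented, "#" between views), uses a constructed sample, and checks only the per-port and per-VLAN command forms, not the global forms entered in MLD-snooping view.

```python
# Per-port and per-VLAN commands from this section, with their documented defaults.
PORT_CHECKS = {
    "mld-snooping group-policy": "no IPv6 multicast group filter",
    "mld-snooping source-deny": "IPv6 multicast source port filtering disabled",
    "mld-snooping group-limit": "group limit left at the default of 1000",
}
VLAN_CHECKS = {
    "mld-snooping drop-unknown": "unknown IPv6 multicast data is flooded",
}

def parse_views(config: str) -> dict:
    """Map each view header (for example 'vlan 100') to its sub-commands."""
    views, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "#":
            current = None                      # separator ends the view
        elif not line.startswith(" "):
            current = line.strip()              # unindented line opens a view
            views.setdefault(current, [])
        elif current is not None:
            views[current].append(line.strip())
    return views

def _missing(cmds: list, checks: dict) -> list:
    """Notes for every checked command that does not appear in cmds."""
    return [note for prefix, note in checks.items()
            if not any(c == prefix or c.startswith(prefix + " ") for c in cmds)]

def defaults_in_effect(config: str, ports: list, vlans: list) -> dict:
    """Return {view: [notes]} for ports and VLANs still using defaults."""
    views = parse_views(config)
    report = {}
    for port in ports:
        notes = _missing(views.get(f"interface {port}", []), PORT_CHECKS)
        if notes:
            report[f"interface {port}"] = notes
    for vlan in vlans:
        notes = _missing(views.get(f"vlan {vlan}", []), VLAN_CHECKS)
        if notes:
            report[f"vlan {vlan}"] = notes
    return report

# Constructed sample configuration (ACL number, VLANs and ports are illustrative).
SAMPLE_CONFIG = """\
#
vlan 100
 mld-snooping enable
 mld-snooping drop-unknown
#
vlan 200
 mld-snooping enable
#
interface GigabitEthernet1/0/3
 port access vlan 100
 mld-snooping group-policy 2001 vlan 100
 mld-snooping source-deny
 mld-snooping group-limit 8 vlan 100
#
interface GigabitEthernet1/0/4
 port access vlan 100
 mld-snooping group-policy 2001 vlan 100
#
"""
```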
NOTE:
• The reset mld-snooping group command works only on an MLD snooping–enabled VLAN, but not in a VLAN with MLD enabled on its VLAN interface.
• The reset mld-snooping group command cannot remove the static group entries of MLD snooping groups.

For more information about the display mac-address multicast command, see IP Multicast Command Reference.

MLD snooping configuration examples

IPv6 group policy and simulated joining configuration example

Network requirements

As shown in Figure 68, MLDv1 runs on Router A, MLDv1 snooping is required on Switch A, and Router A acts as the MLD querier on the subnet.

The receivers, Host A and Host B, can receive IPv6 multicast traffic addressed to IPv6 multicast group FF1E::101 only.

IPv6 multicast data for group FF1E::101 can be forwarded through GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 of Switch A even if Host A and Host B accidentally, temporarily stop receiving IPv6 multicast data, and Switch A drops unknown IPv6 multicast data and does not broadcast the data to the VLAN where Switch A resides.

Figure 68 Network diagram

Configuration procedure

1. Enable IPv6 forwarding and configure IPv6 addresses:
   Enable IPv6 forwarding and configure an IPv6 address and prefix length for each interface as per Figure 68. (Details not shown.)
2. Configure Router A: