HP 5500 Ei 5500 Si Switch Series Configuration Guide
Configuration procedures

1. Configure IP addresses for interfaces:

Enable IPv6 forwarding and configure an IP address and prefix length for each interface as per Figure 72. (Details not shown.)

2. Configure Switch A:

# Create VLAN 101 through VLAN 104 and assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to the four VLANs respectively.
<SwitchA> system-view
[SwitchA] vlan 101
[SwitchA-vlan101] port gigabitethernet 1/0/1
[SwitchA-vlan101] quit
[SwitchA] vlan 102
[SwitchA-vlan102] port gigabitethernet 1/0/2
[SwitchA-vlan102] quit
[SwitchA] vlan 103
[SwitchA-vlan103] port gigabitethernet 1/0/3
[SwitchA-vlan103] quit
[SwitchA] vlan 104
[SwitchA-vlan104] port gigabitethernet 1/0/4
[SwitchA-vlan104] quit

# Enable IPv6 multicast routing. Enable IPv6 PIM-DM on VLAN-interface 101, VLAN-interface 102 and VLAN-interface 104, and enable MLD on VLAN-interface 104.
[SwitchA] multicast ipv6 routing-enable
[SwitchA] interface vlan-interface 101
[SwitchA-Vlan-interface101] pim ipv6 dm
[SwitchA-Vlan-interface101] quit
[SwitchA] interface vlan-interface 102
[SwitchA-Vlan-interface102] pim ipv6 dm
[SwitchA-Vlan-interface102] quit
[SwitchA] interface vlan-interface 104
[SwitchA-Vlan-interface104] pim ipv6 dm
[SwitchA-Vlan-interface104] mld enable
[SwitchA-Vlan-interface104] quit

# Create a multicast source control policy, policy1, so that multicast flows from Source 2 to FF1E::101 will be blocked.
[SwitchA] acl ipv6 number 3001
[SwitchA-acl6-adv-3001] rule permit udp source 2::1 128 destination ff1e::101 128
[SwitchA-acl6-adv-3001] quit
[SwitchA] traffic classifier classifier1
[SwitchA-classifier-classifier1] if-match acl ipv6 3001
[SwitchA-classifier-classifier1] quit
[SwitchA] traffic behavior behavior1
[SwitchA-behavior-behavior1] filter deny
[SwitchA-behavior-behavior1] quit
[SwitchA] qos policy policy1
[SwitchA-qospolicy-policy1] classifier classifier1 behavior behavior1
[SwitchA-qospolicy-policy1] quit

# Create a user profile, apply policy1 to the inbound direction of GE 1/0/2 in user profile view, and enable the user profile.
[SwitchA] user-profile profile1
[SwitchA-user-profile-profile1] qos apply policy policy1 inbound
[SwitchA-user-profile-profile1] quit
[SwitchA] user-profile profile1 enable

# Create RADIUS scheme scheme1; set the service type for the RADIUS server to extended; specify the IP addresses of the primary authentication/authorization server and accounting server as 3::1; set the shared keys to 123321; specify that no domain name is carried in a username sent to the RADIUS server.
[SwitchA] radius scheme scheme1
[SwitchA-radius-scheme1] server-type extended
[SwitchA-radius-scheme1] primary authentication 3::1
[SwitchA-radius-scheme1] key authentication 123321
[SwitchA-radius-scheme1] primary accounting 3::1
[SwitchA-radius-scheme1] key accounting 123321
[SwitchA-radius-scheme1] user-name-format without-domain
[SwitchA-radius-scheme1] quit

# Create an ISP domain domain1; reference scheme1 for the authentication, authorization, and accounting for LAN users; specify domain1 as the default ISP domain.
[SwitchA] domain domain1
[SwitchA-isp-domain1] authentication lan-access radius-scheme scheme1
[SwitchA-isp-domain1] authorization lan-access radius-scheme scheme1
[SwitchA-isp-domain1] accounting lan-access radius-scheme scheme1
[SwitchA-isp-domain1] quit
[SwitchA] domain default enable domain1

# Globally enable 802.1X and then enable it on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
[SwitchA] dot1x
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] dot1x
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] dot1x
[SwitchA-GigabitEthernet1/0/2] quit

3. Configure Switch B:

# Globally enable MLD snooping.
<SwitchB> system-view
[SwitchB] mld-snooping
[SwitchB-mld-snooping] quit

# Create VLAN 104, assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to this VLAN, and enable MLD snooping in this VLAN.
[SwitchB] vlan 104
[SwitchB-vlan104] port gigabitethernet 1/0/1 to gigabitethernet 1/0/3
[SwitchB-vlan104] mld-snooping enable
[SwitchB-vlan104] quit

# Create a user profile profile2 and configure the user profile so that users can join or leave only one IPv6 multicast group, FF1E::101. Then, enable the user profile.
[SwitchB] acl ipv6 number 2001
[SwitchB-acl6-basic-2001] rule permit source ff1e::101 128
[SwitchB-acl6-basic-2001] quit
[SwitchB] user-profile profile2
[SwitchB-user-profile-profile2] mld-snooping access-policy 2001
[SwitchB-user-profile-profile2] quit
[SwitchB] user-profile profile2 enable

# Create a RADIUS scheme scheme2; set the service type for the RADIUS server to extended; specify the IP addresses of the primary authentication/authorization server and accounting server as 3::1; set the shared keys to 321123; specify that a username sent to the RADIUS server carries no domain name.
[SwitchB] radius scheme scheme2
[SwitchB-radius-scheme2] server-type extended
[SwitchB-radius-scheme2] primary authentication 3::1
[SwitchB-radius-scheme2] key authentication 321123
[SwitchB-radius-scheme2] primary accounting 3::1
[SwitchB-radius-scheme2] key accounting 321123
[SwitchB-radius-scheme2] user-name-format without-domain
[SwitchB-radius-scheme2] quit

# Create an ISP domain domain2; reference scheme2 for the authentication, authorization, and accounting for LAN users; specify domain2 as the default ISP domain.
[SwitchB] domain domain2
[SwitchB-isp-domain2] authentication lan-access radius-scheme scheme2
[SwitchB-isp-domain2] authorization lan-access radius-scheme scheme2
[SwitchB-isp-domain2] accounting lan-access radius-scheme scheme2
[SwitchB-isp-domain2] quit
[SwitchB] domain default enable domain2

# Globally enable 802.1X and then enable it on GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3.
[SwitchB] dot1x
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] dot1x
[SwitchB-GigabitEthernet1/0/2] quit
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] dot1x
[SwitchB-GigabitEthernet1/0/3] quit

4. Configure RADIUS server:

On the RADIUS server, configure the parameters related to Switch A and Switch B. For more information, see the configuration guide of the RADIUS server.

5. Verify the configuration:

After the configurations, the two multicast sources and hosts initiate 802.1X authentication. After passing the authentication, Source 1 sends multicast flows to FF1E::101 and Source 2 sends multicast flows to FF1E::102; Host A sends report messages to join IPv6 multicast groups FF1E::101 and FF1E::102. Use the display mld-snooping group command to display information about MLD snooping groups. For example:

# Display information about MLD snooping groups in VLAN 104 on Switch B.
[SwitchB] display mld-snooping group vlan 104 verbose
  Total 1 IP Group(s).
  Total 1 IP Source(s).
  Total 1 MAC Group(s).

  Port flags: D-Dynamic port, S-Static port, C-Copy port, P-PIM port
  Subvlan flags: R-Real VLAN, C-Copy VLAN
  Vlan(id):104.
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Router port(s):total 1 port(s).
            GE1/0/1                (D) ( 00:01:30 )
    IP group(s):the following ip group(s) match to one mac group.
      IP group address:FF1E::101
        (::, FF1E::101):
          Attribute:    Host Port
          Host port(s):total 1 port(s).
            GE1/0/3                (D) ( 00:04:10 )
    MAC group(s):
      MAC group address:3333-0000-0101
          Host port(s):total 1 port(s).
            GE1/0/3

The output shows that GigabitEthernet 1/0/3 on Switch B has joined FF1E::101 but not FF1E::102.

Assume that Source 2 starts sending multicast traffic to FF1E::101. Use the display multicast ipv6 forwarding-table command to display the IPv6 multicast forwarding table information.

# Display the information about FF1E::101 in the IPv6 multicast forwarding table on Switch A.
[SwitchA] display multicast ipv6 forwarding-table ff1e::101
IPv6 Multicast Forwarding Table
Total 1 entry

Total 1 entry matched

00001. (1::1, FF1E::101)
     MID: 0, Flags: 0x0:0
     Uptime: 00:08:32, Timeout in: 00:03:26
     Incoming interface: Vlan-interface101
     List of 1 outgoing interfaces:
       1: Vlan-interface104
     Matched 19648 packets(20512512 bytes), Wrong If 0 packets
     Forwarded 19648 packets(20512512 bytes)

The output shows that Switch A maintains a multicast forwarding entry for multicast packets from Source 1 to FF1E::101. No forwarding entry exists for packets from Source 2 to FF1E::101, which indicates that IPv6 multicast packets from Source 2 are blocked.
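
The verification step above can be automated. The following Python script is an added example, not part of the HP guide: it parses the display mld-snooping group verbose output shown above and reports any host port that has joined a group outside the list permitted by ACL 2001. The function names are hypothetical, and the indentation of the sample text is reconstructed.

```python
import ipaddress
import re

# "display mld-snooping group vlan 104 verbose" output copied from this guide
# (indentation reconstructed; the parser ignores leading whitespace).
SAMPLE_OUTPUT = """\
 Total 1 IP Group(s).
 Total 1 IP Source(s).
 Total 1 MAC Group(s).
 Port flags: D-Dynamic port, S-Static port, C-Copy port, P-PIM port
 Subvlan flags: R-Real VLAN, C-Copy VLAN
 Vlan(id):104.
   Total 1 IP Group(s).
   Total 1 IP Source(s).
   Total 1 MAC Group(s).
   Router port(s):total 1 port(s).
     GE1/0/1 (D) ( 00:01:30 )
   IP group(s):the following ip group(s) match to one mac group.
     IP group address:FF1E::101
       (::, FF1E::101):
         Attribute: Host Port
         Host port(s):total 1 port(s).
           GE1/0/3 (D) ( 00:04:10 )
   MAC group(s):
     MAC group address:3333-0000-0101
         Host port(s):total 1 port(s).
           GE1/0/3
"""

def host_ports_by_group(output):
    """Map (vlan, IPv6 group) to the set of host ports that joined it."""
    joined, vlan, group = {}, None, None
    for line in output.splitlines():
        line = line.strip()
        if m := re.match(r"Vlan\(id\):(\d+)", line):
            vlan, group = int(m.group(1)), None
        elif m := re.match(r"IP group address:(\S+)", line):
            group = ipaddress.IPv6Address(m.group(1))
        elif line.startswith(("MAC group", "Router port")):
            group = None          # ports listed next are not IP-group host ports
        elif group is not None and (m := re.match(r"([A-Za-z]+\d+(?:/\d+)*)", line)):
            joined.setdefault((vlan, group), set()).add(m.group(1))
    return joined

def policy_violations(output, allowed_groups):
    """Return the memberships whose group is not in allowed_groups."""
    allowed = {ipaddress.IPv6Address(g) for g in allowed_groups}
    return {key: ports for key, ports in host_ports_by_group(output).items()
            if key[1] not in allowed}

if __name__ == "__main__":
    print(policy_violations(SAMPLE_OUTPUT, ["ff1e::101"]))
    # Constructed failure case: the same port shown as joined to FF1E::102.
    constructed = SAMPLE_OUTPUT.replace("::101", "::102")
    print(policy_violations(constructed, ["ff1e::101"]))
```

Addresses are compared as parsed IPv6 values, so FF1E::101 in the output matches ff1e::101 in the allow-list.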

Troubleshooting MLD snooping

Layer 2 multicast forwarding cannot function

Symptom
Layer 2 multicast forwarding cannot function.

Analysis
MLD snooping is not enabled.

Solution
1. Use the display current-configuration command to display the running status of MLD snooping.
2. If MLD snooping is not enabled, use the mld-snooping command to enable MLD snooping globally, and then use the mld-snooping enable command to enable MLD snooping in VLAN view.
3. If MLD snooping is disabled only for the corresponding VLAN, use the mld-snooping enable command in VLAN view to enable MLD snooping in the corresponding VLAN.

Configured IPv6 multicast group policy fails to take effect

Symptom
Although an IPv6 multicast group policy has been configured to allow hosts to join specific IPv6 multicast groups, the hosts can still receive IPv6 multicast data addressed to other groups.

Analysis
• The IPv6 ACL rule is incorrectly configured.
• The IPv6 multicast group policy is not correctly applied.
• The function of dropping unknown IPv6 multicast data is not enabled, so unknown IPv6 multicast data is flooded.

Solution
1. Use the display acl ipv6 command to check the configured IPv6 ACL rule. Make sure that the IPv6 ACL rule conforms to the IPv6 multicast group policy to be implemented.
2. Use the display this command in MLD-snooping view or the corresponding interface view to verify that the correct IPv6 multicast group policy has been applied. If not, use the group-policy or mld-snooping group-policy command to apply the correct IPv6 multicast group policy.
3. Use the display current-configuration command to verify that the function of dropping unknown IPv6 multicast data is enabled. If not, use the drop-unknown or mld-snooping drop-unknown command to enable the function of dropping unknown IPv6 multicast data.

Appendix

Processing of IPv6 multicast protocol messages

With Layer 3 multicast routing enabled, an MLD snooping–enabled switch processes IPv6 multicast protocol messages differently under different conditions, as follows:
1. If only MLD is enabled on the switch, or if both MLD and IPv6 PIM are enabled on the switch, the switch does the following:
   ◦ Maintains dynamic member ports or dynamic router ports according to MLD packets
   ◦ Maintains dynamic router ports according to IPv6 PIM hello packets
2. If only IPv6 PIM is enabled on the switch, the following occurs:
   ◦ The switch broadcasts MLD messages as unknown messages in the VLAN.
   ◦ After receiving an IPv6 PIM hello message, the switch maintains the corresponding dynamic router port.
3. If MLD is disabled on the switch, one of the following occurs:
   ◦ If IPv6 PIM is disabled, the switch deletes all its dynamic member ports and dynamic router ports.
   ◦ If IPv6 PIM is enabled, the switch deletes only its dynamic member ports but not its dynamic router ports.

NOTE: On a switch with Layer-3 IPv6 multicast routing enabled, use the display mld group port-info command to display Layer-2 port information. For more information about the display mld group port-info command, see IP Multicast Command Reference.

4. If IPv6 PIM is disabled on the switch, one of the following occurs:
   ◦ If MLD is disabled, the switch deletes all its dynamic router ports.
   ◦ If MLD is enabled, the switch maintains all its dynamic member ports and dynamic router ports.

Configuring IPv6 PIM snooping

Overview

IPv6 Protocol Independent Multicast (PIM) snooping runs on Layer 2 devices. It determines which ports are interested in multicast data by analyzing the received IPv6 PIM messages, and adds the ports to a multicast forwarding entry to make sure that multicast data can be forwarded to only the ports that are interested in the data.

Figure 73 Multicast packet transmission without or with IPv6 PIM snooping
[Figure panels: IPv6 multicast packet transmission when only MLD snooping runs; IPv6 multicast packet transmission when MLD snooping and IPv6 PIM snooping both run]

As shown in Figure 73, Source 1 sends multicast data to multicast group G1, and Source 2 sends multicast data to multicast group G2. Receiver 1 belongs to G1, and Receiver 2 belongs to G2. The Layer 2 switch’s interfaces that connect to the IPv6 PIM-capable routers are in the same VLAN.

• When running MLD snooping without IPv6 PIM snooping, the Layer 2 switch maintains the router ports according to IPv6 PIM hello messages received from IPv6 PIM-capable routers, broadcasts all other types of received IPv6 PIM messages in the VLAN, and forwards all multicast data to all router ports in the VLAN. Each IPv6 PIM-capable router in the VLAN, whether interested in the multicast data or not, will receive all multicast data and all IPv6 PIM messages except for IPv6 PIM hello messages.
• If the Layer 2 switch runs both MLD snooping and IPv6 PIM snooping, it determines whether an IPv6 PIM-capable router is interested in the multicast data destined for a multicast group according to the received IPv6 PIM messages that the router sends, and adds the port that connects to the router to a multicast forwarding entry. Then, the Layer 2 switch can correctly forward IPv6 PIM messages and the multicast data only to the router according to the multicast forwarding entry, saving network bandwidth.

For more information about MLD snooping and the router port, see Configuring MLD snooping. For more information about IPv6 PIM, see Configuring IPv6 PIM (available only on the HP 5500 EI).

Configuring IPv6 PIM snooping

Configuration guidelines

Before you configure IPv6 PIM snooping for a VLAN, you must enable IPv6 forwarding and MLD snooping globally and enable MLD snooping in the VLAN.

IPv6 PIM snooping does not work in the sub-VLANs of a multicast VLAN. For more information about IPv6 multicast VLAN, see Configuring IPv6 multicast VLANs.

In a network with IPv6 PIM snooping enabled switches, configure the size of each join/prune message to be no more than the path maximum transmission unit (MTU) on the IPv6 PIM-enabled edge router on the receiver side. For more information about the join/prune messages, see Configuring IPv6 PIM (available only on the HP 5500 EI).

After you enable IPv6 PIM snooping in a VLAN, IPv6 PIM snooping works only on the member interfaces of the VLAN.

Configuration procedure

To configure IPv6 PIM snooping:

| Step | Command | Remarks |
|------|---------|---------|
| 1. Enter system view. | system-view | N/A |
| 2. Enable IPv6 forwarding globally. | ipv6 | Disabled by default |
| 3. Enable MLD snooping globally and enter MLD-snooping view. | mld-snooping | Disabled by default |
| 4. Return to system view. | quit | N/A |
| 5. Enter VLAN view. | vlan vlan-id | N/A |
| 6. Enable MLD snooping in the VLAN. | mld-snooping enable | Disabled by default |
| 7. Enable IPv6 PIM snooping in the VLAN. | pim-snooping ipv6 enable | Disabled by default |

For more information about the mld-snooping and mld-snooping enable commands, see IP Multicast Command Reference.
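
The prerequisites in the configuration guidelines and the seven-step procedure above can be checked against a saved configuration before it is deployed. The following Python script is an added example, not part of the HP guide: it lists every VLAN that has pim-snooping ipv6 enable but lacks ipv6, global mld-snooping, or mld-snooping enable in the VLAN. The sample configuration is constructed, its section layout is an assumption, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of a saved Comware configuration
# (assumption: "#" separates sections, view headers start at column 0,
# and commands inside a view or in system view are indented).
SAMPLE_CONFIG = """\
#
 ipv6
#
mld-snooping
#
vlan 100
 mld-snooping enable
 pim-snooping ipv6 enable
#
vlan 200
 pim-snooping ipv6 enable
#
vlan 300
 mld-snooping enable
#
"""

def parse_config(text):
    """Return (system-level commands, {vlan_id: commands in that VLAN view})."""
    system, vlans, view = set(), {}, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if cmd in ("", "#"):                 # section separator
            view = None
        elif not raw.startswith(" "):        # header of a view, e.g. "vlan 100"
            system.add(cmd)
            m = re.fullmatch(r"vlan (\d+)", cmd)
            view = vlans.setdefault(int(m.group(1)), set()) if m else set()
        elif view is None:                   # indented system-view command
            system.add(cmd)
        else:                                # command inside the current view
            view.add(cmd)
    return system, vlans

def audit_pim_snooping(text):
    """Map each VLAN with IPv6 PIM snooping to the prerequisites it lacks."""
    system, vlans = parse_config(text)
    findings = {}
    for vlan_id, cmds in sorted(vlans.items()):
        if "pim-snooping ipv6 enable" not in cmds:
            continue
        missing = []
        if "ipv6" not in system:
            missing.append("ipv6")
        if "mld-snooping" not in system:
            missing.append("mld-snooping")
        if "mld-snooping enable" not in cmds:
            missing.append("mld-snooping enable")
        if missing:
            findings[vlan_id] = missing
    return findings

if __name__ == "__main__":
    for vlan_id, missing in audit_pim_snooping(SAMPLE_CONFIG).items():
        print(f"VLAN {vlan_id}: missing {', '.join(missing)}")
```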

Displaying and maintaining IPv6 PIM snooping

Task: Display IPv6 PIM snooping neighbor information.
Command: display pim-snooping ipv6 neighbor [ vlan vlan-id ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

Task: Display IPv6 PIM snooping routing entries.
Command: display pim-snooping ipv6 routing-table [ vlan vlan-id ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

Task: Display the statistics information of IPv6 PIM messages learned by IPv6 PIM snooping.
Command: display pim-snooping ipv6 statistics [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

Task: Clear the statistics information of IPv6 PIM messages learned by IPv6 PIM snooping.
Command: reset pim-snooping ipv6 statistics
Remarks: Available in user view

IPv6 PIM snooping configuration example

Network requirements

As shown in Figure 74, Source 1 sends multicast data to IPv6 multicast group FF1E::101, and Source 2 sends multicast data to IPv6 multicast group FF2E::101. Receiver 1 belongs to multicast group FF1E::101, and Receiver 2 belongs to multicast group FF2E::101. Router C and Router D run MLD on their interface GigabitEthernet 1/0/1. Router A, Router B, Router C, and Router D run IPv6 PIM-SM, and interface GigabitEthernet 1/0/2 on Router A acts as a C-BSR and C-RP.

Configure MLD snooping and IPv6 PIM snooping on Switch A so that Switch A forwards IPv6 PIM messages and multicast data to only the routers that are interested in the multicast data.

Figure 74 Network diagram

Configuration procedure

1. Enable IPv6 forwarding, and assign IPv6 addresses:

Enable IPv6 forwarding on the devices, configure an IPv6 address and prefix length for each interface according to Figure 74. (Details not shown.)

2. Configure Router A:

# Enable IPv6 multicast routing, enable IPv6 PIM-SM on each interface, and configure interface GigabitEthernet 1/0/2 as a C-BSR and C-RP.
<RouterA> system-view
[RouterA] multicast ipv6 routing-enable
[RouterA] interface gigabitethernet 1/0/1
[RouterA-GigabitEthernet1/0/1] pim ipv6 sm
[RouterA-GigabitEthernet1/0/1] quit
[RouterA] interface gigabitethernet 1/0/2
[RouterA-GigabitEthernet1/0/2] pim ipv6 sm
[RouterA-GigabitEthernet1/0/2] quit
[RouterA] pim ipv6
[RouterA-pim6] c-bsr 1001::1
[RouterA-pim6] c-rp 1001::1

3. Configure Router B:

# Enable IPv6 multicast routing, and enable IPv6 PIM-SM on each interface.
<RouterB> system-view
[RouterB] multicast ipv6 routing-enable
[RouterB] interface gigabitethernet 1/0/1
[RouterB-GigabitEthernet1/0/1] pim ipv6 sm
[RouterB-GigabitEthernet1/0/1] quit
[RouterB] interface gigabitethernet 1/0/2
[RouterB-GigabitEthernet1/0/2] pim ipv6 sm

4. Configure Router C:

# Enable IPv6 multicast routing, enable IPv6 PIM-SM on each interface, and enable MLD on GigabitEthernet 1/0/1.
<RouterC> system-view
[RouterC] multicast ipv6 routing-enable
[RouterC] interface gigabitethernet 1/0/1
[RouterC-GigabitEthernet1/0/1] pim ipv6 sm
[RouterC-GigabitEthernet1/0/1] mld enable
[RouterC-GigabitEthernet1/0/1] quit
[RouterC] interface gigabitethernet 1/0/2
[RouterC-GigabitEthernet1/0/2] pim ipv6 sm

5. Configure Router D:

The configuration on Router D is similar to that on Router C. (Details not shown.)

6. Configure Switch A:

# Enable MLD snooping globally.
<SwitchA> system-view
[SwitchA] mld-snooping
[SwitchA-mld-snooping] quit