HP 5500 Ei 5500 Si Switch Series Configuration Guide
Have a look at the manual HP 5500 Ei 5500 Si Switch Series Configuration Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 1114 HP manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
![Page 2050
385
Packet check principles
Switch B checks ND protocol packets against ND snooping entries and static binding entries; and checks
the IPv6 data packets from the hosts against dynami c binding entries (including ND snooping entries)
applied on the interfaces connected to the hosts an d against static binding entries. The items to be
examined include MAC address, IPv6 address, VLAN information, and ingress port.
Configuration procedure
# Enable SAVI.
system-view
[SwitchB] ipv6 savi strict
#...](http://img.usermanuals.tech/thumb/36/58909/w64_hp-5500-ei-5500-si-switch-series-configuration-guide-2049.png "Page 2050
385
Packet check principles
Switch B checks ND protocol packets against ND snooping entries and static binding entries; and checks
the IPv6 data packets from the hosts against dynami c binding entries (including ND snooping entries)
applied on the interfaces connected to the hosts an d against static binding entries. The items to be
examined include MAC address, IPv6 address, VLAN information, and ingress port.
Configuration procedure
# Enable SAVI.
system-view
[SwitchB] ipv6 savi strict
#...")
![Page 2052
387
binding entries; and checks the IPv6 data packets from the hosts against dynamic binding entries
(including ND snooping entries and DHCPv6 snooping entries) applied on the interfaces connected to
the hosts and against static binding entries. The items to be examined include MAC address, IPv6
address, VLAN information, and ingress port.
Configuration procedure
# Enable SAVI.
system-view
[SwitchB] ipv6 savi strict
# Enable IPv6.
[SwitchB] ipv6
# Enable DHCPv6 snooping.
[SwitchB] ipv6 dhcp...](http://img.usermanuals.tech/thumb/36/58909/w64_hp-5500-ei-5500-si-switch-series-configuration-guide-2051.png "Page 2052
387
binding entries; and checks the IPv6 data packets from the hosts against dynamic binding entries
(including ND snooping entries and DHCPv6 snooping entries) applied on the interfaces connected to
the hosts and against static binding entries. The items to be examined include MAC address, IPv6
address, VLAN information, and ingress port.
Configuration procedure
# Enable SAVI.
system-view
[SwitchB] ipv6 savi strict
# Enable IPv6.
[SwitchB] ipv6
# Enable DHCPv6 snooping.
[SwitchB] ipv6 dhcp...")
![Page 2054
389
Blacklist configuration example
Network requirements
As shown in Figure 143, Ho st A, Host B, and Host C are internal users, and external user Host D is
considered an attacker.
Configure Device to always filter packets from Host D, and to prevent internal users from guessing
passwords.
Figure 143 Network diagram
Configuration procedure
# Assign IP addresses to the interfaces of Device. (Details not shown.)
# Enable the blacklist feature.
system-view
[Device] blacklist enable
#...](http://img.usermanuals.tech/thumb/36/58909/w64_hp-5500-ei-5500-si-switch-series-configuration-guide-2053.png "Page 2054
389
Blacklist configuration example
Network requirements
As shown in Figure 143, Ho st A, Host B, and Host C are internal users, and external user Host D is
considered an attacker.
Configure Device to always filter packets from Host D, and to prevent internal users from guessing
passwords.
Figure 143 Network diagram
Configuration procedure
# Assign IP addresses to the interfaces of Device. (Details not shown.)
# Enable the blacklist feature.
system-view
[Device] blacklist enable
#...")
386 SAVI configuration in DHCPv6+SLAAC address assignment scenario Network requirements Figure 142 Network diagram As shown in Figure 142, Switch B connects to the DHCPv6 server through interface GigabitEthernet 1/0/1 and connects to the DHCPv6 client through interface GigabitEthernet 1/0/3. Host A and Host B access Gateway (Switch A) through Switch B. Interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/5 on Switch B belong to VLAN 2. The hosts can obtain IP addresses through DHCPv6 or SLAAC. Configure SAVI on Switch B to permit only packets from addresses assigned through DHCPv6 and the bound addresses assigned through SLAAC. Configuration considerations Configure Switch B as follows: • Enable SAVI. • Enable DHCPv6 snooping. For more information about DHCPv6 snooping, see Layer 3—IP Services Configuration Guide . • Enable global unicast address ND snooping and link-local address ND snooping. For more information about ND snooping, see Layer 3—IP Services Configuration Guide . • Enable ND detection in VLAN 2 to check the ND packets arrived on the ports. For more information about ND detection, see Configuring ND attack defense . • Configure a static IPv6 source guard binding entry on each interface connected to a host. This step i s o p t io n a l. I f t h i s s te p i s no t p e r fo rm e d, SAV I d o es not check packets against static binding entries. For more information about static IPv6 source guard binding entries, see Configuring IP source guar d . • Configure dynamic IPv6 source guard binding on the interfaces connected to the hosts. For more information about dynamic IPv6 source guard binding, see Configuring IP source guard. Packet check principles Switch B checks DHCPv6 protocol packets from DHCP v6 clients against link-local address ND snooping entries; checks ND protocol packets against ND snooping entries, DHCP v6 snooping entries, and static
387 binding entries; and checks the IPv6 data packets from the hosts against dynamic binding entries (including ND snooping entries and DHCPv6 snooping entries) applied on the interfaces connected to the hosts and against static binding entries. The items to be examined include MAC address, IPv6 address, VLAN information, and ingress port. Configuration procedure # Enable SAVI. system-view [SwitchB] ipv6 savi strict # Enable IPv6. [SwitchB] ipv6 # Enable DHCPv6 snooping. [SwitchB] ipv6 dhcp snooping enable # Assign interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/5 to VLAN 2. [SwitchB] vlan 2 [SwitchB-vlan2] port gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/3 gigabitethernet 1/0/4 gigabitethernet 1/0/5 # Enable DHCPv6 snooping in VLAN 2. [SwitchB-vlan2] ipv6 dhcp snooping vlan enable [SwitchB] quit # Configure interface GigabitEthernet 1/0/1 as a DHCPv6 snooping trusted port. [SwitchB] interface gigabitethernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] ipv6 dhcp snooping trust [SwitchB-GigabitEthernet1/0/1] quit # Enable ND snooping and ND detection. [SwitchB] ipv6 nd snooping enable link-local [SwitchB] ipv6 nd snooping enable global [SwitchB] vlan 2 [SwitchB-vlan2] ipv6 nd snooping enable [SwitchB-vlan2] ipv6 nd detection enable [SwitchB-vlan2] quit # Configure interface GigabitEthernet 1/0/2 as an ND detection trusted port. [SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] ipv6 nd detection trust [SwitchB-GigabitEthernet1/0/2] quit # Configure the dynamic IPv6 source guard binding function on downlink ports GigabitEthernet 1/0/3 through GigabitEthernet 1/0/5. [SwitchB] interface gigabitethernet 1/0/3 [SwitchB-GigabitEthernet1/0/3] ipv6 verify source ipv6-address mac-addre\ ss [SwitchB-GigabitEthernet1/0/3] quit [SwitchB] interface gigabitethernet 1/0/4 [SwitchB-GigabitEthernet1/0/4] ipv6 verify source ipv6-address mac-addre\ ss [SwitchB-GigabitEthernet1/0/4] quit [SwitchB] interface gigabitethernet 1/0/5 [SwitchB-GigabitEthernet1/0/5] ipv6 verify source ipv6-address mac-addre\ ss
388
Configuring blacklist
Overview
The blacklist feature is an attack prevention mechanism that filters packets based on the source IP address.
Compared with ACL-based packet filtering, the blacklist feature is easier to configure and fast in filtering
packets sourced from particular IP addresses.
The device can dynamically add and remove blacklist entries by cooperating with the login user
authentication feature. When the device detects that a user tried to use FTP, Telnet, SSH, SSL, or web to
log in to the device for a specific number of times but failed to log in, it considers the user an invalid user
and automatically blacklists the user’s IP address to fi lter subsequent packets sourced from that IP address.
This function can effectively prevent users from cracking passwords by repeatedly trying to log in.
The device always uses the login failure threshold of 6 and sets the aging time of a dynamic blacklist
entry to 10 minutes. These two settings are not configurable. User login failure reasons include wrong
username, wrong password, and wrong verification code (for web users).
The device also supports adding and removing blacklis t entries manually. Manually configured blacklist
entries fall into two categories: pe rmanent and non-permanent. A perm anent blacklist entry is always
present unless being removed manually, whereas a no n-permanent blacklist entry has a limited lifetime
depending on your configuration. When the lifeti me of a non-permanent entry expires, the device
removes the entry from the blacklist, allowing the packets of the IP address defined by the entry to pass
through.
Configuring the blacklist feature
Step Command Remarks
1. Enter system view.
system-view N/A
2. Enable the blacklist
feature. blacklist enable
Disabled by default.
3. Add a blacklist entry. blacklist ip source-ip-address
[ timeout minutes ] Optional.
To add a permanent en
try, do not specify
the timeout minutes option.
Displaying and maintaining the blacklist
Task Command Remarks
Display blacklist
information. display blacklist
{ all | ip source-ip-address [ slot
slot-number ] | slot slot-number } [ | { begin | exclude |
include } regular-expression ] Available in any view
389
Blacklist configuration example
Network requirements
As shown in Figure 143, Ho st A, Host B, and Host C are internal users, and external user Host D is
considered an attacker.
Configure Device to always filter packets from Host D, and to prevent internal users from guessing
passwords.
Figure 143 Network diagram
Configuration procedure
# Assign IP addresses to the interfaces of Device. (Details not shown.)
# Enable the blacklist feature.
system-view
[Device] blacklist enable
# Add the IP address of Host D 5.5.5.5 to the blacklist. Do not specify any aging time to make the entry
never age out.
[Device] blacklist ip 5.5.5.5
Verifying the configuration
If Host C tries to log in to Device through web for si x times but fails to log in, the device blacklists Host
C. Use the display blacklist all command to view all added blacklist entries.
[Device] display blacklist all
Blacklist information
------------------------------------------------------------------------\
------
Blacklist : enabled
Blacklist items : 2
------------------------------------------------------------------------\
------
IP Type Aging started Aging finished Dropped p\
ackets
YYYY/MM/DD hh:mm:ss YYYY/MM/DD hh:mm:ss
5.5.5.5 manual 2011/04/09 16:02:20 Never 0
192.168.1.4 manual 2011/04/09 16:02:26 2011/04/09 16:12:26 0
Internet
Device
Host C (Web user)
Vlan-int2
Vlan-int1
Host A Host B
Attacker
Host D5.5.5.5/24
202.1.0.1/16
192.168.1.1/16
192.168.1.4/16
390 Host D and Host C are on the blacklist. Host C will stay on the list for 10 minutes, and will then be able to try to log in again. The entry for Host D will never age out. When you do not consider Host D an attacker anymore, you can use the undo blacklist ip 5.5.5.5 command to remove the entry.
391 Index A B C D E H I L M N O P R S T U A AAA configuration considerations and task list,15 AAA co nfiguration examples, 50 AAA o verview, 1 A pplying a QoS policy, 228 AR P attack protection configuration task list, 351 B Ba sic configuration for MAC authentication, 118 Blac klist configuration example, 389 C C onfiguration prerequisites, 111 C onfiguration prerequisites, 92 C onfiguration prerequisites, 141 Co nfiguration task list, 335 Co nfiguration task list, 118 Co nfiguration task list, 326 Co nfiguration task list, 208 Co nfiguration task list, 245 C onfiguring a free IP, 111 C onfiguring a MAC authentication critical VLAN, 121 C onfiguring a MAC authentication guest VLAN, 12 0 C onfiguring a NAS ID-VLAN binding, 47 C onfiguring a PKI domain, 258 C onfiguring a switch as a RADIUS server, 48 C onfiguring AAA methods for ISP domains, 40 C onfiguring AAA schemes, 16 C onfiguring an 802.1X critical VLAN, 10 2 C onfiguring an 802.1X guest VLAN, 10 0 C onfiguring an access control policy, 26 4 C onfiguring an Auth-Fail VLAN, 101 Co nfiguring an entity DN, 257 C onfiguring an SSL client policy, 329 C onfiguring an SSL server policy, 326 C onfiguring ARP active acknowledgement, 358 C onfiguring ARP automatic scanning and fixed ARP, 366 C onfiguring ARP defense against IP packet attacks, 352 Co nfiguring ARP detection, 359 C onfiguring ARP filtering, 368 C onfiguring ARP gateway protection, 367 C onfiguring ARP packet rate limit, 355 C onfiguring ARP packet source MAC address consistency check, 358 C onfiguring global SAVI, 381 Co nfiguring HABP, 241 C onfiguring IPsec for IPv6 routing protocols, 278 Co nfiguring password control, 233 C onfiguring PKI certificate verification, 262 C onfiguring port security features, 211 C onfiguring portal detection functions, 15 7 C onfiguring portal stateful failover (available only on the HP 5500 EI series), 15 5 C onfiguring RADIUS related attributes,15 3 C onfiguring secure MAC addresses, 212 C onfiguring source MAC address based ARP attack detection, 356 C onfiguring the authentication trigger function,97 C onfiguring the blacklist feature, 388 C onfiguring the IPv4 source guard function, 336 C onfiguring the IPv6 source guard function, 338 C onfiguring the local portal server, 14 3 C onfiguring the ND detection function, 372 C onfiguring the online user handshake function,96 C onfiguring the quiet timer, 99 C onfiguring the redirect URL, 112 C onfiguring the switch as an SCP server, 321 C onfiguring the switch as an SFTP client, 311 C onfiguring the switch as an SFTP server, 31 0 C onfiguring the switch as an SSH client, 294 C onfiguring the switch as an SSH server, 289 C onfiguring the switch as the SCP client, 321 C onfiguring triple authentication, 19 6 Co nfiguring URPF, 379
392 Controlled/uncontrolled port and port authorization status,78 C ontrolling access of portal users, 14 9 Cr eating a local asymmetric key pair, 246 Cr eating a user profile, 227 D D eleting a certificate, 263 D estroying a local asymmetric key pair, 248 D estroying a local RSA key pair, 263 Displa ying and maintaining 802.1X, 10 3 Dis playing and maintaining AAA, 50 Displa ying and maintaining EAD fast deployment, 112 Displa ying and maintaining HABP, 242 Displa ying and maintaining IP source guard, 341 Displa ying and maintaining IPsec, 281 Displa ying and maintaining MAC authentication, 12 2 Displa ying and maintaining password control, 236 Displa ying and maintaining PKI, 26 4 Displa ying and maintaining port security, 214 Displa ying and maintaining portal, 16 0 Displa ying and maintaining public keys,249 Displa ying and maintaining SSH,296 Displa ying and maintaining SSL,330 Displa ying and maintaining TCP attack protection, 332 Displa ying and maintaining the blacklist, 388 Displa ying and maintaining user profiles, 229 Displa ying or exporting the local host public key, 246 E E AD fast deployment configuration example, 113 Ena bling 802.1X, 93 Ena bling a user profile, 228 Ena bling EAP relay or EAP termination, 93 Ena bling port security, 209 Ena bling portal authentication, 14 7 Ena bling source MAC consistency check for ND packets, 372 E nabling the periodic online user re-authentication function, 99 Ena bling the SYN Cookie feature, 332 H HP i mplementation of 802.1X, 87 HABP c onfiguration example, 242 HABP o verview,240 I I gnoring authorization information from the server, 214 Initi ating 802.1X authentication, 81 I P source guard configuration examples, 341 I Psec for RIPng configuration example, 281 L L ogging off portal users, 16 0 M MA C authentication configuration examples, 12 2 MA C authentication overview,1 16 N ND detec tion configuration example, 374 O Ov erview, 245 Ov erview, 388 Ov erview, 321 Ov erview, 12 9 Ov erview, 254 Ov erview, 332 Ov erview, 19 5 Ov erview, 371 Ov erview, 351 Ov erview, 31 0 Ov erview, 205 Ov erview, 325 Ov erview, 286 Ov erview, 334 Ov erview, 275 Ov erview, 111 P P assword control configuration example, 237 P assword control configuration task list,232 Pa s swo rd c o n t ro l ove r view, 230 PK I configuration examples, 265 PK I configuration task list, 256 P ort security configuration examples, 215 P ortal configuration examples, 161 P ortal configuration task list, 14 0 P ublic key configuration examples, 249 R R etrieving a certificate manually, 261
393 S SAVI configuration in DHCPv6+SLAAC address assignment scenario,386 S AVI configuration in DHCPv6-only address assignment scenario, 382 S AVI configuration in SLAAC-only address assignment scenario, 384 SA VI over view, 381 S etting port securitys limit on the number of MAC addresses on a port, 209 S etting the 802.1X authentication timeout timers, 96 S etting the EAD rule timer, 112 S etting the maximum number of authentication request attempts, 96 S etting the maximum number of concurrent 802.1X users on a port, 95 S etting the port authorization state, 94 S etting the port security mode, 210 SFT P client configuration example, 314 SFT P server configuration example, 318 S pecifying a MAC authentication domain,12 0 S pecifying a mandatory authentication domain on a port, 98 S pecifying a source IP address for outgoing portal packets, 15 4 S pecifying an access control method, 95 S pecifying an Auth-Fail VLAN for portal authentication, 15 2 S pecifying an auto redirection URL for authenticated portal users, 15 6 S pecifying supported domain name delimiters, 10 3 S pecifying the device ID used in stateful failover mode, 48 S pecifying the peer public key on the local device, 248 S pecifying the portal server, 14 2 S SH client configuration examples, 304 S SH server configuration examples, 297 Submit ting a PKI certificate request, 259 T T earing down user connections, 47 T riple authentication configuration examples, 19 7 T roubleshooting AAA, 76 T roubleshooting EAD fast deployment, 115 T roubleshooting IP source guard, 350 Tr ou b l es ho o ti n g P KI, 273 T roubleshooting port security, 224 T roubleshooting portal, 19 3 Tr ou b l es ho o ti n g SS L, 330 U UR PF configuration example, 379 UR PF overview, 376 U ser profile configuration task list, 227 U ser profile overview, 227 U sing MAC authentication with other features, 117
i Contents High availability overview ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ············· 1 Availability requirements ··················\ ··················\ ··················\ ··················\ ··················\ ··········· ··················\ ··················\ ········· 1 Availability evaluation ··················\ ··················\ ··················\ ··················\ ··················\ ············· ··················\ ··················\ ··········· 1 High availability technologies ··················\ ··················\ ··················\ ··················\ ··················\ ······ ··················\ ··················\ ····· 2 Fault detection technologies ··················\ ··················\ ··················\ ··················\ ··················\ ········ ··················\ ················ 2 Protection switchover technologies ··················\ ··················\ ··················\ ··················\ ··················\ ·· ··················\ ··········· 3 Configuring Ethernet OAM ··················\ ··················\ ··················\ ··················\ ··················\ ············ ··················\ ················· 5 Ethernet OAM overview ··················\ ··················\ ··················\ ··················\ ··················\ ··············· ··················\ ··················\ ······ 5 Major functions of Ethernet OAM ··················\ ··················\ ··················\ ··················\ ··················\ ····· ··················\ ········· 5 Ethernet OAMPDUs ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ·· ··················\ ··················\ 5 How Ethernet OAM works ··················\ ··················\ ··················\ ··················\ ··················\ ·············· ··················\ ············ 6 Standards and protocols ··················\ ··················\ ··················\ ··················\ ··················\ ············· ··················\ ················ 8 Ethernet OAM configura tion task list ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ 8 Configuring basic Ethernet OAM functions ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ········ 9 Configuring the Ethernet OAM connection detection timers ··················\ ··················\ ··················\ ················ ··················\ 9 Configuring link monitoring ··················\ ··················\ ··················\ ··················\ ··················\ ········· ··················\ ··················\ ··· 10 Configuring errored symb ol event detection ··················\ ··················\ ··················\ ··················\ ············ ··················\ 10 Configuring errored fr ame event detection ··················\ ··················\ ··················\ ··················\ ············· ··················\ · 10 Configuring errored frame period event detection ··················\ ··················\ ··················\ ··················\ ······ ·············· 10 Configuring errored frame seconds event detection ··················\ ··················\ ··················\ ··················\ ····· ············ 11 Configuring Ethernet OAM remote loopback ··················\ ··················\ ··················\ ··················\ ·············· ··················\ ····· 11 Enabling Ethernet OA M remote loopback ··················\ ··················\ ··················\ ··················\ ················· ················ 11 Rejecting the Ethernet OAM remote l oopback request from a remote port ··················\ ··················\ ················ 12 Displaying and maintaining Ethernet OAM configuration ··················\ ··················\ ··················\ ··················\ · ··············· 13 Ethernet OAM configuration example ··················\ ··················\ ··················\ ··················\ ··················\ ·· ··················\ ··········· 13 Configuring CFD ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··· ··················\ ··················\ ····· 16 CFD overview ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ······ ··················\ ··················\ ··········· 16 Basic concepts in CFD ··················\ ··················\ ··················\ ··················\ ··················\ ··············· ··················\ ··············· 16 CFD functions ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ····· ··················\ ··················\ ···· 18 Protocols and standards ··················\ ··················\ ··················\ ··················\ ··················\ ············· ··················\ ·············· 20 CFD configuration task list ··················\ ··················\ ··················\ ··················\ ··················\ ········· ··················\ ··················\ ····· 20 Configuring basic CFD settings ··················\ ··················\ ··················\ ··················\ ··················\ ······ ··················\ ··················\ 21 Enabling CFD ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ···················\ ········ 21 Configuring the CFD protocol version ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ····· 21 Configuring service instances ··················\ ··················\ ··················\ ··················\ ··················\ ······· ··················\ ··········· 22 Configuring MEPs ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ···················\ · 22 Configuring MIP generation rules ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ············ 23 Configuring CFD functions ··················\ ··················\ ··················\ ··················\ ··················\ ··········· ··················\ ··················\ ··· 24 Configuration prerequisites ··················\ ··················\ ··················\ ··················\ ··················\ ········· ··················\ ············· 24 Configuring CC on MEPs ··················\ ··················\ ··················\ ··················\ ··················\ ·············· ··················\ ··········· 24 Configuring LB on MEPs ··················\ ··················\ ··················\ ··················\ ··················\ ·············· ··················\ ············· 25 Configuring LT on MEPs ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ·········· 25 Configuring AIS ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··· ··················\ ··················\ ·· 26 Configuring LM ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ···· ··················\ ··················\ ·· 26 Configuring one-way DM ··················\ ··················\ ··················\ ··················\ ··················\ ·············· ··················\ ··········· 26 Configuring two-way DM ··················\ ··················\ ··················\ ··················\ ··················\ ·············· ··················\ ··········· 27 Configuring TST ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··· ··················\ ··················\ ·· 27 Displaying and maintaining CFD ··················\ ··················\ ··················\ ··················\ ··················\ ······ ··················\ ··············· 28
ii CFD configuration example ··················\ ··················\ ··················\ ··················\ ··················\ ··········· ··················\ ··················\ · 29 Configuring DLDP ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ·· ··················\ ··················\ ····· 35 DLDP overview ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ···················\ ··············· 35 Background ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··························\ ··················\ ···· 35 How DLDP works ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ···· ··················\ ················· 36 DLDP configuration task list ··················\ ··················\ ··················\ ··················\ ··················\ ········ ··················\ ··················\ ····· 42 Configuring the duplex mode and speed of an Ethernet interface ··················\ ··················\ ··················\ ··················\ ··· 42 Enabling DLDP ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ····· ··················\ ··················\ ··········· 43 Setting DLDP mode ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ···················\ ········ 43 Setting the interval to send advertisement packets ··················\ ··················\ ··················\ ··················\ ···· ··················\ ······· 43 Setting the delaydown timer ··················\ ··················\ ··················\ ··················\ ··················\ ········· ··················\ ··················\ ·· 44 Setting the port shutdown mode ··················\ ··················\ ··················\ ··················\ ··················\ ······ ··················\ ················· 44 Configuring DLDP authentication ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ···· 45 Resetting DLDP state ··················\ ··················\ ··················\ ··················\ ··················\ ················ ··················\ ··················\ ········· 45 Displaying and maintaining DLDP ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ·· 46 DLDP configuration examples ··················\ ··················\ ··················\ ··················\ ··················\ ········· ··················\ ··················\ 46 Automatically shutting down unidirectional links ··················\ ··················\ ··················\ ··················\ ······ ················· 46 Manually shutting down unidirectional links ··················\ ··················\ ··················\ ··················\ ··········· ··················\ · 50 Troubleshooting DLDP ··················\ ··················\ ··················\ ··················\ ··················\ ················ ··················\ ··················\ ······ 53 Configuring RRPP ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ·· ··················\ ··················\ ····· 54 RRPP overview ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ····· ··················\ ··················\ ··········· 54 Background ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ········ ··················\ ··················\ ···· 54 Basic concepts in RRPP ··················\ ··················\ ··················\ ··················\ ··················\ ·············· ··················\ ··············· 54 RRPPDUS ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ···················\ ················ 56 RRPP timers ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ·························\ ··················\ ······ 57 How RRPP works ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ···················\ ··· 57 Typical RRPP networking ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ········· 59 Protocols and standards ··················\ ··················\ ··················\ ··················\ ··················\ ············· ··················\ ·············· 62 RRPP configuration task list··················\ ··················\ ··················\ ··················\ ··················\ ········· ··················\ ··················\ ····· 62 Creating an RRPP domain ··················\ ··················\ ··················\ ··················\ ··················\ ············· ··················\ ··················\ ·· 63 Configuring control VLANs ··················\ ··················\ ··················\ ··················\ ··················\ ··········· ··················\ ··················\ ·· 63 Configuration guidelines ··················\ ··················\ ··················\ ··················\ ··················\ ············ ··················\ ·············· 63 Configuration procedure ··················\ ··················\ ··················\ ··················\ ··················\ ············· ··················\ ············· 63 Configuring protected VLANs ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ········· 64 Configuring RRPP rings ··················\ ··················\ ··················\ ··················\ ··················\ ·············· ··················\ ··················\ ······ 65 Configuring RRPP ports ··················\ ··················\ ··················\ ··················\ ··················\ ·············· ··················\ ··············· 65 Configuring RRPP nodes ··················\ ··················\ ··················\ ··················\ ··················\ ·············· ··················\ ············· 66 Activating an RRPP domain ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ············· 67 Configuring RRPP timers ··················\ ··················\ ··················\ ··················\ ··················\ ············· ··················\ ··················\ ····· 68 Configuring an RRPP ring group ··················\ ··················\ ··················\ ··················\ ··················\ ······ ··················\ ················ 68 Configuration restrictio ns and guidelines ··················\ ··················\ ··················\ ··················\ ············· ··················\ ···· 68 Configuration procedure ··················\ ··················\ ··················\ ··················\ ··················\ ············· ··················\ ············· 69 Displaying and ma intaining RRPP ··················\ ··················\ ··················\ ··················\ ··················\ ····· ··················\ ··············· 69 RRPP configuration examples ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ·········· 69 Single ring configuration example ··················\ ··················\ ··················\ ··················\ ··················\ ··· ··················\ ······· 69 Intersecting ring configuration example ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ·· 72 Dual homed rings configuration example ··················\ ··················\ ··················\ ··················\ ················ ··················\ 77 Intersecting-ring load balancing configuration example ··················\ ··················\ ··················\ ··················\ ··········· 87 Troubleshooting ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··· ··················\ ··················\ ··········· 96 Configuring Smart Link ··················\ ··················\ ··················\ ··················\ ··················\ ·············· ··················\ ··················\ ·· 97 Smart Link overview ··················\ ··················\ ··················\ ··················\ ··················\ ················· ··················\ ··················\ ········ 97 Background ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ········ ··················\ ··················\ ···· 97 Terminology ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ······· ··················\ ··················\ ···· 98