HP 5500 Ei 5500 Si Switch Series Configuration Guide

    Task: Display information about loopback interfaces.
    Command: display interface [ loopback ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
    Command: display interface loopback interface-number [ brief ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

    Task: Display information about the null interface.
    Command: display interface [ null ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
    Command: display interface null 0 [ brief ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

    Task: Clear the statistics on a loopback interface.
    Command: reset counters interface [ loopback [ interface-number ] ]
    Remarks: Available in user view

    Task: Clear the statistics on the null interface.
    Command: reset counters interface [ null [ 0 ] ]
    Remarks: Available in user view

    Bulk configuring interfaces 
    You can enter interface range view to bulk configure multiple interfaces with the same feature instead of 
    configuring them one by one. For example, you can perform the  shutdown command in interface range 
    view to shut down a range of interfaces.  
    Failure of applying a command on one member interface does not affect the application of the command 
    on the other member interfaces. If applying a command on one member interface fails, the system 
    displays an error message and continues with the next member interface.  
    Configuration guidelines 
    When you bulk configure interfaces in interface range view, follow these restrictions and guidelines: 
    •   In interface range view, only the commands supported by the first interface are available. 
    •   Do not assign an aggregate interface and any of its member interfaces to an interface range at the 
    same time. Some commands, after being executed on both an aggregate interface and its member 
    interfaces, can break up the aggregation.  
    •   No limit is set on the maximum number of interfaces in an interface range. The more interfaces in 
    an interface range, the longer the command execution time.  
    Configuration procedure 
    To bulk configure interfaces:

    1.  Enter system view.
        Command: system-view
        Remarks: N/A
    2.  Enter interface range view.
        Command (approach 1): interface range { interface-type interface-number [ to interface-type interface-number ] } &
        Command (approach 2): interface range name name [ interface { interface-type interface-number [ to interface-type interface-number ] } & ]
        Remarks: Use either approach. In approach 2, you assign a name to an interface range and can specify this name rather than the interface range to enter the interface range view.
    3.  Display commands available for the first interface in the interface range.
        Command: Enter ? at the interface range prompt.
        Remarks: Optional.
    4.  Perform available commands to configure the interfaces.
        Command: Available commands vary by interface.
        Remarks: N/A
    5.  Verify the configuration.
        Command: display this
        Remarks: Optional.

    Configuring the MAC address table 
    This feature covers only the unicast MAC address table. For information about configuring static multicast 
    MAC address table entries for IGMP snooping and MLD snooping, see IP Multicast Configuration Guide.  
    The MAC address table can contain only Layer 2 Ethernet ports and Layer 2 aggregate interfaces. 
    The MAC address table configuration tasks are all optional and can be performed in any order. 
    Overview 
    To reduce single-destination packet flooding in a switched LAN, an Ethernet device uses a MAC address 
    table for forwarding frames through unicast instead of broadcast. This table describes from which port a 
    MAC address (or host) can be reached. When forwarding a single-destination frame, the device first 
    looks up the MAC address of the frame in the MAC address table for a match. If the switch finds an entry, 
    it forwards the frame out of the outgoing port in the entry. If the switch does not find an entry, it floods the 
    frame out of all but the incoming port.  
    How a MAC address table entry is created 
    The switch automatically obtains entries in the MAC address table, or you can add them manually. 
    MAC address learning 
    The device can automatically populate its MAC address table by obtaining the source MAC addresses 
    (called MAC address learning) of incoming frames on each port.  
    When a frame arrives at a port, Port A, for example, the device performs the following tasks: 
    1.  Verifies the source MAC address (for example, MAC-SOURCE) of the frame.  
    2.  Looks up the source MAC address in the MAC address table.  
        •   If an entry is found, the device updates the entry.  
        •   If no entry is found, the device adds an entry for MAC-SOURCE and Port A. 
    3.  After obtaining this source MAC address, when the device receives a frame destined for 
        MAC-SOURCE, the device finds the MAC-SOURCE entry in the MAC address table and forwards 
        the frame out of Port A. 
    The device performs this learning process each time it receives a frame from an unknown source MAC 
    address, until the MAC address table is fully populated.  
    Manually configuring MAC address entries 
    With dynamic MAC address learning, a device does not distinguish between illegitimate and legitimate 
    frames, which can invite security hazards. For example, when a hacker sends frames with a forged 
    source MAC address to a port different from the one to which the real MAC address is connected, the 
    device creates an entry for the forged MAC address, and forwards frames destined for the legal user to 
    the hacker instead.  
    To improve port security, you can bind specific user devices to the port by manually adding MAC address 
    entries to the MAC address table of the switch.   
    						
    Types of MAC address table entries 
    A MAC address table can contain the following types of entries: 
    •   Static entries—Manually added and never age out. 
    •   Dynamic entries—Manually added or dynamically obtained, and might age out. 
    •   Blackhole entries—Manually configured and never age out. Blackhole entries are configured for 
    filtering out frames with specific source or destination MAC addresses. For example, to block all 
    packets destined for a specific user for security concerns, you can configure the MAC address of 
    this user as a blackhole MAC address entry. 
    A static or blackhole MAC address entry can overwrite a dynamic MAC address entry, but not vice 
    versa. 
    To adapt to network changes and prevent inactive entries from occupying table space, an aging 
    mechanism is adopted for dynamic MAC address entries. Each time a dynamic MAC address entry is 
    obtained or created, an aging timer starts. If the entry has not been updated when the aging timer expires, the 
    device deletes the entry. If the entry is updated before the aging timer expires, the aging timer restarts.   
    MAC address table-based frame forwarding 
    When forwarding a frame, the device adopts the following forwarding modes based on the MAC 
    address table: 
    •   Unicast mode: If an entry is available for the destination MAC address, the device forwards the 
    frame out of the outgoing interface indicated by the MAC address table entry. 
    •   Broadcast mode: If the device receives a frame with the destination address as all-ones, or no entry 
    is available for the destination MAC address, the device broadcasts the frame to all the interfaces 
    except the receiving interface. 
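
The learning, entry-type, aging and forwarding rules above can be followed in a small model. This is an added example, not code from the guide or from the switch software; the class and port names are hypothetical, and it assumes a frame whose source MAC is bound elsewhere by a static entry is still forwarded while the table stays unchanged.

```python
from dataclasses import dataclass

STATIC, DYNAMIC, BLACKHOLE = "static", "dynamic", "blackhole"
BROADCAST = "ffff-ffff-ffff"          # all-ones destination address

@dataclass
class Entry:
    kind: str
    port: str      # "N/A" for blackhole entries
    seen: float    # time of last update; drives aging of dynamic entries

class MacTable:
    def __init__(self, aging=300, limits=None):
        self.aging = aging            # seconds; None models no-aging
        self.limits = limits or {}    # port -> MAC learning limit
        self.entries = {}             # (vlan, mac) -> Entry

    def add(self, kind, mac, vlan, port="N/A", now=0.0):
        """Manual entry: overwrites whatever is stored for (vlan, mac)."""
        self.entries[(vlan, mac)] = Entry(kind, port, now)

    def _age_out(self, now):
        if self.aging is not None:
            for key, e in list(self.entries.items()):
                if e.kind == DYNAMIC and now - e.seen >= self.aging:
                    del self.entries[key]

    def _learn(self, mac, vlan, port, now):
        e = self.entries.get((vlan, mac))
        if e is not None:
            if e.kind == DYNAMIC:     # update the entry, restart its aging timer
                e.port, e.seen = port, now
            return                    # static and blackhole entries are kept
        learned = sum(x.kind == DYNAMIC and x.port == port
                      for x in self.entries.values())
        if learned < self.limits.get(port, float("inf")):
            self.entries[(vlan, mac)] = Entry(DYNAMIC, port, now)

    def receive(self, src, dst, vlan, port, now):
        """Process one frame; return "drop", "flood" or the egress port."""
        self._age_out(now)
        s, d = self.entries.get((vlan, src)), self.entries.get((vlan, dst))
        if BLACKHOLE in (s and s.kind, d and d.kind):
            return "drop"
        self._learn(src, vlan, port, now)
        return "flood" if dst == BROADCAST or d is None else d.port

def demo():
    """Constructed scenario: Host A sits on GE1/0/1, GE1/0/2 forges its MAC."""
    host_a, host_c = "000f-e235-dc71", "0000-0000-00cc"
    plain, bound = MacTable(), MacTable()
    bound.add(STATIC, host_a, 1, "GE1/0/1")
    results = []
    for table in (plain, bound):
        table.receive(host_a, BROADCAST, 1, "GE1/0/1", now=0)  # genuine Host A
        table.receive(host_a, BROADCAST, 1, "GE1/0/2", now=1)  # forged source
        results.append(table.receive(host_c, host_a, 1, "GE1/0/3", now=2))
    return results    # ["GE1/0/2", "GE1/0/1"]
```

With learning alone, traffic for Host A follows the forged entry to GE1/0/2; with the static entry in place it stays on GE1/0/1.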
    Configuring static, dynamic, and blackhole MAC address table entries 
    To prevent MAC address spoofing attacks and improve port security, you can manually add MAC 
    address table entries to bind ports with MAC addresses. You can also configure blackhole MAC address 
    entries to filter out packets with certain source or destination MAC addresses.  
    Adding or modifying a static, dynamic, or blackhole MAC address table entry in system view 

    1.  Enter system view.
        Command: system-view
        Remarks: N/A
    2.  Add or modify a dynamic or static MAC address entry.
        Command: mac-address { dynamic | static } mac-address interface interface-type interface-number vlan vlan-id
    3.  Add or modify a blackhole MAC address entry.
        Command: mac-address blackhole mac-address vlan vlan-id
        Remarks (steps 2 and 3): Use either command. Make sure that you have created the VLAN and assigned the interface to the VLAN.

    Adding or modifying a static or dynamic MAC address table entry in interface view 

    1.  Enter system view.
        Command: system-view
        Remarks: N/A
    2.  Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
        Command: interface interface-type interface-number
        Remarks: N/A
    3.  Add or modify a static or dynamic MAC address entry.
        Command: mac-address { dynamic | static } mac-address vlan vlan-id
        Remarks: Make sure that you have created the VLAN and assigned the interface to the VLAN.
     
    Disabling MAC address learning 
    Sometimes, you might need to disable MAC address learning to prevent the MAC address table from 
    being saturated, for example, when your device is being attacked by a large number of packets with 
    different source MAC addresses. 
    When MAC address learning is disabled, the learned MAC addresses remain valid until they age out. 
    Disabling global MAC address learning 
    Disabling global MAC address learning disables the learning function on all ports. 
    To disable MAC address learning: 
     
    1.  Enter system view.
        Command: system-view
        Remarks: N/A
    2.  Disable global MAC address learning.
        Command: mac-address mac-learning disable
        Remarks: Enabled by default.
     
    Disabling MAC address learning on ports 
    After enabling global MAC address learning, you can disable the function on a single port, or on all 
    ports in a port group as needed. 
    To disable MAC address learning on an interface or a port group: 
     
    1.  Enter system view.
        Command: system-view
        Remarks: N/A
    2.  Enable global MAC address learning.
        Command: undo mac-address mac-learning disable
        Remarks: Optional. Enabled by default.
    3.  Enter interface view or port group view.
        Command (Layer 2 Ethernet interface view or Layer 2 aggregate interface view): interface interface-type interface-number
        Command (port group view): port-group manual port-group-name
        Remarks: Use either command. Settings in Layer 2 Ethernet interface view or Layer 2 aggregate interface view take effect on the interface only. Settings in port group view take effect on all member ports in the port group.
    4.  Disable MAC address learning on the interface or all ports in the port group.
        Command: mac-address mac-learning disable
        Remarks: Enabled by default. For more information about configuring a port group, see Configuring Ethernet interfaces.
     
    Disabling MAC address learning on a VLAN (available only on the 5500 EI) 
    You can disable MAC address learning on a per-VLAN basis. 
    To disable MAC address learning on a VLAN: 
     
    1.  Enter system view.
        Command: system-view
        Remarks: N/A
    2.  Enable global MAC address learning.
        Command: undo mac-address mac-learning disable
        Remarks: Optional. Enabled by default.
    3.  Enter VLAN view.
        Command: vlan vlan-id
        Remarks: N/A
    4.  Disable MAC address learning on the VLAN.
        Command: mac-address mac-learning disable
        Remarks: Enabled by default.
     
    Configuring the aging timer for dynamic MAC address entries 
    The MAC address table uses an aging timer for dynamic MAC address entries for security and efficient 
    use of table space. If a dynamic MAC address entry has failed to update before the aging timer expires, 
    the device deletes that entry. This aging mechanism ensures that the MAC address table can quickly 
    update to accommodate the latest network changes.  
    Set the aging timer appropriately. Too long an aging interval might cause the MAC address table to 
    retain outdated entries, exhaust the MAC address table resources, and fail to update its entries to 
    accommodate the latest network changes. Too short an interval might result in removal of valid entries, 
    causing unnecessary flooding, which might affect device performance. 
    To configure the aging timer for dynamic MAC address entries: 
     
    1.  Enter system view.
        Command: system-view
        Remarks: N/A
    2.  Configure the aging timer for dynamic MAC address entries.
        Command: mac-address timer { aging seconds | no-aging }
        Remarks: Optional. 300 seconds by default. The no-aging keyword disables the aging timer.
     
    You can reduce flooding on a stable network by disabling the aging timer to prevent dynamic entries 
    from unnecessarily aging out. By reducing flooding, you improve not only network performance, but also 
    security, because you reduce the chances that a data packet will reach unintended destinations.  
    Configuring the MAC learning limit on ports 
    To prevent the MAC address table from getting too large, you can limit the number of MAC addresses 
    that a port can learn. 
    To configure the MAC learning limit on a Layer 2 Ethernet interface or all ports in a port group: 

    1.  Enter system view.
        Command: system-view
        Remarks: N/A
    2.  Enter interface view or port group view.
        Command (Layer 2 Ethernet interface view): interface interface-type interface-number
        Command (port group view): port-group manual port-group-name
        Remarks: Use either command. Settings in Layer 2 Ethernet interface view take effect on the interface only. Settings in port group view take effect on all member ports in the port group.
    3.  Configure the MAC learning limit on the interface or port group.
        Command: mac-address max-mac-count count
        Remarks: No MAC learning limit is configured by default. Layer 2 aggregate interfaces do not support this command.

    NOTE: 
    Do not configure the MAC learning limit on any member ports of an aggregation group. Otherwise, the 
    member ports cannot be selected. 
     
    Enabling MAC address roaming 
    After you enable MAC address roaming on an IRF fabric, each member switch advertises learned MAC 
    addresses to other member switches. 
    As shown in Figure 4, Device A and Device B form an IRF fabric enabled with MAC address roaming. 
    They connect to AP C and AP D, respectively. When Client A associates with AP C, Device A learns the 
    MAC address of Client A and advertises it to the member switch Device B.   
    						
    Figure 4 MAC address tables of devices when Client A associates with AP C 
     
     
    If Client A roams to AP D, Device B learns the MAC address of Client A and advertises it to Device A to 
    ensure service continuity for Client A, as shown in Figure 5.  
    Figure 5 MAC address tables of devices when Client A roams to AP D 
     
     
    To enable MAC address roaming:  
    1.  Enter system view.
        Command: system-view
        Remarks: N/A
    2.  Enable MAC address roaming.
        Command: mac-address mac-roaming enable
        Remarks: Disabled by default.
     
    Displaying and maintaining MAC address tables 
     
    Task: Display MAC address table information.
    Command: display mac-address [ mac-address [ vlan vlan-id ] | [ [ dynamic | static ] [ interface interface-type interface-number ] | blackhole ] [ vlan vlan-id ] [ count ] ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

    Task: Display the aging timer for dynamic MAC address entries.
    Command: display mac-address aging-time [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

    Task: Display the system or interface MAC address learning state.
    Command: display mac-address mac-learning [ interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

    Task: Display MAC address statistics.
    Command: display mac-address statistics [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view
     
    MAC address table configuration example 
    Network requirements 
    As shown in Figure 6: 
    •   The MAC address of Host A is 000f-e235-dc71 and belongs to VLAN 1. It is connected to 
    GigabitEthernet 1/0/1 of the device. To prevent MAC address spoofing, add a static entry for the 
    host in the MAC address table of the device. 
    •   The MAC address of Host B is 000f-e235-abcd and belongs to VLAN 1. For security, because this 
    host once behaved suspiciously on the network, add a blackhole MAC address entry for the host 
    MAC address, so all packets destined for the host are dropped. 
    •   Set the aging timer for dynamic MAC address entries to 500 seconds.  
    Figure 6  Network diagram 
     
      
    						
    Configuration procedure 
    # Add a static MAC address entry. 
    <Sysname> system-view 
    [Sysname] mac-address static 000f-e235-dc71 interface gigabitethernet 1/0/1 vlan 1 
    # Add a blackhole MAC address entry.  
    [Sysname] mac-address blackhole 000f-e235-abcd vlan 1 
    # Set the aging timer for dynamic MAC address entries to 500 seconds. 
    [Sysname] mac-address timer aging 500 
    # Display the MAC address entry for port GigabitEthernet 1/0/1. 
    [Sysname] display mac-address interface gigabitethernet 1/0/1 
    MAC ADDR          VLAN ID  STATE            PORT INDEX             AGING TIME(s) 
    000f-e235-dc71    1        Config static    GigabitEthernet 1/0/1     NOAGED 
     
      ---  1 mac address(es) found  --- 
    # Display information about the blackhole MAC address table.  
    [Sysname] display mac-address blackhole 
    MAC ADDR        VLAN ID    STATE            PORT INDEX             AGING TIME(s) 
    000f-e235-abcd  1          Blackhole        N/A                    NOAGED 
     
      ---  1 mac address(es) found  --- 
    # View the aging time of dynamic MAC address entries.  
    [Sysname] display mac-address aging-time 
    Mac address aging time: 500s 
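
To check later that the manual entries from this example are still in place, the display output can be parsed and compared with the intended bindings. The script below is an added example, not part of the guide; the function names are hypothetical, the first sample is the output shown above, and the second is a constructed case.

```python
import re

# One row: MAC ADDR, VLAN ID, STATE, PORT INDEX, AGING TIME(s). STATE and PORT
# INDEX may contain single spaces, so those columns end at two or more spaces.
ROW = re.compile(r"^\s*([0-9a-f]{4}(?:-[0-9a-f]{4}){2})\s+(\d+)\s+"
                 r"(.+?)\s{2,}(.+?)\s{2,}(\S+)\s*$", re.I)

def parse_mac_table(text):
    """Return {(mac, vlan): (state, port, aging)} for every table row in text."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            mac, vlan, state, port, aging = m.groups()
            table[(mac.lower(), int(vlan))] = (state, port, aging)
    return table

def audit(text, expected):
    """Compare display output with the intended manual entries; list deviations."""
    table, findings = parse_mac_table(text), []
    for (mac, vlan), (state, port) in expected.items():
        row = table.get((mac, vlan))
        if row is None:
            findings.append(f"{mac} vlan {vlan}: no entry found")
        elif row[:2] != (state, port):
            findings.append(f"{mac} vlan {vlan}: expected {state} on {port}, "
                            f"found {row[0]} on {row[1]}")
        elif row[2] != "NOAGED":
            findings.append(f"{mac} vlan {vlan}: entry can age out ({row[2]})")
    return findings

# Intended bindings from the network requirements above.
EXPECTED = {
    ("000f-e235-dc71", 1): ("Config static", "GigabitEthernet 1/0/1"),
    ("000f-e235-abcd", 1): ("Blackhole", "N/A"),
}

# The two display outputs from the configuration example, wrapped lines joined.
PAGE_OUTPUT = """\
MAC ADDR          VLAN ID  STATE            PORT INDEX             AGING TIME(s)
000f-e235-dc71    1        Config static    GigabitEthernet 1/0/1     NOAGED
  ---  1 mac address(es) found  ---
MAC ADDR        VLAN ID    STATE            PORT INDEX             AGING TIME(s)
000f-e235-abcd  1          Blackhole        N/A                    NOAGED
  ---  1 mac address(es) found  ---
"""

# Constructed drift case: static entry on another port, blackhole entry gone.
DRIFTED_OUTPUT = """\
MAC ADDR          VLAN ID  STATE            PORT INDEX             AGING TIME(s)
000f-e235-dc71    1        Config static    GigabitEthernet 1/0/2     NOAGED
  ---  1 mac address(es) found  ---
"""

if __name__ == "__main__":
    print(audit(PAGE_OUTPUT, EXPECTED))
    for finding in audit(DRIFTED_OUTPUT, EXPECTED):
        print(finding)
```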
      
    						