HP 5500 Ei 5500 Si Switch Series Configuration Guide
Task: Display information about loopback interfaces.
   Command: display interface [ loopback ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
            display interface loopback interface-number [ brief ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display information about the null interface.
   Command: display interface [ null ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
            display interface null 0 [ brief ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Clear the statistics on a loopback interface.
   Command: reset counters interface [ loopback [ interface-number ] ]
   Remarks: Available in user view.
Task: Clear the statistics on the null interface.
   Command: reset counters interface [ null [ 0 ] ]
   Remarks: Available in user view.
Bulk configuring interfaces

You can enter interface range view to bulk configure multiple interfaces with the same feature instead of configuring them one by one. For example, you can perform the shutdown command in interface range view to shut down a range of interfaces.

Failure to apply a command on one member interface does not affect the application of the command on the other member interfaces. If applying a command on one member interface fails, the system displays an error message and continues with the next member interface.

Configuration guidelines

When you bulk configure interfaces in interface range view, follow these restrictions and guidelines:
• In interface range view, only the commands supported by the first interface are available.
• Do not assign an aggregate interface and any of its member interfaces to an interface range at the same time. Some commands, after being executed on both an aggregate interface and its member interfaces, can break up the aggregation.
• No limit is set on the maximum number of interfaces in an interface range. The more interfaces in an interface range, the longer the command execution time.

Configuration procedure

To bulk configure interfaces:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface range view.
   Approach 1: interface range { interface-type interface-number [ to interface-type interface-number ] } &
   Approach 2: interface range name name [ interface { interface-type interface-number [ to interface-type interface-number ] } & ]
   Remarks: Use either approach. In approach 2, you assign a name to an interface range and can specify this name rather than the interface range to enter the interface range view.
3. Display commands available for the first interface in the interface range.
   Command: Enter ? at the interface range prompt.
   Remarks: Optional.
4. Perform available commands to configure the interfaces.
   Command: Available commands vary by interface.
   Remarks: N/A
5. Verify the configuration.
   Command: display this
   Remarks: Optional.
Configuring the MAC address table

This feature covers only the unicast MAC address table. For information about configuring static multicast MAC address table entries for IGMP snooping and MLD snooping, see IP Multicast Configuration Guide.

The MAC address table can contain only Layer 2 Ethernet ports and Layer 2 aggregate interfaces.

The MAC address table configuration tasks are all optional and can be performed in any order.

Overview

To reduce single-destination packet flooding in a switched LAN, an Ethernet device uses a MAC address table for forwarding frames through unicast instead of broadcast. This table describes from which port a MAC address (or host) can be reached. When forwarding a single-destination frame, the device first looks up the MAC address of the frame in the MAC address table for a match. If the switch finds an entry, it forwards the frame out of the outgoing port in the entry. If the switch does not find an entry, it floods the frame out of all but the incoming port.

How a MAC address table entry is created

The switch automatically obtains entries in the MAC address table, or you can add them manually.

MAC address learning

The device can automatically populate its MAC address table by obtaining the source MAC addresses (called MAC address learning) of incoming frames on each port. When a frame arrives at a port, Port A, for example, the device performs the following tasks:
1. Verifies the source MAC address (for example, MAC-SOURCE) of the frame.
2. Looks up the source MAC address in the MAC address table.
   - If an entry is found, the device updates the entry.
   - If no entry is found, the device adds an entry for MAC-SOURCE and Port A.
3. After obtaining this source MAC address, when the device receives a frame destined for MAC-SOURCE, the device finds the MAC-SOURCE entry in the MAC address table and forwards the frame out of Port A.

The device performs this learning process each time it receives a frame from an unknown source MAC address, until the MAC address table is fully populated.

Manually configuring MAC address entries

With dynamic MAC address learning, a device does not distinguish between illegitimate and legitimate frames, which can invite security hazards. For example, when a hacker sends frames with a forged source MAC address to a port different from the one to which the real MAC address is connected, the device creates an entry for the forged MAC address, and forwards frames destined for the legal user to the hacker instead. To improve port security, you can bind specific user devices to the port by manually adding MAC address entries to the MAC address table of the switch.
Types of MAC address table entries

A MAC address table can contain the following types of entries:
• Static entries—Manually added and never age out.
• Dynamic entries—Manually added or dynamically obtained, and might age out.
• Blackhole entries—Manually configured and never age out. Blackhole entries are configured for filtering out frames with specific source or destination MAC addresses. For example, to block all packets destined for a specific user for security concerns, you can configure the MAC address of this user as a blackhole MAC address entry.

A static or blackhole MAC address entry can overwrite a dynamic MAC address entry, but not vice versa.

To adapt to network changes and prevent inactive entries from occupying table space, an aging mechanism is adopted for dynamic MAC address entries. Each time a dynamic MAC address entry is obtained or created, an aging timer starts. If the entry has not been updated when the aging timer expires, the device deletes the entry. If the entry has been updated before the aging timer expires, the aging timer restarts.

MAC address table-based frame forwarding

When forwarding a frame, the device adopts the following forwarding modes based on the MAC address table:
• Unicast mode: If an entry is available for the destination MAC address, the device forwards the frame out of the outgoing interface indicated by the MAC address table entry.
• Broadcast mode: If the device receives a frame with the destination address as all-ones, or no entry is available for the destination MAC address, the device broadcasts the frame to all the interfaces except the receiving interface.

Configuring static, dynamic, and blackhole MAC address table entries

To prevent MAC address spoofing attacks and improve port security, you can manually add MAC address table entries to bind ports with MAC addresses. You can also configure blackhole MAC address entries to filter out packets with certain source or destination MAC addresses.
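The learning, precedence, aging and forwarding rules described above, as an added illustration in Python (not HP's code): the toy table models MAC address learning, the rule that a static or blackhole entry is never overwritten by learning, the aging timer, and the unicast/broadcast/blackhole forwarding outcomes. spoof_demo replays the forged-source scenario from "Manually configuring MAC address entries" and shows that a static binding keeps Host A's traffic on its real port. Port names and timing values are constructed.

```python
"""Toy model of the unicast MAC address table described above (an added illustration,
not HP/Comware code): learning, precedence of static/blackhole over dynamic, aging."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STATIC, DYNAMIC, BLACKHOLE = "static", "dynamic", "blackhole"
@dataclass
class Entry:
    kind: str
    port: Optional[str]   # None for blackhole entries (no outgoing port)
    last_seen: float      # time the entry was learned or last refreshed
class MacTable:
    def __init__(self, aging: Optional[float] = 300.0, learning: bool = True):
        self.aging = aging          # None models "mac-address timer no-aging"
        self.learning = learning    # False models "mac-address mac-learning disable"
        self.entries: Dict[Tuple[str, int], Entry] = {}

    def add_manual(self, mac: str, vlan: int, kind: str, port: Optional[str] = None):
        self.entries[(mac, vlan)] = Entry(kind, port, 0.0)  # overwrites a dynamic entry

    def learn(self, src_mac: str, vlan: int, in_port: str, now: float) -> bool:
        cur = self.entries.get((src_mac, vlan))
        if (cur is not None and cur.kind != DYNAMIC) or not self.learning:
            return False            # manual entries are never overwritten by learning
        self.entries[(src_mac, vlan)] = Entry(DYNAMIC, in_port, now)
        return True                 # entry added, or refreshed (aging timer restarts)

    def age(self, now: float) -> None:
        # Delete dynamic entries that were not refreshed within the aging interval.
        for k in [k for k, e in self.entries.items() if self.aging is not None
                  and e.kind == DYNAMIC and now - e.last_seen >= self.aging]:
            del self.entries[k]

    def forward(self, dst_mac: str, vlan: int, in_port: str, ports: List[str]) -> List[str]:
        e = self.entries.get((dst_mac, vlan))
        if e is not None and e.kind == BLACKHOLE:
            return []                                 # filtered: frame is dropped
        if e is not None and dst_mac != "ffff-ffff-ffff":
            return [e.port]                           # unicast mode
        return [p for p in ports if p != in_port]     # broadcast mode (flooding)

def spoof_demo(static_binding: bool) -> List[str]:
    # Egress ports for a frame to Host A after the same source MAC is seen on port 5.
    t = MacTable()
    host_a = "000f-e235-dc71"       # Host A's MAC from the configuration example
    if static_binding:
        t.add_manual(host_a, 1, STATIC, "GE1/0/1")
    t.learn(host_a, 1, "GE1/0/1", 0.0)   # Host A's own traffic
    t.learn(host_a, 1, "GE1/0/5", 1.0)   # forged source MAC arriving on another port
    return t.forward(host_a, 1, "GE1/0/3", ["GE1/0/1", "GE1/0/3", "GE1/0/5"])
```

Without the static entry the dynamic entry simply moves to the forged port; with it, learning is refused and forwarding stays on GE1/0/1.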
Adding or modifying a static, dynamic, or blackhole MAC address table entry in system view

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Add or modify a dynamic or static MAC address entry.
   Command: mac-address { dynamic | static } mac-address interface interface-type interface-number vlan vlan-id
   Remarks: Use either this command or the one in step 3. Make sure that you have created the VLAN and assigned the interface to the VLAN.
3. Add or modify a blackhole MAC address entry.
   Command: mac-address blackhole mac-address vlan vlan-id
   Remarks: Use either this command or the one in step 2.
Adding or modifying a static or dynamic MAC address table entry in interface view

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Add or modify a static or dynamic MAC address entry.
   Command: mac-address { dynamic | static } mac-address vlan vlan-id
   Remarks: Make sure that you have created the VLAN and assigned the interface to the VLAN.

Disabling MAC address learning

Sometimes, you might need to disable MAC address learning to prevent the MAC address table from being saturated, for example, when your device is being attacked by a large number of packets with different source MAC addresses.

When MAC address learning is disabled, the learned MAC addresses remain valid until they age out.

Disabling global MAC address learning

Disabling global MAC address learning disables the learning function on all ports.

To disable MAC address learning:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Disable global MAC address learning.
   Command: mac-address mac-learning disable
   Remarks: Enabled by default.

Disabling MAC address learning on ports

After enabling global MAC address learning, you can disable the function on a single port, or on all ports in a port group as needed.

To disable MAC address learning on an interface or a port group:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable global MAC address learning.
   Command: undo mac-address mac-learning disable
   Remarks: Optional. Enabled by default.
3. Enter interface view or port group view.
   • Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks: Use either command. Settings in Layer 2 Ethernet interface view or Layer 2 aggregate interface view take effect on the interface only. Settings in port group view take effect on all member ports in the port group.
4. Disable MAC address learning on the interface or all ports in the port group.
   Command: mac-address mac-learning disable
   Remarks: Enabled by default.

For more information about configuring a port group, see Configuring Ethernet interfaces.

Disabling MAC address learning on a VLAN (available only on the 5500 EI)

You can disable MAC address learning on a per-VLAN basis.

To disable MAC address learning on a VLAN:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable global MAC address learning.
   Command: undo mac-address mac-learning disable
   Remarks: Optional. Enabled by default.
3. Enter VLAN view.
   Command: vlan vlan-id
   Remarks: N/A
4. Disable MAC address learning on the VLAN.
   Command: mac-address mac-learning disable
   Remarks: Enabled by default.

Configuring the aging timer for dynamic MAC address entries

The MAC address table uses an aging timer for dynamic MAC address entries for security and efficient use of table space. If a dynamic MAC address entry has failed to update before the aging timer expires, the device deletes that entry. This aging mechanism ensures that the MAC address table can quickly update to accommodate the latest network changes.

Set the aging timer appropriately. Too long an aging interval might cause the MAC address table to retain outdated entries, exhaust the MAC address table resources, and fail to update its entries to accommodate the latest network changes. Too short an interval might result in removal of valid entries, causing unnecessary flooding, which might affect device performance.

To configure the aging timer for dynamic MAC address entries:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the aging timer for dynamic MAC address entries.
   Command: mac-address timer { aging seconds | no-aging }
   Remarks: Optional. 300 seconds by default. The no-aging keyword disables the aging timer.

You can reduce flooding on a stable network by disabling the aging timer to prevent dynamic entries from unnecessarily aging out. By reducing flooding, you improve not only network performance, but also security, because you reduce the chances that a data packet will reach unintended destinations.

Configuring the MAC learning limit on ports

To prevent the MAC address table from getting too large, you can limit the number of MAC addresses that a port can learn.

To configure the MAC learning limit on a Layer 2 Ethernet interface or all ports in a port group:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view or port group view.
   • Enter Layer 2 Ethernet interface view: interface interface-type interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks: Use either command. Settings in Layer 2 Ethernet interface view take effect on the interface only. Settings in port group view take effect on all member ports in the port group.
3. Configure the MAC learning limit on the interface or port group.
   Command: mac-address max-mac-count count
   Remarks: No MAC learning limit is configured by default. Layer 2 aggregate interfaces do not support this command.

NOTE: Do not configure the MAC learning limit on any member ports of an aggregation group. Otherwise, the member ports cannot be selected.

Enabling MAC address roaming

After you enable MAC address roaming on an IRF fabric, each member switch advertises learned MAC addresses to other member switches.

As shown in Figure 4, Device A and Device B form an IRF fabric enabled with MAC address roaming. They connect to AP C and AP D, respectively. When Client A associates with AP C, Device A learns the MAC address of Client A and advertises it to the member switch Device B.
Figure 4 MAC address tables of devices when Client A associates with AP C

If Client A roams to AP D, Device B learns the MAC address of Client A and advertises it to Device A to ensure service continuity for Client A, as shown in Figure 5.

Figure 5 MAC address tables of devices when Client A roams to AP D

To enable MAC address roaming:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable MAC address roaming.
   Command: mac-address mac-roaming enable
   Remarks: Disabled by default.
Displaying and maintaining MAC address tables

Task: Display MAC address table information.
   Command: display mac-address [ mac-address [ vlan vlan-id ] | [ [ dynamic | static ] [ interface interface-type interface-number ] | blackhole ] [ vlan vlan-id ] [ count ] ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display the aging timer for dynamic MAC address entries.
   Command: display mac-address aging-time [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display the system or interface MAC address learning state.
   Command: display mac-address mac-learning [ interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display MAC address statistics.
   Command: display mac-address statistics [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.

MAC address table configuration example

Network requirements

As shown in Figure 6:
• The MAC address of Host A is 000f-e235-dc71 and belongs to VLAN 1. It is connected to GigabitEthernet 1/0/1 of the device. To prevent MAC address spoofing, add a static entry for the host in the MAC address table of the device.
• The MAC address of Host B is 000f-e235-abcd and belongs to VLAN 1. For security, because this host once behaved suspiciously on the network, add a blackhole MAC address entry for the host MAC address, so all packets destined for the host are dropped.
• Set the aging timer for dynamic MAC address entries to 500 seconds.

Figure 6 Network diagram
Configuration procedure

# Add a static MAC address entry.
system-view
[Sysname] mac-address static 000f-e235-dc71 interface gigabitethernet 1/0/1 vlan 1
# Add a blackhole MAC address entry.
[Sysname] mac-address blackhole 000f-e235-abcd vlan 1
# Set the aging timer for dynamic MAC address entries to 500 seconds.
[Sysname] mac-address timer aging 500
# Display the MAC address entry for port GigabitEthernet 1/0/1.
[Sysname] display mac-address interface gigabitethernet 1/0/1
MAC ADDR         VLAN ID  STATE          PORT INDEX               AGING TIME(s)
000f-e235-dc71   1        Config static  GigabitEthernet 1/0/1    NOAGED
---  1 mac address(es) found  ---
# Display information about the blackhole MAC address table.
[Sysname] display mac-address blackhole
MAC ADDR         VLAN ID  STATE          PORT INDEX               AGING TIME(s)
000f-e235-abcd   1        Blackhole      N/A                      NOAGED
---  1 mac address(es) found  ---
# View the aging time of dynamic MAC address entries.
[Sysname] display mac-address aging-time
Mac address aging time: 500s
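A check an operator might run over the display mac-address output shown above, added here as an example (not HP code): it parses the listing into (MAC, VLAN) rows and reports protected hosts whose entry is missing, learned dynamically instead of statically bound (a spoofing indicator), bound to an unexpected port, or not blackholed as intended. SAMPLE is constructed in the page's column layout; the Learned/AGING values used for dynamic entries are assumed, not taken from the page.

```python
"""Audit of 'display mac-address' output against the bindings an operator expects
(added example, not HP code). SAMPLE is constructed in the column layout shown
above; the 'Learned'/'AGING' values for dynamic entries are an assumption."""
import re
from typing import Dict, Iterable, List, Tuple

ROW = re.compile(r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)\s+"
                 r"(Config static|Config dynamic|Learned|Blackhole)\s+"
                 r"(\S+(?: \S+)?)\s+(NOAGED|AGING|\d+)\s*$")

SAMPLE = """\
MAC ADDR         VLAN ID  STATE          PORT INDEX               AGING TIME(s)
000f-e235-dc71   1        Config static  GigabitEthernet 1/0/1    NOAGED
000f-e235-abcd   1        Blackhole      N/A                      NOAGED
0011-2233-4455   1        Learned        GigabitEthernet 1/0/7    AGING
000f-e235-dc72   1        Learned        GigabitEthernet 1/0/9    AGING
---  4 mac address(es) found  ---
"""

Key = Tuple[str, int]   # (MAC address, VLAN ID)

def parse(listing: str) -> Dict[Key, Dict[str, str]]:
    """Map (mac, vlan) -> row fields; header and trailer lines do not match ROW."""
    rows = {}
    for line in listing.splitlines():
        m = ROW.match(line.strip())
        if m:
            mac, vlan, state, port, aging = m.groups()
            rows[(mac, int(vlan))] = {"state": state, "aging": aging,
                                      "port": port.replace(" ", "")}
    return rows

def audit(listing: str, expected_static: Dict[Key, str], blackholes: Iterable[Key]) -> List[str]:
    """Findings for protected MACs that are missing, learned dynamically (a spoofing
    indicator), bound to the wrong port, or not blackholed as intended."""
    seen, findings = parse(listing), []
    for key, port in expected_static.items():
        r = seen.get(key)
        if r is None:
            findings.append(f"{key}: no entry, static binding missing")
        elif r["state"] != "Config static":
            findings.append(f"{key}: {r['state']} on {r['port']}, expected static binding")
        elif r["port"] != port.replace(" ", ""):
            findings.append(f"{key}: static on {r['port']}, expected {port}")
    for key in blackholes:
        r = seen.get(key)
        if r is None or r["state"] != "Blackhole":
            findings.append(f"{key}: blackhole entry missing")
    return findings
```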