Zte ZXR10 8900 Series, User Manual

Page 1: ...nual Basic Configuration Volume Version 2 8 02 C ZTE CORPORATION ZTE Plaza Keji Road South Hi Tech Industrial Park Nanshan District Shenzhen P R China 518057 Tel 86 755 26771900 Fax 86 755 26770801 URL http ensupport zte com cn E mail support zte com cn ...

Page 2: ...rchantability fitness for a particular purpose title or non in fringement ZTE CORPORATION and its licensors shall not be liable for damages resulting from the use of or reliance on the information contained herein ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications covering the subject matter of this document Except as expressly provided in any...

Page 3: ... 15 System Management 17 File System Management 17 File System Overview 17 Operating File System Management 18 FTP TFTP Connection Configuration 19 Configuring a Switch as FTP Client Terminal 20 Configuring a Switch as TFTP Client Terminal 21 File Backup and Restoration 23 Backing up Configuration File 23 Restoring Configuration File 23 Backing up System Software Version 23 Restoring System Softwa...

Page 4: ...ssification 37 CLI Privilege Classification Overview 37 Configuring CLI Privilege Classification 38 Configuring Telnet User 38 Configuring an Enabling Password 39 Configuring Privilege Level of a Command 40 CLI Privilege Classification Configuration Example 42 Maintenance and Diagnosis of CLI Privilege Classification 42 Port Configuration 43 Port Basic Configuration 43 Port Basic Configuration Ove...

Page 5: ...ation Example 55 Port Loop Detection Configuration 56 Port Loop Detection Overview 56 Configuring Port Loop Detection 56 Port Loop Detection Configuration Example 57 Network Protocol Configuration 59 IP Address Configuration 59 IP Address Overview 59 Configuring IP Address 61 IP Address Configuration Example 61 ARP Configuration 61 ARP Overview 61 Configuring ARP 62 ARP Configuration Example 62 AR...

Page 6: ...guring ACLs 79 Defining ACLs 79 Defining Standard ACL 79 Defining Extended ACL 80 Defining Layer 2 ACL 81 Defining Hybrid ACL 81 Defining Standard IPv6 ACL 82 Defining Extended IPv6 ACL 82 Defining Customized ACL 83 Configuring Time Range 83 Applying ACL to Physical Port 84 Applying ACL to Virtual Port 85 Configuring Event Linkage ACL Rule 85 Applying NP Based ACL 87 ACL Configuration Example 88 A...

Page 7: ...guring Queue Based Bandwidth Upper and Lower Threshold 103 Configuring HQoS 103 Configuring Traffic Class 103 Configuring WRED Policy 104 Configuring WFQ Policy 105 Configuring Traffic Shaping 105 Configuring HQoS Policy 106 QoS Configuration Examples 109 Typical QoS Configuration Example 109 Policy Routing Configuration Example 111 QoS Maintenance and Diagnosis 111 DOT1x Configuration 113 DOT1x O...

Page 8: ...P Configuration Example 130 RADIUS Configuration 130 Radius Overview 130 Configuring a RADIUS Accounting Group 130 Configuring a RADIUS Authentication Group 131 Configuring RADIUS Parameters 131 Viewing RADIUS Information 132 RADIUS Configuration Example 132 SNMP Configuration 133 SNMP Overview 133 Configuring SNMP 133 SNMP Configuration Example 134 RMON Configuration 134 RMON Overview 134 Configu...

Page 9: ...BAS Configuration Example 150 VBAS Maintenance and Diagnosis 150 CPU Attack Protection Configuration 151 CPU Attack Protection Overview 151 CPU Attack Protection Principle 152 Configuring CPU Attack Protection 152 Configuring IPv4 Protocol Protection 152 Configuring IPv6 Protocol Protection 153 Configuring Layer 2 Protocol Protection 154 CPU Attack Protection Configuration Examples 154 URPF Config...

Page 10: ...ddress and L4 Port ID 164 Setting Source Address for Network Device Sending Packets 164 Setting Template Refresh Rate 164 Configuring TOPN 165 Template Configuration 165 Setting Template 165 Setting Data Field Contained in Template Packet 165 Deleting Template 165 Running Template 165 IPFIX Configuration Example 166 IPFIX Maintenance and Diagnosis 166 Figures 169 Tables 171 List of Glossary 173 ...

Page 11: ...hapter describes CLI privilege classification and configuration on ZXR10 8912 8908 8905 8902 Chapter 5 Port Configuration This chapter describes the configuration of ZXR10 8912 8908 8905 8902 port parameters and port mirroring function Chapter 6 Network Protocol Configuration This chapter describes IP address configuration and ARP configuration Chapter 7 DHCP Configuration This chapter introduces ...

Page 12: ...r introduces URPF Unicast Reverse Path Forwarding and related configuration on ZXR10 8912 8908 8905 8902 Chapter 18 UDLD Configuration This chapter describes UDLD and configu ration on ZXR10 8912 8908 8905 8902 Related Documentation The following documentation is related to this manual ZXR10 8900 Series V2 8 02 C 10 Gigabit Routing Switch Hardware Installation Manual ZXR10 8900 Series V2 8 02 C 10...

Page 13: ...ersonal injury or equipment damage Safety precautions introduced in this manual are supplementary to the local safety codes ZTE bears no responsibility in case of universal safety oper ation requirements violation and safety standards violation in designing manufacturing and equipment usage Safety Description Contents deserving special attention during configuration of ZXR10 8900 series switch are...

Page 14: ...ZXR10 8900 Series User Manual Basic Configuration Volume This page is intentionally blank 2 Confidential and Proprietary Information of ZTE CORPORATION ...

Page 15: ...configuration modes as shown in Figure 1 User can select appropriate configuration mode according to the connected network FIGURE 1 CONFIGURATION MODES Serial interface connection configuration TELNET connection configuration SSH connection configuration FTP TFTP connection configuration SNMP connection configuration Confidential and Proprietary Information of ZTE CORPORATION 3 ...

Page 16: ... 8900 series switch Serial connection configuration adopts VT100 terminal mode using the HyperTerminal tool provided by Windows OS To configure serial interface connection perform the following steps 1 Connect the computer serial port to Console port of ZXR10 8900 series switch with serial configuration cable 2 Open the HyperTerminal as shown in Figure 2 Input the con nection name such as ZXR10 an...

Page 17: ...TERMINAL CONFIGURATION 2 4 Click Ok COM port attribute setup window appears as shown in Figure 4 Fill in the parameter values as shown in Table 3 FIGURE 4 HYPERTERMINAL CONFIGURATION 3 Confidential and Proprietary Information of ZTE CORPORATION 5 ...

Page 18: ...l users from accessing the switch by Telnet Only the users with valid username and password could login to the device Use the following command to configure username and password Command Function ZXR10 config username username password password This configures username and password of Telnet login Configuring Telnet Connection through Management Port To configure telnet connection through manageme...

Page 19: ...ra tion mode Note ZXR10 8900 series switch allows up to four Telnet users logging in simultaneously If appears after inputting username and password it indicates that the number of users reaches the limit please retry later or re login after logging out other users When users perform Telnet configuration through management port connecting to the switch the IP address of management port cannot be m...

Page 20: ...P address of VLAN and VLAN interface through Con sole port 2 Configure username and password of Telnet login through Con sole port 3 Take a router connected to a switch as an example from which the IP address of VLAN interface can be pinged successfully 4 Run telnet command in the router Input the IP address of VLAN interface login to the switch For the detailed proce dures please refer to Configu...

Page 21: ... solve the problem SSH establishes a se cure channel for remote login and other network services in the insecure network It encrypts and compresses the transmitted data that prevents people from getting secret information Two incompatible versions of SSH protocols are available SSH v1 x SSH v2 x ZXR10 8900 series switch supports SSH v2 0 It provides secure remote login function SSH falls into two ...

Page 22: ... port of the switch Enable the host to ping the IP address of VLAN interface in the switch 3 Run SSH client terminal software in the host i Set the IP address and port number of SSH server as shown in Figure 8 FIGURE 8 SETTING IP ADDRESS AND PORT OF SSH SERVER ii Set SSH version as shown in Figure 9 10 Confidential and Proprietary Information of ZTE CORPORATION ...

Page 23: ...adopts management based on server and client terminal Background NM server serves as the SNMP server and the fore ground network equipment ZXR10 8900 series switch serves as SNMP client terminal Foreground and background share the same MIB management database performing communication by SNMP protocol Background NM server needs installation of NM software that sup ports SNMP protocol It performs ma...

Page 24: ...e b yname by name Global configuration mode VLAN database configuration ZXR10 vlan vlan database Privileged EXEC mode VLAN configuration ZXR10 config vlan vlan vlan id vlan name Global configuration mode VLAN interface configuration ZXR10 config if interface vlan vlan id v lan if Global configuration mode MSTP configuration ZXR10 config mstp spanning tree mst configuration Global configuration mod...

Page 25: ...r bgp as number Global configuration mode BGP address family configuration ZXR10 config router af address family vpnv4 Route BGP configuration mode address family ipv4 vrf vrf name BGP route configuration mode PIM SM route configuration ZXR10 config router router pimsm Global configuration mode Route map configuration ZXR10 config route map route map map tag permi t deny sequence number Global con...

Page 26: ...race Trace route to destination who List users who is logining on ZXR10 Input a question mark following character or character string the list of commands or key words with the character or character string as the prefix are displayed For example ZXR10 co configure copy ZXR10 co Note There is no space between character Character string and the question mark Press Tab after the character if the com...

Page 27: ...ncomplete command ZXR10 At the end of the above example system prompts that com mand is incomplete This indicates requirement of other key words or parameters Note All commands in the command line operation are case insensitive Command Abbreviation ZXR10 8900 series switch allows abbreviating commands and key word to character or character string identifying the command or key word uniquely For ex...

Page 28: ... This recalls commands in the history buffer in a forward sequence Press Ctrl N or This recalls commands in the history buffer in a backward sequence In the privileged mode use show history command to list the recently used commands 16 Confidential and Proprietary Information of ZTE CORPORATION ...

Page 29: ...tem mapping files that is image files are stored under this directory The extended name of the image files is zar The image files are dedicated compression files Version upgrade means to change the corresponding image files under the directory Note Default name of ZXR10 8900 series switch software version file is zxr10 zar If it uses other names boot Path must be modified in boot status Otherwise ...

Page 30: ...rm the following steps Step Command Function 1 ZXR10 copy source device source file destination device destination file This copies files between Flash and FTP TFTP server 2 ZXR10 pwd This displays current directory path 3 ZXR10 dir directory This displays files subdirectory information under a designated directory 4 ZXR10 delete filename This deletes the files under the a designated directory of ...

Page 31: ...information and the directory ABC can be successfully added Directory of flash attribute size date time name 1 drwx 512 MAY 17 2004 14 22 10 IMG 2 drwx 512 MAY 17 2004 14 38 22 CFG 3 drwx 512 MAY 17 2004 14 38 22 DATA 4 drwx 512 MAY 17 2004 15 40 24 ABC 65007616 bytes total 48861184 bytes free ZXR10 rmdir ABC Delete the subdirectory ABC ZXR10 dir Check the current directory information and the dir...

Page 32: ...ckground host A window appears as shown in Figure 10 FIGURE 10 WFTPD WINDOW 2 Click Security select User Rights and perform the fol lowing operations i Click New Use to create a new user such as target with password enabled ii Select user name target in the drop down list of User Name iii Input the directory saving version files or configuration files in the Home Directory box such as D IMG After ...

Page 33: ... file and import export configuration Configuring a Switch as TFTP Client Terminal Prerequisites Enable TFTP server software in the background host and switch communication as client terminal Context To configure a switch serving as TFTP client terminal perform the following steps Steps 1 Run TFTPD software in the background host A window appears as shown in Figure 12 Confidential and Proprietary ...

Page 34: ... appears Click Browse and select the file saving version files or configuration files such as D IMG After configuration is completed a dialog box appears as shown in Figure 13 FIGURE 13 CONFIGURATION DIALOG BOX 3 Click OK to complete setting END OF STEPS 22 Confidential and Proprietary Information of ZTE CORPORATION ...

Page 35: ...es in FLASH to background TFTP server ZXR10 copy flash cfg startrun dat tftp 168 1 1 1 startrun dat Restoring Configuration File To restore configuration files use the following command Command Function ZXR10 copy source device source file destination de vice destination file This restores configuration files Example This example shows copy command that restores backup config uration files from ba...

Page 36: ...n upgrade procedures are almost the same please refer to Software Version Upgrade Ststem Software Version Upgrade Software version upgrade is only made when the original version fails to support certain functions Improper operation may lead to upgrade failure and system booting failure Therefore before starting to upgrade the version read related documents to under stand principle operation and up...

Page 37: ...R10 Boot c clear field go to previous field D quit Boot Location 0 Net 1 Flash 0 0 means booting from background FTP 1 means booting from FLASH Client IP 0 bootp 168 4 168 168 Corresponds to administrative Ethernet port address Netmask 255 255 0 0 Server IP 0 bootp 168 4 168 89 Corresponds to background FTP server address Gateway IP 168 4 168 168 Corresponds to administrative Ethernet port address...

Page 38: ...he new version file is unavailable it indicates the file copy failure please execute step 6 to re copy the version 8 Restart ZXR10 8900 series switch and follow the methods in step 4 and boot the system from FLASH enabled at this time Boot path is changed into flash img zxr10 zar automatically Note Boot mode is changed to boot from FLASH by using nvram imgfile location local command in global conf...

Page 39: ...e step 3 to recopy the version 5 After a normal switch boot up check the running version to confirm whether the upgrade is successful or not END OF STEPS Result The version has been updated at normality Upgrading Version without Interrupting System Prerequisites The following requirements are to be completed before users begin software version upgrade Connect the configuration port Console port of...

Page 40: ...file is unavailable it indicates the copy failure please execute step 3 to recopy the version 5 Copy the new version file in the directory IMG in FLASH to memory with update imgfile command 6 Reboot the secondary board with reload mp slave command 7 Switch over the primary board and secondary card with redu ndancy force command 8 To reboot the interface cards one by one with reload slot board unit...

Page 41: ...g This sets the greeting words Example This example shows how to configure welcome message upon sys tem boot ZXR10 config banner incoming Enter TEXT message End with the character Welcome to ZXR10 Router World ZXR10 config Configuring a Password of Privileged Mode To prevent an unauthorized user from modifying the configuration use the following command Command Function ZXR10 config enable secret ...

Page 42: ... switches or when there are multiple version files in a switch the users who perform usual upgrade steps likely feel confused Besides users have to compare the memories that the version files take which is inconvenient When version file is uploading to flash users can specify the direc tory and name of version file and then select the needed version file when booting the switch This is the functio...

Page 43: ...me and nvram default gateway com mands Example This example shows how to configure booting from local device ZXR10 config nvram imgfile location local This example shows how to configure booting from network ZXR10 config nvram imgfile location network sys img Saving Command Log File A switch can save some log files However after a switch is re booted the log files before rebooting will be lost If ...

Page 44: ...d log Configuring Saving Time of Alarm Log Event information is kept in system buffer of a switch When the buffer is full system clears the earliest event information If sav ing time is configured system clears corresponding events auto matically when it is time When there are a lot of events and buffer is full before saving time comes events are cleared according to configuration of logging buffe...

Page 45: ...flash start time 6 12 2008 00 00 01 end time 6 12 2008 23 59 59 This example shows how to save alarm log to flash aaa log ZXR10 config write alarmlog flash start time 06 25 2008 15 03 00 end time 06 25 2008 15 04 45 filename aaa log System Information View System information view includes the following topics Viewing Hardware and Software Versions To view hardware and software versions of the syst...

Page 46: ...xample This example shows how to view boot information of current run ning board ZXR10 show boot MEC2 panel 1 master Bootrom Version V1 84 Creation Date 2008 6 17 Update Support YES MEC2 panel 2 slave Bootrom Version V1 84 Creation Date 2008 6 17 Update Support YES NPCI panel 12 Bootrom Version V1 83 Creation Date 2008 7 6 Update Support YES Viewing System Diagnosis Information When malfunction oc...

Page 47: ...nformation CPU usage ratio Process information Queue information IGMP snooping information IP multicast routing table Layer 3 multicast joining information IP multicast forwarding table File information in flash Detailed information of software abnormity Resetting information of main control board Changeover information of active and standby boards Abnormal information of main control board interm...

Page 48: ... displayed page by page The displayed information is not saved by default Parameter descriptions Parameter Description detail Display detailed system information module module name Display information of designated module begin Display configuration information beginning with designated character or character string exclude Display configuration information excluding designated character or charac...

Page 49: ...8900 series switch supports CLI privilege classification function There are 16 levels Different users can have different privilege levels The higher privilege level users have the more commands users can use The administrators have the highest level Level 15 Therefore they can set the levels of different commands CLI privilege classification function consists of two parts privilege level maintenan...

Page 50: ...rivilege level is the same with or higher than the privilege level of a command the user can use the command Configuring CLI Privilege Classification Configuring Telnet User Considering security the privilege level of a user only can be con figured by the administrators That is after a user logs in to the switch the user can not modify own login password and privilege level Administrators do not n...

Page 51: ...config username test password test privilege 1 When the user telnets to log in to the switch the prompt is shown below Username test Password ZXR10 Note When a user with privilege level 2 15 logs in to the switch the prompt is When a user with privilege level 1 logs in to the switch the prompt is indicating that user should input the enabling password as shown below Username test Password ZXR10 en...

Page 52: ...change the priv ilege level to 12 the user should input the enabling password as shown below Username test Password this password should be test ZXR10 enable 12 Password this password should be zte ZXR10 Configuring Privilege Level of a Command By configuring privilege levels of commands administrators can control the range of commands that users can use When the privilege level of a user is highe...

Page 53: ...hen the user goes back to a lower privilege level from a higher privilege level the user does not need to input enabling password 5 View all commands beginning with show with user privilege level of 12 ZXR10 show interface Show interface property and statistics privilege Show current privilege level The result shows that show interface command is added to commands with privilege level of 12 Use sh...

Page 54: ...s shown below ZXR10 config exit ZXR10 enable 10 ZXR10 show run Building configuration urpf log off Maintenance and Diagnosis of CLI Privilege Classification To configure maintenance and diagnosis of CLI privilege classifica tion perform the following steps Step Command Function 1 ZXR10 show privilege cur mode detail level level node command keywords This views the privilege level of commands in cu...

Page 55: ...00M and MDI MDIX self adaptive function Default working mode is auto negotiation It negotiates work ing mode and rate with the opposite end devices Gigabit Ethernet electrical interface works in gigabit full duplex mode Duplex mode and rate of the port cannot be configured but auto negotiation mode can be configured 10 gigabit Ethernet optical interface works in 10 gigabit full duplex mode Auto ne...

Page 56: ...To enable an Ethernet port perform the following steps Step Command Function 1 ZXR10 config interface port name byname by name This accesses port configuration mode 2 ZXR10 config if no shutdown This enables an Ethernet port 3 ZXR10 config if byname by name This sets port byname Note To disable an Ethernet port use shutdown command The shutdown command makes the physical link status of the port ch...

Page 57: ... following steps Step Command Function 1 ZXR10 config interface port name byname by name This accesses port configuration mode 2 ZXR10 config if duplex half full This configures Ethernet port duplex mode Note Only the Ethernet electrical interface can be configured with duplex mode Before configuring the Ethernet port duplex mode disable auto negotiation function first Configuring Ethernet Port Ra...

Page 58: ...thernet port uses traffic control to restrain the packets sent to the port in a period of time When the receiving buffer is full a port sends a pause packet notifying the remote port to suspend packet transmission for a period of time Ethernet port can also receive pause packet from other devices and execute operations according to the packet regulation Allowing Jumbo Frame To allow jumbo frame to...

Page 59: ...his configures Ethernet port broadcast storm suppression Note It is possible to limit the volume of broadcast flow that is al lowed to pass through the Ethernet port System discards the broadcast flow exceeding the set value to lower the rate of broadcast flow to a reasonable range It suppresses broadcast storm and avoids network congestion ensuring normal opera tion of network service Broadcast s...

Page 60: ...percent percent value value This configures unknown unicast suppression of Ethernet port Enabling Fast Port Detection Function To enable fast port detection function perform the following steps Step Command Function 1 ZXR10 config interface port name byname by name This accesses port configuration mode 2 ZXR10 config if zfid interface port list This enables fast port detection function Note This f...

Page 61: ...esses port configuration mode 2 ZXR10 config if tcp syn protect rate limit 64 1000000 This configures TCP rate limit Configuring Switch of Optical or Electrical Port To switch optical or electrical port perform the following steps Step Command Function 1 ZXR10 config interface port name byname by name This accesses port configuration mode 2 ZXR10 config if hybrid attribute copper fiber This switch...

Page 62: ...mode is access pvid 2 Vrpf All Discard Count 0 BW 1000000 Kbits Last clearing of show interface counters never 120 seconds input rate 0 Bps 0 pps 120 seconds output rate 0 Bps 0 pps Interface peak rate input 0 Bps output 0 Bps Interface utilization input 0 output 0 Statistic of input output transmit message including statistic of error message Input Packets 338 Bytes 41572 Unicasts 0 Multicasts 32...

Page 63: ...t Open Open circuit Short Short circuit Mismatch Circuit impedance mismatched Good The circuit is in good condition Broken the circuit is open or short Unknown The result is unknown or undetected Fail Detection failed If the circuit is faulty test result outputs the circuit fault location If the circuit is in good condition approximate length of the normal circuit is generated To diagnose and test...

Page 64: ...ng for example mirrored port and the monitoring port can be in different inter face boards here the switch can be configured with one port mirroring at most Monitor the data transmitted or received by the mirrored port only Configuring Port Mirroring To configure port mirroring perform the following steps Step Command Function 1 ZXR10 config monitor session session number This creates a session 2 ...

Page 65: ...iguration mode Configuration in global configuration mode is shown below ZXR10 config monitor session 1 source gei_1 1 2 gei_2 2 direction rx destination gei_3 3 Port mirroring parameters can be deleted either one by one in in terface configuration or batch in global configuration mode Con figuration to delete the source port parameters of session 1 is shown below ZXR10 config no monitor session 1...

Page 66: ...AN mirroring FIGURE 16 ERSPAN EXAMPLE ERSPAN implements the following functions mirroring of original traffic and GRE encapsulation on source port device common IP packet forwarding on intermediate device and mirroring on desti nation port device Function implementation on intermediate de vice is not illustrated here Source device Oirt traffic or vlan traffic can be used as source traffic of mirro...

Page 67: ...le disable tpid 0x8100 ttl ttl_number 128 vlan id vlan id This adds source or destination port to session entry Displaying Session Details Configured by User Command Functions ZXR10 config show monitor session all session n umber This displays session details configured by user ERSPAN Configuration Example FIGURE 17 ERSPAN CONFIGURATION EXAMPLE As shown in Figure 1 set up a tunnel between Switch1 ...

Page 68: ...ection function based on VLAN that is the switch can detect loop in the VLAN that owns the same PVID with that on the port as well as in the VLAN that users designate On a port it is up to detect loops in 8 VLANs at the same time A port sends a Layer 2 multicast message every 15 seconds If there is a loop on a port the multicast message will go back to the port through which the message is sent Co...

Page 69: ... a port the switch takes measures according to corresponding configuration If the configuration is block the data flow breaks off The state of the port does not turn down System generates an alarm If the configuration is normal the data flow breaks off and the state of the port turns down System generates an alarm If the configuration is protect the data flow does not break off The state of the po...

Page 70: ...R10 config loop detect interface gei_1 1 enable ZXR10 config loop detect interface gei_1 1 vlan 1 2 enable ZXR10 config loop detect reopen time 5 The information on gei_1 1 is shown below ZXR10 show loop detect interface gei_1 4 Interface Monitor State VlanRange gei_1 4 YES normal 1 2 The reopen time on gei_1 1 is shown below ZXR10 show loop detect reopen time The reopen time of loop detect 5 minu...

Page 71: ...t in the network Address Classification IP addresses are divided into five classes A B C D and E Front three classes are commonly used Addresses of class D are net work multicast addresses and addresses of class E are reserved classes Range of each class is shown in Table 5 TABLE 5 IP ADDRESS FOR EACH CLASS Class Prefix Characteristic Bit Network Bit Host Bit Range Class A 0 8 24 0 0 0 0 to 127 25...

Page 72: ...the host bit IP address is composed of three parts network bit subnet bit and host bit Network bit and subnet bit identify a network uniquely Subnet mask is used to decide which parts of IP address are the network bits subnet bit and host bit The part with the subnet mask being 1 corresponds to the network bit and subnet bit of the IP address Part with the subnet mask being 0 corresponds to the ho...

Page 73: ... address MAC address when transmitting data to another network device The function of Address Resolu tion Protocol ARP is mapping IP address to physical address to ensure successful communication First the source device broadcast carries the ARP request of desti nation device IP address so all devices in the network will receive this ARP request If a device finds that the IP address in the re ques...

Page 74: ... address mac address This configures ARP binding on a Layer 3 interface 6 ZXR10 config ip arp inspection vlan vlan id This configures dynamic ARP inspection on a Layer 3 interface 7 ZXR10 config if arp learn This enables ARP learning on a Layer 3 interface 8 ZXR10 config if arp source filtered This configures ARP source filtration on a Layer 3 interface 9 ZXR10 config if ip proxy arp This configur...

Page 75: ...gnated external VLAN ID and internal VLAN ID use the following command Command Function ZXR10 show arp exvlanID id invlanID id This views ARP entry with designated external VLAN ID and internal VLAN ID Example This example shows how to view ARP table with external VLAN ID of 21 and internal VLAN ID of 31 ZXR10 show arp exvlanID 21 invlanID 31 Arp protect whole is disabled The count is 2 IPAddress ...

Page 76: ...ZXR10 8900 Series User Manual Basic Configuration Volume This page is intentionally blank 64 Confidential and Proprietary Information of ZTE CORPORATION ...

Page 77: ... first and sends a DHCP Request message to the server which indi cates it accepts the related configurations 4 Selected DHCP server returns a DHCP Ack message for ac knowledgement By now the host can use the IP address and relevant configuration obtained from the DHCP server for communication DHCP supports three mechanisms for IP address allocation DHCP assigns a permanent IP address to a client D...

Page 78: ...gally In a DHCP service subnet hosts with legal IP addresses and masks can access this subnet DHCP server may allocate these legal ad dresses to other hosts This causes address confliction To solve the above problems ZXR10 8900 series switch uses DHCP snooping function to prevent bogus DHCP server in a subnet The port connecting with DHCP server must be set as trust port Com bining with dynamic AR...

Page 79: ... ZXR10 config interface vlan vlan number This enters Layer 3 VLAN interface configuration mode 3 ZXR10 config if ip dhcp mode relay This configures DHCP relay on an interface 4 ZXR10 config if ip dhcp relay server ip address ip dhcp relay agent ip address This configures DHCP relay agent 5 ZXR10 config if ip dhcp relay server ip address security standard This configures IP address of external DHCP...

Page 80: ... interface 4 ZXR10 config ip dhcp snooping binding mac ad dress vlan vlan id ip address port number expiry time This adds an entry to DHCP Snooping database 5 ZXR10 config ip arp inspection vlan vlan id This configures dynamic ARP inspection DHCP Configuration Examples DHCP Server Configuration Example The switch acts as the DHCP server and default gateway The host obtains IP address through the D...

Page 81: ...client and server are not in the same sub network the router which connects with users works as a DHCP relay The switch enables DHCP relay function and a single server 10 10 2 2 provides DHCP server function This mode is usually adopted when a lot of hosts require the DHCP service This is shown in Figure 20 FIGURE 20 DHCP RELAY CONFIGURATION EXAMPLE Configuration on the switch ZXR10 config interfa...

Page 82: ...port FIGURE 21 DHCP SNOOPING PREVENTING FALSE DHCP SERVER Configuration on the switch ZXR10 config interface fei_1 1 ZXR10 config if sw ac vlan 100 ZXR10 config interface fei_1 2 ZXR10 config if sw ac vlan 100 ZXR10 config vlan 100 ZXR10 config vlan ip dhcp snooping ZXR10 config ip dhcp snooping enable ZXR10 config ip dhcp snooping vlan 100 ZXR10 config ip dhcp snooping trust fei_1 1 DHCP Snooping...

Page 83: ...DHCP server process module 2 ZXR10 show ip local pool pool name This displays configuration information of local address pools 3 ZXR10 show ip interface This displays configuration information of DHCP server relay related to an interface 4 ZXR10 show ip dhcp snooping configure This displays DHPC snooping global configuration information 5 ZXR10 show ip dhcp snooping vlan vlan id This displays conf...

Page 84: ...information in DHCP Snooping database 8 ZXR10 show ip arp inspection vlan vlanl id This displays configuration information of VLAN that enables dynamic ARP inspection function 9 ZXR10 debug ip dhcp This tracks packet sending and receiving as well as processing on DHCP server relay 72 Confidential and Proprietary Information of ZTE CORPORATION ...

Page 85: ...is interface address may be the address of one of router interfaces or the third party address If the interface address is used a router with the interface address acts as the master router Other routers act as the backup routers The router with high priority is used as the master router if the third party address is used If two routers have the same priority the one that sends VRRP message first ...

Page 86: ... for sending VRRP advertisements 6 ZXR10 config if vrrp group learn This learns the time interval from primary gateway to send VRRP messages 7 ZXR10 config if vrrp group authentication string This configures authentication character string 8 ZXR10 config if vrrp group out interface interface name This configures the out interface of VRRP messages Note A VRRP group can be configured with multiple v...

Page 87: ...55 255 0 0 ZXR10_R2 config if vrrp 1 ip 10 0 0 1 Symmetric VRRP Configuration Example Two VRRP groups are booted in this example where PC1 and PC2 use virtual router in Group 1 as default gateway with ad dress 10 0 0 1 PC3 and PC4 use virtual router in Group 2 as default gateway with address 10 0 0 2 R1 and R2 serve as mu tual backup Four hosts cannot communicate with outside world until both rout...

Page 88: ... ZXR10_R2 config if ip address 10 0 0 2 255 255 0 0 ZXR10_R2 config if vrrp 1 ip 10 0 0 1 ZXR10_R2 config if vrrp 2 ip 10 0 0 2 VRRP Maintenance and Diagnosis To configure maintenance and diagnosis perform the following steps Step Command Function 1 ZXR10 show vrrp group brief interface interface name This displays configuration information of all VRRP groups 2 ZXR10 debug vrrp state packet event ...

Page 89: ...ditions in an access list one by one The first match determines whether the switch accepts or rejects the packets because the switch stops testing conditions after the first match The order of conditions in the list is critical When there are no conditions matched the switch rejects the packets If there are no restrictions the switch forwards the packet otherwise the switch drops the packet Packet...

Page 90: ... ACL Type Access List Number Standard ACL The range is from 1 to 99 The expanded range is from 1000 to 1499 Extended ACL The range is from 100 to 199 The expanded range is from 1500 to 1999 Layer 2 ACL The range is from 200 to 299 Hybrid ACL The range is from 300 to 349 Standard IPv6 ACL The range is from 2000 to 2499 Extended IPv6 ACL The range is from 2500 to 2999 User Defined ACL The range is f...

Page 91: ...ackets should be de fined at the end of each ACL Defining Standard ACL To configure standard ACL perform the following steps Step Command Function 1 ZXR10 config acl standard number acl number name acl name alias alias name match order auto config This enters standard ACL configuration mode 2 ZXR10 config std acl rule rule no permit deny source source wildcard any time range timerange name This de...

Page 92: ...os value dscp dscp value tcp control tcp control value time range timerange name This defines TCP based rules 2 ZXR10 config ext acl rule rule no permit deny udp source source wildcard any rule port dest dest wildcard any rule port p recedence pre value tos tos value dscp dscp value time range timerange name This defines UDP based rules 3 ZXR10 config ext acl move rule no after rule no This moves ...

Page 93: ...to define a L2 ACL which allows ac cess of IP packets with source MAC address 00d0 d0c0 5741 and 802 1p code 5 ZXR10 config acl link number 200 ZXR10 config link acl rule 1 permit ip cos 5 ingress 10 00d0 d0c0 5741 0000 0000 0000 ZXR10 config link acl rule 2 deny 8847 Defining Hybrid ACL To configure hybrid ACL perform the following steps Step Command Function 1 ZXR10 config acl hybrid number acl ...

Page 94: ...andard number acl number name acl name alias alias name match order auto config This enters standard IPv6 ACL configuration mode 2 ZXR10 config std v6acl rule rule no permit den y source any time range timerange name This defines ACL rule 3 ZXR10 config std v6acl move rule no after before rule no This moves a rule 4 ZXR10 config std v6acl attach time range Te range name to rule id This binds a tim...

Page 95: ...e acl name alias alias name This enters basic ACL configuration mode 2 ZXR10 config user acl rule rule id permit deny any tag tag num offset rule string rule mask 1 4 time range timerange name This defines ACL rule 3 ZXR10 config user acl move rule no after before rule no This moves a rule 4 ZXR10 config user acl attach time range Time range name to rule id This binds a time range to a rule Exampl...

Page 96: ...onfigure the start time and end time of the time range Configuration of periodic time range configure the start time and end time of the period Applying ACL to Physical Port To apply ACL to physical ports perform the following steps Step Command Function 1 ZXR10 config interface port name This enters port configuration mode 2 ZXR10 config if ip access group acl number i n out vfp This binds ACL to...

Page 97: ... one interface status turns to down the other interface is enabled automatically To configure linkage ACL rule perform the following steps Step Command Function 1 ZXR10 config event list name This creates an event list 2 ZXR10 config event interface interface name ad min physical protocol down up This sets the conditions of triggering event where port management state physical state and protocol s...

Page 98: ...Switch C ZXR10 config event list zte ZXR10 config event interface gei_1 1 protocol down ZXR10 config event exit ZXR10 config acl standard number 1 ZXR10 config std acl rule 1 permit any event zte ZXR10 config std acl rule 2 deny any ZXR10 config std acl exit ZXR10 config interface gei_1 2 ZXR10 config if ip access group 1 in When protocol on gei_1 1 is down rule 1 becomes effective Traf fic can ac...

Page 99: ... NP based ACL to VLAN perform the following steps Step Command Function 1 ZXR10 config vlan vlan number This enters VLAN configuration mode 2 ZXR10 config vlan ip access group senior acl numbe acl name r in out This applies NP based ACL to VLAN To cancel application of NP based ACL to VLAN use no ip access group senior acl numbe acl name r in out command Applying NP Based ACL to Smartgroup Interfa...

Page 100: ...r IP addresses as 192 168 1 100 and 192 168 2 100 respectively may access the Internet and all servers at any time The IP addresses of the servers are as follows Mail server 192 168 4 50 FTP server 192 168 4 60 VOD server 192 168 4 70 FIGURE 26 ACL CONFIGURATION EXAMPLE Switch configuration Configure a time range ZXR10 config time range enable ZXR10 config time range working time ZXR10 config tr p...

Page 101: ... 0 0 0 0 time range working time ZXR10 config ext acl rule 4 permit ip any any Apply ACLs to the corresponding physical ports ZXR10 config interface fei_2 1 ZXR10 config if ip access group 100 in ZXR10 config if exit ZXR10 config interface fei_2 2 ZXR10 config if ip access group 101 in ZXR10 config if exit ACL Maintenance and Diagnosis To configure ACL maintenance and diagnosis perform the follow ...

Page 102: ...ZXR10 8900 Series User Manual Basic Configuration Volume This page is intentionally blank 90 Confidential and Proprietary Information of ZTE CORPORATION ...

Page 103: ...t work at the best effort cannot satisfy the requirement for appli cations For example user cannot use VoIP service and real time image transmission normally if packet transfer delay is too long To solve this problem provide system with capability of supporting QoS Functions When QoS is configured it selects specific network traffic prioritiz ing it according to its relative importance and use Imp...

Page 104: ... value Traffic Monitoring Traffic monitoring involves creating a policer that specifies the bandwidth limits for the traffic Packets that exceed the limits are out of profile or nonconforming Each policer specifies the action to take for packets that are in or out of profile The following operations are specified by the policer Discard or forward Change its DSCP value Change its discard priority p...

Page 105: ...d PBS A packet is marked in red if its size exceeds PIR A packet is marked in yellow if its size is between PIR and CIR and is marked in green if its size is less than CIR Traffic Shaping Traffic shaping is used to control the rate of output packets thus sending packets at even speed Traffic shaping is used to match packet rate with downlink equipment to avoid congestion and packet discarding Traf...

Page 106: ...hile the weight value of WRR means the scheduled packet number of each queue Therefore DWRR does not effect much on bandwidth Data priority is contained in the 802 1P label If data entering the port is not marked with an 802 1P label a default 802 1p value will be assigned by the switch Policy Routing Redirecting is used to make the decision again about the forward ing of packets with certain feat...

Page 107: ...ased Bandwidth Upper and Lower Threshold Due to limited queue buffer resources when network congestion occurs multiple packets will compete to use limited resources After configuring upper and lower threshold on outgoing inter face and when multiple flows compete for limited resources a cos queue flow can obtain a bandwidth which will not be less than bandwidth lower threshold or more than bandwid...

Page 108: ...c and PIR traffic have different schedules Configuring QoS Configuring Traffic Monitoring To configure traffic monitoring use the following command Command Function ZXR10 config traffic limit acl number rule id rule no cir cir value cbs cbs value ebs ebs value pir pir value pbs pbs value mode mode drop yellow forward red remark red dp high low medium remark red dscp value rem ark yellow dp high lo...

Page 109: ...d set the discard priority to high this part of packets will be discarded at a higher priority in queue congestion ZXR10 config acl extend number 100 ZXR10 config ext acl rule 1 permit any 168 2 5 5 ZXR10 config ext acl exit ZXR10 config traffic limit 100 rule id 1 cir 10000 cbs 2000 pir 10000 pbs 2000 mode blind ZXR10 config interface gei_5 1 ZXR10 config if ip access group 100 in Configuring Tra...

Page 110: ... all Host ip Vlan Up rate Down rate 168 1 2 3 20 600K 168 1 2 4 20 300K Configuring Queue Scheduling ZXR10 8900 series switch supports SP and WRR queue scheduling modes When these two modes are mixed used SP has a higher priority over WRR To configure queue scheduling use the following command Command Function ZXR10 config if queue mode strict priority dwrr queue no dwrr weight 1 8 wrr queue no wr...

Page 111: ...t acl rule 1 permit ip 168 2 5 5 0 0 0 0 any ZXR10 config ext acl rule 2 permit ip any 66 100 5 6 0 0 0 0 ZXR10 config ext acl exit ZXR10 config redirect in 100 rule id 1 interface gei_1 3 ZXR10 config redirect in 100 rule id 2 next hop1 166 88 96 56 1 ZXR10 config interface gei_1 4 ZXR10 config if ip access group 100 in Configuring Priority Mark To configure priority marking use the following com...

Page 112: ... packets with waterline 120 and green packets with waterline 120 are discarded ZXR10 config qos tail drop 1 queue id 1 120 100 120 ZXR10 config interface gei_1 1 ZXR10 config if drop mode tail drop 1 Configuring COS Discarding Priority Mapping To configure COS discarding priority mapping perform the follow ing steps Step Command Function 1 ZXR10 config qos cos drop map cos 0 drop priorit y cos 1 d...

Page 113: ...ty cos 4 local priority cos 5 local priori ty cos 6 local priority cos 7 local priority This configures parameters of COS local priority 2 ZXR10 config interface interface name This enters interface configuration mode 3 ZXR10 config if trust cos local enable This applies COS local priority mapping function Note To disable COS local priority mapping function use trust cos lo cal disable command Exa...

Page 114: ...lowing command Command Function ZXR10 config traffic mirror in acl number rule id rule no cpu interface port name This configures traffic mirroring Example This example describes how to map data traffic with source IP address 168 2 5 6 on port gei_1 8 to port gei_1 4 ZXR10 config acl basic number 10 ZXR10 config basic acl rule 1 permit 168 2 5 5 ZXR10 config basic acl rule 2 permit 168 2 5 6 ZXR10...

Page 115: ...c shape queue queue number max datarate limit rate min gua datarate rate This configures queue based bandwidth upper and lower threshold Configuring HQoS Configuring Traffic Class To configure traffic class perform the following steps 1 To create a traffic class or enter a traffic class use the following command Command Function ZXR10 config flow class class name This creates a traffic class or en...

Page 116: ...onfiguring WRED Policy To configure WRED policy perform the following steps 1 To create or enter a WRED policy use the following command Command Function ZXR10 config wred profile profile name level 1 3 This creates or enters a WRED policy Instructions Users enter WRED policy view after inputting this com mand If the policy does not exist users should input level to create a policy Each level has ...

Page 117: ...reate a policy Each level has a default WFQ They are default1 default2 and default3 By default level 1 can be configured up to 64 policies level 2 can be configured up to 64 policies and level 3 can be configured up to 16 policies To delete a WFQ policy use no wfq profile profile name command In global configuration mode if a view is used this view can not be deleted Default1 default2 and default3...

Page 118: ...t be deleted Default1 default2 and default3 can not be deleted 2 To configure discarding parameters of traffic shaping policy use the following command Command Function ZXR10 config shaping cir 1 10000000 cbs 1024 1671 1680 pir 1 10000000 pbs 1024 16711680 This configures discarding parameters of traffic shaping policy By default the value of CIR and PIR is 1 Configuring HQoS Policy To configure H...

Page 119: ...icy to a traffic class use the following com mand Command Function ZXR10 config qpolicy class wfq profile profile name This applies WFQ policy to a traffic class By default a traffic class is associated with a default WFQ pol icy of corresponding level If the WFQ policy does not exist system prompts error To cancel WFQ policy of a traffic class use no wfq profile command 6 To apply WRED policy to ...

Page 120: ...y policy name in out shaping shaping name This applies policy to an interface The interface can be a physical port a Layer 2 VLAN port or a Smartgroup interface 10 To copy QoS policy use the following command Command Function ZXR10 config copy qos profile source profile name destination profile name overwrite This copies QoS policy If the source policy does not exist system prompts error If policy...

Page 121: ... Policy video Class CCTV1 Match acl 1 rule 5 This example shows policy statistic information on gei_2 1 ZXR10 show qos policy statistics interface gei_2 1 in Qos policy telcom Class voice Receive Packet 10000 Reveive byte 1000000 Drop packet 100 Drop byte 10000 Class video QoS Configuration Examples Typical QoS Configuration Example Network A Network B and internal servers are connected to an Ethe...

Page 122: ...tistics on the traffic of Network A ZXR10 config interface gei_1 1 ZXR10 config if ip access group 100 in ZXR10 config if exit Apply ACL 100 to the interface connecting to Network A ZXR10 config acl extended number 101 ZXR10 config ext acl rule 1 permit tcp 192 168 2 0 0 0 0 255 192 168 4 70 0 0 0 0 ZXR10 config ext acl rule 2 permit ip any 192 168 3 100 0 0 0 0 ZXR10 config ext acl rule 3 permit ...

Page 123: ...se the ISP2 egress FIGURE 29 POLICY ROUTING CONFIGURATION EXAMPLE Configuration of switch ZXR10 config acl standard number 10 ZXR10 config std acl rule 1 permit 10 10 0 0 0 0 0 255 ZXR10 config std acl rule 2 permit 11 11 0 0 0 0 0 255 ZXR10 config std acl exit ZXR10 config redirect in 10 rule id 1 next hop 100 1 1 1 ZXR10 config redirect in 10 rule id 2 next hop 200 1 1 1 ZXR10 config interface g...

Page 124: ...mple shows how to view QoS configuration information ZXR10 config acl standard number 1 ZXR10 config std acl rule 1 permit 100 1 1 1 ZXR10 config std acl exit ZXR10 config traffic limit 1 rule id 1 cir 10000 cbs 2000 ebs 2000 mode blind ZXR10 config show qos traffic limit 1 rule id 1 cir 10000 cbs 2000 ebs 2000 mode blind 112 Confidential and Proprietary Information of ZTE CORPORATION ...

Page 125: ...em Authentication system is network equipment supporting the IEEE802 1x protocol such as the switch Corresponding to every different user port physical port or MAC address VLAN and IP of the user equipment the equipment has two logical ports composed of the controlled port and uncontrolled port Uncontrolled port is always in bidirectional connection state and delivers EAPOL protocol frames thus en...

Page 126: ...e aaa rule id port port name vlan vlan id This creates AAA control entry 3 ZXR10 config nas aaa rule id control dot1x dot1x relay enable disable This enables disables dot1x authentication or relay 4 ZXR10 config nas aaa rule id authentication auto locl radius This selects an authentication mode 5 ZXR10 config nas aaa rule id protocol pap chap eap This selects an authentication protocol 6 ZXR10 con...

Page 127: ...able period period disable This configures dot1x re authentication cycle 3 ZXR10 config nas dot1x quiet period period This configures quiet period of dot1x authentication 4 ZXR10 config nas dot1x tx period period This sets seconds for timeout and resending request for authentication 5 ZXR10 config nas dot1x supplicant timeout period This configures online detection timeout time of the dot1x user 6...

Page 128: ...he user with MAC address 6 ZXR10 config nas localuser user id accounting enable disable This configures accounting attribute of users Note To delete a local user use clear localuser user id command Managing DOT1x Authentication User To manage access users of DOT1x authentication perform the fol lowing steps Step Command Function 1 ZXR10 config show client port port number v lan vlan number slot sl...

Page 129: ... RADIUS authentication are conducted at the same time Disconnect the user and make it offline if RADIUS accounting fails Do not add the domain name after the user name during ac cess Connect the server group composed of two RADIUS servers to the switch IP addresses of these servers are 10 1 1 1 and 10 1 1 2 respectively It is required that the former serves as the master authentication slave accou...

Page 130: ...3 ZXR10 config nas ZXR10 config nas create aaa 1 port fei_1 1 ZXR10 config nas aaa 1 control dot1x enable ZXR10 config nas aaa 1 authorization auto ZXR10 config nas aaa 1 accounting enable ZXR10 config nas aaa 1 multiple hosts enable ZXR10 config nas aaa 1 default isp zte163 net ZXR10 config nas aaa 1 fullaccount disable ZXR10 config nas aaa 1 radius server authentication 1 ZXR10 config nas aaa 1 ...

Page 131: ...ion and Dot1x relay authentication enterprise wants to register network card address of each host When user logs in from the dot1x client only MAC address of the network card is checked User can log in only when address is legal Enterprise numbers for each MAC address and Internet access du ration of the user is based on the number A ZXR10 8908 switch works as the authenticator and it can implemen...

Page 132: ... ZXR10 show aaa rule id This displays an AAA control entry 3 ZXR10 show aaa statistics rule id This displays statistics information of rules 4 ZXR10 show client port port name vlan vlan id slot slot id aaa rule id all index id mac macaddr vlan vlanid This displays online user information 5 ZXR10 show client statistics This displays statistics information of online users 6 ZXR10 show localuser user...

Page 133: ...for the member switch but a private address is assigned to the member switch with similar DHCP function of the command switch Com mand switch and member switch form a cluster private network It is recommended to isolate the broadcast domain of the public network and that of the private network on the command switch and shield the direct access to the private address The command switch provides a m...

Page 134: ...o cluster Switch which does not support member switch is called independent switch Cluster management network is formed as shown in Figure 32 FIGURE 32 CLUSTER MANAGEMENT NETWORK Switching rule of four kinds of switches in the cluster is shown in Figure 33 122 Confidential and Proprietary Information of ZTE CORPORATION ...

Page 135: ...ally 2 ZXR10 config interface interface name This enters interface configuration mode 3 ZXR10 config if zdp enable This enable ZDP function on an interface 4 ZXR10 config if exit This exits interface configuration mode 5 ZXR10 config zdp timer time This configures time interval of transmitting ZDP packets 6 ZXR10 config zdp holdtime time This configures valid holding time of ZDP information Confid...

Page 136: ...ing ZTP protocol packets 8 ZXR10 config ztp port delay time This sets delay in sending ZTP protocol packets on the port 9 ZXR10 config ztp start This conducts once topology collection 10 ZXR10 config ztp timer time This sets ZTP timing topology collection time Setting up a Cluster To set up a cluster perform the following steps Step Command Function 1 ZXR10 config group switch type candidate indep...

Page 137: ... configuration on the command switch 3 ZXR10 config group erase member all member_id This deletes the member configuration file from the command switch 4 ZXR10 config group tftp server ip_addr This configures the tftp server on the cluster 5 ZXR10 config group trap host ip_addr This configures the alarm receiver of the cluster Configuring Cluster Operation Commands To configure cluster operation c...

Page 138: ...ch type command View command switch with show group com mand 5 Configure DUT B as the member switch with group member device 1 command and then view Member 1 in the up state with the show group member command 6 Log in to Member 1 with the rlogin member 1 command in the privilege mode and log in from Member 1 to the command switch with the rlogin commander command Cluster Management Maintenance and...

Page 139: ...quipment information 6 ZXR10 show group member member num mem_id This displays group member information Note To trace transmitting and receiving packets condition and handling condition of cluster management processes ZDP and ZTP with d ebug group command Confidential and Proprietary Information of ZTE CORPORATION 127 ...

Page 140: ...ZXR10 8900 Series User Manual Basic Configuration Volume This page is intentionally blank 128 Confidential and Proprietary Information of ZTE CORPORATION ...

Page 141: ...net Without adequate NTP synchronization organi zations cannot expect their network and applications to function properly ZXR10 8900 series switch acts as the NTP client Configuring NTP To configure NTP perform the following steps Step Command Function 1 ZXR10 config ntp server ip address version number This defines a time server 2 ZXR10 config ntp enable This enables NTP function 3 ZXR10 config n...

Page 142: ...ng AAA is used to authenticate users accessing the routing switch and prevent accessing of illegal users thus enhanc ing security of the equipment What s more services like DOT1X can also use RADIUS server for authentication and accounting ZXR10 8900 series switch supports RADIUS authentication func tion to authenticate Telnet users accessing routing switch ZXR10 8900 series switch supports multip...

Page 143: ...bin This configures algorithm of RADIUS server 3 ZXR10 config acctgrp 1 alias name str This configures byname of RADIUS server group 4 ZXR10 config acctgrp 1 calling station format Format number This defines format of calling station id field 5 ZXR10 config acctgrp 1 deadtime time This configures dead time of authentication server 6 ZXR10 config acctgrp 1 local buffer enable disable This clears lo...

Page 144: ...us all This displays RADIUS debugging information Note To clear all information in local buffer use clear accounting loca l buffer all command RADIUS Configuration Example This example describes how to configure a RADIUS accounting group Procedure of configuring a RADIUS authentication group is the same ZXR10 config radius accounting group 1 ZXR10 config acct group 1 algorithm round robin ZXR10 co...

Page 145: ...quipment information Community with read write authority can configure the equipment Both read only and read write are limited by the view Operations can only be conducted in the permitted view range When param eter view is omitted use default view and use parameter ro if ro rw are omitted To configure SNMP perform the following steps Step Command Function 1 ZXR10 config snmp server community comm...

Page 146: ... request It is used to report emergent and important events For step 6 ZXR10 8900 series switch supports 5 types of con ventional traps snmp bgp ospf rmon and stalarm SNMP Configuration Example This example describes the configuration of SNMP ZXR10 config snmp server view myViewName 1 3 6 1 2 1 included ZXR10 config snmp server community myCommunity view myview rw ZXR10 config snmp host 168 1 1 1 ...

Page 147: ...xample shows how to configure and start statistics control entries of the RMON ZXR10 config interface fei_1 1 ZXR10 config if rmon collection statistics 1 owner rmontest Assume n computers are linked to port fei_1 1 and when these computers communicate on the sub network traffic statistics can be viewed through NMS software and it can also be viewed with show command ZXR10 show rmon statistics Eth...

Page 148: ...old is 1000 assigned to event 1 Falling threshold is 10 assigned to event 0 On startup enable rising or falling alarm Example This example describes how to configure and enable event ZXR10 config rmon event 1 log trap rmontrap description test owner rmontest After configuring an alarm control entry and wait for 10s use s how command to view the contents of the RMON event ZXR10 show rmon event Even...

Page 149: ...ol processing 8 ZXR10 config syslog level level This sets a log level for SysLog protocol processing 9 ZXR10 config syslog server vrf vrf name mng ip address fport fport lport lport This sets the parameters of the background SysLog server 10 ZXR10 config show logging alarm typeid type start date date end date date level level This displays log information Note In step 10 types of supported alarmed...

Page 150: ...hbor discovery protocol providing a standard for devices in Ethernet such as switches routers and wireless LAN access points It helps the devices to tell the neighbors its existence and saves discovery information of the neighbors Information such as configuration and device identifier can be notified by LLDP LLDPDU LLDP defines a universal advertisement set a protocol for notify ing advertisement...

Page 151: ...ldp holdtime multiple This configures the aging time of LLDPDU The product of parameters multiple and hellotime is aging time 4 ZXR10 config interface interface name This enters interface configuration mode 5 ZXR10 config if lldp setAdminStatus enabledtxrx rxonly txonly disabled This configures the management state of LLDP LLDP Configuration Example This example shows how to configure LLDP As show...

Page 152: ...H Host I IGMP r Repeater P Phone W W LAN Access Point Local Intrfce Device ID Holdtime Capability Platform Port ID gei_1 3 00d0d0c7ffe0 120 B S ZXR10 ROS Version gei_1 2 V4 08 23 ZX gei_1 2 00d0d0c7ffe0 120 B S ZXR10 ROS Version gei_1 3 V4 08 23 ZX gei_1 5 00d0d0c7ffe0 120 B S ZXR10 ROS Version gei_1 Showing interface neighbor information Zxr10 show lldp neighbor interface gei_1 1 c Capability Cod...

Page 153: ...d exchanging files si multaneously IPTV uses a two way broadcast signal that is sent through the service provider s backbone network and servers It allows the viewers to select content on demand and take advan tage of other interactive TV options IPTV can be used through PC or IP machine box TV Configuring IPTV Configuring IPTV Global Parameters To configure IPTV global parameters perform the foll...

Page 154: ...tv prw auto reset time HH MM SS This configures the auto reset time of preview 4 ZXR10 config iptv prw recognition time recog time This configures recognition time of preview 5 ZXR10 config iptv prw overcout cdr enable disable This configures whether to generate CDR record when maximum preview times are over Configuring IPTV CDR Parameters To configure CDR parameters perform the following steps St...

Page 155: ...teps Step Command Function 1 ZXR10 config iptv channel mvlan vlan id group group ip name channel name id channel id count count value prename prename str This creates channels of IPTV 2 ZXR10 config iptv channel name old name rename new name This sets the name of a channel 3 ZXR10 config iptv channel name idlist channel name viewfile name viewfile name viewfile id viewfile id This configures a pre...

Page 156: ...es a preview configuration file 2 ZXR10 config iptv view profile name viewfile na me count view count This configures the maximum preview times 3 ZXR10 config iptv view profile name viewfile na me duration view duration This configures the maximum duration for single preview 4 ZXR10 config iptv view profile name viewfile na me blackout view interval This configures the minimum preview interval 5 Z...

Page 157: ...lan id vlan id vlan name vlan name package name package name idlist package idlist This deletes package allocated to rule Configuring IPTV Fast Leave To configure IPTV fast leave perform the following steps Step Command Function 1 ZXR10 config iptv fast leave mvlan mvlan id This enables IPTV fast leave function To enable this function igmp snooping function must be enabled in mvlan 2 ZXR10 config ...

Page 158: ...ig iptv channel id list 0 viewfile name vw1 ZXR10 config interface gei_1 1 ZXR10 config if iptv vlan 1 service start ZXR10 config if iptv vlan 1 control channel ZXR10 config if iptv vlan 1 channel id 0 Example Port gei_1 1 only allows receiving the querying packets of multi cast group 224 1 1 1 Vlan ID of this multicast group is 100 There is only one channel with ID of 0 Configuration is shown bel...

Page 159: ...iewfile name This shows the information of view profile ZXR10 show iptv rule port port name vlan id vlan i d vlan name vlan name channel package This shows CRC rules ZXR10 show iptv rule statistics rule id rule id This shows CRC rule statistics ZXR10 show iptv client port port NPC slot no vlan id vlan id vlan name vlan name This shows online IPTV users ZXR10 show iptv channel statistics channel id...

Page 160: ...ZXR10 8900 Series User Manual Basic Configuration Volume This page is intentionally blank 148 Confidential and Proprietary Information of ZTE CORPORATION ...

Page 161: ...S protocol that is mapping to corresponding DSLAM accord ing to the VLAN in user band BAS start user line identifier inquiry to DSLAM DSLAM give user line identifier response to BAS In this manual the switches are DSLAMs VBAS function is implemented by sending VBAS messages be tween BAS and DSLAM Configuring VBAS To configure VBAS perform the following steps Step Command Function 1 ZXR10 config vb...

Page 162: ...VBAS function on Switches Configure VBAS and enable vlan as vlan1 configure fei_1 1 as trust port its type is user ZXR10 config vbas enable ZXR10 config vlan 1 ZXR10 config vlan vbas enable ZXR10 config vlan exit ZXR10 config interface fei_1 1 ZXR10 config if vbas trust ZXR10 config if vbas port type user VBAS Maintenance and Diagnosis To configure of maintenance and diagnosis use the following co...

Page 163: ...ack ets When discovering packets with abnormal upward rate sys tem makes alarm This prompts network management that there may be packets attacking CPU Network management system de cides whether to discard this kind of packet or not according to situations Or network management system filters unreasonable packets CPU Attack Protection Working Principle If IPv4 or IPv6 protocol protection function i...

Page 164: ... sent to CPU during a cycle is compared with a configured threshold value For example the number of protocol messages sent to CPU within 30 seconds is bigger than the configured threshold value system sends a piece of alarm information in format of Receive too many packets of protocol message type from port port number This indicates the user that there may be attack of some type of proto col mess...

Page 165: ... include ospf pim igmp vrrp icmp arpreply arprequest group mng vbase vrrp arp dhcp rip bgp telnet ldp_tcp ldp_udp ttl 1 bpdu snmp msdp and radius Configuring IPv6 Protocol Protection To configure IPv6 protocol protection perform the following steps Step Command Function 1 ZXR10 config if ipv6 protocol protect mode protocolname enable disable This sets IPv6 protocol protection function 2 ZXR10 conf...

Page 166: ...ol protect average rate mode protocol name 10 600 This configures the average rate of Layer 2 protocols 4 ZXR10 config if l2 protocol protect peak rate mode protocol name 100 1000 This configures the peak rate of Layer 2 protocols Note Layer 2 protocol supported by CPU attack protection is LLDP CPU Attack Protection Configuration Examples Example This example shows how to enable OSPF protection fu...

Page 167: ...CPU Attack Protection Configuration ZXR10 config if ipv6 protocol protect mode icmp enable ZXR10 config if ipv6 protocol protect alarm mode icmp 3200 Confidential and Proprietary Information of ZTE CORPORATION 155 ...

Page 168: ...ZXR10 8900 Series User Manual Basic Configuration Volume This page is intentionally blank 156 Confidential and Proprietary Information of ZTE CORPORATION ...

Page 169: ... table and see if the interface corresponding to the source address matches the ingress interface When interface does not match the ingress interface it will regard source address as a false address and then discard the packet In this way URPF can effectively prevent malicious attacks by modifying the source address to the network Module 1 A simple network module is shown in Figure 37 FIGURE 37 SO...

Page 170: ...lex scenario is that TCP SYN flooding attack will cause TCP SYN ACK data packet to be sent to many hosts completely independent of the attack and such hosts will become victims As a result attacker may spoof one or more systems at the same time Similarly UDP and ICMP may be used to implement flooding at tacks All these attacks will severely lower the system performance or even cause system to cras...

Page 171: ...source IP ad dress can find route and the route is not by default it will be processed in the normal way Otherwise it will be discarded URPF Configuration Example URPF network topology is shown in Figure 39 FIGURE 39 URPF CONFIGURATION EXAMPLE Strict URPF is configured on interface fei_1 2 on S1 so as to pre vent the users behind network 192 168 0 0 24 from maliciously attacking networks behind S1...

Page 172: ...maintenance and diagnosis of URPF perform the fol lowing steps Step Command Function 1 ZXR10 show interface This shows statistical count of URPF on an interface 2 ZXR10 show ip traffic This shows the statistical count of URPF in the system 160 Confidential and Proprietary Information of ZTE CORPORATION ...

Page 173: ...system can distin guish all flows in the entire network and correctly record transmit time of each flow occupied network port transmit source desti nation address and size of data flows traffic and flow direction of all communications in the entire carrier network can be analyzed and performed with statistics By telling differences among different flows in network it is avail able to judge if two ...

Page 174: ...ce can per form data aggregation to original statistics in various modes and send the summary statistics result to upper layer man agement server The latter one can reduce the data quantity output by network device thus decreasing requirement to con figuration of upper layer management server and promoting scalability and working efficiency of upper layer management system IPFIX outputs data in fo...

Page 175: ...data flows according to template Configuring IPFIX Basic Configuration Enabling Disabling IPFIX Module Command Functions ZXR10 config ip stream enable disable This enables disables IPFIX module Setting IPFIX Memory Entries Command Functions ZXR10 config ip stream cache entries number This sets the number of data flow entries stored in IPFIX module 4096 by default Setting Aging Time of Active Strea...

Page 176: ...ing rate Setting NM Server Address and L4 Port ID Command Functions ZXR10 config ip stream export destination ip address udp port This sets the address and port id of NM server to which packets are sent Setting Source Address for Network Device Sending Packets Command Functions ZXR10 config ip stream export source ip address This sets source address for network device sending packets Setting Templ...

Page 177: ...et Server resolves data contained in subsequent data flow according to these fields The fields include source IP destination IP source port destination port the number of bytes contained in data flow the number of packets contained in data flow type of L3 protocol TOS field start time of data flow end time of data flow data flow ingress index data flow egress index and TCP flag Deleting Template C...

Page 178: ...1 config ip stream topn 10 sort by packets ZXR10_R1 config ip stream template test ZXR10_R1 config stream tempalte match srcaddr ZXR10_R1 config stream tempalte match dstaddr ZXR10_R1 config stream tempalte match srcport ZXR10_R1 config stream tempalte match dstsrcport ZXR10_R1 config stream tempalte exit ZXR10_R1 config ip stream run template test IPFIX Maintenance and Diagnosis For the convenien...

Page 179: ...flow ingress egress source address destination address source port destination port L3 protocol type the number of packets or the number of bytes corresponding to TOPNS setting 3 To show template configuration execute the following com mand show ipstream template This shows configuration of template that is fields contained in template Confidential and Proprietary Information of ZTE CORPORATION 16...

Page 180: ...ZXR10 8900 Series User Manual Basic Configuration Volume This page is intentionally blank 168 Confidential and Proprietary Information of ZTE CORPORATION ...

Page 181: ...55 Figure 18 Port Loop Detection Configuration Example 58 Figure 19 DHCP Server Configuration Example 68 Figure 20 DHCP Relay Configuration Example 69 Figure 21 DHCP Snooping Preventing False DHCP Server 70 Figure 22 DHCP Snooping Preventing Static IP 71 Figure 23 Basic VRRP Configuration Example 75 Figure 24 Symmetric VRRP Configuration Example 76 Figure 25 Configuring Event Linkage ACL Rule 86 F...

Page 182: ...ion Example 130 Figure 36 LLDP Configuration Example 139 Figure 37 Source Address Snooping 1 157 Figure 38 Source Address Snooping 2 158 Figure 39 URPF Configuration Example 159 Figure 40 IPFIX Configuration Example 166 170 Confidential and Proprietary Information of ZTE CORPORATION ...

Page 183: ... Table 1 CHAPTER SUMMARY i Table 3 Parameter Values 6 Table 4 Command Modes 12 Table 5 IP Address for Each Class 59 Table 6 ACL Descriptions 78 Confidential and Proprietary Information of ZTE CORPORATION 171 ...

Page 184: ...ZXR10 8900 Series User Manual Basic Configuration Volume This page is intentionally blank 172 Confidential and Proprietary Information of ZTE CORPORATION ...

Page 185: ...AN EBS Excess Burst Size FTP File Transfer Protocol ICMP Internet Control Message Protocol IP Internet Protocol IPTV Internet Protocol Television LLDP Link Layer Discovery Protocol LLDPDU Link Layer Discovery Protocol Data Unit MAC Media Access Control MIB Management Information Base NMS Network Management System NTP Network Time Protocol PBS Peak Burst Size PIR Peak Information Rate PVID Port VLA...

Page 186: ...l File Transfer Protocol TLV Type Length Value ToS Type Of Service UDLD UniDirectional Link Detection UDP User Datagram Protocol URPF Unicast Reverse Path Forwarding VBAS Virtual Broadband Access Server VLAN Virtual Local Area Network VRRP Virtual Router Redundancy Protocol WRR Weighted Round Robin 174 Confidential and Proprietary Information of ZTE CORPORATION ...