ZXR10 5900E Series All Gigabit-Port Intelligent Routing Switch
Contents
1. [Screenshot residue: SSH client configuration dialog, "Options controlling SSH connections", showing the preferred SSH protocol version, the encryption cipher selection policy (AES, Blowfish, 3DES, DES) and the option "Enable legacy use of single DES in SSH 2".]
   4. Click Open to log in to the switch, and input the correct user name and password following the prompt. The user enters the switch configuration interface upon successful login.
   Simple Network Management Protocol (SNMP)
   Simple Network Management Protocol (SNMP) is one of the most popular network protocols. An NM server can manage all devices on the network through this protocol.
   SNMP adopts management that is based on the server and client. The background NM server serves as the SNMP server, and the foreground network device, the ZXR10 5900E, serves as the SNMP client. Foreground and background share one MIB management database, and SNMP is used for communications.
   NMS software supporting SNMP shall be installed on the background NM server to manage and configure the ZXR10 5900E.
2. 1. To create channels of IPTV, use the following command:
   ZXR10 config create iptv channel general <256> special <0-255>
   This creates channels of IPTV. Channel number is 0-256. 0-255 are special channels. Each channel must designate a multicast address. 256 is the general channel and does not need to designate a multicast address.
   2. To set the name of a channel, use the following command:
   Confidential and Proprietary Information of ZTE CORPORATION
   Chapter 12 IPTV Configuration
   ZXR10 config iptv channel 0 256 name
   This sets the name of a channel.
   3. To set a channel belonging to a multicast Vlan, use the following command:
   ZXR10 config iptv channel 0 256 mvlan
   This sets a channel belonging to a multicast Vlan.
   4. To delete a channel, use the following command:
   ZXR10 config clear iptv channel 0 256
   This deletes a channel.
   Configuring Channel Access Control (CAC)
   1. To create rules of CAC, use the following command:
   ZXR10 config create iptv cac rule <1-256>
   This creates rules of CAC.
   2. To set the name of a CAC rule, use the following command:
   ZXR10 config iptv cac rule <1-256> name
   This sets the name of a CAC rule.
   3. To set maximum preview counts of rules, use the following command:
   ZXR10 config iptv cac rule <1-256> prvcount
   This sets maximum preview counts of rules. The default is the global maximum preview count.
   4. To
3. 3. To configure the hostname of the dhcp client on the interface, use the following command:
   ZXR10 config if vlanx ip dhcp client hostname WORD
   This configures the hostname of the dhcp client on the interface.
   4. To configure lease information of the dhcp client on the interface, use the following command:
   ZXR10 config if vlanx ip dhcp client lease 0 365 infinite
   This configures lease information of the dhcp client on the interface.
   5. To configure request information of the dhcp client on the interface, use the following command:
   ZXR10 config if vlanx ip dhcp client request dns nameserver domain name router static route tftp server address
   This configures request information of the dhcp client on the interface.
   ZXR10 5900E Series User Manual Basic Configuration Volume
   DHCP Configuration Example
   DHCP Server Configuration Example
   R1 acts as the DHCP server and default gateway, and the host obtains IP addresses through DHCP dynamically, as shown in Figure 23.
   [Figure 23: DHCP SERVER CONFIGURATION. Labels: DNS Server 10.10.2.2/24, 10.10.1.1/24, R1, FTP Server 10.10.1.2/24.]
4. [Figure residue. Labels: Independent Switch, Candidate Switch, Outside the cluster.]
   Switching rule of the four types of switches in the cluster is shown in Figure 33.
   Chapter 15 Cluster Management Configuration
   [Figure 33: SWITCH SWITCHING RULE. Transitions among member switch, independent switch, candidate switch and command switch: "Specified as the command switch", "Specified as the independent switch without member", "Join in the cluster", "Delete from the cluster", "Specified as the candidate switch", "Specified as the candidate switch without member".]
   Configuring Cluster Management
   Configuring ZDP Neighbor Discovery Protocol
   1. To enable the ZDP function globally or in a specific interface, use the following command:
   ZXR10 config zdp enable
   This enables the ZDP function globally or in a specific interface.
   2. To configure the time interval of transmitting ZDP packets, use the following command:
   ZXR10 config zdp timer time
   This configures the time interval of transmitting ZDP packets.
   3. To configure the valid holding time of ZDP information, use the following command:
   ZXR10 config zdp holdtime <time>
   This configures
5. Chapter 8 DHCP Configuration
   ZXR10 config ip pool no conflict time
   This configures conflict time in IP pool. <time>: conflict time value, 1-18000 minutes; the default value is 30 minutes.
   This deletes the original configuration and restores the default time value.
   3. To configure reserving address in IP pool or delete the original configuration, use the following commands:
   ZXR10 config ip pool exclude <low_ip_addr> <hig_ip_addr>
   This configures reserving address in IP pool. <low_ip_addr>: the begin (low) address of the reserving address range, or a specific address. <hig_ip_addr>: the highest address of the reserving address range. This command parameter must be a subset of this address pool.
   ZXR10 config ip pool no exclude <low_ip_addr> <hig_ip_addr>
   This deletes the original configuration. <low_ip_addr>: the begin (low) address of the reserving address range, or a specific address. <hig_ip_addr>: the highest address of the reserving address range. This command parameter must be a subset of this address pool.
   4. To add all suitable IP addresses to IP pool or delete the corresponding IP address range, use the following commands:
   ZXR10 config ip pool network net number net mask
   ZXR10 config ip pool no network net number net mask
   This adds all suitable IP addresses to IP pool. net number: a specific subnet network number n
6. [Figure 41: POE POWER SUPPLY. Labels: Switch, Hub, Bluetooth AP, IP Phone, Wireless local Area network AP, Network Camera.]
   Configuring PoE
   ZXR10 config if poe enable
   This enables the interface PoE function. The default is disabled.
   ZXR10 config if poe pd max power 15 4 7 0 4 0 ext 18 ext 27 ext 30 0
   This configures port maximum power. This command can only be used when the PoE function is not enabled on this interface. The default is 15.4.
   ZXR10 config if poe priority critical high low
   This configures interface priority. This command can only be used when the PoE function is not enabled on this interface. The default is low.
   Chapter 17 POE Configuration
   ZXR10 config if poe enhanced mode enable disable
   ZXR10 config poe overtemperature auto recovery enable
   ZXR10 config poe power threshold <40-90>
   ZXR10 config poe upgrade firmware firmware name
   This configures compatibility detection of the port connected device. This command can only be used when the PoE function is not enabled on this interface. The default is enabled. This command indicates whether to open the connected device compatibility detection. If enable is configure
7. 2. ZXR10 config no ip dhcp ramble
   This disables the DHCP ramble function.
   7. To enable the DHCP log print switch or stop the DHCP print function, use the following command:
   1. ZXR10 config ip dhcp logging on
   This enables the DHCP log print switch. The default is to disable the DHCP log print function. After the DHCP log print function is enabled, the DHCP user on-line log will be recorded.
   2. ZXR10 config no ip dhcp logging on
   This disables the DHCP print function.
   Configuring DHCP Snooping
   1. To add a binding entry to the binding database manually or delete a binding entry from the DHCP SNOOPING binding database, use the following commands:
   ZXR10 config ip dhcp snooping binding <mac> vlan <vlan> <ip address> <interface number> expiry <2147483647>
   This adds a user binding entry to the binding database manually. <mac>: user MAC address. vlan: the VLAN the user belongs to; input the range 1-4096. <ip address>: DHCP binding IP address. <interface number>: physical interface number, such as fei, gei and smartgroup.
   ZXR10 config no ip dhcp snooping binding <mac> vlan <vlan> <ip address> <interface number>
   This deletes a user binding entry from the DHCP SNOOPING binding database.
   2. To delete the entry of DHCP SNOOPING binding table on layer 2 interface manually
8. ZXR10 config interface <port name>
   This enters interface configuration mode.
   ZXR10 config gei_1 x duplex half full
   This sets the Ethernet port to work in duplex mode.
   Setting Ethernet Port Speed
   ZXR10 config interface <port name>
   This enters interface configuration mode.
   ZXR10 config gei_1 x speed 10 100
   This sets Ethernet port speed.
   Only a GE port allows configuration of its duplex mode and rate. Disable auto negotiation on the port before the configuration.
   Setting Flow Control on an Ethernet Port
   ZXR10 config interface <port name>
   This enters interface configuration mode.
   2. ZXR10 config gei_1 x flowcontrol enable disable
   This sets flow control on an Ethernet port.
   Flow control restricts the packet count sent to the Ethernet port within a certain time period. The port sends a pause packet when the receive buffer is full, to tell the remote port not to send any more packets to it within a certain period. The Ethernet port can also receive pause packets from other devices and do as required by the packets.
   Chapter 4 Interface Configuration
   Allowing/Prohibiting Jumbo Frame on an Ethernet Port
   ZXR10 config interface <port name>
   This enters interface configuration mode.
   ZXR10 config gei_1 x jumbo frame enable disable
   This allows/prohibits jumbo frame on an Ethernet port. By default m
9. any <rule> <0-maxPortNo> <tcpporttype> udp <source prefix> any <rule> <0-maxPortNo> <udpporttype> <destination prefix> any rule 0 maxPortNo udpporttype ingress Source mac address Source wildcard bits egress Destination mac address Destination wildcard bits time range timerange name event event name
   ZXR10 config ext v6acl move <rule no> after before <rule no>
   This moves a rule behind another rule.
   Example
   In this example, define an extended ipv6 ACL to permit IP packets with the source ip network segment as 10:0:0:0:0:0:0:0/16 and destination ip network segment as 20:0:0:0:0:0:0:0/16 to pass, and deny the packets with MAC address 0012 0001 0002 to pass.
   ZXR10 config ipv6 acl extended 2500
   ZXR10 config ext v6acl rule 1 permit 10 16 20 16
   ZXR10 config ext v6acl rule 2 deny fragment any any ingress 0012 0001 0002 0000 0000 0000
   Chapter 6 ACL Configuration
   Applying ACL on Physical Port
   ZXR10 config interface <port name>
   This enters interface configuration mode.
   ZXR10 config if ip access group acl number in out vfp
   This applies an ACL on a physical port and can bind inbound of port, outbound of port and vfp.
   Note: One physical port can only apply one ACL. The new configuration wil
10. - Uncontrolled port is always in bidirectional connection state and delivers EAPOL protocol, which ensures that the client can always send or receive authentication.
   - Controlled port opens upon success of the authentication to deliver network resources and services. The controlled port modes can be configured as bidirectional controlled and only transmission controlled, to adapt to different application environments. If the user fails to pass authentication, the controlled port is in unauthenticated state and the user cannot access services offered by the authentication system.
   Controlled port and uncontrolled port in the IEEE 802.1x protocol are logical concepts, and no such physical switches exist in the equipment. The IEEE 802.1x protocol establishes a logical authentication channel for each user, and other users cannot use the logical channel after the port is enabled.
   3. Authentication server is usually a RADIUS server. User-related information is stored in the authentication server, such as the VLAN where the user is located, CAR parameter, priority and access control list of the user. Once the user passes authentication, the authentication server delivers user-related information to the authentication system, which creates a dynamic access control list. The above parameters are used to mea
11. sure subsequent traffic of the user. Authentication server and RADIUS server communicate with each other through the RADIUS protocol.
   Configuring DOT1X
   Configuring AAA
   1. To create an AAA control entry, use the following command:
   ZXR10 config nas create aaa <rule id> port <port name> vlan <vlan id>
   This creates an AAA control entry.
   2. To clear an AAA control entry, use the following command:
   ZXR10 config nas clear aaa <rule id>
   This clears an AAA control entry.
   3. To enable/disable dot1x authentication or trunk, use the following command:
   ZXR10 config nas aaa <rule id> control dot1x dot1x relay enable disable
   This enables/disables dot1x authentication or trunk.
   4. To select an authentication mode, use the following command:
   ZXR10 config nas aaa rule id authentication local radius
   This selects an authentication mode.
   5. To select an authentication protocol, use the following command:
   Chapter 10 DOT1X Configuration
   ZXR10 config nas aaa rule id protocol pap chap eap
   This selects an authentication protocol.
   6. To configure the keepalive interval, use the following command:
   ZXR10 config nas aaa <rule id> keepalive enable period <period value> disable
   This configures the keepalive interval.
   7. To configure whether to charge use the following c
12. Manual mode is applied where users are configured with static IP addresses. Automatic mode is used where users get IP addresses dynamically through the DHCP protocol.
   Configuring MFF
   1. To set MFF mode, use the following commands:
   1. ZXR10 config mff mode auto manus
   This configures MFF manual mode or automatic mode.
   2. ZXR10 config no mff mode
   This cancels MFF mode configuration.
   2. To enable the MFF function, use the following command:
   1. ZXR10 config if vlanx mff enable
   This enables the MFF function in the VLAN interface.
   2. ZXR10 config if vlanx no mff mode
   This disables the MFF function in the VLAN interface.
   3. To configure MFF interface type, use the following command:
   Chapter 16 Security Configuration
   ZXR10 config gei_1 x set mff user port network port
   This sets a layer 2 physical interface as MFF user interface or network interface.
   4. To configure MFF gateway IP address, use the following command:
   ZXR10 config if vlanx set mff gateway ip <A.B.C.D>
   This configures MFF gateway IP address in VLAN by manual mode.
   ZXR10 config if vlanx no set mff gateway ip
   This cancels MFF gateway IP address.
   5. To configure MFF user statically, use the following command:
   ZXR10 config mff user A B C D H H H vlan 1 4094 gateway A B C D
   This configures MFF user statically in manual mode.
   ZXR10 config no mff use
13. NTP Configuration
   NTP Overview
   Network Time Protocol (NTP) is the protocol used to synchronize the clocks of computers on a network, or across multiple networks like the Internet. Without adequate NTP synchronization, organizations cannot expect their network and applications to function properly.
   In practice, ZXR10 5900E can act as the NTP client and supports the configuration of at most 5 NTP time servers.
   Configuring NTP
   1. To define a time server, use the following command:
   ZXR10 config rmon collection statistics index owner <string>
   This defines a time server. Priority must be selected; each server priority is different and the range is 1-5. Version is optional; the range is 1-3 and the default is 3. Key is optional and is valid when authentication is enabled. Lock/unlock is optional and is used to configure whether the server is locked.
   2. To enable the NTP function, use the following command:
   ZXR10 config ntp enable
   This enables the NTP function.
   3. To configure the source address used by NTP in the process of sending a synchronization time request, use the following command:
   ZXR10 config ntp source ip address
   This configures the source address used by NTP in the process of sending a synchronization time request.
   4. To configure time zone of the switch use th
14. Network Management Configuration
   NTP Configuration
      NTP Overview
      Configuring NTP
      NTP Configuration Example
   RADIUS Configuration
      RADIUS Overview
      Configuring RADIUS
      RADIUS Configuration Example
   SNMP Configuration
      SNMP Overview
      Configuring SNMP
      SNMP Configuration Example
   RMON Configuration
      RMON Overview
      Configuring RMON
      RMON Configuration Example
   SysLog Configuration
      SysLog Overview
      Configuring SysLog
      Syslog Configuration Example
   TACACS Configuration
      TACACS+ Overview
      Configuring TACACS+
      TACACS Configuration Example
15. PoE Maintenance
   ZXR10 5900E provides show commands to help maintenance and diagnosis of PoE. Common commands used in PoE maintenance and diagnosis are as follows:
   ZXR10 config show poe config interface <interface name>
   This views interface PoE configuration.
   ZXR10 config show poe interface interface name
   This views interface PoE status configuration.
   ZXR10 config show poe device <device id>
   This views PSE status information.
   Figures
   Figure 1 ZXR10 5900E Configuration Modes
   Figure 2 STARTING THE HYPERTERMINAL
   Figure 3 LOCATION INFORMATION
   Figure 4 SETTING UP A CONNECTION
   Figure 5 CONNECTION CONFIGURATION
   Figure 6 COM1 PROPERTIES
   Figure 7 RUN TELNET
   Figure 8 TELNET LOGIN
   Figure 9 SETTING IP ADDRESS AND PORT NUMBER OF SSH
   Figure 10 SETTING THE SSH VERSION NUMBER
   Figure 11 WFTPD INTERFACE
   Figure 12 USER RIGHTS SECURITY DIALOG BOX
   Figure 13 TFTPD INTERFACE
   Figure 14 CONFIGURING DIALOG BOX
   Figure 15 PORT MIRRORING EXAMPLE
   Figure 16 PORT RSPAN MIRRORING EXA
16. Port fei 1 1
   Monitor Direction rx
   Destination Port
   Port tunnel1
   ERSPAN Destination IP 10.10.10.10
   Source IP 20.20.20.20
   Loopback Detection Configuration
   Port Loopback Detection Overview
   ZXR10 5900E supports single port loopback detection. This function can detect a loopback on the user side that connects to the switch and on the switch itself, and can then solve the problem. It avoids the broadcast storm that results from a loopback.
   ZXR10 5900E detects loopback on a few ports or on all ports. By default, it is not detected. It supports loopback detection in VLAN. One port supports loopback detection of up to 8 Vlans at the same time.
   Configuring Port Loopback Detection
   ZXR10 config loop detect interface <port name> enable disable
   This enables the loopback detection function of one port or multiple ports.
   ZXR10 config loop detect interface <port name> vlan <vlan id> enable disable
   This configures the loopback detection of Vlan in one port.
   ZXR10 config loop detect protect interface <port name> <enable disable>
   ZXR10 config loop detect reopen time interval
   ZXR10 config show loop detect interface
   ZXR10 config show loop detect interface detail <port name>
   ZXR10 config show loop detect protect interface a
   ZXR10 config show lo
17. So that C completes the man-in-the-middle attack.
   To avoid this bug, all ARP packets should be checked. Those that conform to the qualification are forwarded by software. The ARP packets that fail the check will be discarded. Based on this requirement, the following methods that prevent usual ARP attacks are added:
   1. As for an untrusted interface, DAI blocks all ARP packets and sends them to upper layer software for checking.
   2. The speed at which ARP packets are sent to the CPU is configurable.
   3. When DHCP SNOOPING is enabled, the layer 2 IP, MAC and port corresponding relationships are checked. Illegal users will be discarded.
   DAI detects ARP packets according to the binding relationship between IP and MAC address, which is stored in the trust database. When DHCP SNOOPING of a VLAN is open, the database is created by DHCP SNOOPING. If an ARP packet is received from a trust port, the switch does not need any detection and forwards the packet directly. If an ARP packet is received from an untrust port, the switch only forwards valid packets.
   Configuring DAI
   ZXR10 config gei_1 x ip arp inspection trust
   This configures the trust attribute of the interface.
   ZXR10 config smartgroupX ip arp inspection trust
   This configures the trust attribute of the Smartgroup interface.
   ZXR10 config ip arp inspection validate
   This configures global ARP des mac ip
18. The default configuration is restored with the no command. Command parameter description is as follows:
   <1-1000>: timeout time. The unit is second, 1-1000, 5s by default.
   9. To configure a TACACS server group, use the following command:
   ZXR10 config aaa group server tacacs <group name>
   This enters AAA server group configuration mode. Server group configuration is deleted with the no command. Command parameter description is as follows: tacacs server group name, with 1-31 characters.
   TACACS Configuration Example
   tacacs enable
   tacacs server host 1.1.1.1
   tacacs client 1.1.1.2
   aaa authentication login default group zte
   aaa authentication enable default local group zte
   aaa authorization login default group zte
   user authentication type tacacst
   user authorization type tacacs
   aaa group server tacacs zte
   server 1.1.1.1
   Chapter 14 Switch Stack System
   Table of Contents
   Switch Stack System Introduction
19. community name view <view name> ro rw
   This sets the SNMP packet community.
   SNMPv1/v2c adopts the community authentication mode. An SNMP community is named by a character string, and different communities have read-only or read-write access authorities. A community with read-only authority can only query equipment information, and a community with read-write authority can configure the equipment.
   Both read-only and read-write are limited by the view. Operations can only be conducted in the permitted view range. If parameter view is omitted, the default view is used, and parameter ro is used if ro/rw are omitted.
   2. To define an SNMPv2 view, use the following command:
   ZXR10 config snmp server view <view name> <subtree id> included excluded
   This defines an SNMPv2 view.
   3. To set the system handler contact mode (SysContact) of the MIB object, use the following command:
   ZXR10 config snmp server contact <mib syscontact text>
   This sets the system handler contact mode (SysContact) of the MIB object. SysContact is a management variable of the system group in MIB II, and it records the ID and contact mode of the relevant personnel of the managed equipment.
   4. To set the location (SysLocation) of the MIB object, use the following command:
   ZXR10 config snmp server location rm
20. config if monitor session <session number> destination
   This sets the monitor port. The range of session number is 1-4.
   ZXR10 config if monitor session <session number> destination rspan vlanid vlanid priority <priorityid>
   This sets the RSPAN monitor port. The range of session number is 1-4, the range of vlanid is 1-4094, and the range of priorityid is 0-7.
   ZXR10 config if monitor session <session number> destination erspan ttl 77255 flags disable enable tpid 0x8100 DSCP <0-63>
   This sets the ERSPAN monitor port. The range of session number is 1-4.
   ZXR10 config show monitor session all <session number>
   This displays configuration and status of port mirroring. The range of session number is 1-4.
   Port Mirroring Configuration Example
   1. This example shows single device port mirroring configuration. Port fei_1 3 is connected to a computer. Data received on fei_1 1 and data received and sent on fei_1 2 are to be monitored. This is shown in Figure 15.
   Chapter 4 Interface Configuration
   [Figure 15: PORT MIRRORING EXAMPLE. ZXR10 with ports fei_1 1, fei_1 2 and fei_1 3.]
   Configuration of switch:
   ZXR10 config interface fei 1 1
   ZXR10 config fei 1 1 monitor session 1 source direction rx
   ZXR10 config fei 1 1 exit
   ZXR10 config interface fei 1 2
   ZXR10
21. config nas aaa accounting disable
   ZXR10 config nas aaa multiple hosts enable
   ZXR10 config nas aaa default isp ztel63 net
   ZXR10 config nas aaa fullaccount disable
   ZXR10 config nas aaa 1 radius server accounting 1
   ZXR10 config nas create localuser 1 name A0001
   ZXR10 config nas localuser 1 mac 00d0 d0d0 1234
   ZXR10 config nas localuser 1 accounting enable
   ZXR10 config nas create localuser 2 name A0002
   ZXR10 config nas localuser 2 mac 00d0 d0d0 1456
   ZXR10 config nas localuser 2 accounting enable
   ZXR10 config nas create localuser 3 name A0003
   ZXR10 config nas localuser 3 mac 00d0 d0d0 1689
   ZXR10 config nas localuser 3 accounting enable
   In the above configuration, the local authentication function on the ZXR10 5900E is enabled to implement the application requirement of the enterprise. According to the above configuration, only the 00d0 d0d0 1234, 00d0 d0d0 1456 and 00d0 d0d0 1689 network card addresses can be accessed, and the Internet access duration of these three users, named A0001, A0002 and A0003, is summed up. The duration is recorded on the Radius server.
   DOT1X Multiple Domains Function
   In figure "Dot1x radius authentication application" and figure "Dot1x trunk authentication application", the Guest Vlan function is based on interface. When user authentication at the port succeeds, the interface will be switched in the authentication VLAN, and other users which are not unauthorized can't visit Guest Vlan intern
22. default policy
   8. To configure the DHCP client server id that DHCP Relay responds to, or cancel the DHCP client server id that DHCP Relay responds to, use the following command:
   ZXR10 config ip dhcp relay security client server id <ip address>
   This configures the DHCP client server id that DHCP Relay responds to. <ip address>: server id IP address, in dotted decimal notation.
   ZXR10 config no ip dhcp relay security client server id
   This cancels the DHCP client server id that DHCP Relay responds to.
   9. To enable DHCP Relay Snooping, use the following command:
   1. ZXR10 config ip dhcp relay snooping enable
   This enables DHCP Relay Snooping. DHCP Relay Snooping is disabled by default.
   2. ZXR10 config no ip dhcp relay snooping enable
   This cancels the DHCP Relay Snooping function.
   10. To enable DHCP network packet that all reply on the interface, use the following command:
   ZXR10 config if vlanx ip dhcp relay snooping packet reply
   This enables DHCP network packet that all reply on the interface.
   ZXR10 config if vlanx no ip dhcp relay snooping packet reply
   This command disables DHCP network packet that all reply on the interface.
   11. To enable DHCP network packet that all request on the interface, use the following command:
   ZXR10 config if vlanx ip dhcp relay snooping
   This enables DHCP
23. <password>
   Setting Telnet Username and Password
   ZXR10 config username username password <password>
   This sets the Telnet user and password.
   Chapter 3 System Management
   Setting System Time
   ZXR10 clock set current time month day year
   This sets system time.
   Setting System Console User Connection Parameters
   ZXR10 config line console idle timeout <idle timeout>
   This sets the idle timeout time.
   ZXR10 config line console absolute timeout <absolute timeout>
   This sets the absolute timeout time.
   Setting System Telnet User Connection Parameters
   ZXR10 config line telnet access class <access list number>
   This configures the access class.
   ZXR10 config line telnet idle timeout <idle timeout>
   This configures the idle timeout time.
   ZXR10 config line telnet absolute timeout <absolute timeout>
   This configures the absolute timeout time.
   There are parameters absolute timeout and idle timeout after line console and line telnet. absolute timeout refers to the time from the beginning of the connection to connection timeout. idle timeout refers to the idle time after the user's last operation. The system disconnects automatically on timeout, and users must log on again if they need to continue operating the switch. By default absolute timeout is 1440 minutes and idle timeout is
24. no ip dhcp snooping information format
   This cancels the configured 82 option format to restore the default format.
   6. To configure the policy of forwarding DHCP data packet 82 option, or cancel the policy, use the following command:
   ZXR10 config ip dhcp snooping information policy keep replace
   This configures the policy of forwarding DHCP data packet 82 option. keep: keep the original 82 option and transparently transmit. replace: replace the original 82 option. The default is to keep the original 82 option and transparently transmit.
   ZXR10 config no ip dhcp snooping information policy
   This cancels the configured 82 option policy to restore the default format.
   7. To configure the DHCP SNOOPING ramble function and allow the user to switch on different ports, use the following command:
   1. ZXR10 config ip dhcp snooping ramble
   This configures the DHCP SNOOPING ramble function.
   2. ZXR10 config no ip dhcp snooping ramble
   This disables the DHCP SNOOPING ramble function.
   8. To configure the interface that connects to the DHCP SERVER as a trust interface, use the following command:
   ZXR10 config ip dhcp snooping trust <interface number>
   This configures the DHCP SERVER interface as a trust interface. <interface number>: physical interface number, such as fei, gei and smartgroup.
   ZXR10 config no ip dhcp snooping trust <interface number>
   This cancels the DHCP SERVER interface as a trust interface.
25. the user can use the show version command to check whether the new version is running in the memory. If not, booting from the background server failed. The user must repeat steps 1 to 5.

6 Delete the old version file zxr10.zar from the Flash's IMG directory with the delete command. If there is enough space in the Flash, the user can reserve the old version with another name.

7 Copy the new version file on the background FTP server to the Flash's IMG directory with the filename zxr10.zar.
i Set a temporary Vlan interface which is interworking with the host (suppose the IP address is 168.4.168.1).
ii Set the host ip address (suppose the ip address is 168.4.168.89) in the same network segment as the Vlan interface ip address. The interface which the host connects to belongs to the vlan and can ping through the Vlan ip address.
iii Use the copy command at the privileged mode.
ZXR10 copy ftp 168.4.168.89 zxr10.zar target target flash img zxr10.zar
Starting copying file
file copied successfully
ZXR10

8 Check for the new version file in the Flash. If it is not found, the copying failed; repeat step 8 to copy the version again.

9 Reboot ZXR10 5900E and follow step 4 to change the boot mode to booting from Flash, when Boot path changes to flash img zxr10.zar automatically.
Note can also change the boot mode to booting from
26. 1 To display QoS configuration, use the following command.
show qos
2 To display configuration of the map of service parameters of data packets according to conformance level and DSCP, use the following command.
show qos conform dscp
3 To display 802.1p parameter map table configuration information according to local precedence, use the following command.
show qos cos local map
4 To display table configuration information that 802.1P user priority maps to switch local precedence, use the following command.
show qos cos drop map

Chapter 7 QoS Configuration

Example
ZXR10 config acl standard number 1
ZXR10 config std acl rule 1 permit 100 1 1 1
ZXR10 config std acl exit
ZXR10 config traffic limit in 1 rule id 1 cir 10000 cbs 2000 ebs 2000 mode blind
ZXR10 config show qos
traffic limit in 1 rule id 1 cir 10000 cbs 2000 ebs 2000 mode blind
ZXR10 config qos conform dscp 10 7 2
ZXR10 config show qos conform dscp
qos conform dscp 10 72
ZXR10 config qos cos local map 12 345 670 0
ZXR10 config show qos cos local map
qos cos local map 12 345 670
ZXR10 config qos cos drop map 21021101
ZXR10 config show qos cos drop map
qos cos drop map 21021101

ZXR10 5900E Series User Manual Basic Configur
27. 120 minutes

Allowing Multiple Users to Configure system at the Same Time

multi user configure
Be careful, because the configuration could bring switch configuration disorder.

Viewing System Information

Viewing Hardware and Software Versions of the System

The following information is displayed after carrying out the show version command.
ZXR10 show version
ZXR10 Router Operating System Software ZTE Corporation
ZXR10 ROS Version V4 08 23
ZXR10 5952 Software Version ZXR10 5900 V2 8 23 A 12 RELEASE SOFTWARE
Copyright c 2000 2007 by ZTE Corporation
Compiled Jun 14 2009 11:47:14
System image files are flash <flash img zxr10.zar>
System uptime is 2 days 18 hours 19 minutes
MPU Main processor ZXR10 MPC8270 450M PCI with 256M bytes of memory
512K bytes of non volatile configuration memory
16M bytes of processor board System flash Read Write
ROM System Bootstrap Version V1 12 RELEASE SOFTWARE
Hardware Version V1 8 CPLD Version V1 4
System serial 5952

Viewing Running Configuration

show running config

Chapter 4 Interface Configuration

Table of Contents
Basic Port Configuration
Port Mirroring Configuration
28. 2 deny tcp 192.168.3.0 0.0.0.255 Eq BGP any any
ZXR10 config hybd acl rule 3 deny any any any ingress 0100 2563 1425 0000 0000 0000

Configuring Basic IPV6 ACL

1 ZXR10 config ipv6 acl standard number acl number name acl name
This enters the basic ACL configuration mode.
ZXR10 config std v6acl rule <1 100> permit deny <source> any mac <Source mac> <Source wildcard bits> time range <timerange name>
This configures the rules of ACL.
ZXR10 config std v6acl move <rule no> after before <rule no>
This moves a rule behind another rule.

Example
In this example, define an ACL to permit IP packets with the network segment as 10 0 0 0 0 0 0 0 16 to pass.
ZXR10 config ipv6 acl standard number 2000
ZXR10 config std v6acl rule 1 permit 10 16

Configuring Extended IPV6 ACL

ZXR10 config ipv6 acl extended number acl number name acl name
This enters ACL configuration mode.
ZXR10 config ext v6acl rule <1 maxRuleNo> permit deny icmp <source prefix> any <destination prefix> any protocol> <source prefix> any destination prefix any tcp <source prefix> any <rule> <0 maxPortNo tcpporttype 4 destination prefix
This configures the rules of ACL.
29. subnet mask and FTP user name and password pair. After the modification, the prompt ZXR10 Boot appears.

ZXR10 Boot c
clear field
go to previous field
D quit
Boot Location 0 Net 1 Flash 0 (0 means booting from the background FTP, 1 means booting from Flash)
Port Number 24
Client IP 0 bootp 168.4.168.168 (Management Ethernet port address)
Netmask 255.255.0.0
Server IP 0 bootp 168.4.168.89 (Background FTP server address)
Gateway IP 168.4.168.168 (Management Ethernet port address)
FTP User target (FTP user name target)
FTP Password (Password of target)
FTP Password Confirm
Boot Path zxr10.zar
Default Enable Password Default Enable Password Confirm Default
ZXR10 Boot

4 Type and press ENTER. Then the system automatically boots from the background FTP server.
ZXR10 Boot
Loading get file zxr10.zar 15922273 successfully
file size 15922273
Omitted
********
Welcome to ZXR10 5928 Switch of ZTE Corporation
********
ZXR10

5 If the system starts successfully
30. DHCP user unrestricted message and recovers default mode.
DHCP client continuous rent is launched by the DHCP client. Because the DHCP client does not send a continuous rent message, if the ACK message with which the DHCP Server responds to the client can be received, it is taken for granted that the DHCP client is on line, and this message is sent transparently to the client.

6 To configure the insert of 82 option when the DHCP process is in relay forwarding, or to cancel the insert of 82 option, use the following command.
ZXR10 config ip dhcp relay information option
This configures the insert of 82 option when the DHCP process is in relay forwarding. By default the 82 option is not inserted.
ZXR10 config no ip dhcp relay information option
This cancels the insert of 82 option.

Chapter 8 DHCP Configuration

7 To configure the DHCP process when the insert 82 option has been configured in the DHCP process in relay forwarding data and host should configure the insert 82 option, or to delete the configured 82 option handle policy, use the following command.
ZXR10 config ip dhcp relay information policy keep replace
keep: keep the original 82 option and transparently transmit.
replace: replace the original 82 option.
The default is to keep the original 82 option and transparently transmit.
ZXR10 config no ip dhcp relay information policy
This cancels configured 82 option policy to restore
31. The default value is 49.
timeout: Connection timeout time, in range of 1 to 1000. Unit is second. The configuration here will invalidate the global configuration.
key: Encryption key between NAS and TACACS server. The configuration here will invalidate the global configuration.

6 To configure the global TACACS protocol encryption key, use the following command.
ZXR10 config tacacs server key key
This configures the global TACACS protocol encryption key, which is valid for all servers without a designated key. The configuration is deleted with the no command.
Command parameter description is as follows.
key: Encryption key used in exchanging packets between NAS and server. Length 1 63 characters, without space. The key defined in the server must be the same as this one.

7 To configure the TACACS maximum packet length, use the following command.
ZXR10 config tacacs server packet 1024 4096
This configures the TACACS maximum packet length. The default configuration 1024 is restored with the no command.
Command parameter description is as follows.
<1024 4096>: Packet maximum length. The default is 1024.

8 To configure the connection timeout for the TACACS server, use the following command.

Chapter 13 Network Management Configuration

ZXR10 config tacacs server timeout <1 1000>
This configures the connection timeout for the TACACS server. The default is 5s
32. The router with high priority is used as the master router if the third party address is used. If two routers have the same priority, the one with the greater interface address wins. For ZXR10 5900E, if the two routers' priorities are same, master apply priority rule. Set the IP address of the virtual router as the gateway on the hosts in this broadcast domain. The master router is replaced with the backup router with the highest priority if the master router is faulty, without affecting the hosts in this domain. The hosts in this domain cannot communicate with the outside world only when all routers in the VRRP group work abnormally. These routers can be configured into multiple groups for mutual backup. The hosts in the domain use different IP addresses as gateway to implement data load balance.

Configuring VRRP

1 To run VRRP, use the following command.
ZXR10 config if vlanx vrrp group ip <ip address> secondary
This runs VRRP.
This configures multiple virtual addresses in a VRRP group, and the linked host can use any address as gateway for communication.

2 To configure VRRP priority on the interface, use the following command.
ZXR10 config if vlanx vrrp group priority priority
This configures VRRP priority on the interface.

3 To configure whether preemption is enabled on the
33. ZXR10 config gei_1 1 ip access group 100 in
ZXR10 config gei_1 1 exit
ZXR10 config interface gei_1 2
ZXR10 config gei_1 2 ip access group 101 in
ZXR10 config gei_1 2 exit

ACL Maintenance and Diagnosis

For the convenience of ACL maintenance and diagnosis, ZXR10 5900E provides related view commands.
1 To display the contents of all ACLs with the specified list number, use the following command.
show acl <acl number> name <acl name>
2 To show whether an ACL is applied on a physical port, use the following command.
show running config interface <port name>

Chapter 7 QoS Configuration

Table of Contents
QoS Overview
Configuring QoS
QoS Configuration Example
QoS Maintenance and Diagnosis

QoS Overview

Traditional networks provide best effort service, treating all packets identically and handling them with the first in first out (FIFO) policy. This service policy delivers the packets to their destination as well as it can, without any assurance or guarantee for reliability, delivery delay and so on for packet forwarding. With the continuous emergence of
34. a period of time which is called the aging time of the ARP.

Configuring ARP

1 ZXR10 config arp protect interface mac whole limit num <number>
This configures ARP protection.
2 ZXR10 config arp to static
This sets dynamic arp entries to static arp.
3 ZXR10 config interface vlan <vlan id>
This enters Layer 3 VLAN interface.
4 ZXR10 config if vlanx arp timeout <timeout>
This configures the aging time of ARP entry in the ARP buffer area.
5 ZXR10 config if vlanx set arp static permanent ip address hardware address
This adds arp entry in static permanent binding.

To delete an arp entry, use the following command.
ZXR10 clear arp cache interface supervlan <id> vlan <id> <ipaddress> dynamic permanent static
This deletes all dynamic arp entries from the specific interface ARP buffer.

ARP Configuration Example

ARP configuration example is shown as follows.
ZXR10 config interface vlan 1
ZXR10 config if vlan1 arp timeout 1200

The ARP entry of a designated interface can be viewed with the show arp <interface name> command. The following example shows the ARP table of the layer 3 interface VLAN1.
ZXR10 show arp
Address Age min Hardware Addr Interface
Tollel 000a.010c.e2c6 vlan1
10.1.100.100 18 00b0.d08f.820a vlan1
10.10.10.2 S 0000.1111.2222 vlan1
10.10.10.3 P 0000.1111.2221 vlan1
35. a sub directory of ABC in current directory
ZXR10 dir (view the information in the current directory and find the sub directory of ABC)
Directory of flash
attribute size date time name
1 drwx 512 MAY 17 2004 14:22:10 IMG
2 drwx 512 MAY 17 2004 14:38:22 CFG
3 drwx 512 MAY 17 2004 14:38:22 DATA
4 drwx 512 MAY 17 2004 15:40:24 ABC
65007616 bytes total 48861184 bytes free
ZXR10 rmdir ABC (remove the sub directory of ABC)
ZXR10 dir (show the current directory information and find that the sub directory of ABC has been removed)
Directory of flash
attribute size date time name
1 drwx 512 MAY 17 2004 14:22:10 IMG
2 drwx 512 MAY 17 2004 14:38:22 CFG
3 drwx 512 MAY 17 2004 14:38:22 DATA
65007616 bytes total 48863232 bytes free

FTP TFTP Overview

ZXR10 5900E can serve as an FTP TFTP client. Files can be used for backup and restore purposes. Files can also be used to import and export configurations.

Configuring Switch as an FTP Client

Enable the FTP server on the background host and access the ZXR10 5900E as an FTP client from the FTP server.
1 Run wftpd on the background host, and an interface appears as shown in Figure 11.
FIGURE 11 WFTPD INTERFACE
36. address for DHCP Client dynamically by the external DHCP Server configured in the interface.
After the built in DHCP Proxy process is enabled, the system processes IP address requests sent from DHCP clients on the interface, allocates IP addresses for DHCP Clients dynamically by the external DHCP Server configured in the interface, and replaces the long lease with a short lease to the client. When a DHCP Client sends a continue to rent request, if the long lease allocated by the DHCP Server has not timed out, DHCP Proxy responds to the DHCP Client directly and does not send the continue to rent request to the external DHCP Server, to relieve the burden of the external DHCP Server.

Only one function among the system built in DHCP Server function, DHCP Relay function and DHCP Proxy function can be run on the same interface.

To bind a policy to an interface or delete the configuration, use the following commands.
ZXR10 config if vlanx ip dhcp policy <policy_name>
This binds a policy to an interface.
<policy_name>: the policy name that the interface needs to bind.
ZXR10 config if vlanx no ip dhcp policy
This deletes the configuration.

4 To configure DHCP user quota on an interface or cancel this configuration, use the following command.
ZXR10 config if vlanx ip dhcp user quota limit value
This configures DHCP user quota on interface that is t
37. address of new main device will become that of stack system.

2 Default Configuration
nvram stack member priority 255 set interface stack enable stack disable stack port

Accessing the Specific Stack Member by Command Line

In a stack system, all devices can log in to other devices by session to operate other devices. When logging in to a member device, show operations or operations on the file system can be carried out, and configuring command operations can't be carried out. A member device logging in to the main device needs the authentication of username and password, which can be configured on the main device.
ZXR10 session device id
The parameter is the ID of the device that will be logged in to. After the command is carried out, the corresponding device can be operated.

Viewing Switch Stack System Information

1 ZXR10 Show switch all status
This views the whole stack system information.
ZXR10 Show switch all neighbours
This views the whole stack system neighbor relationship.
ZXR10 Show switch neighbours stack member number
This views the neighbor relationship of the designated device. The parameter is device ID.
ZXR10 Show switch stack ports
This views current device stack interface information, including sending receiving packet statistics.
ZXR10 Show switch stack ports stack member nu
This views
38. ame acl name configuration

ZXR10 config ext acl rule rule no permit deny <source> <source wildcard> any <dest> <dest wildcard> any icmp type icmp code icmp code precedence pre value tos <tos value> dscp dscp value fragment time range timerange name
This configures the rules based on ICMP.

ZXR10 config ext acl rule <rule no> permit deny <source> <source wildcard> any <rule> <port> <dest> <dest wildcard> any <rule> <port> established precedence pre value tos <tos value> dscp dscp value fragment time range timerange name
This configures the rules based on TCP.

ZXR10 config ext acl rule rule no permit deny <ip number> ip <source> <source wildcard> any <dest> <dest wildcard> any precedence pre value tos <tos value> dscp <dscp value> fragment time range <timerange name>
This configures the rules based on IP or IP protocol number excluded ICMP TCP UDP.

ZXR10 config ext acl rule <rule no> permit deny <source> <source wildcard> any <rule> <port> <dest> <dest wildcard> any <
This configures the rules based on UDP.
39. and configuration of all stack members in which the main device is. All members of the stack system which fails in selection will restart and join this stack system. During this joining process, these switch member IDs will possibly be allocated again. After joining, they will implement the configuration of the main device selected again.

If neither the original main device nor the original standby device is in the separate stack system, all members of this stack system will restart. In addition, because the configuration of each stack system is the same, IP addresses will be in collision. The IP address of the new stack system needs to be modified.

If the stack system was not divided intentionally, the operation is as follows.
1 Turn off the power of all switches in the new stack system.
2 Connect these switches with the original stack system.
3 Turn on the power of these switches.

Stack System Main Device Election and Renewed Election

Stack system main device election and renewed election comply with the following rules.
1 The current switch is the main device of the stack system.
2 The switch member priority is the highest. When you want a switch to be the main device of the stack system, configure its priority the highest.
3 The MAC address of the switch is the smallest when member priorities are the same.

The main device will change when the following happen.
The main device leaves the current stack system.
40. average speed, use the following command.
ZXR10 config gei_1 x protocol protect peak rate average rate mode protocol name <rate limit>
This configures protocol packet passing peak average speed.
This command is used to configure the peak speed or average speed of the corresponding protocol packet on the corresponding port. The unit is pps. Peak speed can be configured 100 1000 and the default value is 300. Average speed can be set 10600 and the default is 100.

5 To configure port type, use the following command.
ZXR10 config gei_1 x protocol protect type nni uni
This configures whether the type of a certain port is uni or nni.
This command is used to configure a certain port type, which is uni or nni. The default is nni.

The protocols supported by the above commands include pim igmp icmp arpreply arprequest udld group mng vbaselldp dhcp lacp bpdu snmp nansrars.

When a protocol packet is configured as discard, even if it is uploaded to the MUX module it will be discarded by this module, so it fails to upload to the platform. When the control plane security module finds that the speed of a certain protocol packet uploading to the platform is too fast, it sends an alarm to remind the user that a certain protocol packet may be attacking the CPU. When seeing this alarm, the user can configure protocol packet discard or limit the speed to protect the CPU from attack.
41. config fei_1 2 monitor session 1 source
ZXR10 config fei_1 2 exit
ZXR10 config interface fei_1 3
ZXR10 config fei_1 3 monitor session 1 destination

Show port mirroring configuration.
ZXR10 config show monitor session 1
Session 1
Source Ports
Port fei_1 1 Monitor Direction rx
Port fei_1 2 Monitor Direction both
Destination Port
Port fei_1 3
Rspan vlanid 0
Rspan priority 0
ZXR10 config

2 The following example shows RSPAN mirroring configuration. As shown in Figure 16, port fei_1 3 is connected to the other equipment's mirroring out port. Data received on fei_1 1 and data received and sent on fei_1 2 are to be monitored. RSPAN's Vlan is Vlan 10 and the priority is 1.

FIGURE 16 PORT RSPAN MIRRORING EXAMPLE

Configuration of Switch
ZXR10 config interface fei_1 3
ZXR10 config fei_1 3 monitor session 1 destination rspan vlanid 10 priority 1
ZXR10 config interface fei_1 1
ZXR10 config fei_1 1 monitor session 1 source direction rx
ZXR10 config fei_1 1 exit
ZXR10 config interface fei_1 2
ZXR10 config fei_1 2 monitor session 1 source
ZXR10 config fei_1 2 exit

Show port mirrori
42. config vlan2 ip arp inspection

Gei_1 1 and gei_1 2 are bound with VLAN 2. Gei_1 1 is set as an untrusted interface (the default attribute is untrusted interface). The legal ARP packet (a legal ARP packet is consistent with IP, port and MAC in the DHCP binding table) that host A sends to the switch is broadcast in the VLAN, and Host B can receive the ARP packet. The illegal packet is discarded and not forwarded, and Host B can't receive the ARP packet.

If gei_1 1 is set as a trusted interface, host A sends ARP packets (legal, illegal) to the switch. The switch forwards ARP packets by hardware to all interfaces that are bound with VLAN 1. Host B can receive the ARP packet.

When configuring the interface limited speed as X (1 100), the switch will receive at most X ARP packets every second; the additional ones are discarded.

MFF Configuration

MFF Overview

MFF (MAC Forced Forwarding) mainly implements layer 2 isolation and layer 3 intercommunication among different client hosts in the same broadcast domain. MFF blocks user ARP request packets and replies with a response packet of the gateway MAC address by the ARP answer agent mechanism. This forces users to send all traffic, including traffic in the same subnet, to the gateway, which lets the gateway monitor data flow, prevent malicious attacks among users and ensure the safety of network deployment. MFF supports manual and automatic modes
43. configuration. Even if the main device or other stack members leave the stack system, the stack system can be managed with this IP address.

There are two modes for managing the stack system.
The serial port cable is connected to any serial port of a stack member. Management is implemented by CLI.
Management is implemented by SNMP.

Member Specification of Switch Stack System

At most 9 devices compose a stack system by stack port. Each stack system only has one main device. If an independent device enables stack, it is a stack system itself and the main device is itself. If two stack systems can be combined together, an independent switch can be added into an existing stack system to increase the member number of this stack system.

If a stack member in the stack system is replaced by a switch with the same model, and the member ID of this switch is the same as that of the original stack member, this switch will implement the same configuration as the replaced stack member.

When two running stack systems combine together, a main device will be selected from the two main devices, because the two stack systems have their own main devices. The selection rule is the same as the one by which the main device is selected from stack members. The main device selected again and roles
44. configuration files. Operations such as version upgrading and configuration saving must be conducted in flash. There are three directories in Flash by default.

1 IMG: System mapping files, that is, image files, are stored under this directory. The extended name of the image files is zar. The image files are dedicated compression files. Version upgrade means to change the corresponding image files under the directory.

2 CFG: This directory is for saving configuration files, whose name is startrun.dat. Information is saved in the Memory when using a command to modify the switch configuration. To prevent configuration information loss at the time of switch restart, use the write command to write the information in the Memory into FLASH and save the information in the startrun.dat file. When there is a need to clear the old configuration in the switch to reconfigure data, use the delete command to delete the startrun.dat file, then restart the switch.

3 DATA: This directory is for saving the log.dat file, which records alarm information.

Operating File System Management

ZXR10 5900E provides many commands for file operations. The command format is similar to DOS commands as present in the Microsoft Windows Operating System.

1 To copy files between Flash and FTP TFTP server, use the following command.
copy source de
45. dhcp snooping ip source guard
This deletes IP Source Guard of interface.

IP Source Guard Configuration Example

IP Source Guard Configuration based on IP Address

In Figure 35, the DHCP server connects to gei_1 1 on R1, and the administrator sets management DHCP. gei_1 1 belongs to vlan100. The DHCP Snooping function is enabled in VLAN100 and interface gei_1 1 is configured as trusted. The PC connects to gei_1 2 of the switch, which belongs to vlan100.

FIGURE 35 IP SOURCE GUARD CONFIGURATION

IP Source Guard based on IP address is configured on the gei_1 2 interface mode. After getting an IP address dynamically, the PC can only pass data packets with the source IP address that is distributed by the DHCP server.

Configuration of R1
ZXR10 config ip dhcp snooping enable
ZXR10 config ip dhcp snooping vlan 100
ZXR10 config ip dhcp snooping trust gei_1 1
ZXR10 config interface gei_1 2
ZXR10 config gei_1 2 ip dhcp snooping ip source guard ip base

IP Source Guard Configuration based on MAC Address

In Figure 36, the DHCP server connects to gei_1 1 on R1, and the administrator sets management DHCP. gei_1 1 belongs to vlan100. The DHCP Snooping function is enabled in VLAN100 and interface gei_1 1 is configured as trusted. The PC connects to gei_1 2 of the switch, which belongs to vlan100.
46. events is 0
Network utilization is estimated at 1

3 This example shows how to configure and start alarm control entries of the RMON.
ZXR10 config rmon alarm 1 system 3 0 10 absolute rising threshold 1000 1 Falling threshold 10 1 owner rmontest
ZXR10 config

View RMON alarm information with the show command.
ZXR10 show rmon alarm
Alarm 1 is active owned by rmontest
Monitors system 3 0 every 10 seconds
Taking absolute samples last value was 54000
Rising threshold is 1000 assigned to event 1
Falling threshold is 10 assigned to event 0
On startup enable rising or falling alarm
ZXR10

4 This example shows how to configure and enable the event function.
ZXR10 config rmon event 1 log trap rmontrap description test owner rmontest
ZXR10 config

Configure an alarm control entry, wait for 10s, and then view RMON event contents with the show command.
ZXR10 show rmon event
Event 1 is active owned by rmontest
Description is test
Event firing causes log and trap to community rmontrap last fired 05:40:20
Current log entries
index time description
1 05:40:14 test
ZXR10

SysLog Configuration

SysLog Overview

ZXR10 5900E provides users with log information setting and query functions. Log information provides convenient routine maintenance of the routing switch. User can view alarm in
47. configuration mode: extended number <acl number> name <acl name> (global configuration mode)
L2 ACL configuration mode: ZXR10 config link acl; acl link number acl number name acl name (global configuration mode)
Hybrid ACL configuration mode: ZXR10 config hybd acl; acl hybrid number <acl number> name acl name (global configuration mode)
RIP configuration mode: router rip (global configuration mode)
RIP address routing configuration mode: ZXR10 config router af; address family ipv6 vrf <vrf name> (RIP configuration mode)
OSPF configuration mode: ZXR10 config router; router ospf <process id> (global configuration mode)

Chapter 2 Usage and Operation

IS IS configuration mode: ZXR10 config router; router isis (global configuration mode)
BGP configuration mode: ZXR10 config router; router bgp <as number> (global configuration mode)
BGP address configuration mode: ZXR10 config router af; address family vpnv4 ipv4 vrf <vrf name> (BGP configuration mode)
BGP configuration mode: ZXR10 config router; router pimsm (global configuration mode)
Route map configuration mode: ZXR10 config route map; route map <map tag> permit deny <sequence number> (global configuration mode)
Diagnosis test mode: ZXR10 diag; diagnose (privileged mode)

In any command mode input a ma
48. following command.
show ip arp inspection vlan <vlan id>
9 To display DHCP pool, use the following command.
show ip dhcp pool <pool name>
10 To display DHCP policy, use the following command.
show ip dhcp policy <policy_name>
To handle DHCP server relay processes, use the debug ip dhcp command.

Chapter 9 VRRP Configuration

Table of Contents
VRRP Overview
Configuring VRRP
VRRP Configuration Example
VRRP Maintenance and Diagnosis

VRRP Overview

A host in a broadcast domain usually sets a default gateway as the next hop of route packets. The host in the broadcast domain cannot communicate with a host in another network unless the default gateway works normally. To avoid the single point of failure caused by the default gateway, multiple router interfaces are configured in the broadcast domain and the Virtual Router Redundancy Protocol (VRRP) is run in these routers.

VRRP is used to configure multiple router interfaces in a broadcast domain into a group to form a virtual router, and assigns an IP address to the router to function as its interface address. This interface address may be the address of one of the router interfaces or the third party address. The router is used as the master router if its interface address is used, and other routers are used as the backup ones.
49. for faulty ports and is not recommended for ports connected to users Port Mirroring Configuration Port Mirroring Overview Port mirroring is to copy data from one or more ports mirrored ports of a switch to a specified destination port monitor port This data is obtained from the mirrored port s It provides an effective tool for the maintenance and monitoring of the switch Also it supports cross equipment port mirroring RSPAN Port mirroring function of ZXR10 5900E complies with the following rules Support up to one group of ports eight mirrored ports to the most Support cross board port mirroring that is the mirrored port and monitor port can be on different interface boards Confidential and Proprietary Information of ZTE CORPORATION 37 ZXR10 5900E Series User Manual Basic Configuration Volume ZTERH Support monitoring only sent received data on the mirrored port Support cross equipment port mirroring that is mirrored port and monitor port can be on different equipment Support cross tunnel port mirroring that is data flow from source port can be encapsulated and forward by GRE tunnel configuration to the destination monitor end Configuring Port Mirroring ZXR10 config if monitor session lt session number gt This sets mirror port for source direction both tx rx capturing in out traffic of monitor port at interface mode The range of session number is 14 ZXR10
50. from Confidential and Proprietary Information of ZTE CORPORATION 29 ZXR10 5900E Series User Manual Basic Configuration Volume ZTERH left to right are slot 2 slot 3 slot 4 and slot 5 Sloti is GE port in front of the device Port No The No of the port on the interface board starting from 1 Example gt Gei 1 8 Port 8 on the GE interface board in slot 1 gt Xgei 3 1 Port 1 on the XGE interface board in slot 3 The ports are named differently because the number of boards and the number of ports on each board are different for specific devices 1 ZXR10 5928 5228 5928 FI 5228 FI gt The 24 ports in the front of the switch correspond to gei 1 1 to gei 1 24 The 4 xgei Ethernet interface board at the back of switch are arranged from left to right corresponding to xgei 2 1 xgei 3 1xgei 4 1lxgei 5 1 2 ZXR10 5952 5252 gt The 48 ports correspond to gei 1 1gei 1 48 The 4 xgei Ethernet interface board at the back of switch are arranged from left to right corresponding to xgei 2 1 xgei 3 1lxgei 4 lxgei 5 1 3 ZXR10 5924 5224 gt The 24 ports in the front of the switch correspond to gei 1 1 to gei 1 24 Disabling Enabling an Ethernet port 1 ZXR10 config interface lt port name gt This enters interface configuration mode 2 ZXR10 config gei_1 x shutdown no shutdown This disables enables an Ethernet port shutdown command sets the physical link state of the port to down when t
51. in this stack system, the ID can be saved. Otherwise it will be allocated the smallest unused ID. Stack System MAC Address: The MAC address of the stack system is that of the main device. When the main device leaves, the MAC address of the newly elected main device becomes the MAC address of the stack system. The MAC switch function sets the MAC address switching time. If the device is configured with this function, then when the main device leaves, the MAC address of the stack system remains that of the original main device. If the original main device returns to the stack system within the set time, the MAC address of the stack system remains unchanged. Otherwise it is changed to the MAC address of the new main device. Stack Member Device Priority: The higher the switch priority, the greater the possibility of being the main device during main device election. The priority range is from 0 to 255. The default is 255. Priority information of all stack member devices can be viewed with show switch all status. The priority can be modified with nvram stack member priority. The change is not valid until the device restarts. Stack Member Device Software Version Check and Automatic Upgrade: The software version in each member of the stack system should be the same. When the stack system starts and the main device is elected, software version numbe
52. information use the following command ZXR10 config domain lt domain id gt default This configures domain information ZXR10 config no domain lt domain id gt default This cancels domain information 4 To configure domain fullname authentication information use the following command ZXR10 config domain domain fullaccount enable This configures domain fullname authentication information ZXR10 config domain no domain fullaccount This deletes domain fullname authentication information 5 To configure domain name information use the following com mand ZXR10 config domain domain name lt domain name gt This configures domain name information ZXR10 config domain no domain name This deletes domain name information Confidential and Proprietary Information of ZTE CORPORATION 111 ZXR10 5900E Series User Manual Basic Configuration Volume ZTERH 6 To configure domain accounting server information use the following command ZXR10 config domain tdomain radius account server This configures domain lt server id gt accounting server information ZXR10 config domain no domain radius account server This deletes domain accounting server information 7 To configure domain authentication server information use the following command ZXR10 config domain domain radius authen server This configures domain server id authentication server information ZXR10 config dom
53. interface use the following command ZXR10 config if vlanx vrrp group preempt delay To configure whether lt milliseconds gt preemption is enabled on the interface use the following command 4 To configure the time interval for sending VRRP notifications on the interface use the following command ZXR10 config if vlanx vrrp group advertise This configures the time interval msec lt interval gt for sending VRRP notifications on the interface 5 To configure how to learn about the time interval for sending VRRP packets on the interface use the following command ZXR10 config if vlanx vrrp group learn This configures how to learn about the time interval for sending VRRP packets on the interface 6 To configure authentication character string on the interface use the following command 100 Confidential and Proprietary Information of ZTE CORPORATION ZTEDY Chapter 9 VRRP Configuration ZXR10 config if vlanx vrrp group authentication This configures authentication lt string gt character string on the interface 7 To configure VRRP up flow link track function use the following command ZXR10 config if vlanx vrrp group track This configures VRRP up flow lt track num gt decrement lt priority gt link track function 8 To configure the mode of virtual device use the following com mand ZXR10 config if vlanx vrrp lt group mode private This configures
54. new applications, a new requirement for network service quality is raised, because the traditional best-effort network cannot satisfy the requirements of applications. For example, the user cannot use the VoIP service and real-time image transmission normally if packet transfer delay is too long. To solve the problem, provide the system with the capability of supporting QoS. QoS is designed to provide different qualities of service for different demands from various applications, such as providing specific bandwidth, reducing packet loss ratio, and shortening packet transfer delay and delay jitter. To achieve the above purposes, QoS offers the following functions: Traffic classification; Traffic policing; Traffic shaping; Queue scheduling and default 802.1p priority; Redirection and policy routing; Priority mark; Flow mirroring; Traffic statistics. Traffic Classification: Traffic refers to packets passing through the switch. Traffic classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Traffic classification of QoS is based on ACL, and the ACL rule must be permit. The user can classify packets according to some filter options of the ACL, which are as follows: source IP address, destination IP address, source MAC address, des
55. of ZTE CORPORATION 45 ZXR10 5900E Series User Manual Basic Configuration Volume ZTERH Viewing the Record Information That Module Exceeds Threshold zxXR10 Show optical inform threshold alarm interface This views threshold information lt interface name gt of interface optical module includes temperature voltage current sending and receiving power This supports single interface view and single board view Only support physical interface Example This views alarm information that optical module exceeds thresh old ZXR10 Show optical inform threshold alarm Description tem temperature vol volage cur current tx transmit power rx receive power h w high warning h a high alarm l w low warning l a low alarm Interface Time in slot Threshold Violation Type s of Last Known Name DDDD HH MM SS DDDD HH MM SS Threshold Violation gei 2 1 22 14 57 27 04 29 2008 14 57 07 04 29 2008 tem h w 52 00C gt 52 00C 14 57 07 04 29 2008 vol h w 5 00V gt 5 00V 14 57 07 04 29 2008 cur 1 w 60 00mA lt 80 00mA 14 57 07 04 29 2008 rx l a 440 00dBm 333 01dBm 14 57 07 04 29 2008 rx l a 440 00dBm 333 01dBm gei 2 1 23 14 57 27 04 29 2008 14 57 07 04 29 2008 tem h w 52 00C gt 52 00C 14 57 07 04 29 2008 vol h w 5 00V gt 5 00V 14 57 07 04 29 2008 cur l w 60 00mA 80 00mA 14 57 07 04 29 2008 rx l a 440 00dBm 333 01dBm 14 57 07 04 29 2008 rx l a 440 00dBm 333 01dBm The threshold is re
56. rule gt lt port gt p recedence pre value tos lt tos value gt dscp dscp value fragment time range lt timerange name ZXR10 config ext acl move rule no after This moves a rule behind before rule no another rule Example This shows an extended ACL to perform the following functions 1 Permit UDP packets from the network segment 210 168 1 0 24 the destination IP address 210 168 2 10 the source port 100 and the destination port 200 to pass 2 Forbid the BGP packets from the network segment 192 168 2 0 24 passing 3 Forbid all ICMP packets 4 Forbid all packets with the IP protocol No 8 ZXR10 config acl extend number 150 ZXR10 config ext acl rule 1 permit udp 210 168 1 0 0 0 0 255 eq 100 210 168 2 10 0 0 0 0 eq 200 ZXR10 config ext acl rule 2 deny tcp 192 168 2 0 0 0 0 255 eq bgp any ZXR10 config ext acl 4rule 3 deny icmp any any ZXR10 config ext acl rule 4 deny 8 any any Configuring L2 ACL ZXR10 config acl link number lt ac number gt This enters the L2 ACL configuration mode ZXR10 config link acl Rule rule no permit de This configures the rules of ny lt protoco number any gt cos lt va ue gt ingress ACL lt source mac gt lt source mac wildcard gt any vlan id vlan engress4 lt dest mac gt lt dest mac wildcard gt any time range timerange name ZXR10 config link acl move lt rul e no gt after This moves a rule beh
57. set maximum preview time of rules use the following com mand ZXR10 config iptv cac rule 1 256 prvtime This sets maximum preview time of rules The default is global maximum preview time Confidential and Proprietary Information of ZTE CORPORATION 125 ZXR10 5900E Series User Manual Basic Configuration Volume ZTEDH 5 To set the least preview interval of rules use the following command ZXR10 config iptv cac rule 1 256 prvinterval This sets the least preview interval of rules The default is global least preview interval 6 To set the right rule to channel use the following command ZXR10 config iptv cac rule lt 1 256 gt right This sets the right rule to channel 7 To delete rules use the following command ZXR10 config clear iptv cac rule lt 1 256 gt This deletes rules Configuring Administrative Command of IPTV Users ZXR10 config clear iptv client IPTV Configuration Example 1 User which connects to port gei_1 1 is a requesting user of multicast group 224 1 1 1 Vlan ID of this multicast group is 100 Configuration is shown below ZXR10 config nas ZXR10 config nas create iptv cac rule 1 port gei 1 1 iptv cac rule 1 right order 1 ZXR10 config nas iptv control enable ZXR10 config nas create iptv channel special 1 address 224 1 1 1 ZXR10 config nas iptv channel 1 mvlan 100 ZXR10 config nas iptv channel 1 name cctvl 2 User which c
58. specific device mber stack interface information including sending receiving packet statistics The parameter is device ID. ZXR10 show switch status This views current device topology related content. 7 ZXR10 show switch status stack member number This views designated device topology content. The parameter is device ID. Chapter 15 Cluster Management Configuration. Table of Contents: Cluster Management Overview; Configuring Cluster Management; Cluster Management Configuration Example; Cluster Management Maintenance and Diagnosis. Cluster Management Overview: A cluster is a combination of a group of switches in a specific broadcast domain. This group of switches forms a unified management domain, which provides a public network IP address and a management interface to the outside and provides the functions of managing and accessing every member in the cluster. The management switch, on which the public network IP address is configured, is called the command switch, and the other managed switches are called member switches. Generally, a public network IP address is not configured for a member switch; instead, a private address is assigned to the member switch by a DHCP-like function of the command switch. Command switch and member switch form a cluster priva
59. Port Mirroring Overview; Configuring Port Mirroring; Port Mirroring Configuration Example; Loopback Detection Configuration; Port Loopback Detection Overview; Configuring Port Loopback Detection; Port Loop Detection Example; DOM Configuration; DOM Function Overview; Configuring DOM; Enabling DOM Function on Port; Viewing Current Optical Module Information; Viewing Module Threshold Information; Viewing the Record Information That Module Exceeds Threshold; Network Protocol Configuration; IP Address Configuration; IP Address Overview; Configuring IP Address; IP Address Configuration Example; ARP Configuration; ARP Overview; Configuring ARP; ARP Configuration Example; ACL Configuration
60. the mode of standard virtual device 9 To configure virtual device vrrp protocol message out interface use the following command: ZXR10 config if vlanx vrrp <group> out interface <interfacename> This configures virtual device vrrp protocol message out interface. VRRP Configuration Example. Basic VRRP Configuration Example: This example shows that R1 and R2 run the VRRP protocol between each other. R1 interface address 10.0.0.1 is used as the VRRP virtual address; therefore R1 is considered the master router. This is shown in Figure 27. [Figure 27: Basic VRRP configuration. Master (10.0.0.1/16) and backup routers; PC1, PC2, PC3 and PC4 use gateway 10.0.0.1/16.] R1 configuration: ZXR10_R1 config interface vlan 1 ZXR10_R1 config if vlan1 ip address 10.0.0.1 255.255.0.0 ZXR10_R1 config if vlan1 vrrp 1 ip 10.0.0.1 R2 configuration: ZXR10_R2 config interface vlan 1 ZXR10_R2 config if vlan1 ip address 10.0.0.2 255.255.0.0 ZXR10_R2 config if vlan1 vrrp 1 ip 10.0.0.1 Symmetric VRRP Configuration Example: Two VRRP groups are booted in this example, where PC1 and PC2 use the virtual router in Group 1 as default gateway with the address 10.0.0.1, and PC3 and PC4 use the virtual router in Group 2 as default gateway with the address 10.0.0.2. R1 and R
61. thorization Authentication and Accounting. TACACS supports independent authentication, authorization and accounting, allowing different TACACS security servers to act as the authentication, authorization and accounting servers respectively. PPP users and Telnet users that use the system service should be authenticated, authorized and accounted in ZXROS. The TACACS protocol can solve this problem effectively. The TACACS module provides centralized security authentication, authorization and accounting for users logging in. The TACACS software module in ZXROS is client software authenticated by TACACS. It implements the protocol interaction between the NAS and the TACACS security server to complete the TACACS AAA function. The TACACS client also provides the configuration operations needed to set up the TACACS environment. At present, ZXR10 5900E supports TACACS authentication to provide authentication of Telnet users accessing the routers. ZXR10 5900E supports multiple TACACS server groups. Each TACACS group permits the configuration of four authentication servers, and each group can be configured with two parameters: server timeout time and retry times. The administrator can configure different TACACS server groups to select a specific TACACS server. Configuring TACACS: 1 To enable TACACS protocol function use the following command: ZXR10 config tacacs enable This enables TACACS protocol function. 2 To disable TACACS pr
62. thus making traffic of different service quality or different service data, such as voice and FTP, go to different paths. Users have higher and higher requirements for network performance; therefore it is necessary to select different packet forwarding paths based on the differences of services or user categories. Priority Marking: Priority marking is used to reassign a set of service parameters to specific traffic described in the ACL to perform the following operations: 1 Change the CoS queue of the packet and change the 802.1p value. 2 Change the CoS queue of the packet and do not change the 802.1p value. 3 Change the DSCP value of the packet. 4 Change the discard priority of the packet. Marking Outside Vlan Value: Marking outside Vlan value means configuring the outside VLAN tag value for traffic complying with the ACL rule. Traffic Mirroring: Traffic mirroring is used to copy a service flow matching the ACL rule to the CPU or a specific port to analyze and monitor packets during network fault diagnosis. Traffic Statistics: Traffic statistics is used to sum up packets of the specific service flow. This is to understand the actual condition of the network and reasonably allocate network resources. The main content of traffic statistics contains the number of packets received from the incoming direction of the por
63. to Configure System at the Same Time; Viewing System Information; Viewing Hardware and Software Versions of the System; Viewing Running Configuration; Interface Configuration; Basic Port Configuration; Disabling/Enabling an Ethernet port; Enabling/Disabling Auto Negotiation on an Ethernet Port; Configuring Automatic Negotiation Notification on an Ethernet Port; Setting Ethernet port Duplex Mode; Setting Ethernet Port Speed; Setting Flow Control on an Ethernet Port; Allowing/Prohibiting Jumbo Frame on an Ethernet Port; Setting Port Alias on an Ethernet Port; Setting Broadcast Storm Suppression on an Ethernet Port; Setting Multicast Packet Suppression on an Ethernet Port; Setting Unknowcast Packet Suppression on an Ethernet Port; Viewing Layer 2 Interface Physical Status; Displaying Port Information; Diagnosing and Analyzing Lines; Port Mirroring Configuration
64. with the MAC lt mac address gt address 6 To configure whether to charge the local user use the following command ZXR10 config nas localuser lt user id gt accounting This configures whether to enable disable charge the local user Managing DOT1X Authentication Access User 1 To display all dotix authentication users use the following command ZXR10 config nas Show clients device lt device numb This displays all dotix er gt index lt client index gt mac lt mac address gt port authentication users lt port name gt vlan lt vian id gt 2 To delete a specific user use the following command ZXR10 config nas Clear client index lt c ient index gt port This deletes a specific user lt port name gt vlan lt vian id gt 110 Confidential and Proprietary Information of ZTE CORPORATION ZTERHY Chapter 10 DOT1X Configuration Managing Multiple Domains Configuration 1 To enable disable multiple domains function use the following command ZXR10 config no domain auth This disables multiple domains authentication function ZXR10 config domain auth enable This enables multiple domains authentication function 2 To configure domain separator use the following command ZXR10 config domaindelimiter lt domaindelimiter gt 9o or other characters ZXR10 config no domaindelimiter This cancels domain separator configuration 3 To configure domain
65. ztp start on DUT A to conduct topology collection and then execute show ztp device list to view DUT A and DUT B. Configure DUT A as the command switch with group switch type command. View whether DUT A has become the command switch with show group command. Configure DUT B as the member switch with group member device 1 command and then view Member 1 in the up state with the show group member command on DUT A. Log in to Member 1 with the rlogin member 1 command in the privilege mode and log in from Member 1 to the command switch with the rlogin commander command on DUT A. Cluster Management Maintenance and Diagnosis: When encountering a cluster management problem, the fault can be located and removed with the relevant debugging commands. Among these commands, the show command and the debug command may be used. The show command can be used to view current cluster configuration information. 1 To display ZDP configuration information, use the following command: show zdp 2 To view ZTP configuration information, use the following command: show ztp 3 To display cluster configuration information, use the following command: show group 4 To display ZDP neighbor use the following command: show zdp neighbour interface interface mac mac address 5 To display received equipment informatio
66. 0 0 0 0 0 0 0 0 O c 0 0 interface vl if vlanl0 fip dhcp mode server if vlanl0 ip address 10 10 1 1 255 255 255 0 config if vlan10 sexit ip pool pool config ip pool range 10 10 1 10 10 10 1 100 255 255 255 0 config ip pool exit ip dhcp pool an 10 1 dhcpl hep pool ip pool pooll hep pool exit ip dhep policy pl 1 hcp policy hcp policy hcp policy interface v dhcp pool dhcpl default route 10 10 1 1 exit lan 10 config if vlanl0 ip dhcp policy pl 94 Confidential and Proprietary Information of ZTE CORPORATION ZTEDH Chapter 8 DHCP Configuration ZXR10 config ip dhcp enable DHCP Relay Configuration Example Router at the user end is connected directly as DHCP relay when the DHCP client and server are not in the same network Ri enables DHCP relay function and a single server 10 10 2 2 pro vides DHCP server function This mode is usually adopted when a lot of hosts require the DHCP service This is shown in Figure 24 FIGURE 24 DHCP RELAY CONFIGURATION DHCP Server 10 10 2 2 24 R 10 10 1 1 24 PC R1 configuration ZXR10 config interface vlan10 ZXR10 config if vlanl0 ip dhcp mode relay ZXR10 config if vlanl0 ip address 10 10 1 1 255 255 255 0 ZXR10 config if vlanl0 ip dhcp relay agent 10 10 1 1 ZXR10 config if vlanl10 ip dhcp relay server 10 10 2 2 ZXR10 config if vlanl0 exit ZXR10 config ip dhcp enable Confidential an
67. 0 config ip dhcp relay server retry lt limit value gt the retry time limit values that DHCP Relay applies from outside DHCP Server The range is 571000 The value is 10 by default ZXR10 config no ip dhcp relay server retry This recovers default retry time 4 To configure the specific domain name DHCP CLient applies from outside DHCP Server use the following command Confidential and Proprietary Information of ZTE CORPORATION 89 ZXR10 5900E Series User Manual Basic Configuration Volume ZTERH ZXR10 config ip dhcp relay server vclass id lt domain name gt domain domain name gt ip address standard security name that DHCP Client request packet carries lt ip address gt outside DHCP Server ip address in dotted decimal notation standard comply with DHCP standard protocol forwarding mode security ZTE security forwarding mode ZXR10 config no ip dhcp relay server vclass id lt domain name gt domain domain name lt ip address gt name that DHCP Client request packet carries lt ip address gt outside DHCP Server ip address in dotted decimal notation 5 To configure unrestricted DHCP user message on DHCP Relay standard mode or restrict DHCP user message use the follow ing command ZXR10 config ip dhcp relay forward reply This configurse unrestricted unrestricted DHCP user message on DHCP Relay standard mode ZXR10 config no ip dhcp relay forward reply This restricts
68. 0 0 0 is used when a host without an IP address is started. RARP, BOOTP and DHCP are used to obtain the IP address. The address serves as the default route in the routing table. 2 255.255.255.255 is a destination address used for broadcast and cannot serve as a source address. 3 127.X.X.X is called the loopback address. 4 Only an IP address with host bits being all 0 indicates the network itself. An IP address with host bits being all 1 serves as the broadcast address of the network. 5 For a legal host IP address, the network part or the host part should not be all 0 or all 1. Configuring IP Address: 1 ZXR10 config interface interface name This enters interface configuration mode. 2 ZXR10 config if vlanx tip address ip address net This sets IP address mask gt lt broadcast address gt secondary One interface allows multiple IP addresses. IP Address Configuration Example: Suppose that a layer 3 interface vlan1 is created on ZXR10 5900E. The IP address needs to be set to 192.168.3.1 and the mask to 255.255.255.0. The detailed configuration is as follows: ZXR10 config interface vlan 1 ZXR10 config if vlan1 ip address 192.168.3.1 255.255.255.0 The show ip interface command can be used to view the IP address of the interface: ZXR10 config if vlan1 show ip interface vlan1 Adm
69. 10 config traffic mirror in 10 rule id 2 interface gei 1 4 ZXR10 config interface gei 1 8 ZXR10 config gei 1 8 ip access group 10 in ZXR10 config gei_1 8 exit Configuring Tail Drop ZXR10 config qos tail drop lt session index gt queue id This configures the tail drop lt queue id gt lt all threshold yellow threshold gt lt parameter red threshold Example To enable the tail drop function on the port use the following com mand drop mode tail drop lt session id gt This example shows the configuration of tail drop In queue 1 Red packets tail drop value is 120 Yellow packets tail drop value is 120 all packets tail drop value is 240 This is configured on the port gei 1 8 ZXR10 config qos tail drop 1 queue id 1 240 120 120 ZXR10 config finterface gei 1 8 ZXR10 config gei 1 84 drop mode tail drop 1 Configuring Traffic Statistics ZXR10 config straffic statistics lt ac number gt rrulle iid This configures traffic statistics rule no pkt type all green red yellow statistics type byte packet Confidential and Proprietary Information of ZTE CORPORATION 71 ZXR10 5900E Series User Manual Basic Configuration Volume ZTERH Example This example shows the conduction of traffic statistics to data whose destination IP address network segment is 67 100 88 0 24 on the port gei_1 8 ZXR10 config acl extend number 100 ZXR10 config ext acl rule 1 permit ip 168 2
70. 2 Pay attention to the format requirement while editing startrun.dat with a text editor. Software Version Upgrade: Normally, version upgrade is needed only when the original version does not support some functions or the equipment cannot run normally due to some special reasons. If version upgrade operations are performed improperly, the upgrade may fail or the system may fail to start. Therefore, before version upgrade, the maintenance personnel must be familiar with the principles and operations of the ZXR10 5900E and learn the upgrade steps earnestly. Upgrading the Version at Abnormality: To upgrade the version for ZXR10 5900E in an abnormal case, perform the following steps: 1 Set the switch management Ethernet port IP address and the background host in the same network section. 2 Refer to the FTP/TFTP overview and start the background FTP server. 3 Reboot ZXR10 5900E and press any key at the prompt in a HyperTerminal session to enter the Boot state. The display is as follows: ZXR10 System Boot Version 1 0 Creation date Dec 31 2002 14 01 52 Omitted Press any key to stop for change parameters 2 ZXR10 Boot Type c in the Boot state and press ENTER to enter the parameter modification state. Change the boot mode to booting from the background FTP, change the FTP server address to that of the background host, change the client and gateway addresses to that of the management Ethernet port of the switch, set the
71. 2 serve as mutual backup. Four hosts cannot communicate with the outside world until both routers become invalid. This is shown in Figure 28. [Figure 28: Symmetric VRRP configuration. Master and backup routers with interfaces 10.0.0.1/16 and 10.0.0.2/16; each router carries Group id 1 (addr 10.0.0.1/16) and Group id 2 (addr 10.0.0.2/16); PC1, PC2, PC3 and PC4 use gateways 10.0.0.1/16 and 10.0.0.2/16.] R1 configuration: ZXR10_R1 config interface vlan 1 ZXR10_R1 config if vlan1 ip address 10.0.0.1 255.255.0.0 ZXR10_R1 config if vlan1 vrrp 1 ip 10.0.0.1 ZXR10_R1 config if vlan1 vrrp 2 ip 10.0.0.2 R2 configuration: ZXR10_R2 config interface vlan 1 ZXR10_R2 config if vlan1 ip address 10.0.0.2 255.255.0.0 ZXR10_R2 config if vlan1 vrrp 1 ip 10.0.0.1 ZXR10_R2 config if vlan1 vrrp 2 ip 10.0.0.2 VRRP Maintenance and Diagnosis: To perform VRRP maintenance and diagnosis, ZXR10 5900E provides the following command to view all VRRP configuration information: show vrrp <group> brief interface interface name all ZXR10 5900E provides the debug vrrp command to display VRRP debug information switch: debug vrrp state packet event error all
72. 5 5 0 0 0 0 any ZXR10 config ext acl rule 2 permit ip any 67 100 88 0 0 0 0 255 ZXR10 config ext acl exit ZXR10 config traffic statistics 100 rule id 2 pkt type all statistics type byte ZXR10 config interface gei 1 8 ZXR10 config gei_1 8 ip access group 100 in QoS Configuration Example Typical QoS Configuration Example Network A Network B and internal servers are all connected to an Ethernet switch as shown in Figure 21 One of internal servers is the VOD server with the IP address of 192 168 4 70 To guar antee service quality of the VOD configure it as one with high priority The internal user can access the Internet over the agent 192 168 3 100 but the bandwidth of Network A and Network B should be restricted and their traffic statistics should be conducted FIGURE 21 QOS CONFIGURATION EXAMPLE Se DepartmentA 192 168 1 0 24 Switch gei 1 2 VLAN DepartmentB gei 1 1 GZ 192 1682 0 24 VLANI gei 1 4 VLAN4 Mail FTP VOD Server Server Server Switch configuration ZXR10 config acl extend number 100 ZXR10 config ext acl rule 1 permit tcp any 192 168 4 70 0 0 0 0 ZXR10 config ext acl rule 2 permit ip any 192 168 3 100 0 0 0 0 ZXR10 config ext acl 4rule 3 permit ip any any 72 Confidential and Proprietary Information of ZTE CORPORATION ZTEDH Chapter 7 QoS Configuration ZXR10 config ext acl exit To guarantee the service quality of the VOD change the 802 1pvalue to 7 ZXR10
73. 6

FIGURE 26 DHCP SNOOPING PREVENT STATIC IP CONFIGURATION
(Figure: PC, R1 and DHCP Server.)

R1 configuration:
ZXR10(config)#ip dhcp snooping enable
ZXR10(config)#ip dhcp snooping vlan 100
ZXR10(config)#vlan 100
ZXR10(config-vlan100)#ip arp inspection

DHCP Maintenance and Diagnosis

1. To display configuration information of the DHCP relay process module, use the following command:
show ip dhcp relay forward information security server snooping user
2. To display configuration information of the local address pool, use the following command:
show ip local pool <pool name>
3. To display configuration information of interface related DHCP server relay, use the following command:
show ip interface
4. To display the DHCP snooping configuration, use the following command:
show ip dhcp snooping configure
5. To view the DHCP snooping VLAN, use the following command:
show ip dhcp snooping vlan vlan id
6. To view the IP DHCP snooping trust, use the following command:
show ip dhcp snooping trust
7. To display DHCP snooping database, use the following command:
show ip dhcp snooping database <port number>
8. To view dynamic arp inspection use the
74. ZXR10
The of Age in the result indicates that it is the ARP of the switch VLAN interface. The ARP is generated in the process of configuring the switch VLAN interface address. s indicates that it is a static ARP, and P indicates that it is a permanent ARP added manually. The number means the time since the ARP was last updated.

Chapter 6 ACL Configuration

Table of Contents
ACL Overview
Configuring ACL
ACL Configuration Example
ACL Maintenance and Diagnosis

ACL Overview

Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs can filter traffic as it passes through a router and permit or deny packets at specified interfaces.

An ACL is a sequential collection of permit and deny conditions that apply to packets. When a packet is received on an interface, the switch compares the fields in the packet against any applied ACLs to verify that the packet has the required permissions to be forwarded, based on the criteria specified in the access lists. It tests packets against th
75. 2. Select Security > User Rights and perform the following operations on the popup dialog box:
i. Click New User to create a user (target, for example) and set a password for it.
ii. Select target from the User Name drop-down list.
iii. Type the directory of the version/configuration file in the Home Directory text box, such as D:\IMG.
After these settings, the dialog box appears as shown in Figure 12.

FIGURE 12 USER RIGHTS SECURITY DIALOG BOX
(Figure: User Rights Security Dialog with User Name target, the New User, Delete and Change Pass buttons, and the Home Directory field.)

3. Click Done to finish the settings.

Configuring Switch as a TFTP Client

Start the TFTP server on the background host and access the ZXR10 5900E as a TFTP client from the TFTP server.

1. Run tftpd on the background host; an interface appears as shown in Figure 13.

FIGURE 13 TFTPD INTERFACE
(Figure: Tftpd window showing "Server is not running".)

2. Select Tftpd > Configure, click Browse on the popup dialog box and select a directory to store the version/configuration file, such as D:\IMG. The following dialog box will appear, as shown in Figure 14.

FIGURE 14 CONFIGURING DIALOG BOX
76. ZXR10(config-vlan1)#vbas enable
ZXR10(config-vlan1)#exit
ZXR10(config)#interface gei_1/1
ZXR10(config-gei_1/1)#vbas trust
ZXR10(config-gei_1/1)#vbas port type user

Note: In this example, vlan1, which enables VBAS, should include at least two interfaces: one connecting the user and another connecting BRAS equipment. In this example, gei_1/1 is used to connect BRAS equipment.

VBAS Maintenance and Diagnosis

In privileged mode, the command debug vbas is used to open the VBAS debug function and send VBAS debug information.

Chapter 12 IPTV Configuration

Table of Contents
Internet Protocol Television Overview
Configuring IPTV
IPTV Configuration Example
IPTV Maintenance and Diagnosis

Internet Protocol Television Overview

Internet Protocol television (IPTV) is also called Interactive Network TV. IPTV is a method of distributing television content over IP that enables a more customized and interactive user experience. IPTV could allow people who were separated geographically to watch a movie together while chatting and exchang
77. Configuration

DAI Configuration

DAI Overview

ARP-based attacks often happen in networks. The DHCP Snooping module on the switch implements the DAI (Dynamic ARP Inspection) function, but this function is limited. Currently, the DAI function only checks the DHCP Snooping binding table for ARP packets that the switch learns; that is, it can only check layer 3 users. If users of the switch are in the same VLAN, communication between them requires the switch to forward at layer 2, not layer 3, so the switch does not need to learn the ARP packets of these users. Therefore there is no relevant security check. This is a serious security gap that allows a man-in-the-middle attack, as shown in Figure 38.

FIGURE 38 MAN IN THE MIDDLE ATTACK
(Figure: Host A (IA, MA), Host B (IB, MB) and Host C, the man in the middle (IC, MC).)

A, B and C are in the same broadcast domain, that is, the same network segment. When A and B communicate with each other, an ARP packet is sent first, which can be learned by C. If C acts as a man in the middle to do malicious scanning, it only sends a free (gratuitous) ARP to A to inform it that the MAC address corresponding to the IP of B has been updated to that of C, and the flow from A to B is then forwarded directly to C. Based on the same principle, the flow from B to A can be forwarded to C. After doing malicious scanning on a packet, C modifies the destination address to the real MAC address of B or A and returns the packet to the switch. The flow between A and B can be forwarded normally and not be perceived
78. Configuring Switch Stack System
Accessing the Specific Stack Member by Command Line
Viewing Switch Stack System Information

Switch Stack System Introduction

A switch stack system is a collection of multiple switches, implemented by connecting the switch stack ports with stack cables. The multiple switches in a stack system work together as one switch. Layer 2 and Layer 3 protocols act as one entity in the network.

59 series switches support a stack of at most 9 devices, in which one switch is the main device that can configure and manage all members in the stack system. All the features that the main switch supports can be supported in the stack system.

The main switch saves the configuration file of the stack system. When the configuration is saved, the configuration file is copied to all stack members for backup.

When the stack system acts as a layer 3 device, the MAC address of the stack system is the unique ID in the network. The MAC address of the main device in the stack system is that of the whole stack system. Each stack member is identified by its stack member ID.

Any one of the stack members can be the main device. When the main device isn't applicable, a new main device will be designated among the other member devices according to a specific rule. The rule will be introduced as follows.

The stack system can be managed with an IP address which is not related to the specific main device and other stack members but is a system level
79. Flash with the nvram imgfile location local command in the global configuration mode.
10. Type at the prompt ZXR10 Boot and press ENTER to boot the system with the new version in the Flash.
11. When the system is booted successfully, check the running version to confirm the success of the upgrade.

Upgrading the Version at Normality

Upgrade the software version in several different ways when the switch is working properly, including copying the version to the switch acting as an FTP/TFTP client and remote upgrade over FTP.

The local upgrade procedure is as follows when the switch is serving as an FTP client:

1. Connect the ZXR10 5900E's console port on the main control board to the serial port of the background host with a console cable attached to the switch; connect the management Ethernet port (10/100 M Ethernet port on the main control board) to the background host's network port with a straight-through network cable. Make sure that both connections are correct.
2. Set the background host for upgrade to be in the same network segment as the switch's management Ethernet port, so that the background host can ping the management Ethernet port.
Refer to FTP/TFTP overview.
Start the background FTP server.
View the running version.
Delete the old version file from the Flash's IMG directory with the delete command. If there is enough space in the Flash, you can also reserve the old version with another
80. MPLE
Figure 17 ERSPAN MIRRORING EXAMPLE
Figure 18 Port Loopback Detection Example
Figure 19 ACL Configuration Example
Figure 20 TRAFFIC POLICING WORKING FLOW
Figure 21 QOS CONFIGURATION EXAMPLE
Figure 22 POLICY ROUTING EXAMPLE
Figure 23 DHCP SERVER CONFIGURATION
Figure 24 DHCP RELAY CONFIGURATION
Figure 25 DHCP SNOOPING CONFIGURATION
Figure 26 DHCP SNOOPING PREVENT STATIC IP CONFIGURATION
Figure 27 BASIC VRRP CONFIGURATION
Figure 28 SYMMETRIC VRRP CONFIGURATION
Figure 29 DOT1X RADIUS AUTHENTICATION APPLICATION
Figure 30 DOT1X TRUNK AUTHENTICATION APPLICATION
Figure 31 NTP CONFIGURATION EXAMPLE
Figure 32 CLUSTER MANAGEMENT NETWORKING
Figure 33 SWITCH SWITCHING RULE
Figure 34 CLUSTER MANAGEMENT CONFIGURATION
Figure 35 IP SOURCE GUARD Configuration
Figure 36 IP Source Guard Configuration
Figure 37 IP Source Gu
81. OE Overview
Configuring PoE
PoE Configuration Example
PoE Maintenance
Figures
Tables
Glossary

About This Manual

Purpose
This manual is ZXR10 5900E (V2.8.23.B) Series All Gigabit-Port Intelligent Routing Switch User Manual (Basic Configuration Volume). This manual introduces basic functions of ZXR10 5900E, including configuration modes, network protocol configuration, ACL configuration, network management configuration and security configuration.

Intended Audience
This manual is intended for the following engineers:
on-site maintenance engineers
network monitor engineers
system maintenance engineer

What Is in This Manual
ZXR10 5900E (V2.8.23.B) Series All Gigabit-Port Intelligent Routing Switch User Manual (Basic Configuration Volume) contains the following chapters:

Chapter: Summary
Chapter 1 Safety Description: This chapter describes the safety instructions and signs.
Chapter 2 Usage and Operation: This chapter describes configuration mode, command mode and command line use.
Chapter 3 System Management: This chapter introduces system management, file system and operation of switch and software version upgrade procedure in detail.
Chapter 4 Interface: This chapter describes interface
82. FIGURE 36 IP SOURCE GUARD CONFIGURATION
(Figure: PC, R1 and DHCP Server.)

IP Source Guard based on MAC address is configured in the gei_1/2 interface mode. After getting an IP address dynamically, the PC can only pass data packets whose source MAC address is that of the local host NIC card.

Configuration of R1:
ZXR10(config)#ip dhcp snooping enable
ZXR10(config)#ip dhcp snooping vlan 100
ZXR10(config)#ip dhcp snooping trust gei_1/1
ZXR10(config)#interface gei_1/2
ZXR10(config-if)#ip dhcp snooping ip source guard mac base

IP Source Guard Configuration based on IP Address and MAC address

In Figure 37, the DHCP server connects to gei_1/1 on R1; the administrator sets management DHCP. gei_1/1 belongs to vlan100. The DHCP Snooping function is enabled in VLAN100 and interface gei_1/1 is configured as trusted. The PC connects to gei_1/2 of the switch, which belongs to vlan100.

FIGURE 37 IP SOURCE GUARD CONFIGURATION 2
(Figure: PC, R1 and DHCP Server.)

IP Source Guard based on MAC address is configured in the gei_1/2 interface mode. After getting an IP address dynamically, the PC can only pass data packets whose source MAC address is that of the local host NIC card and whose source IP address is the one distributed by the DHCP server.

Configuration of R1:
ZXR10(config)#ip dhcp snooping enable
ZXR10(config)#ip dhcp snooping vlan 100
ZXR10(config)#ip dhcp snooping trust gei_1/1
ZXR10(config)#interface gei_1/2
ZXR10(config-if)#ip dhcp snooping
83. Use the following command to configure the user name and password:
username username password password

To strengthen the security of the switch, the switch can limit Telnet login of the users. Use the following command to admit or refuse a Telnet IP address:
line telnet access class basic access list

1. Connect the host directly to the switch and Telnet to the switch.
i. Configure the Telnet login user name and password through the console port.
ii. Configure the Telnet login user name and password through the console port.
iii. Connect the host network port to the Ethernet port of the switch.
iv. Set the host IP address to one in the same network segment as that of the VLAN interface, so that the host can ping the IP address of the VLAN interface.
v. Run the telnet command on the host and input the IP address of the VLAN interface to log in to the switch, as shown in Figure 7.

FIGURE 7 RUN TELNET

vi. Click OK to enter the interface as shown in Figure 8.

FIGURE 8 TELNET LOGIN

vii. Type the correct user name and password at the prompt to enter into switch configuration
84. 3. After the Connection Description dialog box appears, enter a name and choose an icon for the new connection, as shown in Figure 4.

FIGURE 4 SETTING UP A CONNECTION

4. Based on the serial port connected to the console cable, choose COM1 or COM2 as the serial port to be connected, as shown in Figure 5.

FIGURE 5 CONNECTION CONFIGURATION

5. Enter the properties of the selected serial port, as shown in Figure 6. The port property configuration includes:
Bits per Second: 9600
Data bit: 8
Parity: None
Stop bit: 1
Data flow control: None

FIGURE 6 COM1 PROPERTIES

Power on and boot ZXR10 5900E to initialize the system and to enter into configuration for operational use.

Telnet Connection Configuration

Telnet is the main remote configuration mode for the ZXR10 5900E. Telnet access is set through user name and password. This prevents unauthorized users from accessing the switch through Telnet
85. Displaying Port Information

ZXR10#show interface <port name>
This views Ethernet port state information.
ZXR10#show running config interface <port name>
This displays Ethernet port configuration information.

Example

1. It shows the state and statistics for port gei_1/2.

ZXR10#show int gei_1/2
gei_1/2 is up, line protocol is up
Description is none
Keepalive set 10 sec
The port is electric
Duplex full
Mdi type auto
VLAN mode is access, pvid 10 BW 100000 Kbits
Last clearing of show interface counters 0Day 0Hour 3Min 8Sec
20 seconds input rate 0 Bps, 0 pps
20 seconds output rate 0 Bps, 0 pps
Interface peak rate input 40 Bps, output 0 Bps
Interface utilization input 0, output 0
Forward packets input/output statistics, including error packet statistics
Input
Packets 19 Bytes 1501
Unicasts 19 Multicasts 0 Broadcasts 0
Undersize 0 Oversize 0 CRC ERROR 0
Dropped 0 Fragments 0 Jabber 0
MacRxErr 0
Output
Packets 0 Bytes 20
Unicasts 0 Multicasts 0 Broadcasts 0
Collision 0 LateCollision 0
Total
64B 0 65-127B 19 128-255B 0
256-511B 0 512-1023B 0 1024-2047B 0

2. It shows the configuration information for port gei_1/2.

ZXR10#show run int gei_1/2
Building configuration
interface gei_1/2
negotiation auto
switchport access vlan 10
switchport qinq normal

Diagnosing and An
86. The criteria is that Internet resources can only be accessed through the authentication host, and only enterprise network resources can be accessed by other hosts.

Divide the hosts in the enterprise into a sub-network or multiple sub-networks, where the hosts can access each other.

Enable the 802.1X trunk function on the Ethernet switch inside the sub-network and enable 802.1X authentication on the Ethernet port of the sub-network gateway.

Do not charge users inside the enterprise, and only authenticate them on the Radius server. The master/slave authentication servers are 10.1.1.1 and 10.1.1.2 respectively.

It is assumed that the enterprise uses the 2826E Ethernet switch inside it and the gateway uses the ZXR10 5900E.

2826E configuration:
Set dot1xrelay enable

ZXR10 5900E configuration:
ZXR10(config)#radius authentication group 1
ZXR10(config-authgrp-1)#server 1 10.1.1.1 key aaazte port 1812
ZXR10(config-authgrp-1)#server 2 10.1.1.2 key aaazte port 1812
ZXR10(config-authgrp-1)#exit
ZXR10(config)#nas
ZXR10(config-nas)#create aaa 1 port gei_1/1
ZXR10(config-nas)#aaa 1 control dot1x enable
ZXR10(config-nas)#aaa 1 authentication radius
ZXR10(config-nas)#aaa 1 authorization auto
ZXR10(config-nas)#aaa 1 accounting disable
ZXR10(config-nas)#aaa 1 multiple hosts enable
ZXR10(config-nas)#aaa 1 default isp zte163.net
ZXR10(config-nas)#aaa 1 fullaccount
87. ZXR10 5900E Series All Gigabit-Port Intelligent Routing Switch
User Manual (Basic Configuration Volume)
Version 2.8.23.B

ZTE CORPORATION
ZTE Plaza, Keji Road South, Hi-Tech Industrial Park, Nanshan District, Shenzhen, P. R. China 518057
Tel: 86 755 26771900
Fax: 86 755 26770801
URL: http://ensupport.zte.com.cn
E-mail: support@zte.com.cn

LEGAL INFORMATION

Copyright 2006 ZTE CORPORATION.

The contents of this document are protected by copyright laws and international treaties. Any reproduction or distribution of this document or any portion of this document, in any form by any means, without the prior written consent of ZTE CORPORATION is prohibited. Additionally, the contents of this document are protected by contractual confidentiality obligations.

All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE CORPORATION or of their respective owners.

This document is provided "as is", and all express, implied, or statutory warranties, representations or conditions are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose, title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the use of or reliance on the information contained herein.

ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications coveri
88. ain sno domain radius authen server
This deletes domain authentication server information.

8. To configure ISP name in rule, use the following command:
ZXR10(config-nas)#aaa <rule id> default isp <isp name>
This configures ISP name in default rule.
ZXR10(config-nas)#no aaa <rule id> default isp
This deletes ISP name in rule.

9. To configure domain name separator in rule, use the following command:
ZXR10(config-nas)#aaa <rule id> domaindelimiter <domaindelimiter>
9o or other characters
ZXR10(config-nas)#no aaa <rule id> domaindelimiter
This cancels domain separator in rule.

Configuring 802.1x VLAN Hopping

To configure VLAN hopping function at the interface, use the following command:
ZXR10(config-gei_1/x)#vlanjump enable disable defaultauthvlan <vlan id>
This configures VLAN hopping function at the specific interface.

DOT1X Configuration Example

Dot1x Radius Authentication Application

Workstation of a user is connected to Ethernet A of the Ethernet switch. This is shown in Figure 29.

FIGURE 29 DOT1X RADIUS AUTHENTICATION APPLICATION
(Figure: Radius Server 10.1.1.1 and 10.1.1.2, Switch as Authenticator, and the supplicant.)

The following needs to be implemented on the switch:
Conduct user access authenticati
89. al resource. When all authentication users at the port are offline, the port can recover the attribute of Guest Vlan. If one authentication user exists on the port, the port can't recover the attribute of Guest Vlan.

This application can be implemented on the 5900/5200 switch. In figure Dot1x radius authentication application and figure Dot1x trunk authentication application, the authenticator applies 5900/5200. The configuration example of 5900/5200 is as follows:

ZXR10(config)#nas
ZXR10(config-nas)#create aaa 1 port gei_1/1
ZXR10(config-nas)#aaa 1 control dot1x enable
ZXR10(config-nas)#aaa 1 authentication local
ZXR10(config-nas)#create localuser 1 name A0001
ZXR10(config-gei_1/1)#vlanjump enable defaultauthvlan 20

In the above configuration, the local authentication function on 5900/5200 is applied to meet the manager application requirement.

DOT1X Maintenance and Diagnosis

When encountering a DOT1X problem, we can locate the fault and remove it with relevant debugging commands. Among these commands, the show command and debug command may be used.

To display Dot1x authentication configuration information, use the following command:
show dot1x
To view an AAA control entry, use the following command:
show aaa
To display online user information, use the following command:
show clients
To display configured local user information use the fo
90. alyzing Lines

ZXR10 5900E supports cable connection diagnosis and analysis to find out any abnormality and accurately locate the fault for easy network management and troubleshooting.

FE electrical port and GE electrical port are both connected to other devices with a network cable. There are four twisted pairs in a network cable. The FE electrical port uses pairs 1-2 and 3-6, and the GE electrical port uses all four pairs: 1-2, 3-6, 4-5 and 7-8. Line detection is to test the state of each twisted pair, which includes:

Open: open line
Short: short circuit
Good: normal line
Broken: open broken line
Unknown: unknown line or no result
Crosstalk: line coupling
Fail: detection failure

In case of line fault, the location of failure is output. If the line is normal, the approximate length of the line is output.

To diagnose and analyze a line, run the show vct interface command in any configuration mode other than user configuration mode.

Example

Detect the line of port gei_1/2.

ZXR10(config)#show vct int gei_1/2
CableStatus Good
Pair 1-2 3-6 4-5 7-8
Status Good Good Good Good
Length 50m 50m 50m 50m

Caution: Line diagnosis and analysis will restart the tested port, when links of the port is broken and then restored. This function is used only
91. Command Mode Function

ZXR10 5900E allocates the commands to various modes based on the function. In order to authorize the facilitation to user's configuration and management for the switch, only one command can be executed in the special mode.

Input a mark in any command mode to view allowed commands in this mode. The main commands of the ZXR10 5900E are shown in Table 1.

TABLE 1 COMMAND MODES

User mode. Entry command: directly enter it after logging in to the system.
Privileged mode. Prompt: ZXR10#. Entry command: enable (user mode).
Global configuration mode. Prompt: ZXR10(config)#. Entry command: configure terminal (privileged mode).
Port configuration mode. Prompt: ZXR10(config-gei_1/x)#. Entry command: interface <interface name> byname <by name> (global configuration mode).
VLAN database configuration mode. Prompt: ZXR10(vlan)#. Entry command: vlan database (privileged mode).
VLAN configuration mode. Prompt: ZXR10(config-vlan)#. Entry command: vlan <vlan id> <vlan name> (global configuration mode).
VLAN interface configuration mode. Prompt: ZXR10(config-if)#. Entry command: interface vlan vlan id vlan if (global configuration mode).
MSTP configuration mode. Prompt: ZXR10(config-mstp)#. Entry command: spanning tree mst configuration (global configuration mode).
Standard ACL configuration mode. Prompt: ZXR10(config-std-acl)#. Entry command: acl standard number <acl number> name <acl name> (global configuration mode).
Extended ACL. Prompt: ZXR10(config-ext-acl)#. Entry command: acl
92. ard Configuration
Figure 38 Man in the middle Attack
Figure 39 DAI Configuration Example
Figure 40 Manual Mode Basic MFF Function Configuration Example
Figure 41 POE Power Supply

Tables
Table 1 COMMAND MODES
Table 2 INVOKING A COMMAND
Table 3 Interface State Abnormal Condition
Table 4 IP ADDRESS RANGE FOR EACH CLASS

Glossary
AAA: Authentication Authorization and Accounting
ACL: Access Control List
ARP: Address Resolution Protocol
BAS: Broadband Access Server
BOOTP: BOOTstrap Protocol
CBS: Cell Broadcast Service
CIR: Committed Information Rate
CoS: Class of Service
DHCP: Dynamic Host Configuration Protocol
DSCP: Differentiated Services Code Point
DSLAM: Digital Subscriber Line Access Multiplexer
EAPOL: Extensible Authentication Protocol Over LAN
FTP: File Transfer Protocol
ICMP: Internet Control Message Protocol
IP: Internet Proto
93. at n computers are linked to the port gei_1/1 and when these computers communicate on the sub network.

We can view traffic statistics data through NMS software and view RMON statistics information with the show command:

ZXR10#show rmon statistics
EtherStatsEntry 1 is active, and owned by rmontest
Monitors ifEntry 1 1 which has
Received 60739740 octets, 201157 packets,
1721 broadcast and 9185 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 32 collisions.
# of dropped packet events (due to lack of resources): 511
# of packets received of length (in octets):
64: 92955, 65-127: 14204, 128-255: 1116,
256-511: 4479, 512-1023: 85856, 1024-1518: 2547
ZXR10#

2. This example shows how to configure and start history control entries of the RMON.

ZXR10(config)#interface gei_1/1
ZXR10(config-gei_1/1)#rmon collection history 1 bucket 10 interval 10 owner rmontest
ZXR10(config-gei_1/1)#

View RMON history information with the show command:

ZXR10#show rmon history
Entry 1 is active, and owned by rmontest
Monitors ifEntry 1 1 every 10 seconds
Requested # of time intervals, ie buckets, is 10
Granted # of time intervals, ie buckets, is 10
Sample 1 began measuring at 00:11:00
Received 38346 octets, 216 packets,
0 broadcast and 80 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions.
# of dropped packet
94. Chapter 8 DHCP Configuration

Table of Contents
DHCP Overview
Configuring DHCP
DHCP Configuration Example
DHCP Maintenance and Diagnosis

DHCP Overview

Dynamic Host Configuration Protocol (DHCP) enables a host on the network to obtain an IP address, ensuring its normal communication, and relevant configuration information from a DHCP server.

DHCP adopts UDP as the transmission protocol. The host sends a message to Port 67 of the DHCP server, and the DHCP server returns the message to Port 68 of the host. The DHCP works in the following steps:

1. Host sends a broadcast packet DHCPDiscover, including the request of IP address and other configuration parameters.
2. DHCP server returns a unicast packet DHCPOffer, including the valid IP address and configuration.
3. Host selects the server whose DHCPOffer arrives first and sends a unicast DHCPRequest to the server, indicating to accept relevant configuration.
4. Selected DHCP server returns a unicast packet DHCPAck for confirmation.

By now, the host can use the IP address and relevant configuration obtained from the DHCP server for communication.

DHCP supports three mechanisms for IP address allocation:

1. Automatic allocation: DHCP assigns a permanent IP address to a c
95. 1. If a packet matches multiple rules at the same time, the first matched rule shall apply. Therefore, the sequence of these rules is critically important. In usual cases, the rule with the smaller range is put ahead and the rule with the larger range is put behind.
2. Taking network security into account, an implicit Deny rule is automatically attached to the end of each ACL to deny all packets. Therefore, a Permit rule is usually configured at the end of the ACL to permit all packets to pass through.

Configuring Basic ACL Rule

ZXR10(config)#acl standard number <acl number> name <acl name>
This enters the standard ACL configuration mode.
ZXR10(config-std-acl)#rule <1 100> permit deny <source> <source wildcard> any time range <timerange name>
This configures the rules of ACL.
ZXR10(config-std-acl)#move rule no after before <rule no>
This moves a rule behind another rule.

Example

This example defines a standard ACL. The ACL permits packets from the network segment 192.168.1.0/24 to pass but rejects packets with the source IP address of 192.168.1.100.

ZXR10(config)#acl standard number 10
ZXR10(config-std-acl)#rule 1 deny 192.168.1.100
ZXR10(config-std-acl)#rule 2 permit 192.168.1.0 0.0.0.255

Configuring Extended ACL

ZXR10 config acl extend number ac number n This enters the extended ACL
96. aximum frame allowed on an Ethernet port is 1560 byte long and jumbo frames are prohibited. Maximum frame allowed on an Ethernet port is 9216 byte long when jumbo frames are permitted.

Setting Port Alias on an Ethernet Port

ZXR10(config)#interface <port name>
This enters interface configuration mode.
ZXR10(config-gei_1/x)#byname <by name>
This sets port alias on an Ethernet port.

Port alias is set to uniquely identify a port with a mnemonic name. A port can be accessed with its alias instead of the port name.

Setting Broadcast Storm Suppression on an Ethernet Port

ZXR10(config)#interface <port name>
This enters interface configuration mode.
ZXR10(config-gei_1/x)#broadcast limit <value>
This sets broadcast storm suppression on an Ethernet port.

Broadcast traffic through an Ethernet port can be limited. Broadcast packets are dropped when the traffic exceeds the limit, so that the broadcast traffic through the Ethernet port is kept in a reasonable range. This effectively suppresses broadcast storms, helps avoid congestion and ensures normal provisioning of network services.

Broadcast storm suppression is implemented by setting the rate parameter: the lower the rate, the smaller the allowed broadcast traffic.

Setting Multicast Packet Suppression on an Eth
97. client doesn't get an IP address from an illegal DHCP server set up by some clients, but only gets a legal IP address from the DHCP server set up by the administrator. Secondly, in a subnet where DHCP service is deployed, a host that is designated a legal IP address, subnet mask and gateway can access the network normally, but the DHCP server may still allocate this IP address to other hosts. This leads to address collision and affects the normal distribution of IP addresses.

DHCP snooping function is enabled for ZXR10 5900E to prevent a bogus DHCP server from being placed in the network; in this case the port connecting to the DHCP server must be set as a trusted port. What's more, dynamic ARP inspection technology can be used together with it to prevent illegal IP and MAC address bindings, thus ensuring normal assignment of IP addresses by the DHCP server.

Configuring DHCP

Configuring IP Pool

1. To configure or delete an IP pool, use the following commands:
ZXR10(config)#ip pool <word>
  This creates the IP pool which the DHCP function uses and enters the configuration mode of the IP pool with the corresponding name. <word>: IP address pool name, 1-16 characters.
ZXR10(config)#no ip pool <word>
  This deletes the IP address pool with the corresponding name.
2. To configure conflict time in an IP pool or delete the original configuration, use the following commands:
ZXR10 config ip pool conflict time time
98. IPTV: Internet Protocol Television
MAC: Medium Access Control
MIB: Management Information Base
NMS: Network Management System
NTP: Network Time Protocol
PBS: Peak Burst Size
PIR: Peak Information Rate
QoS: Quality of Service
RADIUS: Remote Authentication Dial In User Service
RARP: Reverse Address Resolution Protocol
RMON: Remote Monitoring
SP: Signal Processing module
TCP: Transfer Control Protocol
TFTP: Trivial File Transfer Protocol
ToS: Type Of Service
UDP: User Datagram Protocol
VBAS: Virtual Broadband Access Server
VLAN: Virtual Local Area Network
VRRP: Virtual Router Redundancy Protocol
WRR: Weighted Round Robin
ZDP: ZTE Discovery Protocol
ZTP: ZTE Topology Protocol
99. config group reset member all | <member id>
  This restarts the member on the command switch.
2. To save the member on the command switch, use the following command:
ZXR10(config)#group save member all | <member id>
  This saves the configuration for the member on the command switch.
3. To delete the member configuration file from the command switch, use the following command:
ZXR10(config)#group erase member all | <member id>
  This deletes the member configuration file from the command switch.
4. To configure the tftp server on the cluster, use the following command:
ZXR10(config)#group tftp server <ip_addr>
  This configures the tftp server on the cluster.
5. To configure the alarm receiver on the cluster, use the following command:
ZXR10(config)#group trap host <ip_addr>
  This configures the alarm receiver on the cluster.

Cluster Management Configuration Example

Connect two devices to implement cluster management, as shown in Figure 34.

FIGURE 34 CLUSTER MANAGEMENT CONFIGURATION (figure: DUT A, DUT B)

Configuration steps are as follows:
1. Ensure that two ports are in a VLAN configured as vlan1 and ensure that vlan1 does not configure a Layer 3 address.
2. Execute show zdp neighbor on DUT A and ensure the zdp neighbor is already set up.
3. Execute
100. ZXR10(config)#priority-mark in 100 rule-id 1 dscp 62 cos 7 local-precedence 7 drop-precedence low

Restrict the bandwidth of Network A to access Internet:
ZXR10(config)#traffic-limit in 100 rule-id 2 cir 5000 cbs 2000 ebs 3000 mode blind

Sum up traffic of Network A:
ZXR10(config)#traffic-statistics in 100 rule-id 2 pkt-type all statistics-type byte

ZXR10(config)#acl extend number 101
ZXR10(config-ext-acl)#rule 1 permit tcp 192.168.2.0 0.0.0.255 192.168.4.70 0.0.0.0
ZXR10(config-ext-acl)#rule 2 permit ip any 192.168.3.100 0.0.0.0
ZXR10(config-ext-acl)#rule 3 permit ip any any
ZXR10(config-ext-acl)#exit

To guarantee the service quality of the VOD, change the 802.1p value to 7:
ZXR10(config)#priority-mark in 101 rule-id 1 dscp 62 cos 7 drop-precedence low

Restrict the bandwidth of Network B to access Internet:
ZXR10(config)#traffic-limit in 101 rule-id 2 cir 10000 cbs 2000 ebs 3000 mode blind

Sum up traffic of Network B:
ZXR10(config)#traffic-statistics in 101 rule-id 2

ZXR10(config)#interface gei_1/1
ZXR10(config-gei_1/1)#ip access-group 100 in
ZXR10(config-gei_1/1)#exit
ZXR10(config)#interface gei_1/2
ZXR10(config-gei_1/2)#ip access-group 101 in

Policy Routing Configuration Example

When there are many Internet Service Provider (ISP) egresses on the network, select different ISP egresses for users from different groups through policy routing, or select different ISP e
101. configuration Configuration on ZXR10 5900E
Chapter 5 Network Protocol Configuration: This chapter describes IP address configuration and ARP configuration on ZXR10 5900E.
Chapter 6 ACL Configuration: This chapter introduces ACL concept, related configuration command and configuration example.
Chapter 7 QOS Configuration: This chapter introduces QOS concept, related configuration command and configuration example.
Chapter 8 DHCP Configuration: This chapter introduces DHCP concept, related configuration command and configuration example.
Chapter 9 VRRP Configuration: This chapter introduces VRRP concept, related configuration command and configuration example.
Chapter 10 DOT1X Configuration: This chapter introduces DOT1X concept, related configuration command and configuration example.
Chapter 11 VBAS Configuration: This chapter introduces VBAS concept, related configuration command and configuration example.
Chapter 12 IPTV Configuration: This chapter introduces IPTV concept, related configuration command and configuration example.
Chapter 13 Network Management Configuration: Th
Chapter 14 Switch Stack System
Chapter 15 Cluster Management Configuration
Chapter 16 Security Configuration
Chapter 17 POE Configuration
Related Documentation
102. ctric Duplex/full 1000 up up up none
gei_2/2 electric Duplex/full 1000 up up up none
gei_2/3 electric Duplex/full 1000 up up up none
gei_2/4 electric Duplex/full 1000 up up up none
gei_2/5 electric Duplex/full 1000 up up up none
gei_2/6 electric Duplex/full 1000 up up up none
gei_2/7 electric Duplex/full 1000 up down down none
gei_2/8 electric Duplex/full 1000 up down down none

Admin, Phy and Prot indicate the management, physical and protocol status of the interface respectively. The interface is in normal working status only when all three states are up. When shutdown is input in interface configuration mode, the Admin state of the interface turns down.

Table 3 lists some abnormal interface conditions and handling procedures.

TABLE 3 INTERFACE STATE ABNORMAL CONDITION

Interface State | Analysis and Solution
Admin is DOWN, Phy is UP, Prot is DOWN | This indicates that the physical connection is normal and the corresponding interface may be shut down. Carry out the no shutdown command in interface mode.
Admin is UP, Phy is DOWN, Prot is DOWN | This indicates that the physical link has a problem. Check the physical link.
Admin is UP, Phy is UP, Prot is DOWN | Check the interface configuration. The problem may be that an interface parameter is not correct or is not configured. Refer to the user manual to solve the problem. If this problem can't be solved, contact a ZTE client supporting engineer for further handling.
103. d power will be supplied on the port when a non-standard PD device (cisco big capacity device) is detected. If disable is configured, power will be supplied only when a standard PD device is detected.

This configures switch temperature recovery. When the device works in stack mode, the command format is: poe overtemperature auto recovery enable device id <device id>. The default is disabled.

This configures the switch power occupancy alarm threshold. When the device works in stack mode, this command format is: poe power threshold <40-90> device id <device id>. The default is 80.

This upgrades the firmware used in the device. When the device works in stack mode, this command format is: poe upgrade firmware <firmware name> device id <device id>. This command upgrades the firmware (PSE handling software) online.

PoE Configuration Example

This example shows the PoE configuration on a switch in a stack system.

ZXR10(config)#int gei_2/1/5
ZXR10(config-gei_2/1/5)#poe pd max power ext 27
ZXR10(config-gei_2/1/5)#poe enhanced mode enable
ZXR10(config-gei_2/1/5)#poe priority high
ZXR10(config-gei_2/1/5)#poe enable
ZXR10(config-gei_2/1/5)#exit
ZXR10(config)#poe overtemperature auto recovery enable device id 2
ZXR10(config)#poe power threshold 88 device id 2
104. DHCP Snooping Configuration Example

DHCP server 1 connects to the interface gei_1/1 on switch R1 and is configured by the manager. Server 2 connects to the interface gei_1/2 on switch R1; it is configured by a user and is an illegal DHCP server. Both ports gei_1/1 and gei_1/2 are in vlan 100. Enabling the DHCP snooping function on the switch prevents a bogus DHCP server from being set up. It is now necessary to enable the DHCP snooping function in vlan 100 and configure the interface gei_1/1 as a trusted interface. This is shown in Figure 25.

FIGURE 25 DHCP SNOOPING CONFIGURATION (figure: R1, PC, DHCP Server1, DHCP Server2)

R1 configuration:
ZXR10(config)#interface gei_1/1
ZXR10(config-gei_1/1)#switch access vlan 100
ZXR10(config-gei_1/1)#exit
ZXR10(config)#interface gei_1/2
ZXR10(config-gei_1/2)#switch access vlan 100
ZXR10(config-gei_1/2)#exit
ZXR10(config)#ip dhcp snooping enable
ZXR10(config)#ip dhcp snooping vlan 100
ZXR10(config)#ip dhcp snooping trust gei_1/1

DHCP Snooping Prevent Static IP Configuration Example

The DHCP server belongs to vlan 100 and the PC belongs to vlan 200. The PC gets its IP address by DHCP. It is now required to forbid the PC from configuring a static IP address, using the DHCP snooping and dynamic ARP inspection technologies. This illustration is shown in Figure 2
105. IP Source Guard Overview
Configuring IP Source Guard
IP Source Guard Configuration Example
IP Source Guard Configuration based on IP Address
IP Source Guard Configuration based on MAC Address
IP Source Guard Configuration based on IP Address and MAC address
Control Plane Security Configuration
Control Plane Security Overview
Command Configuration
Configuration Example
Maintenance and Diagnosis
DAI Configuration
DAI Overview
Configuring DAI
DAI Maintenance and Diagnosis
DAI Configuration Example
MFF Configuration
MFF Overview
Configuring MFF
MFF Configuration Example
MFF maintenance and diagnosis
POE Configuration
P
106. disable
ZXR10(config-nas)#aaa 1 radius server authentication 1

Dot1x Local Authentication Application

In the applications shown in figure Dot1x radius authentication application and figure Dot1x trunk authentication application, the enterprise wants to register the network card address of each host. Only the MAC address of the network card is checked when the user uses any account to log in from the dot1x client. The user can log in only when the address is legal. In addition, the enterprise numbers each MAC address and sums up the Internet access duration of the user based on the number. ZXR10 5900E can implement the application requirement.

The authenticator adopts ZXR10 5900E, as shown in figure Dot1x radius authentication application and figure Dot1x trunk authentication application, to implement the application. The configuration is as follows:

ZXR10(config)#radius accounting group 1
ZXR10(config-acctgrp-1)#server 1 10.1.1.1 key aaazte port auth server port num
ZXR10(config-acctgrp-1)#server 2 10.1.1.2 key aaazte port auth server port num
ZXR10(config-acctgrp-1)#exit
ZXR10(config)#nas
ZXR10(config-nas)#create aaa 1 port gei_1/1
ZXR10(config-nas)#aaa 1 control dot1x enable
ZXR10(config-nas)#aaa 1 authentication local
ZXR10(config-nas)#aaa authorization auto
ZXR10
107. Configuring QOS
Configuring Traffic Policing
Configuring Traffic Shaping
Configuring Queue Bandwidth Limit
Configuring Queue Scheduling and Default 802.1p of ...
Configuring Redirection and Policy Routing
Configuring Priority Marking
Configuring Outer VLAN Value
Configuring Traffic Mirroring
Configuring Tail Drop
Configuring Traffic Statistics
QoS Configuration Example
Typical QoS Configuration Example
Policy Routing Configuration Example
QoS Maintenance and Diagnosis
DHCP Configuration
DHCP Overview
Configuring DHCP
Configuring IP Pool
Configuring DHCP POOL
Configuring DHCP POLICY
Configuring DHCP Server
Configuring DHCP Snooping
Configuring DHCP Relay
108. e Configuration

FIGURE 18 PORT LOOPBACK DETECTION EXAMPLE (figure: Switch A, gei_1/3, PC, Switch B)

Configuration of Switch A:
ZXR10(config)#interface gei_1/1
ZXR10(config-gei_1/1)#switchport mode trunk
ZXR10(config-gei_1/1)#switchport trunk vlan 1-2
ZXR10(config-gei_1/1)#exit
ZXR10(config)#loop-detect interface gei_1/1 enable
ZXR10(config)#loop-detect protect-interface gei_1/1 enable
ZXR10(config)#loop-detect reopen-time 5
ZXR10(config)#loop-detect interface gei_1/1 vlan 1-2 enable

This displays the details of the port on which loopback detection is enabled:
ZXR10(config)#show loop-detect interface gei_1/1
ZXR10(config)#show loop-detect interface detail gei_1/1
isUp  isMonitor  isLoop  isProtected
Yes   Yes        Yes     Yes
reopenTime  loopvlan  vlanRange
300         2         1-2

DOM Configuration

DOM Function Overview

DOM (digital optical monitoring) is a part of the optical module specification. An optical module with the DOM function can read the temperature, voltage, current, sending power and receiving power of the optical module. In addition, each optical module has some threshold values set when leaving the factory, including alarm thresholds and warning thresholds. After the DOM function is enabled, the running state values of the module can be polled over the I2C bus of the optical module and compared with the threshold values. When a current value exceeds the threshold value that the manufacturer set, an alarm is sent by syslog and SNMP trap.
109. e as follows:
Mail server: 192.168.4.50
FTP server: 192.168.4.60
VOD server: 192.168.4.70

FIGURE 19 ACL CONFIGURATION EXAMPLE (figure labels: Department A 192.168.1.0/24, Department B 192.168.2.0/24, Switch, gei_1/1, gei_1/2, gei_1/4, VLAN1, VLAN2, Mail Server, FTP Server, VOD Server)

Configuration of switch:

Configure time range:
ZXR10(config)#time-range en
ZXR10(config)#time-range working-time
ZXR10(config-tr)#periodic daily 09:00:00 to 17:00:00

Define an extended ACL to limit users of department A:
ZXR10(config)#acl extend number 100
ZXR10(config-ext-acl)#rule 1 permit ip 192.168.1.100 0.0.0.0 any
ZXR10(config-ext-acl)#rule 2 deny ip 192.168.1.0 0.0.0.255 192.168.4.60 0.0.0.0 time-range working-time
ZXR10(config-ext-acl)#rule 3 deny tcp any 192.168.4.70 0.0.0.0 time-range working-time
ZXR10(config-ext-acl)#rule 4 deny ip any 192.168.3.100 0.0.0.0 time-range working-time
ZXR10(config-ext-acl)#rule 5 permit ip any any

Define an extended ACL to limit users of department B:
ZXR10(config)#acl extend number 101
ZXR10(config-ext-acl)#rule 1 permit ip 192.168.2.100 0.0.0.0 any
ZXR10(config-ext-acl)#rule 2 deny ip 192.168.2.0 0.0.0.255 192.168.4.60 0.0.0.0 time-range working-time
ZXR10(config-ext-acl)#rule 3 deny tcp any 192.168.4.70 0.0.0.0 time-range working-time
ZXR10(config-ext-acl)#rule 4 permit ip any any

Apply the ACL to the corresponding physical port:
ZXR10(config)#interface gei_1/1
110. e conditions in an access list one by one. The first match determines whether the switch accepts or rejects the packets, because the switch stops testing conditions after the first match. The order of conditions in the list is critical. If no conditions match, the switch rejects the packets. If there are no restrictions, the switch forwards the packet; otherwise the switch drops the packet.

Packet matching rules defined by the ACL are also used in other conditions where distinguishing traffic is needed. For instance, the matching rules can define the traffic classification rule in the QoS.

ZXR10 5900E provides the following six types of ACLs:
Standard ACL: Only match the source IP address.
Extended ACL: Match the following items: source IP address, destination IP address, IP protocol type, TCP source port number, TCP destination port number, UDP source port number, UDP destination port number, ICMP type, ICMP Code, DiffServ Code Point (DSCP), ToS and Precedence.
L2 ACL: Match source MAC address, destination MAC address, source VLAN ID, L2 Ethernet protocol type and 802.1p priority value.
Hybrid ACL: Match source MAC address, destination MAC address, source VLAN ID, source IP address, destination IP address, TCP source port number, TCP destination port number, UDP source port number, UDP destinat
111. e following command:
ZXR10(config)#clock timezone
  This configures the time zone of the switch.
5. To view the NTP running state, use the following command:
ZXR10(config-router)#show ntp status
  This views the NTP running state.

NTP Configuration Example

This example shows a routing switch as an NTP client and assumes that the NTP protocol version is 2. This is shown in Figure 31.

FIGURE 31 NTP CONFIGURATION EXAMPLE (figure: ZXR10 192.168.2.2/24 in VLAN24, NTP Server 192.168.2.1/24)

ZXR10 Configuration:
ZXR10(config)#interface vlan24
ZXR10(config-if-vlan24)#ip address 192.168.2.2 255.255.255.0
ZXR10(config-if-vlan24)#exit
ZXR10(config)#ntp enable
ZXR10(config)#ntp server 192.168.2.1 version 2

RADIUS Configuration

RADIUS Overview

Remote Authentication Dial In User Service (RADIUS) is a standard AAA protocol. AAA represents Authorization, Authentication and Accounting. AAA is used to authenticate the users accessing the routing switch and prevent illegal users from accessing it, which enhances the security of the equipment.

ZXR10 5900E supports the RADIUS authentication function to authenticate Telnet users accessing the routing switch.

ZXR10 5900E supports multiple RADIUS server groups. Three authentication servers can be configured in each RADIUS group. The server timeout time and
112. Loopback Detection Configuration
DOM Configuration

Basic Port Configuration

The ZXR10 5900E provides GE and XGE ports.

The GE electrical port supports full/half duplex, 10/100/1000 M adaptation and MDI/MDIX adaptation. It works in auto-negotiation mode by default, negotiating work mode and rate with the peer end.
The GE optical port must work at 1000 M full duplex. Its duplex mode and rate can't be configured, but it can be configured to work in the auto-negotiation mode.
The XGE electrical port supports 10000M full duplex. It can't be configured to work in auto-negotiation, and its duplex mode and rate can't be configured.
The XGE optical port supports 10000M full duplex. It can't be configured to work in auto-negotiation, and its duplex mode and rate can't be configured.

The system automatically adds ports. When you insert an interface board into a proper slot and start the board, the ports of the board are automatically added to the port list.

Note: The GE port and XGE port can't support hot swap.

ZXR10 5900E names ports as follows: <Port type>_<Slot No>/<Port No>
Port type: gei (1000M Ethernet interface) and xgei (10000M Ethernet interface).
Slot No: ZXR10 5924/5224 only has one slot. ZXR10 5928/5228/5928-FI/5228-FI/5952/5252 has 5 slots. There are 4 slots at the back of the device. Slots numbered
113. e the following command:
ZXR10(config-dhcp-pool)#dhcp pool <pool name>
  This binds the policy to a dhcp pool. <pool name>: name of the dhcp pool.
ZXR10(config-dhcp-pool)#no dhcp pool <pool name>
  This deletes the binding relationship.
3. To configure the relay agent address or delete the configuration, use the following commands:
ZXR10(config-dhcp-pool)#relay agent <ip_addr>
  This configures the relay agent address. <ip_addr>: IP address.
ZXR10(config-dhcp-pool)#no relay agent

Configuring DHCP Server

1. To enable DHCP or stop DHCP, use the following commands:
ZXR10(config)#ip dhcp enable
  After DHCP is enabled, the system accepts DHCP IP address requests on the interfaces that are configured with the user interface attribute. The system has a built-in DHCP Server function and DHCP Relay function, which are enabled by using this command. By default, DHCP is disabled.
ZXR10(config)#no ip dhcp enable
  This stops DHCP.
2. To enable the DHCP working mode on the interface, use the following command:
ZXR10(config-if-vlanx)#ip dhcp mode server | relay | proxy
  relay: enable DHCP Relay on the interface. server: enable DHCP Server on the interface. proxy: enable DHCP Proxy on the interface.
After the built-in DHCP Relay process is enabled, the system processes IP address requests sent from DHCP clients on the interface and allocate IP
114. ACL Overview
Configuring ACL
Configuring Time Range
Configuring ACL Rule
Configuring Basic ACL Rule
Configuring Extended ACL
Configuring L2 ACL
Configuring Hybrid ACL
Configuring Basic IPV6 ACL
Configuring Extended IPV6 ACL
Applying ACL on Physical Port
Applying ACL on VLAN
Configuring an ACL to Support Renaming
ACL Configuration Example
ACL Maintenance and Diagnosis
QoS Configuration
QoS Overview
Traffic Classification
Traffic Policing
Traffic Shaping
Queue Bandwidth Limit
Queue Scheduling and Default 802.1p
Redirection and Policy Routing
Priority Marking
Marking Outside Vlan Value
Traffic Mirroring
Traffic Statistics
115. ed to the hardware optical module. If the optical module and manufacturer are different, the viewed information will be different.

Viewing Module Threshold Information

ZXR10#show optical inform detail temperature | voltage | current | rx power | tx power interface <interface name>
  This views the detailed threshold information of the interface optical module, including temperature, voltage, current, sending power and receiving power. This supports single interface view and single board view.

Command parameter description: receiving power of optical module. Only physical interfaces are supported.

Example: This views the threshold information of the interface optical module.

ZXR10#show optical inform detail temperature
Port     Temperature  High Alarm Threshold  High Warn Threshold  Low Warn Threshold  Low Alarm Threshold
         (Celsius)    (Celsius)             (Celsius)            (Celsius)           (Celsius)
gei_1/1  48.1         100.0                 100.0                0.0                 0.0
gei_1/2  34.9         100.0                 100.0                0.0                 0.0

ZXR10#show optical inform detail voltage
Port     Voltage  High Alarm Threshold  High Warn Threshold  Low Warn Threshold  Low Alarm Threshold
         (Volts)  (Volts)               (Volts)              (Volts)             (Volts)
gei_1/1  3.30     6.50                  6.50                 3.50                3.50
gei_1/2  3.30     6.50                  6.50                 3.50                3.50

The threshold is related to the hardware optical module. If the optical module and manufacturer are different, the viewed information will be different.
116. Configuring DHCP Client
DHCP Configuration Example
DHCP Server Configuration Example
DHCP Relay Configuration Example
DHCP Snooping Configuration Example
DHCP Snooping Prevent Static IP Configuration Example
DHCP Maintenance and Diagnosis
VRRP Configuration
VRRP Overview
Configuring VRRP
VRRP Configuration Example
Basic VRRP Configuration Example
Symmetric VRRP Configuration Example
VRRP Maintenance and Diagnosis
DOT1X Configuration
DOT1X Overview
Configuring DOT1X
Configuring AAA
Configuring DOT1X Parameter
Configuring Local Authentication User
Managing DOT1X Authentication Access User
Managing Multiple Domains Configuration
Configuring 802.1x VLAN Hopping
DOT1X Configuration Example
Dot1x Rad
117. em Management
Introduction to File System
Operating File System Management
FTP/TFTP Overview
Configuring Switch as an FTP Client
Configuring Switch as an TFTP Client
Backing up Data and Restoring Data
Backing Up Configuration File
Restoring Configuration File
Backing Up Version File
Restoring Version File
Software Version Upgrade
Upgrading the Version at Abnormality
Upgrading the Version at Normality
Configuring System Parameters
Setting a Hostname of System
Setting Welcome Message upon System Boot
Setting Privileged Mode Key
Setting Telnet Username and Password
Setting System Time
Setting System Console User Connection Parameters
Setting System Telnet User Connection Parameters
Allowing Multiple Users
118. er
1. To set the switch to command, candidate or independent switch, use the following command:
ZXR10(config)#group switch type candidate | independent | commander ip pool <ip addr> mask <ip addr> | length <mask_len>
  This sets the switch to command, candidate or independent switch and allocates an IP address pool to the cluster.
2. To change the cluster name, use the following command:
ZXR10(config)#group name <name>
  This changes the cluster name.
3. To set the cluster handshake time, use the following command:
ZXR10(config)#group handtime <time>
  This sets the cluster handshake time.
4. To set the holding time between the member and command switch on the command switch, use the following command:
ZXR10(config)#group holdtime <time>
  This sets the holding time between the member and command switch on the command switch.
5. To add a specific equipment or MAC address as a member on the command switch, use the following command:
ZXR10(config)#group member mac <mac_addr> member <mem_id> | device <device id>
  This adds a specific equipment or MAC address as a member on the command switch.

Maintaining Cluster

1. To restart the member on the command switch, use the following command:
ZXR10
119. ernet Port

ZXR10(config)#interface <port-name>
  This enters interface configuration mode.
ZXR10(config-gei_1/x)#multicast-limit <value>
  This sets multicast packet suppression on an Ethernet port.

When the multicast packet suppression function of ZXR10 5900E is enabled, the port suppresses multicast packets according to the configured number of multicast packets allowed on an Ethernet port every second.

Setting Unknowcast Packet Suppression on an Ethernet Port

ZXR10(config)#interface <port-name>
  This enters interface configuration mode.
ZXR10(config-gei_1/x)#unknowcast-limit <value>
  This sets unknowcast storm suppression on an Ethernet port.

When the unknowcast packet suppression function of ZXR10 5900E is enabled, the port suppresses unknowcast packets according to the configured number of unknowcast packets allowed on an Ethernet port every second.

Viewing Layer 2 Interface Physical Status

Short Description: To view the running status of a switch layer 2 physical interface, such as whether the interface is up, its duplex mode and rate.

ZXR10#show interface brief
  This views interface running status.

Example: The output of the viewing interface running status command is as follows:

ZXR10#show interface brief
Interface  portattribute  mode  BW(Mbits)  Admin  Phy  Prot  Description
gei_2/1 ele
120. et mask: subnet mask
  This deletes the corresponding IP address range configuration. <net number>: a specific subnet network number. <net mask>: subnet mask.
5. To configure the IP pool range or delete the corresponding IP address range, use the following commands:
ZXR10(config-ip-pool)#range <begin_ip_addr> <last_ip_addr> <ip_mask>
  This configures the IP pool range. <begin_ip_addr>: the beginning address of the IP address pool. <last_n_ip_addr>: the end address of the IP address pool. <ip_mask>: mask.
ZXR10(config-ip-pool)#no range <begin_ip_addr> <last_ip_addr> <ip_mask>
  This deletes the corresponding IP address range configuration. <begin_ip_addr>: the beginning address of the IP address pool. <last_n_ip_addr>: the end address of the IP address pool. <ip_mask>: mask.

Configuring DHCP POOL

A DHCP pool binds an IP pool. The DHCP server allocates addresses from the bound address pool.

1. To configure a DHCP pool or delete a DHCP pool, use the following commands:
ZXR10(config)#ip dhcp pool <word>
  This configures a DHCP pool. <word>: DHCP pool name.
ZXR10(config)#no ip dhcp pool <word>
  This deletes a DHCP pool.
2. To configure the binding table between MAC address and IP address or delete the original configuration, use the fo
121. (screenshot of the TFTP server settings dialog: Home Directory, Number of Clients, Logging Desired, Log File Name, Verbose Logging)

3. Click OK to finish the settings.

The background TFTP server is now set up. Start the TFTP server and run copy on the switch to backup/restore files or import/export configurations.

Backing up Data and Restoring Data

With FTP/TFTP you can back up the software version file, configuration file and log file of ZXR10 5900E to the background server, or restore backup files from the background server.

Backing Up Configuration File

After saving the configuration information to startrun.dat with the write command, you can back up the file to the background FTP/TFTP server to keep the file intact and available for restoration.

Run the following command to back up the configuration file in the Flash to the background TFTP server:
ZXR10#copy flash: /cfg/startrun.dat tftp: //168.1.1.1/startrun.dat

Restoring Configuration File

Run the following command to restore the backup of the configuration file from the background TFTP server:
ZXR10#copy tftp: //168.1.1.1/startrun.dat flash: /cfg/startrun.dat

Backing Up Version File

Take a backup of the running version file to the background server
122. fig nas create iptv channel special 1 address 224.1.1.1 ZXR10 config nas iptv channel 1 mvlan 100 ZXR10 config nas create iptv cac rule 1 port gei_1/1 ZXR10 config nas iptv cac rule 1 right query 1 IPTV Maintenance and Diagnosis 1. To display the global configuration information of IPTV, use the following command: show iptv control 2. To display the channel information of IPTV, use the following command: show iptv channel id <channel no> name <channel name> 3. To display the CAC rule, use the following command: show iptv cac rule id <channel no> name <channel name> 4. To display online users of IPTV, use the following command: show iptv client port <portno> vlan <vlanid> device <devno> Chapter 13 Network Management Configuration Table of Contents: NTP Configuration; RADIUS Configuration; SNMP Configuration; RMON Configuration; SysLog Configuration; TACACS+ Configuration
123. following command: ZXR10 config nas aaa rule id radius server accounting <group number> This configures binding radius accounting server group. 14. To configure authentication mode as local or radius server mode, use the following command: ZXR10 config nas aaa <rule id> authentication local radius This configures authentication mode as local or radius server mode. 15. To configure authorization mode, use the following command: ZXR10 config nas aaa rule id authorization auto unauthorized authorized This configures authorization mode. Configuring DOT1X Parameter 1. To configure dot1x period for re-authentication, use the following command: ZXR10 config nas dot1x re authentication enable period <period> disable This configures dot1x period for re-authentication. 2. To configure the quiet period of dot1x authentication, use the following command: ZXR10 config nas dot1x quiet period <period> This configures the quiet period of dot1x authentication. 3. To configure the sending period of dot1x authentication, use the following command: ZXR10 config nas dot1x tx period period This configures the sending period of dot1x authentication. 4. To configure dot1x client timeout time, use the following command: ZXR10 config nas dot1x supplicant
124. for mation and port state change condition on the routing switch through log information. Log information can be displayed on the configuration terminal in real time, or can be saved to a file on the routing switch or background log server. The syslog protocol can be enabled on ZXR10 5900E so that the routers can communicate with the background syslog server to deliver the log information. Configuring SysLog 1. To enable the log function, use the following command: ZXR10 config logging on This enables the log function. 2. To set the log buffer size, use the following command: ZXR10 config logging buffer <buffer size> This sets the log buffer size. 3. To set log clearance mode, use the following command: ZXR10 config logging mode <mode> <interval> This sets log clearance mode. 4. To set the log level displayed on the console interface of telnet interface, use the following command: ZXR10 config logging console <level> filter map name This sets the log level displayed on the console interface of telnet interface. 5. To set the log level saved in log buffer, use the following command: ZXR10 config logging level <level> This sets the log level saved in log buffer. 6. To set the background FTP log server parameter, use the following com
125. gresses based on service types. As shown in Figure 22, users on both subnetworks are connected to the switch and there are two available ISP egresses. It is required to select different egresses based on IP addresses of users as follows: Users on the subnetwork 10.10.0.0/24 use the ISP1 egress. Users on the subnetwork 11.11.0.0/24 use the ISP2 egress. FIGURE 22 POLICY ROUTING EXAMPLE. Switch configuration: Define an ACL which describes users in 10.10.0.0/24 network segment and 11.11.0.0/24 network segment. ZXR10 config acl standard number 10 ZXR10 config std acl rule 1 permit 10.10.0.0 0.0.0.255 ZXR10 config std acl rule 2 permit 11.11.0.0 0.0.0.255 ZXR10 config std acl exit Configure policy routing of QoS. ZXR10 config redirect in 10 rule id 1 next hop 100.1.1.1 ZXR10 config redirect in 10 rule id 2 next hop 200.1.1.1 Apply to the corresponding port. ZXR10 config interface gei_1/1 ZXR10 config gei_1/1 ip access group 10 in ZXR10 config gei_1/1 exit ZXR10 config interface gei_1/2 ZXR10 config gei_1/2 ip access group 10 in QoS Maintenance and Diagnosis: ZXR10 5900E provides the following commands of QoS maintenance and diagnosis
126. he maximum number of DHCP Client on the interface. limit value: DHCP user quota, 1-2048. The default: no quota. ZXR10 config if vlanx no ip dhcp user quota This cancels DHCP user quota. As for DHCP Server, DHCP user quota is used to limit the max number of DHCP users on an interface, thus limiting the number of IP addresses assigned on the interface. As for DHCP Relay, DHCP Relay standard mode doesn't support DHCP user quota, thus user quota doesn't take effect. But if DHCP Relay is configured forwarding in safety mode, DHCP Relay will make DHCP user quota configuration valid. To configure the interface select outside DHCP Server policy or cancel this policy, use the following command: ZXR10 config if vlanx ip dhcp helper address policy vclass id This configures the interface select outside DHCP Server policy. The default is to select DHCP Server in ip dhcp relay server command on the interface. ZXR10 config if vlanx no ip dhcp helper address policy vclass id This cancels this interface select outside DHCP Server policy. 6. To configure DHCP SERVER/RELAY/PROXY ramble function or disable DHCP ramble function, use the following command: ZXR10 config ip dhcp ramble When DHCP ramble function is enabled, DHCP user can switch the access interface on line. The default: disable DHCP ramble function
127. he port's link indicator goes off. All ports are enabled by default. Enabling/Disabling Auto Negotiation on an Ethernet Port: ZXR10 config interface <port name> This enters interface configuration mode. ZXR10 config gei_1/x negotiation auto, no negotiation auto This enables/disables auto negotiation on an Ethernet port. Enable auto negotiation on an Ethernet port when GE works at 1000M. Configuring Automatic Negotiation Notification on an Ethernet Port: ZXR10 config gei_1/x negotiation auto speed 10 100 This configures automatic negotiation notification on an Ethernet port to 10M or 100M. When working mode of PHY is electrical interface, GE, FE, 10M, half duplex and full duplex can be set if it can be notified. When working mode of PHY is optical port, only half duplex and full duplex can be set if it can be notified. The notification of speed can't be set. Description: negotiation auto speed 100, negotiation auto speed 10, negotiation auto, no negotiation auto. The four are in mutual exclusive relationship. After configuring nego auto speed 100 10, speed and duplex of port are not configured and only can be adaptive. Setting Ethernet port Duplex Mode
128. ib syslocation text> This sets the location SysLocation of the MIB object. SysLocation is a management variable of the system group in the MIB II and is used to indicate the location of the managed equipment. 5. To set the types of TRAP allowed for sending, use the following command: ZXR10 config snmp server enable trap notification type This sets the types of TRAP allowed for sending. TRAP is unrequested information sent by the managed equipment on its own initiative to the NMS and is used to report some emergent events. 6. To set the TRAP destination host, use the following command: p|inform] version 1 2c 3 auth noauth priv <community name> udp port <udp port> <trap type> ZXR10 5900E supports five kinds of ordinary traps: SNMP, bgp, OSPF, RMON and stalarm. 7. To use ACL to control the host that can access the switches through SNMP protocol, use the following command: ZXR10 config snmp server access list <acl number> This uses ACL to control the host that can access the switches through SNMP protocol. 8. To define context name of SNMP, use the following command: ZXR10 config snmp server context <context name> This defines context name of SNMP. 9. To set local engine id of SNMPv3, use the following command: ZXR10 config snmp ser
129. iber's IP address. Hardware Address: User MAC Address. VlanID: User VLAN ID. Chapter 17 POE Configuration Table of Contents: POE Overview; Configuring POE; POE Configuration Example; POE Maintenance and Diagnosis. POE Overview: PoE (Power over Ethernet) is an extended feature of network device that supports Ethernet electrical interface. The network device supporting PoE function, such as switch and router, can provide power supply to remote PD, including IP phone, WLAN AP and Network Camera, through twisted pair for implementing remote power supply. Ethernet remote power supply sometimes is called network power supply. It is the technology that transfers power through 10Base-T and 100Base-TX. Without changing the current Ethernet Cat 5 infrastructure, data signal can be transmitted to IP-based terminals such as IP phone, AP and network camera, and DC power can be supplied to those at the same time. PoE technology can ensure the structured cabling security and the current network normal operation to decrease the cost greatly. Figure 41 displays a common PoE power supply example
130. Chapter 2 Usage and Operation. History Commands: The input command can be recorded in the user interface. Up to 10 history commands can be recorded, and this function is useful for invoking a long or complicated command again. Execute one of the following operations to re-invoke a command from the record buffer, as shown in Table 2. TABLE 2 INVOKING A COMMAND: <Ctrl P> or <↑>: Invoke a history command in the buffer forward. <Ctrl N> or <↓>: Invoke a history command in the buffer backward. In the privileged mode, execute the show history command to list the most recently input commands in this mode. Chapter 3 System Management Table of Contents: File System; FTP/TFTP Overview; Backing up Data and Restoring Data; Software Version Upgrade; Configuring System Parameters; Viewing System Information. File System: Introduction to File System: In ZXR10 5900E, FLASH is used as the major storage device for storing version files and
131. imit of queue 2 as 20M, minimum bandwidth limit of queue 3 as 2M. ZXR10 config interface gei_1/1 ZXR10 config gei_1/1 traffic shape queue 1 max datarate limit 20000 min gua datarate 2000 ZXR10 config gei_1/1 traffic shape queue 2 max datarate limit 20000 ZXR10 config gei_1/1 traffic shape queue 3 min gua datarate 2000 Configuring Queue Scheduling and Default 802.1p of the Port: ZXR10 5900E supports two types of queue scheduling modes: Strict Priority Scheduling (SP) and Weighted Round Robin (WRR). When these two modes are used together, SP has a higher priority than WRR. ZXR10 config gei_1/x queue mode strict priority wrr <Queue number> <Queue weight> This configures queue scheduling and default 802.1p priority of the port. Example: This example shows the implementing of SP scheduling on the port gei_1/1. This implements WRR scheduling on port gei_1/2 and configures the weight of queue 0 to queue 7 sequentially as 10, 5, 8, 10, 5, 8, 9 and 10. Default 802.1p is configured on the port gei_1/2 as 5. ZXR10 config interface gei_1/1 ZXR10 config gei_1/1 queue mode strict priority ZXR10 config gei_1/1 exit ZXR10 config interface gei_1/2 ZXR10 config gei_1/2 queue mode wrr 0 10 1 5 2 8 3 10 4 5 5 8 6 9 7 10 ZXR10 config gei_1/2 priority 5 Configuring Redirection and Policy Routing: ZXR10 config redirect in <acl number> rule id This redirects the packets <rule no> cpu interface <
132. inStatus is up, PhyStatus is up, line protocol is up Internet address is 10.1.1.1/24 Broadcast address is 255.255.255.255 IP MTU is 1500 bytes ICMP unreachables are always sent ICMP redirects are never sent ARP Timeout 00:10:00 ARP Configuration: ARP Overview: When a network device sends data to another network device, it should know the IP address and physical address (MAC address) of the destination device. ARP maps the IP address to the physical address to ensure smooth communication. At first, the source device broadcasts the ARP request with the IP address of the destination device. Then all the devices on the network receive this ARP request. If one device finds the IP address in the request matches with its IP address, it sends a reply containing the MAC address to the source device. The source device obtains the MAC address of the destination device through this reply. To reduce ARP packets on the network and send data faster, the mapping between IP address and MAC address is cached in the local ARP table. When a device wants to send data, it looks up the ARP table according to the IP address first. If the MAC address of the destination device is found in the ARP table, it is unnecessary to send the ARP request again. The dynamic entry in the ARP table will be automatically deleted after
133. ind before <rule no> another rule. Example: In this example, define a L2 ACL to permit IP packets with the source MAC address as 00d0.d0c0.5741 and the 802.1p as 5 from VLAN 10. ZXR10 config acl link number 200 ZXR10 config link acl rule 1 permit any cos 5 douter 10 ingress 00d0.d0c0.5741 0000.0000.0000 Configuring Hybrid ACL: ZXR10 config acl hybrid number <acl number> name <acl name> This enters the hybrid ACL configuration. ZXR10 config hybd acl rule <rule no> permit deny <ip number> ip <source> <source wildcard> any <dest> <dest wildcard> any any <ether protocol> cos 0 7 vlan id ingress source mac source mac wildcard egress dest mac dest mac wildcard time range timerange name This configures the rules based on IP or IP protocol number excluded ICMP TCP UDP. ZXR10 config hybd acl rule rule no permit deny 4 source source wildcard any <dest ip> <dest wildcard> any ether protocol <vlan id> cos <value> egress dst mac <dst wildcard> ingress <sor mac> <sor wildcard> time range <range name> This configures the rules based on TCP. eq any ether protocol vlan id cos value port number dst mac dst wildcard eg
134. ing files simultaneously. IPTV uses a two-way broadcast signal sent through the provider's backbone network and servers, allowing viewers to select content on demand and take advantage of other interactive TV options. IPTV can be used through PC or IP machine box TV. Configuring IPTV: Configuring IPTV Global Parameters 1. To set the least preview time, use the following command: ZXR10 config nas iptv control login time This sets the least preview time. 2. To set the max preview counts on global, use the following command: ZXR10 config nas iptv control prvcount count This sets the max preview counts on global. 3. To set the least preview interval on global, use the following command: ZXR10 config nas iptv control prvinterval This sets the least preview interval on global. 4. To set the max preview time on global, use the following command: ZXR10 config nas iptv control prvtime This sets the max preview time on global. 5. To set the period of global reset preview counts, use the following command: ZXR10 config nas iptv control prvcount reset period This sets the period of global reset preview counts. 6. To enable/disable IPTV, use the following command: ZXR10 config nas iptv control enable disable This enables/disables IPTV. Configuring IPTV Channels
135. ion port number. Standard IPv6 ACL: Only match the IPv6 source IP address. Extended IPv6 ACL: Only match the IPv6 source and destination IP address. Each ACL is identified by an access list number. The access list number ranges of different types of ACLs are as follows: Standard ACL: 1-99; Extended ACL: 100-199; L2 ACL: 200-299; Hybrid ACL: 300-349; Standard IPv6 ACL: 2000-2499; Extended IPv6 ACL: 2500-2999. Each ACL has at most 100 rules, with the rule number range from 1 to 100. Configuring ACL: Configuring Time Range: ZXR10 config time range <timerange name> <hh:mm:ss> to <hh:mm:ss> <days of the week> from <hh:mm:ss> <mm-dd-yyyy> to <hh:mm:ss> <mm-dd-yyyy> This enables time range. There are several conditions in time range configuration: Configure time range for each day: specify the exact start time and end time in a day. Configure period range: specify the period to be a fixed day of a week. Configure date range: specify start date and end date. If not configured, the start date is the day when configuration takes effect and the end date is the max day that system can identify. Configuring ACL Rule: When configuring ACL, it is needed to enter ACL configuration mode firstly and then define ACL rules. The following items shall be noted when defining ACL rules
136. ip source guard mac ip base Control Plane Security Configuration: Control Plane Security Overview: The widespread application of Internet and IP technology has brought great change to the world. With IP networks being developed widely and deeply, network attacks and viruses are becoming more and more frequent, which brings people much visible and invisible loss. Previous network attacks and viruses mostly took PCs or server hosts as major attack objects. But now, as end-user anti-virus capability and virus-maker capability increase day by day, network devices such as routers and switches become the objects that viruses attack. According to known or predictable attacks and viruses on the switch, we can take many kinds of measures to give the switch self-protection and the capability of safeguarding network security. The main function of control plane security is to monitor the packet uploading rate, generate an alarm on packets uploaded at an abnormal rate, and remind the network manager to pay attention to a possible packet attack on the CPU, so that the network manager can decide whether to discard these packets on the interface or to limit speed and filter unreasonable packets. Command Configuration 1. To enable/disable control plane security function, use the following command: ZXR10 config control plane security enable This command is contr
137. is chapter introduces NTP, RADIUS, SNMP, RMON and SysLog configuration. This chapter describes the content and related knowledge of stack system and related configuration. This chapter describes the content and related knowledge of cluster management and related configuration. This chapter introduces security concept, related configuration command and configuration example. This chapter introduces POE concept, related configuration command and configuration example. ZXR10 5900E V2 8 23 B Series All Gigabit Port Intelligent Routing Switch Hardware Manual; ZXR10 5900E V2 8 23 B Series All Gigabit Port Intelligent Routing Switch User Manual Basic Configuration Volume; ZXR10 5900E V2 8 23 B Series All Gigabit Port Intelligent Routing Switch User Manual Ethernet Switching Volume; ZXR10 5900E V2 8 23 B Series All Gigabit Port Intelligent Routing Switch User Manual IPv4 Routing Volume; ZXR10 5900E V2 8 23 B Series All Gigabit Port Intelligent Routing Switch User Manual IPv6 Routing Volume. Chapter 1 Safety Description Table of Contents: Safety Introduction; Safety Description. Safety Introduction: Only qualified professionals are allowed to perform installation, operation and maintenance due to the high temperature and high vo
138. istics <index> owner <string> This enables the interface statistics function only for Ethernet. ZXR10 config rmon alarm index <variable> <interval> delta absolute rising threshold value event index falling threshold value event index owner <string> This sets an alarm and MIB object. 3. To enable the history collection function of the interface, use the following command: ZXR10 config gei_1/x rmon collection history <index> owner <string> buckets <bucket number> interval seconds This enables the history collection function of the interface. 4. To configure an event, use the following command: ZXR10 config rmon event <index> log trap community description <string> owner <string> This configures an event. 5. To display RMON configuration and relevant information, use the following command: ZXR10 config show rmon alarms events history statistics This displays RMON configuration and relevant information. RMON Configuration Example 1. This example shows how to configure and start statistics control entries of the RMON. ZXR10 config interface gei_1/1 ZXR10 config gei_1/1 rmon collection statistics 1 owner rmontest ZXR10 config gei_1/1 Assume th
139. ius Authentication Application; Dot1x Trunk Authentication Application; Dot1x Local Authentication Application; DOT1X Multiple Domains Function; DOT1X Maintenance and Diagnosis. VBAS Configuration: VBAS Overview; Configuring VBAS; Enabling/Disabling VBAS; Enabling/Disabling VBAS in VLAN Mode; Configuring VBAS Trust Interface; Configuring VBAS Interface as User Interface or Network Interface; VBAS Configuration Example; VBAS Maintenance and Diagnosis. IPTV Configuration: Internet Protocol Television Overview; Configuring IPTV; Configuring IPTV Global Parameters; Configuring IPTV Channels; Configuring Channel Access Control (CAC); Configuring Administrative Command of IPTV; IPTV Configuration Example; IPTV Maintenance and Diagnosis
140. k in 10 rule id 1 dscp 34 cos 4 drop precedence low ZXR10 config interface gei_1/1 ZXR10 config gei_1/1 ip access group 10 in Configuring Outer VLAN Value: To configure outer VLAN value of traffic which matches ACL rule, use the following command: ZXR10 config qos set acl svlan map acl acl number acl name rule <rule id> to out vlanid vlan id This configures outer VLAN value of traffic which matches ACL rule. Example: This example shows how to configure outer vlan value of traffic which complies with rule 1 on gei_1/4 as 2000. ZXR10 config acl standard number 10 ZXR10 config std acl rule 1 permit 168.2.5.5 ZXR10 config std acl exit ZXR10 config interface gei_1/4 ZXR10 config gei_1/4 ip access group 10 in ZXR10 config gei_1/4 exit ZXR10 config qos set acl svlan map acl 10 rule 1 to out vlanid 2000 Configuring Traffic Mirroring: ZXR10 config traffic mirror in <acl number> rule id <rule no> cpu interface interface num This configures traffic mirroring. Example: This example shows how to mirror data traffic whose source IP address is 168.2.5.6 on the port gei_1/8 to the port gei_1/4. ZXR10 config acl standard number 10 ZXR10 config std acl rule 1 permit 168.2.5.5 ZXR10 config std acl rule 2 permit 168.2.5.6 ZXR10 config std acl exit ZXR
141. ket's dscp value, from 0 to 63, and one value can be chosen. Example: This example shows the traffic policy of packets sent to the destination IP address of 168.2.5.5 on port of gei_1/1, and bandwidth is set to 10M. ZXR10 config acl extended number 100 ZXR10 config ext acl rule 1 permit ip any 168.2.5.5 0.0.0.0 ZXR10 config ext acl exit ZXR10 config traffic limit in rule id 1 cir 10000 cbs 2000 pir 10000 pbs 2000 mode blind ZXR10 config interface gei_1/1 ZXR10 config gei_1/1 ip access group 100 in Configuring Traffic Shaping: ZXR10 config gei_1/x traffic shape data rate <rate value> burst size <value> This configures traffic shaping for the port. Example: This example shows the conduction of traffic shaping on port gei_1/1 and configures the port rate as 20M. ZXR10 config interface gei_1/1 ZXR10 config gei_1/1 traffic shape data rate 20000 burst size 4 Configuring Queue Bandwidth Limit: ZXR10 config gei_1/x traffic shape queue queue no max datarate limit <max datarate value> min gua datarate <min datarate value> This configures queue maximum and minimum bandwidth limit. Example: This example shows the conduction of queue bandwidth limit on port gei_1/1 and configures maximum bandwidth limit of queue 1 as 20M and minimum bandwidth as 2M, maximum bandwidth l
142. Note: The discard of some protocol packets will make the corresponding service invalid. Configuration Example 1. This example shows how to configure port arp protocol and set alarm threshold as 2500. Zxr10 conf t Zxr10 config inter gei_1/1 Zxr10 config gei_1/1 protocol protect mode arp enable Zxr10 config gei_1/1 protocol protocol alarm mode arp 2500 2. This example shows how to configure icmp protocol packet passing peak/average speed. Zxr10 conf t Zxr10 config inter gei_1/1 Zxr10 config gei_1/1 protocol protect peak rate mode icmp 500 Zxr10 config gei_1/1 protocol protocol average mode mode icmp 250 Maintenance and Diagnosis: ZXR10 5900E provides show command to help maintenance and diagnosis. Common commands used in control plane security maintenance and diagnosis are as follows: ZXR10 config show protocol protect packet config interfacename type This views a certain port and the protocol packet configuration and receiving statistics on this port. ZXR10 config show protocol protect token buckets interfacename This views protocol packet receiving speed configuration and statistics on a certain port. ZXR10 clear protocol protect packets count buckets count interfacename This clears protocol statistic count on a certain port.
143. l cover the old one. For example, on fei_1/1 configuration mode, the following two commands are configured: ip access group 10 in, ip access group 100 in. Only ACL 100 takes effect. Applying ACL on VLAN: ACL can be applied on both physical port and VLAN after it is defined. 1. ZXR10 config vlan <vlan id> This enters VLAN configuration mode. 2. ZXR10 config vlanx ip access group <acl number> <acl name> in This applies ACL on VLAN. Note: 1. Currently ACL type that VLAN binds only supports IPv4 hybrid ACL. 2. One VLAN can only apply one ACL; the new configuration will cover the old one. For example, in vlan configuration mode, the following two commands are configured: ip access group 300 in, ip access group 305 in. Only ACL 305 takes effect. Configuring an ACL to Support Renaming: To configure a name for ACL rule, use the following commands: ZXR10 config acl standard number <acl number> name acl name This enters ACL configuration mode. ZXR10 config std acl rule <1-100> permit deny <source> <source wildcard> any time range <timerange name> This configures the rules of ACL. ZXR10 config std acl rule description <1-100> <rule description> This configures name for a rule. Example: Define a
144. lated to hardware optical module. If optical module and manufacturer are different, the viewed information will be different. Chapter 5 Network Protocol Configuration Table of Contents: IP Address Configuration; ARP Configuration. IP Address Configuration: IP Address Overview: Network addresses in the IP protocol stack refer to IP addresses. IP address is composed of two parts: Network bit, identifying the network to which this IP address belongs; Host bit, identifying a certain host in the network. IP addresses are divided into five classes: Class A, Class B, Class C, Class D and Class E. Classes A, B and C are the most common ones. Class D is the network multicast address and Class E is reserved for future use. Table 4 lists range of each class. TABLE 4 IP ADDRESS RANGE FOR EACH CLASS (columns: Prefix Characteristic Bit, Network Bit, Range): Class A: 24, 0.0.0.0 to 127.255.255.255; Class B: 10, 16, 16, 128.0.0.0 to 191.255.255.255; Class C: 192.0.0.0 to 223.255.255.255; Class D: 1110, Multicast Address, 224.0.0.0 to 239.255.255.255; Class E: 1111, Reserved, 240.0.0.0 to 255.255.255.255. Some Class A B and C addres
145. lient. 2. Dynamic allocation: DHCP assigns an IP address to a client for a limited period of time or until the client explicitly relinquishes the address. 3. Manual allocation: the network administrator assigns an IP address to a client and DHCP is used simply to convey the assigned address to the client. Usually the dynamic allocation method is adopted. The valid time segment of using the address is called lease period. Once the lease period expires, the host must request the server for continuous lease. The host cannot continue the lease until the request is accepted; otherwise it must give up unconditionally. Routers do not send the received broadcast packet from a subnetwork to another by default. But the router, as the default gateway of the client host, must send the broadcast packet to the subnetwork where the DHCP server locates when the DHCP server and client host are not in the same subnetwork. This function is called DHCP relay. ZXR10 5900E can act as a DHCP server or DHCP relay to forward DHCP information, but it cannot use both functions at the same time. DHCP makes IP address allocation more convenient. But with the wide application of DHCP service, some problems happen. Firstly, DHCP service allows multiple DHCP servers to be in a subnet, which means that administrator can't assure that
146. llowing command: show localuser. Command debug can be used to trace packet sending, receiving and processing during the Dot1x Server Relay process. 1. To trace the transceiving packet and handling processes of dot1x, use the following command: debug nas. 2. To trace the process of interacting with the radius, use the following command: debug radius. Chapter 11 VBAS Configuration. Table of Contents: VBAS Overview; VBAS Configuration Example; VBAS Maintenance and Diagnosis. VBAS Overview. VBAS is the abbreviation of Virtual Broadband Access Server. It is an extent inquiry protocol between IP DSLAM and BAS equipment. The communication method between IP DSLAM and BRAS is layer 2 point to point, that is, interface information inquiry and response packets are encapsulated in layer 2 Ethernet data frames. The principle is to configure the DSLAM (Digital Subscriber Line Access Multiplexer) corresponding to the VLAN on the BAS. During the procedure of PPPOE calling, DSLAM applies the VBAS protocol, that is, mapping to the corresponding DSLAM according to the VLAN of the user. BAS demand the user line identit
147. llowing commands ZXR10 config dhcp pool binding lt mac_addr gt lt ip_ad This configures binding table dr gt vrf instance instance namer between MAC address and ip address mac addr Mac address ip addr IP Address instance namer instance name ZXR10 config dhcp pool no binding mac addr ip This deletes the original addr vrf instance instance namer configuration 80 Confidential and Proprietary Information of ZTE CORPORATION ZTEDY Chapter 8 DHCP Configuration 3 To configure a default route or delete the configured content use the following commands ZXR10 config dhcp pool default router This configures a default ip addr ip addr ip addr route E ZXR10 config dhcp pool no default router This deletes the configured lt ip_addr gt lt ip_addr gt lt ip_addr gt content 4 To configure DNS server or delete the corresponding configu ration use the following commands ZXR10 config dhcp pool dns server jp addr ip This configure DNS server addr ip addr address This command can configure up to 8 DNS server addresses ZXR10 config dhcp pool no dns server This deletes the correspond lt ip_addr gt lt ip_addr gt lt ip_addr gt ing configuration 5 To bind the specific ip pool with dhcp pool or delete binding relationship use the following command ZXR10 config dhcp pool ip pool lt ip_pool_name gt This binds
148. ltage of the equipment. Observe the local safety codes and relevant operation procedures during equipment installation, operation and maintenance to prevent personal injury or equipment damage. Safety precautions introduced in this manual are supplementary to the local safety codes. ZTE bears no responsibility in case of universal safety operation requirements violation and safety standards violation in designing, manufacturing and equipment usage. Symbol Descriptions. Contents deserving special attention during ZXR10 5900E configuration are explained as follows. Caution: It indicates that the fault will happen if safety is ignored. Note: It provides additional information. Chapter 2 Usage and Operation. Table of Contents: Configuration Mode; Command Mode Function; Command Line Function. Configuration Mode. As shown in Figure 1, ZXR10 5900E offers multiple configuration modes. A user can select a configuration mode based on the connected network. 1. Configuration of Console Port Connection 2. TELNET Connection Configuration 3. SSH (Secure Shell) Connection Configuration 4. SNMP Connection Configurati
149. mand ZXR10 config logging ftp lt eve gt mng lt ftp server gt lt us This sets the background FTP ername password filename log server parameter 7 To set parameters of alarm information which is sent to trap server use the following command ZXR10 config logging trap eve community mn This sets parameters of alarm g lt host address gt information which is sent to trap server 8 To set parameters to pack information in alarm buffer to file and send it to ftp server use the following command ZXR10 config logging filesavetime everyday This sets parameters to pack hh mm ss interval hh mm ss month information in alarm buffer to monthday hh mmm ss week weekday hh mm s file and send it to ftp server s gt mng lt ftp sever username password alarm file prefix 140 Confidential and Proprietary Information of ZTE CORPORATION ZTERHY Chapter 13 Network Management Configuration 9 To set background syslog server parameters use the following command ZXR10 config syslog server host lt ip address gt fport This sets background syslog fport Iport lt port gt alarmlog alarmlog alarmlog server parameters 10 To display log information use the following command ZXR10 config show logging alarm typeid This displays log information type start date lt date gt end date date level level Now the
150. mation of SNMP. 16. To display users of SNMPv3, use the following command: ZXR10 config show snmp user. This displays users of SNMPv3. 17. To display information of SNMPv3 group, use the following command: ZXR10 config show snmp group. This displays information of SNMPv3 group. 18. To display SNMP engine ID, use the following command. This displays SNMP engine ID. SNMP Configuration Example. The following is an example of SNMP configuration:
ZXR10 config snmp server view myViewName 1.3.6.1.2.1 included
ZXR10 config snmp server community myCommunity view myview rw
ZXR10 config snmp host 168.1.1.1 trap ver 1 ospf
ZXR10 config snmp server location this is ZXR10 in china
ZXR10 config snmp server contact this is ZXR10 tel 025 2872006
RMON Configuration. RMON Overview. Remote Monitoring (RMON) system is to monitor network terminal services. A remote detector (the local routing switch system) completes data collection and processing through RMON. The routing switch contains RMON agent software communicating with the NMS through SNMP. Information is usually transmitted from the routing switch to the NMS. Configuring RMON. 1. To enable the interface statistics function (only for Ethernet), use the following command: ZXR10 config gei_1 x rmon collection stat
151. 9. To enable DHCP SNOOPING on the specific VLAN, use the following command. This enables DHCP SNOOPING on the specific VLAN. vlan: the VLAN the user belongs to; the input range is 1-4094. Configuring DHCP Relay. 1. To configure the DHCP agent IP address on the interface or delete the IP address, use the following commands. ZXR10 config if vlanx ip dhcp relay agent <ip address>: This configures the DHCP agent IP address on the interface. <ip address>: DHCP agent IP address on the interface, in dotted decimal notation. ZXR10 config if vlanx no ip dhcp relay agent: This deletes the DHCP agent IP address on the interface. Before enabling DHCP Relay to forward user DHCP requests to an external DHCP Server, the IP address of the DHCP Agent must be configured; it is one of the IP addresses of the interfaces where the DHCP Client is located. The external DHCP Server assigns IP addresses according to the IP address of the DHCP Agent so that they are in the same subnet. The DHCP reply packet returned to the DHCP client by the DHCP server is forwarded by the DHCP Agent. Therefore a route pointing to the subnet where the DHCP Agent is located needs to be configured on the external DHCP Server. 2. To configure the outside DHCP server IP address on the interface or delete the outside DHCP Server address on the interface, use the following command.
152. n, use the following command: show ztp device list device mac mac address id 5 6. To display group member information, use the following command: show group member candidates mac <mac address>. Command debug group management can be used to trace packet sending and receiving of ZDP and ZTP and its processing during the cluster management process. Chapter 16 Security Configuration. Table of Contents: IP Source Guard; Control Plane Security Configuration. IP Source Guard. IP Source Guard Overview. IP Source Guard is an application based on DHCP SNOOPING. It records dynamic user information (IP, MAC) by constructing the DHCP SNOOPING binding database. After this function is enabled, a user can only use the address that the DHCP server dynamically distributes to access the external network. This prevents other users from using other IP addresses for deceit. Configuring IP Source Guard. To configure IP Source Guard or delete IP Source Guard, use the following commands. ZXR10 config if vlanx ip dhcp snooping ip source guard ip base mac base mac ip base vlan default <vlan id>: This configures IP Source Guard of interface. ZXR10 config if vlanx no ip
153. n and packet discarding. The difference between traffic shaping and traffic policing is that traffic shaping caches packets whose rate exceeds the limited value and sends them at an even rate, whereas traffic policing discards packets whose rate exceeds the limited value. Moreover, traffic shaping makes delay longer, but traffic policing does not introduce any extra delay. Queue Bandwidth Limit. Queue bandwidth limit means limiting the bandwidth of a queue on an interface to ensure the minimum bandwidth for the queue. When traffic is blocked, certain bandwidth can be ensured for this queue. Queue Scheduling and Default 802.1p. Each physical port of the ZXR10 5900E supports eight output queues (queue 0 to queue 7), called CoS queues. The switch performs incoming port output queue operation according to the CoS queue corresponding to the 802.1p of packets. In network congestion, queue scheduling is generally used to solve the problem that multiple packets compete with each other for resources at the same time. ZXR10 5900E supports Strict Priority (SP) and Weighted Round Robin (WRR) queue scheduling modes. Eight output queues of a port can adopt different modes respectively. SP Scheduling. SP is to strictly schedule data of each queue according to queue priority. First send packets in the highest pri
154. n device has a running fault or leaves, the standby device will become the main device and a new standby device will be elected from the rest of the member devices. Therefore stack system configuration won't be lost and the effect on traffic forwarding will be minimized. Configuring Switch Stack System. ZXR10 config mac switch time 0 300: This configures the time delay parameter. The unit is second. The maximum value is 300s. 0, the default value, means that when the main device leaves, the MAC address is switched to the new main device MAC address. ZXR10 config show running config: This views the configured MAC switching time from the current configuration content. If this command is set, mac switch time will be viewed. Reference Information. 1. The function of enabling MAC switching. In a stack system, the MAC address of the main device is that of the whole system. When the main device leaves, the standby device will be the main device. Meanwhile, its MAC address will replace the MAC address of the original main device as that of the whole system. Now a time delay (1 to 300s) can be configured by the MAC switching function after the device leaves. Within this time, if the original main device joins this stack system again, the MAC address of the original main device will become that of the stack system and the whole system MAC address is not switched. If the original main device doesn't join this stack system, the MAC
155. name 6. Copy the new version file on the background FTP server to the Flash's IMG directory with the filename zxr10.zar. 7. Check for the new version file in the Flash's IMG directory. If the new version file is not found, the copy failed. The user must repeat step 5 to copy the version again. 8. When the system is rebooted successfully, check the running version to confirm the success of the upgrade. Configuring System Parameters. Setting a Hostname of System. The default hostname of the system is ZXR10. Use hostname <network name> in global configuration mode to modify the hostname. Log on to the router again after hostname modification and the prompt will include the new hostname setting. Welcome Message upon System Boot. Use banner to set the welcome message upon system boot. The welcome message begins and ends with a custom character. The example is as follows:
ZXR10 config banner incoming C
Enter TEXT message. End with the character C
***********************************
Welcome to ZXR10 Switch World
***********************************
C
ZXR10 config
Setting Privileged Mode Key. To prevent an unauthorized user from modifying the configuration, use the following command. ZXR10 config enable secret 0 <password> 5 <password>: This sets password
156. network packet request packet that all request on the interface ZXR10 config if vlanx no ip dhcp relay snooping This disables DHCP network packet request packet that all request on the interface 12 To enable the interface as DHCP Relay trust or disable the in terface as DHCP Relay trust use the following command ZXR10 config if vlanx ip dhcp relay snooping trust This enables the interface as DHCP Relay trust ZXR10 config if vlanx no ip dhcp relay snooping This disables the interface as DHCP Relay trust 13 To enable DHCP Relay Snooping Trust or disable DHCP Relay Snooping Trust use the following command ZXR10 config ip dhcp relay snooping trust enable This enables DHCP Relay Snooping Trust ZXR10 config no ip dhcp relay snooping trust This disables DHCP Relay enable Snooping function Configuring DHCP Client 1 To enable class id of dhcp client on the interface use the fol lowing command 92 Confidential and Proprietary Information of ZTE CORPORATION ZTEDY Chapter 8 DHCP Configuration ZXR10 config if vlanx sip dhcp client class id WORD This enables class id of dhcp hex client on the interface 2 This configures class id of dhcp client on the interface ZXR10 config if vlanx sip dhcp client client id This configures dhcp client id on the interface ZXR10 config if vlanx no ip dhcp client client id This cancels the configuration of dhcp client id on the interface
157. ng configuration ZXR10 config show monitor session 1 Session 1 Source Ports Port fei_1 1 Monitor Direction rx Port fei_1 2 Monitor Direction both Destination Port Port fei_1 3 Rspan_vlanid 10 Rspan priority 1 ZXR10 config 3 The following example shows ERSPAN mirroring configuration FIGURE 17 ERSPAN MIRRORING EXAMPLE Tunnell Switch 1 Switch2 fei_1 1 20 20 20 20 fei_1 2 20 20 20 10 fei_1 1 10 10 10 10 As shown in Figure 17 set up a tunnel between Switchi and Switch2 use interface fei_1 1 of Switch1 as mirror source port and configure ERSPAN mirroring With this configuration mes 40 Confidential and Proprietary Information of ZTE CORPORATION ZTEDH Chapter 4 Interface Configuration sage passing through interface fei 1 1 of Switch1 will be en capsulated with ERSPAN head and mirrored to interface fei_1 1 of Switch2 The configuration is as follows Configuration of Switch ZXR10 config interface fei 1 1 0 config fei_1 1 monitor session 1 source direction rx config fei 1 1 exit config interface tunnell config tunnell monitor session 1 destination erspan ttl 23 config tunnell tunnel mode gre ip config tunnell tunnel source ipv4 10 10 10 10 R R R R R R R R config tunnell tunnel destination ipv4 20 20 20 20 0 0 0 0 0 0 Show port mirroring configuration ZXR10 config show monitor session 1 Session 1 Source Ports
158. ng the subject matter of this document. Except as expressly provided in any written license between ZTE CORPORATION and its licensee, the user of this document shall not acquire any license to the subject matter herein. ZTE CORPORATION reserves the right to upgrade or make technical change to this product without further notice. Users may visit ZTE technical support website http://ensupport.zte.com.cn to inquire related information. The ultimate right to interpret this product resides in ZTE CORPORATION. Revision History: Revision No., Revision Date, Revision Reason. Serial Number: sjzl20096392. Contents: About This Manual; Safety Description; Safety Introduction; Symbol Descriptions; Usage and Operation; Configuration Mode; Configuring Through Console Port; Telnet Connection Configuration; SSH Connection Configuration; Simple Network Management Protocol (SNMP); Command Mode Function; Command Line Function; Online Help Command; Command Abbreviation; History Commands; Syst
159. Main device restarts or powers off. Stack system is reset. Other stack system is combined with the current stack system. As for the two conditions with the current main device, the current main device will join the process of main device renewed election and possibly be elected main device again. When all switches in the stack system are opened or the stack system is reset, only some stack members can join the main device election. If the stack member start time gap is within 15s, it can join the main device election. Otherwise the device can only become a stack member. All stack members can join the process of main device renewed election. When the main device has been elected and the original main device has joined the stack system again, the original main device cannot be the current main device again, but a member device. Stack System Member ID. Stack member ID from 1 to 9 identifies each member in the stack system. The interface configuration of each stack member is based on this member ID. Meanwhile, each stack member ID can be viewed by command line. If a device hasn't configured an ID before joining the stack system, it will have the default ID 1. In a stack system, two or more devices can't have the same ID. The command nvram stack machine id modifies the stack device ID, which is valid after restarting the device. When a device joins a stack system, if its ID is different from the ID of any member
160. ol plane disable: security function global switch. It is used to open or close the control plane security function; the default is enabled. 2. To discard or pass a protocol packet, use the following command. ZXR10 config gei_1 x protocol protect mode protocolname enable disable: This passes or discards a protocol packet. This command is configured in the interface mode. The configuration decides whether a certain protocol packet will be discarded on a physical port. For a port whose port configuration is NNI, all configured protocol packets are enabled by default. But for a port whose port configuration is UNI, the default value differs according to the protocol packet, which can be viewed by the show command. 3. To configure the protocol packet alarm threshold, use the following command. ZXR10 config gei_1 x protocol protect alarm mode <protocol name> <alarm limit>: This configures a certain protocol packet alarm threshold as 30s. The alarm limit range is 1000 to 18000. This command is also configured in the interface mode. It is used to modify the alarm threshold of a certain protocol packet on a certain physical port. When the number of specific protocol packets exceeds this threshold in 30s, an alarm message is sent to the user. The default value is 3000. 4. To configure protocol packet passing peak
161. ommand ZXR10 config nas aaa lt rule id gt accounting This configures whether to enable disable enable accounting 8 To configure whether multiple users are allowed and limitation on the number of users use the following command ZXR10 config nas aaa rule id multiple hosts enable This configures whether multiple max hosts lt host number gt disable users are allowed and limitation on the number of users 9 To configure the default ISP server name use the following command ZXR10 config nas aaa lt rule id gt default isp lt isp name gt This configures the default ISP server name 10 To configure whether to conduct full name accounting use the following command ZXR10 config nas aaa lt rule id gt fullaccount This configures whether to enable disable conduct full name accounting 11 To configure a group name use the following command ZXR10 config nas aaa lt rule id gt groupname This configures a group name lt group name gt 12 To bind an AAA control entry with the radius server group use the following command Confidential and Proprietary Information of ZTE CORPORATION 107 ZXR10 5900E Series User Manual Basic Configuration Volume ZTERH ZXR10 config nas aaa lt rule id gt radius server This binds an AAA control entry authentication lt group number gt with the radius server group 13 To configure binding radius accounting server group use the
162. on. FIGURE 1 ZXR10 5900E CONFIGURATION MODES (figure labels: FTP/TFTP Server, Telnet Host, SNMP NMS, Serial Port, Hyper Terminal, ZXR10). Configuring Through Console Port. This is the main configuration mode of ZXR10 5900E. ZXR10 5900E debugging configuration is implemented through the console port connection. The console port connection configuration adopts the VT100 terminal mode. 1. Select Start > Programs > Accessories > Communications > HyperTerminal on the PC screen to start the HyperTerminal, as shown in Figure 2. FIGURE 2 STARTING THE HYPERTERMINAL. 2. Input the related local information in the interface, as shown in Figure 3. FIGURE 3 LOCATION INFORMATION.
163. on on each port to control the user's access to the Internet. It is required that the access control mode is MAC address based access control mode. All the AAA access users belong to the default domain zte163.net. This authentication and RADIUS authentication are conducted at the same time. Disconnect the user and make it offline if RADIUS accounting fails. Do not add the domain name after the user name during access. Connect the server group composed of two RADIUS servers to the switch. IP addresses of these servers are 10.1.1.1 and 10.1.1.2 respectively. It is required that the former serves as the master authentication and slave charging server, and the latter serves as the slave authentication and master charging server. Set the encryption password to aaazte when the system exchanges packets with the authentication RADIUS server. Set the system to resend packets to the RADIUS server if no response comes from this server within five seconds after the previous sending; packets can be resent five times at most. Direct the system to remove the user domain name from the user name and then send it to the RADIUS server i
164. onnects to port gei 1 1 in Vlan 1 is the preview user of multicast group 224 1 1 1 Max preview time is 2 min utes Least preview interval is for 20 seconds Max preview counts are 10 Vlan ID of multicast group is 100 Configura tion is shown below ZXR10 config nas iptv control enable ZXR10 config nas f create iptv channel special 1 address 224 1 1 1 ZXR10 config nas iptv channel 1 mvlan 100 ZXR1O config nas iptv channel 1 name cctvl ZXR10 config nas f create iptv cac rule 1 port gei 1 1 vlan 1 126 Confidential and Proprietary Information of ZTE CORPORATION ZTEDY Chapter 12 IPTV Configuration ZXR10 ZXR10 ZXR10 ZXR10 config nas config nas config nas config nas iptv cac rule iptv cac rule iptv cac rule iptv cac rule prvcount 10 prvtime 120 prvinterval 20 right preview 1 PRPRR 3 User which connects to port gei 1 1 wants to view all multicast groups in Vlan 100 Configuration is shown below ZXR10 config nas iptv control enable ZXR10 config nas create iptv channel general 256 ZXR10 config nas iptv channel 256 mvlan 100 ZXR10 config nas create iptv cac rule 1 port gei 1 1 ZXR10 config nas iptv cac rule 1 right order 256 4 Port gei 1 1 only permits receiving the requesting packets of multicast group 224 1 1 1 Vlan ID of this multicast group is 100 Configuration is shown below ZXR10 config nas iptv control enable ZXR10 con
165. op detect reopen time. This configures the loopback detection port interface. When a switch detects a loopback on a port, the switch deals with it according to the parameter protect interface. When the parameter protect interface is enable, the switch raises an alarm that it has detected a loopback, but there is no further operation. When the parameter protect interface is disable, the switch shuts down the port. After loopback detection is enabled, the default of the parameter protect interface is disable. This configures the reopen time when the port was shut down as a result of loopback detection. This enables the loopback detection function. This displays detail of the port which enables loopback detection. This displays the port which enables loopback detection protection. This displays the reopen time when a port has been shut down as a result of loopback detection. Port Loop Detection Example. As shown in Figure 18, port gei_1/3 is connected to a computer, which telnets into switch A. Port gei_1/1 is in Vlan1 and Vlan2. Enable loopback detection on port gei_1/1. Loopback detection is done in Vlan1 and Vlan2 at the same time. Switch A is connected to Switch B with the gei_1/1 port. Switch B shuts the spanning tree protocol and loops two ports with one network line. The two ports in the loop and the port which connects to the switch are in the same Vlans as gei_1/1.
166. ority queue, and after that send packets in the higher priority queue. Similarly, after that send packets in the lower priority queue, and so on. SP scheduling makes packets of key services processed preferentially, thus guaranteeing service quality of key services. But the low priority queue may never be processed and may be starved. WRR. WRR makes each queue investigated possibly and not starved. Each queue is investigated at a different time, that is, it has a different weight indicating the ratio of resources obtained by each queue. Packets in the high priority queue have more opportunities to be scheduled than those in the low priority queue. Data priority is contained in the 802.1P label. If data entering the port is not marked with an 802.1P label, a default 802.1p value will be assigned by the switch. Redirection and Policy Routing. Redirecting is used to make the decision again about the forwarding of packets with certain features according to traffic classification. Redirection changes the transmission direction of packets and exports messages to the specific port, CPU or next hop IP address. Redirect packets to the next hop IP address to implement policy routing. On the aspect of packet forwarding control, policy based routing has more powerful control capacity than traditional routing because it can select a forwarding path according to the matched field in the ACL. Policy routing can implement traffic engineering to a certain extent
167. otocol function use the following com mmand 142 Confidential and Proprietary Information of ZTE CORPORATION ZTEDHY Chapter 13 Network Management Configuration ZXR10 config tacacs disable clear This disables TACACS protocol function 3 To configure TACACS server group member use the following command ZXR10 config sg server ip addr port lt 1025 65535 gt This configures TACACS server group member Command parameter description is as follows IP address of TACACS Server which must be the configured one 1025765555 The port number that TCP connects 4 To configure TACACS client IP address use the following com mand ZXR10 config tacacs client lt ip addr gt port This configures Tacacs client lt 1025 65535 gt IP address which is used to communicate with Tacacs server Configuration is deleted with no command Command parameter description is as follows lt 1025 65535 gt Client layer 4 port 5 To configure TACACS server parameter use the following com mand ZXR10 config tacacs server host lt ip addr gt port This configures TACACS server integer timeout integer key lt string gt parameter Configuration is deleted with no command Command parameter description is as follows Confidential and Proprietary Information of ZTE CORPORATION 143 ZXR10 5900E Series User Manual Basic Configuration Volume ZTERH Port number for TCP connection
168. ow mff configure Example This configures global configuration information manually ZXR104 show mff configure MFF Mode manus MFF Gateway MAC detecting disable 172 Confidential and Proprietary Information of ZTE CORPORATION ZTEDH Chapter 16 Security Configuration This displays MFF VLAN configuration information show mff vlan lt vian id gt Example This designates VLAN configuration information manually ZXR10 show mff vlan 1 MFF function enable MFF gateway ip 10 40 20 1 This displays MFF physical interface configuration information show mff interface interface name The command with interface name will view configuration in formation of designated interface The command without pa rameter will view all opened MFF function configuration infor mation Example view configuration information of the designated in terface ZXR10 show mff interface gei 1 1 Interface MFF Type gei 1 1 Network port This views MFF corresponding relationship table show mff table vlan v an id A B C D Command Illustration i The command without option will view all MFF correspond ing relationship ii The command with VLAN option will view all MFF corre sponding relationship in this VLAN iii The command with VLAN and user IP address option will view MFF corresponding relationship of specific user iv Illustration to displayed command information information Description IP Address Subscr
169. port name gt next hop lt ip address gt Example This example shows the redirection of the packet whose source IP address is 168 2 5 5 on the port gei_1 4 to the port gei_1 3 In addition it is to implement the policy routing to packet whose Confidential and Proprietary Information of ZTE CORPORATION 69 ZXR10 5900E Series User Manual Basic Configuration Volume ZTERH destination IP address is 66 100 5 6 and specify the next hop IP address as 166 88 96 56 ZXR10 ZXR10 ZXR10 ZXR10 ZXR10 ZXR10 ZXR10 ZXR10 config acl extend number 100 config ext acl rule 1 permit ip 168 2 5 5 0 0 0 0 any config ext acl rule 2 permit ip any 66 100 5 6 0 0 0 0 config ext acl exit config redirect in 100 rule id 1 interface gei_1 3 config redirect in 100 rule id 2 next hop 166 88 96 56 config interface gei 1 4 config gei_1 4 ip access group 100 in Configuring Priority Marking ZXR10 config priority mark in lt ac number gt rule id This configures priority marking lt rule no gt dscp lt dscp value gt cos lt cos value gt local precedence lt oca va ue gt drop precedence dropl value y Example This example shows how to change the DSCP value of the packet whose source IP address is 168 2 5 5 on the port gei 1 1 to 34 and selects the output queue to 4 ZXR10 config acl standard number 10 ZXR10 config std acl rule 1 permit 168 2 5 5 ZXR10 config std acl exit ZXR10 config priority mar
170. prior to version upgrade so that the original version can be restored in case the new version loading fails. Backing up the software version file is similar to backing up the configuration file. Run the following command to back up the software version file in the Flash to img under the background TFTP server's root directory:
ZXR10#copy flash: /img/zxr10.zar tftp: //168.1.1.1/img/zxr10.zar
Restoring Version File
Version restoration is to transfer the backup of the software version file from the background server to the foreground Flash of the switch over FTP/TFTP. Version restoration is important when the upgrade fails. The procedure of version restoration is basically the same as version upgrade.
As mentioned previously, the ZXR10 5900E supports configuration file import/export. Copy the configuration file startrun.dat to the background host over FTP/TFTP, edit the file there with a text editor, and then copy the file back to the foreground Flash's CFG directory over FTP/TFTP. The file will take effect the next time the system is rebooted.
Note: 1. When using the copy command to transfer an FTP file between the background host and the switch, first configure the host IP address in the same network segment as the VLAN interface IP address; the interface to which the host connects must belong to that VLAN, and the host must be able to ping the VLAN IP address
171. r <A.B.C.D> vlan <1-4094>
This clears statically configured MFF user.
6. To enable MFF gateway MAC address detection function, use the following commands:
This enables MFF gateway MAC address detection function.
ZXR10(config)#mff gateway detect disable
This disables MFF gateway MAC address detection function.
MFF Configuration Example
As shown in Figure 40, R1 is the MFF gateway. PC1 obtains its IP address through DHCP. DHCP SNOOPING and MFF are configured on the switch.
[Figure 40: Manual Mode Basic MFF Function Configuration Example]
MFF configuration of switch:
ZXR10(config)#mff mode auto
ZXR10(config)#mff gateway detect enable
ZXR10(config)#interface vlan 1
ZXR10(config-if-vlan1)#ip address 192.168.1.100 255.255.255.0
ZXR10(config-if-vlan1)#mff enable
ZXR10(config-if-vlan1)#exit
ZXR10(config)#interface gei_1/2
ZXR10(config-gei_1/2)#set mff network port
ZXR10(config-gei_1/2)#exit
ZXR10(config)#interface gei_1/4
ZXR10(config-gei_1/4)#set mff user port
MFF maintenance and diagnosis
When MFF encounters a problem, the fault can be located and removed with the relevant debugging commands. The most commonly used command is the show command.
1. This displays MFF global configuration information: sh
172. r of each member device will be automatically checked. If the version number of a stack member is different from that of the main device, the main device will synchronize the software to the member device. After synchronizing, the member device will restart and join the stack system again. It is recommended that the device with the highest software version is configured with the highest priority. Therefore it can be the main device, and other member devices can automatically upgrade to the latest software.
Stack System Configuration File
The configuration file of the stack system applies the configuration file of the main device. The name of the configuration file is stackcfg.dat. When the system starts, it reads the configuration file from the flash of the main device and recovers according to the record of this configuration file. When write is used, the configuration file is not only saved in this device but also synchronized to the other devices, that is, the same configuration file will be saved in the flash of the other devices. If a member device leaves, it will automatically load this configuration file after starting.
Stack System Active Standby Changeover
There is a main device and a standby device in the stack system; if there is only one device, that is the main device. Commands can be carried out on the main device to configure the whole stack system. Meanwhile, this configuration will be synchronized to the standby device, that is, the standby device will record this configuration. When mai
173. ress <dst-mac> <dst-wildcard> ingress <sor-mac> <sor-wildcard> time-range <range-name>
ZXR10(config-hybd-acl)#rule <rule-no> permit deny <source> <source-wildcard> any <dest-ip> <dest-wildcard> any ether protocol <vlan-id> cos <value> egress <dst-mac> dst wildcard ingress <sor-mac> <sor-wildcard> time-range <range-name> eq <port-number> <dst-mac> <dst-wildcard> any <ether-protocol> <vlan-id> cos <value> egress <dst-mac> dst wildcard ingress <sor-mac> <sor-wildcard> time-range <range-name>
This configures the rules based on UDP.
ZXR10(config-hybd-acl)#move rule no after before <rule-no>
This moves a rule behind another rule.
Example: This shows an extended ACL to perform the following functions:
1. Permit UDP packets from the network segment 210.168.1.0/24, the destination IP address 210.168.2.10, destination MAC address 00d0.d0c0.5741, the source port 100 and the destination port 200 to pass.
2. Forbid the BGP packets from the network segment 192.168.3.0/24 passing.
3. Forbid all packets with the MAC address 0100.2563.1425.
ZXR10(config)#acl hybrid number 300
ZXR10(config-hybd-acl)#rule 1 permit udp 210.168.1.0 0.0.0.255 eq 100 210.168.2.10 0.0.0.0 eq 200 any egress 00d0.d0c0.5741 0000.0000.0000
ZXR10(config-hybd-acl)#rule
174. ZXR10(config-if-vlanx)#ip dhcp relay server <ip-address> standard security
<ip-address>: outside DHCP Server IP address, in dotted decimal notation. standard: forwarding mode that complies with the DHCP standard protocol. security: ZTE security forwarding mode. The default is standard.
ZXR10(config-if-vlanx)#no ip dhcp relay server <ip-address>
<ip-address>: outside DHCP Server IP address, in dotted decimal notation.
Standard forwarding mode conforms to the DHCP standard protocol. After the user obtains the corresponding IP address, the DHCP process will not process subsequent unicast interaction any more, such as security inspection. At the same time, the ARP table writing function is invalid in standard mode. Standard forwarding mode performs better for a large number of users because it does not deal with the subsequent unicast interaction.
Security forwarding mode combines the DHCP standard protocol with ZTE patent technology to control and manage all interaction of the DHCP client and the outside DHCP server, such as security check. Therefore the DHCP process can work in all DHCP interaction. At the same time, it supports the ARP writing function.
The system default Relay forwarding mode is standard forwarding mode.
3. To configure the retry time that DHCP Relay applies from the outside DHCP Server, or to recover the default retry time, use the following command:
ZXR1
175. rk behind the system prompt to view the list of available commands in this command mode. In the privileged mode, execute the disable command to return to the user mode. In the user mode and privileged mode, execute the exit command to exit the switch. In other command modes, execute the exit command to return to the previous mode. In command modes other than the user mode and privileged mode, execute the end command or press <Ctrl+z> to return to the privileged mode.
Command Line Function
Online Help Command
1. Input a question mark (?) behind the prompt of any command mode to view all commands and brief descriptions of this mode.
ZXR10>?
Exec commands:
enable   Turn on privileged commands
exit     Exit from the EXEC
login    Login as a particular user
logout   Exit from the EXEC
ping     Send echo messages
quit     Quit from the EXEC
show     Show running system information
telnet   Open a telnet connection
trace    Trace route to destination
who      List users who are logining on
2. Input the question mark behind a character or character string to view the list of commands or keywords beginning with that character or character string. There is no space between the character (character string) and the question mark.
ZXR10#co?
configure copy
ZXR10#co
3. Press Tab behind the character string. If the command or ke
176. s of RADIUS server which corresponds to nas ip and source ip address of protocol packets.
8. ZXR10(config-authgrp-1)#server ipaddress key <keystr> port <portnum>
This configures radius server and its parameter.
9. ZXR10(config-authgrp-1)#user name format include domain strip domain
This configures format of user name which BRAS sends to RADIUS server.
10. ZXR10(config-authgrp-1)#vendor enable disable
This configures whether self definition attribute of manufacturer is in a sending RADIUS protocol packet.
4. To perform RADIUS maintenance and diagnosis, execute the following commands:
ZXR10#debug radius accounting event error data packet <group-number all> authentication event error data packet <group-number all> user user nam all exception
This displays RADIUS debugging information.
ZXR10#show counter radius accounting group group number authentication group group number all
This displays statistics information.
ZXR10#show accounting local buffer group group number name radiusname session session id user user name sum all
This displays the content of accounting packets in local buffer.
ZXR10#clear accounting local buffer group number
This clears the content of all accounting packets in local buffer.
RADIUS Config
177. ses are reserved for private networks. It is recommended that the internal network should use the private network addresses. These addresses refer to: a Class A, 10.0.0.0 to 10.255.255.255; a Class B, 172.16.0.0 to 172.31.255.255; Class C, 192.168.0.0 to 192.168.255.255.
This address classification method is to facilitate routing protocol design. With this method, the network type can be known just from the prefix characteristic bits of the IP address. This method, however, cannot make the best of the address space. With the dramatic expansion of the Internet, the problem of address shortage becomes increasingly serious.
To make the most of IP addresses, a network can be divided into multiple subnets. Some bits are borrowed from the highest bits of the host bits as the subnet bits. The remaining part of the host bits still serves as the host bits. Thus the structure of an IP address consists of three parts: network bits, subnet bits and host bits.
The network bits and subnet bits are used to uniquely identify a network. Use the subnet mask to find which part of the IP address indicates network bits and subnet bits and which part stands for host bits. The part where the subnet mask is 1 corresponds to the network bits and subnet bits of the IP address, while the part where the subnet mask is 0 corresponds to the host bits.
The division into subnets greatly improves the utilization of IP addresses and alleviates the problem of IP address shortage.
Regulations on IP addresses:
1. 0
178. src mac validate inspection function
ZXR10(config-gei_1/x)#ip arp inspection limit
This configures the limited speed of the interface. For an untrusted interface, the default is 15pps. For a trusted interface, ARP packet speed is not limited.
5. ZXR10(config-vlanx)#ip arp inspection
This configures DAI enabled of VLAN.
DAI Maintenance and Diagnosis
ZXR10 5900E provides show commands to help maintenance and diagnosis. Common commands used in DAI maintenance and diagnosis are as follows:
1. To view the trusted attribute of an interface, use the following command:
show ip arp inspection interface interface name
2. To view ARP packet validated inspection information, use the following command:
show ip arp inspection configure
3. To view DAI configuration information of a VLAN, use the following command:
show ip arp inspection vlan 1-4094 disable enable name vlan name
DAI Configuration Example
As shown in Figure 39, VLAN 2 is configured on the switch and DAI is run.
[Figure 39: DAI Configuration Example]
Prerequisites: DHCP SNOOPING function is opened in VLAN 2.
ZXR10(config)#ip dhcp snooping enable
ZXR10(config)#ip dhcp snooping vlan 2
VLAN 2 is configured on switch A and DAI is run.
ZXR10
179. standard ACL permitting packets from network segment 192.168.1.0/24 to pass through and denying packets whose source IP addresses are 192.168.1.100. Rule 1 and rule 2 can be configured with different names.
ZXR10(config)#acl standard number 10
ZXR10(config-std-acl)#rule 1 deny 192.168.1.100 0.0.0.0
ZXR10(config-std-acl)#rule description 1 test1
ZXR10(config-std-acl)#rule 2 permit 192.168.1.0 0.0.0.255
ZXR10(config-std-acl)#rule description 2 test2
Note: Currently only IPv4 standard ACL, IPv4 extended ACL, IPv4 hybrid ACL and IPv4 layer 2 ACL support the ACL renaming function.
ACL Configuration Example
A company has an Ethernet switch to which users of both department A and department B and servers are connected. This is shown in Figure 19. The relevant provisions are as follows:
1. Users of both department A and department B are forbidden to access the FTP server and the VOD server in work time (9:00-17:00), but can access the Mail server at any time.
2. Internal users can access the Internet through proxy 192.168.3.100, but users of department A are forbidden to access the Internet in work time.
3. General Managers of both department A and department B, with their IP addresses as 192.168.1.100 and 192.168.2.100 respectively, may access the Internet and all servers at any time.
The IP addresses of the servers ar
180. status
Note:
i. ZXR10 5900E allows up to four Telnet users at a time.
ii. Never modify/delete the IP address of the management Ethernet port during Telnet configuration through the management port; otherwise the Telnet connection will be broken.
2. Telnet to the switch from other devices, such as a switch or router.
i. Configure the IP addresses and interface of the VLAN through the console port.
ii. Configure the Telnet login user name and password through the console port.
iii. Consider a router as an example. Connect the router and the switch, ensuring that the router can ping the IP address of the switch VLAN interface.
iv. Run the telnet command on the router and input the IP address of the VLAN interface to log in to the switch.
SSH Connection Configuration
Telnet and FTP connections are not safe because they transmit the password and data over the network in plain text, so the data can easily be intercepted by attackers. A further disadvantage of Telnet/FTP security authentication is that it is easily attacked by a man in the middle, who imitates the server to receive the data sent by the client and imitates the client to transmit the data to the real server. SSH can solve this hidden trouble. SSH sets up a security channel for the remote login on non security network and other net
181. supported alarm information types contain ENVIROMENT, BOARD, PORT, ROS, DATABASE, OAM, SECURITY, OSPF, RIP, BGP, DRP, TCP, UDP, IP, IGMP, TELNET, ARP, ISIS, ICMP, SNMP and RMON.
11. To save alarm logging information in location flash: /data/log.dat, use the following command:
ZXR10#write logging
This saves alarm logging information in location flash: /data/log.dat.
12. To configure packets, use the following command:
ZXR10(config)#syslog server facility
This distinguishes different servers by this field.
13. To designate the source address in syslog, use the following command:
ZXR10(config)#syslog server source <ip-address>
This designates the source address in syslog.
Syslog Configuration Example
The following is a system log setting example. When configuring, the log function must be enabled with the logging on command.
ZXR10(config)#logging on
ZXR10(config)#logging buffer 100
ZXR10(config)#logging mode FULLCLEAR
ZXR10(config)#logging console warnings
ZXR10(config)#logging level errors
ZXR10(config)#logging ftp notificational 168.1.70.100 target target zxralarm.log
ZXR10(config)#syslog server host 192.168.0.100
TACACS Configuration
TACACS Overview
TACACS (Terminal Access Controller Access Control System) is the most popular AAA protocol, which is the simplified name of Au
182. t
Configuring QoS
Configuring Traffic Policies
ZXR10(config)#traffic-limit in <acl-number> rule-id <rule-no> cir <cir-value> cbs <cbs-value> ebs <ebs-value> pir <pir-value> mode <mode> drop-yellow forward-red remark-red-dp high low medium remark-red-dscp <value> remark-yellow-dp high low medium remark-yellow-dscp <value>
This configures traffic policy.
Color rendering configuration parameters contain cir, cbs, ebs and pir.
To use the dual rate marker algorithm, configure the pir parameter. The ebs parameter indicates the pbs parameter stipulated in the protocol.
Parameter mode: blind indicates Color Blind mode and aware indicates Color Aware mode.
Parameter drop-yellow indicates dropping yellow packets; packets will be forwarded by default.
Parameter forward-red indicates forwarding red packets; packets will be forwarded by default.
Parameter remark indicates remarking the service parameter of packets with color:
remark-red-dp: Remark drop precedence of red packets; priority parameter includes high, medium and low.
remark-red-dscp: Remark DSCP priority of red packets; priority parameter is 0-63.
remark-yellow-dp: Remark yellow packet dp to parameter of high, medium or low.
remark-yellow-dscp: Remark yellow pac
183. t information. The Marker colors the IP packet according to the result from the Meter, and the color is marked in the DS field.
The following two methods will be described:
1. Single Rate Three Color Marker (SrTCM)
This algorithm is used in the Diffserv traffic conditioner. SrTCM measures data flow and marks packets according to three traffic parameters: Committed Information Rate (CIR), Committed Burst Size (CBS) and Excess Burst Size (EBS). We call the three parameters the green, yellow and red markers respectively. A packet is green if its size is less than CBS. A packet is yellow if its size is between CBS and EBS, and is red if its size exceeds EBS. By default, a red packet is discarded.
2. Two Rate Three Color Marker (TrTCM)
This algorithm is used in the Diffserv traffic conditioner. TrTCM measures IP data flow and marks packets with green, yellow and red based on two types of rates, Peak Information Rate (PIR) and Committed Information Rate (CIR), and their related committed burst sizes (CBS and PBS). A packet is marked in red if its size exceeds PIR. A packet is marked in yellow if its size is between PIR and CIR, and is marked in green if its size is less than CIR.
Traffic Shaping
Traffic shaping is used to control the rate of output packets, thus sending packets at an even speed. Traffic shaping is used to match the packet rate with downlink equipment to avoid congestio
184. Configuring DOM
Enabling DOM Function on Port
ZXR10(config-gei_1/x)#optical inform monitor enable disable
The SFP DOM polling test function needs to be enabled or disabled on the interface by command line.
The default is disabled. The polling diagnosis related information can be viewed after it is enabled. Otherwise the related optical module information cannot be shown. Only physical interfaces are supported: 100M port, gigabit port and 10G port.
Viewing Current Optical Module Information
ZXR10#show optical info brief
This views brief information of the interface optical module, including temperature, voltage, current, sending and receiving power.
This supports single interface view and single board view. Only physical interfaces are supported.
Example: This views optical module information of an interface.
ZXR10#show optical inform brief
Interface    Temperature  Voltage  Current  Optical Tx Power  Optical Rx Power
Name         (Celsius)    (Volts)  (mA)     (mW)              (mW)
gei_2/1/21   2.00         5.00     60.00    0.00              1.00
gei_2/1/22   12.00        5.00     60.00    0.00              1.00
gei_2/1/23   2.00         5.00     60.00    0.00              1.00
gei_2/1/24   2.00         5.00     60.00    0.00              1.00
ZXR10#show optical inform brief interface gei_2/1/23
Interface    Temperature  Voltage  Current  Optical Tx Power  Optical Rx Power
Name         (Celsius)    (Volts)  (mA)     (mW)              (mW)
gei_2/1/23   2.00         5.00     60.00    0.00              1.00
The threshold is relat
185. tch configuration 0 config radius authentication group 0 config authgrp 1 server 1 10 1 1 1 th server port num gt 0 config authgrp 1 server 2 10 1 1 2 th server port num gt 0 config authgrp 1 exit 0 config radius accounting group 0 config acctgrp 1 server 1 10 1 1 1 ct server port num gt 0 config acctgrp 1 ct server port num gt server 2 10 1 1 2 config acctgrp exit config nas aaa authen radius key key key key aaazte port aaazte port aaazte port aaazte port 0 O config f nas 0 config nas dotlx re authentication enable period 5 0 config nas dotlx max request 5 0 config nas create aaa 1 port gei 1 1 0 config nas aaa authentication radius 0 config nas aaa control dotlx enable 0 config nas faaa authorization auto 0 config nas faaa accounting enable 0 config nas faaa multiple hosts enable 0 config nas faaa default isp ztel63 net 0 config nas faaa fullaccount disable 0 config nas aaa radius server authentication 1 0 config nas aaa radius server accounting 1 0 Dot1x Trunk Authentication A pplication Internal network of an enterprise is shown in Figure 30 FIGURE 30 DOT1X TRUNK AUTHENTICATION APPLICATION Supplicant Supplicant A Lis 114 Confidential and Proprietary Information of ZTE CORPORATION Ethernet A Switch Switch pa Authentication Radius Server 10 1 1 1 10 1 1 2 Internet
186. te network. It is suggested to isolate the broadcast domain of the public network and that of the private network on the command switch and shield the direct access to the private address. The command switch provides a management and maintenance channel to the outside to manage the cluster in a centralized and unified manner.
A broadcast domain is usually composed of four kinds of switches: command switch, member switch, candidate switch and independent switch.
There is only one command switch in a cluster. The command switch can collect equipment topology and establish a cluster automatically. After the cluster is established, the command switch provides a management channel for the cluster to manage member switches. A member switch serves as a candidate switch before being added into the cluster. A switch which does not support cluster management is called an independent switch.
The cluster management network is formed as shown in Figure 32.
[Figure 32: Cluster Management Networking]
187. the specific ip pool with dhcp pool.
<ip_pool_name>: ip pool address pool name, 1-16 characters.
2. ZXR10(config-dhcp-pool)#no ip pool
This deletes binding relationship.
6. To configure ip address lease time or delete the configured time, use the following commands:
ZXR10(config-dhcp-pool)#lease time infinite <days> <hours> <minutes>
This configures ip address lease time. <days>: 0-365. <hours>: 0-23. <minutes>: 0-59. infinite. The default is 60 minutes.
ZXR10(config-dhcp-pool)#option <option_code> ascii <string> hex <hex_num> ip <ip_addr>
This configures other options. option_code: configured optional code, 1-254. string: NVT ASCII character string. hex_num: hexadecimal number. ip_addr: IP address.
Configuring DHCP POLICY
1. To enter POLICY configuration mode or delete the policy configuration corresponding to a name, use the following commands:
ZXR10(config)#ip dhcp policy <policy-name> <priority>
This enters policy configuration mode. <policy-name>: name of policy, 1-16 characters. <priority>: priority.
ZXR10(config)#no ip dhcp policy <policy-name> <priority>
This deletes the policy configuration corresponding to the name.
2. To bind the policy to a dhcp pool or delete the binding relationship, us
188. the valid holding time of ZDP information.
Configuring ZTP Topology Collection Protocol
1. To enable the ZTP function globally or in a specific interface, use the following command:
ZXR10(config)#ztp enable
This enables the ZTP function globally or in a specific interface.
2. To conduct ZTP topology collection on different VLANs, use the following command:
ZXR10(config)#ztp vlan <vlanId>
This conducts ZTP topology collection on different VLANs.
3. To set the hops of ZTP topology collection, use the following command:
ZXR10(config)#ztp hop <number>
This sets the hops of ZTP topology collection.
4. To set each hop delay in sending ZTP protocol packets, use the following command:
ZXR10(config)#ztp hop delay time
This sets each hop delay in sending ZTP protocol packets.
5. To set the delay in sending ZTP protocol packets on the port, use the following command:
ZXR10(config)#ztp port delay <time>
This sets the delay in sending ZTP protocol packets on the port.
6. To conduct topology collection once, use the following command:
ZXR10(config)#ztp start
This conducts topology collection once.
7. To set ZTP timing topology collection time, use the following command:
ZXR10(config)#ztp timer
This sets ZTP timing topology collection time.
Establishing Clust
189. timeout period
This configures dot1x client timeout time.
5. To configure dot1x authentication server timeout time, use the following command:
ZXR10(config-nas)#dot1x server timeout period
This configures dot1x authentication server timeout time.
6. To configure the maximum times of requests for dot1x client, use the following command:
ZXR10(config-nas)#dot1x max requests count
This configures the maximum times of requests for dot1x client.
Configuring Local Authentication User
1. To create a local user, use the following command:
ZXR10(config-nas)#create localuser <user-id> name <user-name> password <user-password>
This creates a local user.
2. To delete a local user, use the following command:
ZXR10(config-nas)#clear localuser <user-id>
This deletes a local user.
3. To bind the user with the port, use the following command:
ZXR10(config-nas)#localuser <user-id> port <port-name>
This binds the user with the port.
4. To bind the user with the VLAN, use the following command:
ZXR10(config-nas)#localuser <user-id> vlan <vlan-id>
This binds the user with the VLAN.
5. To bind the user with the MAC address, use the following command:
ZXR10(config-nas)#localuser <user-id> mac
This binds the user
190. times of timeout retransmission can be set for each group. The administrator can configure different RADIUS groups to select a specific RADIUS server.
Configuring RADIUS
1. To configure a RADIUS accounting group, use the following command:
ZXR10(config)#radius accounting group <group-number>
This configures RADIUS accounting group.
2. To configure a RADIUS authentication group, use the following command:
ZXR10(config)#radius authentication group <group-number>
This configures RADIUS authentication group.
3. To configure the parameters of RADIUS, perform the following steps:
1. ZXR10(config-authgrp-1)#timeout <timeout>
This configures timeout retry parameter of RADIUS server.
2. ZXR10(config-authgrp-1)#algorithm first round robin
This configures algorithm of RADIUS server.
3. ZXR10(config-authgrp-1)#alias <name-str>
This configures alias of RADIUS server group.
4. ZXR10(config-authgrp-1)#calling station format <Format-number>
This configures format of command calling station id.
5. ZXR10(config-authgrp-1)#deadtime <time>
This configures dead time of authentication server.
6. ZXR10(config-authgrp-1)#max retries times
This configures timeout retry parameter of RADIUS server.
7. ZXR10(config-authgrp-1)#nas ip address <NAS IP
This configures nas ip addres
191. tination MAC address, IP protocol type, TCP source port No., TCP destination port No., UDP source port No., UDP destination port No., ICMP type, ICMP code, DSCP, ToS, precedence, source VLAN ID, Layer 2 Ethernet protocol type and 802.1p priority value.
Traffic Policing
Traffic policing is to impose a restriction on the bandwidth occupied by some traffic flow, to prevent it from exceeding the specified bandwidth and thus affecting other services. For the exceeding amount of traffic, conduct the following operations:
Discard or forward.
Modify its DSCP value.
Modify its drop precedence; packets with higher drop precedence will be dropped preferentially when congestion occurs.
Traffic policing will not introduce extra delay. Its working process is shown in Figure 20.
[Figure 20: Traffic Policing Working Flow]
ZXR10 5900E implements the Single Rate Three Color Marker (SrTCM, RFC2697) and Two Rate Three Color Marker (TrTCM, RFC2698) functions, which both support the color blind and color aware modes. It assumes that packets are colorless in color blind mode, but assumes that packets are marked in a color in color aware mode.
On the switch, each packet traversing the switch will be assigned a color according to some principle (packe
192. uration Example
The mode of configuring an accounting group is the same as that of configuring an authentication group. The following example shows how to configure an accounting group.
ZXR10(config)#radius accounting group 1
ZXR10(config-acct-group-1)#algorithm round robin
ZXR10(config-acct-group-1)#calling station format 2
ZXR10(config-acct-group-1)#deadtime 5
ZXR10(config-acct-group-1)#local buffer enable
ZXR10(config-acct-group-1)#max retries 5
ZXR10(config-acct-group-1)#nas ip address 10.1.1.4
ZXR10(config-acct-group-1)#server 1 10.2.1.3 key uas
ZXR10(config-acct-group-1)#server 2 12.1.2.3 key uas
ZXR10(config-acct-group-1)#timeout 10
SNMP Configuration
SNMP Overview
Simple Network Management Protocol (SNMP) is the most popular NMS protocol nowadays. An NMS server can manage all the devices on the network through this protocol.
SNMP management is based on server and client. The background NMS server serves as the SNMP server, and the foreground network device serves as the SNMP client. The foreground and background share an MIB and communicate with each other through the SNMP protocol.
It is required to configure the specific SNMP server for the routing switch acting as the SNMP agent, and to define the contents and authorities that the NMS is allowed to collect.
ZXR10 5900E supports multiple versions of SNMP.
Configuring SNMP
1. To set the SNMP packet community, use the following command:
ZXR10(config)#snmp-server community
193. Chapter 10 DOT1X Configuration
DOT1x Overview
DOT1X (IEEE 802.1x) is a port-based network access control protocol. It optimizes the authentication mode and authentication architecture and solves the problems caused by traditional PPPoE and Web/Portal authentication modes; therefore it is more suitable for broadband Ethernet.
The IEEE 802.1x protocol architecture contains three major parts: Supplicant System, Authenticator System and Authentication Server System.
1. Generally, the client system is a user terminal system where client software is often installed. The user originates IEEE 802.1x protocol authentication by booting the client software. To support port-based access control, the client system needs to support the Extensible Authentication Protocol Over LAN (EAPOL).
2. The authentication system is network equipment supporting the IEEE 802.1x protocol, such as the switch. The equipment corresponds to different user ports (physical port or MAC address, VLAN and IP of the user equipment) and has two logical ports composed of the controlled port and uncontrolled port
194. use the following command
ZXR10 config ip dhcp snooping clear <interface number>
This deletes the entry of the DHCP SNOOPING binding table on a layer 2 interface manually. <interface number> is the physical interface number, such as fei, gei and smartgroup.
3 To enable DHCP SNOOPING or disable DHCP SNOOPING use the following command
ZXR10 config ip dhcp snooping enable
After DHCP SNOOPING is globally enabled, DHCP SNOOPING needs to be enabled on the corresponding VLAN to take effect on it.
2 ZXR10 config no ip dhcp snooping enable
This disables the DHCP SNOOPING function.
4 To configure whether 82 option is inserted when DHCP SNOOPING is configured use the following command
ZXR10 config ip dhcp snooping information option
This inserts 82 option.
ZXR10 config no ip dhcp snooping information option
This doesn't insert 82 option.
5 To configure the 82 option format, or delete the configured 82 option format and restore the default format, use the following command
ZXR10 config ip dhcp snooping information format china tel dsl forum
This configures the 82 option format which is inserted when DHCP SNOOPING is configured. china tel: China Telecom 82 option format. dsl forum: DSL forum 82 option format. The default is China Telecom 82 option format.
ZXR10 config
195. ver engine id <engine id>
This sets the local engine id of SNMPv3.
10 To configure safe mode group of user use the following command
ZXR10 config snmp server group <groupname> v3 auth noauth priv context <context name> match prefix match exact read <readview> write <writeview> notify <notifyview>
This configures safe mode group of user.
11 To set the maximum packet size of SNMP use the following command
ZXR10 config snmp server packetsize 484 1400
This sets the maximum packet size of SNMP.
12 To configure TRAP source use the following command
ZXR10 config snmp server trap source <IP address>
This configures TRAP source.
13 To configure the users which are allowed to access SNMP engine use the following command
ZXR10 config snmp server user username groupname v3 encrypted auth md5 sha <auth password> priv des56 <priv password>
This configures the users which are allowed to access SNMP engine.
14 To display relevant information of SNMP use the following command
ZXR10 config show snmp
This displays relevant information of SNMP.
15 To display configuration information of SNMP use the following command
ZXR10 config show snmp config
This displays configuration infor
196. vice source file destination device destination file>
To view the current directory path use the following command
pwd
To view files and subdirectories of a specified device or under a specified directory use the following command
dir <directory>
To delete a file under a designated directory of the current device use the following command
delete filename
To enter a specific directory use the following command
cd directory
To make a directory in flash use the following command
mkdir <directory>
To delete a directory in flash use the following command
rmdir <directory>
To modify the name of a directory in flash use the following command
rename <source filename> <destination filename>
This example shows how to view the current files in the Flash
ZXR10 dir
Directory of flash
attribute size date time name
drwx 512 MAY 17 2004 14 22 10 IMG
2 drwx 512 MAY 17 2004 14 38 22 CFG
3 drwx 512 MAY 17 2004 14 38 22 DATA
65007616 bytes total 48863232 bytes free
ZXR10 cd img Enter the directory img
ZXR10 dir Show the current directory information
Directory of flash img
attribute size date time name
drwx 512 MAY 17 2004 14 22 10
2 drwx 512 MAY 17 2004 14 22 10
3 rwx 15922273 MAY 17 2004 14 29 18 ZXR10 ZAR
65007616 bytes total 48863232 bytes free
This example shows how to create a directory ABC in the Flash and then delete it
ZXR10 mkdir ABC Add
197. witch Stack System
Switch Stack System Introduction
Member Specification of Switch Stack System
Stack System Main Device Election and Renewed Election
Stack System Member ID
Stack System MAC Address
Stack Member Device Priority
Stack Member Device Software Version Check and Automatic Upgrade
Stack System Configuration File
Stack System Active Standby Changeover
Configuring Switch Stack System
Accessing the Specific Stack Member by Command
Viewing Switch Stack System Information
Cluster Management Configuration
Cluster Management Overview
Configuring Cluster Management
Configuring ZDP Neighbor Discovery Protocol
Configuring ZTP Topology Collection Protocol
Establishing Cluster
Maintaining Cluster
Cluster Management Configuration Example
Cluster Management Maintenance and Diagnosis
Security Configuration
IP Source Guar
198. work to encrypt and compress all transmitted data. In this way no useful information can be obtained from an interception. The current SSH protocol has two versions that are incompatible with each other: SSH v1.x and SSH v2.x. ZXR10 5900E supports SSH v2.0, which provides a safe remote login function. SSH consists of a server and a client. ZXR10 5900E serves as the SSH server and the host runs the SSH client to log in to the switch.
1 Execute the following command to enable the SSH server in ZXR10 5900E. By default the SSH server function is disabled.
ssh server enable
2 Connect the host network interface to the switch Ethernet interface so that the host can ping the IP of the switch VLAN interface.
3 Run the SSH client software putty on the host.
i Set the IP and port number of the SSH server as shown in Figure 9.
FIGURE 9 SETTING IP ADDRESS AND PORT NUMBER OF SSH SERVER
ii Set the SSH version number as shown in Figure 10.
FIGURE 10 SETTING THE SSH VERSION NUMBER
199. y inquiry from DSLAM. In this user manual, switch means DSLAM equipment. The VBAS protocol is implemented by sending VBAS packets between BAS and DSLAM.
Configuring VBAS
Enabling Disabling VBAS
ZXR10 config vbas enable
This enables VBAS.
ZXR10 config no vbas enable
This disables VBAS.
Enabling Disabling VBAS in VLAN Mode
1 ZXR10 config vlan <vlan id>
This enters VLAN configuration mode.
2 ZXR10 config vlanx vbas enable
This enables VBAS in VLAN configuration mode.
Configuring VBAS Trust Interface
1 ZXR10 config interface interface name
This enters interface configuration mode.
ZXR10 config gei_1 x vbas trust
This configures the VBAS trust interface.
Configuring VBAS Interface as User Interface or Network Interface
ZXR10 config interface interface name
This enters interface configuration mode.
ZXR10 config gei_1 x vbas port type user net
This configures the VBAS interface as user interface or network interface.
VBAS Configuration Example
Enable VBAS on the switch and configure the VBAS enable vlan as vlan 1. Configure gei_1 1 as trust interface with interface type user. Configuration is shown below
ZXR10 config vbas enable
ZXR10 config vlan 1
200. yword beginning with this character string is unique. This will complete the character string with a space at the end.
ZXR10 con <Tab>
ZXR10 configure (there is a space between configure and the cursor)
4 Input ? behind the command keyword and parameter. It shows the keyword or parameter to be input next and its brief explanation. There is a space in front of the question mark.
ZXR10 configure terminal Enter configuration mode
ZXR10 configure
5 If an incorrect command keyword or parameter is input, the error isolation is offered with a marker in the user interface after you press ENTER. The marker is below the first character of the incorrect command keyword or parameter. An example is given below
ZXR10 von ter 9 Invalid input detected at marker
ZXR10
An example of system clock is given below
ZXR104c1 clear clock
ZXR10 clock set Set the time and date
ZXR104clock set hh mm ss Current Time
ZXR10 clock set 13 32 00 Q Incomplete command
At the end of the above example the system prompts that the command is not complete and that another keyword or parameter should be input.
Note: All commands in the command line operation are case insensitive.
Command Abbreviation
ZXR10 5900E allows a command or keyword to be abbreviated into a character or character string that uniquely identifies this command or keyword. For example, the show command can be abbreviated to sh or sho.