ZXR10 8900 Series 10 Gigabit Routing Switch

Contents

1. ERSPAN Configuration Example; Port Loop Detection Configuration; Port Loop Detection Overview; Configuring Port Loop Detection; Port Loop Detection Configuration Example; Network Protocol Configuration; IP Address Configuration; IP Address Overview; Configuring IP Address; IP Address Configuration Example; ARP Configuration; ARP Overview; Configuring ARP; ARP Configuration Example; ARP Query Example; DHCP Configuration; DHCP Overview; DHCP Snooping Overview; Configuring DHCP; Configuring DHCP Server; Configuring DHCP Relay; Configuring DHCP Snooping; DHCP Configuration Examples; DHCP Server Configuration Example; DHCP Relay Configuration Example
2. DHCP Snooping Preventing False DHCP Server Configuration Example; DHCP Snooping Preventing Static IP Configuration Example; DHCP Maintenance and Diagnosis; VRRP Configuration; VRRP Overview; Configuring VRRP; VRRP Configuration Examples; Basic VRRP Configuration Example; Symmetric VRRP Configuration Example; VRRP Maintenance and Diagnosis; ACL Configuration; ACL Overview; NP Based ACL Overview; Configuring ACLs; Defining ACLs; Defining Standard ACL; Defining Extended ACL; Defining Layer 2 ACL; Defining Hybrid ACL; Defining Standard IPv6 ACL; Defining Extended IPv6 ACL; Defining Customized ACL; Configuring Time Range
3. Configuring IPTV CDR Parameters; Configuring IPTV Channels; Configuring IPTV Service Package; Configuring IPTV Preview Template; Configuring CAC; Configuring IPTV Fast Leave; Managing IPTV Users; IPTV Configuration Example; IPTV Maintenance and Diagnosis; VBAS Configuration; VBAS Overview; Configuring VBAS; VBAS Configuration Example; VBAS Maintenance and Diagnosis; CPU Attack Protection Configuration; CPU Attack Protection Overview; CPU Attack Protection Principle; Configuring CPU Attack Protection; Configuring IPv4 Protocol Protection; Configuring IPv6 Protocol Protection; Configuring Layer 2 Protocol Protection; CPU Attack Protection Configuration Examples; URPF Configuration; URPF Overview; Co
4. If incorrect command keywords or parameters are entered, the subscriber interface will provide error isolation with after carriage return will appear below the first character of the input incorrect command keyword or parameter. For example: ZXR10 von ter Invalid input detected at marker ZXR10. Make use of the online help to set system clock: ZXR104c1 clear clock ZXR10 clock set Set the time and date ZXR10 clock set hh mm ss Current Time ZXR10 clock set 13 32 00 Incomplete command ZXR10 pel. At the end of the above example, the system prompts that the command is incomplete. This indicates that other keywords or parameters are required. Note: All commands in the command line operation are case insensitive. Command Abbreviation: ZXR10 8900 series switch allows abbreviating commands and keywords to a character or character string that identifies the command or keyword uniquely. For example, abbreviate the show command to sh or sho. Command History: The user interface provides a record of up to 10 previously entered commands. This feature is particularly useful to recall long or complex commands. Re-invoke commands from the record buffer: execute one of the following operations. Confidential and Proprietary Information of ZTE CORPORATION 15 ZXR10 8900 Series User Manual Basic Configuration Volume ZTERH Press Ctrl P or This recalls commands in the history buffer in a forwar
5. Figure 28 Typical QoS Configuration Example; Figure 29 Policy Routing Configuration Example; Figure 30 Dot1x Radius Authentication Application; Figure 31 Dot1x Relay Authentication Application; Figure 32 Cluster Management Network; Figure 33 Switching Rule; Figure 34 Cluster Management Configuration Example; Figure 35 NTP Configuration Example; Figure 36 LLDP Configuration Example; Figure 37 Source Address Snooping 1; Figure 38 Source Address Snooping 2; Figure 39 URPF Configuration Example; Figure 40 IPFIX Configuration Example. Tables: Table 1 Chapter Summary; Table 3 Parameter Values; Table 4 Command Modes; Table 5 IP Address for Each Class; Table 6 ACL Descriptions
6. To enable auto negotiation function of an interface, perform the following steps (Chapter 5 Port Configuration). ZXR10 config interface <port name> byname <by name>: This accesses port configuration mode. ZXR10 config if negotiation auto: This enables Ethernet port auto negotiation. Note: To disable auto negotiation function of an interface, use the no negotiation auto command. The 10 gigabit Ethernet optical interface does not support auto negotiation. It is fixed to work in 10 gigabit full duplex mode. Configuring Duplex Mode: To configure Ethernet port duplex mode, perform the following steps. 1. ZXR10 config interface <port name> byname <by name>: This accesses port configuration mode. 2. ZXR10 config if duplex half full: This configures Ethernet port duplex mode. Note: Only the Ethernet electrical interface can be configured with duplex mode. Before configuring the Ethernet port duplex mode, disable auto negotiation function first. Configuring Ethernet Port Rate: To configure Ethernet port rate, perform the following steps. 1. ZXR10 config interface <port name> byname <by name>: This accesses port configuration mode. ZXR10 config if speed 10 100 1000: This configures Ethernet port speed.
7. Configuration of Switch C: ZXR10 config event list zte; ZXR10 config event interface gei_1/1 protocol down; ZXR10 config event exit; ZXR10 config acl standard number 1; ZXR10 config std acl rule 1 permit any event zte; ZXR10 config std acl rule 2 deny any; ZXR10 config std acl exit; ZXR10 config interface gei_1/2; ZXR10 config if ip access group 1 in. When protocol on gei_1/1 is down, rule 1 becomes effective. Traffic can access gei_1/2. When protocol on gei_1/1 is up, rule 1 is not effective. Traffic fails to access gei_1/2 and can only access interface gei_1/1. In the above cases, only one data flow can be received on Switch C. (Chapter 9 ACL Configuration) Applying NP Based ACL: ACLs that can be applied in NP mode include standard ACL, extended ACL, Layer 2 ACL, hybrid ACL, user defined ACL, standard IPv6 ACL, extended IPv6 ACL and user defined IPv6 ACL. Applying NP Based ACL to Physical Port: To apply NP based ACL to physical port, perform the following steps. 1. ZXR10 config interface interface name: This enters interface configuration mode. 2. ZXR10 config if ip access group senior <acl number> <acl name> in out: This applies NP based ACL to physical port. To cancel application of NP based ACL to physical port, use no ip access group senior <acl number> <acl name> in out comma
8. ZXR10 config std acl move rule no after <rule no>: This moves a rule. ZXR10 config std acl attach time range <Time range name> to <rule id>: This binds a time range to a rule. Example: This example describes how to define a standard ACL which allows access of messages from network 192.168.1.0/24 but denies messages from source IP address 192.168.1.100. ZXR10 config acl basic number 10; ZXR10 config std acl rule 1 deny 192.168.1.100 0.0.0.0; ZXR10 config std acl rule 2 permit 192.168.1.0 0.0.0.255. Defining Extended ACL: To configure extended ACL, perform the following steps. ZXR10 config acl extend number acl number name <acl name> alias <alias name> match order auto config: This enters extended ACL configuration mode. ZXR10 config ext acl rule <rule no> permit deny icmp <source> <source wildcard> any <dest> <dest wildcard> any icmp type icmp code icmp code precedence pre value tos tos value dscp dscp value time range timerange name: This defines ICMP based rules. The next command defines rules on the basis of IP or IP protocol code: ZXR10 config ext acl rule rule no permit deny <ip number> ip <source> <source wildcard> any <dest> <dest wild
9. ZXR10 show rmon history: Entry 1 is active, and owned by rmontest. Monitors ifEntry 1 1 every 10 seconds. Requested of time intervals ie buckets is 10. Granted of time intervals ie buckets is 10. Sample 1 began measuring at 00:11:00. Received 38346 octets, 216 packets, 0 broadcast and 80 multicast packets, 0 undersized and 0 oversized packets, 0 fragments and 0 jabbers, 0 CRC alignment errors and 0 collisions. of dropped packet events is 0. Network utilization is estimated at 1. Example: This example describes how to configure and enable RMON alarm control entry. ZXR10 config rmon alarm 1 system 3 0 10 absolute rising threshold 1000 1 falling threshold 10 0 owner rmontest. Use the show command to view RMON alarm information. ZXR10 show rmon alarm: Alarm 1 is active, owned by rmontest. Monitors system 3 0 every 10 seconds. Taking absolute samples, last value was 54000. Rising threshold is 1000, assigned to event 1. Falling threshold is 10, assigned to event 0. On startup enable rising or falling alarm. Example: This example describes how to configure and enable event. ZXR10 config rmon event 1 log trap rmontrap description test owner rmontest. After configuring an alarm control entry, wait for 10s and use the show command to view the contents of the RMON event. ZXR10 show rmon event: Event 1 is active, owned by rmontest. Description is test. Event firing causes log and trap to community rmontrap, last fired 05:40:20 Current
10. mode cs7. One traffic class can only match one ACL rule. If an ACL rule matches flow class, the class must exist and the class can not be deleted. Corresponding ACL and rule number must exist. To delete an ACL rule, use the no match acl <acl no> rule <rule no> tunnel <tunnel no> flow class <class name> command. 3. To display traffic class information, use the following command. ZXR10 config show flow class class name: This displays traffic class information. If class name is not configured, information of all traffic classes is displayed. Example: This example shows how to view traffic class information. ZXR10 config show flow class voice: Flow class void Match acl 1 rule 1 Match acl 1 rule 3. Configuring WRED Policy: To configure WRED policy, perform the following steps. 1. To create or enter a WRED policy, use the following command. ZXR10 config wred profile profile name level <1-3>: This creates or enters a WRED policy. Instructions: Users enter WRED policy view after inputting this command. If the policy does not exist, users should input level to create a policy. Each level has a default WRED. They are default1, default2 and default3. By default, level 1 can be configured up to 32 policies, level 2 can be conf
11. ZXR10 config acctgrp algorithm first: This configures algorithm of RADIUS server. ZXR10 config acctgrp alias <name str>: This configures byname of RADIUS server group. ZXR10 config acctgrp calling station format <Format number>: This defines format of calling station id field. ZXR10 config acctgrp deadtime <time>: This configures dead time of authentication server. ZXR10 config acctgrp local buffer enable disable: This clears local buffer of accounting server. ZXR10 config acctgrp max retries times: This configures retransmission times of RADIUS server. ZXR10 config acctgrp nas ip address <NAS IP address>: This configures nas ip of RADIUS server. ZXR10 config acctgrp server number ipaddress key <keystr> port <portnum>: This configures RADIUS server and its parameters. ZXR10 config acctgrp 1 user name format include domain strip domain: This configures format of name sent to RADIUS server by BRAS. ZXR10 config acctgrp 1 vendor enable disable: This enables or disables attributes defined by vendor in RADIUS protocol packets. Viewing RADIUS Information: To view RADIUS information, perform the following steps. 1. ZXR10 show counter radius all: This displays statistics information. 2. ZXR10 Sho
12. Serial interface connection configuration; TELNET connection configuration; SSH connection configuration; FTP/TFTP connection configuration; SNMP connection configuration. Configuring Serial Interface Connection: Serial interface connection configuration is the principal configuration mode of ZXR10 series switch. A serial configuration cable is delivered with ZXR10 8900 series switch. One end is a DB9 serial interface connecting to the computer serial interface. The other end is an RJ45 interface connecting to the Console interface in the MP board of ZXR10 8900 series switch. Serial connection configuration adopts VT100 terminal mode, using the HyperTerminal tool provided by Windows OS. To configure serial interface connection, perform the following steps. 1. Connect the computer serial port to the Console port of ZXR10 8900 series switch with the serial configuration cable. 2. Open the HyperTerminal as shown in Figure 2. Input the connection name, such as ZXR10, and select the desired icon. [Figure 2: HyperTerminal Configuration 1] 3. Click OK. A window appears as shown in Figure 3. Select COM1 as COM port in the Connect using field.
13. This indicates to the user that there may be an attack of some type of protocol message on a port. If the user considers this is an attack, the user can disable this type of protocol protection. Therefore this type of protocol messages can not be sent to the switch platform and can not attack the CPU any more. When the user considers that the attack has stopped, the user can enable protocol protection again, and normal messages of this protocol can be sent to the CPU to be processed. Configuring CPU Attack Protection. Configuring IPv4 Protocol Protection: IPv4 and IPv6 protocol protection is configured in interface configuration mode. So it modifies this function of physical interfaces. To configure IPv4 protocol protection, perform the following steps (Chapter 16 CPU Attack Protection Configuration). 1. ZXR10 config if ipv4 protocol protect mode <protocolname> enable disable: This sets IPv4 protocol protection function. 2. ZXR10 config if ipv4 protocol protect alarm mode <protocol name> <alarm limit>: This configures alarm limit of IPv4 protocol protection. 3. ZXR10 config if ipv4 protocol protect average rate mode protocol name 10 600: This configures the average rate of IPv4 protocols. 4. ZXR10 config if ipv4 protocol protect peak rate mode protocol name 100 1000: This configures the peak rate of IPv4 protocols. Note
14. ZXR10 config ext acl rule 1 permit udp 210.168.1.0 0.0.0.255 eq 100 210.168.2.10 0.0.0.0 eq 200; ZXR10 config ext acl rule 2 deny tcp 192.168.2.0 0.0.0.255 eq BGP any; ZXR10 config ext acl rule 3 deny icmp any any; ZXR10 config ext acl rule 4 deny 8 any any. Defining Layer 2 ACL: To configure Layer 2 ACL, perform the following steps. ZXR10 config acl link number <acl number> name <acl name> alias <alias name> match order auto config: This enters Layer 2 ACL configuration mode. ZXR10 config link acl rule rule no permit deny protocol number cos <cos value> incos cos value dinvlan vlan id doutervlan vlan id ingress <source vlanid> <source mac source mac wildcard any egress dest mac dest mac wildcard any time range timerange name: This configures rules in an ACL. ZXR10 config link acl move <rule no> after <rule no>: This moves a rule. ZXR10 config link acl attach time range <Time range name> to <rule id>: This binds a time range to a rule. Example: This example describes how to define a L2 ACL which allows access of IP packets with source MAC address 00d0.d0c0.5741 and 802.1p code 5. ZXR10 config acl link number 200; ZXR10 config link acl rule 1 permit ip cos 5 ingress 10 00d0.d0c
15. 1. ZXR10 config interface <port name> byname <by name>: This accesses port configuration mode. Configuring TCP Rate Limit: To configure TCP rate limit, perform the following steps. ZXR10 config interface <port name> byname <by name>: This accesses port configuration mode. ZXR10 config if tcp syn protect rate limit <64-1000000>: This configures TCP rate limit. Configuring Switch of Optical or Electrical Port: To switch optical or electrical port, perform the following steps. 1. ZXR10 config interface <port name> byname <by name>: This accesses port configuration mode. 2. ZXR10 config if hybrid attribute copper fiber: This switches optical or electrical port. Note: This command can not be used on purely optical or purely electrical interfaces. Viewing Port Information: To view port information, perform the following steps. ZXR10 config show interface <port name>: This views status information of Ethernet port. ZXR10 config show zfid interface <port list>: This views information on port that enables fast port detection function. ZXR10 config show linkage group id: This views linkage configuration information on a port. ZXR10 config show running config interface This views configuration l
16. [Figure 24: Symmetric VRRP Configuration Example, showing R1 10.0.0.1/16, R2 10.0.0.2/16 and hosts PC1 to PC4] Configuration on R1: ZXR10_R1 config interface vlan 1; ZXR10_R1 config if ip address 10.0.0.1 255.255.0.0; ZXR10_R1 config if vrrp 1 ip 10.0.0.1; ZXR10_R1 config if vrrp 2 ip 10.0.0.2. Configuration on R2: ZXR10_R2 config interface vlan 1; ZXR10_R2 config if ip address 10.0.0.2 255.255.0.0; ZXR10_R2 config if vrrp 1 ip 10.0.0.1; ZXR10_R2 config if vrrp 2 ip 10.0.0.2. VRRP Maintenance and Diagnosis: To configure maintenance and diagnosis, perform the following steps. ZXR10 show vrrp <group> brief interface <interface name>: This displays configuration information of all VRRP groups. ZXR10 debug vrrp state packet event error all: This enables the switch for displaying VRRP debugging information. Chapter 9 ACL Configuration. Table of Contents: ACL Overview; NP Based ACL Overview; Configuring ACLs; Configuring Event Linkage ACL Rule; Applying NP Based ACL; ACL Configuration Example; ACL Maintenance and Diagnosis. ACL Overview: Packet filtering can help limit network traffic a
17. Foreground and background share an MIB and communicate with each other through SNMP protocol. It is required to configure a specific SNMP server for the routing switch as SNMP agent, and to define contents and authorities availably collected by NMS. ZXR10 8900 series switch supports multiple versions of SNMP. Configuring SNMP: SNMPv1/v2c adopts the community authentication mode. SNMP community is named by strings, and different communities have read only or read write access authorities. Community with read only authority can only query equipment information. Community with read write authority can configure the equipment. Both read only and read write are limited by the view. Operations can only be conducted in the permitted view range. When parameter view is omitted, the default view is used, and parameter ro is used if ro rw are omitted. To configure SNMP, perform the following steps. 1. ZXR10 config snmp server community <community name> view <view name> ro rw: This sets community name in an SNMP message. 2. ZXR10 config snmp server view view name subtree id included excluded: This defines an SNMPv2 view. ZXR i snmp server contact <mib sysconta This sets system contact for an MIB object snmp server location mib syslocati This sets the type of trap allowed to be sent by a proxy snmp server enable trap This configures trap type notification type gt R10 config snmp server host <ip address> i This c
18. IPv4 protocols that are supported by CPU attack protection include ospf, pim, igmp, vrrp, icmp, arpreply, arprequest, group mng, vbase, vrrp arp, dhcp, rip, bgp, telnet, ldp_tcp, ldp_udp, ttl 1, bpdu, snmp, msdp and radius. Configuring IPv6 Protocol Protection: To configure IPv6 protocol protection, perform the following steps. 1. ZXR10 config if ipv6 protocol protect mode protocolname enable disable: This sets IPv6 protocol protection function. 2. ZXR10 config if ipv6 protocol protect alarm mode <protocol name> <alarm limit>: This configures alarm limit of IPv6 protocol protection. 3. ZXR10 config if ipv6 protocol protect average rate mode protocol name 10 600: This configures the average rate of IPv6 protocols. 4. ZXR10 config if ipv6 protocol protect peak rate mode protocol name 100 1000: This configures the peak rate of IPv6 protocols. Note: IPv6 protocols that are supported by CPU attack protection include mld, na, ns, ra, rs, common icmp6, bgp6, rip6, ospf6, ldptcp6, ldpudp6, telnet6 and pim6. Configuring Layer 2 Protocol Protection: To configure Layer 2 protocol protection, perform the following steps. ZXR10 config if l2 protocol protect mode protocolname enable disable: This sets Layer 2 protocol protection function. 0 conf
19. Chapter 17 URPF Configuration. Table of Contents: URPF Overview; Configuring URPF; URPF Configuration Example; URPF Maintenance and Diagnosis. URPF Overview: URPF serves to prevent attacks on the network that use source address spoofing. The term Reverse is relative to normal route search. A router will get the destination address of the packet and search for a route to the destination once it receives a packet. It will forward the packet if such a route is found, or simply discard the packet if there is no available route to the destination. URPF gets the source address and ingress interface of the packet, uses the source address as the destination address to look up in the forwarding table, and checks whether the interface corresponding to the source address matches the ingress interface. When the interface does not match the ingress interface, it will regard the source address as a false address and then discard the packet. In this way, URPF can effectively prevent malicious attacks on the network that modify the source address. A simple network module is shown in Figure 37. [Figure 37: Source Address Snooping 1, showing S1, S2 and S3] When S1 uses a packet with a false source address 2.2.2.1 to initiate a request to server S2, S2 will send the packet to the real address 2.2.2.1, that is S3, while responding to the request. This illega
20. Restoring System Software Version: The purpose of version restoration is to re-transmit the backup software version file in the background server through FTP/TFTP to FLASH in the foreground switch. It is important to perform the restoration operation when a version upgrade fails. Note: Version restoration and version upgrade procedures are almost the same; please refer to Software Version Upgrade. System Software Version Upgrade: Software version upgrade is only made when the original version fails to support certain functions. Improper operation may lead to upgrade failure and system booting failure. Therefore, before starting to upgrade the version, read related documents to understand the principle, operation and upgrade procedure of the ZXR10 8900 series switch. Upgrading Version at Abnormality. Prerequisites: The following requirements are to be completed before users begin software version upgrade (Chapter 3 System Management). Connect the configuration port (Console port of MP board) of ZXR10 8900 series switch to the serial interface of the background host by the configuration cable delivered with the product. Connect the management Ethernet interface of the device (10/100M Ethernet interface) to the network interface of the background host by a straight through Ethernet cable. Make sure that both interfaces are connected in a proper way. Star
21. aaa authentication local; ZXR10 config nas create localuser 1 name A0001; ZXR10 config nas localuser 1 mac 00d0.d0d0.1234; ZXR10 config nas create localuser 2 name A0002; ZXR10 config nas localuser 2 mac 00d0.d0d0.1456; ZXR10 config nas create localuser 3 name A0003; ZXR10 config nas localuser 3 mac 00d0.d0d0.1689. In the above configuration, the local authentication function on the authenticator switch is enabled to implement the application requirement of the enterprise. According to the above configuration, only network card addresses 00d0.d0d0.1234, 00d0.d0d0.1456 and 00d0.d0d0.1689 are granted access, and the Internet access duration of these three users, named A0001, A0002 and A0003, is summed up. Duration is recorded on the Radius server. Dot1x Maintenance and Diagnosis: To configure Dot1x maintenance and diagnosis, perform the following steps. 1. ZXR10 show dot1x: This displays Dot1x authentication configuration information. 2. ZXR10 show aaa <rule id>: This displays an AAA control entry. ZXR10 show aaa statistics <rule id>: This displays statistics information of rules. ZXR10 show client port <port name> vlan vlan id slot <slot id> aaa <rule id> all index id mac <macaddr> vlan vlanid: This displays online user information. ZXR10
22. brings problems. DHCP service allows multiple DHCP servers to exist in a subnet. Therefore, the administrator cannot ensure that IP addresses of users are allocated by the designated DHCP server. The addresses may be allocated by DHCP servers that are set up by other users illegally. In a DHCP service subnet, hosts with legal IP addresses and masks can access this subnet. The DHCP server may allocate these legal addresses to other hosts. This causes address conflicts. To solve the above problems, ZXR10 8900 series switch uses the DHCP snooping function to prevent bogus DHCP servers in a subnet. The port connecting with the DHCP server must be set as trust port. Combined with dynamic ARP inspection technology, the DHCP snooping function prevents binding of illegal IP and MAC. This ensures that the server allocates IP addresses correctly. Configuring DHCP. Configuring DHCP Server: To configure DHCP server, perform the following steps (Chapter 7 DHCP Configuration). 1. ZXR10 config ip dhcp enable: This enables DHCP server process globally. ZXR10 config ip local pool pool name low ip address high ip address net mask: This configures an IP address pool for a DHCP server. ZXR10 config ip dhcp server leasetime <time>: This sets the lease time of the IP address leased by a DHCP server to client. ZXR10 config ip dhcp server dns <mdns address This
23. 1 community name ospf; ZXR10 config snmp server location this is ZXR10 in china; ZXR10 config snmp server contact this is ZXR10 tel 025 2872006. RMON Configuration. RMON Overview: The Remote Monitoring (RMON) system is to monitor network terminal services. A remote detector, that is the routing switch system, completes data collection and processing through RMON. The routing switch contains RMON agent software communicating with the NMS through SNMP. Information is usually transmitted from the routing switch to the NMS when necessary. (Chapter 13 Network Management Configuration) Configuring RMON: To configure RMON, perform the following steps. ZXR10 config if rmon collection statistics <index> owner <string>: This enables statistics on a port. ZXR10 config if rmon alarm index variable interval delta absolute rising threshold value event index falling threshold value event index owner <string>: This sets alarms and MIB objects. ZXR10 config if rmon collection history index owner <string> buckets bucket number interval seconds: This enables history collection of the interface. ZXR10 config if rmon event index log trap community description <string> owner <string>: This configures an event. ZXR10 config if show rmon alarms even
24. Command History; System Management; File System Management; File System Overview; Operating File System Management; FTP/TFTP Connection Configuration; Configuring a Switch as FTP Client Terminal; Configuring a Switch as TFTP Client Terminal; File Backup and Restoration; Backing up Configuration File; Restoring Configuration File; Backing up System Software Version; Restoring System Software Version; System Software Version Upgrade; Upgrading Version at Abnormality; Upgrading Version at Normality; Upgrading Version without Interrupting System; System Parameter Configuration; Configuring a Hostname; Configuring a Welcome Message; Configuring a Password of Privileged Mode; Configuring Telnet Username and Password; Configuring System Time; Configuring Ve
25. By now the host can use the IP address and relevant configuration obtained from the DHCP server for communication. DHCP supports three mechanisms for IP address allocation: DHCP assigns a permanent IP address to a client. DHCP assigns an IP address to a client for a limited period of time, or until the client explicitly relinquishes the address. The network administrator assigns an IP address to a client, and DHCP is used simply to convey the assigned address to the client. Usually, the dynamic allocation method is adopted. The valid time segment of using the address is called lease period. Once the lease period expires, the host must request the server for continuous lease. The host cannot continue to lease until the server accepts the request; otherwise it must give up unconditionally. DHCP Relay: Routers do not send the received broadcast packet from one sub network to another by default. But the router, as the default gateway of the client host, must send the broadcast packet to the sub network where the DHCP server is located when the DHCP server and client host are not in the same sub network. This function is called DHCP relay. ZXR10 8900 series switch can act as a DHCP server or DHCP relay to forward DHCP information. DHCP Snooping Overview: DHCP brings convenience for IP address allocation but it also
26. Chapter 14 IPTV Configuration

    ZXR10(config)#iptv cdr create period period
        This configures the cycle to generate CDR for allowing users to watch programs for long time.
    ZXR10(config)#iptv cdr deny right enable | disable
        This configures whether to generate CDR when access privilege is configured deny.
    ZXR10(config)#iptv cdr prw right enable | disable
        This configures whether to generate CDR when access privilege is configured preview.
    ZXR10(config)#iptv cdr warning threshold <threshold value>
        This configures the alarm threshold value of CDR cache pool.
    ZXR10(config)#iptv cdr report threshold threshold
        This configures the threshold value to send CDR.

    Configuring IPTV Channels

    To configure IPTV channels, perform the following steps.

    ZXR10(config)#iptv channel mvlan <vlan id> group <group ip> name <channel name> id <channel id> count <count value> prename <prename str>
        This creates channels of IPTV.
    ZXR10(config)#iptv channel name <old name> rename <new name>
        This sets the name of a channel.
    ZXR10(config)#iptv channel name idlist <channel name> viewfile name <viewfile name> viewfile id <viewfile id>
        This configures a preview configuration file for a channel.
    ZXR10(config)#iptv channel idlist name <channel idlist> cdr enable | disable
        This configures whether to enable logging function for
27. This configures the IP address of service management system server.

    ZXR10(config)#iptv sms server port <port number>
        This configures the port of service management system server.

    Configuring Global Parameters of IPTV Preview

    To configure global parameters of IPTV preview, perform the following steps.

    ZXR10(config)#iptv prw enable | disable
        This configures IPTV preview function.
    ZXR10(config)#iptv prw reset
        This resets preview function.
    ZXR10(config)#iptv prw auto reset time HH:MM:SS
        This configures the auto reset time of preview.
    ZXR10(config)#iptv prw recognition time cog time
        This configures recognition time of preview.
    ZXR10(config)#iptv prw overcout cdr enable | disable
        This configures whether to generate CDR record when maximum preview times are over.

    Configuring IPTV CDR Parameters

    To configure CDR parameters, perform the following steps.

    ZXR10(config)#iptv cdr enable | disable
        This configures CDR function.
    ZXR10(config)#iptv cdr max records <cdr size>
        number of CDR record
    ZXR10(config)#iptv cdr report
        This reports CDR manually.
    ZXR10(config)#iptv cdr report interval <report interval>
        This configures the interval to report CDR.
28. Chapter 10 QoS Configuration

        ZXR10(config-if)#ip access-group 101 in
    Apply ACL 101 to the interface connecting to Network B.

    Policy Routing Configuration Example

    When multiple Internet service provider (ISP) egresses exist in a network, different ISP egresses can be selected for different groups of users by policy routing. As shown in Figure 29, select different egresses according to the IP addresses of users. Users in subnetwork 10.10.0.0/24 use the ISP1 egress. Users in subnetwork 11.11.0.0/24 use the ISP2 egress.

    [Figure 29: Policy Routing Configuration Example; labels: 10.10.0.0/24, ISP1 100.1.1.1, gei_1/1, VLAN1, 11.11.0.0/24, VLAN2, ISP2 200.1.1.1]

    Configuration of switch:

        ZXR10(config)#acl standard number 10
        ZXR10(config-std-acl)#rule 1 permit 10.10.0.0 0.0.0.255
        ZXR10(config-std-acl)#rule 2 permit 11.11.0.0 0.0.0.255
        ZXR10(config-std-acl)#exit
        ZXR10(config)#redirect in 10 rule-id 1 next-hop 100.1.1.1
        ZXR10(config)#redirect in 10 rule-id 2 next-hop 200.1.1.1
        ZXR10(config)#interface gei_1/1
        ZXR10(config-if)#ip access-group 10 in
        ZXR10(config-if)#exit
        ZXR10(config)#interface gei_1/2
        ZXR10(config-if)#ip access-group 10 in

    QoS Maintenance and Diagnosis

    To configure QoS maintenance and diagnosis, use the following command
29. SNMP protocol. Background NM server needs installation of NM software that supports SNMP protocol. It performs management configuration over ZXR10 8900 series switch by NM software.

    Command Modes

    ZXR10 8900 series switch assigns commands to different modes according to function and authority, to facilitate switch configuration and management. One command can only be executed under a specific mode. Input a question mark under any command mode to query the applicable commands under the mode. Major command modes of ZXR10 8900 series switch are described in Table 4.

    TABLE 4 COMMAND MODES

    Mode | Prompt | Accessing Command
    User EXEC | ZXR10> | Access this mode directly after
    Privileged EXEC | ZXR10# | enable (User EXEC mode)
    Global configuration | ZXR10(config)# | configure terminal (Privileged EXEC mode)
    Port configuration | ZXR10(config-if)# | interface <interface name> | byname <by name> (Global configuration mode)
    VLAN database configuration | ZXR10(vlan)# | vlan database (Privileged EXEC mode)
    VLAN configuration | ZXR10(config-vlan)# | vlan <vlan id> | <vlan name> (Global configuration mode)
    VLAN interface configuration | ZXR10(config-if)# | interface vlan <vlan id> | <vlan if> (Global configuration mode)
    MSTP configuration | ZXR10
30. ZXR10(config)#monitor session <session number>
        This establishes one ERSPAN session.

    Adding Source or Destination Port to Session Entry

    ZXR10(config)#interface <interface name>
        Enter interface configuration mode.
    ZXR10(config-if)#monitor session <session number> source direction both tx rx cpu rx cpu tx cpu both destination erspanflags enable disable tpid 0x8100 ttl <ttl_number> 128 vlan id <vlan id>
        This adds source or destination port to session entry.

    Displaying Session Details Configured by User

    ZXR10(config)#show monitor session all <session number>
        This displays session details configured by user.

    ERSPAN Configuration Example

    [Figure 17: ERSPAN Configuration Example]

    As shown in Figure 1, set up a tunnel between Switch1 and Switch2, use interface gei_1/1 of Switch1 as mirror source port and configure ERSPAN mirroring. With this configuration, packets passing through interface gei_1/1 of Switch1 will be encapsulated with ERSPAN head and mirrored to interface gei_1/1 of Switch2. Configurations are as follows.

    Configuration of Switch1:

        ZXR10(config)#interface gei_1/1
        ZXR10(config-gei_1/1)#monitor session 1 source directio

    Configuration of Switch2:

        ZXR10(config-gei_1/1)#switchport access vlan 3
        ZXR10(config-gei_1/1)#exit
31. Chapter 2 Usage and Operation

    [Figure 3: HyperTerminal Configuration 2 (Connect To)]

    4. Click Ok. COM port attribute setup window appears, as shown in Figure 4. Fill in the parameter values as shown in Table 3.

    [Figure 4: HyperTerminal Configuration 3 (COM1 Properties)]

    TABLE 3 PARAMETER VALUES

    Bits per second: 115200
    Data bit
    Parity
    Flow control

    Note: If the switch fails to be connected, set the value of bits per second to 9600.

    5. Click Ok to complete setting. ZXR10 8900 series switch configuration window appears. At this point, start command operation.

    Result: Serial interface connection has been configured.

    Configuring Telnet Connection

    ZXR10 8900 series switch can be configured by Telnet locally or remotely. Telnet configuration is the principal mode that is used to configure ZXR10 8900 series switch remotely.

    Username and password must be set in the switch to prevent illegal users from accessing the switch by Telnet. Only the users with valid username and password could login to the device. Use the following command to configure username and password.

    ZXR10(config)#username <username> password <password>
        This configures username and password of Telnet login.

    Configuri
32. as the subnet bit. Remaining part of the host bit still serves as the host bit. IP address is composed of three parts: network bit, subnet bit and host bit. Network bit and subnet bit identify a network uniquely.

    Subnet mask is used to decide which parts of IP address are the network bits, subnet bit and host bit. The part with the subnet mask being 1 corresponds to the network bit and subnet bit of the IP address. Part with the subnet mask being 0 corresponds to the host bit. Division of the subnet greatly improves the utilization of the IP address and alleviates the problem of IP address shortage.

    Some conventions for IP addresses:

    - 0.0.0.0 is used when the host without an IP address is started. Address is obtained through RARP, BOOTP and DHCP. This address is also used as a default route in the routing table.
    - 255.255.255.255 is used for the destination address of broadcast and cannot be used as a source address.
    - 127.X.X.X is called loopback address. When the actual IP address of the host is not known, this address is used to represent this host.
    - Address with only the host bit being 0 indicates the network itself. Address with the host bit being 1 is the broadcast address of the network.
    - Network part or the host part of a valid host IP address cannot be all 0 or 1.

    Chapter 6 Network Protocol Configuration

    Configuring IP Address

    To
33. (config-mstp)# | spanning-tree mst configuration (Global configuration mode)
    Basic ACL configuration | ZXR10(config-std-acl)# | acl standard number <acl number> | name <acl name> (Global configuration mode)
    Extended ACL configuration | ZXR10(config-ext-acl)# | acl extend number <acl number> | name <acl name> (Global configuration mode)
    L2 ACL configuration | ZXR10(config-link-acl)# | acl link number <acl number> | name <acl name> (Global configuration mode)
    Hybrid ACL configuration | ZXR10(config-hybd-acl)# | acl hybrid number <acl number> | name <acl name> (Global configuration mode)
    Customized ACL configuration | ZXR10(config-user-defined-acl)# | acl user defined number <acl number> | name <acl name> alias <ACL alias> (Global configuration mode)
    VRF configuration mode | ZXR10(config-vrf)# | ip vrf <vrf name> (Global configuration mode)
    RIP route configuration | ZXR10(config-router)# | router rip (Global configuration mode)
    RIP address family configuration | ZXR10(config-router-af)# | address-family ipv4 vrf <vrf name> (Route RIP configuration mode)
    OSPF route configuration | ZXR10(config-router)# | router ospf <process id> vrf <vrf name> (Global configuration mode)
    IS-IS route configuration | ZXR10(config-router)# | router isis vrf <
34. configuration mode

    ZXR10(config-if)#ip access-group <acl number> in out vfp
        This binds ACL to physical ports.

    Note: Each physical port has in and out direction. ACL can only be applied on either of the directions. A new configured ACL covers the old ACL.

    For example, the following commands are configured in port configuration mode:

        ZXR10(config-if)#ip access-group 10 in
        ZXR10(config-if)#ip access-group 100 in

    In this situation, only ACL 100 is effective on this port in the in direction. Configuration in the out direction is similar.

    Chapter 9 ACL Configuration

    When the following commands are configured on a port, ACL 10 is effective on this port in the in direction and ACL 100 is effective on this port in the out direction:

        ZXR10(config-if)#ip access-group 10 in
        ZXR10(config-if)#ip access-group 100 out

    Applying ACL to Virtual Port

    To apply ACL to virtual port, perform the following steps.

    1. ZXR10(config)#vlan <vlan number>
        This enters VLAN configuration mode.
    ZXR10(config-vlan)#ip access-group <acl number> in
        This applies ACL to a virtual port.

    Configuring Event Linkage ACL Rule

    After event linkage ACL rule is configured, when two interfaces on a device are connected to an upper layer device, only enable one interface. If one interface status turns to down the other interface i
35. configuration cable delivered with the product.

    - Connect management Ethernet interface of the device (10/100M Ethernet interface) to network interface of background host by straight-through Ethernet cable. Make sure that both interfaces are connected properly.
    - IP addresses of background host for upgrade and management Ethernet interface on the device are set to the same network segment. Make sure that the background host can ping the management Ethernet interface successfully.
    - Start the background FTP server.

    To upgrade the version at normality, perform the following steps.

    1. View the information of the running version.
    2. Delete the old version file in the directory IMG in FLASH with delete command. The old version file can be renamed if there is sufficient space in FLASH.
    3. Copy the new version file in background FTP server to IMG directory in FLASH. Version file name is zxr10.zar.
    4. Check whether the new version file is available in directory IMG in FLASH. If the new version file is unavailable, the copy has failed; execute step 3 again to recopy the version.
    5. After a normal switch boot up, check the running version to confirm whether the upgrade is successful or not.

    END OF STEPS

    The version has been updated at normality.

    Upgrading Version without Interrupting System

    The following requirements are to be completed before users begin software version upgrade. Connect the configuration por
36. configure IP address, perform the following steps.

    1. ZXR10(config)#interface <interface name>
        This enters interface configuration mode.
    ZXR10(config-if)#ip address <ip address> <net mask> <broadcast address> secondary
        This sets interface IP address.
    ZXR10(config)#show ip interface
        This views interface IP address.

    IP Address Configuration Example

    Assuming that Layer 3 interface VLAN1 is created in ZXR10 8900 series switch, configure the IP address of the interface to 192.168.3.1 and mask to be 255.255.255.0. The configuration is shown below.

        ZXR10(config)#interface vlan 1
        ZXR10(config-if)#ip address 192.168.3.1 255.255.255.0

    ARP Configuration

    ARP Overview

    A network device should know the IP address of the destination device and its physical address (MAC address) when transmitting data to another network device. The function of Address Resolution Protocol (ARP) is mapping IP address to physical address to ensure successful communication.

    First, the source device broadcasts an ARP request that carries the IP address of the destination device, so all devices in the network will receive this ARP request. If a device finds that the IP address in the request and its own IP address match, it will transmit a response containing its MAC address to the source device. The source device obtains the MAC address of the current device through this response.

    The mapping relationship between IP address and MAC addre
37. contained packet number, byte number and other traffic information can be collected as statistics.

    As a macro analysis tool for network communication, Netflow technology doesn't analyze the specific data contained in each packet in the network; instead it tests characteristics of the transmitted data flow, which gives Netflow technology good scalability, supporting high-speed network ports and large-scale telecom networks.

    As for processing mechanism, IPFIX introduces multi-level processing procedures.

    - In preprocessing stage, IPFIX can filter data flow of a specific level or perform sampling on packets on a high-speed network interface, based on demands of network management. With IPFIX, processing load of the network device can be relieved and scalability of the system can be enhanced while the needed management information is collected and counted.
    - In postprocessing stage, IPFIX can select to output all collected original statistics of data flow to the upper layer server for data sorting and summary; alternatively, the network device can perform data aggregation on original statistics in various modes and send the summary statistics result to the upper layer management server. The latter can reduce the data quantity output by the network device, thus decreasing the requirement on configuration of the upper layer management server and promoting scalability and working efficiency of the upper layer management system.

    IPFIX outputs data in format of
38. duration> duration for single preview

    ZXR10(config)#iptv view profile name <viewfile name> blackout <view interval>
        This configures the minimum preview interval.
    ZXR10(config)#no iptv view profile all viewfile name <viewfile name> viewfile id <viewfile id>
        This deletes the preview template.

    Configuring CAC

    To configure Channel Access Control (CAC), perform the following steps.

    1. ZXR10(config)#interface <interface name>
        This enters interface configuration mode.
    2. ZXR10(config-if)#iptv vlan <vlan idlist> <vlan name> service start | pause | resume | remove
        This configures current service state of user.
    ZXR10(config-if)#iptv vlan <vlan id> <vlan name> control mode package | channel
        This configures multicast control mode for user.
    ZXR10(config-if)#iptv vlan <vlan idlist> <vlan name> package name <package name> idlist <package idlist>
        This assigns package for user.
    ZXR10(config-if)#iptv vlan <vlan idlist> <vlan name> channel name <channel name> idlist <channel idlist> deny | permit | preview | query
        This configures the channel access privilege of user interface.
    ZXR10(config-if)#iptv vlan <vlan idlist> <vlan name> cdr enable disab
        This configures whether to
39. Configuring Tail Discarding; Configuring COS Discarding Priority Mapping; Configuring COS Local Priority Mapping; Configuring DSCP Priority Mapping; Configuring Traffic Mirroring; Configuring Traffic Statistics; Configuring Queue Based Bandwidth Upper and Lower Threshold; Configuring HQoS; Configuring Traffic Class; Configuring WRED Policy; Configuring WFQ Policy; Configuring Traffic Shaping; Configuring HQoS Policy; QoS Configuration Examples; Typical QoS Configuration Example; Policy Routing Configuration Example; QoS Maintenance and Diagnosis; DOT1x Configuration; DOT1x Overview; Configuring DOT1x; Configuring AAA; Configuring DOT1x Parameters; Configuring Local Authentication User; Managing
40. gei_1/1-2,gei_2/2 direction rx destination gei_3/3

    Port mirroring parameters can be deleted either one by one in interface configuration or in batch in global configuration mode. Configuration to delete the source port parameters of session 1 is shown below.

        ZXR10(config)#no monitor session 1 source gei_1/1-2,gei_2/2

    Note: In global configuration, the values of data flow direction on the source ports are set to the same.

    Configuration information of port mirroring is shown below.

        ZXR10(config)#show monitor session 1
        Session 1
        Source Ports
        Port gei_1/1 Monitor Direction rx
        Port gei_1/2 Monitor Direction both
        Destination Port
        Port gei_3/3

    ERSPAN Configuration

    ERSPAN Overview

    Port mirroring can be divided into SPAN, RSPAN and ERSPAN.

    - SPAN indicates copying packets on one or more ports (source port) to a monitoring port (destination port) of this device for packet monitoring and analysis. Here, source port and destination port must be on one device.
    - As for RSPAN, source port and destination port are unnecessary to be on one device and they can cross multiple network devices. At present, RSPAN function can pass through L2 network but fails to pass through L3 network. Source port device supports port mirroring or VLAN mirroring.
    - As for RSPAN source port and de
41. hybd-acl)#rule 1 permit udp 210.168.1.0 0.0.0.255 Eq 00 210.168.2.10 0.0.0.0 eq 200 egress 00d0.d0c0.5741 0000.0000.0000
        ZXR10(config-hybd-acl)#rule 2 deny tcp 192.168.3.0 0.0.0.255 eq BGP any
        ZXR10(config-hybd-acl)#rule deny any any ingress 0100.2563.1425 0000.0000.0000

    Defining Standard IPv6 ACL

    To configure standard IPv6 ACL, perform the following steps.

    ZXR10(config)#ipv6 acl standard number <acl number> name <acl name> alias <alias name> match order auto config
        This enters standard IPv6 ACL configuration mode.
    ZXR10(config-std-v6acl)#rule <rule no> permit | deny <source> | any time range <timerange name>
        This defines ACL rule.
    ZXR10(config-std-v6acl)#move <rule no> after | before <rule no>
        This moves a rule.
    ZXR10(config-std-v6acl)#attach time range <time range name> to <rule id>
        This binds a time range to a rule.

    Example: This example shows how to configure standard IPv6 ACL. It defines an ACL that allows packets from network segment 3001::/16 to pass.

        ZXR10(config)#ipv6 acl standard number 2000
        ZXR10(config-std-v6acl)#rule 1 permit 3001::/16

    Defining Extended IPv6 ACL

    To configure extended IPv6 ACL, perform the following steps.

    ZXR10(config)#ipv6 acl extended number <acl number> name <acl name> alias <alias name> match order auto config
        This enters extended IPv6 ACL configuration mode.
    ZXR10(config-ext-v6acl)#rule <rule no> per
42. mass of queues. Different queues mean users of different services. HQoS can store packets received within 200 ms at line speed on a port. This can avoid congestion.

    - Supporting mass of scheduling nodes. Scheduling node is the main member to create topology model. It can express network topology factually. With the addition of scheduling hierarchy, the number of needed scheduling nodes will increase dramatically.
    - Supporting good traffic monitoring and traffic control. HQoS supports multiple traffic monitoring algorithms. It also supports configuration of CIR and PIR. Traffic less than CIR is guaranteed well. Traffic more than CIR and less than PIR is guaranteed when there is spare network bandwidth. CIR traffic and PIR traffic have different schedules.

    Configuring QoS

    Configuring Traffic Monitoring

    To configure traffic monitoring, use the following command.

    ZXR10(config)#traffic limit <acl number> rule id <rule no> cir <cir value> cbs <cbs value> ebs <ebs value> pir <pir value> pbs <pbs value> mode <mode> drop yellow forward red remark red dp high | low | medium remark red dscp <value> remark yellow dp high | low | medium remark yellow dscp <value>
        This configures traffic monitoring.

    Note: Coloring algorithm is applied to traffic monitoring configuration. Parameters are described below.

    It means pbs parameter defined in protocol. pir I
43. Chapter 5 Port Configuration

    Diagnosing and Testing Link

    ZXR10 8900 series switch supports cable line diagnosis analysis test function that detects the line abnormality or line connection abnormality. This test locates the exact position of cable fault, facilitating network management and locating fault.

    Both fast Ethernet electrical interface and gigabit Ethernet electrical interface are connected to other devices by network wire. There are four pairs of twisted pair cables in the network wire, in which fast Ethernet electrical interface uses 1-2 and 3-6 twisted pair cables; gigabit Ethernet electrical interface uses all the four pairs of twisted pair cables, including 1-2, 3-6, 4-5 and 7-8. Line detection can detect the status of twisted pair cable. This is described in the following list.

    - Open: Open circuit
    - Short: Short circuit
    - Mismatch: Circuit impedance mismatched
    - Good: The circuit is in good condition
    - Broken: The circuit is open or short
    - Unknown: The result is unknown or undetected
    - Fail: Detection failed

    If the circuit is faulty, test result outputs the circuit fault location. If the circuit is in good condition, approximate length of the normal circuit is generated.

    To diagnose and test link, use the following command.

    ZXR10(config)#show vct interface <port name>
        This diagnoses and tests link.

    Example

    Note: Related ports are restarted when line diag
44. priority> <cos 5 local priority> <cos 6 local priority> <cos 7 local priority>

    2. ZXR10(config)#interface <interface name>
        This enters interface configuration mode.
    3. ZXR10(config-if)#trust cos local enable
        This applies COS local priority mapping function.

    Note: To disable COS local priority mapping function, use trust cos local disable command.

    Example: This example shows how to configure COS local priority mapping. Configure COS local priority mapping on gei_1/1. Priority of queue 1 is 1, priority of queue 2 is 2, and the rest are deduced by analogy.

        ZXR10(config)#qos cos local map 12 34506 7
        ZXR10(config)#interface gei_1/1
        ZXR10(config-if)#trust cos local enable

    Configuring DSCP Priority Mapping

    To configure DSCP priority mapping, perform the following steps.

    ZXR10(config)#qos conform dscp <dscp list> <dscp value> <cos value> <drop priority>
        This configures DSCP priority mapping.
    ZXR10(config-if)#trust dscp enable
        This applies DSCP priority mapping.
    ZXR10(config)#interface <interface name>
        This accesses L2 configuration interface.

    By executing command trust dscp disable, DSCP priority mapping can be cancelled.

    Example: This example shows how to configure DSCP priority mapping on interface gei_1/1 M
45. <sdns address>: sets DNS address advertised by a DHCP server to client.

    5. ZXR10(config)#interface vlan <vlan number>
        This accesses VLAN L3 interface.
    ZXR10(config-if)#ip dhcp mode server
        This enables DHCP on an interface.
    7. ZXR10(config-if)#ip dhcp server gateway <ip address>
        This configures default gateway address for one client.
    ZXR10(config-if)#peer default ip pool <pool name>
        This applies defined IP address pool on L3 interface.

    Configuring DHCP Relay

    To configure DHCP relay, perform the following steps.

    ZXR10(config)#ip dhcp enable
        This enables DHCP process.
    ZXR10(config)#interface vlan <vlan number>
        This enters Layer 3 VLAN interface configuration mode.
    ZXR10(config-if)#ip dhcp mode relay
        This configures DHCP relay on an interface.
    4. ZXR10(config-if)#ip dhcp relay server <ip address> ip dhcp relay agent <ip address>
        This configures DHCP relay agent.
    5. ZXR10(config-if)#ip dhcp relay server <ip address> security | standard
        This configures IP address of external DHCP server.

    Note: In the command of Step 5, when the mode is set to security, the address of DHCP server displayed on DHCP Client is the address of relay agent. When the mode is set to standard, the address of DHCP server displayed on DHCP Client is actually the address of the server. Therefore, the security mode can protect the server from attack.

    Configuring DHCP Snoo
46. template. Network device will send packet template and data flow records respectively to upper layer management server when outputting data in IPFIX format. Packet template specifies the format and length of packets in subsequently sent data flow records, so that the management server can process subsequent packets. Meanwhile, to avoid packet loss and errors in packet transmission, network device repeats sending packet template to upper layer management server regularly.

    Sampling

    IPFIX supports packet number based sampling as well as time based sampling. Sampling rate can be configured on each interface separately.

    Timeout Management

    As for collected flow data, in case data are not updated within the inactive time, data will be output to NM server. As for long time active flow, the data will also be output to NM server after active time.

    Chapter 18 IPFIX Configuration

    Data Output

    After collecting data flows in network, network device always outputs them to NM server. IPFIX supports outputting data to multiple NM servers. Generally, data are output to two servers: master server and slave server.

    IPFIX adopts template based data output mode. IPFIX supports sending the template every few packets or at a certain interval. Packet template specifies the format and length of packets in subsequent data flows, and server resolves subsequent data flows according to temp
47. the following command

    ZXR10#show version
        This displays the version information about the software and hardware of system.

    Viewing Current Running Configuration Information

    To view running configuration, use the following command.

    ZXR10#show running-config
        This displays the running configuration.

    Viewing CPU Information

    To view CPU information, use the following command.

        This displays CPU information.

    Viewing Boot Information of Current Running Board

    To view boot information of current running board, use the following command.

    ZXR10#show boot
        This displays boot information of current running board.

    Example: This example shows how to view boot information of current running board.

        ZXR10#show boot
        MEC2 panel 1 master
        Bootrom Version V1 84
        Creation Date 2008 6 17
        Update Support YES
        MEC2 panel 2 slave
        Bootrom Version V1 84
        Creation Date 2008 6 17
        Update Support YES
        NPCI panel 12
        Bootrom Version V1 83
        Creation Date 2008 7 6
        Update Support YES

    Viewing System Diagnosis Information

    When malfunction occurs on network, it is required to collect diagnosis information as soon as possible and solve the problem. It is an urgent task to analyze the malfunction and usually some important information is not collected. ZXR10 8900
48. the Internet through proxy 192.168.3.100, but users of department A are forbidden to access the Internet in work time. General Managers of both A and B department, with their IP addresses as 192.168.1.100 and 192.168.2.100 respectively, may access the Internet and all servers at any time. The IP addresses of the servers are as follows:

    - Mail server: 192.168.4.50
    - FTP server: 192.168.4.60
    - VOD server: 192.168.4.70

    [Figure 26: ACL Configuration Example; labels: Department A 192.168.1.0/24, gei_2/2, VLAN2, Department B 192.168.2.0/24, gei_2/1, VLAN1, gei_2/4, VLAN4, Mail Server, FTP Server, VOD Server]

    Switch configuration:

    Configure a time range.

        ZXR10(config)#time-range enable
        ZXR10(config)#time-range working-time
        ZXR10(config-tr)#periodic daily 09:00:00 to 17:00:00

    Define an extended ACL to limit the users of Department A.

        ZXR10(config)#acl extend number 100
        ZXR10(config-ext-acl)#rule 1 permit ip 192.168.1.100 0.0.0.0 any
        ZXR10(config-ext-acl)#rule 2 deny ip 192.168.1.0 0.0.0.255 192.168.4.60 0.0.0.0 time-range working-time
        ZXR10(config-ext-acl)#rule 3 deny tcp any eq 8888 192.168.4.70 0.0.0.0 time-range working-time
        ZXR10(config-ext-acl)#rule 4 deny ip any 192.168.3.100 0.0.0.0 time-range working-time
        ZXR10(config-ext-acl)#rule 5 permit ip any any

    Define an extended ACL to limit the use
49. the following features to pass: Tag is 1, Rule is 0x1111, Mask is 0x000f, Offset is 4 bytes.

        ZXR10(config)#acl user define number 3000
        ZXR10(config-user-acl)#rule 1 permit tag 1 4 0x1111 0x000f

    Configuring Time Range

    To configure time range, perform the following steps.

    ZXR10(config)#time-range enable
        This enables time range function.
    ZXR10(config)#time-range <time range name>
        This enters time range configuration mode.
    ZXR10(config-tr)#absolute start <hh:mm:ss> <mm dd yyyy> end <hh:mm:ss> <mm dd yyyy>
        This configures absolute time range.
    ZXR10(config-tr)#periodic daily | monday | tuesday | wednesday | thursday | friday | staturday | sunday | weekdays | weekend <hh:mm:ss> to daily | monday | tuesday | wednesday | thursday | friday | staturday | sunday | weekdays | weekend <hh:mm:ss>
        This configures periodic time.

    Note: Configuration of time range has the following situations.

    - Configuration of absolute time range: configure the start time and end time of the time range.
    - Configuration of periodic time range: configure the start time and end time of the period.

    Applying ACL to Physical Port

    To apply ACL to physical ports, perform the following steps.

    ZXR10(config)#interface <port name>
        This enters port
50. vlan 20 down rate k 600
    ZXR10(config-nas-ratelimit)#ip host 168.1.2.4 vlan 20 up rate k 300
    ZXR10(config-nas-ratelimit)#exit
    ZXR10(config-nas)#exit
    ZXR10(config)#show ratelimit all
    Host ip      Vlan   Up rate   Down rate
    168.1.2.3    20     B         600K
    168.1.2.4    20     300K

    Configuring Queue Scheduling

    ZXR10 8900 series switch supports SP and WRR queue scheduling modes. When these two modes are used together, SP has a higher priority than WRR.

    To configure queue scheduling, use the following command:

    ZXR10(config-if)#queue-mode {strict-priority | dwrr <queue-no> <dwrr-weight>&<1-8> | wrr <queue-no> <wrr-weight>&<1-8>}
        This configures queue scheduling and default 802.1p priority on port.

    Note: Value range of dwrr weight is 1-160000. Value range of wrr weight is 1-15.

    Example: Configure strict scheduling based on priority on interface gei_1/1. Enable WRR scheduling on interface gei_1/2. Weights of Queues 0-7 are 10, 5, 8, 10, 5, 8, 9, 10 respectively. Set the default 802.1p of interface gei_1/2 to 5.

    ZXR10(config)#interface gei_1/1
    ZXR10(config-gei_1/1)#queue-mode strict-priority
    ZXR10(config-gei_1/1)#exit
    ZXR10(config)#interface gei_1/2
    ZXR10(config-gei_1/2)#queue-mode wrr 0 10
    ZXR10(config-gei_1/2)#queue-mode wrr 1 5
    ZXR10(config-gei_1/2)#queue-mode wrr 2 8
    ZXR10 config
51. vrf-name> | Global configuration mode
    BGP route configuration mode | ZXR10(config-router)# | router bgp <as-number> | Global configuration mode
    BGP address family configuration mode | ZXR10(config-router-af)# | address-family vpnv4; address-family ipv4 vrf <vrf-name> | BGP route configuration mode
    PIM-SM route configuration mode | ZXR10(config-router)# | router pimsm | Global configuration mode
    Route map configuration mode | ZXR10(config-route-map)# | route-map <map-tag> permit deny <sequence-number> | Global configuration mode
    Diagnosis test mode | ZXR10(diag)# | diagnose | Privileged EXEC mode

    The following commands are used to exit from different command modes:

    In privileged EXEC mode, use the disable command to return to user EXEC mode.
    In user EXEC mode and privileged EXEC mode, use the exit command to quit the switch; in other modes, use the exit command to return to the previous mode.
    In the modes other than user EXEC mode and privileged EXEC mode, use the end command or press Ctrl+Z to return to the privileged EXEC mode.

    Command Line Usage

    Online Help

    In command mode, the available command list is displayed if a question mark is entered after the system prompt. Command keyword list and parameters can be obtained through online help. Input a questi
52. with show with user privilege level of 12.

    ZXR10#show ?
      privilege   Show current privilege level

    The result shows that only the show privilege command is displayed.

    Note: If there is no command with privilege level 12, no command will be displayed after the user inputs ? for help.

    Configure the user privilege level to 15.

    ZXR10#enable
    Password:
    ZXR10#

    Configure the privilege level to 12 for all commands beginning with show interface.

    ZXR10#configure terminal
    ZXR10(config)#privilege show all level 12 show interface

    Go back to privilege level 12.

    ZXR10#enable 12
    ZXR10#

    Note: When the user goes back to a lower privilege level from a higher privilege level, the user does not need to input the enabling password.

    View all commands beginning with show with user privilege level of 12.

    ZXR10#show ?
      interface   Show interface property and statistics
      privilege   Show current privilege level

    The result shows that the show interface command is added to the commands with privilege level of 12.

    Use the show interface command to view interface information, as shown below.

    ZXR10#show interface gei_1/2
    gei_1/2 is up, line protocol is up
    Description is none
    The port is electric
    Duplex full
    Mdi type: auto
    VLAN mode is hybrid, pvid 1
    MTU 1500 bytes BW 1000000 Kbits
    Last clearing of "show interface" counters never
    120 seconds input rate: 0 Bps, 0 pps
    120 seconds output rate: 5 Bps, 0 pps
53. 0/24. Strict URPF is configured on interface fei_1/2 on S1, so as to prevent the users behind network 192.168.0.0/24 from maliciously attacking networks behind S1.

    Configuration on S1:

    ZXR10(config)#interface fei_1/2
    ZXR10(config-if)#sw ac vlan 10
    ZXR10(config-if)#ip verify strict
    ZXR10(config-if)#exit
    ZXR10(config)#int vlan 10
    ZXR10(config-if)#ip address 192.168.0.1 255.255.255.0

    URPF Maintenance and Diagnosis

    To configure maintenance and diagnosis of URPF, perform the following steps:

    1. ZXR10#show interface
        This shows statistical count of URPF on an interface.
    2. ZXR10#show ip traffic
        This shows the statistical count of URPF in the system.

    Chapter 18 IPFIX Configuration

    Table of Contents
    IPFIX Overview
    Configuring IPFIX
    IPFIX Configuration Example
    IPFIX Maintenance and Diagnosis

    IPFIX Overview

    IPFIX (IP Flow Information Export) is used to analyze and collect statistics on communication traffic and flow direction in the network. In 2003, IETF selected Netflow V9 as the IPFIX standard from 5 candidate schemes.

    To analyze and collect statistics on data flow in the network, it is necessary to distinguish types of packets transmitted in n
54. 0.5741 0000.0000.0000
    ZXR10(config-link-acl)#rule 2 deny 8847

    Defining Hybrid ACL

    To configure hybrid ACL, perform the following steps:

    ZXR10(config)#acl hybrid number <acl-number> name <acl-name> alias <alias-name>
        This enters hybrid ACL configuration mode.
    ZXR10(config-hybd-acl)#rule <rule-no> permit deny <protocol-number> <source-ip> <source-ip-wildcard> any eq <port-number> <destination-ip> <dest-ip-wildcard> any eq <port-number> ethernet protocol number any arp ip cos incos dinvlan doutervlan egress ingress time range
        This defines a rule in an ACL.
    ZXR10(config-hybd-acl)#move <rule-no> after <rule-no>
        This moves a rule.
    ZXR10(config-hybd-acl)#attach time-range <time-range-name> to <rule-id>
        This binds a time range to a rule.

    Example

    This example describes how to configure a hybrid ACL. It is required to implement the following functions:

    Permit access of UDP messages from network 210.168.1.0/24, destination IP address 210.168.2.10, destination MAC address 00d0.d0c0.5741, source port 100 and destination port 200.
    Deny BGP messages from network 192.168.3.0/24.
    Deny messages from MAC address 0100.2563.1425.

    ZXR10(config)#acl hybrid number 300
    ZXR10 config
55. 1 belongs to VLAN1 and VLAN2. Port loop detection function is enabled on gei_1/1 in VLAN1 and VLAN2.

    [Figure 18: Port Loop Detection Configuration Example. Labels: S1, S2, port gei_1/1]

    Configuration on S1:

    ZXR10(config)#interface gei_1/1
    ZXR10(config-if)#switchport mode trunk
    ZXR10(config-if)#switchport trunk vlan 1-2
    ZXR10(config-if)#exit
    ZXR10(config)#loop-detect interface gei_1/1 enable
    ZXR10(config)#loop-detect interface gei_1/1 vlan 1-2 enable
    ZXR10(config)#loop-detect reopen-time 5

    The information on gei_1/1 is shown below.

    ZXR10#show loop-detect interface gei_1/4
    Interface   Monitor   State   VlanRange

    The reopen time on gei_1/1 is shown below.

    ZXR10#show loop-detect reopen-time
    The reopen time of loop detect 5 minute

    Chapter 6 Network Protocol Configuration

    Table of Contents
    IP Address Configuration
    ARP Configuration

    IP Address Configuration

    IP Address Overview

    An IP address is the network layer address in the IP protocol stack. One IP address is composed of two parts:

    Network bit, identifying the network to which this IP address belongs
    Host bit, identifyi
56. Applying ACL to Physical Port
    Applying ACL to Virtual Port
    Configuring Event Linkage ACL Rule
    Applying NP Based ACL
    ACL Configuration Example
    ACL Maintenance and Diagnosis
    QoS Configuration
    QoS Overview
    Traffic Classification
    Traffic Monitoring
    Traffic Shaping
    Queue Scheduling and Default 802.1p
    Policy Routing
    Priority Mark
    Traffic Mirroring
    Traffic Statistics
    Queue Based Bandwidth Upper and Lower Threshold
    HQoS
    Configuring QoS
    Configuring Traffic Monitoring
    Configuring Traffic Rate Limit
    Configuring Layer 3 Rate Limit
    Configuring Queue Scheduling
    Configuring Policy Routing
    Configuring Priority Mark
57. #show localuser user id
        This displays information of local users.
    ZXR10#debug nas
        This traces the transmitting and receiving of packets and the handling processes of dot1x.
    ZXR10#debug radius all
        This traces the process of interacting with the RADIUS.
    ZXR10#show client statistics
        This displays statistics information of online users.

    Chapter 12 Cluster Management Configuration

    Table of Contents
    Cluster Management Overview
    Configuring Cluster Management
    Cluster Management Configuration Example
    Cluster Management Maintenance and Diagnosis

    Cluster Management Overview

    A cluster is a combination of a group of switches in a specific broadcast domain. This group of switches forms a unified management domain, which provides a public network IP address and a management interface to the outside, and provides the functions of managing and accessing every member in the cluster.

    The management switch, which is configured with the public network IP address, is the command switch; the other, managed switches are member switches. A public network IP address is not configured for a member switch; instead, a private address is assigned to the member switch by a DHCP-like function of the command switch. Command switch and member switch form a cluster private network I
58. ERSPAN Configuration Example
    Port Loop Detection Configuration

    Port Basic Configuration

    Port Basic Configuration Overview

    ZXR10 8900 series switch provides fast Ethernet ports, gigabit Ethernet ports and 10 gigabit Ethernet ports.

    Fast Ethernet electrical interface supports full duplex/half duplex, 10/100M and MDI/MDIX self-adaptive function. Default working mode is auto negotiation. It negotiates working mode and rate with the opposite end devices.
    Gigabit Ethernet electrical interface supports full duplex/half duplex, 10/100/1000M and MDI/MDIX self-adaptive function. Default working mode is auto negotiation. It negotiates working mode and rate with the opposite end devices.
    Gigabit Ethernet electrical interface works in gigabit full duplex mode. Duplex mode and rate of the port cannot be configured, but auto negotiation mode can be configured.
    10 gigabit Ethernet optical interface works in 10 gigabit full duplex mode. Auto negotiation, duplex mode and rate of the port cannot be configured.

    The system adds ports automatically: when the user plugs an interface board into the corresponding slot and the interface board starts normally, the ports of the interface board are added to the system port list automatically.

    ZXR10 8900 series switch names the ports in the following way:

    <Port type>_<Slot No>/<Port No>

    Port type covers FEI Fast E
59. Running Template
    IPFIX Configuration Example
    IPFIX Maintenance and Diagnosis
    Figures
    List of Glossary

    About This Manual

    Purpose: This manual provides procedures and guidelines that support the operation of ZXR10 8900 Series (V2.8.02.C) 10 Gigabit Routing Switch.

    Intended Audience: This manual is intended for engineers and technicians who perform operation activities on ZXR10 8900 Series (V2.8.02.C) 10 Gigabit Routing Switch.

    What Is in This Manual: This manual contains the following chapters.

    Table 1: Chapter Summary

    Chapter 1 Safety Instructions: This chapter describes the safety instructions and signs.
    Chapter 2 Usage and Operation: This chapter describes ZXR10 8912/8908/8905/8902 configuration mode in common use.
    Chapter 3 System Management: This chapter introduces file system management, file backup and restoration, software version upgrade.
    Chapter 4 CLI Privilege Classification: This chapter describes CLI privilege classification and configuration on ZXR10 8912/8908/8905/8902.
    Chapter 5 Port Configuration: This chapter describes the configuration of ZXR10 8912/8908/8905/8902 port parameters and port mirroring function.
    Chapter 6 Network Protocol Configuration: This chapter describes IP address confi
60. 8.89/zxr10.zar@target:target flash: /img/zxr10.zar
    Starting copying file
    file copying successful.
    ZXR10#

    Note: If copying version files from the management Ethernet port of the MP board, ftp must be followed with mng in the copy command.

    7. Check whether the new version file is available in FLASH or not. If the new version file is unavailable, the file copy has failed; execute step 6 to re-copy the version.

    8. Restart ZXR10 8900 series switch and follow the methods in step 4 to boot the system from FLASH. The boot path is changed into /flash/img/zxr10.zar automatically at this time.

    Note: Boot mode is changed to boot from FLASH by using the nvram imgfile-location local command in global configuration mode.

    9. Input @ in [ZXR10 Boot]; the system will boot the new version from FLASH after carriage return.

    10. After a normal boot-up, check the running version to confirm the successful upgrade.

    END OF STEPS

    Result: The version has been updated at abnormality.

    Upgrading Version at Normality

    Prerequisites: The following requirements are to be completed before users begin software version upgrade:

    Connect the configuration port (Console port of MP board) of ZXR10 8900 series switch to the serial interface of background host by
61. DOT1x Authentication User
    DOT1x Configuration Examples
    Dot1x Radius Authentication Application
    Dot1x Relay Authentication Application
    Dot1x Local Authentication Application
    DOT1x Maintenance and Diagnosis
    Cluster Management Configuration
    Cluster Management Overview
    Configuring Cluster Management
    Enabling ZDP
    Enabling ZTP
    Setting up a Cluster
    Maintaining a Cluster
    Configuring Cluster Operation Commands
    Cluster Management Configuration Example
    Cluster Management Maintenance and Diagnosis
    Network Management Configuration
    NTP Configuration
    NTP Overview
    Configuring NTP
    NTP Configuration Example
    RADIUS Configuration
    Radius Overview
    Configuring a RADIUS Accounting Group
    Configuring a RADIUS Authentication Group
    Conf
62. QoS Overview

    A traditional network provides services at its best effort, and all packets are treated in the same way. Network equipment sends messages to the destination on a first in, first served basis, but does not guarantee transfer reliability and transfer delay of messages.

    With the continuous emergence of new applications, a new requirement for network service quality is raised, because a traditional best-effort network cannot satisfy the requirements of these applications. For example, a user cannot use VoIP service and real-time image transmission normally if packet transfer delay is too long. To solve this problem, the system is provided with the capability of supporting QoS.

    When QoS is configured, it selects specific network traffic, prioritizing it according to its relative importance and use. Implementing QoS in the network makes network performance more predictable and bandwidth utilization more effective. QoS provides the following functions:

    Traffic classification
    Traffic policing
    Traffic shaping
    Queue scheduling and default 802.1p
    Redirection and policy routing
    Priority marking
    Traffic mirroring
    Traffic statistics

    Traffic Classification

    Traffic refers to packets passing through the switch. Traffic classification is the process of distinguishin
63. [Figure 8: Setting IP Address and Port of SSH Server. PuTTY session options, with Host Name (or IP address) set to 192.168.3.1]

    ii. Set SSH version as shown in Figure 9.

    [Figure 9: Setting SSH Version. PuTTY Configuration window, options controlling SSH connections, with the preferred SSH protocol version selection]

    4. Click Open to login to the switch and input valid username and password.

    Result: SSH connection has been configured.

    Configuring SNMP Connection

    Simple Network Management Protocol (SNMP) is an NM protocol. With SNMP, one NM server can manage all devices in the network.

    SNMP adopts management based on server and client terminal. The background NM server serves as the SNMP server, and the foreground network equipment, ZXR10 8900 series switch, serves as the SNMP client terminal. Foreground and background share the same MIB management database, performing communication by
64. IP address 67.100.88.0/24 on port gei_4/8.

    ZXR10(config)#acl extend number 100
    ZXR10(config-ext-acl)#rule 1 permit ip 168.2.5.5 0.0.0.0 any
    ZXR10(config-ext-acl)#rule 2 permit ip any 67.100.88.0 0.0.0.255
    ZXR10(config-ext-acl)#exit
    ZXR10(config)#traffic-statistics in 100 rule-id 2
    ZXR10(config)#interface gei_4/8
    ZXR10(config-if)#ip access-group 100 in

    Configuring Queue Based Bandwidth Upper and Lower Threshold

    ZXR10(config)#interface <interface-name>
        This accesses L2 interface configuration.
    ZXR10(config-if)#traffic-shape queue <queue-number> max-datarate-limit <rate> min-gua-datarate <rate>
        This configures queue based bandwidth upper and lower threshold.

    Configuring HQoS

    Configuring Traffic Class

    To configure a traffic class, perform the following steps:

    1. To create a traffic class or enter a traffic class, use the following command:

    ZXR10(config)#flow class <class-name>
        This creates a traffic class or enters a traffic class.

    To delete a traffic class, use the no flow class <class-name> command. If the traffic class is in use, the class cannot be deleted.

    2. To configure a matching rule, use the following command:

    ZXR10(config-fclass)#match acl <acl-no> rule <rule-no> tunnel <1-4096> vlan <1-4094> vip <1-16384> phb be af1 af2 af3 af4 ef cs6
        This configures a matching rule in traffic class configuration
65. r - Repeater, P - Phone, W - WLAN Access Point

    Local Intrfce | Device ID    | Holdtime | Capability | Platform                       | Port ID
    gei_1/1       | 0019c6059fc0 | 99       | B S        | ZXR10 ROS Version V4.08.23 ZX  | gei_1/1

    Chapter 14 IPTV Configuration

    Table of Contents
    IPTV Overview
    Configuring IPTV
    IPTV Configuration Example
    IPTV Maintenance and Diagnosis

    IPTV Overview

    Internet Protocol Television (IPTV) is also called Interactive Network TV. IPTV is a method of distributing television content over IP that enables a more customized and interactive user experience. IPTV allows people who are separated geographically to watch a movie together while chatting and exchanging files simultaneously. IPTV uses a two-way broadcast signal that is sent through the service provider's backbone network and servers. It allows the viewers to select content on demand and take advantage of other interactive TV options. IPTV can be used through a PC or an IP machine box and TV.

    Configuring IPTV

    Configuring IPTV Global Parameters

    To configure IPTV global parameters, perform the following steps:

    1. ZXR10(config)#iptv control {enable|disable}
        This configures IPTV function.
    2. ZXR10(config)#iptv cac {enable|disable}
        This configures IPTV Channel Access Control (CAC) function.
66. Path: zxr10.zar
    Use default Enable Password
    Use default Enable Password Confirm
    Use default
    [ZXR10 Boot]:

    Input @. The system boots the version from the background FTP server automatically after carriage return. The following information is displayed:

    [ZXR10 Boot]: @
    Loading... get file zxr10.zar [15922273] successfully!
    file size 15922273.
    (Omitted)
    ****************************************
    Welcome to ZXR10 10G Routing switch of ZTE Corporation
    ****************************************
    ZXR10>

    If the system has been started normally, use the show version command to check whether the new version is running in the memory or not. If it is still the old version that is running, booting from the background server failed; in this case, repeat the operations from step 1.

    5. Delete the old version file zxr10.zar in the directory IMG in FLASH with the delete command. The old version file can be renamed for backup if space in FLASH is sufficient.

    6. Copy the new version file in the background FTP server to the IMG directory in FLASH. The version file name is zxr10.zar. The following information is displayed:

    ZXR10#copy ftp: mng //168.4.16
67. Port ID TLV
    TTL TLV
    Optional TLV
    LLDPDU ending TLV

    Device ID TLV and port ID TLV are used to identify the senders.

    TTL TLV tells the receivers the hold time of the message. If the receiver does not receive update information from the sender within the hold time, the receiver will discard all related messages. IEEE has defined a recommended update frequency: update messages should be sent every 30 seconds.

    Optional TLV contains a basic management TLV set, an IEEE 802.1 organizationally specific TLV and an IEEE 802.3 organizationally specific TLV.

    The appearance of the LLDPDU ending TLV means the end of the LLDPDU.

    Configuring LLDP

    To configure LLDP, perform the following steps:

    ZXR10(config)#lldp enable
        This enables LLDP.
    ZXR10(config)#lldp hellotime <seconds>
        This configures the interval of sending LLDPDUs.
    ZXR10(config)#lldp holdtime <multiple>
        This configures the aging time of LLDPDU. The product of parameters multiple and hellotime is the aging time.
    ZXR10(config)#interface <interface-name>
        This enters interface configuration mode.
    ZXR10(config-if)#lldp setAdminStatus {enabledtxrx|rxonly|txonly|disabled}
        This configures the management state of LLDP.

    LLDP Configuration Example

    This example shows how to configure LLDP. As shown in Figure 36, S1
68. RPF Configuration: This chapter introduces URPF (Unicast Reverse Path Forwarding) and related configuration on ZXR10 8912/8908/8905/8902.
    Chapter 18 UDLD Configuration: This chapter describes UDLD and configuration on ZXR10 8912/8908/8905/8902.

    The following documentation is related to this manual:

    ZXR10 8900 Series (V2.8.02.C) 10 Gigabit Routing Switch Hardware Installation Manual
    ZXR10 8900 Series (V2.8.02.C) 10 Gigabit Routing Switch Hardware Manual
    ZXR10 8900 Series (V2.8.02.C) 10 Gigabit Routing Switch User Manual (Basic Configuration Volume)
    ZXR10 8900 Series (V2.8.02.C) 10 Gigabit Routing Switch User Manual (Ethernet Switching Volume)
    ZXR10 8900 Series (V2.8.02.C) 10 Gigabit Routing Switch User Manual (IPv4 Routing Volume)
    ZXR10 8900 Series (V2.8.02.C) 10 Gigabit Routing Switch User Manual (MPLS Volume)
    ZXR10 8900 Series (V2.8.02.C) 10 Gigabit Routing Switch User Manual (IPv6 Volume)

    Chapter 1 Safety Instructions

    Table of Contents
    Safety Introduction
    Safety Description

    Safety Introduction

    In order to operate the equipment in a proper way, follow these instructions:

    Only qualified professionals are allowed to perform installation, operation and maintenance, due to the high temperature and high voltage of the equipment.
    Observe the local safe
69. Note: Only the Ethernet electrical interface can be configured with port rate. Before configuring the port rate, disable the auto negotiation function first.

    Configuring Traffic Control

    To configure Ethernet port traffic control, perform the following steps:

    1. ZXR10(config)#interface {<port-name>|byname <by-name>}
        This accesses port configuration mode.
    2. ZXR10(config-if)#flowcontrol {enable|disable}
        This configures Ethernet port flow control.

    Note: An Ethernet port uses traffic control to restrain the packets sent to the port in a period of time. When the receiving buffer is full, a port sends a pause packet notifying the remote port to suspend packet transmission for a period of time. An Ethernet port can also receive pause packets from other devices and execute operations according to the packet regulation.

    Allowing Jumbo Frame

    To allow jumbo frames to pass the Ethernet port, perform the following steps:

    1. ZXR10(config)#interface {<port-name>|byname <by-name>}
        This accesses port configuration mode.
    2. ZXR10(config-if)#jumbo-frame enable
        This allows jumbo frames to pass the Ethernet port.

    Note: By default, the maximum allowed length of the frame passing the Ethernet port is 1560 bytes and jumbo frame is p
70. Setting Source Address for Network Device Sending Packets

    ZXR10(config)#ip stream export source <ip-address>
        This sets the source address for the network device sending packets.

    Setting Template Refresh Rate

    ZXR10(config)#ip stream template refreh rate <number>
        This sets the number of packets after which a template packet is sent, 20 by default.
    ZXR10(config)#ip stream template refreh rate <number> timeout rate <number>
        This sets template refresh rate time, 30 minutes by default.

    Configuring TOPN

    ZXR10(config)#ip stream topn <N> sort by {bytes|packets}
        This sets the size and sorting behavior of TOPN, by packet number or byte number.

    Template Configuration

    Setting Template

    ZXR10(config)#ip stream template <template-name>
        This sets a template.

    Setting Data Field Contained in Template Packet

    ZXR10(config)#match field
        This sets the data fields contained in the template packet.

    The server resolves data contained in the subsequent data flow according to these fields. The fields include source IP, destination IP, source port, destination port, the number of bytes contained in the data flow, the number of packets contained in the data flow, type of L3 protocol, TOS field, start time of the data flow, end time of the data flow, data flow ingress index, data flow egress index and TCP flag.

    Deleting Template

    ZXR10(config)#no ip stream templat
71. This example shows detailed statistic information of policy named telecom.

    ZXR10#show qos policy telcom detail
    Qos policy telcom
    Class voice
    Match acl 1 rule 1
    Class video
    Match acl 1 rule 3
    Policy video
    Class CCTV1
    Match acl 1 rule 5

    This example shows policy statistic information on gei_2/1.

    ZXR10#show qos policy statistics interface gei_2/1 in
    Qos policy telcom
    Class voice
    Receive Packet 10000 Reveive byte 1000000
    Drop packet 100 Drop byte 10000
    Class video

    QoS Configuration Examples

    Typical QoS Configuration Example

    Network A, Network B and internal servers are connected to an Ethernet switch, as shown in Figure 28. Internal servers include a VOD server with IP address 192.168.4.70. To ensure QoS of VOD, it should be configured with a higher priority. Internal users can access Internet through proxy 192.168.3.100. However, bandwidth of Network A and B should be limited, and traffic statistics is required.

    [Figure 28: Typical QoS Configuration Example. Labels: Department A (192.168.1.0/24), Department B (192.168.2.0/24), switch ports gei_1/1, gei_1/2 and gei_1/4, VLAN1, VLAN2, Mail, FTP and VOD servers]

    Configuration on the switch:

    ZXR10(config)#acl extended number 100
    ZXR10(config-ext-acl)#rule 1 permit tcp any 192.168.4.70 0.0.0.0
    ZXR10(config-ext-acl)#rule 2
72. ZXR10 8900 Series 10 Gigabit Routing Switch
    User Manual (Basic Configuration Volume)

    ZTE CORPORATION
    ZTE Plaza, Keji Road South, Hi-Tech Industrial Park, Nanshan District, Shenzhen, P. R. China, 518057
    Tel: (86) 755 26771900
    Fax: (86) 755 26770801
    URL: http://ensupport.zte.com.cn
    E-mail: support@zte.com.cn

    Version 2.8.02.C

    LEGAL INFORMATION

    Copyright 2006 ZTE CORPORATION.

    The contents of this document are protected by copyright laws and international treaties. Any reproduction or distribution of this document or any portion of this document, in any form by any means, without the prior written consent of ZTE CORPORATION is prohibited. Additionally, the contents of this document are protected by contractual confidentiality obligations.

    All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE CORPORATION or of their respective owners.

    This document is provided "as is", and all express, implied, or statutory warranties, representations or conditions are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose, title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the use of or reliance on the information contained herein.

    ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications covering the subject mat
73. ZXR10 config

    Port Loop Detection Configuration

    Port Loop Detection Overview

    With the port loop detection function, the switch can detect whether there is a loop on a port. If there is a loop, the switch will take measures. This can avoid a broadcast storm.

    On ZXR10 8900 series switch, the port loop detection function can be configured to detect a loop on one port or on all ports. By default, the detection function is disabled. The switch supports VLAN-based detection; that is, the switch can detect a loop in the VLAN whose ID equals the PVID of the port, as well as in the VLANs that users designate. A port can detect loops in up to 8 VLANs at the same time.

    A port sends a Layer 2 multicast message every 15 seconds. If there is a loop on a port, the multicast message will go back to the port through which the message was sent.

    Configuring Port Loop Detection

    To configure the port loop detection function, perform the following steps:

    ZXR10(config)#loop-detect interface <port_name> {enable|disable}
        This configures port loop detection function on one port or multiple ports.
    ZXR10(config)#loop-detect interface <port_name> vlan <vlan_id> {enable|disable}
        This configures port loop detection function in a VLAN or multiple VLANs that a port belongs to.
    ZXR10(config)#loop-detect portstate block normal protect port name
        This configures the state of loop port.
74. ZXR10#mkdir ABC
    Add a subdirectory ABC under the current directory.
ZXR10#dir
    Check the current directory information; the directory ABC has been added successfully.
Directory of flash
attribute size date time name
1 drwx 512 MAY 17 2004 14:22:10 IMG
2 drwx 512 MAY 17 2004 14:38:22 CFG
3 drwx 512 MAY 17 2004 14:38:22 DATA
4 drwx 512 MAY 17 2004 15:40:24 ABC
65007616 bytes total (48861184 bytes free)
ZXR10#rmdir ABC
    Delete the subdirectory ABC.
ZXR10#dir
    Check the current directory information; the directory ABC has been deleted successfully.
Directory of flash
attribute size date time name
1 drwx 512 MAY 17 2004 14:22:10 IMG
2 drwx 512 MAY 17 2004 14:38:22 CFG
3 drwx 512 MAY 17 2004 14:38:22 DATA
65007616 bytes total (48863232 bytes free)
ZXR10#
FTP/TFTP Connection Configuration
ZXR10 8900 series switch serves as the client terminal of FTP/TFTP. Files can be backed up and restored. On ZXR10 8900 series switch, configuration can be imported by FTP/TFTP.
Configuring a Switch as FTP Client Terminal
Prerequisites: Enable FTP server software on the background host; the switch communicates as the client terminal.
Context: To configure the switch to serve as FTP client terminal, perform the following steps.
Steps:
1. Run WFTPD software in the backg
75. a channel
ZXR10(config)#no iptv channel idlist <channel idlist> all name <channel name>
    This deletes channels.
Configuring IPTV Service Package
To configure IPTV service package, perform the following steps.
ZXR10(config)#iptv package name <package name> pkgid <package id>
    This creates an IPTV service package.
ZXR10(config)#iptv package <package name> channel <idlist> deny permit preview
    This adds a channel to the package and sets the privilege of the channel.
ZXR10(config)#no iptv package all package name package name package id <package id> channel <idlist>
    This deletes the package or a channel in the package.
Note: Package ID and name are unique. When package ID is not configured, the system assigns an ID for the package automatically.
Configuring IPTV Preview Template
To configure IPTV preview template, perform the following steps.
ZXR10(config)#iptv view profile name <viewfile name> id <viewfile id>
    This creates a preview configuration file.
ZXR10(config)#iptv view profile name <viewfile name> count <view count>
    This configures the maximum preview times.
ZXR10(config)#iptv view profile name <viewfile name> duration <view
    This configures the maximum
76. ads files through the cluster tftp server on the member switch.
Cluster Management Configuration Example
This example describes how to connect two devices to implement cluster management, as shown in Figure 34.
[Figure 34: Cluster Management Configuration Example (DUT A, DUT B)]
Configuration steps are as follows:
1. Ensure that the two ports are in a VLAN configured as vlan1, and ensure that vlan1 is not configured with a Layer 3 address.
2. Execute show zdp neighbor on DUT A and ensure that the zdp neighbor is already set up.
3. Execute ztp start on DUT A to conduct topology collection, and then execute show ztp device list to view DUT A and DUT B.
4. Configure DUT A as command switch with the group switch type command. View the command switch with the show group command.
5. Configure DUT B as the member switch with the group member device 1 command, and then view Member 1 in the up state with the show group member command.
6. Log in to Member 1 with the rlogin member 1 command in the privilege mode, and log in from Member 1 to the command switch with the rlogin commander command.
Cluster Management Maintenance and Diagnosis
To configure cluster management maintenance and diagnosis, perform the following steps.
1. ZXR10#show zdp
    This displays ZDP configuration information.
2. ZXR10#show ztp
    This displays ZTP configuration
77. Chapter 7 DHCP Configuration
Table of Contents
DHCP Overview
DHCP Snooping Overview
Configuring DHCP
DHCP Configuration Examples
DHCP Maintenance and Diagnosis
DHCP Overview
DHCP allows a host on a network to obtain an IP address for normal communications and related configuration information from a DHCP server. Details of DHCP are described in RFC 2131.
Working Procedure
DHCP uses UDP as the transmission protocol. The host sends messages to port 67 of the DHCP server, which returns messages to port 68 of the host. DHCP works in the following steps:
1. A host sends a DHCP Discover broadcast message requesting an IP address and other configuration parameters.
2. A DHCP server returns a DHCP Offer message containing a valid IP address.
3. The host selects the server whose DHCP Offer arrives first and sends a DHCP Request message to that server, which indicates that it accepts the related configurations.
4. The selected DHCP server returns a DHCP Ack message for acknowledgement
78. and switch on a commander switch
ZXR10(config)#group time synchronize
    This enables clock synchronization for cluster management.
ZXR10(config)#group member all candidates device <device id> mac <mac address> member <member id>
    This adds a designated device or MAC address as a member on a commander switch.
Maintaining a Cluster
To maintain a cluster, perform the following steps.
ZXR10(config)#group reset member all member id
    This restarts the member on the command switch.
ZXR10(config)#group save member all member id
    This saves the member configuration on the command switch.
ZXR10(config)#group erase member all member id
    This deletes the member configuration file from the command switch.
ZXR10(config)#group tftp server ip addr
    This configures the tftp server on the cluster.
ZXR10(config)#group trap host ip addr
    This configures the alarm receiver of the cluster.
Configuring Cluster Operation Commands
To configure cluster operation commands, perform the following steps.
ZXR10#copy <source device> <source file> <destination device> <destination file>
This logs in from the command switch to member switch or from the member switch to command switch.
This uploads or downlo
79. ap DSCP value 30 to 20 and set COS value to 0 and drop priority to high.
ZXR10(config)#qos conform dscp 30 20 0 2
ZXR10(config)#interface gei_1/1
ZXR10(config-if)#trust dscp enable
Configuring Traffic Mirroring
To configure traffic mirroring, use the following command.
ZXR10(config)#traffic mirror in <acl number> rule id <rule no> cpu interface <port name>
    This configures traffic mirroring.
Example: This example describes how to map data traffic with source IP address 168.2.5.6 on port gei_1/8 to port gei_1/4.
ZXR10(config)#acl basic number 10
ZXR10(config-basic-acl)#rule 1 permit 168.2.5.5
ZXR10(config-basic-acl)#rule 2 permit 168.2.5.6
ZXR10(config-basic-acl)#exit
ZXR10(config)#traffic mirror in 10 rule id 2 interface
ZXR10(config)#interface gei_1/8
ZXR10(config-if)#ip access group 10 in
ZXR10(config-if)#exit
ZXR10(config)#interface gei_1/4
ZXR10(config-if)#monitor session 1 destination
Configuring Traffic Statistics
To configure traffic statistics, use the following command.
ZXR10(config)#traffic statistics <acl number> rule id <rule no> pkt type all green red yellow statistics type byte packet
    This configures traffic statistics.
Example: This example describes how to collect traffic statistics on data in the network with destination
80. card> any precedence pre value tos <tos value> dscp <dscp value> time range timerange name
ZXR10(config-ext-acl)#rule rule no permit deny tcp source source wildcard any rule port dest dest wildcard any rule port established precedence pre value tos tos value dscp dscp value tcp control tcp control value time range <timerange name>
    This defines TCP based rules.
ZXR10(config-ext-acl)#rule <rule no> permit deny udp source source wildcard any rule port <dest> <dest wildcard> any <rule> <port> precedence pre value tos tos value dscp dscp value time range <timerange name>
    This defines UDP based rules.
ZXR10(config-ext-acl)#move <rule no> after <rule no>
    This moves a rule.
ZXR10(config-ext-acl)#attach time range <time range name> to <rule id>
    This binds a time range to a rule.
Example: This example describes how to configure an extended ACL. It is required to implement the following functions:
Permit UDP packets from network segment 210.168.1.0/24 (destination IP address is 210.168.2.10, source port is 100 and destination port is 200) to pass.
Deny BGP messages from network 192.168.2.0/24.
Deny all ICMP messages.
Deny all messages with IP protocol code 8.
ZXR10(config)#acl extend number 150
81. ccounting (AAA) is used to authenticate users accessing the routing switch and to prevent access by illegal users, thus enhancing the security of the equipment. In addition, services like DOT1X can also use a RADIUS server for authentication and accounting. ZXR10 8900 series switch supports the RADIUS authentication function to authenticate Telnet users accessing the routing switch. ZXR10 8900 series switch supports multiple RADIUS server groups. Four authentication servers can be configured in each RADIUS group. Server timeout time and maximum retry times for timeout can be set for each group. The administrator can configure different RADIUS groups to select a specific RADIUS server.
Configuring a RADIUS Accounting Group
To configure a RADIUS accounting group, use the following command.
ZXR10(config)#radius accounting group <group number>
    This configures RADIUS accounting group.
Configuring a RADIUS Authentication Group
To configure a RADIUS authentication group, use the following command.
ZXR10(config)#radius authentication group <group number>
    This configures RADIUS authentication group.
Configuring RADIUS Parameters
To configure RADIUS parameters, perform the following steps.
1. ZXR10(config-acctgrp-1)#timeout <timeout>
    This configures RADIUS timeout.
2 0 config acctgrp nd robin a
82. ce are matched against the ACL.
Layer 2 ACL: Source/destination MAC address, source VLAN ID, Layer 2 Ethernet protocol type and 802.1p priority value are matched against the ACL.
Hybrid ACL: Source/destination MAC address, source VLAN ID, source/destination IP address, TCP source/destination port number and UDP source/destination port number are matched against the ACL.
Standard IPv6 ACL: Only source IPv6 address is matched.
Extended IPv6 ACL: Source/destination IPv6 address is matched.
User Defined ACL: The number of tags and byte offset value are matched.
Each ACL has an access list number to identify it. The access list number ranges of the different types of ACLs are shown in Table 6.
TABLE 6 ACL DESCRIPTIONS
ACL Type: Access List Number
Standard ACL: The range is from 1 to 99. The expanded range is from 1000 to 1499.
Extended ACL: The range is from 100 to 199. The expanded range is from 1500 to 1999.
Layer 2 ACL: The range is from 200 to 299.
Each ACL supports up to 1000 rules, with the codes ranging from 1 to 1000.
NP Based ACL Overview
To apply the configured ACL to a physical port, VLAN or Smartgroup virtual interface, the user can choose the common processing mode or the Network Processor (NP) mode. As for NP processing mode based ACL, the switch must be configured
83. cedence precedence value
    This configures priority marking.
Example: This example describes how to change the DSCP value of packets with source IP address 168.2.5.5 on port gei_5/1 to 34 and select 4 for output queues.
ZXR10(config)#acl basic number 10
ZXR10(config-basic-acl)#rule 1 permit 168.2.5.5
ZXR10(config-basic-acl)#exit
ZXR10(config)#priority mark 10 rule id 1 dscp 34 cos 4
ZXR10(config)#interface gei_5/1
ZXR10(config-if)#ip access group 10 in
Configuring Tail Discarding
To configure tail discarding, perform the following steps.
1. ZXR10(config)#qos tail drop <session index> queue id queue id green threshold yellow threshold red threshold
    This configures parameters of packets to be discarded.
2. ZXR10(config)#interface interface name
    This enters interface configuration mode.
3. ZXR10(config-if)#drop mode tail drop <session index>
    This discards packets.
Example: This example shows how to configure tail discarding. Configure the tail discarding function on gei_1/1. Yellow packets with waterline 100, red packets with waterline 120 and green packets with waterline 120 are discarded.
ZXR10(config)#qos tail drop 1 queue id 1 120 100 120
ZXR10(config)#interface gei_1/1
ZXR10(config-if)#drop mode tail drop 1
Configuring COS Discarding Priori
84. ch the prompt is shown below.
Username: test
Password:
ZXR10#
This example shows how to change the privilege level of the user to 1.
ZXR10(config)#username test password test privilege 1
When the user telnets to log in to the switch, the prompt is shown below.
Username: test
Password:
ZXR10>
Note: When a user with privilege level 2 to 15 logs in to the switch, the prompt is #. When a user with privilege level 1 logs in to the switch, the prompt is >, indicating that the user should input the enabling password, as shown below.
Username: test
Password:
ZXR10>enable 12    (if no parameter is input after enable, the default privilege level is 15)
Password:
ZXR10#
Configuring an Enabling Password
Administrators can configure an enabling password for each privilege level. When a user with a lower privilege level wants to obtain a higher privilege level, the user should input the enabling password.
To configure an enabling password for a privilege level, use the following command.
ZXR10(config)#enable secret level <level> <password>
    This configures an enabling password for a privilege level.
Note: To delete the enabling password, use the no enable secret level <level> command.
Example: This example shows how to configure an enabling pas
85. connects to S2. Configure LLDP on the two switches to make them discover each other.
[Figure 36: LLDP Configuration Example (S1, S2)]
Configuration of S1:
Zxr10#conf t
Zxr10(config)#lldp enable interface gei_1/1
Configuration of S2:
Zxr10#conf t
Zxr10(config)#lldp enable interface gei_1/1
Show configuration results.
Showing global information of line card:
Zxr10#show lldp config
Lldp enable enabledRxTx
Lldp hellotime 30s
Lldp holdtime 120s
Lldp maxneighbor 128
Lldp curneighbor 28
Showing interface information:
Zxr10#show lldp config interface gei_1/1
Lldp port enable enabledRxTx
Lldp maxneighbor 8
Lldp curneighbor 0
Showing neighbor information of line card:
Zxr10#show lldp neighbor
Capability Codes: R Router, T Trans Bridge, B Source Route Bridge, S Switch, H Host, I IGMP, r Repeater, P Phone, W WLAN Access Point
Local Intrfce, Device ID, Holdtime, Capability, Platform, Port ID
gei_1/3 00d0d0c7ffe0 120 B S ZXR10 ROS Version gei_1/2 V4 08 23 ZX B
gei_1/2 00d0d0c7ffeO0 120 B S ZXR10 ROS Version gei_1/3 V4 08 23 ZX
gei_1/5 00d0d0c7ffe0 120 B S ZXR10 ROS Version gei 1
Showing interface neighbor information:
Zxr10#show lldp neighbor interface gei_1/1
Capability Codes: R Router, T Trans Bridge, B Source Route Bridge, S Switch, H Host, I IGM
86. d sequence
Press Ctrl N or
    This recalls commands in the history buffer in a backward sequence.
In the privileged mode, use the show history command to list the recently used commands.
Chapter 3 System Management
Table of Contents
File System Management
FTP/TFTP Connection Configuration
File Backup and Restoration
System Software Version Upgrade
System Parameter Configuration
System Information View
File System Management
File System Overview
On ZXR10 8900 series switch, FLASH on the MP board is used as the major storage device, that is, for storing ZXR10 8900 series switch version files and configuration files. When upgrading the software version or saving the configuration, an operation on FLASH is necessary. There are three directories in Flash by default: IMG, CFG and DATA.
IMG: System mapping files, that is, image files, are stored under this directory. The extended name of the image files is .zar. The image files are dedicated compression files. Version upgrade means changing the corresponding image files under this directory.
Note: Default name of ZXR10 8900 series switch software vers
87. d
Along with the great benefits that IP networks bring to life and work, there are also great losses caused by network attacks and computer viruses. In the past, network attacks and viruses were aimed at PCs and servers. Now they are also aimed at network devices such as switches and routers. A switch can take protective measures against known or predictable network attacks and viruses. This gives the switch the ability to protect itself and to guarantee network security.
The CPU attack protection function monitors the rate of packets sent upward. When the system discovers packets with an abnormal upward rate, it raises an alarm. This prompts network management that there may be packets attacking the CPU. The network management system decides, according to the situation, whether to discard this kind of packet, or it filters unreasonable packets.
If the IPv4 or IPv6 protocol protection function is disabled, some kinds of protocol packets are discarded directly by the bottom-layer drivers, and some kinds of protocol packets are transmitted upward by the bottom-layer drivers with lower priorities. When these packets reach the MUX module, they are discarded, except SNMP packets and RADIUS packets, so the platform is not impacted.
If the IPv4 or IPv6 protocol protection function is enabled, protocol packets are transmitted to the platform with high priorities. When the protocol protection module discovers that some kind of protocol packets are transmitted
88. d 0
Example: A user who connects to port gei_1/1 in Vlan1 is the preview user of multicast group 224.1.1.1. Max preview time is 2 minutes. Least preview interval is 20 seconds. Max preview count is 10. The VLAN ID of the multicast group is 100. There is only one channel, with an ID of 0. Configuration is shown below.
ZXR10(config)#iptv control enable
ZXR10(config)#iptv cac enable
ZXR10(config)#iptv channel mvlan 100 group 224.1.1.1
ZXR10(config)#iptv view profile name vw1
ZXR10(config)#iptv view profile name vw1 duration 120
ZXR10(config)#iptv view profile name vw1 blackout 20
ZXR10(config)#iptv view profile name vw1 count 10
ZXR10(config)#iptv channel id list 0 viewfile name vw1
ZXR10(config)#interface gei_1/1
ZXR10(config-if)#iptv vlan 1 service start
ZXR10(config-if)#iptv vlan 1 control channel
ZXR10(config-if)#iptv vlan 1 channel id 0
Example: Port gei_1/1 is only allowed to receive the querying packets of multicast group 224.1.1.1. The VLAN ID of this multicast group is 100. There is only one channel, with an ID of 0. Configuration is shown below.
ZXR10(config)#iptv control enable
ZXR10(config)#iptv cac enable
ZXR10(config)#iptv channel mvlan 100 group 224.1.1.1
ZXR10(config)#interface gei_1/1
ZXR10(config-if)#iptv vlan 100 channel id 0 query
IPTV Maintenance and Diagnosis
To locate IPTV problems and perform troubleshooting, execute related debugging commands. Here some show commands are in trod
89. d CIR and is marked in green if its size is less than CIR.
Traffic Shaping
Traffic shaping is used to control the rate of output packets so that packets are sent at an even speed. Traffic shaping is used to match the packet rate with downlink equipment to avoid congestion and packet discarding. Traffic shaping caches packets whose rate exceeds the limited value and sends them at an even rate, while traffic monitoring discards packets whose rate exceeds the limited value. Moreover, traffic shaping makes delay longer, but traffic monitoring does not introduce any extra delay. Traffic shaping is classified into the following two kinds:
Incoming port bandwidth traffic shaping
Outgoing port bandwidth traffic shaping
Queue Scheduling and Default 802.1p
Each physical port of the ZXR10 8900 series switch supports eight output queues (queue 0 to queue 7), called CoS queues. The switch performs the incoming port output queue operation according to the CoS queue corresponding to the 802.1p value of packets. In network congestion, queue scheduling is generally used to solve the problem that multiple packets compete with each other for resources at the same time. ZXR10 8900 series switch supports Strict Priority (SP), Weighted Round Robin (WRR) and Dynamic Weighted Round Robin (DWRR) queue scheduling modes. Eight output q
90. d Diagnosis of CLI Privilege Classification
CLI Privilege Classification Overview
ZXR10 8900 series switch supports the CLI privilege classification function. There are 16 levels. Different users can have different privilege levels. The higher the privilege level a user has, the more commands the user can use. The administrators have the highest level (Level 15). Therefore, they can set the levels of different commands. The CLI privilege classification function consists of two parts: privilege level maintenance of commands and privilege level maintenance of users, as shown in Figure 14.
[Figure 14: CLI Privilege Classification Function. Labels recovered from the figure:
Privilege Level Maintenance of Commands: Boot the switch to obtain the default privilege of commands. Administrators set the privilege levels of commands. Administrators view the configuration of privilege levels.
Privilege Level Maintenance of Users: The default privilege level of users logging in through the console interface is 1. Privilege levels of users logging in through telnet can be configured with the username command. Privilege levels of users can be switched with the enable and disable commands. Privilege Administrators vi
91. Chapter 15 VBAS Configuration
Table of Contents
VBAS Overview
Configuring VBAS
VBAS Configuration Example
VBAS Maintenance and Diagnosis
VBAS Overview
The VBAS protocol is an extended inquiry protocol between IP DSLAM and BRAS equipment. BRAS and IP DSLAM use a point-to-point link to communicate. Port information inquiry and response messages are encapsulated in Layer 2 Ethernet data frames. Configure the corresponding Digital Subscriber Line Access Multiplexer (DSLAM) of each VLAN on the BAS. In the course of PPPoE calling, the VBAS protocol starts, that is, the BAS maps to the corresponding DSLAM according to the VLAN in the user band, the BAS starts a user line identifier inquiry to the DSLAM, and the DSLAM gives a user line identifier response to the BAS. In this manual, the switches are DSLAMs. The VBAS function is implemented by sending VBAS messages between BAS and DSLAM.
Configuring VBAS
To configure VBAS, perform the following steps.
ZXR10(config-vlan)#vbas enable
    This enables VBAS function in a designated VLAN.
ZXR10(config-if)#vbas trust
    This configures a VBAS
ZXR10(config-if)#vbas port type user net
    This configures a designated port as VBAS user port or network port.
92. Configuring Ethernet Port Rate
Configuring Traffic Control
Allowing Jumbo Frame
Configuring Broadcast Storm Suppression
Configuring Multicast Suppression
Configuring Unknown Unicast Suppression
Enabling Fast Port Detection Function
Configuring FEFI Function
Configuring TCP Rate Limit
Configuring Switch of Optical or Electrical Port
Viewing Port Information
Diagnosing and Testing Link
Port Mirroring Configuration
Port Mirroring Overview
Configuring Port Mirroring
Port Mirroring Configuration Example
ERSPAN Configuration
ERSPAN Overview
Configuring ERSPAN
Establishing One ERSPAN Session
Adding Source or Destination Port to Session Entry
Displaying Session Details Configured by User
93. e man in the middle. This imitates the server to receive the data transmitted by the client terminal, and then imitates the client terminal to transmit data to the real server.
SSH (Secure Shell) can solve the problem. SSH establishes a secure channel for remote login and other network services in an insecure network. It encrypts and compresses the transmitted data, which prevents people from getting secret information. Two incompatible versions of the SSH protocol are available: SSH v1.x and SSH v2.x. ZXR10 8900 series switch supports SSH v2.0. It provides a secure remote login function. SSH falls into two parts: server and client terminal. ZXR10 8900 series switch serves as the SSH server. A host logs in to the switch by running an SSH client terminal.
To configure an SSH connection, perform the following steps.
1. Use the following command to enable the SSH server function of ZXR10 8900 series switch.
ZXR10(config)#ssh server enable
    This enables SSH server function.
Note: The SSH server function is disabled by default.
2. Connect the host network interface to the Ethernet port of the switch. Enable the host to ping the IP address of the VLAN interface in the switch.
3. Run SSH client terminal software on the host.
i. Set the IP address and port number of the SSH server, as shown in Figure 8
94. e master authentication/slave accounting server, and the latter serves as the slave authentication/master accounting server.
Set the encryption key to aaazte when the system exchanges packets with the authentication RADIUS server.
Set the system to resend packets to the RADIUS server if no response comes from this server within five seconds after the previous sending; packets can be resent five times at most.
Direct the system to remove the user domain name from the user name before sending it to the RADIUS server.
Configuration on the switch:
ZXR10(config)#radius authentication group 1
ZXR10(config-authgrp-1)#server 1 10.1.1.1 master key aaazte port 1812
ZXR10(config-authgrp-1)#server 2 10.1.1.2 key aaazte port 1812
ZXR10(config-authgrp-1)#max retries 5
ZXR10(config-authgrp-1)#timeout 5
ZXR10(config-authgrp-1)#exit
ZXR10(config)#radius accounting group
ZXR10(config-acctgrp-1)#server 1 10.1.1.2 master key aaazte port 1813
ZXR10(config-acctgrp-1)#server 2 10.1.1.1 key aaazte port 1813
ZXR10(config)#nas
ZXR10(config-nas)#create aaa 1 port fei_1/1
ZXR10(config-nas)#aaa 1 control dot1x enable
ZXR10(config-nas)#aaa 1 authorization auto
ZXR10(config-nas)#aaa 1 accounting enable
ZXR10(config-nas)#aaa 1 multiple hosts enable
ZXR10(config-nas)#aaa 1 defaul
95. e template name
    This deletes one template.
Running Template
ZXR10(config)#ip stream template template name
    This runs template.
IPFIX Configuration Example
An IPFIX configuration example is given here, with the network topology shown in Figure 40.
[Figure 40: IPFIX Configuration Example (Incoming Traffic, Data Record, Collectors, Mgmt application)]
ZXR10_R1(config)#ip stream enable
ZXR10_R1(config)#interface gei_2/12
ZXR10_R1(config-if)#netflow sample ingress unicast 100
ZXR10_R1(config-if)#netflow sample egress unicast 100
ZXR10_R1(config)#ip stream export destination 192.168.1.1 2055
ZXR10_R1(config)#ip stream export destination 192.168.1.2 2055
ZXR10_R1(config)#ip stream export source 192.168.1.244
ZXR10_R1(config)#ip stream export version 9
ZXR10_R1(config)#ip stream topn 10 sort by packets
ZXR10_R1(config)#ip stream template test
ZXR10_R1(config-stream-template)#match srcaddr
ZXR10_R1(config-stream-template)#match dstaddr
ZXR10_R1(config-stream-template)#match srcport
ZXR10_R1(config-stream-template)#match dstsrcport
ZXR10_R1(config-stream-template)#exit
ZXR10_R1(config)#ip stream run template test
IPFIX Maintenance and Diagnosis
For the convenience of IPFIX maintenance and diagnosis, IPFIX provides related view commands.
1. To show IPFIX relat
96. e vlan10
ZXR10(config-if)#ip dhcp mode server
ZXR10(config-if)#ip address 10.10.1.1 255.255.255.0
ZXR10(config-if)#ip dhcp server gateway 10.10.1.1
ZXR10(config-if)#peer default ip pool dhcp
ZXR10(config-if)#exit
ZXR10(config)#ip dhcp enable
DHCP Relay Configuration Example
When the DHCP client and server are not in the same sub-network, the router which connects with users works as a DHCP relay. The switch enables the DHCP relay function, and a single server, 10.10.2.2, provides the DHCP server function. This mode is usually adopted when a lot of hosts require the DHCP service. This is shown in Figure 20.
[Figure 20: DHCP Relay Configuration Example (DHCP server 10.10.2.2/24; 10.10.1.1/24; FTP server 10.10.1.2/24)]
Configuration on the switch:
ZXR10(config)#interface vlan10
ZXR10(config-if)#ip dhcp mode relay
ZXR10(config-if)#ip address 10.10.1.1 255.255.255.0
ZXR10(config-if)#ip dhcp relay server 10.10.2.2 security
ZXR10(config-if)#exit
ZXR10(config-if)#ip dhcp relay agent 10.10.1.1
ZXR10(config)#ip dhcp enable
DHCP Snooping Preventing False DHCP Server Configuration Example
DHCP server 1 connects with fei_1/1 of the switch. DHCP server 1 is configured by the administrator. DHCP server 2 connects with fei_1/2 of the switch, and it is a private and illegal server. Fei_1/1 and fei_1/2 belo
97. ed configurations, execute the following command:
show ip stream config
This includes whether the IPFIX module is enabled, the size of memory entries, server address and port configuration, source address configuration, and template refresh rate and refresh time configuration.
2. To show TOPN, execute the following command:
show ip stream topn
This shows information about N data flows according to the set TOPN display mode. The information includes data flow ingress, egress, source address, destination address, source port, destination port, L3 protocol type, and the number of packets or the number of bytes, corresponding to the TOPN setting.
3. To show template configuration, execute the following command:
show ipstream template
This shows the configuration of the template, that is, the fields contained in the template.
Figures
Figure 1 Configuration Modes
Figure 2 HyperTerminal Configuration 1
Figure 3 HyperTerminal Configuration 2
Figure 4 HyperTerminal Configuration 3
Figure 5 Runnin
98. el after the port is enabled.

    Authentication Server System

    Authentication server is usually a RADIUS server. In the authentication server, user-related information is stored, such as the VLAN where the user locates, CAR parameter, priority, and access control list of the user. Once the user passes authentication, the authentication server delivers user-related information to the authentication system, which creates a dynamic access control list. The above parameters are used to measure subsequent traffic of the user. Authentication server and RADIUS server communicate with each other through the RADIUS protocol.

    Configuring DOT1x

    Configuring AAA

    To configure AAA, perform the following steps:

        ZXR10(config)#nas
    This enters nas configuration mode.

        ZXR10(config-nas)#create aaa <rule-id> port <port-name> vlan <vlan-id>
    This creates AAA control entry.

        ZXR10(config-nas)#aaa <rule-id> control {dot1x | dot1x-relay} {enable | disable}
    This enables/disables dot1x authentication or relay.

        ZXR10(config-nas)#aaa <rule-id> authentication {auto | local | radius}
    This selects an authentication mode.

        ZXR10(config-nas)#aaa <rule-id> protocol {pap | chap | eap}
    This selects an authentication protocol.

        ZXR10(config-nas)#aaa <rule-id> accounting {enable | disable}
    This configures to charge or not.

        ZXR10(config-nas)#aaa <rule-id> multiple-hosts {enable max-hosts <host-number> | disable}
    This configures whether multiple users a
99. eters of the background SysLog server (command fragment: <ip-address> fport <fport> lport <port>)

        ZXR10(config)#show logging alarm typeid <type> start-date <date> end-date <date> level <level>
    This displays log information.

    Note: In step 10, types of supported alarm information include environment, board, port, ROS, database, OAM, security, OSPF, RIP, BGP, DRP, TCP, UDP, IP, IGMP, Telnet, ARP, ISIS, ICMP, SNMP and RMON.

    SysLog Configuration Example

    This example describes the setting of SysLog. Before configuring SysLog, enable the log function with the logging on command.

        ZXR10(config)#logging on
        ZXR10(config)#logging buffer 100
        ZXR10(config)#logging mode FULLCLEAR
        ZXR10(config)#logging console warnings
        ZXR10(config)#logging level errors

    LLDP Configuration

    LLDP Overview

    Link Layer Discovery Protocol (LLDP) is a new protocol defined in 802.1ab. It enables neighbor devices to send messages to each other. LLDP is used to update physical topology information and create a device management information database.

    Working Flow

    The working flow of LLDP is described as follows:

    1. Local device sends link and management information to neighbor devices.
    2. Local device receives network management information fro
100. etwork.

    Due to the non-connection-oriented characteristics of an IP network, the communication of different types of services in the network can be a series of IP packets sent from one terminal device to another terminal device. This series of packets actually forms one data flow of a service in the carrier network. If the management system can distinguish all flows in the entire network and correctly record the transmit time of each flow, the occupied network port, the transmit source/destination address and the size of data flows, then the traffic and flow direction of all communications in the entire carrier network can be analyzed and statistics can be collected.

    By telling the differences among flows in the network, it is possible to judge whether two IP packets belong to the same flow. This can be realized by analyzing 7 attributes of an IP packet:

    - source IP address
    - destination IP address
    - source port id
    - destination id
    - L3 protocol type
    - TOS byte (DSCP)
    - ifIndex for network device input or output

    With the above 7 attributes of an IP packet, flows of different service types transmitted in the network can be rapidly distinguished. Each distinguished data flow can be traced separately and counted accurately; its flow direction characteristics, such as transmit direction and destination, can be recorded; and the start time, end time, service type
101. ew level the configuration of maintenance privilege levels of users.

    When a device is booted, each command has a default privilege level. Administrators can modify the privilege levels of the commands. Administrators can also modify the privilege levels of the users who log in to the switch. When a user's privilege level is the same as or higher than the privilege level of a command, the user can use the command.

    Configuring CLI Privilege Classification

    Configuring Telnet User

    Considering security, the privilege level of a user can only be configured by the administrators. That is, after a user logs in to the switch, the user cannot modify their own login password and privilege level. Administrators do not need to check the password when modifying the privilege level of the user.

    To configure the privilege level of a telnet login user, use the following command:

        ZXR10(config)#username <username> password <password> privilege <level>
    This configures the user name, password and privilege level of a telnet login user.

    Note: To delete the user, use the no username <username> command.

    Example: This example shows how to configure the privilege level to 12 of a user named test.

        ZXR10(config)#username test password test privilege 12

    When the user telnets to log in to the swit
102. fic-limit 100 rule-id 1 cir 10000 cbs 2000 pir 10000 pbs 2000 mode blind

        ZXR10(config)#interface gei_5/1
        ZXR10(config-if)#ip access-group 100 in

    Configuring Traffic Rate Limit

    To configure traffic rate limit, use the following command:

        ZXR10(config-if)#traffic-limit rate-limit <rate-value> bucket-size <value> {in | out}
    This configures traffic rate limit.

    Example: This example describes how to enable traffic limit on gei_1/1. Configure egress rate to be 20M and ingress rate to be 10M.

        ZXR10(config)#interface gei_1/1
        ZXR10(config-if)#traffic-limit rate-limit 20000 bucket-size 4 out
        ZXR10(config-if)#traffic-limit rate-limit 10000 bucket-size 4 in

    Configuring Layer 3 Rate Limit

    To configure Layer 3 rate limit, perform the following steps:

    - This enters nas configuration mode.
    - This enters ratelimit configuration mode.

        ZXR10(config-nas-ratelimit)#ip host <ip-addr> vlan <vlan-id> {down-rate | up-rate} {k <64-1000> | m <10-1000>}
    This limits the rate of uplink or downlink users.

        ZXR10(config)#show ratelimit {all | host ip <ip-addr>}
    This views configuration information of Layer 3 rate limit.

    Example: This example shows how to configure Layer 3 rate limit.

        ZXR10(config)#nas
        ZXR10(config-nas)#ratelimit
        ZXR10(config-nas-ratelimit)#ip host 168.1.2.3
103. file name is zxr10.zar.

    4. Check whether the new version file is available in directory IMG in FLASH. If the new version file is unavailable, it indicates the copy failure; please execute step 3 to recopy the version.
    5. Copy the new version file in the directory IMG in FLASH to memory with update imgfile command.
    6. Reboot the secondary board with reload mp slave command.
    7. Switch over the primary board and secondary card with redundancy force command.
    8. Reboot the interface cards one by one with reload slot board unit number command.
    9. Check the running version to confirm whether the upgrade is successful or not.

    END OF STEPS

    Result: The version has been updated without interrupting the system.

    System Parameter Configuration

    Configuring a Hostname

    To set a hostname of the system, use the following command:

        ZXR10(config)#hostname <network-name>
    This sets hostname of system.

    Note: By default, the system hostname is ZXR10, which can be modified with the hostname command in the global configuration mode. Log on to the router again after hostname modification and the prompt will include the new hostname.

    Configuring a Welcome Message

    To set the welcome message upon system boot or when logging in on telnet, use the following command:

        ZXR10(config)#banner incoming
    This sets the greeting words.

    Exam
104. g Telnet
    Figure 6 Telnet Login Schematic Diagram
    Figure 7 Telnet Connection Limit Configuration Example
    Figure 8 Setting IP Address and Port of SSH Server
    Figure 9 Setting SSH Version
    Figure 10 WFTPD Window
    Figure 11 User Rights Security Dialog Box
    Figure 12 TFTPD Window
    Figure 13 Configuration Dialog Box
    Figure 14 CLI Privilege Classification Function
    Figure 15 Port Mirroring Configuration Example
    Figure 16 ERSPAN Example
    Figure 17 ERSPAN Configuration Example
    Figure 18 Port Loop Detection Configuration Example
    Figure 19 DHCP Server Configuration Example
    Figure 20 DHCP Relay Configuration Example
    Figure 21 DHCP Snooping Preventing False DHCP Server
    Figure 22 DHCP Snooping Preventing Static IP
    Figure 23 Basic VRRP Configuration Example
    Figure 24 Symmetric VRRP Configuration Example
    Figure 25 Configuring Event Linkage ACL Rule
    Figure 26 ACL Configuration Example
    Figure 27 Traffic Monitoring Working Flow
105. g one kind of traffic from another by examining the fields in the packet. Traffic classification of QoS is based on ACL and the ACL rule must be permitted. The user can classify packets according to some filter options of the ACL, which are as follows:

    Source IP address, destination IP address, source MAC address, destination MAC address, IP protocol type, TCP source port number, TCP destination port number, UDP source port number, UDP destination port number, ICMP type, ICMP code, DSCP, ToS, precedence, source VLAN ID, Layer 2 Ethernet protocol type and 802.1p priority value.

    Traffic Monitoring

    Traffic monitoring involves creating a policer that specifies the bandwidth limits for the traffic. Packets that exceed the limits are out of profile or nonconforming. Each policer specifies the action to take for packets that are in or out of profile. The following operations are specified by the policer:

    - Discard or forward.
    - Change its DSCP value.
    - Change its discard priority (packets with the higher discard priority are discarded preferentially in case of queue congestion).

    Traffic monitoring will not introduce extra delay, and its working flow is shown in Figure 27.

    Figure 27: Traffic Monitoring Working Flow (IP packet > Meter > Marker > Marked packet)

    ZXR10 8900 series switch implements Single Rate Three Color Marker (SrTCM, RFC2697) and Two Rate Three Color Marker (TrTCM, RFC2698) funct
106. gei_1/2)#queue-mode wrr 3 10

        ZXR10(config-gei_1/2)#queue-mode wrr 4 5
        ZXR10(config-gei_1/2)#queue-mode wrr 5 8
        ZXR10(config-gei_1/2)#queue-mode wrr 6 9
        ZXR10(config-gei_1/2)#queue-mode wrr 7 10
        ZXR10(config-gei_1/2)#priority 5

    Configuring Policy Routing

    To configure policy routing, use the following command:

        ZXR10(config)#redirect in <acl-number> rule-id <rule-no> {cpu | interface <port-name> | next-hop1 <ip-address> <priority>}
    This configures policy routing.

    Example: This example shows how to redirect packets. Redirect packets with source IP address 168.2.5.5 on gei_1/4 to gei_1/3. Designate the next hop IP address 166.88.96.56 to packets with destination address 66.100.5.6.

        ZXR10(config)#acl extended number 100
        ZXR10(config-ext-acl)#rule 1 permit ip 168.2.5.5 0.0.0.0 any
        ZXR10(config-ext-acl)#rule 2 permit ip any 66.100.5.6 0.0.0.0
        ZXR10(config-ext-acl)#exit
        ZXR10(config)#redirect in 100 rule-id 1 interface gei_1/3
        ZXR10(config)#redirect in 100 rule-id 2 next-hop1 166.88.96.56 1
        ZXR10(config)#interface gei_1/4
        ZXR10(config-if)#ip access-group 100 in

    Configuring Priority Mark

    To configure priority marking, use the following command:

        ZXR10(config)#priority-mark <acl-number> rule-id <rule-no> dscp <dscp-value> drop-precedence <drop-value> cos <cos-value> local-precedence <local-value> out-vlanID <vlan-id> pre
107. guration and ARP configuration

    Chapter 7 DHCP Configuration: This chapter introduces DHCP and related configuration on ZXR10 8912/8908/8905/8902.
    Chapter 8 VRRP Configuration: This chapter describes Virtual Router Redundancy Protocol (VRRP) on ZXR10 8912/8908/8905/8902.
    Chapter 9 ACL Configuration: This chapter introduces ACL and related configuration on ZXR10 8912/8908/8905/8902.
    Chapter 10 QoS Configuration: This chapter introduces QoS and related configuration on ZXR10 8912/8908/8905/8902.
    Chapter 11 DOT1x Authentication Configuration: This chapter introduces DOT1x Authentication configuration on ZXR10 8912/8908/8905/8902.
    Chapter 12 Cluster Management Configuration: This chapter introduces cluster management configuration on ZXR10 8912/8908/8905/8902.
    Chapter 13 Network Management Configuration: This chapter introduces Network management configuration on ZXR10 8912/8908/8905/8902.
    Chapter 14 IPTV Configuration: This chapter describes IPTV configuration, maintenance and diagnosis for ZXR10 8912/8908/8905/8902.
    Chapter 15 VBAS Configuration: This chapter describes VBAS on ZXR10 8912/8908/8905/8902.
    Chapter 16 CPU Attack Protection Configuration: This chapter describes configuration for CPU attack protection on ZXR10 8912/8908/8905/8902.
    Chapter 17 U
108. h

    3.  ZXR10#dir <directory>
        This displays files/subdirectory information under a designated directory.
    4.  ZXR10#delete <filename>
        This deletes the files under a designated directory of the current device.
    5.  ZXR10#cd <directory>
        This enables to enter the specified directory of the current device.
    6.  ZXR10#cd ..
        This returns to the superior directory.
    7.  ZXR10#mkdir <directory>
        This creates a new directory in flash.
    8.  ZXR10#rmdir <directory-name>
        This deletes the designated directory from flash.
    9.  ZXR10#rename <source-filename> <destination-filename>
        This modifies the name of the designated file or directory in flash.

    Result: File system management has been configured.

    Example: This example shows how to view the current files in the Flash.

        ZXR10#dir
        Directory of flash:/
           attribute   size       date          time       name
         1 drwx        512        MAY 17 2004   14:22:10   IMG
         2 drwx        512        MAY 17 2004   14:38:22   CFG
         3 drwx        512        MAY 17 2004   14:38:22   DATA
        65007616 bytes total (48863232 bytes free)
        ZXR10#cd img
        ZXR10#dir
        Directory of flash:/img
           attribute   size       date          time       name
         1 drwx        512        MAY 17 2004   14:22:10   .
         2 drwx        512        MAY 17 2004   14:22:10   ..
         3 -rwx        15922273   MAY 17 2004   14:29:18   ZXR10.ZAR
        65007616 bytes total (48863232 bytes free)
        ZXR10#

    Example: This example shows how to create a directory ABC in the Flash and then delete it
109. h certain features according to traffic classification. Redirection changes the transmission direction of packets and exports messages to the specific port, CPU or next hop IP address. Redirect packets to the next hop IP address to implement policy routing.

    In terms of packet forwarding control, policy-based routing has more powerful control capacity than traditional routing, because it can select a forwarding path according to the matched field in the ACL. Policy routing can implement traffic engineering to a certain extent, thus making traffic of different service quality or different service data (such as voice and FTP) go to different paths. Users have higher and higher requirements for network performance; therefore, it is necessary to select different packet forwarding paths based on the differences of services or user categories.

    Priority Mark

    Priority marking is used to reassign a set of service parameters to specific traffic described in the ACL to perform the following operations:

    - Change the CoS queue of the packet and change the 802.1p value.
    - Change the CoS queue of the packet and do not change the 802.1p value.
    - Change the DSCP value of the packet.
    - Change the discard priority of the packet.

    Traffic Mirroring

    Traffic mirroring is used to copy a service flow matching the ACL ru
110. he background host. A window appears as shown in Figure 12.

    Figure 12: TFTPD Window

    2. Click Tftpd > Configure. A dialog box appears. Click Browse and select the file saving version files or configuration files, such as D:\IMG. After configuration is completed, a dialog box appears as shown in Figure 13.

    Figure 13: Configuration Dialog Box

    3. Click OK to complete setting.

    END OF STEPS

    Result: TFTP client is configured. After enabling TFTP server, execute copy command in the switch to back up/restore file and import/export configuration.

    File Backup and Restoration

    Backing up Configuration File

    After saving the configuration file to startrun.dat with write command, users can back up the file to the background FTP/TFTP server to prevent the file from being destroyed.

    To back up the configuration file, use the following command:

        ZXR10#copy <source-device> <source-file> <destination-device> <destination-file>
    This backs up configuration file.

    Example: This example s
111. his configures ARP proxy on a Layer 3 interface.

    ARP Configuration Example

    This example shows how to configure ARP.

        ZXR10(config)#interface vlan 1
        ZXR10(config-if)#arp timeout 1200

    To view ARP entries of a specified interface, use the following command:

        ZXR10#show arp interface <interface-name>
    This views ARP entries of specified interface.

    Example: This example shows how to view the ARP table of Layer 3 interface VLAN1.

        ZXR10#show arp interface vlan 1
        Address Age(min) Hardware Addr Interface
        10411 7 x 000a 010c e2c6 vlani
        10 1 100 100 18 00b0 d08 820a vlan1
        ZXR10#

    To view ARP entries with keepalive attribute, use the following command:

        ZXR10#show arp rt
    This views ARP entries with keepalive attribute.

    ARP Query Example

    To view ARP entry with designated external VLAN ID and internal VLAN ID, use the following command:

        ZXR10#show arp exvlanID <id> invlanID <id>
    This views ARP entry with designated external VLAN ID and internal VLAN ID.

    Example: This example shows how to view the ARP table with external VLAN ID of 21 and internal VLAN ID of 31.

        ZXR10#show arp exvlanID 21 invlanID 31
        Arp protect whole is disabled
        The count is 2
        IPAddress Age HardwareAddress interface ExVlanID InVlanID
        sdl S 0000 0000 0001 gingl 21 31
        2 S 0000 0000 0001 gingl 21 31
112. hows copy command that takes a backup of configuration files in FLASH to the background TFTP server.

        ZXR10#copy flash: /cfg/startrun.dat tftp: //168.1.1.1/startrun.dat

    Restoring Configuration File

    To restore configuration files, use the following command:

        ZXR10#copy <source-device> <source-file> <destination-device> <destination-file>
    This restores configuration files.

    Example: This example shows copy command that restores backup configuration files from the background TFTP server.

        ZXR10#copy tftp: //168.1.1.1/startrun.dat flash: /cfg/startrun.dat

    Backing up System Software Version

    Before users upgrade the software version, it is necessary to take a backup of the running version files up to the background server. If the system fails to load the new version, users can restore the old version from the background server. Software version file backup is similar to configuration file backup.

    To back up version files, use the following command:

        ZXR10#copy <source-device> <source-file> <destination-device> <destination-file>
    This backs up version files.

    Example: This example shows copy command that takes a backup of the software version file in FLASH to directory IMG in the root directory of the background TFTP server.

        ZXR10#copy flash: /img/zxr10.zar tftp: //168.1.1.1/img/zxr10.zar
113. ic class. The level of sub policy should be lower.

        ZXR10(config-if)#qos policy <policy-name> {in | out} shaping <shaping-name>
    This applies policy to an interface. The interface can be a physical port, a Layer 2 VLAN port or a Smartgroup interface.

    10. To copy QoS policy, use the following command:

        ZXR10(config)#copy qos profile source <profile-name> destination <profile-name> overwrite

    If the source policy does not exist, system prompts error. If the policy name in destination has existed and users do not set the covering mode, system prompts error.

    11. To display policy, use the following command:

        ZXR10(config)#show qos policy <policy-name> detail
    This displays policy.

    When the policy name is not configured, information of all policies is displayed. If a policy name is configured, information of its sub policy is also displayed.

    12. To display policy statistic information on an interface, use the following command:

        ZXR10(config)#show qos policy statistics interface <name> vlan <vlan-id> {in | out}
    This displays policy statistic information on an interface.

    13. To clear policy statistic information on an interface, use the following command:

        ZXR10(config-if)#clear qos policy statistics {in | out}
    This clears policy statistic information on an interface.

    Example
114. ication by booting the client software. To support port-based access control, the client system needs to support the Extensible Authentication Protocol Over LAN (EAPOL).

    Authentication system is network equipment supporting the IEEE 802.1x protocol, such as the switch. Corresponding to every different user port (physical port, or MAC address, VLAN and IP of the user equipment), the equipment has two logical ports, composed of the controlled port and the uncontrolled port.

    Uncontrolled port is always in bidirectional connection state and delivers EAPOL protocol frames, thus ensuring that the client can always send or receive authentication.

    Controlled port opens upon success of the authentication and delivers network resources and services. The controlled port modes can be configured as bidirectional control and only-in-direction control to adapt to different application environments. When the user fails to pass authentication, the controlled port is in unauthenticated state and the user cannot access services offered by the authentication system.

    Controlled and uncontrolled ports in the IEEE 802.1x protocol are logical concepts, and no such physical switches exist in the equipment. The IEEE 802.1x protocol establishes a logical authentication channel for each user, and other users cannot use the logical chann
115. ich the IP address of VLAN interface can be pinged successfully.

    4. Run telnet command in the router. Input the IP address of the VLAN interface to log in to the switch. For the detailed procedures, please refer to Configuring Telnet Connection through Management Port.

    Note: When users perform Telnet configuration through a VLAN interface connecting to the switch, the IP address of VLAN and VLAN interface cannot be modified or deleted; otherwise Telnet is disconnected.

    Configuring Limit to Telnet Connections

    The number of Telnet connections can be limited by the following command configuration to enhance system security and practicability.

        ZXR10(config)#line telnet max-link <1-16>
    This adds limit to the number of connected users.

    Example: As shown in Figure 7, one PC is connected to interface gei_1/1. To telnet to the switch, conduct the following configuration.

    Figure 7: Telnet Connection Limit Configuration Example (labels: Switch, gei_1/1)

    Configuration of Switch:

        ZXR10(config)#line telnet max-link 2

    Configuring SSH Connection

    Telnet and FTP connections are not safe because they use plain text to transmit the password and data on the network. This results in data being easily intercepted by hackers. A disadvantage of the Telnet/FTP security authentication is that it is easily attacked by th
116. ig-if)#l2 protocol-protect alarm mode <protocolname> <alarm-limit>
    This configures alarm limit of Layer 2 protocol protection.

        ZXR10(config-if)#l2 protocol-protect average rate mode <protocol-name> <10-600>
    This configures the average rate of Layer 2 protocols.

        ZXR10(config-if)#l2 protocol-protect peak rate mode <protocol-name> <100-1000>
    This configures the peak rate of Layer 2 protocols.

    Note: Layer 2 protocol supported by CPU attack protection is LLDP.

    CPU Attack Protection Configuration Examples

    Example: This example shows how to enable OSPF protection function and to set alarm limit to be 2500.

        ZXR10#config terminal
        ZXR10(config)#inter gei_1/1
        ZXR10(config-if)#ipv4 protocol-protect mode ospf enable
        ZXR10(config-if)#ipv4 protocol-protect alarm mode ospf 2500

    Example: This example shows how to enable ICMP6 protection function and to set alarm limit to be 3200.

        ZXR10#config terminal
        ZXR10(config)#inter gei_1/1
        ZXR10(config-if)#ipv6 protocol-protect mode icmp enable
        ZXR10(config-if)#ipv6 protocol-protect alarm mode icmp 3200

    Working Principle
117. igured up to 32 policies and level 3 can be configured up to 8 policies.

    To delete a WRED policy, use no wred profile <profile-name> command. In global configuration mode, if a view is used, this view cannot be deleted. Default1, default2 and default3 cannot be deleted.

    2. To configure discarding parameters of WRED policy, use the following command:

        ZXR10(config)#wred color {red | yellow | green} min <0-256000> max <20-256000> percent <0-100>
    This configures discarding parameters of WRED policy.

    By default, the minimum and maximum values of red, yellow and green are 100 and the value of percent is 0.

    Configuring WFQ Policy

    To configure WFQ policy, perform the following steps:

    1. To create or enter a WFQ policy, use the following command:

        ZXR10(config)#wfq profile <profile-name> level <1-3>
    This creates or enters a WFQ policy.

    Instructions:

    - Users enter WFQ policy view after inputting this command. If the policy does not exist, users should input level to create a policy. Each level has a default WFQ. They are default1, default2 and default3.
    - By default, level 1 can be configured up to 64 policies, level 2 can be configured up to 64 policies, and level 3 can be configured up to 16 policies.

    To delete a WFQ policy, use no wfq profile <profile-name> com
118. iguring RADIUS Parameters
    Viewing RADIUS Information
    RADIUS Configuration Example
    SNMP Configuration
    SNMP Overview
    Configuring SNMP
    SNMP Configuration Example
    RMON Configuration
    RMON Overview
    Configuring RMON
    RMON Configuration Example
    SysLog Configuration
    SysLog Overview
    Configuring SysLog
    SysLog Configuration Example
    LLDP Configuration
    LLDP Overview
    Configuring LLDP
    LLDP Configuration Example
    IPTV Configuration
    IPTV Overview
    Configuring IPTV
    Configuring IPTV Global Parameters
    Configuring Global Parameters of IPTV Preview
119. information

        ZXR10#show group
    This displays cluster configuration information.

    4.  ZXR10#show zdp neighbour interface <interface> mac <mac-id>
        This displays ZDP neighbor.
    5.  ZXR10#show zdp device list
        This displays received equipment information.

        ZXR10#show group member member num <mem_id>
    This displays group member information.

    Note: To trace the transmitting and receiving packets condition and the handling condition of cluster management processes ZDP and ZTP, use the debug group command.

    Chapter 13 Network Management Configuration

    Table of Contents

    NTP Configuration
    RADIUS Configuration
    SNMP Configuration
    RMON Configuration
    SysLog Configuration
    LLDP Configuration

    NTP Configuration

    NTP Overview

    Network Time Protocol (NTP) is the protocol
120. ion file is zxr10.zar. If it uses other names, boot path must be modified in boot status. Otherwise, version cannot be loaded when users start the system. It is recommended to use the default file name.

    This directory is for saving configuration files whose name is startrun.dat. Information is saved in the Memory when users use commands to modify the switch configuration. To prevent the configuration information loss when the device restarts, use write command to write the information in the Memory into FLASH and save the information in the startrun.dat file. If it is necessary to clear the old configuration in the switch to reconfigure data, use delete command to delete the startrun.dat file, then restart the switch.

    DATA: This directory is for saving the log.dat file, which records alarm information.

    Note: If IMG, CFG or DATA is unavailable in FLASH, create them manually with mkdir command.

    Operating File System Management

    ZXR10 8900 series switch provides many commands for file operations. Command format is similar to DOS commands as present in Microsoft Windows Operating System.

    To configure file system management, perform the following steps:

        ZXR10#copy <source-device> <source-file> <destination-device> <destination-file>
    This copies files between Flash and FTP/TFTP server.

    pat
121. ions, which both support color-blind and color-aware modes.

    Meter works in two modes: color-blind mode and color-aware mode. It assumes that packets are colorless in color-blind mode, but assumes that packets are marked in a color in color-aware mode. A color is assigned to each packet passing through the switch according to a certain principle (packet information) on the switch. The Marker renders IP packets in the DS domain according to the results given by the Meter. The algorithms of the above two markers are described in detail below.

    SrTCM

    This algorithm is used in the Diffserv traffic conditioner to measure information flow and mark packets according to three traffic parameters: Committed Information Rate (CIR), Committed Burst Size (CBS) and Excess Burst Size (EBS). These parameters are called green, yellow and red markers. A packet is green if its size is less than CBS. A packet is yellow if its size is between CBS and EBS, and is red if its size exceeds EBS.

    TrTCM

    This algorithm is used in the Diffserv traffic conditioner to measure IP information flow and mark a packet in green, yellow or red according to the Peak Information Rate (PIR) and Committed Information Rate (CIR) and their relevant burst sizes (CBS and PBS). A packet is marked in red if its size exceeds PIR. A packet is marked in yellow if its size is between PIR an
122. itch. All version files are saved in the same directory. The version file loaded normally is named ZXR10.ZAR. When users are upgrading multiple switches, or when there are multiple version files in a switch, users who perform the usual upgrade steps are likely to be confused. Besides, users have to compare the memory that the version files take, which is inconvenient.

When a version file is being uploaded to flash, users can specify the directory and name of the version file, and then select the needed version file when booting the switch. This is the function that the version load selection module provides.

When the device is running normally, users can configure the version file name and directory to load when the device is next rebooted.

To configure the version load selection function, use the following command.

ZXR10(config)#nvram imgfile location local flash sd <filename> network <filename>
  This configures the location of the image file.

Chapter 3 System Management

Parameter descriptions:
local: Image file is in local device.
flash: The type of storage device from which version file is booted is flash.
sd: The type of storage device from which version file is booted is SD card.
network: Image file is on a network.
<filename>: File name, within 80 characters. The following characters are available in version file name: 0123456789abcdefghijklmnopqrstuvw
123. l packet will attack both S2 and S3.

Attackers may wage an attack by randomly changing the source address in the packet. In this example, the source address is one of the reserved non-global IP addresses and thus is unreachable. A legal IP address may also be used to wage an attack, as long as it is unreachable.

Module 2
Another network model is shown in Figure 38.

FIGURE 38 SOURCE ADDRESS SNOOPING 2

The attacker may forge a source address that is the address of another legal network and exists in the global routing table. For example, the attacker may forge a source address so that the attacked party will think that the attack comes from the forged source address, while in fact the source address is completely innocent. In addition, sometimes the network administrator will close all data flows coming from that source address, and this in return makes the attacker's DoS attack succeed.

A more complex scenario is that a TCP SYN flooding attack will cause TCP SYN-ACK data packets to be sent to many hosts completely independent of the attack, and such hosts will become victims. As a result, the attacker may spoof one or more systems at the same time.

Similarly, UDP and ICMP may be used to implement flooding attacks.

All these attacks will severely lower the system performance or even cause system to c
124. late

Configuring IPFIX

Basic Configuration

Enabling/Disabling IPFIX Module
ZXR10(config)#ip stream enable disable
  This enables/disables IPFIX module.

Setting IPFIX Memory Entries
ZXR10(config)#ip stream cache entries <number>
  This sets the number of data flow entries stored in IPFIX module, 4096 by default.

Setting Aging Time of Active Stream
ZXR10(config)#ip stream cache actinve number
  This sets aging time of active stream. For a long-time active stream, in case it exceeds the set aging time, this data flow will age out. The unit is minutes, 30 minutes by default.

Setting Aging Time of Inactive Stream
ZXR10(config)#ip stream cache inactive number
  This sets aging time of inactive stream. If data of a flow are not updated within the specified time, the aging information will be notified to stream record. The unit is seconds, 15 seconds by default.

Setting Sampling Rate
ZXR10(config)#interface <interface name>
  This enters interface configuration mode.
ZXR10(config-if)#netflow sample ingress egress
  This configures packet-number-based IPFIX sampling rate.

Setting NM Server Address and L4 Port ID
ZXR10(config)#ip stream export destination ip address udp port
  This sets the address and port ID of NM server to which packets are sent.
125. le generate CDR record

ZXR10(config-if)#iptv vlan <vlan idlist> <vlan name> max access <channel num>
  This sets max user accesses to channel.
ZXR10(config-if)#no iptv vlan id <vlan id> vlan name <vlan name> package name <package name> idlist <package idlist>
  This deletes package allocated to rule.

Configuring IPTV Fast Leave
To configure IPTV fast leave, perform the following steps.
  This enables IPTV fast leave function. To enable this function, igmp snooping function must be enabled in mvlan.

Managing IPTV Users
To manage IPTV users, use the following command.
ZXR10(config)#clear iptv client slot <slot number> index client index port <port name> vlan <vlan id>
  This manages IPTV users.

IPTV Configuration Example
Example: User who connects to port gei_1/1 is a requesting user of multicast group 224.1.1.1. Vlan ID of this multicast group is 100. There is only one channel with ID of 0. Configuration is shown below.

ZXR10(config)#iptv control enable
ZXR10(config)#iptv cac enable
ZXR10(config)#iptv channel mvlan 100 group 224.1.1.1
ZXR10(config)#interface gei_1/1
ZXR10(config-if)#iptv service start
ZXR10(config-if)#iptv control mode channel
ZXR10(config-if)#iptv channel i
126. le to the CPU or specific port to analyze and monitor packets during network fault diagnosis.

Traffic Statistics
Traffic statistics is used to sum up packets of the specific service flow, in order to understand the actual condition of the network and reasonably allocate network resources. The main content of traffic statistics is the number of packets received from the incoming direction of the port.

Queue Based Bandwidth Upper and Lower Threshold
Due to limited queue buffer resources, when network congestion occurs, multiple packets will compete to use limited resources. After configuring upper and lower thresholds on the outgoing interface, when multiple flows compete for limited resources, a cos queue flow can obtain a bandwidth that will be neither less than the bandwidth lower threshold nor more than the bandwidth upper threshold. In this way, no flow can occupy the entire bandwidth and leave the other flows without any bandwidth.

HQoS
Hierarchical QoS (HQoS) schedules and controls traffic by configuring a network topology extracted from the actual network, which ensures quality of network. HQoS has the following functions:

Supporting hierarchical scheduling
The most obvious characteristic of HQoS is hierarchical scheduling. It is used to simulate complex networks.

Supporting
127. log entries
index time description
1 05:40:14 test

SysLog Configuration

SysLog Overview
ZXR10 8900 series switch allows users to set and query logs. Log information makes regular maintenance of the routing switch easier. It allows viewing alarm information and port status changes on the routing switch. Logs can be displayed on the configured terminals in real time, or saved in files on the routing switch or on a background log server. The SysLog protocol can be enabled on ZXR10 8900 series switch to transmit logs to a background syslog server.

Chapter 13 Network Management Configuration

Configuring SysLog
To configure SysLog, perform the following steps.

1. ZXR10(config)#logging on
   This enables log.
2. ZXR10(config)#logging buffer <buffer size>
   This sets log buffer size.
3. ZXR10(config)#logging mode <mode> <interval>
   This sets a log cleanup mode.
4. ZXR10(config)#logging console <level>
   This sets level of logs to be displayed on a console interface or telnet interface.
5. ZXR10(config)#logging level <level>
   This sets the level of logs to be saved in the log cache.
6. ZXR10(config)#syslog on
   This enables SysLog protocol processing.
7. ZXR10(config)#syslog level <level>
   This sets a log level for SysLog protocol processing.
8. ZXR10(config)#syslog server vrf <vrf name> mng
   This sets the param
128. login after logging out other users.

When users perform Telnet configuration through the management port connecting to the switch, the IP address of the management port cannot be modified or deleted; otherwise Telnet will be disconnected.

Configuring Telnet Connection through Host
To configure a telnet connection to a switch through a VLAN port, perform the following steps.
1. Configure IP addresses of VLAN and VLAN interface through Console port.
2. Configure username and password of Telnet login through Console port.
3. Connect the host network interface to the Ethernet port of switch.
4. Set IP address of host, enabling the host to ping the IP address of VLAN interface in the switch successfully.
5. Execute telnet command in the host. Input the IP address of VLAN interface and log in to the switch. For the detailed procedures, please refer to Configuring Telnet Connection through Management Port.

Configuring Telnet Connection through Other Devices Such as Switch or Router
To configure telnet connection through other devices such as switch and router, perform the following steps.
1. Configure IP address of VLAN and VLAN interface through Console port.
2. Configure username and password of Telnet login through Console port.
3. Take a router connected to a switch as an example, from wh
129. m neighbor devices.
3. Local device saves network management information received from neighbor devices in MIB. Network management software can search the connection information of link layer in the MIB.

LLDP is neither a configuration protocol of remote systems nor a signal control protocol for ports. LLDP only finds out the difference of Layer 2 protocol configuration on neighbor devices and reports the problem to the upper layer. It does not provide a corresponding mechanism to solve the problems.

Generally speaking, LLDP is a kind of neighbor discovery protocol, providing a standard for devices in Ethernet such as switches, routers and wireless LAN access points. It helps a device tell its neighbors of its existence and save discovery information about the neighbors. Information such as configuration and device identifier can be notified by LLDP.

LLDP defines a universal advertisement set, a protocol for notifying advertisement messages and a method to save received advertisement messages. The devices can use a Link Layer Discovery Protocol Data Unit (LLDPDU) to notify multiple advertisement messages. The LLDPDU contains a short message unit of variable length, called Type Length Value (TLV).

Type: the type of the message to be sent.
Length: the byte number of the message to be sent.
Value: the effective information of the message to be sent.

Each LLDPDU includes four compulsory TLVs and an optional TLV.
Device ID TLV
130. mand. In global configuration mode, if a view is used, this view cannot be deleted. Default1, default2 and default3 cannot be deleted.

2. To configure discarding parameters of WFQ policy, use the following command.
ZXR10(config-wfq)#weight <1-256>
  This configures discarding parameters of WFQ policy. By default, the weight is 1.

Configuring Traffic Shaping
To configure traffic shaping policy, perform the following steps.

1. To create or enter a traffic shaping policy, use the following command.
ZXR10(config)#shaping profile <profile name> level <2-4>
  This creates or enters a traffic shaping policy.

Instructions:
Users enter traffic shaping policy view after inputting this command. If the policy does not exist, users should input level to create a policy.
Each level has a default shaping. They are default2, default3 and default4.
By default, level 2 can be configured up to 254 policies, level 3 can be configured up to 15 policies and level 4 can be configured up to 31 policies.
To delete a WRED policy, use no shaping profile <profile name> command. In global configuration mode, if a view is used, this view cannot be deleted. Default1, default2 and default3 cannot be deleted.

2. To configure discarding parameters of traffic shaping polic
131. ZXR10(config)#show qos name <acl name> number <acl number>
  This views QoS configuration information.

Example: This example shows how to view QoS configuration information.

ZXR10(config)#acl standard number 1
ZXR10(config-std-acl)#rule 1 permit 100.1.1.1
ZXR10(config-std-acl)#exit
ZXR10(config)#traffic limit 1 rule id 1 cir 10000 cbs 2000 ebs 2000 mode blind
ZXR10(config)#show qos
traffic limit 1 rule id 1 cir 10000 cbs 2000 ebs 2000 mode blind

Chapter 11 DOT1x Configuration

Table of Contents
DOT1x Overview
Configuring DOT1x
DOT1x Configuration Examples
DOT1x Maintenance and Diagnosis

DOT1x Overview
DOT1X is IEEE 802.1x, a port-based network access control protocol. It optimizes the authentication mode and authentication architecture and solves the problems caused by traditional PPPoE and Web Portal authentication modes; therefore it is more suitable for broadband Ethernet.

The IEEE 802.1x protocol architecture contains three major parts: supplicant system, authenticator system and authentication server system.

Supplicant System
Client system is a user terminal system where client software is often installed. User originates IEEE802.1x protocol authent
132. mit deny ip <source> any <dest> any time range <timerange name>
  This defines ACL rule.
ZXR10(config-ext-v6acl)#move <rule no> after before <rule no>
  This moves a rule.
ZXR10(config-ext-v6acl)#attach time range <Time range name> to <rule id>
  This binds a time range to a rule.

Chapter 9 ACL Configuration

Example: This example shows how to configure extended IPv6 ACL. It defines an ACL that allows packets from network segment 3000::/16 to 4000::/16 to pass.

ZXR10(config)#ipv6 acl extended 2500
ZXR10(config-ext-v6acl)#rule 1 permit 3000::/16 4000::/16

Defining Customized ACL
To configure customized ACL, perform the following steps.

ZXR10(config)#acl user defined number <3000-3499> name <acl name> alias <alias name>
  This enters basic ACL configuration mode.
ZXR10(config-user-acl)#rule rule id permit deny any tag tag num offset <rule string rule mask>&<1-4> time range <timerange name>
  This defines ACL rule.
ZXR10(config-user-acl)#move rule no after before <rule no>
  This moves a rule.
ZXR10(config-user-acl)#attach time range <Time range name> to <rule id>
  This binds a time range to a rule.

Example: This example shows how to configure extended IPv6 ACL. A user defines an ACL to allow packets with
133. nabling ZTP
To enable ZTE Topology Protocol (ZTP), perform the following steps.

ZXR10(config)#ztp enable
  This enables ZTP function globally.
ZXR10(config)#interface interface name
  This enters interface configuration mode.
ZXR10(config-if)#ztp enable
  This enables ZTP function on an interface.
ZXR10(config-if)#exit
  This exits interface configuration mode.
ZXR10(config)#ztp vlan vlanID
  This conducts ZTP topology collection on different VLANs.
ZXR10(config)#ztp hop number
  This sets the number of hops of ZTP topology collection.
ZXR10(config)#ztp hop delay <time>
  This sets each hop delay in sending ZTP protocol packets.
ZXR10(config)#ztp port delay <time>
  This sets delay in sending ZTP protocol packets on the port.
ZXR10(config)#ztp start
  This conducts topology collection once.
ZXR10(config)#ztp timer time
  This sets ZTP timing topology collection time.

Setting up a Cluster
To set up a cluster, perform the following steps.

1. ZXR10(config)#group switch type candidate independent commander ip pool <ip addr> mask <net mask> length <mask_len>
   This configures the role of a switch and assigns an IP address pool to the cluster.
2. ZXR10(config)#group name <name>
   This changes the name of a cluster.
3. ZXR10(config)#group handtime <time>
   This configures the handshake time.
4. ZXR10(config)#group holdtime time
   This configures holdtime between member switch and comm
134. nd

Applying NP Based ACL to VLAN
To apply NP based ACL to VLAN, perform the following steps.
1. ZXR10(config)#vlan <vlan number>
   This enters VLAN configuration mode.
2. ZXR10(config-vlan)#ip access group senior <acl number | acl name> in out
   This applies NP based ACL to VLAN.
To cancel application of NP based ACL to VLAN, use no ip access group senior <acl number | acl name> in out command.

Applying NP Based ACL to Smartgroup Interface
To apply NP based ACL to Smartgroup interface, perform the following steps.
1. ZXR10(config)#interface smartgroup number
   This enters Smartgroup interface configuration mode.
2. ZXR10(config-if)#ip access group senior <acl number | acl name> in out
   This applies NP based ACL to Smartgroup interface.
To cancel application of NP based ACL to Smartgroup interface, use no ip access group senior <acl number | acl name> in out command.

ACL Configuration Example
A company has an Ethernet switch to which users of both A and B department and servers are connected. This is shown in Figure 26. The relevant provisions are as follows:

Users of both A and B department are forbidden to access the FTP server and the VOD server in work time (9:00-17:00), but can access the Mail server at any time.
Internal users can access
135. nd restrict network use by certain users or devices. ACL can filter traffic as it passes through a router and permit or deny packets at specified interfaces.

An ACL is a sequential collection of permit and deny conditions that apply to packets. When a packet is received on an interface, the switch compares the fields in the packet against any applied ACL to verify that the packet has the required permissions to be forwarded, based on the criteria specified in the access lists. It tests packets against the conditions in an access list one by one. The first match determines whether the switch accepts or rejects the packets, because the switch stops testing conditions after the first match. The order of conditions in the list is therefore critical. When there are no conditions matched, the switch rejects the packets. If there are no restrictions, the switch forwards the packet; otherwise the switch drops the packet.

Packet matching rules defined by the ACL are also used in other conditions where distinguishing traffic is needed. For instance, the matching rules can define the traffic classification rule in the QoS.

ZXR10 8900 series switch provides seven types of ACLs:

Standard ACL: Only source IP addresses are matched against the ACL.
Extended ACL: Source/destination IP address, IP protocol type, TCP source/destination port number, TCP control, UDP source/destination port number, ICMP type, ICMP code, DiffServ Code Point (DSCP), ToS and preceden
136. nfiguring URPF
URPF Configuration Example
URPF Maintenance and Diagnosis
IPFIX Configuration
IPFIX Overview
IPFIX Overview
Sampling
Timeout Management
Data Output
Configuring IPFIX
Basic Configuration
Enabling/Disabling IPFIX Module
Setting IPFIX Memory Entries
Setting Aging Time of Active Stream
Setting Aging Time of Inactive Stream
Setting Sampling Rate
Setting NM Server Address and L4 Port ID
Setting Source Address for Network Device Sending Packets
Setting Template Refresh Rate
Configuring TOPN
Template Configuration
Setting Template
Setting Data Field Contained in Template Packet
Deleting Template
137. nformation, use the following command.

ZXR10#show diagnostic information detail module <module name> begin exclude include begin exclude include module <module name> begin exclude include save
  This displays information of the whole system for malfunction analysis when malfunction occurs in the system or a module.

By default, there is no parameter and brief system information is displayed page by page. The displayed information is not saved by default.

Parameter descriptions:
detail: Display detailed system information.
module <module name>: Display information of designated module.
begin: Display configuration information beginning with designated character or character string.
include: Display configuration information including designated character or character string.
save: Save current system information to flash.
exclude: Display configuration information excluding designated character or character string.

Chapter 4 CLI Privilege Classification

Table of Contents
CLI Privilege Classification Overview
Configuring CLI Privilege Classification
CLI Privilege Classification Configuration Example
Maintenance an
138. ng Telnet Connection through Management Port

To configure telnet connection through the management Ethernet interface (10/100Base-TX) on the main board, perform the following steps.
1. Configure IP address of management port through Console port.
2. Configure username and password of Telnet login through Console port.
3. Use straight-through Ethernet cable to connect host network interface and switch management Ethernet interface.
4. Set the IP address of the host so that it is a part of the same network segment as the switch management Ethernet interface.
5. Execute telnet command in the host. Input the IP address of switch management Ethernet port, as shown in Figure 5.

Chapter 2 Usage and Operation

FIGURE 5 RUNNING TELNET (Windows Run dialog with "telnet 192.168.3.1" entered)

Click OK. A window appears as shown in Figure 6.

FIGURE 6 TELNET LOGIN SCHEMATIC DIAGRAM

Input valid username and password to enter switch configuration mode.

Note: ZXR10 8900 series switch allows up to four Telnet users logging in simultaneously. If appears after inputting username and password, it indicates that the number of users reaches the limit; please retry later or re
139. ng a certain host in the network.

IP addresses are divided into five classes: A, B, C, D and E. The first three classes are commonly used. Addresses of class D are network multicast addresses, and addresses of class E are reserved. Range of each class is shown in Table 5.

TABLE 5 IP ADDRESS FOR EACH CLASS
0.0.0.0 to
128.0.0.0 to 191.255.255.255
192.0.0.0 to 223.255.255.255
1110, Multicast address, 224.0.0.0 to 239.255.255.255
240.0.0.0 to

Some addresses of Class A, B and C are reserved for private networks. It is recommended that the internal network should use the private network addresses. They are:
Class A: 10.0.0.0 to 10.255.255.255
Class B: 172.16.0.0 to 172.31.255.255
Class C: 192.168.0.0 to 192.168.255.255

This address classification method is to facilitate routing protocol design. With this method, the network type can be known just from the prefix characteristic bit of the IP address. This method, however, cannot make the best of the address space. With the dramatic expansion of the Internet, the problem of address shortage becomes increasingly serious.

To make the most of IP addresses, a network can be divided into multiple subnets. Borrow some bits from the highest bit of the host bit
140. ng to vlan100. Enable DHCP snooping function on the switch to prevent setting false DHCP server in the network, as shown in Figure 21. At this time, it is required to enable DHCP snooping function in vlan100 and set fei_1/1 as a trust port.

FIGURE 21 DHCP SNOOPING PREVENTING FALSE DHCP SERVER

Configuration on the switch:
ZXR10(config)#interface fei_1/1
ZXR10(config-if)#sw ac vlan 100
ZXR10(config)#interface fei_1/2
ZXR10(config-if)#sw ac vlan 100
ZXR10(config)#vlan 100
ZXR10(config-vlan)#ip dhcp snooping
ZXR10(config)#ip dhcp snooping enable
ZXR10(config)#ip dhcp snooping vlan 100
ZXR10(config)#ip dhcp snooping trust fei_1/1

DHCP Snooping Preventing Static IP Configuration Example
DHCP server belongs to vlan100 and the PCs belong to vlan200. The PC gets IP address through the server. At this time, it is necessary to forbid the PCs to set static IP address, through DHCP snooping and dynamic ARP inspection. This is shown in Figure 22.

Chapter 7 DHCP Configuration

FIGURE 22 DHCP SNOOPING PREVENTING STATIC IP

Configuration on the switch:
ZXR10(config)#ip dhcp snooping enable
ZXR10(config)#ip dhcp snooping vlan 100
ZXR10(config)#ip arp inspection vlan 100

DHCP Maintenance and Diagnosis
To configure DHCP mai
141. nosis analysis test is used. Link will disconnect and then become normal. It is usually used to test the faulty ports. Be careful when the port is connected with users.

This example shows how to detect link of port gei_3/1.

ZXR10(config)#show vct interface gei_3/1
CableStatus Fault
Pair    1-2   3-6   4-5   7-8
Status  Open  Open  Good  Good
Length  4m    4m    50m   50m
ZXR10(config)#

Port Mirroring Configuration

Port Mirroring Overview
Port mirroring function copies the data of one or more ports (mirrored ports) in the switch to a designated port (monitoring port). The data of the mirrored port can be retrieved at the monitoring port by mirroring, which makes it possible to perform network flow analysis and error diagnosis.

Port mirroring function on ZXR10 8900 series switch complies with the following rules:

It supports up to 8 groups of port mirroring; each can support up to 8 mirrored ports.
In one interface board, one group of port mirroring can be configured at maximum.
It supports cross-interface-board port mirroring, for example, the mirrored port and the monitoring port can be in different interface boards; here the switch can be configured with one port mirroring at most.
Monitor the data transmitted or received by the mirrored port only.

Configuring Port Mirroring
To configure port mirro
142. ntenance and diagnosis, perform the following steps.

ZXR10#show ip dhcp server user slot <slot id>
  This displays list of current online users on DHCP server process module.
ZXR10#show ip local pool <pool name>
  This displays configuration information of local address pools.
ZXR10#show ip interface
  This displays configuration information of DHCP server/relay related to an interface.
ZXR10#show ip dhcp snooping configure
  This displays DHCP snooping global configuration information.
ZXR10#show ip dhcp snooping vlan <vlan id>
  This displays configuration information of VLAN that enables DHCP snooping function.
ZXR10#show ip dhcp snooping trust
  This displays configuration information of DHCP snooping trust interface.
ZXR10#show ip dhcp snooping database slot <slot id>
  This views information in DHCP Snooping database.
ZXR10#show ip arp inspection vlan <vlan id>
  This displays configuration information of VLAN that enables dynamic ARP inspection function.
ZXR10#debug ip dhcp
  This tracks packet sending and receiving as well as processing on DHCP server/relay.

Chapter 8 VRRP Configuration

Table of Contents
VRRP Overview
Configuring VRRP
VRRP Config
143. Note:
To disable VBAS, use no vbas enable command in global configuration mode.
To disable VBAS in a designated VLAN, use no vbas enable command in vlan configuration mode.
To close a trust port, use no vbas trust command in interface configuration mode.

VBAS Configuration Example
This example describes how to start VBAS function on switches. Configure VBAS and enable vlan as vlan1; configure fei_1/1 as trust port, its type is user.

ZXR10(config)#vbas enable
ZXR10(config)#vlan 1
ZXR10(config-vlan)#vbas enable
ZXR10(config-vlan)#exit
ZXR10(config)#interface fei_1/1
ZXR10(config-if)#vbas trust
ZXR10(config-if)#vbas port type user

VBAS Maintenance and Diagnosis
To configure maintenance and diagnosis, use the following command.
ZXR10#debug vbas
  This starts VBAS debug function and outputs the debug information.

Chapter 16 CPU Attack Protection Configuration

Table of Contents
CPU Attack Protection Overview
CPU Attack Protection Principle
Configuring CPU Attack Protection
CPU Attack Protection Configuration Examples

CPU Attack Protection Overview
Wide use of Internet and IP technology are bringing great changes to the worl
144. ommunicate with outside world only when all routers in the VRRP group work abnormally.

These routers can be configured into multiple groups for mutual backup. The hosts in the domain use different IP addresses as gateway to implement data load balance.

Configuring VRRP
To configure VRRP, perform the following steps.

ZXR10(config)#interface vlan <vlan number>
  This enters Layer 3 VLAN interface configuration mode.
ZXR10(config-if)#vrrp group ip ip address secondary
  This sets a VRRP virtual IP address and runs VRRP on an interface.
ZXR10(config-if)#vrrp group priority priority
  This configures a VRRP priority, with 100 by default.
ZXR10(config-if)#vrrp group preempt delay seconds
  This configures whether to enable preempt.
ZXR10(config-if)#vrrp group advertise msec <interval>
  This configures time interval for sending VRRP advertisements.
ZXR10(config-if)#vrrp group learn
  This learns the time interval from primary gateway to send VRRP messages.
ZXR10(config-if)#vrrp group authentication <string>
  This configures authentication character string.
ZXR10(config-if)#vrrp group out interface <interface name>
  This configures the out interface of VRRP messages.

Note: A VRRP group can be configured
145. on mark in any command mode prompt; all commands and brief command descriptions of the mode are displayed. For example:

ZXR10>?
Exec commands:
  enable  Turn on privileged commands
  exit    Exit from the EXEC
  login   Login as a particular user
  logout  Exit from the EXEC
  ping    Send echo messages
  quit    Quit from the EXEC
  show    Show running system information
  telnet  Open a telnet connection
  trace   Trace route to destination
  who     List users who is logining on
ZXR10>

Input a question mark following a character or character string; the list of commands or key words with the character or character string as the prefix is displayed. For example:

ZXR10#co?
configure copy
ZXR10#co

Note: There is no space between the character (character string) and the question mark.

Press Tab after the character string; if the command or key word with the character string as the prefix is unique, it is completed and a space is added after it. For example:

ZXR10#con<Tab>
ZXR10#configure

Note: There is no space between the character string and Tab.

Input a question mark after commands, key words and parameters. It is possible to list the key words or parameters to be input. For example:

ZXR10#configure ?
  terminal  Enter configuration mode
ZXR10#configure

Note: A space should be input before the question mark
146. onfigures the sending nform trap version 1 2c 3 <community> address port version and inform for the host

7 ZXR10 config show snmp
  This displays the statistics on SNMP messages.
ZXR10 config show snmp config
  This displays configuration information of SNMP module.

Note:
For step 2, include or exclude adds or removes subtree ID from specified view. Configurations are allowed for many times for the same <view name>, which results in a set of cooperating commands.
For step 3, sysContact is a management variable in system group in MIB II. It contains ID and contact of the person relevant to a managed device.
For step 4, sysLocation is a management variable in system group in MIB II. It contains the positions of managed devices.
For step 5, Trap is the information a managed device sends to Network Management System (NMS) without request. It is used to report emergent and important events.
For step 6, ZXR10 8900 series switch supports 5 types of conventional traps: snmp, bgp, ospf, rmon and stalarm.

SNMP Configuration Example

This example describes the configuration of SNMP.

ZXR10 config snmp server view myViewName 1.3.6.1.2.1 included
ZXR10 config snmp server community myCommunity view myview rw
ZXR10 config snmp host 168.1.1.1 ver
147. permit ip any 192.168.3.100 0.0.0.0
ZXR10 config ext acl rule 3 permit ip any any
ZXR10 config ext acl exit
ZXR10 config priority mark 100 rule id 1 dscp 62 cos 7
  (To ensure the QoS of VOD, change the 802.1p value to 7.)
ZXR10 config traffic limit 100 rule id 2 cir 5000 cbs 2000 ebs 3000 mode blind
  (Limit the bandwidth of the access from Network A to the Internet.)
ZXR10 config traffic statistics 100 rule id 2 pkt type all statistics type byte
  (Collect the statistics on the traffic of Network A.)
ZXR10 config interface gei 1 1
ZXR10 config if ip access group 100 in
ZXR10 config if exit
  (Apply ACL 100 to the interface connecting to Network A.)
ZXR10 config acl extended number 101
ZXR10 config ext acl rule 1 permit tcp 192.168.2.0 0.0.0.255 192.168.4.70 0.0.0.0
ZXR10 config ext acl rule 2 permit ip any 192.168.3.100 0.0.0.0
ZXR10 config ext acl rule 3 permit ip any any
ZXR10 config ext acl exit
ZXR10 config priority mark 101 rule id 1 dscp 62 cos 7
  (To ensure the QoS of VOD, change the 802.1p value to 7.)
ZXR10 config traffic limit 101 rule id 2 cir 10000 cbs 2000 ebs 3000 mode blind
  (Limit the bandwidth of the access from Network B to the Internet.)
ZXR10 config traffic statistics 101 rule id 2 pkt type all statistics type byte
  (Collect the statistics on the traffic of Network B.)
ZXR10 config interface gei 1 2
148. ping

To configure DHCP snooping, perform the following steps:

1 ZXR10 config ip dhcp snooping enable
  This enables DHCP snooping process.
ZXR10 config ip dhcp snooping vlan <vlan id>
  This enables DHCP snooping in a VLAN.
ZXR10 config ip dhcp snooping trust <port number>
  This configures an interface on DHCP server to be a trust interface.
ZXR10 config ip dhcp snooping binding <mac address> vlan <vlan id> <ip address> port number expiry time
  This adds an entry to DHCP Snooping database.
5 ZXR10 config ip arp inspection vlan vlan id
  This configures dynamic ARP inspection.

DHCP Configuration Examples

DHCP Server Configuration Example

The switch acts as the DHCP server and default gateway. The host obtains IP address through the DHCP dynamically, as shown in Figure 19.

[Figure 19: DHCP Server Configuration Example. Labels: DNS server 10.10.2.2/24; 10.10.1.1/24; FTP server 10.10.1.2/24]

Configuration on the switch:

ZXR10 config ip dhcp server dns 10.10.2.2
ZXR10 config ip dhcp server leasetime 90
ZXR10 config ip local pool dhcp 10.10.1.3 10.10.1.254 255.255.255.0
ZXR10 config interfac
149. ple

This example shows how to configure welcome message upon system boot.

ZXR10 config banner incoming 4
Enter TEXT message End with the character
**********************************
Welcome to ZXR10 Router World
**********************************
ZXR10 config

Configuring a Password of Privileged Mode

To prevent an unauthorized user from modifying the configuration, use the following command:

ZXR10 config enable secret 0 <password> 5 password password
  This sets password.

Configuring Telnet Username and Password

To set Telnet username and password, use the following command:

ZXR10 config username username password <password>
  This sets Telnet user and password.

Configuring System Time

To set system time, use the following command:

ZXR10 config clock set <current time> <month> <day> <year>
  This sets system time.

Configuring Version Load Selection

When users upgrade switch versions, the old version files are usually kept in case of upgrade failure. The operation steps are described below.
1 Modify the name of old version file
2 Upload new version file to the switch
3 Reboot the sw
150. List of Glossary

AAA Authentication Authorization and Accounting
ACL Access Control List
ARP Address Resolution Protocol
BAS Broadband Access Server
BOOTP BOOTstrap Protocol
CBS Committed Burst Size
CIR Committed Information Rate
CLI Command Line Interface
CoS Class of Service
DHCP Dynamic Host Configuration Protocol
DSCP Differentiated Services Code Point
DSLAM Digital Subscriber Line Access Multiplexer
DWRR Deficit Weighted Round Robin
EAPOL Extensible Authentication Protocol Over LAN
EBS Excess Burst Size
FTP File Transfer Protocol
ICMP Internet Control Message Protocol
IP Internet Protocol
IPTV Internet Protocol Television
LLDP Link Layer Discovery Protocol
LLDPDU Link Layer Discovery Protocol Data Unit
MAC Media Access Control
MIB Management Information Base
NMS Network Management System
NTP Network Time Protocol
PBS Peak Burst Size
PIR Peak Information Rate
PVID Port VLAN ID
QoS Quality of Service
RADIUS Remote Authentication Dial In User Service
RARP Reverse Address Resolution Protocol
RFC Request For Comments
RMON Remote Monitoring
SNMP Simple Network Management Protocol
SP Strict Priority
151. priority

5 To apply WFQ policy to a traffic class, use the following command:

ZXR10 config qpolicy class wfq profile <profile name>
  This applies WFQ policy to a traffic class.

By default, a traffic class is associated with a default WFQ policy of corresponding level. If the WFQ policy does not exist, system prompts error. To cancel WFQ policy of a traffic class, use no wfq profile command.

6 To apply WRED policy to a traffic class, use the following command:

ZXR10 config qpolicy class wred profile <profile name>
  This applies WRED policy to a traffic class.

By default, a traffic class is associated with a default WRED policy of corresponding level. To cancel WRED policy of a traffic class, use no wred profile command.

7 To apply shaping policy to a traffic class, use the following command:

ZXR10 config qpolicy class shaping profile <profile name>
  This applies shaping policy to a traffic class.

By default, a traffic class is associated with a default shaping policy of corresponding level. Traffic class of level 1 can not be associated with a shaping policy. To cancel shaping policy of a traffic class, use no shaping profile command.

8 To apply sub policy to a traffic class, use the following command:

  This applies sub policy to a traff
152. r vlan <vlan number> slot <slot number> index <index number> statistics
  This displays all dot1x authenticated users.
ZXR10 config nas clear client slot <slot number> index <index number> port <port name> vlan vlan id
  This deletes a specified user.

DOT1x Configuration Examples

Dot1x Radius Authentication Application

Workstation of a user is connected to Ethernet A of the Ethernet switch. This is shown in Figure 30.

[Figure 30: Dot1x Radius Authentication Application. Labels: Radius server 10.1.1.1, 10.1.1.2; A; Internet; Authenticator]

The following procedures are required to be implemented on the switch:

Conduct user access authentication on each port to control the user's access to the Internet. It is required that the access control mode is MAC address based access control mode.
All AAA access users belong to the default domain zte163.net.
This authentication and RADIUS authentication are conducted at the same time. Disconnect the user and make it offline if RADIUS accounting fails. Do not add the domain name after the user name during access.
Connect the server group composed of two RADIUS servers to the switch. IP addresses of these servers are 10.1.1.1 and 10.1.1.2 respectively. It is required that the former serves as th
153. rash. URPF is a technology to guard against such attacks.

Configuring URPF

There are three types of URPF: Strict URPF (SRPF), Loose URPF (IRPF), and URPF that ignores the default route (InRPF).

To configure URPF, perform the following steps:

ZXR10 config if ip verify strict loose loose ingoring default route
  This enables the URPF check function on an interface.
2 ZXR10 config if urpf log on off
  This enables or disables the URPF log function.

Note: In step 1, the parameters are described below.
Strict means that if the egress port found by source IP address is different from the data ingress port, the packet will be discarded; otherwise it will be processed in the normal way.
Loose means that if the source IP address can find a route, and the egress port and ingress port of default route are coincident, the packet will be processed in the normal way; otherwise it will be discarded.
Loose ingoring default route means that if the source IP address can find a route and the route is not the default route, the packet will be processed in the normal way. Otherwise it will be discarded.

URPF Configuration Example

URPF network topology is shown in Figure 39.

[Figure 39: URPF Configuration Example. Labels: VLAN10 192.168.0.1/24; Networks 192.168.0.0/24; VLAN30; VLAN20; 133.1.0.1/24; 100.1.1.2/24; VLAN20 100.1.1.1/24; Networks 133 1 0
154. re allowed or not and configures user quota

ZXR10 config nas aaa rule id default isp isp name
  This configures the default ISP server name.
1 ZXR10 config nas aaa <rule id> fullaccount enable disable
  This configures whether to contain ISP domain name in user name.
ZXR10 config nas aaa <rule id> groupname <group name>
  This configures a group name.
ZXR10 config nas aaa <rule id> keepalive enable period <period value> disable interval
ZXR10 config nas aaa rule id radius server accounting authentication <group number>
  This binds an AAA control entry with the radius server group.
13 ZXR10 config nas aaa rule id authorization auto unauthorized authorized
  This configures the authorization mode.

Note: To clear an AAA control entry, use clear aaa <rule id> command.

Configuring DOT1x Parameters

To configure DOT1x, perform the following steps:

ZXR10 config nas
  This enters nas configuration mode.
ZXR10 config nas dot1x re authentication enable period <period> disable
  This configures dot1x re authentication cycle.
ZXR10 config nas dot1x quiet period period
  This configures quiet period of dot1x authentication.
ZXR10 config nas dot1x tx period period
  This sets seconds for timeout and resending reque
155. ring, perform the following steps:

ZXR10 config monitor session <session number>
  This creates a session.
ZXR10 config if monitor session <session number> source direction both cpu rx cpu tx tx rx
  This sets mirrored port.
ZXR10 config if monitor session <session number> destination
  This sets monitoring port.
ZXR10 config show monitor session all <session number>
  This views configuration and status of port mirroring.

Port Mirroring Configuration Example

As shown in Figure 15, port gei_3 3 is connected with a monitoring computer.

[Figure 15: Port Mirroring Configuration Example. Labels: Switch; Gei_3 3; Gei 1 1; Gei 1 2]

To monitor the data received by gei 1 1 as well as the data received and transmitted by gei 1 2, the configuration on the switch is shown below:

ZXR10 config interface gei 1 1
ZXR10 config if monitor session 1 source direction rx
ZXR10 config interface gei 1 2
ZXR10 config if monitor session 1 source
ZXR10 config interface gei 3 3
ZXR10 config if monitor session 1 destination

To monitor the data received by gei 1 1, gei 1 2 and gei 2 2, the switch can be configured either in interface configuration mode or global configuration mode. Configuration in global configuration mode is shown below:

ZXR10 config monitor session 1 source
156. rohibited from passing. When jumbo frame is allowed, the maximum allowed length is 9216 bytes. To prohibit jumbo frame to pass the Ethernet port, use jumbo frame disable command.

Configuring Broadcast Storm Suppression

To configure Ethernet port broadcast storm suppression, perform the following steps:

ZXR10 config interface <port name> byname <by name>
  This accesses port configuration mode.
ZXR10 config if broadcast limit percent <percent> value <value>
  This configures Ethernet port broadcast storm suppression.

Note:
It is possible to limit the volume of broadcast flow that is allowed to pass through the Ethernet port. System discards the broadcast flow exceeding the set value to lower the rate of broadcast flow to a reasonable range. It suppresses broadcast storm and avoids network congestion, ensuring normal operation of network service.
Broadcast storm suppression ratio takes the line speed percentage of maximum flow as the parameter. If percentage is lower, then allowed broadcast flow is smaller as well. 100 means that the broadcast storm passing through the port is not suppressed.

Configuring Multicast Suppression

To configure multicast suppression of Ethernet port, perform the following steps:

ZXR10 config interface l
157. ZXR10 write cmdlog flash sd start time date time end time date time filename <filepath file>
  This saves the contents in command log buffer as a file. The file is saved in flash data directory.

Parameter descriptions:

start time date time
  The starting time when alarms begin to be recorded. By default, it is the time of the earliest alarm log in current alarm buffer.
end time date time
  The time when alarm occurs. By default, it is the time of the latest alarm log in current alarm buffer.
Command log file is saved to flash. Log file is saved to SD card. By default, it is saved to flash.
filename <filepath file>
  The path and name of log file, within 32 characters. By default, the path and name is data cmd log.

Configuring Saving Time of Alarm Log

Event information is kept in system buffer of a switch. When the buffer is full, system clears the earliest event information. If saving time is configured, system clears corresponding events automatically when it is time. When there are a lot of events and buffer is full before saving time comes, events are cleared according to configuration of logging buffer clearing. Error of saving time is within 1 minute.

Saving time can be 0 or a value in the range of 30 to 65335 minutes. By default, it is 0, indica
158. round host. A window appears, as shown in Figure 10.

[Figure 10: WFTPD Window]

2 Click Security, select User Rights and perform the following operations:
i Click New User to create a new user, such as target, with password enabled.
ii Select user name target in the drop down list of User Name.
iii Input the directory saving version files or configuration files in the Home Directory box, such as D MMG.
After configuration is completed, a dialog box appears, as shown in Figure 11.

[Figure 11: User Rights Security Dialog Box]

3 Click Done to complete the settings.

END OF STEPS

Result: FTP client is configured. After enabling FTP server, execute copy command in the switch to back up, restore file and import, export configuration.

Configuring a Switch as TFTP Client Terminal

Prerequisites: Enable TFTP server software in the background host and switch communication as client terminal.

Context: To configure a switch serving as TFTP client terminal, perform the following steps.

Steps
1 Run TFTPD software in t
159. rs of Department B

ZXR10 config acl extend number 101
ZXR10 config ext acl rule 1 permit ip 192.168.2.100 0.0.0.0 any
ZXR10 config ext acl rule 2 deny ip 192.168.2.0 0.0.0.255 192.168.4.60 0.0.0.0 time range working time
ZXR10 config ext acl rule 3 deny tcp any eq 8888 192.168.4.70 0.0.0.0 time range working time
ZXR10 config ext acl rule 4 permit ip any any

Apply ACLs to the corresponding physical ports:

ZXR10 config interface fei 2 1
ZXR10 config if ip access group 100 in
ZXR10 config if exit
ZXR10 config interface fei 2 2
ZXR10 config if ip access group 101 in
ZXR10 config if exit

ACL Maintenance and Diagnosis

To configure ACL maintenance and diagnosis, perform the following steps:

  This displays the contents of all ACLs or of the ACL with specified list number.
ZXR10 show running config interface <port name>
  This displays the configuration information of an Ethernet port.

Chapter 10 QoS Configuration

Table of Contents
QoS Overview
Soa rk c Em
Configuring QoS
QoS Configuration Examples
QoS Maintenance and Diagnosis
160. rsion Load Selection
Saving Command Log File
Configuring Saving Time of Alarm Log
System Information View
Viewing Hardware and Software Versions
Viewing Current Running Configuration Information
Viewing CPU Information
Viewing Boot Information of Current Running BO are ML
Viewing System Diagnosis Information
CLI Privilege Classification
CLI Privilege Classification Overview
Configuring CLI Privilege Classification
Configuring Telnet User
Configuring an Enabling Password
Configuring Privilege Level of a Command
CLI Privilege Classification Configuration Example
Maintenance and Diagnosis of CLI Privilege Classification
Port Configuration
Port Basic Configuration
Port Basic Configuration Overview
Enabling an Ethernet Port
Enabling Auto Negotiation
Configuring Duplex Mode
161. ZXR10 config loop detect reopen time <1 16777216>
  This configures the reopen time of loop port.
ZXR10 show loop detect interface <port name>
  This views information on a port that enables loop detection function.
ZXR10 show loop detect reopen time
  This views reopen time.

Note:
In the command of step 1, the value of the parameter <port_name> can be a port or multiple ports, such as gei_1 1 and gei_1 1 4.
In the command of step 2, the value of the parameter vlan id can be a VLAN or multiple VLANs, such as vlan 1 and vlan 1 4.
In the command of step 3, when the switch detects that there is a loop on a port, the switch takes measures according to corresponding configuration.
  If the configuration is block, the data flow breaks off. The state of the port does not turn down. System generates an alarm.
  If the configuration is normal, the data flow breaks off and the state of the port turns down. System generates an alarm.
  If the configuration is protect, the data flow does not break off. The state of the port does not turn down. System generates an alarm.
  By default, the configuration is normal.
In the command of step 4, by default, the time is 10 minutes.

Port Loop Detection Configuration Example

This example shows how to configure loop detection function. As shown in Figure 18, gei 1 1 on S
162. SSH Secure Shell
TCP Transmission Control Protocol
TELNET Telecommunication Network Protocol
TFTP Trivial File Transfer Protocol
TLV Type Length Value
ToS Type Of Service
UDLD UniDirectional Link Detection
UDP User Datagram Protocol
URPF Unicast Reverse Path Forwarding
VBAS Virtual Broadband Access Server
VLAN Virtual Local Area Network
VRRP Virtual Router Redundancy Protocol
WRR Weighted Round Robin
163. s enabled automatically.

To configure linkage ACL rule, perform the following steps:

ZXR10 config event list <name>
  This creates an event list.
ZXR10 config event interface <interface name> admin physical protocol down up
  This sets the conditions of triggering event, where port management state, physical state and protocol state can be set.
ZXR10 config event exit
  This exits event list.
ZXR10 config acl standard number number
  This enters standard access list.
5 ZXR10 config std acl rule 1 permit <source address> <source wildcard> event <name>
  This associates the ACL rule with the event.

Example

As shown in Figure 25, Switch A and Switch B back up for each other. Switch C receives two same data flows. To avoid this phenomenon, an event linkage ACL rule is configured.

[Figure 25: Configuring Event Linkage ACL Rule. Labels: Switch A; Switch B; gei 1 1; Switch C; Switch D]

How to configure:
1 Define one event list. The prerequisite of event trigger is that interface gei_1 1 is down.
2 Define one standard ACL, where rule 1 permits all packets to pass through and rule 2 denies all packets. By associating rule 1 with event, execute rule 1 when protocol on interface gei_1 1 is down.
3 Apply ACL on in direction of interface gei_1 2
164. series switch provides function to collect and save diagnosis information. The directory and name of saved file can be configured. By default, the file directory is flash user and is named diag info txt.

Diagnosis information includes the following contents:
Current time
Current version as well as configuration of boards and cards
Current configuration
Displaying log
Interface configurations
State of link aggregation groups
VLAN configuration
MAC table configuration
ARP configuration
Current routing table
The latest 50 times of operations of FIB table
IP traffic information
Detailed memory usage information
CPU usage ratio
Process information
Queue information
IGMP snooping information
IP multicast routing table
Layer 3 multicast joining information
IP multicast forwarding table
File information in flash
Detailed information of software abnormity
Resetting information of main control board
Changeover information of active and standby boards
Abnormal information of main control board intermitting
Software resetting information of line interface card
Abnormal information of line interface card intermitting
Spanning tree state on port
Protocol VLAN information
Selective QinQ information
MPLS VPN LDP information
MPLS VPN LSP information
VPN routing information
QoS information

To view system diagnosis i
165. ss is cached in the local ARP table, with the purpose of reducing ARP packets in the network to transmit data more rapidly. When the device needs to transmit data, it will search the ARP table according to IP address. If the MAC address of the destination device is found in the ARP table, transmitting an ARP request is not needed. Dynamic entries in the ARP table will be deleted automatically after a period of time, which is called ARP aging time.

Configuring ARP

To configure ARP, perform the following steps:

  This configures aging time of ARP entries on a Layer 3 interface.
ZXR10 clear arp cache permanent static interface interface name
  This clears dynamic ARP entries.
ZXR10 config arp protect interface mac whole limit num limit number
  This configures ARP protection information.
ZXR10 config arp to static
  This turns dynamic ARP to static ARP.
ZXR10 config if set arp permanent static <ip address> <mac address>
  This configures ARP binding on a Layer 3 interface.
ZXR10 config ip arp inspection vlan <vlan id>
  This configures dynamic ARP inspection on a Layer 3 interface.
7 ZXR10 config if arp learn
  This enables ARP learning on a Layer 3 interface.
ZXR10 config if arp source filtered
  This configures ARP source filtration on a Layer 3 interface.
ZXR10 config if ip proxy arp
  T
166. st for authentication
ZXR10 config nas dot1x supplicant timeout period
  This configures online detection timeout time of the dot1x user.
ZXR10 config nas dot1x server timeout period
  This configures the timeout of the dot1x authentication.
ZXR10 config nas dot1x max requests count
  This configures maximum request times of dot1x authentication.

Configuring Local Authentication User

To configure local authentication user, perform the following steps:

1 ZXR10 config nas
  This enters nas configuration mode.
2 ZXR10 config nas create localuser user id name user name password <user password>
  This creates a local user.
3 ZXR10 config nas localuser <user id> port <port name>
  This binds the user with the port.
ZXR10 config nas localuser <user id> vlan <vlan id>
  This binds the user with VLAN.
5 ZXR10 config nas localuser <user id> mac mac address
  This binds the user with MAC address.
ZXR10 config nas localuser <user id> accounting enable disable
  This configures accounting attribute of users.

Note: To delete a local user, use clear localuser <user id> command.

Managing DOT1x Authentication User

To manage access users of DOT1x authentication, perform the following steps:

ZXR10 config show client port port numbe
167. stination port are unnecessary to be on one device, and they can cross multiple network devices. What's more, it can pass through L3 network and is an ideal remote mirroring mode. Source port device supports port mirroring or VLAN mirroring.

[Figure 16: ERSPAN Example]

ERSPAN implements the following functions: mirroring of original traffic and GRE encapsulation on source port device, common IP packet forwarding on intermediate device, and mirroring on destination port device. Function implementation on intermediate device is not illustrated here.

Source device: Port traffic or vlan traffic can be used as source traffic of mirroring; mirrored traffic is sent to intermediate device through designated port after GRE encapsulation. Specify source port or mirroring source on source device. Configure source IP and destination IP of GRE tunnel; configure ERSPAN ID for this mirroring. Additionally, TTL, ip pre dscp of mirrored packet and VRF ID can be specified.

Destination device: De-encapsulate mirrored GRE encapsulated packets received on designated port and send them to test device through designated mirror destination port. Specify mirror destination port on destination device, configure destination IP of GRE tunnel, and specify corresponding ERSPAN ID for this mirroring.

Configuring ERSPAN

Establishing One ERSPAN Session
168. sword and when to use this password.

Administrators configure the privilege level to 1 for a user named test, as shown below:

ZXR10 config username test password test privilege 1

The enabling password of privilege level 12 is configured to zte, as shown below:

ZXR10 config enable secret level 12 zte

When the user logs in to the switch and wants to change the privilege level to 12, the user should input the enabling password, as shown below:

Username test
Password (this password should be test)
ZXR10> enable 12
Password (this password should be zte)
ZXR10

Configuring Privilege Level of a Command

By configuring privilege levels of commands, administrators can control the range of commands that users can use. When the privilege level of a user is higher than or equal to the privilege level of a command, the user can use the command. By default, the privilege level of administrators is 15. They can use all commands.

To configure the privilege level of a command, use the following command:

ZXR10 config privilege logic mode 1 all level <level> <command keywords>
  This configures the privilege level of a command.

Example

This example shows how to configure the privilege level to 12 for all commands beginning with show interface.

View all commands beginning
169. t Console port of MP board of ZXR10 8900 series switch to the serial interface of background host by configuration cable delivered with the product. Connect management Ethernet interface of the device (10/100M Ethernet interface) to network interface of background host by straight through Ethernet cable. Make sure that both interfaces are connected in a proper way.

IP addresses of background host for upgrade and management Ethernet interface on the device are set to the same network segment.

Start the background FTP server.

When the users want to update the version without interrupting the system, users can update the version through the secondary controlled switch board first, and then switch over the primary controlled switch board and the secondary controlled switch board. After that, the users update the new secondary controlled switch board. The line interface cards should be rebooted after the version update.

To update the version without interrupting the system, perform the following steps:

Steps
1 View the information of the current version.
2 Delete the old version file in the directory IMG in FLASH with delete command. The old version file can be renamed if there is sufficient space in FLASH.
3 Copy the new version file in background FTP server to IMG directory in FLASH. Version
170. t is recommended to isolate the broadcast domain of the public network and that of the private network on the command switch, and shield the direct access to the private address. The command switch provides a management and maintenance channel to the outside to manage the cluster in a centralized and unified manner.

A broadcast domain is composed of four kinds of switches:
Command switch
Member switch
Candidate switch
Independent switch

There is only one command switch in a cluster. Command switch can collect equipment topology and establish a cluster automatically. After the cluster is established, command switch provides a management channel for cluster to manage member switch. Member switch serves as a candidate switch before being added into cluster. Switch which does not support member switch is called independent switch.

Cluster management network is formed as shown in Figure 32.

[Figure 32: Cluster Management Network]
171. t isp ztel63 net ZXR10 config nas faaa 1 fullaccount disable ZXR10 config nas faaa 1 radius server authentication 1 ZXR10 config nas faaa 1 radius server accounting 1 Dot1x Relay Authentication Application Intranet topology of an enterprise is shown in Figure 31 FIGURE 31 DoT1x RELAY AUTHENTICATION APPLICATION d wd jas Ue Supplicant Supplicant 2826E Radius server 10 1 1 1 10 1 1 2826E 2 Authenticator 2826E The criterion is that only the authorized hosts are granted access to the Internet resources while the others can only get access to the Intranet resources Divide hosts in the enterprise into a sub network or multiple sub networks where the hosts can access each other 118 Confidential and Proprietary Information of ZTE CORPORATION ZTEDH Chapter 11 DOT1x Configuration Enable 802 1X relay function on Ethernet switch inside sub network and enable 802 1X authentication on Ethernet port of the sub network gateway Do not charge users inside enterprise and only authenticate them on the Radius server Master slave authentication servers are 10 1 1 1 10 1 1 2 respectively It is assumed that enterprise uses 2826E Ethernet switch inside it and uses ZXR10 8905 Ethernet switch as the gateway Configuration on 2826E Set dotlxreley enable Configuration on ZXR10 8905 ZXR10 config radius authentication group 1 ZXR10 config authgrp 1 server 1 10 1 1 1 master key aaaz
172. t means using double rate marking algorithm The value blind means switch works in color blindness mode The value aware means switch works in color sensitivity mode drop yellow It means switch discards packets marked yellow By default switch transmits packets 96 Confidential and Proprietary Information of ZTE CORPORATION ZTEDH Example Chapter 10 QoS Configuration forward red It means switch transmits packets marked red By default switch discards packets remark red It means remarking discarding priority of red packet dp Priority parameters are high medium and low remark red d It means remarking DSCP priority of red packet scp Priority parameters are 0 to 63 remark yello It means remarking discarding priority of yellow w dp packet Priority parameters are high medium and low remark yello It means remarking DSCP priority of yellow packet w dscp Priority parameters are 0 to 63 This example describes how to monitor and control traffic of pack ets with destination IP address 168 2 5 5 on port gei_5 1 Set the bandwidth to 10 M burst transmission rate to no greater than 1M and change the DSCP value to 23 for the part that exceeds the limit and set the discard priority to high this part of packets will be discarded at a higher priority in queue congestion ZXR10 config acl extend number 100 ZXR10 config ext acl rule 1 permit any 168 2 5 5 ZXR10 config ext acl exit ZXR10 config traf
173. t port name gt byname This accesses port lt by name gt configuration mode ZXR10 config if multicast limit percent This configures multicast lt percent gt value lt va ue gt suppression of Ethernet port Configuring Unknown Unicast Suppression To configure unknown unicast suppression of Ethernet port per form the following steps ZXR10 config interface lt port name gt byname This accesses port lt by name gt configuration mode ZXR10 config if unknowcast limit percent This configures unknown lt percent gt value lt va ue gt unicast suppression of Ethernet port Enabling Fast Port Detection Function To enable fast port detection function perform the following steps 1 ZXR10 config interface lt port name gt byname This accesses port lt by name gt configuration mode 2 ZXR10 config if Zfid interface lt port list gt This enables fast port detection function Note This function detects the change of the status on an interface for example from up to down and informs protocols such as ZESR ZESS and link aggregation of the change to speed up the running of the protocols As the function costs resource it is recommended to enable the function only on related ports 48 Confidential and Proprietary Information of ZTE CORPORATION ZTEDY Chapter 5 Port Configuration Configuring FEFI Function To configure FEFI function perform the following steps
174. t port name gt information of Ethernet port To clear port statistical information use clear counter command Example This example shows how to view status and statistic information of port gei_2 1 ZXR10 config show interface gei 2 1 gei_2 1 is down line protocol is down Description is none eepalive set 10 sec The port is electric Duplex half Mdi type auto vlan mode is access pvid 2 Vrpf All Discard Count 0 BW 1000000 Kbits Last clearing of show interface counters never 20 seconds input rate 0 Bps 0 pps 20 seconds output rate 0 Bps 0 pps nterface peak rate input 0 Bps output 0 Bps nterface utilization input output 0 Statistic of input output transmit message including statistic of error message nput Packets 338 Bytes 41572 Unicasts 0 Multicasts 328 Broadcasts 10 Undersize 0 Oversize 0 CRC ERROR 0 Dropped 0 Fragments 0 Jabber s MacRxErr 0 Output Packets 1017 Bytes 125470 Unicasts 0 Multicasts 1017 Broadcasts 0 Collision 0 LateCollision 0 Total 64B 20 65 1278 975 128 255B 360 256 511B i 0 512 1023B 0 1024 1518B 0 ZXR10 Example This example shows how to view configuration information of port fei 2 4 ZXR10 config show running config interface fei 2 4 Building configuration interface fei 2 4 negotiation auto broadcast limit 10 switchport access vlan 1 switchport ging normal ZXR10 config 50 Confidential and Proprietary Information
175. t the background FTP server To upgrade the version at abnormality perform the following steps 1 Start ZXR10 8900 series switch using HyperTerminal and press any key to enter Boot status The following content appears ZXR10 System Boot Version 1 0 Creation date Dec 31 2002 14 01 52 Omitted Press any key to stop for change parameters 2 ZXR10 Boot Input c in Boot status Enter parameter modification status after inputting an Enter i Change the boot mode to boot from background FTP ii Change the FTP server address to the corresponding back ground host address iii Change the client terminal address and gateway address to switch administrative Ethernet interface address iv Set corresponding subnet mask and FTP username and password ZXR10 Boot prompt appears after above parameter modifi cation is completed ZXR10 Boot c clear field go to previous field D quit Boot Location 0 Net 1 Flash 0 0 means booting from background FTP 1 means booting from FLASH Client IP 0 bootp 168 4 168 168 Corresponds to administrative Ethernet port address Netmask 255 255 0 0 Server IP 0 bootp 168 4 168 89 Corresponds to background FTP server address Gateway IP 168 4 168 168 Corresponds to administrative Ethernet port address FTP User target Corresponds to FTP username target FTP Password Corresponds to target user password FTP Password Confirm Boot
176. te Switch cluster switch Switching rule of four kinds of switches in the cluster is shown in Figure 33 122 Confidential and Proprietary Information of ZTE CORPORATION ZTERHY Chapter 12 Cluster Management Configuration FIGURE 33 SWITCHING RULE Member switch Join in the duster Specified as the independent switch Delete from the duster Speafied as the candidate switch Candidate Independent switch pecitied as switch independent switch Specified as the candidate switch without member Command switch Configuring Cluster Management Speafied as the command switch Specified as the independent switch without member Specified as the command switch Enabling ZDP To enable ZTE Discovery Protocol ZDP perform the following steps 1 ZXR10 config zdp enable This enable ZDP function globally 2 ZXR10 config interface interface name This enters interface configuration mode 3 ZXR10 config if zdp enable This enable ZDP function on an interface 5 ZX config zdp timer lt time gt This configures time interval of transmitting ZDP packets ZXR10 config zdp holdtime lt time gt This configures valid holding time of ZDP information 4 ZXR10 config if exit This exits interface configuration mode R1O Confidential and Proprietary Information of ZTE CORPORATION 123 ZXR10 8900 Series User Manual Basic Configuration Volume ZTERH E
177. te port 1812 ZXR10 config authgrp 1 server 2 10 1 1 2 key aaazte port 1812 ZXR10 config authgrp 1 fexit ZXR10 config nas ZXR10 config nas create aaa 1 port fei 1 1 ZXR10 config nas aaa 1 control dotlx enable ZXR10 config nas aaa 1 authorization auto ZXR10 config nas aaa 1 accounting disable ZXR10 config nas aaa 1 multiple hosts enable ZXR10 config nas aaa 1 default isp ztel63 net ZXR10 config nas aaa 1 fullaccount disable ZXR10 config nas aaa 1 radius server authentication 1 Dot1x Local Authentication Application In the applications of Dot1x radius authentication and Dotix relay authentication enterprise wants to register network card address of each host When user logs in from the dot1x client only MAC address of the network card is checked User can log in only when address is legal Enterprise numbers for each MAC address and Internet access du ration of the user is based on the number A ZXR10 8908 switch works as the authenticator and it can implement the application requirement The application configuration is shown below ZXR10 config nas ZXR10 config nas fcreate aaa 1 port fei 1 1 ZXR10 config nas aaa control dotlx enable ZXR10 config nas aaa authorization auto ZXR10 config nas aaa accounting disable ZXR10 config nas aaa multiple hosts enable ZXR10 config nas aaa default isp ztel63 net ZXR10 config nas aaa fullaccount disable ZXR10 config nas
178. ter of this document Except as expressly provided in any written license between ZTE CORPORATION and its licensee the user of this document shall not acquire any license to the subject matter herein ZTE CORPORATION reserves the right to upgrade or make technical change to this product without further notice Users may visit ZTE technical support website http ensupport zte com cn to inquire related information The ultimate right to interpret this product resides in ZTE CORPORATION Revision History Revision No Revision Date Revision Reason Serial Number sjzl20093837 Contents About This Manual 11 Safety InstFUcllOns ase sexesusus ax csuxE sexus RUE ExbxPiI EE E D Safety Introduction cccccccesceeeeeeeeeeeeeeeseeesaeeeeaeeeanensaees 1 Safety Description ssssssrrsrrssssesserrnnnnrnaennrrnerrnnnaenaesnes 1 Usage and Operation 3 Configuration MOSS seen YA RR ea ERI aea Ex aaa EXE Fa Ka 3 Configuring Serial Interface Connection 4 Configuring Telnet Connection cceeceee escent eae eeeeeneeaes 6 Configuring SSH COnnection cccccceeeese eee eeaeeaeeaeeeaeeaes 9 Configuring SNMP Connection esee 11 Command MOES cecceceece cece eee eee eee eee eens nnn nnn 12 Command Line Usage cceceeeee eect eect nett em 14 Online HIP sdecisacts ES 14 Command Abbreviation cesses
179. thernet Interface Confidential and Proprietary Information of ZTE CORPORATION 43 ZXR10 8900 Series User Manual Basic Configuration Volume ITEmX GEI Gigabit Ethernet Interface XGEI 10 Gigabit Ethernet Interface Slot No ZXR10 8908 provides 10 plug in slots that are numbered from top to down where No 5 and No 6 are MP plug in slots and rest are the interface board module plug in slots Port No Interface board ports number starts from 1 fei_2 8 means the eighth port in the No 2 slot fast Ethernet interface board gei_6 1 means the first port in the No 6 slot gigabit Ethernet interface board xgei_7 2 means the second port in the No 7 slot 10 gigabit Ethernet interface board Enabling an Ethernet Port To enable an Ethernet port perform the following steps 1 ZXR10 config interface lt port name gt byname This accesses port lt by name gt configuration mode ZXR10 config if no shutdown This enables an Ethernet port ZXR10 config if hyname lt by name gt This sets port byname e Note To disable an Ethernet port use shutdown command The shutdown command makes the physical link status of the port change into down and the link LED of the port go dark All ports are open by default Port byname is to distinguish the ports for easier memorization It is possible to replace the port name with byname command when users perform operation over the port Enabling Auto Negotiation
180. ting that system clears events according to configuration of logging buffer clearing when buffer is full To configure saving time of alarm log use the following command ZXR10 config write alarmlog flash sd start time This saves contents in alarm log date time end time date time filename buffer in designated file form on other devices lt filepath file gt Parameter descriptions 32 Confidential and Proprietary Information of ZTE CORPORATION ZTEDX Chapter 3 System Management ash Alar log fle is saved to Rash sa Alarm log fle is saved to SD card start time date time The starting time of alarm to be recorded that occurs earliest end time date time The starting time of alarm to be recorded that occurs latest filename lt fi epath file gt The path and name of log file within 32 characters By default the path and name is data cmd log Example This example shows how to save alarm log to flash data alarm log ZXR10 config write alarmlog flash start time 6 12 2008 00 00 01 end time 6 12 2008 23 59 59 This example shows how to save alarm log to flash aaa log ZXR10 config write alarmlog flash start time 06 25 2008 15 03 00 end time 06 25 2008 15 04 45 filename aaa log oystem Information View System information view includes the following topics Viewing Hardware and Software Versions To view hardware and software versions of the system use
181. to platform in a high rate the module makes alarm. This warns users that there may be some kind of protocol packets attacking CPU. When such alarm appears, disable protocol protection function to protect CPU from being attacked. Note: After protocol protection functions of SNMP and RADIUS are disabled, they are not affected and work normally. For IPv4 and IPv6 protocols, there is a threshold value. By default, the threshold value is 3000, that is, system allows receiving 3000 messages of a protocol within 30 seconds. When there are more than 3000 messages received, alarm appears. The threshold value can be configured. CPU Attack Protection Principle: Protocol protection is to protect the CPU of a switch. If CPU is attacked by many protocol messages, CPU usage ratio will increase. When protocol messages are sent to CPU at a high speed, protocol protection module will count the protocol messages of each type. Controlled by a timer, the number of protocol messages sent to CPU during a cycle is compared with a configured threshold value. For example, if the number of protocol messages sent to CPU within 30 seconds is bigger than the configured threshold value, system sends a piece of alarm information in format of "Receive too many packets of protocol message type from port port number".
182. ts h This displays RMON istory statistics configuration and related Example Example RMON Configuration Example The following are several configuration examples of the RMON This example shows how to configure and start statistics control entries of the RMON ZXR10 config interface fei 1 1 ZXR10 config if rmon collection statistics 1 owner rmontest Assume n computers are linked to port fei_1 1 and when these computers communicate on the sub network traffic statistics can be viewed through NMS software and it can also be viewed with show command ZXR10 Show rmon statistics EtherStatsEntry 1 is active and owned by rmontest Monitors ifEntry 1 1 which has Received 60739740 octets 201157 packets 1721 broadcast and 9185 multicast packets 0 undersized and 0 oversized packets 0 fragments and 0 jabbers 0 CRC alignment errors and 32 collisions of dropped packet events due to lack of resources 511 of packets received of length in octets 64 92955 65 127 14204 128 255 1116 256 511 4479 512 1023 85856 1024 1518 2547 This example describes how to configure and enable RMON history control entry ZXR10 config interface fei 1 1 ZXR10 config if rmon collection history 1 bucket 10 interval 10 owner rmontest Confidential and Proprietary Information of ZTE CORPORATION 135 ZXR10 8900 Series User Manual Basic Configuration Volume ZTERH Use show command to view the RMON history information
183. ty Mapping To configure COS discarding priority mapping perform the follow ing steps ZXR10 config qoS cos drop map cos 0 drop priorit This configures parameters of y gt lt cos 1 drop priority gt lt cos 2 drop priority gt lt cos 3 COS discarding priority drop priority gt lt cos 4 drop priority gt lt cos 5 drop priori ty gt lt cos 6 drop priority gt lt cos 7 drop priority gt 2 ZXR10 config interface interface name This enters interface configuration mode 3 ZXR10 config if trust cos drop enable This applies COS discarding priority mapping function 100 Confidential and Proprietary Information of ZTE CORPORATION ZTEDH Example Chapter 10 QoS Configuration Note To disable COS discarding priority mapping function use trust c os drop disable command This example shows how to configure COS discarding priority map ping Configure COS discarding priority mapping on gei_1 1 Pri ority of queue 7 is high other priorities are low ZXR10 config qos cos drop map 11111112 ZXR10 config interface gei 1 1 ZXR10 config if trust cos drop enable Configuring COS Local Priority Mapping To configure COS local priority mapping function perform the fol lowing steps ZXR10 config qos cos local map lt cos 0 ocal priorit This configures parameters of y gt lt cos 1 local priority gt lt cos 2 local priority gt lt cos 3 COS local priority local priority gt lt cos 4 local
184. ty codes and relevant operation pro cedures during equipment installation operation and mainte nance to prevent personal injury or equipment damage Safety precautions introduced in this manual are supplementary to the local safety codes ZTE bears no responsibility in case of universal safety oper ation requirements violation and safety standards violation in designing manufacturing and equipment usage Safety Description Contents deserving special attention during configuration of ZXR10 8900 series switch are explained in the following table Note o Provides additional information Important e Provides great significance or consequence Result Provides consequence of actions Example O Provides instance illustration Confidential and Proprietary Information of ZTE CORPORATION 1 ZXR10 8900 Series User Manual Basic Configuration Volume ZTERH This page is intentionally blank 2 Confidential and Proprietary Information of ZTE CORPORATION Chapter 2 Usage and Operation Table of Contents Configuration ModE Senesni Ei 3 Command MIS CR 12 Command Line Usage serenos nri nE 14 Configuration Modes ZXR10 8900 series switch provides multiple configuration modes as shown in Figure 1 User can select appropriate configuration mode according to the connected network FIGURE 1 CONFIGURATION MODES A lt o lt SNMP FTP TFTP Telenet Network server host Management Serial interface
185. uced o show iptv control This shows global configuration of IPTV osshow iptv prw This shows global parameter configuration of IPTV preview o show iptv cdr This shows CDR configuration information o show iptv cdr record idlist lt cdr idlist gt This shows information of generated CDR records 146 Confidential and Proprietary Information of ZTE CORPORATION ZTEDY Chapter 14 IPTV Configuration xR104Show iptv channel all name channel name This shows the channel idlist channel idliset Y information of IPTV o show iptv package package name This shows the information of package name gt package id lt package id gt iptv package R10 show iptv view profile lt viewfile name gt This shows the information of view profile R10 Show iptv rule port port name vlan id v an i This shows CRC rules vlan name v an name channel package R104Show iptv rule statistics rule id lt ru e id gt This shows CRC rule statistics R10 Show iptv client 4 port lt port NPC lt This shows online IPTV users slob no gt vlan id lt vian id gt vlan name lt vlan name zxR10 Show iptv channel statistics channel id This shows channel statistics lt channel id gt Confidential and Proprietary Information of ZTE CORPORATION 147 ZXR10 8900 Series User Manual Basic Configuration Volume ZTERH This page is intentionally blank 148 Confidential an
186. ueues of a port can adopt different modes respectively. SP: SP is to strictly schedule data of each queue according to queue priority. First send packets in the highest priority queue, and after that send packets in the higher priority queue. Similarly, after that send packets in the lower priority queue, and so on. SP scheduling makes packets of key services processed preferentially, thus guaranteeing service quality of key services. But the low priority queue may never be processed and may be starved. WRR: WRR makes it possible for each queue to be investigated and not starved. Each queue is investigated at different time, that is, has different weight, indicating the ratio of resources obtained by each queue. Packets in the high priority queue have more opportunities to be scheduled than the low priority queue. DWRR: DWRR makes it possible for each queue to be investigated. The weight of each queue is different. The difference between DWRR and WRR is that the weight value of DWRR means the round scheduled bytes of eight queues on a port each time, in units of kbyte, while the weight value of WRR means the scheduled packet number of each queue. Therefore DWRR does not have much effect on bandwidth. Data priority is contained in the 802.1P label. If data entering the port is not marked with an 802.1P label, a default 802.1p value will be assigned by the switch. Policy Routing Redirecting is used to make the decision again about the forwarding of packets wit
187. uration Examples; VRRP Maintenance and Diagnosis. VRRP Overview: Host in a broadcast domain usually sets a default gateway as the next hop of routing data packets. The host in the broadcast domain cannot communicate with the host in another network unless the default gateway works normally. To avoid the single point of failure caused by the default gateway, multiple router interfaces are configured in the broadcast domain, and the Virtual Router Redundancy Protocol (VRRP) runs in these routers. VRRP is used to configure multiple router interfaces in a broadcast domain into a group to form a virtual router, and assigns an IP address to the router to function as its interface address. This interface address may be the address of one of router interfaces or the third party address. If the interface address is used, a router with the interface address acts as the master router. Other routers act as the backup routers. The router with high priority is used as the master router if the third party address is used. If two routers have the same priority, the one that sends VRRP message first wins. Set the IP address of the virtual router to gateway on the host in this broadcast domain. The master router is replaced with the backup router with the highest priority if the master router is faulty, without affecting the host in this domain. The host in this domain cannot c
188. used to synchronize the clocks of computers on a network or across multiple networks like the Internet Without adequate NTP synchronization organi zations cannot expect their network and applications to function properly ZXR10 8900 series switch acts as the NTP client Configuring NTP To configure NTP perform the following steps 1 ZXR10 config ntp server ip address version This defines a time server number XR10 config ntp enable This enables NTP function XR R Z 0 ZXR10 config ntp source lt p address gt This configures the source address ZXR10 config show ntp status This displays NTP running state Confidential and Proprietary Information of ZTE CORPORATION 129 ZXR10 8900 Series User Manual Basic Configuration Volume ZTERH NTP Configuration Example This example shows routing switch as an NTP client and assume that the NTP protocol version is 2 Network topology is shown in Figure 35 FIGURE 35 NTP CONFIGURATION EXAMPLE 192 168 2 2 24 vlan24 a 192 168 2 1 24 NTP server ZXR10 configuration ZXR10 config interface vlan24 ZXR10 config if ip address 192 168 2 2 255 255 255 0 ZXR10 config if exit ZXR10 config ntp enable ZXR10 config ntp server 192 168 2 1 version 2 RADIUS Configuration Radius Overview Remote Authentication Dial In User Service RADIUS is a stan dard AAA protocol AAA represents Authorization Authentication and A
189. w accounting local buffer all This displays all information in local buffer 3 ZXR10 debug radius all This displays RADIUS debugging information Note To clear all information in local buffer use clear accounting loca I buffer all command RADIUS Configuration Example This example describes how to configure a RADIUS accounting group Procedure of configuring a RADIUS authentication group is the same ZXR10 config 4radius accounting group 1 ZXR10 config acct group 1 algorithm round robin ZXR10 config acct group 1 calling station format 2 ZXR10 config acct group 1 fdeadtime 5 ZXR10 config acct group 1 local buffer enable ZXR10 config acct group 1 fmax retries 5 ZXR10 config acct group 1 nas ip address 10 1 1 4 ZXR10 config acct group 1 server 1 10 2 1 3 key uas ZXR10 config acct group 1 server 2 12 1 2 3 key uas ZXR10 config acct group 1 ftimeout 10 132 Confidential and Proprietary Information of ZTE CORPORATION ZTEDH 0 config ct text gt R10 config on text gt R10 config mng vrf Chapter 13 Network Management Configuration SNMP Configuration SNMP Overview SNMP is one of the most popular network management protocols This protocol enables a network management server to manage all the devices in a network SNMP is managed based on server and client Background NMS server serves as SNMP server and foreground network device serves as SNMP client
190. with NP fastener subcard or ACL will not be valid. NP processing mode based ACL is not conflicted with common processing mode based ACL. That is, the same object (a physical port, VLAN or Smartgroup virtual interface) supports two ACL processing modes and can process packets in these two modes. Configuring ACLs: ACL configuration includes: define an ACL rule; configure a time range; apply the ACL to a port. Defining ACLs: The following issues are to be taken into account when defining ACL rules. When a packet meets multiple rules, first rule will be matched. Rule sequence is very important. Generally, rules in a small range are put in the front and rules in a large range are put in the back. Considering network security, system will add an implicit deny rule to the end of each ACL automatically for denying all the packets. A permit rule for allowing all packets should be defined at the end of each ACL. Defining Standard ACL: To configure standard ACL, perform the following steps. ZXR10 config acl standard number lt ac number This enters standard ACL name ac name alias lt alias name gt match configuration mode order auto config ZXR10 config std acl rule lt ru e no gt permit deny This defines rules lt source gt lt source wildcard gt any time range lt timerange name gt
191. with multiple virtual addresses Hosts connected to it can use any one of them as gateway for communications VRRP Configuration Examples Basic VRRP Configuration Example This example shows that R1 and R2 run in the VRRP protocol between each other R1 interface address 10 0 0 1 is used as the VRRP virtual address therefore R1 is considered as a mas ter router This is shown in Figure 23 74 Confidential and Proprietary Information of ZTE CORPORATION ZTEDH Chapter 8 VRRP Configuration FIGURE 23 BASIC VRRP CONFIGURATION EXAMPLE 10 0 0 1 16 master 10 0 0 2 16 A px e e e PCI PC2 PC3 PC4 4 wd J Configuration on R1 ZXR10_R1 config interface vlan 1 ZXR10_R1l config if ip address 10 0 0 1 255 255 0 0 ZXR10_R1l config if vrrp 1 ip 10 0 0 1 Configuration on R2 ZXR10_R2 config interface vlan 1 ZXR10_R2 config if ip address 10 0 0 2 255 255 0 0 ZXR10_R2 config if vrrp 1 ip 10 0 0 1 Symmetric VRRP Configuration Example Two VRRP groups are booted in this example where PC1 and PC2 use virtual router in Group 1 as default gateway with ad dress 10 0 0 1 PC3 and PC4 use virtual router in Group 2 as default gateway with address 10 0 0 2 R1 and R2 serve as mu tual backup Four hosts cannot communicate with outside world until both routers become invalid This is shown in Figure 24 Confidential and Proprietary Information of ZTE CORPORATION 75 ZXR10 8900 Series User Manual
192. xyz ABCDEFGHI JKLMNOPQRSTUVWXYZ amp If version file is configured to boot from network, file name can contain path in designated FTP directory. For example, the designated FTP directory is sysm, a user has entered nets in sysm directory, the version file name can contain path in nets directory. The command to configure version load selection function can be used together with nvram boot password, nvram boot server, nvram boot username and nvram default gateway commands. This example shows how to configure booting from local device: ZXR10 config nvram imgfile location local This example shows how to configure booting from network: ZXR10 config nvram imgfile location network sys img Saving Command Log File: A switch can save some log files. However, after a switch is rebooted, the log files before rebooting will be lost. If log files are saved to flash or SD card, they will not be lost after switch is rebooted. The switch provides the function that log files can be saved and synchronized to flash and SD card. Storage path, file name and size can be configured. The size of file ranges from 64K bytes to 1024K bytes. By default it is 256K bytes. When the size exceeds the maximum size, the earliest parts of logs are deleted. Note: By default, the file is saved in flash data directory and file name is logfile txt. To save command log file, use the following command
193. y use the following command ZXR10 config shaping cir lt 1 10000000 gt cbs 1024 1671 This configures discarding 1680 gt pir lt 1 10000000 gt pbs lt 1024 16711680 gt parameters of traffic shaping policy By default the value of CIR and PIR is 1 Configuring HQoS Policy To configure HQoS policy perform the following steps 1 To enter policy view use the following command ZXR10 config qoS policy policy name level 1 3 This enters policy view mode TUNNEL VLAN If the policy does not exist users should input level to create a policy The policy name is within 32 characters To delete a policy use no qos policy policy name com mand 2 To configure policy description use the following command 106 Confidential and Proprietary Information of ZTE CORPORATION ZTEDY Chapter 10 QoS Configuration ZXR10 config qpolicy description lt string gt This configures policy description The description is within 200 characters To delete policy description use no description command 3 To enter traffic class use the following command ZXR10 config qpolicy flow class class name This enters traffic class Each policy has a default traffic class named class default WRED WFQ and shaping of the default traffic class can be con figured 4 To configure queue priority use the following command ZXR10 config qpolicy class priority high low This configures queue
194. y Information of ZTE CORPORATION 41 ZXR10 8900 Series User Manual Basic Configuration Volume ZTERH CLI Privilege Classification Configuration Example Use user privilege level 15 to configure a user named test with privilege level of 10 The configuration is shown below ZXR10 config username test password test privilege 10 ZXR10 config enable secret level 10 test123 ZXR10 config privilege show all level 10 show run The configuration result is shown below ZXR10 config exit ZXR10 enable 10 ZXR10 show run Building configuration 1 urpf log off Maintenance and Diagnosis of CLI Privilege Classification To configure maintenance and diagnosis of CLI privilege classifica tion perform the following steps 1 ZXR10 Show privilege cur mode detail level This views the privilege level level node lt command keywords gt of commands in current mode 2 zxR10sShow privilege show mode detail level This views the privilege level level node lt command keywords gt of commands in show mode 42 Confidential and Proprietary Information of ZTE CORPORATION Port Naming Rules Chapter 5 Port Configuration Table of Contents Port Basic Configura HOM iuxta axe o XR aa E etl 43 Port Mirroring Config std OH screenies ce ect EC LEGE ERR C Ree E eR 52 ERSRAN Configuratii hee ed xk HO CRURA EET ROH ERU A CR RR 54 Lonttauring ERSPAN teure xxu sh ro E tepuA ke nre MERIT E REA bust Papi c pa 5
