With any Huawei Career Certification, you have the privilege on http://learning.huawei.com/en to enjoy:
1. e-Learning Courses: Log on to http://learning.huawei.com/en and enter Huawei Training/e-Learning
If you have the HCNA/HCNP certificate: You can access Huawei Career Certification and Basic Technology e-Learning courses.
If you have the HCIE certificate: You can access all the e-Learning courses which are marked for HCIE Certification Users.
Methods to get the HCIE e-Learning privilege: Please associate HCIE certificate information with your Huawei account, and
Content: Huawei product training material and Huawei career certification training material.
Method: Log on to http://learning.huawei.com/en and enter Huawei Training/Classroom Training, then you can download training material in the specific training introduction page.
3. Priority to participate in Huawei Online Open Class (LVC)
The Huawei career certification training and product training covering all ICT technical domains like R&S, UC&C, Security, Storage and so on, which are conducted by Huawei professional instructors.
4. Learning Tools:
eNSP: Simulate single Router&Switch device and large network.
WLAN Planner: Network planning tools for WLAN AP products.
In addition, Huawei has built up Huawei Technical Forum which allows candidates to discuss technical issues with Huawei experts, share exam experiences with others or be acquainted with Huawei Products.
Statement:
This material is for personal use only, and can not be used by any individual or organization for any commercial purposes.
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential
Huawei Certification
HCIE-R&S
Huawei Certified Internetwork Expert-Routing and Switching
Huawei Technologies Co.,Ltd

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, expressed or implied.
Relying on its strong technical and professional training system, in accordance with different customers at different levels of ICT technology, Huawei certification is committed to provide customers with authentic, professional certification.
Based on characteristics of ICT technologies and customers' needs at different levels, Huawei certification provides customers with certification system of four levels.
HCDA (Huawei Certification Datacom Associate) is primary for IP network maintenance engineers, and any others who want to build an understanding of the IP network. HCDA certification covers the TCP/IP basics, routing, switching and other common foundational knowledge of IP networks, together with Huawei communications products, versatile routing platform VRP characteristics and basic maintenance.
HCDP-Enterprise (Huawei Certification Datacom Professional-Enterprise) is aimed at enterprise-class network maintenance engineers, network design engineers, and any
optimization technologies. HCDP-Enterprise consists
Switch Network), IERN (Implement Enterprise Routing Network), and IENP
and switching technology principles,
well as the configuration of Huawei products.
HCIE-Enterprise (Huawei Certified Internetwork Expert-Enterprise) is designed to endue engineers with a variety of IP technologies and proficiency in the maintenance, diagnostics and troubleshooting of Huawei products, which equips engineers with
Referenced icon
[Figure: icons for Router, L3 Switch, L2 Switch, Firewall, Net cloud, Ethernet line, Serial line]
CONTENTS
RIP
IS-IS
BGP BASICS
BGP ADVANCED AND INTERNET DESIGN
ROUTE IMPORT AND CONTROL
VLAN
LAN LAYER 2 TECHNOLOGIES
WAN LAYER 2 TECHNOLOGIES
STP
MULTICAST
IPv6
MPLS VPN
OTHER TECHNOLOGIES
RIPv1 packet format
A RIP packet consists of two parts: Header and Route Entries. The Header includes the Command and Version fields. Route Entries include at most 25 routing entries. Each routing entry contains the Address Family Identifier field, IP Address of target network, and Metric field.
The meaning of each field in a RIP packet is as follows:
Command: indicates whether the packet is a request or response. The value is 1 or 2. The value 1 indicates a request, and the value 2 indicates a response.
Version: specifies the used RIP version. The value 1 indicates a
RIPv2 packet format
A RIPv2 packet has the same format as a RIPv1 packet except that RIPv2 uses some new and unused fields in RIPv1 to provide extended functions.
The meaning of the new fields is as follows:
Route Tag: indicates external routes learned from other protocols or routes imported into RIPv2.
Subnet Mask: identifies the subnet mask of an IPv4 address.
Next Hop: indicates a next-hop address that is better than
indicates that the advertising router address is the
On a broadcast network with more than two devices, the Next Hop field changes to optimize the path.
In MD5 authentication, the AND operation is performed on route entries and shared key. A router then sends the AND operation results and route entries to the neighbor.
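
The packet layout described above, as an added example (not code from the course material): a Python parser that enforces the stated field rules (Command 1 or 2, at most 25 routing entries, metric no higher than 16) and checks RIPv2 keyed-MD5 authentication. The digest rule used here (MD5 over the packet through the trailer marker, followed by the shared key zero-padded to 16 bytes, as in RFC 2082), the function names, and the sample key and routes are assumptions of this example.

```python
import hashlib
import hmac
import ipaddress
import struct

AFI_AUTH = 0xFFFF      # Address Family Identifier value that marks an authentication entry
AUTH_KEYED_MD5 = 3     # RFC 2082 authentication type
TRAILER_MARK = struct.pack("!HH", AFI_AUTH, 1)
MAX_ROUTES = 25        # a packet carries at most 25 routing entries
INFINITY = 16          # metric 16 means unreachable


def keyed_md5(signed_part: bytes, key: bytes) -> bytes:
    # Assumption (RFC 2082): MD5 over everything up to and including the
    # trailer marker, followed by the shared key zero-padded to 16 bytes.
    return hashlib.md5(signed_part + key[:16].ljust(16, b"\0")).digest()


def build_md5_response(routes, key: bytes, key_id: int, seq: int) -> bytes:
    """Build a RIPv2 Response for (prefix, next_hop, metric, tag) tuples."""
    body = b""
    for prefix, next_hop, metric, tag in routes:
        net = ipaddress.IPv4Network(prefix)
        body += struct.pack("!HH4s4s4sI", 2, tag, net.network_address.packed,
                            net.netmask.packed,
                            ipaddress.IPv4Address(next_hop).packed, metric)
    pkt_len = 4 + 20 + len(body)               # offset of the trailer
    header = struct.pack("!BBH", 2, 2, 0)      # Command=2 (response), Version=2
    auth = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_KEYED_MD5,
                       pkt_len, key_id, 16, seq)
    signed = header + auth + body + TRAILER_MARK
    return signed + keyed_md5(signed, key)


def parse_rip(packet: bytes, key: bytes = None, last_seq: int = -1) -> dict:
    """Validate and decode a RIPv1/RIPv2 packet; check keyed MD5 when key is set."""
    if len(packet) < 4 or (len(packet) - 4) % 20:
        raise ValueError("not a 4-byte header followed by 20-byte entries")
    command, version = packet[0], packet[1]
    if command not in (1, 2) or version not in (1, 2):
        raise ValueError("unsupported Command or Version")
    seq = None
    if key is not None:
        if len(packet) < 44:
            raise ValueError("authentication required but missing")
        afi, auth_type, pkt_len, _key_id, auth_len, seq = struct.unpack(
            "!HHHBBI", packet[4:16])
        if (version != 2 or afi != AFI_AUTH or auth_type != AUTH_KEYED_MD5
                or auth_len != 16 or pkt_len + 20 != len(packet)
                or packet[pkt_len:pkt_len + 4] != TRAILER_MARK):
            raise ValueError("missing or malformed keyed-MD5 authentication")
        expected = keyed_md5(packet[:pkt_len + 4], key)
        if not hmac.compare_digest(expected, packet[pkt_len + 4:]):
            raise ValueError("MD5 digest mismatch")
        if seq < last_seq:
            raise ValueError("sequence number went backwards (possible replay)")
    routes = []
    for off in range(4, len(packet), 20):
        afi, tag, addr, mask, nhop, metric = struct.unpack(
            "!HH4s4s4sI", packet[off:off + 20])
        if afi == AFI_AUTH:
            continue                           # authentication entry or trailer
        if not 1 <= metric <= INFINITY:
            raise ValueError(f"metric {metric} outside 1..16")
        if version == 1:
            if tag or any(mask) or any(nhop):
                raise ValueError("RIPv1 entry has non-zero reserved fields")
            dest = str(ipaddress.IPv4Address(addr))
        else:
            # A non-contiguous Subnet Mask raises ValueError here.
            dest = str(ipaddress.IPv4Network(
                f"{ipaddress.IPv4Address(addr)}/{ipaddress.IPv4Address(mask)}",
                strict=False))
        routes.append((dest, str(ipaddress.IPv4Address(nhop)), metric, tag))
    if len(routes) > MAX_ROUTES:
        raise ValueError("more than 25 routing entries")
    return {"command": command, "version": version, "seq": seq, "routes": routes}


# Constructed sample data (not from the course material).
SAMPLE_KEY = b"constructed-key"
SAMPLE = build_md5_response(
    [("10.1.0.0/16", "0.0.0.0", 2, 0), ("172.16.0.0/24", "192.168.1.2", 16, 100)],
    SAMPLE_KEY, key_id=1, seq=7)
```

Passing the last accepted sequence number as `last_seq` makes the parser reject an older captured packet that is replayed with a valid digest.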
RIP mainly uses three timers:
Update timer: defines the interval between two route updates. It periodically triggers the transmission of route updates at a default interval of 30 seconds.
Aging timer: specifies the aging time of routes. If a RIP device does not receive the update of a route from its neighbor within the aging time, the RIP device considers the route as unreachable. After the aging timer expires, the RIP device sets the metric of the route to 16.
Garbage-collect timer: specifies the interval between the time a route is marked as unreachable and the time the route is deleted from the routing table.
Relationship between three timers:
RIP route update advertisement is controlled by the update timer. A route update is sent at a default interval of 30 seconds.
Each routing entry has two timers: aging timer and garbage-collect timer. When a route is learned and added to the routing table, the aging timer starts. If a RIP device does not receive the update of the route from a neighbor when the aging timer expires, the device sets the metric of the route to 16 (indicating an unreachable route) and starts the garbage-collect timer.
If the device still does not receive the update of the unreachable route from the neighbor when the garbage-collect timer expires, the device deletes the route from the routing table.
Precautions
If a RIP device does not have the triggered update function, it deletes an unreachable route from the routing table after a maximum of 300 seconds (aging time plus garbage-collect time).
If a RIP device has the triggered update function, it deletes an unreachable route from the routing table after a maximum of 120 seconds (the garbage-collect time).
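
The timer relationship above as a small simulation, added here as an example rather than taken from the course material: one route is refreshed every 30 seconds until the neighbor stops advertising it, and the returned log shows when the aging and garbage-collect timers fire with and without a triggered update. The class and function names, the 180-second aging default, and the single-neighbor simplification are assumptions of this example.

```python
from dataclasses import dataclass

UPDATE, AGE, GARBAGE = 30, 180, 120   # default timer values in seconds
INFINITY = 16                          # metric that marks a route unreachable


@dataclass
class Route:
    metric: int
    age_deadline: int                  # when the aging timer expires
    gc_deadline: int = None            # set once the garbage-collect timer runs


class RipTable:
    """Aging and garbage-collect timers for routes learned from one neighbor."""

    def __init__(self, age=AGE, garbage=GARBAGE):
        self.age, self.garbage = age, garbage
        self.routes = {}
        self.log = []                  # (time, prefix, event)

    def receive(self, now, prefix, metric):
        """Handle one route entry from the neighbor's Update packet."""
        metric = min(metric + 1, INFINITY)
        known = self.routes.get(prefix)
        if metric < INFINITY:
            if known is None or known.gc_deadline is not None:
                self.log.append((now, prefix, "learned"))
            # A valid update restarts the aging timer and cancels garbage collection.
            self.routes[prefix] = Route(metric, now + self.age)
        elif known is not None and known.gc_deadline is None:
            self._unreachable(now, prefix, "poisoned by neighbor")

    def _unreachable(self, when, prefix, event):
        # Set the metric to 16 and start the garbage-collect timer.
        route = self.routes[prefix]
        route.metric = INFINITY
        route.gc_deadline = when + self.garbage
        self.log.append((when, prefix, event))

    def tick(self, now):
        """Expire timers; call once per second of simulated time."""
        for prefix, route in list(self.routes.items()):
            if route.gc_deadline is None and now >= route.age_deadline:
                self._unreachable(route.age_deadline, prefix, "aged out")
            if route.gc_deadline is not None and now >= route.gc_deadline:
                del self.routes[prefix]
                self.log.append((route.gc_deadline, prefix, "deleted"))


def simulate(triggered_update, last_update=60, end=600):
    """Return [(time, event)] for 10.0.0.0/8 after the neighbor's last good update."""
    table = RipTable()
    for now in range(end + 1):
        if now <= last_update and now % UPDATE == 0:
            table.receive(now, "10.0.0.0/8", 1)          # periodic Update
        if triggered_update and now == last_update + 1:
            table.receive(now, "10.0.0.0/8", INFINITY)   # failure reported at once
        table.tick(now)
    return [(t, event) for t, _, event in table.log]
```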
Split horizon
RIP uses split horizon to reduce bandwidth consumption and prevent routing loops.
Implementation
R1 sends R2 a route to network 10.0.0.0/8. If split horizon is not configured, R2 sends the route learned from R1 back to R1. In this manner, R1 can learn two routes to network 10.0.0.0/8: one direct route with zero hops and the other route with two hops and R2 as the next hop.
However, only the direct route is active in the RIP routing table of R1. When the route from R1 to network 10.0.0.0/8 becomes
that network 10.0.0.0/8 is reachable to R1. Subsequently, R1 receives incorrect route information and considers that it can
table of the peer end.
Implementation
After receiving a route 10.0.0.0/8 from R1, R2 sets the metric of the route to 16, indicating that the route is unreachable, if poison reverse is configured. Then R1 does not use the route 10.0.0.0/8 learned from R2, preventing a routing loop.
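
The R1/R2 scenario above as a simulation, added here as an example and not part of the course material: after network 10.0.0.0/8 fails on R1, R2's periodic update reaches R1 first, and the two routers exchange updates until both hold metric 16. The mode names, function names and the fixed update order are assumptions of this example.

```python
INFINITY = 16


def advertised_metric(sender, receiver, tables, mode):
    """Metric the sender puts in its Update to the receiver, or None if suppressed."""
    metric, next_hop = tables[sender]
    if next_hop == receiver:
        if mode == "split-horizon":
            return None              # never send a route back to where it was learned
        if mode == "poison-reverse":
            return INFINITY          # send it back, but as unreachable
    return metric


def receive(receiver, sender, metric, tables):
    """Apply the distance-vector update rule for the single route 10.0.0.0/8."""
    if metric is None:
        return
    new_metric = min(metric + 1, INFINITY)
    current_metric, current_hop = tables[receiver]
    # Accept news from the current next hop unconditionally, otherwise only
    # when the advertised path is better than the one already installed.
    if current_hop == sender or new_metric < current_metric:
        tables[receiver] = (new_metric, sender)


def simulate(mode, max_rounds=20):
    """Return (rounds until both routers see metric 16, per-round table history)."""
    # Before the failure: R1 is directly attached, R2 learned the route from R1.
    tables = {"R1": (0, None), "R2": (1, "R1")}
    tables["R1"] = (INFINITY, None)  # the attached network goes down on R1
    history = []
    for rnd in range(1, max_rounds + 1):
        # R2's periodic Update reaches R1 before R1 has reported the failure.
        for sender, receiver in (("R2", "R1"), ("R1", "R2")):
            metric = advertised_metric(sender, receiver, tables, mode)
            receive(receiver, sender, metric, tables)
        history.append((tables["R1"], tables["R2"]))
        if tables["R1"][0] == INFINITY and tables["R2"][0] == INFINITY:
            return rnd, history
    return None, history
```

Without either mechanism R1 installs the stale route through R2 and the metric climbs by two per round until it reaches 16; with split horizon or poison reverse R1 never installs it.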
Precautions
When a routing entry changes, a RIP device broadcasts the change to other devices immediately without waiting for periodic update. If triggered update is not configured, by default, invalid routes are retained in the routing table for a maximum of 300 seconds (aging time plus garbage-collect time).
Update is not triggered when the next-hop address becomes unreachable.
Implementation
Subsequently, the routing table of R2 is updated in a timely manner.
Route summarization
RIPv2 supports route summarization. Because RIPv2 packets carry the mask, RIPv2 supports subnetting. Route summarization can improve scalability and efficiency of large networks and reduce the routing table size.
RIPv2 process-based classful summarization can implement automatic summarization.
Interface-based summarization can implement manual summarization.
If the routes to be summarized carry tags, the tags are deleted after these routes are summarized into one summary route.
Case
Two routes: route 10.1.0.0/16 (metric=10) and route 10.2.0.0/16 (metric=2) are summarized into one natural network segment route 10.0.0.0/8 (metric=3).
Working process analysis:
Initial state: A router starts a RIP process, associates an interface with the RIP process, and sends as well as receives RIP packets from the interface.
Build a routing table: The router builds its routing entries according to received RIP packets.
Maintain the routing table: The router sends and receives route updates at an interval of 30 seconds to maintain its routing entries.
Age routing entries: The router starts a 180-second timer for its routing entries. If the router receives route updates within 180
update of the route after 120 seconds, it deletes the route from the routing table.
Case description
In this case, R1, R2, and R3 reside on network 192.168.1.0/24; R3, R4, and R5 reside on network 192.168.2.0/24. All the routers run RIPv2 and advertise IP addresses of connected interfaces. To control route selection on R3, modify the metric of routes.
Remarks
In the IP routing table, only some related routing entries are displayed. In the Flags field of the route, R indicates an iterated route, and D indicates that the route is delivered to the FIB table.
route. After the route is added to the routing table, the metric of the route is changed. Running this command affects route selection of the local device and other devices.
The rip metricout command increases the metric of an advertised route. The metric of the route remains unchanged in the routing table. Running this command does not affect route selection of the local device but affects route selection of other devices.
View
Interface view
Parameters
rip metricout { value | { acl-number | acl-name acl-name | ip-
Precautions
You can specify value1 to increase the metric of the advertised RIP route that passes the filtering of an ACL or IP prefix list. If a RIP route does not pass the filtering, its metric is increased by 1.
Running the rip metricin/metricout commands will affect route selection of other devices.
Case description
The topology in this case is the same as that in the previous case. To prevent interfaces from sending or receiving route updates, suppress the interfaces or run the undo rip input/output commands.
Command usage
The silent-interface command suppresses an interface to allow it to receive but not send RIP packets. If an interface is suppressed, direct routes of the network segment where the interface resides can still be advertised to other interfaces. This command can be used together with the peer (RIP) command to advertise routes to a specified device.
The undo rip output/input command prohibits an interface from sending/receiving RIP packets.
View
silent-interface: RIP view
Parameters
silent-interface { all | interface-type interface-number }
Precautions
all: suppresses all the interfaces.
Case description
The topology in this case is the same as that in the previous case. To prevent a device from receiving routes from a specified neighbor, run the filter-policy gateway command.
Command usage
The filter-policy { acl-number | acl-name acl-name } import command filters received routes based on an ACL.
The filter-policy gateway ip-prefix-name import command filters routes based on the advertising gateway.
View
filter-policy { acl-number | acl-name acl-name | ip-prefix ip-prefix-name } import: RIP view
filter-policy gateway ip-prefix-name import: RIP view
Parameters
filter the destination address of routes.
acl-name acl-name: specifies the name of an ACL. The
Case description
To reduce routing entries, Company A decides to summarize routes. RIPv2 summarization includes automatic summarization based on the main class network and manual summarization. You can perform automatic summarization on R1 and manual summarization on R3 and R4.
Command usage
summary [ always ]: When classful summarization is enabled, summary routes are advertised to the natural network boundary. Classful summarization is enabled by default in RIPv2, but it becomes invalid if split horizon or poison reverse is configured. When the always parameter is configured, RIPv2 automatic summarization is enabled regardless of whether split horizon or poison reverse is configured.
rip summary-address ip-address mask [ avoid-feedback ]: configures a RIP router to advertise a local summary IP
View
summary [ always ]: RIP view
rip summary-address ip-address mask [ avoid-feedback ]: interface view
Parameters
summary [ always ]
always: If the always parameter is not configured, classful summarization becomes ineffective when split horizon or poison reverse is configured. Therefore, when summary routes are advertised to the natural network boundary with no always, split horizon or poison reverse must be disabled in corresponding views.
rip summary-address ip-address mask [ avoid-feedback ]
ip-address: specifies a summary IP address.
mask: specifies a network mask.
avoid-feedback: avoids learning the summary route to the advertised summary IP address from the interface.
Case description
In this case, R1 and R2 connect over network 192.168.1.0/24. R1 connects to network 10.0.0.0/24, and R2 connects to network 172.16.0.0/24. Devices on the network run RIPv2 and import the routes to networks where the devices reside. Only the display command output of R1 is provided and only information about this case is displayed.
Command usage
timers rip update age garbage-collect: adjusts a timer.
rip authentication-mode md5 nonstandard password-key key-id: configures the MD5 authentication mode. Authentication packets use the nonstandard packet format. nonstandard indicates that MD5 authentication packets use the nonstandard packet format (IETF standards).
rip replay-protect [ window-range ]: enables the replay-protect function. window-range specifies the receive or transmit buffer size for connections. The default value is 50.
View
key key-id: interface view
rip replay-protect [ window-range ]: interface view
Parameters
timers rip update age garbage-collect
update: specifies the interval for transmitting route updates.
age: specifies the route aging time.
garbage-collect: specifies the interval at which an unreachable route is deleted from the routing table, namely, garbage-collect time defined in standards.
Precautions
If the three timers are configured incorrectly, routes become unstable. The update time must be shorter than the aging time. For example, if the update time is longer than the aging time, a RIP router cannot notify route updates to neighbors within the update time. In applications, the timeout period of the garbage-collect timer is not fixed. When the update timer is set to 30 seconds, the garbage-collect timer may range from 90 to 120 seconds. The reason is as follows: Before the RIP router deletes an unreachable route from the routing table, it sends Update packets four times to advertise the route and sets the
Assume that the Identification field (a field in an IP header) of the last RIP packet sent before a RIP interface goes Down is X. After the interface becomes Up, the Identification field of the RIP packet sent again becomes 0, and subsequent RIP packets are discarded until a RIP packet with the Identification field as X+1 is received. This, however, causes asynchronous and lost RIP routing information between two ends. To address this issue, configure the rip replay-protect command to enable the RIP interface to obtain the Identification field of the last RIP packet sent before the RIP interface goes Down and increase the Identification field in the subsequent RIP packet by 1.
1. Check whether ARP is working properly.
2. Check whether related interfaces are Up.
3. Check whether RIP is enabled on the interfaces. Run the display current-configuration configuration rip command to view information about the RIP-enabled network segment. Check whether the interfaces reside on the network segment. The network address specified in the network command must be a natural network address.
4. Check whether versions of the RIP packets sent by the peer end and received by the local end match. By default, an interface sends only RIPv1 packets but can receive RIPv1 and RIPv2 packets.

current-configuration configuration rip command to view information about the RIP-enabled network segment. Check whether the interfaces reside on the network segment. The network address specified in the network command must be a natural network address.
2. Check whether versions of the RIP packets sent by the peer end and received by the local end match. By default, an interface sends only RIPv1 packets but can receive RIPv1 and RIPv2 packets. When an inbound interface receives RIP packets of a different version, RIP routes may fail to be correctly received.
3. Check whether a routing policy is configured to filter received RIP

R1 connects to network 10.X.X.0/24, and R2 connects to network 172.16.X.0/24.
Analysis process
In the pre-configurations of R1 and R2, the frame relay configuration supports multicast.
R1 sends version 2 Update packets to R2 in multicast.
R1 and R2 can learn routes to each other.
Results
Generally, the peer command makes routers send packets in unicast, but by default it does not suppress the sending of multicast packets. Therefore, it is recommended that you configure the related interfaces as silent interfaces when you configure this command, so that multicast packets are suppressed and only unicast packets are sent.
Results
The display rip route command displays the RIP routes learned from other routers and values of timers for routes. The Tag field indicates whether a RIP route is an internal or external route. The default value is 0. The Flags field indicates whether a RIP route is active or inactive. The value RA indicates an active RIP route, and the value RG indicates an inactive RIP route and that the garbage-collect timer has been started.
Results
After the avoid-feedback keyword is specified, the local interface does not learn the summary route to the advertised summary IP address, preventing routing loops.
The filter-policy export command configures a filtering policy to filter the routes to be advertised. Only the filtered routes can be added to the routing table and advertised through Update packets.
Case description
In this topology, R1, R2, and R3 connect to the same broadcast domain. R3 connects to network 172.16.X.0/24 and advertises routes to RIP.
Analysis process
In requirements 1 and 3, R1 is taken as an example. The command output shows that R1 sends multicast packets and does not start authentication.
Before meeting requirement 2, R1 can receive all routes to 172.16.X.0/24.
Results
The RIP authentication command can only be configured on an interface. Huawei devices support standard MD5 authentication and Huawei proprietary authentication mode. You can run the display rip process-id interface interface-type verbose command to view the authentication mode.
Parameters
rip authentication-mode { simple password | md5 { nonstandard { password-key1 key-id | keychain keychain-name } | usual password-key2 } }
Precautions
Only one authentication password is used for each authentication. If multiple authentication passwords are configured, only the latest one takes effect. The authentication password does not contain spaces.
Results
Only an ACL can be used; an IP prefix list cannot be used. When defining ACLs, make sure to use the wildcard mask. In this case, focus on which bits of the wildcard mask are 0; the other bits are 1.
Results
RIPv2 multicasts Update packets by default. You can run the rip version 2 broadcast command in the interface view to configure RIPv2 to broadcast Update packets.
IS-IS Overview
IS-IS is a dynamic routing protocol designed by the International Organization for Standardization (ISO) for its Connectionless Network Protocol (CLNP).
The Internet Engineering Task Force (IETF) extended and modified IS-IS so that IS-IS can be applied to TCP/IP and OSI environments. This version of IS-IS is called Integrated IS-IS.
IS-IS Terms
Connectionless network service (CLNS)
CLNS consists of the following three protocols:
CLNP: is similar to the Internet Protocol (IP) of TCP/IP.
ES-IS: End System to Intermediate System, is similar to Address Resolution Protocol (ARP) and Internet Control
two-level hierarchy consisting of a backbone area and non-backbone areas in an autonomous system (AS). Generally, Level-1 routers are deployed in non-backbone areas, whereas Level-2 and Level-1-2 routers are deployed in the backbone area. Each non-backbone area connects to the backbone area through a Level-1-2 router.
Topology Introduction
The figure shows a network that runs IS-IS. The network topology is similar to the multi-area topology of an OSPF
neighbor relationships with only Level-1 and Level-1-2 routers in the same area. A Level-1 router maintains a Level-1 link state database (LSDB), which contains routes in the local area.
A Level-1 router forwards packets destined for other areas to the nearest Level-1-2 router.
A Level-1 router connects to other areas through a Level-1-2 router.
Level-2 Router
as a frame relay (FR) network, you need to configure sub-interfaces and set the sub-interface type to point-to-point (P2P). IS-IS cannot run on point-to-multipoint (P2MP) links.
DIS
In a broadcast network, IS-IS needs to elect a designated intermediate system (DIS) from all the routers.
The Level-1 DIS and Level-2 DIS are elected respectively.
The router with the highest DIS priority is elected as the DIS. If there are multiple routers with the highest DIS
as the DIS.
You can set different DIS priorities for electing DISs of different levels.
A router whose DIS priority is 0 can also participate in a
also takes part in DIS election. In an OSPF network, a router whose priority is 0 does not take part in DR election.
In an IS-IS broadcast network, when a new router that meets the requirements of being a DIS connects to the network, the router is elected as the new DIS, and the previous pseudonode is deleted. This causes a new flooding of LSPs. In an OSPF network, when a new router connects to the network, it is not immediately elected as the DR even if it has the highest DR priority.
In an IS-IS broadcast network, all routers (including non-DIS routers) of the same level and on the same network segment establish adjacencies.
NSAP
An NSAP consists of the initial domain part (IDP) and domain specific part (DSP). The lengths of the IDP and DSP are variable. The maximum length of the NSAP is 20 bytes and its minimum length is 8 bytes.
The IDP is similar to the network ID in an IP address. It is defined by the ISO and consists of the authority and format identifier (AFI) and initial domain identifier (IDI). The AFI indicates the address allocation authority and address format, and the IDI identifies a domain.
The DSP is similar to the subnet ID and host address in an IP
LAN ID fields, but has a Local Circuit ID field. The Priority field indicates the DIS priority in a broadcast network, the LAN ID field indicates the system ID of the DIS and pseudonode, and the Local Circuit ID field indicates the local link ID.
IIHs are used for two neighbors to negotiate MTU by padding the packets to the maximum size.
LSP
LSPs are similar to link-state advertisements (LSAs) in OSPF.
Level-1 routers transmit Level-1 LSPs.
Level-2 routers transmit Level-2 LSPs.
Level-1-2 routers transmit both Level-1 and Level-2 LSPs.
The ATT, OL, and IS-Type fields are major fields in an LSP. The
p :
t
PDU type
• It identifies the PDU type.
Version
• It has a fixed value of 1.
Reserve
• It is set to all zeros.
Max areas
IS supports a maximum of three areas.
IIHs on a P2P link
Circuit type
• If this field is set to 0, the PDU will be ignored.
System ID
• It indicates the system ID of the originating router
that sends the IIH.
Holding time
• It indicates the interval for the peer router to wait for
the originating router to send the next IIH.
PDU length
• It indicates the PDU length.
Local circuit ID
• It is allocated to the local circuit by the originating
router when the router sends IIHs. This ID is unique
on the router interface. On the other end of the P2P
link, the circuit ID contained in IIHs may be the same
as or different from the local circuit ID.
Area address TLV
• It indicates the area address of the originating router.
IP interface address TLV
• It indicates the interface address or IP address of the
router that sends the PDU.
Protocol supported TLV
• It indicates protocol types supported by the
originating router, such as IP, CLNP, and IPv6.
Restart option TLV
• It is used for graceful restart.
Point-to-point adjacency state TLV
• It indicates that three-way handshake is supported.
Multi topology TLV
• It indicates that multi-topology is supported.
Padding TLV
• It indicates that IIH padding is supported.
LSP
PDU length
• It indicates the PDU length.
Remaining lifetime
• It indicates the time before an LSP expires.
LSP ID
• It can be the system ID, pseudonode ID, or LSP
number.
• The value 0000.0000.0001.00-00 indicates a
common LSP.
• The value 0000.0000.0001.01-00 indicates a
pseudonode LSP.
Sequence number
• It indicates the sequence number of the LSP. The
Checksum
• It indicates the checksum. The checksum is calculated
from the field after the LSP Remaining Time till the end.
P bit
• It is used to repair segmented areas and is similar to
the OSPF virtual link. Most vendors do not support
this feature.
ATT bit
• It indicates that the originating router is connected to
one or multiple areas.
OL bit
• It identifies the overload state.
IS type
• It indicates the router type.
Protocol supported TLV
• It indicates protocol types supported by the
originating router, such as IP, CLNP, and IPv6.
Area address TLV
• It indicates the area address of the originating router.
IS reachability TLV
• It is used to list neighbors of the originating router.
IP interface address TLV
• It indicates the interface address or IP address of the
router that sends the PDU.
IP internal reachability TLV
mask information of the area that directly connects to
the router that sends the LSP. A pseudonode LSP
does not contain this TLV.
CSNP and PSNP
PDU length
• It indicates the PDU length.
Source-ID
• It indicates the system ID of the originating router.
Start LSP-ID
• It starts from 0000.0000.0000.00-00.
End LSP-ID
• It ends at ffff.ffff.ffff.ff-ff.
LSP entries
• LSP summary information
Routers of different levels cannot establish neighbor relationships.
Level-2 routers cannot establish neighbor relationships with Level-1
routers. However, Level-1-2 routers can establish Level-1 neighbor
relationships with Level-1 routers in the same area, and establish
Level-2 neighbor relationships with Level-2 routers in the same area or
in different areas.
Level-1 routers can only establish Level-1 neighbor relationships with
Level-1 or Level-1-2 routers in the same area.
IP addresses of IS-IS interfaces on both ends of a link must be on the
establish neighbor relationships may be on different network
segments. To solve this problem, Huawei devices check the
network segment of routers to ensure that IS-IS neighbor
relationships are correctly established.
You can configure interfaces not to check IP addresses on a P2P
network if the network does not need to check the IP addresses.
In a broadcast network, you need to simulate Ethernet interfaces
as P2P interfaces before configuring the interfaces not to check
IP addresses.
Two routers running IS-IS need to establish a neighbor relationship
before exchanging protocol packets to implement routing. On different
networks, the modes for establishing IS-IS neighbor relationships are
different.
In a broadcast network, routers exchange LAN IIHs to establish
neighbor relationships. LAN IIHs are classified into Level-1 LAN IIHs
(with the multicast MAC address 01-80-C2-00-00-14) and Level-2 LAN
IIHs (with the multicast MAC address 01-80-C2-00-00-15). Level-1
routers exchange Level-1 LAN IIHs to establish neighbor relationships.
Level-2 routers exchange Level-2 LAN IIHs to establish neighbor
relationships. Level-1-2 routers exchange Level-1 LAN IIHs and Level-2
In this example, two Level-2 routers establish a neighbor relationship
on a broadcast link.
R1 multicasts a Level-2 LAN IIH (with the multicast MAC address
01-80-C2-00-00-15) with no neighbor ID specified.
R2 receives the packet and sets the status of the neighbor
relationship with R1 to Initial. R2 then responds to R1 with a
Level-2 LAN IIH, indicating that R1 is a neighbor of R2.
R1 receives the packet and sets the status of the neighbor
relationship with R2 to Up. R1 then responds to R2 with a Level-2
LAN IIH, indicating that R2 is a neighbor of R1.
R2 receives the packet and sets the status of the neighbor
relationship with R1 to Up. R1 and R2 successfully establish a
neighbor relationship.
The network is a broadcast network, so a DIS needs to be elected.
After the neighbor relationship is established, routers wait for two
intervals before sending Hello PDUs to elect the DIS. Hello PDUs
exchanged by the routers contain the Priority field. The router with the
highest priority is elected as the DIS. If the routers have the same
priority, the router with the largest interface MAC address is elected as
the DIS. In an IS-IS network, the DIS sends Hello PDUs at an interval
of 10/3 seconds, and non-DIS routers send Hello PDUs at an interval of
10 seconds.
Differences between IS-IS Adjacencies and OSPF Adjacencies
In IS-IS, two neighbor routers establish an adjacency if they
exchange Hello PDUs. In OSPF, two routers establish a neighbor
relationship if they are in 2-Way state, and establish an adjacency
if they are in Full state.
In IS-IS, a router whose priority is 0 can participate in a DIS
election. In OSPF, a router whose priority is 0 does not take part
in DR election.
In IS-IS, the DIS election is based on preemption. In OSPF, a
router cannot preempt to be the DR or BDR if the DR or BDR has
been elected.
Unlike the establishment of a neighbor relationship on a broadcast
network, the establishment of a neighbor relationship on a P2P network
is classified into two modes: two-way mode and three-way mode.
Two-Way Mode
Upon receiving a P2P IIH from a peer router, a router
considers the peer router Up and establishes a neighbor
relationship with the peer router.
Unidirectional communication may occur.
The process of synchronizing LSDBs between a newly added router
and DIS on a broadcast link is as follows:
Assume that the newly added router R3 has established neighbor
relationships with R2 (DIS) and R1.
R3 sends an LSP to a multicast address (01-80-C2-00-00-14 in a
Level-1 area and 01-80-C2-00-00-15 in a Level-2 area). All
neighbors on the network can receive the LSP.
The DIS on the network segment adds the received LSP to its
LSDB. After the CSNP timer expires, the DIS sends CSNPs at an
interval of 10 seconds to synchronize the LSDBs on the network.
R3 receives the CSNPs from the DIS, checks its LSDB, and
sends a PSNP to the DIS to request the LSPs it does not have.
The DIS receives the PSNP and sends the required LSPs to R3
for LSDB synchronization.
The process of updating the LSDB of the DIS is as follows:
checksum of the received LSP is larger than that of the LSP in the
LSDB, the DIS replaces the local LSP with the received LSP and
broadcasts the new LSDB. If the checksum of the received LSP is
smaller than that of the LSP in the LSDB, the DIS sends the local
LSP to the inbound interface.
If the sequence number, remaining lifetime, and checksum of the
received LSP and those of the corresponding LSP in the LSDB
are the same, the LSP is not forwarded.
The process of synchronizing LSDBs on a P2P network is as follows:
After establishing a neighbor relationship, R1 and R2 send a
CSNP to each other. If the LSDB of the neighbor and the received
CSNP are not synchronized, the neighbor sends a PSNP to
request the required LSP.
Assume that R2 requests the required LSP from R1. R1 sends
the required LSP to R2, starts the LSP retransmission timer, and
waits for a PSNP from R2 as an acknowledgement for the
received LSP.
If R1 does not receive a PSNP from R2 after the LSP
retransmission timer expires, R1 resends the LSP until it receives
local LSP to the neighbor and waits for a PSNP from the neighbor.
If the sequence number of the received LSP is larger than that of
the corresponding LSP in the LSDB, the router adds the received
LSP to its LSDB, sends a PSNP to acknowledge the received
LSP, and then sends the received LSP to all its neighbors except
the neighbor that sends the LSP.
If the sequence number of the received LSP is the same as that of
the corresponding LSP in the LSDB, the router compares the
remaining lifetime of the two LSPs.
If the remaining lifetime of the received LSP is smaller than that of
the LSP in the LSDB, the router replaces the local LSP with the
received LSP, sends a PSNP to acknowledge the received LSP,
and sends the received LSP to all neighbors except the neighbor
that sends the LSP. If the remaining lifetime of the received LSP
is larger than that of the LSP in the LSDB, the router sends the
local LSP to the neighbor and waits for a PSNP.
If the sequence number and remaining lifetime of the received
LSP are the same as those of the corresponding LSP in the LSDB,
the router compares the checksums of the two LSPs. If the
checksum of the received LSP is larger than that of the LSP in the
LSDB, the router replaces the local LSP with the received LSP,
sends a PSNP to acknowledge the received LSP, and sends the
received LSP to all neighbors except the neighbor that sends the
LSP. If the checksum of the received LSP is smaller than that of
the LSP in the LSDB, the router sends the local LSP to the
neighbor and waits for a PSNP.
If the sequence number, remaining lifetime, and checksum of the
received LSP and those of the corresponding LSP in the LSDB
are the same, the LSP is not forwarded.
On a P2P network, a PSNP has the following functions:
It is used to acknowledge a received LSP.
It is used to request a required LSP.
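The LSP update rules above, written out as an added Python example (not code from the course material or from any IS-IS implementation). The class and function names are hypothetical, the sample values are constructed, and two branches are assumptions: an LSP that is not yet in the LSDB is installed, and a smaller sequence number is answered with the local LSP, following the surviving tail of the truncated sentence above.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Optional, Tuple


class Action(Enum):
    INSTALL = "replace LSDB copy, acknowledge with PSNP, flood to other neighbors"
    SEND_LOCAL = "send the local LSP to the sender and wait for its PSNP"
    IGNORE = "identical to the LSDB copy, do not forward"


@dataclass(frozen=True)
class Lsp:
    lsp_id: str              # for example "0000.0000.0001.00-00"
    seq: int                 # sequence number
    remaining_lifetime: int  # seconds
    checksum: int


def compare(received: Lsp, local: Optional[Lsp]) -> Action:
    """Apply the comparison order from the text: sequence number,
    then remaining lifetime, then checksum."""
    if local is None:
        return Action.INSTALL  # assumption: an unknown LSP is simply added
    if received.seq != local.seq:
        # Larger sequence number wins. The smaller case is inferred from
        # the truncated sentence in the text.
        return Action.INSTALL if received.seq > local.seq else Action.SEND_LOCAL
    if received.remaining_lifetime != local.remaining_lifetime:
        # Same sequence number: the copy with the smaller lifetime wins.
        smaller = received.remaining_lifetime < local.remaining_lifetime
        return Action.INSTALL if smaller else Action.SEND_LOCAL
    if received.checksum != local.checksum:
        # Same sequence number and lifetime: the larger checksum wins.
        larger = received.checksum > local.checksum
        return Action.INSTALL if larger else Action.SEND_LOCAL
    return Action.IGNORE


class Lsdb:
    """Minimal LSDB for one router on P2P links."""

    def __init__(self, neighbors: Iterable[str]) -> None:
        self.neighbors = set(neighbors)
        self.entries: Dict[str, Lsp] = {}

    def receive(self, sender: str, lsp: Lsp) -> Tuple[Action, List[str]]:
        """Process one LSP and return the action plus the neighbors
        the LSP is flooded to (every neighbor except the sender)."""
        action = compare(lsp, self.entries.get(lsp.lsp_id))
        if action is Action.INSTALL:
            self.entries[lsp.lsp_id] = lsp
            return action, sorted(self.neighbors - {sender})
        return action, []


if __name__ == "__main__":
    lsdb = Lsdb(["R2", "R3"])
    lsp_id = "0000.0000.0001.00-00"
    samples = [  # constructed sample LSPs
        ("R2", Lsp(lsp_id, 5, 1100, 0x1A2B)),
        ("R3", Lsp(lsp_id, 5, 1100, 0x1A2B)),
        ("R3", Lsp(lsp_id, 4, 1200, 0x9999)),
        ("R3", Lsp(lsp_id, 5, 900, 0x1A2B)),
    ]
    for sender, lsp in samples:
        action, flood_to = lsdb.receive(sender, lsp)
        print(sender, lsp.seq, lsp.remaining_lifetime, action.name, flood_to)
```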
Assume that R1 sends packets to R6. The default situation is as
follows:
As a Level-1 router, R1 does not know routes outside its area, so
it sends packets to other areas through the default route
generated by the nearest Level-1-2 router (R3). Therefore, R1
selects the route R1->R3->R5->R6, which is not the optimal
route, to forward the packets.
To solve this problem, IS-IS provides route leaking. You can
configure access control lists (ACLs) and routing policies and mark
routes with tags on Level-1-2 routers to select eligible routes. Then a
Level-1-2 router can advertise routing information of other Level-1
but the LSPs are not used when routes that pass through a
router configured with the overload bit are calculated. That is,
after the overload bit is set on a router, other routers ignore this
router when performing SPF calculation and calculate only the
direct routes of the router.
Topology
R2 forwards the packets from R1 to R3. If the overload bit on R2
is set to 1, R1 considers the LSDB of R2 incomplete and sends
changed nodes rather than all the nodes when the network
topology changes, except when calculation is
performed for the first time, at which time all nodes are involved,
thereby speeding up route calculation. I-SPF improves the SPF
algorithm. The shortest path tree (SPT) generated is the same as
that generated by the SPF algorithm. This decreases CPU usage
and speeds up network convergence.
Partial route calculation (PRC): calculates only the changed
calculates only the changed routes, but it does not calculate the
shortest path. It updates routes based on the SPT
calculated by I-SPF. In route calculation, a leaf represents a
route, and a node represents a router. If the SPT changes
after I-SPF calculation, PRC processes all the leaves only on the
changed node. If the SPT remains unchanged, PRC processes
only the changed leaves. For example, if IS-IS is enabled on an
interface of a node, the SPT calculated by I-SPF remains
unchanged. PRC updates only the routes of this interface,
consuming less CPU resources.
Intelligent Timer
LSP generation intelligent timer: There is a minimum
interval restriction on LSP generation to prevent frequent
flapping of LSPs from affecting the network. The same LSP
cannot be generated repeatedly within the minimum
interval, which is 5 seconds by default. This restriction
significantly affects route convergence speed.
In IS-IS, if local routing information changes,
a router generates a new LSP to advertise this change.
When local routing information changes frequently, the
newly generated LSPs consume a lot of system resources.
If the delay in generating an LSP is too long, the router
cannot advertise changed routing information to neighbors
in time, reducing the network convergence speed. The
delay in generating an LSP for the first time is determined
by init-interval, and the delay in generating an LSP for the
second time is determined by incr-interval. From the third
time on, the delay in generating an LSP doubles
each time until the delay reaches the value specified by
max-interval. After the delay remains at the value specified
by max-interval for three times or the IS-IS process is
restarted, the delay decreases to the value specified by init-
interval. When only max-interval is specified, the intelligent
timer functions as an ordinary one-time triggering timer.
SPF calculation intelligent timer: In IS-IS, routes are
calculated when the LSDB changes. However, frequent
route calculations consume a lot of system resources and
decrease the system performance. Delaying SPF
calculation can improve route calculation efficiency. If the
delay in route calculation is too long, the route convergence
remains at the value specified by max-interval for three
times or the IS-IS process is restarted, the delay decreases
to the value specified by init-interval. If incr-interval is not
specified, the delay in SPF calculation for the first time is
determined by init-interval. From the second time on, the
delay in SPF calculation is determined by max-interval.
After the delay remains at the value specified by max-
interval for three times or the IS-IS process is restarted, the
delay decreases to the value specified by init-interval.
When only max-interval is specified, the intelligent timer
functions as an ordinary one-time triggering timer.
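The delay sequence both intelligent timers follow under continuous flapping, as an added Python sketch (not vendor code). It covers the three parameter combinations described above and counts how many LSP generations or SPF runs fit into a time window, which is the bound the timer places on CPU load. Function names are hypothetical, all intervals are constructed sample values in one common unit (milliseconds here), and "remains at max-interval for three times" is read as three consecutive delays equal to max-interval.

```python
from itertools import islice
from typing import Iterator, List, Optional


def delays(max_interval: int,
           init_interval: Optional[int] = None,
           incr_interval: Optional[int] = None) -> Iterator[int]:
    """Yield the delay applied to each successive trigger, assuming the
    triggers keep arriving back to back (a flapping link or route)."""
    for value in (max_interval, init_interval, incr_interval):
        if value is not None and value <= 0:
            raise ValueError("intervals must be positive")
    step = 0      # triggers seen since the last reset to init-interval
    at_max = 0    # how many delays in this cycle were equal to max-interval
    while True:
        if init_interval is None:
            # Only max-interval configured: ordinary fixed timer.
            delay = max_interval
        elif step == 0:
            delay = min(init_interval, max_interval)
        elif incr_interval is None:
            # No incr-interval: jump straight to max-interval.
            delay = max_interval
        else:
            # incr-interval for the second trigger, then doubling,
            # capped at max-interval.
            delay = min(incr_interval * 2 ** (step - 1), max_interval)
        yield delay
        if init_interval is not None and step > 0 and delay == max_interval:
            at_max += 1
        step += 1
        if at_max == 3:
            step, at_max = 0, 0   # fall back to init-interval


def schedule(count: int, max_interval: int,
             init_interval: Optional[int] = None,
             incr_interval: Optional[int] = None) -> List[int]:
    """First `count` delays of the sequence."""
    return list(islice(delays(max_interval, init_interval, incr_interval), count))


def runs_within(window: int, max_interval: int,
                init_interval: Optional[int] = None,
                incr_interval: Optional[int] = None) -> int:
    """Number of LSP generations / SPF runs that complete inside `window`
    when every run is followed immediately by another change."""
    elapsed = 0
    runs = 0
    for delay in delays(max_interval, init_interval, incr_interval):
        elapsed += delay
        if elapsed > window:
            return runs
        runs += 1
    return runs


if __name__ == "__main__":
    # Constructed sample values: max 5000 ms, init 50 ms, incr 200 ms.
    print(schedule(11, 5000, 50, 200))
    print(schedule(5, 5000, 50))
    print(schedule(3, 5000))
    print(runs_within(60000, 5000, 50, 200), runs_within(60000, 5000))
```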
LSP fast flooding: Because the number of LSPs is huge, IS-IS
periodically floods LSPs in batches to reduce the impact of LSP
flooding on network devices. By default, the minimum interval for
sending LSPs on an interface is 50 milliseconds and the
maximum number of LSPs sent at a time is 10. After the flash-
flood function is enabled, when LSPs change and cause SPF
recalculation, IS-IS immediately floods LSPs that cause SPF
recalculation instead of sending the LSPs periodically. When the
network topology changes, LSDBs of all devices on the network
are inconsistent. This function effectively reduces the time during
which LSDBs are inconsistent and improves the network fast
convergence performance. When a network fault occurs, only a
small number of LSPs change although a large number of LSPs
exist. Therefore, IS-IS only needs to flood the changed LSPs and
consumes few system resources.
Priority-based Convergence
You can use the IP prefix list to filter routes and configure different
convergence priorities for different routes so that important routes
are converged first, improving the network reliability.
The convergence priorities of IS-IS routes are classified into
critical, high, medium, and low in decreasing order.
In area authentication and routing domain authentication, you can
configure a router to authenticate LSPs and SNPs separately in the
following ways:
The router sends LSPs and SNPs carrying the authentication TLV
and verifies the authentication information of the received LSPs
and SNPs.
The router sends LSPs carrying the authentication TLV and
verifies the authentication information of the received LSPs. The
router sends SNPs carrying the authentication TLV but does not
verify the authentication information of the received SNPs.
The router sends LSPs carrying the authentication TLV and
SNPs.
The router sends LSPs and SNPs carrying the authentication TLV
but does not verify the authentication information of the received
LSPs and SNPs.
Concepts
Originating system: is a router that runs the IS-IS protocol. After
LSP fragment extension is enabled, you can configure virtual
systems for the router. The originating system refers to the IS-IS
process.
System ID: is the system ID of the originating system.
Additional System ID: is configured for a virtual system after IS-IS
LSP fragment extension is enabled. A maximum of 256 extended
LSP fragments can be generated for each additional system ID.
Like a normal system ID, an additional system ID must be unique
in a routing domain.
Virtual system: is a system identified by an additional system ID. It
about links to each virtual system. Similarly, each virtual
system advertises LSPs containing information about links
to the originating system. Virtual systems look like the
physical routers that connect to the originating system.
• The LSP sent by a virtual system contains the same area
address and overload bit as those in a common LSP. If the
LSPs sent by a virtual system contain TLVs specified in
other features, these TLVs must be the same as those in
common LSPs.
• The virtual system carries neighbor information indicating
that the neighbor is the originating system, with the metric
equal to the maximum value (64 for narrow metric) minus 1.
The originating system carries neighbor information
indicating that the neighbor is the virtual system, with the
metric 0. This ensures that the virtual system is the
downstream node of the originating system when other
routers calculate routes.
• As shown in the topology, R2 does not support LSP
the route from R1 to R1-1 and the cost of the route from R1
to R1-2 are both 0, the cost of the route from R2 to R1 is
the same as the cost of the route from R2 to R1-1.
• The LSPs that are generated by virtual systems contain
only the originating system as the neighbor (the neighbor
type is P2P). In addition, virtual systems are considered
only as leaves.
• Mode-2
• It is used when all the routers on the network support LSP
fragment extension. In this mode, virtual systems do not
participate in SPF calculation.
All the routers on the network know that the LSPs
generated by virtual systems actually belong to the
originating system.
• R2 supports LSP fragment extension, and R1 is configured
to support LSP fragment extension in mode-2. R1-1 and
R1-2 are virtual systems of R1 and send LSPs carrying
some routing information of R1.
When receiving LSPs from R1-1 and R1-2, R2 obtains the IS
Alias ID TLV and knows that the originating system of R1-1
and R1-2 is R1. R2 then considers that information
advertised by R1-1 and R1-2 belongs to R1.
Precautions
After LSP fragment extension is configured, the system
prompts you to restart the IS-IS process if information is
lost because LSPs overflow. After being restarted, the
originating system loads as much routing information as
possible to LSPs, and adds the overloaded information to
the LSPs of the virtual system for transmission.
If there are devices of other vendors on the network, LSP
fragment extension must be set to mode-1, otherwise,
devices of other vendors cannot identify the LSPs.
It is recommended that you configure LSP fragment
extension and virtual systems before establishing IS-IS
neighbor relationships or importing routes. If you establish
IS-IS neighbor relationships or import routes, IS-IS will
carry a lot of information that cannot be loaded through 256
fragments. You must configure LSP fragment extension
and virtual systems. The configuration takes effect only
after you restart the IS-IS router. Therefore, exercise
caution when you establish IS-IS neighbor relationships or
import routes.
IS-IS Administrative Tag
Administrative tags control the advertisement of IP prefixes in an
IS-IS routing domain to simplify route management. You can use
administrative tags to control the import of routes of different
levels and different areas and control IS-IS multi-instances (tags)
running on the same router.
Topology
Assume that R1 needs to receive only Level-1 routing
information from R2, R3, and R4. To meet this requirement,
configure the same administrative tag for IS-IS interfaces on R2,
R3, and R4. Then configure the Level-1-2 router in area 47.0003
attribute.
Case Description
In this case, the addresses for interconnecting devices are as
follows:
• If RX interconnects with RY, their interconnection
addresses are XY.1.1.X and XY.1.1.Y respectively, and the network
mask is 24.
Remarks
R4 and R5 are Level-1-2 routers. They calculate Level-1 and
Level-2 routes at the same time and maintain the
Level-1 and Level-2 LSDBs.
Command Usage
The is-level command sets the level of an IS-IS router. By
default, the level of an IS-IS router is Level-1-2.
The isis circuit-level command sets the link type of an
interface.
View
is-level: IS-IS view
isis circuit-level: interface view
Parameters
is-level { level-1 | level-1-2 | level-2 }
level-1: sets a router as a Level-1 router, which
LSDB.
level-1-2: sets a router as a Level-1-2 router, which
calculates Level-1 and Level-2 routes and maintains a
Level-1 LSDB and a Level-2 LSDB.
effect on the interface only when the IS-IS system type is
Level-1-2, otherwise, the level configured using the is-level
command is used as the link type.
In a P2P network, the Circuit ID uniquely identifies a local
interface. In a broadcast network, the Circuit ID is the
system ID and pseudonode ID.
Case Description
The topology in this case is the same as that in the previous case.
It is required that no DIS can be elected between R4 and R6 or
between R5 and R6. That is, the links between R4 and R6 and
between R5 and R6 cannot be broadcast links.
A priority that is as small as possible but can still enable a router
to participate in the DIS election is 0.
Command Usage
The isis dis-priority command sets the priority of the interface
that is a candidate for the DIS at a specified level.
The isis circuit-type command simulates the network type of an
interface to P2P.
View
isis dis-priority: interface view
isis circuit-type: interface view
Parameters
isis dis-priority priority [ level-1 | level-2 ]
Specifies the priority for electing DIS. The value ranges from 0
to 127. The default value is 64. The greater the value of priority
Company A requires route control. When configuring tags, you
should also enable IS-IS wide metric on all devices in the network
so that the tags can be transmitted in the entire network. In
addition, Level-2 routes cannot be directly leaked to Level-1 areas
and need to be configured manually.
Command Usage
The import-route command configures IS-IS to import routes
from other routing protocols.
The import-route isis level-2 into level-1 command controls
route leaking from Level-2 areas to Level-1 areas. The command
needs to be configured on Level-1-2 routers that are connected to
external areas.
The cost-style command sets the cost style of routes sent and
received by an IS-IS router.
View
import-route: IS-IS view
import-route isis level-2 into level-1: IS-IS view
Case Description
The topology in this case is the same as that in the previous case.
Company A reconstructs its network. IS-IS uses ACLs, IP prefix
lists, and tags to control routes.
Command Usage
The filter-policy import command allows IS-IS to filter the
received routes to be added to the IP routing table.
View
filter-policy import: IS-IS view
Parameters
filter-policy { acl-number | acl-name acl-name | ip-prefix ip-prefix-name
| route-policy route-policy-name } import
acl-number: specifies the number of a basic ACL.
ip-prefix ip-prefix-name: specifies the name of an IP
prefix list.
domain authentication, and interface authentication.
Command Usage
The area-authentication-mode command configures an IS-IS
area to authenticate received Level-1 packets (LSPs and SNPs)
using the specified authentication mode and password, or adds
authentication information to Level-1 packets to be sent.
The isis authentication-mode command configures an IS-IS
interface to authenticate Hello packets using the specified mode
and password.
View
area-authentication-mode: IS-IS view
isis authentication-mode: interface view
Parameters
isis authentication-mode { simple password | md5 password-
simple password: indicates that the password is
transmitted in plain text.
md5 password-key: indicates that the password to be
transmitted is encrypted using MD5.
mode.
send-only: indicates that the router encapsulates sent
Hello packets with authentication information but does not
authenticate received Hello packets.
all-send-only: indicates that the router encapsulates
generated LSPs and SNPs with authentication information and
does not authenticate received LSPs and SNPs.
authentication-avoid: indicates that the router does not
encapsulate generated SNPs with authentication information
or authenticate received SNPs. The router encapsulates
generated LSPs with authentication information and
authenticates received LSPs.
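What the simple and md5 keywords put on the wire, and what send-only means for a receiver, shown as an added Python example (not Huawei code). It assumes the authentication TLV layout of RFC 5304: TLV type 10, authentication type 1 for a cleartext password, type 54 for a 16-byte HMAC-MD5 value computed over the PDU with that field zeroed. The header bytes, password and function names are constructed, and the PDU-specific header fields and the PDU length update are left out.

```python
import hashlib
import hmac

AUTH_TLV = 10        # Authentication Information TLV (RFC 5304)
AUTH_CLEARTEXT = 1   # TLV value carries the password itself
AUTH_HMAC_MD5 = 54   # TLV value carries a 16-byte HMAC-MD5 digest
DIGEST_LEN = 16

# Constructed sample: 8-byte stand-in header and an Area Address TLV
# for area 47.0003. This is not a complete, valid IIH.
HEADER = bytes([0x83, 0x08, 0x01, 0x00, 0x11, 0x01, 0x00, 0x00])
AREA_TLV = bytes([1, 4, 3, 0x47, 0x00, 0x03])


def add_simple(pdu: bytes, password: bytes) -> bytes:
    """'simple' mode: the password is appended as it is."""
    return pdu + bytes([AUTH_TLV, 1 + len(password), AUTH_CLEARTEXT]) + password


def add_hmac_md5(pdu: bytes, key: bytes) -> bytes:
    """'md5' mode: append a keyed digest computed over the whole PDU
    with the digest field set to zero. (For LSPs, RFC 5304 also zeroes
    the checksum and remaining lifetime first; not modelled here.)"""
    unsigned = pdu + bytes([AUTH_TLV, 1 + DIGEST_LEN, AUTH_HMAC_MD5]) + bytes(DIGEST_LEN)
    digest = hmac.new(key, unsigned, hashlib.md5).digest()
    return unsigned[:-DIGEST_LEN] + digest


def walk_tlvs(pdu: bytes, header_len: int):
    """Yield (type, value_start, value_end) and reject malformed lengths."""
    pos = header_len
    while pos < len(pdu):
        if pos + 2 > len(pdu):
            raise ValueError("truncated TLV header")
        end = pos + 2 + pdu[pos + 1]
        if end > len(pdu):
            raise ValueError("TLV length runs past the end of the PDU")
        yield pdu[pos], pos + 2, end
        pos = end


def accept(pdu: bytes, header_len: int, secret: bytes, mode: str = "verify") -> bool:
    """Receiver-side decision. In send-only mode nothing is checked, so
    unauthenticated or altered PDUs are accepted."""
    if mode == "send-only":
        return True
    try:
        tlvs = list(walk_tlvs(pdu, header_len))
    except ValueError:
        return False
    for tlv_type, start, end in tlvs:
        if tlv_type != AUTH_TLV:
            continue
        if end == start:
            return False
        kind, value = pdu[start], pdu[start + 1:end]
        if kind == AUTH_CLEARTEXT:
            return hmac.compare_digest(value, secret)
        if kind == AUTH_HMAC_MD5 and len(value) == DIGEST_LEN:
            zeroed = pdu[:start + 1] + bytes(DIGEST_LEN) + pdu[end:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
        return False
    return False  # no authentication TLV present


def tamper(pdu: bytes, index: int) -> bytes:
    """Flip one bit, standing in for modification in transit."""
    changed = bytearray(pdu)
    changed[index] ^= 0x01
    return bytes(changed)


if __name__ == "__main__":
    secret = b"constructed-demo-key"
    pdu = HEADER + AREA_TLV
    simple, signed = add_simple(pdu, secret), add_hmac_md5(pdu, secret)
    print("password visible (simple):", secret in simple)
    print("password visible (md5):   ", secret in signed)
    altered = tamper(signed, len(HEADER) + 5)
    print("altered PDU, verify:   ", accept(altered, len(HEADER), secret))
    print("altered PDU, send-only:", accept(altered, len(HEADER), secret, "send-only"))
```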
Precautions
The area-authentication-mode command takes effect only on
Case Description
In this case, the addresses for interconnecting devices are as
follows:
• If RX interconnects with RY, their interconnection
addresses are XY.1.1.X and XY.1.1.Y respectively, and the network
mask is 24.
R2 connects to R3 and R1 through serial interfaces. R1 and R3
connect through Ethernet interfaces. R1 connects to network
10.0.0.0/24 through G0/0/1.
Results
You can run the display isis peer command to check whether
neighbor relationships are established successfully.
Results
You can run the display isis interface command to view the
interface relationship.
Results
You can run the display ip routing-table command to view the
routing table.
Case Description
In this case, the network runs IS-IS.
Requirement analysis
The log prompt function of IS-IS is disabled by default.
Results
The nexthop command sets the preferences of equal-cost routes.
After IS-IS calculates equal-cost routes using the SPF algorithm,
the next hop is chosen from these equal-cost routes based on the
value of weight. The smaller the value is, the higher the
preference is.
Parameters
nexthop ip-address weight value
ip-address: indicates the next hop address.
an integer that ranges from 1 to 254. The default value
is 255.
Results
The summary ip-address mask avoid-feedback |
generate_null0_route command avoids learning the aggregation
route again. It can also generate a route to the Null0 interface to
prevent loops.
You need to manually open logs of a neighbor.
OSPF topology:
t t
:h
OSPF divides an Autonomous System (AS) into one or
s
multiple logical areas. All areas are connected to Area 0.Area
r ce
0 is backbone Area.
ou
Router type:
es
Internal router: All interfaces on an internal router belong to the
same OSPF area.
R
Area Border Router (ABR): An ABR belongs to two or more
i n g
areas, one of which must be the backbone area. An ABR is
n
used to connect the backbone area and non-backbone areas.
Le area.
Backbone router: At least one interface on a backbone router
e
or
belongs to the backbone area. Internal routers in Area 0 and
all ABRs are backbone routers.
P2P: A network where the link layer protocol is PPP or HDLC
is a P2P network by default. On a P2P network, protocol
packets such as Hello packets, DD packets, LSR packets,
LSU packets, and LSAck packets are sent in multicast mode
using the multicast address 224.0.0.5.
P2MP: No network is a P2MP network by default, no matter
what type of link layer protocol is used on the network. A
network can be changed to a P2MP network. The common
practice is to change a non-fully meshed NBMA network to a
P2MP network. On a P2MP network, Hello packets are sent in
If Router Priority is set to 0, the router cannot be elected as
the DR or BDR.
A larger value of Router Priority indicates a higher priority. If
the value of Router Priority is the same on two interfaces, the
interface with a larger Router ID is elected.
The DR/BDR cannot be preempted.
If the DR is faulty, the BDR automatically becomes the new DR,
and a new BDR is elected on the network. If the BDR is faulty,
the DR does not change, and a new BDR is elected.
Differences between IS-IS DIS and OSPF DR/BDR
On an IS-IS broadcast network, routers with priority 0 still
participate in DIS election. On an OSPF network, routers with
priority 0 do not participate in DR election.
On an IS-IS broadcast network, when a new router meeting
DIS conditions joins the network, the router is elected as the
new DIS, and the original pseudonode is deleted. This causes
LSP flooding. On an OSPF network, a new router will not
immediately become the DR on the network segment even if
the router has the highest DR priority.
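The election rules above as a small simulation. This is an added example, not part of the course material, and it is a simplified model of the rules stated on this page rather than the full RFC 2328 election procedure; the class and function names, Router IDs and MAC addresses are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    router_id: str   # dotted-quad Router ID
    priority: int    # Router Priority carried in Hello packets (0-255)

    def rank(self):
        # Larger Router Priority wins; a tie goes to the larger Router ID.
        return (self.priority, int(ipaddress.IPv4Address(self.router_id)))


class OspfSegment:
    """One broadcast/NBMA segment with non-preemptive DR and BDR roles."""

    def __init__(self):
        self.routers = {}
        self.dr = None
        self.bdr = None

    def _best(self, exclude):
        # Priority 0 routers are never candidates.
        eligible = [r for r in self.routers.values()
                    if r.priority > 0 and r.router_id != exclude]
        return max(eligible, key=Router.rank).router_id if eligible else None

    def _fill_vacancies(self):
        # Only empty roles are filled, so a sitting DR/BDR is never displaced.
        if self.dr is None and self.bdr is not None:
            self.dr, self.bdr = self.bdr, None      # BDR takes over as DR
        if self.dr is None:
            self.dr = self._best(exclude=None)
        if self.bdr is None:
            self.bdr = self._best(exclude=self.dr)

    def start(self, routers):
        """Routers that come up together: elect once over all of them."""
        for r in routers:
            self.routers[r.router_id] = r
        self._fill_vacancies()

    def join(self, router):
        """A router that arrives after the election has finished."""
        self.routers[router.router_id] = router
        self._fill_vacancies()

    def fail(self, router_id):
        self.routers.pop(router_id, None)
        if self.dr == router_id:
            self.dr = None
        if self.bdr == router_id:
            self.bdr = None
        self._fill_vacancies()

    def roles(self):
        return (self.dr, self.bdr)


def elect_dis(candidates):
    """IS-IS contrast: candidates are (name, priority, mac) tuples. Priority 0
    still competes, and the DIS is recomputed (preempted) on every change."""
    def rank(c):
        return (c[1], int(c[2].replace(":", ""), 16))
    return max(candidates, key=rank)[0]


def demo():
    """Constructed scenario: three routers start together, a fourter with the
    highest priority joins late, then the DR and its successor fail."""
    seg = OspfSegment()
    seg.start([Router("1.1.1.1", 1), Router("2.2.2.2", 1), Router("3.3.3.3", 0)])
    history = [seg.roles()]
    seg.join(Router("4.4.4.4", 100))   # highest priority, but arrives late
    history.append(seg.roles())
    seg.fail("2.2.2.2")                # DR fails: BDR is promoted
    history.append(seg.roles())
    seg.fail("1.1.1.1")                # only a priority 0 router is left as backup
    history.append(seg.roles())
    return history


if __name__ == "__main__":
    for dr, bdr in demo():
        print("DR:", dr, "BDR:", bdr)
```

The late router with priority 100 becomes BDR only after a role is vacated, while `elect_dis` would hand it the DIS role as soon as it appears.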
Overview of OSPF packets
OSPF packets are transmitted at the network layer. The
protocol number is 89. There are five types of OSPF packets,
whose packet headers are in the same format.
OSPF packets except the Hello packet carry LSA information.
OSPF packet header information
All OSPF packets have the same OSPF packet header.
Version: specifies the OSPF protocol version number. This field must
be set to 2.
Type: specifies the OSPF packet type. There are five types of
OSPF packets.
Router ID: specifies the router ID of the router generating the
packet.
Hello packet
Network Mask: specifies the network mask of the interface
sending Hello packets.
HelloInterval: specifies the interval for sending Hello packets, in
seconds.
Options: specifies optional functions supported by the OSPF
router sending the Hello packet. Detailed functions are not
mentioned in this course.
Rtr Pri: specifies the router priority on the interface sending
Hello packets. This field is used for electing the DR and BDR.
RouterDeadInterval: specifies the interval for advertising that
the neighbor router does not run OSPF on the network
segment, in seconds. In most cases, the value of this field is
four times HelloInterval.
Designated Router: specifies the IP address of the DR elected
by routers sending Hello packets. The value 0.0.0.0 of this field
indicates that the DR is not elected.
Backup Designated Router: specifies the IP address of the
BDR elected by routers sending Hello packets. The value
0.0.0.0 of this field indicates that the BDR is not elected.
Neighbor: specifies the neighbor router ID, indicating that the
router has received valid Hello packets from neighbors.
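The Hello fields listed above, parsed from raw bytes and used to tell an Init neighbor from a 2-Way one and to name the parameters that would block an adjacency. This is an added example, not part of the course material: the field layout follows RFC 2328, the function names are hypothetical, the sample packets are constructed, and the checksum and authentication data are not verified.

```python
import ipaddress
import struct
from dataclasses import dataclass

# RFC 2328 layouts: 24-byte common header, then the 20-byte fixed Hello part.
OSPF_HEADER = struct.Struct("!BBH4s4sHH8s")  # ver, type, len, RID, area, cksum, AuType, auth
HELLO_FIXED = struct.Struct("!4sHBBI4s4s")   # mask, hello, options, pri, dead, DR, BDR
E_BIT = 0x02                                  # Options bit: external routing capability


def ip(raw):
    return str(ipaddress.IPv4Address(raw))


@dataclass
class Hello:
    router_id: str
    area_id: str
    autype: int          # 0 = null, 1 = simple password, 2 = cryptographic
    network_mask: str
    hello_interval: int
    options: int
    priority: int
    dead_interval: int
    dr: str
    bdr: str
    neighbors: list


def parse_hello(data):
    """Parse one OSPFv2 Hello (IP payload). The checksum is not verified here."""
    fixed = OSPF_HEADER.size + HELLO_FIXED.size
    if len(data) < fixed:
        raise ValueError("shorter than OSPF header plus Hello body")
    version, ptype, length, rid, area, _ck, autype, _auth = OSPF_HEADER.unpack_from(data)
    if version != 2:
        raise ValueError(f"unsupported OSPF version {version}")
    if ptype != 1:
        raise ValueError(f"packet type {ptype} is not Hello")
    if not fixed <= length <= len(data):
        raise ValueError("length field does not fit the captured data")
    mask, hello, opts, pri, dead, dr, bdr = HELLO_FIXED.unpack_from(data, OSPF_HEADER.size)
    tail = data[fixed:length]
    if len(tail) % 4:
        raise ValueError("neighbor list is not a whole number of Router IDs")
    neighbors = [ip(tail[i:i + 4]) for i in range(0, len(tail), 4)]
    return Hello(ip(rid), ip(area), autype, ip(mask), hello, opts, pri, dead,
                 ip(dr), ip(bdr), neighbors)


def build_hello(router_id, area_id, mask, hello, dead, priority=1, dr="0.0.0.0",
                bdr="0.0.0.0", neighbors=(), autype=0, options=E_BIT):
    """Build a constructed sample Hello (checksum left as 0) for the demo."""
    def packed(addr):
        return ipaddress.IPv4Address(addr).packed
    body = HELLO_FIXED.pack(packed(mask), hello, options, priority, dead,
                            packed(dr), packed(bdr))
    body += b"".join(packed(n) for n in neighbors)
    return OSPF_HEADER.pack(2, 1, OSPF_HEADER.size + len(body), packed(router_id),
                            packed(area_id), 0, autype, bytes(8)) + body


def neighbor_state(my_router_id, hello):
    """Init until the sender lists our Router ID in its Neighbor field."""
    return "2-Way" if my_router_id in hello.neighbors else "Init"


def adjacency_mismatches(local, remote, check_mask=True):
    """Name the Hello parameters that differ and would block the adjacency."""
    checks = [
        ("Area ID", local.area_id, remote.area_id),
        ("AuType", local.autype, remote.autype),
        ("HelloInterval", local.hello_interval, remote.hello_interval),
        ("RouterDeadInterval", local.dead_interval, remote.dead_interval),
        ("E-bit", local.options & E_BIT, remote.options & E_BIT),
    ]
    if check_mask:  # the mask is not compared on point-to-point links
        checks.append(("Network Mask", local.network_mask, remote.network_mask))
    return [name for name, mine, theirs in checks if mine != theirs]


if __name__ == "__main__":
    # Constructed packets: R1 uses 10/40 s timers, the peer uses 30/120 s.
    me = parse_hello(build_hello("1.1.1.1", "0.0.0.0", "255.255.255.0", 10, 40))
    peer = parse_hello(build_hello("2.2.2.2", "0.0.0.0", "255.255.255.0", 30, 120,
                                   neighbors=["1.1.1.1"]))
    print(neighbor_state("1.1.1.1", peer), adjacency_mismatches(me, peer))
```

A Hello that arrives with AuType 0 on a segment configured for authentication shows up here as an `AuType` mismatch, which is a useful thing to alert on when monitoring a routing domain.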
DD packet
Interface MTU: specifies the maximum IP data packet size that
an interface on the originating router can send without
fragmentation. The value of this field is 0x0000 on a virtual link.
Options: is the same as that of the Hello packet.
I-bit: is set to 1 for the first DD packet in a series of sent DD
packets. The I-bit fields of subsequent DD packets are 0.
M-bit: is set to 1 when the sent DD packet is not the last one.
The M-bit field of the last DD packet is set to 0.
MS-bit: advertises the router as the master router.
DD Sequence Number: specifies the sequence number of the
DD packet.
LSR packet
Link State Advertisement Type: specifies the LSA type, which
can be router-LSA, network-LSA, or other LSA types.
Link State ID: varies depending on LSA types.
Advertising Router: specifies the router ID of the originating
router that advertises LSAs.
LSU packet
Number of LSAs: specifies the number of LSAs in an LSU
packet.
LSA: specifies detailed LSA information.
LSAck packet
Header of LSA: specifies LSA header information.
LSA header information contained in all OSPF packets excluding Hello
packets
LS age: specifies the age of the LSA, in seconds.
Options: specifies the optional capabilities that the LSA supports in
some OSPF areas.
LS type: identifies the format and functions of LSAs. There are
five types of commonly used LSAs.
Link State ID: varies with LSAs.
Advertising Router: specifies the router ID of the router that first
generated the LSA.
Sequence Number: increases with the generation of LSA
instances. This field allows other routers to identify the latest LSA
instances.
Link State ID: specifies the IP address of the interface on a DR.
Network Mask: specifies the IP address or subnet mask used on
the network.
Attached router: lists router IDs of the DR and all routers that have
set up adjacency relationships with the DR on an NBMA network.
Network-summary-LSA and ASBR-summary-LSA
Link State ID: specifies the IP address of the network or subnet in
a Type 3 LSA. In a Type 4 LSA, this field specifies the router ID of
the ASBR.
Network Mask: specifies the IP address or subnet mask of the
network in a Type 3 LSA. In a Type 4 LSA, this field has no
meaning and is set to 0.0.0.0.
Metric: specifies the metric of a route to the destination.
AS-external-LSA
address.
Network Mask: specifies the destination IP address or subnet
mask.
E: specifies the type of the external route. The value 1 indicates
the E2 metric, and the value 0 indicates the E1 metric.
Metric: specifies the metric of a route and is set by an ASBR.
Forwarding Address: specifies the forwarding address (FA) of a
packet destined for a specific destination address. When this field
is set to 0.0.0.0, the packet is forwarded to the originating router.
External Route Tag: identifies an external route.
NSSA LSA
Forwarding Address: When an internal route is advertised
between an NSSA ASBR and the neighboring AS, this field is set
to the next-hop address of the local network. When the internal
route is not used for advertisement, this field is set to the interface
IP address of a stub network, such as a loopback interface. If there
are multiple stub networks, the largest IP address is chosen.
Options field:
DN: prevents loops on an MPLS VPN network. When a type 3, 5,
or 7 LSA is sent from a PE to a CE, the DN bit MUST be set.
When the PE receives, from a CE router, a type 3, 5, or 7 LSA
with the DN bit set, the information from that LSA MUST NOT be
used during the OSPF route calculation.
O: indicates that the originating router supports Opaque LSAs
(Type 9, 10, and 11 LSAs).
DC-bit: indicates that the originating router supports OSPF
capabilities of on-demand links.
EA: indicates that the originating router can receive and forward
External-Attributes-LSAs (Type 8 LSAs).
N-bit: exists only in Hello packets. The value 1 indicates that the
router supports Type 7 LSAs. The value 0 indicates the router
does not receive or send NSSA LSAs.
P-bit: exists only in NSSA LSAs. This field instructs an NSSA
ABR to convert the Type 7 LSA into a Type 5 LSA.
MC-bit: is set when the originating router supports multicast.
E-bit: indicates that the originating router can receive AS external
LSAs. This field is set to 1 in all Type 5 LSAs and LSAs that are
sent from the backbone area and NSSA areas. This field is set to
0 in LSAs that are sent from stub areas. This field in a Hello
packet indicates that the interface can receive and send Type 5
LSAs.
MT-bit: indicates that the originating router supports MOSPF.
Neighbor status:
Down: It is the initial stage of setting up sessions between
neighbors. In this state, a router receives no message from its
neighbor.
Init: A router has received Hello packets from its neighbor but is
not in the neighbor list of the received Hello packets. The router
has not established bidirectional communication with its neighbor.
In this state, the neighbor is in the neighbor list of Hello packets.
2-Way: In this state, bidirectional communication has been
established but the router has not established the adjacency
relationship with the neighbor. This is the highest state before the
adjacency relationship is established. When routers are located
When the neighbor relationship is established, routers negotiate
parameters carried in Hello packets.
If the network type of the interface receiving Hello packets is
P2MP or NBMA, the Network Mask field in Hello packets must
first DD packet to R2. Assume that the fields in this DD packet are
set as follows:
DD Sequence Number is set to 552A.
I-bit is set to 1, indicating that the DD packet is the first DD packet.
M-bit is set to 1, indicating that more DD packets are to be sent.
MS-bit is set to 1, indicating that R1 advertises itself as the
master router.
When the neighbor state machine is ExStart on R2, R2 sends the
first DD packet in which DD Sequence Number is set to 5528 to
R2 to ensure information transmission reliability. LSAck packets
are flooded to acknowledge the receiving of LSAs.
OSPF can define areas as stub and totally stub areas. A stub area is a
special area where ABRs do not flood the received AS external routes.
The ABR in a stub area maintains fewer routing entries and transmits
less routing information. The stub area is an optional configuration, but
not all areas can be configured as stub areas. Generally, a stub area is
a non-backbone area with only one ABR and is located at the AS
boundary. To ensure the reachability of AS external routes, the ABR in
a stub area generates a Type 3 LSA carrying a default route and
advertises it within the entire stub area.
Stub area
The backbone area cannot be configured as a stub area.
If an area needs to be configured as a stub area, all the routers in
this area must be configured with stub attributes.
An ASBR cannot exist in a stub area. That is, AS external routes
are not flooded in the stub area.
A virtual link cannot pass through a stub area.
Type 5 LSAs cannot be advertised within a stub area.
A router in the stub area must learn AS external routes from the
ABR. The ABR automatically generates a Type 3 LSA carrying a
default route and advertises it within the entire stub area. The
router can then learn the AS external network from the ABR.
To prevent a large number of external routes from consuming the
bandwidth and storage resources of routers in a stub area, OSPF
defines that stub areas cannot import external routes. However, stub
areas cannot meet the requirements of the scenario that requires the
import of external routes while preventing resources from being
consumed by external routes. Therefore, NSSA areas are introduced.
Type 7 LSA
Type 7 LSAs are defined in an NSSA Area to describe AS
external routes.
Type 7 LSAs are generated by an ASBR in an NSSA area and
advertised only within the NSSA area of this ASBR.
When receiving Type 7 LSAs, an ABR in an NSSA selectively
routes can be advertised in other areas of the OSPF network.
Type 7 LSAs can be used to carry default route information to
guide traffic to other ASs.
Precautions
Multiple ABRs may be deployed in an NSSA area. To prevent
routing loops, ABRs do not calculate the default routes advertised
by each other.
NSSA and totally NSSA
A small number of AS external routes learned from the ASBR in an
NSSA area can be imported to the NSSA area. Type 5 LSAs
cannot be advertised within the NSSA area, but routers can learn
the AS external routes from the ASBR.
Neither Type 3 nor Type 5 LSAs can be advertised within a totally
NSSA.
Fast convergence
I-SPF improves this algorithm. Except for the first
calculation, only changed nodes, as
opposed to all nodes, are involved in calculation. The SPT
ultimately generated is the same as that generated by the
previous algorithm. This decreases the CPU usage and speeds
up network convergence.
Similar to I-SPF, PRC calculates only the changed routes. PRC,
however, does not calculate the shortest path. PRC updates
routes based on the SPT calculated by I-SPF. In route calculation,
a leaf represents a route, and a node represents a router. A
but changes in the SPT or leaf and routing information are not
dependent on each other. PRC processes routing information
based on the SPT or leaf changes:
• When the SPT is changed, the PRC processes routing
information on all leaves of the changed nodes.
• When the SPT is not changed, PRC does not process
routing information on nodes.
• When a leaf is changed, PRC processes routing
information on the changed leaf.
• When the leaf is not changed, PRC does not process
routing information on the leaf.
The OSPF intelligent timer controls the route calculation, LSA
generation, and receiving of LSAs to speed up network
convergence. The OSPF intelligent timer speeds up network
convergence in the following modes:
• On a network where routes are frequently calculated, the
OSPF intelligent timer dynamically adjusts the interval for
calculating routes based on the user configuration and exponential
backoff technology. In this manner, the route calculation and
CPU resource consumption are decreased. Routes are
calculated after the network topology becomes stable.
• On an unstable network, if a router generates or receives
LSAs due to frequent topology changes, the OSPF
intelligent timer can dynamically adjust the interval for
calculating routes. No LSA is generated or handled within
an interval, which prevents invalid LSAs from being
generated and advertised on the entire network.
• The OSPF intelligent timer helps calculate routes as follows:
• Based on the local LSDB, a router that runs OSPF
calculates the SPT with itself as the root using the
SPF algorithm, and determines the next hop to the
destination network according to the SPT. Changing
the interval for SPF calculation can prevent the
bandwidth and resource consumption caused by
frequent LSDB changes.
• On a network that requires short route convergence
time, specify the interval for route calculation in
milliseconds to increase the route calculation
frequency and speed up route convergence.
• When the OSPF LSDB changes, the shortest path
needs to be recalculated. If a network changes
frequently and the shortest path is calculated
continually, a large number of system resources will
be consumed, affecting router performance. You can
configure an intelligent timer and set a proper interval
specified by the parameter start-interval.
is larger than or equal to 2) time is equal to
hold-interval x 2 x (n – 1).
• When the interval specified by hold-interval x
2 x (n – 1) reaches the maximum interval
specified by max-interval, OSPF performs
SPF calculation at the maximum interval for
three consecutive times. Then perform step 1
again for SPF calculation at the initial interval
specified by start-interval.
Priority-based convergence
Filter routes based on the IP prefix list. Set different priorities for
the routes so that routes with the highest priority are preferentially
converged, improving network reliability.
Setting the maximum number of non-default external routes on a router
can prevent an OSPF database overflow. You must set the same
maximum number of non-default routes for all routers on an OSPF
network. If the number of external routes on a router reaches the
configured maximum number, the router enters the overflow state and
starts the overflow timer. The router automatically leaves the overflow
state after the overflow timer expires. The default timeout period is 5
seconds.
The OSPF database overflow process is as follows:
When entering the overflow state, a router deletes all non-default
external routes that are generated by itself.
When staying in the overflow state, the router does not generate
timer; if not, the router leaves the overflow state.
When leaving the overflow state, the router deletes the overflow
timer, generates non-default external routes, receives new non-
default external routes, replies with LSAck packets, and gets
ready to enter the overflow state again.
During OSPF deployment, all non-backbone areas must be connected
to the backbone area to ensure that all areas are reachable.
Two ABRs use a virtual link to directly transmit OSPF packets. The
routers between the two ABRs only forward packets. Because the
destination of OSPF packets is not these routers, the routers
transparently forward the OSPF packets as common IP packets.
If a virtual link is not properly deployed, a loop may occur.
When both authentication types are configured, interface-based
authentication is used.
The OSPF default route is generally applied to the following scenarios:
An ABR in an area advertises Type 3 LSAs carrying the default
route within the area. Routers in the area use the received default
route to forward inter-area packets.
An ASBR in an area advertises Type 5 or Type 7 LSAs carrying
the default route within the AS. Routers in the AS use the
received default route to forward AS external packets.
Precautions
When no exactly matched route is discovered, a router can
forward packets through the default route. Due to hierarchical
is higher than the priority of default Type 5 or Type 7 routes.
If an OSPF router has advertised LSAs carrying a default route,
the router does not learn this type of LSA advertised by other
routers, which carry a default route. That is, the router uses only
the LSAs advertised by itself to calculate routes. The LSAs
advertised by others are still saved in the LSDB.
If a router has to use a route to advertise LSAs carrying an
external default route, the route cannot be a route learned by the
local OSPF process. This is because a router in an area uses
default external routes to forward packets outside the area,
whereas the routes in the AS have the next hop pointing to
devices within the AS.
• To advertise all the external routes using the ASBR in
the NSSA area, configure a default Type 7 LSA on
the ASBR and advertise this LSA in the entire NSSA
area. In this way, all the external routes are
advertised using the ASBR in the NSSA area.
• The preceding configurations are performed using the
same command in different views. The difference
between these two configurations is described as
follows:
An ABR will generate a default Type 7 LSA
regardless of whether the routing table contains the
default route 0.0.0.0.
An ASBR will generate a default Type 7 LSA only
when the routing table contains the default route
0.0.0.0.
• An ABR does not translate Type 7 LSAs carrying a
• Totally NSSA area
• All routers in the totally NSSA area must learn AS
Route filtering
LSAs are not filtered during route learning. Route filtering can
only determine whether calculated routes are added to the
routing table. The learned LSAs are complete.
Precautions
Stub areas and database overflow can also implement the
LSA filtering function.
This figure shows the process of establishing the neighbor relationship
and process of neighbor status changes.
Down: It is the initial stage of setting up sessions between
neighbors. In this state, a router receives no message from its
neighbor. On an NBMA network, the router can still send Hello
packets to the neighbor with static configurations. PollInterval
specifies the interval for sending Hello packets and its value is
usually the same as the value of RouterDeadInterval.
Attempt: This state exists only on the NBMA network and
indicates that the router receives no message from the neighbor.
In this state, the router periodically sends packets to the neighbor
has not established bidirectional communication with its neighbor.
In this state, the neighbor is in the neighbor list of Hello packets.
2-WayReceived: A router knows that bidirectional communication
with the neighbor has started, that is, the router is in the neighbor
list of Hello packets received from the neighbor. If the router
needs to establish the adjacency relationship with the neighbor,
the router enters the ExStart state and starts database
synchronization. If the router fails to establish the adjacency
relationship with the neighbor, the router enters the 2-Way state.
2-Way: In this state, bidirectional communication has been
established but the router has not established the adjacency
relationship with the neighbor.
This is the highest state before the adjacency relationship is established.
1-WayReceived: The router knows that it is not in the neighbor list
of Hello packets received from the neighbor. This is caused by the
restart of the neighbor.
The state machines in the figure are described as follows:
ExStart: This is the first step for establishing the adjacency
relationship. In this state, the router starts to send DD packets to
the neighbor. The two neighbors start to negotiate the
master/slave status and determine the sequence numbers of DD
packets. DD packets transmitted in this state do not contain the
local LSDB.
Exchange: The router exchanges DD packets containing the local
LSDB with its neighbor.
Loading: The router exchanges LSR packets with the neighbor for
requesting LSAs and exchanges LSU packets for advertising
LSAs.
Full: The local LSDBs on the two routers have been synchronized.
OSPF supports P2P, P2MP, NBMA, and multicast networks. IS-IS
supports only P2P and broadcast networks.
OSPF works only at the network layer and the protocol number is
89.
When an OSPF neighbor relationship is established, the two
routers check the mask, authentication mode, Hello/dead interval,
and area ID in Hello packets. The conditions for establishing an
IS-IS neighbor relationship are relatively loose.
Establishing a neighbor relationship over an OSPF P2P link
requires a three-way handshake. Establishing an IS-IS neighbor
relationship does require a three-way handshake. Huawei devices
are enabled with the three-way handshake function on an IS-IS
P2P network by default, which ensures reliability for establishing
the neighbor relationship.
An IS-IS neighbor relationship has level 1 and level 2.
The election of an OSPF DR/BDR is based on the priority and IP
0, the router does not participate in the DR/BDR election.
The election of an IS-IS DIS is based on the priority and MAC
address. The elected DIS can be preempted. On an IS-IS network,
all routers establish adjacency relationships with each other. If the
priority of a router on the IS-IS network is 0, the router can still
participate in the DIS election and just has a lower priority.
IS-IS supports a few types of LSPs but provides good extension
capabilities through the TLV field contained in LSPs.
OSPF costs are calculated based on bandwidth. IS-IS
supports the default cost, delay cost, overhead cost, and error
cost. IS-IS uses the default cost for implementation.
Case Description
The NBMA network topology is displayed in this case. Other
devices are connected based on the following rules:
• If RX is interconnected with RY, their interconnection
addresses are XY.1.1.X and XY.1.1.Y respectively, and the
network mask length is 24.
Command Usage
The peer command sets the IP address and DR priority of the
neighboring router on an NBMA network. On an NBMA network, a
router cannot discover neighboring routers by broadcasting Hello
packets. You must manually specify IP addresses and DR
priorities of neighboring routers.
View
OSPF view
Parameters
peer ip-address [ dr-priority priority ]
router.
dr-priority priority: specifies the priority for the neighbor
to select a DR.
Precautions
In the routing table on R3, the routing entry mapping the IP
address 12.1.1.2/32 exists. This is caused by the PPP echo
function. When this function is disabled, the routing entry mapping
this 32-bit IP address does not exist.
Case Description
The network topology in this case is the same as the previous
topology. Area 3 is not directly connected to Area 0, and
therefore cannot communicate with other areas.
Command Usage
The vlink-peer command creates and configures a virtual link.
View
OSPF area view
Parameters
vlink-peer router-id
router-id: specifies the router ID of the virtual link
neighbor.
Configuration Verification
Run the display ospf vlink command to view information about
Remarks
A virtual link needs to be configured for R4.
Case Description
The network topology in this case is the same as the previous
topology. Company A requires control on the DR. To meet this
requirement, change the DR priorities of routers. The DR/BDR
cannot be preempted.
Command Usage
The ospf dr-priority command sets the priority of an interface
that participates in the DR election.
View
Interface view
Parameters
ospf dr-priority priority
participates in the DR/BDR election. A larger value
Precautions
If the DR priority of an interface on a router is 0, the router
cannot be elected as a DR or a BDR. In OSPF, the DR
Configuration Verification
Run the display ospf peer command to view information about
neighbors in OSPF areas.
Case Description
The network topology in this case is the same as the previous
topology. This is the network extension requirement. On an
OSPF FR network, the default interval for sending Hello
packets is 30 seconds, and the default interval for sending is
120 seconds. When the neighbor relationship is invalid, the
interval for sending Hello packets is 120 seconds.
Command Usage
The ospf timer hello command sets the interval for sending Hello
packets on an interface.
The ospf timer poll command sets the poll interval for sending
Hello packets on an NBMA network.
View
ospf timer hello: interface view
ospf timer poll: interface view
Parameters
ospf timer hello interval
Precautions
packets.
Remarks
Perform the same interface configuration on R4 as that on
R2 and R3.
Case Description
This case is an extension to the original case. Perform
configurations on the basis of the original case. Imported
routes are advertised in E2 mode by default, and the default
cost value is 1.
Command Usage
The import-route command imports routes learned by other
routing protocols.
The ospf cost command sets the cost of a route on an OSPF-
enabled interface.
View
import-route: OSPF view
ospf cost: interface view
Parameters
import-route [ cost cost | type type ]
Precautions
On a non-PE device, only EBGP routes are imported after the
import-route bgp command is configured. IBGP routes are also
imported after the import-route bgp permit-ibgp command is
configured. If IBGP routes are imported, routing loops may occur.
In this case, run the preference (OSPF) and preference (BGP)
commands to set the priority of OSPF ASE routes to lower than
that of IBGP routes.
Case Description
This case is an extension to the original case. Perform
configuration on the basis of the original case. If R6 does not
want to receive routes from network 172.16.X.0/24, filter Type
3 LSAs on R5.
Command Usage
The filter-policy export command configures a filtering policy
to filter the imported routes when these routes are advertised
in Type 5 LSAs within the AS. This command can be
configured only on an ASBR to filter Type 5 LSAs.
The filter-policy import command configures a filtering policy
to filter intra-area, inter-area, and AS external routes received
by OSPF. On routers within an area, this command can be
used to filter only routes; on an ABR, this command can be
used to filter Type 3 LSAs.
View
Parameters
Precautions
Type 5 LSAs are generated on an ASBR to describe AS
external routes and advertised to all areas (excluding stub and
NSSA areas). The filter-policy command needs to be
configured on an ASBR. To advertise only routing information
meeting specific conditions, run the filter-policy command to
set filtering conditions.
Case Description
This case is an extension to the original case. Perform
configuration on the basis of the original case. Configure Area
1 as an NSSA area.
Command Usage
The nssa command configures an OSPF area as an NSSA area.
View
OSPF area view
Parameters
nssa [ default-route-advertise | flush-waiting-timer interval-value |
no-import-route | no-summary | set-n-bit | suppress-forwarding-address |
translator-always | translator-interval interval-value |
zero-address-forwarding ] *
0.0.0.0 exists in the routing table, Type 7 LSAs carrying the default
route will be generated on an ABR. However, Type 7 LSAs
carrying the default route will be generated only when the route
0.0.0.0 exists in the routing table on an ASBR.
When the area to which the ASBR belongs is configured as an
NSSA area, invalid Type 5 LSAs from other routers in the area
where LSAs are flooded will be reserved. These LSAs will be
deleted only when the aging time reaches 3600 seconds. The
router performance is affected because the forwarding of a large
number of LSAs consumes the memory resources. The parameter
flush-waiting-timer is configured to generate Type 5 LSAs with
the aging time of 3600 seconds. Invalid Type 5 LSAs on other
routers are therefore cleared in a timely manner.
The parameter flush-waiting-timer does not take effect when the
ASBR also functions as an ABR. In this way, Type 5 LSAs in non-
NSSA areas will not be deleted.
es
R
i n g
r n
e a
e L
or
M
e n
/
m
e .i co
aw
hu
g .
ni n
ar
//le
p :
Case Description
This case is an extension to the original case. Perform
configuration on the basis of the original case. Note that the
virtual link belongs to Area 0.
Command Usage
The authentication-mode command sets the authentication
mode and password for an OSPF area. After this command is
executed, interfaces on all routers in an OSPF area use the same
authentication mode and password.
View
OSPF view
Parameters
authentication-mode { md5 | hmac-md5 } [ key-
Precautions
The authentication modes and passwords of all the devices must
be the same in an area, but can be different in different areas.
The authentication-mode command used in the interface view
takes precedence over the authentication-mode command used
in the OSPF area view.
Case Description
If RX is interconnected with RY, their interconnection
addresses are XY.1.1.X/24 and XY.1.1.Y/24 respectively.
Configuration Verification
Run the display ospf peer brief command to check whether
the neighbor relationship is established.
Configuration Verification
Run the tracert command to trace traffic on R3. The command
output shows that traffic on R3 reaches S0/0/0 on R1 through
the Ethernet link.
Configuration Verification
Run the display ip routing-table command to view the routing
table. During the route summarization, original tags are
removed. Therefore, tags need to be added in the next route
summarization.
Case Description
The network runs OSPF.
Analysis
To make R1 select the path through Area 2 to reach the
networks in Area 1, we must make the path through Area 2 work
as if it were passing through Area 0. A virtual link meets this
need. When the virtual link is established, R1 compares the cost
of the two paths and chooses the path with the lower cost as the
best.
Configuration Verification
Only the external LSA (10.0.0.0) exists in the LSDB on R2.
Configuration Verification
All neighbor relationships on R3 are correct, indicating
successful authentication.
BGP is a dynamic routing protocol used between ASs. BGP-1 (defined
in RFC 1105), BGP-2 (defined in RFC 1163), and BGP-3 (defined in
RFC 1267) are three earlier-released BGP versions. BGP exchanges
reachable inter-AS routes, establishes inter-AS paths, avoids routing
loops, and applies routing policies between ASs. The current BGP
version is BGP-4 defined in RFC 4271.
As an external routing protocol on the Internet, BGP is widely used
among Internet Service Providers (ISPs).
BGP has the following characteristics:
BGP is an EGP. Different from Interior Gateway Protocols
(IGPs) such as Open Shortest Path First (OSPF) and Routing
or calculate routes.
BGP uses the Transmission Control Protocol (TCP) with listening
routes.
BGP provides rich routing policies to flexibly filter and select
An AS is a group of routers that are managed by a single technical
administration and use the same routing policy.
Each AS has a unique AS number, which is assigned by the
Internet Assigned Numbers Authority (IANA).
An AS number ranges from 1 to 65535. Values 1 to 64511 are
registered Internet numbers, while values 64512 to 65535 are
private AS numbers.
Each AS on a BGP network is assigned a unique AS number to
identify the AS. Currently, 2-byte AS and 4-byte AS numbers are
EBGP and IBGP
IBGP: runs within an AS. To prevent routing loops within an AS, a
BGP device does not advertise the routes learned from an IBGP
peer to other IBGP peers, and establishes full-mesh connections
with all the IBGP peers.
EBGP: runs between ASs. To prevent routing loops between ASs, a
BGP device discards routes containing the local AS number when
receiving routes from EBGP peers.
Device roles in BGP message exchange
Speaker: The device that sends BGP messages is called a BGP
speaker. The speaker receives and generates new routes, and
Peer: The speakers that exchange messages with each other are
called BGP peers. A group of peers sharing the same policies can
form a peer group.
BGP peers exchange five types of messages: Open, Update, Keepalive,
Notification, and Route-Refresh messages.
Open message: is used to establish BGP peer relationships. It is
the first message sent after a TCP connection is set up. After a
BGP peer receives an Open message and the peer negotiation
succeeds, the BGP peer sends a Keepalive message to confirm
and maintain the peer relationship. Subsequently, BGP peers can
exchange Update, Notification, Keepalive, and Route-Refresh
messages.
Update message: is used to exchange routes between BGP peers.
Update messages can be used to advertise multiple reachable
routes.
• An Update message can be used to advertise multiple
reachable routes with the same attributes. These
routes can share a group of route attributes. The route
message, the BGP peers resend their routing information to the
local BGP router. In this manner, the BGP routing table can be
dynamically updated, and the new routing policy can be used
without terminating BGP connections. A BGP peer notifies its peer
of its Route-Refresh capability by sending an Open message.
BGP message applications
BGP uses TCP port 179 to set up a connection. BGP connection
setup requires a series of dialogues and handshakes. TCP
advertises parameters such as the BGP version, BGP connection
holdtime, local router ID, and authorization information in an Open
message during handshake negotiation.
After a BGP connection is set up, a BGP router sends the BGP
peer an Update message that carries the attributes of a route to be
advertised. This helps the BGP peer select the optimal route. When
local BGP routes change, a BGP router sends an Update message
to notify the BGP peer of the changes.
After two BGP peers exchange routes for a period of time, they do
not have new routes to be advertised and need to periodically send
Keepalive messages to maintain the validity of the BGP connection.
If the local BGP router does not receive any BGP message from the
BGP peer within the holdtime, the local BGP router considers that
the BGP connection has been terminated, tears down the BGP
connection, and deletes all the BGP routes learned from the peer.
When the local BGP router detects an error during the operation, for
example, it does not support the peer BGP version or receives an
invalid Update message, it sends the BGP peer a Notification
message to report the error. Before terminating a BGP connection
with the peer, the local BGP router also needs to send a Notification
message to the peer.
setup, two BGP peers need to negotiate the holdtime and keep the
holdtime consistent. If two BGP peers have different holdtime
periods configured, the shorter holdtime is used. If the local BGP
router does not receive a Keepalive message from the peer within
the holdtime, it considers that the BGP connection is terminated. If
the holdtime is 0, no Keepalive message is sent.
BGP Identifier: Indicates the router ID of a BGP router. It is
expressed as an IP address to identify a BGP router.
Opt Parm Len (Optional Parameters Length): Indicates the optional
parameter length. The value 0 indicates that no optional parameters
are available.
Optional Parameters: These are used for BGP authentication or
Multiprotocol Extensions. Each parameter is a 3-tuple (Parameter
Type-Parameter Length-Parameter Value).
Update message format
the total length of the Withdrawn Routes field. The value 0 indicates
that the Withdrawn Routes field is not present in this Update
message.
Withdrawn Routes: A variable-length field that contains a list of IP
address prefixes for the routes to be withdrawn. Each IP address
prefix is in <length, prefix> format. For example, <19,198.18.160.0>
indicates a network at 198.18.160.0 255.255.224.0.
Path Attribute Length: A 2-byte unsigned integer that indicates the
total length of the Path Attribute field. The value 0 indicates that the
Path Attribute field is not present in an Update message.
Network Layer Reachability Information: Contains a list of IP
address prefixes. This variable length field is in the same format as
the Withdrawn Routes: <length, prefix>.
Keepalive message format
A Keepalive message has only the message header.
By default, the interval for sending Keepalive messages is 60
seconds, and the holdtime is 180 seconds. Each time a BGP router
receives a Keepalive message from its peer, it resets the hold timer.
If the hold timer expires, it considers the peer to be 'down'.
Notification message format
Errorcode: A 1-byte field that uniquely identifies an error. Each error
code may have one or more error subcodes. If no error subcode is
defined for an error code, the Error Subcode Field is all 0s.
Errsubcode: Indicates an error subcode.
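
As an added example (not part of the original training material), the Python sketch below parses the layout described above: the fixed header, then an Update body with its Withdrawn Routes, path attributes and NLRI in <length, prefix> form. Every length field is checked against the bytes actually received, which is the "invalid Update message" case a speaker reports with a Notification; the 19-byte header, type codes and 4096-byte limit are taken from RFC 4271, and the function names and sample bytes are constructed for illustration.

```python
import ipaddress
import struct

HEADER_LEN = 19   # 16-byte marker + 2-byte length + 1-byte type (RFC 4271)
MAX_LEN = 4096    # largest message RFC 4271 allows
MSG_TYPES = {1: "Open", 2: "Update", 3: "Notification",
             4: "Keepalive", 5: "Route-Refresh"}


class MalformedMessage(ValueError):
    """A length or field check failed; a speaker would answer with a Notification."""


def parse_header(msg: bytes):
    """Validate the fixed header and return (type name, body bytes)."""
    if len(msg) < HEADER_LEN:
        raise MalformedMessage("shorter than the 19-byte header")
    marker, length, mtype = struct.unpack("!16sHB", msg[:HEADER_LEN])
    if marker != b"\xff" * 16:
        raise MalformedMessage("marker is not all ones")
    if not HEADER_LEN <= length <= MAX_LEN or length != len(msg):
        raise MalformedMessage(f"bad length field {length}")
    if mtype not in MSG_TYPES:
        raise MalformedMessage(f"unknown message type {mtype}")
    return MSG_TYPES[mtype], msg[HEADER_LEN:]


def parse_prefixes(field: bytes):
    """Decode consecutive <length, prefix> entries into CIDR strings."""
    prefixes, i = [], 0
    while i < len(field):
        bits = field[i]
        if bits > 32:
            raise MalformedMessage(f"prefix length {bits} exceeds 32")
        nbytes = (bits + 7) // 8      # only the significant octets are sent
        raw = field[i + 1:i + 1 + nbytes]
        if len(raw) != nbytes:
            raise MalformedMessage("prefix runs past the end of its field")
        addr = int.from_bytes(raw + b"\x00" * (4 - nbytes), "big")
        prefixes.append(str(ipaddress.IPv4Network((addr, bits), strict=False)))
        i += 1 + nbytes
    return prefixes


def parse_attr_types(field: bytes):
    """Walk the path attributes, checking each length; return the type codes."""
    types, i = [], 0
    while i < len(field):
        extended = bool(field[i] & 0x10)   # extended-length flag: 2-byte length
        hdr = 4 if extended else 3
        if i + hdr > len(field):
            raise MalformedMessage("truncated attribute header")
        code = field[i + 1]
        alen = int.from_bytes(field[i + 2:i + hdr], "big")
        if i + hdr + alen > len(field):
            raise MalformedMessage("attribute value runs past the end of its field")
        types.append(code)
        i += hdr + alen
    return types


def parse_update(body: bytes):
    """Split an Update body into withdrawn routes, attribute types and NLRI."""
    if len(body) < 4:
        raise MalformedMessage("Update body shorter than its two length fields")
    wlen = int.from_bytes(body[:2], "big")
    if 2 + wlen + 2 > len(body):
        raise MalformedMessage("Withdrawn Routes Length exceeds the message")
    off = 2 + wlen
    alen = int.from_bytes(body[off:off + 2], "big")
    if off + 2 + alen > len(body):
        raise MalformedMessage("Path Attribute Length exceeds the message")
    attrs_end = off + 2 + alen
    return {
        "withdrawn": parse_prefixes(body[2:off]),
        "attr_types": parse_attr_types(body[off + 2:attrs_end]),
        "nlri": parse_prefixes(body[attrs_end:]),
    }


def build_message(mtype: int, body: bytes = b"") -> bytes:
    """Frame a body with a valid header (used only to build the sample)."""
    return b"\xff" * 16 + struct.pack("!HB", HEADER_LEN + len(body), mtype) + body


# Constructed sample: withdraw <19,198.18.160.0>, announce <24,10.0.0.0>
# with ORIGIN (type 1), AS_PATH (type 2, AS 100) and NEXT_HOP (type 3, 12.1.1.1).
WITHDRAWN = bytes([19, 198, 18, 160])
ATTRS = bytes.fromhex("40010100" "40020402010064" "4003040c010101")
NLRI = bytes([24, 10, 0, 0])
SAMPLE_UPDATE = build_message(2, struct.pack("!H", len(WITHDRAWN)) + WITHDRAWN
                              + struct.pack("!H", len(ATTRS)) + ATTRS + NLRI)

if __name__ == "__main__":
    kind, body = parse_header(SAMPLE_UPDATE)
    print(kind, parse_update(body))
```
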
A BGP finite state machine (FSM) has six states: Idle, Connect, Active,
OpenSent, OpenConfirm, and Established.
The Idle state is the initial BGP state. In Idle state, a BGP
device refuses all the connection requests from neighbors.
The BGP device initiates a TCP connection with its BGP peer
and changes its state to Connect only after receiving a start
event from the system.
• A start event occurs when an operator configures a
BGP process, resets an existing BGP process or when
In the Connect state, the BGP device starts the ConnectRetry
timer and waits to establish a TCP connection. The
received Open message, including the AS number, version,
and authentication password.
• If the received Open message is valid, the BGP device
sends a Keepalive message and changes to the
OpenConfirm state.
• If the received Open message is invalid, the BGP
device sends a Notification message to the peer and
returns to the Idle state.
In OpenConfirm state, the BGP device waits for a Keepalive or
Notification message from the peer. If the BGP device receives
a Keepalive message, it transitions to the Established state. If
it receives a Notification message, it returns to the Idle state.
In Established state, the BGP device exchanges Update,
Keepalive, Route-Refresh, and Notification messages with the
peer.
• If the BGP device receives a Route-Refresh message, it
does not change its state.
• If the BGP device receives a Notification message, it
returns to the Idle state.
• If the BGP device receives a TCP connection
termination notification, it terminates the TCP
connection with the peer and returns to the Idle state.
A BGP device adds optimal routes to the BGP routing table to generate
BGP routes. After establishing a BGP peer relationship with a neighbor,
the BGP device follows the following rules to exchange routes with the
peer:
Advertises the BGP routes received from IBGP peers
only to its EBGP peers.
Advertises the BGP routes received from EBGP peers
to all its EBGP peers and IBGP peers.
Advertises the optimal route to its peers when there
are multiple valid routes to the same destination.
change.
BGP routing information processing
When receiving Update messages from peers, a BGP router
saves the Update messages to the routing information base
(RIB) and specifies the Adj-RIB-In of the peer from which the
Update messages are received. After these Update messages
are filtered by the inbound policy engine, the BGP router
determines the optimal route for each prefix according to the
route selection algorithm.
The optimal routes are saved in the local BGP RIB (Loc-RIB)
and then submitted to the local IP route selection table
(IP-RIB).
also contains the BGP prefixes that are selected as the optimal
routes and injected by the current router (locally originated
routes). Before the routes in Loc-RIB are advertised to other
peers, these routes must be filtered by the outbound policy
engine. Only the routes that pass the filtering of the outbound
policy engine can be installed to the RIB (Adj-RIB-Out).
Synchronization is performed between IBGP and IGP to prevent
misleading routers in other ASs.
Topology description (when synchronization is enabled)
R4 learns the route to 10.0.0.0/24 advertised by R1 through
BGP and checks whether local IGP routing tables contain the
route. If so, R4 advertises the route to R5. If not, R4 does not
advertise the route to R5.
Precautions: By default, synchronization is disabled on the VRP
platform, and this cannot be changed. Synchronization can be
disabled only under two conditions:
connections.
BGP route attributes are a set of parameters that further describe BGP
routes. Using BGP route attributes, BGP can filter and select routes.
Common attributes are as follows:
Origin: A well-known mandatory attribute.
AS_Path: A well-known mandatory attribute.
Next_Hop: A well-known mandatory attribute.
Local_Pref: A well-known discretionary attribute.
Community: An optional transitive attribute.
MED: An optional non-transitive attribute.
Originator_ID: An optional non-transitive attribute.
Cluster_List: An optional non-transitive attribute.
The Origin attribute defines the origin of a route and marks the path of a
BGP route. The Origin attribute is classified into the following types:
IGP: A route with the Origin attribute IGP is an IGP route and
has the highest priority. For example, the Origin attribute of the
routes injected to the BGP routing table using the network
command is IGP.
EGP: A route with the Origin attribute EGP is an EGP route
and has the second highest priority.
Incomplete: A route with the Origin attribute Incomplete is
learned by other means and has the lowest priority. For
The AS_Path attribute records all the ASs that a route passes through
from a source to a destination in the distance-vector order. To prevent
inter-AS routing loops, a BGP device does not accept the EBGP routes
of which the AS_Path list contains the local AS number.
Assume that a BGP speaker advertises a local route:
When advertising the route to other ASs, the BGP speaker
adds the local AS number to the AS_Path list, and then
advertises it to neighboring routers in Update messages.
When advertising the route to the local AS, the BGP speaker
creates an empty AS_Path list in an Update message.
Assume that a BGP speaker advertises a route learned in the Update
When advertising the route to other ASs, the BGP speaker
adds the local AS number to the leftmost position of the AS_Path list.
through. The Next_Hop attribute of BGP is different from that of an IGP
because it may not be the neighbor IP address. A BGP speaker
processes the Next_Hop attribute based on the following rules:
When advertising a locally originated route to an IBGP peer,
the BGP speaker sets the Next_Hop attribute of the route to be
the IP address of the local interface through which the BGP
peer relationship is established.
When advertising a route to an EBGP peer, the BGP speaker
sets the Next_Hop attribute of the route to be the IP address of
the local interface through which the BGP peer relationship is
established.
Local_Pref attribute
This attribute indicates the BGP preference of a router. It is
exchanged only between IBGP peers and not advertised to
other ASs.
This attribute helps determine the optimal route when traffic
leaves an AS. When a BGP router obtains multiple routes to
the same destination address but with different next hops from
IBGP peers, the router prefers the route with the highest
Local_Pref.
Topology description
R1, R2, and R3 are IBGP peers of each other in AS 100. R2 establishes EBGP
Local_Pref with R2 and R3: one with Local_Pref value 300 from R2 and
the other with Local_Pref value 200 from R3. R1 prefers the route
learned from R2.
The MED attribute helps determine the optimal route when traffic enters
an AS. When a BGP router obtains multiple routes to the same
destination address but with different next hops from EBGP peers, the
router selects the route with the smallest MED value as the optimal
route if the other attributes of the routes are the same.
The MED attribute is exchanged only between two neighboring ASs.
The AS that receives this attribute does not advertise the attribute to
any other AS. This attribute can be manually configured. If the MED
attribute is not configured for a route, the MED attribute of the route
uses the default value 0.
Topology description
R1 and R2 advertise routes 10.0.0.0/24 to their respective
EBGP peers R3 and R4. When other routing rules are the
same, R3 and R4 prefer the route with a smaller MED value.
same characteristics. It is expressed as a 4-byte list and in the aa:nn or
community number format.
aa:nn: The value of aa or nn ranges from 0 to 65535. The
administrator can set a specific value as required. Generally,
aa indicates the AS number and nn indicates the community
identifier defined by the administrator. For example, if a route
is from AS 100 and its community identifier defined by the
administrator is 1, the Community attribute is 100:1.
Community number: An integer that ranges from 0 to
4294967295. As defined in RFC 1997, numbers from 0
The Community attribute helps simplify application, maintenance, and
management of routing policies. With the community, a group of BGP
routers in multiple ASs can share the same routing policy. This attribute
is a route attribute and is transmitted between BGP peers without being
restricted by ASs. Before advertising a route with the Community
attribute to peers, a BGP router can change the original Community
attribute of this route.
BGP routing rules
The next-hop addresses of routes must be reachable.
The PrefVal attribute is a Huawei proprietary attribute and is
valid only on the device where it is configured.
If a route does not have the Local_Pref attribute, the
Local_Pref attribute of the route uses the default value 100.
You can use the default local-preference command to
change the default local preference of BGP routes.
Locally generated routes include the routes imported using the
network or import-route command, manually summarized
routes, and automatically summarized routes.
summarized routes.
• Manually summarized routes generated using the
aggregate command have a higher priority than
automatically summarized routes generated using the
from peers in different ASs. Do not use this command
unless different ASs use the same IGP and route
selection mode, otherwise routing loops may occur.
• After the bestroute med-confederation command is
executed, BGP compares the MED values of routes
only when the AS_Path does not contain external AS
numbers (sub-ASs that do not belong to a
confederation) and the first AS number in
AS_CONFED_SEQUENCE is the same.
• After the deterministic-med command is executed,
routes are not selected in the sequence in which routes
are received.
Load Balancing
balancing only when the rules before the attributes "Prefers the
route with the lowest IGP metric" are the same.
BGP security
MD5: BGP uses TCP as the transport layer protocol. To
ensure BGP security, you can perform MD5 authentication
during the TCP connection setup. MD5 authentication,
however, does not authenticate BGP messages. Instead, it
sets the MD5 authentication password for a TCP connection,
and the authentication is performed by TCP. If the
authentication fails, no TCP connection is set up.
After GTSM is enabled for BGP, an interface board checks the
TTL values in all BGP messages. In actual networking,
packets whose TTL values are not within the specified range
cases, BGP is used on complex networks where route flapping occurs
frequently. To prevent frequent route flapping, BGP uses route
dampening to suppress unstable routes.
Route dampening measures the stability of a route using a penalty
value. A larger penalty value indicates a less stable route. Each time
route flapping occurs, BGP increases the penalty of a route by a value
of 1000. During route flapping, a route changes from active to inactive.
When the penalty value of the route exceeds the suppression threshold,
BGP suppresses this route and does not add it to the IP routing table or
advertise any Update message to BGP peers.
After a route is suppressed for a period of time (half life), the penalty
value is reduced by half. When the penalty value of a route decreases
to the reuse threshold, the route becomes reusable and is added to the
Route dampening applies only to EBGP routes but not IBGP routes.
IBGP routes often include the routes from the local AS, which requires
that the forwarding tables of devices within an AS be the same. In
addition, IGP fast convergence aims to achieve information
synchronization.
If IBGP routes were dampened, forwarding tables on devices would be
inconsistent when these devices have different dampening parameters.
Route dampening therefore does not apply to IBGP routes.
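
The penalty mechanism described above, as an added Python simulation (not code from the original material): each flap adds 1000, the penalty halves every half-life, the route is suppressed above the suppression threshold and released at the reuse threshold, and IBGP routes are never penalized. The half-life, threshold and ceiling values and all class and function names are assumptions chosen for illustration; the page itself gives only the 1000-per-flap penalty.

```python
import math
from dataclasses import dataclass

FLAP_PENALTY = 1000.0     # from the text: each flap adds 1000
# Assumed values, chosen only for this illustration (not given on the page):
HALF_LIFE_MIN = 15.0      # minutes for the penalty to halve
SUPPRESS = 2000.0         # suppression threshold
REUSE = 750.0             # reuse threshold
CEILING = 16000.0         # cap so repeated flaps cannot suppress a route forever


@dataclass
class DampenedRoute:
    prefix: str
    ebgp: bool = True
    penalty: float = 0.0
    clock: float = 0.0        # minutes; time of the last penalty update
    suppressed: bool = False

    def advance(self, now: float) -> None:
        """Decay the penalty exponentially up to `now`, then re-check reuse."""
        if now < self.clock:
            raise ValueError("time moved backwards")
        self.penalty *= 0.5 ** ((now - self.clock) / HALF_LIFE_MIN)
        self.clock = now
        if self.suppressed and self.penalty <= REUSE:
            self.suppressed = False

    def flap(self, now: float) -> None:
        """Record one flap (active to inactive) at time `now`."""
        if not self.ebgp:
            return            # dampening is not applied to IBGP routes
        self.advance(now)
        self.penalty = min(self.penalty + FLAP_PENALTY, CEILING)
        if self.penalty > SUPPRESS:
            self.suppressed = True

    def minutes_until_reuse(self) -> float:
        """Time for the current penalty to decay to the reuse threshold."""
        if not self.suppressed:
            return 0.0
        return HALF_LIFE_MIN * math.log2(self.penalty / REUSE)


def simulate(flap_times, sample_times, ebgp=True):
    """Replay flaps; return [(minute, rounded penalty, suppressed)] per sample."""
    route = DampenedRoute("10.0.0.0/24", ebgp=ebgp)
    events = sorted([(t, "flap") for t in flap_times] +
                    [(t, "sample") for t in sample_times])
    timeline = []
    for t, kind in events:
        if kind == "flap":
            route.flap(t)
        else:
            route.advance(t)
            timeline.append((t, round(route.penalty), route.suppressed))
    return timeline


if __name__ == "__main__":
    # Constructed scenario: three flaps one minute apart, then quiet.
    for row in simulate([0, 1, 2], [1, 2, 17, 32]):
        print(row)
```

With these assumed values the third flap pushes the penalty over the suppression threshold, and the route stays suppressed for roughly two half-lives before it drops below the reuse threshold.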
Case description
IP addresses used to interconnect devices are designed as
follows:
• If RTX connects to RTY, interconnected addresses are
XY.1.1.X and XY.1.1.Y. The network mask is 24.
• Loopback interface addresses of R1, R2, R3, R6, and
Case analysis
To establish stable IBGP peer relationships, use loopback
interface addresses and static routes within an AS.
addresses.
Command usage
The peer as-number command sets the AS number of a
specified peer (or peer group).
The peer connect-interface command specifies a source
interface that sends BGP messages and a source address
used to initiate a connection.
The peer next-hop-local command configures a BGP device
to set its IP address as the next hop of routes when it
advertises the routes to an IBGP peer or peer group.
View
BGP process view
Parameters
peer ipv4-address as-number as-number
ipv4-address: specifies the IPv4 address of a peer.
Precautions
When using a loopback interface to send BGP messages:
• Ensure that the loopback interface address of the BGP
peer is reachable.
• In the case of an EBGP connection, you need to run
the peer ebgp-max-hop command to enable EBGP to
establish the peer relationship in indirect mode.
The peer next-hop-local and peer next-hop-invariable
commands are mutually exclusive.
The PrefRcv field in the display bgp peer command output
indicates the number of route prefixes received from the peer.
Case description
The topology in this case is the same as that in the previous
case. Perform the configuration based on the configuration in
the previous case.
R1 prefers routes to 10.0.X.0/24 with next hop R2 because
BGP prefers the route advertised by the router with the
smallest router ID.
Command usage
The peer route-policy command specifies a route-policy to
control routes received from, or to be advertised to a peer or
peer group.
View
BGP view
Parameters
peer ipv4-address route-policy route-policy-name { import | export }
Configuration verification
Run the display bgp routing-table command to view the BGP
routing table.
Case description
The topology in this case is the same as that in the previous
case. Company A requires that R1 access network 10.0.1.0/24
through R7. To meet this requirement, you can enable R4 to
access network 10.0.1.0/24 through R7 using the MED
attribute.
Command usage
The peer route-policy command specifies a route-policy to
control routes received from, or to be advertised to a peer or
peer group.
View
BGP view
Parameters
peer ipv4-address route-policy route-policy-name { import | export }
Configuration verification
Run the display bgp routing-table command to view the BGP
routing table.
Case description
The topology in this case is the same as that in the previous
case. To meet the requirement, use the Community attribute.
Command usage
The peer route-policy command specifies a route-policy to
control routes received from, or to be advertised to a peer or
peer group.
View
BGP view
Parameters
peer ipv4-address route-policy route-policy-name { import | export }
Configuration verification
Run the display bgp routing-table community command to
view the attributes in the BGP routing table.
Case description
This case is an extension to the previous case. Perform the
configuration based on the configuration in the previous case.
Command usage
The peer route-policy command specifies a route-policy to
control routes received from, or to be advertised to a peer or
peer group.
The peer default-route-advertise command configures a
BGP device to advertise a default route to its peer or peer
group.
View
peer route-policy: BGP view
peer default-route-advertise: BGP view
Parameters
ipv4-address: specifies an IPv4 address of a peer.
route-policy-name: specifies a route-policy name.
Configuration verification
Run the display ip routing-table command to view IP routing
table information.
Case description
This case is an extension to the previous case. Perform the
configuration based on the configuration in the previous case.
Command usage
The maximum load-balancing command configures the
maximum number of equal-cost routes.
View
BGP view
Parameters
maximum load-balancing [ ebgp | ibgp ] number
ibgp: implements load balancing among IBGP routes.
Precautions
The maximum load-balancing number command cannot be
Case description
This case is an extension to the previous case. Perform the
configuration based on the configuration in the previous case.
After GTSM is enabled between R6 and R8, the hop count
should be 1.
Command usage
The peer valid-ttl-hops command applies the GTSM function
on the peer or peer group.
The gtsm default-action command configures the default
action to be taken on the packets that do not match the GTSM
policy.
The gtsm log drop-packet command enables the log function
on a board to log information about the packets discarded by
GTSM on the board.
View
peer valid-ttl-hops: BGP view
Precautions
GTSM and EBGP-MAX-HOP affect the TTL values of sent
BGP packets. The two functions are mutually exclusive.
If the default action is configured but the GTSM policy is not
configured, GTSM does not take effect.
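
How the three commands above interact, as an added Python model (not device code and not from the original material): a per-peer hop limit defines the accepted TTL window, the default action applies to BGP packets from sources without a policy, drops are logged, and a default action with no policy configured changes nothing. The model assumes the accepted window for a hop limit n is 255-n+1 to 255; the addresses follow the XY.1.1.X scheme of the case (R6 and R8), and Packet, gtsm_check and filter_packets are hypothetical names.

```python
from dataclasses import dataclass

BGP_PORT = 179
MAX_TTL = 255


@dataclass(frozen=True)
class Packet:
    src: str
    src_port: int
    dst_port: int
    ttl: int          # TTL observed when the packet arrives


def valid_ttl_range(hops: int):
    """TTL window accepted for a peer that is at most `hops` hops away."""
    if not 1 <= hops <= MAX_TTL:
        raise ValueError("hops must be 1..255")
    return MAX_TTL - hops + 1, MAX_TTL


def gtsm_check(pkt, policy, default_action="pass"):
    """Return (action, reason). `policy` maps peer address to its hop limit."""
    if BGP_PORT not in (pkt.src_port, pkt.dst_port):
        return "pass", "not BGP"
    if not policy:
        # A default action alone has no effect when no GTSM policy exists.
        return "pass", "GTSM not in effect"
    hops = policy.get(pkt.src)
    if hops is None:
        return default_action, "no policy for source"
    low, high = valid_ttl_range(hops)
    if low <= pkt.ttl <= high:
        return "pass", f"TTL {pkt.ttl} within {low}-{high}"
    return "drop", f"TTL {pkt.ttl} outside {low}-{high}"


def filter_packets(packets, policy, default_action="pass"):
    """Apply GTSM to each packet; return (accepted packets, drop log lines)."""
    accepted, drop_log = [], []
    for pkt in packets:
        action, reason = gtsm_check(pkt, policy, default_action)
        if action == "pass":
            accepted.append(pkt)
        else:
            drop_log.append(f"{pkt.src}:{pkt.src_port} dropped: {reason}")
    return accepted, drop_log


# Constructed sample, as seen on R6 with R8 (68.1.1.8) one hop away.
POLICY = {"68.1.1.8": 1}
SAMPLE = [
    Packet("68.1.1.8", 50321, 179, 255),     # directly connected peer
    Packet("68.1.1.8", 50400, 179, 250),     # same source address, 5 hops old
    Packet("203.0.113.9", 40000, 179, 255),  # BGP from a source with no policy
    Packet("68.1.1.8", 50321, 22, 64),       # not BGP, outside GTSM's scope here
]

if __name__ == "__main__":
    accepted, log = filter_packets(SAMPLE, POLICY, default_action="drop")
    print(len(accepted), "accepted")
    print("\n".join(log))
```
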
Case description
In the topology, among the IP addresses that are not marked, Rx and Ry connect using IP addresses XY.1.1.X/24 and XY.1.1.Y/24.
Results
Run the display vlan command to view the results.
Results
Run the display bgp peer command to view the BGP peer relationship.
Results
Run the display bgp routing-table command to view the BGP routing table. The command output shows that 2.2.2.2/32 and 3.3.3.3/32 have been advertised.
Results
The loop is the result of inconsistency between IGP route selection and BGP route selection.
Case description
In the topology, among the IP addresses that are not marked, Rx and Ry connect using IP addresses XY.1.1.X/24 and XY.1.1.Y/24.
Analysis process
Run the display bgp routing-table community command to view the attributes.
Results
You will notice that the Community attribute of route 10.0.0.0/24 is labeled as <400:1>, no-export on R2.
Results
You can add the AS_Path Attribute to change the route selection of R3.
To ensure connectivity between IBGP peers, you need to establish full-mesh connections between IBGP peers. If there are n routers in an AS, you need to establish n(n-1)/2 IBGP connections. When there are a large number of IBGP peers, many network resources and CPU resources are consumed. A route reflector (RR) can be used between IBGP peers to solve this problem.
In an AS, a router functions as an RR, and other routers function as clients. The RR and its clients establish IBGP connections and form a cluster. The RR reflects routes to clients, removing the need to establish BGP connections between clients.
RR concepts
RR: a BGP device that can reflect the routes learned from an IBGP peer to other IBGP peers.
Client: an IBGP device of which routes are reflected by an RR

rules:
The RR advertises the routes learned from an EBGP peer to all the clients and non-clients.
The RR advertises the routes learned from a non-client IBGP peer to all the clients.
The RR advertises the routes learned from a client to all the other clients and all the non-clients.
An RR is easy to configure because it needs to be configured only on the device that functions as a reflector, and clients do not need to know that they are clients.

an RR to prevent routing loops in a cluster.
When an RR reflects a route for the first time, the RR adds the Originator_ID attribute to this route. The Originator_ID attribute identifies the originator of the route. If the route already contains the Originator_ID attribute, the RR retains this Originator_ID attribute.
When a device receives a route, the device compares the originator ID of the route with the local router ID. If they are the same, the device discards the route.
An RR and its clients form a cluster, which is identified by a unique cluster ID in an AS.

attribute to record the cluster IDs of all the clusters that a route passes through.

Backup RR
On the VRP, you need to run the reflector cluster-id command to set the same cluster ID for all the RRs in the same cluster.
When redundant RRs exist, a client receives multiple routes to the same destination from different RRs and then selects the optimal route according to BGP route selection policies.
The Cluster_List attribute prevents routing loops between different RRs in the same AS.
Topology description
When Client1 receives an updated route 10.0.0.0/24 from an external peer, it advertises the route to RR1 and RR2 through IBGP.
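
The three advertisement rules and the two loop checks (Originator_ID and Cluster_List) can be traced through the backup RR topology with the following added Python model. It is not VRP code and not part of the original material. Peers are identified by router ID, any peer that is neither a client nor a non-client is treated as an EBGP peer, and the router IDs, the cluster ID and the assumption that RR1 and RR2 peer with each other as non-clients are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    originator_id: Optional[str] = None   # added on first reflection, then retained
    cluster_list: Tuple[str, ...] = ()    # cluster IDs the route has passed through


def accepts(router_id: str, cluster_id: Optional[str], route: Route) -> bool:
    """Receive-side loop checks. cluster_id is None on a device that is not an RR."""
    if route.originator_id == router_id:
        return False                      # the route came back to its originator
    if cluster_id is not None and cluster_id in route.cluster_list:
        return False                      # the route already passed through this cluster
    return True


@dataclass
class Reflector:
    router_id: str
    cluster_id: str
    clients: Set[str]
    non_clients: Set[str]

    def advertise(self, route: Route, learned_from: str) -> Dict[str, Route]:
        """Return {peer: route} for every IBGP peer the route is sent to."""
        if not accepts(self.router_id, self.cluster_id, route):
            return {}
        if learned_from in self.clients:
            # From a client: to all the other clients and all the non-clients.
            targets = (self.clients - {learned_from}) | self.non_clients
        elif learned_from in self.non_clients:
            # From a non-client IBGP peer: to all the clients.
            targets = set(self.clients)
        else:
            # From an EBGP peer: to all clients and non-clients, no reflection attributes.
            return {peer: route for peer in self.clients | self.non_clients}
        reflected = replace(
            route,
            originator_id=route.originator_id or learned_from,
            cluster_list=(self.cluster_id,) + route.cluster_list,
        )
        return {peer: reflected for peer in targets}


# Constructed router IDs and cluster ID for the backup RR topology.
CLIENT1, CLIENT2, NON_CLIENT = "1.1.1.1", "2.2.2.2", "3.3.3.3"
RR1, RR2, CLUSTER = "11.11.11.11", "22.22.22.22", "0.0.0.100"


def backup_rr_scenario() -> dict:
    rr1 = Reflector(RR1, CLUSTER, {CLIENT1, CLIENT2}, {RR2, NON_CLIENT})
    rr2 = Reflector(RR2, CLUSTER, {CLIENT1, CLIENT2}, {RR1, NON_CLIENT})
    out_rr1 = rr1.advertise(Route("10.0.0.0/24"), CLIENT1)
    return {
        "rr1_sends_to": set(out_rr1),
        "reflected": out_rr1[CLIENT2],
        # RR2 shares the cluster ID, so RR1's copy fails the Cluster_List check.
        "rr2_from_rr1": rr2.advertise(out_rr1[RR2], RR1),
        # Client1 would reject its own route because of the Originator_ID check.
        "client1_accepts": accepts(CLIENT1, None, out_rr1[CLIENT2]),
        "client2_accepts": accepts(CLIENT2, None, out_rr1[CLIENT2]),
    }


if __name__ == "__main__":
    for key, value in backup_rr_scenario().items():
        print(key, value)
```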

clusters are non-clients and establish full-mesh connections with one another. Although each client only establishes an IBGP connection with its RR, all the BGP routers in the AS can receive reflected routing information.
A level-1 RR (RR1) is deployed in Cluster1, while RRs (RR2 and RR3) in Cluster2 and Cluster3 function as clients of RR1.
Confederation
A confederation divides an AS into sub-ASs. Full-mesh IBGP connections are established in each sub-AS, while EBGP connections are established between sub-ASs. ASs outside a confederation still consider the confederation as an AS.
After a confederation divides an AS into sub-ASs, it assigns a confederation ID (the AS number) to each router within the AS.
The original IBGP attributes are retained, including the Local_Pref attribute, MED attribute, and Next_Hop attribute.
Confederation-related attributes are automatically deleted when being advertised outside a confederation. The

of ASs and has the following types:
AS_SET: comprises a series of ASs in a disorderly manner and is carried in an Update message. When network summarization occurs, you can use policies to prevent path information loss using AS_SET.
AS_SEQUENCE: comprises a series of ASs in sequence and is carried in an Update message. Generally, the AS_Path type is AS_SEQUENCE.
AS_CONFED_SEQUENCE: comprises a series of member ASs in a confederation in sequence and is carried in an

A confederation requires an AS to be divided into sub-ASs, changing the network topology a lot.
Only an RR needs to be configured, and clients do not need to be configured. The confederation needs to be configured on all the devices.
RRs must establish full-mesh IBGP connections.
Route reflectors are widely used, while confederations are seldom used.
The BGP routing table of each device on a large network is large. This burdens devices, increases the route flapping probability, and affects network stability.
Route summarization is a mechanism that combines multiple routes into one route. This mechanism allows a BGP device to advertise only the summarized route but not all the specific routes to peers. It reduces the BGP routing table size. If the specific routes flap, the network is not affected, therefore improving network stability.
Route summarization uses the Aggregator attribute. This attribute is an optional transitive attribute and identifies the node where route

imported by BGP, including direct routes, static routes, RIP routes, OSPF routes, and IS-IS routes. After summarization is configured, BGP summarizes routes according to the natural network segment and suppresses specific routes in the BGP routing table. This command is only valid for the routes imported using the network command.
BGP advertises only summarized routes to peers.
BGP does not start automatic summarization by default.
Manual summarization
Summarized routes do not carry the AS_Path attribute of detail routes.
Using the AS_SET attribute to carry the AS number can prevent routing loops. Differences between AS_SET and AS_SEQUENCE are as follows: In AS_SET, the AS list is often used to perform route summarization, and AS numbers are added to the AS list in a disorderly manner. In AS_SEQUENCE, AS numbers are added to the AS list in the sequence in which a route passes through.
Adding the AS_SET attribute to summarized routes may cause route flapping.
RFC 5291 and RFC 5292 define the prefix-based BGP outbound route filtering (ORF) capability to advertise required BGP routes. BGP ORF allows a device to send prefix-based inbound policies in a Route-Refresh message to BGP peers. BGP peers then construct outbound policies based on these inbound policies to filter routes before sending these routes. This capability has the following advantages:
Prevents the local device from receiving a large number of unnecessary routes.
Reduces CPU usage of the local device.
Simplifies the configuration of BGP peers.
Improves link bandwidth efficiency.
Case description
prefix-based ORF capability with R1, Client2 adds local prefix-based inbound policies to a Route-Refresh message and
Active-Route-Advertise
Once a route is preferred by BGP, the route can be advertised to peers by default. When Active-Route-Advertise is configured, only the route preferred by BGP and also active at the routing management layer is advertised to peers.
Active-Route-Advertise and the bgp-rib-only command are mutually exclusive. The bgp-rib-only command prohibits BGP routes from being advertised to the IP routing table.
BGP dynamic update peer-groups
BGP sends routes based on peers by default, even though the peers have the same outbound policies.
After this feature is enabled, BGP groups each route only once and then sends the route to all the peers in the update-group, improving grouping efficiency exponentially.
Topology description
RR1 has three clients and needs to reflect 100,000 routes to these clients. If RR1 sends the routes grouped per peer to the three clients, the total number of times that all routes are grouped is 300,000 (100,000 x 3). After the dynamic update peer-groups feature is used,

New session: a BGP connection between new speakers
Old session: a BGP connection between a new speaker and an old speaker, or between old speakers.
Protocol extension
Two new optional transitive attributes, AS4_Path with attribute code 0x11 and AS4_Aggregator with attribute code 0x12, are defined to transmit 4-byte AS numbers in old sessions.
Topology description
R2 receives a route with a 4-byte AS number 10.1 from R1.
R2 establishes a peer relationship with R3 and needs to enable R3 to consider the AS number of R2 as AS_TRANS.
When advertising a route to R3, R2 records AS_TRANS in the AS_Path attribute of the route and records 10.1 and its AS number 20.1 to the AS4_Path attribute in the sequence required by BGP.
R3 retains the unrecognized AS4_Path attribute and advertises the route to R4 according to BGP rules and considers the AS number of R2 as AS_TRANS.
When receiving the route from R3, R4 replaces AS_TRANS with the IP address recorded in the AS4_Path attribute and records the AS4_Path as 30 20.1 10.1.
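
The path handling in this topology can be reproduced with the following added Python sketch, which follows the reconstruction rule of RFC 6793. It is not vendor code and not part of the original material. It assumes AS_TRANS is 23456, takes R3's AS number 30 from the final path quoted above, and simplifies the AS_Path to a flat AS_SEQUENCE; all function names are hypothetical.

```python
from typing import List, Optional, Tuple

AS_TRANS = 23456  # 2-byte placeholder that stands in for any 4-byte AS number


def asdot_to_int(text: str) -> int:
    """Convert '10.1' (asdot notation) or '30' (plain) to an integer AS number."""
    high, _, low = text.partition(".")
    return int(high) * 65536 + int(low) if low else int(high)


def int_to_asdot(asn: int) -> str:
    return str(asn) if asn < 65536 else f"{asn >> 16}.{asn & 0xFFFF}"


def to_old_speaker(path: List[int]) -> Tuple[List[int], Optional[List[int]]]:
    """What a new speaker sends on an old session: (AS_Path, AS4_Path)."""
    as_path = [asn if asn <= 0xFFFF else AS_TRANS for asn in path]
    as4_path = list(path) if as_path != list(path) else None
    return as_path, as4_path


def old_speaker_prepend(as_path: List[int], as4_path: Optional[List[int]],
                        own_as: int) -> Tuple[List[int], Optional[List[int]]]:
    """An old speaker prepends its AS to AS_Path and passes AS4_Path on unchanged."""
    return [own_as] + as_path, as4_path


def reconstruct(as_path: List[int], as4_path: Optional[List[int]]) -> List[int]:
    """Rebuild the real path on a new speaker that receives both attributes."""
    if as4_path is None or len(as4_path) > len(as_path):
        # An AS4_Path longer than the AS_Path is inconsistent and is ignored.
        return list(as_path)
    keep = len(as_path) - len(as4_path)   # ASs prepended by old speakers
    return list(as_path[:keep]) + list(as4_path)


def page_topology() -> Tuple[List[int], str]:
    r1, r2, r3 = asdot_to_int("10.1"), asdot_to_int("20.1"), 30
    # R2 (new speaker) advertises the route learned from R1 to R3 (old speaker).
    as_path, as4_path = to_old_speaker([r2, r1])
    # R3 cannot interpret AS4_Path, keeps it, and advertises the route to R4.
    as_path, as4_path = old_speaker_prepend(as_path, as4_path, r3)
    # R4 (new speaker) rebuilds the path.
    at_r4 = reconstruct(as_path, as4_path)
    return as_path, " ".join(int_to_asdot(asn) for asn in at_r4)


if __name__ == "__main__":
    print(page_topology())
```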
Next-hop iteration based on routing policy
BGP needs to iterate indirect next hops. If indirect next hops are not iterated according to the routing policy, routes may be iterated to incorrect forwarding paths. Next hops should therefore be iterated according to certain conditions to control the iterated routes. If a route cannot pass the routing policy, the route is ignored and route iteration fails.
Topology description
IBGP peer relationships are established between R1 and R2, and between R1 and R3 through loopback interfaces. R1
Session setup between peers
A session can be set up between BGP speakers through directly connected or loopback interfaces. Generally, IBGP neighbors establish peer relationships through loopback interfaces, while EBGP neighbors establish peer relationships through directly connected physical interfaces.
You can configure authentication to ensure security for sessions between peers.
Logical full-mesh connections must be set up between IBGP

network command.
Routing policy optimization
You can optimize BGP routes using inbound policies,

a network fault occurs.
Traffic symmetry
Scientific network design and policy application can ensure consistent paths for incoming and outgoing traffic.
Load balancing
When multiple paths to the same destination exist, traffic can be load balanced through policies to fully utilize bandwidth.
Interaction between non-BGP routes and BGP routes
Generally, non-BGP routes can be imported into the BGP routing table using the import-route or network command.
Control of default routes
Default routes can be advertised or received according to conditions of routing policies.
Policy-based routing
Traffic paths can be optimized through PBR.
Dynamic update peer-groups: greatly improves router performance.
Route reflector and confederation: reduces the number of IBGP sessions and optimizes large BGP networks.
Reduce unstable routes
Use stable IGPs.
Improve router performance.
Reduce manual errors.
Expand link bandwidth.
Improve BGP stability
Use BGP soft reset when using new BGP policies.
Punish unstable routes correctly to reduce the impact of these routes on BGP.
Case description
IP addresses used to interconnect devices are as follows:
• If RTX connects to RTY, interconnected addresses are XY.1.1.X and XY.1.1.Y. Network mask is 24.
OSPF runs normally, and the interconnected addresses and loopback interface addresses have been advertised into OSPF. However, 10.0.X.0/24, 172.15.X.0/24, and 172.16.X.0/24 are not advertised into OSPF.
Case analysis
EBGP peer relationships are established using loopback interfaces.
Command usage
The peer as-number command sets an AS number for a specified peer or peer group.
The peer connect-interface command specifies a source interface that sends BGP messages and a source address used to initiate a connection.
The peer next-hop-local command configures a BGP device to set its IP address as the next hop of routes when it advertises routes to an IBGP peer or peer group.
The group command creates a peer group.
View
Parameters
peer ipv4-address as-number as-number
Precautions
When configuring a device to use a loopback interface as the source interface of BGP messages, note the following points:
• The loopback interface of the device's BGP peer must be reachable.
• In the case of an EBGP connection, the peer ebgp-max-hop command must be executed to enable the two devices to establish an indirect peer relationship.
The peer next-hop-local and peer next-hop-invariable commands are mutually exclusive.
The Rec field in the display bgp peer command output indicates the number of route prefixes received from the peer.
Case description
The topology in this case is the same as that in the previous case. Perform the configurations based on the configuration in the previous case.
If all the clients of the RR have established logically full-mesh connections, the clients can transmit routes to each other without requiring the RR to reflect routes to them. In this situation, prohibit the RR from reflecting routes to clients so as to reduce the RR load.
Command usage
The undo reflect between-clients command prohibits an RR from reflecting routes to clients. This command is executed on an RR. After this command is executed, clients can directly exchange BGP messages, while R2 does not need to reflect routes to these clients. However, R2 still reflects the routes that are advertised by non-clients.
View
BGP view
Configuration verification
peer information.

To reduce the RR load, prohibit BGP routes from being added to the IP routing table and prevent the RR from forwarding

case. To meet the first requirement, use a route-policy to advertise interface routing information.
To meet the second requirement, use an IP prefix list to filter routes.
Command usage
The peer ip-prefix command configures a route filtering policy based on an IP prefix list for a peer or peer group.
View
BGP view
Parameters
peer { group-name | ipv4-address } ip-prefix ip-prefix-name { import | export }
group-name: specifies the name of a peer group.
Configuration verification
Run the display bgp routing-table command to view the BGP routing table.
For the same node in a route-policy, the relationship between if-match clauses is AND. A route needs to meet all the matching rules before the actions defined by apply clauses are performed.
The relationship between the if-match clauses in the if-match route-type and if-match interface commands is "OR", but the relationship between the if-match clauses in the two commands and other commands is "AND".
Case description
This case is an extension to the previous case. Perform the configuration based on the configuration in the previous case.
In requirement 2, the delivery of a default route depends on route 172.16.0.0/16. If route 172.16.0.0/16 disappears, the default route also disappears.
Command usage
The peer route-policy command specifies a route-policy to control routes received from or to be advertised to a peer or peer group.
The peer default-route-advertise command configures a BGP device to advertise a default route to its peer or peer group.
View
peer route-policy: BGP view
peer default-route-advertise: BGP view
Parameters
ipv4-address: specifies an IPv4 address of a peer.
route-policy-name: specifies a route-policy name.
Configuration verification
Run the display ip routing-table command to view information about the IP routing table.
Case description
This case is an extension to the previous case. Perform the configuration based on the configuration in the previous case.
Command usage
The aggregate command creates an aggregated route in the BGP routing table.
View
BGP view
Parameters
aggregate ipv4-address { mask | mask-length } [ as-set | attribute-policy route-policy-name1 | detail-suppressed | origin-policy route-policy-name2 | suppress-policy route-policy-name3 ] *
Precautions
During manual or automatic summarization, routes pointing to NULL0 are generated locally.
Configuration verification
Run the display ip routing-table protocol bgp command to view the routes learned by BGP.
Case description
This case is an extension to the previous case. Perform the configuration based on the configuration in the previous case.
BGP on-demand route advertisement requires ORF to be enabled on R4, R5, and R6.
Command usage
The peer capability-advertise orf command enables prefix-based ORF for a peer or peer group.
View
BGP view
Parameters
peer { group-name | ipv4-address } capability-advertise orf [ cisco-compatible ] ip-prefix { both | receive | send }
group-name: specifies the name of a peer group.
send: allows the device to send only ORF packets.
Precautions
BGP ORF has three modes: send, receive, and both. In send mode, a BGP device can send ORF information. In receive mode, a BGP device can receive ORF information. In both mode, a BGP device can send and receive ORF information. To enable a BGP device that advertises routes to receive ORF IP-prefix information, configure this device to work in receive or both mode and the peer device to work in send or both mode.
Configuration verification
Run the display bgp peer 1.1.1.1 orf ip-prefix command to view prefix-based BGP ORF information received from a specified peer.
Case description
IP addresses used to interconnect devices are as follows:
• If RTX connects to RTY, interconnected addresses are XY.1.1.X and XY.1.1.Y. Network mask is 24.
Results
The configuration is the basic OSPF configuration.
Results
Run the display bgp peer command to view the BGP peer status.
Run the display bfd session all command to view the BFD session. In the command output, D_IP_IF indicates that a BFD session is dynamically created and bound to an interface.
Results
Run the display bgp routing-table command to view BGP routing entries. The command output shows that R3 learns two routes 10.0.0.0/24 from R2 and R4. According to BGP routing rules, R3 prefers the route 10.0.0.0/24 learned from R2.
Case description
This case is an extension to the previous case. Perform the configuration based on the configuration in the previous case.
Analysis process
You can use peer group commands to reduce the RR load.
Results
Run the display bgp routing-table community command to view the Community attribute.
Results
Run the display bgp routing-table community command to view the Community attribute. The Community attribute is no-export. That is, the route is not advertised to EBGP peers.
ACL
An ACL is a series of sequential rules composed of permit and deny clauses. These rules match packet information to classify packets. Based on ACL rules, routers permit or deny packets.
An Access Control List (ACL) is a set of sequential rules. The ACL filters packets according to the specified rules. With the rules applied to a device, the device permits or denies the packets according to the rules.
IP prefix list
Community filter
Community filters are exclusively used in BGP. Each BGP route contains a community domain to identify a community. Community filters specify matching rules regarding community domains.
ACL management rule
An ACL can contain multiple rules.
A rule is identified by a rule ID, which can be set by a user or automatically generated based on the ACL step. All the rules in an ACL are arranged in ascending order of rule IDs.
There is a step between rule IDs. If no rule ID is specified, the step is determined by the ACL step. You can add new rules to a rule group based on the rule ID.
ACL rule management
When a packet reaches a device, the search engine retrieves information from the packet to constitute the key value and

rule is found, the system stops the matching, and the packet matches the rule.
If no matching rule is found, the packet does not match any rule.
The action defined in the last rule of a Huawei ACL is permit by default.
Interface-based ACL
Match packets based on the rules defined on the inbound interface of packets. You can run the traffic-filter command to reference an interface-based ACL.
Basic ACL
Define rules based on the source IP address, VPN instance, fragment flag, and time range of packets.
Advanced ACL
Define rules based on the source IP address, destination IP address, IP preference, ToS, DSCP, IP protocol type, ICMP

define more accurate, abundant, and flexible rules than a basic ACL.
Layer 2 ACL
Define rules based on Ethernet frame header information in a packet, including the source MAC address, destination MAC address, and Ethernet frame protocol type.
ACL matching order
An ACL is composed of a list of rules. Each rule contains a deny or permit clause. These rules may overlap or conflict. One rule can contain another rule, but the two rules must be different.
Devices support two types of matching order: configuration order and automatic order. The matching order determines the priorities of the rules in an ACL. Rule priorities resolve the conflict between overlapping rules.
Automatic order

In traditional packet filtering, only the first fragment of a packet needs to match rules, while the other fragments are allowed to pass through if the first fragment matches rules. In this situation, network attackers may construct subsequent fragments to launch attacks.
In an ACL rule, the fragment parameter indicates that the rule is valid for all fragmented packets. The none-first-fragment parameter indicates that the rule is valid only for non-first fragmented packets but not for non-fragmented packets or the first fragmented packet. The rules that do not contain

ACL time range
You can make ACL rules valid only at the specified time or

node. The system matches a route against nodes by the index in ascending order. If the route matches a node, the system does not match the route against the other nodes. If the route does not match any node, the system filters the route.
According to the matching prefix, an IP prefix list can be used for accurate matching, or matching within a specified mask length range.
An IP prefix list can implement accurate matching, or matching within a specified mask length range. You can configure

received based on the AS_Path attributes contained in the BGP routes.
Since the number of the last AS that a route passes through is added to the leftmost of an AS_Path list, configure an AS_Path filter with caution:
If a route originating from an AS passes through AS 300, AS 200, and AS 500, and then reaches AS 600, the AS_Path attribute of the route is (500 200 300 100).
A Community filter is only used to filter BGP routes to be advertised or received based on the Community attributes contained in the BGP routes.
The Community attribute includes basic and advanced community attributes.
Self-defined community attributes and well-known communities are basic community attributes.
RT and SOO in MPLS VPN are extended community attributes.
A route policy is used to filter routes and set attributes for routes. By changing route attributes (including reachability), a route policy changes the path that network traffic passes through.
A route policy is often used in the following scenarios:
Control route importing.
• Using a route policy, you can prevent sub-optimal routes and routing loops during the import of routes.
Control route receiving and advertising.

specified routes according to network requirements.
In the topology, dual-node bidirectional route advertisement is implemented.
In the topology, R1 imports route 10.0.0.1/24 into OSPF. R3 imports OSPF routes into IS-IS, and R2 learns routes 10.0.0.0/24 through IS-IS. In this case, R2 learns two routes 10.0.0.0/24 through OSPF and IS-IS. R2 prefers the route learned through IS-IS because this route has a higher priority than the external route learned through OSPF. Therefore, R2 reaches 10.0.0.0/24 along the path R4→R3→R1. To optimize the path, modify the OSPF ASE priority to be higher than the IS-IS priority using a route policy. This modification prevents

Only necessary and valid routes are received, which limits the routing table size and improves network security.
Topology description
R4 imports routes 10.0.X.0/24 into OSPF. According to service requirements, R1 can only receive routes 10.0.0.0/24 and 10.0.1.0/24, while R2 can only receive routes 10.0.2.0/24 and 10.0.3.0/24. You can use a filter policy to meet this requirement.
Generally, only routing information is filtered, but link state information is not filtered.
In OSPF, incoming and outgoing Type 3, Type 5, and Type 7 LSAs can be filtered.
Link-state routing protocols, such as OSPF and IS-IS, can filter only incoming routes but not LSAs that carry these routes. That is, OSPF and IS-IS do not add the filtered routes to the local routing tables, but LSAs of these routes are still transmitted in the OSPF or IS-IS area.
The routes imported from other protocols can also be filtered. For example, you can use the filter-policy export command to
direction.
Topology description
You can modify the Local_Pref attribute contained in a route using a route policy to change the path of traffic. R2 learns the route 10.0.0.0/24 from EBGP and modifies the Local_Pref value to 300. R3 learns the route 10.0.0.0/24 from EBGP and modifies the Local_Pref value to 200. R1, R2, and R3 learn each other's routes through IBGP, so AS 100 ultimately prefers R2 to reach 10.0.0.0/24.
PBR is a mechanism that selects routes based on user-defined policies. It includes local PBR, interface PBR, and SPR. This course discusses only local PBR.
IP unicast PBR has the following advantages:
Allows you to define policies for route selection according to service requirements, which improves route selection flexibility and controllability.
Sends different data flows through different links, which improves link efficiency.
Uses low-cost links to transmit service data without affecting service quality, which reduces the cost of enterprise data services.
Matching process
If a device finds a matching local PBR node, the device processes packets as follows:
Step 1 Checks whether the priority of packets has been set.
• If so, the device applies the configured priority to the packets and performs step 2.
outbound interface.
Case description
IP addresses used to interconnect devices are as follows:
• If RTX connects to RTY, interconnected addresses are XY.1.1.X and XY.1.1.Y. Network mask is 24.
Command usage
The route-policy command creates a route policy and displays the route-policy view.
View
System view
Parameters
route-policy route-policy-name { permit | deny } node node
permit: specifies the matching mode of the route policy
Precautions
A route policy is used to filter routes and set attributes for the routes that match the route policy. A route policy consists of multiple nodes. One node contains multiple if-match and apply clauses.
The if-match clauses define matching conditions for this node, and the apply clauses define the actions to be performed on the routes that meet the matching conditions. The relationship between if-match clauses is AND. That is, a route must match all the if-match clauses of a node. The relationship between the nodes of a route policy is OR. That is, if a route matches a node, the route matches the route policy. If a route does not match any node, the route does not match the route policy.
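The matching rules in the precautions above, modelled as an added Python example (not Huawei code or CLI). It assumes that nodes are tried in ascending node number and that the first matching node decides the result; the policy, the tag values 100 and 200, and the sample routes are constructed, with tags used the way the later cases use them to keep imported routes from being imported back.

```python
from dataclasses import dataclass, field, replace
from ipaddress import ip_network
from typing import Callable, List


@dataclass(frozen=True)
class Route:
    prefix: str
    tag: int = 0


@dataclass
class Node:
    node_id: int
    mode: str  # "permit" or "deny"
    if_match: List[Callable[[Route], bool]] = field(default_factory=list)
    apply: List[Callable[[Route], Route]] = field(default_factory=list)


def match_tag(tag: int):
    """if-match condition: the route carries exactly this tag."""
    return lambda route: route.tag == tag


def match_within(supernet: str):
    """if-match condition: the route's prefix lies inside the given network."""
    net = ip_network(supernet)
    return lambda route: ip_network(route.prefix).subnet_of(net)


def apply_tag(tag: int):
    """apply action: return a copy of the route with a new tag."""
    return lambda route: replace(route, tag=tag)


def evaluate(nodes, route):
    """Return (result, matching node id or None, resulting route or None)."""
    for node in sorted(nodes, key=lambda n: n.node_id):
        # AND: every if-match clause of the node must hold.
        if not all(cond(route) for cond in node.if_match):
            continue  # OR: fall through to the next node
        if node.mode == "deny":
            return ("deny", node.node_id, None)
        for action in node.apply:
            route = action(route)
        return ("permit", node.node_id, route)
    # The route matched no node, so it does not match the policy.
    return ("deny", None, None)


def import_routes(nodes, routes):
    """Routes that pass the policy, with apply actions already performed."""
    results = (evaluate(nodes, r) for r in routes)
    return [route for _, _, route in results if route is not None]


# Constructed policy for importing RIP routes into OSPF on one border router:
# routes tagged 200 were imported from OSPF into RIP by the other border
# router, so node 10 refuses to import them back.
RIP_TO_OSPF = [
    Node(10, "deny", [match_tag(200)]),
    Node(20, "permit", [match_within("172.16.0.0/16"), match_tag(0)],
         [apply_tag(100)]),
]

# Constructed RIP routing table.
RIP_TABLE = [
    Route("172.16.1.0/24", 0),    # native RIP route: permitted, tagged 100
    Route("172.16.2.0/24", 200),  # came from OSPF: denied by node 10
    Route("172.16.3.0/24", 50),   # prefix matches node 20, tag does not
    Route("192.168.1.0/24", 0),   # matches no node
]

if __name__ == "__main__":
    for r in RIP_TABLE:
        print(r, "->", evaluate(RIP_TO_OSPF, r))
```
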
Case description
The topology in this case is the same as that in the previous case. Perform the configuration based on the configuration in the previous case.
In requirement 2, use the least number of commands to implement the optimal configuration.
Command usage
The filter-policy export command filters imported routes to be advertised according to the policy.
View
System view
Parameters
filter-policy { acl-number | acl-name acl-name | ip-prefix ip-prefix-name } export [ protocol [ process-id ] ]
acl-number: specifies the number of a basic ACL.
Precautions
After external routes are imported into OSPF using the import-route command, you can run the filter-policy export command to filter the imported routes to be advertised. This configuration allows only the external routes that meet the matching conditions to be translated into Type 5 LSAs (AS-external-LSAs) and advertised. In this case, routing loops are prevented.
You can specify protocol or process-id to filter the routes of a specified protocol or process. If no protocol or process-id is specified, OSPF filters all of the imported routes.
Case description
The topology in this case is the same as that in the previous case. After meeting the requirements, check whether sub-optimal routes and routing loops exist.
Results
After routing protocols import routes from each other, R4 reaches 172.16.X.0/24 through a sub-optimal route (OSPF route 172.16.X.0/24). This is because R4 first learns OSPF route 172.16.X.0/24 and then learns RIP route 172.16.X.0/24. In fact, the optimal route is OSPF route 172.16.X.0/24. However, the preference of OSPF external routes is 150, and the preference of RIP is 100, so R4 reaches 172.16.X.0/24 through a sub-optimal route.
Case description
This case is an extension to the previous case. Perform the configuration based on the configuration in the previous case.
To meet requirement 1, ensure that R4 accesses 172.16.X.0/24 through RIP, to avoid reaching 172.16.X.0/24 through a sub-optimal route.
To meet requirement 2, use tags to control dual-node bidirectional route importing so as to prevent routing loops.
Results
If routes are not filtered during bidirectional route importing, routing loops occur when the network environment changes. To avoid loops, ensure that each routing protocol imports only the routes that originate in the other routing domain. Compared with the configuration in the previous case, the advantage of using tags is that the routing entries do not need to be specified individually. When the routes in a routing domain change, the restricted routing entries change with them, so no manual intervention is needed and the method scales well. Although the previous configuration avoids routing loops, the sub-optimal route still exists.
The sub-optimal route arises because, with dual-node bidirectional route importing, one of R3 and R4 learns network 172.16.X.0/24 from both OSPF and RIP, and the preference of OSPF external routes is greater than that of RIP, so R3 or R4 (one of them) reaches 172.16.X.0/24 through a sub-optimal route. To solve this, modify the preference of OSPF external routes to be smaller than that of RIP. Setting the preference value of OSPF external routes smaller than that of OSPF internal routes is unreasonable.
Case description
This case is an extension to the previous case. Perform the configuration based on the configuration in the previous case.
Results
When only route summarization is performed, two problems exist: R5 learns the summary route, and a routing loop occurs between R3 and R4 when R2 pings a nonexistent IP address.
The reason why the first problem occurs is as follows: After R3 and R4 learn the summary routes generated by themselves, they import the summary routes into the RIP area again.
The reason why the second problem occurs is as follows: After R3 and R4 learn the summary routes generated by themselves, they add the summary routes to their routing tables.
To address the two problems, prevent R3 and R4 from learning the summary routes generated by them and from importing the routes into the OSPF area. That is, filter the
Configure a filter policy on R3 and R4 so that they do not receive the specified OSPF summary routes. This ensures that the summary routes are not imported into the RIP domain, which prevents routing loops.
Case description
This case is an extension to the previous case. Perform the configuration based on the configuration in the previous case.
Command usage
The policy-based-route command creates or modifies a PBR.
The ip local policy-based-route command enables local PBR.
View
policy-based-route: system view
ip local policy-based-route: system view
Parameters
policy-based-route policy-name { permit | deny } node node-id
Precautions
When deploying PBR, do not configure a broadcast interface such as an Ethernet interface as the outbound interface of packets.
Configuration verification
Run the display bgp peer 1.1.1.1 orf ip-prefix command to view prefix-based BGP ORF information received from a specified peer.
Case description
IP addresses used to interconnect devices are designed as follows:
• If RTX connects to RTY, interconnected addresses are XY.1.1.X and XY.1.1.Y. Network mask is 24.
Results
When R5 imports routes, accurate matching must be performed.
Results
When you tracert a nonexistent IP address that belongs to 10.0.0.0/16, a routing loop occurs. This is because no route pointing to Null0 is generated when OSPF generates a summary route.
Results
You can configure static routes pointing to Null0 on R5 using a command to prevent routing loops.
Case description
This case is an extension to the previous case. Perform the configuration based on the configuration in the previous case.
IP addresses used to interconnect devices are designed as follows:
• If RTX connects to RTY, interconnected addresses are
S0/0/1 is 21.1.1.1/24.
Results
Use the ACL and route-policy commands to import the two network segments into IS-IS. Usually, the filter-policy XXX export command is used to import routes.
Results
Use tags to prevent routing loops. For IS-IS to support tags, the cost type must be wide; otherwise, IS-IS routes cannot be tagged.
To prevent the sub-optimal route, modify the preference of OSPF external route 10.0.0.0/16 to be smaller than that of IS-IS routes.
Results
The configuration in this case avoids sub-optimal routes on R3 and R4. Because R3 and R4 import routes at different times, one of them learns 10.0.0.0/16 from both IS-IS and OSPF. If R3 imports routes earlier, R4 learns 10.0.0.0/16 from IS-IS and OSPF at the same time and compares their preferences. The preference of OSPF external routes is 150 and the preference of IS-IS is 15, so R4 prefers IS-IS to reach network 10.0.0.0/16, but this route is sub-optimal. Modifying the preference of 10.0.0.0/16 on R4 to be smaller than the preference value of IS-IS eliminates the sub-optimal route. The preference value of
unreasonable.
Results
Use local PBR to meet this requirement.
VLAN technology brings the following benefits:
Limits broadcast domains. A broadcast domain is limited in a VLAN. This saves bandwidth and improves network processing capabilities.
Enhances network security. Packets from different VLANs are separately transmitted. Hosts in a VLAN cannot directly communicate with hosts in another VLAN.
Improves network robustness. A fault in a VLAN does not affect hosts in other VLANs.
Flexibly sets up virtual groups. With VLAN technology, hosts in different geographical areas can be grouped together. This
Topology description
S1 and S2 are located in different positions. Each switch connects to two computers and the computers belong to two
specified Ethernet frame format. It adds the 4-byte 802.1Q Tag field between the Source address and the Length/Type fields of the original frame.
Subfields in the 802.1Q Tag field:
TPID: is short for Tag Protocol Identifier and indicates the frame type, which has 2 bytes. The value 0x8100 indicates an 802.1Q-tagged frame. An 802.1Q-incapable device discards the received 802.1Q frame.
PRI: is short for priority and indicates the frame priority, which has 3 bits. The value ranges from 0 to 7. The greater the value, the higher the priority. When QoS is deployed on a switch, the switch first sends data frames with higher priority.
CFI: is short for Canonical Format Indicator and indicates
The following link types are available:
Access link: Usually connects a host to a switch. Generally, a host does not need to know which VLAN it belongs to, and host hardware cannot distinguish frames with VLAN tags. Hosts therefore send and receive only untagged frames along access links.
Trunk link: Usually connects a switch to another switch or a router. Data of different VLANs is transmitted along a trunk link. The two ends of a trunk link must be able to distinguish frames using VLAN tags, and so only tagged frames are transmitted along trunk links.
Topology description
Interface types
An access interface on a switch connects to an interface on a host. It can only connect to access links.
• The access interface allows only the VLAN whose ID is the same as the Port Default VLAN ID (PVID).
• If the access interface receives untagged frames from
to pass through.
• If the tag in the frame sent by the trunk interface is the same as the PVID, the switch removes the tag from the
interface, that is, an interface belongs to a VLAN by default.
• When an untagged data frame reaches a switch interface that has the PVID configured, the PVID is
MAC address-based VLAN assignment
VLANs are assigned based on MAC addresses.
The network administrator needs to configure the mappings
terminals matching conditions can be added to a specified VLAN. After terminals matching conditions are added to the VLAN, changes of the IP addresses or MAC addresses may cause the terminals to be removed from the VLAN.
Topology description
To implement intra-communication in VLAN 2 and VLAN 3 through the trunk link between S1 and S2, add Port 2 on S1 and Port 1 on S2 to VLAN 2 and VLAN 3.
PC1 sends a frame to PC2 as follows:
• The frame is first sent to Port 4 on S1.
• Port 4 adds a tag to the frame. The VID field of the tag is 2, that is, the ID of the VLAN to which Port 4 belongs.
• S1 sends the frame to all interfaces in VLAN 2 except
• Port 3 sends the frame to PC2.
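The 802.1Q Tag layout described earlier and the tagging step in this walk-through (Port 4 adds a tag with VID 2), as an added Python example rather than code from the course. The CFI width (1 bit) and VID width (12 bits) come from IEEE 802.1Q; the MAC addresses, the payload, and the rule that an access port discards frames already tagged with another VLAN are assumptions of this model.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # value that marks an 802.1Q-tagged frame
MAC_HEADER = 12      # destination MAC (6 bytes) + source MAC (6 bytes)


def add_tag(frame: bytes, vid: int, pri: int = 0, cfi: int = 0) -> bytes:
    """Insert the 4-byte tag between the source MAC and Length/Type fields."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    if not 0 <= pri <= 7:
        raise ValueError("PRI is a 3-bit field (0..7)")
    if cfi not in (0, 1):
        raise ValueError("CFI is a 1-bit field")
    tci = (pri << 13) | (cfi << 12) | vid  # PRI(3) | CFI(1) | VID(12)
    tag = struct.pack("!HH", TPID_8021Q, tci)
    return frame[:MAC_HEADER] + tag + frame[MAC_HEADER:]


def parse_tag(frame: bytes) -> Optional[dict]:
    """Return the tag subfields, or None when the frame is untagged."""
    if len(frame) < MAC_HEADER + 2:
        raise ValueError("truncated Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, MAC_HEADER)
    if tpid != TPID_8021Q:
        return None
    if len(frame) < MAC_HEADER + 6:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack_from("!HH", frame, MAC_HEADER + 2)
    return {"pri": tci >> 13, "cfi": (tci >> 12) & 1,
            "vid": tci & 0x0FFF, "type": inner_type}


def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte tag, restoring the original frame layout."""
    return frame[:MAC_HEADER] + frame[MAC_HEADER + 4:]


def access_ingress(frame: bytes, pvid: int) -> Optional[bytes]:
    """Frame as the switch carries it internally, or None if discarded."""
    tag = parse_tag(frame)
    if tag is None:
        return add_tag(frame, pvid)  # untagged frame joins the port's VLAN
    # Assumption: a host-facing access port accepts a tagged frame only
    # when its VID equals the PVID, so a host cannot pick another VLAN.
    return frame if tag["vid"] == pvid else None


def access_egress(frame: bytes, pvid: int) -> Optional[bytes]:
    """Untagged frame delivered to the host, or None if not in the VLAN."""
    tag = parse_tag(frame)
    if tag is None or tag["vid"] != pvid:
        return None
    return strip_tag(frame)


# Constructed sample: an untagged IPv4 frame as PC1 would send it.
PC1_FRAME = (bytes.fromhex("00e0fc000002")      # destination MAC (constructed)
             + bytes.fromhex("00e0fc000001")    # source MAC (constructed)
             + struct.pack("!H", 0x0800)        # Length/Type: IPv4
             + b"constructed payload")

if __name__ == "__main__":
    tagged = access_ingress(PC1_FRAME, pvid=2)
    print(parse_tag(tagged))
    print(access_egress(tagged, pvid=2) == PC1_FRAME)
```
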
Topology description
R1 is a Layer 3 switch supporting sub-interfaces, and S1 is a Layer 2 switching device. LANs are connected using the switched Ethernet interface on S1 and the routed Ethernet interface on R1. To implement inter-VLAN communication, perform the following operations:
• Create two sub-interfaces on the Ethernet interfaces connecting R1 and S1, and configure 802.1Q encapsulation on sub-interfaces corresponding to
frames from VLAN 2 and VLAN 3 to pass through.
• Configure the default gateway address as the IP
PC2 are sent to R1 first for Layer 3 forwarding.
A routing table must have correct routing entries so that new data flows can be correctly forwarded. You can deploy VLANIF interfaces and routing protocols on Layer 3 switches to implement Layer 3 connectivity.
Topology description
VLAN 2 and VLAN 3 are assigned. To implement inter-VLAN communication, perform the following operations:
• Create two VLANIF interfaces on S1 and configure
packet from PC1 to PC2. All packets sent from PC1 to PC2 are sent to S1 first for Layer 3 forwarding.
VLAN aggregation, also known as the super-VLAN, partitions a broadcast domain using multiple VLANs on a physical network so that different VLANs can belong to the same subnet.
Super-VLAN: is a set of multiple sub-VLANs. In a super-VLAN, only Layer 3 interfaces are created, and no physical interface exists.
Sub-VLAN: is used to isolate broadcast domains. In the sub-VLAN, only physical interfaces exist and Layer 3 VLAN interfaces cannot be created. The super-VLAN is used to implement Layer 3 switching.
A super-VLAN can contain one or more sub-VLANs. IP addresses of hosts in sub-VLANs of the super-VLAN belong to
Topology description
The super-VLAN (VLAN 10) contains the sub-VLANs (VLAN 2 and VLAN 3).
Proxy ARP between sub-VLANs is enabled on S1. The communication process is as follows:
• After comparing PC2’s IP address (1.1.1.20) with its IP address, PC1 finds that both IP addresses are on the same network segment. The ARP table of PC1 however has no corresponding entry for PC2.
VLANs, therefore after receiving the ARP Request packet from PC1, the gateway finds that PC2’s IP
Topology description
The frame from PC1 that enters S1 through Port 1 is tagged with the ID of VLAN 2. The VLAN ID, however, is not changed to the ID of VLAN 10 on S1 even if VLAN 2 is the sub-VLAN of VLAN 10. After passing through Port 3, which is a trunk interface, this frame still carries the ID of VLAN 2. S1 discards the frames of VLAN 10 that are sent to S1 by other devices because S1 has no physical interface corresponding to VLAN 10.
A super-VLAN has no physical interface:
If you configure a super-VLAN and then a trunk interface, the frames of a super-VLAN are filtered automatically according to
interface to allow all VLANs to pass through, you cannot configure the super-VLAN on the device. The root cause is
and common VLAN 10. S1 is configured with two common VLANs, namely, VLAN 10 and VLAN 20. S2 is configured with the route to the network segment 1.1.3.0/24, and S1 is configured with the route to the network segment 1.1.1.0/24.
PC1 in sub-VLAN 2 of super-VLAN 4 then needs to communicate with PC3 connected to S1.
• After comparing PC3’s IP address (1.1.3.2) with its IP
different network segments.
The subordinate VLAN is classified into the separate VLAN and group VLAN.
Principal VLAN: A principal interface can communicate with all interfaces in a MUX VLAN.
Subordinate VLAN
• Separate VLAN: A separate interface can communicate only with a principal interface and is isolated from other types of interfaces. A separate VLAN must be bound to a principal VLAN.
• Group VLAN: A group interface can communicate with a principal interface and other interfaces in the same
VLAN must be bound to a principal VLAN.
Topology description
The principal interface connects to the enterprise server; separate interfaces connect to enterprise customers; group interfaces connect to enterprise employees. In this manner, enterprise customers and enterprise employees can access the enterprise server, enterprise employees can communicate with each other, enterprise customers cannot communicate with each other, and enterprise customers and enterprise employees cannot communicate with each other.
Case description
To meet requirement 2, configure VLAN 2 and VLAN 3 to be permitted by the trunk link.
Command usage
The port link-type command sets the link type of an interface.
The port trunk allow-pass vlan command adds a trunk interface to VLANs.
The port hybrid untagged vlan command adds a hybrid interface to VLANs. Frames of the VLANs then pass through the hybrid interface in untagged mode.
View
Interface view
Parameters
Precautions
hybrid: configures the link type of an interface as hybrid.
trunk: configures the link type of an interface as trunk.
MAC addresses are identified. Assign VLANs based on MAC addresses to meet the requirement.
Before configuring MAC address-based VLAN assignment, ensure that the link type of the Layer 2 interface is hybrid.
Command usage
The mac-vlan mac-address command associates a MAC address with a VLAN.
The mac-vlan enable command enables MAC address-based VLAN assignment on an interface.
Precautions
After a MAC address is associated with a VLAN, it cannot be associated with other VLANs.
If MAC address-based assignment is enabled on an interface:
• When receiving an untagged packet, the interface
that the link type of the Layer 2 interface is hybrid.
Command usage
The ip-subnet-vlan command associates an IP subnet with a VLAN.
The ip-subnet-vlan enable command enables IP subnet-based VLAN assignment on an interface.
Precautions
The IP subnet associated with a VLAN using the ip-subnet-vlan command cannot be a multicast network segment or multicast address.
IP subnet-based assignment can be configured only on hybrid interfaces.
Case description
Protocol-based assignment can be configured only on hybrid interfaces.
Command usage
The protocol-vlan command associates a protocol with a VLAN.
The protocol-vlan vlan command associates an interface with a protocol-based VLAN.
Precautions
Protocol-based assignment can be configured only on hybrid interfaces.
When protocol-based assignment is used on an interface, the switch needs to parse the protocol type in the received packet
Case description
You can use the VLANIF interface or sub-interface to implement communication between VLANs.
Command usage
The interface vlanif command creates a VLANIF interface and displays the VLANIF interface view.
The dot1q termination vid command configures the single VLAN ID of dot1q encapsulation on a sub-interface.
The arp broadcast enable command enables ARP broadcast on a sub-interface.
Precautions
Before running the interface vlanif command, you must run the vlan command to create a VLAN specified by vlan-id.
Case description
Configure VLAN aggregation to meet the requirements.
Command usage
The aggregate-vlan command configures a VLAN as a super-VLAN.
The access-vlan command adds one or more sub-VLANs to a super-VLAN.
Precautions
VLAN 1 cannot be configured as a super-VLAN.
The super-VLAN must be different from all its sub-VLANs.
A VLAN can be added to only one super-VLAN.
Case description
Configure the MUX VLAN to meet the requirements.
Command usage
The mux-vlan command configures a VLAN as a principal VLAN.
The subordinate group command configures subordinate group VLANs for a principal VLAN.
The subordinate separate command configures a subordinate separate VLAN for a principal VLAN.
Precautions for the principal VLAN
The super-VLAN, sub-VLAN, or subordinate VLAN cannot be configured as a principal VLAN.
separate VLAN.
A subordinate separate VLAN must be different from the principal VLAN.
A subordinate separate VLAN must be different from a subordinate group VLAN.
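The MUX VLAN roles described earlier and the precautions above, as an added Python model for checking an isolation design before it is configured (not Huawei code). VLAN IDs 2, 3 and 4 and the port names are constructed, and the single separate VLAN per principal VLAN follows the singular wording of the subordinate separate command above.

```python
from itertools import combinations


class MuxVlan:
    """One principal VLAN with its subordinate group and separate VLANs."""

    def __init__(self, principal, group_vlans, separate_vlan):
        self.principal = principal
        self.groups = frozenset(group_vlans)
        self.separate = separate_vlan
        self.errors = self.check()

    def check(self):
        """Return the precautions that this configuration breaks."""
        errors = []
        if self.separate == self.principal:
            errors.append("separate VLAN must differ from the principal VLAN")
        if self.separate in self.groups:
            errors.append("separate VLAN must differ from every group VLAN")
        if self.principal in self.groups:
            errors.append("a subordinate VLAN cannot be the principal VLAN")
        return errors

    def role(self, vlan):
        if vlan == self.principal:
            return "principal"
        if vlan == self.separate:
            return "separate"
        if vlan in self.groups:
            return "group"
        raise ValueError(f"VLAN {vlan} is not part of this MUX VLAN")

    def can_communicate(self, vlan_a, vlan_b):
        """Layer 2 reachability between two interfaces, by their VLANs."""
        role_a, role_b = self.role(vlan_a), self.role(vlan_b)
        if "principal" in (role_a, role_b):
            return True                 # principal talks to everyone
        if role_a == role_b == "group":
            return vlan_a == vlan_b     # only inside the same group VLAN
        return False                    # separate ports are isolated


def reachable_pairs(mux, ports):
    """All unordered port pairs that can exchange frames."""
    return {frozenset((a, b))
            for a, b in combinations(sorted(ports), 2)
            if mux.can_communicate(ports[a], ports[b])}


def violations(mux, ports, must_isolate):
    """Pairs that the design says must be isolated but can communicate."""
    return [(a, b) for a, b in must_isolate
            if mux.can_communicate(ports[a], ports[b])]


# Constructed design matching the topology description: server on the
# principal VLAN, employees on a group VLAN, customers on the separate VLAN.
MUX = MuxVlan(principal=2, group_vlans={3}, separate_vlan=4)
PORTS = {"server": 2, "employee1": 3, "employee2": 3,
         "customer1": 4, "customer2": 4}
MUST_ISOLATE = [("customer1", "customer2"),
                ("customer1", "employee1"),
                ("customer2", "employee1")]

if __name__ == "__main__":
    print(sorted(tuple(sorted(p)) for p in reachable_pairs(MUX, PORTS)))
    # A port placed in the wrong VLAN shows up as a violation.
    print(violations(MUX, dict(PORTS, customer2=3), MUST_ISOLATE))
```
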
Check whether MAC address entries on the switch are correct.
Run the display mac-address command on the switch to check whether the MAC addresses, interfaces, and VLANs in the learned MAC address entries are correct. If the learned MAC address entries are incorrect, run the undo mac-address mac-address vlan vlan-id command on the interface to delete the existing entries so that the switch can learn MAC address entries again.
Case description
To implement communication between VLANs through RIPv2, configure at least two VLANIF interfaces on the switch.
Result
Perform the ping operation. PC1 in VLAN 2 and VLAN 3 can communicate with each other.
Result
To implement communication between VLANs through RIPv2, configure at least two VLANIF interfaces on the switch.
Proxy ARP
Routed proxy ARP: Routed proxy ARP enables network devices on the same network segment but on different physical networks to communicate.
Intra-VLAN proxy ARP: If two hosts belong to the same VLAN where user isolation is configured, enable intra-VLAN proxy ARP on an interface associated with the VLAN to allow the hosts to communicate.
Inter-VLAN proxy ARP: If two hosts belong to different VLANs, enable inter-VLAN proxy ARP on interfaces associated with the VLANs to implement Layer 3 communication between the two hosts.
Topology Description
Routed proxy ARP
• The IP addresses of PC1 and PC2 are on the same
interfaces of S1. After S1's interface connected to PC1 receives an ARP Request packet destined for another address, S1 does not discard the packet but searches for the ARP entry corresponding to PC2. If the ARP entry corresponding to PC2 exists, S1 sends its MAC address to PC1 and forwards packets sent from PC1 to PC2. S1 functions as the proxy of PC2.
Inter-VLAN proxy ARP
• This function is used in VLAN aggregation. Refer to the VLAN documentation.
Gratuitous ARP provides the following functions:
Checks for duplicate IP addresses: Normally, a host does not receive an ARP Reply packet after sending an ARP Request packet with the destination address as its own IP address. If the host receives an ARP Reply packet, another host has the same IP address.
Advertises a new MAC address: If the MAC address of a host changes because its network adapter is replaced, the host sends a gratuitous ARP packet to notify all hosts of the change before the ARP entry is aged out.
Notifies of an active/standby switchover in a VRRP group: After an active/standby switchover is performed, the master
After the system is reset or the interface card is hot swapped or reset, the dynamic entries will be lost but the static and the blackhole entries are not lost.
Secure MAC addresses are classified into the following types:
• Secure dynamic MAC address: is learned on an interface where port security is enabled but the sticky MAC function is disabled. After port security is enabled on an interface, dynamic MAC address entries that have been learned on the interface are deleted and MAC address entries learned subsequently turn into secure dynamic MAC address entries. Secure dynamic MAC addresses will not be aged out by default. After
are lost and need to be learned again.
MAC address anti-flapping
Increasing the MAC address learning priority of an interface: When the same MAC address entry is learned by interfaces with different priorities, the MAC address entry learned by the interface with the highest priority overwrites the one learned by other interfaces.
Preventing MAC address overwriting on interfaces with the same priority: If the priority of an interface on a bogus device is the same as that on the authorized device, the MAC address of the bogus device learned later does not overwrite the correct MAC address. If the device powers off, the MAC
If S2 and S4 are incorrectly connected with a network cable, a loop occurs between S2, S3, and S4. When a broadcast packet is sent, the packet is forwarded to S3 and received by Port1 on S1. When MAC address flapping detection is configured on Port1, S1 detects that the source MAC address of the broadcast packet flaps between interfaces. If the MAC address flaps between interfaces frequently, S1 considers that MAC address flapping occurs. The interface associated with S1 can enter the error-down state or be removed from the VLAN.
flapping occurs.
Link aggregation has the following advantages:
Increased bandwidth: The bandwidth of the link aggregation interface is the sum of bandwidth of member interfaces.
Higher reliability: When the physical link of a member interface fails, the traffic can be switched to another available member link, improving reliability of the link aggregation interface.
Load balancing: In a Link Aggregation Group (LAG), traffic is load balanced among active member interfaces.
Basic concepts of Ethernet link aggregation
Eth-Trunk: An LAG is the logical link bundled by many Ethernet links, and is short for Eth-Trunk.
the MAC sub-layer. Therefore, frames transmitted at the MAC sub-layer only need to be delivered to the Eth-Trunk module.
Eth-Trunk forwarding entries:
HASH-KEY value: is calculated through the hash algorithm on the MAC address or IP address in the packet.
Interface number: Eth-Trunk forwarding entries are relevant to the number of member interfaces in an Eth-Trunk. Different HASH-KEY values are mapped to different outbound interfaces.
Figure description
For example, if three physical interfaces, 1, 2, and 3, are bundled into an Eth-Trunk, the Eth-Trunk forwarding table
Mis-sequencing in common load balancing mode
Because there are multiple physical links between devices of an Eth-Trunk, the first data frame of the same data flow is transmitted on one physical link, and the second data frame may be transmitted on another physical link. In this case, the second data frame may arrive at the peer device earlier than the first data frame. As a result, packet mis-sequencing occurs.
Eth-Trunk load balancing
The Eth-Trunk uses the load balancing mechanism. This mechanism uses the hash algorithm to calculate the address
traffic evenly. If a high link bandwidth between two directly connected devices is required but the device does not support the LACP protocol, you can use the manual load balancing mode.
LACP mode
LACP uses a standard negotiation mechanism for switching devices. LACP enables switching devices to automatically create and enable aggregated links based on their
LACP concepts
LACP system priority: The LACP system priority (default value of 32768) is used to differentiate priorities of devices at both ends of an Eth-Trunk. In LACP mode, active interfaces selected by both devices must be consistent; otherwise, the LAG cannot be established. To keep active interfaces consistent at both ends, set a higher priority for one end. In this manner, the other end selects active member interfaces based on the selection of the peer. The smaller the LACP system priority value, the higher the LACP system priority. When LACP system priorities are the same, the device with smaller MAC address functions as the Actor.
LACP interface priority: The LACP interface priority (default value of 32768) is used to determine whether a member interface can be selected as an active interface. The smaller the LACP interface priority value, the higher the LACP interface priority.
In LACP mode, LACP determines active and inactive links in
backup links. This mode guarantees high reliability and allows load balancing to be carried out across M active links.
LACP implementation
After member interfaces are added to an Eth-Trunk in LACP mode, each end sends LACPDUs to inform its peer of its system priority, MAC address, interface priority, interface number, and keys. After being informed, the peer compares this information with that saved on itself, and selects which interfaces to be aggregated. Both ends determine active interfaces and links.
Negotiation process
Devices at both ends send LACPDUs to each other.
• Create an Eth-Trunk in LACP mode on S1 and S2 and
both ends send LACPDUs to each other.
Determine the Actor and active links.
GVRP
GVRP is based on GARP and is used to maintain VLAN attributes dynamically on devices. Through GVRP, VLAN attributes of one device can be propagated throughout the entire switching network. GVRP enables network devices to dynamically deliver, register, and propagate VLAN attributes, reducing the workload of network administrators and ensuring correct configuration.
GVRP applies to only trunk links.
GVRP uses the multicast MAC address of 01-80-C2-00-00-21.
Participant
GARP participants exchange attribute information by sending messages. GVRP messages fall into Join, Leave, and LeaveAll messages.
Join message: When a GARP participant requires that other devices register its attributes, receives Join messages from other GARP participants, or has attributes configured statically, it sends Join messages.
Leave message: A GARP participant sends Leave messages to have its attributes deregistered from other devices. The GARP participant also sends Leave messages when receiving Leave messages from other GARP participants or
Join message twice. When sending the first Join message, the GARP participant starts the Join timer. If a Join message is received before the Join timer expires, the GARP participant does not send the second Join message. If not, the GARP participant re-sends the Join message.
The Join timer is configured on a per-port basis.
Hold timer
creating unnecessary traffic. To avoid this problem, the actual LeaveAll timer value of a participant is a random value between the LeaveAll timer value and the LeaveAll timer value multiplied by 1.5. A LeaveAll event is equivalent to deregistering all attributes network wide by sending Leave messages.
The LeaveAll timer value must be larger than the Leave timer value.
One-way registration of VLAN attributes
Manually create static VLAN 2 on S1. In response to this action, GVRP automatically assigns the GVRP-enabled ports on S2 and S3 to VLAN 2 through one-way registration. The process is as follows:
• After VLAN 2 is created on S1, E1 on S1 starts the Join timer and Hold timer. When the Hold timer expires, S1 sends the first JoinEmpty message to S2. When the Join timer expires, E1 restarts the Hold timer. When the
JoinEmpty message.
added to dynamic VLANs. To transmit traffic of VLAN 2 in both directions, VLAN registration from S3 to S1 is required. The process is as follows:
• After one-way registration is complete, static VLAN 2 is created on S3 (the dynamic VLAN is replaced by the static VLAN). E4 on S3 starts the Join timer and Hold timer. When the Hold timer expires, E4 on S3 sends the first JoinIn message (because it has registered VLAN 2) to S2. When the Join timer expires, E4 restarts the Hold timer. When the Hold timer expires, E4 sends the second JoinIn message.
• After E3 on S2 receives the first JoinIn message, S2 adds E3 to VLAN 2 and requests E2 to start the Join timer and Hold timer. When the Hold timer expires, E2
JoinEmpty messages to S2. Every time the LeaveAll timer expires or a LeaveAll message is received, each device restarts the LeaveAll timer, Join timer, Hold timer, and Leave timer. E1 on S1 sends a JoinIn message to S2 when the Hold timer expires.
• S2 sends a JoinIn message to S3.
• After receiving the JoinIn message, S3 does not create dynamic VLAN 2 because static VLAN 2 has been created.
One-way deregistration of VLAN attributes
When VLAN 2 is not required on devices, the devices can deregister VLAN 2. The process is as follows:
• After static VLAN 2 is manually deleted from S1, E1 on S1 starts the Hold timer. When the Hold timer expires, E1 sends a LeaveEmpty message to S2. E1 needs to send only one LeaveEmpty message.
• After E2 on S2 receives the LeaveEmpty message, it starts the Leave timer. When the Leave timer expires,
2, but VLAN 2 is not deleted from S2 because E3 is still
created using GVRP are called dynamic VLANs.
Case description
To enable PC1 and PC2 whose interfaces are isolated in VLAN 2 to communicate with each other, enable intra-VLAN proxy ARP on S1.
Command usage
The port-isolate enable command enables port isolation.
The arp-proxy inner-sub-vlan-proxy enable command enables intra-VLAN proxy ARP.
View
Interface view
Parameters
port-isolate enable [ group group-id ]
group-id: specifies the ID of a port isolation group. The default value is 1.
Precautions
You can use the display port-isolate command to view the port isolation group configuration.
Case description
Preemption needs to be enabled to meet requirement 3.
Command usage
The mode command configures the working mode of an Eth-Trunk.
The eth-trunk command adds an interface to an Eth-Trunk.
The load-balance command sets a load balancing mode of an Eth-Trunk.
The max active-linknumber command sets the upper threshold for the number of active member links on an Eth-Trunk.
The lacp priority command sets the LACP system or interface priority.
Precautions
When adding an interface to an Eth-Trunk, pay attention to the following points:
• An Eth-Trunk contains a maximum of 8 member interfaces.
• A member interface cannot be configured with any service or static MAC address.
• The link type of the member interface added to the Eth-Trunk must be hybrid.
• An Eth-Trunk cannot be nested, that is, its member interface cannot be an Eth-Trunk.
• An Ethernet interface can be added to only one Eth-Trunk. To add the Ethernet interface to another Eth-Trunk, delete it from the original Eth-Trunk first.
• Member interfaces of an Eth-Trunk must be of the same type. That is, FE and GE interfaces cannot join the same Eth-Trunk.
• Ethernet interfaces on different LPUs can join the same Eth-Trunk.
• The remote interface directly connected to the local
communicate.
• When member interfaces use different rates, congestion may occur on the low-rate interface, causing packet loss.
• After interfaces are added to an Eth-Trunk, MAC addresses are learned on the Eth-Trunk but not the member interfaces.
• When all member interfaces of an Eth-Trunk work in half-duplex mode, the Eth-Trunk cannot negotiate an Up state.
Case description
Deploy GVRP to meet requirement 2.
Command usage
The gvrp command enables GVRP globally or on an interface.
Precautions
Before enabling GVRP on an interface, you must set the link type of the interface to trunk.
The display gvrp vlan-operation command displays the dynamic VLANs to which an interface is added.
PPP includes three protocols:
Link Control Protocol (LCP): is used to establish, monitor, and tear down PPP data links. LCP can automatically detect the link environment, for example, check whether there are loops. It also negotiates link parameters such as the maximum packet length and authentication protocol to be used. Compared with other data link layer protocols, PPP has an important feature, that is, it can provide the authentication function. The two ends of a link can negotiate the authentication protocol to be used and implement authentication. The ends can be connected only when the
devices connected by using PPP do not need to know the data link layer address of each other because PPP is used on P2P links. This field must be filled with a broadcast address of all 1s and is of no significance to PPP.
Control field
packet, so the PPP packet header value is FF03.
Protocol field
• The Protocol field identifies the datagram encapsulated in the Information field of a PPP data packet.
LCP packet format
Code field
• The Code field is 1 byte in length and identifies the LCP packet type.
Identifier field
• The Identifier field is 1 byte long. It is used to match request and response packets. If a device receives a packet with an invalid Identifier field, the device discards the packet.
• The sequence number of a Configure-Request packet usually begins with 0x01 and increases by 1 each time a Configure-Request packet is sent. After a receiver receives a Configure-Request packet, it must send a response packet with the same sequence number as that of the received Configure-Request packet.
Length field
• The Length field specifies the total number of bytes in the LCP packet. It specifies the length of an LCP packet, including the Code, Identifier, Length and Data fields.
• The Length field value cannot exceed the maximum receive unit (MRU) of the link. Bytes outside the range of the Length field are treated as padding and are ignored after they are received.
Data field
• The Type field specifies the negotiation option type.
• The Length field specifies the total length of the Data field, including Type, Length, and Data.
• The Data field contains the contents of the negotiation option.
The PPP link establishment process is as follows:
Dead: PPP starts and ends with the Dead phase. After the physical status of two communicating devices becomes Up (marked as UP in the figure), PPP enters the Establish phase.
Establish: The two devices negotiate link layer parameters in the Establish phase. If negotiation of link layer parameters fails (marked as FAIL in the figure), a PPP connection cannot be established and PPP returns to the Dead phase. If negotiation of link layer parameters succeeds (marked as OPENED in the figure), PPP enters the Authenticate phase.
Authenticate: In the Authenticate phase, the authenticating party authenticates the authenticated party. If authentication fails (marked as
configured, PPP enters the Network phase.
Network: In the Network phase, the two devices use NCP to negotiate
LCP has three types of packets:
1. Link configuration packets, used to establish and configure links: Configure-Request, Configure-Ack, Configure-Nak, Configure-Reject.
2. Link disconnection packets, used to end links: Terminate-Request, Terminate-Ack.
3. Link maintenance packets, used to manage and debug links: Code-Reject, Protocol-Reject, Echo-Request, Echo-Reply, Discard-Request.
LCP is used to negotiate the following parameters:
MRU is used on the Versatile Routing Platform (VRP) to indicate the maximum transmission unit configured on an interface.
The PPP authentication protocols include PAP and CHAP. Two ends of a PPP link can use different protocols to authenticate the peer. However, the authenticated party must support the authentication protocol used by the authenticating party and have authentication information such as the user name and password correctly configured.
LCP uses the magic number to detect link loops and other exceptions. A magic number is a randomly generated number. It should be ensured that the two ends do not generate the same magic number.
After a device receives a Configure-Request packet, it compares the
PPP. When the physical status of the link becomes Up, R1 and R2 use the LCP to negotiate link layer parameters. In this example, R1 sends an LCP packet.
R1 sends a Configure-Request packet to R2, carrying link-layer parameters configured on the sender (R1). The link-layer parameters use the Type, Length, Value structure.
After receiving the Configure-Request packet, R2 sends a Configure-Ack packet to R1 if it can identify all the link-layer parameters in the packet and determines that the value of each parameter is acceptable.
Configure-Nak packet to R1 if R2 can identify all the link-layer parameters in the packet, but determines that all or some of the parameter values are unacceptable, indicating that parameter negotiation fails.
The Configure-Nak packet contains only the parameters whose values are unacceptable, and the value of each parameter is changed to a value or value range that is acceptable on R2.
After receiving the Configure-Nak packet, R1 changes the parameter values used locally based on the values in the Configure-Nak packet, and then sends a Configure-Request packet.
If negotiation still fails after the Configure-Request packet is sent five consecutive times, the parameters are disabled and parameter negotiation stops.
The link negotiation parameters cannot be identified.
After receiving a Configure-Request packet from R1, R2 sends a Configure-Reject packet to R1 if R2 cannot identify all or some link-layer parameters in the packet.
The Configure-Reject packet contains only the parameters that cannot be identified.
After receiving the Configure-Reject packet, R1 sends a Configure-Request packet to R2, carrying only parameters that can be identified by R2.
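The LCP packet format and the Configure-Ack, Configure-Nak and Configure-Reject decisions described above, as an added Python example that is not part of the original course material. The numeric codes and option types are the RFC 1661 assignments (the page does not list them), and the local policy (a maximum MRU, and accepting only CHAP so that this end is never asked to send its password in plaintext through PAP) is an assumption made for the illustration.

```python
import secrets
import struct

# Codes and option types as assigned in RFC 1661; the page names the packets
# and parameters but does not list these numeric values.
CONF_REQ, CONF_ACK, CONF_NAK, CONF_REJ = 1, 2, 3, 4
OPT_MRU, OPT_AUTH, OPT_MAGIC = 1, 3, 5
AUTH_PAP = b"\xc0\x23"            # PAP
AUTH_CHAP_MD5 = b"\xc2\x23\x05"   # CHAP with MD5


class LcpError(ValueError):
    """The packet is malformed and must be discarded."""


def parse_lcp(frame):
    """Return (code, identifier, [(option_type, option_data), ...])."""
    if len(frame) < 4:
        raise LcpError("shorter than the LCP header")
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if length < 4 or length > len(frame):
        raise LcpError("Length field does not fit the received bytes")
    body = frame[4:length]   # anything past Length is padding and is ignored
    options, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise LcpError("truncated option header")
        opt_type, opt_len = body[pos], body[pos + 1]
        # The option Length counts Type + Length + Data, so it is never below 2.
        if opt_len < 2 or pos + opt_len > len(body):
            raise LcpError("option Length overruns the packet")
        options.append((opt_type, body[pos + 2:pos + opt_len]))
        pos += opt_len
    return code, ident, options


def build_lcp(code, ident, options):
    body = b"".join(bytes([t, len(d) + 2]) + d for t, d in options)
    return struct.pack("!BBH", code, ident, len(body) + 4) + body


def fresh_magic(avoid):
    """Random 4-byte magic number that differs from `avoid`."""
    while True:
        magic = secrets.token_bytes(4)
        if magic != avoid:
            return magic


def respond(frame, local_magic, max_mru=1500, acceptable_auth=AUTH_CHAP_MD5):
    """Answer a Configure-Request the way R2 does in the text.

    max_mru and acceptable_auth are a hypothetical local policy.
    """
    code, ident, options = parse_lcp(frame)
    if code != CONF_REQ:
        raise LcpError("not a Configure-Request")
    unknown, unacceptable = [], []
    for opt_type, data in options:
        if opt_type == OPT_MRU and len(data) == 2:
            if struct.unpack("!H", data)[0] > max_mru:
                unacceptable.append((OPT_MRU, struct.pack("!H", max_mru)))
        elif opt_type == OPT_AUTH and len(data) >= 2:
            # The sender names the protocol it wants this end to authenticate
            # with; PAP would put the password on the link in plaintext.
            if data != acceptable_auth:
                unacceptable.append((OPT_AUTH, acceptable_auth))
        elif opt_type == OPT_MAGIC and len(data) == 4:
            if data == local_magic:   # same magic number: possible loop
                unacceptable.append((OPT_MAGIC, fresh_magic(local_magic)))
        else:
            unknown.append((opt_type, data))
    # The reply carries the same Identifier as the request it answers.
    if unknown:        # Reject lists only the options that cannot be identified
        return build_lcp(CONF_REJ, ident, unknown)
    if unacceptable:   # Nak lists only the bad values, replaced by acceptable ones
        return build_lcp(CONF_NAK, ident, unacceptable)
    return build_lcp(CONF_ACK, ident, options)


if __name__ == "__main__":
    # Constructed Configure-Request: MRU 1500, PAP, a magic number, and an
    # option type (0x63) this responder does not implement.
    request = build_lcp(CONF_REQ, 1, [(OPT_MRU, b"\x05\xdc"), (OPT_AUTH, AUTH_PAP),
                                      (OPT_MAGIC, b"\x11\x22\x33\x44"), (0x63, b"\x00")])
    print(parse_lcp(respond(request, local_magic=b"\xaa\xbb\xcc\xdd")))
```
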
The link state detection process is as follows:
After a connection is set up using LCP, Echo-Request and Echo-Reply packets can be used to detect the link status. If a device replies with an Echo-Reply packet each time it receives an Echo-Request packet, the link status is normal.
By default, the VRP platform sends an Echo-Request packet once every 10 seconds.
The process of tearing down a connection is as follows:
LCP can tear down an existing connection if the authentication fails or an administrator manually shuts down the connection.
LCP uses Terminate-Request and Terminate-Ack packets to disconnect a connection. The Terminate-Request packet is used to request the peer to disconnect the connection. After receiving a Terminate-Request packet, the device replies with a Terminate-Ack packet to confirm that the connection is to be disconnected.
If a device fails to receive a Terminate-Ack packet, it re-transmits a Terminate-Request packet once every 3 seconds. If the device still does not receive a Terminate-Ack packet after sending the Terminate-Request packet twice consecutively, it determines that the peer is
A PAP packet is encapsulated in the PPP packet directly.
The PAP authentication process is as follows:
The authenticated party sends an Authenticate-Request packet carrying the user name and password in plaintext to the authenticating party. In this example, the user name and password are huawei and hello.
After receiving the user name and password from the authenticated party, the authenticating party compares the user name and password with those configured locally to check whether they are correct. If the user name and
Authenticate-Ack packet, indicating that the authentication
a 16-byte character string, which is the concatenation of Identifier+password+challenge. The authenticated party adds the calculated 16-byte character string to the Data field of the Response packet and sends the packet to the authenticating party.
CHAP is a three-way handshake authentication protocol. The Request packet and Response packet exchanged between two communicating devices during one CHAP process contain the same Identifier.
Unidirectional CHAP authentication is applicable to two scenarios: the authenticating party is configured with a user name, and the authenticating party is not configured with a user name. It is recommended that the authenticating party be configured with a user name.
When the authenticating party is configured with a user name (that is, the ppp chap user username command is configured on the interface):
• The authenticating party initiates an authentication request
name to the authenticated party.
• After receiving the Challenge packet on an interface, the
command is used on the interface. If this command is used, the authenticated party uses MD5 to hash the concatenation of Identifier, password generated by the ppp chap password command, and a random number. The authenticated party then sends a Response packet carrying the calculated ciphertext password and local user name to the authenticating party. If the ppp chap password command is not configured, the authenticated party searches the local user table for the password matching the user name of the authenticating party in the received Challenge packet, and encrypts the matching password by using MD5 in a similar way. The authenticated party sends a Response packet carrying the calculated ciphertext password and local user name to the authenticating party.
• The authenticating party encrypts the locally saved password of the authenticated party by using MD5. The authenticating party then compares the generated ciphertext password with that carried in the received Response packet, and returns a response based on the check result.
When the authenticating party is not configured with a user name (that is, the ppp chap user username command is not configured on the interface):
• The authenticating party initiates an authentication request by sending a Challenge packet.
• After receiving the Challenge packet, the authenticated party uses MD5 to hash the concatenation of Identifier, password generated by the ppp chap password command, and a random number. It then sends a Response packet carrying the ciphertext password and local user name to the authenticating party.
• The authenticating party encrypts the locally saved password of the authenticated party by using MD5. The authenticating party then compares the generated ciphertext password with that carried in the received Response packet, and returns a response based on the check result.
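The CHAP exchange described above (and the 16-byte value mentioned with the PAP process), as an added Python example that is not part of the original course material. What the text calls the ciphertext password is the MD5 digest over Identifier + password + challenge; the packet codes and the Value-Size/Name layout follow RFC 1994, and the class and function names, the single-use challenge handling and the constant-time comparison are choices made for this illustration.

```python
import hashlib
import hmac
import secrets
import struct

# CHAP packet codes as assigned in RFC 1994 (the page does not list them).
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def build_chap(code, ident, value, name):
    """Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, len(body) + 4) + body


def parse_chap(packet):
    """Return (code, identifier, value, name) of a Challenge or Response."""
    if len(packet) < 5:
        raise ValueError("shorter than a CHAP Challenge/Response header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    size = packet[4]
    if length > len(packet) or 5 + size > length:
        raise ValueError("Length or Value-Size overruns the packet")
    return code, ident, packet[5:5 + size], packet[5 + size:length]


def chap_digest(ident, password, challenge):
    """16-byte MD5 over Identifier + password + challenge."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class Authenticator:
    """Authenticating party; `users` maps peer user name to password."""

    def __init__(self, name, users):
        self.name, self.users, self.pending = name, users, None

    def challenge(self):
        # A fresh random challenge per attempt makes a captured Response
        # useless for a later attempt.
        self.pending = (secrets.randbelow(256), secrets.token_bytes(16))
        return build_chap(CHALLENGE, self.pending[0], self.pending[1], self.name)

    def verify(self, packet):
        """Return SUCCESS or FAILURE for a Response packet."""
        pending, self.pending = self.pending, None   # each challenge is single-use
        try:
            code, ident, value, name = parse_chap(packet)
        except ValueError:
            return FAILURE
        # The Response must carry the Identifier of the outstanding Challenge.
        if pending is None or code != RESPONSE or ident != pending[0]:
            return FAILURE
        # Hash even for unknown users so timing does not reveal valid names.
        expected = chap_digest(ident, self.users.get(name, b""), pending[1])
        known = name in self.users
        return SUCCESS if hmac.compare_digest(expected, value) and known else FAILURE


def peer_response(challenge_packet, local_name, chap_password=None, local_users=None):
    """Authenticated party: use the configured CHAP password if there is one,
    otherwise look the password up in the local user table by the user name
    of the authenticating party carried in the Challenge."""
    code, ident, value, auth_name = parse_chap(challenge_packet)
    if code != CHALLENGE:
        raise ValueError("not a Challenge")
    if chap_password is None:
        chap_password = (local_users or {})[auth_name]
    return build_chap(RESPONSE, ident, chap_digest(ident, chap_password, value), local_name)


if __name__ == "__main__":
    # Constructed credentials, reusing the user name and password of the PAP example.
    r1 = Authenticator(b"R1", {b"huawei": b"hello"})
    response = peer_response(r1.challenge(), b"huawei", chap_password=b"hello")
    print("first attempt:", r1.verify(response))    # accepted
    r1.challenge()
    print("replayed:", r1.verify(response))         # rejected: new challenge
```
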
IPCP negotiates IP addresses of two devices to transmit IP packets over PPP links.
IPCP and LCP have the same negotiation mechanism, packet type, and working process.
Topology
Configure two IP addresses 12.1.1.1/24 and 12.1.1.2/24 for the two ends. (IPCP can be used to negotiate IP addresses even if they are not on the same network segment.)
The static IP address negotiation process is as follows:
• R1 and R2 send a Configure-Request packet carrying the local IP address to each other.
packet.
IPCP uses Configure-Request and Configure-Ack packets to allow two ends at a PPP link to discover each other’s 32-bit IP address.
As shown in the figure, R1 requests the peer to allocate an IP address for it and R2 is configured with a static IP address 12.1.1.2/24. R2 is enabled to allocate an IP address 12.1.1.1 to R1.
The dynamic IP address negotiation process is as follows:
R1 sends a Configure-Request packet carrying the IP address 0.0.0.0 to R2, requesting R2 to allocate an IP address for it.
After receiving the Configure-Request packet, R2 determines that the IP address 0.0.0.0 is invalid and returns a Configure-Nak packet carrying a new IP address 12.1.1.1 to R1.
After receiving the Configure-Nak packet, R1 updates the local IP address, and then sends a Configure-Request packet carrying the new
In addition, R2 also sends a Configure-Request packet carrying the IP address 12.1.1.2 to R1. R1 determines that the IP address 12.1.1.2 is valid, and returns a Configure-Ack packet to R2.
Multilink PPP fragments a packet and sends the fragments to the same destination over multiple PPP links.
PPPoE overview
PPPoE allows a large number of hosts on an Ethernet to connect to the Internet using a remote access device and controls each host using PPP. PPPoE features a large application scale, high security, and convenient accounting.
Topology
A PPPoE session is set up between each PC and the router on the carrier network. Each PC functions as a
The PPPoE session establishment process includes three stages: Discovery, Session, and Terminate.
Discovery stage:
A PPPoE client broadcasts a PPPoE Active Discovery Initial (PADI) packet that contains service information required by the PPPoE client.
After receiving the PADI packet, all PPPoE servers compare the requested service with the services they can provide. The PPPoE servers that can provide the requested service unicast PPPoE Active Discovery Offer
The PPPoE client selects the PPPoE server from which the first PADO packet is received and unicasts a PPPoE Active Discovery Request (PADR) packet to the PPPoE server.
The PPPoE server generates a unique session ID to identify the PPPoE session with the PPPoE client. The
Four types of FR interfaces are available:
A user's device is called a DTE, and the corresponding interface type is DTE.
A network device that provides access services for DTE devices is called a DCE, and the corresponding interface type is DCE or NNI.
A UNI interface interconnects the DTE and DCE.
An NNI interface interconnects two FR switches.
A Virtual Circuit (VC) is a logical circuit established between two network devices on the same network.
Based on establishment mode, VCs are classified into two types:
automatically through negotiation.
The PVC status of the DTE is determined by the DCE. The PVC status of the DCE is determined by the network.
VCs are identified by the DLCI and a DLCI takes effect only on a local
The system supports three LMI protocols: ITU-T Q.933 Annex A, ANSI T1.617 Annex D, and non-standard compatible protocol. The non-standard compatible protocol is used for interconnection with a device from a vendor except Huawei.
The PVC status of the DTE is determined by the DCE. The PVC status of the DCE is determined by the network.
When two network devices are directly connected, the PVC
The LMI negotiation process is as follows:
When the DTE and DCE can normally send and receive LMI negotiation messages, the link protocol status changes to Up, and the PVC status changes to Active.
The FR LMI negotiation succeeds.
After the FR LMI negotiation succeeds and the PVC status changes to Active, two devices on a PVC start the InARP negotiation process:
If a protocol address is configured on the local interface, the local device (for example, R1) sends an Inverse ARP Request packet to the peer device (for example, R2) over the VC. The Inverse ARP Request packet carries the protocol address of R1.
After receiving the Inverse ARP Request packet, R2 obtains the protocol address of R1, generates an address
R1.
network. One physical interface can contain multiple logical sub-interfaces. Each sub-interface can connect to a remote router over one or multiple DLCIs. The routers are connected over the FR network.
You can define logical sub-interfaces on the serial line.
Every sub-interface uses one or multiple DLCIs to connect to the remote router. After a DLCI is configured on a sub-interface, the mapping between the destination protocol address and this DLCI needs to be created.
As shown in the figure, R4 has only one physical serial interface S0; however, DLCIs are defined on S0 to connect
respectively.
Two types of sub-interfaces are available:
P2P sub-interface: used to connect to a single remote device. Each P2P sub-interface can be configured with only
interface to enable R1 to send a Challenge packet to R2 carrying the user name Huawei.
Command usage
ppp authentication-mode: Configures the PPP authentication mode in which the local device authenticates the remote device.
ppp chap user: Configures a user name for CHAP authentication.
ppp chap password: Configures a password for CHAP authentication.
ip address ppp-negotiate: Configures IP address negotiation on an interface to allow the interface to obtain an IP address from the remote device.
remote address: Configures the local device to assign an IP address or specify an IP address pool for the remote device.
Usage scenario
Interface view
Parameters
ppp chap user username
username: Specifies a user name for CHAP authentication.
ppp chap password { cipher | simple } password
cipher: Indicates a ciphertext password.
simple: Indicates a plaintext password.
password: Specifies the password for CHAP authentication.
remote address { ip-address | pool pool-name }
Precautions
In CHAP authentication, the authenticated party does not send the password to the authenticating party.
The local device can use IPCP to learn the 32-bit host address from the remote
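The exchange behind the first precaution above, as an added example (not from the original Huawei material): the authenticator sends a random challenge and the peer returns MD5(Identifier || secret || Challenge Value) as defined in RFC 1994, so the password itself never crosses the link. The user name Huawei is taken from the page; the secret, the class and the function names are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5 over Identifier || secret || Challenge Value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Authenticating side: issues challenges and checks responses against a
    local user table (hypothetical stand-in for the device's local user database)."""

    def __init__(self, users):
        self.users = users      # user name -> shared secret
        self.pending = {}       # identifier -> outstanding challenge value
        self.next_id = 0

    def challenge(self):
        ident = self.next_id % 256          # Identifier is a single octet
        self.next_id += 1
        value = os.urandom(16)              # fresh, unpredictable per attempt
        self.pending[ident] = value
        return ident, value

    def verify(self, ident, name, response):
        value = self.pending.pop(ident, None)   # each challenge is usable once
        secret = self.users.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(ident, secret, value)
        return hmac.compare_digest(expected, response)


def demo():
    secret = b"constructed-secret"          # constructed sample value
    auth = Authenticator({"Huawei": secret})

    # Normal exchange: the peer hashes the challenge with the shared secret.
    ident, value = auth.challenge()
    captured = chap_response(ident, secret, value)
    accepted = auth.verify(ident, "Huawei", captured)

    # A response recorded earlier does not match a fresh challenge.
    ident2, _ = auth.challenge()
    replay_accepted = auth.verify(ident2, "Huawei", captured)

    # A peer that does not know the secret cannot produce a valid response.
    ident3, value3 = auth.challenge()
    wrong_accepted = auth.verify(ident3, "Huawei",
                                 chap_response(ident3, b"guess", value3))
    return accepted, replay_accepted, wrong_accepted


if __name__ == "__main__":
    print(demo())
```

Both ends must hold the same secret for the hash to match, so the protection depends on the challenge being fresh and unpredictable for every attempt.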
Command usage
interface mp-group: Creates an MP-Group interface and enters the MP-Group interface view.
ppp mp mp-group: Binds an interface to the MP-Group interface so that the interface works in MP mode.
restart: Restarts the current interface.
Precautions
Data frames will be lost after you disable the interface. Exercise caution when you use the restart command.
Case description
You need to get familiar with the configurations of the PPPoE server and PPPoE client in this case.
Command usage
virtual-template: Creates a VT interface and enters the VT interface view.
pppoe-server bind virtual-template: Binds a specified VT interface to an Ethernet interface and enables PPPoE on the Ethernet interface.
remote address: Configures the local device to assign an IP address or specify an IP address pool for the remote device.
dialer-rule: Enters the dialer rule view.
dialer-rule: Specifies a dialer ACL for a dialer access group and defines conditions to initiate calls.
interface dialer: Creates a dialer interface and enters the dialer interface view.
dialer-group: Adds an interface to a dialer access group. That is, the number of the dialer rule is specified.
Case description
On an FR network, you do not need to manually configure the mapping relationship for a P2P sub-interface.
Precautions
You do not need to manually configure the mapping relationship if the sub-interface is a P2P sub-interface, regardless of whether InARP is disabled on it.
Topology Description
Broadcast storm
• Assume that STP is not enabled on the switching devices. If PC1 broadcasts a request, the request is received by port1 and forwarded by port2 on S1 and S2. On S1 and S2, port2 receives the request broadcast by the other switch and port1 forwards the request. As such transmission repeats, resources on the entire network are exhausted, causing the network to break down.
MAC address table flapping
• Port2 on S1 can learn the MAC address of PC2.
S1 continuously modifies its MAC address table, causing flapping of the MAC address table.
STP
STP can eliminate network loops. STP is used to build a loop-free network (tree) to ensure the unique data transmission path and prevent infinite looping of packets. STP works at the data link layer of the OSI model.
STP-capable switches exchange BPDUs and perform distributed calculation to determine which ports need to be blocked to prevent loops.
Root bridge
The root bridge is the bridge with the smallest BID, which is composed of the priority and MAC address.
Root Port
The root port is the port with the smallest root path cost to the root bridge, and is responsible for forwarding data to the root bridge. The root port is determined based on the path cost. Among all STP-capable ports on a network bridge, the port with the smallest root path cost is the root port. There is only one root port on an STP-capable device, but there is no root port on the root bridge.
Designated port and bridge
The bridge closest to the root bridge on each network segment is used as the designated bridge. The port on the designated bridge to the network segment is called the designated port.
After the root bridge, root port, and designated port are selected successfully, the entire tree topology is set up. When the topology is stable, only the root port and the designated port forward traffic. All the other ports are in Blocking state, and receive only STP BPDUs but do not forward user traffic.
A configuration BPDU is generated in one of the three following scenarios:
When ports are enabled with STP, the designated ports send configuration BPDUs at intervals specified by the Hello timer.
When a root port receives configuration BPDUs, the device where the root port resides sends a copy of the configuration BPDUs to its designated port.
When receiving a configuration BPDU with a lower priority, the designated port immediately sends its own configuration BPDUs to the downstream device.
Root identifier

bridge directly discards it. In this case, the network size is considered too large and the non-root bridge disconnects from the root bridge.
In real world situations, each time a configuration BPDU passes through a bridge, the value of Message Age increases by 1.
The default value is 20.
Forward Delay
The Forward Delay timer specifies the delay for interface status transition. The default value is 15 seconds.
STP Topology Calculation
After all devices on the network are enabled with STP, each device considers itself as the root bridge. Each device only transmits and receives BPDUs but does not forward user traffic. All ports are in Listening state. After exchanging configuration BPDUs, all devices participate in the selection of the root bridge, root port, and designated port.
During network initialization, every device considers itself as the root bridge and sets the root bridge ID as the device ID. Devices exchange configuration BPDUs to compare the root bridge IDs. The device with the smallest BID is elected as the root bridge.

between S1 and S2, between S1 and S3, and between S2 and S3 are 5, 10, and 4 respectively.
Initial configuration BPDUs on ports of S1, S2, and S3:
S1: {0, 0, 0, Port A1} on Port A1 and {0, 0, 0, Port A2} on Port A2
S2: {1, 0, 1, Port B1} on Port B1 and {1, 0, 1, Port B2} on Port B2
on Port C2
First exchange of configuration BPDUs
Ports on S1, S2, and S3 send their configuration BPDUs. Each network bridge considers itself as the root bridge, so the RPC is 0.
Comparison for the first exchange of configuration BPDUs
S1
• Port A1 receives the configuration BPDU {1, 0, 1, Port B1} from Port B1 and finds that its configuration BPDU {0, 0, 0, Port A1} has a higher priority than the configuration BPDU {1, 0, 1, Port B1}, so Port A1 discards the configuration BPDU {1, 0, 1, Port B1}.
• Port A2 receives the configuration BPDU {2, 0, 2, Port

each port, S1 considers itself as the root bridge. S1 then sends configuration BPDUs from each port periodically without modifying the configuration BPDUs.
  • The configuration BPDU {0, 0, 0, Port A1} on Port A1 and configuration BPDU {0, 0, 0, Port A2} on Port A2 are optimal.
  • Because S1 is the root bridge, all ports on S1 are designated ports.
S2
• Port B1 receives the configuration BPDU {0, 0, 0, Port A1} from Port A1 and finds that the received configuration BPDU {0, 0, 0, Port A1} has a higher priority than its own configuration BPDU {1, 0, 1, Port B1}, so Port B1 updates its configuration BPDU.
• Port B2 receives the configuration BPDU {2, 0, 2, Port C2} from Port C2 and finds that its configuration BPDU {1, 0, 1, Port B2} has a higher priority than the configuration BPDU {2, 0, 2, Port C2}, so Port B2 discards the configuration BPDU {2, 0, 2, Port C2}.
  • The configuration BPDU {0, 0, 0, Port A1} on Port B1 and the configuration BPDU {1, 0, 1, Port B2} on Port B2 are optimal.
• Comparison of configuration BPDUs on ports:
  • S2 compares the configuration BPDU on each port and finds that the configuration BPDU on Port B1 has the highest priority, so Port B1 is used as the root port and the configuration BPDU on Port B1 remains unchanged.
  • S2 calculates the BPDU {0, 5, 1, Port B2} for Port B2 based on the configuration BPDU and path cost of the root port, and compares the configuration BPDU {0, 5, 1, Port B2} with its configuration BPDU {1, 0, 1, Port B2} on Port
BPDU has a higher priority, so Port B2 is used as the designated port, and its configuration
configuration BPDU is sent periodically.
S3

updates its configuration BPDU.
• Port C2 receives the configuration BPDU {1, 0, 1, Port B2} from Port B2 and finds that the configuration BPDU {1, 0, 1, Port B2} has a higher priority than its configuration BPDU {2, 0, 2, Port C2}, so Port C2 updates its configuration BPDU.
  • The configuration BPDU {0, 0, 0, Port A2} on Port C1 and configuration BPDU {1, 0, 1, Port B2} on Port C2 are optimal.
• Comparison of configuration BPDUs on ports:
  • S3 compares the configuration BPDU on each port and finds that the configuration BPDU on Port C1 has the highest priority, so Port C1 is used as the root port and the configuration BPDU on Port C1 remains unchanged.
  • S3 calculates the configuration BPDU {0, 10, 2, Port C2} for Port C2 based on the configuration BPDU and path cost of the root port, and compares the configuration BPDU {0, 10, 2, Port C2} with its configuration BPDU {1, 0, 1, Port B2} on Port C2. S3 finds that the calculated configuration BPDU has a higher priority, so Port C2 is used as the designated port and its configuration BPDU is replaced by the calculated configuration BPDU.
Second exchange of configuration BPDUs
S1 is the root bridge. Configuration BPDUs sent by S1
• The configuration BPDU sent by Port A1 is {0, 0, 0, Port A1}.
• The configuration BPDU sent by Port A2 is {0, 0, 0, Port A2}.
Configuration BPDUs sent by S2
• S1 is the root bridge, so S2 does not send configuration BPDUs to S1.

Port B2}.
Comparison for the second exchange of configuration BPDUs
S2
• Port B1 receives the configuration BPDU {0, 0, 0, Port A1} from Port A1 and finds that the received configuration BPDU is the same as its own configuration BPDU, so Port B1 discards the received one.
• Port B2 receives the configuration BPDU {0, 10, 2, Port
discards it.

on Port B1 and Port B2 are {0, 0, 0, Port A1} and {0, 5, 1, Port B2} respectively.
• Because the optimal configuration BPDU on each port remains unchanged, the port role does not change.
S3
• Port C1 receives the configuration BPDU {0, 0, 0, Port A2} from S1 and finds that the received configuration BPDU is the same as its own configuration BPDU, so Port C1 discards the received one.
• Port C2 receives the configuration BPDU {0, 5, 1, Port B2} from S2 and compares it with its configuration BPDU {0, 10, 2, Port C2}.
Because the root bridge ID is the same, the root path costs are compared. Port C2 finds that the received configuration BPDU has a higher priority (10 > 9), so Port C2 updates its BPDU as {0, 5, 1, Port B2}.
After comparison, the optimal configuration BPDUs on Port C1 and Port C2 are {0, 0, 0, Port A2} and {0, 5, 1, Port B2} respectively.
• Comparison of configuration BPDUs on each port:
  • S3 compares the root path cost of Port C1 (root path cost of 0 in the received configuration BPDU + path cost 10 of the link) with the root path cost of Port C2 (root path cost of 5 in the received configuration BPDU + path cost 4 of the link). The root path cost of Port C2 is smaller, so the configuration BPDU of Port C2 is preferred. Port C2 is used as the root port and its configuration BPDU remains unchanged.
  • S3 calculates the configuration BPDU {0, 9, 2, Port C1} for Port C1 according to the configuration BPDU and path cost of the root port, and compares the calculated configuration BPDU with its configuration BPDU. S3 finds that its configuration BPDU has a higher priority, so Port C1 is blocked and the configuration BPDU of S3 remains unchanged. In this case,
spanning tree calculation may be triggered, for example, the link between S2 and S3 becomes Down.
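The election walked through above, as an added example (not part of the original Huawei material): a small round-based simulation that uses the page's bridge IDs 0, 1, 2 and path costs 5, 10, 4 and reproduces the port roles after the first and second exchange. The synchronous delivery model, the tie-break on the local port name and all function names are assumptions of this sketch.

```python
# Bridge IDs and link costs are the ones used in the page's worked example.
BRIDGES = {"S1": 0, "S2": 1, "S3": 2}
LINKS = [  # (bridge, port, peer bridge, peer port, path cost)
    ("S1", "A1", "S2", "B1", 5),
    ("S1", "A2", "S3", "C1", 10),
    ("S2", "B2", "S3", "C2", 4),
]


def build_ports(links):
    """Return {bridge: {port: (peer bridge, peer port, path cost)}}."""
    ports = {}
    for a, pa, b, pb, cost in links:
        ports.setdefault(a, {})[pa] = (b, pb, cost)
        ports.setdefault(b, {})[pb] = (a, pa, cost)
    return ports


def elect(bid, my_ports, received):
    """Decide one bridge's root, root path cost and port roles.

    BPDUs are tuples {root ID, root path cost, sender bridge ID, sender port};
    a smaller tuple has the higher priority.
    """
    best, root_port = (bid, 0, bid, "", ""), None   # "I am the root"
    for port, (root, rpc, sender, sender_port) in received.items():
        # Root path cost via this port = RPC in the BPDU + cost of the link.
        cand = (root, rpc + my_ports[port][2], sender, sender_port, port)
        if cand < best:
            best, root_port = cand, port
    root, cost = best[0], best[1]
    roles = {}
    for port in my_ports:
        mine = (root, cost, bid, port)              # BPDU this port would send
        if port == root_port:
            roles[port] = "root"
        elif port not in received or mine < received[port]:
            roles[port] = "designated"
        else:
            roles[port] = "blocked"
    return {"root": root, "cost": cost, "roles": roles}


def run_stp(bridges=BRIDGES, links=LINKS, max_rounds=10):
    """Return one snapshot of every bridge per BPDU exchange until stable."""
    ports = build_ports(links)
    # Initially every bridge considers itself the root and sends on all ports.
    state = {n: {"root": b, "cost": 0,
                 "roles": {p: "designated" for p in ports[n]}}
             for n, b in bridges.items()}
    history = []
    for _ in range(max_rounds):
        # Only designated ports transmit configuration BPDUs.
        sent = {(n, p): (st["root"], st["cost"], bridges[n], p)
                for n, st in state.items()
                for p, role in st["roles"].items() if role == "designated"}
        new_state = {}
        for n, bid in bridges.items():
            received = {p: sent[(peer, pp)]
                        for p, (peer, pp, _) in ports[n].items()
                        if (peer, pp) in sent}
            new_state[n] = elect(bid, ports[n], received)
        history.append(new_state)
        if new_state == state:
            break
        state = new_state
    return history


if __name__ == "__main__":
    for i, snapshot in enumerate(run_stp(), 1):
        for name, st in snapshot.items():
            print(i, name, "root path cost", st["cost"], st["roles"])
```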
Topology on the Left Side
According to the root bridge selection principle of STP, S1 is the root bridge. Then determine the root port, designated port, and alternate port.
E0 and E1 on S2 receive BPDUs {0, 0, 0, E0} and {0, 0, 0, E1} from S1. In the two BPDUs, only the transmit port is different. The port with smaller PID has a higher priority, so E0 is the root port and E1 is the alternate port.
Topology on the Right Side
According to the root bridge selection principle of STP, S1 is the root bridge. Then determine the root port, designated port,
Generally, only the root bridge generates and sends configuration BPDUs. Other non-root-bridges only forward the configuration BPDU from the root port using their designated ports. The designated port on a non-root-bridge sends the optimal BPDU only after receiving BPDUs with a lower priority.
Topology description:
After S2 receives a BPDU with a lower priority from S4, S2 sends a configuration BPDU. This is because network bridges save the optimal configuration BPDU.
Topology Description
The figure on the left side shows the initial topology. The path costs are the same. S1, S2, and S3 are connected, S1 is the root port, and interconnected ports are in Forwarding state. In the figure on the right side, a link between S1 and S2 is added. After S2 receives BPDUs from S1 and S3, S2 considers that the port connected to S1 is the new root port and the port connected to S3 is the designated port. All ports are root ports or designated ports in Forwarding state. In this case, a loop occurs. The loop can be eliminated only when configuration BPDUs are transmitted to each network bridge and S2 blocks
Forward Delay
The default interval for port status transition is 15 seconds.
The Forward Delay, Hello timer, and Max Age values are related by a specific calculation; the default values are calculated based on a network diameter of 7.
Port Status Description
After a port is enabled, the port enters the Listening state and starts the spanning tree calculation.
If the port needs to be configured as the alternate port through calculation, the port enters the Blocking state.

transitions from the MSTP mode to the STP mode, its STP-capable port supports the same port states as those supported by an MSTP-capable port, including the Forwarding, Learning, and Discarding states.
Port status transition
① The port is initialized or enabled.
② The port is blocked or the link fails.
③ The port is selected as the root port or designated port.
④ The port is no longer the root port or designated port.
⑤ The Forward Delay timer expires.
TCN BPDU processing:
After the network topology changes and the port status turns to Forwarding, the downstream device continuously sends TCN BPDUs to its upstream device.
After the upstream device receives the TCN BPDU from the downstream device, only the designated port processes it. The other ports may receive the TCN BPDU but do not process it.
The upstream device sets the TCA bit of the Flags field in the configuration BPDU to 1 and returns the configuration BPDU to instruct the downstream device to stop sending TCN BPDUs.

root bridge.
Steps 1 to 4 repeat until the root bridge receives the TCN BPDU.
After receiving the TCN BPDU, the root bridge resets the TCA

seconds (20 seconds + 15 seconds), S1 resets the TC bit in the configuration BPDU. After receiving the configuration BPDU with the reset TC bit, each network bridge changes its aging time of MAC address entries to 15 seconds.
When the topology changes, the MAC address table is re-established quickly, which avoids wasting bandwidth.
Root bridge failure:
When S1 becomes faulty, S2 and S3 cannot receive BPDUs from the root bridge. S2 and S3 detect the root bridge failure only after a Max Age period. S2 and S3 then determine the new root bridge, root port, and designated port. The topology convergence period is 50 seconds (the BPDU aging period plus twice the Forward Delay period).
Link failure:
When the link between S3 and S1 fails, S3 can immediately
the Listening state and sends the configuration BPDU with

granular manner. For example, ports in Listening and Blocking states do not forward user traffic or learn MAC addresses.
The STP algorithm determines topology changes after the time set by the timer expires, which slows down network convergence.
The STP algorithm requires a stable network topology. After the root bridge sends configuration BPDUs, other devices process the configuration BPDUs so that the configuration BPDUs are advertised to the entire network.
RSTP has all functions of STP, and the RSTP-capable and STP-capable network bridges can work together.
RSTP defines four port roles: root port, designated port, alternate port, and backup port.
The functions of the root port and designated port are the same as those defined in STP. The alternate port and backup port are described as follows.
From the perspective of configuration BPDU transmission:
• An alternate port is blocked after learning the configuration BPDUs with a higher priority from other bridges.
configuration BPDUs with a higher priority than itself.

whether a port forwards user traffic and learns MAC addresses, the port is in one of the following states:
If a port neither forwards user traffic nor learns MAC addresses, the port is in Discarding state.
If a port does not forward user traffic but learns MAC addresses, the port is in Learning state.
If a port forwards user traffic and learns MAC addresses, the port is in Forwarding state.
RSTP Calculation

described based on the Flags field defined in STP. When compared with STP, RSTP slightly redefines the format of configuration BPDUs.
The value of the Type field is no longer set to 0 but 2. The STP-capable device therefore always discards the configuration BPDUs sent by an RSTP-capable device.
The 6 bits in the middle of the original Flags field are reserved. Such a configuration BPDU is called an RST BPDU.
Flags field in an RST BPDU:
Bit 0 indicates the TC bit, which is the same as that in STP.
Bit 1 indicates the Proposal flag bit, indicating that the BPDU is the Proposal packet in the fast convergence mechanism.
Bit 2 and bit 3 indicate the port role. The value 00 indicates the unknown port; the value 01 indicates the root port; the value 10 indicates the alternate or backup port; the value 11 indicates the designated port.

Transmission of configuration BPDUs after the topology becomes stable
• In STP, after the topology becomes stable, the root bridge sends configuration BPDUs at an interval set by the Hello timer. A non-root-bridge does not send configuration BPDUs until it receives configuration BPDUs sent from the upstream device. This renders the STP calculation complicated and time-consuming.
root-bridge sends configuration BPDUs at an interval
priority more rapidly, independent of any timer that is used in STP.
STP convergence
To eliminate loops, STP uses timers to complete convergence. The default period from the time the port is enabled to the time the port is in Forwarding state is 30 seconds. Shortening the values of timers may cause the network to become unstable.
RSTP fast convergence
Edge port
• In RSTP, a designated port on the network edge is
terminal and does not connect to any other switching
Edge port
An edge port directly connects to a terminal. When the network topology changes, loops do not occur on the edge port. The edge port therefore can directly enter the Forwarding state without waiting for two Forward Delay periods.
An edge port does not receive configuration BPDUs, so it does not participate in the RSTP calculation. It can directly change from the Disabled state to the Forwarding state without any delay, just like an STP-incapable port. If an edge port receives bogus configuration BPDUs from attackers, it becomes a common STP port. The STP recalculation is performed,
Fast switching of the root port
In RSTP, an alternate port is the backup of the root port. When the root port of a network bridge enters the Discarding state, the optimal alternate port is used as the new root port and enters the Forwarding state, because the network segment connected to this alternate port must have a designated port that can reach the root bridge.
P/A mechanism
The Proposal/Agreement (P/A) mechanism enables a designated port to rapidly enter the Forwarding state.
The P/A mechanism requires that the link between two switching devices should be P2P and work in full-duplex mode. When P/A negotiation fails, the designated port is selected after two Forward Delay periods. The negotiation process is the same as that in STP.
After a new link is established, the negotiation process of the P/A mechanism is as follows:
• p0 and p1 become designated ports and send RST BPDUs.
a designated port. p1 then stops sending RST BPDUs.
• p0 on S1 enters the Discarding state and sends RST
The P/A negotiation with the downstream device is as follows.
When a link between S1 and S2 is added, the P/A mechanism works as follows:
S1 sends an RST BPDU with the Proposal field of 1 to S2.
After receiving the RST BPDU, S2 determines that E2 is the root port. S2 blocks designated ports of E1 and E3, sets the root port to the Forwarding state, and sends an Agreement packet to S1.
After S1 receives the Agreement packet, its designated port E1 immediately enters the Forwarding state.
The non-edge designated ports of E1 and E3 on S2 send Proposal packets.
Because the downstream port of S3 is the edge port, S3 directly sends an Agreement packet.

topology changes.
After a switching device detects the topology change (TC), it performs the following operations:
Start a TC While timer for every non-edge port. The TC While timer value is twice the Hello timer value. All MAC address entries learned by the ports whose status changes are cleared before the timer expires. These ports send RST BPDUs with the TC field of 1. Once the TC While timer expires, the ports
one that receives the RST BPDU. The switching device then starts a TC While timer for all non-edge ports and the root port. The process is similar.
In this manner, RST BPDUs flood the network.
When a port switches from RSTP to STP, the port loses RSTP features such as fast convergence.
On a network where both STP-capable and RSTP-capable devices are deployed, STP-capable devices ignore RST BPDUs; if a port on an RSTP-capable device receives a configuration BPDU from an STP-capable device, the port switches to the STP mode after two intervals specified by the Hello timer and starts to send configuration BPDUs. In this manner, RSTP and STP are interoperable.
After STP-capable devices are removed, Huawei RSTP-capable datacom devices can switch back to the RSTP mode.
RSTP, an enhancement to STP, implements fast convergence of the network topology. RSTP and STP share a defect: all VLANs on a LAN use one spanning tree, and VLAN-based load balancing cannot be performed. Once a link is blocked, it no longer transmits traffic, which wastes bandwidth and causes certain VLAN packets to fail to be forwarded.
Topology Description
STP or RSTP is deployed on the LAN. The broken line shows the spanning tree; S6 is the root switching device; the links between S1 and S4 and between S2 and S5 are blocked.

devices and network segments between them. The switching devices of one MST region have the following identical characteristics:
MSTP-enabled
Region name
VLAN-MSTI mappings
MSTP revision level
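A way to check these region characteristics between two switches, as an added example (not part of the original Huawei material): it builds the MST configuration table from the VLAN-MSTI mappings, derives the 16-byte Config Digest that this page describes later, and reports which characteristic differs. The HMAC-MD5 construction, the signature key and the 4096-entry table layout come from IEEE 802.1Q rather than from this page; the region names and all class and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Fixed signature key defined by IEEE 802.1Q for the MST Configuration Digest
# (taken from the standard, not from this page).
DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


@dataclass
class MstConfig:
    """Region-identifying settings of one switch (hypothetical container)."""
    region_name: str
    revision_level: int
    vlan_to_msti: dict = field(default_factory=dict)

    def table(self) -> bytes:
        """MST configuration table: 4096 two-byte entries indexed by VLAN ID.

        VLANs without an explicit mapping stay in MSTI 0 (the IST).
        """
        entries = [0] * 4096
        for vlan, msti in self.vlan_to_msti.items():
            if not 1 <= vlan <= 4094:
                raise ValueError(f"invalid VLAN ID {vlan}")
            if not 0 <= msti <= 4094:
                raise ValueError(f"invalid MSTI ID {msti}")
            entries[vlan] = msti
        return struct.pack(">4096H", *entries)

    def digest(self) -> bytes:
        """16-byte Config Digest carried in MST BPDUs."""
        return hmac.new(DIGEST_KEY, self.table(), hashlib.md5).digest()


def region_mismatches(a: MstConfig, b: MstConfig) -> list:
    """Return the characteristics that keep a and b out of one MST region."""
    diffs = []
    if a.region_name != b.region_name:
        diffs.append("region name")
    if a.revision_level != b.revision_level:
        diffs.append("revision level")
    if not hmac.compare_digest(a.digest(), b.digest()):
        diffs.append("config digest")
    return diffs


if __name__ == "__main__":
    # Constructed sample: VLAN 2 -> MSTI 2 and VLAN 4 -> MSTI 4 as on the page.
    sw1 = MstConfig("RG1", 0, {2: 2, 4: 4})
    sw2 = MstConfig("RG1", 0, {2: 2, 4: 2})   # one VLAN mapped differently
    print(sw1.digest().hex(), region_mismatches(sw1, sw2))
```

An empty list means the two switches advertise the same region identity; a lone "config digest" entry points at a VLAN-MSTI mapping that differs somewhere in the table.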
e
R
An instance is a collection of VLANs. Binding multiple VLANs to an
n g
instance saves communication costs and reduces resource usage. The
i
n
topology of each MSTI is calculated independent of one another, and
a r
traffic can be balanced among MSTIs. Multiple VLANs that have the
:h
or RSTP, connects all switching devices on a switching network.
The CIST root is the network bridge with the highest priority on
e s
the entire network, that is, root bridge of the CIST.
r c
In the preceding topology, the lines in red in MSTIs and the
ou
lines in blue between MSTIs form a CIST. The root bridge of
s
the CIST is S1 in MST region 1.
e
R
A Common Spanning Tree (CST) connects all the MST regions on a
n g
switching network.
i
The CST is calculated by all nodes using STP or RSTP.
r n In the preceding topology, the lines in blue form a CST. The
e L
or
An Internal Spanning Tree (IST) resides within an MST region.
Each spanning tree in an MST region has an MSTI ID. An IST
The master bridge is the IST master, which is the switching device
closest to the CIST root in a region.
If the CIST root is in an MST region, the CIST root is the
master bridge of the region.
In the preceding topology, S1, S4, and S7 are master bridges.
s
called an MSTI. An MSTI regional root is the root of the MSTI.
r ce
Each MSTI has its own regional root.
MSTIs are independent of each other. An MSTI can map to
ou
one or more VLANs, but one VLAN can map to only one MSTI.
es
Each MSTI has an MSTI ID. The MSTI ID starts from 1, which
is distinguished with the IST (MSTI 0).
R
In the preceding topology, VLAN 2 maps to MSTI 2 and VLAN
n g
4 to MSTI 4.
i
r n
MSTI regional root
e a The MSTI regional root is the network bridge with the highest
or
different MSTIs.
In the preceding topology, assuming that S9 has the highest
:h
ports include the root port, designated port, alternate port, backup port,
s
edge port, master port, and regional edge port.
Master port
r ce
• A master port is on the shortest path connecting MST
ou
regions to the CIST root.
es
• BPDUs of an MST region are sent to the CIST root
through the master port.
R
• Master ports are special regional edge ports,
n
in instances.
dot1s: BPDU format defined in IEEE 802.1s
legacy: private BPDU format
Using the stp compliance command, you can configure a port
on a Huawei datacom device to automatically adjust the MST
BPDU format.
With the exception of MSTP-specific fields, the fields in an intra-region or
inter-region MST BPDU are the same as those in an RST BPDU.
The Root ID field in an RST BPDU indicates the CIST root ID
in an MST BPDU.
The EPC field in an MST BPDU indicates the total path cost
from the MST region where the network bridge sending the
BPDU resides to the MST region where the CIST root resides.
The Bridge ID field in an MST BPDU indicates the regional
root ID in the CIST.
• Config Digest: indicates the configuration digest,
which has 16 bytes. Switches in an MST region

This field is the digest calculated from the MST
configuration table using the MD5 algorithm.
• Revision Level: indicates the revision level of an
MST region, which has two bytes. The default
value is all 0s. The value of the Config Digest
field is the digest of the MST configuration table,

there is a low probability that MST configuration
tables are different but the digest is the same.

may be incorrectly considered in the same MST
region. It is recommended that different MST

• CIST Internal Root Path Cost: indicates the total path
cost from the local port to the IST master. This value is

designated switching device on the CIST.
• CIST Remaining Hops: indicates the remaining hops of
a BPDU in the CIST. This field is used to limit the MST
scale. A BPDU has the maximum hop count on the
CIST regional root. The hop count decreases by 1
every time the BPDU passes a network bridge. A
network bridge discards a BPDU whose hop count is 0.
• MSTI Configuration Messages (may be absent):
indicates an MSTI configuration message.
• MSTI Flag: has eight bits. Bits 1 to 7 are the
same as those in RSTP. Bit 8 indicates whether
the network bridge is the master bridge, and
replaces the TCA bit in RSTP.
• MSTI region Root ID: indicates the regional root
ID of the MSTI.
• MSTI IRPC: indicates the path cost from the
network bridge sending the BPDU to the MSTI
regional root.
• MSTI Bridge Priority: indicates the priority of the
network bridge that sends the BPDU.
• MSTI Port Priority: indicates the priority of the
port that sends the BPDU.
• MSTI Remaining Hops: indicates the remaining
number of hops in an MSTI.
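The Config Digest and Revision Level fields above decide whether two switches treat each other as members of the same MST region. The following Python code is an added example, not part of the original training material: it computes the digest the way IEEE 802.1Q defines it (HMAC-MD5 with a fixed published key over a 4096-entry VLAN-to-MSTI table) and reports which field causes a region mismatch. The function names and the sample switches are constructed for illustration; the VLAN mappings follow the Region1 example in this material.

```python
import hashlib
import hmac
import struct

# Fixed HMAC key published in IEEE 802.1Q for the MST Configuration Digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_config_digest(vlan_to_msti):
    """Return the 16-byte Config Digest for a {vlan: msti} mapping.

    The table has 4096 two-byte big-endian entries indexed by VLAN ID.
    Entries 0 and 4095 are always 0; unmapped VLANs belong to MSTI 0 (IST).
    """
    table = [0] * 4096
    for vlan, msti in vlan_to_msti.items():
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN {vlan} out of range 1-4094")
        if not 0 <= msti <= 4094:
            raise ValueError(f"MSTI {msti} out of range 0-4094")
        table[vlan] = msti
    packed = struct.pack(">4096H", *table)
    return hmac.new(MST_DIGEST_KEY, packed, hashlib.md5).digest()


def region_identifier(name, revision, vlan_to_msti):
    """Build the (name, revision, digest) tuple compared between switches."""
    if len(name.encode()) > 32:
        raise ValueError("region name is at most 32 bytes")
    if not 0 <= revision <= 0xFFFF:
        raise ValueError("revision level is a two-byte field")
    return (name, revision, mst_config_digest(vlan_to_msti))


def region_mismatches(a, b):
    """List the fields that place two switches in different MST regions."""
    fields = ("region name", "revision level", "config digest")
    return [f for f, x, y in zip(fields, a, b) if x != y]


# Constructed sample switches (hypothetical configuration).
S1 = region_identifier("Region1", 0, {2: 2, 4: 4})
S2 = region_identifier("Region1", 0, {2: 2, 4: 4})
S3 = region_identifier("Region1", 0, {2: 2, 4: 3})   # VLAN 4 mapped differently

if __name__ == "__main__":
    print("digest with all VLANs in MSTI 0:", mst_config_digest({}).hex())
    print("S1 vs S2:", region_mismatches(S1, S2) or "same region")
    print("S1 vs S3:", region_mismatches(S1, S3))
```

A single differing VLAN-to-MSTI mapping changes the digest, so S3 forms its own region even though its region name and revision level match.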
MSTP Topology Calculation
In MSTP, the entire Layer 2 network is divided into multiple
MST regions, which are interconnected by a single CST. In an
MST region, multiple spanning trees are calculated, each of
which is called an MSTI. Among these MSTIs, MSTI 0 is also
known as the internal spanning tree (IST). Like STP, MSTP
uses configuration BPDUs to calculate spanning trees, but the
configuration BPDUs are MSTP-specific.
Vectors
Root switching device ID: identifies the root switching device in
the CIST. The root switching device ID consists of the priority
value (16 bits) and MAC address (48 bits). The priority value is

External root path cost (ERPC): indicates the external root
path cost from the CIST regional root to the CIST root. ERPCs

updates the global configuration message saved on the device. If the
priority of a vector carried in the configuration message of a BPDU
received on a port is equal to or lower than the priority of the vector in
the configuration message saved on the port, the port discards the
BPDU.
CST Calculation
CST and IST calculation is similar to the calculation in RSTP.
During CST calculation, an MST region is considered as a
network bridge and the ID of the network bridge is the IST
regional root ID.
CIST uses the following vectors: {root switching device ID,
ERPC, regional root ID, IRPC, designated switching device ID,
designated port ID, receiving port ID}. CST uses the following
vectors: {CIST root, ERPC, regional root ID, designated port ID,
receiving port ID}.
Topology description:
• Assume that S1, S4, and S7 are regional roots in

cost of each path is the same.
• Each MST region is considered as a network bridge,

MSTP calculates an IST for each MST region, and computes a
CST to interconnect MST regions. The CST and ISTs
constitute a CIST for the entire network.
CIST uses the following vectors: {root switching device ID,
ERPC, regional root ID, IRPC, designated switching device ID,
designated port ID, receiving port ID}. IST uses the following
vectors: {CIST root, IRPC, designated bridge ID, designated
port ID, receiving port ID}.
Topology description:
• After CST calculation is complete, S1, S4, and S7 are

network bridge closest to the CIST root but not the
network bridge with the highest priority.

based on mappings between VLANs and MSTIs. Each MSTI is
calculated independently. The calculation process is similar to
the process for STP to calculate a spanning tree.
Topology description:
• In Region1, VLAN 2 maps to MSTI 2, VLAN 4 to MSTI
4, and other VLANs to MSTI 0.
• Different priorities are specified for network bridges in

MSTI 2 and S3 is the root bridge in MSTI 4.

to S1 is blocked.
MSTIs have the following characteristics:
The spanning tree is calculated independently for each MSTI,
and spanning trees of MSTIs are independent of each other.
MSTP calculates the spanning tree for an MSTI in a manner
similar to STP.
Spanning trees of MSTIs can have different roots and
topologies.
Each MSTI sends BPDUs in its spanning tree.
The topology of each MSTI is configured by using commands.
A port can be configured with different parameters for different
MSTIs.
A port can play different roles or have different statuses in
different MSTIs.
Region2 Calculation
Topology description:
• In Region2, VLAN 2 maps to MSTI 2, VLAN 3 to MSTI
3, and other VLANs to MSTI 0.
• Different priorities are specified for network bridges in
different MSTIs. Assume that S5 is the root bridge in
MSTI 2 and S6 is the root bridge in MSTI 3.
• In MSTI 2, S5, S4, and S6 are in descending order of
priority. Through calculation, the port on S6 connected
to S4 is blocked.
• In MSTI 3, S6, S4, and S5 are in descending order of
priority. Through calculation, the port on S5 connected
to S4 is blocked.
Region3 Calculation
Topology description:
• In Region3, VLAN 2 maps to MSTI 2, VLAN 4 to MSTI
4, and other VLANs to MSTI 0.
• Different priorities are specified for network bridges in
different MSTIs. Assume that S9 is the root bridge in
MSTI 2 and S8 is the root bridge in MSTI 4.
• In MSTI 2, S9, S10, S8, and S7 are in descending
order of priority. Through calculation, the port on S7

are blocked.
MSTI Calculation
After CIST and MSTI calculations are complete, the mapping
between VLANs and MSTIs in each MST region is
independent.
On an MSTP-aware network, a VLAN packet is forwarded
along the following paths:
• MSTI including the IST in an MST region
• CST among MST regions
Interoperability between MSTP and RSTP
An RSTP or STP-enabled network bridge considers an MST
region as the RSTP-enabled bridge with the bridge ID as the
regional root ID.
When an RSTP or STP-enabled network bridge receives an
MST BPDU, it obtains the CIST root, ERPC, regional root ID,
and designated port ID in the MST BPDU as the RID, RPC,
BID, and PID.
When an MSTP-enabled network bridge receives an STP or
RST BPDU, it obtains the RID, RPC, BID, and PID as the
CIST root, ERPC, regional root ID, and designated port ID.
In MSTP, the P/A mechanism works as follows:
The upstream device sends a Proposal packet to the
downstream device, requesting fast switching. After receiving
the Proposal packet, the downstream device sets its port
connecting to the upstream device to the root port and blocks
all non-edge ports.
The upstream device continues to send an Agreement packet.
After receiving the Agreement packet, the root port enters the
Forwarding state.
The downstream device replies with an Agreement packet.
After receiving the Agreement packet, the upstream device

By default, Huawei datacom devices use the enhanced P/A mechanism.
To enable a Huawei datacom device to communicate with third-party
devices that use the ordinary P/A mechanism, run the
stp no-agreement-check command to configure the ordinary P/A mechanism
on the Huawei datacom device.
Case description
S1, S2, and S3 must be in descending order of priority to meet
requirements 2 and 3.
Command usage
The stp mode command sets the working mode of a spanning
tree protocol on a switching device.
The stp root command configures a switching device as the
root bridge or secondary root bridge of a spanning tree.
The stp priority command sets the priority of the switching
device in a spanning tree.
The stp cost command sets the path cost of a port in a
spanning tree.
Parameters

bridge is important on a network, the switching device with
high performance and network hierarchy is required to be
selected as the root bridge. Such a device may not have high
priority, so you can run the stp root command to configure a
switching device as the root bridge in a spanning tree.
A switching device in a spanning tree cannot function as both
the primary and secondary root bridges.
After the stp root command is run to configure a switching
device as the primary root bridge, the priority value of the
switching device is 0 in the spanning tree and the priority
cannot be modified.
After the stp root command is run to configure a switching
device as the secondary root bridge, the priority value of the
switching device is 4096 in the spanning tree and the priority
cannot be modified.
Case description
In the preceding topology:
• Requirement 1 involves interoperability between RSTP
and STP.
• Requirement 2 involves the stp root command usage.
• Requirement 3 involves the edge port, BPDU filtering,
Command usage
The stp mcheck command configures a port to automatically
switch from the STP mode back to the RSTP/MSTP mode.
The stp edged-port default command configures all ports on
a switching device as edge ports.
The stp bpdu-filter default command configures all ports on a
switching device as BPDU-filter ports.
The stp bpdu-protection command enables BPDU protection
on a switching device.
The stp root-protection command enables root protection on
a port.
Precautions

must be configured as the root bridge in MSTI3 to meet
requirement 3, with the alternate port as shown in the figure above.
So S1 needs to be configured as the root bridge in MSTI2, and
S2, S3, and S4 must be in descending order of priority; S3 needs
to be configured as the root bridge in MSTI3, and S1, S4, and S2
must be in descending order of priority.
Command usage
The region-name command configures the MST region name
of a switching device.
The instance command maps a VLAN to an MSTI.
The revision-level command configures the revision level of
an MST region of a switching device. The default value is 0.
The active region-configuration command activates the
configuration of an MST region.
The stp loop-protection command enables loop protection on
a port.
Precautions
• MST region name
• Mappings between MSTIs and VLANs

NMS. The root port will enter the Discarding state, and
the alternate port remains in Blocking state and no
longer forwards packets. This prevents loops on the
network. The root port or alternate port restores the
Forwarding state after receiving BPDUs.
If the topology of an MSTI changes, the forwarding paths of VLANs that
are mapped to this MSTI change. As a result, ARP entries relevant to
these VLANs need to be updated. Based on methods for processing
ARP entries, the convergence modes of a spanning tree protocol are
classified into fast and normal:
In fast mode, the switch directly deletes the ARP entries that
need to be updated in an ARP table.
In normal mode, the switch ages the ARP entries that need to
be updated in the ARP table. If the number of ARP probes for

ARP entries before aging them.

is proportional to the number of users that require the data. If a
large number of users require the same data, the multicast
source must send many copies of data to these users,
consuming high bandwidth on the multicast source and
network. Therefore, the unicast mode is not suitable for batch
data transmission and is applicable only to networks with a
small number of users.
Broadcast
In broadcast mode, data is sent to all hosts on a network
segment regardless of whether they require the data. This

suitable for data transmission from a source to specified
destinations. In addition, the broadcast mode wastes network
bandwidth.
Multicast has the following advantages over unicast and broadcast:
Compared with the unicast mode, the multicast mode starts to
copy data and distribute data copies on the network node as
far from the source as possible. Therefore, the amount of data
and the level of network resource consumption will not
increase greatly when the number of receivers increases.
Compared with the broadcast mode, the multicast mode
transmits data only to receivers that require the data. This
saves network resources and enhances data transmission
security.
Multicast basic concepts
Multicast group: A group of receivers identified by an IP
multicast address. User hosts (or other receiver devices) that
have joined a multicast group become members of the group
and can identify and receive the IP packets destined for the
multicast group address.
Multicast source: A sender of multicast data. The server in the
topology is a multicast source. A multicast source can
simultaneously send data to multiple multicast groups. Multiple
multicast sources can simultaneously send data to the same
multicast group. A multicast source does not need to join any
multicast groups.

affect multicast sources. All multicast data packets sent from a
multicast source use the IP address of the multicast source as the
source IP address and use a multicast group address as the
destination address. Depending on whether receiver hosts can select
multicast sources, two multicast models are defined: any-source
multicast (ASM) model and source-specific multicast (SSM) model. The
two models use multicast group addresses in different ranges.
ASM model: Receiver hosts can only specify the group they
want to join and cannot select multicast sources.
SSM model: Receiver hosts can specify the multicast sources
from which they want to receive multicast data when they join
a group. After joining the group, the hosts receive only the data
Multicast addresses
IP addresses 224.0.0.0 to 224.0.0.255 are reserved as
permanent group addresses by the Internet Assigned
Numbers Authority (IANA). In this address range, 224.0.0.0 is
not allocated, and the other addresses are used by routing
protocols for topology discovery and maintenance. These
addresses are locally valid. Packets with these addresses will
not be forwarded by routers regardless of the time-to-live (TTL)
values in the packets.
Addresses in the range of 224.0.1.0 to 231.255.255.255 and
233.0.0.0 to 238.255.255.255 are ASM group addresses and

The first four bits of an IPv4 multicast address are 1110,

mapped to the leftmost 25 bits of a MAC multicast address.
Only 23 bits of the last 28 bits are mapped to a MAC address.
This means that 5 bits of the IP address are lost. As a result,
32 multicast IP addresses are mapped to the same MAC
address. For example, IP multicast addresses 224.0.1.1,
224.128.1.1, 225.0.1.1, and 239.128.1.1 are all mapped to
MAC multicast address 01-00-5e-00-01-01. Address conflicts
must be considered in address assignment.
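The 32-to-1 mapping described above can be checked when planning group addresses. The following Python code is an added example, not part of the original training material; the function names and the sample address plan are constructed for illustration. It goes slightly beyond the case in the text by also flagging groups whose MAC address coincides with that of a reserved 224.0.0.x address.

```python
import ipaddress

MAC_PREFIX = 0x01005E000000   # 01-00-5e followed by a 0 bit: the fixed 25 bits
LOW23_MASK = 0x7FFFFF         # the 23 IP address bits that survive in the MAC


def _group(ip):
    """Validate an IPv4 multicast address and return it as an integer."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not an IPv4 multicast address")
    return int(addr)


def multicast_mac(ip):
    """Map an IPv4 group address to its MAC multicast address."""
    mac = MAC_PREFIX | (_group(ip) & LOW23_MASK)
    return "-".join(f"{b:02x}" for b in mac.to_bytes(6, "big"))


def colliding_groups(ip):
    """Return the 32 group addresses that share one MAC address with `ip`."""
    low = _group(ip) & LOW23_MASK
    # The 5 lost bits sit between the 1110 prefix and the low 23 bits.
    return [str(ipaddress.IPv4Address((0b1110 << 28) | (lost << 23) | low))
            for lost in range(32)]


def shadows_reserved(ip):
    """True if `ip` is outside 224.0.0.0/24 but shares a MAC address with it."""
    value = _group(ip)
    return (value & LOW23_MASK) < 256 and (value >> 8) != (0xE0000000 >> 8)


def find_conflicts(groups):
    """Return {mac: [groups]} for every MAC used by more than one group."""
    by_mac = {}
    for g in groups:
        by_mac.setdefault(multicast_mac(g), []).append(g)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed address plan for illustration.
PLAN = ["239.1.1.1", "238.129.1.1", "232.1.2.2", "239.0.0.5"]

if __name__ == "__main__":
    print("224.0.1.1 ->", multicast_mac("224.0.1.1"))
    print("conflicts in plan:", find_conflicts(PLAN))
    print("shares a MAC with 224.0.0.x:",
          [g for g in PLAN if shadows_reserved(g)])
```

Groups that share a MAC address are indistinguishable to a Layer 2 device, so receivers of one group also get frames of the other and must filter them at the IP layer.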
IGMP
IGMP is deployed between multicast routers and user hosts.
On a multicast router, IGMP is configured on interfaces
connected to hosts.
On hosts, IGMP allows group members to dynamically join and
leave multicast groups. On routers, IGMP manages and
maintains group memberships and exchanges information with
upper-layer multicast routing protocols.
PIM
PIM has two modes: PIM-DM and PIM-SM.
It must be enabled on all interfaces of all multicast routers.
It provides multicast routing and forwarding, and maintains the

IGMP snooping
IGMP snooping is deployed in VLANs on Layer 2 switches
between multicast routers and hosts.

the TCP/IP protocol suite. IP hosts use IGMP to report their
group memberships to any immediately-neighboring multicast
routers.
IGMP is deployed between multicast routers and hosts. On a
multicast router, IGMP is configured on interfaces connected
to hosts.
On hosts, IGMP allows group members to dynamically join and
leave multicast groups. On routers, IGMP manages and
maintains group memberships and exchanges information with

following types of messages:
General Query: Sent by a querier to all hosts and routers on
the shared network segment to discover which multicast
groups have members on the network segment.
Report: Sent by a host to request to join a multicast group or
respond to a General Query message.
How IGMPv1 works
IGMPv1 uses a query-report mechanism to manage multicast
groups. When multiple multicast routers exist on a network
segment, one router is elected as the IGMP querier to send

• The host with the timer expiring first sends a Report
message for the multicast group. In this example,
Timer-G1 on PC1 expires first, and PC1 sends a
Report message with the destination address as G1.
When PC2 detects the Report message sent by PC1,
PC2 stops Timer-G1 and does not send any Report
messages for G1. This mechanism reduces the
number of Report messages transmitted on the
network segment, lowering loads on multicast routers.
• When Timer-G2 on PC3 expires, PC3 sends a Report
message with the destination address as G2 to the
network segment.
• After the routers receive the Report message, they
know that multicast groups G1 and G2 have members
on the local network segment. The routers use the
multicast routing protocol to create (*, G1) and (*, G2)
entries, in which * stands for any multicast source.

the Report message, the routers know that a member of G3
has connected to the network segment, and they create a (*,
G3) entry. When the routers receive data sent to G3, they
forward the data to this network segment.
A member leaves a group
IGMPv1 does not define a Leave message. After a host leaves
a multicast group, it no longer responds to General Query
messages. Assume that PC4 has left group G3. It does not
send Report messages for G3 when receiving General Query
messages.
Because there is no other member of G3, routers no longer
receive Report messages for G3. After a period of time (130
seconds, Membership timeout interval = IGMP general query
interval x Robustness variable + Maximum response time), the
routers delete the multicast forwarding entry of G3.
IGMPv2 defines two types of new messages in addition to General
Query and Report messages:
Group-Specific Query: sent by a querier to a specified group
on the local network segment to check whether the group has
members.
Leave: sent by a host to notify routers on the local network
segment that it has left a group.
IGMPv2 modifies the General Query message format by
adding the Max Response Time field in the message. The field
value controls the response speed of group members and is
configurable.
Querier election

expires, they reset the timer. If non-querier routers
receive no Query message from the querier when the
timer expires, they trigger election of a new querier.
Leave mechanism
In an IGMPv2 implementation, the following process occurs when
PC3 wants to leave multicast group G2 and PC3 was the last
group member to respond to a query:
• PC3 sends a Leave message for G2 to all multicast
routers on the local network segment. The destination
address of the Leave message is 224.0.0.2.
• When the querier receives the Leave message, it
sends Group-Specific Query messages for G2 at
intervals to check whether G2 has other members on
the network segment. The sending interval and number
of Group-Specific Query messages sent by the querier
are configurable. By default, the querier sends a total of
two Group-Specific Query messages, at an interval of 1

messages sent).

downstream interface connected to the network
segment from the (*, G2) entry. Then the routers no
longer forward data of G2 to the network segment.
• If G2 has other members on the network segment, the
members send a Report message for G2 within the
maximum response time. The routers continue
maintaining membership of G2.
IGMPv3 was developed to support the source-specific multicast (SSM)
model. IGMPv3 messages can contain multicast source information so
that hosts can receive data sent from a specific source to a specific
group.
IGMPv3 also defines two types of messages: Query and Report.
Compared with IGMPv2, IGMPv3 has the following changes:
In addition to General Query and Group-Specific Query
messages, IGMPv3 defines a new Query message type:
Group-and-Source-Specific Query. A querier sends a
Group-and-Source-Specific Query message to members of a specific
group on the shared network segment, to check whether the

IS_IN
• Indicates that the source filter mode is INCLUDE for a
multicast group. That is, members of the group want to
receive only data sent from the specified sources.
IS_EX
• Indicates that the source filter mode is EXCLUDE for a
multicast group. That is, members of the group want to
receive data sent from multicast sources except the
specified sources.
TO_IN

multicast group.
TO_EX
• Indicates that the source filter mode for a multicast
group has changed from INCLUDE to EXCLUDE.
ALLOW

members send Report messages of a specified type to notify multicast
routers that they have left a group. For example, if a member of group
225.1.1.1 wants to leave the group, it sends a Report message with
(225.1.1.1, TO_IN, (0)).
If IGMPv1 or IGMPv2 is running between a host and its upstream router,
the host cannot select multicast sources when it joins group G. The
host receives data from both S1 and S2, regardless of whether it
requires the data. If IGMPv3 is running between the host and its
upstream router, the host can choose to receive only data from S1
using either of the following methods:
Method 1: Send an IGMPv3 Report (G, IS_IN, (S1)),
requesting to receive only the data sent from S1 to G.
Method 2: Send an IGMPv3 Report (G, IS_EX, (S2)), notifying the
upstream router that it does not want to receive data from S2.
Only data sent from S1 is then forwarded to the host.
Compatibility with IGMPv1 routers
When IGMPv2 hosts discover an IGMPv1 router, they must
send IGMP Report messages to the router and cannot send
Leave messages.
If there are both IGMPv1 and IGMPv2 routers on a network
segment, the querier must send IGMPv1 messages.
Compatibility with IGMPv1 hosts
IGMPv2 hosts must allow their Report messages to be
suppressed by IGMPv1 Report messages. Otherwise, the
querier will not know of the existence of IGMPv1 hosts on the shared
network segment. If the querier is an IGMPv2 router and

hosts in the group), the IGMPv1 hosts will not receive traffic for
this group.
If an IGMPv2 router detects IGMPv1 hosts on the local
network segment, the router ignores any subsequent Leave
messages received.
SSM mapping is implemented based on static SSM mapping entries. A
multicast router converts (*, G) information in IGMPv1 and IGMPv2
Report messages to (S, G) information according to static SSM
mapping entries, so as to provide the SSM service for IGMPv1 and
IGMPv2 hosts. By default, SSM group addresses range from 232.0.0.0
to 232.255.255.255.
IGMP SSM mapping does not apply to IGMPv3 Report messages. To
enable hosts running any IGMP version on a network segment to
obtain the SSM service, IGMPv3 must run on interfaces of multicast
routers on the network segment.
With SSM mapping entries configured, a router checks the group

If G is in the range of any-source multicast (ASM) group
addresses, the router provides the ASM service for the host.

mapping entries. If a group address is mapped to multiple
sources, R1 generates multiple (S, G) entries. The following are
entries generated according to information in Report messages
sent from PC2 and PC3:
• (10.10.1.1, 232.1.2.2)
• (10.10.2.2, 232.1.2.2)
• (10.10.1.1, 232.1.3.3)
• (10.10.2.2, 232.1.3.3)
Report message to the upstream device. The upstream device can
send multicast packets to the host after receiving the Report message.
IGMP messages are encapsulated in IP packets (Layer 3 packets).
Layer 2 devices between hosts and multicast routers, however, cannot
process Layer 3 information carried in IP packets. In addition, Layer 2
devices cannot learn any MAC multicast address because the source
MAC addresses of link layer data frames are not MAC multicast
addresses. When a Layer 2 device receives a data frame with a
multicast destination MAC address, the device cannot find a matching
entry in its MAC address table. Consequently, the device broadcasts
the multicast packet. This wastes bandwidth resources and poses
threats to network security.
Concepts
A router port is a link layer device's port towards a
multicast router. The link layer multicast device
receives packets through the router port. Router ports
are classified into two types:
• Dynamic router port: A port that can receive

exchanged between multicast devices and

group matching the IP multicast group that the user
wants to join.
• If the MAC multicast group does not exist, the
switch creates the MAC multicast group, adds
the port that receives the Report message to
the MAC multicast group, and starts the aging
timer on the port (Timer length = Robustness
variable x General query interval + Maximum
response time). In addition, the switch adds all
router ports in the same VLAN as the member
port to the MAC multicast forwarding entry. It

multicast group.
• If the MAC multicast group exists but the port

IP multicast group exists. If the IP multicast
group does not exist, the switch creates the IP
multicast group and adds the port to it. If the IP
multicast group exists, the switch adds the port
to the group directly.
• If the MAC multicast group exists and the port
that receives the IGMP Report message is
already in the group, the switch resets the aging
timer on the port.
IGMP Leave message: When an Ethernet switch
receives an IGMP Leave message for a group on a
port, it sends an IGMP Group-Specific Query
message to the port to check whether the group has
other members on the port. At the same time, the
switch starts the query response timer (Timer length =
Group-specific query interval x Robustness variable).
If the switch does not receive any IGMP Report
message for the group when the query response
timer expires, it deletes the port from the matching
MAC multicast group. If the MAC multicast group has
no member port, the switch requests the upstream
multicast router to delete this branch from the
multicast tree.
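The Report and Leave handling described above can be modelled as a small per-VLAN state table. The following Python code is an added example, not part of the original training material and not Huawei's implementation: the class, the port names, and the timer values are assumptions (the values are chosen so that the aging time matches the 130 s membership timeout quoted earlier), and groups are keyed by IP group address rather than by MAC multicast group to keep the model short.

```python
# Timer inputs. These are assumed defaults, not values taken from a device.
ROBUSTNESS = 2
GENERAL_QUERY_INTERVAL = 60          # seconds
MAX_RESPONSE_TIME = 10               # seconds
GROUP_SPECIFIC_QUERY_INTERVAL = 1    # seconds

AGING_TIME = ROBUSTNESS * GENERAL_QUERY_INTERVAL + MAX_RESPONSE_TIME
LEAVE_WAIT = GROUP_SPECIFIC_QUERY_INTERVAL * ROBUSTNESS


class SnoopingVlan:
    """Per-VLAN IGMP snooping state of a Layer 2 switch (simplified model)."""

    def __init__(self, router_ports):
        self.router_ports = set(router_ports)
        self.members = {}        # group -> {member port: aging deadline}
        self.leave_wait = {}     # (group, port) -> query response deadline
        self.events = []         # what the switch sent or changed, in order

    def on_report(self, now, group, port):
        """Report: create the group or add the port, and (re)start aging."""
        ports = self.members.setdefault(group, {})
        self.events.append(("refresh" if port in ports else "join", group, port))
        ports[port] = now + AGING_TIME
        # A Report received while a Leave is pending proves a member remains.
        self.leave_wait.pop((group, port), None)

    def on_leave(self, now, group, port):
        """Leave: query the port instead of removing it immediately."""
        if port not in self.members.get(group, {}):
            return                               # nothing to remove
        self.events.append(("group-specific-query", group, port))
        self.leave_wait[(group, port)] = now + LEAVE_WAIT

    def tick(self, now):
        """Expire query response timers and aging timers at time `now`."""
        for (group, port), deadline in list(self.leave_wait.items()):
            if now >= deadline:
                self._remove(group, port, "left")
        for group, ports in list(self.members.items()):
            for port, deadline in list(ports.items()):
                if now >= deadline:
                    self._remove(group, port, "aged-out")

    def _remove(self, group, port, reason):
        ports = self.members.get(group, {})
        self.leave_wait.pop((group, port), None)
        if ports.pop(port, None) is None:
            return
        self.events.append((reason, group, port))
        if not ports:                            # last member port is gone
            del self.members[group]
            self.events.append(("prune-upstream", group, None))

    def egress_ports(self, group, ingress, all_ports):
        """Ports a frame for `group` leaves on; unknown groups are flooded."""
        if group not in self.members:
            return set(all_ports) - {ingress}
        return (set(self.members[group]) | self.router_ports) - {ingress}


def demo():
    """Constructed scenario: router on GE0/0/1, hosts on GE0/0/2 and GE0/0/3."""
    ports = ["GE0/0/1", "GE0/0/2", "GE0/0/3", "GE0/0/4"]
    vlan = SnoopingVlan(router_ports=["GE0/0/1"])
    g = "225.1.1.1"
    flooded = vlan.egress_ports(g, "GE0/0/1", ports)     # before any Report
    vlan.on_report(0, g, "GE0/0/2")
    vlan.on_report(5, g, "GE0/0/3")
    vlan.on_leave(10, g, "GE0/0/3")
    vlan.tick(12)                                        # no Report within 2 s
    constrained = vlan.egress_ports(g, "GE0/0/1", ports)
    vlan.on_leave(20, g, "GE0/0/2")
    vlan.on_report(21, g, "GE0/0/2")                     # another member answers
    vlan.tick(22)
    still_member = "GE0/0/2" in vlan.members.get(g, {})
    vlan.tick(21 + AGING_TIME)                           # no further Reports
    return flooded, constrained, still_member, vlan.events


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Because a Leave only starts the query response timer, a Leave message on a port that still has another member does not cut that member off: the member's Report cancels the removal.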
Layer 2 multicast
If users in different VLANs require the same multicast data, the
upstream router still has to send multiple copies of identical
multicast data to different VLANs.
Users in VLAN 2 and VLAN 3 need to receive the same
multicast data flow. Multicast router R1 replicates the multicast
data in each VLAN and sends two copies of data to
downstream switch S1. This wastes bandwidth between the
router and Layer 2 device and increases loads on the router.
Multicast VLAN
The multicast VLAN feature allows Layer 2 network devices to
replicate multicast data across VLANs.

sends only one copy to S1. As the router does not need to
replicate multicast data in VLAN 2 and VLAN 3, network
bandwidth is conserved and loads on the router are reduced.
Concepts

(IGMP). The IGMP protocol runs between receiver hosts and multicast
routers, whereas a multicast routing protocol needs to run between
routers.
A multicast routing protocol is used to create and maintain multicast
routes, and to forward multicast data packets correctly and efficiently.
Multicast routes construct a unidirectional loop-free data transmission
path from a data source to multiple receivers. This transmission path is
a multicast distribution tree. Multicast routing protocols can be
intra-domain or inter-domain protocols. This course introduces PIM, a typical
intra-domain multicast routing protocol.
PIM router
Routers with PIM enabled on interfaces are called PIM routers.
A multicast distribution tree contains the following types of PIM
routers:
• Leaf router: The PIM router directly connected to a user
host, which may not be a multicast group member.
• First-hop router: The PIM router directly connected to a
multicast source on the multicast forwarding path and
responsible for forwarding multicast data from the
multicast source.
• Last-hop router: The PIM router directly connected to a
multicast group member on the multicast forwarding

the member.
Multicast distribution tree
On a PIM network, a point-to-multipoint multicast forwarding
path is set up for each multicast group on routers. The
multicast forwarding path is in a tree topology, so it is also
called a multicast distribution tree.
There are two types of multicast distribution trees: source tree
and shared tree.
Source tree
A source tree is rooted at a multicast source and combines the
shortest paths from the source to receivers.
Therefore, a source tree is also called a shortest path tree
(SPT). For a multicast group, routers need to establish an SPT
In this example, there are two multicast sources (S1 and S2)
and two receivers (PC1 and PC2). Therefore, two source trees
are established on the network.
Shared tree
A shared tree is rooted at a rendezvous point (RP) and
combines shortest paths from the RP to all receivers. It is
therefore also called a rendezvous point tree (RPT). Each
multicast group has only one shared tree. All multicast sources
is often used on small-scale networks with densely distributed
multicast group members. PIM-DM assumes that each
network segment has multicast group members. When a
multicast source sends multicast packets, PIM-DM floods the
multicast packets to all PIM routers on the network and prunes
the branches with no members. PIM-DM establishes and
maintains a unidirectional loop-free SPT (source-specific
shortest path tree) through periodical flood-and-prune
processes. If a new group member connects to a leaf router on
The multicast packet encapsulating a Hello message has a destination
IP address of 224.0.0.13 (indicating all PIM routers on a network
segment), and the source IP address is the IP address of the interface
sending the multicast packet. The TTL value of the multicast packet is 1.
Hello messages are used to discover PIM neighbors, adjust PIM
protocol parameters, and maintain neighbor relationships.
Discovering PIM neighbors
• PIM routers on the same network segment must
224.0.0.13. By exchanging Hello messages, directly
and deletes the neighbor from the neighbor list.
• Changes of PIM neighbors lead to changes in the
multicast network topology. If an upstream or
downstream neighbor in the multicast distribution tree
is unreachable, multicast routes need to re-converge,
and the multicast distribution tree will change.
IGMPv1 querier election
Routers on a PIM-DM network compare the priorities and IP
addresses carried in Hello messages to elect a DR for each
network segment. The DR functions as the IGMPv1 querier on
the network segment.
If the DR fails, neighboring routers trigger a new DR election
process when the Hello timeout timer expires.
Hello timers
The default Hello interval is 30 seconds.
The default Hello timeout interval is 105 seconds.
On a PIM-DM network, multicast packets sent from a multicast source
are flooded throughout the entire network. When a PIM router receives
a multicast packet, the router performs an RPF check on the packet
against the unicast routing table. If the packet passes the RPF check,
the router creates an (S, G) entry, in which the downstream interface
list contains all the interfaces connected to downstream PIM neighbors.
The router then forwards subsequent multicast packets through each
downstream interface.
When multicast packets reach a leaf router, the leaf router processes
the packets as follows:
to PC1. R3 then forwards subsequent packets to PC1
R4 receives the multicast packet from R2. Because the
downstream network segment does not have group members
or PIM neighbors, R4 triggers a pruning process.
When a PIM router receives a multicast packet, it performs an RPF
check on the packet. If the packet passes the RPF check but the
downstream network segment does not have any group member, the
PIM router sends a Prune message to the upstream router. After
receiving the Prune message from the downstream interface, the
upstream router deletes the downstream interface from the downstream
interface list of the (S, G) entry. The multicast packets will not be
forwarded to this downstream interface. A pruning operation is initiated
by a leaf router. The Prune message is sent upstream hop by hop, and
PIM routers receiving the Prune message delete the downstream
interface from the (S, G) entry. Finally, the multicast distribution tree
contains only branches with group members.
A PIM router starts a prune timer (210 seconds by default) for the
pruned downstream interface and resumes multicast forwarding on the
interface after the timer expires. Multicast packets are then flooded on
the entire network, and new group members can receive multicast
packets. Subsequently, leaf routers without group members attached
trigger pruning processes. PIM-DM updates the SPT through periodic
flood-and-prune processes.
After a downstream interface of a leaf router is pruned:
If new members join the multicast group on the interface and
want to receive multicast packets before the next flood-and-prune
process, the leaf router initiates a grafting process.
If no member joins the multicast group and multicast
forwarding still needs to be suppressed on the interface, the
leaf router initiates a state refresh process.
Topology description
R5 sends a Prune message to R1 to notify R1 that the
downstream network segment no longer needs to receive
multicast data.
After receiving the Prune message, R1 stops forwarding data
through its downstream interface connecting to R5, and
deletes this downstream interface from the (S, G) entry. R1
has another downstream interface in forwarding state, so the
pruning process ends. Subsequent multicast packets are only
forwarded to R2.
R4 sends a Prune message to R2 to notify R2 that the
downstream network segment no longer needs to receive
multicast data.
After receiving the Prune message, R2 waits for 3 seconds
(LAN-delay + override-interval). R3 also receives the Prune
message sent by R4. Because R3 connects to a downstream
receiver, R3 sends a Join message to override the Prune
message.
After R2 receives the Join message, it ignores the Prune
message sent from R4 and continues forwarding multicast
traffic to the downstream interface.
The LAN-delay and override-interval are explained as follows:
Hello messages carry the LAN-delay and override-interval
milliseconds by default).
If a router sends a Prune message upstream but other routers
on the same network segment still need to receive multicast
data, they must send a Join message to override the pruning
operation within the override-interval.
If routers on a link have different override-interval values, the
maximum override-interval value used among the routers is
used on the link.
The total of LAN-delay and override-interval is the prune-pending
timer (PPT). After a router receives a Prune message
from a downstream interface, it waits until the PPT expires,
and then prunes the downstream interface. If the router receives
a Join message from the downstream interface before the PPT
expires, it cancels the pruning operation.
Multicast routers prune branches without group members to establish a
new SPT according to received Prune messages. Although routers no
longer forward multicast packets to pruned branches, the
corresponding (S, G) entry still exists on each router. Once new
members join the group on the pruned branches, the downstream
interfaces can be quickly added to the entry to resume multicast
forwarding.
PIM-DM uses the grafting mechanism to enable new group members
on a pruned network segment to rapidly obtain multicast data. A leaf
router can determine that a multicast group G has new members on a
network segment according to IGMP messages. The leaf router then
sends a Graft message to notify the upstream router that the
downstream network segment needs multicast data. After receiving the
Graft message, the upstream router adds the downstream interface to
the downstream interface list of the (S, G) entry.
A grafting process is initiated by a leaf router and ends on the router
that can receive multicast packets.
Topology description
when the prune timer expires, but they must wait for 210
seconds before the prune timer expires. This is quite a long
time for new group members. To reduce the waiting time, a
the prune timer expires, the first-hop router nearest to the multicast
source periodically sends a State-Refresh message throughout the
entire PIM-DM network. Other PIM routers reset the prune timer after
receiving the State-Refresh message. In this way, pruned downstream
interfaces remain suppressed if leaf routers connected to the interfaces
have no new group members attached.
Topology description
R1 sends a State-Refresh message to R2 and R5 to initiate a
state refresh process.
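The pruning, Join-override, grafting and state refresh behaviour described above can be replayed as a small state machine for one downstream interface of an upstream router. This is an added Python sketch, not part of the original course material: the 500 ms / 2500 ms split of the 3-second PPT is assumed from the protocol defaults, the class and function names are hypothetical, the event times are constructed, and only the transitions the text describes are modelled.

```python
"""Downstream-interface state on an upstream PIM-DM router (added illustration).

Times are in milliseconds; all event times below are constructed.
"""

LAN_DELAY_MS = 500            # assumed protocol default, not in the surviving page text
OVERRIDE_INTERVAL_MS = 2500   # assumed protocol default; 500 + 2500 = the page's 3 s
PRUNE_TIMER_MS = 210_000      # page: the prune timer is 210 seconds by default


def prune_pending_time(hello_options):
    """PPT for a link from the (lan_delay_ms, override_interval_ms) pairs carried
    in the neighbours' Hello messages. The largest override-interval is used on
    the link (page); taking the largest LAN-delay as well is an assumption."""
    lan_delay = max(lan for lan, _ in hello_options)
    override = max(ovr for _, ovr in hello_options)
    return lan_delay + override


class DownstreamInterface:
    """One downstream interface in the list of an (S, G) entry."""

    def __init__(self, ppt_ms, prune_timer_ms=PRUNE_TIMER_MS):
        self.ppt_ms = ppt_ms
        self.prune_timer_ms = prune_timer_ms
        self.state = "forwarding"      # forwarding | prune-pending | pruned
        self.deadline_ms = None        # when the running timer fires
        self.history = []              # (time_ms, new_state, reason)

    def _set(self, now_ms, state, deadline_ms, reason):
        self.state, self.deadline_ms = state, deadline_ms
        self.history.append((now_ms, state, reason))

    def tick(self, now_ms):
        """Fire every timer that has expired by now_ms, then return the state."""
        while self.deadline_ms is not None and now_ms >= self.deadline_ms:
            fired = self.deadline_ms
            if self.state == "prune-pending":
                # Nobody overrode the Prune: stop forwarding, start the prune timer.
                self._set(fired, "pruned", fired + self.prune_timer_ms, "PPT expired")
            else:
                # Prune timer ran out: forwarding resumes with the next flood.
                self._set(fired, "forwarding", None, "prune timer expired")
        return self.state

    def receive(self, now_ms, message, sender):
        """Process a Prune, Join or Graft heard on this interface."""
        self.tick(now_ms)
        if message == "prune" and self.state == "forwarding":
            self._set(now_ms, "prune-pending", now_ms + self.ppt_ms,
                      f"Prune from {sender}")
        elif message == "join" and self.state == "prune-pending":
            self._set(now_ms, "forwarding", None,
                      f"Join from {sender} overrides the Prune")
        elif message == "graft" and self.state == "pruned":
            self._set(now_ms, "forwarding", None, f"Graft from {sender}")
        return self.state

    def state_refresh(self, now_ms):
        """A State-Refresh restarts the prune timer of a pruned interface."""
        if self.tick(now_ms) == "pruned":
            self._set(now_ms, "pruned", now_ms + self.prune_timer_ms,
                      "State-Refresh reset the prune timer")
        return self.state


def page_scenarios():
    """Replay the page's two prune cases, then a state refresh and a graft."""
    ppt = prune_pending_time([(LAN_DELAY_MS, OVERRIDE_INTERVAL_MS)] * 3)

    # R2's LAN interface: R4 prunes, R3 still has a receiver and overrides.
    r2_lan = DownstreamInterface(ppt)
    r2_lan.receive(0, "prune", "R4")
    r2_lan.receive(1200, "join", "R3")

    # R1's interface to R5: R5 prunes and nobody overrides.
    r1_to_r5 = DownstreamInterface(ppt)
    r1_to_r5.receive(0, "prune", "R5")
    after_ppt = r1_to_r5.tick(ppt)
    r1_to_r5.state_refresh(60_000)                 # keeps the branch pruned
    after_refresh = r1_to_r5.tick(ppt + PRUNE_TIMER_MS)
    after_graft = r1_to_r5.receive(220_000, "graft", "R5")

    return {"ppt_ms": ppt, "r2_lan": r2_lan.tick(ppt), "r1_after_ppt": after_ppt,
            "r1_after_refresh": after_refresh, "r1_after_graft": after_graft}


if __name__ == "__main__":
    for key, value in page_scenarios().items():
        print(f"{key}: {value}")
```

A Join that arrives after the PPT has expired no longer cancels the prune in this model, which is why the override window has to cover the slowest router on the segment.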
If multiple PIM routers forward multicast packets to the same network
segment after the multicast packets pass the RPF check, only one PIM
router can be selected through the assert mechanism to forward
multicast packets to the network segment. When a PIM router receives
a multicast packet that is the same as the multicast packet it sends to
other neighbors, the PIM router sends an Assert message with the
destination address 224.0.0.13 to all other PIM routers on the same
network segment. When the other PIM routers receive the Assert
message, they compare local parameters with those carried in the
Assert message for assert election. The assert election is performed
according to the following rules:
protocol wins.
If these routers have the same priority, the router with the
smallest route cost to the multicast source wins.
If these routers have the same priority and the same route cost
Topology description
In this example, R2 has a smaller cost to the multicast source
than R3.
R2 and R3 receive a multicast packet from each other through
their downstream interfaces, but both the packets fail the RPF
check and are dropped. R2 and R3 then send an Assert
message to the network segment.
R2 compares its routing information with that carried in the
Assert message sent by R3 and finds that its own route cost to
the multicast source is smaller. Therefore, R2 wins the election.
R2 continues forwarding multicast packets to the network
segment, whereas R3 drops subsequent multicast packets
because these packets fail the RPF check.
R3 compares its routing information with that carried in the
Assert message sent by R2 and finds that its own route cost
to the multicast source is larger. Therefore, R3 loses the
election. R3 then blocks multicast forwarding on its
downstream interface and deletes the interface from the
downstream interface list of the (S, G) entry.
PIM-SM applies to the any-source multicast (ASM) and source-specific
multicast (SSM) models. In the ASM model, PIM-SM uses the pull
mode to forward multicast packets. This mode is used in networks with
a lot of sparsely distributed group members. PIM-SM is implemented as
follows:
A PIM router works as the rendezvous point (RP) to serve
group members or multicast sources that appear on the
network. All PIM routers on the network know the RP's position.
When a new group member appears on the network (a host
G), the last-hop router sends a Join message to the RP. The
multiple PIM routers. The PIM routers exchange Hello messages to set
up PIM neighbor relationships. The Hello message sent by a router
carries the DR priority of the router and IP address of the interface
connected to the network segment. Each PIM router compares its own
information with the information carried in the Hello messages received
from its neighbors. The DR elected among the PIM routers is
responsible for forwarding multicast packets for the multicast source or
receivers. The DR is elected according to the following rules:
The PIM router with the highest DR priority wins (all routers on
the network segment support the DR priority).
seconds by default).
RP as the root and PIM routers that have group memberships as
leaves. In the topology shown in the figure, when a group member
appears on the network (a user sends an IGMP message to join a
multicast group G), the receiver DR sends a Join message to the RP.
The Join message is transmitted hop by hop, and routers receiving the
message create a (*, G) entry. Finally, an RPT rooted at the RP is set
up.
On a PIM-SM network, any new multicast source must register on the
RP so that the RP can forward multicast data from the multicast source
to group members. The multicast source registration process is as
follows:
A multicast source sends a multicast packet to the source DR
(R1).
After receiving the multicast packet, the source DR
encapsulates the multicast packet into a Register message
and sends the Register message to the RP (R2).
The RP decapsulates the received Register message, creates
an (S, G) entry, and forwards the multicast packet to group
On a PIM-SM network, each multicast group can have only one RP and one
RPT. Before an SPT switchover, all multicast packets destined for a
multicast group must be encapsulated in Register messages and then
sent to the RP. The RP decapsulates Register messages and forwards
multicast packets along the RPT. All multicast packets pass through the
RP. As the rate of multicast packets increases, the RP faces heavy
loads. To resolve this problem, PIM-SM allows the RP or the receiver
DR to trigger an SPT switchover.
SPT switchover conditions
When the multicast traffic rate exceeds the specified threshold,
PIM-SM triggers an RPT-to-SPT switchover.
receiving the first multicast data packet from a multicast source.
On a PIM-SM network, the root of a shared tree is an RP.
An RP provides the following functions:
Forwards all multicast packets transmitted in the shared tree to
receivers.
Forwards multicast data of several or all multicast groups. A
network can have one or multiple RPs. You can configure an
RP to serve multicast groups in a specified range. An RP can
serve multiple multicast groups, but each multicast group can
have only one RP. Multicast packets sent from a multicast
source to all receivers of a group are aggregated on the RP.
RP discovery:
sends a Bootstrap message to the entire network. The Bootstrap
message carries the C-BSR address and priority. Each PIM router
receives Bootstrap messages from all C-BSRs and compares C-BSR
information to elect a BSR. The BSR is elected according to the
following rules:
The C-BSR with the highest priority wins (larger priority value,
higher priority).
If C-BSRs have the same priority, the C-BSR with the largest
IP address wins.
An RP election process is as follows:
of multicast groups the C-RP serves, and the C-RP priority.
The BSR summarizes the C-RP information in an RP-Set,
IGMPv3/MLDv2. In this model, an SPT can be established from a
multicast source to group members without the need to maintain an RP,
establish an RPT, or register the multicast source.
In the SSM model, hosts can determine the location of the multicast
sources. Therefore, they can specify the multicast sources from which
they want to receive multicast data when joining a multicast group.
After the receiver DR receives the request from a host, it sends a Join
message to the source DR. The Join message is then transmitted
upstream hop by hop. An SPT is then set up from the multicast source
to the host.
In the SSM model, PIM-SM uses the following mechanisms: neighbor
An SPT setup process is as follows:
R3 and R5 learn that hosts in the same multicast group
unicast routing table for the route to the source address of the
packet. After finding the route, the router checks whether the
outbound interface of the route is the same as the inbound
interface of the multicast packet. If they are the same, the
router considers that the multicast packet is received from a
correct interface. This process is called an RPF check, which
ensures correct forwarding paths for multicast packets.
If multiple equal-cost routes are available, the route with the
largest next-hop address is used as the RPF route.
(Source) is R1. Therefore, multicast packets sent from Source
are forwarded along the path Source -> R1 -> R3. If you
configure a multicast static route on R3 and specify R2 as the
RPF neighbor, the transmission path of multicast packets sent
from Source changes to Source -> R1 -> R2 -> R3. The
multicast path then diverges from the unicast path.
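The RPF check and the effect of a multicast static route on R3, as an added Python example that is not part of the original course material. The route tables, interface names (to-R1, to-R2), the source prefix and the costs are constructed; letting a matching multicast static route take precedence over the unicast table is a simplifying assumption of this sketch.

```python
"""RPF check against a unicast routing table (added illustration).

Addresses, interface names and costs are constructed sample data.
"""
import ipaddress
from typing import NamedTuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    interface: str
    cost: int = 0


def route(prefix, next_hop, interface, cost=0):
    """Build a Route from plain strings."""
    return Route(ipaddress.ip_network(prefix), ipaddress.ip_address(next_hop),
                 interface, cost)


def rpf_route(source, unicast_routes, static_mroutes=()):
    """Return the route used for the RPF check of `source`, or None.

    Simplifying assumption: a matching multicast static route is preferred
    over the unicast table. Within a table the choice is longest prefix,
    then lowest cost, then (as the page states for equal-cost routes) the
    largest next-hop address.
    """
    src = ipaddress.ip_address(source)
    for table in (static_mroutes, unicast_routes):
        candidates = [r for r in table if src in r.prefix]
        if candidates:
            return max(candidates,
                       key=lambda r: (r.prefix.prefixlen, -r.cost, int(r.next_hop)))
    return None


def rpf_check(source, inbound_interface, unicast_routes, static_mroutes=()):
    """True if the packet arrived on the interface the RPF route points out of."""
    best = rpf_route(source, unicast_routes, static_mroutes)
    return best is not None and best.interface == inbound_interface


# R3's view (constructed): the multicast source sits in 192.0.2.0/24 behind R1.
R3_UNICAST = [
    route("192.0.2.0/24", "13.1.1.1", "to-R1", cost=2),
    route("192.0.0.0/16", "23.1.1.2", "to-R2", cost=1),   # less specific, ignored
]
# Multicast static route on R3 naming R2 as the RPF neighbor.
R3_STATIC_MROUTES = [route("192.0.2.0/24", "23.1.1.2", "to-R2")]


if __name__ == "__main__":
    src = "192.0.2.10"
    print("unicast only, arrives from R1:", rpf_check(src, "to-R1", R3_UNICAST))
    print("unicast only, arrives from R2:", rpf_check(src, "to-R2", R3_UNICAST))
    print("static mroute, arrives from R2:",
          rpf_check(src, "to-R2", R3_UNICAST, R3_STATIC_MROUTES))
    print("no route to source:", rpf_check("198.51.100.7", "to-R1", R3_UNICAST))
```

A packet whose source has no route, or that arrives on any interface other than the one the RPF route uses, fails the check and is dropped, which is also why a packet with a forged source address is discarded unless it enters on the expected interface.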
Case description
In this case, interconnection IP addresses are configured
according to the following rule:
• If RTX connects to RTY, their interface IP addresses
used to connect to each other are XY.1.1.X and
XY.1.1.Y, network mask is 24.
Command usage
The multicast routing-enable command enables the
multicast routing function.
The pim dm command enables PIM-DM on an interface.
The pim hello-option dr-priority command sets the DR priority
for a PIM interface.
The igmp enable command enables IGMP on an interface.
The igmp version command specifies the IGMP version
running on an interface.
Precautions
In this network topology, R2 is the IGMP querier, and R3
forwards multicast packets to downstream receivers because
the PIM routing table.
The display pim routing-table fsm command displays
configuration. The network runs PIM-SM, and the transmission
scope of Bootstrap messages needs to be limited.
Command usage
The pim sm command enables PIM-SM on an interface.
The c-rp command configures a router to notify the BSR that it
is a C-RP.
The c-bsr command configures a C-BSR.
The pim bsr-boundary command configures the BSR
boundary of the PIM-SM domain on an interface.
Precautions
In this network topology, R2 is the IGMP querier, and R3
forwards multicast packets to downstream receivers because
R3 is the assert winner.
The method for checking the SPT in a PIM-SM network is similar to the
method for checking the RPT.
Case description
In this case, interconnection IP addresses are configured
according to the following rules:
• If RTX connects to RTY, their interface IP addresses
used to connect to each other are XY.1.1.X and
XY.1.1.Y, network mask is 24.
• The loopback interface address of RTX is X.X.X.X/32.
Pre-configuration
This page provides the basic OSPF configuration. In this case,
R1 is the DR in the FR network.
Results:
A Bootstrap message is transmitted from R1 to R2 and fails
the RPF check on R2, so R2 drops the message. To enable
Bootstrap messages to be forwarded by R2, configure a static
multicast route on R2 to change the RPF path.
Results:
The ACL restricts the multicast address range.
IPv6 characteristics are as follows:
Address space: An IPv6 address is 128 bits long. A 128-bit
address structure allows for 2^128 (4.3 billion x 4.3 billion x 4.3
billion x 4.3 billion) possible addresses. The biggest advantage
of IPv6 is its almost infinite address space.
Packet format: IPv6 uses a new protocol header format rather
than increasing the bits in the address field of an IPv4 packet
to 128 bits. The IPv6 data packets carry new packet headers.
An IPv6 packet header includes IPv6 basic and extension
headers. Some optional fields are moved to the extension
header following the IPv6 header. This enables intermediate
efficiently.
Autoconfiguration and readdressing: IPv6 provides address
autoconfiguration, which allows hosts to automatically discover
networks and obtain IPv6 addresses. This significantly
colon (::). Otherwise, a computer cannot determine the number of zeros
in a group when restoring the compressed address to the original
128-bit address.
If the first 3 bits of an IPv6 unicast address are not 000, the interface ID
must be 64 bits long. If the first 3 bits are 000, there is no such limitation.
IEEE EUI-64 standards
The length of an interface ID is 64 bits. IEEE EUI-64 defines a
method to convert a 48-bit MAC address into a 64-bit IPv6
interface ID. In the MAC address, c bits indicate the vendor ID,
d bits indicate the vendor number ID, and 0 bit indicates a
global/local bit. g specifies whether the interface ID indicates a
single host or a host group. The specific conversion algorithm
between c and d.
an IPv6 address.
The defect of this method is that an IPv6 address can be easily
calculated based on a MAC address.
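The EUI-64 conversion and the defect noted above, as an added Python example that is not part of the original course material. It uses the standard modified EUI-64 rule (FFFE inserted between the two halves of the MAC address and the global/local bit inverted), and it also goes the other way, which is what an address inventory audit would run to find addresses that disclose a hardware address. The MAC addresses, prefixes and function names are constructed.

```python
"""Modified EUI-64 interface IDs: MAC -> IPv6 address and back (added illustration).

MAC addresses and prefixes below are constructed sample values.
"""
import ipaddress


def mac_to_interface_id(mac):
    """48-bit MAC -> 64-bit interface ID: insert FFFE between the vendor
    half and the device half, then invert the global/local bit (0x02)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_address(prefix, mac):
    """Combine a prefix of at most 64 bits with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError("an EUI-64 interface ID needs the low 64 bits")
    iid = int.from_bytes(mac_to_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def recover_mac(address):
    """Return the MAC embedded in an EUI-64 style address, or None.

    Heuristic: FFFE in the middle of the interface ID marks the format; a
    randomly generated interface ID can match by chance, but only rarely.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02                      # undo the global/local bit inversion
    return ":".join(f"{octet:02x}" for octet in mac)


def audit(addresses):
    """Map every address that exposes a MAC address to that MAC."""
    return {a: mac for a in addresses if (mac := recover_mac(a)) is not None}


# Constructed inventory: two EUI-64 addresses and one with a random interface ID.
SAMPLE_ADDRESSES = [
    "2001:db8:1:2:211:22ff:fe33:4455",
    "2001:db8:1:2:8d3c:51a0:7be2:19f4",
    "fe80::a8bb:ccff:fedd:eeff",
]


if __name__ == "__main__":
    print(eui64_address("fe80::/64", "00:11:22:33:44:55"))
    for addr, mac in audit(SAMPLE_ADDRESSES).items():
        print(f"{addr} discloses {mac}")
```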
IPv4 addresses are classified into unicast, multicast, and broadcast
addresses. Compared to IPv4, IPv6 has no broadcast address and
introduces a new address type: anycast address. IPv6 addresses are
classified into unicast, multicast, and anycast addresses.
An IPv6 unicast address identifies an interface. Packets sent
to an IPv6 unicast address are delivered to the interface
identified by the unicast address.
An IPv6 multicast address identifies a group of interfaces.
Packets sent to an IPv6 multicast address are delivered to all
unicast addresses use the same address space. The router
determines whether to send a packet in unicast mode or
anycast mode.
Global unicast address
An IPv6 global unicast address is an IPv6 address with a
global unicast prefix, which is similar to an IPv4 public address.
IPv6 global unicast addresses support route prefix
summarization, helping limit the number of global routing
entries.
A global unicast address consists of a global routing prefix,
subnet ID, and interface ID.
• Global routing prefix: is assigned by a service provider
48 bits. Currently, the first 3 bits of all the assigned
link-local address can be used only for communication
between nodes on the same link. A link-local address uses a
link-local prefix FE80::/10 as the first 10 bits (1111111010 in
binary) and an interface ID as the last 64 bits.
When IPv6 runs on a node, each interface of the node is
automatically assigned a link-local address that consists of a
fixed prefix and an interface ID in EUI-64 format. This
mechanism enables two IPv6 nodes on the same link to
communicate without any additional configuration. Therefore,
Unique local address
Unique local addresses are used only within a site. Site-local
addresses are deprecated in RFC 3879 and replaced by
unique local addresses in RFC 4193.
Unique local addresses are similar to IPv4 private addresses.
Any organization that does not obtain a global unicast address
from a service provider can use a unique local address.
Unique local addresses are routable only within a local
network but not on the Internet.
Fields in a unique local address can be described as follows:
• Prefix: is fixed as FC00::/7.
• L: is set to 1 if the address is valid within a local
pseudo-randomly allocated (for details, see RFC 4193).
• Subnet ID: identifies a subnet within the site.
indicating that an interface or a node does not have an IP
address. It can be used as the source IP address of some
packets, such as Neighbor Solicitation (NS) message in
duplicate address detection. Devices do not forward the
packets with the source IP address as an unspecified address.
Loopback address
An IPv6 loopback address is 0:0:0:0:0:0:0:1/128 or ::1/128.
Similar to IPv4 loopback address 127.0.0.1, the IPv6 loopback
address is used when a node needs to send IPv6 packets to
IPv6 multicast address
Like an IPv4 multicast address, an IPv6 multicast address
identifies a group of interfaces, which usually belong to
different nodes. A node may belong to any number of multicast
groups. Packets sent to an IPv6 multicast address are
delivered to all the interfaces identified by the multicast
address.
An IPv6 multicast address is composed of a prefix, flag, scope,
and group ID (global ID):
Numbers Authority (IANA). The last bit 1 indicates a
non-permanently-assigned (transient) multicast
address.
• Scope: is 4 bits long. It limits the scope where multicast
data flows are sent on the network.
• Group ID (global ID): is 112 bits long. It identifies a
multicast group. RFC 2373 does not define all the 112
bits as a group ID but recommends using the low-order
32 bits as the group ID and setting all the remaining 80
bits to 0s.
IPv6 anycast address
Anycast addresses are exclusive to IPv6. An anycast address
identifies a group of interfaces, and this group of interfaces
often belong to different nodes. Packets sent to an anycast
address are delivered to the nearest interface that is identified
by the anycast address, depending on the routing protocols.
The IPv6 anycast addresses can be used in One-to-One-of-Many
communications. The receiver can be one interface of a
group. For example, a mobile subscriber needs to connect to
the nearest receive station. Using anycast addresses, the
mobile subscriber is not limited by physical locations.
IPv6 extension headers, and an upper-layer protocol data unit (PDU).
IPv6 basic header
• Each IPv6 packet must have an IPv6 basic header,
which is fixed as 40 bytes long.
• The IPv6 basic header provides basic packet
may follow the IPv6 basic header. An IPv6 packet may
upper-layer PDU. This field indicates only the payload with the
maximum length of 65535 bytes. If the payload length exceeds
65535 bytes, the field is set to 0. The payload length is
expressed by the Jumbo Payload option in the Hop-by-Hop
Options header.
Next Header: is 8 bits long. This field identifies the type of the
first extension header that follows the IPv6 basic header or the
protocol type in the upper-layer PDU.
Hop Limit: is 8 bits long. This field is similar to the Time to Live
field in an IPv4 packet, defining the maximum number of hops
that an IP packet can pass through. The field value is
decremented by 1 by each router that forwards the IP packet.
When the field value becomes 0, the packet is discarded.
Source Address: is 128 bits long, which indicates the address
of the packet originator.
IPv6 extension header
An IPv4 packet header has an optional field (Options), which
includes security, timestamp, and record route options. The
variable length of the Options field makes the IPv4 packet
header length range from 20 bytes to 60 bytes. When routers
forward IPv4 packets with the Options field, many resources
need to be used. Therefore, these IPv4 packets are rarely
used in practice.
IPv6 uses extension headers to replace the Options field in the
IPv4 header. Extension headers are placed between the IPv6
basic header and upper-layer PDU. An IPv6 packet may carry
:h
for the Destination Options header. The Destination Options header
s
may occur at most twice (once before a Routing header and once
r ce
before the upper-layer header).
s ou
Re
i n g
r n
e a
e L
or
M
e n
/
m
e.i co
aw
hu
g.
ni n
ar
//le
p :
t t
s:h
r ce
sou
Re
i n g
rn
e a
e L
or
M
e n
/
m
e .i co
aw
hu
g .
ni n
ar
//le
p :
t t
The Internet Control Message Protocol version 6 (ICMPv6) is one of the basic IPv6 protocols.
In IPv4, ICMP reports IP packet forwarding information and errors to the source node. ICMP defines certain messages such as Destination Unreachable, Packet Too Big, Time Exceeded, and Echo Request or Echo Reply to facilitate fault diagnosis and information management. In addition to the common functions provided by ICMPv4, ICMPv6 provides mechanisms such as Neighbor Discovery (ND), stateless address configuration including duplicate address detection, and Path Maximum Transmission Unit (PMTU) discovery.
or the upper-layer protocol, the router or destination node sends an ICMPv6 Destination Unreachable message to the source node. In an ICMPv6 Destination Unreachable message, the value of the Type field is 1. The value of the Code field can be 0, 1, 2, 3, and 4. Each value has a specific meaning (defined in RFC 2463):
• Code=0: No route to the destination device.
administratively prohibited.
Packet Too Big message
If a data packet cannot be sent to the destination node because the size of the packet exceeds the link MTU of the outbound interface, the router sends an ICMPv6 Packet Too Big message to the source node. The link MTU of the outbound interface is carried in the message. PMTU discovery is implemented based on Packet Too Big messages. In a Packet Too Big message, the value of the Type field is 2 and the value of the Code field is 0.
Time Exceeded message
If a router receives a packet with the hop limit being 0, it discards the data packet and sends an ICMPv6 Time Exceeded message to the source node. In a Time Exceeded message, the value of the Type field is 3. The value of the Code field can be 0 or 1.
• Code=0: Hop limit exceeded in packet transmission
• Code=1: Fragment reassembly timeout
Parameter Problem message
If an IPv6 node detects an error in the IPv6 packet header or extension header, the IPv6 node discards the data packet and sends an ICMPv6 Parameter Problem message to the source node, specifying the location and type of the error. In a Parameter Problem message, the value of the Type field is 4. The value of the Code field can be 0, 1, or 2. The 32-bit Pointer field indicates the location of the error. The Code field is defined as follows:
• Code=0: A field in the IPv6 basic header or extension header is incorrect.
• Code=1: The Next Header field in the IPv6 basic header or extension header cannot be identified.
• Code=2: Unknown options exist in the extension header.
Echo Request messages
Echo Request messages are sent to destination nodes. After receiving an Echo Request message, the destination node responds with an Echo Reply message. In an Echo Request message, the value of the Type field is 128 and the value of the Code field is 0. The Identifier and Sequence Number fields are configured by the source host to match the Echo Reply messages and Echo Request messages.
Echo Reply messages
After receiving an Echo Request message, the destination ICMPv6 node responds with an Echo Reply message. In an Echo Reply message, the value of the Type field is 129 and
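The basic header fields and the ICMPv6 Type/Code values described above can be checked against raw packet bytes. The following Python sketch is an added example, not part of the original training material: it decodes the 40-byte basic header, skips any extension headers, and interprets the ICMPv6 message. The Next Header numbers and the sample packets (constructed, documentation prefix 2001:db8::/32, checksum left at 0 and not verified) are assumptions not taken from the page.

```python
import ipaddress
import struct

# Next Header values from the IANA protocol-number registry (assumption: not on the page).
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, ICMPV6 = 0, 43, 44, 60, 58

# Type and Code meanings as the text above gives them.
ICMPV6_TYPES = {
    1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
    4: "Parameter Problem", 128: "Echo Request", 129: "Echo Reply",
}
ICMPV6_CODES = {
    (1, 0): "no route to destination",
    (1, 1): "administratively prohibited",
    (3, 0): "hop limit exceeded",
    (3, 1): "fragment reassembly timeout",
    (4, 0): "incorrect header field",
    (4, 1): "unidentified Next Header",
    (4, 2): "unknown option",
}


def parse_basic_header(pkt):
    """Decode the fixed 40-byte IPv6 basic header."""
    if len(pkt) < 40:
        raise ValueError("shorter than the 40-byte basic header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if first_word >> 28 != 6:
        raise ValueError("version field is not 6")
    return {
        "payload_len": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
    }


def walk_extension_headers(pkt, next_header):
    """Follow the Next Header chain; return (upper_protocol, offset, chain)."""
    offset, chain = 40, []
    while next_header in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if offset + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(next_header)
        # Fragment header is always 8 bytes; the others carry a length in 8-byte units.
        length = 8 if next_header == FRAGMENT else (pkt[offset + 1] + 1) * 8
        next_header = pkt[offset]
        offset += length
    return next_header, offset, chain


def decode_icmpv6(msg):
    """Interpret Type, Code and the 4 type-specific bytes that follow the checksum."""
    if len(msg) < 8:
        raise ValueError("truncated ICMPv6 message")
    mtype, code, _checksum = struct.unpack("!BBH", msg[:4])
    info = {
        "type": mtype,
        "code": code,
        "name": ICMPV6_TYPES.get(mtype, "unknown"),
        "meaning": ICMPV6_CODES.get((mtype, code)),
        "is_error": mtype < 128,  # error messages use types 0-127
    }
    if mtype == 2:
        info["mtu"] = struct.unpack("!I", msg[4:8])[0]
    elif mtype == 4:
        info["pointer"] = struct.unpack("!I", msg[4:8])[0]
    elif mtype in (128, 129):
        info["identifier"], info["sequence"] = struct.unpack("!HH", msg[4:8])
    return info


def inspect_packet(pkt):
    """Parse a whole packet; 'icmpv6' is None when the upper layer is not ICMPv6."""
    hdr = parse_basic_header(pkt)
    proto, offset, chain = walk_extension_headers(pkt, hdr["next_header"])
    hdr["extension_headers"] = chain
    hdr["icmpv6"] = decode_icmpv6(pkt[offset:]) if proto == ICMPV6 else None
    return hdr


def build(src, dst, next_header, payload, hop_limit=64):
    """Build a constructed sample packet (test input only)."""
    return (struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


# Constructed samples: a Packet Too Big carrying MTU 1400, and an Echo Request
# placed behind a Destination Options header (8 bytes, one PadN option).
PTB = build("2001:db8::1", "2001:db8::2", ICMPV6, struct.pack("!BBHI", 2, 0, 0, 1400))
DEST_OPT_HDR = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])
ECHO = build("2001:db8::1", "2001:db8::2", DEST_OPTS,
             DEST_OPT_HDR + struct.pack("!BBHHH", 128, 0, 0, 0x1234, 7))
```

A filter built on this decoder has to follow the extension-header chain before it classifies a message, otherwise the Echo Request in the second sample is seen only as "Destination Options".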
IPv6 address resolution is completed at Layer 3. Layer 3 address resolution brings the following advantages:
Layer 3 address resolution enables Layer 2 devices to use the same address resolution protocol.
Layer 3 security mechanisms, for example, IPSec, are used to prevent address resolution attacks.
Request packets are sent in multicast mode, reducing performance requirements on Layer 2 networks.
Neighbor Solicitation (NS) packets and Neighbor Advertisement (NA) packets are used during address resolution.
mode using the link-layer address of PC1). The Options field carries the link-layer address of PC2. This is the whole address resolution process.
An IPv6 unicast address that is assigned to an interface but has not been verified by DAD is called a tentative address. An interface cannot use the tentative address for unicast communication but will join two multicast groups: ALL-nodes multicast group and Solicited-node multicast group.
IPv6 DAD is similar to IPv4 gratuitous ARP. A node sends an NS message that requests the tentative address as the destination address to the Solicited-node multicast group. If the node receives an NA Reply message, the tentative address is being used by another node. This node will not use this tentative address for communication.
DAD process
IPv6 supports stateless address autoconfiguration. Hosts obtain IPv6 prefixes and automatically generate interface IDs. Router Discovery is the basis for IPv6 address autoconfiguration and is implemented through the following two messages:
Router Advertisement (RA) message: Each router periodically sends multicast RA messages that carry network prefixes and identifiers on the network to declare its existence to Layer 2 hosts and routers. An RA message has a value of 134 in the Type field.
Router Solicitation (RS) message: After being connected to the network, a host immediately sends an RS message to obtain
Address autoconfiguration
The process of IPv6 stateless autoconfiguration is as follows:
Redirection message to notify the sender that packets can be sent from another gateway router. A Redirection message is contained in an ICMPv6 message. A Redirection message has the value of 137 in the Type field and carries a better next hop address and destination address of packets that need to be redirected.
The process of redirecting packets is as follows:
PC1 needs to communicate with PC2. By default, packets sent from PC1 to PC2 are sent through R1. After receiving packets from PC1, R1 finds that sending packets to R2 is much better.
pressure on the transit device.
The PMTU protocol is implemented through ICMPv6 Packet Too Big messages. A source node first uses the MTU of its outbound interface as the PMTU and sends a probe packet. If a smaller PMTU exists on the transmission path, the transit device sends a Packet Too Big message to the source node. The Packet Too Big message contains the MTU value of the outbound interface on the transit device. After receiving the message, the source node changes the PMTU value to the received MTU value and sends packets based on the new MTU. This process is repeated until packets are sent to the destination address. Then, the source node obtains the PMTU of the destination address.
The process of PMTU discovery:
Packets are transmitted through four links. The MTU values of the four links are 1500, 1500, 1400, and 1300 bytes respectively. Before sending a packet, the source node fragments the packet based on PMTU 1500. When the packet is sent to the outbound interface with MTU 1400, the router returns a Packet Too Big message that carries MTU 1400. After receiving the message, the source node fragments the packet based on MTU 1400 and sends the fragmented packet again.
When the packet is sent to the outbound interface with MTU 1300, the router returns another Packet Too Big message that carries MTU 1300. The source node receives the message and fragments the packet based on MTU 1300. In this way, the source node sends the packet to the destination address and discovers the PMTU of the transmission path.
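The four-link walk-through above can be reproduced in a few lines. This Python sketch is an added example, not part of the original material; it also shows the source-side check that a reported MTU must be smaller than the current PMTU and not below 1280 bytes. That check and the 1280-byte IPv6 minimum link MTU come from RFC 8200/RFC 8201, not from the page, and the function names are hypothetical.

```python
IPV6_MIN_MTU = 1280  # IPv6 minimum link MTU (RFC 8200); assumption, not stated on the page


def forward(packet_size, link_mtus):
    """Send one packet along the path.

    Returns None when the packet reaches the destination, otherwise the MTU
    that the dropping router reports in its Packet Too Big message.
    """
    for mtu in link_mtus:
        if packet_size > mtu:
            return mtu
    return None


def accept_ptb(current_pmtu, reported_mtu):
    """Source-side handling of a Packet Too Big message.

    A report that would raise the PMTU, leave it unchanged, or push it below
    the IPv6 minimum is ignored, so an unsolicited or malformed message
    cannot inflate the estimate or shrink it without limit.
    """
    if reported_mtu < IPV6_MIN_MTU or reported_mtu >= current_pmtu:
        return current_pmtu
    return reported_mtu


def discover_pmtu(first_hop_mtu, link_mtus):
    """Repeat send/adjust until a packet gets through.

    Returns (pmtu, history) where history lists every PMTU value the source used.
    """
    pmtu = first_hop_mtu
    history = [pmtu]
    while True:
        reported = forward(pmtu, link_mtus)
        if reported is None:
            return pmtu, history
        new_pmtu = accept_ptb(pmtu, reported)
        if new_pmtu == pmtu:
            # The report was rejected, so retrying with the same size cannot succeed.
            raise RuntimeError(f"unusable Packet Too Big report: MTU {reported}")
        pmtu = new_pmtu
        history.append(pmtu)


if __name__ == "__main__":
    # The path from the text: four links with MTU 1500, 1500, 1400 and 1300 bytes.
    print(discover_pmtu(1500, [1500, 1500, 1400, 1300]))
```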
RIPng made the following modifications to RIP:
RIPng uses UDP port 521 (RIP uses UDP port 520) to send and receive routing information.
RIPng uses the destination addresses with 128-bit prefixes (mask length).
RIPng uses 128-bit IPv6 addresses as next hop addresses.
RIPng uses the link-local address FE80::/10 as the source address to send RIPng Update packets.
RIPng periodically sends routing information in multicast mode and uses FF02::9 as the multicast address.
A RIPng packet consists of a header and multiple route table entries (RTEs). In a RIPng packet, the maximum number of
OSPFv3 is based on links rather than network segments.
OSPFv3 runs on IPv6, which is based on links rather than network segments.
Therefore, you do not need to configure OSPFv3 on the interfaces in the same network segment. It is only required that the interfaces enabled with OSPFv3 are on the same link. In addition, the interfaces can set up OSPFv3 sessions without IPv6 global addresses.
OSPFv3 does not depend on IP addresses.
This is to separate topology calculation from IP addresses. That is, OSPFv3 can calculate the OSPFv3 topology without
local addresses to maintain neighbor relationships and update LSDBs. Except Vlink interfaces, all OSPFv3 interfaces use link-local addresses as the source address and that of the next hop to transmit OSPFv3 packets. The advantages are as follows:
• The OSPFv3 can calculate the topology without knowing the global IPv6 addresses so that topology calculation is independent of IP addresses.
• The packets flooded on a link are not transmitted to other links, which prevents unnecessary flooding and saves bandwidth.
OSPFv3 packets do not contain authentication fields.
OSPFv3 directly adopts IPv6 authentication and security measures. Thus, OSPFv3 does not need to perform authentication. It only focuses on the processing of packets.
OSPFv3 supports two new LSAs.
Intra Area Prefix LSA: A router advertises an intra-area prefix LSA in the local OSPF area to inform the other routers in the area or the network, which can be a broadcast network or an NBMA network, of its IPv6 global address.
OSPFv3 identifies neighbors based on router IDs only.
On broadcast, NBMA, and P2MP networks, OSPFv2 identifies neighbors based on IPv4 addresses of interfaces.
OSPFv3 identifies neighbors based on router IDs only. Thus, even if global IPv6 addresses are not configured or they are configured in different network segments, OSPFv3 can still establish and maintain neighbor relationships so that topology calculation is not based on IP addresses.
Extended IS-IS for IPv6 is defined in the draft-ietf-isis-ipv6-05 of the IETF. To process and calculate IPv6 routes, IS-IS uses two new TLVs and one network layer protocol identifier (NLPID).
The two TLVs are as follows:
TLV 236 (IPv6 Reachability): describes network reachability by defining the route prefix and metric.
TLV 232 (IPv6 Interface Address): is similar to the IP Interface Address TLV of IPv4, except that it changes a 32-bit IPv4 address to a 128-bit IPv6 address.
The NLPID is an 8-bit field that identifies the protocol packets of the network layer. The NLPID of IPv6 is 142 (0x8E). If IS-IS supports IPv6,
To support multiple network layer protocols, BGP requires NLRI and Next_Hop attributes to carry information about network layer protocols. Therefore, MP-BGP uses the following new optional non-transitive attributes:
MP_REACH_NLRI: indicates the multiprotocol reachable NLRI. It is used to advertise reachable routes and next hop information.
MP_UNREACH_NLRI: indicates the multiprotocol unreachable NLRI. It is used to withdraw unreachable routes.
Multicast Listener Discovery (MLD) is a protocol that manages IPv6 multicast members. It has similar principles and functions as IGMP. MLD is used to enable each IPv6 router to discover its directly connected multicast listeners (nodes that expect to receive multicast data) and learn the multicast addresses that the neighbor nodes are interested in. Then, MLD delivers the learnt information to the multicast routing protocols used by the routers to ensure that multicast data can be sent to all links where the receivers reside.
Querier election mechanism
The working mechanism is similar to IGMPv2:
• Each MLD router considers itself as a querier when it starts and sends a General Query message with destination address FF02::1 to all hosts and routers on the local network segment.
• When the routers receive a General Query message, they compare the source IPv6 address of the message with their own interface IPv6 address. The router with
the other routers are considered non-queriers.
of a new querier.
segment can receive the Report message sent from a
PC2 to G1. When PC3 receives this Report message, it does not send the same Report message to G1 because MLD routers (R1 and R2) have known that G1 has members on the local network segment. This mechanism suppresses duplicate Report messages, reducing information traffic on the local network segment.
• PC1 still needs to multicast a Report message to G2, declaring that it belongs to G2.
• After receiving the Report messages, MLD routers know that multicast groups G1 and G2 have members on the local network segment. Then the routers use IPv6 multicast routing protocols (such as IPv6 PIM) to create (*, G1) and (*, G2) entries for multicast data forwarding, in which * stands for any multicast source.
• When IPv6 multicast data sent from an IPv6 multicast
Member Leave Mechanism
The host sends a Done message with destination address FF02::2 to all IPv6 multicast routers on the local network segment.
When the MLD querier receives the Done message, it sends a Multicast-Address-Specific Query message to the IPv6 multicast group that the host wants to leave. The destination address and group address of the Query message are the address of this IPv6 multicast group.
If the IPv6 multicast group has other members on the network segment, the members send a Report message within the maximum response time.
If the querier receives the Report messages from other members within the maximum response time, the querier continues to maintain memberships of the IPv6 multicast group. Otherwise, the querier considers that the IPv6 multicast group has no member on the local network segment and stops maintaining memberships of the IPv6 multicast group.
IPv6 multicast source filtering
MLDv2 supports IPv6 multicast source filtering and defines two filter modes: INCLUDE and EXCLUDE. When a host joins an IPv6 multicast group G, the host can choose to accept or reject IPv6 multicast data from a specific source S. When a host joins an IPv6 multicast group:
• If the host only needs to receive data sent from sources S1, S2, and so on, the host can send a Report message with an INCLUDE Sources (S1, S2,…) entry.
S2, and so on, the host can send a Report message
IPv4/IPv6 dual stack is an efficient technology that implements IPv4-to-IPv6 transition. In IPv4/IPv6 dual stack, network devices support both the IPv4 protocol stack and IPv6 protocol stack. The source device selects a protocol stack according to the IP address of the destination device. Network devices between the source and destination devices select a protocol stack to process and forward packets according to the packet protocol type. IPv4/IPv6 dual stack can be implemented on a single device or on a dual-stack backbone network. On a dual-stack backbone network, all devices must support the IPv4/IPv6 dual stack, and interfaces connected to the dual-stack network must have both IPv4 and IPv6 addresses configured.
The topology is described as follows:
The host sends a DNS request to the DNS server for the IP address of domain name www.huawei.com. The DNS server replies with the requested IP address of the domain name. The
During early transition, IPv4 networks are widely deployed, while IPv6 networks are isolated islands. IPv6 over IPv4 tunneling allows IPv6 packets to be transmitted on an IPv4 network, interconnecting all IPv6 islands.
Principles are as follows:
IPv4/IPv6 dual stack is enabled and an IPv6 over IPv4 tunnel is deployed on edge routing devices.
After an edge routing device receives a packet from the IPv6 network, the device appends an IPv4 header to the IPv6 packet to encapsulate the IPv6 packet as an IPv4 packet if the
The IPv4 address of the source end of an IPv6 over IPv4 tunnel must be manually configured, but the IPv4 address of the destination end can be manually configured or automatically obtained. An IPv6 over IPv4 tunnel can be a manual or an automatic tunnel depending on how the destination end of the tunnel obtains its IPv4 address.
Manual tunnel: The edge routing device cannot automatically obtain the IPv4 address of the destination end, which must be manually configured so that the packets can be correctly forwarded to the tunnel end.
Automatic tunnel: The edge routing device can automatically obtain the IPv4 address of the destination end and does not require you to manually configure an IPv4 address for the destination end. In most cases, two interfaces on both ends of an automatic tunnel use IPv6 addresses that contain embedded IPv4 addresses so that the destination IPv4 address can be extracted from the destination IPv6 address of IPv6 packets.
If an edge routing device needs to set up a manual tunnel with multiple devices, multiple tunnels must be configured on the edge routing device. Such configuration is complex. To simplify the configuration, a manual tunnel is often set up between two edge routing devices to connect two IPv6 networks.
The manual tunnel has advantages and disadvantages:
Advantage: applies to any environment in which IPv6 traverses IPv4.
Disadvantage: must be manually configured.
Packets are transmitted in an IPv6 over IPv4 manual tunnel as follows:
from an IPv6 network, the device searches the IPv6 routing table according to the destination address of the IPv6 packet. If the packet is forwarded from the virtual tunnel interface, the
technology to provide a point-to-point connection and requires tunnel endpoint addresses to be manually configured. GRE tunnels have no limitations on the encapsulation protocol and transport protocol, which can be any protocol such as IPv4, IPv6, OSI, or Multiprotocol Label Switching (MPLS).
Packet forwarding on an IPv6 over IPv4 GRE tunnel is similar to that on an IPv6 over IPv4 manual tunnel.
The destination address of IPv6 packets transmitted over an automatic IPv4-compatible IPv6 tunnel is an IPv4-compatible IPv6 address (the special address used by the automatic tunnel). An IPv4-compatible IPv6 address is an IPv6 unicast address that has zeros in the high-order 96 bits and an IPv4 address in the low-order 32 bits.
Disadvantages of an automatic IPv4-compatible IPv6 tunnel:
An automatic IPv4-compatible IPv6 tunnel requires that each host on both ends should have a valid IP address and support IPv4/IPv6 dual stack and automatic IPv4-compatible IPv6 tunnels. Therefore, automatic IPv4-compatible IPv6 tunnels cannot be deployed in a large scale. Currently, automatic IPv4-
6to4 tunnels.
Packet forwarding process is as follows:
After R1 receives an IPv6 packet destined for R2, R1 searches for an IPv6 route according to destination address ::2.1.1.1, and finds that the next hop is a tunnel interface. The tunnel configured on R1 is an automatic IPv4-compatible IPv6 tunnel. Therefore, R1 encapsulates the IPv6 packet into an IPv4 packet. In the IPv4 packet, the source address is the tunnel source address 1.1.1.1, and the destination address is the low-order 32 bits of IPv4-compatible IPv6 address ::2.1.1.1, namely, 2.1.1.1. The IPv4 packet is forwarded by the tunnel interface on R1 over the IPv4 network to R2 at 2.1.1.1.
After R2 receives the IPv4 packet, it decapsulates the IPv4 packet to obtain the IPv6 packet and sends the IPv6 packet to the IPv6 protocol stack for processing. An IPv6 packet is sent from R2 to R1 following a similar process.
An automatic 6to4 tunnel is also a kind of automatic tunnel and is set up using the IPv4 address embedded in an IPv6 address. Unlike an automatic IPv4-compatible IPv6 tunnel, the 6to4 automatic tunnel can be set up from a router to a router, from a host to a router, from a router to a host, and from a host to a host.
The address format is as follows:
FP: is the format prefix of aggregatable global unicast addresses and fixed as 001.
TLA: is short for top level aggregator and fixed as 0x0002.
SLA: is short for site level aggregator.
A 6to4 address starts with the prefix 2002::/16 in the format of
which the first 48 bits (2002:a.b.c.d) are the IPv4 address assigned to a router interface and cannot be changed, and the last 16 bits (SLA) can
tunnel. If one edge router connects to multiple 6to4 networks and uses the same IPv4 address as the tunnel source address, SLA IDs in 6to4 addresses are used to differentiate the 6to4 networks. These 6to4 networks, however, share the same 6to4 tunnel.
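Both automatic tunnel types above derive the outer IPv4 destination from bits of the inner IPv6 address, so the edge router should validate the extracted address before encapsulating and compare it with the outer source when decapsulating. The following Python sketch is an added example, not part of the original material: it reproduces the R1/R2 case (::2.1.1.1 over tunnel source 1.1.1.1) and the 2002:a.b.c.d layout. The function names, the list of rejected IPv4 ranges and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# IPv4 ranges that cannot be a remote tunnel endpoint (assumed policy for this example).
NEVER_AN_ENDPOINT = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
# A 6to4 prefix is built from an IPv4 address assigned to a router interface on the
# IPv4 network being crossed, so private ranges are also rejected in 6to4 mode.
PRIVATE = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def embedded_ipv4(ipv6_addr, mode):
    """Extract the IPv4 address an automatic-tunnel IPv6 address carries."""
    n = int(ipaddress.IPv6Address(ipv6_addr))
    if mode == "ipv4-compatible":
        # Zeros in the high-order 96 bits, IPv4 address in the low-order 32 bits.
        if n >> 32:
            raise ValueError("high-order 96 bits are not zero")
        return ipaddress.IPv4Address(n & 0xFFFFFFFF)
    if mode == "6to4":
        # 2002::/16 followed by the 32-bit IPv4 address (bits 16 to 47).
        if n >> 112 != 0x2002:
            raise ValueError("address is not in 2002::/16")
        return ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
    raise ValueError("unknown tunnel mode")


def tunnel_destination(ipv6_dst, mode):
    """Return the outer IPv4 destination, refusing unusable embedded addresses."""
    v4 = embedded_ipv4(ipv6_dst, mode)
    blocked = NEVER_AN_ENDPOINT + (PRIVATE if mode == "6to4" else [])
    for net in blocked:
        if v4 in net:
            raise ValueError(f"{v4} embedded in {ipv6_dst} falls in {net}")
    return v4


def encapsulate(ipv6_dst, tunnel_source, mode):
    """Return the (source, destination) pair of the outer IPv4 header."""
    return ipaddress.IPv4Address(tunnel_source), tunnel_destination(ipv6_dst, mode)


def decap_source_consistent(outer_src, inner_ipv6_src, mode):
    """Decapsulation check: an embedded IPv4 source must equal the outer IPv4 source."""
    try:
        embedded = embedded_ipv4(inner_ipv6_src, mode)
    except ValueError:
        # A native IPv6 source can arrive through a 6to4 relay: nothing to compare.
        return mode == "6to4"
    return embedded == ipaddress.IPv4Address(outer_src)


if __name__ == "__main__":
    # R1 (tunnel source 1.1.1.1) forwarding to R2 at ::2.1.1.1, as in the text.
    print(encapsulate("::2.1.1.1", "1.1.1.1", "ipv4-compatible"))
    # Constructed 6to4 address embedding 2.1.1.1 with SLA ID 1.
    print(tunnel_destination("2002:201:101:1::1", "6to4"))
```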
Common IPv6 networks need to communicate with 6to4 networks over IPv4 networks. This requirement can be met through 6to4 relays. A 6to4 relay is a next-hop device that forwards IPv6 packets of which the destination address is not a 6to4 address but the next-hop address is a 6to4 address. The tunnel destination IPv4 address is obtained from the next-hop 6to4 address.
If a host on 6to4 network 2 needs to communicate with devices on the IPv6 network, a route must be configured on the edge router, and the next-hop address of the route to the IPv6 network is specified as the 6to4 address of the 6to4 relay. The 6to4 address of the relay matches the source address of the 6to4 tunnel. Packets to be sent from 6to4 network 2 to the IPv6 network are first sent to the 6to4 relay according to the next hop specified in the routing table. The 6to4 relay then forwards the packet to the IPv6 network. When a packet needs to be sent from the IPv6 network to 6to4 network, the 6to4 relay
automatic tunneling mechanism. An ISATAP tunnel uses an IPv6 address with an embedded IPv4 address. An ISATAP address uses an IPv4 address as the interface identifier, while a 6to4 address uses an IPv4 address as the network prefix.
The address is described as follows:
If the IPv4 address is globally unique, the u bit is 1. Otherwise, the u bit is 0. The g bit indicates whether the IPv4 address is unicast or multicast. An ISATAP address can be a global unicast address, link-local address, unique local address, or
deployed, while IPv4 networks are isolated islands over the world. You can create a tunnel on an IPv6 network to connect isolated IPv4 sites
The forwarding process is described as follows:
IPv4/IPv6 dual stack is enabled and an IPv4 over IPv6 tunnel is deployed on edge routing devices.
After the edge routing device receives a packet from the connected IPv4 network, it adds an IPv6 header to the IPv4
devices are 2001:XY::X/64 and 2001:XY::Y/64 respectively.
The commands and their functions are as follows:
ripng: creates an RIPng process.
ripng enable: enables RIPng on an interface.
ripng metricout: sets the metric that is added to the RIPng route sent by an interface.
import-route: configures RIPng to import routes from other routing protocols. You can use the route-policy parameter to filter routes to be imported and configure route properties.
Precautions:
The policy usage is similar to that in IPv4.
Example description:
The device addresses are determined as follows:
• If RTX connects to RTY, the addresses of the two devices are 2001:XY::X/64 and 2001:XY::Y/64 respectively.
The commands and their functions are as follows:
router-id: configures the ID of the router running OSPFv3.
ospfv3 area: enables the OSPFv3 process on an interface and specifies the area the process belongs to.
nssa: configures an OSPFv3 area as an NSSA.
undo ipv6 nd ra halt: enables the system to send RA packets.
ipv6 address auto global: enables a device to automatically generate a global IPv6 address through stateless autoconfiguration.
Precautions:
Example description:
The device addresses are determined as follows:
• If RTX connects to RTY, the addresses of the two devices are 2001:XY::X/64 and 2001:XY::Y/64 respectively.
The commands and their functions are as follows:
ipv6 enable: enables the IPv6 capability of an IS-IS process.
ipv6 nd ra prefix: configures the prefix in an RA packet.
isis ipv6 enable: enables the IS-IS IPv6 capability for an interface and specifies the ID of the IS-IS process to be associated with the interface.
ipv6 import-route isis level-2 into level-1: configures IPv6 route importing from Level-2 areas to Level-1 areas.
Precautions:
IS-IS IPv6 has similar features as IS-IS IPv4.
Example description:
The device addresses are determined as follows:
• If RTX connects to RTY, the addresses of the two devices are 2001:XY::X/64 and 2001:XY::Y/64 respectively.
The commands and their functions are as follows:
peer { ipv6-address | group-name } as-number as-number: creates a peer or configures an AS number for a specified peer group.
ipv6-family: displays the IPv6 address family view of BGP.
peer enable: enables a BGP device to exchange routes with a specified peer or peer group in the address family view.
peer connect-interface: specifies a source interface from which BGP packets are sent, and a source address used for initiating a connection.
peer password: enables a BGP device to implement MD5 authentication for BGP messages exchanged during the
Precautions:
BGP4+ has similar features as BGP.
Example description:
IPv6 and IPv4 addresses have been specified.
The commands and their functions are as follows:
interface tunnel: creates a tunnel interface and displays the tunnel interface view.
tunnel-protocol ipv6-ipv4: sets the tunnel mode to IPv6 over IPv4 manual tunnel.
source { ipv4-address | interface-type interface-number }: specifies the source interface of a tunnel.
destination { ipv4-address }: specifies the destination interface of a tunnel.
ipv6 address { ipv6-address prefix-length }: configures IPv6 addresses for tunnel interfaces.
Example description:
IPv6 and IPv4 addresses have been specified.
The commands and their functions are as follows:
interface tunnel: creates a tunnel interface and displays the tunnel interface view.
tunnel-protocol gre: sets the tunnel mode to IPv6 over IPv4 GRE tunnel.
source { ipv4-address | interface-type interface-number }: specifies the source interface of the tunnel.
destination { ipv4-address }: specifies the destination interface of a tunnel.
ipv6 address { ipv6-address prefix-length }: configures IPv6 addresses for tunnel interfaces.
MPLS VPN overview
A BGP/MPLS IP VPN is a Layer 3 Virtual Private Network (L3VPN). It uses the Border Gateway Protocol (BGP) to advertise VPN routes and uses Multiprotocol Label Switching (MPLS) to forward VPN packets on the backbone network of the Service Provider (SP). This technology is called IP VPN because IP packets are transmitted on VPNs.
The BGP/MPLS IP VPN model consists of the following entities:
edge of a customer network and has interfaces directly
Site
A site is a group of IP systems with IP connectivity, which can be achieved independent of ISP networks.
Sites are configured based on topologies between devices but not their geographic locations, although devices in a site are geographically adjacent to each other in most situations.
The devices in a site may belong to multiple VPNs. That is, a site may belong to multiple VPNs.
Different VPN sites can use overlapping address spaces.
A PE device establishes and maintains a VPN instance for each directly connected site. A VPN instance contains VPN member interfaces and routes of the corresponding site. Specifically, information in a VPN instance includes the IP routing table, label forwarding table, interface bound to the VPN instance, and VPN instance management information. VPN instance management information includes the route distinguisher (RD), route filtering policy, and member interface list of the VPN instance.
A public routing and forwarding table and a VRF differ in the following aspects:
The PE devices use Multiprotocol Extensions for BGP-4 (MP-BGP) to advertise VPN routes and use the VPN-IPv4 address family to solve the problem that BGP cannot distinguish VPN routes with the same IP address prefix.
RDs distinguish the IPv4 prefixes with the same address space. The RD format enables SPs to allocate RDs independently. When CE devices are dual-homed to PE devices, the RD must be globally unique to ensure correct routing.
A VPN target, also called the route target (RT), is a 32-bit BGP extended community attribute. BGP/MPLS IP VPN uses VPN targets to control the advertisement of VPN routes.
A VPN instance is associated with one or more VPN target attributes. VPN target attributes are classified into the following types:
Export target: After a PE device learns IPv4 routes from directly connected sites, it converts the routes to VPN-IPv4 routes and sets the export target attribute for those routes. The export target attribute is advertised with the routes as a BGP extended community attribute.
A VPN target defines which sites can receive a VPN route and which VPN routes of which sites can be received by a PE device.
The reasons for using the VPN target instead of the RD as the extended community attribute are as follows:
A VPN-IPv4 route has only one RD, but can be associated with multiple VPN targets. With multiple extended community attributes, BGP can greatly improve the flexibility and expansibility of a network.
VPN targets can be used to control route advertisement between different VPNs on a PE device. With properly configured VPN targets, different VPN instances on a PE device can import routes from each other.
Traditional BGP-4 defined in RFC 1771 can manage only the IPv4 routes but cannot process VPN routes that have overlapping address spaces.
To correctly process VPN routes, VPNs use MP-BGP defined in RFC 2858 (Multiprotocol Extensions for BGP-4). MP-BGP supports multiple network layer protocols. Network layer protocol information is contained in the Network Layer Reachability Information (NLRI) field and the Next Hop field of an MP-BGP Update message.
MP-BGP uses the address family to differentiate network layer protocols. An address family can be a traditional IPv4 address family or any other address family, such as a VPN-IPv4 address family or an IPv6 address family. For the values of address families, see RFC 1700 (Assigned Numbers).
The PE and CE devices exchange routing information through standard BGP, OSPF, IS-IS, RIP or static routes. During the process, the PE device needs to store routes received from the CE devices to different VRFs. Other operations are the same as those for common route exchange. You can configure the same routing protocol for all the CE devices. However, you must configure different instances for each VRF of a PE device. The instances do not interfere with each other.
After PE1 receives an IPv4 route from CE1, it adds the manually configured RD of the VRF to the route to change the IPv4 route into a VPNv4 route. PE1 then changes the Next_Hop attribute in the route advertisement message to its own loopback address and adds a VPN label (randomly generated by MP-IBGP) to the route. After that, PE1 adds the export route target attribute to the route and sends the route to all its PE neighbors. In VRP5.3, after MPLS is enabled on PE1, PE1 uses MP-BGP to allocate VPN labels to private network routes. PE devices can then correctly exchange VPN routes.
When multiple CE devices in a VPN site connect to different PE devices, VPN routes advertised from the CE devices to the PE devices may be sent back to the VPN site after the routes traverse the backbone network. This may cause routing loops in the VPN site. The Site of Origin (SoO) attribute specifies the source site and prevents routing loops.
After PE2 receives a VPNv4 route advertised by PE1, PE2 converts the VPNv4 route into an IPv4 route and adds the IPv4 route to the corresponding VRF based on the import target attribute of the route. The VPN label of the route is retained for packet forwarding. PE2 forwards the IPv4 route to the corresponding CE device through the routing protocol between the PE and CE devices. The next hop in the route is the IP address of PE2's interface.
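The export and import steps described above, as an added example that is not part of the original course material: a small Python model of two PE devices in which two VPNs use the same prefix. The VRF names, RD and RT values, loopback addresses and the sequential label allocator are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str          # route distinguisher prepended to the IPv4 prefix
    prefix: str      # customer IPv4 prefix, may overlap between VPNs
    next_hop: str    # loopback of the advertising PE
    label: int       # inner (VPN) label
    rts: frozenset   # export targets carried as extended communities

    @property
    def key(self):
        # MP-BGP compares RD + prefix, so overlapping prefixes stay distinct.
        return (self.rd, self.prefix)


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    routes: dict = field(default_factory=dict)  # prefix -> (next_hop, label)


class Pe:
    def __init__(self, loopback, first_label):
        self.loopback = loopback
        self.vrfs = {}
        # Constructed allocator: sequential here so the result is repeatable.
        self.next_label = first_label

    def add_vrf(self, vrf):
        self.vrfs[vrf.name] = vrf

    def advertise(self, vrf_name, prefix):
        """Turn a CE-learned IPv4 route into a VPNv4 route for PE neighbors."""
        vrf = self.vrfs[vrf_name]
        label = self.next_label
        self.next_label += 1
        return Vpnv4Route(vrf.rd, prefix, self.loopback, label, vrf.export_rts)

    def receive(self, route):
        """Install the route in every VRF whose import targets match it."""
        installed = []
        for vrf in self.vrfs.values():
            if vrf.import_rts & route.rts:
                # The RD is dropped; the label is kept for forwarding.
                vrf.routes[route.prefix] = (route.next_hop, route.label)
                installed.append(vrf.name)
        return installed


def demo():
    rt_a, rt_b = frozenset({"100:1"}), frozenset({"100:2"})
    pe1, pe2 = Pe("1.1.1.1", 15362), Pe("2.2.2.2", 15362)
    for pe in (pe1, pe2):
        pe.add_vrf(Vrf("vpna", "100:1", rt_a, rt_a))
        pe.add_vrf(Vrf("vpnb", "100:2", rt_b, rt_b))
    # A third VRF on PE2 imports vpna's target in addition to its own.
    pe2.add_vrf(Vrf("shared", "100:9", frozenset({"100:9"}),
                    frozenset({"100:1", "100:9"})))
    a = pe1.advertise("vpna", "10.1.1.0/24")
    b = pe1.advertise("vpnb", "10.1.1.0/24")   # same prefix, different VPN
    return a, b, pe2.receive(a), pe2.receive(b), pe2


if __name__ == "__main__":
    a, b, got_a, got_b, pe2 = demo()
    print(a.key, "->", got_a)
    print(b.key, "->", got_b)
```

A route whose targets match no import target on the receiving PE is installed nowhere, which is the isolation property that a mistyped import target silently breaks.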
VPN data needs to be forwarded through the MPLS backbone network based on MPLS labels. The process for allocating public network labels (outer labels) is as follows:
The PE and P routers learn BGP next hop IP addresses using an IGP, assign outer labels using LDP, and establish LSPs. A label stack is used for packet forwarding. An outer label directs packets to the BGP next hop. An inner label indicates the outbound interface for the packet or the VPN instance to which the packet belongs. MPLS forwarding is based only on outer labels and is independent of the inner labels.
CE2 sends an IP packet destined for CE1. After receiving the packet, PE2 pushes inner label 15362 and then outer label 1024 onto the packet and forwards the packet to the P device. After receiving the packet, the penultimate hop P pops the outer label, retains the inner label, and forwards the packet to PE1 based on the outer label. PE1 determines the VPN site to which the packet belongs based on the inner label, removes the inner label, and forwards the packet to CE1.
Case description
In this case, the addresses for interconnecting devices are as follows:
• If RTX interconnects with RTY, the addresses are XY.1.1.X and XY.1.1.Y, and the network mask is 24.
• Assume that PE1 is RT1, PE2 is RT2, and P is RT3.
Command usage
ip binding vpn-instance: binds the current AC interface to a specified VPN instance.
ipv4-family: enters the IPv4 address family view of BGP.
Precautions
After a VPN instance is bound to or unbound from an interface, Layer 3 features such as IP address and routing protocol are deleted from the interface. If such features are required, you need to re-configure them.
Case description
In this case, the addresses for interconnecting devices are as follows:
• If RTX interconnects with RTY, the addresses are XY.1.1.X and XY.1.1.Y, and the network mask is 24.
• Assume that PE1 is RT1, PE2 is RT2, and P is RT3.
Command usage
ip binding vpn-instance: binds the current AC interface to a specified VPN instance.
ipv4-family: enters the IPv4 address family view of BGP.
Precautions
Specify a VPN instance for each RIP process on the PE device.
Case description
In this case, the addresses for interconnecting devices are as follows:
• If RTX interconnects with RTY, the addresses are XY.1.1.X and XY.1.1.Y, and the network mask is 24.
• Assume that PE1 is RT1, PE2 is RT2, and P is RT3.
Command usage
ip binding vpn-instance: binds the current AC interface to a specified VPN instance.
ipv4-family: enters the IPv4 address family view of BGP.
Precautions
Specify a VPN instance for each IS-IS process on the PE device.
Deleting a VPN instance or disabling a VPN instance IPv4 address family will delete all the IS-IS processes bound to the VPN instance or the VPN instance IPv4 address family on the PE.
Case description
In this case, the addresses for interconnecting devices are as follows:
• If RTX interconnects with RTY, the addresses are XY.1.1.X and XY.1.1.Y, and the network mask is 24.
• Assume that PE1 is RT1, PE2 is RT2, and P is RT3.
Command usage
ip binding vpn-instance: binds the current AC interface to a specified VPN instance.
ipv4-family: enters the IPv4 address family view of BGP.
Precautions
Specify a VPN instance for each OSPF process on the PE device.
Deleting a VPN instance or disabling a VPN instance IPv4 address family will delete all the OSPF processes bound to the VPN instance or the VPN instance IPv4 address family on the PE.
Case description
In this case, the addresses for interconnecting devices are as follows:
• If RTX interconnects with RTY, the addresses are XY.1.1.X and XY.1.1.Y, and the network mask is 24.
• Assume that PE1 is RT1, PE2 is RT2, and P is RT3.
Command usage
ip binding vpn-instance: binds the current AC interface to a specified VPN instance.
peer substitute-as: replaces the AS number of the peer specified in the AS_Path attribute with the local AS number.
Precautions
VPN sites in the same AS or with different private AS numbers can communicate over the BGP/MPLS IP VPN backbone network. Sites in the same VPNs have the same AS number. When a local CE device establishes an EBGP neighbor
To improve the HA of a device, increase MTBF and reduce MTTR.
Concepts
Two network devices establish a BFD session to detect the bidirectional forwarding paths between them and serve upper-layer applications. BFD does not provide the neighbor discovery mechanism. Instead, BFD obtains neighbor information from the upper-layer applications BFD serves. After the BFD session is established, the local device periodically sends BFD packets. If the local device does not receive a response from the peer device within the detection time, it considers the forwarding path faulty. BFD then notifies the upper-layer application for processing.
BFD control messages are encapsulated in UDP packets. The destination port number is 3784 and source port number is a random
BFD session establishment process
OSPF discovers neighbors using the hello mechanism and sets up connections to neighbors.
After setting up a neighbor relationship, OSPF notifies neighbor information (including destination and source addresses) to BFD.
BFD sets up a session by using the received neighbor information.
After the BFD session is set up, BFD starts to detect link faults and rapidly responds to link faults.
A BFD session has the following states: Down, Init, Up, and AdminDown.
Down: indicates that a BFD session is in the Down state or has just been set up.
Init: indicates that the local system can communicate with the peer system, and the local system expects to make the session Up.
Up: indicates that a session is established successfully.
AdminDown: indicates that a session is in the AdminDown state.
BFD session status transition:
R1 and R2 start BFD state machines respectively. The initial state of the BFD state machine is Down. R1 and R2 send BFD control messages with the State field as Down.
After receiving the BFD message with the State field as Down from R1, R2 switches the session status to Init and sends a BFD message with the State field as Init.
After the local BFD session status of R2 changes to Init, R2 no longer processes the received BFD messages with the State field as Down.
The BFD session status change on R1 is the same as that on R2.
After receiving the BFD message with the State field as Init, R2 changes the local BFD session status to Up.
The BFD session status change on R1 is the same as that on R2.
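The state transitions above, as an added Python example that is not part of the original course material. It goes slightly beyond the text by also covering the teardown transitions of the RFC 5880 state machine (a received Down or AdminDown, and detection-time expiry); the detection multiplier of 3 and the lock-step exchange are assumptions of this sketch.

```python
from enum import Enum


class State(Enum):
    ADMIN_DOWN = 0
    DOWN = 1
    INIT = 2
    UP = 3


class BfdSession:
    def __init__(self, name, detect_mult=3):
        self.name = name
        self.state = State.DOWN        # the state machine starts in Down
        self.detect_mult = detect_mult  # assumed multiplier for this sketch
        self.missed = 0                # intervals elapsed with no packet

    def receive(self, peer_state):
        """Apply the State field of one received control packet."""
        self.missed = 0
        if self.state is State.ADMIN_DOWN:
            return self.state          # administratively held down
        if peer_state is State.ADMIN_DOWN:
            self.state = State.DOWN
        elif self.state is State.DOWN:
            if peer_state is State.DOWN:
                self.state = State.INIT
            elif peer_state is State.INIT:
                self.state = State.UP
        elif self.state is State.INIT:
            # A received Down is ignored here, as the text describes.
            if peer_state in (State.INIT, State.UP):
                self.state = State.UP
        elif self.state is State.UP:
            if peer_state is State.DOWN:
                self.state = State.DOWN
        return self.state

    def tick(self):
        """One transmit interval passed with nothing heard from the peer."""
        if self.state in (State.INIT, State.UP):
            self.missed += 1
            if self.missed >= self.detect_mult:
                self.state = State.DOWN   # detection time expired
        return self.state


def exchange(a, b):
    """Both ends send their current state at the same time."""
    sent_a, sent_b = a.state, b.state
    a.receive(sent_b)
    b.receive(sent_a)
    return a.state, b.state


def handshake_trace():
    r1, r2 = BfdSession("R1"), BfdSession("R2")
    trace = [(r1.state, r2.state)]
    while (r1.state, r2.state) != (State.UP, State.UP):
        trace.append(exchange(r1, r2))
    return trace


if __name__ == "__main__":
    for step in handshake_trace():
        print([s.name for s in step])
```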
Common Commands
Single-hop detection and multi-hop detection
• Single-hop or multi-hop detection:
• The bfd command enables the global BFD and displays the BFD view.
• The bfd bind peer-ip command creates a BFD
Association between BFD and interface status
displays the BFD view.
• The bfd bind peer-ip default-ip command binds the physical status of a physical link to the BFD session.
• The discriminator command sets the local and remote
their neighbor relationships are Down and then become Up again after a period of time. This is the flapping of neighbor relationships. The flapping of neighbor relationships causes route flapping, which leads to black hole routes on the restarted router or causes data services from the neighbors to bypass the restarted router. This decreases the reliability of the network.
NSF is thus introduced to address the route flapping issue. The following requirements must be met:
Hardware: Dual control boards must be configured with redundant RP. One is the active board and the other is the standby board. If the active board restarts, the standby board becomes the active one. The distributed structure is used. That is, data forwarding and control are
System software: When the active control board is running, it synchronizes configuration and interface state information to the
data forwarding during an active/standby switchover or a protocol restart. When a device is performing a protocol restart, it notifies neighboring devices of its restart so that the neighboring relationships and routes are stably maintained in a certain period. After the protocol restart is complete, the neighboring devices synchronize configurations (including the topologies, routes, and sessions maintained by the GR-related protocols) to the GR Restarter. The configurations on the GR Restarter are quickly restored. During the protocol restart, route flapping will not occur and packet forwarding path is not changed. The entire system continuously works.
OSPF GR terms:
GR Restarter: indicates the GR-capable device where protocol restart occurs.
GR Helper: indicates a device neighboring with the GR Restarter and
OSPF GR commands:
The opaque-capability enable command enables the Opaque-LSA capability. After Opaque-LSA capability is enabled, an OSPF process can generate Opaque-LSAs and receive Opaque-LSAs from neighboring devices.
The graceful-restart command enables OSPF GR.
IS-IS GR also uses the concepts of GR Restarter, GR Helper, and GR Session, which are the same as those used in OSPF GR.
To support the GR feature, IS-IS adds the Restart TLV field to hello packets and defines three timers.
T1 timer is similar to the IIH timer used in the IS-IS protocol. When a device restarts, it creates a T1 timer on each interface and periodically sends hello packets. The T1 timer on an interface is deleted only when the interface receives all hello ACK packets and CSNP packets.
T2 defines the timeout period of LSDB synchronization after a device restarts. The T2 timer of a Level is deleted only when the LSDB of this Level completes synchronization. If LSDB synchronization is not complete when the T2 timer expires, the T2 timer is deleted and GR fails.
T3 defines the maximum time during which the GR Restarter performs GR. If LSDB synchronization is not complete when the T3 timer expires, the T3 timer is deleted and GR fails.
After restoring all routing entries, R1 starts to recalculate routes and updates the FIB table.
IS-IS GR command:
The graceful-restart command enables IS-IS GR.
LAND attack
Because of the vulnerability in the 3-way handshake mechanism of TCP, a LAND attacker sends SYN packets whose source address and port are the same as the destination address and port of the target device. After receiving the SYN packet, the target host creates a null TCP connection with the source and destination addresses as the address of the target host. The connection is kept until expiration. The target host will create many null TCP connections, wasting resources or causing device breakdown.
After defense against malformed packet attacks is enabled, the device checks source and destination addresses in TCP SYN packets to prevent LAND attacks. The device considers TCP SYN packets with
handshake of TCP. During the 3-way handshake of TCP, when receiving the initial SYN message from the client, the server sends back a SYN+ACK packet. When the server is waiting for the final ACK packet from the client, the connection stays in half-connected mode. If the server fails to receive the ACK packet, it resends a SYN+ACK packet to the client. If the server still cannot receive ACK packets, the server closes the connection and updates the session status in memory. The interval from the sending of the initial SYN+ACK packet to connection closing is about 30 seconds.
During this interval, the attacker may send more than 100 thousand SYN packets to the open interfaces and does not respond to the SYN+ACK packets from the server. Then, the memory of the server is overloaded and the server cannot accept new connection requests. As a result, the server closes all active connections.
After defense against TCP SYN flood attacks is enabled, the device limits the rate of TCP SYN packets so that system resources will not be exhausted by attacks.
the forwarding table contains the related entries and the interface of the default route matches the inbound interface of the packet.
• If route symmetry is ensured, you are advised to use the URPF strict check. For example, if there is only one path between two network edge devices, URPF strict check can be used to ensure network security.
Loose mode
• If route symmetry is not ensured, you are advised to use the URPF loose check. For example, if there are
IPSG principles
IPSG matches IP packets against a static or dynamic DHCP binding table. Before a network device forwards an IP packet, it compares the source IP address, source MAC address, interface, and VLAN information in the IP packet with entries in the binding table. If a matching entry is found, the device considers the IP packet valid and forwards it. Otherwise, the device considers the IP packet as an attack packet and discards it.
Working process
After IPSG is configured on S1, S1 checks the incoming IP packets against the binding table. When the packet information matches the binding table, the packets are forwarded; otherwise, the packets are discarded.
IPSG commands
bogus ARP packet using PC3's address as the source address to PC1. PC1 records an incorrect address mapping for PC3 in its ARP table. The attacker thus obtains the data sent by PC1 to PC3 and sent by PC3 to PC1. Therefore, information between PC1 and PC3 leaks.
To prevent MITM attacks, configure DAI on S1.
When an attacker connects to S1 and attempts to send a bogus ARP packet to S1, S1 detects the attack behavior according to the DHCP snooping binding table and discards the ARP packet. If the ARP discarding alarm is enabled on S1, when the number of discarded ARP
DAI command
The arp anti-attack check user-bind enable command enables DAI on an interface or in a VLAN. That is, the device checks ARP packets against the binding table.
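The binding-table check that IPSG applies to IP packets and DAI applies to ARP packets, as an added Python example that is not part of the original course material. The binding entries, interface names, and frames are constructed (documentation address ranges), frames are untagged, and the VLAN and inbound interface are passed in as ingress metadata.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ETH_IPV4, ETH_ARP = 0x0800, 0x0806


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def claimed_source(frame):
    """Return (kind, ip, mac) claimed by an untagged Ethernet frame, or None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    body = frame[14:]
    if ethertype == ETH_IPV4 and len(body) >= 20:
        # IPSG: source IP from the IPv4 header, source MAC from Ethernet.
        return "ip", str(IPv4Address(body[12:16])), fmt_mac(frame[6:12])
    if ethertype == ETH_ARP and len(body) >= 28:
        # DAI: sender protocol and hardware address from the ARP payload.
        return "arp", str(IPv4Address(body[14:18])), fmt_mac(body[8:14])
    return None


def check(frame, interface, vlan, table):
    """Forward only if (IP, MAC, VLAN, interface) matches a binding entry."""
    src = claimed_source(frame)
    if src is None:
        return "not-checked"          # neither IPv4 nor ARP
    _, ip, mac = src
    return "forward" if Binding(ip, mac, vlan, interface) in table else "discard"


def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip):
    # Minimal 20-byte IPv4 header; checksum left at 0, it is not validated here.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                      IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_IPV4) + hdr


def arp_frame(eth_src, sender_mac, sender_ip, target_ip, op=2):
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, op,
                      mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                      bytes(6), IPv4Address(target_ip).packed)
    return b"\xff" * 6 + mac_bytes(eth_src) + struct.pack("!H", ETH_ARP) + arp


# Constructed binding table for S1 (PC1, PC2 and PC3 on VLAN 10).
PC1 = Binding("192.0.2.1", "00:00:5e:00:53:01", 10, "GE0/0/1")
PC2 = Binding("192.0.2.2", "00:00:5e:00:53:02", 10, "GE0/0/2")
PC3 = Binding("192.0.2.3", "00:00:5e:00:53:03", 10, "GE0/0/3")
TABLE = {PC1, PC2, PC3}


def demo():
    cases = [
        # PC1 sends normal IP traffic on its own port.
        (ipv4_frame(PC1.mac, PC3.mac, PC1.ip, PC3.ip), "GE0/0/1"),
        # Host on PC2's port sources IP traffic from PC3's address.
        (ipv4_frame(PC2.mac, PC1.mac, PC3.ip, PC1.ip), "GE0/0/2"),
        # Host on PC2's port claims PC3's IP in an ARP reply.
        (arp_frame(PC2.mac, PC2.mac, PC3.ip, PC1.ip), "GE0/0/2"),
        # PC3 answers ARP for its own address on its own port.
        (arp_frame(PC3.mac, PC3.mac, PC3.ip, PC1.ip), "GE0/0/3"),
        # PC3's IP and MAC both copied, but arriving on the wrong port.
        (arp_frame(PC3.mac, PC3.mac, PC3.ip, PC1.ip), "GE0/0/2"),
    ]
    return [check(frame, port, 10, TABLE) for frame, port in cases]


if __name__ == "__main__":
    print(demo())
```

The last case shows why the interface and VLAN are part of the match: copying both the IP and the MAC of a bound host still fails when the frame arrives on a different port.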
QoS provides differentiated service qualities for different applications, for example, dedicated bandwidth, decreased packet loss ratio, short packet transmission delay, and decreased delay and jitter.
Best-effort service model
Routers and switches are packet switching devices. They select a transmission path for each packet based on TCP/IP and use the statistical multiplexing method, but do not use dedicated connections like TDM. Traditionally, IP provides only one service model (Best-Effort). In this model, all packets transmitted on a network have the same priority. Best-Effort
and jitter.
Strictly speaking, Best-Effort is not a QoS technology, but it is the major service model used on today's Internet, so we need to know about it.
Due to the Best-Effort model, the Internet has made a lot of achievements. However, with the development of the Internet, the Best-Effort model cannot meet increasing requirements of emerging applications. Therefore, the SPs have to provide more types of service based on the Best-Effort model, to meet requirements of each application.
IntServ model
The IntServ model, developed by IETF in 1993, supports various types of service on IP networks. It provides both real-time service and best-effort service on IP networks. The IntServ model reserves resources for each information flow. The source and destination hosts exchange RSVP messages to establish packet categories and forwarding status on each node along the transmission path. The model maintains a forwarding state for each flow, so it has poor extensibility. There are millions of flows on the Internet, which consume a large number of device resources. Therefore, this model is not widely used. In recent years, IETF has modified the RSVP protocol and defined that RSVP can be used together with the DiffServ model, especially in the MPLS VPN field. Therefore, RSVP has a new improvement. However, this model still has not been widely used. The DiffServ model addresses problems in the IntServ model, so the DiffServ model is a widely used QoS technology.
DiffServ model
The IntServ model has poor extensibility. After 1995, SPs and research organizations developed a new mechanism that supports various services. This mechanism has high extensibility. In 1997, IETF recognized that the service model in use is not applicable to network operation, and there should be a way to classify information flows and provide differentiated service for users and applications. Therefore, IETF developed the DiffServ model, which classifies flows on the Internet and provides differentiated service for them. The DiffServ model supports various applications and is applicable to many business models.
Precedence field
The 8-bit Type of Service (ToS) field in an IP packet header contains a 3-bit IP precedence field.
Bits 0 to 2 constitute the Precedence field, representing precedence values 7, 6, 5, 4, 3, 2, 1 and 0 in descending order of priority. The highest priorities (values 7 and 6) are reserved for routing and network control communication updates. User-level applications can use only priority values 0 to 5. Bits 6 and 7 are reserved.
Apart from the Precedence field, a ToS field also contains the D, T, and R sub-fields:
DSCP field
RFC 2474 redefines the ToS field. The right-most 6 bits identify service type and the left-most 2 bits are reserved. DSCP can classify traffic into 64 categories.
Each DSCP value matches a Behavior Aggregate (BA) and each BA matches a PHB (such as forward and discard), and then the PHB is implemented using some QoS mechanisms (such as traffic policing and queuing technologies).
DiffServ network defines four types of PHB: Expedited Forwarding (EF), Assured Forwarding (AF), Class Selector (CS), and Default PHB (BE PHB). EF PHB is applicable to the services that have high requirements on delay, packet loss, jitter, and bandwidth. AF PHBs are classified into four categories and each AF PHB category has three discard priorities to specifically classify services. The performance of AF PHB is lower than the performance of EF PHB. CS PHBs originate from IP ToS, and are classified into 8 categories. BE PHB is a special type in CS PHB, and does not provide any guarantee. Traffic on IP networks belongs to this category by default.
Priority mapping configuration
Configure the trusted packet priorities: Run the trust command to specify the packet priority to be mapped.
Configure the priority mapping table: Run the qos map-table command to enter the 802.1p or DSCP mapping table view, and run the input command to set the priority mappings.
Token bucket
A token bucket with a certain capacity stores tokens. The system places tokens into a token bucket at the configured rate. When the token bucket is full, excess tokens overflow and no token is added.
A token bucket forwards packets according to the number of tokens in the token bucket. If there are sufficient tokens in the token bucket for forwarding packets, the traffic rate is within the rate limit. Otherwise, the traffic rate is not within the rate limit.
Single-rate-single-bucket
parameters:
• Committed Information Rate (CIR): indicates the rate of putting tokens into bucket C, that is, the average traffic rate permitted by bucket C.
indicate the number of tokens in the bucket. Single-rate-double-bucket has three parameters:
• Committed Information Rate (CIR): indicates the rate of putting tokens into bucket C, that is, the average traffic
• If Tc is smaller than the CBS, Tc increases.
• If Tc is equal to the CBS and Te is smaller than the EBS, Te increases.
• If Tc is equal to the CBS and Te is equal to the EBS, Tc and Te do not increase.
B indicates the size of an arriving packet:
• If B is smaller than or equal to Tc, the packet is colored green, and Tc decreases by B.
• If B is greater than Tc and smaller than or equal to Te, the packet is colored yellow and Te decreases by B.
• If B is greater than Te, the packet is colored red, and Tc and Te remain unchanged.
Double-Rate-Double-Bucket
Two token buckets are available: bucket P and bucket C. Tp and Tc indicate the number of tokens in the bucket. Double-rate-double-bucket has four parameters:
• Peak information rate (PIR): indicates the rate at which tokens are put into bucket P, that is, the maximum
rate permitted by bucket C.
Traffic policing discards excess traffic to limit traffic within a proper range and to protect network resources and enterprises' interests.
Traffic policing consists of:
Meter: measures the network traffic using the token bucket mechanism and sends the measurement result to the marker.
Marker: colors packets in green, yellow, or red based on the measurement result received from the meter.
Action: takes actions based on packet coloring results (packets in green or yellow are forwarded and packets in red are discarded by default) received from the marker. The following actions are defined:
• Pass: forwards the packets that meet network requirements.
and forwards them.
• Discard: discards the packets that do not meet network requirements.
If the rate of a type of traffic exceeds the threshold, the device lowers the packet priority and then forwards or directly discards the packets. By default, these packets are discarded.
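The single-rate-double-bucket coloring rules given earlier and the meter, marker, and action chain described above, as an added Python example that is not part of the original course material. Byte units, millisecond timestamps, buckets that start full, and the sample packet trace are assumptions of this sketch.

```python
class SrTcm:
    """Single-rate-double-bucket meter with buckets C and E."""

    def __init__(self, cir, cbs, ebs):
        self.cir = cir          # token rate, bytes per second (assumed unit)
        self.cbs = cbs          # capacity of bucket C, bytes
        self.ebs = ebs          # capacity of bucket E, bytes
        self.tc = cbs           # assumption: both buckets start full
        self.te = ebs
        self.last_ms = 0
        self.credit = 0         # fractional tokens, in 1/1000 byte

    def refill(self, now_ms):
        """Add the tokens earned since the last packet, C first, then E."""
        self.credit += self.cir * (now_ms - self.last_ms)
        self.last_ms = now_ms
        tokens, self.credit = divmod(self.credit, 1000)
        to_c = min(tokens, self.cbs - self.tc)     # Tc < CBS: Tc increases
        self.tc += to_c
        # Tc == CBS: the remainder goes to Te, capped at EBS.
        self.te = min(self.ebs, self.te + tokens - to_c)

    def color(self, now_ms, size):
        """Meter and mark one packet of `size` bytes arriving at `now_ms`."""
        self.refill(now_ms)
        if size <= self.tc:
            self.tc -= size
            return "green"
        if size <= self.te:
            self.te -= size
            return "yellow"
        return "red"            # Tc and Te remain unchanged


# Default actions stated in the text: green and yellow pass, red is discarded.
DEFAULT_ACTIONS = {"green": "pass", "yellow": "pass", "red": "discard"}


def police(meter, packets, actions=DEFAULT_ACTIONS):
    """Run (arrival_ms, size) pairs through meter, marker and action."""
    results = []
    for now_ms, size in packets:
        c = meter.color(now_ms, size)
        results.append((size, c, actions[c]))
    return results


# Constructed trace: a 5-packet burst at t=0, then two later packets.
SAMPLE = [(0, 1000), (0, 1000), (0, 1000), (0, 1000), (0, 1000),
          (500, 1000), (2500, 400)]


def demo():
    return police(SrTcm(cir=1000, cbs=1500, ebs=3000), SAMPLE)


if __name__ == "__main__":
    for size, c, action in demo():
        print(size, c, action)
```

The burst drains bucket C after one packet and bucket E after three more, so only the fifth packet is red; the later packets are green again because refilled tokens go to bucket C first.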
range and to protect network resources and enterprises' interests.
types and places them into different queues.
If the queue that packets enter is not configured with traffic shaping, the packets are immediately sent. Packets requiring queuing proceed to the next step.
The system places tokens to the bucket at the specified rate (CIR):
• If there are sufficient tokens in the bucket, the device forwards the packets and the number of tokens decreases.
places the packets into the buffer queue. When the buffer queue is full, packets are discarded.
When there are packets in the buffer queue, the system extracts the packets from the queue and sends them periodically. Each time the system sends a packet, it compares the number of packets with the number of tokens till the tokens are insufficient to send packets or all the packets are sent.
command to apply the queue profile to an interface.
If the rate of incoming packets on an interface is higher than the rate of outgoing packets, the interface is congested. If there is insufficient space for storing the packets, some packets are discarded. When packets are discarded, hosts or routers retransmit the packets, leading to a vicious circle.
When congestion occurs, multiple packets preempt resources. The packets that cannot obtain resources are discarded. The bandwidth, delay, and jitter of key services cannot be ensured. The core of congestion management is to decide the resource scheduling policy that specifies the packet forwarding sequence. Generally, devices use the queue technology to cope with congestion. The queue technology involves queue creation, traffic classifier, and queue scheduling. Initially, there was only one queue scheduling policy, that is, First-in-First-out. To meet different service requirements, more scheduling policies have been developed.
Queue scheduling mechanisms include hardware queue scheduling
Configuration commands:
Run the qos queue-profile queue-profile-name command to create a queue profile and display the queue profile view.
On the WAN-side interface, run the schedule { { pq start-queue-index [ to end-queue-index ] } | { wfq start-queue-index [ to end-queue-index ] } } command to set a scheduling mode for each queue on the WAN-side interface.
On the LAN-side interface, run the schedule { { pq start-queue-index [ to end-queue-index ] } | { drr start-queue-index [ to end-queue-index ] } | { wrr start-queue-index [ to end-queue-index ] } } command to set a scheduling mode for each queue on the LAN-side interface.
Run the qos queue-profile queue-profile-name command to apply the queue profile to an interface.
FIFO characteristics:
Advantages:
• Simple
Disadvantages:
• Unfair and no separation between flows. A large flow will occupy the bandwidth of other flows, which
lower transmission speed because it is a
RR
Advantages:
• Different flows are separated, and bandwidth is equally allocated to queues.
• Available bandwidth is equally allocated to other queues.
Disadvantages:
• Weights cannot be configured for the queues.
• When queues have different packet lengths, scheduling is inaccurate.
• When scheduling rate is low, delay and jitter indicators will deteriorate. For example, when a packet arrives at
scheduled. In this situation, jitter is serious. However, if scheduling rate is high, the delay is short. The RR
WRR scheduling, the scheduling chance obtained by a queue is in direct proportion to the weight of the queue. During the WRR scheduling, the empty queue is directly skipped. Therefore, when there is a small volume of traffic in a queue, the remaining bandwidth of the queue is used by the queues according to a certain proportion.
Advantages:
• Bandwidth is allocated based on weights, and the remaining bandwidth of a queue is equally allocated to
in a timely manner.
• It is easy to implement.
Bottom. However, most devices support eight-level queues. Packets in queues with a low priority can be scheduled only after all packets in queues with a high priority have been scheduled. Therefore, PQ has obvious advantages and disadvantages.
PQ ensures that the packets in high-priority queues obtain high bandwidth, low delay and jitter; however, the packets in low-priority queues cannot be scheduled in a timely manner or even cannot be scheduled. As a result, the lower-priority
mechanism.
• When the queue length is set to 0, the queue length
can be infinite. That is, the packets entering this queue
are not discarded by Tail Drop unless the memory
space is exhausted.
• The FIFO logic is used inside the queue.
• The packets in low-priority queues are scheduled only
after all packets in high-priority queues are scheduled.
PQ ensures high quality for specified service traffic, but does
not care about the quality of other services.
Advantages:
• Precisely controls the delay of high-priority queues.
• Easy to implement, differentiating services
Disadvantages:
• Cannot allocate bandwidth as required. When high-
priority queues have many packets, the packets in low-
priority queues cannot be scheduled.
• It shortens the delay of high-priority queues by
compromising the service quality of low-priority queues.
• If a high-priority queue transmits TCP packets and a
low-priority queue transmits UDP packets, the TCP
packets are transmitted at a high speed, while UDP
packets cannot obtain sufficient bandwidth.
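The WRR and PQ descriptions above, compared in an added simulation that is not Huawei code: with every queue backlogged, PQ gives all sending opportunities to the highest-priority queue, while WRR shares them in proportion to the weights and skips empty queues. The queue names, the 3:2:1 weights and the backlog sizes are constructed for the example.

```python
from collections import deque

def make_queues(backlog):
    """backlog: {queue_name: packet_count} -> FIFO queues of packet labels."""
    return {q: deque(f"{q}-{i}" for i in range(n)) for q, n in backlog.items()}

def pq_schedule(queues, priority_order, slots):
    """Strict priority: each slot goes to the highest-priority non-empty queue."""
    out = []
    for _ in range(slots):
        for q in priority_order:
            if queues[q]:
                out.append(queues[q].popleft())
                break
    return out

def wrr_schedule(queues, weights, slots):
    """WRR: per round, queue q may send weights[q] packets; empty queues are skipped."""
    out = []
    while len(out) < slots and any(queues.values()):
        for q, w in weights.items():
            for _ in range(w):
                if not queues[q] or len(out) >= slots:
                    break
                out.append(queues[q].popleft())
    return out

def share(sent):
    """Count the packets served per queue."""
    counts = {}
    for label in sent:
        q = label.rsplit("-", 1)[0]
        counts[q] = counts.get(q, 0) + 1
    return counts

def compare(backlog, slots=60):
    """Run both schedulers over the same backlog for the same number of slots."""
    order = ["high", "mid", "low"]               # constructed priority order
    weights = {"high": 3, "mid": 2, "low": 1}    # constructed WRR weights
    pq = share(pq_schedule(make_queues(backlog), order, slots))
    wrr = share(wrr_schedule(make_queues(backlog), weights, slots))
    return pq, wrr

if __name__ == "__main__":
    print(compare({"high": 100, "mid": 100, "low": 100}))
    print(compare({"high": 0, "mid": 100, "low": 100}))
```

The first run shows the starvation risk of PQ: any source able to keep the high-priority queue full denies service to every other queue, so traffic admitted to that queue should be classified and rate limited upstream.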
CQ
The number of bytes to be scheduled must be specified for each queue. A packet can be scheduled only when its length exceeds the specified byte size. If the configured byte size is too small, the queue may be congested. If the configured byte size is small, bandwidth allocation is inaccurate. For example, 500 bytes is specified for a queue, while most packets in the queue exceed 1000 bytes. Therefore, the bandwidth actually allocated is higher than the expected bandwidth. If the number of bytes specified is large, it is difficult to control the delay. CQ can schedule multiple packets each time. The number of
an IP network, the packets with the same source IP addresses, destination IP addresses, protocol numbers, and IP precedence belong to the same flow. On an MPLS network, the packets with the same labels and EXP fields belong to the same flow. WFQ assigns each flow to a queue, and tries to assign different flows to different queues. When packets leave the queues, WFQ allocates the bandwidth on the outbound interface for each flow according to the weights. The smaller the weight value of the flow is, the smaller the bandwidth the flow obtains. The greater the weight value of the flow is, the
Congestion Avoidance
Tail drop is a traditional method in the congestion avoidance mechanism. When the length of a queue reaches the maximum value, all the packets are discarded. If too many TCP packets are dropped, TCP times out. This may result in TCP slow start and trigger the congestion avoidance mechanism so that the device slows down the transmission of TCP packets. When queues drop packets of several TCP connections at the same time, these TCP connections start congestion avoidance and slow start, which is referred to as global TCP synchronization. Thus, these TCP connections
the bottom and the peak. The delay and jitter of certain traffic are affected.
The traditional packet loss policy uses the tail drop method.
When the queue length reaches the upper limit, the excess
packets (buffered at the queue tail) are discarded.
To prevent global TCP synchronization, Random Early
Detection (RED) is used. The RED technique randomly
discards packets to prevent the transmission speed of multiple
TCP connections from being reduced simultaneously. The
TCP rate and network traffic volume thus are stable.
The device provides Weighted Random Early Detection
(WRED) based on RED technology. WRED discards packets
in queues based on DSCP field or IP precedence. The upper
drop threshold, lower drop threshold, and drop probability can
be set for each priority. When the number of packets of a
priority reaches the lower drop threshold, the device starts to
discard packets. When the number of packets reaches the
upper drop threshold, the device discards all the packets. A
higher threshold indicates a high drop probability. The
maximum drop probability cannot exceed the upper drop
threshold. WRED discards packets in queues based on the
drop probability, thereby relieving congestion.
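The per-priority drop decision described above, as an added sketch that is not Huawei code: each DSCP value has a lower threshold, an upper threshold and a maximum discard percentage. The linear ramp between the two thresholds is the usual WRED curve and is assumed here, as are the sample profile values and the tail-drop fallback for DSCP values without a profile.

```python
import random

# Constructed drop profiles: DSCP -> (low-limit %, high-limit %, discard %).
PROFILE = {
    46: (80, 100, 10),   # EF: dropped late and rarely
    0:  (30, 60, 50),    # best effort: dropped early and often
}
TAIL_DROP = (100, 100, 100)   # assumed fallback: nothing dropped until the queue is full

def drop_probability(dscp, queue_fill_pct, profile=PROFILE):
    """Drop probability (0.0-1.0) for a packet at the given queue fill level."""
    low, high, max_pct = profile.get(dscp, TAIL_DROP)
    if queue_fill_pct < low:
        return 0.0                      # below the lower threshold: never dropped
    if queue_fill_pct >= high:
        return 1.0                      # upper threshold reached: discard all
    # Assumed linear ramp from 0 at low-limit up to discard-percentage at high-limit.
    return (queue_fill_pct - low) / (high - low) * max_pct / 100.0

def simulate(dscp, queue_fill_pct, packets=10000, seed=1):
    """Count how many of a batch of packets are dropped at a fixed fill level."""
    rng = random.Random(seed)           # seeded so the run is repeatable
    p = drop_probability(dscp, queue_fill_pct)
    return sum(1 for _ in range(packets) if rng.random() < p)

if __name__ == "__main__":
    for fill in (20, 45, 60, 90, 100):
        print(fill, drop_probability(0, fill), drop_probability(46, fill))
```

At 45% fill the best-effort profile already drops a quarter of its packets while EF traffic is untouched, which is the differentiated early-drop behaviour that keeps many TCP flows from backing off at the same moment.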
WRED configuration:
• Configure a drop profile.
• Run the drop-profile drop-profile-name command to create a drop profile and enter the drop profile view.
• Run the dscp { dscp-value1 [ to dscp-value2 ] } &<1-10> low-limit low-limit-percentage high-limit high-limit-percentage discard-percentage discard-percentage command to set DSCP-based WRED parameters.
• Run the ip-precedence { ip-precedence-value1 [ to ip-precedence-value2 ] } &<1-10> low-limit low-limit-percentage high-limit high-limit-percentage command to set IP precedence-based WRED parameters.
• Apply the drop profile.
profile-name command to bind a drop profile to a queue in a queue profile.
• Run the qos queue-profile queue-profile-name command to apply the queue profile to an interface.
Traffic classification is used to identify the packets with certain characteristics according to a rule, and is the prerequisite and basis for differentiated services. You can define rules to classify packets and specify the relationships between rules:
AND: Packets match a traffic classifier only when the packets match all the rules. If a traffic classifier contains ACL rules, packets match the traffic classifier only when the packets match one ACL rule and all the non-ACL rules. If a traffic classifier does not contain ACL rules, packets match the traffic classifier only when the packets match all the non-ACL rules.
OR: Packets match a traffic classifier as long as the packets match a rule.
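The AND and OR relationships described above, as an added sketch that is not Huawei code. It shows the case that is easy to misread when reviewing a policy: under AND, a packet needs only one of the ACL rules, but every non-ACL rule. The rule helpers, the sample classifier and the packets are constructed for the example.

```python
import ipaddress

def acl_src(prefix):
    """ACL-type rule: source address inside prefix (constructed stand-in for an ACL)."""
    net = ipaddress.ip_network(prefix)
    return ("acl", lambda pkt: ipaddress.ip_address(pkt["src"]) in net)

def field_is(name, value):
    """Non-ACL rule: exact match on one packet field such as dscp or vlan."""
    return ("non-acl", lambda pkt: pkt.get(name) == value)

def matches(operator, rules, pkt):
    """Apply the AND / OR relationship between rules as the text describes it."""
    if operator == "or":
        return any(test(pkt) for _, test in rules)
    acl = [test for kind, test in rules if kind == "acl"]
    other = [test for kind, test in rules if kind != "acl"]
    # AND: one ACL rule is enough (when ACL rules exist); every non-ACL rule must hit.
    acl_ok = any(test(pkt) for test in acl) if acl else True
    return acl_ok and all(test(pkt) for test in other)

# Constructed classifier: two ACL rules plus two non-ACL rules.
RULES = [acl_src("10.1.0.0/16"), acl_src("10.2.0.0/16"),
         field_is("dscp", 46), field_is("vlan", 10)]

# Constructed packets.
PACKETS = {
    "one_acl_all_fields": {"src": "10.1.5.5", "dscp": 46, "vlan": 10},
    "acl_but_wrong_vlan": {"src": "10.2.5.5", "dscp": 46, "vlan": 20},
    "no_acl_all_fields":  {"src": "192.0.2.1", "dscp": 46, "vlan": 10},
    "nothing_matches":    {"src": "192.0.2.1", "dscp": 0, "vlan": 20},
}

def evaluate(operator):
    """Result of the classifier for every sample packet under the given operator."""
    return {name: matches(operator, RULES, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    print("and:", evaluate("and"))
    print("or: ", evaluate("or"))
```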
A traffic behavior refers to an action taken for packets. Performing traffic classification is to provide differentiated services. A traffic classifier takes effect only when it is associated with a
behavior to a traffic classifier to a traffic behavior in a traffic policy.
Run the traffic-policy policy-name { inbound | outbound } command to apply a traffic policy to the interface or sub-interface in the inbound or outbound direction.
SNMP model
NMS station is the manager in a network management system. It uses the SNMP protocol to manage and monitor the network. The NMS software runs on an NMS server.
Agent is a process on the managed device. The agent maintains data on the managed device, receives and processes the request packets from the NMS, and then sends the response packets to the NMS.
Management object is the object to be managed. A device may have multiple management objects, including a hardware component (such as an interface board) and parameters (such as a routing protocol) configured for the hardware or software.
MIB is a database specifying variables that are maintained by the managed device and can be queried or set by the agent. MIB defines attributes of the managed device, including the name, status, access rights, and data type of objects.
Operations of SNMPv1 and SNMPv2c
Get: reads one or several parameter values from the MIB of the agent process.
GetNext: reads the next parameter value from the MIB of the agent process.
Set: sets one or several parameter values in the MIB of the agent process.
Response: returns one or more queried values. The agent performs this operation in response to the GetRequest, GetNextRequest, SetRequest, and GetBulkRequest operations. Upon receiving a Get or Set request, the agent performs the Query or Modify operation using MIB tables and then sends the responses to the NMS.
agent.
The agent responds and returns requested parameters to the NMS.
The NMS sends a Get request carrying security parameters to the agent.
The agent encrypts the response packet and returns the required parameters to the NMS.
NQA Principles
Creating a test instance
• NQA requires two test ends, an NQA client and an NQA server (or called the source and destination). The NQA client (or the source) initiates an NQA test. You can configure test instances through command lines or the NMS. Then NQA places the test instances into test queues for scheduling.
Starting the test instance
start the test instance immediately, at a specified time,
protocol packet.
Processing a test instance
• After a test instance starts, the protocol-related running
status can be collected according to response packets.
The client adds a timestamp to a test packet based on
the local system time before sending the packet to the
server. After receiving the test packet, the server sends
a response packet to the client. The client then adds a
timestamp to the received response packet based on
the current local system time. This helps the client
calculate the round-trip time (RTT) of the test packet
based on the two timestamps.
An NQA ICMP test instance checks whether a route from the NQA
client to the destination is reachable. The ICMP test has a similar
function as the ping command, while the ICMP test provides more
output information:
By default, the command output shows the results of the latest five
tests.
The output includes the average delay, the packet loss ratio, and the
time the last packet is correctly received.
Test Procedure
Source (R1) sends an ICMP echo request packet to the destination
(R2).
After receiving the ICMP echo request packet, the destination (R2) responds to the source (R1) with an ICMP echo reply packet.
The source (R1) then can calculate the time of communication between the source (R1) and the destination (R2) by subtracting the time the source sends the ICMP echo request packet from the time the source receives the ICMP echo reply packet. The calculated data can reflect the network performance and operating status.
NTP synchronization process
R1 sends an NTP packet to R2. The packet carries a timestamp, 10:00:00 am (T1), indicating the time it leaves R1.
When the NTP packet reaches R2, R2 adds a timestamp, 11:00:01 am (T2), to the NTP packet, indicating the time R2 receives the packet.
When the NTP packet leaves R2, R2 adds a transmit timestamp, 11:00:02 am (T3), to the NTP packet, indicating the time it leaves R2.
When R1 receives this response packet, it adds a new receive timestamp, 10:00:03 am (T4), to the packet. R1 uses the received information to calculate the following two important parameters:
• Roundtrip delay of the NTP packet: Delay = (T4 - T1) - (T3 - T2)
After the calculation, R1 knows that the roundtrip delay is 2 seconds and the clock offset of R1 is 1 hour. R1 sets its own clock based on