HP 5500 Ei 5500 Si Switch Series Configuration Guide

    After the configuration is completed, Host A and Host B send IGMP join messages for group
    224.1.1.1. Receiving the messages, Switch A sends a join message for the group out of port
    GigabitEthernet 1/0/1 (a router port) to Router A.
    Use the display igmp-snooping group command and the display igmp group command to display
    information about IGMP snooping groups and IGMP multicast groups. For example:
    # Display information about IGMP snooping groups on Switch A. 
    [SwitchA] display igmp-snooping group 
      Total 1 IP Group(s). 
      Total 1 IP Source(s). 
      Total 1 MAC Group(s). 
     
      Port flags: D-Dynamic port, S-Static port, C-Copy port, P-PIM port 
      Subvlan flags: R-Real VLAN, C-Copy VLAN 
      Vlan(id):100. 
        Total 1 IP Group(s). 
        Total 1 IP Source(s). 
        Total 1 MAC Group(s). 
        Router port(s):total 1 port. 
                GE1/0/1                (D) ( 00:01:23 ) 
        IP group(s):the following ip group(s) match to one mac group. 
          IP group address:224.1.1.1 
            (0.0.0.0, 224.1.1.1): 
              Host port(s):total 2 port. 
                GE1/0/3                (D) 
                GE1/0/4                (D) 
        MAC group(s): 
          MAC group address:0100-5e01-0101 
              Host port(s):total 2 port. 
                GE1/0/3 
                GE1/0/4 
    # Display information about IGMP multicast groups on Router A. 
    [RouterA] display igmp group 
    Total 1 IGMP Group(s). 
    Interface group report information of VPN-Instance: public net 
     GigabitEthernet1/0/1(10.1.1.1): 
       Total 1 IGMP Group reported 
        Group Address    Last Reporter    Uptime    Expires 
        224.1.1.1        0.0.0.0          00:00:06  00:02:04 
    When Host A leaves the multicast group, it sends an IGMP leave message to Switch A. Receiving
    the message, Switch A removes port GigabitEthernet 1/0/4 from the member port list of the
    forwarding entry for the group; however, it does not remove the group or forward the leave
    message to Router A because Host B is still in the group. Use the display igmp-snooping group
    command to display information about IGMP snooping groups. For example:
    # Display information about IGMP snooping groups on Switch A. 
    [SwitchA] display igmp-snooping group 
      Total 1 IP Group(s). 
      Total 1 IP Source(s). 
      Total 1 MAC Group(s).

      Port flags: D-Dynamic port, S-Static port, C-Copy port, P-PIM port 
      Subvlan flags: R-Real VLAN, C-Copy VLAN 
      Vlan(id):100. 
        Total 1 IP Group(s). 
        Total 1 IP Source(s). 
        Total 1 MAC Group(s). 
        Router port(s):total 1 port. 
                GE1/0/1                (D) ( 00:01:23 ) 
        IP group(s):the following ip group(s) match to one mac group. 
          IP group address:224.1.1.1 
            (0.0.0.0, 224.1.1.1): 
              Host port(s):total 1 port. 
                GE1/0/3                (D) 
        MAC group(s): 
          MAC group address:0100-5e01-0101 
              Host port(s):total 1 port. 
                GE1/0/3 
    Multicast source and user control policy configuration example 
    Network requirements 
    As shown in Figure 18, Switch A is a Layer-3 switch. Switch A runs IGMPv2 and Switch B runs IGMPv2
    snooping. Multicast sources and hosts run 802.1X client.
    A multicast source control policy is configured on Switch A to block multicast flows from Source 2 to
    224.1.1.1.
    A multicast user control policy is configured on Switch B so that Host A can join or leave only multicast
    group 224.1.1.1.
    Figure 18  Network diagram  
     
     
    Configuration procedures 
    1. Configure IP addresses for interfaces:
    Configure an IP address and subnet mask for each interface as per Figure 18. (Details not shown.)
    2. Configure Switch A: 
    # Create VLAN 101 through VLAN 104 and assign GigabitEthernet 1/0/1 through 
    GigabitEthernet 1/0/4 to the four VLANs respectively.  
    <SwitchA> system-view
    [SwitchA] vlan 101 
    [SwitchA-vlan101] port gigabitethernet 1/0/1 
    [SwitchA-vlan101] quit 
    [SwitchA] vlan 102 
    [SwitchA-vlan102] port gigabitethernet 1/0/2 
    [SwitchA-vlan102] quit 
    [SwitchA] vlan 103 
    [SwitchA-vlan103] port gigabitethernet 1/0/3 
    [SwitchA-vlan103] quit 
    [SwitchA] vlan 104 
    [SwitchA-vlan104] port gigabitethernet 1/0/4 
    [SwitchA-vlan104] quit 
    # Enable IP multicast routing. Enable PIM-DM on VLAN-interface 101, VLAN-interface 102 and
    VLAN-interface 104, and enable IGMP on VLAN-interface 104.
    [SwitchA] multicast routing-enable 
    [SwitchA] interface vlan-interface 101 
    [SwitchA-Vlan-interface101] pim dm 
    [SwitchA-Vlan-interface101] quit 
    [SwitchA] interface vlan-interface 102 
    [SwitchA-Vlan-interface102] pim dm 
    [SwitchA-Vlan-interface102] quit 
    [SwitchA] interface vlan-interface 104 
    [SwitchA-Vlan-interface104] pim dm 
    [SwitchA-Vlan-interface104] igmp enable 
    [SwitchA-Vlan-interface104] quit 
    # Create QoS policy policy1 to block multicast flows from Source 2 to 224.1.1.1.
    [SwitchA] acl number 3001
    [SwitchA-acl-adv-3001] rule permit udp source 2.1.1.1 0 destination 224.1.1.1 0
    [SwitchA-acl-adv-3001] quit
    [SwitchA] traffic classifier classifier1
    [SwitchA-classifier-classifier1] if-match acl 3001
    [SwitchA-classifier-classifier1] quit
    [SwitchA] traffic behavior behavior1
    [SwitchA-behavior-behavior1] filter deny 
    [SwitchA-behavior-behavior1] quit 
    [SwitchA] qos policy policy1 
    [SwitchA-qospolicy-policy1] classifier classifier1 behavior behavior1 
    [SwitchA-qospolicy-policy1] quit 
    # Create user profile profile1, apply QoS policy policy1 to the inbound direction in user profile
    view, and enable the user profile.
    [SwitchA] user-profile profile1 
    [SwitchA-user-profile-profile1] qos apply policy policy1 inbound 
    [SwitchA-user-profile-profile1] quit
    [SwitchA] user-profile profile1 enable 
    # Create RADIUS scheme scheme1; set the service type for the RADIUS server to extended; specify
    the IP addresses of the primary authentication/authorization server and accounting server as
    3.1.1.1; set the shared keys to 123321; specify that no domain name is carried in a username
    sent to the RADIUS server.
    [SwitchA] radius scheme scheme1 
    [SwitchA-radius-scheme1] server-type extended 
    [SwitchA-radius-scheme1] primary authentication 3.1.1.1 
    [SwitchA-radius-scheme1] key authentication 123321 
    [SwitchA-radius-scheme1] primary accounting 3.1.1.1 
    [SwitchA-radius-scheme1] key accounting 123321 
    [SwitchA-radius-scheme1] user-name-format without-domain 
    [SwitchA-radius-scheme1] quit 
    # Create ISP domain domain1; reference scheme1 for the authentication, authorization, and
    accounting of LAN users; specify domain1 as the default ISP domain.
    [SwitchA] domain domain1
    [SwitchA-isp-domain1] authentication lan-access radius-scheme scheme1
    [SwitchA-isp-domain1] authorization lan-access radius-scheme scheme1
    [SwitchA-isp-domain1] accounting lan-access radius-scheme scheme1
    [SwitchA-isp-domain1] quit
    [SwitchA] domain default enable domain1 
    # Globally enable 802.1X and then enable it on GigabitEthernet 1/0/1 and GigabitEthernet 
    1/0/2 respectively.  
    [SwitchA] dot1x 
    [SwitchA] interface gigabitethernet 1/0/1 
    [SwitchA-GigabitEthernet1/0/1] dot1x 
    [SwitchA-GigabitEthernet1/0/1] quit 
    [SwitchA] interface gigabitethernet 1/0/2 
    [SwitchA-GigabitEthernet1/0/2] dot1x 
    [SwitchA-GigabitEthernet1/0/2] quit 
    3. Configure Switch B: 
    # Globally enable IGMP snooping.  
    <SwitchB> system-view
    [SwitchB] igmp-snooping 
    [SwitchB-igmp-snooping] quit 
    # Create VLAN 104, assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to this VLAN, 
    and enable IGMP snooping in this VLAN.  
    [SwitchB] vlan 104 
    [SwitchB-vlan104] port gigabitethernet 1/0/1 to gigabitethernet 1/0/3 
    [SwitchB-vlan104] igmp-snooping enable 
    [SwitchB-vlan104] quit 
    # Create a user profile profile2 to allow users to join or leave only one multicast group, 224.1.1.1.
    Then, enable the user profile.
    [SwitchB] acl number 2001 
    [SwitchB-acl-basic-2001] rule permit source 224.1.1.1 0 
    [SwitchB-acl-basic-2001] quit 
    [SwitchB] user-profile profile2
    [SwitchB-user-profile-profile2] igmp-snooping access-policy 2001 
    [SwitchB-user-profile-profile2] quit 
    [SwitchB] user-profile profile2 enable 
    # Create a RADIUS scheme scheme2; set the service type for the RADIUS server to extended;
    specify the IP addresses of the primary authentication/authorization server and accounting server
    as 3.1.1.1; set the shared keys to 321123; specify that a username sent to the RADIUS server
    carry no domain name.
    [SwitchB] radius scheme scheme2 
    [SwitchB-radius-scheme2] server-type extended 
    [SwitchB-radius-scheme2] primary authentication 3.1.1.1 
    [SwitchB-radius-scheme2] key authentication 321123 
    [SwitchB-radius-scheme2] primary accounting 3.1.1.1 
    [SwitchB-radius-scheme2] key accounting 321123 
    [SwitchB-radius-scheme2] user-name-format without-domain 
    [SwitchB-radius-scheme2] quit 
    # Create an ISP domain domain2; reference scheme2 for the authentication, authorization, and
    accounting of LAN users; specify domain2 as the default ISP domain.
    [SwitchB] domain domain2
    [SwitchB-isp-domain2] authentication lan-access radius-scheme scheme2
    [SwitchB-isp-domain2] authorization lan-access radius-scheme scheme2
    [SwitchB-isp-domain2] accounting lan-access radius-scheme scheme2
    [SwitchB-isp-domain2] quit
    [SwitchB] domain default enable domain2 
    # Globally enable 802.1X and then enable it on GigabitEthernet 1/0/2 and GigabitEthernet 
    1/0/3 respectively.  
    [SwitchB] dot1x 
    [SwitchB] interface gigabitethernet 1/0/2 
    [SwitchB-GigabitEthernet1/0/2] dot1x 
    [SwitchB-GigabitEthernet1/0/2] quit 
    [SwitchB] interface gigabitethernet 1/0/3 
    [SwitchB-GigabitEthernet1/0/3] dot1x 
    [SwitchB-GigabitEthernet1/0/3] quit 
    4. Configure the RADIUS server: 
    On the RADIUS server, configure the parameters related to Switch A and Switch B. For more 
    information, see the configuration guide of the RADIUS server.  
    5. Verify the configuration: 
    After the configurations, the two multicast sources and hosts initiate 802.1X authentication. After
    passing authentication, Source 1 sends multicast flows to 224.1.1.1 and Source 2 sends multicast
    flows to 224.1.1.2; Host A sends messages to join multicast groups 224.1.1.1 and 224.1.1.2.
    Use the display igmp-snooping group command to display information about IGMP snooping
    groups. For example:
    # Display information about IGMP snooping groups in VLAN 104 on Switch B. 
    [SwitchB] display igmp-snooping group vlan 104 verbose 
      Total 1 IP Group(s). 
      Total 1 IP Source(s). 
      Total 1 MAC Group(s).

      Port flags: D-Dynamic port, S-Static port, C-Copy port, P-PIM port 
      Subvlan flags: R-Real VLAN, C-Copy VLAN 
      Vlan(id):104. 
        Total 1 IP Group(s). 
        Total 1 IP Source(s). 
        Total 1 MAC Group(s). 
        Router port(s):total 1 port. 
                GE1/0/1                (D) ( 00:01:30 ) 
        IP group(s):the following ip group(s) match to one mac group. 
          IP group address:224.1.1.1 
            (0.0.0.0, 224.1.1.1): 
              Attribute:    Host Port 
              Host port(s):total 1 port. 
                GE1/0/3                (D) ( 00:04:10 ) 
        MAC group(s): 
          MAC group address:0100-5e01-0101 
              Host port(s):total 1 port. 
                GE1/0/3 
    The output shows that GigabitEthernet 1/0/3 on Switch B has joined 224.1.1.1 but not
    224.1.1.2.
    Assume that Source 2 starts sending multicast traffic to 224.1.1.1. Use the display multicast
    forwarding-table command to display the multicast forwarding table information.
    # Display information about 224.1.1.1 in the multicast forwarding table on Switch A.
    [SwitchA] display multicast forwarding-table 224.1.1.1 
    Multicast Forwarding Table of VPN-Instance: public net 
     
    Total 1 entry 
     
    Total 1 entry matched 
    00001. (1.1.1.1, 224.1.1.1) 
         MID: 0, Flags: 0x0:0 
         Uptime: 00:08:32, Timeout in: 00:03:26 
         Incoming interface: Vlan-interface101 
         List of 1 outgoing interfaces: 
           1: Vlan-interface104 
         Matched 19648 packets(20512512 bytes), Wrong If 0 packets 
         Forwarded 19648 packets(20512512 bytes) 
    The output shows that Switch A maintains a multicast forwarding entry for multicast packets from
    Source 1 to 224.1.1.1. No forwarding entry exists for packets from Source 2 to 224.1.1.1, which
    indicates that multicast packets from Source 2 are blocked.
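
The verification in step 5, and the leave example earlier on this page, both depend on reading host ports out of display igmp-snooping group output. The following Python code is an added example, not part of the HP guide: it parses that output and flags any port that has joined a group outside its allowed set. The sample text is constructed in the page's output format, and the (VLAN, port) to allowed-groups table is an assumption.

```python
import ipaddress
import re

# Constructed sample in the format of the "display igmp-snooping group" output
# on this page, with a second group added so the check has something to flag.
SAMPLE = """\
  Vlan(id):104.
    Router port(s):total 1 port.
            GE1/0/1                (D) ( 00:01:30 )
    IP group(s):the following ip group(s) match to one mac group.
      IP group address:224.1.1.1
        (0.0.0.0, 224.1.1.1):
          Host port(s):total 1 port.
            GE1/0/3                (D) ( 00:04:10 )
      IP group address:224.1.1.2
        (0.0.0.0, 224.1.1.2):
          Host port(s):total 1 port.
            GE1/0/3                (D) ( 00:00:12 )
    MAC group(s):
      MAC group address:0100-5e01-0101
          Host port(s):total 1 port.
            GE1/0/3
"""

def parse_snooping(text):
    """Return {vlan: {group_ip: [host ports]}} from the IP group section."""
    result, vlan, group, in_hosts = {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Vlan\(id\):(\d+)", line):
            vlan, group, in_hosts = int(m.group(1)), None, False
            result[vlan] = {}
        elif m := re.match(r"IP group address:(\S+)", line):
            group, in_hosts = m.group(1), False
            result.setdefault(vlan, {})[group] = []
        elif line.startswith("MAC group"):
            group, in_hosts = None, False  # MAC entries repeat the same ports
        elif line.startswith("Host port(s)"):
            in_hosts = group is not None   # router ports are never collected
        elif in_hosts and (m := re.match(r"[A-Za-z-]+\d+(?:/\d+)+", line)):
            result[vlan][group].append(m.group(0))
    return result

def violations(snooping, allowed):
    """allowed maps (vlan, port) -> permitted groups (assumed policy table)."""
    out = []
    for vlan, groups in snooping.items():
        for group, ports in groups.items():
            for port in ports:
                permitted = allowed.get((vlan, port))
                if permitted is not None and group not in permitted:
                    out.append((vlan, port, group))
    return sorted(out)

def group_mac(group_ip):
    """MAC group address for an IPv4 group: 0100-5e plus the low 23 bits."""
    low23 = int(ipaddress.IPv4Address(group_ip)) & 0x7FFFFF
    h = f"{0x01005E000000 | low23:012x}"
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"

if __name__ == "__main__":
    policy = {(104, "GE1/0/3"): {"224.1.1.1"}}
    print(violations(parse_snooping(SAMPLE), policy))
    print(group_mac("224.1.1.1"))
```

With the user control policy working as configured on Switch B, the violation list for the real output is empty; a non-empty list means a join was accepted that the policy should have rejected.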
    						
    Troubleshooting IGMP snooping 
    Layer 2 multicast forwarding cannot function 
    Symptom 
    Layer 2 multicast forwarding cannot function.  
    Analysis 
    IGMP snooping is not enabled. 
    Solution 
    1. Use the display current-configuration command to check the running status of IGMP snooping.
    2. If IGMP snooping is not enabled, use the igmp-snooping command to enable IGMP snooping
    globally, and then use the igmp-snooping enable command to enable IGMP snooping in VLAN
    view.
    3. If IGMP snooping is disabled only for the corresponding VLAN, use the igmp-snooping enable
    command in VLAN view to enable IGMP snooping in the corresponding VLAN.
    Configured multicast group policy fails to take effect 
    Symptom 
    Although a multicast group policy has been configured to allow hosts to join specific multicast groups, the 
    hosts can still receive multicast data addressed to other multicast groups.  
    Analysis 
    •   The ACL rule is incorrectly configured.  
    •   The multicast group policy is not correctly applied.  
    •   The function of dropping unknown multicast data is not enabled, so unknown multicast data is 
    flooded.  
    Solution 
    1. Use the display acl command to check the configured ACL rule. Make sure that the ACL rule
    conforms to the multicast group policy to be implemented.
    2. Use the display this command in IGMP-snooping view or in the corresponding interface view to
    verify that the correct multicast group policy has been applied. If not, use the group-policy or
    igmp-snooping group-policy command to apply the correct multicast group policy.
    3. Use the display current-configuration command to verify that the function of dropping unknown
    multicast data is enabled. If not, use the drop-unknown or igmp-snooping drop-unknown
    command to enable the function of dropping unknown multicast data.
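
The causes listed in this troubleshooting section can be checked in one pass over saved display current-configuration output. The following Python code is an added example, not part of the HP guide. The sample configuration is constructed, and the "#"-separated section layout and the placement of the drop-unknown and group-policy lines are assumptions based on the commands named above.

```python
import ipaddress
import re

# Constructed sample in the general layout of "display current-configuration"
# (sections separated by "#"); the layout and the values are assumptions.
SAMPLE_CONFIG = """\
#
igmp-snooping
#
acl number 2001
 rule 0 permit source 10.1.1.1 0
#
vlan 104
 igmp-snooping enable
#
interface GigabitEthernet1/0/3
 igmp-snooping group-policy 2001 vlan 104
#
"""

def sections(config):
    """Split the configuration on '#' lines into {header: [body lines]}."""
    out = {}
    for chunk in re.split(r"(?m)^#[ \t]*$", config):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            out.setdefault(lines[0], []).extend(lines[1:])
    return out

def audit(config, vlan):
    """Return findings for the causes listed in the troubleshooting section."""
    sec, findings = sections(config), []
    vlan_body = sec.get(f"vlan {vlan}", [])
    if "igmp-snooping" not in sec:
        findings.append("IGMP snooping is not enabled globally")
    if "igmp-snooping enable" not in vlan_body:
        findings.append(f"IGMP snooping is not enabled in VLAN {vlan}")
    if ("igmp-snooping drop-unknown" not in vlan_body
            and "drop-unknown" not in sec.get("igmp-snooping", [])):
        findings.append("dropping of unknown multicast data is not enabled")
    # Collect ACL numbers referenced by a group policy in any view.
    acls = set()
    for body in sec.values():
        for line in body:
            if m := re.match(r"(?:igmp-snooping )?group-policy (\d+)", line):
                acls.add(m.group(1))
    if not acls:
        findings.append("no multicast group policy is applied")
    for acl in sorted(acls):
        rules = sec.get(f"acl number {acl}")
        if rules is None:
            findings.append(f"ACL {acl} is referenced but not defined")
            continue
        # A group policy ACL matches the group address in its source field.
        permits = [m.group(1) for r in rules
                   if (m := re.search(r"permit source (\d+\.\d+\.\d+\.\d+)", r))]
        if not any(ipaddress.IPv4Address(p).is_multicast for p in permits):
            findings.append(f"ACL {acl} permits no multicast group address")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, 104):
        print(finding)
```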
    Appendix 
    Processing of multicast protocol messages 
    With Layer 3 multicast routing enabled, an IGMP snooping–enabled switch processes multicast protocol
    messages differently under different conditions, as follows:
    1. If only IGMP is enabled on the switch, or if both IGMP and PIM are enabled on the switch, the
    switch does the following:
       ○ Maintains dynamic member ports or dynamic router ports according to IGMP packets
       ○ Maintains dynamic router ports according to PIM hello packets
    2. If only PIM is enabled on the switch, the following occur:
       ○ The switch broadcasts IGMP messages as unknown messages in the VLAN.
       ○ After receiving a PIM hello message, the switch maintains the corresponding dynamic router
         port.
    3. If IGMP is disabled on the switch, one of the following occurs:
       ○ If PIM is disabled, the switch deletes all its dynamic member ports and dynamic router ports.
       ○ If PIM is enabled, the switch deletes only its dynamic member ports but not its dynamic router
         ports.

      NOTE:
    On a switch with Layer-3 multicast routing enabled, use the display igmp group port-info command to
    display Layer-2 port information. For more information about this command, see IP Multicast Command
    Reference.

    4. If PIM is disabled on the switch, one of the following occurs:
       ○ If IGMP is disabled, the switch deletes all its dynamic router ports.
       ○ If IGMP is enabled, the switch maintains all its dynamic member ports and dynamic router
         ports.
    Configuring PIM snooping 
    Overview 
    Protocol Independent Multicast (PIM) snooping runs on Layer 2 devices. It determines which ports are 
    interested in multicast data by analyzing the received PIM messages, and adds the ports to a multicast 
    forwarding entry to make sure that multicast data can  be forwarded to only the ports that are interested 
    in the data.  
    Figure 19  Multicast packet transmission without or with PIM snooping
    [Figure: two panels, "Multicast packet transmission when only IGMP snooping runs" and "Multicast
    packet transmission when IGMP snooping and PIM snooping both run". Each panel shows Source 1,
    Source 2, Receiver 1, Receiver 2, the Layer 2 switch, and PIM routers 1 through 4, with multicast
    packets and join messages for (S1, G1) and (S2, G2).]

    As shown in Figure 19, Source 1 sends multicast data to multicast group G1, and Source 2 sends
    multicast data to multicast group G2. Receiver 1 belongs to G1, and Receiver 2 belongs to G2. The Layer
    2 switch’s interfaces that connect to the PIM-capable routers are in the same VLAN.
    •   When the Layer 2 switch runs only IGMP snooping, it maintains the router ports according to the
    received PIM hello messages that PIM-capable routers send, broadcasts all other types of received
    PIM messages in the VLAN, and forwards all multicast data to all router ports in the VLAN. Each
    PIM-capable router in the VLAN, whether interested in the multicast data or not, can receive all
    multicast data and all PIM messages except PIM hello messages.
    •   When the Layer 2 switch runs both IGMP snooping and PIM snooping, it determines whether
    PIM-capable routers are interested in the multicast data addressed to a multicast group according
    to PIM messages received from the routers, and adds only the ports for connecting the routers that
    are interested in the data to a multicast forwarding entry. Then, the Layer 2 switch forwards PIM
    messages and multicast data to only the routers that are interested in the data, saving network
    bandwidth.
    For more information about IGMP snooping and the router port, see Configuring IGMP snooping.
    For more information about PIM, see Configuring PIM (available only on the HP 5500 EI).
    Configuring PIM snooping 
    Configuration guidelines 
    Before configuring PIM snooping for a VLAN, be sure to enable IGMP snooping globally and specifically 
    for the VLAN.  
    After you enable PIM snooping in a VLAN, PIM snooping works only on the member interfaces of the 
    VLAN. 
    PIM snooping does not work in the sub-VLANs of a multicast VLAN. For more information about multicast
    VLAN, see Configuring multicast VLANs.
    In a network with PIM snooping enabled switches, configure the size of each join/prune message to be
    no more than the path maximum transmission unit (MTU) on the PIM-enabled edge router on the receiver
    side. For more information about the join/prune messages, see Configuring PIM (available only on the
    HP 5500 EI).
    Configuration procedure 
    To configure PIM snooping:  
    Step                                                             Command                 Remarks
    1. Enter system view.                                            system-view             N/A
    2. Enable IGMP snooping globally and enter IGMP-snooping view.   igmp-snooping           Disabled by default
    3. Return to system view.                                        quit                    N/A
    4. Enter VLAN view.                                              vlan vlan-id            N/A
    5. Enable IGMP snooping in the VLAN.                             igmp-snooping enable    Disabled by default
    6. Enable PIM snooping in the VLAN.                              pim-snooping enable     Disabled by default
     
    For more information about the igmp-snooping and igmp-snooping enable commands, see IP Multicast
    Command Reference.
    						