HP 5500 Ei 5500 Si Switch Series Configuration Guide
Perform the following configurations on all routers in the PIM domain.

To configure state-refresh parameters:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter public network PIM view or VPN instance PIM view. | pim [ vpn-instance vpn-instance-name ] | N/A |
| 3. Configure the interval between state-refresh messages. | state-refresh-interval interval | Optional. 60 seconds by default. |
| 4. Configure the time to wait before receiving a new state-refresh message. | state-refresh-rate-limit interval | Optional. 30 seconds by default. |
| 5. Configure the TTL value of state-refresh messages. | state-refresh-ttl ttl-value | Optional. 255 by default. |

Configuring PIM-DM graft retry period

In PIM-DM, graft is the only type of message that uses the acknowledgment mechanism. In a PIM-DM domain, if a router does not receive a graft-ack message from the upstream router within the specified time after it sends a graft message, the router keeps sending new graft messages at a configurable interval (namely graft retry period), until it receives a graft-ack message from the upstream router.

To configure the graft retry period:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | N/A |
| 3. Configure the graft retry period. | pim timer graft-retry interval | Optional. 3 seconds by default. |

For more information about the configuration of other timers in PIM-DM, see Configuring PIM common timers.

Configuring PIM-SM

PIM-SM configuration task list

| Task | Remarks |
|---|---|
| Enabling PIM-SM | Required. |
| Configuring an RP: Configuring a static RP | Required. Use any approach. |
| Configuring an RP: Configuring a C-RP | Required. Use any approach. |
| Configuring an RP: Enabling auto-RP | Required. Use any approach. |
| Configuring an RP: Configuring C-RP timers globally | Optional. |
| Configuring a BSR: Configuring a C-BSR | Required. |
| Configuring a BSR: Configuring a PIM domain border | Optional. |
| Configuring a BSR: Configuring global C-BSR parameters | Optional. |
| Configuring a BSR: Configuring C-BSR timers | Optional. |
| Configuring a BSR: Disabling BSM semantic fragmentation | Optional. |
| Configuring administrative scoping: Enabling administrative scoping | Optional. |
| Configuring administrative scoping: Configuring an admin-scope zone boundary | Optional. |
| Configuring administrative scoping: Configuring C-BSRs for each admin-scope zone and the global-scope zone | Optional. |
| Configuring multicast source registration | Optional. |
| Disabling SPT switchover | Optional. |
| Configuring PIM common features | Optional. |

Configuration prerequisites

Before you configure PIM-SM, complete the following tasks:

• Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer.
• Determine the IP address of a static RP and the ACL rule defining the range of multicast groups to be served by the static RP.
• Determine the C-RP priority and the ACL rule defining the range of multicast groups to be served by each C-RP.
• Determine the legal C-RP address range and the ACL rule defining the range of multicast groups to be served.
• Determine the C-RP-Adv interval.
• Determine the C-RP timeout.
• Determine the C-BSR priority.
• Determine the hash mask length.
• Determine the ACL rule defining a legal BSR address range.
• Determine the BS period.
• Determine the BS timeout.
• Determine the ACL rule for register message filtering.
• Determine the register suppression time.
• Determine the register probe time.
• Determine the ACL rule and sequencing rule for disabling an SPT switchover.
Enabling PIM-SM

With PIM-SM enabled, a router sends hello messages periodically to discover PIM neighbors and processes messages from the PIM neighbors. To deploy a PIM-SM domain, enable PIM-SM on all non-border interfaces of the routers.

IMPORTANT: All the interfaces in the same VPN instance on the same router must operate in the same PIM mode.

Enabling PIM-SM globally on the public network

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable IP multicast routing. | multicast routing-enable | Disabled by default. |
| 3. Enter interface view. | interface interface-type interface-number | N/A |
| 4. Enable PIM-SM. | pim sm | Disabled by default. |

Enabling PIM-SM in a VPN instance

| Step | Command | Description |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Create a VPN instance and enter VPN instance view. | ip vpn-instance vpn-instance-name | N/A |
| 3. Configure an RD for the VPN instance. | route-distinguisher route-distinguisher | Not configured by default. |
| 4. Enable IP multicast routing. | multicast routing-enable | Disabled by default. |
| 5. Enter interface view. | interface interface-type interface-number | N/A |
| 6. Bind the interface with a VPN instance. | ip binding vpn-instance vpn-instance-name | By default, an interface belongs to the public network, and is not bound with any VPN instance. |
| 7. Enable PIM-SM. | pim sm | Disabled by default. |

For more information about the ip vpn-instance, route-distinguisher, and ip binding vpn-instance commands, see IP Routing Command Reference.

For more information about the multicast routing-enable command, see IP Multicast Command Reference.

Configuring an RP

An RP can be manually configured or dynamically elected through the BSR mechanism. For a large PIM network, static RP configuration is a tedious job. Generally, static RP configuration is just a backup method for the dynamic RP election mechanism to enhance the robustness and operational manageability of a multicast network.
IMPORTANT: In a PIM network, if both PIM-SM and BIDIR-PIM are enabled, do not configure the same RP to serve PIM-SM and BIDIR-PIM simultaneously to avoid PIM routing table errors.

Configuring a static RP

If only one dynamic RP exists in a network, manually configuring a static RP can avoid communication interruption because of single-point failures. It can also avoid frequent message exchange between C-RPs and the BSR.

IMPORTANT: To enable a static RP to work normally, you must perform this configuration on all the routers in the PIM-SM domain and specify the same RP address.

Perform the following configuration on all the routers in the PIM-SM domain.

To configure a static RP:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter public network PIM view or VPN instance PIM view. | pim [ vpn-instance vpn-instance-name ] | N/A |
| 3. Configure a static RP for PIM-SM. | static-rp rp-address [ acl-number ] [ preferred ] | No static RP by default. |

Configuring a C-RP

In a PIM-SM domain, you can configure routers that intend to become the RP as C-RPs. The BSR collects the C-RP information by receiving the C-RP-Adv messages from C-RPs or auto-RP announcements from other routers and organizes the information into an RP-set, which is flooded throughout the entire network. Then, the other routers in the network calculate the mappings between specific group ranges and the corresponding RPs based on the RP-set. HP recommends that you configure C-RPs on backbone routers.

To guard against C-RP spoofing, you must configure a legal C-RP address range and the range of multicast groups to be served on the BSR. In addition, because every C-BSR can become the BSR, you must configure the same filtering policy on all C-BSRs in the PIM-SM domain.

To configure a C-RP:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter public network PIM view or VPN instance PIM view. | pim [ vpn-instance vpn-instance-name ] | N/A |
| 3. Configure an interface to be a C-RP for PIM-SM. | c-rp interface-type interface-number [ group-policy acl-number \| priority priority \| holdtime hold-interval \| advertisement-interval adv-interval ] * | No C-RPs are configured by default. |
| 4. Configure a legal C-RP address range and the range of multicast groups to be served. | crp-policy acl-number | Optional. No restrictions by default. |
NOTE:
• When you configure a C-RP, ensure a relatively large bandwidth between this C-RP and the other devices in the PIM-SM domain.
• An RP can serve multiple multicast groups or all multicast groups. Only one RP can forward multicast traffic for a multicast group at a moment.

Enabling auto-RP

Auto-RP announcement and discovery messages are addressed to the multicast group addresses 224.0.1.39 and 224.0.1.40. With auto-RP enabled on a device, the device can receive these two types of messages and record the RP information carried in such messages.

To enable auto-RP:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter public network PIM view or VPN instance PIM view. | pim [ vpn-instance vpn-instance-name ] | N/A |
| 3. Enable auto-RP. | auto-rp enable | Disabled by default. |

Configuring C-RP timers globally

To enable the BSR to distribute the RP-set information within the PIM-SM domain, C-RPs must periodically send C-RP-Adv messages to the BSR. The BSR learns the RP-set information from the received messages, and encapsulates its own IP address together with the RP-set information in its bootstrap messages. The BSR then floods the bootstrap messages to all PIM routers in the network.

Each C-RP encapsulates a timeout value in its C-RP-Adv messages. After receiving a C-RP-Adv message, the BSR obtains this timeout value and starts a C-RP timeout timer. If the BSR fails to hear a subsequent C-RP-Adv message from the C-RP when this timer times out, the BSR assumes the C-RP to have expired or become unreachable.

The C-RP timers need to be configured on C-RP routers.

To configure C-RP timers globally:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter public network PIM view or VPN instance PIM view. | pim [ vpn-instance vpn-instance-name ] | N/A |
| 3. Configure the C-RP-Adv interval. | c-rp advertisement-interval interval | Optional. 60 seconds by default. |
| 4. Configure C-RP timeout time. | c-rp holdtime interval | Optional. 150 seconds by default. |

For more information about the configuration of other timers in PIM-SM, see Configuring PIM common timers.
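The C-RP spoofing guard described under Configuring a C-RP only works if every C-BSR carries the same crp-policy filter. The following audit script is an added example, not part of the HP guide: the router names and configuration text are constructed, the `acl number` and `rule` lines are assumed ACL syntax, and only the public network PIM view is handled.

```python
from collections import Counter

# Constructed sample configurations (not from the guide). The "acl number" and
# "rule" lines are assumed ACL syntax; c-bsr and crp-policy are the guide's commands.
GOOD_ACL = """acl number 3000
 rule 0 permit ip source 10.0.0.1 0 destination 239.1.0.0 0.0.255.255
 rule 5 permit ip source 10.0.0.2 0 destination 239.1.0.0 0.0.255.255
#
"""
CONFIGS = {
    "core-1": GOOD_ACL + "pim\n c-bsr Vlan-interface100\n crp-policy 3000\n",
    "core-2": GOOD_ACL + "pim\n c-bsr Vlan-interface100 30 80\n crp-policy 3000\n",
    "core-3": "acl number 3000\n rule 0 permit ip\n#\npim\n c-bsr Vlan-interface100\n crp-policy 3000\n",
    "core-4": "pim\n c-bsr Vlan-interface100\n c-bsr priority 64\n",
    "access-1": "pim\n static-rp 10.0.0.1\n",
}

# c-bsr keywords that tune parameters; any other word after c-bsr is taken
# to be an interface name, which makes the router a C-BSR.
C_BSR_OPTIONS = {"hash-length", "priority", "interval", "holdtime", "admin-scope"}

def parse(config):
    """Return (is_c_bsr, crp_policy_acl, {acl_number: [rules]}) for one router."""
    acls, current_acl, in_pim = {}, None, False
    is_c_bsr, crp_acl = False, None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "#":          # section separator
            current_acl, in_pim = None, False
        elif words[:2] == ["acl", "number"] and len(words) > 2:
            current_acl, in_pim = words[2], False
            acls[current_acl] = []
        elif words == ["pim"]:                    # public network PIM view
            current_acl, in_pim = None, True
        elif current_acl and words[0] == "rule" and len(words) > 1:
            # Drop the rule ID so renumbered but identical rules compare equal.
            body = words[2:] if words[1].isdigit() else words[1:]
            acls[current_acl].append(" ".join(body))
        elif in_pim and words[0] == "c-bsr" and len(words) > 1:
            is_c_bsr = is_c_bsr or words[1] not in C_BSR_OPTIONS
        elif in_pim and words[0] == "crp-policy" and len(words) > 1:
            crp_acl = words[1]
    return is_c_bsr, crp_acl, acls

def audit(configs):
    """List C-BSRs whose C-RP filter is missing or differs from the others."""
    findings, policies = [], {}
    for name in sorted(configs):
        is_c_bsr, crp_acl, acls = parse(configs[name])
        if not is_c_bsr:
            continue                              # only C-BSRs can become the BSR
        if crp_acl is None:
            findings.append(f"{name}: C-BSR without crp-policy")
        elif not acls.get(crp_acl):
            findings.append(f"{name}: crp-policy {crp_acl} has no ACL rules")
        else:
            policies[name] = tuple(acls[crp_acl])
    if len(set(policies.values())) > 1:
        baseline = Counter(policies.values()).most_common(1)[0][0]
        findings += [f"{name}: crp-policy rules differ from the majority"
                     for name in sorted(policies) if policies[name] != baseline]
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIGS):
        print(finding)
```

Rule order is compared as written, so a reordered but otherwise equal ACL is reported as different and needs a manual look.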
Configuring a BSR

Configuration guidelines

Before you configure a BSR, make sure that you are familiar with BSR election process, BSR legal address against BSR spoofing, PIM domain border, global C-BSR parameters, C-BSR timers, and bootstrap message fragments (BSMFs).

• BSR election process
  A PIM-SM domain can have only one BSR, but must have at least one C-BSR. Any router can be configured as a C-BSR. Elected from C-BSRs, the BSR is responsible for collecting and advertising RP information in the PIM-SM domain.
  C-BSRs should be configured on routers in the backbone network. When you configure a router as a C-BSR, be sure to specify a PIM-SM-enabled interface on the router. The BSR election process is summarized as follows:
  a. Initially, every C-BSR assumes itself to be the BSR of this PIM-SM domain and uses its interface IP address as the BSR address to send bootstrap messages.
  b. When a C-BSR receives the bootstrap message of another C-BSR, it first compares its own priority with the other C-BSR’s priority carried in the message. The C-BSR with a higher priority wins. If a tie exists in the priority, the C-BSR with a higher IP address wins. The loser uses the winner’s BSR address to replace its own BSR address and no longer assumes itself to be the BSR, and the winner retains its own BSR address and continues to assume itself to be the BSR.
• BSR legal address against BSR spoofing
  Configuring a legal range of BSR addresses enables filtering of bootstrap messages based on the address range, thereby preventing a maliciously configured host from masquerading as a BSR. You must make the same configuration on all routers in the PIM-SM domain. The typical BSR spoofing cases and the corresponding preventive measures are as follows:
  ○ Some maliciously configured hosts can forge bootstrap messages to fool routers and change RP mappings. Such attacks often occur on border routers. Because a BSR is inside the network whereas hosts are outside the network, you can protect a BSR against attacks from external hosts by enabling the border routers to perform neighbor checks and RPF checks on bootstrap messages and to discard unwanted messages.
  ○ When an attacker controls a router in the network or when an illegal router is present in the network, the attacker can configure this router as a C-BSR and make it win BSR election to control the right of advertising RP information in the network. After a router is configured as a C-BSR, it automatically floods the network with bootstrap messages. Because a bootstrap message has a TTL value of 1, the whole network will not be affected as long as the neighbor router discards these bootstrap messages. Therefore, with a legal BSR address range configured on all routers in the entire network, all these routers will discard bootstrap messages from out of the legal address range.
  These preventive measures can partially protect the security of BSRs in a network. However, if an attacker controls a legal BSR, the problem will still occur.
  Because a large amount of information needs to be exchanged between a BSR and the other devices in the PIM-SM domain, a relatively large bandwidth should be provided between the C-BSRs and the other devices in the PIM-SM domain.
• PIM domain border
  As the administrative core of a PIM-SM domain, the BSR sends the collected RP-set information in the form of bootstrap messages to all routers in the PIM-SM domain.
  A PIM domain border is a bootstrap message boundary. Each BSR has its specific service scope. A number of PIM domain border interfaces partition a network into different PIM-SM domains. Bootstrap messages cannot cross a domain border in either direction.
• C-BSR parameters
  In each PIM-SM domain, a unique BSR is elected from C-BSRs. The C-RPs in the PIM-SM domain send advertisement messages to the BSR. The BSR summarizes the advertisement messages to form an RP-set and advertises it to all routers in the PIM-SM domain. All the routers use the same hash algorithm to get the RP address that corresponds to specific multicast groups.
  You can configure the hash mask length and C-BSR priority globally, in an admin-scope zone, and in the global scope zone.
  ○ The values configured in the global scope zone or admin-scope zone have preference over the global values.
  ○ If you do not configure these parameters in the global scope zone or admin-scope zone, the corresponding global values will be used.
  For configuration of C-BSR parameters for an admin-scope zone and global scope zone, see Configuring C-BSRs for each admin-scope zone and the global-scope zone.
• C-BSR timers
  The BSR election winner multicasts its own IP address and RP-set information through bootstrap messages within the entire zone it serves. The BSR floods bootstrap messages throughout the network at the interval of BS (BSR state) period. Any C-BSR that receives a bootstrap message retains the RP-set for the length of BS timeout, during which no BSR election takes place. If no bootstrap message is received from the BSR before the BS timeout timer expires, a new BSR election process is triggered among the C-BSRs.
  About the BS period:
  ○ By default, the BS period is determined by this formula: BS period = (BS timeout – 10) / 2. The default BS timeout is 130 seconds, so the default BS period = (130 – 10) / 2 = 60 (seconds).
  ○ If this parameter is manually configured, the system will use the configured value.
  About the BS timeout timer:
  ○ By default, the BS timeout value is determined by this formula: BS timeout timer = BS period × 2 + 10. The default BS period is 60 seconds, so the default BS timeout timer = 60 × 2 + 10 = 130 (seconds).
  ○ If this parameter is manually configured, the system will use the configured value.
  In the configuration, make sure that the BS period value is smaller than the BS timeout value.
• Bootstrap message fragments (BSMFs)
  Generally, a BSR periodically distributes the RP-set information in bootstrap messages within the PIM-SM domain. It encapsulates a BSM in an IP datagram and might split the datagram into fragments if the message exceeds the maximum transmission unit (MTU). In respect of such IP fragmentation, loss of a single IP fragment leads to unavailability of the entire message.
  Semantic fragmentation of BSMs can solve this issue. When a BSM exceeds the MTU, it is split to multiple bootstrap message fragments (BSMFs).
  ○ After receiving a BSMF that contains the RP-set information of one group range, a non-BSR router updates corresponding RP-set information directly.
  ○ If the RP-set information of one group range is carried in multiple BSMFs, a non-BSR router updates corresponding RP-set information after receiving all these BSMFs.
  Because the RP-set information contained in each segment is different, loss of some IP fragments will not result in dropping of the entire message.
  The function of BSM semantic fragmentation is enabled by default. Devices not supporting this function might deem a fragment as an entire message and learn only part of the RP-set information. Therefore, if such devices exist in the PIM-SM domain, you need to disable the semantic fragmentation function on the C-BSRs.
  Generally, a BSR performs BSM semantic fragmentation according to the MTU of its BSR interface. However, the semantic fragmentation of BSMs originated because of learning of a new PIM neighbor is performed according to the MTU of the outgoing interface.

Configuring a C-BSR

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter public network PIM view or VPN instance PIM view. | pim [ vpn-instance vpn-instance-name ] | N/A |
| 3. Configure an interface as a C-BSR. | c-bsr interface-type interface-number [ hash-length [ priority ] ] | No C-BSRs are configured by default. |
| 4. Configure a legal BSR address range. | bsr-policy acl-number | Optional. No restrictions on BSR address range by default. |

Configuring a PIM domain border

Perform the following configuration on routers that you want to configure as a PIM domain border.

To configure a PIM domain border:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | N/A |
| 3. Configure a PIM domain border. | pim bsr-boundary | By default, no PIM domain border is configured. |

Configuring global C-BSR parameters

Perform the following configuration on C-BSR routers.

To configure C-BSR parameters:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter public network PIM view or VPN instance PIM view. | pim [ vpn-instance vpn-instance-name ] | N/A |
| 3. Configure the hash mask length. | c-bsr hash-length hash-length | Optional. 30 by default. |
| 4. Configure the C-BSR priority. | c-bsr priority priority | Optional. By default, the C-BSR priority is 64. |

Configuring C-BSR timers

Perform the following configuration on C-BSR routers.

To configure C-BSR timers:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter public network PIM view or VPN instance PIM view. | pim [ vpn-instance vpn-instance-name ] | N/A |
| 3. Configure the BS period. | c-bsr interval interval | Optional. For the default value, see the note after this table. |
| 4. Configure the BS timeout timer. | c-bsr holdtime interval | Optional. For the default value, see the note after this table. |

Disabling BSM semantic fragmentation

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter public network PIM view or VPN instance PIM view. | pim [ vpn-instance vpn-instance-name ] | N/A |
| 3. Disable the BSM semantic fragmentation function. | undo bsm-fragment enable | By default, the BSM semantic fragmentation function is enabled. |

Configuring administrative scoping

When administrative scoping is disabled, a PIM-SM domain has only one BSR. The BSR manages the whole network. To manage your network more effectively and specifically, partition the PIM-SM domain into multiple admin-scope zones. Each admin-scope zone maintains a BSR, which serves a specific multicast group range. The global scope zone also maintains a BSR, which serves all the remaining multicast groups.

Enabling administrative scoping

Before you configure an admin-scope zone, you must enable administrative scoping.

Perform the following configuration on all routers in the PIM-SM domain.

To enable administrative scoping:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter public network PIM view or VPN instance PIM view. | pim [ vpn-instance vpn-instance-name ] | N/A |
| 3. Enable administrative scoping. | c-bsr admin-scope | Disabled by default. |

Configuring an admin-scope zone boundary

ZBRs form the boundary of each admin-scope zone. Each admin-scope zone maintains a BSR, which serves a specific multicast group range. Multicast protocol packets (such as assert messages and bootstrap messages) that belong to this range cannot cross the admin-scope zone boundary.

Perform the following configuration on routers that you want to configure as a ZBR.

To configure an admin-scope zone boundary:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | N/A |
| 3. Configure a multicast forwarding boundary. | multicast boundary group-address { mask \| mask-length } | By default, no multicast forwarding boundary is configured. |

NOTE: The group-address { mask | mask-length } parameter of the multicast boundary command can be used to specify the multicast groups an admin-scope zone serves, in the range of 239.0.0.0/8. For more information about the multicast boundary command, see IP Multicast Command Reference.

Configuring C-BSRs for each admin-scope zone and the global-scope zone

In a network with administrative scoping enabled, group-range-specific BSRs are elected from C-BSRs. C-RPs in the network send advertisement messages to the specific BSR. The BSR summarizes the advertisement messages to form an RP-set and advertises it to all routers in the specific admin-scope zone. All the routers use the same hash algorithm to get the RP address corresponding to the specific multicast group.

Configure C-BSRs for each admin-scope zone and the global-scope zone.

You can configure the hash mask length and C-BSR priority globally, in an admin-scope zone, and in the global scope zone.
• The values configured in the global scope zone or admin-scope zone have preference over the global values.
• If you do not configure these parameters in the global scope zone or admin-scope zone, the corresponding global values will be used.

For configuration of global C-BSR parameters, see Configuring global C-BSR parameters.

• Configure C-BSRs for each admin-scope zone
  Perform the following configuration on the routers that you want to configure as C-BSRs in admin-scope zones.
  To configure a C-BSR for an admin-scope zone:
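Returning to the BSR election process and the legal BSR address range from the configuration guidelines: the model below is an added example, not part of the HP guide, and shows why bsr-policy has to be present on every router. The topology, addresses, priorities and the legal range 10.0.0.0/24 are constructed, and the model simplifies the protocol: each router forwards only the bootstrap message of the BSR it currently accepts, and RPF and neighbor checks are left out.

```python
import ipaddress

def rank(candidate):
    """Election order from the guidelines: higher priority, then higher IP address."""
    priority, address = candidate
    return (priority, int(ipaddress.ip_address(address)))

def allowed(candidate, legal_range):
    """Model of bsr-policy: with a legal range set, drop any other BSR address."""
    if legal_range is None:          # no bsr-policy: no restriction (the default)
        return True
    return ipaddress.ip_address(candidate[1]) in ipaddress.ip_network(legal_range)

def converge(links, c_bsrs, policy):
    """Return {router: accepted BSR address} once the election has settled.

    links:  {router: [neighbors]}
    c_bsrs: {router: (priority, address)} for routers configured as C-BSRs
    policy: {router: legal BSR range}; routers not listed have no bsr-policy
    """
    best = {router: c_bsrs.get(router) for router in links}
    changed = True
    while changed:
        changed = False
        for router, neighbors in links.items():
            for neighbor in neighbors:
                offer = best[neighbor]   # bootstrap message seen from this neighbor
                if offer is None or not allowed(offer, policy.get(router)):
                    continue             # nothing sent, or discarded by bsr-policy
                if best[router] is None or rank(offer) > rank(best[router]):
                    best[router] = offer
                    changed = True
    return {router: (b[1] if b else None) for router, b in best.items()}

# Constructed topology: "rogue" is an unauthorized C-BSR attached to edge2.
LINKS = {
    "core1": ["core2", "edge1"],
    "core2": ["core1", "edge2"],
    "edge1": ["core1"],
    "edge2": ["core2", "rogue"],
    "rogue": ["edge2"],
}
C_BSRS = {
    "core1": (64, "10.0.0.1"),       # 64 is the default C-BSR priority
    "core2": (64, "10.0.0.2"),
    "rogue": (200, "192.0.2.66"),    # higher priority, address outside the range
}
LEGAL = "10.0.0.0/24"
TRUSTED = ["core1", "core2", "edge1", "edge2"]

if __name__ == "__main__":
    scenarios = {
        "no bsr-policy anywhere": {},
        "bsr-policy on every trusted router": {r: LEGAL for r in TRUSTED},
        "bsr-policy missing on edge2": {r: LEGAL for r in TRUSTED if r != "edge2"},
    }
    for title, policy in scenarios.items():
        print(title, converge(LINKS, C_BSRS, policy))
```

In the third scenario only edge2 follows the unauthorized BSR, so it would compute RP mappings from a different RP-set than the rest of the domain.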