HP 5500 Ei 5500 Si Switch Series Configuration Guide
VLAN interface configuration example

Network requirements

As shown in Figure 39, PC A is assigned to VLAN 5 and PC B is assigned to VLAN 10. The PCs belong to different IP subnets and cannot communicate with each other. Configure VLAN interfaces on Switch A and configure the PCs to enable Layer 3 communication between the PCs.

Figure 39 Network diagram

Configuration procedure

1. Configure Switch A:

    # Create VLAN 5 and assign GigabitEthernet 1/0/1 to it.
    system-view
    [SwitchA] vlan 5
    [SwitchA-vlan5] port GigabitEthernet 1/0/1
    # Create VLAN 10 and assign GigabitEthernet 1/0/2 to it.
    [SwitchA-vlan5] vlan 10
    [SwitchA-vlan10] port GigabitEthernet 1/0/2
    [SwitchA-vlan10] quit
    # Create VLAN-interface 5 and configure its IP address as 192.168.0.10/24.
    [SwitchA] interface vlan-interface 5
    [SwitchA-Vlan-interface5] ip address 192.168.0.10 24
    [SwitchA-Vlan-interface5] quit
    # Create VLAN-interface 10 and configure its IP address as 192.168.1.20/24.
    [SwitchA] interface vlan-interface 10
    [SwitchA-Vlan-interface10] ip address 192.168.1.20 24
    [SwitchA-Vlan-interface10] return

2. Configure PC A:

    # Configure the default gateway of the PC as 192.168.0.10.

3. Configure PC B:

    # Configure the default gateway of the PC as 192.168.1.20.

Verifying the configurations

1. The PCs can ping each other.
2. Display brief information about Layer 3 interfaces on Switch A to verify the configuration.

    display ip interface brief
    *down: administratively down
    (s): spoofing
    Interface           Physical  Protocol  IP Address     Description
    Vlan-interface5     up        up        192.168.0.10   Vlan-inte...
    Vlan-interface10    up        up        192.168.1.20   Vlan-inte...

Configuring port-based VLANs

Introduction to port-based VLAN

Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN.

Port link type

You can configure the link type of a port as access, trunk, or hybrid. The link types use the following VLAN tag handling methods:
• An access port belongs to only one VLAN and sends traffic untagged. It is usually used to connect a terminal device that cannot identify VLAN-tagged packets, or where separating different VLAN members is unnecessary.
• A trunk port can carry multiple VLANs to receive and send traffic for them. Except for traffic of the port VLAN ID (PVID), traffic sent through a trunk port is VLAN tagged. Usually, ports that connect network devices are configured as trunk ports.
• Like a trunk port, a hybrid port can carry multiple VLANs to receive and send traffic for them. Unlike a trunk port, a hybrid port can be configured to send traffic of any of its VLANs untagged. You can configure a port connected to a network device or user terminal as a hybrid port.

PVID

By default, VLAN 1 is the PVID for all ports. You can configure the PVID for a port as required. When you configure the PVID on a port, use the following guidelines:
• An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID of the port. The PVID of the access port changes along with the VLAN to which the port belongs.
• A trunk or hybrid port can join multiple VLANs. You can configure a PVID for the port.
• You can use a nonexistent VLAN as the PVID for a hybrid or trunk port but not for an access port.
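The tag handling of the three link types described above, as an added Python model that is not part of the HP guide. It covers the receive and transmit rules for access, trunk and hybrid ports and includes a check that a trunk or hybrid port actually carries its PVID, because a port that does not silently filters untagged frames; the sample ports are constructed values modelled on the port-based VLAN example later on this page.

```python
# Added example (not HP code): a model of how access, trunk and hybrid ports on
# the HP 5500 series handle VLAN tags on receipt and on transmission, plus the
# PVID sanity check that the configuration guidelines call for.
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class Port:
    link_type: str                         # "access", "trunk" or "hybrid"
    pvid: int = 1                          # VLAN 1 is the default PVID
    vlans: Set[int] = field(default_factory=lambda: {1})     # VLANs carried on the port
    untagged: Set[int] = field(default_factory=lambda: {1})  # hybrid only: VLANs sent untagged


def inbound(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN a received frame is placed in, or None if the port drops it.
    tag is the frame's VLAN ID, or None for an untagged frame."""
    if port.link_type == "access":
        if tag is None:
            return port.pvid               # untagged frame: tagged with the PVID
        return port.pvid if tag == port.pvid else None   # tagged: only the PVID is accepted
    # trunk and hybrid ports
    if tag is None:
        # an untagged frame is accepted only if the PVID is permitted on the port
        return port.pvid if port.pvid in port.vlans else None
    return tag if tag in port.vlans else None           # tagged: VLAN must be carried


def outbound(port: Port, vlan: int) -> Optional[Tuple[str, int]]:
    """How a frame of `vlan` leaves the port: ("untagged", vlan), ("tagged", vlan),
    or None when the port does not carry that VLAN."""
    if port.link_type == "access":
        return ("untagged", vlan) if vlan == port.pvid else None
    if vlan not in port.vlans:
        return None
    if port.link_type == "trunk":
        # only PVID traffic leaves a trunk untagged; every other VLAN keeps its tag
        return ("untagged", vlan) if vlan == port.pvid else ("tagged", vlan)
    # hybrid: tag removed or kept per 'port hybrid vlan ... { tagged | untagged }', PVID included
    return ("untagged", vlan) if vlan in port.untagged else ("tagged", vlan)


def pvid_is_carried(port: Port) -> bool:
    """Guideline check: a trunk/hybrid port whose PVID is not among its VLANs silently
    filters untagged frames, including protocol packets such as MSTP BPDUs."""
    return port.link_type == "access" or port.pvid in port.vlans


# Constructed sample ports mirroring the port-based VLAN example on this page:
# an access port in VLAN 100, and a trunk with 'port trunk permit vlan 100 200'
# (VLAN 1, the default, stays permitted).
ACCESS_100 = Port("access", pvid=100, vlans={100})
TRUNK_UPLINK = Port("trunk", pvid=1, vlans={1, 100, 200})
# Misconfiguration: PVID moved to VLAN 300 without permitting VLAN 300 on the trunk.
TRUNK_BAD_PVID = Port("trunk", pvid=300, vlans={1, 100, 200})

if __name__ == "__main__":
    print(inbound(ACCESS_100, None), outbound(TRUNK_UPLINK, 100))        # 100 ('tagged', 100)
    print(inbound(TRUNK_BAD_PVID, None), pvid_is_carried(TRUNK_BAD_PVID))  # None False
```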
After you use the undo vlan command to remove the VLAN that an access port resides in, the PVID of the port changes to VLAN 1. The removal of the VLAN specified as the PVID of a trunk or hybrid port, however, does not affect the PVID setting on the port.

When you configure a PVID, follow these guidelines:
• Do not set the voice VLAN as the PVID of a port in automatic voice VLAN assignment mode. For information about voice VLAN, see Configuring a voice VLAN.
• HP recommends that you set the same PVID for local and remote ports.
• Make sure that a port is assigned to its PVID. Otherwise, when the port receives frames tagged with the PVID or untagged frames (including protocol packets such as MSTP BPDUs), the port filters out these frames.

The following table shows how ports of different link types handle frames:
Port type: Access
  Inbound, untagged frame: Tags the frame with the PVID tag.
  Inbound, tagged frame:
    • Receives the frame if its VLAN ID is the same as the PVID.
    • Drops the frame if its VLAN ID is different from the PVID.
  Outbound: Removes the VLAN tag and sends the frame.

Port type: Trunk
  Inbound, untagged frame: Checks whether the PVID is permitted on the port:
    • If yes, tags the frame with the PVID tag.
    • If not, drops the frame.
  Inbound, tagged frame:
    • Receives the frame if its VLAN is carried on the port.
    • Drops the frame if its VLAN is not carried on the port.
  Outbound:
    • Removes the tag and sends the frame if the frame carries the PVID tag and the port belongs to the PVID.
    • Sends the frame without removing the tag if its VLAN is carried on the port but is different from the PVID.

Port type: Hybrid
  Inbound, untagged frame and tagged frame: Same as a trunk port.
  Outbound: Sends the frame if its VLAN is carried on the port. The frame is sent with the VLAN tag removed or intact depending on your configuration via the port hybrid vlan command. This is true of the PVID as well.

Assigning an access port to a VLAN

You can assign an access port to a VLAN in VLAN view, interface view (including Layer 2 Ethernet interface view and Layer 2 aggregate interface view), or port group view.

To assign one or multiple access ports to a VLAN in VLAN view:
1. Enter system view.
   Command: system-view
2. Enter VLAN view.
   Command: vlan vlan-id
   Remarks: If the specified VLAN does not exist, this command creates the VLAN first.
3. Assign one or a group of access ports to the VLAN.
   Command: port interface-list
   Remarks: By default, all ports belong to VLAN 1.

To assign an access port (in interface view) or multiple access ports (in port group view) to a VLAN:
1. Enter system view.
   Command: system-view
2. Enter interface view or port group view. Use any of the following commands:
   • Enter Layer 2 Ethernet interface view: interface interface-type interface-number
   • Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks:
   • The configuration made in Layer 2 Ethernet interface view applies only to the port.
   • The configuration made in port group view applies to all ports in the port group.
   • The configuration made in Layer 2 aggregate interface view applies to the aggregate interface and its aggregation member ports. If the system fails to apply the configuration to the aggregate interface, it stops applying the configuration to aggregation member ports. If the system fails to apply the configuration to an aggregation member port, it skips the port and moves to the next member port.
3. Configure the link type of the ports as access.
   Command: port link-type access
   Remarks: Optional. By default, all ports are access ports.
4. Assign the access ports to a VLAN.
   Command: port access vlan vlan-id
   Remarks: Optional. By default, all access ports belong to VLAN 1.

NOTE:
• Before you assign an access port to a VLAN, create the VLAN.
• In VLAN view, you can assign only Layer 2 Ethernet interfaces to the VLAN.

Assigning a trunk port to a VLAN

A trunk port can carry multiple VLANs. You can assign it to a VLAN in interface view (including Layer 2 Ethernet interface view and Layer 2 aggregate interface view) or port group view.

To assign a trunk port to one or multiple VLANs:
1. Enter system view.
   Command: system-view
2. Enter interface view or port group view. Use any of the following commands:
   • Enter Layer 2 Ethernet interface view: interface interface-type interface-number
   • Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks:
   • The configuration made in Layer 2 Ethernet interface view applies only to the port.
   • The configuration made in port group view applies to all ports in the port group.
   • The configuration made in Layer 2 aggregate interface view applies to the aggregate interface and its aggregation member ports. If the system fails to apply the configuration to the aggregate interface, it stops applying the configuration to aggregation member ports. If the system fails to apply the configuration to an aggregation member port, it skips the port and moves to the next member port.
3. Configure the link type of the ports as trunk.
   Command: port link-type trunk
   Remarks: By default, all ports are access ports. To change the link type of a port from trunk to hybrid or vice versa, you must set the link type to access first.
4. Assign the trunk ports to the specified VLANs.
   Command: port trunk permit vlan { vlan-id-list | all }
   Remarks: By default, a trunk port carries only VLAN 1.
5. Configure the PVID of the trunk ports.
   Command: port trunk pvid vlan vlan-id
   Remarks: Optional. By default, the PVID is VLAN 1.

NOTE:
After configuring the PVID for a trunk port, you must use the port trunk permit vlan command to configure the trunk port to allow packets from the PVID to pass through, so that the egress port can forward packets from the PVID.

Assigning a hybrid port to a VLAN

A hybrid port can carry multiple VLANs. You can assign it to a VLAN in interface view (including Ethernet interface view and Layer 2 aggregate interface view) or port group view.

To assign a hybrid port to one or multiple VLANs:
1. Enter system view.
   Command: system-view
2. Enter interface view or port group view. Use any of the following commands:
   • Enter Layer 2 Ethernet interface view: interface interface-type interface-number
   • Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks:
   • The configuration made in Ethernet interface view applies only to the port.
   • The configuration made in port group view applies to all ports in the port group.
   • The configuration made in Layer 2 aggregate interface view applies to the aggregate interface and its aggregation member ports. If the system fails to apply the configuration to the aggregate interface, it stops applying the configuration to aggregation member ports. If the system fails to apply the configuration to an aggregation member port, it skips the port and moves to the next member port.
3. Configure the link type of the ports as hybrid.
   Command: port link-type hybrid
   Remarks: By default, all ports are access ports. To change the link type of a port from trunk to hybrid or vice versa, you must set the link type to access first.
4. Assign the hybrid ports to the specified VLANs.
   Command: port hybrid vlan vlan-id-list { tagged | untagged }
   Remarks: By default, a hybrid port allows only packets of VLAN 1 to pass through untagged.
5. Configure the PVID of the hybrid ports.
   Command: port hybrid pvid vlan vlan-id
   Remarks: Optional. By default, the PVID is VLAN 1.

NOTE:
• Before you assign a hybrid port to a VLAN, create the VLAN.
• After configuring the PVID for a hybrid port, you must use the port hybrid vlan command to configure the hybrid port to allow packets from the PVID to pass through, so that the egress port can forward packets from the PVID.

Port-based VLAN configuration example

Network requirements

As shown in Figure 40:
• Host A and Host C belong to Department A, and access the enterprise network through different devices. Host B and Host D belong to Department B. They also access the enterprise network through different devices.
• To ensure communication security and avoid broadcast storms, VLANs are configured in the enterprise network to isolate Layer 2 traffic of different departments. VLAN 100 is assigned to Department A, and VLAN 200 is assigned to Department B.
• Make sure that hosts within the same VLAN can communicate with each other. Host A can communicate with Host C, and Host B can communicate with Host D.
Figure 40 Network diagram

Configuration procedure

1. Configure Device A:

    # Create VLAN 100, and assign port GigabitEthernet 1/0/1 to VLAN 100.
    system-view
    [DeviceA] vlan 100
    [DeviceA-vlan100] port gigabitethernet 1/0/1
    [DeviceA-vlan100] quit
    # Create VLAN 200, and assign port GigabitEthernet 1/0/2 to VLAN 200.
    [DeviceA] vlan 200
    [DeviceA-vlan200] port gigabitethernet 1/0/2
    [DeviceA-vlan200] quit
    # Configure port GigabitEthernet 1/0/3 as a trunk port, and assign it to VLANs 100 and 200,
    # to enable GigabitEthernet 1/0/3 to forward traffic of VLANs 100 and 200 to Device B.
    [DeviceA] interface gigabitethernet 1/0/3
    [DeviceA-GigabitEthernet1/0/3] port link-type trunk
    [DeviceA-GigabitEthernet1/0/3] port trunk permit vlan 100 200
    Please wait... Done.

2. Configure Device B as you configure Device A.

3. Configure Host A and Host C to be on the same IP subnet, for example 192.168.100.0/24. Configure Host B and Host D to be on the same IP subnet, for example 192.168.200.0/24.

Verifying the configurations

1. Host A and Host C can ping each other successfully, but they both fail to ping Host B. Host B and Host D can ping each other successfully, but they both fail to ping Host A.

2. Determine whether the configuration is successful by displaying relevant VLAN information.

    # Display information about VLANs 100 and 200 on Device A.
    [DeviceA-GigabitEthernet1/0/3] display vlan 100
     VLAN ID: 100
     VLAN Type: static
     Route Interface: not configured
     Description: VLAN 0100
     Name: VLAN 0100
     Tagged   Ports: GigabitEthernet1/0/3
     Untagged Ports: GigabitEthernet1/0/1
    [DeviceA-GigabitEthernet1/0/3] display vlan 200
     VLAN ID: 200
     VLAN Type: static
     Route Interface: not configured
     Description: VLAN 0200
     Name: VLAN 0200
     Tagged   Ports: GigabitEthernet1/0/3
     Untagged Ports: GigabitEthernet1/0/2

Configuring MAC-based VLANs

Introduction to MAC-based VLAN

The MAC-based VLAN feature assigns hosts to a VLAN based on their MAC addresses. This feature is usually used in conjunction with security technologies such as 802.1X to provide secure, flexible network access for terminal devices.

Static MAC-based VLAN assignment

Static MAC-based VLAN assignment applies to networks containing a small number of VLAN users. In such a network, you can create a MAC address-to-VLAN map containing multiple MAC address-to-VLAN entries on a port, enable the MAC-based VLAN feature on the port, and assign the port to MAC-based VLANs.

With static MAC-based VLAN assignment configured on a port, the device processes received frames by using the following guidelines:
• When the port receives an untagged frame, the device looks up the MAC address-to-VLAN map based on the source MAC address of the frame for a match.
  a. The device first performs a fuzzy match. In the fuzzy match, the device searches the MAC address-to-VLAN entries whose masks are not all-Fs and performs a logical AND operation on the source MAC address and each mask. If the result of an AND operation matches the corresponding MAC address, the device tags the frame with the corresponding VLAN ID. Only the 5500 EI Switch Series supports fuzzy match.
  b. If the fuzzy match fails, the device performs an exact match. In the exact match, the device searches the MAC address-to-VLAN entries whose masks are all-Fs. If the MAC address of a MAC address-to-VLAN entry matches the source MAC address of the untagged frame, the device tags the frame with the corresponding VLAN ID.
  c. If no match is found, the device assigns a VLAN to the frame by using other criteria, such as IP subnet or protocol, and forwards the frame.
  d. If no VLAN is available, the device tags the frame with the PVID of the receiving port and forwards the frame.
• When the port receives a tagged frame, the port forwards the frame if the VLAN ID of the frame is permitted by the port, or otherwise drops the frame.

Dynamic MAC-based VLAN assignment

When you cannot determine the target MAC-based VLANs of a port, you can use dynamic MAC-based VLAN assignment on the port. To do that, you can create a MAC address-to-VLAN map containing multiple MAC address-to-VLAN entries, and enable the MAC-based VLAN feature and dynamic MAC-based VLAN assignment on the port.

Dynamic MAC-based VLAN assignment uses the following workflow:
1. When the port receives a frame, the port first determines whether the frame is tagged.
  • If yes, the port reports the source MAC address of the frame.
  • If not, the port selects a VLAN for the frame by tagging the untagged frame with the PVID tag and obtaining the tag, and then reports the source MAC address of the frame.
2. After reporting the source MAC address of the frame, the port looks up the source MAC address in the MAC-to-VLAN map, and processes the frame as follows:
  • If the source MAC address of the frame matches a MAC address-to-VLAN entry configured on the port, the port checks whether the VLAN ID of the frame is the same as the VLAN in the MAC-to-VLAN entry.
    a. If yes, the port dynamically joins the VLAN and forwards the frame.
    b. If not, the port drops the frame.
  • If the source MAC address of the frame matches no MAC-to-VLAN entry, the port processes the frame depending on whether the VLAN ID of the frame is the PVID.
    c. If yes, the port determines whether it allows the PVID: if yes, the port tags the frame with the PVID and forwards the frame; if not, the port drops the frame.
    d. If not, the port assigns a VLAN to the frame by using other criteria, such as IP subnet or protocol, and forwards the frame. If no VLAN is available, the port drops the frame.

Figure 41 Flowchart for processing a frame in dynamic MAC-based VLAN assignment

When you configure dynamic MAC-based VLAN assignment, follow these guidelines:
• When a port is assigned to the corresponding VLAN in a MAC address-to-VLAN entry, but has not been assigned to the VLAN by using the port hybrid vlan command, the port sends packets from the VLAN with VLAN tags removed.
• If you configure both static and dynamic MAC-based VLAN assignment on the same port, dynamic MAC-based VLAN assignment applies.

Dynamic MAC-based VLAN

You can use dynamic MAC-based VLAN with access authentication (such as 802.1X authentication based on MAC addresses) to implement secure, flexible terminal access. After configuring dynamic MAC-based VLAN on the device, you must configure the username-to-VLAN entries on the access authentication server. When a user passes authentication on the access authentication server, the device obtains VLAN information from the server, generates a MAC address-to-VLAN entry by using the source MAC address of the user packet and the VLAN information, and assigns the port to the MAC-based VLAN. When the user goes offline, the device automatically deletes the MAC address-to-VLAN entry and removes the port from the MAC-based VLAN. For more information about 802.1X, MAC, and portal authentication, see Security Configuration Guide.

Configuration restrictions and guidelines

When you configure a MAC-based VLAN, follow these guidelines:
• MAC-based VLANs are available only on hybrid ports.
• You cannot configure super VLANs in the MAC address-to-VLAN entries.
• With dynamic MAC-based VLAN assignment enabled, packets are delivered to the CPU for processing. This packet processing mode has the highest priority and overrides the configuration of the MAC learning limit and the disabling of MAC address learning. When dynamic MAC-based VLAN assignment is enabled, do not configure the MAC learning limit or disable MAC address learning.
• Do not use dynamic MAC-based VLAN assignment together with 802.1X and MAC authentication.
• In dynamic MAC-based VLAN assignment, the port that receives a packet with an unknown source MAC address can be successfully assigned to the matched VLAN only when the matched VLAN is a static VLAN.
• The MAC-based VLAN feature is mainly configured on the downlink ports of the user access devices. Do not enable this function together with link aggregation.
• With MSTP enabled, if a port is blocked in the MST instance (MSTI) of the target MAC-based VLAN, the port drops the received packets instead of delivering them to the CPU. As a result, the receiving port will not be dynamically assigned to the corresponding VLAN. Do not configure dynamic MAC-based VLAN assignment together with MSTP, because the former is mainly configured on the access side.
• When you configure MAC-to-VLAN entries, if you specify the 802.1p priority for the VLAN of a MAC address, you must configure the qos trust dot1p command on the corresponding port, so that the port trusts the 802.1p priority of incoming packets and your configuration takes effect. For more information about the qos trust dot1p command, see ACL and QoS Command Reference.

Configuration procedure

To configure static MAC-based VLAN assignment:
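As an added illustration that is not part of the HP guide, the following Python model implements the frame-classification logic described in the introduction above: the static lookup order (fuzzy match, exact match, other criteria, then PVID) and the dynamic-assignment decision, with fuzzy=False standing in for the 5500 SI, which lacks fuzzy match. The MAC-to-VLAN entries, masks and addresses are constructed sample values, and other_criteria is a stand-in for an IP-subnet or protocol VLAN match.

```python
# Added example (not HP code): a model of the MAC address-to-VLAN lookup that the
# HP 5500 series applies on a port with MAC-based VLAN enabled. All entries,
# masks and MAC addresses below are constructed sample values.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_FS = 0xFFFFFFFFFFFF   # 48-bit all-Fs mask marks an exact-match entry


def mac_to_int(mac: str) -> int:
    """Accept 'aabb-ccdd-eeff' (Comware style), 'aa-bb-cc-dd-ee-ff' or 'aa:bb:cc:dd:ee:ff'."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)


@dataclass(frozen=True)
class MacVlanEntry:
    mac: int
    mask: int
    vlan: int


def lookup(src: int, entries: List[MacVlanEntry], fuzzy: bool) -> Tuple[Optional[MacVlanEntry], str]:
    """Steps a and b: masked (fuzzy) entries first, then all-Fs (exact) entries; fuzzy=False models the SI."""
    if fuzzy:
        for e in entries:
            if e.mask != ALL_FS and (src & e.mask) == (e.mac & e.mask):
                return e, "fuzzy"
    for e in entries:
        if e.mask == ALL_FS and src == e.mac:
            return e, "exact"
    return None, "none"


def classify_untagged(src_mac: str, entries, pvid: int, fuzzy: bool = True,
                      other_criteria: Optional[int] = None) -> Tuple[int, str]:
    """Static assignment of an untagged frame: (VLAN chosen, rule that chose it)."""
    entry, how = lookup(mac_to_int(src_mac), entries, fuzzy)
    if entry is not None:
        return entry.vlan, how                         # a or b
    if other_criteria is not None:
        return other_criteria, "other"                 # c: IP-subnet or protocol VLAN
    return pvid, "pvid"                                # d


def dynamic_decision(src_mac: str, tag: Optional[int], entries, pvid: int,
                     pvid_permitted: bool, fuzzy: bool = True,
                     other_criteria: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Dynamic assignment: ("forward", vlan) or ("drop", None) per the workflow above."""
    vlan = pvid if tag is None else tag                # step 1: untagged frames take the PVID
    entry, _ = lookup(mac_to_int(src_mac), entries, fuzzy)
    if entry is not None:                              # step 2: matching entry
        return ("forward", vlan) if vlan == entry.vlan else ("drop", None)   # a / b
    if vlan == pvid:                                   # no entry and the frame is in the PVID
        return ("forward", pvid) if pvid_permitted else ("drop", None)       # c
    return ("forward", other_criteria) if other_criteria is not None else ("drop", None)  # d


# Constructed map: a masked entry for a whole OUI plus an exact entry for one host in
# that OUI. On the EI the masked entry is tried first and wins; the SI sees only the exact one.
ENTRIES = [
    MacVlanEntry(mac_to_int("001b-2100-0000"), mac_to_int("ffff-ff00-0000"), vlan=100),
    MacVlanEntry(mac_to_int("001b-21aa-bbcc"), ALL_FS, vlan=200),
]
```

The constructed map also shows a point worth checking in real configurations: because fuzzy matching runs before exact matching, a masked entry covering a whole OUI shadows an exact entry for a host in that OUI, so the same host lands in VLAN 100 on the EI but in VLAN 200 on the SI.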