HP 5500 Ei 5500 Si Switch Series Configuration Guide
Have a look at the manual HP 5500 Ei 5500 Si Switch Series Configuration Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 1114 HP manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
![Page 356
145
# Create VLAN 2, and assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to it.
[Sysname] vlan 2
[Sysname-vlan2] port gigabitethernet 1/0/1 gigabitethernet 1/0/2
[Sysname-vlan2] quit
# Create VLAN 3, and assign GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 to it.
[Sysname] vlan 3
[Sysname-vlan3] port gigabitethernet 1/0/3 gigabitethernet 1/0/4
[Sysname-vlan3] quit
# Create VLAN 5, and assign GigabitEthernet 1/0/5 and GigabitEthernet 1/0/6 to it.
[Sysname] vlan 5
[Sysname-vlan5] port...](http://img.usermanuals.tech/thumb/36/58909/w64_hp-5500-ei-5500-si-switch-series-configuration-guide-355.png "Page 356
145
# Create VLAN 2, and assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to it.
[Sysname] vlan 2
[Sysname-vlan2] port gigabitethernet 1/0/1 gigabitethernet 1/0/2
[Sysname-vlan2] quit
# Create VLAN 3, and assign GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 to it.
[Sysname] vlan 3
[Sysname-vlan3] port gigabitethernet 1/0/3 gigabitethernet 1/0/4
[Sysname-vlan3] quit
# Create VLAN 5, and assign GigabitEthernet 1/0/5 and GigabitEthernet 1/0/6 to it.
[Sysname] vlan 5
[Sysname-vlan5] port...")
![Page 361
150
Task Command Remarks
Display the mapping between an
isolate-user-VLAN and its secondary
VLANs. display isolate-user-vlan
[ isolate-user-vlan-id
] [ | { begin |
exclude | include } regular-expression ]
Available in any view
Isolate-user-VLAN configuration example
Network requirements
As shown in Figure 47:
• C
onnect Device A to downstream devices Device B and Device C.
• Configure VLAN 5 on Device B as an isolate-user-VLAN, assign the uplink port GigabitEthernet
1/0/5 to...](http://img.usermanuals.tech/thumb/36/58909/w64_hp-5500-ei-5500-si-switch-series-configuration-guide-360.png "Page 361
150
Task Command Remarks
Display the mapping between an
isolate-user-VLAN and its secondary
VLANs. display isolate-user-vlan
[ isolate-user-vlan-id
] [ | { begin |
exclude | include } regular-expression ]
Available in any view
Isolate-user-VLAN configuration example
Network requirements
As shown in Figure 47:
• C
onnect Device A to downstream devices Device B and Device C.
• Configure VLAN 5 on Device B as an isolate-user-VLAN, assign the uplink port GigabitEthernet
1/0/5 to...")
![Page 362
151
[DeviceB-GigabitEthernet1/0/5] quit
# Assign downlink ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to VLAN 3 and
VLAN 2, respectively, and configure the ports to operate in host mode.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port access vlan 3
[DeviceB-GigabitEthernet1/0/1] port isolate-user-vlan host
[DeviceB-GigabitEthernet1/0/1] quit
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port access vlan 2...](http://img.usermanuals.tech/thumb/36/58909/w64_hp-5500-ei-5500-si-switch-series-configuration-guide-361.png "Page 362
151
[DeviceB-GigabitEthernet1/0/5] quit
# Assign downlink ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to VLAN 3 and
VLAN 2, respectively, and configure the ports to operate in host mode.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port access vlan 3
[DeviceB-GigabitEthernet1/0/1] port isolate-user-vlan host
[DeviceB-GigabitEthernet1/0/1] quit
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port access vlan 2...")
150
Task Command Remarks
Display the mapping between an
isolate-user-VLAN and its secondary
VLANs. display isolate-user-vlan
[ isolate-user-vlan-id
] [ | { begin |
exclude | include } regular-expression ]
Available in any view
Isolate-user-VLAN configuration example
Network requirements
As shown in Figure 47:
• C
onnect Device A to downstream devices Device B and Device C.
• Configure VLAN 5 on Device B as an isolate-user-VLAN, assign the uplink port GigabitEthernet
1/0/5 to VLAN 5, and associate VLAN 5 with secondary VLANs VLAN 2 and VLAN 3. Assign
GigabitEthernet 1/0/2 to VLAN 2 and GigabitEthernet 1/0/1 to VLAN 3.
• Configure VLAN 6 on Device C as an isolate-user-VLAN, assign the uplink port GigabitEthernet
1/0/5 to VLAN 6, and associate VLAN 6 with secondary VLANs VLAN 3 and VLAN 4. Assign
GigabitEthernet 1/0/3 to VLAN 3 and GigabitEthernet 1/0/4 to VLAN 4.
• As far as Device A is concerned, Device B only has VLAN 5 and Device C only has VLAN 6.
Figure 47 Network diagram
Configuration procedure
The following part provides only the configuration on Device B and Device C.
1. Configure Device B:
# Configure the isolate-user-VLAN.
system-view
[DeviceB] vlan 5
[DeviceB-vlan5] isolate-user-vlan enable
[DeviceB-vlan5] quit
# Create secondary VLANs.
[DeviceB] vlan 2 to 3
# Configure the uplink port GigabitEthernet 1/0/ 5 to operate in promiscuous mode in VLAN 5.
[DeviceB] interface gigabitethernet 1/0/5
[DeviceB-GigabitEthernet1/0/5] port isolate-user-vlan 5 promiscuous
151 [DeviceB-GigabitEthernet1/0/5] quit # Assign downlink ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to VLAN 3 and VLAN 2, respectively, and configure the ports to operate in host mode. [DeviceB] interface gigabitethernet 1/0/1 [DeviceB-GigabitEthernet1/0/1] port access vlan 3 [DeviceB-GigabitEthernet1/0/1] port isolate-user-vlan host [DeviceB-GigabitEthernet1/0/1] quit [DeviceB] interface gigabitethernet 1/0/2 [DeviceB-GigabitEthernet1/0/2] port access vlan 2 [DeviceB-GigabitEthernet1/0/2] port isolate-user-vlan host [DeviceB-GigabitEthernet1/0/2] quit # Associate the isolate-user-VLAN with the secondary VLANs. [DeviceB] isolate-user-vlan 5 secondary 2 to 3 2. Configure Device C: # Configure the isolate-user-VLAN. system-view [DeviceC] vlan 6 [DeviceC-vlan6] isolate-user-vlan enable [DeviceC-vlan6] quit # Create secondary VLANs. [DeviceC] vlan 3 to 4 # Configure the uplink port GigabitEthernet 1/0/ 5 to operate in promiscuous mode in VLAN 6. [DeviceC] interface gigabitethernet 1/0/5 [DeviceC-GigabitEthernet1/0/5] port isolate-user-vlan 6 promiscuous [DeviceC-GigabitEthernet1/0/5] quit # Configure downlink ports GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 to VLAN 3 and VLAN 4, respectively, and configure the ports to operate in host mode. [DeviceC] interface gigabitethernet 1/0/3 [DeviceC-GigabitEthernet1/0/3] port access vlan 3 [DeviceC-GigabitEthernet1/0/3] port isolate-user-vlan host [DeviceC-GigabitEthernet1/0/3] quit [DeviceC] interface gigabitethernet 1/0/4 [DeviceC-GigabitEthernet1/0/4] port access vlan 4 [DeviceC-GigabitEthernet1/0/4] port isolate-user-vlan host [DeviceC-GigabitEthernet1/0/4] quit # Associate the isolate-user-VLAN with the secondary VLANs. [DeviceC] isolate-user-vlan 6 secondary 3 to 4 Verifying the configuration # Display the isolate-user-VLAN configuration on Device B. [DeviceB] display isolate-user-vlan Isolate-user-VLAN VLAN ID : 5 Secondary VLAN ID : 2-3 VLAN ID: 5 VLAN Type: static Isolate-user-VLAN type : isolate-user-VLAN
152
Route Interface: not configured
Description: VLAN 0005
Name: VLAN 0005
Tagged Ports: none
Untagged Ports:
GigabitEthernet1/0/1 GigabitEthernet1/0/2 GigabitEthernet1/0/5
VLAN ID: 2
VLAN Type: static
Isolate-user-VLAN type : secondary
Route Interface: not configured
Description: VLAN 0002
Name: VLAN 0002
Tagged Ports: none
Untagged Ports:
GigabitEthernet1/0/2 GigabitEthernet1/0/5
VLAN ID: 3
VLAN Type: static
Isolate-user-VLAN type : secondary
Route Interface: not configured
Description: VLAN 0003
Name: VLAN 0003
Tagged Ports: none
Untagged Ports:
GigabitEthernet1/0/1 GigabitEthernet1/0/5
153 Configuring a voice VLAN Overview A voice VLAN is configured for voice traffic. After assigning the ports that connect to voice devices to a voice VLAN, the system automatically configures quality of service (QoS) parameters for voice traffic, to improve the transmission priority of voice traffic and ensure voice quality. Common voice devices include IP phones and integrated access devices (IADs). Only IP phones are used in the voice VLAN configuration examples in this document. OUI addresses A device determines whether a received packet is a voice packet by evaluating its source MAC address. A packet whose source MAC address complies with the Organizationally Unique Identifier (OUI) address of the voice device is regarded as voice traffic. You can remove the default OUI address of a device manually and then add new ones manually. You can configure the OUI addresses of a device in advance or use the default OUI addresses. Tabl e 15 li sts the default OUI address for each vendor’s devices. Table 15 The default OUI addresses of different vendors Number OUI address Vendor 1 0001-E300-0000 Siemens phone 2 0003-6B00-0000 Cisco phone 3 0004-0D00-0000 Avaya phone 4 00D0-1E00-0000 Pingtel phone 5 0060-B900-0000 Philips/NEC phone 6 00E0-7500-0000 Polycom phone 7 00E0-BB00-0000 3Com phone In general, as the first 24 bits of a MAC address (in binary format), an OUI address is a globally unique identifier that IEEE assigns to a vendor. In this document, however, OUI addresses are addresses that the system uses to determine whether a received packet is a voice packet. They are the results of the AND operation of the arguments mac-address and oui-mask in the voice vlan mac-address command. Voice VLAN assignment modes A port can be assigned to a voice VLAN in one of the following modes: • Automatic mode —The system matches the source MAC address carried in the untagged packets sent when an IP phone is powered on against th e device’s OUI addresses. If the system finds a match, it automatically assigns the receiving port to the voice VLAN, issues ACL rules, and configures the packet precedence. You can configure a voice VLAN aging time on the device. The system will remove a port from the voice VLAN if no packet is received from the port during the aging time. The system automatically assigns ports to, or removes ports from, a voice VLAN.
154 Automatic mode is suitable for scenarios where PCs and IP phones connected in series access the network through the device and ports on the device transmit both voice traffic and data traffic at the same time, as shown in Figure 48. W hen the voice VLAN works normally, when the system reboots, the system reassigns ports in automatic voice VLAN assignment mode to the voice VLAN after the reboot, ensuring that existing voice connections can work normally. In this case, voice traffic streams do not trigger port assignment to the voice VLAN. Figure 48 PCs and IP phones connected in series access the network • Manual mode —You must manually assign an IP phone accessing port to a voice VLAN. Then, the system matches the source MAC addresses carried in the packets against the device’s OUI addresses. If the system finds a match, it issues ACL rules and configures the packet precedence. In this mode, you must manually assign ports to, or remove ports from, a voice VLAN. Manual mode is suitable for scenarios where only IP phones a ccess the network through the device and ports on the device transmit only voice traffic, as shown in Figure 49. In this m ode, ports assigned to a voice VLAN transmit voice traffic exclusively, which prevents the impact of data traffic on the transmission of voice traffic. Figure 49 Only IP phones access the network Both modes forward tagged packets according to their tags. Tabl e 16 and Tabl e 17 list t he configurations required for port s of different link types to support tagged or untagged voice traffic sent from IP phones when different voice VLAN assignment modes are configured. • IP phones send tagged voice traffic Table 16 Required configurations on ports of different link types for them to support tagged voice traffic Port link t ype Voice VLAN assignment mode Support for tagged voice traffic Configuration requirements Access Automatic No N/A Manual Trunk Automatic Yes The PVID of the port cannot be the voice VLAN.
155 Port link t ype Voice VLAN assignment mode Support for tagged voice traffic Configuration requirements Manual The PVID of the port cannot be the voice VLAN. Configure the port to permit packets of the voice VLAN to pass through. Hybrid Automatic Yes The PVID of the port cannot be the voice VLAN. Manual The PVID of the port cannot be the voice VLAN. Configure the port to permit packets of the voice VLAN to pass through tagged. • IP phones send untagged voice traffic When IP phones send untagged voice traffic, you can only configure the voice traffic receiving ports on the device to operate in manual voice VLAN assignment mode. Table 17 Required configurations on ports of different link types for them to support tagged voice traffic Port link t ype Voice VLAN assignment mode Support for untagged voice traffic Configuration requirements Access Automatic No N/A Manual Yes Configure the PVID of the port as the voice VLAN. Trunk Automatic No N/A Manual Yes Configure the PVID of the port as the voice VLAN and assign the port to the voice VLAN. Hybrid Automatic No N/A Manual Yes Configure the PVID of the port as the voice VLAN and configure the port to permit packets of the voice VLAN to pass through untagged. When you configure the voice VLAN assignment modes, follow these guidelines: • If an IP phone sends tagged voice traffic and its accessing port is configured with 802.1X authentication and guest VLAN, assign different VLAN IDs for the voice VLAN, the PVID of the connecting port, and the 802.1X guest VLAN. • If an IP phone sends untagged voice traffic, to implement the voice VLAN feature, you must configure the PVID of the IP phone’s accessing port as the voice VLAN. As a result, you cannot implement 802.1X authentication. • The PVID is VLAN 1 for all ports by default. You can configure the PVID of a port and assign a port to certain VLANs by using commands. For more information, see Configuring VLANs. • U se the display interface command to display the PVID of a port and the VLANs to which the port is assigned. Security mode and normal mode of voice VLANs Depending on their inbound packet filtering mechan isms, voice VLAN-enabled ports operate in the following modes: • Normal mode —Voice VLAN-enabled ports receive packets that carry the voice VLAN tag, and forward packets in the voice VLAN without com paring their source MAC addresses against the OUI addresses configured for the device. If the PVID of the port is the voice VLAN and the port operates
156 in manual VLAN assignment mode, the port forwards all received untagged packets in the voice VLAN. In normal mode, voice VLANs are vulnerable to traffic attacks. Malicious users might send large quantities of forged voice packets to consume the voice VLAN bandwidth, affecting normal voice communication. • Security mode —Only voice packets whose source MAC addresses match the recognizable OUI addresses can pass through the voice VLAN-enabl ed inbound port, but all other packets are dropped. In a safe network, you can configure the voice VLANs to operate in normal mode, reducing the consumption of system resources due to source MAC addresses checking. TIP: HP does not recommend you transmit both voice traffic and non-voice traffic in a voice VLAN. If you mus t transmit both voice traffic and nonvoice traffic, make sure that the voice VLAN security mode is disabled. Table 18 How a voice VLAN-enabled port processes packets in security and normal mode Voice VLAN mode Packet type Packet processing mode Security mode Untagged packets If the source MAC address of a packet matches an OUI address configured for the device, it is forwarded in the voice VLAN; otherwise, it is dropped. Packets that carry the voice VLAN tag Packets that carry other tags Forwarded or dropped depending on whether the port allows packets of these VLANs to pass through Normal mode Untagged packets The port does not determine the source MAC addresses of inbound packets. In this way, both voice traffic and non-voice traffic can be transmitted in the voice VLAN. Packets that carry the voice VLAN tag Packets that carry other tags Forwarded or dropped depending on whether the port allows packets of these VLANs to pass through Configuration prerequisites Before you configure a voice VLAN, complete the following tasks: • Create a VLAN. • Configure QoS priority settings for voice VLAN traffic on an interface before you enable voice VLAN on the interface. If the configuration order is reversed, your priority configuration will fail. For more information, see Configuring QoS priority settings fo r voice traffic on a n interface. • Configure the voice VLAN assignment mode. For more information, see Configuring a port to operate in automatic voice VLAN assignment mode and Configuring a port to operate in manual voice VLAN assignment mode .
157 Configuring QoS priority settings for voice traffic on an interface In voice VLAN applications, you can improve the quality of voice traffic by configuring the appropriate QoS priority settings, including the Class of Service (CoS) and Differentiated Services Code Point (DSCP) values, for voice traffic. Voice traffic carries its own QoS priority settings. You can configure the device either to modify or not to modi fy the QoS priority settings carried by incoming voice traffic. Configuration restrictions and guidelines Configure the QoS priority settings for voice traffic on an interface before you enable voice VLAN on the interface. If the configuration order is reversed, your priority trust setting will fail. Configuration procedure To configure QoS priority settings for voice traffic: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter Layer 2 Ethernet interface view. interface interface-type interface-number N/A 3. Configure the interface to trust the QoS priority settings in incoming voice traffic, but not to modify the CoS and DSCP values marked for incoming traffic of the voice VLAN. voice vlan qos trust Use either command. By default, an interface modifies the CoS value and the DSCP value marked for voice VLAN traffic into 6 and 46, respectively. The voice vlan qos command and the voice vlan qos trust command can overwrite each other, whichever is configured last. 4. Configure the interface to modify the CoS and DSCP values marked for incoming traffic of the voice VLAN into specified values. voice vlan qos cos-value dscp-value Configuring a port to operate in automatic voice VLAN assignment mode To set a port to operate in automatic voice VLAN assignment mode: Step Command Remarks 1. Enter system view. system-view N/A
158 Step Command Remarks 2. Set the voice VLAN aging time. voice vlan aging minutes Optional. By default, the aging time of a voice VLAN is 1440 minutes. The voice VLAN aging time configuration is only applicable on ports in automatic voice VLAN assignment mode. 3. Enable the voice VLAN security mode. voice vlan security enable Optional. By default, the voice VLAN security mode is enabled. 4. Add a recognizable OUI address. voice vlan mac-address oui mask oui-mask [ description text ] Optional. By default, each voice VLAN has default OUI addresses configured. For the default OUI addresses of different vendors, see Table 15. 5. Enter Ethernet interface view. interface interface-type interface-number N/A 6. Configure the port to operate in automatic voice VLAN assignment mode. voice vlan mode auto Optional. By default, the automatic voice VLAN assignment mode is enabled. The voice VLAN assignment modes on different ports are independent of one another. 7. Enable the voice VLAN feature. voice vlan vlan-id enable By default, the voice VLAN feature is disabled. NOTE: A protocol-based VLAN on a hybrid port can process only untagged inbound packets, whereas the voice VLAN in automatic mode on a hy brid port can process only tagged voice traffic. Do not configure a VLAN as both a protocol-based VLAN and a voice VLAN. For more information, see Configuring VLANs. Configuring a port to operate in manual voice VLAN assignment mode Configuration restrictions and guidelines • You can configure different voice VLANs on different ports at the same time. However, you can configure one port with only one voice VLAN, and this voice VLAN must be a static VLAN that already exists on the device. • You cannot enable voice VLAN on the member ports of a link aggregation group. For more information about the member ports, see Configuring Ethernet link aggregation. • T o m a ke voic e V L A N t a ke e f fe c t o n a p o r t t h a t i s e n a b l e d wi t h voic e V L A N a n d o p e ra t e s i n m a nu a l voice VLAN assignment mode, you must assign the port to the voice VLAN manually. Configuration procedure To set a port to operate in manual voice VLAN assignment mode:
159
Step Command Remarks
1. Enter system view.
system-view N/A
2. Enable the voice
VLAN security
mode. voice vlan security enable Optional.
By default, the voice VLAN security mode is
enabled.
3.
Add a
recognizable OUI
address. voice vlan mac-address
oui mask
oui-mask [ description text ] Optional.
By default, each voice VLAN has default OUI
addresses configured. For the default OUI
addresses of different vendors, see
Table 15.
4. Enter interface
view. interface
interface-type
interface-number N/A
5.
Configure the port
to operate in
manual voice
VLAN assignment
mode. undo voice vlan mode auto
By default, the manual voice VLAN assignment
mode is disabled.
6.
Assign the access,
trunk, or hybrid
port in manual
voice VLAN
assignment mode
to the voice VLAN. For the configuration procedure,
see
Configuring VLANs . After you assign an access port to the
voice
VLAN, the voice VLAN becomes the PVID of the
port automatically.
7. Configure the voice
VLAN as the PVID
of the trunk or
hybrid port. For the configuration procedure,
see
Configuring VLANs . Optional.
This operation is required for untagged
inbound voice traffic an d prohibited for tagged
inbound voice traffic.
8. Enable voice VLAN
on the port. voice vlan vlan-id
enable Disabled by default.
Displaying and maintaining voice VLAN
Task Command Remarks
Display the voice VLAN state. display voice vlan state [ |
{ begin | exclude |
include } regular-expression ] Available in any view
Display the OUI addresses that the
system supports. display voice vlan oui
[ | { begin | exclude |
include } regular-expression ] Available in any view
Voice VLAN configuration examples
Automatic voice VLAN mode configuration example
Network requirements
As shown in
Figure 50,