HP 5500 Ei 5500 Si Switch Series Configuration Guide
Have a look at the manual HP 5500 Ei 5500 Si Switch Series Configuration Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 1114 HP manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
![Page 486
4
Step Command Remarks
2. Configure a static ARP
entry.
• Configure a long static ARP entry:
arp static ip-address mac-address vlan-id
interface-type interface-number [ vpn-instance
vpn-instance-name ]
• Configure a short static ARP entry:
arp static ip-address mac-address [ vpn-instance
vpn-instance-name ] Use either command.
Only HP 5500 EI
Switch Series supports
the
vpn-instance
vpn-instance-name
option
Configuring the maximum number of dynamic ARP
entries for an...](http://img.usermanuals.tech/thumb/36/58909/w64_hp-5500-ei-5500-si-switch-series-configuration-guide-485.png "Page 486
4
Step Command Remarks
2. Configure a static ARP
entry.
• Configure a long static ARP entry:
arp static ip-address mac-address vlan-id
interface-type interface-number [ vpn-instance
vpn-instance-name ]
• Configure a short static ARP entry:
arp static ip-address mac-address [ vpn-instance
vpn-instance-name ] Use either command.
Only HP 5500 EI
Switch Series supports
the
vpn-instance
vpn-instance-name
option
Configuring the maximum number of dynamic ARP
entries for an...")
![Page 489
7
CAUTION:
•
Clearing ARP entries from the ARP table may cause communication failures.
• The verbose keyword is available only on the HP 5500 EI Switch Series.
Task Command Remarks
Display ARP entries in the ARP
table. display arp [ [
all | dynamic | static ] [ slot
slot-number ] | vlan vlan-id | interface
interface-type interface-number ] [ count |
verbose ] [ | { begin | exclude | include }
regular-expression ] Available in any view
Display the ARP entry for a...](http://img.usermanuals.tech/thumb/36/58909/w64_hp-5500-ei-5500-si-switch-series-configuration-guide-488.png "Page 489
7
CAUTION:
•
Clearing ARP entries from the ARP table may cause communication failures.
• The verbose keyword is available only on the HP 5500 EI Switch Series.
Task Command Remarks
Display ARP entries in the ARP
table. display arp [ [
all | dynamic | static ] [ slot
slot-number ] | vlan vlan-id | interface
interface-type interface-number ] [ count |
verbose ] [ | { begin | exclude | include }
regular-expression ] Available in any view
Display the ARP entry for a...")
![Page 490
8
Figure 4 Network diagram
Configuration procedure
Configure the switch:
# Create VLAN 10.
system-view
[Switch] vlan 10
[Switch-vlan10] quit
# Add interface GigabitEthernet 1/0/1 to VLAN 10.
[Switch] interface GigabitEthernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk permit vlan 10
[Switch-GigabitEthernet1/0/1] quit
# Create interface VLAN-interface 10 and configure its IP address.
[Switch] interface vlan-interface 10...](http://img.usermanuals.tech/thumb/36/58909/w64_hp-5500-ei-5500-si-switch-series-configuration-guide-489.png "Page 490
8
Figure 4 Network diagram
Configuration procedure
Configure the switch:
# Create VLAN 10.
system-view
[Switch] vlan 10
[Switch-vlan10] quit
# Add interface GigabitEthernet 1/0/1 to VLAN 10.
[Switch] interface GigabitEthernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk permit vlan 10
[Switch-GigabitEthernet1/0/1] quit
# Create interface VLAN-interface 10 and configure its IP address.
[Switch] interface vlan-interface 10...")
9 • Add GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 into VLAN 1, and specify IP address 16 .1.1. 3 0 / 2 4 f o r V L A N - i n t e r f a c e 1. • Add GigabitEthernet 1/0/1 and GigabitEthernet 1/0/4 into VLAN 2, and specify IP address 17.1.1.1 / 2 4 f o r V L A N - i n t e r f a c e 2 . • S p e c i f y 17.1.1.1 / 2 4 a s t h e d e f a u l t g a t e w a y o f H o s t A a n d H o s t B . • Specify 16.1.1.30/24 as the default gateway of Server A and Server B. • Disable the ARP entry check function so that the switch can learn dynamic ARP entries containing multicast MAC addresses. • Configure a static multicast MAC address entry so that only interfaces GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 can receive multicast information. Figure 5 Network diagram Configuration procedure This example only describes multicast ARP configuration on the switch, and is only applicable to multicast NLB. For NLB configuration on the servers, see the related documents of the Windows Server. # Specify an IP address for VLAN-interface 2. system-view [Switch] vlan 2 [Switch-vlan2] port GigabitEthernet 1/0/4 [Switch-vlan2] port GigabitEthernet 1/0/1 [Switch-vlan2] quit [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 17.1.1.1 255.255.255.0 [Switch-Vlan-interface2] quit # Specify an IP address for VLAN-interface 1. [Switch] interface vlan-interface 1 [Switch-Vlan-interface1] ip address 16.1.1.30 255.255.255.0 [Switch-Vlan-interface1] quit # Disable the ARP entry check function. [Switch] undo arp check enable # Configure a static multicast MAC address entry. [Switch] mac-address multicast 03bf-1001-0164 interface GigabitEthernet \ 1/0/2 Gigabi tEthernet 1/0/3 vlan 1
10 Verifying the configuration • NLB load sharing —Enables the FTP server function of Server A and Server B. Host A and Host B send requests to the virtual IP address and each of them logs in to a different server. • NLB redundancy —Disables the network interface card of Server A. Host A and Host B send requests to the virtual IP address and both log in to the FTP server on Server B.
11 Configuring gratuitous ARP Overview In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device. A device sends a gratuitous ARP packet for either of the following purposes: • Determine whether its IP address is already used by another device. If the IP address is already used, the device is informed of the conflict by an ARP reply. • Inform other devices of a change of its MAC address. Gratuitous ARP packet learning This feature enables a device to create or update ARP entries by using the sender IP and MAC addresses in received gratuitous ARP packets. With this feature disabled, the device uses received gratuitous ARP packets to update existing ARP entries only. Periodic sending of gratuitous ARP packets Enabling a device to periodically send gratuitous ARP packets helps downstream devices update their corresponding ARP entries or MAC entries in time. This feature can be used to: • Prevent gateway spoofing. When an attacker sends forged gratuitous ARP packets to the hosts on a network, the traffic destined for the gateway from the hosts is sent to the attacker instead. As a result, the hosts cannot access the external network. To prevent gateway spoofing attacks, enable the gateway to send gratuitous ARP packets containing its primary IP address and manually co nfigured secondary IP addresses at a specific interval, so hosts can learn correct gateway address information. • Prevent ARP entries from aging out. If network traffic is heavy or if a host’s CPU usage is high on a host, received ARP packets may be discarded or not be processed in time. Eventually , the dynamic ARP entries on the receiving host age out, and the traffic between the host and the corresponding devices is in terrupted until the host re-creates the ARP entries. To prevent this problem, enable the gateway to send gratuitous ARP packets periodically. The gratuitous ARP packets contain the gateways primar y IP address or one of its manually configured secondary IP addresses, so the receiving host can update ARP entries in time, ensuring traffic continuity. • Prevent the virtual IP address of a VRRP group from being used by a host. The master router of a VRRP group can periodically send gratuitous ARP packets to the hosts on the local network, so that the hosts can update local ARP entries and avoid using the virtual IP address of the VRRP group.
12 If the virtual IP address of the VRRP group is associated with a virtual MAC address, the sender MAC address in the gratuitous ARP packet takes the virtual MAC address of the virtual router. If the virtual IP address of the VRRP group is associated with the real MAC address of an interface, the sender MAC address in the gratuitous ARP packet takes the MAC address of the interface on the master router in the VRRP group. For more information about VRRP, see High Availability Configuration Guide. Configuration guidelines Follow these guidelines when you configure gratuitous ARP: • You can enable periodic sending of gratuitous ARP packets in VLAN interface view or Layer 3 Ethernet port view. • You can enable periodic sending of gratuitous ARP packets on a maximum of 1024 interfaces. • Periodic sending of gratuitous ARP packets takes effect only when the link of the enabled interface goes up and an IP address has been assigned to the interface. • If you change the interval for sending gratuitous ARP packets, the configuration is effective at the next sending interval. • The frequency of sending gratuitous ARP packets may be much lower than is expected if this function is enabled on multiple interfaces, if each interface is configured with multiple secondary IP addresses, or if a small sending interval is configured in such cases. Configuration procedure To c o n fig u re g ra t u i to us A R P : Step Command Remarks 1. Enter system view. system-view N/A 2. Enable learning of gratuitous ARP packets. gratuitous-arp-learning enable Optional. Enabled by default. 3. Enable the device to send gratuitous ARP packets upon receiving ARP requests from another subnet. gratuitous-arp-sending enable By default, a device does not send gratuitous ARP packets upon receiving ARP requests from another subnet. 4. Enter interface view. interface interface-type interface-number N/A 5. Enable periodic sending of gratuitous ARP packets and set the sending interval. arp send-gratuitous-arp [ interval milliseconds ] Disabled by default.
13 Configuring proxy ARP Overview Proxy ARP enables a device on a network to answer ARP requests for an IP address not on that network. With proxy ARP, hosts on different broadcast domains can communicate with each other as they do on the same network. Proxy ARP includes common proxy ARP and local proxy ARP. • Common proxy ARP —Allows communication between hosts that connect to different Layer-3 interfaces and reside in different broadcast domains. • Local proxy ARP —Allows communication between hosts that connect to the same Layer-3 interface and reside in different broadcast domains. Common proxy ARP A proxy ARP enabled device allows hosts that reside on different subnets to communicate. As shown in Figure 6, S witch connects to two subnets through VLAN-interface 1 and VLAN-interface 2. The IP addresses of the two interfaces are 192.168.10.99/24 and 192.168.20.99/24. Host A and Host B are assigned the same prefix 192.168.0.0. Host A connects to VLAN-interface 1 and Host B connects to VLAN-interface 2. Figure 6 Application environment of proxy ARP Because Host A and Host B have the same prefix 192.168.0.0, Host A considers that Host B is on the same network, and it broadcasts an ARP request for the MAC address of Host B. However, Host B cannot receive this request because it is in a different broadcast domain. You can enable proxy ARP on VLAN-interface 1 of the switch so that the switch can reply to the ARP request from Host A with the MAC address of VLAN-interface 1, and forward packets sent from Host A to Host B. In this case, the switch acts as a proxy of Host B. A main advantage of proxy ARP is that you can enable it on a single switch without disturbing routing tables of other routers in the network. Proxy ARP acts as the gateway for hosts that are not configured with a default gateway or do not have routing capability. Local proxy ARP As shown in Figure 7, Ho st A and Host B belong to VLAN 2, but are isolated at Layer 2. Host A connects to GigabitEthernet 1/0/3 while Host B connects to GigabitEthernet 1/0/1. Enable local proxy ARP on Switch A to allow Layer 3 communication between the two hosts.
14
Figure 7 Application environment of local proxy ARP
Enable local proxy ARP in one of the following cases:
• Hosts connecting to different isolated Layer 2 ports in the same VLAN need to communicate at
Layer 3.
• If a super VLAN is configured, hosts in different sub VLANs of the super VLAN need to communicate
at Layer 3.
• If an isolate-user-VLAN is configured, hosts in different secondary VLANs of the isolate-user-VLAN
need to communicate at Layer 3.
Enabling common proxy ARP
To enable common proxy ARP in VLAN interface view /Layer 3 Ethernet port view/Layer 3 aggregate
interface view:
Step Command Remarks
1. Enter system view.
system-view N/A
2. Enter interface view.
interface interface-type interface-number N/A
3. Enable proxy ARP.
proxy-arp enable Disabled by default
Enabling local proxy ARP
To enable local proxy ARP in VLAN interface view /Layer 3 Ethernet port view/Layer 3 aggregate
interface view:
Step Command Remarks
1. Enter system view.
system-view N/A
2. Enter interface view.
interface interface-type interface-number N/A
3. Enable local proxy ARP.
local-proxy-arp enable [ ip-range startIP to endIP ] Disabled by default
15
Displaying and maintaining proxy ARP
Task Command Remarks
Display whether proxy ARP is
enabled. display proxy-arp [
interface interface-type
interface-number ] [ | { begin | exclude |
include } regular-expression ] Available in any view
Display whether local proxy ARP is
enabled. display local-proxy-arp
[ interface
interface-type interface-number ] [ | { begin
| exclude | include } regular-expression ] Available in any view
Proxy ARP configuration examples
Common proxy ARP configuration example
Network requirements
As shown in Figure 8, Ho st A and Host D have the same IP prefix and mask (IP addresses of Host A and
Host D are 192.168.10.100/16 and 192.168.20.200/16 respectively), but they are located on different
subnets separated by the switch (Hos t A belongs to VLAN 1 while Host D belongs to VLAN 2). As a result,
Host D cannot receive or respond to any ARP request from Host A.
You must configure proxy ARP on the switch to enable communication between the two hosts.
Figure 8 Network diagram
Configuration procedure
# Create VLAN 2.
system-view
[Switch] vlan 2
[Switch-vlan2] quit
16 # Specify the IP address of interface VLAN-interface 1. [Switch] interface vlan-interface 1 [Switch-Vlan-interface1] ip address 192.168.10.99 255.255.255.0 # Enable proxy ARP on interface VLAN-interface 1. [Switch-Vlan-interface1] proxy-arp enable [Switch-Vlan-interface1] quit # Specify the IP address of interface VLAN-interface 2. [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.20.99 255.255.255.0 # Enable proxy ARP on interface VLAN-interface 2. [Switch-Vlan-interface2] proxy-arp enable After completing preceding configurations, use the ping command to verify the connectivity between Host A and Host D. Local proxy ARP configuration example in case of port isolation Network requirements As shown in Figure 9 , Host A and Host B belong to the same VLAN, and connect to Switch B via GigabitEthernet 1/0/3 and GigabitEthernet 1/0/1 respectively. Switch B connects to Switch A via GigabitEthernet 1/0/2. Configure port isolation on GigabitEthernet 1/0/3 and GigabitEthernet 1/0/1 of Switch B to isolate Host A from Host B at Layer 2. Enable local proxy ARP on Switch A to allow communication between Host A and Host B at Layer 3. Figure 9 Network diagram Configuration procedure 1. Configure Switch B: # Add GigabitEthernet 1/0/3, GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to VLAN 2. Configure port isolation on Host A and Host B. system-view [SwitchB] vlan 2 [SwitchB-vlan2] port GigabitEthernet 1/0/3 GE1/0/2 VLAN 2 Vlan-int2 192.168.10.100/16 Switch B GE1/0/3 GE1/0/1 GE1/0/2 Host A192.168.10.99/16 Host B192.168.10.200/16 VLAN 2 port-isolate group Switch A
17 [SwitchB-vlan2] port GigabitEthernet 1/0/1 [SwitchB-vlan2] port GigabitEthernet 1/0/2 [SwitchB-vlan2] quit [SwitchB] interface GigabitEthernet 1/0/3 [SwitchB-GigabitEthernet1/0/3] port-isolate enable [SwitchB-GigabitEthernet1/0/3] quit [SwitchB] interface GigabitEthernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] port-isolate enable [SwitchB-GigabitEthernet1/0/1] quit 2. Configure Switch A: # Create VLAN 2, and add GigabitEthernet 1/0/2 to VLAN 2. system-view [SwitchA] vlan 2 [SwitchA-vlan2] port GigabitEthernet 1/0/2 [SwitchA-vlan2] quit [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 192.168.10.100 255.255.0.0 F r o m H o s t A , p i n g H o s t B . T h e p i n g o p e r a t i o n i s unsuccessful because they are isolated at Layer 2. # Configure local proxy ARP to allow communicati on between Host A and Host B at Layer 3. [SwitchA-Vlan-interface2] local-proxy-arp enable From Host A, ping Host B. The ping operation is successful after the configuration. Local proxy ARP configuration example in super VLAN(only available on the HP 5500 EI) Network requirements Figure 10 shows a super VLAN, VLAN 10, with the interface IP address 192.168.10.100/16 and sub-VLANs (VLAN 2 and VLAN 3). GigabitEthernet 1/0/2 belongs to VLAN 2 and GigabitEthernet 1/0/1 belongs to VLAN 3. Host A belongs to VLAN 2 and connects to GigabitEthernet 1/0/2 of the switch. Host B belongs to VLAN 3 and connects to GigabitEthernet 1/0/1 of the switch. As Host A and Host B belong to different Sub-VLANs, they are isolated at Layer 2. Configure local proxy ARP on the switch to allow Layer 3 communication between Host A and Host B. Figure 10 Network diagram Host B192.168.10.200/16 Host A192.168.10.99/16 Switch GE1/0/2 VLAN 2 Sub VLAN VLAN 10 Super VLAN Vlan-int10 192.168.10.100/16 GE1/0/1 VLAN 3 Sub VLAN
18 Configuration procedure # Create the super VLAN and the sub-VLANs. Add GigabitEthernet 1/0/2 to VLAN 2 and GigabitEthernet 1/0/1 to VLAN 3. Configure the IP address 192.168.10.100/16 for the interface of VLAN 10. system-view [Switch] vlan 2 [Switch-vlan2] port GigabitEthernet 1/0/2 [Switch-vlan2] quit [Switch] vlan 3 [Switch-vlan3] port GigabitEthernet 1/0/1 [Switch-vlan3] quit [Switch] vlan 10 [Switch-vlan10] supervlan [Switch-vlan10] subvlan 2 3 [Switch-vlan10] quit [Switch] interface vlan-interface 10 [Switch-Vlan-interface10] ip address 192.168.10.100 255.255.0.0 From Host A, ping Host B. The ping operation is unsuccessful because they are isolated at Layer 2. # Configure local proxy ARP to implement Layer 3 communication between sub-VLANs. [Switch-Vlan-interface10] local-proxy-arp enable From Host A, ping Host B. The ping operation is successful after the configuration. Local proxy ARP configuration example in isolate-user-VLAN Network requirements As shown in Figure 11, Switch B is attached to Switch A. VLAN 5 on Switch B is an isolate -user-VLAN, which includes uplink port GigabitEthernet 1/0/2 and two secondary VLANs, VLAN 2 and VLAN 3. GigabitEthernet 1/0/3 belongs to VLAN 2, and GigabitEthernet 1/0/1 belongs to VLAN 3. Host A belongs to VLAN 2 and connects to GigabitEth ernet 1/0/3 of Switch B. Host B belongs to VLAN 3 and connects to GigabitEthernet 1/0/1 of Switch B. As Host A and Host B belong to different secondary VL ANs, they are isolated at Layer 2. Configure local proxy ARP on Switch A to implement Layer 3 communication between Host A and Host B.