Zxr10 5960 Switch

ZXR10 5900/5200 Series
All Gigabit-Port Intelligent Routing Switch

User Manual (Basic Configuration Volume)
Version 2.8.23.A
ZTE CORPORATION
ZTE Plaza, Keji Road South,
Hi-Tech Industrial Park,
Nanshan District, Shenzhen,
P. R. China
518057
Tel: (86) 755 26771900
Fax: (86) 755 26770801
URL: http://ensupport.zte.com.cn
E-mail: [email protected]
LEGAL INFORMATION
Copyright © 2006 ZTE CORPORATION.
The contents of this document are protected by copyright laws and international treaties. Any reproduction or distribution of
this document or any portion of this document, in any form by any means, without the prior written consent of ZTE CORPO-
RATION is prohibited. Additionally, the contents of this document are protected by contractual confidentiality obligations.
All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE CORPORATION
or of their respective owners.
This document is provided “as is”, and all express, implied, or statutory warranties, representations or conditions are dis-
claimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose, title or non-in-
fringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the use of or reliance on the
information contained herein.
ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications covering the subject
matter of this document. Except as expressly provided in any written license between ZTE CORPORATION and its licensee,
the user of this document shall not acquire any license to the subject matter herein.
ZTE CORPORATION reserves the right to upgrade or make technical change to this product without further notice.
Users may visit ZTE technical support website http://ensupport.zte.com.cn to inquire related information.
The ultimate right to interpret this product resides in ZTE CORPORATION.
Revision History
Revision No. Revision Date Revision Reason

R1.2 20091015 Edition update
Serial Number: sjzl20095126

About This Manual.............................................. i
Safety Description .............................................1
Safety Introduction ......................................................... 1
Symbol Descriptions ....................................................... 1
Usage and Operation .........................................3
Configuration Mode......................................................... 3
Configuring Through Console Port ................................. 4
Telnet Connection Configuration ................................... 7
SSH Connection Configuration ...................................... 9
Simple Network Management Protocol (SNMP) ..............11
Command Mode Function................................................12
Command Line Function .................................................13
Online Help Command................................................13
Command Abbreviation ..............................................14
History Commands ....................................................14
System Management ....................................... 17
File System...................................................................17
Introduction to File System .........................................17
Operating File System Management .............................18
FTP/TFTP Overview ........................................................19
Configuring Switch as an FTP Client .............................19
Configuring Switch as an TFTP Client............................20
Backing up Data and Restoring Data ................................22
Backing Up Configuration File ......................................22
Restoring Configuration File ........................................22
Backing Up Version File ..............................................22
Restoring Version File.................................................22
Software Version Upgrade...............................................23
Upgrading the Version at Abnormality...........................23
Upgrading the Version at Normality ..............................25
Configuring System Parameters .......................................26
Setting a Hostname of System ....................................26
Setting Welcome Message upon System Boot ................26
Setting Privileged Mode Key ........................................26
Setting Telnet Username and Password.........................26
Setting System Time..................................................27
Setting System Console User Connection
Parameters .......................................................27
Setting System Telnet User Connection Parameters .........27
Allowing Multiple Users to Configure System at the
Same Time .......................................................27
Viewing System Information ...........................................28
Viewing Hardware and Software Versions of the
System ............................................................28
Viewing Running Configuration ....................................28
Interface Configuration ................................... 29
Basic Port Configuration .................................................29
Disabling/Enabling an Ethernet port .............................30
Enabling/Disabling Auto-Negotiation on an Ethernet
Port .................................................................31
Configuring Automatic Negotiation Notification on an
Ethernet Port ...................................................31
Setting Ethernet port Duplex Mode ..............................32
Setting Ethernet Port Speed ........................................32
Setting Flow Control on an Ethernet Port ......................32
Allowing/Prohibiting Jumbo Fame on an Ethernet
Port .................................................................33
Setting Port Alias on an Ethernet Port...........................33
Setting Broadcast Storm Suppression on an Ethernet
Port .................................................................33
Setting Multicast Packet Suppression on an Ethernet
Port .................................................................34
Setting Unknowcast Packet Suppression on an Ethernet
Port .................................................................34
Viewing Layer 2 Interface Physical Status .....................34
Displaying Port Information.........................................36
Diagnosing and Analyzing Lines ...................................36
Port Mirroring Configuration ............................................37
Port Mirroring Overview ..............................................37
Configuring Port Mirroring ...........................................38
Port Mirroring Configuration Example ...........................38
Loopback Detection Configuration ....................................40
Port Loopback Detection Overview ...............................40
Configuring Port Loopback Detection ............................40
Port Loop Detection Example.......................................41
DOM Configuration ........................................................42
DOM Function Overview .............................................42
Configuring DOM .......................................................43
Enabling DOM Function on Port ...........................43
Viewing Current Optical Module Information .........43
Viewing Module Threshold Information.................44
Viewing the Record Information That Module
Exceeds Threshold .................................45
Network Protocol Configuration ...................... 47
IP Address Configuration ................................................47
IP Address Overview ..................................................47
Configuring IP Address ...............................................49
IP Address Configuration Example................................49
ARP Configuration..........................................................49
ARP Overview ...........................................................49
Configuring ARP ........................................................50
ARP Configuration Example .........................................50
Switch Stack System ....................................... 53
Switch Stack System Introduction....................................53
Member Specification of Switch Stack System ..............54
Stack System Main Device Election and Renewed
Election ............................................................54
Stack System Member ID ...........................................55
Stack System MAC Address.........................................55
Stack Member Device Priority......................................55
Stack Member Device Software Version Check and
Automatic Upgrade ...........................................56
Stack System Configuration File ..................................56
Stack System Active/Standby Changeover ....................56
Configuring Switch Stack System.....................................57
Accessing the Specific Stack Member by Command
Line .....................................................................57
Viewing Switch Stack System Information.........................58
ACL Configuration............................................ 59
ACL Overview ...............................................................59
Configuring ACL ............................................................60
Configuring Time Range .............................................60
Configuring ACL Rule .................................................60
Configuring Basic ACL Rule.................................61
Configuring Extended ACL ..................................61
Configuring L2 ACL............................................62
Configuring Hybrid ACL ......................................63
Configuring Basic IPV6 ACL ................................64
Configuring Extended IPV6 ACL...........................64
Applying ACL on Physical Port......................................65
Applying ACL on VLAN................................................65
Configuring an ACL to Support Renaming......................66
ACL Configuration Example .............................................66
ACL Maintenance and Diagnosis.......................................68
QoS Configuration ........................................... 69
QoS Overview ...............................................................69
Traffic Classification ...................................................69
Traffic Policing ...........................................................70
Traffic Shaping ..........................................................71
Queue Bandwidth Limit ..............................................71
Queue Scheduling and Default 802.1p ..........................71
Redirection and Policy Routing.....................................72
Priority Marking.........................................................72
Marking Outside Vlan Value.........................................73
Traffic Mirroring .........................................................73
Traffic Statistics.........................................................73
Configuring QoS ............................................................73
Configuring Traffic Polices ...........................................73
Configuring Traffic Shaping .........................................74
Configuring Queue Bandwidth Limit..............................74
Configuring Queue Scheduling and Default 802.1p of
the Port............................................................75
Configuring Redirection and Policy Routing ....................75
Configuring Priority Marking ........................................76
Configuring Outer VLAN Value .....................................76
Configuring Traffic Mirroring ........................................77
Configuring Tail-Drop .................................................77
Configuring Traffic Statistics ........................................77
QoS Configuration Example.............................................78
Typical QoS Configuration Example ..............................78
Policy Routing Configuration Example ...........................79
QoS Maintenance and Diagnosis ......................................80
DHCP Configuration ......................................... 83
DHCP Overview .............................................................83
Configuring DHCP ..........................................................84
Configuring IP Pool ....................................................84
Configuring DHCP POOL .............................................86
Configuring DHCP POLICY ...........................................88
Configuring DCHP Server ............................................89
Configuring DHCP Snooping ........................................91
Configuring DHCP Relay..............................................94
Configuring DHCP Client .............................................98
DHCP Configuration Example...........................................99
DHCP Server Configuration Example ............................99
DHCP Relay Configuration Example ............................ 100
DHCP Snooping Configuration Example....................... 101
DHCP Snooping Prevent Static IP Configuration
Example ......................................................... 102
DHCP Maintenance and Diagnosis .................................. 103
VRRP Configuration ....................................... 105
VRRP Overview ........................................................... 105
Configuring VRRP ........................................................ 106
VRRP Configuration Example ......................................... 107
Basic VRRP Configuration Example ............................. 107
Symmetric VRRP Configuration Example ..................... 108
VRRP Maintenance and Diagnosis................................... 109
Network Management Configuration ............. 111
NTP Configuration........................................................ 111
NTP Overview ......................................................... 111
Configuring NTP ...................................................... 111
NTP Configuration Example ....................................... 112
RADIUS Configuration .................................................. 113
RADIUS Overview .................................................... 113
Configuring RADIUS................................................. 113
RADIUS Configuration Example ................................. 115
SNMP Configuration ..................................................... 115
SNMP Overview ....................................................... 115
Configuring SNMP .................................................... 115
SNMP Configuration Example .................................... 118
RMON Configuration..................................................... 119
RMON Overview ...................................................... 119
Configuring RMON ................................................... 119
RMON Configuration Example .................................... 120
SysLog Configuration ................................................... 121
SysLog Overview ..................................................... 121
Configuring SysLog .................................................. 121
Syslog Configuration Example ................................... 123
TACACS+ Configuration ................................................ 124
TACACS+ Overview ................................................. 124
Configuring TACACS+ .............................................. 124
TACACS Configuration Example ................................. 127
DOT1X Configuration ..................................... 129
DOT1x Overview ......................................................... 129
Configuring DOT1X ...................................................... 130
Configuring AAA ...................................................... 130
Configuring DOT1X Parameter ................................... 132
Configuring Local Authentication User......................... 133
Managing DOT1X Authentication Access User .............. 134
Managing Multiple Domains Configuration ................... 135
Configuring 802.1x VLAN Hopping ............................. 136
DOT1X Configuration Example....................................... 137
Dot1x Radius Authentication Application ..................... 137
Dot1x Trunk Authentication Application....................... 138
Dot1x Local Authentication Application ....................... 139
DOT1X Multiple Domains Function.............................. 140
DOT1X Maintenance and Diagnosis ................................ 140
Cluster Management Configuration ............... 143
Cluster Management Overview ...................................... 143
Configuring Cluster Management ................................... 145
Configuring ZDP Neighbor Discovery Protocol .............. 145
Configuring ZTP Topology Collection Protocol ............... 146
Establishing Cluster ................................................ 147
Maintaining Cluster .................................................. 148
Cluster Management Configuration Example.................... 149
Cluster Management Maintenance and Diagnosis ............. 149
IPTV Configuration ........................................ 151
Internet Protocol Television Overview ............................. 151
Configuring IPTV ......................................................... 151
Configuring IPTV Global Parameters ........................... 151
Configuring IPTV Channels........................................ 152
Configuring Channel Access Control (CAC) .................. 153
Configuring Administrative Command of IPTV
Users ............................................................. 154
IPTV Configuration Example .......................................... 154
IPTV Maintenance and Diagnosis.................................... 155
VBAS Configuration ....................................... 157
VBAS Overview ........................................................... 157
Configuring VBAS ........................................................ 157
Enabling/Disabling VBAS .......................................... 157
Enabling/Disabling VBAS in VLAN Mode ...................... 158
Configuring VBAS Trust Interface ............................... 158
Configuring VBAS Interface as User Interface or
Network Interface............................................ 158
VBAS Configuration Example ......................................... 158
VBAS Maintenance and Diagnosis .................................. 159
ZESR/ZESR+ Configuration ........................... 161
ZESR/ZESR+ Overview ................................................ 161
Configuring ZESR/ZESR+ ............................................. 162
Configuring ZESR Area Protection Instance ................. 162
Configuring Major-level Ring ZESR ............................. 162
Configuring Access Ring ZESR ................................... 164
Configuring ZESR Restart-Time ................................. 165
ZESR/ZESR+ Configuration Example .............................. 165
ZESR Configuration Example ..................................... 165
ZESR and ZESR+ Hybrid Configuration Example .......... 168
Security Configuration................................... 171
IP Source Guard .......................................................... 171
IP Source Guard Overview ........................................ 171
Configuring IP Source Guard ..................................... 171
IP Source Guard Configuration Example...................... 172
IP Source Guard Configuration based on IP
Address .............................................. 172
IP Source Guard Configuration based on MAC
Address .............................................. 172
Address and MAC address ..................... 173
Control Plane Security Configuration .............................. 174
Control Plane Security Overview ................................ 174
Command Configuration ........................................... 174
Configuration Example ............................................. 176
Maintenance and Diagnosis ....................................... 176
DAI Configuration ........................................................ 177
DAI Overview.......................................................... 177
Configuring DAI....................................................... 178
DAI Maintenance and Diagnosis................................. 178
DAI Configuration Example ....................................... 179
MFF Configuration........................................................ 180
MFF Overview ......................................................... 180
Configuring MFF ...................................................... 180
MFF Configuration Example ....................................... 181
MFF maintenance and diagnosis ................................ 182
POE Configuration ......................................... 185
POE Overview ............................................................. 185
Configuring PoE........................................................... 186
PoE Configuration Example ........................................... 187
PoE Maintenance ......................................................... 188
Figures .......................................................... 189
Tables ........................................................... 191
Glossary ........................................................ 193
About This Manual
Purpose ZXR10 5900/5200 (V2.8.23.A) Series All Gigabit-Port Intelligent

Routing Switch User Manual (Basic Configuration Volume) provides
procedures and guidelines that support the operation on ZXR10
5900/5200 Series All Gigabit-Port Intelligent Routing Switch, in-
cluding:
� ZXR10 5924 Gigabit Routing Switch
� ZXR10 5928–Fi Gigabit Routing Switch
� ZXR10 5224 Gigabit Convergence Switch
� ZXR10 5228–FI Gigabit Convergence Switch
� ZXR10 5928–PS Gigabit Convergence Switch
Intended This manual is intended for engineers and technicians who per-
Audience form operation activities on ZXR10 5900/5200 All Gigabit-Port In-
telligent Routing Switches.
Prerequisite Skill To use the Basic Configuration Volume effectively, users should
and Knowledge have a general understanding of OSI Model. Familiarity with the
following is helpful,
� Protocols
� Routing concepts and Data Communication Terminologies
What Is in This The Basic Configuration Volume contains the following chapters:
Manual
TABLE 1 CHAPTER SUMMARY
Chapter Summary
Chapter 1 Safety This chapter describes the safety

Description instructions and signs.
Chapter 2 Usage and This chapter describes ZXR10 5900/5200

Operation configuration mode in common use.
Chapter 3 System This chapter introduces file system

Management management, file backup and restoration,
software version upgrade.
Chapter 4 Interface This chapter describes port parameters

Configuration configuration , port mirroring function,
loopback detection and DOM configuration.
Chapter 5 Network This chapter describes IP address

Protocol Configuration configuration and ARP configuration.
Confidential and Proprietary Information of ZTE CORPORATION i

ZXR10 5900/5200 Series User Manual (Basic Configuration Volume)
Chapter Summary
Chapter 6 Switch Stack This chapter describes the content and

System related knowledge of stack system and
related configuration.
Chapter 7 ACL This chapter introduces ACL and related

Configuration configuration.
Chapter 8 QoS This chapter introduces QOS and related

Chapter 9 DHCP This chapter introduces DHCP and related

Chapter 10 VRRP This chapter introduces VRRP and related

Chapter 11 Network This chapter introduces Network

Management management configuration.
Configuration
Chapter 12 DOT1X This chapter introduces DOT1Xt

Chapter 13 Cluster This chapter introduces Cluster

Management Management configuration.
Configuration
Chapter 14 IPTV This chapter describes the content and

Configuration related knowledge of IPTV and related
configuration.
Chapter 15 VBAS This chapter introduces VBAS configuration.

Configuration
Chapter 16 ZESR This chapter introduces ZESR configuration.

Configuration
Chapter 17 Security This chapter introduces Security

Chapter 18 POE This chapter describes the content and

Configuration related knowledge of POE and related
configuration.
Related The following documentation is related to this manual:

Documentation
� ZXR10 5900/5200(V2.8.23.A) Series All Gigabit-Port Intelli-
gent Routing Switch Hardware Manual
gent Routing Switch User Manual (Ethernet Switching Volume)
gent Routing Switch User Manual (Basic Configuration Volume)
gent Routing Switch User Manual (IPv4 Routing Volume)
gent Routing Switch User Manual (IPv6 Routing Volume)
� ZXR10 Router-Ethernet Switch Command Manual - Command
Index
ii Confidential and Proprietary Information of ZTE CORPORATION

About This Manual
� ZXR10 Router-Ethernet Switch Command Manual - System

Management
� ZXR10 Router-Ethernet Switch Command Manual - Functional
System I
System Volume II
System Volume III
� ZXR10 Router/Ethernet Switch Command Manual — Functional
System IV
� ZXR10 Router/Ethernet Switch Command Manual — Protocol
Stack I
Stack II
Stack III
� ZXR10 Router/Ethernet Switch Information Manual
Confidential and Proprietary Information of ZTE CORPORATION iii

This page is intentionally blank.
iv Confidential and Proprietary Information of ZTE CORPORATION

Chapter 1
Safety Description
Table of Contents
Safety Introduction............................................................. 1
Symbol Descriptions ........................................................... 1
Safety Introduction
Only qualified professionals are allowed to perform installation,
operation and maintenance due to the high temperature and high
voltage of the equipment.
Observe the local safety codes and relevant operation procedures
during equipment installation, operation and maintenance to pre-
vent personal injury or equipment damage. Safety precautions
introduced in this manual are supplementary to the local safety
codes.
ZTE bears no responsibility in case of universal safety operation
requirements violation and safety standards violation in designing,
manufacturing and equipment usage.
Symbol Descriptions
Contents deserving special attention during ZXR10 5900/5200
configuration are explained as follow.
Caution:
It indicates that the fault will happen if safety is ignored.
Note:
It provides additional information.
Confidential and Proprietary Information of ZTE CORPORATION 1

2 Confidential and Proprietary Information of ZTE CORPORATION

Chapter 2
Usage and Operation
Table of Contents
Configuration Mode............................................................. 3
Command Mode Function ...................................................12
Command Line Function .....................................................13
Configuration Mode
As shown in Figure 1 , ZXR10 5900/5200 offers multiple configu-
ration modes. A user can select configuration mode based on the
connected network.
1. Configuration of Console Port Connection
2. TELNET Connection Configuration
3. SSHSecure Shell Connection Configuration
4. SNMP Connection Configuration
FIGURE 1 ZXR10 5900/5200 CONFIGURATION MODES

Configuring Through Console Port

This is main configuration mode of ZXR10 5900/5200. ZXR10
5900/5200 debugging configuration is implemented through the
console port connection. The console port connection configura-
tion adopts the VT100 terminal mode.
1. Select Start > Programs > Accessories > Communica-
tions > HyperTerminalon the PC screen to start the Hyper-
Terminal, as shown in Figure 2 .
FIGURE 2 STARTING THE HYPERTERMINAL
2. Input the related local information in the interface as shown

in Figure 3.
FIGURE 3 LOCATION INFORMATION

Chapter 2 Usage and Operation
3. After the Connection Description dialog box appears, enter

a name and choose an icon for the new connection, as shown
in Figure 4.
FIGURE 4 SETTING UP A CONNECTION
4. Based on serial port connection to the console cable, choose

COM1 or COM2 as the serial port is to be connected, as shown
in Figure 5 .

FIGURE 5 CONNECTION CONFIGURATION
5. Enter the properties of the selected serial port as shown in

Figure 6 . The port property configuration includes: Bits per
Second 9600, Data bit 8, Parity None, Stop bit 1, Data flow
control None.

FIGURE 6 COM1 PROPERTIES
Power on and boot ZXR10 5900/5200 to initialize the system and

to enter into configuration for operational use.
Telnet Connection Configuration

Telnet is the main remote configuration mode for the ZXR10
5900/5200.
Telnet access is set through user name and password. This enables
unauthorized users from accessing the switch through Telnet. Use
the following command to configure the user name and password.
username <username> password <password>
To strengthen the security of the switch, switch can limit telnet
login of the users. Use the following command to admit or refuse
telnet’s IP address.
line telnet access-class <basic access list>
1. Connect the host directly to the switch and Telnet to the switch.

i. Configure the Telnet login user name and password through

the console port.
ii. Configure the Telnet login user name and password through
the console port.
iii. Connect the host network port to the Ethernet port of the
switch.
iv. Set the host IP address to one in the same network seg-
ment as that of the VLAN interface so that the host can ping
the IP address of the VLAN interface.
v. Run the telnet command on the host and input the IP ad-
dress of the VLAN interface to log in to the switch, as shown
inFigure 7 .
FIGURE 7 RUN TELNET
vi. Click OK to enter the interface as shown inFigure 8 .
FIGURE 8 TELNET LOGIN
vii.Type the correct user name and password at the prompt to

enter into switch configuration status.

Note:
i. ZXR10 5900/5200 allows up to four Telnet users at a time.
ii. Never modify/delete the IP address of the management
Ethernet port during Telnet configuration through the man-
agement port; otherwise, the Telnet connection will be bro-
ken.
2. Telnet to the switch from other devices (such as a switch or

router).
i. Configure the IP addresses and interface of the VLAN
through the console port.
ii. Configure the Telnet login user name and password through
the console port.
iii. Consider router as an example. Connect the router and the
switch, ensuring that the router can ping the IP address of
the switch VLAN interface.
iv. Run the telnet command on the router and input the IP
address of the VLAN interface to log in to the switch.
SSH Connection Configuration

Telnet and FTP connections are not safe because they use the plain
text to transmit the password and data on the network. This re-
sults in data to be easily intercepted by attackers. A disadvantage
of the Telnet/FTP security authentication is that it is easily attacked
by the man-in-the-middle. This imitates the server to receive the
data sent by the client and imitates the client to transmit the data
to the real server.
SSH can solve this hidden trouble. The SSH sets up a security
channel for the remote login on non-security network and other
network to encrypt and compress all transmitted data. In this
way, no useful information can be obtained in the interception.
The current SSH protocol has two versions that incompatible each
other: SSH v1.x and SSH v2.x. ZXR10 5900/5200 supports the
SSH v2.0 that provides a safe remote login function.
SSH consists of server and client, ZXR10 5900/5200 serves as SSH
server and the host runs SSH client to log in to the switch.
1. Execute the following command to enable the SSH server in
ZXR10 5900/5200. By default, SSH server function is disabled.
ssh server enable
2. Connect the host network interface to the switch Ethernet in-
terface so that the host can ping the IP of the switch VLAN
interface.
3. Run the SSH client software (putty) on the host.
i. Set the IP and port number of the SSH server, as shown
inFigure 9 .

FIGURE 9 SETTING IP ADDRESS AND PORT NUMBER OF

SSH SERVER
ii. Set the SSH version numberas shown inFigure 10 .

FIGURE 10 SETTING THE SSH VERSION NUMBER
4. Click Open to log in to the switch and input the correct user
name and password following the prompt.
The user enters switch configuration interface upon successful lo-
gin.
Simple Network Management

Protocol (SNMP)
Simple Network Management Protocol (SNMP) is one of the most
popular network protocols. An NM server can manage all devices
on the network through this protocol.
SNMP adopts the management. That is based on the server and
client. Background NM server serves as SNMP server and the
foreground network device ZXR10 5900/5200 serves as the SNMP
client. Foreground and background shares one MIB management
database and the SNMP is used for communications.
NMS software supporting the SNMP shall be installed in the back-
ground NM server to manage and configure ZXR10 5900/5200.

Command Mode Function

ZXR10 5900/5200 allocates the commands to various modes
based on the function. In order to authorize the facilitation to
user’s configuration and management for the switch only one
command can be executed in the special mode.
Input a “?” mark in any command mode to view allowed commands
in this mode. The main commands of the ZXR10 5900/5200 are
shown in Table 2.
TABLE 2 COMMAND MODES
Mode Prompt Entry Command
User mode ZXR10> Directly enter it after logging in to the

system
Privileged mode ZXR10# enable (user mode )
Global configura- ZXR10(config)# configure terminal (privileged mode)

tion mode
Port configuration ZXR10(config-gei_1/x)# interface {<interface-name>|byname

mode <by-name>} (global configuration mode)
VLAN database ZXR10(vlan)# vlan databaseprivileged mode

configuration mode
VLAN configuration ZXR10(config-vlan)# vlan {<vlan-id>|<vlan-name>} global

mode configuration mode
VLAN interface ZXR10(config-if)# interface {vlan <vlan-id>|<vlan-if>}

configuration mode global configuration mode
MSTP configuration ZXR10(config-mstp)# spanning-tree mst configurationglobal

Standard ACL ZXR10(config-std-acl)# acl standard {number <acl-number>|

configuration mode name <acl-name>} global configuration
mode
Extended ACL ZXR10(config-ext-acl)# acl extended {number <acl-number>|

mode
L2 ACL ZXR10(config-link-acl)# acl link {number <acl-number>| name

configuration mode <acl-name>}global configuration mode
Hybrid ACL ZXR10(config-hybd-acl)# acl hybrid {number <acl-number>|

mode
RIP configuration ZXR10(config-router)# router ripglobal configuration mode

mode
RIP address ZXR10(config-router-af)# address-family ipv6 vrf <vrf-name>RIP

configuration mode routing configuration mode
OSPF configuration ZXR10(config-router)# router ospf < process-id> global


Mode Prompt Entry Command
IS-IS configuration ZXR10(config-router)# router isisglobal configuration mode

mode
BGP configuration ZXR10(config-router)# router bgp <as-number> global

BGP address ZXR10(config-router-af)# address-family {vpnv4 |{ipv4 vrf

configuration mode <vrf-name>}}BGP configuration mode
BGP configuration ZXR10(config-router)# router pimsmglobal configuration mode

mode
Route map ZXR10(config-route-map)# route-map <map-tag>[permit|deny][<s

configuration mode equence-number>] global configuration
mode
Diagnosis test ZXR10(diag)# diagnoseprivileged mode

mode
In any command mode, input a “?” mark behind the system

prompt to view the list of available commands in this command
mode.
In the privileged mode, execute the disable command to return to
the user mode.
In the user mode and privileged mode, execute the exit command
to exit the switch. In other command mode, execute the exit com-
mand to return to the previous mode.
In command modes other than the user mode and privileged
mode, execute the end command or press<Ctrl+z>to return to
the privileged mode.
Command Line Function

Online Help Command
1. Input a “?” mark behind the prompt of any command mode to
view all commands and brief descriptions of this mode.
ZXR10>?
Exec commands:
enable Turn on privileged commands
exit Exit from the EXEC
login Login as a particular user
logout Exit from the EXEC
ping Send echo messages
quit Quit from the EXEC
show Show running system information
telnet Open a telnet connection
trace Trace route to destination
who List users who are logining on
2. Input the question mark behind a character or character string
to view the list of commands or keywords beginning with that

character or character string. There is no space between the

character (character string) and the question mark.
ZXR10#co?
configure copy
ZXR10#co
3. Press Tab behind the character string. If the command or
keyword beginning with this character string is unique. This
will complete the character string with space at the end.
ZXR10#con<Tab>
ZXR10#configure (there is a space between the configure and cursor.)
4. Input ? behind the command, keyword and parameter. It
shows the keyword or parameter to be input next and its brief
explanation. There is a space in front of the question mark.
ZXR10#configure ?
terminal Enter configuration mode
ZXR10#configure
5. If incorrect command, keyword or parameter is input, the error
isolation is offered with ^ in the user interface after you press
ENTER. The ^ is below the first character of the input incorrect
command, keyword or parameter. An example is given below.
ZXR10#von ter
^
% Invalid input detected at ’^’ marker.
ZXR10#
An example of system clock is given below.

ZXR10#cl?
clear clock
ZXR10#clock ?
set Set the time and date
ZXR10#clock set ?
hh:mm:ss Current Time
ZXR10#clock set 13:32:00
% Incomplete command.
At the end of the above example, the system prompts that the
command is not complete and other keyword or parameter should
be input.
Note:
All commands in the command line operation are case-insensitive.
Command Abbreviation
ZXR10 5900/5200 allows the command or keyword to be abbre-
viated into a character or character string that uniquely identifies
this command or keyword. For example, the show command can
be abbreviated to sh or sho.
History Commands
The input command can be recorded in the user interface. Up to
10 history commands can be recorded and this function is useful
for invoking a long or complicated command again.

Execute one of the following operations to re-invoke a command

from the record buffer, as shown inTable 3.
TABLE 3 INVOKING A COMMAND
Command Function
<Ctrl+P> or <-
-> Invoke a history command in the
buffer forward
<Ctrl+N> or <¯
¯> Invoke a history command in the
buffer backward
In the privileged mode, execute the show history command to

list the commands input the latest in this mode.


Chapter 3
System Management
Table of Contents
File System.......................................................................17
FTP/TFTP Overview ............................................................19
Backing up Data and Restoring Data ....................................22
Software Version Upgrade...................................................23
Configuring System Parameters...........................................26
Viewing System Information ...............................................28
File System
Introduction to File System
In ZXR10 5900/5200, FLASH is used as the major storage device
for storing version files and configuration files. Operations, such
as version upgrading and configuration saving, must be conducted
in flash.
There are three directories in Flash by default.
1. IMGSystem mapping files (that is, image files) are stored un-
der this directory. The extended name of the image files is
.zar. The image files are dedicated compression files. Version
upgrade means to change the corresponding image files under
the directory.
2. CFGThis directory is for saving configuration files, whose name
is startrun.dat. Information is saved in the Memory when using
command to modify the switch configuration. To prevent the
configuration information loss at the time of switch restart, use
write command to write the information in the Memory into
FLASH, and save the information in the startrun.dat file. When
there is a need to clear the old configuration in the switch to
reconfigure data, use delete command to delete startrun.dat
file, then restart the switch.
3. DATAThis directory is for saving log.dat file which records alarm
information.

Operating File System Management

ZXR10 5900/5200 provides many commands for file operations.
Command format is similar to DOS commands as present in Mi-
crosoft Windows Operating System.
1. To copy files between Flash and FTP/TFTP server, use the fol-
lowing command.
copy <source-device><source-file><destination-device><de
stination-file>
2. To view current directory path, use the following command.
pwd
3. To view files and subdirectories of a specified device or under
a specified directory, use the following command.
dir [<directory>]
4. To delete a file under a designated directory of the current
device, use the following command.
delete <filename>
5. To enter into specific directory, use the following command.x
cd <directory>
6. To make directory in flash, use the following command.
mkdir<directory>
7. To delete a directory in flash, use the following command.
rmdir<directory>
8. To modify the name of directory in flash, use the following com-
mand.
rename <source-filename><destination-filename>
1. This example shows how to view the current files in the Flash.
ZXR10#dir
Directory of flash:/
attribute size date time name
1 drwx 512 MAY-17-2004 14:22:10 IMG
2 drwx 512 MAY-17-2004 14:38:22 CFG
3 drwx 512 MAY-17-2004 14:38:22 DATA
65007616 bytes total (48863232 bytes free)
ZXR10#cd img /*Enter the directory img*/
ZXR10#dir /*Show the current directory information*/
Directory of flash:/img
1 drwx 512 MAY-17-2004 14:22:10 .
2 drwx 512 MAY-17-2004 14:22:10 ..
3 -rwx 15922273 MAY-17-2004 14:29:18 ZXR10.ZAR
2. This example shows how to create a directory ABC in the Flash

and then delete it.
ZXR10#mkdir ABC /*Add a sub-directory of ABC in
current directory*/
ZXR10#dir /*view the information in current directory
and find the sub-directory of ABC*/
1 drwx 512 MAY-17-2004 14:22:10 IMG
2 drwx 512 MAY-17-2004 14:38:22 CFG
3 drwx 512 MAY-17-2004 14:38:22 DATA

Chapter 3 System Management
4 drwx 512 MAY-17-2004 15:40:24 ABC

ZXR10#rmdir ABC /*remove the sub-directory of ABC*/
ZXR10#dir /*Show the current directory information and
find sub-directory of ABC which has been removed*/
1 drwx 512 MAY-17-2004 14:22:10 IMG
2 drwx 512 MAY-17-2004 14:38:22 CFG
3 drwx 512 MAY-17-2004 14:38:22 DATA
FTP/TFTP Overview
ZXR10 5900/5200 can server as an FTP/TFTP client. Files can be
used as backup and restore purpose. Files can also be used as
import/export configurations.
Configuring Switch as an FTP Client

Enable FTP server on the background host, and access the ZXR10
5900/5200 as an FTP client from the FTP server.
1. Run wftpd on the background host, and an interface as
shownFigure 11 .
FIGURE 11 WFTPD INTERFACE
2. Select SecuritySelect User/Rights…and perform the follow-

ing operations on the popup dialog box:

i. Click New User… to create a user, type target for an ex-

ample, and set password for it
ii. Select target from the User Name drop-down list
iii. Type the directory of the version/configuration file in the
Home Directory text box, such as D:\IMG.
After these setting, dialog box appears as shown in Figure 12 .
FIGURE 12 USER/RIGHTS SECURITY DIALOG BOX
3. Click Done to finish the settings.
Configuring Switch as an TFTP Client

Start TFTP server on the background host, and access the ZXR10
5900/5200 as a TFTP client from the TFTP server.
1. Run tftpd on the background host, and an interface as shown
in Figure 13..

FIGURE 13 TFTPD INTERFACE
2. Select Tftpd®®Configure click Browse on the popup dialog

box and select a directory to store the version/configuration
file, such as D:\IMG.
The following dialog box will appear as shown in Figure 14 .
FIGURE 14 CONFIGURING DIALOG BOX
3. Click OK to finish the settings.

Background of TFTP server is implemented. Start the TFTP server,
and run copy on the switch to backup/restore files or import/ex-
port configurations.

Backing up Data and

Restoring Data
With FTP/TFTP, you can backup the software version file, config-
uration file and log file of ZXR10 5900/5200 to the background
server, or restore backup files from the background server.
Backing Up Configuration File

After saving the configuration information to startrun.dat with
the write command, you can backup the file to the background
FTP/TFTP to keep the file intact and available for restoration.
Run the following command to back up the configuration file in the
Flash to the background TFTP server:
ZXR10#copy flash: /cfg/startrun.dat
tftp: //168.1.1.1/startrun.dat
Restoring Configuration File

Run the following command to restore the backup of the configu-
ration file from the background TFTP server:
ZXR10#copy tftp: //168.1.1.1/startrun.dat
flash: /cfg/startrun.dat
Backing Up Version File

Take a backup of the running version file to the background server
prior to version upgrade, so that the original version can be re-
stored in case the new version loading fails. To backup the soft-
ware version file is similar to backing up the configuration file.
Run the following command to backup the software version file in
the Flash to img under the background TFTP server’s root direc-
tory:
ZXR10#copy flash: /img/zxr10.zar
tftp: //168.1.1.1/img/zxr10.zar
Restoring Version File

Version restoration is to transfer the backup of the software ver-
sion file from the background server to the foreground Flash of
the switch over FTP/TFTP. Version restoration is important when
the upgrade fails.

Procedure of version restoration is basically the same as version

upgrade.
As mentioned previously, the ZXR10 5900/5200 supports config-
uration file import/export. Copy the configuration file startrun.dat
to the background host over FTP/TFTP, where edit the file with a
certain text editor, and then copy the file back to the foreground
Flash’s CFG directory over FTP/TFTP. The file will take effect the
next time the system is rebooted.
Note:
1. When use copy command to transfer FTP file between back
host and switch, fisrt configure host ip address in the same
network segment that VLAN interface ip address is in and the
interface which host connects belongs to the vlan and can ping
through Vlan ip address.
2. Pay attention to the format requirement while editing
startrun.dat with a text editor.
Software Version Upgrade

Normally, version upgrade is needed only when the original ver-
sion does not support some functions or the equipment cannot
run normally due to some special reasons. If version upgrade op-
erations are performed improperly, upgrade failure may occur or
the system fails to start. Therefore, before version upgrade, the
maintenance personnel must be familiar with the principles and
operations of the ZXR10 5900/5200 and learn the upgrade steps
earnestly.
Upgrading the Version at Abnormality

To upgrade the version for ZXR10 5900/5200 in abnormal case,
perform the following steps.
1. Set the switch management Ethernet port IP address and back-
ground host in the same network section.
2. Refer to FTP/TFTP Overview , start the background FTP server
3. Reboot ZXR10 5900/5200, and press any key at prompt in a
HyperTerminal session to enter the Boot state. The display is
as follows:
ZXR10 System Boot Version: 1.0
Creation date: Dec 31 2002, 14:01:52
(Omitted)
Press any key to stop for change parameters...
2
[ZXR10 Boot]:
Type “c” in the Boot state, and press ENTER to enter the param-
eter modification state. Change the boot mode to booting from
the background FTP; change the FTP server address to that of
the background host; change the client and gateway addresses

to that of the management Ethernet port of the switch; set the

subnet mask and FTP user name and password pair. After the
modification, the prompt ZXR10 Boot: appears.
[ZXR10 Boot]:c
’.’ = clear field; ’-’ = go to previous field; ^D = quit
Boot Location [0:Net,1:Flash] : 0
/*0 means booting from the background FTP, 1 means botting from Flash*/
Port Number : 24
Client IP [0:bootp]: 168.4.168.168
/*Management Ethernet port address*/
Netmask: 255.255.0.0
Server IP [0:bootp]: 168.4.168.89
/*Background FTP server address*/
Gateway IP: 168.4.168.168
/*Management Ethernet port address*/
FTP User: target
/*FTP user name target*/
FTP Password:
/*Password of target*/
FTP Password Confirm:
Boot Path: zxr10.zar /*Default/
Enable Password: /*Default*/
Enable Password Confirm: /*Default*/
[ZXR10 Boot]:
4. Type @, and press ENTER. Then the system automatically boot

from the background FTP server.
[ZXR10 Boot]:@
Loading... get file zxr10.zar[15922273] successfully!
file size 15922273.
/*Omitted*/
**********************************************************
Welcome to ZXR10 5928 Switch of ZTE Corporation
**********************************************************
ZXR10>
5. If the system starts successfully, the user can use the show
version command to check whether the new version is running
in the memory. If not, booting from the background server
failed. The user must repeat steps 1 to 5.
6. Delete the old version file (zxr10.zar) from the Flash’s IMG
directory with the delete command. If there is enough space
in the Flash, the user can reserve the old version with another
name.
7. Copy the new version file on the background FTP server to the
Flash’s IMG directory with the filename as zxr10.zar.
i. Set temporary Vlan interface which is interworking with the
host (suppose IP address is 168.4.168.1).
ii. Set the host ip address (suppose ip address is
168.4.168.89) in the same network segment that Vlan
interface ip address is in. The interface which host
connects belongs to the vlan and can ping through Vlan
ip address.
iii. Use copy command at the privileged mode.
ZXR10#copy ftp: //168.4.168.89/zxr10.zar@target:target
flash: /img/zxr10.zar
Starting copying file
.................................................................
.................................................................
......................................
file copied successfully.
ZXR10#

8. Check for the new version file in the Flash. If not found, the
copying failed, when must repeat step 8 to copy the version
again.
9. Reboot ZXR10 5900/5200, and follow step 4 to change the
boot mode to booting from Flash, when Boot path changes to
/flash/img/zxr10.zar automatically.
Note:
can also change the boot mode to booting form Flash with the
nvram imgfile-location local command in the global config-
uration mode.
10. Type @ at the prompt ZXR10 Boot: and press ENTER to boot
the system with the new version in the Flash.
11. When the system is booted successfully, check the running ver-
sion to confirm the success of upgrade.
Upgrading the Version at Normality

Upgrade the software version in several different ways when the
switch is working properly, including copying the version to the
switch acting as an FTP/TFTP client and remote upgrade over FTP.
The local upgrade procedure is as follows when the switch serving
as an FTP client.
1. Connect the ZXR10 5900/5200’s console port (on the main
control board) to the serial port of the background host with a
console cable attached to the switch; connect the management
Ethernet port (10/100 M Ethernet port on the main control
board) to the background host’s network port with a straight
through network cable. Make sure that both connections are
correct.
2. Set the background host for upgrade to be in the network seg-
ment as the switch’s management Ethernet port, so that the
background host can ping the management Ethernet port.
3. Refer to FTP/TFTP Overview , Start the background FTP server
4. View the running version.
5. Use Delete command to the old version file from the Flash’s
IMG directory with the delete command. If there is enough
space in the Flash, you can also reserve the old version with
another name.
6. Copy the new version file on the background FTP server to the
Flash’s IMG directory with the filename as zxr10.zar.
7. Check for the new version file in the Flash’s IMG directory. If
the new version file is not found, the copy failed. The user
must repeat step 5 to copy the version again.
8. When the system is rebooted successfully, check the running
version to confirm the success of upgrade.

Configuring System
Parameters
Setting a Hostname of System
The default hostname of system is ZXR10. Use hostname <netw
ork-name> in global configuration mode to modify the hostname .
Log on to router again after hostname modification and the prompt
will include the new hostname.
Setting Welcome Message upon

System Boot
Use banner to set welcome message upon system boot . Welcome
message begins and ends with custom character. The example is
as follows.
ZXR10(config)# banner incoming C
Enter TEXT message. End with the character ’C’.
***********************************
Welcome to ZXR10 Switch World
**********************************
C
ZXR10(config)#
Setting Privileged Mode Key

To prevent an unauthorized user from modifying the configuration,
use the following command.
Command Function
ZXR10(config)#enable secret {0 <password>|5 This sets password.

<password>|<password>}
Setting Telnet Username and

Password
Command Function
ZXR10(config)#username <username> password This sets Telnet user and

<password> password.

Setting System Time
Command Function
ZXR10#clock set <current-time><month><day><year> This sets system time.
Setting System Console User

Connection Parameters
Command Function
ZXR10(config)#line console idle-timeout <idle-timeout> This sets idle-timeout time.
ZXR10(config)#line console absolute-timeout This sets absolute-timeout time.

<absolute-timeout>
Setting System Telnet User

Connection Parameters
Command Function
ZXR10(config)#line telnet access-class <access-list-nu This configures access-class.

mber>
ZXR10(config)#line telnet idle-timeout <idle-timeout> This configures dle-timeout

time.
ZXR10(config)#line telnet absolute-timeout This configures absolute-timeout

<absolute-timeout> time.
There are parameters absolute-timeout and absolute-timeout af-

ter line console and line telnet. absolute-timeout refers to the
time which is from the begin of connection to connection timeout.
idle-timeout refers to the idle timeout that after user last oper-
ation. System will disconnect automatically when timeout. User
should logon again if they need to continue operating switch sys-
tem process. By default, absolute-timeout is 1440 minutes and
idle-timeout is 120 minutes.
Allowing Multiple Users to Configure

System at the Same Time
multi-user configure

be care for the reason that the configuration could bring switch
configuration disorder.
Viewing System Information

Viewing Hardware and Software
Versions of the System
The following information is displayed after carrying out show
version command.
ZXR10#show version
ZXR10 Router Operating System Software, ZTE Corporation
ZXR10 ROS Version V4.08.23
ZXR10_5952 Software, Version ZXR10 5900 V2.8.23.A.12,
RELEASE SOFTWARE
Copyright (c) 2000-2007 by ZTE Corporation
Compiled Jun 14 2009, 11:47:14
System image files are flash:<//flash/img/zxr10.zar>
System uptime is 2 days, 18 hours, 19 minutes
[MPU]
Main processor: ZXR10 MPC8270, 450M - PCI with
256M bytes of memory
512K bytes of non-volatile configuration memory
16M bytes of processor board System flash (Read/Write)
ROM: System Bootstrap, Version: V1.12 , RELEASE SOFTWARE
Hardware Version: V1.8, CPLD Version: V1.4
System serial: 5952
Viewing Running Configuration

show running-config

Chapter 4
Interface Configuration
Table of Contents
Basic Port Configuration .....................................................29
Port Mirroring Configuration ................................................37
Loopback Detection Configuration ........................................40
DOM Configuration ............................................................42
Basic Port Configuration

The ZXR10 5900/5200 provides GE and XGE ports
� The GE electrical port supports full/half duplex, 10/100/1000
M adaptation and MDI/MDIX adaptation. It woks in auto-ne-
gotiation mode by default, consulting work mode and rate with
the peer end.
� The GE optical port must work at 1000 M full duplex, it can’t
be configured duplex mode and rate but can be configured to
work in the auto-negotiation mode.
� The XGE electrical port supports 10000M full duplex, it can’t be
configured to work in auto-negotiation, duplex mode and rate.
� The XGE optical port supports 10000M full duplex, it can’t be
configured to work in auto-negotiation, duplex mode and rate.
The system automatically adds ports: When you insert an inter-
face board to a proper slot and start the board, ports of the board
are automatically added to the port list.
Note:
The GE port and XGE port can’t support hot swap.
ZXR10 5900/5200 names ports as follows:

<Port type>_<Slot No.>/<Port No.>
� <Port type> : gei (1000M Ethernet interface) and xgei
(10000M Ethernet interface).
� <Slot No.>
ZXR10 5924/5224 only has one slot.
ZXR10 5928/5228/5928-FI/5228-FI/5952/5252 has 5 slots.
There are 4 slots at the back of device. Slots numbered from

left to right are slot 2, slot 3, slot 4 and slot 5. Slot1 is GE

port in front of the device.
� <Port No.>
The No. of the port on the interface board, starting from 1.
Example:
� Gei_1/8 Port 8 on the GE interface board in slot 1.
� Xgei_3/1 Port 1 on the XGE interface board in slot 3.
The ports are named differently because the number of boards
and the number of ports on each board are different for specific
devices.
1. ZXR10 5928/5228/5928-FI/5228-FI
� The 24 ports in the front of the switch correspond to gei_1/1
to gei_1/24.
� The 4 xgei Ethernet interface board at the back of
switch are arranged from left to right, corresponding to
xgei_2/1 xgei_3/1xgei_4/1xgei_5/1
2. ZXR10 5952/5252
� The 48 ports correspond to gei_1/1gei_1/48.
� The 4 xgei Ethernet interface board at the back of
switch are arranged from left to right, corresponding to
xgei_2/1 xgei_3/1xgei_4/1xgei_5/1
3. ZXR10 5924/5224
� The 24 ports in the front of the switch correspond to gei_1/1
to gei_1/24.
Disabling/Enabling an Ethernet port
Step Command Function
1 ZXR10(config)#interface <port-name> This enters interface

configuration mode.
2 ZXR10(config-gei_1/x)#shutdown/no shutdown This disables/enables an

Ethernet port.
shutdown command sets the physical link state of the port to

down, when the port’s link indicator goes off. All ports are enabled
by default.

Chapter 4 Interface Configuration
Enabling/Disabling Auto-Negotiation
on an Ethernet Port

configuration mode.
2 ZXR10(config--gei_1/x)#negotiation auto/ no This enables/disables

negotiation auto auto-negotiation on an
Ethernet port.
Enable auto-negotiation on an Ethernet port when GE work on

1000M.
Configuring Automatic Negotiation

Notification on an Ethernet Port
Command Function
ZXR10(config-gei_1/x) #negotiation auto [ speed This configures automatic

[10|100]] negotiation notification on an
Ethernet port to 10M or 100M.
When working mode of PHY is electrical interface, GE, FE, 10M,

half-duplex and full-duplex can be set if it can be notified.
When working mode of PHY is optical port, only half-duplex and
full-duplex can be set if it can be notified. The notification of speed
can’t be set.
Description:
negotiation auto speed 100
negotiation auto speed 10
negotiation auto
no negotiation auto
The four are in mutual exclusive relationship.
After configuring nego auto speed 100|10, speed and duplex of
port are not configured and only can be adaptive.

Setting Ethernet port Duplex Mode

configuration mode.
2 ZXR10(config-gei_1/x)#duplex {half|full} This sets Ethernet port to

working in duplex mode.
Setting Ethernet Port Speed

configuration mode.
2 ZXR10(config-gei_1/x)#speed {10|100} This sets Ethernet port speed.
Only GE port allows configuration of its duplex mode and rate.

Disable auto-negotiation on the port before the configuration.
Setting Flow Control on an Ethernet

Port

configuration mode.
2 ZXR10(config-gei_1/x)#flowcontrol {enable|disable} This sets flow control on an

Ethernet port.
Flow control is to restrict packet count sent to the Ethernet port

within certain time period. The port sends a pause packet when
the receive buffer is full to tell the remote port not to send any
more packet to it within certain period. The Ethernet port can also
receive pause packets from other devices and do as required by
the packets.

Allowing/Prohibiting Jumbo Fame on

an Ethernet Port

configuration mode.
2 ZXR10(config-gei_1/x)#jumbo-frame{enable|disab This allows/prohibits jumbo

le} fame on an Ethernet port.
By default, maximum fame allowed on an Ethernet port is 1560-

byte long and jumbo frames are prohibited. Maximum frame al-
lowed on an Ethernet port is 9216-byte long when jumbo frame
are permitted.
Setting Port Alias on an Ethernet Port

configuration mode.
2 ZXR10(config-gei_1/x)#byname <by-name> This sets port alias on an

Ethernet port.
Port alias is set to uniquely identify a port with a mnemonic name.

Port can be accessed with its alias instead of the port name.
Setting Broadcast Storm Suppression

on an Ethernet Port

configuration mode.
2 ZXR10(config-gei_1/x)#broadcast-limit<value> This sets broadcast storm

suppression on an Ethernet
port.
Broadcast traffic through an Ethernet port can be limited. Broad-

cast packets are dropped when the traffic exceeds the limit so that
the broadcast traffic through the Ethernet port is kept in a reason-
able range. This effectively suppresses broadcast storm, helps
avoid congestion and ensures normal provisioning of network ser-

vices. Broadcast storm suppression is implemented by setting the

rate parameter, the lower the rate the smaller the allowed broad-
cast traffic.
Setting Multicast Packet Suppression

on an Ethernet Port

configuration mode.
2 ZXR10(config-gei_1/x)#multicast-limit <value> This sets multicast packet

port.
When multicast packet suppression function of ZXR10 5900/5200

is enabled, port will take multicast packet suppression according
to configured allowed number of multicast packet on an Ethernet
port every second.
Setting Unknowcast Packet

Suppression on an Ethernet Port

configuration mode.
2 ZXR10(config-gei_1/x)#unknowcast-limit < value> This sets unknowcast storm

port.
When unknowcast packet suppression function of ZXR10

5900/5200 is enabled, port will take unknowcast packet sup-
pression according to configured allowed number of unknowcast
packet on an Ethernet port every second.
Viewing Layer 2 Interface Physical

Status
Short Description To view switch layer 2 physical interface running status such as if
the interface is up, duplex, and rate.

Command Function
ZXR10# show interface brief This views interface running

status.
Example The output of the viewing interface running status command is as

follows.
ZXR10#show interface brief
Interface portattribute mode BW(Mbits) Admin Phy Prot Description
gei_2/1 electric Duplex/full 1000 up up up none
gei_2/7 electric Duplex/full 1000 up down down none
gei_2/8 electric Duplex/full 1000 up down down none
Admin, Phy, and Prot indicate management, physical, and protocol

status of interface respectively. Only all three states are up, is
interface in normal working status.
At the interface configuration mode, input shutdown , the Admin
state of the interface will turn down.
lists some abnormal interface conditions and handling procedures.
TABLE 4 INTERFACE STATE ABNORMAL CONDITION
Interface State Analysis and Solution
Admin is DOWN This indicates that physical

Phy is UP connection is normal and the
corresponding interface maybe
Prot is DOWN is shutdown, carry out the no
shutdown command at the
interface mode.
Admin is UP This indicates that physical link

Phy is DOWN has problem, check physical link.
Prot is DOWN
Admin is UP Check interface configuration , the

Phy is UP problem maybe is that interface
parameter is not correct or is not
Prot is DOWN configured. refer to user manual
to solve the problem. if this
problem can’t be solved contact
ZTE client supporting engineer for
further handling.

Displaying Port Information
Command Function
ZXR10#show interface [<port-name>] This views Ethernet port state

information.
ZXR10#show running-config interface <port-name> This displays Ethernet port

configuration information.
Example
1. It shows the state and statistics for port gei_1/2
ZXR10#show int gei_1/2
gei_1/2 is up, line protocol is up
Description is none
Keepalive set:10 sec
The port is electric
Duplex full
Mdi type:auto
VLAN mode is access, pvid 10 BW 100000 Kbits
Last clearing of "show interface" counters 0Day 0Hour 3Min 8Sec
120 seconds input rate : 0 Bps, 0 pps
120 seconds output rate: 0 Bps, 0 pps
Interface peak rate :
input 40 Bps, output 0 Bps
Interface utilization: input 0%, output 0%
/* Forward packets input/output statistics,
including error packet statistics */
Input:
Packets : 19 Bytes : 1501
Unicasts : 19 Multicasts: 0
Broadcasts : 0 Undersize : 0
Oversize : 0 CRC-ERROR : 0
Dropped : 0 Fragments : 0
Jabber : 0 MacRxErr : 0
Output:
Packets : 0 Bytes : 0
Unicasts : 0 Multicasts: 0
Broadcasts : 0 Collision : 0
LateCollision: 0
Total:
64B : 0 65-127B : 19
128-255B : 0 256-511B : 0
512-1023B : 0 1024-2047B: 0
2. It shows the configuration information for port gei_1/2.

ZXR10#show run int gei_1/2
Building configuration...
interface gei_1/2
negotiation auto
switchport access vlan 10
switchport qinq normal
Diagnosing and Analyzing Lines

ZXR10 5900/5200 supports cable connection diagnosis and anal-
ysis to find out any abnormality and accurately locate the fault for
easy network management and troubleshooting.

FE electrical port and GE electrical port are both connected to other

devices with a network cable. There are four twisted pairs in a
network cable. There are four twisted pairs in a network cable.
The FE electrical port uses pairs 1-2 and 3-6, and the GE electrical
port uses all four pairs (1-2, 3-6, 4-5 and 7-8). Line detection is
to test the state of each twisted pair, which includes:
1. Open: open line
2. Short: short circuit
3. Good: normal line
4. Broken: open/broken line
5. Unknown: unknown line or no result
6. Crosstalk line coupling
7. Fail: detection failure
In case of line fault, the location of failure is output. If the line is
normal, the approximate length of the line is output. To diagnose
and analyze a line, run the show vct interface command in any
configuration modes other than user configuration mode.
Example: Detect the line of port gei_1/2.
ZXR10(config)#show vct int gei_1/2
CableStatus Good
Pair 1-2 3-6 4-5 7-8
Status Good Good Good Good
Length <50m <50m <50m <50m
Caution:
Line diagnosis and analysis will restart the tested port, when links
of the port is broken and then restored. This function is used only
for faulty ports, and is not recommended for ports connected to
users.
Port Mirroring Configuration

Port Mirroring Overview
Port mirroring is to copy data from one or more ports (mirrored
ports) of a switch to a specified destination port (monitor port).
This data is obtained from the mirrored port(s). It provides an
effective tool for the maintenance and monitoring of the switch.
Also it supports cross-equipment port mirroring (RSPAN).
Port mirroring function of ZXR10 5900/5200 complies with the fol-
lowing rules:
� Support up to one group of ports (eight mirrored ports to the
most).
� Support cross-board port mirroring, that is, the mirrored port
and monitor port can be on different interface boards.

� Support monitoring only sent/received data on the mirrored

port.
� Support cross-equipment port mirroring (RSPAN), that is, mir-
rored port and monitor port can be on different equipment.
Configuring Port Mirroring
1 ZXR10(config-gei_1/x)#monitor session This sets mirror port for

<session-number> source [direction {both|tx|rx}] capturing in/out traffic of
monitor port.
2 ZXR10(config-gei_1/x)#monitor session This sets monitor port.

<session-number> desination
3 ZXR10(config-gei_1/x)#monitor session This sets RSPAN monitor port.

<session-number> desination [rspan-vlanid
<vlanid>][priority < priorityid >]
4 ZXR10(config-gei_1/x)#show monitor session This displays statistics of port

|<session-number> mirroring.
5 ZXR10(config-gei_1/x)#no monitor session This deletes port from port

mirroring.
Port Mirroring Configuration Example

1. This example shows single device port mirroring configuration.
Port gei_1/3 is connected to a computer, data received is on
gei_1/1 and data received/sent is on gei_1/2 are to be moni-
tored. This is shown in Figure 15.

FIGURE 15 PORT MIRRORING EXAMPLE
Configuration of switch:
ZXR10(config)#interface gei_1/1
ZXR10(config-gei_1/1)#monitor session 1 source direction rx
ZXR10(config-gei_1/1)#exit
ZXR10(config-gei_1/2)#monitor session 1 source
ZXR10(config-gei_1/3)#monitor session 1 destination
Show Port Mirroring Configuration:

ZXR10(config)#show monitor session 1
Session 1
-----------------------------------------------
Source Ports:
Port: gei_1/1 Monitor Direction: rx
Port: gei_1/2 Monitor Direction: both
Destination Port:
Port: gei_1/3
Rspan_vlanid : 0
Rspan_priority: 0
-----------------------------------------------
ZXR10(config)#
2. The following example shows RSPAN mirroring configuration.

As shown in Figure 16, port gei_1/3 is connected to other
equipment’s mirroring out port, data received is on gei_1/1 and
data received/sent is on gei_1/2 are to be monitored, RSPAN’s
Vlan is Vlan 10 and the priority is 1.

FIGURE 16 PORT RSPAN MIRRORING EXAMPLE
Configuration of Switch A:
ZXR10(config-gei_1/1)#monitor session 1 source direction rx
ZXR10(config-gei_1/2)#monitor session 1 source
ZXR10(config-gei_1/3)#monitor session 1 destination rspan-vlanid 10 priority 1
Loopback Detection
Configuration
Port Loopback Detection Overview
ZXR10 5900/5200 supports single port loopback detection. This
function can detect the loopback of user which connects to the
switch and switch itself. Then it can solve this problem. It can
avoid broadcast storm in result of loopback.
ZXR10 5900/5200 detects loopback of a few ports or all ports. By
default it is not detected. It supports loopback detection in Vlan.
One port supports up to loopback detection of 8 Vlans at the same
time.
Configuring Port Loopback Detection
1 ZXR10(config)#loop-detect interface <port-name>[e This enables the loopback

nable | disable] detection function of one port
or multiple ports.

2 ZXR10(config)#loop-detect interface <port-name> This configures the loopback

vlan <vlan-id>[enable | disable] detection of Vlan in one port.
3 ZXR10(config)#loop-detect protect-interface This configures the loopback

<port-name><enable | disable> detection port interface.
When a switch detects
a loopback of one port,
switch deal with it
according to parameter
protect-interface. When
parameter protect-interface
is enable, switch sets a
alarm it has detected a
loopback but there will be
no operation. When the
parameter protect-interface
is disable, the switch will
shutdown the port. After
enabling loopback detection,
the default parameter
protect-interface is disable.
4 ZXR10(config)#loop-detect reopen-time <interval> This configures the

reopen-time when the port
was shut down as a result of
loopback detection.
5 ZXR10(config)#show loop-detect interface This enables the loopback

detection function.
6 ZXR10(config)#show loop-detect interface-detail This displays detail of port

<port-name> which enables loopback
detection.
7 ZXR10(config)#show loop-detect protect-interface This displays the port which

enables loopback detection
protection.
8 ZXR10(config)#show loop-detect reopen-time This displays the reopen-time

when one port has been
shutdown in result of loopback
detection.
Port Loop Detection Example

As shown in Figure 17, port gei_1/3 is connected to a computer,
telnet into the switch A. Port gei_1/1 is in Vlan1 and Vlan2. Enable
loopback detection in port gei_1/1. Loopback detection is done in
Vlan1 and Vlan2 at the same time. Switch A is connected to Switch
B with gei_1/1 port. Switch B shuts spanning-tree protocol and
loop two ports with one network line. The two ports in loop and
the port which connect to switch are in the same Vlans as gei_1/1.

FIGURE 17 PORT LOOPBACK DETECTION EXAMPLE
Configuration of Switch A:
ZXR10(config-gei_1/1)#switchport mode trunk
ZXR10(config-gei_1/1)#switchport trunk vlan 1-2
ZXR10(config)#loop-detect interface gei_1/1 enable
ZXR10(config)#loop-detect protect-interface gei_1/1 enable
ZXR10(config)#loop-detect reopen-time 5
ZXR10(config)#loop-detect interface gei_1/1 vlan 1-2 enable
This displays detail of port which enables loopback detection.

ZXR10(config)#show loop-detect interface
gei_1/1
ZXR10(config)#show loop-detect interface-detail gei_1/1
isUp isMonitor isLoop isProtected
Yes Yes Yes Yes
reopenTime loopvlan vlanRange
300 2 1-2
DOM Configuration
DOM Function Overview
DOMdigital optical monitoring is a part of optical module specifica-
tion. The optical module with DOM function can read temperature,
voltage, current, sending and receiving power of optical module.
In addition, each optical module sets some threshold values of
module (include alarm threshold and warning threshold ) when
leaving the factory. After DOM function is enabled, the module
running state value can be polled by I2C bus of optical module. It
is compared with threshold value. When the current value exceeds
the threshold value that manufacturer sets, the alarm will be sent
by syslog and SNMP trap.

Configuring DOM
Enabling DOM Function on Port

Command Function
ZXR10(config-gei_1/x)#optical-inform monitor {enable | SFP DOM polling test function

disable} need to be enabled or disabled
on interface by command
line. The default is disabled.
The polling diagnosis related
information will be viewed
after it is enabled. Otherwise
the related optical module
information can’t be showed.
Only support physical interface, 100M port, gigabit port and 10G
port.
Viewing Current Optical Module Information

Command Function
ZXR10#show optical-info brief This views brief information of

interface optical module includes
temperature, voltage, current,
sending and receiving power.
This supports single interface
view and single board view.
Only support physical interface.

Example This views optical module information of an interface.
ZXR10#Show optical-inform brief
Optical Optical
Interface Temperature Voltage Current Tx Power Rx Power
Name (Celsius) (Volts) (mA) (mW) (mW)
------------------------------------------------------------
gei_2/1/21 12.00 5.00 60.00 0.00 1.00
gei_2/1/22 12.00 5.00 60.00 0.00 1.00
gei_2/1/23 12.00 5.00 60.00 0.00 1.00
gei_2/1/24 12.00 5.00 60.00 0.00 1.00
ZXR10#Show optical-inform brief interface

gei_2/1/23
Optical Optical
Interface Temperature Voltage Current Tx Power Rx Power
Name (Celsius) (Volts) (mA) (mW) (mW)
-------------------------------------------------------------
gei_2/1/23 12.00 5.00 60.00 0.00 1.00
The threshold is related to hardware optical module. If optical

module and manufacturer are different the viewed information will
be different.

Viewing Module Threshold Information

Command Function
ZXR10#show optical-inform detail [ temperature This views detailed threshold

voltage current rx-power tx-power ][interface information of interface optical
<interface-name>] module includes temperature,
voltage, current, sending and
receiving power. This supports
single interface view and single
board view.
Command parameter description+:
Parameter Description
interface <interface-name> interface name
temperature Optical module temperature
voltage Optical module voltage
current Optical module current
rx-power receiving power of optical module
tx-power sending power of optical module

Example This views threshold information of interface optical module.
ZXR10#show optical-inform detail temperature
High Alarm High Warn Low Warn Low Alarm
Temperature Threshold Threshold Threshold Threshold
Port (Celsius) (Celsius) (Celsius) (Celsius) (Celsius)
-----------------------------------------------------------
gei_1/1 48.1 100.0 100.0 0.0 0.0
gei_1/2 34.9 100.0 100.0 0.0 0.0
ZXR10#Show optical-inform detail Voltage

High Alarm High Warn Low Warn Low Alarm
Voltage Threshold Threshold Threshold Threshold
Port (Volts) (Volts) (Volts) (Volts) (Volts)
------------------------------------------------------
gei_1/1 3.30 6.50 6.50 3.50 3.50
gei_1/2 3.30 6.50 6.50 3.50 3.50
The threshold is related to hardware optical module.If optical mod-

ule and manufacturer are different the viewed information will be
different.

Viewing the Record Information That Module

Exceeds Threshold
Command Function
ZXR10#show optical-inform threshold-alarm [interface This views threshold information

<interface-name>] of interface optical module
includes temperature, voltage,
current, sending and receiving
power. This supports single
interface view and single board
view.

Example This views alarm information that optical module exceeds thresh-
old.
ZXR10#Show optical-inform threshold-alarm
Description:
tem : temperature vol : volage cur: current
tx : transmit power rx : receive power
h-w : high-warning(+) h-a : high-alarm(++)
l-w : low-warning(-) l-a : low-alarm(--)
Interface Time in slot Threshold Violation Type(s) of Last Known
Name (DDDD:HH:MM:SS) (DDDD:HH:MM:SS) Threshold Violation
-------------------------------------------------------------
gei_2/1/22 14:57:27 04/29/2008 14:57:07 04/29/2008
tem h-w -52.00C>=-52.00C
14:57:07 04/29/2008 vol h-w 5.00V>=5.00V
14:57:07 04/29/2008 cur l-w 60.00mA<=80.00mA
14:57:07 04/29/2008 rx l-a -440.00dBm<=-333.01dBm
14:57:07 04/29/2008 rx l-a -440.00dBm<=-333.01dBm
gei_2/1/23 14:57:27 04/29/2008 14:57:07 04/29/2008
tem h-w -52.00C>=-52.00C
14:57:07 04/29/2008 vol h-w 5.00V>=5.00V
14:57:07 04/29/2008 cur l-w 60.00mA<=80.00mA
14:57:07 04/29/2008 rx l-a -440.00dBm<=-333.01dBm
14:57:07 04/29/2008 rx l-a -440.00dBm<=-333.01dBm
The threshold is related to hardware optical module. If optical

module and manufacturer are different the viewed information will
be different.


Chapter 5
Network Protocol
Configuration
Table of Contents
IP Address Configuration ....................................................47
ARP Configuration..............................................................49
IP Address Configuration
IP Address Overview
Network addresses in the IP protocol stack refer to IP addresses.
IP address is composed of two parts: Network bit identifying the
network to which this IP address belongs. Host bit identifying a
certain host in the network.
IP addresses are divided into five classes: Class A, Class B, Class
C, Class D and Class E. Classes A, B and C are the most common
ones. Class D is the network multicast address and Class E is
reserved for future use.Table 5lists range of each class.
TABLE 5 IP ADDRESS RANGE FOR EACH CLASS
Class Prefix Network Bit Host Bit Range

Characteristic
Bit
Class A 0 8 24 0.0.0.0~
127.255.255.255
Class B 10 16 16 128.0.0.0~
191.255.255.255
Class C 110 24 8 192.0.0.0~

223.255.255.255

Class Prefix Network Bit Host Bit Range

Characteristic
Bit
Class D 1110 Multicast Address 224.0.0.0~

239.255.255.255
Class E 1111 Reserved 240.0.0.0~

255.255.255.255
Some Class A, B and C addresses are reserved for private net-

works. It is recommended that the internal network should use
the private network address. These addresses refer to:
� Class A:10.0.0.0~10.255.255.255
� Class B:172.16.0.0~172.31.255.255
� Class C:192.168.0.0~192.168.255.255
This address classification method is to facilitate routing protocol
designing. From this method it can be known the network type just
by the prefix characteristic bit of the IP address. This method,
however, cannot make the best of the address space. With the
dramatic expansion of Internet, problem of address shortage be-
comes increasingly serious.
To make most of IP addresses, network can be divided into multiple
subnets. Borrow some bits from the highest bit of the host bit as
the subnet bit. Remaining part of the host bit still serves as the
host bit. Thus, the structure of an IP address consists of three
parts: Network bits, subnet bits and host bits.
The network bits and subnet bits are used to uniquely identify a
network. Use the subnet mask to find which part in the IP address
indicates network bits and subnet bits and which part stands for
host bits. The part with subnet mask of "1" corresponds to the
network bits and subnet bits of the IP address, while the part with
subnet mask of "0" corresponds to host bits.
The division of the subnet greatly improves the utilization of IP
address, and alleviates the problem of IP address shortage.
Regulations on IP addresses:
1. 0.0.0.0 is used when a host without an IP address is started.
RARP, BOOTP and DHCP are used to obtain the IP address. The
address serves as the default route in the routing table.
2. 255.255.255.255 is a destination address used for broadcast
and cannot serve as a source address.
3. 127.X.X.X is called the loop-back address.
4. Only an IP address with host bits being all "0" indicate the
network itself. An IP address with host bits being all "1" serves
as the broadcast address of the network.
5. For a legal host IP address, the network part or the host part
should not be all "0" or all "1".

Chapter 5 Network Protocol Configuration
Configuring IP Address
1 ZXR10(config)#interface <interface-name> This enters nterface

configuration mode.
2 ZXR10(config-if-vlanX)#ip address <ip-address><net This sets IP address.

-mask>[<broadcast-address>][secondary]
One interface allows multiple IP addresses.
IP Address Configuration Example

Suppose that a layer 3 interface vlan1 is created on ZXR10
5900/5200. IP address to 192.168.3.1, and mask to
255.255.255.0 needs to be set. The detailed configuration is as
follows:
ZXR10(config)#interface vlan 1
ZXR10(config-if-vlan1)#ip address 192.168.3.1 255.255.255.0
The show ip interface command can be used to view the IP ad-

dress of the interface.
ZXR10(config-if-vlan1)#show ip interface
vlan1 AdminStatus is up, PhyStatus is up, line protocol is up

Internet address is 10.1.1.1/24
Broadcast address is 255.255.255.255
IP MTU is 1500 bytes
ICMP unreachables are always sent
ICMP redirects are never sent
ARP Timeout: 00:10:00
ARP Configuration
ARP Overview
Network device when sends data to another network device. It
should know the IP address and physical address (MAC address)
of the destination device. ARP is to map the IP address to the
physical address, to ensure smooth communication.
At first, the source device broadcasts the ARP request with the IP
address of the destination device. Then, all the devices on the net-
work receive this ARP request. If one device finds the IP address
in the request matches with its IP address, it sends a reply con-
taining the MAC address to the source device. The source device
obtains the MAC address of the destination device through this re-
ply.

To reduce ARP packets on the network and send data faster, the
mapping between IP address and MAC address is cached in the
local ARP table. When a device wants to send data, it looks up the
ARP table according to the IP address first. If the MAC address of
the destination device is found in the ARP table, it is unnecessary
to send the ARP request again. The dynamic entry in the ARP table
will be automatically deleted after a period of time, which is called
the aging time of the ARP.
Configuring ARP
1 ZXR10(config)#arp protect {interface | mac | whole} This configures ARP

limit-num <number> protection.
2 ZXR10(config)#arp to-static This sets dynamic arp entries

to static arp.
3 ZXR10(config)#interface vlan <vlan-id> This enters Layer 3 VLAN

interface.
4 ZXR10(config-if-vlanX)#arp timeout <timeout> This configures the aging time

of ARP entry in the ARP buffer
area.
5 ZXR10(config-if-vlanX)#set arp {static|permanent This adds arp entry in

}<ip-address><hardware-address> static/permanent binding.
To delete arp entry, use the following command.
Command Function
ZXR10#clear arp-cache interface{supervlan<id>|vlan<i This deletes all dynamic arp

d>}[<ipaddress>|dynamic|permanet|static] entries in from specific interface
ARP buffer.
ARP Configuration Example

ARP configuration example is shown as follows.
ZXR10(config-if-vlan1)#arp timeout 1200
ARP entry of designated interface can be viewed with show arp

[<interface-name>] command.
The following example shows the ARP table of the layer 3 interface
VLAN1.
ZXR10#show arp
Address Age(min) Hardware Addr Interface
10.1.1.1 - 000a.010c.e2c6 vlan1
10.1.100.100 18 00b0.d08f.820a vlan1
10.10.10.2 S 0000.1111.2222 vlan1
10.10.10.3 P 0000.1111.2221 vlan1
ZXR10#

Chapter 5 Network Protocol Configuration
The “-”of Age in the result indicates that it is the ARP of the switch
vlan interface. The arp is generated in the process of configuring
switch vlan interface address. “s” indicates that it is a static ARP,
and “P” indicates that it is a permanent ARP added manually. The
number means the time since ARP updates last time.


Chapter 6
Switch Stack System
Table of Contents
Switch Stack System Introduction........................................53
Configuring Switch Stack System.........................................57
Accessing the Specific Stack Member by Command Line .........57
Viewing Switch Stack System Information.............................58
Switch Stack System

Introduction
Switch stack system means the collection of multiple switches
which is implemented by connecting the switch stack port with
stack cable. The multiple switches in stack system work together
as one switch. Layer 2 and Layer 3 protocols act as an entity in
the network. 59 series switch support at most stack of 9 devices
in which one switch is main device that can configure and manage
all members in stack system.
All the features that main switch supports can be supported in
stack system. Main switch saves configuration file of stack system.
When configuration is saved, configuration fill will be copied to all
stack member for backup. When stack system acts as layer 3
device, the MAC address of stack system is the unique ID in the
network. The MAC address of main device in stack system is that
of the whole stack system. Each stack member is identified by its
stack member ID.
Any one of stack members can be main device. When main de-
vice isn’t applicable, a new main device will be designated among
other member devices according to a specific rule. The rule will
be introduced as follows.
Stack system can be managed with a IP address which is not re-
lated to specific main device and other stack members but is a
system level configuration. Even if main device or other stack
members leave form stack system, stack system can be managed
with this IP address.
There are two modes for managing stack system:
� The serial port cable is connected to any serial port of stack
member. Management is implemented by CLI.
� Management is implemented by SNMP.

Member Specification of Switch

Stack System
At most 9 devices compose a stack system by stack port. Each
stack system only has one main device.
If an independent device enables stack it is stack system itself and
the main device is itself. If two stack systems can be combined
together an independent switch can be added into an existing stack
system to increase the member number of this stack system.
If a stack member in the stack system is replaced by the switch
with the same model and the member ID of this switch is same as
that of the original stack member, this switch will implement the
same configuration that is same as the configuration of replaced
stack member.
When two running stack systems combine together, a main de-
vice will be selected from the two main devices for the reason
that the two stack systems have their own main devices. The se-
lection rule is same as the one that the main device is selected
from stack members. The main device selected again and roles
and configuration of all stack members in which the main device
is. All members of the stack system which fails in selection will
restart and join this stack system. During this joining process,
these switch member IDs will possibly be allocated again. After
joining, they will implement the configuration of the main device
selected again.
If neither original main device nor original standby device is in
the separate stack system all members of this stack system will
restart. In addition, because the configuration of each stack sys-
tem is same IP address will be in collision. IP address of the new
stack system need to be modified. If the stack system is not be
divided intentionally the operation is as follows:
1. Turn off powers of all switches in the new stack system.
2. Connect these switches with the original stack system.
3. Open the power of these switches.
Stack System Main Device Election

and Renewed Election
Stack system main device election and renewed election will com-
ply with the following rules:
1. The current switch is main device of stack system.
2. The switch member priority is the highest. When you want
a switch to be the main device of stack system, configure its
priority the highest.
3. The MAC address of the switch is the smallest when member
priorities are same.
Main device will change when the following happen.
� The main device leaves from the current stack system.

Chapter 6 Switch Stack System
� Main device restarts or powers off.

� Stack system is reset.*
� Other stack system is combined with the current stack sys-
tem.*
As for the two conditions with *, the current main device will be
joined into the process of main device renewed election and pos-
sibly be elected main device again.
When all switches in the stack system are opened or stack system
is reset, only some stack members can join main device election. If
stack member start time gap is in 15s it can join the main device
election. Otherwise the device only can become stack member.
All stack members can join the process of main device renewed
election.
When the main device has been elected and the original main de-
vice has joined stack system again, the original main device can
not be the current main device again but member device.
Stack System Member ID

Stack member ID , from 1 to 9, identifies each member in stack
system. The interface configuration of each stack member is based
on this member ID. Meanwhile, each stack member ID can be
viewed by command line. If a device hasn’t configured ID before
joining stack system it will has default ID 1. In a stack system,
two or multiple devices can’t have the same IDs.
The command nvram stack-machine-id modifies stack device
ID which is valid after restarting the device. When a device joins
a stack system, if its ID is different from the ID of any member
in this stack system the ID can be saved. Otherwise, it will be
allocated the smallest and unused ID.
Stack System MAC Address

The MAC address of stack system uses that of main device. When
main device leaves, the MAC address of main device which is newly
elected will be the MAC address of stack system. MAC switch func-
tion sets MAC address switching time. If the device is configured
this function, when main device leaves, the MAC address of stack
system will be that of the original main device. At the setting time,
if original main device returns to stack system again the MAC ad-
dress of stack system will retain unchanged. Otherwise, it will be
changed to the MAC address of new main device.
Stack Member Device Priority

The higher the switch priority, the greater the possibility of being
main device during main device election. The priority range is

from 0 to 255. The default is 255. Priority information of all stack

member devices can be viewed by show switch all-status.
The priority can be modified by nvram stack-member-priority.
It can not be valid until the device restarts.
Stack Member Device Software

Version Check and Automatic
Upgrade
The software version in each member of stack system should be
the same. When stack system starts and main device is elected,
software version number of each member device will be automat-
ically checked. If the version number of stack member is different
from that of main device , the main device will synchronize the
software to member device. After synchronizing, member device
will restart and join the stack system again.
It is recommended that the priority of the device with the high-
est software version is configured the highest. Therefore it can
be the main device and other member devices can automatically
upgrades the latest software.
Stack System Configuration File

The configuration file of stack system applies configuration file of
main device. The name of configuration file is stackcfg.dat. When
system starts, it reads configuration file from flash of main de-
vice and recovers according to the record of this configuration file.
When write is used, configuration file is not only saved in this
device but also synchronized to other devices, that is , the same
configuration file will be saved in flash of other devices. If member
device leaves it will automatically load this configuration file after
starting.
Stack System Active/Standby

Changeover
There is a main device and a standby device in stack system ( if
there is only one device, that is main device). The command can
be carried out in main device to configure the whole stack system.
Meanwhile these configure will be synchronized to standby device,
that is , the standby device will record these configuration. When
main device has running fault or leaves, standby device will be-
come main device and a new standby device will be elected from
the rest of member devices. Therefore stack system configuration
won’t lost and the effect on traffic forwarding will be minimized.

Chapter 6 Switch Stack System
Configuring Switch Stack

System
1 ZXR10(config)#mac switch-time <0-300> This configures time delayed

parameter. The unit is second.
The maximum value is 300s.
0, the default value, means
when main device leaves MAC
address is switched to new
main device MAC address.
2 ZXR10(config)#show running-config This views configured MAC

switching time from the
current configuration content.
If this command is set mac
switch-time will be viewed.
Reference Information
1. The function of enabling MAC switching.
In stack system, the MAC address of main device is that of
whole system. When main device leaves, standby device will
be the main device. Meanwhile, its MAC address will replace
MAC address of original main device to be that of the whole
system. Now a time delay 1-300s can be configured by MAC
switching function after device leaves. In this time, if the orig-
inal main device joins this stack system again the MAC address
of original main device will become that of stack system and
whole system MAC address is not switched; If original main
device doesn’t join this stack system the MAC address of new
main device will become that of stack system.
2. Default Configuration
Feature Default Configuration
Enable/Disable stack Disable
nvram stack-machine-id 1
nvram stack-member-priority 255
set interface stack-enable/stack-disable stack-port Disable
Accessing the Specific Stack

Member by Command Line
In stack system, all devices can log in to other devices by session
to operate other devices. When logging in to member device,
show operation or operation on file system will be carried out and
configuring command operation can’t be carried out. That mem-

ber device logging in to main device need the authentication of

username and password which can be configured on main device.
Command Function
ZXR10#session <device id> The parameter is the ID of the

device that will be log in to.
After the command is carried
out, the corresponding device
can be operated.
Viewing Switch Stack

System Information
1 ZXR10#show switch all-status This views the whole stack

system information.
2 ZXR10#show switch all-neighbours This views the whole stack

system neighbor relationship.
3 ZXR10#show switch neighbours stack-member-nu This views neighbor

mber relationship of designated
device. The parameter is
device ID.
4 ZXR10#show switch stack-ports This views current device

stack interface information
including sending/receiving
packet statistics.
5 ZXR10#show switch stack-ports stack-member-nu This views specific device

mber stack interface information
including sending/receiving
packet statistics. The
parameter is device ID.
6 ZXR10#show switch status This views current device

topology related content.
7 ZXR10#show switch status stack-member-number This views designated device

topology content. The
parameter is device ID.

Chapter 7
ACL Configuration
Table of Contents
ACL Overview ...................................................................59
Configuring ACL ................................................................60
ACL Configuration Example .................................................66
ACL Maintenance and Diagnosis...........................................68
ACL Overview
Packet filtering can help limit network traffic and restrict network
use by certain users or devices. ACL’s can filter traffic as it passes
through a router and permit or deny packets at specified inter-
faces.
An ACL is a sequential collection of permit and deny conditions
that apply to packets. When a packet is received on an interface,
the switch compares the fields in the packet against any applied
ACL’s to verify that the packet has the required permissions to be
forwarded, based on the criteria specified in the access lists. It
tests packets against the conditions in an access list one by one.
The first match determines whether the switch accepts or rejects
the packets because the switch stops testing conditions after the
first match. The order of conditions in the list is critical. If no
conditions match, the switch rejects the packets. If there are no
restrictions, the switch forwards the packet; otherwise, the switch
drops the packet.
Packet matching rules defined by the ACL are also used in other
conditions where distinguishing traffic is needed. For instance, the
matching rules can define the traffic classification rule in the QoS.
ZXR10 5900/5200 provides the following six types of ACLs:
� Standard ACL: Only match the source IP address.
� Extended ACL: Match the following items: Source IP address,
destination IP address, IP protocol type, TCP source port num-
ber, TCP destination port number, UDP source port number,
UDP destination port number, ICMP type, ICMP Code, DiffServ
Code Point (DSCP), ToS and Precedence.
� L2 ACL: Match source MAC address, destination MAC address,
source VLAN ID, L2 Ethernet protocol type and 802.1p priority
value.
� Hybrid ACL: Match source MAC address, destination MAC ad-
dress, source VLAN ID, source IP address, destination IP ad-

dress, TCP source port number, TCP destination port number,

UDP source port number, UDP destination port number.
� Standard IPv6ACL: Only match the IPv6 source IP address.
� Extended IPv6ACL: Only match the IPv6 source and destination
IP address.
Each ACL has an access list number to identify. The access list
number is a number. The access list number ranges of different
types of ACLs are shown as follows:
� standard ACL: 1~99
� Extended ACL: 100~199
� L2 ACL : 200~299
� Hybrid ACL: 300~349
� Standard IPv6ACL: 2000~2499
� Extended IPv6ACL : 2500~2999
Each ACL has at best 100 rules, with the rule number range from
1 to 100.
Configuring ACL
Configuring Time Range
Command Function
ZXR10(config)#time-range <timerange-name>{<hh:mm This enables time range.

:ss> to <hh:mm:ss><days-of-the-week>|from <hh:mm
:ss><mm-dd-yyyy>[to <hh:mm:ss><mm-dd-yyyy>]}
There are several conditions in time-range configuration.

� Configure time range for each day: Specify the exact start time
and end time in a day.
� Configure period range: Specify the period to be a fixed day
of a week.
� Configure date range: Specify start date and end date. If not
configured, the start date is the day when configuration takes
effect and the end date is the max day that system can identify.
Configuring ACL Rule

When configuring ACL, it is needed to enter ACL configuration
mode firstly and then define ACL rules. The following items shall
be noted when defining ACL rules:

Chapter 7 ACL Configuration
1. If a packet matches multiple rules at the same time, the first

matched rule shall apply. Therefore, the sequence of these
rules is critical important. In usual cases, the rule with smaller
range is put ahead and the rule with larger range is put behind.
2. Taking network security into account, an implicit Deny rule is
automatically attached to the end of each ACL to deny all pack-
ets. Therefore, a Permit rule is usually configured at the end
of ACL to permit all packets to pass through.
Configuring Basic ACL Rule

1 ZXR10(config)#acl standard {number <acl-number This enters the standard ACL

>|name <acl-name>} configuration mode.
2 ZXR10(config-std-acl)#rule <1-100>{permit|deny This configures the rules of

}{<source>[<source-wildcard>]|any}[time-range ACL.
<timerange-name>]
3 ZXR10(config-std-acl)#move <rule-no>{after | This moves a rule behind of

before}<rule-no> another rule.
Example This example defines a standard ACL. The ACL permits packets
from the network segment 192.168.1.0/24 to pass, but reject
packets with the source IP address of 192.168.1.100.
ZXR10(config)#acl standard number 10
ZXR10(config-std-acl)#rule 1 deny 192.168.1.100 0.0.0.0
ZXR10(config-std-acl)#rule 2 permit 192.168.1.0 0.0.0.255
Configuring Extended ACL

1 ZXR10(config)#acl extend {number <acl-number>|n This enters the extended ACL

ame <acl-name>} configuration.
2 ZXR10(config-ext-acl)#rule <rule-no>{permit|d This configures the rules

eny}{<source><source-wildcard>|any}{<dest based on ICMP.
><dest-wildcard>|any}[<icmp-type>[icmp-code
<icmp-code>]][{[precedence <pre-value>][tos
<tos-value>]}|dscp <dscp-value>][fragment][time-
range <timerange-name>]
3 ZXR10(config-ext-acl)#rule <rule-no>{permit|deny This configures the rules

}{<ip-number>|ip}{<source><source-wildcard>|a based on IP or IP protocol
ny}{<dest><dest-wildcard>|any}[{[precedence number (excluded ICMP, TCP,
<pre-value>][tos <tos-value>]}|dscp <dscp-value UDP)
>][fragment][time-range <timerange-name>]
4 ZXR10(config-ext-acl)#rule <rule-no>{permit|den This configures the rules

y}{<source><source-wildcard>|any}[<rule><port based on TCP.
>]{<dest><dest-wildcard>|any}[<rule><port>][est
ablished][{[precedence <pre-value>][tos <tos-val
ue>]}|dscp <dscp-value>][fragment][time-range
<timerange-name>]

5 ZXR10(config-ext-acl)#rule <rule-no>{permit|den This configures the rules

y}{<source><source-wildcard>|any}[<rule><port based on UDP.
>]{<dest><dest-wildcard>|any}[<rule><port>][{[p
recedence <pre-value>][tos <tos-value>]}|dscp
<dscp-value>][fragment][time-range <timerange-
name>]
6 ZXR10(config-ext-acl)#move <rule-no>{after | This moves a rule behind

Example This shows an extended ACL to perform the following functions.

1. Permit UDP packets from the network segment
210.168.1.0/24, the destination IP address 210.168.2.10, the
source port 100 and the destination port 200 to pass.
2. Forbid the BGP packets from the network segment
192.168.2.0/24 passing.
3. Forbid all ICMP packets.
4. Forbid all packets with the IP protocol No. 8.
ZXR10(config)#acl extend number 150
ZXR10(config-ext-acl)#rule 1 permit udp 210.168.1.0 0.0.0.255
eq 100 210.168.2.10 0.0.0.0 eq 200
ZXR10(config-ext-acl)#rule 2 deny tcp 192.168.2.0 0.0.0.255
eq bgp any
ZXR10(config-ext-acl)#rule 3 deny icmp any any
ZXR10(config-ext-acl)#rule 4 deny 8 any any
Configuring L2 ACL
1 ZXR10(config)#acl link number <acl-number> This enters the L2 ACL

configuration mode.
2 ZXR10(config-link-acl)#Rule <rule-no>{permit|de This configures the rules of

ny}<protocol-number|any>[cos<value>][ingress ACL.
{<source-mac><source-mac-wildcard>|any}[vlan-id
<vlan>]][engress{<dest-mac><dest-mac-wildcard>|
any}][time-range <timerange-name>]
3 ZXR10(config-link-acl)#move <rule-no>{after | This moves a rule behind

Example In this example, define a L2 ACL to permit IP packets with the

source MAC address as 00d0.d0c0.5741 and the 802.1p as 5 from
VLAN 10.
ZXR10(config)#acl link number 200
ZXR10(config-link-acl)#rule 1 permit any cos 5 douter 10
ingress 00d0.d0c0.5741 0000.0000.0000

Configuring Hybrid ACL

1 ZXR10(config)#acl hybrid {number <acl-number>|n This enters the hybrid ACL

ame <acl-name>} configuration.
2 ZXR10(config-hybd-acl)#rule <rule-no>{permit|d This configures the rules

eny}{<ip-number>|ip}{<source><source-wildc based on IP or IP protocol
ard>|any}{<dest><dest-wildcard>|any}{[any number (excluded ICMP, TCP,
|<ether protocol>]}[cos <0-7>][<vlan-id>][ingress UDP).
<source-mac><source-mac-wildcard> egress
<dest-mac><dest-mac-wildcard>][time-range
<timerange-name>]
3 ZXR10(config-hybd-acl)#rule <rule-no>{pe This configures the rules

rmit|deny}{<source><source-wildcard>| based on TCP.
any}{[<dest-ip><dest-wildcard>| any {ethe
r-protocol}[<vlan-id>][cos<value>][egress
<dst-mac><dst-wildcard>][ingress <sor-mac><s
or-wildcard>][time-range<range-name>]][eq
<port-number>{<dst-mac><dst-wildcard>|
any}<ether-protocol>[<vlan-id>][cos<value
>][egress<dst-mac><dst-wildcard>][ingress
<sor-mac><sor-wildcard>][time-range
<range-name>]]}
4 ZXR10(config-hybd-acl)#rule <rule-no>{pe This configures the rules

rmit|deny}{<source><source-wildcard>| based on UDP.
any}{[<dest-ip><dest-wildcard>| any {ethe
r-protocol}[<vlan-id>][cos<value>][egress
<dst-mac><dst-wildcard>][ingress <sor-mac><s
or-wildcard>][time-range<range-name>]][eq
<port-number>{<dst-mac><dst-wildcard>|
any}<ether-protocol>[<vlan-id>][cos<value
>][egress<dst-mac><dst-wildcard>][ingress
<sor-mac><sor-wildcard>][time-range
<range-name>]]}
5 ZXR10(config-hybd-acl)#move <rule-no>{after | This moves a rule behind

Example This shows an extended ACL to perform the following functions:

1. Permit UDP packets from the network segment
210.168.1.0/24, the destination IP address 210.168.2.10,
destination MAC address 00d0.d0c0.5741, the source port
100 and the destination port 200 to pass.
2. Forbid the BGP packets from the network segment
192.168.3.0/24 passing.
3. Forbid all packets with the MAC address 0100.2563.1425.
ZXR10(config)#acl hybrid number 300
ZXR10(config-hybd-acl)#rule 1 permit udp 210.168.1.0 0.0.0.255 Eq
100 210.168.2.10 0.0.0.0 eq 200 any Egress
00d0.d0c0.5741 0000.0000.0000
ZXR10(config-hybd-acl)#rule 2 deny tcp 192.168.3.0 0.0.0.255
Eq BGP any any
ZXR10(config-hybd-acl)#rule 3 deny any any any ingress
0100.2563.1425 0000.0000.0000

Configuring Basic IPV6 ACL

1 ZXR10(config)#ipv6 acl standard {number This enters the basic ACL

<acl-number>|name <acl-name>} configuration mode.
2 ZXR10(config-std-v6acl)#rule <1-100>{permit|de This configures the rules of

ny}{<source>|any}[mac(<Source-mac><Source ACL.
wildcard bits>)][time-range <timerange-name>]
3 ZXR10(config-std-v6acl)#move <rule-no>{after | This moves a rule behind

Example In this example, define a ACL to permit IP packets with the network
segment as 10.0.0.0.0.0.0.0/16 to pass.
ZXR10(config)# ipv6 acl standard number 2000
ZXR10(config-std-v6acl)# rule 1 permit 10::/16
Configuring Extended IPV6 ACL

1 ZXR10(config)#ipv6 acl extended {number This enters ACL configuration

<acl-number>|name <acl-name>} mode.
2 ZXR10(config-ext-v6acl)#rule <1-maxRuleNo This configures the rules of

>{permit | deny}{(icmp {<source/prefix>| ACL.
any}{<destination/prefix>| any}) | (<protocol
>{<source/prefix>| any}{<destination/prefix>|
any}) | (tcp{<source/prefix>| any}[<rule>{<0-m
axPortNo>|<tcpporttype>}]{<destination/prefix>|
any}[<rule>{<0-maxPortNo>|<tcpporttype>}])
| (udp{<source/prefix>| any}[<rule>{<0-max
PortNo>|<udpporttype>}]{<destination/prefix>|
any}[<rule>{<0-maxPortNo>|<udpporttype>}])
}[ingress(<Source mac address><Source
wildcard bits>)][egress(<Destination mac
address><Destination wildcard bits> )][{time-range
<timerange-name>| event <event-name>}]
3 ZXR10(config-ext-v6acl)#move <rule-no>{after | This moves a rule behind

Example In this example, define a extended ipv6 ACL to permit IP packets

with the source ip network segment as 10.0.0.0.0.0.0.0/16 and
destination ip network segment as 20.0.0.0.0.0.0.0/16 to pass and
deny the packets with MAC address 0012.0001.0002 to pass.
ZXR10(config)# ipv6 acl extended 2500
ZXR10(config-ext-v6acl)# rule 1 permit 10::/16 20::/16
ZXR10(config-ext-v6acl)#rule 2 deny fragment any any ingress 0012
0001.0002 0000.0000.0000

Applying ACL on Physical Port

configuration mode.
2 ZXR10(config-gei_1/x)#ip access-group This applies ACL on physical

<acl-number> in port.
Note:
One physical port only can apply one ACL. The new configura-
tion will cover the old one. For example, on gei_1/1 configuration
mode, the following two commands are configured.
ip access-group 10 in
Only ACL 100 takes effects.
Applying ACL on VLAN

ACL can be applied on both physical port and VLAN after it is de-
fined.
1 ZXR10(config)#vlan <vlan-id> This enters VLAN

configuration mode.
2 ZXR10(config-vlanX)#ip access-group {<acl-numbe This applies ACL on VLAN.

r><acl-name>} in
Note:
1. Currently, ACL type that VLAN binds only supports IPv4 hybrid
ACL
2. One VLAN can only apply one ACL, the new configuration will
cover the old one. For example, in vlan configuration mode,
the following two commands are configured
only ACL 305 takes effects.

Configuring an ACL to Support

Renaming
To configure a name for ACL rule, use the following commands.
1 ZXR10(config)#acl standard {number <acl-number This enters ACL configuration

>|name <acl-name>} mode.
2 ZXR10(config-std-acl)#rule <1-100>{permit|deny This configures the rules of

}{<source>[<source-wildcard>]|any}[time-range ACL.
<timerange-name>]
3 ZXR10(config-std-acl)#rule-description This configures name for a

<1-100><rule-description> rule.
Example: Define a standard ACL, permitting packets from net-

work segment 192.168.1.0/24 to pass through and denying pack-
ets whose source IP addresses are 192.168.1.100. Rule 1 and rule
2 can be configured different name.
ZXR10(config-std-acl)#rule 1 deny 192.168.1.100 0.0.0.0
ZXR10(config-std-acl)#rule-description 1 test1
ZXR10(config-std-acl)#rule-description 2 test2
Note:
Currently only IPv4 standard ACL, IPv4 extended ACL, IPv4 hybrid
ACL and IPv4 layer 2 ACL support ACL renaming function.
ACL Configuration Example

A company has an Ethernet switch, to which users of both de-
partment A and department B and servers are connected. This is
shown in Figure 18. The relevant provisions as follows:
1. Users of both department A and department B are forbidden
to access the FTP server and the VOD server in work time
(9:00–17:00), but can access the Mail server at any time.
2. Internal users can access the Internet through proxy
192.168.3.100, but users of department A are forbidden to
access the Internet in work time.
3. General Managers of both department A and department B
(with their IP addresses as 192.168.1.100 and 192.168.2.100
respectively) may access the Internet and all servers at any
time.
The IP addresses of the servers are as follows:

Mail server: 192.168.4.50

FTP server: 192.168.4.60;
VOD server: 192.168.4.70.
FIGURE 18 ACL CONFIGURATION EXAMPLE
Configuration of switch:
/*Configure time range*/
ZXR10(config)#time-range en
ZXR10(config)#time-range working-time
ZXR10(config-tr)#periodic daily 09:00:00 to 17:00:00
/*Define an extended ACL to limit users of department A*/

ZXR10(config-ext-acl)#rule 1 permit ip 192.168.1.100 0.0.0.0 any
ZXR10(config-ext-acl)#rule 2 deny ip 192.168.1.0 0.0.0.255
192.168.4.60 0.0.0.0 time-range working-time
ZXR10(config-ext-acl)#rule 3 deny tcp any 192.168.4.70 0.0.0.0
time-range working-time
ZXR10(config-ext-acl)#rule 4 deny ip any 192.168.3.100 0.0.0.0
ZXR10(config-ext-acl)#rule 5 permit ip any any
/*Define an extended ACL to limit users of department B*/

ZXR10(config-ext-acl)#rule 2 deny ip 192.168.2.0 0.0.0.255
192.168.4.60 0.0.0.0 time-range working-time
ZXR10(config-ext-acl)#rule 3 deny tcp any 192.168.4.70 0.0.0.0
/*Apply the ACL to the corresponding physical port*/

ZXR10(config-gei_1/1)#ip access-group 100 in

ACL Maintenance and

Diagnosis
For the convenience of ACL maintenance and diagnosis, ZXR10
5900/5200 provides related view commands.
1. To display the contents of all ACLs with specified list number,
show acl [<acl-number>|name <acl-name>]
2. To show whether an ACL is applied on a physical port, use the
following command.
show running-config interface <port-name>

Chapter 8
QoS Configuration
Table of Contents
QoS Overview ...................................................................69
Configuring QoS ................................................................73
QoS Configuration Example.................................................78
QoS Maintenance and Diagnosis ..........................................80
QoS Overview
Traditional networks provide best-effort service, treating all pack-
ets identically and handling them with the first in, first out (FIFO)
policy. This service policy delivers the packets to their destination
as it can, without any assurance and guarantee for reliability and
delivery delay, and so on for packet forwarding.
With the continuous emergence of new applications a new require-
ment for network service quality is raised because the traditional
network at the best effort cannot satisfy the requirement for ap-
plications. For example, the user cannot use the VoIP service and
real-time image transmission normally if packet transfer delay is
too long. To solve the problem, provide the system with the capa-
bility of supporting QoS.
QoS is designed to provide different qualities of service for differ-
ent demands from various applications, such as, providing specific
bandwidth, reducing packet loss ratio, shortening packet transfer
delay and delay-jitter. To achieve the above purposes, QoS offers
the following functions:
1. Traffic classification
2. Traffic Policing
3. Traffic Shaping
4. Queue scheduling and default 802.1p Priority
5. Redirection and policy routing
6. Priority Mark
7. Flow Mirroring
8. Traffic statistics
Traffic Classification
Traffic refers to packets passing through switch. Traffic classifica-
tion is the process of distinguishing one kind of traffic from another
by examining the fields in the packet.

Traffic classification of QoS is based on ACL and the ACL rule must
be permit. The user can classify packets according to some filter
options of the ACL which are as follows: Source IP address, desti-
nation IP address, source MAC address, destination MAC address,
IP protocol type, TCP source port No. TCP destination port No.,
UDP source port No., UDP destination port No., ICMP type, ICMP
code, DSCP, ToS, precedence, source VLAN ID, Layer 2 Ethernet
protocol type and 802.1p priority value.
Traffic Policing
Traffic policing is to impose restriction on bandwidth occupied by
some traffic flow to prevent it from exceeding specified bandwidth
and thus affecting other services. As for the exceeding amount of
traffics, conduct the following operation:
� Discard or forward
� Modify its DSCP value
� Modify its drop precedence (packets with higher drop prece-
dence will be dropped preferentially when congestion occurs)
Traffic policing will not introduce extra delay. Its working process
is shown in Figure 19.
FIGURE 19 TRAFFIC POLICING WORKING FLOW
ZXR10 5900/5200 implements the Single Rate Three Color Marker

(SrTCM) (RFC2697) and Two Rate Three Color Marker (TrTCM)
(RFC2698) functions, which both support the color-blind and color-
aware modes.
It assumes that packets are colorless in color-blind mode but as-
sumes that packets are marked in a color in color-aware mode.
On the switch, each packet traversing the switch will be assigned
a color according to some principle (packet information). Maker
colors the IP packet according to result from Meter and the color
is marked in DS field.

Chapter 8 QoS Configuration
The following two methods will be described:

1. Single Rate Three Color Marker (SrTCM)
This algorithm is used in Diffserv traffic conditioner. SrTCM
measures data flow and marks packets according to three traf-
fic parameters (Committed Information Rate, CIR; Committed
Burst Size, CBS; Excess Burst Size, EBS). We call the three
parameters as green, yellow and red marker respectively. A
packet is green if its size is less than CBS. A packet is yellow if
its size is between CBS and EBS and is red if its size exceeds
EBS. By default, red packet is discarded.
2. Two Rate Three Color Marker (TrTCM)
This algorithm is used in Diffserv traffic conditioner. TrTCM
measures IP data flow and marks packets with green, yellow
and red based on two types of rates (Peak Information Rate,
PIR and Committed Information Rate, CIR) and their related
committed burst size (CBS and PBS). A packet is marked in
red if its size exceeds PIR. A packet is marked in yellow is its
size is between PIR and CIR and is marked in green if its size
is less than CIR.
Traffic Shaping
Traffic shaping is used to control the rate of output packets thus
sending packets at even speed. Traffic shaping is used to match
packet rate with downlink equipment to avoid congestion and
packet discarding.
The difference between traffic shaping and traffic policing is that
traffic shaping is to cache packets whose rate exceeds the limited
value and send packets at even rate whereas traffic policing is to
discard packets whose rate exceeds the limited value. Moreover,
traffic shaping makes delay longer but traffic policing does not in-
troduce any extra delay.
Queue Bandwidth Limit

Queue bandwidth limit means limiting the bandwidth of queue on
interface to ensure the minimum bandwidth for queue. When traf-
fic is blocked, certain bandwidth can be ensured for this queue.
Queue Scheduling and Default

802.1p
Each physical port of the ZXR10 5900/5200 supports eight output
queues (queue 0 to queue 7) called CoS queues. The switch per-
forms incoming port output queue operation according to the CoS
queue corresponding to 802.1p of packets. In network conges-
tion, the queue scheduling is generally used to solve the problem

that multiple packets compete with each other for resources at the
same time.
ZXR10 5900/5200 supports Strict Priority (SP) and Weighted
Round Robin (WRR) queue scheduling modes. Eight output
queues of a port can adopt different modes respectively.
� SP Scheduling
SP is to strictly schedule data of each queue according to queue
priority. First send packets in the highest priority queue and
after that, send packets in the higher priority queue. Similarly,
after that, send packets in the lower priority queue, and so on.
SP scheduling makes packets of key services processed prefer-
entially, thus guaranteeing service quality of key services. But
the low priority queue may never be processed and "starved”.
� WRR
WRR makes each queue investigated possibly and not
“starved”. Each queue is investigated at different time, that is,
has different weight indicating the ratio of resources obtained
by each queue. Packets in the high priority queue have more
opportunities to be scheduled than the low priority queue.
Data priority is contained in the 802.1P label. If data entering the
port is not marked with an 802.1P label, a default 802.1p value
will be assigned by the switch.
Redirection and Policy Routing

Redirecting is used to make the decision again about the forward-
ing of packets with certain features according to traffic classifica-
tion. Redirection changes transmission direction of packets and
export messages to the specific port, CPU or next-hop IP address.
Redirect packets to the next-hop IP address to implement policy
routing.
On the aspect of packet forwarding control, policy-based route has
more powerful control capacity than traditional route because it
can select a forwarding path according to the matched field in the
ACL. Policy routing can implement traffic engineering to a certain
extent, thus making traffic of different service quality or different
service data (such as voice and FTP) to go to different paths. The
user has higher and higher requirements for network performance,
therefore it is necessary to select different packet forwarding paths
based on the differences of services or user categories.
Priority Marking
Priority marking is used to reassign a set of service parameters
to specific traffic described in the ACL to perform the following
operations:
1. Change the CoS queue of the packet and change the 802.1p
value.

2. Change the CoS queue of the packet and do not change the
802.1p value.
3. Change the DSCP value of the packet.
4. Change the discard priority of the packet.
Marking Outside Vlan Value

Marking outside Vlan value means configuring outside VLAN tag
value for traffic complying with ACL rule.
Traffic Mirroring
Traffic mirroring is used to copy a service flow matching the ACL
rule to the CPU or specific port to analyze and monitor packets
during network fault diagnosis.
Traffic Statistics
Traffic statistics is used to sum up packets of the specific service
flow. This is to understand the actual condition of the network
and reasonably allocate network resources. The main content of
traffic statistics contains the number of packets received from the
incoming direction of the port.
Configuring QoS
Configuring Traffic Polices
Command Function
ZXR10(config)#traffic-limit in <acl-number> rule-id This configures traffic policy.

<rule-no> cir <cir-value> cbs <cbs-value> ebs
<ebs-value>[pir <pir-value>][mode <mode>][{[drop
-yellow][forward-red][remark-red-dp {high|low|me
dium}][remark-red-dscp<value>][remark-yellow-dp
{high|low|medium}][remark-yellow-dscp <value>]}]
Color rendering configuration parameters contain cir, cbs, ebs and

pir. To use the dual-rate marker algorithm, configure the pir pa-
rameter. The ebs parameter indicates the pbs parameter stipu-
lated in the protocol.

Parameter mode <mode>: blind indicates Color-Blind mode and

aware indicates Color-Aware mode.
Parameter drop-yellow: indicates dropping yellow packets;
packets will be forwarded by default.
Parameter forward-red: indicates forwarding red packets; pack-
ets will be forwarded by default.
Parameter remark indicates remarking service parameter of pack-
ets with color:
� remark-red-dp: Remark drop precedence of red packets, pri-
ority parameter includes high, medium and low.
� remark-red-dscp: Remark DSCP priority of red packets, pri-
ority parameter is 0~63.
� remark-yellow-dp: Remark yellow packet dp to parameter
of high, medium or low.
� remark-yellow-dscp:Remark yellow packet’s dscp value
from 0 to 63 and one value can be chosen..
Example This example shows the traffic policy of packets sent to the desti-
nation IP address of 168.2.5.5 on port of gei_1/1 and bandwidth
is set to 10M.
ZXR10(config)#acl extended number 100
ZXR10(config-ext-acl)#rule 1 permit ip any
168.2.5.5 0.0.0.0
ZXR10(config-ext-acl)#exit
ZXR10(config)# traffic-limit in rule-id 1 cir
10000 cbs 2000 pir 10000 pbs 2000 mode blind
Configuring Traffic Shaping
Command Function
ZXR10(config-gei_1/x)#traffic-shape data-rate This configures traffic shaping

<rate-value> burst-size <value> for the port.
Example This example shows the conduction of traffic shaping on port

gei_1/1 and configures the port rate as 20 M.
ZXR10(config-gei_1/1)#traffic-shape data-rate 20000 burst-size 4
Configuring Queue Bandwidth Limit
Command Function
ZXR10(config-gei_1/x)#traffic-shape queue This configures queue maximum

<queue-no>{max-datarate-limit <max-daterate-vlaue and minimum bandwidth limit.
>|min-gua-datarate <min-datarate-vlaue>}

Example This example shows the conduction of queue bandwidth limit on

port gei_1/1 and configures maximum bandwidth limit of queue 1
as 20M and minimum bandwidth as 2M, maximum bandwidth limit
of queue 2 as 20M, minimum bandwidth limit of queue 3 as 2M.
ZXR10(config-gei_1/1)#traffic-shape queue 1 max-datarate-limit 20000
min-gua-datarate 2000
ZXR10(config-gei_1/1)#traffic-shape queue 2 max-datarate-limit 20000
ZXR10(config-gei_1/1)#traffic-shape queue 3 min-gua-datarate 2000
Configuring Queue Scheduling and

Default 802.1p of the Port
ZXR10 5900/5200 supports two types of queue scheduling modes:
Strict Priority Scheduling (SP) and weighted Round-Robin (WRR).
When these two modes are used together, SP has a higher priority
than WRR.
Command Function
ZXR10(config-gei_1/x)#queue-mode strict-priority|wrr This configures queue

<Queue number><Queue weight> scheduling and default 802.1p
priority of the port.
Example This example shows the implementing of SP scheduling on the port

gei_1/1. This implements WRR scheduling on port gei_1/2 and
configures the weight of queue 0 to queue 7 sequentially as 10,
5, 8, 10, 5, 8, 9 and 10. Default 802.1p is configured on the port
gei_1/2 as 5.
ZXR10(config-gei_1/1)#queue-mode strict-priority
ZXR10(config-gei_1/2)# queue-mode wrr 0 10 1 5 2 8 3 10 4 5 5 8 6 9 7 10
ZXR10(config-gei_1/2)#priority 5
Configuring Redirection and Policy

Routing
Command Function
ZXR10(config)#redirect in <acl-number> rule-id This redirects the packets.

<rule-no>{cpu|interface <port-name>|next-hop
<ip-address>}
Example This example shows the redirection of the packet whose source
IP address is 168.2.5.5 on the port gei_1/4 to the port gei_1/3.
In addition, it is to implement the policy routing to packet whose

destination IP address is 66.100.5.6 and specify the next-hop IP

address as 166.88.96.56.
ZXR10(config-ext-acl)#rule 2 permit ip any 66.100.5.6 0.0.0.0
ZXR10(config)#redirect in 100 rule-id 1 interface gei_1/3
ZXR10(config)#redirect in 100 rule-id 2 next-hop 166.88.96.56
Configuring Priority Marking
Command Function
ZXR10(config)#priority-mark in <acl-number> rule-id This configures priority marking.

<rule-no>{ dscp <dscp-value>| cos<cos-value>
local-precedence <local-value> drop-precedence
<dropl-value>}}
Example This example shows how to change the DSCP value of the packet
whose source IP address is 168.2.5.5 on the port gei_1/1 to 34
and selects the output queue to 4.
ZXR10(config-std-acl)#rule 1 permit 168.2.5.5
ZXR10(config-std-acl)#exit
ZXR10(config)#priority-mark in 10 rule-id 1 dscp 34 cos
4 drop-precedence low
Configuring Outer VLAN Value

To configure outer VLAN value of traffic which matches ACL rule,
Command Function
ZXR10(config)#qos set acl-svlan-map acl {acl-number | This configures outer VLAN

acl-name} rule <rule-id> to out-vlanid-<vlan-id> value of traffic which matches
ACL rule.
Example This example shows how to configure outer vlan value of traffic
which complies with rule 1 on gei_1/4 as 2000.
ZXR10(config)#qos set acl-svlan-map acl 10
rule 1 to out-vlanid 2000

Configuring Traffic Mirroring
Command Function
ZXR10(config)#traffic-mirror in <acl-number> rule-id This configures traffic mirroring.

<rule-no>{cpu|interface <interface-num>}
Example This example shows the mirror data traffic whose source IP ad-
dress is 168.2.5.6 on the port gei_1/8 to the port gei_1/4.
ZXR10(config)#traffic-mirror in 10 rule-id 2 interface gei_1/4
Configuring Tail-Drop
Command Function
ZXR10(config)#qos tail-drop < session-index> queue-id This configures the tail-drop

< queue-id>< all-threshold>< yellow-threshold>< parameter.
red-threshold>
To enable the tail-drop function on the port, use the following com-
mand.
drop-mode tail-drop <session-id>
Example This example shows the configuration of tail-drop. In queue 1:
Red packets tail-drop value is 120. Yellow packets tail-drop value
is 120. all packets tail-drop value is 240. This is configured on the
port gei_1/8.
ZXR10(config)#qos tail-drop 1 queue-id 1 240 120 120
ZXR10(config-gei_1/8# drop-mode tail-drop 1
Configuring Traffic Statistics
Command Function
ZXR10(config)#traffic-statistics < acl-number> rrulle-iid This configures traffic statistics.

< rule-no> pkt-type { all| green| red| yellow}
statistics-type { byte| packet}

Example This example shows the conduction of traffic statistics to data

whose destination IP address network segment is 67.100.88.0/24
on the port gei_1/8.
ZXR10(config)#traffic-statistics 100 rule-id 2 pkt-type all statistics-type byte
QoS Configuration Example

Typical QoS Configuration Example
Network A, Network B and internal servers are all connected to an
Ethernet switch, as shown in Figure 20. One of internal servers
is the VOD server with the IP address of 192.168.4.70. To guar-
antee service quality of the VOD, configure it as one with high
priority. The internal user can access the Internet over the agent
192.168.3.100 but the bandwidth of Network A and Network B
should be restricted and their traffic statistics should be conducted.
FIGURE 20 QOS CONFIGURATION EXAMPLE
Switch configuration:
ZXR10(config-ext-acl)#rule 1 permit tcp any 192.168.4.70 0.0.0.0

/*To guarantee the service quality of the VOD, change the
802.1pvalue to 7*/
ZXR10(config)#priority-mark in 100 rule-id 1 dscp 62
cos 7 local-precedence 7 drop-precedence low
/*Restrict the bandwidth of Network A to access Internet*/
ZXR10(config)#traffic-limit in 100 rule-id 2 cir 5000
cbs 2000 ebs 3000 mode blind
/*Sum up traffic of Network A*/
ZXR10(config)#traffic-statistics in 100 rule-id 2
pkt-type all statistics-type byte

ZXR10(config-ext-acl)#rule 1 permit tcp
192.168.2.0 0.0.0.255 192.168.4.70 0.0.0.0
ZXR10(config-ext-acl)#rule 2 permit ip any
192.168.3.100 0.0.0.0
/*To guarantee the sevice quality of the VOD, cange the
802.1p value to7*/
ZXR10(config)#priority-mark in 101 rule-id 1 dscp 62
cos 7 drop-precedence low
/*Restrict the bandwidth of Network B to access Internet*/
ZXR10(config)#traffic-limit in 101 rule-id 2 cir 10000
cbs 2000 ebs 3000 mode blind
/*Sum up traffic of Network B*/
ZXR10(config)#traffic-statistics in 101 rule-id 2
Policy Routing Configuration

Example
When there are many Internet Service Provider (ISP) egresses on
the network, select different ISP egresses for users from differ-
ent groups through policy routing or select different ISP egresses
based on service types.
As shown in Figure 21, Users on both sub-networks are connected
to the switch and there are two available ISP egresses. It is
required to select different egresses based on IP addresses of
users as follows: Users on the sub-network 10.10.0.0/24 use the
ISP1 egress. Users on the sub-network 11.11.0.0/24 use the
ISP2 egress.

FIGURE 21 POLICY ROUTING EXAMPLE
/*Define an ACC, which describes users in 10.10.0.0/24
network segment and 11.11.0.0/24 network segment*/
/*Configure policy routing of QoS*/

/*Apply to the corresponding port*/

QoS Maintenance and

Diagnosis
ZXR10 5900/5200 provides the following commands of QoS main-
tenance and diagnosis.
1. To display QoS configuration, use the following command.
show qos
2. To displayconfiguration of map of service parameter of data
packets according to conformance level and DSCP, use the fol-
lowing command.
show qos conform-dscp
3. To display 802.1p parameter map table configuration infor-
mation according to local-precedence, use the following com-
mand.
show qos cos-local-map

4. To display table configuration information that 802.1P user pri-

ority maps to switch local precedence, use the following com-
mand.
show qos cos-drop-map
Example ZXR10(config)#acl standard number 1
ZXR10(config)#traffic-limit in 1 rule-id 1 cir 10000 cbs 2000
ebs 2000 mode blind
ZXR10(config)#show qos
traffic-limit in 1 rule-id 1 cir 10000 cbs 2000 ebs 2000 mode blind
ZXR10(config)#qos conform-dscp 1 0 7 2
ZXR10(config)#show qos conform-dscp
qos conform-dscp 1 0 7 2
ZXR10(config)#qos cos-local-map 1 2 3 4 5 6 7 0
ZXR10(config)#show qos cos-local-map
qos cos-local-map 1 2 3 4 5 6 7 0
ZXR10(config)#qos cos-drop-map 2 1 0 2 1 1 0 1
ZXR10(config)#show qos cos-drop-map
qos cos-drop-map 2 1 0 2 1 1 0 1


Chapter 9
DHCP Configuration
Table of Contents
DHCP Overview .................................................................83
Configuring DHCP ..............................................................84
DHCP Configuration Example...............................................99
DHCP Maintenance and Diagnosis ...................................... 103
DHCP Overview
Dynamic Host Configuration Protocol (DHCP) enables a host on the
network to obtain an IP address ensuring its normal communica-
tion and relevant configuration information from a DHCP server.
DHCP adopts UDP as the transmission protocol. Host sends a mes-
sage to Port 67 of the DHCP server and the DHCP server returns
the message to Port 68 of the host. The DHCP works in the fol-
lowing steps:
1. Host sends a broadcast packet DHCPDiscover including the re-
quest of IP address and other configuration parameters.
2. DHCP server returns a unicast packet DHCPOffer including the
valid IP address and configuration.
3. Host selects the server which returns DHCPOffer arriving at
first and sends a unicast DHCPRequest to the server, indicating
to accept relevant configuration.
4. Selected DHCP server returns a unicast packet DHCPAck for
confirmation.
By now the host can use the IP address and relevant configuration
obtained from the DHCP server for communication.
DHCP supports three mechanisms for IP address allocation:
1. Automatic allocation—DHCP assigns a permanent IP address
to a client.
2. Dynamic allocation—DHCP assigns an IP address to a client for
a limited period of time (or until the client explicitly relinquishes
the address).
3. Manual allocation—the network administrator assigns an IP ad-
dress to a client and DHCP is used simply to convey the as-
signed address to the client.
Usually Dynamic allocation method is adopted. The valid time seg-
ment of using the address is called lease period. Once the lease
period expires, the host must request the server for continuous
lease. The host cannot continue to lease until it accepts the re-
quest, otherwise it must give up unconditionally.

Routers do not send the received broadcast packet from a sub-net-

work to another by default. But the router as the default gateway
of the client host must send the broadcast packet to the sub-net-
work where the DHCP server locates when the DHCP server and
client host are not in the same sub-network. This function is called
DHCP relay.
ZXR10 5900/5200 can act as a DHCP server or DHCP relay to for-
ward DHCP information but it cannot use both functions at the
same time.
DHCP makes IP address allocation more convinent. But with the
wide application of DHCP service, some problem happens. Firstly,
DHCP service allows multiple DHCP servers to be in a subnet, which
means that administrator can’t assure that client doesn’t get IP ad-
dress from illegal DHCP server set by some clients but only gets
legal IP address from DHCP server set by administrator. Secondly,
in subnet deployed DHCP service, the host which is designated le-
gal IP address, subnet mask and gateway can access network nor-
mally. But DHCP server will still allocate this IP address to other
hosts possibly. It will lead to address collision and affect the nor-
mal distribution of IP address. DHCP snooping function is enabled
for ZXR10 5900/5200 to prevent bogus DHCP server from being
laid in network, and in this case, the port connecting to DHCP
server must be set to trusted port. What’s more, dynamic ARP
inspection technology can be used together to prevent illegal IP
and MAC address binding, thus ensuring normal assignment of IP
addresses by DHCP server.
Configuring DHCP
Configuring IP Pool
1. To configure or delete an IP pool, use the following command.
1 ZXR10(config)#ip pool <word> This creates IP pool which

DHCP function uses and
enters into IP pool of
corresponding name
configuration mode.
<word> IP address pool
name, 1~16 characters.
2 ZXR10(config)#no ip pool <word> This deletes IP address pool

which name corresponds.
2. To configure conflict time in ip pool or delete the orginal con-

figuration, use the following commands.

Chapter 9 DHCP Configuration
1 ZXR10(config-ip-pool)#conflict-time <time> This configures conflict time

in IP pool.
<time> conflict time value,
1~18000 minutes, the default
value is 30 minutes.
2 ZXR10(config-ip-pool)#no conflict-time This deletes the original

configuration and restores
default time value.
3. To configure reserving address in IP pool or delete the original

configuration, use the following commands.
1 ZXR10(config-ip-pool)#exclude <low_ip_addr>[<hig This configures reserving

_ip_addr>] address in ip pool.
<low_ip_addr >the begin low
address of reserving address
or a specific address.
<Hig_ip_add r> the highest
range. This command
parameter must be a subset
of this address pool.
2 ZXR10(config-ip-pool)#no exclude <low_ip_addr>[<h This deletes the original

ig_ip_addr>] configuration.
<low_ip_addr >the begin low
or a specific address.
<Hig_ip_add r> the highest
range. This command
parameter must be a subset
of this address pool.
4. To add all suitable ip addresses to ip pool or delete the corre-

sponding IP address range, use the following commands.
1 ZXR10(config-ip-pool)#network <net_number><net This adds all suitable IP

_mask> addresses to IP pool.
<net_numberr > a specific
subnet network number,
<net_maskr > subnet mask.
2 ZXR10(config-ip-pool)#no network <net_number><n This deletes corresponding IP

et_mask> address range configuration.
<net_numberr > a specific
subnet network number,
<net_maskr > subnet mask.
5. To configure IP pool range or delete corresponding IP address

range , use the following commands.

1 ZXR10(config-ip-pool)#range <begin_ip_addr><last_i This configures IP pool range.

p_addr><ip_mask> <begin_ip_addr > the
beginning address of IP
address pool, <last_n_ip_add
r> the end address of IP
address pool, <ip_mask r>
mask.
2 ZXR10(config-ip-pool)#no range <begin_ip_addr><l This deletes corresponding IP

ast_ip_addr><ip_mask> address range configuration.
<begin_ip_addr > the
beginning address of IP
address pool, <last_n_ip_add
r> the end address of IP
address pool, <ip_mask r>
mask.
Configuring DHCP POOL

A DHCP pool will bind a ip pool. DHCP server will allocate address
in binding address pool.
1. To configure a DHCP pool or delete a DHCP pool, use the fol-
lowing command.
1 ZXR10(config)#ip dhcp pool <word> This configures a DHCP pool .

<word> DHCP pool name
2 ZXR10(config)#no ip dhcp pool <word> This deletes a DHCP pool.
2. To configure binding table between MAC address and ip ad-

dress or delete the original configuration, use the following
commands.
1 ZXR10(config-dhcp-pool)#binding <mac_addr><ip_ad This configures binding table

dr>[vrf-instance <instance_ namer>] between MAC address and ip
address.
<mac_addr> Mac address
<ip_addr> IP Address
<instance_namer> instance
name
2 ZXR10(config-dhcp-pool)#no binding <mac_addr><ip This deletes the original

_addr>[vrf-instance <instance_ namer>] configuration.
3. To configure a default route or delete the configured content,

use the following commands.

1 ZXR10(config-dhcp-pool)#default-router This configures a default

<ip_addr>[<ip_addr>][<ip_addr>] route.
2 ZXR10(config-dhcp-pool)#no default-router This deletes the configured

<ip_addr>[<ip_addr>][<ip_addr>] content.
4. To configure DNS server or delete the corresponding configu-

ration, use the following commands.
1 ZXR10(config-dhcp-pool)#dns-server <ip_addr>[<ip_ This configure DNS server

addr>][<ip_addr>] address.
This command can configure
up to 8 DNS server addresses.
2 ZXR10(config-dhcp-pool)#no dns-server This deletes the correspond-

<ip_addr>[<ip_addr>][<ip_addr>] ing configuration.
5. To bind the specific ip pool with dhcp pool or delete binding

relationship, use the following command.
1 ZXR10(config-dhcp-pool)#ip-pool <ip_pool_name> This binds the specific ip pool

with dhcp pool.
<ip_pool_namer> ip pool
address pool name, 1~16
characters.
2 ZXR10(config-dhcp-pool)#no ip-pool This deletes binding

relationship.
6. To configure ip address lease-time or delete configured time,

1 ZXR10(config)#lease-time [[infinite]|[<days><hours This configurse ip address

><minutes>]] lease-time.
<days> 0~365
<hours> 0~23
<minutes> 0~59
infinite
The default is 60 minutes.
2 ZXR10(config)#no lease-time This deletes configured time.
7. To configure other options, use the following command.

Command Function
ZXR10(config-dhcp-pool)#option <option_code>[[ascii This configures other options.

<string>]|[hex <hex_num>]|[ip <ip_addr>]] <option_code> configured
optional code,1~254.
<string> NVT ASCII character
string.
<hex_num> hexadecimal
number.
Configuring DHCP POLICY

1. To enter POLICY configuration mode or delete name corre-
sponding policy configuration, use the following commands.
1 ZXR10(config)#ip dhcp policy <policy_name><priori This enters policy

ty> configuration mode.
<policy_namer> name of
policy, 1~16 characters.
<priority> priority.
2 ZXR10(config)#no ip dhcp policy <policy_name><pri This deletes name

ority> corresponding policy
configuration.
2. To bind the policy to a dhcp-pool or delete binding relationship,

1 ZXR10(config-dhcp-pool)#dhcp-pool <pool_name> This binds the policy to a

dhcp-pool.
<pool_name> name of dhcp
pool
2 ZXR10(config-dhcp-pool)#no dhcp-pool <pool_name> This deletes binding

relationship.
3. To configure relay agent address or delete the configuration,

1 ZXR10(config-dhcp-pool)#relay-agent <ip_addr> This configures relay agent

address.
2 ZXR10(config-dhcp-pool)#no relay-agent This deletes configuration.

Configuring DCHP Server

1. To enable DHCP or stop DHCP, use the following command.
1 ZXR10(config)#ip dhcp enable After enabling DHCP, system

will take DHCP ip address
request on the interface which
is configured user interface
attribute. This system builts
in DHCP Server function and
DHCP Relay function which
are enabled by using this
command.
By default, disable DHCP.
2 ZXR10(config)#no ip dhcp enable This stops DHCP.
2. To enable DHCP working mode on the interface, use the fol-

lowing command.
Command Function
ZXR10(config-if-vlanX)#ip dhcp mode [server | relay | Relay: enalbe DHCP Relay on

proxy] the interface;
server: enable DHCP Server on
the interface;
proxy:enable DHCP Proxy on
the interface.
After enabling built-in DHCP Relay process, system processes

IP address request sent from DHCP client on the interface and
allocate IP address for DHCP Client dynamically by external
DHCP Server configured in the interface.
After enabling built-in DHCP Proxy process, system will process
IP address request sent from DHCP client on the interface,
allocate IP address for DHCP Client dynamically by external
DHCP Server configured in the interface and replace the long
lease with short lease to client. When DHCP Client sending
continue-to-rent request, if the long lease allocated by DHCP
Server is not timeout, DHCP Proxy will response DHCP Client
directly and won’t send continue-to-rent request to external
DHCP Server to relieve the burden of external DHCP Server.
Only one function among system built-in DHCP Server function,
DHCP Relay function and DHCP Proxy function can be run on
the same interface.
3. To bind policy to an interface or delete configuration, use the
following commands.

1 ZXR10(config-if-vlanX)#ip dhcp policy < This binds policy to an

policy_name> interface.
<policy_name> the policy
name that interface need
bind.
2 ZXR10(config-if-vlanX)#no ip dhcp policy This deletes configuration.
4. To configure DHCP user quota on interface or cancel this con-

figuration, use the following command.
1 ZXR10(config-if-vlanX)#ip dhcp user quota This configures DHCP user

<limit-value> quota on interface, that is
, the maximum number of
DHCP Client on the interface.
<limit-value> DHCP user
quota1~2048.
The default: no quota.
2 ZXR10(config-if-vlanX)#no ip dhcp user quotar This cancel dhcp user quota.
As for DHCP Server, DHCP user quota is used to limit the max
number of DHCP users on an interface, thus limiting the num-
ber of IP addresses assigned on the interface.
As for DHCP Relay, DHCP Relay standard mode doesn’t support
DHCP user quota, thus user quota doesn’t take effect. But if
DHCP Relay is configured forwarding in safety mode, DHCP
Relay will make DHCP user quota configuration valid.
5. To configure the interface select outside DHCP Server policy or
cancel this policy, use the following command.
1 ZXR10(config-if-vlanX)#ip dhcp helper-address This configures the interface

policy vclass-id select outside DHCP Server
policy.
The default is to select DHCP
Server in ip dhcp relay server
command on the interface.
2 ZXR10(config-if-vlanX)#no ip dhcp helper-address This cancels this interface

policy vclass-id select outside DHCP Server
policy.
6. To configure DHCP SERVER/RELAY/PROXY ramble function or

disable DHCP ramble function, use the following command.

1 ZXR10(config)#ip dhcp ramble When DHCP ramble function

is enabled, DHCP user can
switch the access interface
on-line. The default: disable
DHCP ramble function.
2 ZXR10(config)#no ip dhcp ramble This disables DHCP ramble

function.
7. To enable DHCP log print switch or stop DHCP print function,

1 ZXR10(config)#ip dhcp logging on This enables DHCP log print

switch.
The default is to disable DHCP
log print function.
After DHCP log print function
is enabled, DHCP user on-line
log will be recorded.
2 ZXR10(config)#no ip dhcp logging on This disables DHCP print

function.
Configuring DHCP Snooping

1. To add the binding entry to binding-database manually or
delete binding entry from DHCP SNOOPING binding-database,
1 ZXR10(config)#ip dhcp snooping binding <mac> This adds user binding entry
vlan <vlan><ip address><interface-number> expiry to binding-database manually.
<2147483647> <mac> user MAC address
<vlan> the VLAN user belongs
to, 1~4096input the range.
<ip address> DHCP binding
IP address.
<interface-number> physical
interface numbersuch as fei,
gei and smartgroup.
2 ZXR10(config)#no ip dhcp snooping binding <mac> This deletes user binding

vlan <vlan><ip address><interface-number> entry from DHCP SNOOPING
binding database.
2. To delete the entry of DHCP SNOOPING binding table on layer

2 interface manually, use the following command.

Command Function
ZXR10(config)#ip dhcp snooping clear [<interface-num This deletes the entry of DHCP
ber>] SNOOPING binding table on
layer 2 interface manually.
interface numbersuch as fei, gei
and smartgroup.
3. To enable DHCP SNOOPING or disable DHCP SNOOPING, use

the following command.
1 ZXR10(config)#ip dhcp snooping enable After DHCP SNOOPING is

globally enabled, DHCP
SNOOPING need to be
enabled on the corresponding
VLAN to take effect on it.
2 ZXR10(config)#no ip dhcp snooping enable This disables DHCP

SNOOPING function.
4. To configure if 82 option is inserted when DHCP SNOOPING is

configured, use the following command.
1 ZXR10(config)#ip dhcp snooping information option This inserts 82 option.
2 ZXR10(config)#no ip dhcp snooping information This doesn’t insert 82 option.

option
5. To configure the 82 option format or delete the configured 82

option format and restore the default format, use the following
command.
1 ZXR10(config)#ip dhcp snooping information format This configures 82 option

{china-tel | dsl-forum} format which is inserted
when DHCP SNOOPING is
configured,
china-tel: China Telecom 82
option format.
dsl-forum:DSL forum 82
option format.
The default is China Telecom
82 option format.
2 ZXR10(config)#no ip dhcp snooping information This cancels configured 82

format option format to restore
default format.
6. To configure the policy of forwarding DHCP data packet 82 op-

tion or cancel the policy, use the following command.

1 ZXR10(config)#ip dhcp snooping information policy This configures the policy of

{keep | replace} forwarding DHCP data packet
82 option.
keep: keep the original 82
option and transparently
transmit.
replace: replace the original
82 option.
The default is to keep
the original 82 option and
transparently transmit.
2 ZXR10(config)#no ip dhcp snooping information This cancels configured 82

policy option policy to restore
default format.
7. To configure DHCP SNOOPING ramble function and allow user

to switch on different ports, use the following command.
1 ZXR10(config)#ip dhcp snooping ramble This configures DHCP

SNOOPING ramble function.
2 ZXR10(config)#no ip dhcp snooping ramble This disables DHCP

SNOOPING ramble function.
8. To configure the interface connects to DHCP SERVER as trust

interface, use the following command.
1 ZXR10(config)#ip dhcp snooping trust This configures DHCP SERVER

<interface-number> interface as trust interface.
interface numbersuch as fei,
gei and smartgroup.
2 ZXR10(config)#no ip dhcp snooping trust This cancels DHCP SERVER

<interface-numbe> interface as trust interface.
9. To enable DHCP SNOOPING on the specific VLAN, use the fol-

lowing command.
1 ZXR10(config)#ip dhcp snooping vlan <vlan> This enables DHCP SNOOPING

on the specific VLAN.
<vlan> the VLAN user belongs
to, 1~4094input the range.
2 ZXR10(config)#no ip dhcp snooping vlan <vlan> This cancels DHCP SNOOPING

on the specific VLAN.

Configuring DHCP Relay

1. To configure the DHCP agent ip address on the interface or
delete the ip address, use the following command.
1 ZXR10(config-if-vlanX)#ip dhcp relay agent This configures the DHCP

<ip-address> agent ip address on the
interface.
< ip-address> DHCP agent IP
address on the interface, in
dotted decimal notation.
2 ZXR10(config-if-vlanX)#no ip dhcp relay agent This deletes the DHCP agent

ip address on the interface.
Before enabling DHCP Relay to forward user DHCP request to

external DHCP Server, it is needed to configure IP address of
DHCP Agent, which is one of the IP addresses of interfaces
where DHCP Client locates.
External DHCP Server will assign IP address according to IP
address of DHCP Agent to make them in the same subnet.
DHCP reply packet returned to DHCP client by DHCP server is
forwarded by DHCP Agent. Therefore, a route pointing to the
subnet where DHCP Agent locates needs to be configured on
external DHCP Server.
2. To configure the outside DHCP server ip address on the inter-
face or delete outside DHCP Server address on the interface,
1 ZXR10(config-if-vlanX)#ip dhcp relay server <ip-address>outside DHCP

<ip-address>{standard | security} Server ip address, in dotted
decimal notation
standard: comply with DHCP
standard protocol forwarding
mode
security: ZTE security
forwarding mode, The default
is standard.
2 ZXR10(config-if-vlanX)#no ip dhcp relay server <ip-address>outside DHCP

<ip-address> Server ip address, in dotted
decimal notation
Standard forwarding mode conforms to DHCP standard proto-

col. After user obtains corresponding IP address, DHCP process
will not process subsequent unicast interaction any more, such
as security inspection. At the same time, writing ARP table
function is invalid for standard mode. Standard forwarding
mode performance will be better for big consumer number be-
cause it does not deal with the subsequent unicast interaction.

Security forwarding mode combines DHCP standard protocol

with ZTE patent technology to control and manage all interac-
tion of DHCP client and outside DHCP SERVER such as security
check. Therefore, DHCP process can work in all DHCP inter-
action. At the same time, it supports ARP writing function.
System default Relay forwarding mode is standard forwarding
mode.
3. To configure the retry time that DHCP Relay applies from out-
side DHCP Server or recover default retry time, use the follow-
ing command.
1 ZXR10(config)#ip dhcp relay server retry <limit-value> the retry time

<limit-values> that DHCP Relay applies from
outside DHCP Server. The
range is 5~1000. The value
is 10 by default.
2 ZXR10(config)#no ip dhcp relay server retry This recovers default retry

time.
4. To configure the specific domain name DHCP CLient applies

from outside DHCP Server, use the following command.
1 ZXR10(config)#ip dhcp relay server vclass-id <domain name> domain

<domain name><ip-address>{standard | security} name that DHCP Client
request packet carries.
<ip-address>outside DHCP
Server ip address, in dotted
decimal notation
standard: comply with DHCP
standard protocol forwarding
mode
security: ZTE security
forwarding mode.
2 ZXR10(config)#no ip dhcp relay server vclass-id <domain name> domain

<domain name><ip-address> name that DHCP Client
request packet carries.
<ip-address>outside DHCP
Server ip address, in dotted
decimal notation
5. To configure unrestricted DHCP user message on DHCP Relay

standard mode or restrict DHCP user message, use the follow-
ing command.

1 ZXR10(config)#ip dhcp relay forward reply This configurse unrestricted

unrestricted DHCP user message on DHCP
Relay standard mode.
2 ZXR10(config)#no ip dhcp relay forward reply This restricts DHCP user

unrestricted message and recovers default
mode.
DHCP client continuous rent is launched by DHCP client. For

that DHCP client does not send continuous rent message, if
can receive ACK message that DHCP Server response to client,
it is taken for granted that DHCP client is on-line and send
transparently this message to client.
6. To configure the insert 82 option when the DHCP process is
in relay forwarding or cancel the insert of 82 option, use the
following command.
1 ZXR10(config)#ip dhcp relay information option This configures the insert

82 option when the DHCP
process is in relay forwarding.
The default: 82 option is not
inserted.
2 ZXR10(config)#no ip dhcp relay information option This cancels the insert 82

option.
7. To configure the DHCP process when the insert 82 option has

been configured in the DHCP process in relay forwarding data
and host should configure the insert 82 option or delete con-
figured 82 option handle policy, use the following command.
1 ZXR10(config)#ip dhcp relay information policy keep: keep the original 82

{keep | replace} option and transparently
transmit.
replace: replace the original
82 option.
The default is to keep
the original 82 option and
transparently transmit.
2 ZXR10(config)#no ip dhcp relay information policy This cancels configured 82

option policy to restore
default policy.
8. To configure DHCP client server-id that DHCP Relay responses

or cancel DHCP client server-id that DHCP Relay responses, use

1 ZXR10(config)#ip dhcp relay security client This configures DHCP client

server-id <ip-address> server-id that DHCP Relay
response. <ip-address>
server-id ip addressin dotted
decimal notation.
2 ZXR10(config)#no ip dhcp relay security client This cancels DHCP client

server-id server-id that DHCP Relay
responses.
9. To enable DHCP Relay Snooping, use the following command.
1 ZXR10(config)#ip dhcp relay snooping enable This enables DHCP Relay

Snooping.
DHCP Relay Snooping is
disabled by default.
2 ZXR10(config)#no ip dhcp relay snooping enable This cancels DHCP Relay

Snooping function.
10. To enable DHCP network packet that all reply on the interface,
1 ZXR10(config-if-vlanX)#ip dhcp relay snooping This enables DHCP network

packet reply packet that all reply on the
interface.
2 ZXR10(config-if-vlanX)#no ip dhcp relay snooping This command disables DHCP

packet reply network packet that all reply
on the interface.
11. To enable DHCP network packet that all request on the inter-
face, use the following command.
1 ZXR10(config-if-vlanX)#ip dhcp relay snooping This enables DHCP network

packet request packet that all request on the
interface.
2 ZXR10(config-if-vlanX)#no ip dhcp relay snooping This disables DHCP network

packet request packet that all request on the
interface.
12. To enable the interface as DHCP Relay trust or disable the in-
terface as DHCP Relay trust, use the following command.

1 ZXR10(config-if-vlanX)#ip dhcp relay snooping trust This enables the interface as

DHCP Relay trust.
2 ZXR10(config-if-vlanX)#no ip dhcp relay snooping This disables the interface as

trust DHCP Relay trust.
13. To enable DHCP Relay Snooping Trust or disable DHCP Relay

Snooping Trust, use the following command.
1 ZXR10(config)#ip dhcp relay snooping trust enable This enables DHCP Relay
Snooping Trust.
2 ZXR10(config)#no ip dhcp relay snooping trust This disables DHCP Relay

enable Snooping function.
Configuring DHCP Client

1. To enable class-id of dhcp client on the interface, use the fol-
lowing command.
Command Function
ZXR10(config-if-vlanX)#ip dhcp client class-id {WORD This enables class-id of dhcp

| hex} client on the interface.
2. This configures class-id of dhcp client on the interface.
1 ZXR10(config-if-vlanX)#ip dhcp client client-id This configures dhcp client-id

on the interface.
2 ZXR10(config-if-vlanX)#no ip dhcp client client-id This cancels the configuration

of dhcp client-id on the
interface.
3. To configure hostname of dhcp client on the interface, use the

following command.
Command Function
ZXR10(config-if-vlanX)#ip dhcp client hostname WORD This configures hostname of

dhcp client on the interface.
4. To configure lease information of dhcp client on the interface,


Command Function
ZXR10(config-if-vlanX)#ip dhcp client lease { 0-365 | This configures lease

infinite } information of dhcp client
on the interface.
5. To configure request information of dhcp client on the interface,

Command Function
ZXR10(config-if-vlanX)#ip dhcp client request { This configures request

dns-nameserver | domain-name | router | static-route information of dhcp client
| tftp-server-address } on the interface.
DHCP Configuration
Example
DHCP Server Configuration Example
R1 acts as the DHCP server and default gateway and the host ob-
tains IP addresses through the DHCP dynamically, as shown in
Figure 22.

FIGURE 22 DHCP SERVER CONFIGURATION
R1 configuration:
ZXR10(config-if-vlan10)#ip dhcp mode server
ZXR10(config-if-vlan10)#exit
ZXR10(config)#ip pool pool1
ZXR10(config-ip-pool)#range 10.10.1.10 10.10.1.100 255.255.255.0
ZXR10(config-ip-pool)#exit
ZXR10(config)#ip dhcp pool dhcp1
ZXR10(config-dhcp-pool)#ip-pool pool1
ZXR10(config-dhcp-pool)#exit
ZXR10(config)#ip dhcp policy p1 1
ZXR10(config-dhcp-policy)#dhcp-pool dhcp1
ZXR10(config-dhcp-policy)#default-route 10.10.1.1
ZXR10(config-dhcp-policy)#exit
ZXR10(config-if-vlan10)#ip dhcp policy p1
ZXR10(config)#ip dhcp enable
DHCP Relay Configuration Example

Router at the user end is connected directly as DHCP relay when
the DHCP client and server are not in the same network.
R1 enables DHCP relay function and a single server 10.10.2.2 pro-
vides DHCP server function. This mode is usually adopted when a
lot of hosts require the DHCP service. This is shown in Figure 23.

FIGURE 23 DHCP RELAY CONFIGURATION
R1 configuration:
ZXR10(config)#interface vlan10
ZXR10(config-if-vlan10)#ip dhcp mode relay
ZXR10(config-if-vlan10)#ip dhcp relay agent 10.10.1.1
ZXR10(config-if-vlan10)#ip dhcp relay server 10.10.2.2
ZXR10(config)#ip dhcp enable
DHCP Snooping Configuration

Example
DHCP server 1 connects to the interface gei_1/1 in switch R1. Man-
ager configures the DHCP. The server 2 connects to the interface
gei_1/2 in switch R1. This is configured by the user, it is illegal
DHCP server. Both ports gei_1/1 and gei_1/2 are in vlan 100.
Enable the DHCP snooping function in the switch can prevent set
illusive DHCP server.
Now it is needed to enable DHCP Snooping function in vlan 100 and
configure the interface gei_1/1 be trust interface. This is shown
in Figure 24.

FIGURE 24 DHCP SNOOPING CONFIGURATION
R1 configuration:
ZXR10(config-gei_1/1)#switch access vlan 100
ZXR10(config-gei_1/2)#switch access vlan 100
ZXR10(config)#ip dhcp snooping enable
ZXR10(config)#ip dhcp snooping vlan 100
ZXR10(config)#ip dhcp snooping trust gei_1/1
DHCP Snooping Prevent Static IP

Configuration Example
DHCP server belongs to vlan 100 and PC belongs to vlan 200. PC
gets the IP address use by DHCP. Now it is required to forbid the PC
to configure the static IP address through the DHCP snooping and
dynamic ARP inspection technologies. This illustration is shown in
Figure 25.

FIGURE 25 DHCP SNOOPING PREVENT STATIC IP CONFIGURATION
R1 configuration:
ZXR10(config)#vlan 100
ZXR10(config-vlan100)#ip arp inspection
DHCP Maintenance and

Diagnosis
1. To display configuration information of the DHCP relay process
module, use the following command.
show ip dhcp relay [forward | information | security |
server | snooping | user]
2. To display configuration information of the local address pool,
show ip local pool [<pool-name>]
3. To display configuration information of interface-related DHCP
server/relay, use the following command.
show ip interface
4. To display the DHCP snooping configuration, use the following
command.
show ip dhcp snooping configure
5. To view the DHCP snooping Vlan, use the following command.
show ip dhcp snooping vlan [<vlan-id>]
6. To view the IP DHCP snooping trust, use the following com-
mand.
show ip dhcp snooping trust

7. To display DHCP snooping database, use the following com-

mand.
show ip dhcp snooping database <port-number>
8. To view dynamic arp inspection, use the following command.
show ip arp inspection vlan [<vlanl-id>]
9. To display DHCP pool, use the following command.
show ip dhcp pool [<pool-name>]
10. To display DHCP policy, use the following command.
show ip dhcp policy [<policy_name>]
To handle DHCP server/relay processes, use debug ip dhcpcom-
mand.

Chapter 10
VRRP Configuration
Table of Contents
VRRP Overview ............................................................... 105
Configuring VRRP ............................................................ 106
VRRP Configuration Example ............................................. 107
VRRP Maintenance and Diagnosis....................................... 109
VRRP Overview
Host in a broadcast domain usually sets a default gateway as the
next hop of route packets. The host in the broadcast domain can-
not communicate with the host in another network unless the de-
fault gateway works normally. To avoid the single point of failure
caused by the default gateway, multiple router interfaces are con-
figured in the broadcast domain and run the Virtual Router Redun-
dancy Protocol (VRRP) in these routers.
VRRP is used to configure multiple router interfaces in a broadcast
domain into a group to form a virtual router and assigns an IP
address to the router to function as its interface address. This
interface address may be the address of one of router interfaces
or the third party address.
The router is used as the master router if its interface address is
used and other routers are used as the backup ones. The router
with high priority is used as the master router if the third party
address is used. If two routers have the same priority, the one
with the greater interface address wins. For ZXR10 5900/5200, if
the two routers priorities are same, master apply priority rule.
Set the IP address of the virtual router to gateway on the host
in this broadcast domain. The master router is replaced with
the backup router with the highest priority if the master router
is faulty, without affecting the host in this domain. The host in
this domain cannot communicate with outside world only when all
routers in the VRRP group work abnormally.
These routers can be configured into multiple groups for mutual
backup. The hosts in the domain use different IP addresses as
gateway to implement data load balance.

Configuring VRRP
1. To run VRRP, use the following command.
Command Function
ZXR10(config-if-vlanX)#vrrp <group> ip <ip-address>[se This runs VRRP.

condary]
This configures multiple virtual addresses in a VRRP group and

the linked host can use any address as gateway for communi-
cation.
2. To configure VRRP priority on the interface, use the following
command.
Command Function
ZXR10(config-if-vlanX)#vrrp <group> prirority <priority> This configures VRRP priority on

the interface.
3. To configure whether preemption is enabled on the interface,

Command Function
ZXR10(config-if-vlanX)#vrrp <group> preempt [delay To configure whether

<milliseconds>] preemption is enabled on
the interface, use the following
command.
4. To configure the time interval for sending VRRP notifications on

the interface, use the following command.
Command Function
ZXR10(config-if-vlanX)#vrrp <group> advertise This configures the time interval

[msec]<interval> for sending VRRP notifications
on the interface.
5. To configure how to learn about the time interval for sending

VRRP packets on the interface, use the following command.
Command Function
ZXR10(config-if-vlanX)#vrrp <group> learn This configures how to learn

about the time interval for
sending VRRP packets on the
interface.
6. To configure authentication character string on the interface,


Chapter 10 VRRP Configuration
Command Function
ZXR10(config-if-vlanX)#vrrp <group> authentication This configures authentication

<string> character string on the interface.
7. To configure VRRP up-flow link track function, use the following

command.
Command Function
ZXR10(config-if-vlanX)#vrrp <group> track This configures VRRP up-flow

<track-num>[decrement<priority>] link track function.
8. To configure the mode of virtual device, use the following com-

mand.
Command Function
ZXR10(config-if-vlanX)#vrrp < group> mode {private This configures the mode of

| standard} virtual device
9. To configure virtual device vrrp protocol message out-inter-

face, use the following command.
Command Function
ZXR10(config-if-vlanX)#vrrp < group> out-interface This configures virtual device

<interfacename> vrrp protocol message
out-interface.
VRRP Configuration
Example
Basic VRRP Configuration Example
This example shows that R1 and R2 run in the VRRP protocol
between each other. R1 interface address 10.0.0.1 is used as
the VRRP virtual address, therefore R1 is considered as a mas-
ter router. This is shown in Figure 26.

FIGURE 26 BASIC VRRP CONFIGURATION
R1 configuration:
ZXR10_R1(config)#interface vlan 1
ZXR10_R1(config-if-vlan1)#ip address 10.0.0.1 255.255.0.0
ZXR10_R1(config-if-vlan1)#vrrp 1 ip 10.0.0.1
R2 configuration:
Symmetric VRRP Configuration

Example
Two VRRP groups are booted in this example, where PC1 and PC2
use the virtual router in Group 1 as default gateway with the ad-
dress 10.0.0.1. PC3 and PC4 use the virtual router in Group 2
as default gateway with the address 10.0.0.2. R1 and R2 serve
as mutual backup. Four hosts cannot communicate with outside
world until both routers become invalid. This is shown in Figure
27.

Chapter 10 VRRP Configuration
FIGURE 27 SYMMETRIC VRRP CONFIGURATION
R1 configuration:
R2 configuration:
VRRP Maintenance and

Diagnosis
To perform VRRP maintenance and diagnosis, ZXR10 5900/5200
provides the following commands to view all VRRP configuration
information.
show vrrp [<group>|brief|interface <interface-name>|all]
ZXR10 5900/5200 provides debug vrrp command to display VRRP
debug information switch.
debug vrrp {state|packet|event|error|all}


Chapter 11
Network Management
Configuration
Table of Contents
NTP Configuration............................................................ 111
RADIUS Configuration ...................................................... 113
SNMP Configuration ......................................................... 115
RMON Configuration......................................................... 119
SysLog Configuration ....................................................... 121
TACACS+ Configuration.................................................... 124
NTP Configuration
NTP Overview
Network Time Protocol (NTP) is the protocol used to synchronize
the clocks of computers on a network or across multiple networks,
like the Internet. Without adequate NTP synchronization, organi-
zations cannot expect their network and applications to function
properly. In practice, ZXR10 5900/5200 can act as the NTP client
and support the configuration of at most 5 NTP time servers.
Configuring NTP
1. To define a time server, use the following command.
Command Function
ZXR10(config)#rmon collection statistics <index>[owner This defines a time server.

<string>] Priority must be selected. Each
server priority is different and
the range is 1~5; Version is
option , the range is 1~3 , the
default is 3. Key is valid when
authentication is enabled and
option; Lock/unlock is used to
configure if server is locked and
option.

2. To enable NTP function, use the following command.
Command Function
ZXR10(config)#ntp enable This enables NTP function.
3. To configure the source address used by the NTP in the process

of sending a synchronization time request, use the following
command.
Command Function
ZXR10(config)#ntp source <ip-address> This configures the source

address used by the NTP
in the process of sending a
synchronization time request.
4. To configure time zone of the switch, use the following com-

mand.
Command Function
ZXR10(config)#clock timezone This configures time zone of the

switch.
5. To view the NTP running state, use the following command.
Command Function
ZXR10(config-router)#show ntp status This views the NTP running

state.
NTP Configuration Example

This example shows routing switch as a NTP client and assume
that the NTP protocol version is 2. This is shown in Figure 28.
FIGURE 28 NTP CONFIGURATION EXAMPLE

Chapter 11 Network Management Configuration
ZXR10 Configuration:
ZXR10(config)#interface vlan24
ZXR10(config)#ntp enable
ZXR10(config)#ntp server 192.168.2.1 version 2
RADIUS Configuration
RADIUS Overview
Remote Authentication Dial In User Service (RADIUS) is a stan-
dard AAA protocol. AAA represents Authorization, Authentication
and Accounting. AAA is used to authenticate the users accessing
the routing switch and prevent illegal users from accessing which
results in enhancing security of the equipment.
ZXR10 5900/5200 supports RADIUS authentication function to au-
thenticate Telnet users accessing the routing switch.
ZXR10 5900/5200 supports multiple RADIUS server groups. Three
authentication servers can be configured in each RADIUS group.
The server timeout time and times of timeout retransmission can
be set for each group. The administrator can configure different
RADIUS groups to select a specific RADIUS server.
Configuring RADIUS
1. To configure RADIUS accounting group, use the following com-
mand.
Command Function
ZXR10(config)#radius accounting-group <group-numb This configures RADIUS

er> accounting group.
2. To configure RADIUS authentication group, use the following

command.
Command Function
ZXR10(config)#radius authentication-group This configures RADIUS

<group-number> authentication group.
3. To configure the parameters of RADIUS, peform the following

steps.

1 ZXR10(config-authgrp-1)#timeout <timeout> This configures timeout retry

parameter of RADIUS server.
2 ZXR10(config-authgrp-1)#algorithm {first|round-r This configures algorithm of

obin} RADIUS server.
3 ZXR10(config-authgrp-1)#alias <name-str> This configures alias of

RADIUS server group.
4 ZXR10(config-authgrp-1)#calling-station-format < This configures format of

Format number> command calling-station-id.
5 ZXR10(config-authgrp-1)#deadtime <time> This configures dead time of

authentication server.
6 ZXR10(config-authgrp-1)#max-retries <times> This configures timeout retry

parameter of RADIUS server.
7 ZXR10(config-authgrp-1)#nas-ip-address < NAS IP This configures nas-ip

address> of RADIUS server, which
corresponds to nas-ip and
source ip address of protocol
packets.
8 ZXR10(config-authgrp-1)#server <ipaddress> key This configures radius server

<keystr> port <portnum> and its parameter.
9 ZXR10(config-authgrp-1)#user-name-format This configures format of user

{include-domain|strip-domain} name which BRAS sends to
RADIUS server.
10 ZXR10(config-authgrp-1)#vendor {enable|disable} This configures whether

self-definition attribute of
manufacturer is in a sending
RADIUS protocol packet.
4. To perform RADIUS maintenance and diagnosis, execute the

following commands.
Command Function
ZXR10#debug radius {accounting {event| error|data | This displays RADIUS debugging

packet <group-number|all>}| authentication {event| information.
error|data | packet <group-number|all>}|user
user-nam|all|exception}
ZXR10#show counter radius {accounting-group group- This displays statistics

number | authentication-group group-number|all} information.
ZXR10#show accounting local-buffer {group This displays the content of

group-number|name radiusname|session accounting packets in local
session-id|user user-name|sum|all} buffer.
ZXR10#clear accounting local-buffer [ group number | This clears the content of

all] accounting packets in local
buffer.

RADIUS Configuration Example

The mode of configuring accounting group is same as that of con-
figuring authentication group. The following example is how to
configure accounting group.
ZXR10(config)#radius accounting-group 1
ZXR10(config-acct-group-1)#algorithm round-robin
ZXR10(config-acct-group-1)#calling-station-format 2
ZXR10(config-acct-group-1)#deadtime 5
ZXR10(config-acct-group-1)#local-buffer enable
ZXR10(config-acct-group-1)#max-retries 5
ZXR10(config-acct-group-1)#nas-ip-address 10.1.1.4
ZXR10(config-acct-group-1)#server 1 10.2.1.3 key uas
ZXR10(config-acct-group-1)#server 2 12.1.2.3 key uas
ZXR10(config-acct-group-1)#timeout 10
SNMP Configuration
SNMP Overview
Simple Network Management Protocol (SNMP) is the most popu-
lar NMS protocol nowadays. An NMS server can manage all the
devices on the network through this protocol.
SNMP is managed based on server and client. The background
NMS server serves as the SNMP server and the foreground network
device serves as SNMP client. The foreground and background
share an MIB and communicate with each other through the SNMP
protocol. It is required to configure the specific SNMP server for
the rouging switch as the SNMP agent and define contents and au-
thorities availably collected by the NMS. ZXR10 5900/5200 sup-
ports multiple versions of SNMP.
Configuring SNMP
1. To set the SNMP packet community, use the following com-
mand.
Command Function
ZXR10(config)#snmp-server community <community-na This sets the SNMP packet

me>[view <view-name>][ro|rw] community.
SNMPv1/v2c adopts the community authentication mode.

SNMP community is named by character strings and different
communities have read-only or read-write access authorities.
Community with read-only authority can only query equipment
information. and the community with read-write authority can
configure the equipment.

Both read-only and read-write are limited by the view. Oper-

ations can only be conducted in the permitted view range. If
parameter view is omitted use default view and use parameter
ro if ro/rw are omitted.
2. To define a SNMPv2 view, use the following command.
Command Function
ZXR10(config)#snmp-server view <view-name><subtree This defines a SNMPv2 view.

-id>{included|excluded}
3. To set the system handler contract mode (SysContact) of the

MIB object, use the following command.
Command Function
ZXR10(config)#snmp-server contact <mib-syscontact- This sets the system handler

text> contract mode (SysContact) of
the MIB object.
SysContact is a management variable of the system group in

the MIB II and it records ID and contact mode of the relevant
personnel of the managed equipment.
4. To set the location (SysLocation) of the MIB object, use the
following command.
Command Function
ZXR10(config)#snmp-server location <mib-syslocation- This sets the location

text> (SysLocation) of the MIB
object.
SysLocation is a management variable of the system group in

the MIB II and is used to indicate the location of the managed
equipment.
5. To set the types of TRAP allowed for sending, use the following
command.
Command Function
ZXR10(config)#snmp-server enable trap [<notification-t This sets the types of TRAP

ype>] allowed for sending.
TRAP is un-requested information sent by the managed equip-

ment initiatively to the NMS and is used to report some emer-
gent events.
6. To set the TRAP destination host, use the following command.
Command Function
ZXR10(config)#snmp-server host [mng]<ip-address>[tra This sets the TRAP destination

p|inform][version {1|2c|3 {auth|noauth|priv}}]<com host.
munity-name>[udp-port <udp-port>][…<trap-type>]

ZXR10 5900/5200 supports five kinds of ordinary traps: SNMP,

bgp, OSPF, RMON and stalarm.
7. To use ACL to control the host that can access the switches
through SNMP protocol, use the following command.
Command Function
ZXR10(config)#snmp-server access-list <acl-number> This uses ACL to control the host

that can access the switches
through SNMP protocol.
8. To define context name of SNMP, use the following command.
Command Function
ZXR10(config)#snmp-server context < context name > This defines context name of
SNMP.
9. To set local engine id of SNMPv3, use the following command.
Command Function
ZXR10(config)#snmp-server engine-id <engine-id> This sets local engine id of

SNMPv3.
10. To configure safe mode group of user, use the following com-
mand.
Command Function
ZXR10(config)#snmp-server group <groupname> This configures safe mode group

v3 {auth|noauth|priv}[context <context-name> of user.
match-prefix|match-exact ][read <readview>][write
<writeview>][notify <notifyview>]
11. To set the maximum packet size of SNMP, use the following
command.
Command Function
ZXR10(config)#snmp-server packetsize <484-1400> This sest the maximum packet

size of SNMP.
12. To configure TRAP source, use the following command.
Command Function
ZXR10(config)#snmp-server trap-source <IP address> This configures TRAP source.
13. To configure the users which are allowed to access SNMP

engine, use the following command.

Command Function
ZXR10(config)#snmp-server user <username><groupna This configures the users which

me> v3 [encrypted][auth {md5|sha}<auth-password are allowed to access SNMP
>[priv des56 <priv-password>]] engine.
14. To display relevant information of SNMP, use the following com-

mand.
Command Function
ZXR10(config)#show snmp This displays relevant

information of SNMP.
15. To display configuration information of SNMP, use the following

command.
Command Function
ZXR10(config)#show snmp config This displays configuration

information of SNMP.
16. To display users of SNMPv3, use the following command.
Command Function
ZXR10(config)#show snmp user This displays users of SNMPv3.
17. To display information of SNMPv3 group, use the following

command.
Command Function
ZXR10(config)#show snmp group This displays information of

SNMPv3 group.
18. To display SNMP engine ID, use the following command.
Command Function
ZXR10(config)#show engine-id This displays SNMP engine ID.
SNMP Configuration Example

The following is an example of SNMP configuration.
ZXR10(config)#snmp-server view myViewName 1.3.6.1.2.1 included
ZXR10(config)#snmp-server community myCommunity view myview rw
ZXR10(config)#snmp host 168.1.1.1 trap ver 1 ospf
ZXR10(config)#snmp-server location this is ZXR10 in china
ZXR10(config)#snmp-server contact this is ZXR10, tel: (025)2872006

RMON Configuration
RMON Overview
Remote Monitoring (RMON) system is to monitor network terminal
services. A remote detector, the local routing switch system, com-
pletes data collection and processing through the RMON. The rout-
ing switch contains RMON agent software communicating with the
NMS through the SNMP. Information is usually transmitted from
the routing switch to the NMS.
Configuring RMON
1. To enable the interface statistics function (only for Ethernet),
Command Function
ZXR10(config-gei_1/x)#rmon collection statistics This enables the interface

<index>[owner <string>] statistics function (only for
Ethernet) .
2. To set an alarm and MIB object, use the following command.
Command Function
ZXR10(config)#rmon alarm <index><variable This sets an alarm and MIB

><interval>{delta|absolute} rising-thershold object.
<value>[<event-index>] falling-threshold
<value>[<event-index>][owner <string>]
3. To enable the history collection function of the interface, use

Command Function
ZXR10(config-gei_1/x)#rmon collection history <index This enables the history

>[owner <string>][buckets <bucket-number>][interval collection function of the
<seconds>] interface.
4. To configure an event, use the following command.
Command Function
ZXR10(config)#rmon event <index>[log][trap This configures an event.

<community>][description <string>][owner <string>]
5. To display RMON configuration and relevant information, use


Command Function
ZXR10(config)#show rmon [alarms][events][history][st This displays RMON

atistics] configuration and relevant
information.
RMON Configuration Example

1. This example shows how to configure and start statistics con-
trol entries of the RMON.
ZXR10(config-gei_1/1)#rmon collection statistics 1 owner rmontest
ZXR10(config-gei_1/1)#
Assume that n computers are linked to the port gei_1/1 and

when these computers communicate on the sub-network. We
can view traffic statistics data through NMS software and view
RMON statistics information with the show command.
ZXR10#show rmon statistics
EtherStatsEntry 1 is active, and owned by rmontest
Monitors ifEntry.1.1 which has
Received 60739740 octets, 201157 packets,
1721 broadcast and 9185 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 32 collisions.
# of dropped packet events (due to lack of resources): 511
# of packets received of length (in octets):
64: 92955, 65-127: 14204, 128-255: 1116,
256-511: 4479, 512-1023: 85856, 1024-1518:2547
ZXR10#
2. This example shows how to configure and start history control
entries of the RMON.
ZXR10(config-gei_1/1)#rmon collection history 1 bucket 10 interval
10 owner rmontest
ZXR10(config-gei_1/1)#
View RMON history information with the show command.

ZXR10#show rmon history
Entry 1 is active, and owned by rmontest
Monitors ifEntry.1.1 every 10 seconds
Requested # of time intervals, ie buckets, is 10
Granted # of time intervals, ie buckets, is 10
Sample # 1 began measuring at 00:11:00
Received 38346 octets, 216 packets,
0 broadcast and 80 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions.
# of dropped packet events is 0
Network utilization is estimated at 1
3. This example shows how to configure and start alarm control
entries of the RMON.
ZXR10(config)#rmon alarm 1 system.3.0 10 absolute
rising-threshold 1000 1
Falling-threshold 10 1 owner rmontest
ZXR10(config)#
View RMON alarm information with the show command.

ZXR10#show rmon alarm
Alarm 1 is active, owned by rmontest
Monitors system.3.0 every 10 seconds
Taking absolute samples, last value was 54000
Rising threshold is 1000, assigned to event 1

Falling threshold is 10, assigned to event 0

On startup enable rising or falling alarm
ZXR10#
4. This example shows how to configure and enable the event
function.
ZXR10(config)#rmon event 1 log trap rmontrap
description test owner rmontest
ZXR10(config)#
Configure an alarm control entry and wait for 10s, and then
view RMON event contents with the show command.
ZXR10#show rmon event
Event 1 is active, owned by rmontest
Description is test
Event firing causes log and trap to community rmontrap,
last fired 05:40:20
Current log entries:
index time description
1 05:40:14 test
ZXR10#
SysLog Configuration
SysLog Overview
ZXR10 5900/5200 provides users with log information setting
and query functions. Log information provides convenient routine
maintenance of the routing switch. User can view alarm infor-
mation and port state change condition on the routing switch
through log information. Log information can be displayed on the
configuration terminal in real time or can be saved to a file on
the routing switch or background log server. The syslog protocol
can be enabled on ZXR10 5900/5200 so that the routers can
communicate with the background syslog server to deliver the log
information.
Configuring SysLog
1. To enable the log function, use the following command.
Command Function
ZXR10(config)#logging on This enables the log function.
2. To set the log buffer size, use the following command.
Command Function
ZXR10(config)#logging buffer <buffer-size> This sets the log buffer size.
3. To set log clearance mode, use the following command.

Command Function
ZXR10(config)#logging mode <mode>[<interval>] This sets log clearance mode.
4. To set the log level displayed on the console interface of telnet

interface, use the following command.
Command Function
ZXR10(config)#logging console <level>[filter This sets the log level displayed

map-name] on the console interface of telnet
interface.
5. To set the log level saved in log buffer, use the following com-
mand.
Command Function
ZXR10(config)#logging level <level> This sets the log level saved in

log buffer.
6. To set the background FTP log server parameter, use the fol-
lowing command.
Command Function
ZXR10(config)#logging ftp <level>[mng]<ftp-server><us This sets the background FTP

ername><password>[<filename>] log server parameter.
7. To set parameters of alarm information which is sent to trap

server, use the following command.
Command Function
ZXR10(config)#logging trap <level><community>[mng This sets parameters of alarm

]<host-address> information which is sent to trap
server.
8. To set parameters to pack information in alarm buffer to file

and send it to ftp server, use the following command.
Command Function
ZXR10(config)#logging filesavetime {everyday This sets parameters to pack

<hh:mm:ss>|interval <hh:mm:ss>|month information in alarm buffer to
<monthday><hh:mmm:ss>|week <weekday><hh:mm file and send it to ftp server.
:ss>}[mng]<ftp sever><username><password><alarm
file prefix>
9. To set background syslog server parameters, use the following

command.

Command Function
ZXR10(config)#syslog-server host <ip-address>[fport This sets background syslog

<fport>][lport <lport>][ alarmlog| alarmlog| alarmlog] server parameters.
10. To display log information, use the following command.
Command Function
ZXR10(config)#show logging alarm {[typeid This displays log information.

<type>][start-date <date>][end-date <date>][level
<level>]}
Now, the supported alarm information types contain ENVIRO-

MENT, BOARD, PORT, ROS, DATABASE, OAM, SECURITY, OSPF,
RIP, BGP, DRP, TCP-UDP, IP, IGMP, TELNET, ARP, ISIS, ICMP,
SNMP and RMON.
11. To save alarm logging information in location flash:
data/log.dat, use the following command.
Command Function
ZXR10#write logging This saves alarm logging

information in location flash:
data/log.dat.
12. To configure packets, use the following command.
Command Function
ZXR10#syslog-server facility This distinguishes different

servers by this field.
13. To designate source address in syslog, use the following com-

mand.
Command Function
ZXR10#syslog-server source <ip-address> This designates source address

in syslog.
Syslog Configuration Example

The following is a system log setting example. When configuring,
log function must be enabled with the logging on command .
ZXR10(config)#logging on
ZXR10(config)#logging buffer 100
ZXR10(config)#logging mode FULLCLEAR
ZXR10(config)#logging console warnings
ZXR10(config)#logging level errors
ZXR10(config)#logging ftp notificational 168.1.70.100
target target zxralarm.log
ZXR10(config)# syslog-server host 192.168.0.100

TACACS+ Configuration
TACACS+ Overview
TACACS+, Terminal Access Controller Access Control System, is
the most popular AAA protocol which is the simplified name of Au-
thorization, Authentication and Accounting. TACACS+ supports in-
dependent authentication, authorization and accounting, allowing
different TACACS+ security server to be authentication, authoriza-
tion and accounting server respectively.
PPP user and Telnet user that use the system service should be au-
thenticated, authorized and accounted in ZXROS. TACACS+ proto-
col can solve this problem effectively. TACACS+ module provides
centralized security authentication, authorization and accounting
for logging user.
TACACS+ software module in ZXROS is client software authen-
ticated by TACACS+. It implements the protocol interaction be-
tween NAS and TACACS+ security server to complete TACACS+
AAA function. TACACS+ client also provides the operation that
TACACS+ configuration needs to configure TACACS+ environment.
At present, ZXR10 5900/5200 supports TACACS+ authentication
to provide authentication of Telnet users accessing the routers.
ZXR10 5900/5200 supports multiple TACACS+ server groups.
Each TACACS+ group permits the configuration of four authen-
tication servers and each group can be configured with two
parameters: server timeout time and retry times. The adminis-
trator can configure different TACACS+ server groups to select a
specific TACACS+ server.
Configuring TACACS+
1. To enable TACACS+ protocol function, use the following com-
mand.
Command Function
ZXR10(config)#tacacs enable This enables TACACS+ protocol

function.
2. To disable TACACS+ protocol function, use the following com-

mmand.
Command Function
ZXR10(config)#tacacs disable [clear] This disables TACACS+ protocol

function.
3. To configure TACACS+ server group member, use the following

command.

Command Function
ZXR10(config-sg)#server <ip-addr>[port <1025~65535>] This configures TACACS+ server

group member.
Command parameter description is as follows:
<ip-addr> IP address of TACACS + Server which must be the configured

one.
<1025~65535> The port number that TCP connects.
4. To configure TACACS client IP address, use the following com-

mand.
Command Function
ZXR10(config)#tacacs-client <ip-addr>[port This configures Tacacs+ client

<1025~65535> IP address which is used to
communicate with Tacacs+
server. Configuration is deleted
with no command.
<ip-addr> Client IP
<1025~65535> Client layer 4 port
5. To configure TACACS server parameter, use the following com-

mand.
Command Function
ZXR10(config)#tacacs-server host <ip-addr>[port This configures TACACS server

<integer>][timeout <integer>][key <string>] parameter. Configuration is
deleted with no command.
<ip-addr> TACACS + Server IP address
port Port number for TCP connection. The default value is 49.
timeout Connection timeout time, in range of 1~1000. Unit is second.

The configuration here will invalidate the global configuration.
key Encryption key between NAS and TACACS+ server. The

configuration here will invalidate the global configuration.

6. To configure global TACACS+ protocol encryption key, use the

following command.
Command Function
ZXR10(config)#tacacs-server key <key> This configures global TACACS+

protocol encryption key which
is valid for all servers without
designated key. Configuration is
<key> Encryption key used in exchanging packets between NAS and

server. Length: 1~63 characters (without space). The key
defined in the server must be same as this one.
7. To configure TACACS+ maximum packet length, use the fol-

lowing command.
Command Function
ZXR10(config)#tacacs-server packet <1024~4096> This configures TACACS+

maximum packet length. The
default configuration 1024 is
restored with no command.
<1024~4096> Packet maximum length. The default is 1024.
8. To configure connection timeout for TACACS+ server, use the

following command.
Command Function
ZXR10(config)#tacacs-server timeout <1~1000> This configures connection

timeout for TACACS+ server.
The default is 5s. The default
configuration is restored with no
command.
<1~1000> timeout time, The unit is second. 1~1000, 5s by default.
9. To configure TACACS+ server group, use the following com-

mand.

Command Function
ZXR10(config)#aaa group server tacacs+ <group-name> This enters into AAA server
group configuration mode.
Server group configuration is
<group-name> tacacs+ server group name with 1~31 characters
TACACS Configuration Example

ZXR10(config)#tacacs enable
ZXR10(config)#tacacs-server host 1.1.1.1
ZXR10(config)#tacacs-client 1.1.1.2
ZXR10(config)#aaa authentication login default group zte
ZXR10(config)#aaa authentication enable default local group zte
ZXR10(config)#aaa authorization login default group zte
ZXR10(config)#user-authentication-type tacacs+
ZXR10(config)#user-authorization-type tacacs+
ZXR10(config)#aaa group-server tacacs+ zte
ZXR10(config-sg)#server 1.1.1.1


Chapter 12
DOT1X Configuration
Table of Contents
DOT1x Overview ............................................................. 129
Configuring DOT1X .......................................................... 130
DOT1X Configuration Example........................................... 137
DOT1X Maintenance and Diagnosis .................................... 140
DOT1x Overview
DOT1X, IEEE 802.1x, is a port-based network access control pro-
tocol. It optimizes the authentication mode and authentication
architecture and solves the problems caused by traditional PPPoE
and Web/Portal authentication modes, therefore it is more suitable
for the broadband Ethernet.
IEEE 802.1x protocol architecture contains three major parts:
Supplicant System, Authenticator System and Authentication
Server System.
1. Generally client system is a user terminal system where client
software is often installed. User originates IEEE802.1x protocol
authentication by booting the client software. To support port-
based access control, the client system needs to support the
Extensible Authentication Protocol Over LAN (EAPOL).
2. Authentication system is network equipment supporting the
IEEE802.1x protocol, such as the switch. The equipment cor-
responds to different user ports (physical port or MAC address,
VLAN and IP of the user equipment) and has two logical ports
composed of the controlled port and uncontrolled port.
� Uncontrolled port is always in bidirectional connection state
and delivers EAPOL protocol, which ensures the client to
always send or receive authentication.
� Controlled port opens upon success of the authentication
to deliver network resources and services. The controlled
port modes can be configured as bidirectional controlled
and only transmission controlled to adapt to different ap-
plication environments. If the user fails to pass authentica-
tion, the controlled port is in unauthenticated state and the
user cannot access services offered by the authentication
system.
Controlled port and uncontrolled port in the IEEE 802.1x pro-
tocol are logical concepts and such physical switches are inex-
istent in the equipment. The IEEE 802.1x protocol establishes

a logical authentication channel for each user and other users

cannot use the logical channel after the port is enabled.
3. Authentication server is usually a RADIUS server. In authen-
tication server user-related information is stored such as the
VLAN where the user locates, CAR parameter, priority and ac-
cess control list of the user. Once the user passes authen-
tication, the authentication server delivers user-related infor-
mation to the authentication system which creates a dynamic
access control list. The above parameters are used to mea-
sure subsequent traffic of the user. Authentication server and
RADIUS server communicate with each other through the RA-
DIUS protocol.
Configuring DOT1X
Configuring AAA
1. To create an AAA control entry, use the following command.
Command Function
ZXR10(config-nas)#create aaa <rule-id>[port This creates an AAA control

<port-name>][vlan <vlan-id>] entry.
2. To clear an AAA control entry, use the following command.
Command Function
ZXR10(config-nas)#clear aaa <rule-id> This clears an AAA control entry.
3. To enable/disable dot1x authentication or trunk, use the fol-

lowing command.
Command Function
ZXR10(config-nas)#aaa <rule-id> control {dot1x|dot1x This enables/disables dot1x

-relay}{enable|disable} authentication or trunk.
4. To select an authentication mode, use the following command.
Command Function
ZXR10(config-nas)#aaa <rule-id> authentication This selects an authentication

{local|radius} mode.
5. To select an authentication protocol, use the following com-

mand.

Chapter 12 DOT1X Configuration
Command Function
ZXR10(config-nas)#aaa <rule-id> protocol {pap|chap|e This selects an authentication

ap} protocol.
6. To configure the keepalive interval, use the following com-

mand.
Command Function
ZXR10(config-nas)#aaa <rule-id> keepalive {enable This configures the keepalive

[period < period-value >]|disable} interval.
7. To configure whether to charge, use the following command.
Command Function
ZXR10(config-nas)#aaa <rule-id> accounting This configures whether to

{enable|disable} enable accounting.
8. To configure whether multiple users are allowed and limitation

on the number of users, use the following command.
Command Function
ZXR10(config-nas)#aaa <rule-id> multiple-hosts {enable This configures whether multiple

[max-hosts <host-number>]|disable} users are allowed and limitation
on the number of users.
9. To configure the default ISP server name, use the following

command.
Command Function
ZXR10(config-nas)#aaa <rule-id> default-isp <isp-name> This configures the default ISP

server name.
10. To configure whether to conduct full name accounting, use the

following command.
Command Function
ZXR10(config-nas)#aaa <rule-id> fullaccount This configures whether to

{enable|disable} conduct full name accounting.
11. To configure a group name, use the following command.
Command Function
ZXR10(config-nas)#aaa <rule-id> groupname This configures a group name.

<group-name>
12. To bind an AAA control entry with the radius server group, use

Command Function
ZXR10(config-nas)#aaa <rule-id> radius-server This binds an AAA control entry

authentication< group-number > with the radius server group.
13. To configure binding radius accounting server group, use the

following command.
Command Function
ZXR10(config-nas)#aaa <rule-id> radius-server This configures binding radius

accounting < group-number > accounting server group.
14. To configure authentication mode as local or radius server

mode, use the following command.
Command Function
ZXR10(config-nas)#aaa <rule-id> authentication This configures authentication

{local|radius} mode as local or radius server
mode.
15. To configure authorization mode, use the following command.
Command Function
ZXR10(config-nas)#aaa <rule-id> authorization This configures authorization

{auto|unauthorized|authorized} mode.
Configuring DOT1X Parameter

1. To configure dot1x period for re-authentication, use the follow-
ing command.
Command Function
ZXR10(config-nas)#dot1x re-authentication {enable This configures dot1x period for

[period < period >]|disable} re-authentication.
2. To configure the quiet period of dot1x authentication, use the

following command.
Command Function
ZXR10(config-nas)#dot1x quiet-period < period > This configures the quiet period
of dot1x authentication.
3. To configure the sending period of dot1x authentication, use


Command Function
ZXR10(config-nas)#dot1x tx-period <period> This configures the sending

period of dot1x authentication.
4. To configure dot1x client timeout time, use the following com-

mand.
Command Function
ZXR10(config-nas)#dot1x supplicant-timeout <period> This configures dot1x client

timeout time.
5. To configure dot1x authentication server timeout time, use the

following command.
Command Function
ZXR10(config-nas)#dot1x server-timeout <period> This configures dot1x

authentication server timeout
time.
6. To configure the maximum times of requests for dot1x client,

Command Function
ZXR10(config-nas)#dot1x max-requests <count> This configures the maximum

times of requests for dot1x
client.
Configuring Local Authentication

User
1. To create a local user, use the following command.
Command Function
ZXR10(config-nas)#create localuser <user-id>[name This creates a local user.

<user-name>][password <user-password>]
2. To delete a local user, use the following command.
Command Function
ZXR10(config-nas)#clear localuser < user-id > This deletes a local user.
3. To bind the user with the port, use the following command.

Command Function
ZXR10(config-nas)#localuser <user-id> port <port-name> This binds the user with the
port.
4. To bind the user with the VLAN, use the following command.
Command Function
ZXR10(config-nas)#localuser <user-id> vlan <vlan-id> This binds the user with the
VLAN.
5. To bind the user with the MAC address, use the following com-
mand.
Command Function
ZXR10(config-nas)#localuser <user-id> mac This binds the user with the MAC
<mac-address> address.
6. To configure whether to charge the local user, use the following

command.
Command Function
ZXR10(config-nas)#localuser <user-id> accounting This configures whether to

{enable|disable} charge the local user.
Managing DOT1X Authentication

Access User
1. To display all dot1x authentication users, use the following
command.
Command Function
ZXR10(config-nas)#show clients [device <device-numb This displays all dot1x

er>| index <client-index>| mac <mac-address>| port authentication users.
<port-name>| vlan <vlan-id>]
2. To delete a specific user, use the following command.
Command Function
ZXR10(config-nas)#clear client [index <client-index>|port This deletes a specific user.

<port-name>| vlan <vlan-id>]

Managing Multiple Domains

Configuration
1. To enable/disable multiple domains function, use the following
command.
Command Function
ZXR10(config)#domain-auth enable This enables multiple domains

authentication function.
ZXR10(config)#no domain-auth This disables multiple domains

authentication function.
2. To configure domain separator, use the following command.
Command Function
ZXR10(config)#domaindelimiter <domaindelimiter> @, /, %, # or other characters.
ZXR10(config)#no domaindelimiter This cancels domain separator

configuration.
3. To configure domain information, use the following command.
Command Function
ZXR10(config)#domain <domain-id>[ default ] This configures domain

information.
ZXR10(config)#no domain <domain-id>[ default ] This cancels domain information.
4. To configure domain fullname authentication information, use

Command Function
ZXR10(config-domain)#domain-fullaccount enable This configures domain fullname

authentication information.
ZXR10(config-domain)#no domain-fullaccount This deletes domain fullname

authentication information.
5. To configure domain name information, use the following com-

mand.
Command Function
ZXR10(config-domain)#domain-name <domain-name> This configures domain name

information.
ZXR10(config-domain)#no domain-name This deletes domain name

information.

6. To configure domain accounting server information, use the

following command.
Command Function
ZXR10(config-domain)#domain-radius-account-server This configures domain

<server-id> accounting server information.
ZXR10(config-domain)#no domain-radius-account-server This deletes domain accounting

server information.
7. To configure domain authentication server information, use the

following command.
Command Function
ZXR10(config-domain)#domain-radius-authen-server This configures domain

<server-id> authentication server
information.
ZXR10(config-domain)#no domain-radius-authen-server This deletes domain

authentication server
information.
8. To configure ISP name in rule, use the following command.
Command Function
ZXR10(config-nas)#aaa <rule-id> default-isp <isp-name>[ This configures ISP name in

default ] rule.
ZXR10(config-nas)#no aaa <rule-id> default-isp This deletes ISP name in rule.

[<isp-name>]
9. To configure domain name separator in rule, use the following

command.
Command Function
ZXR10(config-nas)#aaa <rule-id> domaindelimiter @, /, %, # or other characters.

<domaindelimiter>
ZXR10(config-nas)#no aaa <rule-id> domaindelimiter This cancels domain separator

in rule.
Configuring 802.1x VLAN Hopping

To configure VLAN hopping function at the interface, use the fol-
lowing command.
Command Function
ZXR10(config-gei_1/x)#vlanjump {enable|disable}[de This configures VLAN hopping

faultauthvlan <vlan-id>] function at the specific interface.

DOT1X Configuration
Example
Dot1x Radius Authentication
Application
Workstation of a user is connected to Ethernet A of the Ethernet
switch. This is shown in Figure 29.
FIGURE 29 DOT1X RADIUS AUTHENTICATION APPLICATION
The following needs to be implemented on the switch:

� Conduct user access authentication on each port to control the
user’s access to the Internet.
� It is required that the access control mode is MAC address-
based access control mode.
� All the AAA access users belong to the default domain
zte163.net.
� This authentication and RADIUS authentication are conducted
at the same time.
� Disconnect the user and make it offline if RADIUS accounting
fails.
� Do not add the domain name after the user name during ac-
cess.
� Connect the server group composed of two RADIUS servers
to the switch. IP addresses of these servers are 10.1.1.1 and
10.1.1.2 respectively. It is required that the former serves as
the master authentication/slave charging server and the latter
serves as the slave authentication/master charging server.

� Set the encryption password to “aaazte” when the system ex-

changes packets with the authentication RADIUS server. Set
the system to resend packets to the RADIUS server if no re-
sponse comes from this server within five seconds after the
previous sending, and packets can be resent for five times at
most. Direct the system to remove the user domain name from
the user name and then send it to the RADIUS server.
ZXR10(config)#radius authentication-group 1
ZXR10(config-authgrp-1)#server 1 10.1.1.1 key aaazte port
<auth server port num >
ZXR10(config-authgrp-1)#server 2 10.1.1.2 key aaazte port
ZXR10(config-authgrp-1)#exit
ZXR10(config-acctgrp-1)#server 1 10.1.1.1 key aaazte port
<acct server port num >
<acct server port num >
ZXR10(config-acctgrp-1)#exit
ZXR10(config)# nas
ZXR10(config-nas)#dot1x re-authentication enable period 5
ZXR10(config-nas)#dot1x max-request 5
ZXR10(config-nas)#create aaa 1 port gei_1/1
ZXR10(config-nas)#aaa 1 authentication radius
ZXR10(config-nas)#aaa 1 control dot1x enable
ZXR10(config-nas)#aaa 1 authorization auto
ZXR10(config-nas)#aaa 1 accounting enable
ZXR10(config-nas)#aaa 1 multiple-hosts enable
ZXR10(config-nas)#aaa 1 default-isp zte163.net
ZXR10(config-nas)#aaa 1 fullaccount disable
ZXR10(config-nas)#aaa 1 radius-server authentication 1
ZXR10(config-nas)#aaa 1 radius-server accounting 1
ZXR10(config-nas)#aaa 1 authen radius
Dot1x Trunk Authentication

Application
Internal network of an enterprise is shown in Figure 30.
FIGURE 30 DOT1X TRUNK AUTHENTICATION APPLICATION

The criteria is that Internet resources can only be accessed through

the authentication host and only enterprise network resources can
be accessed by other hosts.
� Divide the hosts in the enterprise into a sub-network (or mul-
tiple sub-networks), where the hosts can access each other.
� Enable the 802.1X trunk function on the Ethernet switch inside
the sub-network and enable 802.1X authentication on the Eth-
ernet port of the sub-network gateway.
� Do not charge users inside the enterprise, and only authenti-
cate them on the Radius server. The master/slave authentica-
tion servers are 10.1.1.1/10.1.1.2 respectively. It is assumed
that the enterprise uses the 2826E Ethernet switch inside it
and gateway uses the ZXR10 5900/5200.
2826E configuration:
Set dot1xreley enable
ZXR10 5900/5200 configuration:

ZXR10(config)#radius authentication-group 1
ZXR10(config-authgrp-1)#server 1 10.1.1.1 key aaazte port 1812
ZXR10(config-authgrp-1)#server 2 10.1.1.2 key aaazte port 1812
ZXR10(config-authgrp-1)#exit
ZXR10(config)#nas
ZXR10(config-nas)#aaa 1 authentication radius
ZXR10(config-nas)#aaa 1 accounting disable
ZXR10(config-nas)#aaa 1 radius-server authentication 1
Dot1x Local Authentication

Application
In the applications shown in Figure 29 and Figure 30, the enter-
prise wants to register the network card address of each host.
Only the MAC address of the network card is checked when the
user uses any account to log in from the dot1x client. User can
log in only when address is legal. In addition, enterprise numbers
each MAC address and sums up Internet access duration of the
user based on the number. ZXR10 5900/5200 can implement the
application requirement. Authenticator adopts ZXR10 5900/5200,
as shown in Figure 29and Figure 30, to implement the application
configuration as follows:
ZXR10(config-acctgrp-1)#exit
ZXR10(config)#nas
ZXR10(config-nas)#aaa 1 authentication local
ZXR10(config-nas)#aaa 1 accounting disable


ZXR10(config-nas)# aaa 1 radius-server accounting 1
ZXR10(config-nas)#create localuser 1 name A0001
ZXR10(config-nas)#localuser 1 mac 00d0.d0d0.1234
ZXR10(config-nas)#localuser 1 accounting enable
In the above configuration, the local authentication function on

the ZXR10 5900/5200 is enabled to implement the application re-
quirement of the enterprise. According to the above configuration,
only 00d0.d0d0.1234, 00d0.d0d0.1456 and 00d0.d0d0.1689 net-
work card addresses can be accessed and the Internet access du-
ration of these three users, named as A0001, A0002 and A0003,
is summed up. The duration is recorded on the Radius server.
DOT1X Multiple Domains Function

In Figure 29 andFigure 30 applicationsGuest Vlan function is based
on interface. When user authentication at the port succeeds, in-
terface will be switched in authentication VLAN. and other users
which are not unauthorized can’t visit Guest Vlan internal resource.
When all authentication users at the port are offline, port can re-
cover attribute of Guest Vlan. If one authentication user exists on
the port the port can’t recover attribute of Guest Vlan. This ap-
plication can be implemented on 5900/5200 switch. In Figure 29
and Figure 30 , authenticator applies 5900/5200, the configura-
tion example of 5900/5200 is as follows.
ZXR10(config)#nas
ZXR10(config-nas)#aaa 1 authentication local
ZXR10(config-gei_1/1)# vlanjump enable defaultauthvlan 20
In the above configuration, local authentication function on

5900/5200 is applied to meet manager application requirement.
DOT1X Maintenance and

Diagnosis
When encountering DOT1X problem, we can locate the fault and
remove them with relevant debugging commands. Among these
commands, show command and debug command may be used.
1. To display Dot1x authentication configuration information, use
show dot1x

2. To view an AAA control entry, use the following command.

show aaa
3. To display online user information, use the following command.
show clients
4. To display configured local user information, use the following
command.
show localuser
Command debug can be used to trace packet sending, receiving
and its processing during Dot1x Server/Relay process.
1. To trace the transceiving packet and handling processes of the
dot1x, use the following command.
debug nas
2. To trace the process of interacting with the radius, use the
following command.
debug radius


Chapter 13
Cluster Management
Configuration
Table of Contents
Cluster Management Overview .......................................... 143
Configuring Cluster Management ....................................... 145
Cluster Management Configuration Example........................ 149
Cluster Management Maintenance and Diagnosis ................. 149
Cluster Management
Overview
Cluster is a combination of a group of switches in a specific broad-
cast domain. This group of switches forms a unified management
domain which provides a public network IP address and a man-
agement interface to the outside and provides the functions of
managing and accessing every member in the cluster.
The management switch which configures public network IP ad-
dress is called command switch and other managed switches are
called member switches. Generally, public network IP address is
not configured for the member switch but a private address is as-
signed to the member switch with similar DHCP function of the
command switch. Command switch and member switch form a
cluster (private network).
It is suggested to isolate the broadcast domain of the public net-
work and that of the private network on the command switch,
and shield the direct access to the private address. The command
switch provides a management and maintenance channel to the
outside to manage the cluster in a centralized and unified manner.
A broadcast domain is usually composed of four kinds of switches:
command switch, member switch, candidate switch and indepen-
dent switch.
There is only one command switch in a cluster. Command switch
can collect equipment topology and establish a cluster automati-
cally. After the cluster is established, command switch provides a
management channel for cluster to manage member switch. Mem-
ber switch serves as a candidate switch before being added into
cluster. Switch which does not support cluster management is
called independent switch.

Cluster management network is formed as shown in Figure 31.
FIGURE 31 CLUSTER MANAGEMENT NETWORKING
Switching rule of four types switches in the cluster is shown in

Figure 32.

Chapter 13 Cluster Management Configuration
FIGURE 32 SWITCH SWITCHING RULE
Configuring Cluster
Management
Configuring ZDP Neighbor Discovery
Protocol
1. To enable the ZDP function globally or in specific interface, use
Command Function
ZXR10(config)#zdp enable This enables the ZDP function

globally or in specific interface.
2. To configure time interval of transmitting ZDP packets, use the

following command.
Command Function
ZXR10(config)#zdp timer <time> This configures time interval of

transmitting ZDP packets.
3. To configure the valid holding time of ZDP information, use the

following command.

Command Function
ZXR10(config)#zdp holdtime <time> This configures the valid holding

time of ZDP information.
Configuring ZTP Topology Collection

Protocol
1. To enable the ZTP function globally or in specific interface, use
Command Function
ZXR10(config)#ztp enable This enables the ZTP function

globally or in specific interface.
2. To conduct ZTP topology collection on different VLANs, use the

following command.
Command Function
ZXR10(config)#ztp vlan <vlanId> This conducts ZTP topology

collection on different VLANs.
3. To set the hops of ZTP topology collection, use the following

command.
Command Function
ZXR10(config)#ztp hop <number> This sets the hops of ZTP

topology collection.
4. To set each hop delay in sending ZTP protocol packets, use the
following command.
Command Function
ZXR10(config)#ztp hop-delay <time> This sets each hop delay in

sending ZTP protocol packets.
5. To set delay in sending ZTP protocol packets on the port, use

Command Function
ZXR10(config)#ztp port-delay <time> This sets delay in sending ZTP

protocol packets on the port.
6. To conduct once topology collection, use the following com-

mand.

Command Function
ZXR10(config)#ztp start This conducts once topology

collection.
7. To set ZTP timing topology collection time, use the following

command.
Command Function
ZXR10(config)#ztp timer This sets ZTP timing topology

collection time.
Establishing Cluster
1. To set the switch to command, candidate or independent
switch, use the following command.
Command Function
ZXR10(config)#group switch-type { candidate | This sets the switch to

independent | (commander [ (ip-pool <ip_addr>( { command, candidate or
mask <ip_addr>| length <mask_len>}] ) } independent switch and
allocates an IP address pool to
cluster.
2. To change the cluster name, use the following command.
Command Function
ZXR10(config)#group name <name > This changes the cluster name.
3. To set the cluster handshake time, use the following command.
Command Function
ZXR10(config)#group handtime <time> This sets the cluster handshake

time.
4. To set the holding time between the member and command

switch on the command switch, use the following command.
Command Function
ZXR10(config)#group holdtime <time> This sets the holding time

between the member and
command switch on the
command switch.
5. To add a specific equipment or MAC address as a member on

the command switch, use the following command.

Command Function
ZXR10(config)#group member { ( ( mac <mac_addr> ) This adds a specific equipment

[member <mem_id>] ) | ( device <device_id> ) } or MAC address as a member on
the command switch.
Maintaining Cluster
1. To restart the member on the command switch, use the fol-
lowing command.
Command Function
ZXR10(config)#group reset-member { all |<member_id>} This restarts the member on the

command switch.
2. To save the member on the command switch, use the following

command.
Command Function
ZXR10(config)#group save-member { all |<member_id>} This saves the configuration

for member on the command
switch.
3. To delete the member configuration file from the command

switch, use the following command.
Command Function
ZXR10(config)#group erase-member { all |<member_i This deletes the member

d>} configuration file from the
command switch.
4. To configure the tftp server on the cluster, use the following

command.
Command Function
ZXR10(config)#group tftp-server <ip_addr> This configures the tftp server

on the cluster.
5. To configure the alarm receiver on the cluster, use the following

command.
Command Function
ZXR10(config)#group trap-host <ip_addr> This configures the alarm

receiver on the cluster.

Cluster Management
Connect two devices to implement cluster management, as shown
in Figure 33.
FIGURE 33 CLUSTER MANAGEMENT CONFIGURATION
Configuration steps are as follows:

1. Ensure that two ports are in a VLAN (configured as vlan1 and
ensure that vlan1 does not configure Layer 3 address).
2. Execute show zdp neighbor on DUT A and ensure zdp neighbor
is already set up.
3. Execute ztp start on DUT A to conduct topology collection, and
then execute show ztp device-list to view DUT A and DUT B.
4. Configure DUT A as the command switch with group switch-
type command. View whether DUT A has become the com-
mand switch with show group command.
5. Configure DUT B as the member switch with group member
device 1 command and then view Member 1 in the up state
with the show group member command on DUT A.
6. Log in to Member 1 with the rlogin member 1 command in the
privilege mode, and log in from Member 1 to the command
switch with the rlogin commander command on DUT A.
Cluster Management
Maintenance and Diagnosis
When encountering cluster management problem, we can locate
the fault and remove them with relevant debugging commands.
Among these commands, show command and debug command
may be used.
Command show can be used to view current cluster configuration
information.
1. To display ZDP configuration information, use the following
command.
show zdp
2. To view ZTP configuration information, use the following com-
mand.
show ztp
3. To display cluster configuration information, use the following
command.

show group
4. To display ZDP neighbor, use the following command.
show zdp neighbour [ interface <interface>| mac <mac-a
ddress>]
5. To display received equipment information, use the following
command.
show ztp {device-list | device {mac <mac-address>|<id
>}}
6. To display group member information, use the following com-
mand.
show group {member | candidates [mac <mac-address
>]}
Command debug group-management can be used to trace
packet sending, receiving of ZDP and ZTP and its processing
during cluster management process.

Chapter 14
IPTV Configuration
Table of Contents
Internet Protocol Television Overview ................................. 151
Configuring IPTV ............................................................. 151
IPTV Configuration Example .............................................. 154
IPTV Maintenance and Diagnosis ....................................... 155
Internet Protocol Television

Overview
Internet Protocol television (IPTV) is also called Interactive Net-
work TV. IPTV is a method of distributing television content over
IP that enables a more customized and interactive user experi-
ence. IPTV could allow people who were separated geographically
to watch a movie together, while chatting and exchanging files si-
multaneously. IPTV uses a two-way broadcast signal sent through
the provider’s backbone network and servers, allowing viewers to
select content on demand, and take advantage of other interactive
TV options. IPTV can be used through PC or “IP machine box +
TV”.
Configuring IPTV
Configuring IPTV Global Parameters
1. To set the least preview time, use the following command.
Command Function
ZXR10(config-nas)#iptv control login-time This sets the least preview time.
2. To set the max preview counts on global, use the following

command.

Command Function
ZXR10(config-nas)#iptv control prvcount count This sets the max preview

counts on global.
3. To set the least preview interval on global, use the following

command.
Command Function
ZXR10(config-nas)#iptv control prvinterval This sets the least preview

interval on global.
4. To set the max preview time on global, use the following com-
mand.
Command Function
ZXR10(config-nas)#iptv control prvtime This sets the max preview time

on global.
5. To set the period of global reset preview counts, use the fol-
lowing command.
Command Function
ZXR10(config-nas)#iptv control prvcount reset-period This sets the period of global

reset preview counts.
6. To enable/disable IPTV, use the following command.
Command Function
ZXR10(config-nas)#iptv control {enable|disable} This enables/disables IPTV.
Configuring IPTV Channels

1. To create channels of IPTV, use the following command.
Command Function
ZXR10(config)#create iptv channel [general <256>| This creates channels of IPTV.

special <0-255>]
Channel number is 0~256. 0~255 are special channels. Each

channel must designate a multicast address. 256 is general
channel and needn’t to designate multicast address.
2. To set the name of a channel, use the following command.

Chapter 14 IPTV Configuration
Command Function
ZXR10(config)#iptv channel <0-256> name This sets the name of a channel.
3. To set a channel belonging to a multicast Vlan, use the following

command.
Command Function
ZXR10(config)#iptv channel <0-256> mvlan This sets a channel belonging to

a multicast Vlan.
4. To delete a channel, use the following command.
Command Function
ZXR10(config)#clear iptv channel<0-256> This deletes a channel.
Configuring Channel Access Control

(CAC)
1. To create rules of CAC, use the following command.
Command Function
ZXR10(config)#create iptv cac-rule<1-256> This creates rules of CAC.
2. To set the name of CAC rule, use the following command.
Command Function
ZXR10(config)#iptv cac-rule <1-256> name This sets the name of CAC rule.
3. To set maximum preview counts of rules, use the following

command.
Command Function
ZXR10(config)#iptv cac-rule <1-256> prvcount This sets maximum preview

counts of rules. The default is
global maximum preview count.
4. To set maximum preview time of rules, use the following com-

mand.
Command Function
ZXR10(config)#iptv cac-rule <1-256> prvtime This sets maximum preview

time of rules. The default is
global maximum preview time.

5. To set the least preview interval of rules, use the following

command.
Command Function
ZXR10(config)#iptv cac-rule <1-256> prvinterval This sets the least preview

interval of rules. The default is
global least preview interval.
6. To set the right rule to channel, use the following command.
Command Function
ZXR10(config)#iptv cac-rule <1-256> right This sets the right rule to

channel.
7. To delete rules, use the following command.
Command Function
ZXR10(config)#clear iptv cac-rule <1-256> This deletes rules.
Configuring Administrative Command

of IPTV Users
Command Function
ZXR10(config)#clear iptv client This deletes online users of IPTV.
IPTV Configuration Example

1. User which connects to port gei_1/1 is a requesting user of
multicast group 224.1.1.1. Vlan ID of this multicast group is
100. Configuration is shown below:
ZXR10(config-nas)# iptv control enable
ZXR10(config-nas)# create iptv channel special 1 address 224.1.1.1
ZXR10(config-nas)# iptv channel 1 mvlan 100
ZXR10(config-nas)# iptv channel 1 name cctv1
ZXR10(config-nas)# create iptv cac-rule 1 port gei_1/1
ZXR10(config-nas)# iptv cac-rule 1 right order 1
2. User which connects to port gei_1/1 in Vlan 1 is the preview

user of multicast group 224.1.1.1. Max preview time is 2 min-
utes. Least preview interval is for 20 seconds. Max preview
counts are 10. Vlan ID of multicast group is 100. Configura-
tion is shown below:
ZXR10(config-nas)# iptv channel 1 name cctv1
ZXR10(config-nas)# create iptv cac-rule 1 port gei_1/1 vlan 1
ZXR10(config-nas)# iptv cac-rule 1 prvcount 10
ZXR10(config-nas)# iptv cac-rule 1 prvtime 120

Chapter 14 IPTV Configuration
ZXR10(config-nas)# iptv cac-rule 1 prvinterval 20

ZXR10(config-nas)# iptv cac-rule 1 right preview 1
3. User which connects to port gei_1/1 wants to view all multicast

groups in Vlan 100. Configuration is shown below:
ZXR10(config-nas)# create iptv channel general 256
ZXR10(config-nas)# iptv cac-rule 1 right order 256
4. Port gei_1/1 only permits receiving the requesting packets of

multicast group 224.1.1.1. Vlan ID of this multicast group is
100. Configuration is shown below:
ZXR10(config-nas)# iptv cac-rule 1 right query 1
IPTV Maintenance and

Diagnosis
1. To display the global configuration information of IPTV, use the
following command.
show iptv control
2. To display the channel information of IPTV, use the following
command.
show iptv channel [{ id <channelno>| name<channel-nam
e>}]
3. To display the CAC rule, use the following command.
show iptv cac-rule [{ id <channelno>| name<channel-nam
e>}]
4. To display online users of IPTV, use the following command.
show iptv client [{port<portno>| vlan <vlanid>| device
<devno>}]


Chapter 15
VBAS Configuration
Table of Contents
VBAS Overview ............................................................... 157
Configuring VBAS ............................................................ 157
VBAS Configuration Example............................................. 158
VBAS Maintenance and Diagnosis ...................................... 159
VBAS Overview
VBAS is the abbreviation of Virtual Broadband Access Server. It
is an extent inquiry protocol between IP-DSLAM and BRAS equip-
ment. The communication method between IP-DSLAM and BRAS
is layer 2 point-to-point, that is, interface information inquiry and
response packets are encapsulated in layer 2 Ethernet data frame.
The principle is to configure DSLAMDigital Subscriber Line Access
Multiplexer) corresponding to VLAN on BAS. During the procedure
of PPPOE calling, DSLAM applies VBAS protocol, that is, mapping
to corresponding DSLAM according to VLAN of user. BAS demand
the user line identity inquiry from DSLAM. In this user manual,
switch means DSLAM equipment.
VBAS protocol is implemented by sending VBAS packet between
BAS and DSLAM.
Configuring VBAS
Enabling/Disabling VBAS
Command Function
ZXR10(config)#vbas enable This enables VBAS.
ZXR10(config)#no vbas enable This disables VBAS.

Enabling/Disabling VBAS in VLAN

Mode
1 ZXR10(config)#vlan <vlan-id> This enters into VLAN

Configuration Mode.
2 ZXR10(config-vlanX)# vbas enable This enables VBAS in VLAN

configuration mode.
Configuring VBAS Trust Interface
1 ZXR10(config)#interface <interface-name> This enters interface

configuration mode.
2 ZXR10(config-gei_1/x)#vbas trust This configures VBAS trust

interface.
Configuring VBAS Interface as User

Interface or Network Interface
1 ZXR10(config)#interface <interface-name> This enters interface

configuration mode.
2 ZXR10(config-gei_1/x)#vbas port-type {user|net} This configures VBAS interface

as user interface or network
interface.
VBAS Configuration
Example
Enable VBAS on the switch and configure VBAS enable vlan as vlan
1. Configure gei_1/1 as trust interface and interface type is user.
Configuration is shown below:
ZXR10(config)#vbas enable
ZXR10(config)#vlan 1
ZXR10(config-vlan1)#vbas enable
ZXR10(config-vlan1)#exit

Chapter 15 VBAS Configuration
ZXR10(config-gei_1/1)#vbas trust
ZXR10(config-gei_1/1)#vbas port-type user
Note:
In this example, vlan1 which enables VBAS should include at least
two interfaces, one connection user and another BRAS enquip-
ment. In this example gei_1/1 is used to connect BRAS equip-
ment.
VBAS Maintenance and

Diagnosis
On the privileged mode, the command debug vbas is used to
open VBAS debug function and send VBAS debug information.


Chapter 16
ZESR/ZESR+
Configuration
Table of Contents
ZESR/ZESR+ Overview .................................................... 161
Configuring ZESR/ZESR+ ................................................. 162
ZESR/ZESR+ Configuration Example .................................. 165
ZESR/ZESR+ Overview
ZESRZTE Ethernet Smart Ringis a solution for solving the layer 2
loop problem (RFC 3619). Compared with STP, the biggest advan-
tage is that the link will switch and recover quickly when one way
is disconnected and the shortest time is 50ms.
ZESR is applicable with multi-ring area. Multi-ring is designated
that every level is an independent ring and low-level has two entry
points to connect with high-level ring. The highest level ring is
named as major-level ring and others are named as access rings.
Multi-area is named that there are many protection instances on
the same ring suitable to different service vlan. Their logic routes
are different and independent.
ZESR+ , in double nodes double uplinks networking, improves the
current ZESR to meet redundancy protection for uplink and node
at the same time in double nodes double uplinks networking.

Configuring ZESR/ZESR+
Configuring ZESR Area Protection
Instance
1 ZXR10(config)#zesr ctrl-vlan <1-4094> <1-4094> area control

protect-instance <<0-16> vlan, indicates zesr area, <
0-16>the protected instance
ID ,samed as stp instance
2 ZXR10(config)#no zesr ctrl-vlan <1-4094> <1-4094> area control vlan,

protect-instance indicates zesr area
ZESR protection instance is same as STP. Service vlan is put into

protection instance, so generally enabling STP to cooperate with
ZESR. Control vlan should use vlan except service and shouldn’t
conflict with service and network management. Note that pvid
of the port shouldn’t be selected as control vlan. Outside port
shouldn’t be put into control vlan.
Example 1. This example shows how to configure control vlan as 4000 pro-
tection instance as 1.
ZXR10(config)# zesr ctrl-vlan 4000 protect-instance 1
2. This example shows how to delete control vlan as 4000 pro-
tection instance
ZXR10(config)# no zesr ctrl-vlan 4000 protect-instance
Configuring Major-level Ring ZESR

To configure ZESR/ZESR+ on major-level ring , use the following
commands. Major-level ring is the highest level ring, others are
access rings.
1 ZXR10(config)#zesr ctrl-vlan < 1-4094> major-level This configures major-level

{( preforward <1-600>[ preup <0-500>])| (role ring ZESR.
{master |transit|zess-master|zess-transit}
2 ZXR10(config)#no zesr ctrl-vlan < 1-4094> This cancels the configuration

major-level of major-level ring ZESR.
Parameter Description:
< 1-4094> Area control vlan, indicating zesr area

Chapter 16 ZESR/ZESR+ Configuration
<1-600> Preforward value, the unit is second. After the disconnected

port reconnecting, unless ZESR protocol is set or after waiting
for preforward time open automatically and the default is 10s.
<0-500> Preup value, the unit is second. After Master detects that
loop is up, the status is switched until delaying preup time.
The default value is 0.
<primary-interface-name> major ring two interfaces. To master, secondary interface is

<secondary-interface-name> blocked to ensure ring is disconnected and no storm.
< 1-6> Hello value, the unit is second. the time of master/zess-transit
major interface sending hello protocol message, the default is
1s.
< 3-18> The maximum time daley that master/zess-transit hasn’t

received hello packet. The unit is second. The default value is
3s.
master|transit|zess- configuration node role, master|transit is ZESR master

master|zess-transit node/transit node, zess-master|zess-transit is ZESR+ master
node/transit node.
After node role and interface are ensured, preforward and preup
can be configured, of which hello, fail and preup only can be used
for master or zess-tranist, preup only can be configured as mas-
ter or zess-master. Interface must be configured in control vlan
before it is configured. Interface can use lacp interface but must
be dynamic lacp and member interface must close stp.
Besides secondery interface of zess-master node decides blocking
location. Therefore the interface must be placed on the uplink
which need to be blocked, but secondery interface of zess-transit
is suggested to be placed on uplink.
Example 1. This example shows how to configure control vlan as 4000, role
as master, interface as gei_2/10 and gei_2/20.
ZXR10(config)# zesr ctrl-vlan 4000 major-level role master
gei_2/10 gei_2/20
2. This example shows how to configure control vlan as 4000, role
as zess-master, interface as gei_2/10 and gei_2/20.
ZXR10(config)# zesr ctrl-vlan 4000 major-level role zess-master
gei_2/10 gei_2/20
as master, preforward as 20s, preup as 20s.
ZXR10(config)#zesr ctrl-vlan 4000 major-level preforward 20 preup 20
as master, hello as 2s, fail as 4s.
ZXR10(config)#zesr ctrl-vlan 4000 major-level hello 2 fail 4

Configuring Access Ring ZESR
1 ZXR10(config-router)#zesr ctrl-vlan < 1-4094> level This configures access ring

<1-2> seg <1-4>{preforward <1-600>[ preup ZESR.
<0-500>]| role {master |transit}<primary-interface
-name><secondary-interface-name>| { edge-assist
ant | edge-control}<edge-interface-name>}| hello
< 1-6> fail < 3-18>}
2 ZXR10(config)#no zesr ctrl-vlan < 1-4094> level This cancels the configuration
<1-2> seg <1-4> of access ring ZESR.
Parameter description
< 1-4094> Area control vlan, indicating zesr area
<1-2> Level of access ring
<1-4> access ring SN, at most 4 access rings in each level.
<1-600> Preforward value, the unit is second. After the discon-
nected port reconnecting, unless ZESR protocol is set or after wait-
ing for preforward time open automatically and the default is 10s.
<0-500> Preup value, the unit is second. After Master or edge-
control detects that loop is up, the status is switched until delaying
preup time. The default value is 0.
<primary-interface-name> <secondary-interface-name> access
ring two interfaces.
< 1-6> Hello value, the unit is second. The default is 1s.
< 3-18> The maximum time dalay that master or edge-control
hasn’t received hello packet. The unit is second. The default value
is 3s.
<edge-interface-name> edge node interface
Switch could be in the entry that major-ring and access ring con-
nect. At that time, it can be in major-ring or access ring . There
are two interfaces in major-ring and one interface in access ring .
Switch is named as entry node. The entry node could be edge-as-
sistant and edge-control in access ring and edge-control plays a
general node master role.
Example 1. This example shows how to configure control vlan as 4000, role
as master, level as 1 , seg as 1, ports as gei_2/10 gei_2/10
ZXR10(config)# zesr ctrl-vlan 4000 level 1 seg 1 role
master gei_2/10 gei_2/20
as edge-assistant, level as 1 , seg as 1, ports as gei_2/1/10
ZXR10(config)# zesr ctrl-vlan 4000 level 1 seg 1 role
edge-assistant gei_2/1/10
3. This example shows how to configure control vlan as 4000,
level as 1, seg as 1, preforward as 20s, preup as 20s
ZXR10(config)#zesr ctrl-vlan 4000 level 1 seg 1
preforward 20 preup 20
4. This example shows how to configure control vlan as 4000,
level as 1, seg as 1, hello as 2s, fail as 4s
ZXR10(config)#zesr ctrl-vlan 4000 level 1 seg 1 hello 2 fail 4

Configuring ZESR Restart-Time
Command Function
ZXR10(config)#zesr restart-time <30-600> <30-600>the specific timethe

unit is second, the default is
120s
Example This example shows how to configure ZESR restart-time as 60s.

ZXR10(config)#zesr restart-time 60
ZESR/ZESR+ Configuration
Example
ZESR Configuration Example
As shown in Figure 34,
FIGURE 34 ZESR CONFIGURATION EXAMPLE
SW1-SW4 buildup ring network, transparently transform 100-200,

SW1 is core switch and the entire network exit. SW2-SW4 are
convergence switch. Demand that service is not be affected if any
link is down.

SW1: sg1gei_1/1, gei_1/2connects SW2, sg2gei_1/3, gei_1/4con-

nects SW3
SW2: gei_1/1 connects SW3, gei_1/2 connects SW4, sg2gei_1/3,
gei_1/4 connects SW1
SW3: gei_1/1 connects SW2, gei_1/2 connects SW4, sg2gei_1/3,
gei_1/4 connects SW1
SW4: gei_1/1 connects SW2, gei_1/2 connects SW3.
The network formed by SW1, SW2 and SW3 is major level. SW2 is
master node. The port that SW2 connect with SW1 is major port
(sg1). The network formed by SW2-SW4 is slave ring level 1 seg
1. Take SW4 as master node and select the port connects with
SW3 as slave port (gei_1/2), control vlan as 4000.
SW1 configuration:
ZXR10_S1(config)#spanning-tree enable
ZXR10_S1(config)#spanning-tree mst configuration
ZXR10(config-mstp)# instance 1 vlan 100-200
ZXR10(config-mstp)#exit
ZXR10_S1(config)#interface smartgroup1
ZXR10_S1(config-smartgroup1)#switchport mode trunk
ZXR10_S1 (config-smartgroup1)#smartgroup mode 802.3ad
ZXR10_S1(config-smartgroup1)switchport trunk vlan 100-200
ZXR10_S1(config-smartgroup1)switchport trunk vlan 4000
ZXR10_S1(config-smartgroup1)exit
ZXR10_S1(config-smartgroup2)#switchport mode trunk
ZXR10_S1(config-smartgroup2)#switchport trunk vlan 100-200
ZXR10_S1(config-smartgroup2)#switchport trunk vlan 4000
ZXR10_S1(config-smartgroup2)#exit
ZXR10_S1(config)#interface gei_1/1
ZXR10_S1(config-gei_1/1)#negotiation auto
ZXR10_S1(config-gei_1/1)#switchport mode trunk
ZXR10_S1(config-gei_1/1)#switchport trunk vlan 100-200
ZXR10_S1(config-gei_1/1)#switchport trunk vlan 4000
ZXR10_S1(config-gei_1/1)#smartgroup 1 mode active
ZXR10_S1(config-gei_1/1)#spanning-tree disable
ZXR10_S1(config-gei_1/1)#exit

ZXR10_S1(config)zesr ctrl-vlan 4000 protect-instance 1

ZXR10_S1(config)zesr ctrl-vlan 4000 major level role transit
smartgroup1 smartgroup2
SW2 Configuration
ZXR10(config-mstp)# nstance 1 vlan 100-200
ZXR10_S2(config-smartgroup1)switchport mode trunk
ZXR10_S2(config-smartgroup1)switchport trunk vlan 100-200
ZXR10_S2(config-smartgroup1)switchport trunk vlan 4000
ZXR10_S2(config-smartgroup1)exit
ZXR10_S2(config-gei_1/1)switchport mode trunk
ZXR10_S2(config-gei_1/1)switchport trunk vlan 100-200
ZXR10_S2(config-gei_1/1)switchport trunk vlan 4000
ZXR10_S2(config-gei_1/1)exit
ZXR10_S2(config-gei_1/3)negotiation auto
ZXR10_S2(config-gei_1/3)smartgroup 1 mode active
ZXR10_S2(config-gei_1/3)spanning-tree disable
ZXR10_S2(config-gei_1/4)smartgroup 1 mode active
ZXR10_S2(config-gei_1/4)spanning-tree disable
ZXR10_S2(config)#zesr ctrl-vlan 4000 protect-instance 1

ZXR10_S2(config)#zesr ctrl-vlan 4000 major level role transit
smartgroup1 gei_1/1
ZXR10_S2(config)#zesr ctrl-vlan 4000 level 1 seg 1 role
edge- assistant gei_1/2
SW3 Configuration
Interface instance configuration is as SW2
ZXR10_S3(config)#zesr ctrl-vlan 4000 major level role master
smartgroup1 gei_1/1
edge- assistant gei_1/2
SW4 configuration
Interface instance configuration is as SW2
ZXR10_S4(config)#zesr ctrl-vlan 4000 level 1 seg 1 role master
gei_1/1 gei_1/2

ZESR and ZESR+ Hybrid

FIGURE 35 ZESR+ AND ZESR HYBRID NETWORKING TOPOLOGY FIGURE
Figure 35 is typical ZESR+ and ZESR hybrid networking topology

figure. Node ZXR10-2 , ZXR10-3 and ZXR10-1 form double nodes
double uplinks, that is ZESR+. Also three nodes form a main loop
virtually. Node ZXR10-2, ZXR10-3 and ZXR10-4 form a level 1seg
1 secondary ring, that is ZESR.
Node 1 configuration:
//as a normal switch, the major function is to
transparently transmit data package
//VLAN information need to be configured.
(port with tagged belongs to ctrl-vlan)
//close port broadcast and unknown unicast suppression
//connect ZXR10-3
//configure interface working mode as auto negotiation
//connect ZXR10-2
//configure interface working mode as auto negotiation

//configure ZESR+ Master node

ZXR10(config-mstp)# instance 1 vlan 100-200
//connect ZXR10-1
//connect ZXR10-3
//connect ZXR10-4

ZXR10_S2(config)#zesr ctrl-vlan 4000 major level role
zess-master gei_2/2 gei_2/1 //configure zess-master node
/*Note:Secondary interface decides blocking location, therefore ，
therefore Secondary interface can’t be configured on corresponding
interface of link between ZXR10-2 and ZXR10-3 or blocking interface
faulty will occur.*/
edge- assistant gei_2/3 //configure ordinary ZESR border node role
The configuration such as interface instance of node 3 is the same
as that of node 2.
//Configure ZESR+ Tansit node
ZXR10 s3(config)#zesr ctrl-vlan 4000 major-level role zess-transit
gei_3/2 gei_3/1 //configure zess-transit node
/*When configuring zess-transit role, note that Primary interface
decides the direction that node sends hello frame, therefor
Primary interface must be configured the corresponding interface
of link between ZXR10-2 and ZXR10-3, or configuration error will occur.*/
ZXR10 s3(config)#zesr ctrl-vlan 4000 level 1 seg 1 role edge-assistant
gei_3/3 //configure ordinary ZESR border node role
The configuration such as interface instance of node 4 is the same
as that of node 2.
//Configure ZESR low-level main node
ZXR10 s4(config)#zesr ctrl-vlan 4000 level 1 seg 1 role master
gei_4/2 gei_4/1 //configure ordinary ZESR master role


Chapter 17
Security Configuration
Table of Contents
IP Source Guard .............................................................. 171
Control Plane Security Configuration .................................. 174
DAI Configuration ............................................................ 177
MFF Configuration............................................................ 180
IP Source Guard
IP Source Guard Overview
IP Source Guard is an application based on DHCP SNOOPING.It
records dynamic user information ( IP, MAC ) by constructing DHCP
SNOOPING binding database. After enabling this function, user
only can use the address that DHCP server dynamically distributes
to access external network. This prevents other users from using
other IP address for deceit.
Configuring IP Source Guard

To configure IP Source Guard or delete IP Source Guard, use the
following commands.
1 ZXR10(config-if-vlanX)#ip dhcp snooping This configures IP Source

ip-source-guard { ip-base| mac-base| Guard of interface.
mac-ip-base }[ vlan { default |<vlan-id>}]
2 ZXR10(config-if-vlanX)#no ip dhcp snooping This deletes IP Source Guard

ip-source-guard of interface.

IP Source Guard Configuration

Example

Address
In Figure 36, DHCP server connects gei_1/1 on R1, administra-
tor sets management DHCP, gei_1/1 belongs to vlan100. DHCP
Snooping function is enabled in VLAN100 and interface gei_1/1 is
configured as trusted. PC connects gei_1/2 of switch, which be-
longs to vlan100.
FIGURE 36 IP SOURCE GUARD CONFIGURATION
IP Source Guard based on IP address is configured on the gei_1/2

interface mode. After getting IP address dynamically, PC can only
pass the data packet with source IP address that is distributed by
DHCP server.
Configuration of R1:
XR10(config)#interface gei_1/2
ZXR10(config-gei_1/2)#ip dhcp snnoping ip-source-guard ip-base
IP Source Guard Configuration based on MAC

Address
longs to vlan100.

Chapter 17 Security Configuration
IP Source Guard based on MAC address is configured on the

gei_1/2 interface mode. Afer getting IP address dynamically, PC
can only pass the data packet with source MAC address that is
local host NIC card.
ZXR10(config-if)#ip dhcp snnoping ip-source-guard mac-base

Address and MAC address
longs to vlan100.
IP Source Guard based on MAC address is configured on the

gei_1/2 interface mode. After getting IP address dynamically, PC
can only pass the data packet with source MAC address that is
local host NIC card and source IP address that is distributed by
DHCP server.
ZXR10(config-if)#ip dhcp snnoping ip-source-guard mac-ip-base

Control Plane Security

Configuration
Control Plane Security Overview
Internet and IP technology wildspread application bring the great
change to the world. With IP network being developed widely and
deeply, network attack and virus are becoming more and more
frequent, which brings people much visible and invisible loss. The
previous network attack and virus mostly take PC or server host
as major attack objects. But now terminal end user anti-virus
capability and virus maker capability increases day by day, the
network devices such as router and switch become the object that
virus attacks.
According to known or predictable attack and virus on the switch,
we can take many kinds of measures to make switch have self-pro-
tection and safeguarding network security capability. The main
function of control plane security is to monitor the packet upload-
ing rate, generate alarm on abnormal rate uploading packet and
remind network manager to pay attention to possible packet attack
to CPU. So that network manager can decide if discard this packet
on the interface or limit speed and filter unreasonable packet.
Command Configuration
1. To enable/disable control-plane-security function, use the fol-
lowing command.
Command Function
ZXR10(config)#control-plane-security {enable | This command is control-plane-

disable} security function global switch.
It is used to open or close
control-plane-security function,
the default is enabled.
2. To discard or pass protocol packet, use the following command.
Command Function
ZXR10(config-gei_1/x)#protocol-protect mode This passes/discards protocol

<protocolname>{enable | disable} packet.
This command is configured in the interface mode. Configura-

tion decides if a certain protocol packet will be discarded in a
physical port. As for the port whose port configuration is NNI,
all configured protocol packets are enabled in default. But as
for the port whose port configuration is UNI, the default value

is different according to different protocol packets, which can

be viewed by show command.
3. To configure protocol packet alarm threshold, use the following
command.
Command Function
ZXR10(config-gei_1/x)#protocol-protect alarm mode This configures a certain

<protocol name>< alarm-limit > protocol packet alarm threshold
as 30s.
The alarm-limit range is
1000-18000.
This command is also configured in the interface mode. It is

used to modify a certain protocol packet alarm threshold in
a certain physical port. When the number of specific protocol
packet exceeds this threshold in 30s, an alarm message is sent
to user. The default value is 3000.
4. To configure protocol packet passing peak/average speed, use
Command Function
ZXR10(config-gei_1/x)#protocol-protect {peak-rate | This configures protocol packet

average-rate} mode <protocol name>< rate-limit > passing peak/average speed.
This command is used to configure peak speed or average

speed of corresponding protocol packet on corresponding port.
The unit is pps, peak speed can be configured 100~1000 and
the default value is 300, average speed can be set 10~600 and
the default is 100.
5. To configure port type, use the following command.
Command Function
ZXR10(config-gei_1/x)#protocol-protect type {nni | uni} This configures the type of a

certain port is uni or nni.
This command is used to configure a certain port type which is

uni or nni. The default is nni.
The above commands supporting protocol includes:
pim igmp icmp arpreply arprequest udld, group mng vbase lldp,
dhcplacp bpdu snmp, na ns ra rs.
When protocol packet is configured discard, even if uploaded to
MUX module, it will be discarded by this module, which leads to
fail to upload to platform. When control-plane-security mod-
ule find that the speed of a certain protocol packet uploading
to platform is too fast, it will send alarm to remind user that
maybe there is a certain protocol packet to attack CPU. When
seeing this alarm, user can configure protocol packet discard
or limit speed to prevent attack from CPU.

Note:
The discard of some protocol packets will make the correspond-
ing service invalid.
1. This example shows how to configure port arp protocol and set
alarm threshold as 2500.
Zxr10#conf t
Zxr10(config)#inter gei_1/1
Zxr10(config-gei_1/1)# protocol-protect mode arp enable
Zxr10(config-gei_1/1)# protocol-protocol alarm mode arp 2500
2. This example shows how to configure icmp protocol packet

passing peak/average speed.
Zxr10#conf t
Zxr10(config)#inter gei_1/1
Zxr10(config-gei_1/1)# protocol-protect peak-rate mode icmp 500
Zxr10(config-gei_1/1)# protocol-protocol average-mode mode icmp 250
Maintenance and Diagnosis

ZXR10 5900/5200 provides show command to help maintenance
and diagnosis. Common commands used in control-plane-security
maintenance and diagnosis are as follows.
1 ZXR10(config)#show protocol-protect packet-config This views a certain port

<interfacename> type and the protocol packet
configuration and receiving
statistics on this port.
2 ZXR10(config)#show protocol-protect token-buck This views protocol packet

ets <interfacename> receiving speed configuration
and statistics on a certain
port.
3 ZXR10#clear protocol-protect {packets-count | This clears protocol statistic

buckets-count}<interfacename> count on a certain port.

DAI Configuration
DAI Overview
The attack based on ARP often happens in network. DHCP SNOOP-
ING module on the switch implements DAI (Dynamic ARP Inspec-
tion) function, but this function is limited.
Currently DAI function only checks binding table in DHCP SNOOP-
ING for switch learning ARP packet, that is, only can check layer
3 user.
If users of the switch are in the same VLAN, the communication
between users requires switch to forward not on layer 3 but layer
2. Switch need not to learn ARP packets of these users. Therefore
there isn’t relevant security check. It is a big security bug, which
causes man-in-the-middle attack, as shown in Figure 39.
FIGURE 39 MAN-IN-THE-MIDDLE ATTACK
A/B/C are in the same broadcast domain, that is, the same net-
work segment. When A and B communicates with each other,
ARP packet is sent first, which can be learned by C. If C acts as
man-in-the-middle to do malicious scanning, only sends free ARP
to A to inform that IP corresponding MAC address of B has been
updated to that of C, the flow from A to B is directly forwarded
to C; Based on the same principle the flow from B to A can be
forwarded to C. After doing malicious scanning on packet, C mod-
ifies the destination address as the real MAC address of B or A
and return the packet to switch. The flow between A and B can
be forwarded normally and not be perceived. So that C completes
man-in-the-middle attack.
To avoid this bug, all ARP packets should be checked. Those that
conform to the qualification are forwared by software. The ARP
packets that fail in check will be discarded.
Based on this requirement, the following methods that prevents
usual ARP attack are added.
1. As for untrusted interface, DAI blocks all ARP packets and send
them to upper layer software for check.
2. The speed that ARP packet sent to CPU is configurable.
3. When DHCP SNOOPING is enabled, laye 2 IP ,MAC and port
corresponding relationship are checked. Illegal user will be
discarded.

DAI detects ARP packet according to the binding relationship be-

tween IP and MAC address which is stored in trust database. When
DHCP SNOOPING of VLAN is open, database is created by DHCP
SNOOPING. If ARP packet is received from a trust port, switch need
not any detection and forwards packet directly. If ARP packet is
received from a untrust port, switch only forwards valid packet.
Configuring DAI
1 Zxr10(config-gei_1/x)#ip arp inspection trust This configures trust attribute

of interface.
2 Zxr10 (config-smartgroupX)#ip arp inspection trust This configures trust attribute

of Smartgroup interface.
3 Zxr10(config)#ip arp inspection validate This configures global ARP

{[des-mac][ip][src-mac]} validate inspection function.
4 Zxr10 (config-gei_1/x)#ip arp inspection limit This configures the limited

<1-100> speed of interface.
As for untrusted interface, the
default is 15pps.
As for trusted interface, ARP
packet speed is not limited.
5 Zxr10(config-vlanX)#ip arp inspection This configures DAI enabled

of VLAN.
DAI Maintenance and Diagnosis

and diagnosis. Common commands used in DAI maintenance and
diagnosis are as follows.
1. To view trusted attribute of interface, use the following com-
mand.
show ip arp inspection {interface interface_name}
2. To view ARP packet validated inspection information, use the
following command.
show ip arp inspection configure
3. To view DAI configuration information of VLAN, use the follow-
ing command.
show ip arp inspection vlan [{<1-4094>| disable | enable
| name vlan_name}]

DAI Configuration Example

As shown in Figure 40, VLAN 2 is configured on switch and DAI is
run.
FIGURE 40 DAI CONFIGURATION EXAMPLE
Prerequisites: DHCP SNOOPING function is opened in VLAN 2.

VLAN 2 is configured on switch A and DAI is run.

ZXR10(config-vlan2)#ip arp inspection
Gei_1/1 and gei_1/2 are bound with VLAN 2.

Gei_1/1 is set as untrusted interface (the default attribute is un-
trusted interface).
The legal ARP packet(legal ARP packet: consistent witch IP+ port+
MAC in DHCP binding table) that host A sends to switch is broad-
cast in VLAN. Host B can receive ARP packet. The illegal packet is
discarded and not forwarded. Host B can’t receive ARP packet.
If gei_1/1 is set as trusted interface,
host A sends ARP packet(legal/illegal) to switch. Switch forwards
ARP packet by hardware to all interfaces that are bound with VLAN
1. Host B can receive ARP packet. When configuring interface lim-

ited speed as X(1-100), switch will receive at most X ARP packets

every second, the additional are discarded.
MFF Configuration
MFF Overview
MFF MAC-Forced Forwarding mainly implements layer 2 isolation
and layer 3 intercommunication among different client hosts in
the same broadcast domain. MFF blocks user ARP request packet
and reply response packet of gateway MAC address by ARP an-
swer-agent mechanism. This way can force user to send all traf-
fic (includes traffic in the same subnet) to gateway, which makes
gateway monitor data flow, prevent malicious attack among users
and ensure safety of network deployment.
MFF supports manual and automatic modes. Manual mode is ap-
plied in user static IP address configuration scene. Automatic
mode is used in user dynamically getting IP address by DHCP pro-
tocol scene.
Configuring MFF
1. To set MFF mode, use the following commands.
1 ZXR10(config)#mff mode {auto | manus} This configures MFF manual

mode or automatic modes.
2 ZXR10(config)#no mff mode This cancels MFF mode

configuration.
2. To enable MFF function, use the following command.
1 ZXR10(config-if-vlanX)#mff enable This enables MFF function in

VLAN interface.
2 ZXR10(config-if-vlanX)#no mff mode This disables MFF function in

VLAN interface.
3. To configure MFF interface type, use the following command.

1 ZXR10(config-gei_1/x)#set mff {user-port | This sets layer 2 physical

network-port} interface as MFF user interface
or network interface.
2 ZXR10(config-gei_1/x)#no set mff This cancels MFF interface

type.
4. To configure MFF gateway IP address, use the following com-

mand.
1 ZXR10(config-if-vlanX)#set mff gateway ip This configures MFF gateway

<A.B.C.D> IP address in VLAN by manual
mode.
2 ZXR10(config-if-vlanX)#no set mff gateway ip This cancels MFF gateway IP

address.
5. To configure MFF user statically, use the following command.
1 ZXR10(config)#mff user <A.B.C.D><H.H.H> vlan This configures MFF user

<1-4094> gateway < A.B.C.D > statically in manual mode.
2 ZXR10(config)#no mff user <A.B.C.D> vlan <1-4094> This clears statically

configured MFF user.
6. To enable MFF gateway MAC address detection function, use

the following commands.
1 ZXR10(config)#mff gateway detect enable This enables MFF gateway

MAC address detection
function.
2 ZXR10(config)#mff gateway detect disable This disables MFF gateway

MAC address detection
function.
MFF Configuration Example

As shown in Figure 41, R1 is MFF gateway. PC1 obtains IP address
through DHCP. DHCP SNOOPING and MFF are configured on switch

FIGURE 41 MANUAL MODE BASIC MFF FUNCTION CONFIGURATION EXAMPLE
MFF configuration of switch:

ZXR10(config)#mff mode auto
ZXR10(config)#mff gateway detect enable
ZXR10(config-if-vlan1)#mff enable
ZXR10(config-gei_1/2)#set mff network-port
ZXR10(config-gei_1/4)#set mff user-port
MFF maintenance and diagnosis

When MFF encounters problem, we can locate the fault and re-
move them with relevant debugging commands. The mostly used
command is show command.
1. This displays MFF global configuration information.
show mff configure
Example: This configures global configuration information
manually.
ZXR10# show mff configure
MFF Mode :manus
MFF Gateway MAC detecting :disable

2. This displays MFF VLAN configuration information.

show mff vlan <vlan-id>
Example: This designates VLAN configuration information
manually.
ZXR10#show mff vlan 1
MFF function: enable
MFF gateway ip: 10.40.20.1
3. This displays MFF physical interface configuration information.

show mff interface [<interface-name>]
The command with interface name will view configuration in-
formation of designated interface; The command without pa-
rameter will view all opened MFF function configuration infor-
mation.
Example: view configuration information of the designated in-
terface.
ZXR10#show mff interface gei_1/1
Interface MFF Type
------------- -------------
gei_1/1 Network port
4. This views MFF corresponding relationship table.

show mff-table [vlan <vlan-id>[A.B.C.D]]
Command Illustration:
i. The command without option will view all MFF correspond-
ing relationship.
ii. The command with VLAN option will view all MFF corre-
sponding relationship in this VLAN.
iii. The command with VLAN and user IP address option will
view MFF corresponding relationship of specific user.
iv. Illustration to displayed command information:
Information Description
IP Address Subscriber’s IP address
Type Entry Type
Hardware Address User MAC Address
VlanID : User VLAN ID


Chapter 18
POE Configuration
Table of Contents
POE Overview ................................................................. 185
Configuring PoE............................................................... 186
PoE Configuration Example ............................................... 187
PoE Maintenance ............................................................. 188
POE Overview
PoEPower over Ethernetis an extended feature of network device
that supports Ethernet electrical interface. The network device
supporting PoE function such as switch and router can provide
power supply to remote PD including IP phone, WLANE AP and
Network Camera through twisted pair for implementing remote
power supply.
Ethernet remote power supply sometimes is called network power
supply. It is the technology that transfers power through 10 BaseT
and 100 Base-TX. When the current Ethernet Cat.5 infrastructure
doesn’t change, data signal can be transmitted to the terminals
based on IP (such as IP phone, AP and network camera and DC
power can be supplied to those at the same time. PoE technology
can ensure the structured cabling security and the current network
normal operation to decrease the cost greatly.
Figure 42 displays a common PoE power supply example.

FIGURE 42 POE POWER SUPPLY
Configuring PoE
1 ZXR10（config-if）#poe enable This enables interface PoE

function.
The default is disabled.
2 ZXR10（config-if）#poe pd-max-power [15.4 | 7.0 This configures port maximum

| 4.0 | ext.18| ext.27|ext.30.0] power.
This command only can be
used when this interface
doesn’t be enabled PoE
function.
The default is 15.4.
3 ZXR10（config-if）#poe priority [critical | high | low] This configures interface

priority.
function.
The default is low.

Chapter 18 POE Configuration
4 ZXR10（config-if）#poe enhanced-mode [enable | This configures compatibility

disable] detection of port connected
device.
function.
The default is enabled.
This command indicates
whether to open the
connected device
compatibility detection.
If enable is configured, power
will be supplied on port when
non-standard PD device
(cisco big capacity device)
is detected. If disable is
configured, power will be
supplied only when standard
PD device is detected.
5 ZXR10（config）#poe overtemperature auto-recovery This configures switch

enable temperature recovery.
When device works at stack
mode, the command format
is poe overtemperature
auto-recovery enable
device-id <device-id>
The default is disabled.
6 ZXR10（config#poe power-threshold <40-90> This configures switch power

occupancy alarm threshold.
When device works in stack
mode, this command format
is poe power-threshold
<40-90> device-id
<device-id>.
The default is 80.
7 ZXR10（ config） #poe upgrade-firmware This upgrades firmware used

{firmware-name} in device.
When device works in stack
mode, this command format
is poe upgrade-firmware
{firmware-name}
device-id <device-id>.
This command upgrades
Firmware PSE handling
software on-line.
PoE Configuration Example

This examples shows the PoE configuration on switch in a stack
system.
ZXR10(config)#int gei_2/1/5
ZXR10(config-gei_2/1/5)#poe priority high

ZXR10(config-gei_2/1/5)#poe pd-max-power ext.27

ZXR10(config-gei_2/1/5)#poe enhanced-mode enable
ZXR10(config-gei_2/1/5)#poe enable
ZXR10(config-gei_2/1/5)#exit
ZXR10(config)#poe overtemperature auto-recovery enable device-id 2
ZXR10(config)#poe power-threshold 88 device-id 2
PoE Maintenance
and diagnosis of PoE. Common commands used in PoE mainte-
nance and diagnosis are as follows.
1 ZXR10(config)#show poe config interface This views interface PoE

<infterface-name> configuration.
2 ZXR10(config)#show poe interface <infterface-name> This views interface PoE

status configuration.
3 ZXR10(config)#show poe device <device-id> This views PSE status

information.

Figures
Figure 1 ZXR10 5900/5200 Configuration Modes..................... 3

Figure 2 STARTING THE HYPERTERMINAL .............................. 4
Figure 3 LOCATION INFORMATION ........................................ 4
Figure 4 SETTING UP A CONNECTION.................................... 5
Figure 5 CONNECTION CONFIGURATION................................ 6
Figure 6 COM1 PROPERTIES................................................. 7
Figure 7 RUN TELNET .......................................................... 8
Figure 8 TELNET LOGIN ....................................................... 8
Figure 9 SETTING IP ADDRESS AND PORT NUMBER OF SSH
SERVER............................................................10
Figure 10 SETTING THE SSH VERSION NUMBER ....................11
Figure 11 WFTPD INTERFACE ..............................................19
Figure 12 USER/RIGHTS SECURITY DIALOG BOX ...................20
Figure 13 TFTPD INTERFACE ...............................................21
Figure 14 CONFIGURING DIALOG BOX .................................21
Figure 15 PORT MIRRORING EXAMPLE..................................39
Figure 16 PORT RSPAN MIRRORING EXAMPLE .......................40
Figure 17 Port Loopback Detection Example ..........................42
Figure 18 ACL Configuration Example ...................................67
Figure 19 TRAFFIC POLICING WORKING FLOW ......................70
Figure 20 QOS CONFIGURATION EXAMPLE ............................78
Figure 21 POLICY ROUTING EXAMPLE...................................80
Figure 22 DHCP SERVER CONFIGURATION .......................... 100
Figure 23 DHCP RELAY CONFIGURATION ............................ 101
Figure 24 DHCP SNOOPING CONFIGURATION ..................... 102
Figure 25 DHCP SNOOPING PREVENT STATIC IP
CONFIGURATION ............................................. 103
Figure 26 BASIC VRRP CONFIGURATION ............................. 108
Figure 27 SYMMETRIC VRRP CONFIGURATION ..................... 109
Figure 28 NTP CONFIGURATION EXAMPLE........................... 112
Figure 29 DOT1X RADIUS AUTHENTICATION APPLICATION.... 137
Figure 30 DOT1X TRUNK AUTHENTICATION APPLICATION ..... 138
Figure 31 CLUSTER MANAGEMENT NETWORKING................. 144
Figure 32 SWITCH SWITCHING RULE ................................. 145

Figure 33 CLUSTER MANAGEMENT CONFIGURATION ............ 149

Figure 34 ZESR Configuration Example ............................... 165
Figure 35 ZESR+ and ZESR Hybrid Networking Topology
Figure ............................................................ 168
Figure 36 IP SOURCE GUARD Configuration......................... 172
Figure 37 IP Source Guard Configuration ............................ 173
Figure 38 IP Source Guard Configuration ............................ 173
Figure 39 Man-in-the-middle Attack ................................... 177
Figure 40 DAI Configuration Example ................................. 179
Figure 41 Manual Mode Basic MFF Function Configuration
Example ......................................................... 182
Figure 42 POE Power Supply ............................................. 186

Tables
Table 1 CHAPTER SUMMARY .................................................. i

Table 2 COMMAND MODES..................................................12
Table 3 INVOKING A COMMAND...........................................15
Table 4 Interface State Abnormal Condition...........................35
Table 5 IP ADDRESS RANGE FOR EACH CLASS.......................47


Glossary
DHCP - Dynamic Host Configuration Protocol

BRAS - Broadband Remote Access Server
DWRR - Deficit Weighted Round Robin
CLI - Command Line Interface
CIR - Committed Information Rate
DSCP - Differentiated Services Code Point
CBS - Committed Burst Size
EAPOL - Extensible Authentication Protocol Over LAN
IP - Internet Protocol
MAC - Media Access Control
LLDPDU - Link Layer Discovery Protocol Data Unit
IPTV - Internet Protocol Television
FTP - File Transfer Protocol
LLDP - Link Layer Discovery Protocol
ICMP - Internet Control Message ProtocolInternet
MIB - Management Information Base
NTP - Network Time Protocol
EBS - Excess Burst Size
SP - Strict Priority
SNMP - Simple Network Management Protocol
PVID - Port VLAN ID
SSH - Secure Shell
PIR - Peak Information Rate
PBS - Peak Burst Size
RADIUS - Remote Authentication Dial In User Service
RMON - Remote Monitoring
QoS - Quality of Service
STP - Spanning Tree Protocol
TELNET - Telecommunication Network Protocol
TFTP - Trivial File Transfer Protocol
UDP - User Datagram Protocol
URPF - Unicast Reverse Path Forwarding
UDLD - UniDirectional Link Detection
TTL - Time To Live
ToS - Type Of Service

TCP - Transmission Control Protocol

TLV - Type Length Value
VBAS - Virtual Broadband Access Server
VLAN - Virtual Local Area Network
WRR - Weighted Round Robin
ACL - Access Control List
BAS - Broadband Access Server
AAA - Authentication, Authorization, and Accounting
ARP - Address ResolutionProtocol
CoS - Class of Service
DSLAM - Digital Subscriber Line Access Multiplexer

Zxr10 5960 Switch

Uploaded by

Copyright:

Available Formats

Zxr10 5960 Switch

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Zxr10 5960 Switch

Uploaded by

Copyright:

Available Formats

ZXR10 5900/5200 Series

All Gigabit-Port Intelligent Routing Switch

Copyright © 2006 ZTE CORPORATION.

The ultimate right to interpret this product resides in ZTE CORPORATION.

Revision No. Revision Date Revision Reason

Serial Number: sjzl20095126

Purpose ZXR10 5900/5200 (V2.8.23.A) Series All Gigabit-Port Intelligent

Chapter 1 Safety This chapter describes the safety

Chapter 2 Usage and This chapter describes ZXR10 5900/5200

Chapter 3 System This chapter introduces file system

Chapter 4 Interface This chapter describes port parameters

Chapter 5 Network This chapter describes IP address

Confidential and Proprietary Information of ZTE CORPORATION i

Chapter 6 Switch Stack This chapter describes the content and

Chapter 7 ACL This chapter introduces ACL and related

Chapter 8 QoS This chapter introduces QOS and related

Chapter 9 DHCP This chapter introduces DHCP and related

Chapter 10 VRRP This chapter introduces VRRP and related

Chapter 11 Network This chapter introduces Network

Chapter 12 DOT1X This chapter introduces DOT1Xt

Chapter 13 Cluster This chapter introduces Cluster

Chapter 14 IPTV This chapter describes the content and

Chapter 15 VBAS This chapter introduces VBAS configuration.

Chapter 16 ZESR This chapter introduces ZESR configuration.

Chapter 17 Security This chapter introduces Security

Chapter 18 POE This chapter describes the content and

Related The following documentation is related to this manual:

ii Confidential and Proprietary Information of ZTE CORPORATION

� ZXR10 Router-Ethernet Switch Command Manual - System

Confidential and Proprietary Information of ZTE CORPORATION iii

This page is intentionally blank.

iv Confidential and Proprietary Information of ZTE CORPORATION

Confidential and Proprietary Information of ZTE CORPORATION 1

This page is intentionally blank.

2 Confidential and Proprietary Information of ZTE CORPORATION

Usage and Operation

FIGURE 1 ZXR10 5900/5200 CONFIGURATION MODES

Confidential and Proprietary Information of ZTE CORPORATION 3

Configuring Through Console Port

FIGURE 2 STARTING THE HYPERTERMINAL

2. Input the related local information in the interface as shown

FIGURE 3 LOCATION INFORMATION

4 Confidential and Proprietary Information of ZTE CORPORATION

3. After the Connection Description dialog box appears, enter

FIGURE 4 SETTING UP A CONNECTION

4. Based on serial port connection to the console cable, choose

Confidential and Proprietary Information of ZTE CORPORATION 5

FIGURE 5 CONNECTION CONFIGURATION

5. Enter the properties of the selected serial port as shown in

6 Confidential and Proprietary Information of ZTE CORPORATION

FIGURE 6 COM1 PROPERTIES

Power on and boot ZXR10 5900/5200 to initialize the system and

Telnet Connection Configuration

Confidential and Proprietary Information of ZTE CORPORATION 7

i. Configure the Telnet login user name and password through

FIGURE 7 RUN TELNET

vi. Click OK to enter the interface as shown inFigure 8 .

FIGURE 8 TELNET LOGIN

vii.Type the correct user name and password at the prompt to

8 Confidential and Proprietary Information of ZTE CORPORATION