Thursday, October 13, 2011

Comware - PVST+


1. STP and RSTP run a single spanning tree for all VLANs and therefore cannot load balance across VLANs; Cisco created PVST to address this.

   Protocol   Developer        VLAN tagging
   MSTP       IEEE (802.1Q)    802.1Q
   PVST       Cisco            ISL
   PVST+      Cisco            802.1Q

2. Comware v5 implements MSTP
3. New software releases add PVST+ to Comware v5 switches


Configuration Steps

1. Configure 3 VLANs
2. Create a spanning tree per VLAN
3. Configure
     Switch A as root of VLAN 1
     Switch B as root of VLAN 2
     Switch C as root of VLAN 3

Note: in this example it is assumed that Switch A has the smallest default Bridge-ID


Test Layout

1. Configure all VLANs
2. Enable STP in system-view
     stp enable
3. Change the STP mode to PVST
     stp mode pvst
4. Connect the switches

Notes
The STP default mode is MSTP.
At this point a spanning tree has been created for each VLAN. All spanning trees have the same root.

5. Change the bridge priority for individual VLANs or for lists of VLANs
     stp vlan vlan-list priority priority-value

Figure 1: Test Network Layout

1.    On all three switches

a.    Create VLANs 2-6
b.    Configure ports 1 and 2 as “link-type trunk” permitting all VLANs
c.    Enable STP
d.    Change STP mode to PVST+


2.    Connect the cables following Figure 1.

Commands

system-view
 vlan 2 to 6

 interface gigabit 0/1
  port link-type trunk
  port trunk permit vlan all
  quit
 interface gigabit 0/2
  port link-type trunk
  port trunk permit vlan all
  quit
 stp enable
 stp mode pvst
 quit


3.    Check the STP configuration. Notice that the root bridge for all STP instances is the same.

Commands
display stp root
display stp brief


4.    Change the root of different instances:

a.    Switch 1: VLAN 1 and 2
b.    Switch 2: VLAN 3 and 4
c.    Switch 3: VLAN 5 and 6

Example

Switch A:
system-view
 stp vlan 1 priority 4096
 quit

Switch B:
system-view
 stp vlan 2 priority 4096
 quit

Switch C:
system-view
 stp vlan 3 priority 4096
 quit



Result 

1.    Verify that the root bridges changed

Commands
display stp root
display stp brief
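Why "stp vlan 1 priority 4096" moves the root for exactly one VLAN is easier to see with the bridge ID written out. The script below is an added worked example, not code from the post: it builds the per-VLAN bridge ID in the standard PVST+ layout (4-bit priority in steps of 4096, the VLAN ID in the 12-bit system ID extension, then the 48-bit MAC) and elects the lowest ID per VLAN. It assumes Comware's "stp mode pvst" uses that same layout; the switch names, MAC addresses and the six VLANs are constructed to match the procedure above, and the function names are this example's own.

```python
"""Per-VLAN root election in PVST+ (added worked example, not from the post).

Every VLAN runs its own spanning tree, so a bridge has one bridge ID per VLAN:

    bridge ID = ((priority + VLAN ID) << 48) | bridge MAC

The priority is a multiple of 4096 (4 bits), the VLAN ID fills the 12-bit
system ID extension, and the 48-bit MAC breaks ties; the lowest ID wins.
This is the standard PVST+ layout and is assumed here to be what Comware's
"stp mode pvst" uses. Switch names and MACs below are constructed.
"""

DEFAULT_PRIORITY = 32768

# Constructed: A gets the lowest MAC, matching the post's assumption that
# Switch A has the smallest default bridge ID.
SWITCHES = {"A": "0010-f3a1-0001", "B": "0010-f3a1-0002", "C": "0010-f3a1-0003"}
VLANS = range(1, 7)


def mac_to_int(mac):
    """Accept Comware (xxxx-xxxx-xxxx), colon or dotted MAC notation."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return int(digits, 16)


def valid_priority(priority):
    """'stp vlan ... priority' accepts 0-61440 in steps of 4096."""
    return 0 <= priority <= 61440 and priority % 4096 == 0


def bridge_id(priority, vlan, mac):
    """64-bit bridge ID of one switch for one VLAN."""
    if not valid_priority(priority):
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    return ((priority + vlan) << 48) | mac_to_int(mac)


def elect_roots(switches, vlans, priorities=None):
    """Return {vlan: root switch name}; priorities maps (switch, vlan) -> value."""
    priorities = priorities or {}
    roots = {}
    for vlan in vlans:
        candidates = (
            (bridge_id(priorities.get((name, vlan), DEFAULT_PRIORITY), vlan, mac), name)
            for name, mac in switches.items()
        )
        roots[vlan] = min(candidates)[1]   # lowest bridge ID wins
    return roots


def default_roots():
    """Step 3 of the post: every VLAN elects the same root (lowest MAC)."""
    return elect_roots(SWITCHES, VLANS)


def tuned_roots():
    """Step 4: 'stp vlan 1 priority 4096' on A, VLAN 2 on B, VLAN 3 on C."""
    tuned = {("A", 1): 4096, ("B", 2): 4096, ("C", 3): 4096}
    return elect_roots(SWITCHES, VLANS, tuned)


if __name__ == "__main__":
    print("default:", default_roots())
    print("tuned:  ", tuned_roots())
```

With default priorities all six VLANs pick A, which is what "display stp root" shows in step 3; after the three priority commands VLANs 1, 2 and 3 move to A, B and C while VLANs 4 to 6 stay on A. The same function can be used to predict the effect of any priority plan before it is typed into the switches.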


Tuesday, October 11, 2011

Comware & ProCurve - local traffic mirroring


Network Diagram

A5800
vlan 10: 10.3.2.1/24
access ports gi1/0/1 to gi1/0/4

E3500
vlan 10: 10.3.2.2/24
untagged ports 1-4

             +----------+    +---------+
             | Procurve |    | Comware |
  [router]---- p1       |    | gi1/0/1 -----[router]
             | p3       |    | gi1/0/3 |
             +-|--------+    +--|------+

               |                |
               |                |
              PC               PC

traffic mirroring - ProCurve

1. Connect the PC to a port in VLAN 2.

2. From the CLI, configure the PC port as the mirror destination.
E3500(config)# mirror 1 port 3

3. Configure the port connected to the 5800 as the traffic source.
E3500(config)# interface 1 monitor all both mirror 1
or
interface 1
   monitor all both mirror 1
   exit

traffic mirroring - Comware

1. Connect the PC to a port in VLAN 2 on the Comware switch.

2. Create a local mirroring group.
[A5800]mirroring-group 1 local

3. From the CLI, configure the PC port as the mirror destination.
[A5800]mirroring-group 1 monitor-port gi1/0/3
or
[A5800] interface GigabitEthernet1/0/3
port access vlan 2
mirroring-group 1 monitor-port

4. Configure the port connected to the 3500 as the source of the mirrored traffic.
[A5800]mirroring-group 1 mirroring-port gi1/0/1 both
or
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 1 to 2 10
 port trunk pvid vlan 10
 mirroring-group 1 mirroring-port both


Friday, October 7, 2011

H3C - Configuration Examples


Sample HPN vs. Cisco CLI Comparison Reference

H3C                      Cisco
display                  show
undo                     no
quit                     exit
return                   end
logout                   exit
sysname                  hostname
local-user               user
acl                      access-list
display version          show version
display current          show run
display saved-config     show start
ctrl+q                   ctrl+z
ctrl+e                   ctrl+p
ctrl+d (undebug all)     no debug all
save                     write
delete                   erase
simple                   0
cipher                   7
info-center              logging


Mode and View Reference:

H3C                       Cisco              Description
User View: <Router>       Router>            User level, basic limited access
System View: [Router]     Router#            Privileged, detailed access
System View: [Router]     Router(config)#    Configuration level access


Basic Configurations

Hostnames
    Define the hostname (unique identifier) for each device being configured.
    sysname CORE_9500
Command Alias

Time and Date
    clock datetime HH:MM:SS {YYYY/MM/DD | MM/DD/YYYY }
    clock timezone zone-name { add | minus } HH:MM:SS
Startup Config File Settings
    startup saved-config filename.cfg
    sysname
    slave auto-update config (this auto saves to all slave management modules across a single chassis and IRF cluster)
Date and Time

Static
    clock datetime HH:MM:SS {YYYY/MM/DD | MM/DD/YYYY }
NTP
    ntp-service source-interface Vlan-interface10
    ntp-service unicast-server 192.168.128.1 priority
    ntp-service unicast-server 192.168.16.1 priority
LLDP
    Enable LLDP signaling on Ethernet ports.
    LLDP is enabled by default on fixed port switches.
    It is disabled by default on chassis based switches.
    lldp enable
Terminal Settings
    This keeps logging and monitor messages from messing up your command input.
    info-center synch (keeps system messages from messing up your typing)
    quit
    screen-length disable (don't stop scrolling text; this is an individual session setting)
Loopback Interfaces
    Create loopback interfaces. These can be used for the BGP/OSPF router ID (RID) and the MPLS label switch router ID (LSR ID).
    interface loopback 0
    ip address 10.1.200.1 32
Message of the Day
    header motd %
    This computer system and associated networks are for the sole
    business use of ACME widget Corporation.  No Unauthorized use.
    %

Remote Access and AAA

Telnet
telnet server enable
user-interface vty 0 4
authentication-mode password (password will require only a password, scheme requires a user name and password setup via local-user…see SSH example)
set authentication password simple admin
protocol inbound telnet (could be all to allow for both telnet and ssh)
quit
SSH
public-key local create rsa
public-key local create dsa
ssh server enable
Configure User Interface:
user-interface vty 0 4
authentication-mode scheme
protocol inbound ssh (could be all to allow for both telnet and ssh)
quit
Configure a local user:
local-user admin
password simple admin
authorization-attribute level 3
service-type ssh
quit
Configure local user to use SSH:
ssh user admin service-type stelnet authentication-type password (using all as service type allows this user to be used for sFTP)

FTP
Anonymous FTP is not allowed. You must configure a local user with ftp rights.
ftp server enable
local-user admin
password simple admin
service-type ftp
authorization-attribute level 3
quit

sFTP
sFTP Server:
public-key local create rsa
public-key local create dsa
ssh server enable
sftp server enable

Configure User Interface:
user-interface vty 0 4
authentication-mode scheme
protocol inbound ssh (sFTP uses ssh)
quit

Configure a local user:
local-user sftp-user
password simple admin
service-type ssh
authorization-attribute level 3
quit

Configure local user to use sFTP:
ssh user sftp-user service-type sftp authentication-type password (using all as service type allows this user to be used for SSH)

RADIUS
Create a domain: 
domain test-domain
quit
domain default enable test-domain

Create a RADIUS Scheme:
radius scheme rad-scheme
primary authentication x.x.x.x (this is for authentication and authorization)
secondary authentication x.x.x.x
key authentication test_key
primary accounting x.x.x.x
secondary accounting x.x.x.x
key accounting test_key
user-name-format without-domain (do this only if the RADIUS server doesn't want to see the domain name in the requests)
quit

domain test-domain
authentication login radius-scheme rad-scheme
authorization login radius-scheme rad-scheme
accounting login radius-scheme rad-scheme
quit

TACACS 
Create a domain:
domain test-domain
quit

domain default enable test-domain
hwtacacs scheme tacacs-scheme
primary authentication x.x.x.x
secondary authentication x.x.x.x
key authentication test_key
primary authorization x.x.x.x
secondary authorization x.x.x.x
key authorization test_key
primary accounting x.x.x.x
secondary accounting x.x.x.x
key accounting test_key
user-name-format without-domain (do this only if the TACACS server doesn't want to see the domain name in the requests)
quit

domain test-domain
authentication login hwtacacs-scheme tacacs-scheme
authorization login hwtacacs-scheme tacacs-scheme
accounting login hwtacacs-scheme tacacs-scheme
quit
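The Telnet, FTP and local-user examples above use "simple" (clear-text) passwords, a shared line password and "protocol inbound all", which is fine for a lab but is exactly what an audit of a production switch should catch. The script below is an added example, not code from the post: it reads the text of "display current-configuration", splits it into views the way Comware v5 prints them (view-entering commands unindented, commands inside a view indented one space, "#" closing a view) and reports the settings worth tightening, each with the replacement command. Both configurations inside it are constructed from the commands on this page, the ciphertext is a placeholder, and the finding IDs and function names are this script's own.

```python
"""Flag weak remote-access settings in a Comware configuration.

Added example, not from the original post. It reads the text of
"display current-configuration" and reports settings from the Telnet, SSH,
FTP and VTY examples above that are worth tightening. The two configs below
are constructed for the example; the finding IDs are this script's own.
"""
import re

# Constructed: roughly what the Telnet/FTP/local-user examples above leave in
# the running config (Comware v5 style: view-entering commands are unindented,
# commands inside a view are indented one space, '#' ends a view).
WEAK_CONFIG = """\
 telnet server enable
 ftp server enable
 ssh server enable
#
user-interface vty 0 4
 authentication-mode password
 set authentication password simple admin
 protocol inbound all
#
local-user admin
 password simple admin
 authorization-attribute level 3
 service-type ssh ftp
#
"""

# Constructed: the same device after tightening (ciphertext is a placeholder).
HARDENED_CONFIG = """\
 ssh server enable
 sftp server enable
#
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound ssh
#
local-user admin
 password cipher <ciphertext-placeholder>
 authorization-attribute level 3
 service-type ssh
#
"""

# (view prefix, command pattern, finding id, recommendation);
# an empty prefix means the command must sit directly in system view.
CHECKS = [
    ("", r"^telnet server enable$", "TELNET_ENABLED",
     "Telnet sends credentials in clear text; use 'undo telnet server enable' and SSH."),
    ("", r"^ftp server enable$", "FTP_ENABLED",
     "FTP sends credentials in clear text; use 'sftp server enable' instead."),
    ("user-interface vty", r"^authentication-mode password$", "VTY_PASSWORD_ONLY",
     "A shared line password gives no per-user accountability; use 'authentication-mode scheme'."),
    ("user-interface vty", r"^set authentication password simple ", "VTY_PLAINTEXT_PASSWORD",
     "Line password is stored in clear text; use 'set authentication password cipher'."),
    ("user-interface vty", r"^protocol inbound (telnet|all)$", "VTY_ALLOWS_TELNET",
     "The VTY lines accept Telnet; restrict them with 'protocol inbound ssh'."),
    ("local-user", r"^password simple ", "LOCAL_USER_PLAINTEXT_PASSWORD",
     "Local user password is stored in clear text; use 'password cipher'."),
]


def parse_views(config):
    """Return [(view, [commands])]; view is "" for system-view commands."""
    views, view, commands = [], "", []
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":                       # end of the current view
            views.append((view, commands))
            view, commands = "", []
        elif raw.startswith(" "):             # command inside the current view
            commands.append(line)
        else:                                 # unindented: enters a new view
            views.append((view, commands))
            view, commands = line, []
    views.append((view, commands))
    return [(v, c) for v, c in views if c]


def audit(config):
    """Return one finding dict per weak command found in the config text."""
    findings = []
    for view, commands in parse_views(config):
        for cmd in commands:
            for prefix, pattern, fid, advice in CHECKS:
                in_scope = view == "" if prefix == "" else view.startswith(prefix)
                if in_scope and re.match(pattern, cmd):
                    findings.append({"id": fid, "view": view or "system-view",
                                     "command": cmd, "advice": advice})
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print(f"  [{f['id']}] {f['view']}: {f['command']} -> {f['advice']}")
```

Run it against a saved copy of "display current-configuration" (or paste the output into WEAK_CONFIG) and the weak lab config produces six findings while the hardened one produces none. The checks are keyed on the view a command appears in, so "password simple" under local-user is reported while the same words inside a header banner are not.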

 
VLANs
Create VLANs to be used on each switch according to the diagram, and assign VLAN IP addresses on the CORE.
vlan 10
description test VLAN
quit

interface vlan 10
ip address 10.1.10.1 24
quit
Port Configurations
For ports that will be part of a link aggregation group, skip to the Link Aggregation section. For those ports, all configuration must be done at the port group level, with the exception of adding each individual port to the port group. Otherwise there can be issues with all ports joining the group correctly.
Access Ports
interface ten 1/0/1
description access port
port access vlan 10
Trunk Ports
interface ten 1/2/0/1
description trunk port to EDGE_5800
port link-type trunk
port trunk permit vlan 10 to 11
undo port trunk permit vlan 1
port trunk pvid vlan 10 (if you want to set pvid)
Link Aggregation
Order is important in LAG group configuration:
- Clear out the current port config
- Create the LAG group and set it to dynamic if LACP is desired
- Add the ports to the LAG
- Do the remaining config on the LAG
interface bridge-aggregation 1
description LAG to Server
link-aggregation mode dynamic (enables LACP. Enabled by default)
quit

interface ten 1/2/0/8 (interface to be added to LAG)
port link-aggregation group 1
quit

interface ten 2/2/0/8 (interface to be added to LAG)
port link-aggregation group 1
quit

interface bridge-aggregation 1
port link-type trunk
port trunk permit vlan 10 to 11
undo port trunk permit vlan 1
quit

display link-aggregation verbose
All interfaces should have a status of S (selected). If they say U (unselected), something is wrong.



About the Author

Central Florida, United States