3Com 4200G 12-Port Configuration Manual

3Com Switch 4200G Family

Configuration Guide

Switch 4200G 12-Port
Switch 4200G 24-Port
Switch 4200G 48-Port
Switch 4200G PWR 24-Port
Product Version: V3.02.00
Manual Version:
6PW100-20081201
www.3com.com
3Com Corporation
350 Campus Drive, Marlborough,
MA, USA 01752 3064

Summary of Contents for 3Com 4200G 12-Port

  • Page 2 3Com Corporation. 3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
  • Page 3: Table Of Contents

    About This Manual. Organization: the 3Com Switch 4200G Family Configuration Guide is organized as follows (part / contents). Part 1, Login: introduces the ways to log in to an Ethernet switch and CLI-related configuration. Part 2, Configuration File Management: introduces the configuration file and the related configuration.
  • Page 4 Part Contents 28 File System Management Introduces basic configuration for file system management. Introduces basic configuration for FTP, SFTP and TFTP, 29 FTP-SFTP-TFTP and the applications. 30 Information Center Introduces information center configuration. 31 System Maintenance and Introduces daily system maintenance and debugging. Debugging 32 Remote-ping Introduces Remote-ping and the related configuration.
  • Page 5: Related Documentation

    3Com Switch 4200G Family Release Notes. If information in this guide differs from information in the release notes, use the information in the Release Notes. Obtaining Documentation: you can access the most up-to-date 3Com product documentation on the World Wide Web at this URL: http://www.3com.com.
  • Page 6: Login

    Table of Contents: Logging In to an Ethernet Switch (1-1); Logging In to an Ethernet Switch (1-1); Introduction to the User Interface (1-1); Supported User Interfaces (1-1); Relationship Between a User and a User Interface (1-2); User Interface Index (1-2); Common User Interface Configuration (1-2); Logging In Through the Console Port (2-1); Introduction (2-1); Setting Up a Login Environment for Login Through the Console Port (2-1)...
  • Page 7 Switch Configuration (4-2); Modem Connection Establishment (4-2); CLI Configuration (5-1); Introduction to the CLI (5-1); Command Hierarchy (5-1); Command Level and User Privilege Level (5-1); Modifying the Command Level (5-2); Switching User Level (5-3); CLI Views (5-7); CLI Features (5-10); Online Help (5-10); Terminal Display (5-11); Command History (5-12); Error Prompts (5-12); Command Edit (5-13)...
  • Page 8: Logging In To An Ethernet Switch

    Supported User Interfaces The auxiliary (AUX) port and the console port of a 3Com low-end and mid-range Ethernet switch are the same port (referred to as console port in the following part). You will be in the AUX user interface if you log in through this port.
  • Page 9: Relationship Between A User And A User Interface

    Table 1-1 Description on user interface (user interface / applicable user / port used / remarks):
    AUX: users logging in through the console port; console port; each switch can accommodate one AUX user.
    VTY: Telnet users and SSH users; Ethernet port; each switch can accommodate up to five VTY users.
  • Page 10 To do… / Use the command… / Remarks:
    Lock the current user interface: lock. Optional; available in user view. A user interface is not locked by default.
    Send messages to all user interfaces or to a specified user interface: send { all | number | type number }. Optional; available in user view. Optional...
  • Page 11: Logging In Through The Console Port

    Logging In Through the Console Port Go to these sections for information you are interested in: Introduction Setting Up a Login Environment for Login Through the Console Port Console Port Login Configuration Console Port Login Configuration with Authentication Mode Being None Console Port Login Configuration with Authentication Mode Being Password Console Port Login Configuration with Authentication Mode Being Scheme Introduction...
  • Page 12 If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP. The following assumes that you are running Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4...
  • Page 13: Console Port Login Configuration

    Figure 2-4 Set port parameters Turn on the switch. You will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt appears after you press the Enter key. You can then configure the switch or check the information about the switch by executing the corresponding commands.
  • Page 14 Configuration Remarks Set the maximum Optional number of lines the By default, the screen can contain up to 24 lines. screen can contain Optional Set history command buffer By default, the history command buffer can contain up size to 10 commands. Optional Set the timeout time of a user interface...
  • Page 15: Console Port Login Configurations For Different Authentication Modes

    To do… / Use the command… / Remarks: Set the maximum number of lines the screen can contain: screen-length screen-length. Optional; by default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
  • Page 16: Console Port Login Configuration With Authentication Mode Being None

    Changes made to the authentication mode for console port login take effect after you quit the command-line interface and then log in again. Console Port Login Configuration with Authentication Mode Being None. Configuration Procedure: follow these steps to configure console port login with the authentication mode being none. To do…...
  • Page 17: Console Port Login Configuration With Authentication Mode Being Password

    Network diagram: Figure 2-5 Network diagram for AUX user interface configuration (with the authentication mode being none); a configuration PC running Telnet is connected to the switch port GE1/0/1 over Ethernet. Configuration procedure: # Enter system view. <Sysname> system-view # Enter AUX user interface view. [Sysname] user-interface aux 0 # Specify not to authenticate users logging in through the console port.
  • Page 18: Configuration Example

    To do… / Use the command… / Remarks: Enter system view: system-view. Enter AUX user interface view: user-interface aux 0. Configure to authenticate users using the local password: authentication-mode password. Required; by default, users logging in to a switch through the console port are not authenticated;...
  • Page 19: Console Port Login Configuration With Authentication Mode Being Scheme

    <Sysname> system-view # Enter AUX user interface view. [Sysname] user-interface aux 0 # Specify to authenticate users logging in through the console port using the local password. [Sysname-ui-aux0] authentication-mode password # Set the local password to 123456 (in plain text). [Sysname-ui-aux0] set authentication password simple 123456 # Specify commands of level 2 are available to users logging in to the AUX user interface.
  • Page 20: Configuration Example

    To do… / Use the command… / Remarks: Enter the default ISP domain view: domain domain-name. Specify the AAA scheme: scheme { local | none | radius-scheme ... Optional; by default, the local AAA scheme is applied. If you specify to apply the local AAA scheme, you need to perform the configuration...
  • Page 21 Set the authentication password of the local user to 123456 (in plain text). Set the service type of the local user to Terminal and the command level to 2. Configure to authenticate the users in the scheme mode. The baud rate of the console port is 19,200 bps. The screen can contain up to 30 lines.
  • Page 22 # Set the maximum number of commands the history command buffer can store to 20. [Sysname-ui-aux0] history-command max-size 20 # Set the timeout time of the AUX user interface to 6 minutes. [Sysname-ui-aux0] idle-timeout 6 After the above configuration, you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in Figure 2-4 to log in to the switch successfully.
  • Page 23: Logging In Through Telnet

    Logging In Through Telnet Go to these sections for information you are interested in: Introduction Telnet Configuration with Authentication Mode Being None Telnet Configuration with Authentication Mode Being Password Introduction Switch 4200G supports Telnet. You can manage and maintain a switch remotely by Telnetting to the switch.
  • Page 24 Configuration Description Optional Configure the protocols the By default, Telnet and SSH protocol are user interface supports supported. Optional Set the commands to be executed automatically after By default, no command is executed a user log in to the user automatically after a user logs into the VTY user interface successfully interface.
  • Page 25: Telnet Configurations For Different Authentication Modes

    To do… / Use the command… / Remarks: Set the history command buffer size: history-command max-size value. Optional; the default history command buffer size is 10, that is, the history command buffer of a user can store up to 10 commands by default.
  • Page 26: Telnet Configuration With Authentication Mode Being None

    To improve security and prevent attacks on unused sockets, TCP port 23 (Telnet) and TCP port 22 (SSH) are enabled or disabled according to the authentication configuration of the VTY user interfaces. If the authentication mode is none, TCP 23 is enabled and TCP 22 is disabled. If the authentication mode is password and the corresponding password has been set, TCP 23 is enabled and TCP 22 is disabled. In both of these modes only the cleartext Telnet service is reachable; SSH on TCP 22 becomes available only when the authentication mode is scheme, so a switch that is to be managed over SSH needs scheme authentication on its VTY user interfaces.
  • Page 27: Telnet Configuration With Authentication Mode Being Password

    Network diagram Figure 3-1 Network diagram for Telnet configuration (with the authentication mode being none) Configuration procedure # Enter system view. <Sysname> system-view # Enter VTY 0 user interface view. [Sysname] user-interface vty 0 # Configure not to authenticate Telnet users logging in to VTY 0. [Sysname-ui-vty0] authentication-mode none # Specify commands of level 2 are available to users logging in to VTY 0.
  • Page 28: Configuration Example

    When the authentication mode is password, the command level available to users logging in to the user interface is determined by the user privilege level command. Configuration Example. Network requirements: assume the current user logs in through the console port and the current user level is set to the administrator level (level 3).
  • Page 29: Telnet Configuration With Authentication Mode Being Scheme

    Telnet Configuration with Authentication Mode Being Scheme. Configuration Procedure: follow these steps to configure Telnet with the authentication mode being scheme. To do… / Use the command… / Remarks: Enter system view: system-view. Enter one or more VTY user interface views: user-interface vty...
  • Page 30: Configuration Example

    Refer to the AAA part of this manual for information about AAA, RADIUS, and HWTACACS. Configuration Example. Network requirements: assume the current user logs in through the console port and the user level is set to the administrator level (level 3). Perform the following configurations for users logging in to VTY 0 using Telnet. Configure the local user name as guest.
  • Page 31: Telnetting To A Switch

    # Set the maximum number of lines the screen can contain to 30. [Sysname-ui-vty0] screen-length 30 # Set the maximum number of commands the history command buffer can store to 20. [Sysname-ui-vty0] history-command max-size 20 # Set the timeout time to 6 minutes. [Sysname-ui-vty0] idle-timeout 6 Telnetting to a Switch Telnetting to a Switch from a Terminal...
  • Page 32 <Sysname>) appears if the password is correct. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message “All user interfaces are used, please try later!”. A 3Com switch can accommodate up to five Telnet connections at the same time.
  • Page 33: Telnetting To Another Switch From The Current Switch

    Telnetting to another Switch from the Current Switch. You can Telnet to another switch from the current switch. In this case, the current switch operates as the client, and the other operates as the server. If the interconnected Ethernet ports of the two switches are in the same LAN segment, make sure the IP addresses of the two management VLAN interfaces to which the two Ethernet ports belong are in the same network segment, or that a route between the two VLAN interfaces is available.
  • Page 34: Logging In Using A Modem

    Logging In Using a Modem Go to these sections for information you are interested in: Introduction Configuration on the Switch Side Modem Connection Establishment Introduction The administrator can log in to the console port of a remote switch using a modem through public switched telephone network (PSTN) if the remote switch is connected to the PSTN through a modem to configure and maintain the switch remotely.
  • Page 35: Switch Configuration

    You can verify your configuration by executing the AT&V command. The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration. Switch Configuration After logging in to a switch through its console port by using a modem, you will enter the AUX user interface.
  • Page 36 Figure 4-1 Establish the connection by using modems (PC, modem serial cable, modem, telephone line, PSTN, modem, console port; telephone number of the remote end: 82882285). Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch, as shown in Figure 4-2 through...
  • Page 37 Figure 4-3 Set the telephone number Figure 4-4 Call the modem If the password authentication mode is specified, enter the password when prompted. If the password is correct, the prompt (such as <Sysname>) appears. You can then configure or manage the switch.
  • Page 38: Cli Configuration

    Each 3Com Switch 4200G provides an easy-to-use CLI and a set of configuration commands so that users can configure and manage the switch conveniently. The CLI on the 3Com Switch 4200G provides the following features, and so has good manageability and operability.
  • Page 39: Modifying The Command Level

    Monitor level (level 1): commands at this level are mainly used to maintain the system and diagnose service faults, and they cannot be saved in the configuration file. Such commands include debugging and terminal. System level (level 2): commands at this level are mainly used to configure services. Commands concerning routing and network layers are at this level.
  • Page 40: Switching User Level

    To do… / Use the command… / Remarks: Configure the level of a command in a specific view: command-privilege level level view view command. Required. You are recommended to use the default command level or to modify the command level under the guidance of professional staff; otherwise, the change of command level may bring inconvenience to your maintenance and operation, or even potential security problems.
  • Page 41 can switch to a higher level temporarily; when the administrators need to leave for a while or ask someone else to manage the device temporarily, they can switch to a lower privilege level before they leave to restrict the operation by others. The high-to-low user level switching is unlimited.
  • Page 42 When both the super password authentication and the HWTACACS authentication are specified, the device adopts the preferred authentication mode first. If the preferred authentication mode cannot be implemented (for example, the super password is not configured or the HWTACACS authentication server is unreachable), the backup authentication mode is adopted.
  • Page 43 To do… / Use the command… / Remarks: Enter system view: system-view. Enter ISP domain view: domain domain-name. Set the HWTACACS authentication scheme for user level switching: super hwtacacs-scheme hwtacacs-scheme-name. Required; by default, the HWTACACS authentication scheme for user level switching is not set.
  • Page 44: Cli Views

    # Set the password used by the current user to switch to level 3. [Sysname] super password level 3 simple 123 A VTY 0 user switches its level to level 3 after logging in. # A VTY 0 user telnets to the switch, and then uses the set password to switch to user level 3. <Sysname>...
  • Page 45 Table 5-1 lists the CLI views provided by the 3com switch 4200G, operations that can be performed in different CLI views and the commands used to enter specific CLI views. Table 5-1 CLI views View Available operation Prompt example Enter method...
  • Page 46 View / Available operation / Prompt example / Enter method / Quit method: User interface view: configure user interface parameters; [Sysname-ui-aux0]; execute the user-interface command in system view. FTP client view: configure FTP client parameters; [ftp]; execute the ftp command in user view. SFTP client view: configure SFTP client parameters; execute the sftp command in...
  • Page 47: Cli Features

    View / Available operation / Prompt example / Enter method / Quit method: Remote-ping test group view: configure remote-ping test group parameters; [Sysname-remote-ping-a123-a12; execute the remote-ping command in system view. HWTACACS view: configure HWTACACS scheme parameters; [Sysname-hwtacacs-a123]; execute the hwtacacs scheme command in system view. PoE profile view: configure PoE...
  • Page 48: Terminal Display

    <Other information is omitted> Enter a command, a space, and a question mark (?). If the question mark “?” is at a keyword position in the command, all available keywords at the position and their descriptions will be displayed on your terminal. <Sysname>...
  • Page 49: Command History

    Operation Function Press <Enter> Get to the next line. Command History The CLI provides the command history function. You can use the display history-command command to view a specific number of latest executed commands and execute them again in a convenient way. By default, the CLI can store up to 10 latest executed commands for each user.
  • Page 50: Command Edit

    Error message / Remarks: Wrong parameter: a parameter entered is wrong. ... found at '^' position: an error is found at the '^' position. Command Edit: the CLI provides basic command edit functions and supports multi-line editing. The maximum number of characters a command can contain is 254. Table 5-4 lists the CLI edit operations.
  • Page 51: Introduction

    Logging In Through the Web-based Network Management Interface Go to these sections for information you are interested in: Introduction Establishing an HTTP Connection Configuring the Login Banner Enabling/Disabling the WEB Server Introduction Switch 4200G has a Web server built in. It enables you to log in to Switch 4200G through a Web browser and then manage and maintain the switch intuitively by interacting with the built-in Web server.
  • Page 52: Configuring The Login Banner

    Establish an HTTP connection between your PC and the switch, as shown in Figure 6-1. Figure 6-1 Establish an HTTP connection between your PC and the switch Log in to the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch in the address bar.
  • Page 53: Configuration Example

    Configuration Example Network requirements A user logs in to the switch through Web. The banner page is desired when a user logs into the switch. Network diagram Figure 6-3 Network diagram for login banner configuration Configuration Procedure # Enter system view. <Sysname>...
  • Page 54 To do… / Use the command… / Remarks: Enter system view: system-view. Disable the Web server: ip http shutdown (required). Enable the Web server: undo ip http shutdown (required). By default, the Web server is enabled. To improve security and prevent attacks on unused sockets, TCP port 80 (HTTP service) is enabled or disabled after the corresponding configuration; shut the Web server down on switches that are managed only through the CLI.
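
The login settings described in this part (authentication-mode none on a user interface, passwords set with the simple keyword, the Web server left enabled) can be checked mechanically against the switch configuration. The following Python script is an added example, not code from the manual or from 3Com: it parses constructed text in the layout that display current-configuration prints (view-entering commands at column 0, commands inside a view indented one space, sections separated by #) and reports the weak settings. The two sample configurations, the finding codes and the <ciphertext> placeholder for a cipher password are this example's own assumptions.

```python
"""Audit a Comware-style running configuration for weak login settings:
no authentication on a user interface, passwords stored with 'simple'
(clear text) and the Web server left enabled.  Added example, not code
from the 3Com manual; sample configurations are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed sample of `display current-configuration` after the examples in
# this part are applied: view-entering commands at column 0, commands inside
# that view indented one space, '#' separators returning to system view.
WEAK_CONFIG = """\
#
 super password level 3 simple 123
#
local-user guest
 password simple 123456
 service-type telnet
 level 2
#
user-interface aux 0
 authentication-mode password
 set authentication password simple 123456
#
user-interface vty 0
 authentication-mode none
#
user-interface vty 1 4
 authentication-mode scheme
#
return
"""

# The same device with every finding fixed; <ciphertext> stands for the string
# the switch prints for a 'cipher' password (constructed placeholder).
HARDENED_CONFIG = """\
#
 super password level 3 cipher <ciphertext>
 ip http shutdown
#
local-user guest
 password cipher <ciphertext>
 service-type telnet
 level 2
#
user-interface aux 0
 authentication-mode scheme
#
user-interface vty 0 4
 authentication-mode scheme
 idle-timeout 6 0
#
return
"""

Finding = Tuple[str, str, str]  # (code, view, offending command)
PLAINTEXT = re.compile(
    r"^(set authentication password|password|super password level \d+) simple\b")


def parse_config(text: str) -> Dict[str, List[str]]:
    """Group commands by the view they were entered in, in file order."""
    views: Dict[str, List[str]] = {"system": []}
    view = "system"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "return":
            continue
        if line == "#":
            view = "system"
        elif raw[0] != " ":        # view-entering command, e.g. 'user-interface vty 0'
            view = line
            views.setdefault(view, [])
        else:
            views.setdefault(view, []).append(line)
    return views


def audit(text: str) -> List[Finding]:
    """Return the weak settings found, in configuration order."""
    views = parse_config(text)
    findings: List[Finding] = []
    for view, cmds in views.items():
        for cmd in cmds:
            if PLAINTEXT.match(cmd):      # 'simple' keeps the password readable
                findings.append(("PLAINTEXT_PASSWORD", view, cmd))
            if cmd == "authentication-mode none" and view.startswith("user-interface"):
                findings.append(("AUTH_NONE", view, cmd))
    if "ip http shutdown" not in views["system"]:
        # the Web server (TCP 80) is on by default until explicitly shut down
        findings.append(("WEB_SERVER_ENABLED", "system", "(no 'ip http shutdown')"))
    return findings


if __name__ == "__main__":
    for code, view, cmd in audit(WEAK_CONFIG):
        print("%-20s %-24s %s" % (code, view, cmd))
```

Run against a capture of display current-configuration, the script flags the three simple passwords, the unauthenticated VTY 0 and the Web server that was never shut down; the hardened variant produces no findings.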
  • Page 55: Logging In Through Nms

    Logging In Through NMS Go to these sections for information you are interested in: Introduction Connection Establishment Using NMS Introduction You can also log in to a switch through a Network Management Station (NMS), and then configure and manage the switch through the agent software on the switch. Simple Network Management Protocol (SNMP) is applied between the NMS and the agent.
  • Page 56: Configuring Source Ip Address For Telnet Service Packets

    Configuring Source IP Address for Telnet Service Packets Go to these sections for information you are interested in: Overview Configuring Source IP Address for Telnet Service Packets Displaying Source IP Address Configuration Overview You can configure source IP address or source interface for the Telnet server and Telnet client. This provides a way to manage services and enhances security.
  • Page 57: Displaying Source Ip Address Configuration

    Operation / Command / Description: Specify a source interface for the Telnet server: telnet-server source-interface interface-type interface-number. Optional. Specify a source IP address for the Telnet client: telnet source-ip ip-address. Optional. Specify a source interface for the Telnet client: telnet source-interface interface-type interface-number. Optional. To perform the configurations listed in Table 8-1 and Table 8-2, make sure that:...
  • Page 58: User Control

    User Control Go to these sections for information you are interested in: Introduction Controlling Telnet Users Controlling Network Management Users by Source IP Addresses Controlling Web Users by Source IP Address Refer to the ACL part for information about ACL. Introduction You can control users logging in through Telnet, SNMP and WEB by defining Access Control List (ACL), as listed in...
  • Page 59: Controlling Telnet Users By Acl

    If no ACL is configured on the VTY user interface, users are not controlled when establishing a Telnet connection using this user interface. If an ACL is configured on the VTY user interface, there will be two possibilities: if the packets for establishing a Telnet connection match the ACL rule configured on the VTY user interface, the connection will be permitted or denied according to the ACL rule;...
  • Page 60: Configuration Example

    To do… / Use the command… / Remarks: Apply a basic or advanced ACL to filter Telnet users: acl acl-number { inbound | outbound }. Required; use either command. The inbound keyword specifies to control the users trying to Telnet to the current switch.
  • Page 61: Prerequisites

    Defining an ACL Applying the ACL to control users accessing the switch through SNMP To control whether an NMS can manage the switch, you can use this function. Prerequisites The controlling policy against network management users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying).
  • Page 62: Controlling Web Users By Source Ip Address

    Network diagram: Figure 9-2 Network diagram for controlling SNMP users using ACLs; Host A (10.110.100.46) and Host B (10.110.100.52) reach the switch across an IP network. Configuration procedure: # Define a basic ACL. <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [Sysname-acl-basic-2000] quit # Apply the ACL to only permit SNMP users sourced from the IP address 10.110.100.52 to access the switch.
  • Page 63: Logging Out A Web User

    To do… / Use the command… / Remarks: Enter system view: system-view. Create a basic ACL or enter basic ACL view: acl number acl-number [ match-order { config | auto } ]. As for the acl number command, the config keyword is specified by default.
  • Page 64 [Sysname-acl-basic-2030] quit # Apply ACL 2030 to only permit the Web users sourced from the IP address of 10.110.100.52 to access the switch. [Sysname] ip http acl 2030...
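
The ACL rules used in this part to restrict Telnet, SNMP and Web management to one host rely on Comware wildcard masks, where a 0 bit must match and a 1 bit is ignored, and on the match-order keyword of the acl number command, which decides which of several overlapping rules wins. The following Python code is an added example, not code from the manual or from 3Com: it evaluates rules of the form rule <id> permit|deny source <ip> <wildcard> against a source address. ACL 2000 is the one configured above; ACL_OVERLAP is constructed for this example to show match-order config against auto. The page does not state what happens when no rule matches, so that is passed in as default_action and is an assumption.

```python
"""Evaluate Comware basic ACL rules ('rule <id> permit|deny source <ip> <wildcard>')
against the source address of a Telnet, SNMP or Web management request.
Added example, not code from the 3Com manual."""
import ipaddress
from typing import List, Tuple

Rule = Tuple[int, str, int, int]  # (rule id, action, masked network, wildcard)


def parse_rule(text: str) -> Rule:
    """Parse 'rule 1 permit source 10.110.100.52 0'.  A wildcard of 0 is the
    manual's shorthand for 0.0.0.0 (every bit must match); a 1 bit in the
    wildcard means 'do not care', the opposite of a subnet mask."""
    parts = text.split()
    if len(parts) != 6 or parts[0] != "rule" or parts[3] != "source":
        raise ValueError("unsupported rule: %r" % text)
    rule_id, action = int(parts[1]), parts[2]
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    addr = int(ipaddress.IPv4Address(parts[4]))
    wildcard = 0 if parts[5] == "0" else int(ipaddress.IPv4Address(parts[5]))
    return rule_id, action, addr & ~wildcard & 0xFFFFFFFF, wildcard


def matches(rule: Rule, src: str) -> bool:
    _, _, net, wildcard = rule
    return (int(ipaddress.IPv4Address(src)) & ~wildcard & 0xFFFFFFFF) == net


def ordered(rules: List[Rule], match_order: str) -> List[Rule]:
    """'config' (the default): rules are tried in the order configured.
    'auto': depth-first, the rule with the fewest wildcard bits (the most
    specific source range) is tried first; ties keep rule-id order."""
    if match_order == "config":
        return list(rules)
    if match_order == "auto":
        return sorted(rules, key=lambda r: (bin(r[3]).count("1"), r[0]))
    raise ValueError("match-order must be config or auto")


def decide(rules: List[str], src: str, match_order: str = "config",
           default_action: str = "deny") -> Tuple[str, int]:
    """Return (action, rule id) for a source address.  Rule id 0 means no rule
    matched and default_action was applied; the page does not say what the
    switch does in that case, so the default here is an assumption."""
    for rule in ordered([parse_rule(r) for r in rules], match_order):
        if matches(rule, src):
            return rule[1], rule[0]
    return default_action, 0


# ACL 2000 from this part: only Host B may manage the switch.
ACL_2000 = ["rule 1 permit source 10.110.100.52 0"]

# Constructed ACL with overlapping rules to show why match-order matters:
# rule 5 permits all of 10.110.100.0/24, rule 10 denies one host inside it.
ACL_OVERLAP = ["rule 5 permit source 10.110.100.0 0.0.0.255",
               "rule 10 deny source 10.110.100.46 0"]

if __name__ == "__main__":
    print(decide(ACL_2000, "10.110.100.52"))            # ('permit', 1)
    print(decide(ACL_2000, "10.110.100.46"))            # ('deny', 0)
    print(decide(ACL_OVERLAP, "10.110.100.46", "config"))  # ('permit', 5)
    print(decide(ACL_OVERLAP, "10.110.100.46", "auto"))    # ('deny', 10)
```

With the default match-order config, the broad permit in rule 5 is tried first and Host A gets in despite the later deny; with auto the host-specific deny wins. Whichever order is chosen, the no-match behaviour should be confirmed on the switch itself before relying on an ACL as the only control on management access.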
  • Page 65 Table of Contents: 1 Configuration File Management (1-1); Introduction to Configuration File (1-1); Configuration Task List (1-2); Saving the Current Configuration (1-2); Erasing the Startup Configuration File (1-3); Specifying a Configuration File for Next Startup (1-4); Displaying Switch Configuration (1-5)...
  • Page 66: Configuration File Management

    Configuration File Management When configuring configuration file management, go to these sections for information you are interested in: Introduction to Configuration File Configuration Task List Introduction to Configuration File A configuration file records and stores user configurations performed to a switch. It also enables users to check switch configurations easily.
  • Page 67: Configuration Task List

    When saving the current configuration, you can specify the file to be a main or backup or normal configuration file. When removing a configuration file from a switch, you can specify to remove the main or backup configuration file. Or, if it is a file having both main and backup attribute, you can specify to erase the main or backup attribute of the file.
  • Page 68: Erasing The Startup Configuration File

    When you use the save safely command to save the configuration file, if the switch reboots or the power fails during the saving process, the switch initializes itself in the following two conditions when it starts up next time: If a configuration file with the extension .cfg exists in the Flash, the switch uses the configuration file to initialize itself when it starts up next time.
  • Page 69: Specifying A Configuration File For Next Startup

    To do… / Use the command… / Remarks: Erase the startup configuration file from the storage of the switch: reset saved-configuration [ backup | main ]. Required; available in user view. You may need to erase the configuration file for one of these reasons: after you upgrade software, the old configuration file does not match the new software.
  • Page 70: Displaying Switch Configuration

    The configuration file must use .cfg as its extension name and the startup configuration file must be saved in the root directory of the switch. Displaying Switch Configuration. To do… / Use the command… / Remarks: Display the initial configuration file saved in the Flash of a switch: display saved-configuration [ unit unit-id ] [ by-linenum ]. Display the configuration file used...
  • Page 71 Table of Contents: 1 VLAN Overview (1-1); VLAN Overview (1-1); Introduction to VLAN (1-1); Advantages of VLANs (1-2); VLAN Fundamentals (1-2); VLAN Interface (1-4); VLAN Classification (1-4); Port-Based VLAN (1-4); Link Types of Ethernet Ports (1-4); Assigning an Ethernet Port to Specified VLANs (1-5); Configuring the Default VLAN ID for a Port (1-5). 2 VLAN Configuration (2-1); VLAN Configuration (2-1)...
  • Page 72: Vlan Overview

    VLAN Overview This chapter covers these topics: VLAN Overview Port-Based VLAN VLAN Overview Introduction to VLAN The traditional Ethernet is a broadcast network, where all hosts are in the same broadcast domain and connected with each other through hubs or switches. Hubs and switches, which are the basic network connection devices, have limited forwarding functions.
  • Page 73: Advantages Of Vlans

    Figure 1-1 A VLAN implementation Advantages of VLANs Compared with traditional Ethernet technology, VLAN technology delivers the following benefits: Confining broadcast traffic within individual VLANs. This saves bandwidth and improves network performance. Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2.
  • Page 74 Figure 1-3 Format of VLAN tag A VLAN tag comprises four fields: tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID. The 16-bit TPID field with a value of 0x8100 indicates that the frame is VLAN tagged. On the Switch 4200G series Ethernet switches, the default TPID is 0x8100.
  • Page 75: Vlan Interface

    Independent VLAN learning (IVL), where the switch maintains an independent MAC address forwarding table for each VLAN. The source MAC address of a packet received in a VLAN on a port is recorded to the MAC address forwarding table of this VLAN only, and packets received in a VLAN are forwarded according to the MAC address forwarding table for the VLAN.
  • Page 76: Assigning An Ethernet Port To Specified Vlans

    An access port can belong to only one VLAN. Usually, ports directly connected to PCs are configured as access ports. A trunk port can carry multiple VLANs to receive and send traffic for them. Except for traffic of the default VLAN, traffic passing through a trunk port is VLAN tagged. Usually, ports connecting network devices are configured as trunk ports to allow members of the same VLAN to communicate with each other across multiple network devices.
  • Page 77 Table 1-1 Packet processing of an access port
    Processing of an incoming packet:
    For an untagged packet: Receive the packet and tag...
    For a tagged packet: If the VLAN ID is just the default VLAN ID, receive the packet.
    Processing of an outgoing packet: Strip the tag from the...
  • Page 78: Vlan Configuration

    VLAN Configuration
    When configuring a VLAN, go to these sections for information you are interested in: VLAN Configuration; Configuring a Port-Based VLAN.
    VLAN Configuration
    VLAN Configuration Task List
    Complete the following tasks to configure VLAN:
    Task / Remarks
    Basic VLAN Configuration / Required
    Basic VLAN Interface Configuration / Optional...
  • Page 79: Basic Vlan Interface Configuration

    VLAN 1 is the system default VLAN, which need not be created and cannot be removed. The VLAN you create in the way described above is a static VLAN. The switch also supports dynamic VLANs, which are registered through GVRP. For details, refer to the “GVRP” part of this manual.
  • Page 80: Displaying Vlan Configuration

    To do... / Use the command... / Remarks
    Disable the VLAN interface / shutdown / Optional. By default, the VLAN interface is enabled. In this case, the VLAN interface’s status is determined by the status of the ports in the VLAN, that is, if all ports of the VLAN are down, the VLAN interface is down (disabled);...
  • Page 81: Assigning An Ethernet Port To A Vlan

    To do… / Use the command… / Remarks
    Enter system view / system-view / —
    Enter Ethernet port view / interface interface-type interface-number / —
    Configure the port link type / port link-type { access | hybrid | trunk } / Required. The link type of an Ethernet port is access by default.
  • Page 82: Configuring The Default Vlan For A Port

    To do… / Use the command… / Remarks
    Assign the specified access port or ports to the current VLAN / port interface-list / Required. By default, all ports belong to VLAN 1.
    Configuring the Default VLAN for a Port
    Because an access port can belong to its default VLAN only, there is no need for you to configure the default VLAN for an access port.
  • Page 83 The devices within each VLAN can communicate with each other, but those in different VLANs cannot communicate with each other directly.
    Network diagram
    Figure 2-1 Network diagram for VLAN configuration
    Configuration procedure
    Configure Switch A.
    # Create VLAN 101, specify its descriptive string as “DMZ”, and add GigabitEthernet1/0/1 to VLAN 101.
    <SwitchA>...
  • Page 84 # Configure GigabitEthernet1/0/3 of Switch A.
    [SwitchA] interface GigabitEthernet 1/0/3
    [SwitchA-GigabitEthernet1/0/3] port link-type trunk
    [SwitchA-GigabitEthernet1/0/3] port trunk permit vlan 101
    [SwitchA-GigabitEthernet1/0/3] port trunk permit vlan 201
    # Configure GigabitEthernet1/0/10 of Switch B.
    [SwitchB] interface GigabitEthernet 1/0/10
    [SwitchB-GigabitEthernet1/0/10] port link-type trunk
    [SwitchB-GigabitEthernet1/0/10] port trunk permit vlan 101
    [SwitchB-GigabitEthernet1/0/10] port trunk permit vlan 201...
  • Page 85: Static Routing

    Table of Contents
    1 Static Routing Configuration (1-1)
    Introduction (1-1)
    Routing Table (1-1)
    Static Route (1-2)
    Default Route (1-2)
    Configuring a Static Route (1-3)
    Displaying and Maintaining a Routing Table (1-3)
    Static Route Configuration Example (1-4)
    Basic Static Route Configuration Example (1-4)...
  • Page 86: Static Routing Configuration

    Static Routing Configuration
    Introduction
    Routing Table
    Routing table
    Routing tables play a key role in routing. Each router maintains a routing table, and each entry in the table specifies which physical interface a packet destined for a certain destination should go out to reach the next hop or the directly connected destination.
  • Page 87: Static Route

    Figure 1-1 A sample routing table (network diagram showing Switches A through G and the addresses of their interconnecting networks; figure not reproduced here)...
  • Page 88: Configuring A Static Route

    If there is no default route and the destination address of the packet fails to match any entry in the routing table, the packet will be discarded and an ICMP packet will be sent to the source to report that the destination or the network is unreachable. The network administrator can configure a default route with both destination and mask being 0.0.0.0.
  • Page 89: Static Route Configuration Example

    To do… / Use the command… / Remarks
    Display the statistics on the routing table / display ip routing-table statistics
    Clear statistics about a routing table / reset ip routing-table statistics protocol { all | protocol } / Use the reset command in user view
    Delete all static routes / delete static-routes all / Use the delete command in...
  • Page 90 The default gateways for the three hosts A, B and C are 1.1.2.3, 1.1.6.1 and 1.1.3.1 respectively. The configuration procedure is omitted.
    Display the configuration.
    # Display the IP routing table of Switch A.
    [SwitchA] display ip routing-table
    Routing Table: public net
    Destination/Mask Protocol Cost...
  • Page 91: Voice Vlan

    Table of Contents
    1 Voice VLAN Configuration (1-1)
    Voice VLAN Overview (1-1)
    How an IP Phone Works (1-1)
    How Switch 4200G Series Switches Identify Voice Traffic (1-3)
    Setting the Voice Traffic Transmission Priority (1-3)
    Configuring Voice VLAN Assignment Mode of a Port (1-4)
    Support for Voice VLAN on Various Ports (1-4)
    Security Mode of Voice VLAN (1-6)
    Voice VLAN Configuration (1-7)...
  • Page 92: Voice Vlan Configuration

    Voice VLAN Configuration When configuring voice VLAN, go to these sections for information you are interested in: Voice VLAN Overview Voice VLAN Configuration Displaying and Maintaining Voice VLAN Voice VLAN Configuration Example Voice VLAN Overview Voice VLANs are VLANs configured specially for voice traffic. By adding the ports connected with voice devices to voice VLANs, you can have voice traffic transmitted within voice VLANs and perform QoS-related configuration and prioritization for voice traffic as required, thus ensuring the transmission priority of voice traffic and voice quality.
  • Page 93 Figure 1-1 Network diagram for IP phones As shown in Figure 1-1, the IP phone needs to work in conjunction with the DHCP server and the NCP to establish a path for voice data transmission. An IP phone goes through the following three phases to become capable of transmitting voice data.
  • Page 94: How Switch 4200G Series Switches Identify Voice Traffic

    Pingtel phones
    00e0-7500-0000 Polycom phones
    00e0-bb00-0000 3Com phones
    Setting the Voice Traffic Transmission Priority
    In order to improve the transmission quality of voice traffic, the switch re-marks the precedence of the traffic in the voice VLAN as follows: Set the CoS (802.1p) precedence to 6.
  • Page 95: Configuring Voice Vlan Assignment Mode Of A Port

    For more information about CoS and DSCP precedence values, refer to the QoS part of the manual. Configuring Voice VLAN Assignment Mode of a Port A port can work in automatic voice VLAN assignment mode or manual voice VLAN assignment mode. You can configure the voice VLAN assignment mode for a port according to data traffic passing through the port.
  • Page 96 Table 1-2 Matching relationship between port types and voice devices capable of acquiring IP address and voice VLAN automatically
    Columns: Port type / Voice VLAN assignment mode / Voice traffic type / Supported or not
    Access: Not supported
    Supported (make sure the default VLAN of the port exists and is not a voice VLAN, and the access port permits the traffic of...)
    Trunk, tagged: ...
  • Page 97: Security Mode Of Voice Vlan

    Table 1-3 Matching relationship between port types and voice devices acquiring voice VLAN through manual configuration
    Columns: Port type / Voice VLAN assignment mode / Supported or not
    Access: Not supported
    Supported (make sure the default VLAN of the port exists and is not a voice VLAN, and the access port permits the traffic of the...)
    Trunk: ...
  • Page 98: Voice Vlan Configuration

    The following table presents how a packet is handled when the voice VLAN is operating in security mode and normal mode. Table 1-4 How a packet is handled when the voice VLAN is operating in different modes Voice VLAN Mode Packet Type Processing Method Untagged packet...
  • Page 99: Configuring The Voice Vlan To Operate In Manual Voice Vlan Assignment Mode

    To do… / Use the command… / Remarks
    Set the voice VLAN aging timer / voice vlan aging minutes / Optional. The default aging timer is 1440 minutes.
    Enable the voice VLAN function globally / voice vlan vlan-id enable / Required
    Enter Ethernet port view / interface interface-type interface-number / Required
    Required...
  • Page 100 To do… / Use the command… / Remarks
    Enter system view / system-view / —
    Set an OUI address that can be identified by the voice VLAN / voice vlan mac-address oui mask oui-mask [ description text ] / Optional. Without this address, the default OUI address is used.
  • Page 101: Displaying And Maintaining Voice Vlan

    VLAN. If you have to do so, make sure that the voice VLAN does not operate in security mode. The voice VLAN legacy feature enables communication between a 3Com device and other vendors’ voice devices by automatically adding the voice VLAN tag to the voice data coming from other vendors’...
  • Page 102: Voice Vlan Configuration Example

    Voice VLAN Configuration Example
    Voice VLAN Configuration Example (Automatic Mode)
    Network requirements
    As shown in Figure 1-2, the MAC address of IP phone A is 0011-1100-0001. The phone connects to a downstream device named PC A whose MAC address is 0022-1100-0002 and to GigabitEthernet 1/0/1 on an upstream device named Device A.
  • Page 103 Pingtel phone
    00e0-7500-0000 ffff-ff00-0000 Polycom phone
    00e0-bb00-0000 ffff-ff00-0000 3Com phone
    # Display the current states of voice VLANs.
    <DeviceA> display voice vlan state
    Voice Vlan status: ENABLE
    Voice Vlan ID: 2
    Voice Vlan security mode: Security
    Voice Vlan aging time: 1440 minutes...
  • Page 104: Voice Vlan Configuration Example (Manual Mode)

    Voice VLAN Configuration Example (Manual Mode) Network requirements Create a voice VLAN and configure it to operate in manual mode. Add the port to which an IP phone is connected to the voice VLAN to enable voice traffic to be transmitted within the voice VLAN. Create VLAN 2 and configure it as a voice VLAN.
  • Page 105 Pingtel phone
    00e0-7500-0000 ffff-ff00-0000 Polycom phone
    00e0-bb00-0000 ffff-ff00-0000 3Com phone
    # Display the status of the current voice VLAN.
    <DeviceA> display voice vlan status
    Voice Vlan status: ENABLE
    Voice Vlan ID: 2
    Voice Vlan security mode: Security
    Voice Vlan aging time: 1440 minutes...
  • Page 106 Table of Contents
    1 GVRP Configuration (1-1)
    Introduction to GVRP (1-1)
    GARP (1-1)
    GVRP (1-4)
    Protocol Specifications (1-4)
    GVRP Configuration (1-4)
    GVRP Configuration Tasks (1-4)
    Enabling GVRP (1-4)
    Configuring GVRP Timers (1-5)
    Configuring GVRP Port Registration Mode (1-6)
    Displaying and Maintaining GVRP (1-7)
    GVRP Configuration Example (1-7)
    GVRP Configuration Example (1-7)...
  • Page 107: Gvrp Configuration

    GVRP Configuration When configuring GVRP, go to these sections for information you are interested in: Introduction to GVRP GVRP Configuration Displaying and Maintaining GVRP GVRP Configuration Example Introduction to GVRP GARP VLAN registration protocol (GVRP) is an implementation of generic attribute registration protocol (GARP).
  • Page 108 GARP timers Timers determine the intervals of sending different types of GARP messages. GARP defines four timers to control the period of sending GARP messages. Hold: When a GARP entity receives a piece of registration information, it does not send out a Join message immediately.
  • Page 109 Figure 1-1 Format of GARP packets
    The following table describes the fields of a GARP packet.
    Table 1-1 Description of GARP packet fields
    Field / Description / Value
    Protocol ID / Protocol ID
    Message / Each message consists of two parts: Attribute Type and... / —
  • Page 110: Gvrp

    GVRP As an implementation of GARP, GARP VLAN registration protocol (GVRP) maintains dynamic VLAN registration information and propagates the information to the other switches through GARP. With GVRP enabled on a device, the VLAN registration information received by the device from other devices is used to dynamically update the local VLAN registration information, including the information about the VLAN members, the ports through which the VLAN members can be reached, and so on.
  • Page 111: Configuring Gvrp Timers

    To do ... / Use the command ... / Remarks
    Enter system view / system-view / —
    Enable GVRP globally / gvrp / Required. By default, GVRP is disabled globally.
    Enter Ethernet port view / interface interface-type interface-number / —
    Enable GVRP on the port / gvrp / Required. By default, GVRP is disabled on the port.
  • Page 112: Configuring Gvrp Port Registration Mode

    Table 1-2 Relations between the timers
    Timer / Lower threshold / Upper threshold
    Hold / 10 centiseconds / This upper threshold is less than or equal to one-half of the timeout time of the Join timer. You can change the threshold by changing the timeout time of the Join timer.
  • Page 113: Displaying And Maintaining Gvrp

    Displaying and Maintaining GVRP
    To do … / Use the command … / Remarks
    Display GARP statistics / display garp statistics [ interface interface-list ]
    Display the settings of the GARP timers / display garp timer [ interface interface-list ]
    Display GVRP statistics / display gvrp statistics [ interface interface-list ]
    Remarks for these display commands: Available in any view...
  • Page 114 [SwitchA-GigabitEthernet1/0/1] port trunk permit vlan all
    # Enable GVRP on GigabitEthernet1/0/1.
    [SwitchA-GigabitEthernet1/0/1] gvrp
    [SwitchA-GigabitEthernet1/0/1] quit
    # Configure GigabitEthernet1/0/2 to be a trunk port and to permit the packets of all the VLANs.
    [SwitchA] interface GigabitEthernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] port link-type trunk
    [SwitchA-GigabitEthernet1/0/2] port trunk permit vlan all
    # Enable GVRP on GigabitEthernet1/0/2.
  • Page 115 5, 7, 8,
    # Display the VLAN information dynamically registered on Switch B.
    [SwitchB] display vlan dynamic
    Total 3 dynamic VLAN exist(s).
    The following dynamic VLANs exist:
    5, 7, 8,
    # Display the VLAN information dynamically registered on Switch E.
    [SwitchE] display vlan dynamic
    Total 1 dynamic VLAN exist(s).
  • Page 116 5, 8,
    # Display the VLAN information dynamically registered on Switch E.
    [SwitchE] display vlan dynamic
    No dynamic vlans exist!
    1-10...
  • Page 117 Table of Contents
    1 Port Basic Configuration (1-1)
    Ethernet Port Configuration (1-1)
    Combo Port Configuration (1-1)
    Initially Configuring a Port (1-1)
    Configuring Port Auto-Negotiation Speed (1-2)
    Limiting Traffic on individual Ports (1-3)
    Enabling Flow Control on a Port (1-3)
    Duplicating the Configuration of a Port to Other Ports (1-4)
    Configuring Loopback Detection for an Ethernet Port (1-4)
    Enabling Loopback Test (1-5)
    Enabling the System to Test Connected Cable (1-6)...
  • Page 118: Port Basic Configuration

    Port Basic Configuration Ethernet Port Configuration Combo Port Configuration A Combo port can operate as either an optical port or an electrical port. Inside the device there is only one forwarding interface. For a Combo port, the electrical port and the corresponding optical port are TX-SFP multiplexed.
  • Page 119: Configuring Port Auto-Negotiation Speed

    To do... / Use the command... / Remarks
    Set the speed of the Ethernet port / speed { 10 | 100 | 1000 | auto } / Optional. By default, the speed of an Ethernet port is determined through auto-negotiation (the auto keyword).
    Set the medium dependent interface / mdi { across | auto | normal } / Optional...
  • Page 120: Limiting Traffic On Individual Ports

    Only ports on the front panel of the device support the auto-negotiation speed configuration feature; ports on the extended interface card do not currently support this feature. After you configure auto-negotiation speed(s) for a port, executing the undo speed command or the speed auto command restores the auto-negotiation speed setting of the port to the default setting.
  • Page 121: Duplicating The Configuration Of A Port To Other Ports

    To do... / Use the command... / Remarks
    Enable flow control on the Ethernet port / flow-control / By default, flow control is not enabled on the port.
    Duplicating the Configuration of a Port to Other Ports
    To make other ports have the same configuration as that of a specific port, you can duplicate the configuration of a port to specific ports.
  • Page 122: Enabling Loopback Test

    To do... / Use the command... / Remarks
    Enter system view / system-view / —
    Enable loopback detection globally / loopback-detection enable / Required. By default, loopback detection is disabled globally.
    Set the interval for performing port loopback detection / loopback-detection interval-time time / Optional. The default is 30 seconds.
    Enter Ethernet port view / interface interface-type interface-number / —...
  • Page 123: Enabling The System To Test Connected Cable

    To do... / Use the command... / Remarks
    Enter system view / system-view / —
    Enter Ethernet port view / interface interface-type interface-number / —
    Enable loopback test / loopback { external | internal } / Required. external: Performs an external loop test. In the external loop test, self-loop headers must be used on the port of the switch (for a 1000M port, the self-loop headers are made from the eight cores of an 8-core cable), so that the packets forwarded by the port are received by the port itself.
  • Page 124: Configuring The Interval To Perform Statistical Analysis On Port Traffic

    Configuring the Interval to Perform Statistical Analysis on Port Traffic By performing the following configuration, you can set the interval to perform statistical analysis on the traffic of a port. When you use the display interface interface-type interface-number command to display the information of a port, the system performs statistical analysis on the traffic flow passing through the port during the specified interval and displays the average rates in the interval.
  • Page 125: Configuring A Port Group

    Configuration examples
    # In the default conditions, where UP/DOWN log output is enabled, execute the shutdown command or the undo shutdown command on GigabitEthernet 1/0/1. The Up/Down log information for GigabitEthernet 1/0/1 is generated and displayed on the terminal.
    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
  • Page 126: Displaying And Maintaining Basic Port Configuration

    Displaying and Maintaining Basic Port Configuration
    To do... / Use the command... / Remarks
    Display port configuration information / display interface [ interface-type | interface-type interface-number ]
    Display the enable/disable status of port loopback detection / display loopback-detection
    Display information for a specified port group / display port-group group-id
    Display brief information about... / display brief interface [ interface-type...
  • Page 127 Table of Contents
    1 Link Aggregation Configuration (1-1)
    Overview (1-1)
    Introduction to Link Aggregation (1-1)
    Introduction to LACP (1-1)
    Consistency Considerations for the Ports in Aggregation (1-1)
    Link Aggregation Classification (1-2)
    Manual Aggregation Group (1-2)
    Static LACP Aggregation Group (1-3)
    Dynamic LACP Aggregation Group (1-3)
    Aggregation Group Categories (1-4)
    Link Aggregation Configuration (1-6)
    Configuring a Manual Aggregation Group (1-6)...
  • Page 128: Link Aggregation Configuration

    Link Aggregation Configuration When configuring link aggregation, go to these sections for information you are interested in: Overview Link Aggregation Classification Aggregation Group Categories Link Aggregation Configuration Displaying and Maintaining Link Aggregation Configuration Link Aggregation Configuration Example Overview Introduction to Link Aggregation Link aggregation aggregates multiple physical Ethernet ports into one logical link, also called an aggregation group.
  • Page 129: Link Aggregation Classification

    Table 1-1 Consistency considerations for ports in an aggregation
    Category / Considerations
    State of port-level STP (enabled or disabled)
    Attribute of the link (point-to-point or otherwise) connected to the port
    Port path cost
    STP priority
    STP packet format
    Loop protection
    Root protection
    Port type (whether the port is an edge port)
    802.1p priority
    Traffic accounting...
  • Page 130: Static Lacp Aggregation Group

    There is a limit on the number of selected ports in an aggregation group. Therefore, if the number of selected ports in an aggregation group exceeds the maximum number supported by the device, those with lower port numbers operate as the selected ports, and the others as unselected ports. Among the selected ports in an aggregation group, the one with the smallest port number operates as the master port.
  • Page 131: Aggregation Group Categories

    are connected to the same peer device and have the same speed, duplex mode, and basic configurations, and their peer ports have the same configurations. Besides multiple-port aggregation groups, the system is also able to create single-port aggregation groups, each of which contains only one port. LACP is enabled on the member ports of dynamic aggregation groups.
  • Page 132 In general, the system only provides limited load-sharing aggregation resources, so the system needs to reasonably allocate the resources among different aggregation groups. The system always allocates hardware aggregation resources to the aggregation groups with higher priorities. When load-sharing aggregation resources are used up by existing aggregation groups, newly-created aggregation groups will be non-load-sharing ones.
  • Page 133: Link Aggregation Configuration

    Link Aggregation Configuration
    The link aggregation commands cannot be configured together with the port loopback detection commands at the same time. Ports on which the mac-address max-mac-count command is configured cannot be added to an aggregation group. Conversely, the mac-address max-mac-count command cannot be configured on a port that has already been added to an aggregation group.
  • Page 134: Configuring A Static Lacp Aggregation Group

    If the aggregation group you are creating already exists and contains ports, the possible type changes may be: changing from dynamic or static to manual, and changing from dynamic to static; and no other kinds of type change can occur. When you change a dynamic/static group to a manual group, the system will automatically disable LACP on the member ports.
  • Page 135: Configuring A Dynamic Lacp Aggregation Group

    Configuring a Dynamic LACP Aggregation Group
    A dynamic LACP aggregation group is automatically created by the system based on LACP-enabled ports. Ports are added to and removed from a dynamic aggregation group automatically by LACP. You need to enable LACP on the ports that you want to participate in dynamic aggregation, because only when LACP is enabled on those ports at both ends can the two parties reach agreement on adding ports to or removing ports from dynamic aggregation groups.
  • Page 136: Displaying And Maintaining Link Aggregation Configuration

    If you have saved the current configuration with the save command, after system reboot, the configuration concerning manual and static aggregation groups and their descriptions still exists, but that of dynamic aggregation groups and their descriptions gets lost. Displaying and Maintaining Link Aggregation Configuration To do…...
  • Page 137 Configuration procedure
    The following only lists the configuration on Switch A; you must perform similar configuration on Switch B to implement link aggregation.
    Adopting manual aggregation mode
    # Create manual aggregation group 1.
    <Sysname> system-view
    [Sysname] link-aggregation group 1 mode manual
    # Add GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to aggregation group 1.
  • Page 138 [Sysname] interface GigabitEthernet1/0/3
    [Sysname-GigabitEthernet1/0/3] lacp enable
    The three LACP-enabled ports can be aggregated into one dynamic aggregation group to implement load sharing only when they have the same basic configuration (such as rate, duplex mode, and so on).
    1-11...
  • Page 139: Port Isolation

    Table of Contents
    1 Port Isolation Configuration 1-1
        Port Isolation Overview 1-1
        Port Isolation Configuration 1-1
        Displaying and Maintaining Port Isolation Configuration 1-2
        Port Isolation Configuration Example 1-2...
  • Page 140 Port Isolation Configuration When configuring port isolation, go to these sections for information you are interested in: Port Isolation Overview Port Isolation Configuration Displaying and Maintaining Port Isolation Configuration Port Isolation Configuration Example Port Isolation Overview With the port isolation feature, you can add the ports to be controlled into an isolation group to isolate the Layer 2 and Layer 3 data between each port in the isolation group.
  • Page 141: Port Isolation Configuration Example

    When a member port of an aggregation group joins/leaves an isolation group, the other ports in the same aggregation group will join/leave the isolation group at the same time. For ports that belong to an aggregation group and an isolation group simultaneously, removing a port from the aggregation group has no effect on the other ports.
  • Page 142 Configuration procedure
    # Add GigabitEthernet1/0/2, GigabitEthernet1/0/3, and GigabitEthernet1/0/4 to the isolation group.
    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] interface GigabitEthernet1/0/2
    [Sysname-GigabitEthernet1/0/2] port isolate
    [Sysname-GigabitEthernet1/0/2] quit
    [Sysname] interface GigabitEthernet1/0/3
    [Sysname-GigabitEthernet1/0/3] port isolate
    [Sysname-GigabitEthernet1/0/3] quit
    [Sysname] interface GigabitEthernet1/0/4
    [Sysname-GigabitEthernet1/0/4] port isolate
    [Sysname-GigabitEthernet1/0/4] quit
    [Sysname] quit...
  • Page 143 Table of Contents
    1 Port Security Configuration 1-1
        Port Security Overview 1-1
            Introduction 1-1
            Port Security Features 1-1
            Port Security Modes 1-1
        Port Security Configuration Task List 1-4
            Enabling Port Security 1-5
            Setting the Maximum Number of MAC Addresses Allowed on a Port 1-5
            Setting the Port Security Mode 1-6
            Configuring Port Security Features 1-7
            Ignoring the Authorization Information from the RADIUS Server 1-8
            Configuring Security MAC Addresses 1-9...
  • Page 144: Port Security Configuration

    Port Security Configuration When configuring port security, go to these sections for information you are interested in: Port Security Overview Port Security Configuration Task List Displaying and Maintaining Port Security Configuration Port Security Configuration Example Port Security Overview Introduction Port security is a security mechanism for network access control. It is an expansion to the current 802.1x and MAC address authentication.
  • Page 145 Table 1-1 Description of port security modes
    Security mode: noRestriction
    Description: In this mode, access to the port is not restricted.
    Feature: In this mode, neither the NTK nor the intrusion protection feature is triggered.
    Description: In this mode, the port automatically learns MAC addresses and changes them to security MAC addresses.
  • Page 146 Security mode: userLogin
    Description: In this mode, port-based 802.1x authentication is performed for access users.
    Feature: In this mode, neither NTK nor intrusion protection will be triggered.
    Description: MAC-based 802.1x authentication is performed on the access user. The port is enabled only after the authentication succeeds.
  • Page 147: Port Security Configuration Task List

    Security mode: macAddressElseUserLoginSecure
    Description: In this mode, a port performs MAC authentication of an access user first. If the authentication succeeds, the user is authenticated. Otherwise, the port performs 802.1x authentication of the user.
    Feature: In this mode, there can be only one 802.1x-authenticated user on the port, but there can be several MAC-authenticated users.
  • Page 148: Enabling Port Security

    Task / Remarks
    Ignoring the Authorization Information from the RADIUS Server: Optional
    Configuring Security MAC Addresses: Optional
    Enabling Port Security
    Configuration Prerequisites
    Before enabling port security, you need to disable 802.1x and MAC authentication globally.
    Enabling Port Security
    Follow these steps to enable port security: To do...
  • Page 149: Setting The Port Security Mode

    This configuration is different from that of the maximum number of MAC addresses that can be learned by a port in MAC address management. Follow these steps to set the maximum number of MAC addresses allowed on a port: To do... Use the command...
  • Page 150: Configuring Port Security Features

    Before setting the port security mode to autolearn, you need to set the maximum number of MAC addresses allowed on the port with the port-security max-mac-count command. When the port operates in the autoLearn mode, you cannot change the maximum number of MAC addresses allowed on the port.
  • Page 151: Ignoring The Authorization Information From The Radius Server

    Configuring intrusion protection
    Follow these steps to configure the intrusion protection feature:
    To do... / Use the command... / Remarks
    Enter system view: system-view —
    Enter Ethernet port view: interface interface-type interface-number —
    Set the corresponding action to be taken by the switch when intrusion protection is triggered: port-security intrusion-mode { blockmac | disableport | ... — Required. By default, intrusion...
  • Page 152: Configuring Security Mac Addresses

    Follow these steps to configure a port to ignore the authorization information from the RADIUS server:
    To do... / Use the command... / Remarks
    Enter system view: system-view —
    Enter Ethernet port view: interface interface-type interface-number —
    Ignore the authorization information from the RADIUS server: port-security authorization ignore — Required. By default, a port uses the...
  • Page 153: Displaying And Maintaining Port Security Configuration

    To do... / Use the command... / Remarks
    Add a security MAC address:
        In system view: mac-address security mac-address interface interface-type interface-number vlan vlan-id
        In Ethernet port view: interface interface-type interface-number, then mac-address security mac-address vlan ...
    Either is required. By default, no security MAC address is configured.
  • Page 154
    [Switch] port-security enable
    # Enter GigabitEthernet1/0/1 port view.
    [Switch] interface GigabitEthernet 1/0/1
    # Set the maximum number of MAC addresses allowed on the port to 80.
    [Switch-GigabitEthernet1/0/1] port-security max-mac-count 80
    # Set the port security mode to autolearn.
    [Switch-GigabitEthernet1/0/1] port-security port-mode autolearn
    # Add the MAC address 0001-0002-0003 of Host as a security MAC address to the port in VLAN 1.
  • Page 155: Port Binding Configuration

    Port Binding Configuration When configuring port binding, go to these sections for information you are interested in: Port Binding Overview Displaying and Maintaining Port Binding Configuration Port Binding Configuration Example Port Binding Overview Introduction Port binding enables the network administrator to bind the MAC address and IP address of a user to a specific port.
  • Page 156: Port Binding Configuration Example

    Port Binding Configuration Example
    Network requirements
    It is required to bind the MAC and IP addresses of Host A to GigabitEthernet 1/0/1 on Switch A, so as to prevent malicious users from using an IP address stolen from Host A to access the network.
    Network diagram
    Figure 2-1 Network diagram for port binding configuration
    Configuration procedure...
  • Page 157 Table of Contents
    1 MAC Address Table Management 1-1
        Overview 1-1
            Introduction to MAC Address Table 1-1
            Introduction to MAC Address Learning 1-1
            Managing MAC Address Table 1-3
        Configuring MAC Address Table Management 1-4
            Configuration Task List 1-4
            Configuring a MAC Address Entry 1-5
            Setting the Aging Time of MAC Address Entries 1-6
            Setting the Maximum Number of MAC Addresses a Port Can Learn 1-6
        Displaying MAC Address Table Information 1-7...
  • Page 158: Mac Address Table Management

    MAC Address Table Management This chapter describes the management of static, dynamic, and blackhole MAC address entries. For information about the management of multicast MAC address entries, refer to the part related to multicast protocol. Overview Introduction to MAC Address Table An Ethernet switch is mainly used to forward packets at the data link layer, that is, transmit the packets to the corresponding ports according to the destination MAC address of the packets.
  • Page 159 Figure 1-1 MAC address learning diagram (1) Figure 1-2 MAC address table entry of the switch (1) After learning the MAC address of User A, the switch starts to forward the packet. Because there is no MAC address and port information of User B in the existing MAC address table, the switch forwards the packet to all ports except GigabitEthernet 1/0/1 to ensure that User B can receive the packet.
  • Page 160: Managing Mac Address Table

    Figure 1-4 MAC address learning diagram (3) At this time, the MAC address table of the switch includes two forwarding entries shown in Figure 1-5. When forwarding the response packet, the switch unicasts the packet instead of broadcasting it to User A through GigabitEthernet 1/0/1, because MAC-A is already in the MAC address table. Figure 1-5 MAC address table entries of the switch (2) After this interaction, the switch directly unicasts the communication packets between User A and User B based on the corresponding MAC address table entries.
  • Page 161: Configuring Mac Address Table Management

    The aging timer only takes effect on dynamic MAC address entries. Entries in a MAC address table: entries in a MAC address table fall into the following categories according to their characteristics and configuration methods: Static MAC address entry: Also known as permanent MAC address entry. Entries of this type are added and removed manually and do not age out by themselves.
  • Page 162: Configuring A Mac Address Entry

    Configuring a MAC Address Entry You can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a specific port, or remove specific type of MAC address entries (dynamic or static MAC address entries). You can add a MAC address entry in either system view or Ethernet port view. Adding a MAC address entry in system view Table 1-3 Add a MAC address entry in system view Operation...
  • Page 163: Setting The Aging Time Of Mac Address Entries

    Setting the Aging Time of MAC Address Entries
    Setting the aging time properly helps make effective use of MAC address aging. An aging time that is too long or too short affects the performance of the switch. If the aging time is too long, excessive invalid MAC address entries maintained by the switch may fill up the MAC address table.
  • Page 164: Configuration Example

    Operation / Command / Description
    Set the maximum number of MAC addresses the port can learn: mac-address max-mac-count count — Required. By default, the number of MAC addresses a port can learn is not limited.
    Displaying MAC Address Table Information
    To verify your configuration, you can display information about the MAC address table by executing the display command in any view.
  • Page 165 4 mac address(es) found on port GigabitEthernet1/0/2 ---...
  • Page 166: Mstp

    Table of Contents
    1 MSTP Configuration 1-1
        STP Overview 1-1
        MSTP Overview 1-9
            Background of MSTP 1-9
            Basic MSTP Terminologies 1-10
            Principle of MSTP 1-13
            MSTP Implementation on Switches 1-14
            STP-related Standards 1-15
        Configuring Root Bridge 1-15
            Configuration Prerequisites 1-16
            Configuring an MST Region 1-16
            Specifying the Current Switch as a Root Bridge/Secondary Root Bridge 1-17
            Configuring the Bridge Priority of the Current Switch 1-19
            Configuring How a Port Recognizes and Sends MSTP Packets 1-19...
  • Page 167
            Configuring Loop Guard 1-37
            Configuring TC-BPDU Attack Guard 1-37
        Configuring Digest Snooping 1-38
            Introduction 1-38
            Configuring Digest Snooping 1-38
        Configuring Rapid Transition 1-39
            Introduction 1-39
            Configuring Rapid Transition 1-41
        STP Maintenance Configuration 1-42
            Introduction 1-42
            Enabling Log/Trap Output for Ports of MSTP Instance 1-42
            Configuration Example 1-42
        Enabling Trap Messages Conforming to 802.1d Standard 1-43
        Displaying and Maintaining MSTP 1-43
        MSTP Configuration Example 1-43...
  • Page 168: Mstp Configuration

    MSTP Configuration Go to these sections for information you are interested in: MSTP Overview Configuring Root Bridge Configuring Leaf Nodes Performing mCheck Operation Configuring Guard Functions Configuring Digest Snooping Configuring Rapid Transition STP Maintenance Configuration Enabling Trap Messages Conforming to 802.1d Standard Displaying and Maintaining MSTP MSTP Configuration Example STP Overview...
  • Page 169 There is one and only one root bridge in the entire network, and the root bridge can change along with changes of the network topology. Therefore, the root bridge is not fixed. Upon network convergence, the root bridge generates and sends out configuration BPDUs periodically. Other devices just forward the configuration BPDUs received.
  • Page 170 All the ports on the root bridge are designated ports. Path cost Path cost is a value used for measuring link capacity. By comparing the path costs of different links, STP selects the most robust links and blocks the other links to prune the network into a tree. How STP works STP identifies the network topology by transmitting configuration BPDUs between network devices.
  • Page 171 Table 1-2 Selection of the optimum configuration BPDU Step Description Upon receiving a configuration BPDU on a port, the device performs the following processing: If the received configuration BPDU has a lower priority than that of the configuration BPDU generated by the port, the device will discard the received configuration BPDU without doing any processing on the configuration BPDU of this port.
  • Page 172 Step Description The device compares the calculated configuration BPDU with the configuration BPDU on the port whose role is to be determined, and acts as follows based on the comparison result: If the calculated configuration BPDU is superior, this port will serve as the designated port, and the configuration BPDU on the port will be replaced with the calculated configuration BPDU, which will be sent out periodically.
  • Page 173
    Device / Port name / BPDU of port
    Device C: CP1 {2, 0, 2, CP1}; CP2 {2, 0, 2, CP2}
    Comparison process and result on each device
    The following table shows the comparison process and result on each device.
    Table 1-5 Comparison process and result on each device
    Device / Comparison process / BPDU of port after comparison...
  • Page 174
    Device / Comparison process / BPDU of port after comparison
    Comparison process: By comparison, the configuration BPDU of CP1 is elected as the optimum configuration BPDU, so CP1 is identified as the root port, and its configuration BPDU will not be changed. BPDU of port after comparison: Root port CP1: {0, 0, 0, AP2}
    Device C compares the calculated designated port... BPDU of port after comparison: Designated port CP2: ...
  • Page 175 To facilitate description, the spanning tree calculation process in this example is simplified, while the actual process is more complicated. The BPDU forwarding mechanism in STP Upon network initiation, every switch regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular interval of hello time. If it is the root port that received the configuration BPDU and the received configuration BPDU is superior to the configuration BPDU of the port, the device will increase message age carried in the configuration BPDU by a certain rule and start a timer to time the configuration BPDU while it sends...
  • Page 176: Mstp Overview

    MSTP Overview Background of MSTP Disadvantages of STP and RSTP STP does not support rapid state transition of ports. A newly elected root port or designated port must wait twice the forward delay time before transiting to the forwarding state, even if it is a port on a point-to-point link or it is an edge port (an edge port refers to a port that directly connects to a user terminal rather than to another device or a shared LAN segment.) The rapid spanning tree protocol (RSTP) is an optimized version of STP.
  • Page 177: Basic Mstp Terminologies

    Basic MSTP Terminologies
    Figure 1-4 illustrates basic MSTP terms (assuming that MSTP is enabled on each switch in this figure).
    Figure 1-4 Basic MSTP terminologies
    Region A0: VLAN 1 mapped to MSTI 1; VLAN 2 mapped to MSTI 2; other VLANs mapped to CIST...
  • Page 178 region A0 contains these mappings: VLAN 1 to MSTI 1; VLAN 2 to MSTI 2, and other VLANs to CIST. In an MST region, load balancing is implemented according to the VLAN-to-MSTI mapping table. An internal spanning tree (IST) is a spanning tree in an MST region. ISTs together with the common spanning tree (CST) form the common and internal spanning tree (CIST) of the entire switched network.
  • Page 179 switch blocks one of the two ports to eliminate the loop that occurs. The blocked port is the backup port. In Figure 1-5, switch A, switch B, switch C, and switch D form an MST region. Port 1 and port 2 on switch A connect upstream to the common root.
  • Page 180: Principle Of Mstp

    Table 1-6 Combinations of port states and port roles
    Port state | Root/master port | Designated port | Region boundary port | Alternate port | Backup port
    Forwarding | √ | √ | √ | — | —
    Learning   | √ | √ | √ | — | —
    Discarding | √ | √ | √ | √ | ...
  • Page 181: Mstp Implementation On Switches

    MSTP is compatible with both STP and RSTP. That is, MSTP-enabled switches can recognize the protocol packets of STP and RSTP and use them for spanning tree calculation. In addition to the basic MSTP functions, 3Com switches also provide the following functions for users to manage their switches. Root bridge hold...
  • Page 182: Stp-Related Standards

    STP-related Standards
    STP-related standards include the following:
    IEEE 802.1D: spanning tree protocol
    IEEE 802.1w: rapid spanning tree protocol
    IEEE 802.1s: multiple spanning tree protocol
    Configuring Root Bridge
    Complete the following tasks to configure the root bridge:
    Task / Remarks
    Enabling MSTP: Required. To prevent network topology jitter caused by other related configurations, you are recommended to enable MSTP after other related configurations are...
  • Page 183: Configuration Prerequisites

    In a network containing switches with both GVRP and MSTP enabled, GVRP messages travel along the CIST. If you want to advertise a VLAN through GVRP, be sure to map the VLAN to the CIST (MSTI 0) when configuring the VLAN-to-MSTI mapping table. Configuration Prerequisites The role (root, branch, or leaf) of each switch in each MSTI is determined.
  • Page 184: Specifying The Current Switch As A Root Bridge/Secondary Root Bridge

    802.1s-defined protocol selector, which is 0 by default and cannot be configured), MST region name, VLAN-to-MSTI mapping table, and revision level. The 3Com switches support only the MST region name, VLAN-to-MSTI mapping table, and revision level. Switches with the same settings for these parameters are assigned to the same MST region.
  • Page 185
    To do... / Use the command... / Remarks
    Enter system view: system-view —
    Specify the current switch as the root bridge of a spanning tree: stp [ instance instance-id ] root primary [ bridge-diameter bridgenumber [ hello-time centi-seconds ] ] — Required
    Specify the current switch as the secondary root bridge of a spanning tree
    Follow these steps to specify the current switch as the secondary root bridge of a spanning tree: To do...
  • Page 186: Configuring The Bridge Priority Of The Current Switch

    Configuration example
    # Configure the current switch as the root bridge of MSTI 1 and a secondary root bridge of MSTI 2.
    <Sysname> system-view
    [Sysname] stp instance 1 root primary
    [Sysname] stp instance 2 root secondary
    Configuring the Bridge Priority of the Current Switch
    Root bridges are selected according to the bridge priorities of switches.
  • Page 187 The port automatically determines the format (legacy or dot1s) of received MSTP packets and then determines the format of the packets to be sent accordingly, thus communicating with the peer devices. If the format of the received packets changes repeatedly, MSTP will shut down the corresponding port to prevent network storm.
  • Page 188: Configuring The Mstp Operation Mode

    [Sysname-GigabitEthernet1/0/1] undo stp compliance
    Configuring the MSTP Operation Mode
    To make an MSTP-enabled switch compatible with STP/RSTP, MSTP provides the following three operation modes:
    STP-compatible mode, where the ports of a switch send STP BPDUs to neighboring devices. If STP-enabled switches exist in a switched network, you can use the stp mode stp command to configure an MSTP-enabled switch to operate in STP-compatible mode.
  • Page 189: Configuring The Network Diameter Of The Switched Network

    Configuration procedure
    Follow these steps to configure the maximum hop count for an MST region:
    To do... / Use the command... / Remarks
    Enter system view: system-view —
    Configure the maximum hop count of the MST region: stp max-hops hops — Required. By default, the maximum hop count of an MST region is 20.
  • Page 190: Configuring The Mstp Time-Related Parameters

    Configuring the MSTP Time-related Parameters Three MSTP time-related parameters exist: forward delay, hello time, and max age. You can configure the three parameters to control the process of spanning tree calculation. Configuration procedure Follow these steps to configure MSTP time-related parameters: To do...
  • Page 191: Configuring The Timeout Time Factor

    You are recommended to specify the network diameter of the switched network and the hello time by using the stp root primary or stp root secondary command. After that, the three proper time-related parameters are determined automatically. Configuration example # Configure the forward delay parameter to be 1,600 centiseconds, the hello time parameter to be 300 centiseconds, and the max age parameter to be 2,100 centiseconds (assuming that the current switch operates as the CIST root bridge).
  • Page 192: Configuring The Current Port As An Edge Port

    Configure the maximum transmitting rate for specified ports in system view
    Follow these steps to configure the maximum transmitting rate for specified ports in system view:
    To do... / Use the command... / Remarks
    Enter system view: system-view —
    Configure the maximum transmitting rate for specified ports: stp interface interface-list ... — Required. The maximum transmitting rate...
  • Page 193: Specifying Whether The Link Connected To A Port Is Point-To-Point Link

    To do... / Use the command... / Remarks
    Enter system view: system-view —
    Configure the specified ports as edge ports: stp interface interface-list edged-port enable — Required. By default, all the Ethernet ports of a switch are non-edge ports.
    Configure a port as an edge port in Ethernet port view
    Follow these steps to configure a port as an edge port in Ethernet port view: To do...
  • Page 194 You can determine whether or not the link connected to a port is a point-to-point link in one of the following two ways. Specify whether the link connected to a port is point-to-point link in system view Follow these steps to specify whether the link connected to a port is point-to-point link in system view: To do...
  • Page 195: Enabling Mstp

    Enabling MSTP
    Configuration procedure
    Follow these steps to enable MSTP in system view:
    To do... / Use the command... / Remarks
    Enter system view: system-view —
    Enable MSTP: stp enable — Required. MSTP is enabled by default.
    Disable MSTP on ...: stp interface ... — Optional. By default, MSTP is enabled on all ports. To enable a switch to operate more flexibly, you can...
  • Page 196: Configuration Prerequisites

    Task / Remarks
    Enabling MSTP: Required. To prevent network topology jitter caused by other related configurations, you are recommended to enable MSTP after performing other configurations.
    Configuring an MST Region: Required
    Configuring How a Port Recognizes and Sends MSTP Packets: Optional
    Configuring the Timeout Time Factor: Optional
    Optional...
  • Page 197: Configuring The Path Cost For A Port

    Configuring the Path Cost for a Port The path cost parameter reflects the rate of the link connected to the port. For a port on an MSTP-enabled switch, the path cost may be different in different MSTIs. You can enable flows of different VLANs to travel along different physical links by configuring appropriate path costs on ports, so that VLAN-based load balancing can be implemented.
  • Page 198 When calculating the path cost of an aggregated link, the 802.1D-1998 standard does not take the number of the ports on the aggregated link into account, whereas the 802.1T standard does. The following formula is used to calculate the path cost of an aggregated link: Path cost = 200,000,000 / link transmission rate Where, “link transmission rate”...
  • Page 199: Configuring Port Priority

    [Sysname] stp pathcost-standard dot1d-1998
    Perform this configuration in Ethernet port view
    <Sysname> system-view
    [Sysname] interface GigabitEthernet 1/0/1
    [Sysname-GigabitEthernet1/0/1] undo stp instance 1 cost
    [Sysname-GigabitEthernet1/0/1] quit
    [Sysname] stp pathcost-standard dot1d-1998
    Configuring Port Priority
    Port priority is an important criterion in determining the root port. Under the same conditions, the port with the smallest port priority value becomes the root port.
  • Page 200: Specifying Whether The Link Connected To A Port Is A Point-To-Point Link

    [Sysname] stp interface GigabitEthernet 1/0/1 instance 1 port priority 16
    Perform this configuration in Ethernet port view
    <Sysname> system-view
    [Sysname] interface GigabitEthernet 1/0/1
    [Sysname-GigabitEthernet1/0/1] stp instance 1 port priority 16
    Specifying Whether the Link Connected to a Port Is a Point-to-point Link
    Refer to Specifying Whether the Link Connected to a Port Is Point-to-point Link.
  • Page 201: Configuration Example

    To do... / Use the command... / Remarks
    Enter system view: system-view —
    Enter Ethernet port view: interface interface-type interface-number —
    Perform the mCheck operation: stp mcheck — Required
    Configuration Example
    # Perform the mCheck operation on GigabitEthernet 1/0/1.
    Perform this configuration in system view
    <Sysname>...
  • Page 202 Loop guard A switch maintains the states of its root port and other blocked ports by receiving and processing BPDUs from the upstream switch. These BPDUs may be lost because of network congestion or unidirectional link failures. If a switch does not receive BPDUs from the upstream switch for a certain period, it selects a new root port;...
  • Page 203: Configuration Prerequisites

    Configuration Prerequisites
    MSTP runs normally on the switch.
    Configuring BPDU Guard
    Configuration procedure
    Follow these steps to configure BPDU guard:
    Enter system view: system-view
    Enable the BPDU guard function: stp bpdu-protection (required; the BPDU guard function is disabled by default)
  • Page 204: Configuring Loop Guard

    [Sysname] stp interface GigabitEthernet 1/0/1 root-protection
    Perform this configuration in Ethernet port view:
    <Sysname> system-view
    [Sysname] interface GigabitEthernet 1/0/1
    [Sysname-GigabitEthernet1/0/1] stp root-protection
    Configuring Loop Guard
    Configuration procedure
    Follow these steps to configure loop guard:
    Enter system view —...
  • Page 205: Configuring Digest Snooping

    MST region. This problem can be overcome by implementing the digest snooping feature. If a port on a 3Com Switch 4200G is connected to a switch from another manufacturer that has the same MST region-related configuration as its own but uses a proprietary spanning tree protocol, you can enable digest snooping on the port.
  • Page 206: Configuring Rapid Transition

    Enter system view: system-view
    Enter Ethernet port view: interface interface-type interface-number
    Enable the digest snooping feature: stp config-digest-snooping (required; the digest snooping feature is disabled on a port by default)
    Return to system view —...
  • Page 207 Proposal packets: packets sent by designated ports to request rapid transition. Agreement packets: packets used to acknowledge rapid transition requests. Both RSTP and MSTP specify that the upstream switch can perform the rapid transition operation on the designated port only when the port receives an agreement packet from the downstream switch. The differences between RSTP and MSTP are: for MSTP, the upstream switch sends agreement packets to the downstream switch;...
  • Page 208: Configuring Rapid Transition

    3Com switch operating as the downstream switch. Among these ports, those operating as root ports will then send agreement packets to their upstream ports after they receive proposal packets from the upstream designated ports, instead of waiting for agreement packets from the upstream switch.
  • Page 209: Stp Maintenance Configuration

    Enter system view: system-view
    Enter Ethernet port view: interface interface-type interface-number
    Enable the rapid transition feature: stp no-agreement-check (required; by default, the rapid transition feature is disabled on a port)
    The rapid transition feature can be enabled only on root ports or alternate ports. If you configure the rapid transition feature on a designated port, the feature does not take effect on the port.
  • Page 210: Enabling Trap Messages Conforming To 802.1D Standard

    Enabling Trap Messages Conforming to the 802.1D Standard
    A switch sends trap messages conforming to the 802.1D standard to the network management device in the following two cases: the switch becomes the root bridge of an instance; network topology changes are detected.
    Configuration procedure
    Follow these steps to enable trap messages conforming to the 802.1D standard:
    To do...
  • Page 211 All switches in the network belong to the same MST region. Packets of VLAN 10, VLAN 30, VLAN 40, and VLAN 20 are forwarded along MSTI 1, MSTI 3, MSTI 4, and MSTI 0 respectively. In this network, Switch A and Switch B operate on the convergence layer; Switch C and Switch D operate on the access layer.
  • Page 212 [Sysname] stp region-configuration
    # Configure the region name, VLAN-to-MSTI mapping table, and revision level for the MST region.
    [Sysname-mst-region] region-name example
    [Sysname-mst-region] instance 1 vlan 10
    [Sysname-mst-region] instance 3 vlan 30
    [Sysname-mst-region] instance 4 vlan 40
    [Sysname-mst-region] revision-level 0
    # Activate the settings of the MST region manually.
    [Sysname-mst-region] active region-configuration
    # Specify Switch B as the root bridge of MSTI 3.
  • Page 213 Table of Contents
    1 802.1x Configuration (1-1)
    Introduction to 802.1x (1-1)
    Architecture of 802.1x Authentication (1-1)
    The Mechanism of an 802.1x Authentication System (1-3)
    Encapsulation of EAPoL Messages (1-3)
    802.1x Authentication Procedure (1-5)
    Timers Used in 802.1x (1-9)
    Additional 802.1x Features on Switch 4200G (1-10)
    Introduction to 802.1x Configuration (1-13)
    Basic 802.1x Configuration (1-14)
    Configuration Prerequisites (1-14)...
  • Page 214 Displaying and Maintaining System-Guard (4-1)...
  • Page 215: 802.1X Configuration

    802.1x Configuration When configuring 802.1x, go to these sections for information you are interested in: Introduction to 802.1x Introduction to 802.1x Configuration Basic 802.1x Configuration Advanced 802.1x Configuration Displaying and Maintaining 802.1x Configuration Configuration Example Introduction to 802.1x The 802.1x protocol (802.1x for short) was developed by the IEEE 802 LAN/WAN committee to address security issues of wireless LANs.
  • Page 216 The authenticator system, residing at the other end of the LAN segment, is the entity that authenticates the connected supplicant system. The authenticator system is usually an 802.1x-supported network device, such as a 3Com series switch. It provides the port (physical or logical) for the supplicant system to access the LAN.
  • Page 217: The Mechanism Of An 802.1X Authentication System

    By default, a controlled port is a unidirectional port. The way a port is controlled A port of a 3Com series switch can be controlled in the following two ways. Port-based control. When a port is under port-based control, all the supplicant systems connected to the port can access the network without being authenticated after one supplicant system among them passes the authentication.
  • Page 218 Figure 1-3 The format of an EAPoL packet In an EAPoL packet: The PAE Ethernet type field holds the protocol identifier. The identifier for 802.1x is 0x888E. The Protocol version field holds the version of the protocol supported by the sender of the EAPoL packet.
  • Page 219: 802.1X Authentication Procedure

    The Length field indicates the size of an EAP packet, which includes the Code, Identifier, Length, and Data fields. The Data field carries the EAP packet, whose format differs with the Code field. A Success or Failure packet does not contain the Data field, so the Length field of it is 4. Figure 1-5 shows the format of the Data field of a Request packet or a Response packet.
  • Page 220 EAP relay mode This mode is defined in 802.1x. In this mode, EAP packets are encapsulated in higher-level protocol packets (such as EAPoR, EAP over RADIUS) so that they can reach the authentication server. This mode normally requires that the RADIUS server support the two attributes added for EAP: the EAP-Message attribute (type 79) and the Message-Authenticator attribute (type 80).
  • Page 221 Figure 1-8 802.1x authentication procedure (in EAP relay mode). Participants: supplicant system, authenticator system (EAPoL on the supplicant side, EAPoR on the server side), RADIUS server. Message sequence:
    EAPoL-Start (supplicant to authenticator)
    EAP-Request/Identity (authenticator to supplicant)
    EAP-Response/Identity (supplicant to authenticator), relayed as RADIUS Access-Request (EAP-Response/Identity)
    RADIUS Access-Challenge (EAP-Request/MD5 challenge), relayed as EAP-Request/MD5 challenge
    EAP-Response/MD5 challenge, relayed as RADIUS Access-Request...
  • Page 222 responds (through a RADIUS Access-Accept packet and an EAP-Success packet) to the switch to indicate that the supplicant system is authenticated. The switch changes the state of the corresponding port to the accepted state to allow the supplicant system to access the network. The supplicant system can also end the authenticated state by sending EAPoL-Logoff packets to the switch.
  • Page 223: Timers Used

    Figure 1-9 802.1x authentication procedure (in EAP terminating mode). Participants: supplicant system PAE, authenticator system, RADIUS server. Message sequence:
    EAPoL-Start
    EAP-Request/Identity
    EAP-Response/Identity
    EAP-Request/MD5 Challenge
    EAP-Response/MD5 Challenge
    RADIUS Access-Request (CHAP-Response/MD5 Challenge)
    RADIUS Access-Accept (CHAP-Success)
    EAP-Success
    Port...
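The EAPoL and EAP framing of pages 218 and 219 and the MD5-challenge exchange of Figures 1-8 and 1-9, as an added example that is not part of the 3Com manual. The supplicant and authenticator are both simulated in-process; the identity, password, password table and the authenticator name "switch" are constructed, and the authenticator verifies the response itself, which is what happens in EAP terminating mode (in relay mode the RADIUS server performs that step).

```python
"""Added example (not from the 3Com manual): the EAPoL and EAP framing described
on pages 218-219, and the EAP-MD5 challenge exchange of Figures 1-8 and 1-9
played between a constructed supplicant and a constructed authenticator."""
import hashlib
import hmac
import os
import struct

EAPOL_ETHERTYPE = 0x888E                         # PAE Ethernet type
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


def build_eap(code, identifier, eap_type=None, type_data=b""):
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data]; Length counts the header."""
    data = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def build_eapol(eapol_type, body=b"", version=1):
    """Protocol version(1) Type(1) Length(2) Body, as carried after Ethertype 0x888E."""
    return struct.pack("!BBH", version, eapol_type, len(body)) + body


def parse_eapol(frame):
    """Return (version, type, body); refuse a Length that runs past the frame."""
    version, eapol_type, length = struct.unpack("!BBH", frame[:4])
    if 4 + length > len(frame):
        raise ValueError("EAPoL Length exceeds the frame")
    return version, eapol_type, frame[4:4 + length]


def parse_eap(pkt):
    """Return the EAP fields; Success/Failure carry no Data, so Length must be 4."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP Length")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if length != 4:
            raise ValueError("Success/Failure packets must have Length 4")
        return {"code": code, "identifier": identifier}
    if length < 5:
        raise ValueError("Request/Response needs a Type octet")
    return {"code": code, "identifier": identifier,
            "type": pkt[4], "type_data": pkt[5:length]}


def md5_challenge_response(identifier, password, challenge):
    """EAP-MD5 is CHAP: the response value is MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def run_exchange(password_db, identity, password):
    """Run the exchange up to the authenticator's verdict; returns EAP_SUCCESS or EAP_FAILURE."""
    # Supplicant -> Authenticator: EAPoL-Start (an EAPoL frame with an empty body).
    start = build_eapol(EAPOL_START)
    if parse_eapol(start)[1] != EAPOL_START:
        raise RuntimeError("EAPoL-Start did not round-trip")
    # Authenticator -> Supplicant: EAP-Request/Identity, then the supplicant answers.
    req_identity = build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)
    resp_identity = build_eap(EAP_RESPONSE, parse_eap(req_identity)["identifier"],
                              EAP_TYPE_IDENTITY, identity)
    user = parse_eap(resp_identity)["type_data"].decode()
    # Authenticator -> Supplicant: MD5-Challenge, Type-Data = Value-Size(1) Value Name.
    challenge = os.urandom(16)
    req_md5 = build_eap(EAP_REQUEST, 2, EAP_TYPE_MD5_CHALLENGE,
                        bytes([len(challenge)]) + challenge + b"switch")
    # Supplicant: extract the challenge and prove knowledge of the password.
    r = parse_eap(req_md5)
    chal = r["type_data"][1:1 + r["type_data"][0]]
    resp_md5 = build_eap(EAP_RESPONSE, r["identifier"], EAP_TYPE_MD5_CHALLENGE,
                         bytes([16]) + md5_challenge_response(r["identifier"], password, chal)
                         + identity)
    # Authenticator: recompute with the stored secret and compare in constant time.
    a = parse_eap(resp_md5)
    expected = md5_challenge_response(a["identifier"], password_db.get(user, b""), challenge)
    verdict = EAP_SUCCESS if hmac.compare_digest(a["type_data"][1:17], expected) else EAP_FAILURE
    frame = build_eapol(EAPOL_EAP_PACKET, build_eap(verdict, a["identifier"]))
    return parse_eap(parse_eapol(frame)[2])["code"]


if __name__ == "__main__":
    db = {"localuser": b"localpass"}   # constructed local user, as in the manual's example
    print(run_exchange(db, b"localuser", b"localpass"))   # 3 (EAP-Success)
    print(run_exchange(db, b"localuser", b"wrong"))       # 4 (EAP-Failure)
```

Note what EAP-MD5 does and does not give you: the password never crosses the wire, but the challenge and the MD5 response do, so anyone on the segment can run an offline dictionary attack against them, and the supplicant never authenticates the authenticator; that is why the method is only acceptable on a wired port you already trust physically.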
  • Page 224: Additional 802.1X Features On Switch 4200G

    Re-authentication timer (reauth-period). The switch initiates 802.1x re-authentication at the interval set by the re-authentication timer. RADIUS server timer (server-timeout). This timer sets the server-timeout period. After sending an authentication request packet to the RADIUS server, the switch sends another authentication request packet if it does not receive the response from the RADIUS server when this timer times out.
  • Page 225 Only disconnects the supplicant system but sends no Trap packets. Sends Trap packets without disconnecting the supplicant system. This function needs the cooperation of the 802.1x client and a CAMS server. The 802.1x client needs to be capable of detecting multiple network adapters, proxies, and IE proxies.
  • Page 226 After the maximum number of retries has been made and there are still ports that have not sent any response back, the switch adds these ports to the guest VLAN. Users in the guest VLAN can access the resources of the guest VLAN without being authenticated.
  • Page 227: Introduction To 802.1X Configuration

    The RADIUS server has the switch perform 802.1x re-authentication of users. The RADIUS server sends the switch an Access-Accept packet with the Termination-Action attribute field of 1. Upon receiving the packet, the switch re-authenticates the user periodically. You enable 802.1x re-authentication on the switch. With 802.1x re-authentication enabled, the switch re-authenticates users periodically.
  • Page 228: Basic 802.1X Configuration

    Basic 802.1x Configuration Configuration Prerequisites Configure ISP domain and the AAA scheme to be adopted. You can specify a RADIUS scheme or a local scheme. Ensure that the service type is configured as lan-access (by using the service-type command) if local authentication scheme is adopted.
  • Page 229: Timer And Maximum User Number Configuration

    Enable online user handshaking: dot1x handshake enable (optional; by default, online user handshaking is enabled)
    Enter Ethernet port view: interface interface-type interface-number
    802.1x configurations take effect only after you enable 802.1x both globally and on the specified ports. The settings of 802.1x and MAC address learning limit are mutually exclusive.
  • Page 230: Advanced 802.1X Configuration

    Set 802.1x timers: dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value | ver-period ... } (optional). The default settings of the 802.1x timers are as follows: handshake-period-value: 15 seconds; quiet-period-value: ... seconds; server-timeout-value: ... seconds; supp-timeout-value: ...
  • Page 231: Configuring Client Version Checking

    Enable the proxy checking function globally: dot1x supp-proxy-check { logoff | trap } (required; by default, the 802.1x proxy checking function is globally disabled)
    Enable proxy checking on ports, in system view: dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]...
  • Page 232: Enabling Dhcp-Triggered Authentication

    As for the dot1x version-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports. You can also execute this command in port view. In this case, this command applies to the current port only and the interface-list argument is not needed.
  • Page 233: Configuring 802.1X Re-Authentication

    The guest VLAN function is available only when the switch operates in the port-based access control mode. Only one guest VLAN can be configured for each switch. The guest VLAN function cannot be implemented if you configure the dot1x dhcp-launch command on the switch to enable DHCP-triggered authentication.
  • Page 234: Displaying And Maintaining 802.1X Configuration

    During re-authentication, the switch always uses the latest re-authentication interval configured, no matter which of the above-mentioned two ways is used to determine the re-authentication interval. For example, if you configure a re-authentication interval on the switch and the switch receives an Access-Accept packet whose Termination-Action attribute field is 1, the switch will ultimately use the value of the Session-timeout attribute field as the re-authentication interval.
  • Page 235 a real-time accounting packet to the RADIUS servers once every 15 minutes. The user name is sent to the RADIUS servers with the domain name removed. The user name and password for local 802.1x authentication are “localuser” and “localpass” (in plain text) respectively.
  • Page 236 [Sysname-radius-radius1] secondary authentication 10.11.1.2
    [Sysname-radius-radius1] secondary accounting 10.11.1.1
    # Set the password for the switch and the authentication RADIUS servers to exchange messages.
    [Sysname-radius-radius1] key authentication name
    # Set the password for the switch and the accounting RADIUS servers to exchange messages.
    [Sysname-radius-radius1] key accounting money
    (The keys “name” and “money” are illustrative only. The shared key is the only thing protecting RADIUS message integrity and password hiding, so use a long random key in production.)
    # Set the interval and the number of retries for the switch to send packets to the RADIUS servers.
  • Page 237: Quick Ead Deployment Configuration

    Quick EAD Deployment Configuration When configuring quick EAD deployment, go to these sections for information you are interested in: Introduction to Quick EAD Deployment Configuring Quick EAD Deployment Displaying and Maintaining Quick EAD Deployment Quick EAD Deployment Configuration Example Troubleshooting Introduction to Quick EAD Deployment Quick EAD Deployment Overview As an integrated solution, an Endpoint Admission Defense (EAD) solution can improve the overall...
  • Page 238: Configuring Quick Ead Deployment

    Configuring Quick EAD Deployment Configuration Prerequisites Enable 802.1x on the switch. Set the port authorization mode to auto for 802.1x-enabled ports using the dot1x port-control command. Configuration Procedure Configuring a free IP range A free IP range is an IP range that users can access before passing 802.1x authentication. Follow these steps to configure a free IP range: To do...
  • Page 239: Displaying And Maintaining Quick Ead Deployment

    large number of users log in but cannot pass authentication, the switch may run out of ACL resources, preventing other users from logging in. A timer called ACL timer is designed to solve this problem. You can control the usage of ACL resources by setting the ACL timer. The ACL timer starts once a user gets online.
  • Page 240 Network diagram: Figure 2-1 Network diagram for quick EAD deployment (IP network; Switch, port GE1/0/1; Web server; addresses shown: 192.168.0.110/24, 192.168.0.111/24, and Host 192.168.0.109/24). Configuration procedure: Before enabling quick EAD deployment, make sure that: The Web server is configured properly. The default gateway of the PC is configured as the IP address of the Layer-3 virtual interface of the VLAN to which the port directly connected to the PC belongs.
  • Page 241: Troubleshooting

    Troubleshooting Symptom: A user cannot be redirected to the specified URL server, no matter what URL the user enters in the IE address bar. Solution: If a user enters an IP address in a format other than the dotted decimal notation, the user may not be redirected.
  • Page 242: Habp Configuration

    HABP Configuration When configuring HABP, go to these sections for information you are interested in: Introduction to HABP HABP Server Configuration HABP Client Configuration Displaying and Maintaining HABP Configuration Introduction to HABP When a switch is configured with the 802.1x function, 802.1x will authenticate and authorize 802.1x-enabled ports and allow only the authorized ports to forward packets.
  • Page 243: Habp Client Configuration

    Configure the current switch to be an HABP server: habp server vlan vlan-id (required). By default, a switch operates as an HABP client after you enable HABP on the switch. If you want to use the switch as a management switch, you need to configure it as an HABP server.
  • Page 244: System Guard Configuration

    System Guard Configuration
    System-Guard Overview
    To implement system guard for the CPU, the switch must first determine whether the CPU is under attack. Congestion in a queue is not by itself sufficient evidence of an attack; instead, the determination is made in the following ways: according to the number of packets processed by the CPU in a time range;...
  • Page 245 Table 4-2 Display and maintain system-guard
    Display the record of detected attacks: display system-guard attack-record
    Display the state of the system-guard feature: display system-guard state...
  • Page 246 Table of Contents
    1 AAA Overview (1-1)
    Introduction to AAA (1-1)
    Authentication (1-1)
    Authorization (1-1)
    Accounting (1-1)
    Introduction to ISP Domain (1-2)
    Introduction to AAA Services (1-2)
    Introduction to RADIUS (1-2)
    Introduction to HWTACACS (1-6)
    2 AAA Configuration (2-1)
    AAA Configuration Task List (2-1)
    Creating an ISP Domain and Configuring Its Attributes (2-2)
    Configuring an AAA Scheme for an ISP Domain (2-3)
    Configuring Dynamic VLAN Assignment (2-6)...
  • Page 247 Local Authentication of FTP/Telnet Users (2-28)
    HWTACACS Authentication and Authorization of Telnet Users (2-30)
    Troubleshooting AAA (2-31)
    Troubleshooting RADIUS Configuration (2-31)
    Troubleshooting HWTACACS Configuration (2-31)
    3 EAD Configuration (3-1)
    Introduction to EAD (3-1)
    Typical Network Application of EAD (3-1)
    EAD Configuration (3-1)
    EAD Configuration Example (3-2)...
  • Page 248: Aaa Overview

    Remote authentication: Users are authenticated remotely through the RADIUS or HWTACACS protocol. The device (for example, a 3Com switch) acts as the client that communicates with the RADIUS or TACACS server. Remote authentication allows convenient centralized management and is feature-rich.
  • Page 249: Introduction To Isp Domain

    None accounting: No accounting is performed for users. Remote accounting: User accounting is performed on a remote RADIUS or TACACS server. Introduction to ISP Domain An Internet service provider (ISP) domain is a group of users who belong to the same ISP. For a username in the format of userid@isp-name or userid.isp-name, the isp-name following the "@"...
  • Page 250 Figure 1-1 Databases in a RADIUS server In addition, a RADIUS server can act as a client of some other AAA server to provide authentication or accounting proxy service. Basic message exchange procedure in RADIUS The messages exchanged between a RADIUS client (a switch, for example) and a RADIUS server are verified through a shared key.
  • Page 251 The RADIUS client accepts or denies the user depending on the received authentication result. If it accepts the user, the RADIUS client sends a start-accounting request (Accounting-Request, with the Status-Type attribute value = start) to the RADIUS server. The RADIUS server returns a start-accounting response (Accounting-Response). The user starts to access network resources.
  • Page 252 Accounting-Request (Code 4). Direction: client->server. The client transmits this message to the server to request the server to start or end accounting (whether to start or to end the accounting is determined by the Acct-Status-Type attribute in the message). This message carries almost the same attributes as those carried in the Access-Request message.
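The shared-key verification behind the exchange described on pages 250 and 251, together with the two attributes that EAP relay mode needs (EAP-Message, type 79, and Message-Authenticator, type 80, from page 220), as an added example that is not part of the 3Com manual. The shared key, identity and EAP payloads are constructed, and the RADIUS server is simulated in-process; the rules implemented are those of RFC 2865 (Response Authenticator) and RFC 3579 (Message-Authenticator), which the manual refers to but does not spell out.

```python
"""Added example (not from the 3Com manual): the shared-key checks behind the
RADIUS exchange and the two attributes EAP relay mode needs, EAP-Message (79)
and Message-Authenticator (80).  Shared key, identity and EAP payloads are
constructed; the 'server' side is simulated in-process."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80


def attr(attr_type, value):
    """Type(1) Length(1) Value; Length counts the two header octets, so Value <= 253."""
    if len(value) > 253:
        raise ValueError("attribute value too long; split it (EAP-Message is fragmented)")
    return bytes([attr_type, 2 + len(value)]) + value


def attrs(pkt):
    """Walk the attribute list after the 20-octet header, rejecting malformed lengths."""
    off, out = 20, []
    while off < len(pkt):
        if off + 2 > len(pkt) or pkt[off + 1] < 2 or off + pkt[off + 1] > len(pkt):
            raise ValueError("malformed attribute")
        out.append((pkt[off], pkt[off + 2:off + pkt[off + 1]]))
        off += pkt[off + 1]
    return out


def access_request(secret, identifier, request_authenticator, username, eap_message):
    """Build an EAP-carrying Access-Request.  RFC 3579: the Message-Authenticator is
    HMAC-MD5(secret, whole packet with the MA value zeroed) and is mandatory here."""
    body = attr(ATTR_USER_NAME, username)
    body += b"".join(attr(ATTR_EAP_MESSAGE, eap_message[i:i + 253])
                     for i in range(0, len(eap_message), 253))
    body += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = (struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
           + request_authenticator + body)
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac   # the zeroed MA value was appended last


def verify_message_authenticator(secret, pkt):
    """Server side: recompute HMAC-MD5 over the packet with the MA value zeroed."""
    off = 20
    while off + 2 <= len(pkt):
        attr_type, length = pkt[off], pkt[off + 1]
        if length < 2 or off + length > len(pkt):
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(),
                                       pkt[off + 2:off + 18])
        off += length
    return False   # an EAP Access-Request without a Message-Authenticator must be dropped


def response(secret, code, identifier, request_authenticator, body):
    """RFC 2865: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + request_authenticator + body + secret).digest() + body


def verify_response(secret, pkt, request_authenticator):
    """Client side: accept a reply only if its authenticator binds it to our request."""
    expected = hashlib.md5(pkt[:4] + request_authenticator + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def demo(secret=b"example-shared-key"):
    """Returns (request MA valid, challenge accepted, tampered challenge accepted,
    request MA valid under the wrong key)."""
    ra = os.urandom(16)                                   # fresh Request Authenticator
    eap_identity = b"\x02\x01\x00\x0e\x01localuser"      # EAP-Response/Identity "localuser"
    req = access_request(secret, 1, ra, b"localuser", eap_identity)
    # Simulated server: verify, then answer with an MD5-Challenge request inside EAP-Message.
    eap_challenge = b"\x01\x02\x00\x16\x04\x10" + os.urandom(16)   # Request, id 2, type 4
    chal = response(secret, ACCESS_CHALLENGE, 1, ra, attr(ATTR_EAP_MESSAGE, eap_challenge))
    tampered = chal[:-1] + bytes([chal[-1] ^ 0x01])      # one flipped octet in the payload
    return (verify_message_authenticator(secret, req),
            verify_response(secret, chal, ra),
            verify_response(secret, tampered, ra),
            verify_message_authenticator(b"wrong-key", req))


if __name__ == "__main__":
    print(demo())   # (True, True, False, False)
```

The Response Authenticator is what stops a forged Access-Accept from being accepted by the switch, and the Message-Authenticator is what stops a forged EAP Access-Request from reaching the server; both derive their strength entirely from the shared key, which is why the keys in the configuration example must be long and random.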
  • Page 253: Introduction To Hwtacacs

    RADIUS attribute types (continued; type values per RFC 2865):
    10 Framed-Routing | 32 NAS-Identifier
    11 Filter-ID | 33 Proxy-State
    12 Framed-MTU | 34 Login-LAT-Service
    13 Framed-Compression | 35 Login-LAT-Node
    14 Login-IP-Host | 36 Login-LAT-Group
    15 Login-Service | 37 Framed-AppleTalk-Link
    16 Login-TCP-Port | 38 Framed-AppleTalk-Network
    17 (unassigned) | 39 Framed-AppleTalk-Zone
    18 Reply-Message | 40-59 (reserved for accounting)
    19 Callback-Number | 60 CHAP-Challenge
    20 Callback-ID | 61 NAS-Port-Type
    21 (unassigned) | 62 Port-Limit
    22 Framed-Route | 63 Login-LAT-Port
    The RADIUS protocol is extensible: attribute 26 (Vendor-Specific) allows a device vendor to extend RADIUS to implement functions that are not defined in standard RADIUS.
  • Page 254 Compared with RADIUS, HWTACACS provides more reliable transmission and encryption, and is therefore more suitable for security control. Table 1-3 lists the primary differences between HWTACACS and RADIUS.
    Table 1-3 Differences between HWTACACS and RADIUS
    HWTACACS: Adopts TCP, providing more reliable network transport. RADIUS: Adopts UDP....
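What each protocol actually hides on the wire, which is the "encryption" row of Table 1-3 made concrete, as an added example that is not part of the 3Com manual. RADIUS obfuscates only the User-Password attribute (RFC 2865 §5.2), while TACACS+ masks the entire packet body with an MD5 pseudo-pad (RFC 8907 §4.5); the example assumes HWTACACS uses the TACACS+ body scheme, and the user name, password, shared key, session ID and message layouts are all constructed.

```python
"""Added example (not from the 3Com manual): RADIUS hides only User-Password,
TACACS+ masks the whole body.  HWTACACS is assumed to use the TACACS+ scheme;
all keys and values below are constructed."""
import hashlib
import os
import struct


def radius_hide_password(secret, request_authenticator, password):
    """RFC 2865 5.2: pad to a 16-octet multiple; block 1 = P1 XOR MD5(secret+RA),
    block n = Pn XOR MD5(secret + previous ciphertext block)."""
    padded = password + bytes((-len(password)) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def radius_reveal_password(secret, request_authenticator, hidden):
    """Inverse of radius_hide_password; trailing NUL padding is stripped."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def tacacs_pl_crypt(key, session_id, version, seq_no, body):
    """RFC 8907 4.5: pad_1 = MD5(session_id || key || version || seq_no),
    pad_n = MD5(session_id || key || version || seq_no || pad_n-1); body XOR pad.
    XOR is its own inverse, so the same call masks and unmasks."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, chunk = b"", b""
    while len(pad) < len(body):
        chunk = hashlib.md5(prefix + chunk).digest()
        pad += chunk
    return bytes(b ^ p for b, p in zip(body, pad))


def exposure_demo():
    """Build the authentication message of each protocol for the same user and
    report which plaintext fields an observer on the wire still sees."""
    username, password = b"localuser", b"localpass"
    secret, ra = b"example-shared-key", os.urandom(16)
    # RADIUS Access-Request body: User-Name (1) in clear, User-Password (2) hidden.
    radius_body = (bytes([1, 2 + len(username)]) + username
                   + bytes([2, 18]) + radius_hide_password(secret, ra, password))
    # TACACS+ authentication START body: action, priv_lvl, authen_type, service,
    # user_len, port_len, rem_addr_len, data_len, user, port, rem_addr, data.
    tacacs_body = (bytes([1, 1, 1, 1, len(username), 0, 0, len(password)])
                   + username + password)
    session_id, version, seq_no = 0x12345678, 0xC0, 1
    tacacs_wire = tacacs_pl_crypt(secret, session_id, version, seq_no, tacacs_body)
    return {
        "radius_username_visible": username in radius_body,
        "radius_password_visible": password in radius_body,
        "tacacs_username_visible": username in tacacs_wire,
        "tacacs_password_visible": password in tacacs_wire,
        "radius_round_trip": radius_reveal_password(secret, ra, radius_body[-16:]) == password,
        "tacacs_round_trip": tacacs_pl_crypt(secret, session_id, version, seq_no,
                                             tacacs_wire) == tacacs_body,
    }


if __name__ == "__main__":
    for k, v in exposure_demo().items():
        print(f"{k}: {v}")
```

Neither scheme is encryption in the modern sense: both are MD5 keystreams seeded by the shared key and public header fields, so a weak key is recoverable offline from a single capture. The difference the table points at is scope (one attribute versus the whole body), and in RADIUS the user name, NAS identity and any assigned VLAN travel in the clear.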
  • Page 255 Figure 1-6 AAA implementation procedure for a telnet user The basic message exchange procedure is as follows: A user sends a login request to the switch acting as a TACACS client, which then sends an authentication start request to the TACACS server. The TACACS server returns an authentication response, asking for the username.
  • Page 256 After receiving the response indicating an authorization success, the TACACS client presents the configuration interface of the switch to the user. 10) The TACACS client sends an accounting start request to the TACACS server. 11) The TACACS server returns an accounting response, indicating that it has received the accounting start request.
  • Page 257: Aaa Configuration

    AAA Configuration
    AAA Configuration Task List
    You need to configure AAA to provide network access services for legitimate users while protecting network devices, preventing unauthorized access, and preventing repudiation. Complete the following tasks to configure AAA (configuring a combined AAA scheme for an ISP domain): Task Remarks...
  • Page 258: Creating An Isp Domain And Configuring Its Attributes

    Creating an ISP Domain and Configuring Its Attributes (required)
    Configuring an AAA Scheme for an ISP Domain (required): Configuring separate AAA schemes (required). With separate AAA schemes, you can specify authentication, authorization and accounting schemes respectively. You need to configure RADIUS or HWTACACS before performing RADIUS or HWTACACS authentication.
  • Page 259: Configuring An Aaa Scheme For An Isp Domain

    Set the accounting-optional switch: accounting optional (optional; by default, the accounting-optional switch is off)
    Set the messenger function: messenger time { enable limit interval | disable } (optional; by default, the messenger function is disabled)
    Note that: On a Switch 4200G, each access user belongs to an ISP domain.
  • Page 260 You can execute the scheme radius-scheme radius-scheme-name command to adopt an already configured RADIUS scheme to implement all three AAA functions. If you adopt the local scheme, only the authentication and authorization functions are implemented; the accounting function cannot be implemented. If you execute the scheme radius-scheme radius-scheme-name local command, the local scheme is used as the secondary scheme in case no RADIUS server is available.
  • Page 261 To do… Use the command… Remarks authentication Optional { radius-scheme Configure an authentication radius-scheme-name [ local ] | By default, no separate scheme for the ISP domain hwtacacs-scheme authentication scheme is hwtacacs-scheme-name configured. [ local ] | local | none } Optional Configure a HWTACACS authentication super...
  • Page 262: Configuring Dynamic Vlan Assignment

    for authentication, it also does so for authorization and accounting, even if authorization and accounting fail. Configuring Dynamic VLAN Assignment The dynamic VLAN assignment feature enables a switch to dynamically add the switch ports of successfully authenticated users to different VLANs according to the attributes assigned by the RADIUS server, so as to control the network resources that different users can access.
  • Page 263: Configuring The Attributes Of A Local User

    In string mode, if the VLAN ID assigned by the RADIUS server is a character string containing only digits (for example, 1024), the switch first regards it as an integer VLAN ID: the switch transforms the string to an integer value and judges if the value is in the valid VLAN ID range; if it is, the switch adds the authenticated port to the VLAN with the integer value as the VLAN ID (VLAN 1024, for example).
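The VLAN value interpretation rule described above, in both integer and string mode, as an added example that is not part of the 3Com manual. The RADIUS attribute names are those of RFC 3580 (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID carries the value); the manual itself does not name them. Treating an all-digit string that falls outside the VLAN ID range as a VLAN name is an assumption, and the VLAN name table, including a VLAN deliberately named "1024", is constructed.

```python
"""Added example (not from the 3Com manual): resolving the VLAN a RADIUS server
assigns, as the manual describes for integer mode and string mode.  Attribute
names follow RFC 3580; the name table is constructed."""
VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094                       # valid 802.1Q VLAN ID range
VLAN_NAMES = {"sales": 100, "guest": 200, "1024": 300}   # constructed; note the name "1024"


def strip_tunnel_tag(value: bytes) -> bytes:
    """RFC 2868: a tunnel attribute may begin with a Tag octet (0x01-0x1F) that is not
    part of the value; a first octet above 0x1F is already the value."""
    if value and value[0] <= 0x1F:
        return value[1:]
    return value


def resolve_assigned_vlan(group_id: bytes, mode: str, vlan_names=VLAN_NAMES):
    """VLAN ID the authenticated port is moved to, or None if the value is unusable."""
    text = strip_tunnel_tag(group_id).decode("ascii", errors="replace")
    numeric = text.isascii() and text.isdigit()
    if mode == "integer":
        if not numeric:
            return None                    # integer mode accepts only a numeric VLAN ID
        vid = int(text)
        return vid if VLAN_ID_MIN <= vid <= VLAN_ID_MAX else None
    if mode == "string":
        if numeric:                        # "1024": first try it as an integer VLAN ID
            vid = int(text)
            if VLAN_ID_MIN <= vid <= VLAN_ID_MAX:
                return vid                 # VLAN 1024 wins over a VLAN *named* "1024"
        return vlan_names.get(text)        # otherwise (assumption) look it up as a VLAN name
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    for raw, mode in ((b"1024", "string"), (b"\x01sales", "string"),
                      (b"9999", "string"), (b"sales", "integer"), (b"0100", "integer")):
        print(raw, mode, "->", resolve_assigned_vlan(raw, mode))
```

The tag octet is the case that bites in practice: some servers send Tunnel-Private-Group-ID with a leading 0x01, and a resolver that compares the raw bytes against VLAN names will silently fall through to "no VLAN", leaving the port in its default VLAN rather than the intended one.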
  • Page 264 Enter system view: system-view
    Set the password display mode of all local users: local-user password-display-mode { cipher-force | auto } (optional; by default, the password display mode of all access users is auto, meaning the passwords of access users are displayed in the modes set by the password command).
  • Page 265: Cutting Down User Connections Forcibly

    RADIUS Configuration Task List 3Com’s Ethernet switches can function not only as RADIUS clients but also as local RADIUS servers. Complete the following tasks to configure RADIUS (the switch functions as a RADIUS client):...
  • Page 266 Tasks for configuring the RADIUS client:
    Creating a RADIUS Scheme (required)
    Configuring RADIUS Authentication/Authorization Servers (required)
    Configuring RADIUS Accounting Servers (required)
    Configuring Shared Keys for RADIUS Messages (optional)
    Configuring the Maximum Number of RADIUS Request Transmission Attempts (optional)
    Configuring the Type of RADIUS Servers to be Supported (optional)
    Configuring the Status of RADIUS Servers...
  • Page 267: Creating A Radius Scheme

    creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme. These RADIUS servers fall into two types: authentication/authorization, and accounting. And for each type of server, you can configure two servers in a RADIUS scheme: primary server and secondary server.
  • Page 268: Configuring Radius Accounting Servers

    Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name (required; by default, a RADIUS scheme named "system" has already been created in the system)
    Set the IP address and port number of the primary RADIUS authentication/authorization server: primary authentication ... (required; by default, the IP address and UDP port number of the...
  • Page 269: Configuring Shared Keys For Radius Messages

    Set the IP address and port number of the secondary RADIUS accounting server: secondary accounting ip-address [ port-number ] (optional; by default, the IP address and UDP port number of the secondary accounting server are 0.0.0.0 and 1813 for a newly created RADIUS scheme).
  • Page 270: Configuring The Maximum Number Of Radius Request Transmission Attempts

    Enter system view: system-view
    Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name (required; by default, a RADIUS scheme named "system" has already been created in the system)
    Set a shared key for RADIUS authentication/authorization messages: key authentication string (required; by default, no shared key is...
  • Page 271: Configuring The Status Of Radius Servers

    Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name (required; by default, a RADIUS scheme named "system" has already been created in the system)
    Configure the type of RADIUS servers to be supported: server-type { extended | standard } (optional)...
  • Page 272: Configuring The Attributes Of Data To Be Sent To Radius Servers

    Set the status of the secondary RADIUS authentication/authorization server: state secondary authentication { block | active }
    Set the status of the secondary RADIUS accounting server: state secondary accounting { block | active }
    Configuring the Attributes of Data to be Sent to RADIUS Servers
    Follow these steps to configure the attributes of data to be sent to RADIUS servers:
    To do…...
  • Page 273: Configuring The Local Radius Server

    Generally, the access users are named in the userid@isp-name or userid.isp-name format. Here, isp-name after the “@” or “.” character represents the ISP domain name, by which the device determines which ISP domain a user belongs to. However, some old RADIUS servers cannot accept the usernames that carry ISP domain names.
  • Page 274: Configuring Timers For Radius Servers

    …adopt the local RADIUS server function, the UDP port number of the authentication/authorization server must be 1645, the UDP port number of the accounting server must be 1646, and the IP addresses of the servers must be set to the addresses of this switch. The message encryption key set by the local-server nas-ip ip-address key password command must be identical to the authentication/authorization message encryption key set by the key authentication command in RADIUS scheme view of the RADIUS scheme on the specified NAS that uses this switch as its authentication server.
  • Page 275: Enabling Sending Trap Message When A Radius Server Goes Down

    To do: Set the response timeout time of RADIUS servers. Command: timer response-timeout seconds. Remarks: Optional. By default, the response timeout time of RADIUS servers is three seconds.
    To do: Set the time that the switch waits before it tries to re-communicate with the primary … Command: timer quiet … Remarks: Optional. By default, the switch waits five minutes…
  • Page 276 online when the user re-logs into the network before the CAMS performs online user detection, and the user cannot get authenticated. In this case, the user can access the network again only when the CAMS administrator manually removes the user's online information. The user re-authentication at restart function is designed to resolve this problem.
  • Page 277: Hwtacacs Configuration Task List

    HWTACACS Configuration Task List
    Complete the following tasks to configure HWTACACS:
    Task: Creating a HWTACACS Scheme. Remarks: Required.
    Task: Configuring TACACS Authentication Servers. Remarks: Required.
    Task: Configuring TACACS Authorization Servers. Remarks: Required.
    Configuring the TACACS client:
    Task: Configuring TACACS Accounting Servers. Remarks: Optional.
    Task: Configuring Shared Keys for RADIUS Messages. Remarks: Optional.
    Task: Configuring the Attributes of Data to be Sent to TACACS… Remarks: Optional…
  • Page 278: Configuring Tacacs Authorization Servers

    To do: Set the IP address and port number of the primary TACACS authentication server. Command: primary authentication ip-address [ port ]. Remarks: Required. By default, the IP address of the primary authentication server is 0.0.0.0, and the port number is 0.
  • Page 279: Configuring Tacacs Accounting Servers

    You are not allowed to configure the same IP address for both primary and secondary authorization servers. If you do this, the system will prompt that the configuration fails. You can remove a server only when it is not used by any active TCP connection for sending authorization messages.
  • Page 280: Configuring The Attributes Of Data To Be Sent To Tacacs Servers

    The TACACS client and server adopt the MD5 algorithm to encrypt HWTACACS messages before they are exchanged between the two parties. The two parties verify the validity of the HWTACACS messages received from each other by using the shared keys that have been set on them, and can accept and respond to the messages only when both parties have the same shared key.
  • Page 281: Configuring The Timers Regarding Tacacs Servers

    Generally, the access users are named in the userid@isp-name or userid.isp-name format. Here, isp-name after the “@” or “.” character represents the ISP domain name. If the TACACS server does not accept usernames that carry ISP domain names, the domain names must be removed from the usernames before they are sent to the TACACS server.
  • Page 282: Displaying And Maintaining Aaa Configuration

    Displaying and Maintaining AAA Configuration
    To do: Display configuration information about one specific or all ISP domains. Command: display domain [ isp-name ].
    To do: Display information about user connections. Command: display connection [ access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme…
  • Page 283: Aaa Configuration Examples

    To do: Display buffered non-response stop-accounting requests. Command: display stop-accounting-buffer { hwtacacs-scheme hwtacacs-scheme-name…
    To do: Clear HWTACACS message statistics. Command: reset hwtacacs statistics { accounting | authentication | authorization | all }. Remarks: Available in user view.
    To do: Delete buffered non-response stop-accounting requests. Command: reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name… Remarks: Available in user view.
  • Page 284: Local Authentication Of Ftp/Telnet Users

    Network diagram: Figure 2-1 Remote RADIUS authentication of Telnet users (RADIUS server 10.110.91.164/16, reached over the Internet; Telnet user).
    Configuration procedure
    # Enter system view.
    <Sysname> system-view
    # Adopt AAA authentication for Telnet users.
    [Sysname] user-interface vty 0 4
    [Sysname-ui-vty0-4] authentication-mode scheme
    [Sysname-ui-vty0-4] quit
    # Configure an ISP domain.
  • Page 285 The configuration procedure for local authentication of FTP users is similar to that for Telnet users. The following text only takes Telnet users as example to describe the configuration procedure for local authentication. Network requirements In the network environment shown in Figure 2-2, you are required to configure the switch so that the Telnet users logging into the switch are authenticated locally.
  • Page 286: Hwtacacs Authentication And Authorization Of Telnet Users

    Enable the local RADIUS server function, set the IP address and shared key for the network access server to 127.0.0.1 and aabbcc, respectively. Configure local users. HWTACACS Authentication and Authorization of Telnet Users Network requirements You are required to configure the switch so that the Telnet users logging into the switch are authenticated and authorized by the TACACS server.
  • Page 287: Troubleshooting Aaa

    Troubleshooting AAA Troubleshooting RADIUS Configuration The RADIUS protocol operates at the application layer in the TCP/IP protocol suite. This protocol prescribes how the switch and the RADIUS server of the ISP exchange user information with each other. Symptom 1: User authentication/authorization always fails. Possible reasons and solutions: The username is not in the userid@isp-name or userid.isp-name format, or the default ISP domain is not correctly specified on the switch —...
  • Page 288: Ead Configuration

    EAD Configuration Introduction to EAD Endpoint Admission Defense (EAD) is an attack defense solution. Using this solution, you can enhance the active defense capability of network endpoints, prevent viruses and worms from spreading on the network, and protect the entire network by limiting the access rights of insecure endpoints. With the cooperation of the switch, AAA server, security policy server and security client, EAD is able to evaluate the security compliance of network endpoints and dynamically control their access rights.
  • Page 289: Ead Configuration Example

    Configuring the IP address of the security policy server. Associating the ISP domain with the RADIUS scheme. EAD is commonly used in RADIUS authentication environment. This section mainly describes the configuration of security policy server IP address. For other related configuration, refer to Overview.
  • Page 290 Network diagram: Figure 3-2 EAD configuration
    Configuration procedure
    # Configure 802.1x on the switch. Refer to “Configuring 802.1x” in 802.1x and System Guard Configuration.
    # Configure a domain.
    <Sysname> system-view
    [Sysname] domain system
    [Sysname-isp-system] quit
    # Configure a RADIUS scheme.
    [Sysname] radius scheme cams
    [Sysname-radius-cams] primary authentication 10.110.91.164 1812
    [Sysname-radius-cams] accounting optional…
  • Page 291 Table of Contents
    1 MAC Address Authentication Configuration 1-1
    MAC Address Authentication Overview 1-1
    Performing MAC Address Authentication on a RADIUS Server 1-1
    Performing MAC Address Authentication Locally 1-1
    Related Concepts 1-2
    MAC Address Authentication Timers 1-2
    Quiet MAC Address 1-2
    Configuring Basic MAC Address Authentication Functions 1-2
    MAC Address Authentication Enhanced Function Configuration 1-3
    MAC Address Authentication Enhanced Function Configuration Task List 1-3
    Configuring a Guest VLAN 1-4…
  • Page 292: Mac Address Authentication Configuration

    MAC Address Authentication Configuration When configuring MAC address authentication, go to these sections for information you are interested in: MAC Address Authentication Overview; Related Concepts; Configuring Basic MAC Address Authentication Functions; MAC Address Authentication Enhanced Function Configuration; Displaying and Maintaining MAC Address Authentication Configuration; MAC Address Authentication Configuration Examples. MAC Address Authentication Overview MAC address authentication provides a way for authenticating users based on ports and MAC…
  • Page 293: Related Concepts

    format configured with mac-authentication authmode usernameasmacaddress usernameformat command; otherwise, the authentication will fail. In fixed mode, all users’ MAC addresses are automatically mapped to the configured local passwords and usernames. The service type of a local user needs to be configured as lan-access. Related Concepts MAC Address Authentication Timers The following timers function in the process of MAC address authentication:...
  • Page 294: Mac Address Authentication Enhanced Function Configuration

    Command: quit.
    To do: Set the user name in MAC address mode for MAC address authentication. Command: mac-authentication authmode usernameasmacaddress [ usernameformat { with-hyphen | without-hyphen } { lowercase | uppercase } | fixedpassword password ]… Remarks: Optional. By default, the MAC address of a user is used as the user…
  • Page 295: Configuring A Guest Vlan

    Task: Configuring a Guest VLAN. Remarks: Optional.
    Task: Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port. Remarks: Optional.
    Configuring a Guest VLAN
    Different from the Guest VLANs described in the 802.1x and System-Guard manual, the Guest VLANs mentioned in this section are Guest VLANs dedicated to MAC address authentication. After completing the configuration tasks in Configuring Basic MAC Address Authentication Functions for a…
  • Page 296 After a port is added to a Guest VLAN, the switch will re-authenticate the first access user of this port (namely, the first user whose unicast MAC address is learned by the switch) periodically. If this user passes the re-authentication, this port will exit the Guest VLAN, and thus the user can access the network normally.
  • Page 297 If more than one client is connected to a port, you cannot configure a Guest VLAN for this port. When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port. Even if you set the limit on the number of MAC address authentication users to more than one, the configuration does not take effect.
  • Page 298: Displaying And Maintaining Mac Address Authentication Configuration

    If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port, the smaller value of the two configured limits is adopted as the maximum number of MAC address authentication users allowed to access this port.
  • Page 299 # Set the user name in MAC address mode for MAC address authentication, requiring hyphened lowercase MAC addresses as the usernames and passwords.
    [Sysname] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen lowercase
    # Add a local user. Specify the user name and password.
    [Sysname] local-user 00-0d-88-f6-44-c1
    [Sysname-luser-00-0d-88-f6-44-c1] password simple 00-0d-88-f6-44-c1
    # Set the service type to lan-access.
  • Page 300 Table of Contents
    1 IP Addressing Configuration 1-1
    IP Addressing Overview 1-1
    IP Address Classes 1-1
    Special IP Addresses 1-2
    Subnetting and Masking 1-2
    Protocols and Standards 1-3
    Configuring IP Addresses 1-3
    Displaying IP Addressing Configuration 1-4
    VLAN Interface IP Address Configuration Examples 1-4
    2 IP Performance Optimization Configuration 2-1
    IP Performance Overview 2-1
    Introduction to IP Performance Configuration 2-1…
  • Page 301: Ip Addressing Configuration

    IP Addressing Configuration The term IP address used throughout this chapter refers to IPv4 address. For details about IPv6 address, refer to IPv6 Management. When configuring IP addressing, go to these sections for information you are interested in: IP Addressing Overview Configuring IP Addresses Displaying IP Addressing Configuration VLAN Interface IP Address Configuration Examples...
  • Page 302: Special Ip Addresses

    Table 1-1 IP address classes and ranges
    Class: A. Address range: 0.0.0.0 to 127.255.255.255. Remarks: The IP address 0.0.0.0 is used by a host at bootstrap for temporary communication. This address is never a valid destination address. Addresses starting with 127 are reserved for loopback test.
  • Page 303: Protocols And Standards

    …subnetting. When designing your network, you should note that subnetting is somewhat of a tradeoff between the number of subnets and the number of accommodated hosts. For example, a Class B network can accommodate 65,534 hosts before being subnetted (of the two deducted Class B addresses, the one with an all-ones host ID is the broadcast address and the one with an all-zero host ID is the network address).
  • Page 304: Displaying Ip Addressing Configuration

    To save IP address resources, the IP address of a Loopback interface is automatically configured with a 32-bit mask.
    Displaying IP Addressing Configuration
    To do: Display information about a specified or all Layer 3 interfaces. Command: display ip interface [ interface-type interface-number ]…
  • Page 305: Ip Performance Optimization Configuration

    IP Performance Optimization Configuration When optimizing IP performance, go to these sections for information you are interested in: IP Performance Overview Configuring IP Performance Optimization Displaying and Maintaining IP Performance Optimization Configuration IP Performance Overview Introduction to IP Performance Configuration In some network environments, you can adjust the IP parameters to achieve best network performance.
  • Page 306: Disabling Sending Of Icmp Error Packets

    synwait timer: When sending a SYN packet, TCP starts the synwait timer. If no response packet is received within the synwait timer interval, the TCP connection cannot be created. finwait timer: When a TCP connection is changed into FIN_WAIT_2 state, the finwait timer is started.
  • Page 307: Displaying And Maintaining Ip Performance Optimization Configuration

    If the destination of a packet is local while the transport layer protocol of the packet is not supported by the local device, the device sends a “protocol unreachable” ICMP error packet to the source. When receiving a packet with the destination being local and transport layer protocol being UDP, if the packet’s port number does not match the running process, the device will send the source a “port unreachable”...
  • Page 308 To do: Display the forwarding information base (FIB) entries. Command: display fib.
    To do: Display the FIB entries matching the destination IP address. Command: display fib ip_address1 [ { mask1 | mask-length1 } [ ip_address2 { mask2 | mask-length2 } | longer ] | longer ].
    To do: Display the FIB entries permitted by a… Command: display fib acl number…
  • Page 309 Table of Contents
    ARP Configuration 1-1
    Introduction to ARP 1-1
    ARP Function 1-1
    ARP Message Format 1-1
    ARP Table 1-3
    ARP Process 1-3
    Introduction to Gratuitous ARP 1-4
    Configuring ARP 1-4
    Configuring Gratuitous ARP 1-5
    Displaying and Debugging ARP 1-5
    ARP Configuration Examples 1-6…
  • Page 310: Arp Configuration

    ARP Configuration When configuring ARP, go to these sections for information you are interested in: Introduction to ARP Configuring ARP Configuring Gratuitous ARP Displaying and Debugging ARP ARP Configuration Examples Introduction to ARP ARP Function Address Resolution Protocol (ARP) is used to resolve an IP address into a data link layer address. An IP address is the address of a host at the network layer.
  • Page 311 Figure 1-1 ARP message format (fields in order: Hardware type (16 bits), Protocol type (16 bits), Length of hardware address, Length of protocol address, Operator (16 bits), Hardware address of the sender, …)
  • Page 312: Arp Table

    (Hardware type table, continued.) Value / Description: Chaos; IEEE802.X; ARC network.
    ARP Table
    In an Ethernet, the MAC addresses of two hosts must be available for the two hosts to communicate with each other. Each host in an Ethernet maintains an ARP table, where the latest used IP address-to-MAC address mapping entries are stored.
  • Page 313: Introduction To Gratuitous Arp

    mode, all hosts on this subnet can receive the request, but only the requested host (namely, Host B) will process the request. Host B compares its own IP address with the destination IP address in the ARP request. If they are the same, Host B saves the source IP address and source MAC address into its ARP mapping table, encapsulates its MAC address into an ARP reply, and unicasts the reply to Host A.
  • Page 314: Configuring Gratuitous Arp

    Static ARP entries are valid as long as the Ethernet switch operates normally. But some operations, such as removing a VLAN, or removing a port from a VLAN, will make the corresponding ARP entries invalid and therefore removed automatically. As for the arp static command, the value of the vlan-id argument must be the ID of an existing VLAN, and the port identified by the interface-type and interface-number arguments must belong to the VLAN.
  • Page 315: Arp Configuration Examples

    To do: Clear specific ARP entries. Command: reset arp [ dynamic | static | interface interface-type interface-number ]. Remarks: Available in user view.
    ARP Configuration Examples
    Network requirements: Disable ARP entry check on the switch. Set the aging time for dynamic ARP entries to 10 minutes. Add a static ARP entry, with the IP address being 192.168.1.1, the MAC address being 000f-e201-0000, and the outbound port being GigabitEthernet 1/0/10 of VLAN 1.
  • Page 316 Table of Contents
    1 DHCP Overview 1-1
    Introduction to DHCP 1-1
    DHCP IP Address Assignment 1-1
    IP Address Assignment Policy 1-1
    Obtaining IP Addresses Dynamically 1-2
    Updating IP Address Lease 1-3
    DHCP Packet Format 1-3
    Protocol Specification 1-4
    2 DHCP Relay Agent Configuration 2-1
    Introduction to DHCP Relay Agent 2-1
    Usage of DHCP Relay Agent 2-1
    DHCP Relay Agent Fundamentals 2-1…
  • Page 317: Dhcp Overview

    DHCP Overview When configuring DHCP, go to these sections for information you are interested in: Introduction to DHCP DHCP IP Address Assignment DHCP Packet Format Protocol Specification Introduction to DHCP With networks getting larger in size and more complicated in structure, lack of available IP addresses becomes the common situation the network administrators have to face, and network configuration becomes a tough task for the network administrators.
  • Page 318: Obtaining Ip Addresses Dynamically

    Manual assignment. The administrator configures static IP-to-MAC bindings for some special clients, such as a WWW server. Then the DHCP server assigns these fixed IP addresses to the clients. Automatic assignment. The DHCP server assigns IP addresses to DHCP clients. The IP addresses will be occupied by the DHCP clients permanently.
  • Page 319: Updating Ip Address Lease

    Updating IP Address Lease After a DHCP server dynamically assigns an IP address to a DHCP client, the IP address keeps valid only within a specified lease time and will be reclaimed by the DHCP server when the lease expires. If the DHCP client wants to use the IP address for a longer time, it must update the IP lease.
  • Page 320: Protocol Specification

    siaddr: IP address of the DHCP server. giaddr: IP address of the first DHCP relay agent that the DHCP client passes after it sent the request packet. chaddr: Hardware address of the DHCP client. sname: Name of the DHCP server. file: Path and name of the boot configuration file that the DHCP server specifies for the DHCP client.
  • Page 321: Dhcp Relay Agent Configuration

    DHCP Relay Agent Configuration When configuring the DHCP relay agent, go to these sections for information you are interested in: Introduction to DHCP Relay Agent; Configuring the DHCP Relay Agent; Displaying and Maintaining DHCP Relay Agent Configuration; DHCP Relay Agent Configuration Example; Troubleshooting DHCP Relay Agent Configuration. Currently, the interface-related DHCP relay agent configurations can only be made on VLAN interfaces.
  • Page 322: Option 82 Support On Dhcp Relay Agent

    Figure 2-1 Typical DHCP relay agent application In the process of dynamic IP address assignment through the DHCP relay agent, the DHCP client and DHCP server interoperate with each other in a similar way as they do without the DHCP relay agent. The following sections only describe the forwarding process of the DHCP relay agent.
  • Page 323: Configuring The Dhcp Relay Agent

    Figure 2-2 Padding contents for sub-option 1 of Option 82 Figure 2-3 Padding contents for sub-option 2 of Option 82 Mechanism of Option 82 supported on DHCP relay agent The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay agent is similar to that for the client to obtain an IP address from a DHCP server directly.
  • Page 324: Correlating A Dhcp Server Group With A Relay Agent Interface

    Task: Correlating a DHCP Server Group with a Relay Agent Interface. Remarks: Required.
    Task: Configuring DHCP Relay Agent Security Functions. Remarks: Optional.
    Task: Configuring the DHCP Relay Agent to Support Option 82. Remarks: Optional.
    Correlating a DHCP Server Group with a Relay Agent Interface
    To enhance reliability, you can set multiple DHCP servers on the same network.
  • Page 325: Configuring Dhcp Relay Agent Security Functions

    You can configure up to eight DHCP server IP addresses in a DHCP server group. You can map multiple VLAN interfaces to one DHCP server group. But one VLAN interface can be mapped to only one DHCP server group. If you execute the dhcp-server groupNo command repeatedly, the new configuration overwrites the previous one.
  • Page 326: Configuring The Dhcp Relay Agent To Support Option 82

    The address-check enable command is independent of other commands of the DHCP relay agent. That is, the invalid address check takes effect when this command is executed, regardless of whether other commands (such as the command to enable DHCP) are used. Before executing the address-check enable command on the interface connected to the DHCP server, you need to configure the static binding of the IP address to the MAC address of the DHCP server.
  • Page 327: Displaying And Maintaining Dhcp Relay Agent Configuration

    To do: Enter system view. Command: system-view. Remarks: —
    To do: Enable Option 82 support on the DHCP relay agent. Command: dhcp relay information enable. Remarks: Required. Disabled by default.
    To do: Configure the strategy for the DHCP relay agent to process request packets containing… Command: dhcp relay information strategy { drop | keep | replace }. Remarks: Optional. By default, the replace strategy…
  • Page 328: Troubleshooting Dhcp Relay Agent Configuration

    Network diagram: Figure 2-4 Network diagram for DHCP relay agent (DHCP clients connect to Switch A, the DHCP relay, on Vlan-int1 10.10.1.1/24; Switch A Vlan-int2 10.1.1.2/24 connects to Switch B, the DHCP server, on Vlan-int2 10.1.1.1/24).
    Configuration procedure
    # Create DHCP server group 1 and configure an IP address of 10.1.1.1 for it.
    <SwitchA>…
  • Page 329 Check if an address pool that is on the same network segment with the DHCP clients is configured on the DHCP server. Check if a reachable route is configured between the DHCP relay agent and the DHCP server. Check the DHCP relay agent. Check if the correct DHCP server group is configured on the interface connecting the network segment where the DHCP client resides.
  • Page 330: Dhcp/Bootp Client Configuration

    DHCP/BOOTP Client Configuration When configuring the DHCP/BOOTP client, go to these sections for information you are interested in: Introduction to DHCP Client Introduction to BOOTP Client Configuring a DHCP/BOOTP Client Displaying DHCP/BOOTP Client Configuration Introduction to DHCP Client After you specify a VLAN interface as a DHCP client, the device can use DHCP to obtain parameters such as IP address dynamically from the DHCP server, which facilitates user configuration and management.
  • Page 331: Displaying Dhcp/Bootp Client Configuration

    To do: Enter system view. Command: system-view. Remarks: —
    To do: Enter VLAN interface view. Command: interface vlan-interface vlan-id. Remarks: —
    To do: Configure the VLAN interface to obtain an IP address through DHCP or BOOTP. Command: ip address { bootp-alloc | dhcp-alloc }. Remarks: Required. By default, no IP address is configured for the VLAN…
  • Page 332: Bootp Client Configuration Example

    Network diagram: Figure 3-1 A DHCP network (Switch A, the DHCP client, on Vlan-int1; a second client; a DHCP server, a WINS server and a DNS server).
    Configuration procedure
    The following describes only the configuration on Switch A serving as a DHCP client.
    # Configure VLAN-interface 1 to dynamically obtain an IP address by using DHCP.
    <SwitchA>…
  • Page 333 Table of Contents
    1 DNS Configuration 1-1
    DNS Overview 1-1
    Static Domain Name Resolution 1-1
    Dynamic Domain Name Resolution 1-1
    Configuring Domain Name Resolution 1-2
    Configuring Static Domain Name Resolution 1-2
    Configuring Dynamic Domain Name Resolution 1-3
    Displaying and Maintaining DNS 1-3
    DNS Configuration Examples 1-4
    Static Domain Name Resolution Configuration Example 1-4
    Dynamic Domain Name Resolution Configuration Example 1-5
    Troubleshooting DNS 1-6…
  • Page 334: Dns Configuration

    DNS Configuration When configuring DNS, go to these sections for information you are interested in: DNS Overview Configuring Domain Name Resolution Displaying and Maintaining DNS DNS Configuration Examples Troubleshooting DNS This chapter covers only IPv4 DNS configuration. For details about IPv6 DNS, refer to IPv6 Management Operation.
  • Page 335: Configuring Domain Name Resolution

    2) The DNS resolver looks up the local domain name cache for a match. If a match is found, it sends the corresponding IP address back. If not, it sends the query to the DNS server. 3) The DNS server looks up its DNS database for a match. If no match is found, it sends a query to a higher-level DNS server.
  • Page 336: Configuring Dynamic Domain Name Resolution

    To do… / Use the command… / Remarks:
    Enter system view: system-view (—)
    Configure a mapping between a host name and an IP address: ip host hostname ip-address (Required. No IP address is assigned to a host name by default. The IP address you assign to a host name last time will overwrite the previous one if there is any.)
  • Page 337: Dns Configuration Examples

    To do… / Use the command… / Remarks:
    Display the DNS resolution result: nslookup type { ptr ip-address | a domain-name } (Available in user view)
    Clear the information in the dynamic domain name cache: reset dns dynamic-host (Available in user view)
    DNS Configuration Examples. Static Domain Name Resolution Configuration Example. Network requirements: The switch uses static domain name resolution to access host 10.1.1.2 through domain name host.com.
  • Page 338: Dynamic Domain Name Resolution Configuration Example

    Dynamic Domain Name Resolution Configuration Example Network requirements As shown in Figure 1-3, the switch serving as a DNS client uses dynamic domain name resolution to access the host at 3.1.1.1/16 through its domain name host. The DNS server has the IP address 2.1.1.2/16. The DNS suffix is com. Network diagram Figure 1-3 Network diagram for dynamic DNS configuration Configuration procedure...
  • Page 339: Troubleshooting Dns

    Reply from 3.1.1.1: bytes=56 Sequence=1 ttl=125 time=4 ms Reply from 3.1.1.1: bytes=56 Sequence=2 ttl=125 time=4 ms Reply from 3.1.1.1: bytes=56 Sequence=3 ttl=125 time=4 ms Reply from 3.1.1.1: bytes=56 Sequence=4 ttl=125 time=4 ms Reply from 3.1.1.1: bytes=56 Sequence=5 ttl=125 time=5 ms --- host.com ping statistics --- 5 packet(s) transmitted 5 packet(s) received...
  • Page 340 Table of Contents 1 ACL Configuration 1-1; ACL Overview 1-1; ACL Matching Order 1-1; Ways to Apply an ACL on a Switch 1-2; Types of ACLs Supported by Switch 4200G Series 1-3; ACL Configuration 1-3; Configuring Time Range 1-3; Configuring Basic ACL 1-4; Configuring Advanced ACL 1-5; Configuring Layer 2 ACL 1-7; ACL Assignment 1-8; Assigning an ACL Globally 1-9...
  • Page 341: Acl Matching Order

    ACL Configuration. ACL Overview: As network scale and network traffic keep growing, security control and bandwidth assignment play an increasingly important role in network management. Filtering data packets efficiently prevents unauthorized users from accessing a network, while also controlling network traffic and saving network resources.
  • Page 342: Ways To Apply An Acl On A Switch

    Depth-first match order for rules of an advanced ACL. Protocol range: A rule that specifies the type of protocol carried by IP takes precedence over rules that do not. Range of source IP address: The smaller the source IP address range (that is, the more zeros in the wildcard mask), the higher the match priority.
  • Page 343: Types Of Acls Supported By Switch 4200G Series

    When an ACL is directly applied to hardware for packet filtering, the switch will permit packets if the packets do not match the ACL. When an ACL is referenced by upper-layer software to control Telnet, SNMP and Web login users, the switch will deny packets if the packets do not match the ACL.
  • Page 344: Configuring Basic Acl

    If only a periodic time section is defined in a time range, the time range is active only when the system time is within the defined periodic time section. If multiple periodic time sections are defined in a time range, the time range is active only when the system time is within one of the periodic time sections.
  • Page 345: Configuring Advanced Acl

    Configuration Procedure. Table 1-2 Define a basic ACL rule (Operation / Command / Description):
    Enter system view: system-view (—)
    Create an ACL and enter basic ACL view: acl number acl-number [ match-order { auto | config } ] (Required. config by default)
    rule [ rule-id ] { deny | permit } (Required. For information about...
  • Page 346 Advanced ACLs support analysis and processing of three packet priority levels: type of service (ToS) priority, IP priority and differentiated services codepoint (DSCP) priority. Using advanced ACLs, you can define classification rules that are more accurate, more abundant, and more flexible than those defined for basic ACLs. Configuration Prerequisites To configure a time range-based advanced ACL rule, you need to create the corresponding time ranges first.
  • Page 347: Configuring Layer 2 Acl

    [Sysname] acl number 3000 [Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80 # Display the configuration information of ACL 3000. [Sysname-acl-adv-3000] display acl 3000 Advanced ACL 3000, 1 rule Acl's step is 1 rule 0 permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www Configuring Layer 2 ACL Layer 2 ACLs filter packets according to their Layer 2 information, such as the source and destination...
  • Page 348: Acl Assignment

    The content of a modified or created rule cannot be identical with the content of any existing rules; otherwise the rule modification or creation will fail, and the system prompts that the rule already exists. Configuration Example # Configure ACL 4000 to deny packets sourced from the MAC address 000d-88f5-97ed, destined for the MAC address 0011-4301-991e, and with their 802.1p priority being 3.
  • Page 349: Assigning An Acl Globally

    Assigning an ACL Globally Configuration prerequisites Before applying ACL rules to a VLAN, you need to define the related ACLs. For information about defining an ACL, refer to section Configuring Basic ACL, section Configuring Advanced ACL, section Configuring Layer 2 ACL.
  • Page 350: Assigning An Acl To A Port Group

    Configuration example # Apply ACL 2000 to VLAN 10 to filter the inbound packets of VLAN 10 on all the ports. <Sysname> system-view [Sysname] packet-filter vlan 10 inbound ip-group 2000 Assigning an ACL to a Port Group Configuration prerequisites Before applying ACL rules to a VLAN, you need to define the related ACLs. For information about defining an ACL, refer to section Configuring Basic ACL, section...
  • Page 351: Displaying Acl Configuration

    Configuration procedure. Table 1-8 Apply an ACL to a port (Operation / Command / Description):
    Enter system view: system-view (—)
    Enter Ethernet port view: interface interface-type interface-number (—)
    Apply an ACL to the port: packet-filter inbound acl-rule (Required. For description on the acl-rule argument, refer to ACL Command.)
  • Page 352: Example For Upper-Layer Software Referencing Acls

    Example for Upper-layer Software Referencing ACLs Example for Controlling Telnet Login Users by Source IP Network requirements Apply an ACL to permit users with the source IP address of 10.110.100.52 to telnet to the switch. Network diagram Figure 1-1 Network diagram for controlling Telnet login users by source IP Internet Switch 10.110.100.52...
  • Page 353: Example For Applying Acls To Hardware

    Configuration procedure # Define ACL 2001. <Sysname> system-view [Sysname] acl number 2001 [Sysname-acl-basic-2001] rule 1 permit source 10.110.100.46 0 [Sysname-acl-basic-2001] quit # Reference ACL 2001 to control users logging in to the Web server. [Sysname] ip http acl 2001 Example for Applying ACLs to Hardware Basic ACL Configuration Example Network requirements PC 1 and PC 2 connect to the switch through GigabitEthernet 1/0/1.
  • Page 354: Advanced Acl Configuration Example

    Advanced ACL Configuration Example Network requirements Different departments of an enterprise are interconnected through a switch. The IP address of the wage query server is 192.168.1.2. The R&D department is connected to GigabitEthernet 1/0/1 of the switch. Apply an ACL to deny requests from the R&D department and destined for the wage server during the working hours (8:00 to 18:00).
  • Page 355: Example For Applying An Acl To A Vlan

    Network diagram Figure 1-5 Network diagram for Layer 2 ACL Configuration procedure # Define a periodic time range that is active from 8:00 to 18:00 everyday. <Sysname> system-view [Sysname] time-range test 8:00 to 18:00 daily # Define ACL 4000 to filter packets with the source MAC address of 0011-0011-0011 and the destination MAC address of 0011-0011-0012.
  • Page 356 Network diagram: Figure 1-6 Network diagram for applying an ACL to a VLAN (database server 192.168.1.2; GE1/0/1, GE1/0/2, GE1/0/3; VLAN 10; PC 1, PC 2, PC 3). Configuration procedure: # Define a periodic time range that is active from 8:00 to 18:00 in working days. <Sysname>...
  • Page 357 Table of Contents 1 QoS Configuration 1-1; Overview 1-1; Introduction to QoS 1-1; Traditional Packet Forwarding Services 1-1; New Requirements from Emerging Applications 1-1; Major Traffic Control Technologies 1-2; QoS Features Supported by the Switch 4200G series 1-2; Introduction to QoS Features 1-3; Traffic Classification 1-3; Priority Trust Mode 1-4; Protocol Priority 1-8; Traffic Policing and Traffic Shaping 1-8...
  • Page 358: Overview

    QoS Configuration When configuring QoS, go to these sections for information you are interested in: Overview QoS Features Supported by the Switch 4200G series Introduction to QoS Features QoS Configuration QoS Configuration Examples Overview Introduction to QoS Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to meet customer needs.
  • Page 359: Major Traffic Control Technologies

    and jitter. Mission-critical applications, such as transactions and Telnet, may not require high bandwidth but do require low delay and preferential service during congestion. The emerging applications demand higher service performance from IP networks. Better network services during packet forwarding are required, such as providing dedicated bandwidth, reducing the packet loss ratio, managing and avoiding congestion, regulating network traffic, and setting the precedence of packets.
  • Page 360: Introduction To Qos Features

    Table 1-1 QoS features supported by the Switch 4200G series QoS Feature Description Reference information about Classify incoming traffic based on ACLs. ACLs, refer to the ACL The Switch 4200G series support the Operation following types of ACLs: Command manuals. Traffic classification Basic ACLs information...
  • Page 361: Priority Trust Mode

    Priority Trust Mode Introduction to precedence types IP precedence, ToS precedence, and DSCP Figure 1-2 DS field and ToS byte As shown in Figure 1-2, the ToS field of the IP header contains eight bits: the first three bits (0 to 2) represent IP precedence from 0 to 7 and the subsequent four bits (3 to 6) represent a ToS value from 0 to 15.
  • Page 362 Best Effort (BE) class: This class is a special CS class that does not provide any assurance. AF traffic exceeding the limit is degraded to the BE class. Currently, all IP network traffic belongs to this class by default. Table 1-3 Description on DSCP values DSCP value (decimal) DSCP value (binary) Description...
  • Page 363 The 4-byte 802.1q tag header consists of a two-byte tag protocol identifier (TPID) field, whose value is 0x8100, and a two-byte tag control information (TCI) field. Figure 1-4 presents the format of the 802.1q tag header. Figure 1-4 802.1q tag header Byte 1 Byte 2 Byte 3...
  • Page 364 When a packet carrying no 802.1q tag reaches a port, the switch uses the port priority as the 802.1p precedence value of the received packet, searches for the set of precedence values corresponding to the port priority of the receiving port in the 802.1p-precedence-to-other-precedence mapping table, and assigns the set of matching precedence values to the packet.
  • Page 365: Protocol Priority

    Table 1-6 The default CoS-precedence-to-other-precedence mapping table of Switch 4200G series (columns: 802.1p precedence value / Target local precedence value / Target drop precedence value). Table 1-7 The default DSCP-to-other-precedence mapping table of Switch 4200G series (columns: DSCP values / Target local precedence value / Target drop precedence value): 0 to 7; 8 to 15...
  • Page 366 Token bucket A token bucket can be considered as a container holding a certain number of tokens. The system puts tokens into the bucket at a set rate. When the token bucket is full, the extra tokens will overflow. Figure 1-6 Evaluate the traffic with the token bucket Put tokens in the bucket at the set rate Packets to be sent through this port...
  • Page 367: Queue Scheduling

    Traffic policing is widely used for policing traffic entering the network of internet service providers (ISPs). It can classify the policed traffic and perform pre-defined policing actions based on different evaluation results. These actions include: Dropping the nonconforming packets. Forwarding the conforming packets. Traffic shaping Traffic shaping provides measures to adjust the rate of outbound traffic actively.
  • Page 368 Figure 1-8 Diagram for SP queuing SP queuing is specially designed for mission-critical applications. The key feature of mission-critical applications is that they require preferential service to reduce the response delay when congestion occurs. Assume that there are eight output queues on the port and SP queuing classifies the eight output queues on the port into eight classes, which are queue 7, queue 6, queue 5, queue 4, queue 3, queue 2, queue 1, and queue 0 in the descending order of priority.
  • Page 369: Flow-Based Traffic Accounting

    WRR queuing schedules all the queues in turn and ensures that each of them is served for a certain time by assigning each queue a weight representing a certain amount of resources. Assume there are eight output queues on the port. WRR assigns queues 7 through 0 the weights w7, w6, w5, w4, w3, w2, w1, and w0.
  • Page 370: Qos Configuration

    By enabling the burst function on your device, you can improve the processing performance of the device operating in the above scenarios and thus reduce packet loss rate. Because the burst function may affect the QoS performance of your device, you must make sure that you are fully aware of the impacts when enabling the burst function.
  • Page 371: Configuring Priority Mapping

    Follow these steps to configure a port to trust 802.1p precedence (To do… / Use the command… / Remarks):
    Enter system view: system-view (—)
    Enter Ethernet port view: interface interface-type interface-number (—)
    Configure to trust 802.1p precedence: priority-trust cos (Required. By default, port priority is trusted.)
    Configuring a port to trust DSCP value of traffic. Follow these steps to configure a port to trust DSCP value of traffic: To do…...
  • Page 372 Configuration procedures. Configuring the CoS-precedence-to-other-precedence mapping table. Follow these steps to configure the CoS-precedence-to-other-precedence mapping table (To do… / Use the command… / Remarks):
    Enter system view: system-view (—)
    Configure the CoS-precedence-to-local-precedence mapping table: qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-local-prec cos3-map-local-prec cos4-map-local-prec cos5-map-local-prec cos6-map-local-prec cos7-map-local-prec (Required)
    qos cos-drop-precedence-map...
  • Page 373 [Sysname] qos dscp-local-precedence-map 8 9 10 11 12 13 14 15 : 3 [Sysname] qos dscp-local-precedence-map 16 17 18 19 20 21 22 23 : 4 [Sysname] qos dscp-local-precedence-map 24 25 26 27 28 29 30 31 : 1 [Sysname] qos dscp-local-precedence-map 32 33 34 35 36 37 38 39 : 7 [Sysname] qos dscp-local-precedence-map 40 41 42 43 44 45 46 47 : 0 [Sysname] qos dscp-local-precedence-map 48 49 50 51 52 53 54 55 : 5 [Sysname] qos dscp-local-precedence-map 56 57 58 59 60 61 62 63 : 6...
  • Page 374: Setting The Priority Of Protocol Packets

    (Only the DSCP value column, 36 through 58, of the displayed DSCP-to-local-precedence mapping table survives on this page; the mapped precedence values are not present.)
  • Page 375: Configuring Traffic Policing

    Configuration examples # Set the IP precedence value of ICMP packets to 3. <Sysname> system-view [Sysname] protocol-priority protocol-type icmp ip-precedence 3 # After completing the above configuration, display the list of protocol priorities manually specified. [Sysname] display protocol-priority Protocol: icmp IP-Precedence: flash(3) Configuring Traffic Policing Refer to...
  • Page 376 To do… / Use the command… / Remarks:
    Enter system view: system-view (—)
    Enter port group view: port-group group-id (—)
    Configure traffic policing: traffic-limit inbound acl-rule target-rate (Required. Disabled by default.)
    Configuring traffic policing for a port. Follow these steps to configure traffic policing for the incoming packets matching the specific ACL rules on a port: To do…...
  • Page 377: Configuring Traffic Shaping

    Configuring Traffic Shaping Refer to Traffic Policing and Traffic Shaping for information about traffic shaping. Configuration prerequisites The queue for which traffic shaping is to be performed has been determined. The maximum traffic rate and the burst size have been determined. The port where traffic shaping is to be configured has been determined.
  • Page 378 To do… / Use the command… / Remarks:
    Configure SP queuing: undo queue-scheduler [ queue-id ] &<1-8> (Optional. By default, SP queuing is used on all the output queues of a port.)
    Configuring SDWRR queuing. Follow these steps to configure SDWRR queuing: To do…...
  • Page 379: Configuring Traffic Accounting

    QID: scheduling-group weight ----------------------------------- wrr , group2 wrr , group2 wrr , group2 wrr , group1 wrr , group1 wrr , group1 Configuring Traffic Accounting Refer to Flow-Based Traffic Accounting for information about traffic accounting. Configuration prerequisites The ACL rules for traffic classification have been defined. Refer to the ACL module of this manual for information about defining ACL rules.
  • Page 380 To do… / Use the command… / Remarks:
    Enter system view: system-view (—)
    Enter port group view: port-group group-id (—)
    Collect statistics about ACL matching packets: traffic-statistic inbound acl-rule (Required. By default, traffic accounting is disabled.)
    Clear statistics about ACL matching packets: reset traffic-statistic inbound acl-rule (Optional)...
  • Page 381: Enabling The Burst Function

    <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule permit source 10.1.1.0 0.0.0.255 [Sysname-acl-basic-2000] quit [Sysname] traffic-statistic vlan 2 inbound ip-group 2000 [Sysname] reset traffic-statistic vlan 2 inbound ip-group 2000 Enabling the Burst Function Refer to Burst for information about the burst function. Configuration prerequisites The burst function is required.
  • Page 382: Qos Configuration Examples

    To do… / Use the command… / Remarks:
    Display QoS-related configuration of a port or all the ports: display qos-interface { interface-type interface-number | unit-id } all (Available in any view)
    Display the priority trust mode of a port or all the ports: display qos-interface { interface-type interface-number | unit-id } priority-trust... (Available in any view)
  • Page 383 Figure 1-10 Network diagram for traffic policing configuration Configuration procedure Define an ACL for traffic classification # Create ACL 2000 and enter basic ACL view to match packets sourced from network segment 192.168.1.0/24. <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255 [Sysname-acl-basic-2000] quit # Create ACL 2001 and enter basic ACL view to match packets sourced from network segment 192.168.2.0/24.
  • Page 384: Mirroring

    Table of Contents 1 Mirroring Configuration 1-1; Mirroring Overview 1-1; 1.1.1 Local Port Mirroring 1-1; Remote Port Mirroring 1-2; Mirroring Configuration 1-3; 1.1.2 Configuring Local Port Mirroring 1-4; Configuring Remote Port Mirroring 1-5; Displaying Port Mirroring 1-8; Mirroring Configuration Examples...
  • Page 385: Mirroring Configuration

    Mirroring Configuration When configuring mirroring, go to these sections for information you are interested in: Mirroring Overview Mirroring Configuration Displaying Port Mirroring Mirroring Configuration Examples Mirroring Overview Mirroring is to duplicate packets from a port to another port connected with a data monitoring device for network monitoring and diagnosis.
  • Page 386: Remote Port Mirroring

    Remote Port Mirroring Remote port mirroring does not require the source and destination ports to be on the same device. The source and destination ports can be located on multiple devices across the network. This allows an administrator to monitor traffic on remote devices conveniently. To implement remote port mirroring, a special VLAN, called remote-probe VLAN, is used.
  • Page 387: Mirroring Configuration

    Table 1-1 Ports involved in the mirroring operation (Switch / Ports involved / Function):
    Source switch, source port: Port monitored. It copies packets to the reflector port through local port mirroring. There can be more than one source port.
    Source switch, reflector port: Receives packets from the source port and broadcasts the packets in the...
  • Page 388: Configuring Local Port Mirroring

    Task / Remarks: Configuring Local Port Mirroring (Optional); Configuring Remote Port Mirroring (Optional). On a Switch 4200G, only one destination port for local port mirroring or one reflector port for remote port mirroring can be configured, and the two kinds of ports cannot both exist. 1.1.2 Configuring Local Port Mirroring. Configuration prerequisites...
  • Page 389: Configuring Remote Port Mirroring

    When configuring local port mirroring, note that: You need to configure the source and destination ports for the local port mirroring to take effect. The source port and the destination port cannot be a member port of an existing mirroring group; besides, the destination port cannot be a member port of an aggregation group or a port enabled with LACP or STP.
  • Page 390 To do… / Use the command… / Remarks:
    Return to system view: quit (—)
    Create a remote source mirroring group: mirroring-group group-id remote-source (Required)
    Configure source port(s) for the remote source mirroring group: mirroring-group group-id mirroring-port mirroring-port-list { both | inbound | outbound } (Required)
    Configure the reflector port for the remote source...: mirroring-group group-id...
  • Page 391 To do… / Use the command… / Remarks:
    Return to system view: quit (—)
    Enter the view of the Ethernet port connecting to the source switch, destination switch or other intermediate switch: interface interface-type interface-number (—)
    Configure the current port as trunk port: port link-type trunk (Required. By default, the port type is Access.)
  • Page 392: Displaying Port Mirroring

    To do… / Use the command… / Remarks:
    Configure the destination port for the remote destination mirroring group: mirroring-group group-id monitor-port monitor-port (Required)
    Configure the remote-probe VLAN for the remote destination mirroring group: mirroring-group group-id remote-probe vlan remote-probe-vlan-id (Required)
    When configuring a destination switch, note that: The destination port of remote port mirroring cannot be a member port of an existing mirroring group, a member port of an aggregation group, or a port enabled with LACP or STP.
  • Page 393: Remote Port Mirroring Configuration Example

    Network diagram Figure 1-3 Network diagram for local port mirroring Configuration procedure Configure Switch C: # Create a local mirroring group. <Sysname> system-view [Sysname] mirroring-group 1 local # Configure the source ports and destination port for the local mirroring group. [Sysname] mirroring-group 1 mirroring-port GigabitEthernet 1/0/1 GigabitEthernet 1/0/2 both [Sysname] mirroring-group 1 monitor-port GigabitEthernet 1/0/3...
  • Page 394 Department 1 is connected to GigabitEthernet 1/0/1 of Switch A. Department 2 is connected to GigabitEthernet 1/0/2 of Switch A. GigabitEthernet 1/0/3 of Switch A connects to GigabitEthernet 1/0/1 of Switch B. GigabitEthernet 1/0/2 of Switch B connects to GigabitEthernet 1/0/1 of Switch C. The data detection device is connected to GigabitEthernet 1/0/2 of Switch C.
  • Page 395 [Sysname] vlan 10 [Sysname-vlan10] remote-probe vlan enable [Sysname-vlan10] quit # Configure the source ports, reflector port, and remote-probe VLAN for the remote source mirroring group. [Sysname] mirroring-group 1 mirroring-port GigabitEthernet 1/0/1 GigabitEthernet 1/0/2 inbound [Sysname] mirroring-group 1 reflector-port GigabitEthernet 1/0/4 [Sysname] mirroring-group 1 remote-probe vlan 10 # Configure GigabitEthernet 1/0/3 as trunk port, allowing packets of VLAN 10 to pass.
  • Page 396 <Sysname> system-view [Sysname] mirroring-group 1 remote-destination # Configure VLAN 10 as the remote-probe VLAN. [Sysname] vlan 10 [Sysname-vlan10] remote-probe vlan enable [Sysname-vlan10] quit # Configure the destination port and remote-probe VLAN for the remote destination mirroring group. [Sysname] mirroring-group 1 monitor-port GigabitEthernet 1/0/2 [Sysname] mirroring-group 1 remote-probe vlan 10 # Configure GigabitEthernet 1/0/1 as the trunk port, allowing packets of VLAN 10 to pass.
  • Page 397 Table of Contents 1 Stack 1-1; Stack Function Overview 1-1; The Main Switch of a Stack 1-1; The Slave Switches of a Stack 1-1; Creating a Stack 1-1; Main Switch Configuration 1-2; Configuring the IP Address Pool and Creating the Stack 1-2; Switching to Slave Switch View 1-3; Slave Switch Configuration 1-3; Displaying and Debugging a Stack 1-4...
  • Page 398: Stack

    Stack Among Switch 4200G series switches, Switch 4200G 24-Port, Switch 4200G PWR 24-Port, and Switch 4200G 48-Port switches support stacks formed by 10GE stack boards. Stack Function Overview A stack is a management domain formed by a group of Ethernet switches interconnected through their stack ports.
  • Page 399: Main Switch Configuration

    Connect the intended main switch and slave switches through stack modules and dedicated stack cables. (Refer to 3Com Switch 4200G 10G Interface Module Installation Guide for the information about stack modules and stack cables.) Configure the IP address pool for the stack and enable the stack function. The main switch then automatically adds the switches connected to its stack ports to the stack.
  • Page 400: Switching To Slave Switch View

    To add a switch to a stack successfully, make sure the IP address pool contains at least one unoccupied IP address. Make sure the IP addresses in the IP address pool of a stack are successive so that they can be assigned successively.
  • Page 401: Displaying And Debugging A Stack

    Displaying and Debugging a Stack Use the display command to display the information about a stack. The display command can be executed in any view. Table 1-4 Display and maintain stack configurations Operation Command Description Optional The display command can be executed in any view.
  • Page 402
    Total members:3
    Management-vlan:1(default vlan)
    # Display the information about the stack members on switch A.
    <stack_0.Sysname> display stacking members
    Member number: 0
    Name:stack_0.Sysname
    Device: 4200G 12-Port
    MAC Address:000f-e20f-c43a
    Member status:Admin
    IP: 129.10.1.15/16
    Member number: 1
    Name:stack_1.Sysname
    Device: 4200G 12-Port...
  • Page 403
    IP: 129.10.1.16/16
    Member number: 2
    Name:stack_2.Sysname
    Device: 4200G 24-Port
    MAC Address: 000f-e200-3135
    Member status:Up
    IP: 129.10.1.17/16
    # Switch to Switch B (a slave switch).
    <stack_0.Sysname> stacking 1
    <stack_1.Sysname>
    # Display the information about the stack on switch B.
    <stack_1.Sysname> display stacking
    Slave device for stack.
  • Page 404: Cluster

    Cluster. Cluster Overview. Introduction to HGMP: A cluster contains a group of switches. Through cluster management, you can manage multiple geographically dispersed switches in a centralized way. Cluster management is implemented through the Huawei Group Management Protocol (HGMP); HGMP version 2 (HGMPv2) is used at present. A switch in a cluster plays one of the following three roles: management device, member device...
  • Page 405: Roles In A Cluster

    you can configure and manage all the member devices through the management device without logging on to them one by one. It provides topology discovery and display, which assists in monitoring and maintaining the network. It allows you to configure and upgrade multiple switches at the same time. It enables you to manage remote devices conveniently regardless of network topology and physical distance.
  • Page 406: How A Cluster Works

    Figure 2-2 State machine of cluster role A candidate device becomes a management device when you create a cluster on it. Note that a cluster must have one (and only one) management device. On becoming a management device, the device collects network topology information and tries to discover and determine candidate devices, which can then be added to the cluster through configurations.
  • Page 407 The management device adds the candidate devices to the cluster or removes member devices from the cluster according to the candidate device information collected through NTDP. Introduction to NDP NDP is a protocol used to discover adjacent devices and provide information about them. NDP operates on the data link layer, and therefore it supports different network layer protocols.
  • Page 408 device busy processing of the NTDP topology collection responses. To avoid such cases, the following methods can be used to control the NTDP topology collection request advertisement speed. Configuring the devices not to forward the NTDP topology collection request immediately after they receive an NTDP topology collection request.
  • Page 409 To create a cluster, you need to determine the device to operate as the management device first. The management device discovers and determines candidate devices through NDP and NTDP, and adds them to the cluster. You can also add candidate devices to a cluster manually. After a candidate device is added to a cluster, the management device assigns a member number and a private IP address (used for cluster management) to it.
  • Page 410 Additionally, on the management device, you can configure the FTP server, TFTP server, logging host and SNMP host to be shared by the whole cluster. When a member device in the cluster communicates with an external server, the member device first transmits data to the management device, which then forwards the data to the external server.
  • Page 411: Cluster Configuration Tasks

    Determine whether the destination MAC address or destination IP address is used to trace a device in the cluster If you use the tracemac command to trace the device by its MAC address, the switch will query its MAC address table according to the MAC address and VLAN ID in the command to find out the port connected with the downstream switch.
  • Page 412: Configuring The Management Device

    Configuring the Cluster Synchronization Function: Optional.
    Configuring the Management Device
    Management device configuration tasks
    Table 2-3 Management device configuration tasks
    Enabling NDP globally and on specific ports: Required.
    Configuring NDP-related parameters: Optional.
    Enabling NTDP globally and on a specific port: Required.
    Configuring NTDP-related parameters: Optional...
  • Page 413 Operation Command Description ndp enable interface In system view port-list Enable NDP Enter Use either approach. interface interface-type on specified Ethernet interface-number By default, NDP is Ethernet port view In Ethernet enabled on a port. ports port view Enable NDP on the ndp enable port Configuring NDP-related parameters...
  • Page 414 Operation Command Description Optional Configure the device forward delay of topology collection ntdp timer hop-delay time By default, the device forward requests delay is 200 ms. Optional Configure the port forward delay of topology collection ntdp timer port-delay time By default, the port forward requests delay is 20 ms.
  • Page 415 Operation Command Description Required Configure a multicast MAC By default, the cluster multicast cluster-mac H-H-H address for the cluster MAC address is 0180-C200-000A. Optional Set the interval for the cluster-mac syn-interval By default, the interval to send management device to send time-interval multicast packets is one multicast packets...
  • Page 416: Configuring Member Devices

    Configure a shared FTP server for the cluster: ftp-server ip-address. Optional; by default, the management device acts as the shared FTP server.
    Configure a shared TFTP server for the cluster: tftp-server ip-address. Optional; by default, no shared TFTP server is configured.
  • Page 417 To reduce the risk of being attacked by malicious users against opened socket and enhance switch security, the Switch 4200G series Ethernet switches provide the following functions, so that a cluster socket is opened only when it is needed: Opening UDP port 40000 (used for cluster) only when the cluster function is implemented, Closing UDP port 40000 at the same time when the cluster function is closed.
  • Page 418: Managing A Cluster Through The Management Device

    Enable NTDP globally: ntdp enable. Required.
    Enter Ethernet port view: interface interface-type interface-number.
    Enable NTDP on the port: ntdp enable. Required.
    Enabling the cluster function
    Table 2-15 Enable the cluster function
    Enter system view...
  • Page 419: Configuring The Enhanced Cluster Features

    Remove a member device from the cluster: delete-member member-number. Optional.
    Reboot a specified member device: reboot member { member-number | mac-address H-H-H } [ eraseflash ]. Optional.
    Return to system view: quit.
    Return to user view: quit...
  • Page 420 connected to the current cluster, this device cannot join the cluster and participate in the unified management and configuration of the cluster. Configure the enhanced cluster features Table 2-18 The enhanced cluster feature configuration tasks Operation Description Configure cluster topology management function Required Configure cluster device blacklist Required...
  • Page 421: Configuring The Cluster Synchronization Function

    Display the information about all the devices in the base cluster topology: display cluster base-members.
    Configure cluster device blacklist
    Perform the following configuration on the management device.
    Table 2-20 Configure the cluster device blacklist
    Enter system view: system-view...
  • Page 422 NDP and NTDP have been enabled on the management device and member devices, and NDP- and NTDP-related parameters have been configured. A cluster is established, and you can manage the member devices through the management device. Configuration procedure Perform the following operations on the management device to synchronize SNMP configurations: To do…...
  • Page 423 The MIB view name is mib_a, which includes all objects of the subtree org The SNMPv3 user is user_a, which belongs to the group group_a. # Create a community with the name of read_a, allowing read-only access right using this community name.
  • Page 424
    snmp-agent
    snmp-agent local-engineid 800007DB000FE22405626877
    snmp-agent community read read_a@cm0
    snmp-agent community write write_a@cm0
    snmp-agent sys-info version all
    snmp-agent group v3 group_a
    snmp-agent mib-view included mib_a org
    snmp-agent usm-user v3 user_a group_a
    undo snmp-agent trap enable standard
    Configuration file content on a member device (only the SNMP-related information is displayed)
    <test_2.Sysname>...
  • Page 425: Displaying And Maintaining Cluster Configuration

    Perform the above operations on the management device of the cluster. Creating a public local user is equivalent to executing these configurations on both the management device and the member devices (refer to the AAA Operation part in this manual), and these configurations are saved to the configuration files of the management device and the member devices.
  • Page 426: Cluster Configuration Example

    Cluster Configuration Example. Basic Cluster Configuration Example. Network requirements: Three switches compose a cluster. A Switch 4200G series switch serves as the management device; the other two are member devices, which the management device manages. The configuration for the cluster is as follows: The two member devices connect to the management device through GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3.
  • Page 427 [Sysname-Ethernet1/0/1] ntdp enable [Sysname-Ethernet1/1] quit # Enable the cluster function. [Sysname] cluster enable Configure the management device # Enable NDP globally and on GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3. <Sysname> system-view [Sysname] ndp enable [Sysname] interface GigabitEthernet 1/0/2 [Sysname-GigabitEthernet1/0/2] ndp enable [Sysname-GigabitEthernet1/0/2] quit [Sysname] interface GigabitEthernet 1/0/3 [Sysname-GigabitEthernet1/0/3] ndp enable...
  • Page 428
    [Sysname-cluster] ip-pool 172.16.0.1 255.255.255.248
    # Name and build the cluster.
    [Sysname-cluster] build aaa
    [aaa_0.Sysname-cluster]
    # Add the two attached switches to the cluster.
    [aaa_0.Sysname-cluster] add-member 1 mac-address 000f-e20f-0011
    [aaa_0.Sysname-cluster] add-member 17 mac-address 000f-e20f-0012
    # Set the holdtime of member device information to 100 seconds.
    [aaa_0.Sysname-cluster] holdtime 100
    # Set the interval to send handshake packets to 10 seconds.
  • Page 429: Enhanced Cluster Feature Configuration Example

    Enhanced Cluster Feature Configuration Example. Network requirements: The cluster operates properly. Add the device with the MAC address 0001-2034-a0e5 to the cluster blacklist, that is, prevent the device from being managed and maintained by the cluster. Save the current cluster topology as the base topology in the flash of the local management device of the cluster.
  • Page 430 Table of Contents
    1 SNMP Configuration ... 1-1
      SNMP Overview ... 1-1
        SNMP Operation Mechanism ... 1-1
        SNMP Versions ... 1-1
        Supported MIBs ... 1-2
      Configuring Basic SNMP Functions ... 1-2
      Configuring Trap-Related Functions ... 1-5
        Configuring Basic Trap Functions ... 1-5
        Configuring Extended Trap Function ... 1-5
      Enabling Logging for Network Management ... 1-6
      Displaying SNMP ... 1-6
      SNMP Configuration Example ... 1-7
        SNMP Configuration Example ... 1-7
    2 RMON Configuration ... 2-1...
  • Page 431: Snmp Configuration

    SNMP Configuration. When configuring SNMP, go to these sections for the information you are interested in: SNMP Overview; Configuring Basic SNMP Functions; Configuring Trap-Related Functions; Enabling Logging for Network Management; Displaying SNMP; SNMP Configuration Example. SNMP Overview: The Simple Network Management Protocol (SNMP) is used to carry management information between any two network nodes.
  • Page 432: Supported Mibs

    Set the permission for a community to access MIB objects to read-only or read-write. Communities with read-only permission can only query switch information, while those with read-write permission can also configure the switch. Associate a basic ACL with the community name to restrict the source addresses that may use it. Note that SNMPv1 and SNMPv2c carry the community name in cleartext in every packet, so the ACL and a read-only view limit what a captured community name can do but do not protect the name itself; use SNMPv3 with authentication where the NMS supports it. Supported MIBs: An SNMP packet carries management variables with it.
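The community, MIB-view and ACL checks described above, worked through as an added example in Python (this is not code from the manual or from the switch; the manual's own commands are the snmp-agent ones shown in this chapter). The view mib_a including the org subtree (1.3) comes from the configuration example later in this chapter. The excluded subtree SNMP-COMMUNITY-MIB (1.3.6.1.6.3.18), the networks in the communities' ACLs and the NMS addresses are assumptions constructed for the example:

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Oid = Tuple[int, ...]


def parse_oid(text: str) -> Oid:
    return tuple(int(x) for x in text.strip(".").split("."))


@dataclass
class MibView:
    """A named view built from included and excluded subtrees."""
    name: str
    subtrees: List[Tuple[Oid, bool]]          # (subtree, included?)

    def allows(self, oid: Oid) -> bool:
        # The most specific matching subtree decides (the VACM rule);
        # an OID matched by no subtree is outside the view.
        best: Optional[Tuple[Oid, bool]] = None
        for subtree, included in self.subtrees:
            if oid[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
                best = (subtree, included)
        return bool(best and best[1])


@dataclass
class Community:
    name: str
    access: str                 # "read" or "write"
    view: MibView
    acl: Optional[List[str]]    # source networks allowed to use this name; None = any


def check_request(communities: Dict[str, Community], community: str,
                  nms_ip: str, oid_text: str, op: str) -> Tuple[bool, str]:
    """Decide whether a get/set from nms_ip with this community name is served."""
    c = communities.get(community)
    if c is None:
        return False, "unknown community"
    if c.acl is not None and not any(ipaddress.ip_address(nms_ip) in ipaddress.ip_network(n)
                                     for n in c.acl):
        return False, "source address rejected by the community's ACL"
    if op == "set" and c.access != "write":
        return False, "community is read-only"
    if not c.view.allows(parse_oid(oid_text)):
        return False, f"OID outside view {c.view.name}"
    return True, "permitted"


def build_example() -> Dict[str, Community]:
    # mib_a as in the manual: the org subtree included. The exclusion of
    # SNMP-COMMUNITY-MIB and the ACL networks are assumptions for this example.
    mib_a = MibView("mib_a", [(parse_oid("1.3"), True),
                              (parse_oid("1.3.6.1.6.3.18"), False)])
    return {
        "read_a": Community("read_a", "read", mib_a, acl=["10.1.0.0/16"]),
        "write_a": Community("write_a", "write", mib_a, acl=["10.1.0.5/32"]),
    }
```

The excluded subtree illustrates why "include everything under org" is too broad for a read-only community: on an agent that implements SNMP-COMMUNITY-MIB, a reader of that subtree could retrieve the configured community names.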
  • Page 433 By default, the contact snmp-agent sys-info information for system Set system information, and specify { contact sys-contact | maintenance is " 3Com to enable SNMPv1 or SNMPv2c on location sys-location | Corporation.", the system the switch version { { v1 | v2c | v3 }* | location is "...
  • Page 434 By default, the contact snmp-agent sys-info information for system Set system information and { contact sys-contact | maintenance is " 3Com specify to enable SNMPv3 on location sys-location | version Corporation.", the system the switch { { v1 | v2c | v3 }* | all } } location is "...
  • Page 435: Configuring Trap-Related Functions

    Configuring Trap-Related Functions. Configuring Basic Trap Functions: Traps are messages sent by managed devices to the NMS without being requested. They are used to report urgent and important events (for example, the rebooting of a managed device). Note that basic SNMP configuration must be performed before you configure the basic trap function. Follow these steps to configure the basic trap function: To do...
  • Page 436: Enabling Logging For Network Management

    Follow these steps to configure the extended trap function:
    Enter system view: system-view.
    Configure the extended trap function: snmp-agent trap ifmib link extended. Optional; by default, the linkUp/linkDown trap adopts the standard format defined in IF-MIB. For details, refer to RFC 1213.
  • Page 437: Snmp Configuration Example

    Display trap list information: display snmp-agent trap-list
    Display the currently configured community names: display snmp-agent community [ read | write ]
    Display the currently configured MIB views: display snmp-agent mib-view [ exclude | include | viewname view-name ]
    SNMP Configuration Example
    Network requirements...
  • Page 438 Authentication-related configuration on an NMS must be consistent with that of the devices for the NMS to manage the devices successfully. For more information, refer to the corresponding manuals of 3Com’s NMS products. You can query and configure an Ethernet switch through the NMS.
  • Page 439: Rmon Configuration

    RMON Configuration When configuring RMON, go to these sections for information you are interested in: Introduction to RMON RMON Configuration Displaying RMON RMON Configuration Example Introduction to RMON Remote Monitoring (RMON) is a kind of MIB defined by Internet Engineering Task Force (IETF). It is an important enhancement made to MIB II standards.
  • Page 440: Commonly Used Rmon Groups

    error statistics and performance statistics of the network segments to which the ports of the managed network devices are connected. Thus, the NMS can further manage the networks. Commonly Used RMON Groups Event group Event group is used to define the indexes of events and the processing methods of the events. The events defined in an event group are mainly used by entries in the alarm group and extended alarm group to trigger alarms.
  • Page 441: Rmon Configuration

    Statistics group Statistics group contains the statistics of each monitored port on a switch. An entry in a statistics group is an accumulated value counting from the time when the statistics group is created. The statistics include the number of the following items: collisions, packets with Cyclic Redundancy Check (CRC) errors, undersize (or oversize) packets, broadcast packets, multicast packets, and received bytes and packets.
  • Page 442: Displaying Rmon

    The rmon alarm and rmon prialarm commands take effect on existing nodes only. For each port, only one RMON statistics entry can be created. That is, if an RMON statistics entry already exists for a given port, you cannot create another statistics entry with a different index for the same port.
  • Page 443
    [Sysname-GigabitEthernet1/0/1] quit
    # Add the event entries numbered 1 and 2 to the event table; they will be triggered by the following extended alarm.
    [Sysname] rmon event 1 log
    [Sysname] rmon event 2 trap 10.21.30.55
    # Add an entry numbered 2 to the extended alarm table. The alarm variable is calculated with the formula (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.1), that is, etherStatsUndersizePkts plus etherStatsOversizePkts of statistics entry 1: the number of undersize and oversize packets received by GigabitEthernet 1/0/1 that are otherwise well formed, sampled every 10 seconds.
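How the extended alarm above behaves once it is running, as an added example in Python (not code from the manual or the switch): the manual's formula, etherStatsUndersizePkts.1 plus etherStatsOversizePkts.1, is evaluated as a delta over each 10-second sampling interval, the RMON rising/falling hysteresis rule is applied, and event 2 (trap to 10.21.30.55) or event 1 (log) from the event table configured above is fired. The thresholds (rising 50, falling 5) and the counter snapshots are constructed for the example because the manual's values are cut off here:

```python
from typing import Callable, Dict, List, Optional, Tuple

# etherStatsTable columns for statistics entry 1 (GigabitEthernet 1/0/1 in the manual)
UNDERSIZE_PKTS = ".1.3.6.1.2.1.16.1.1.1.9.1"     # etherStatsUndersizePkts.1
OVERSIZE_PKTS = ".1.3.6.1.2.1.16.1.1.1.10.1"     # etherStatsOversizePkts.1

# Event table from the manual's example: event 1 logs, event 2 sends a trap to 10.21.30.55
EVENTS: Dict[int, Tuple[str, Optional[str]]] = {1: ("log", None), 2: ("trap", "10.21.30.55")}

Mib = Dict[str, int]
FiredEvent = Tuple[int, str, Optional[str]]      # (event number, action, trap target)


class PriAlarm:
    """Extended alarm entry: evaluates a formula over MIB variables each sampling interval."""

    def __init__(self, formula: Callable[[Mib], int], sample_type: str,
                 rising: int, falling: int, rising_event: int, falling_event: int) -> None:
        self.formula, self.sample_type = formula, sample_type
        self.rising, self.falling = rising, falling
        self.rising_event, self.falling_event = rising_event, falling_event
        self.prev: Optional[int] = None
        self.last_fired: Optional[str] = None    # hysteresis: which threshold fired last

    def sample(self, mib: Mib, fired: List[FiredEvent]) -> Optional[int]:
        raw = self.formula(mib)
        if self.sample_type == "delta":
            if self.prev is None:                # the first sample only seeds the delta
                self.prev = raw
                return None
            value, self.prev = raw - self.prev, raw
        else:
            value = raw                          # "absolute" sampling
        # RMON rule: after a rising event no further rising event fires until the
        # value has come back down to the falling threshold, and vice versa.
        if value >= self.rising and self.last_fired != "rising":
            self.last_fired = "rising"
            fired.append((self.rising_event,) + EVENTS[self.rising_event])
        elif value <= self.falling and self.last_fired != "falling":
            self.last_fired = "falling"
            fired.append((self.falling_event,) + EVENTS[self.falling_event])
        return value


def bad_size_pkts(mib: Mib) -> int:
    """The manual's formula: undersize + oversize packets of statistics entry 1."""
    return mib[UNDERSIZE_PKTS] + mib[OVERSIZE_PKTS]


def run_demo() -> List[FiredEvent]:
    """Constructed counter snapshots taken every 10 s; thresholds are assumed."""
    alarm = PriAlarm(bad_size_pkts, "delta", rising=50, falling=5,
                     rising_event=2, falling_event=1)
    snapshots = [(0, 0), (10, 10), (40, 30), (45, 31), (46, 31)]  # (undersize, oversize)
    fired: List[FiredEvent] = []
    for under, over in snapshots:
        alarm.sample({UNDERSIZE_PKTS: under, OVERSIZE_PKTS: over}, fired)
    return fired
```

The burst in the third interval (50 malformed frames in 10 s) raises the trap once; the quiet fourth and fifth intervals do not repeat it, and the drop to one frame per interval fires the log event, which re-arms the rising threshold.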
  • Page 444 Table of Contents
    1 Multicast Overview ... 1-1
      Multicast Overview ... 1-1
        Information Transmission in the Unicast Mode ... 1-1
        Information Transmission in the Broadcast Mode ... 1-2
        Information Transmission in the Multicast Mode ... 1-2
        Roles in Multicast ... 1-3
        Advantages and Applications of Multicast ... 1-4
      Multicast Models ... 1-4
      Multicast Architecture ... 1-5
        1.1.1 Multicast Protocols ... 1-8
      Multicast Packet Forwarding Mechanism ... 1-10...
  • Page 446: Multicast Overview

    Multicast Overview. With the development of the Internet, more and more interactive services, such as data, voice, and video services, are running on networks. In addition, highly bandwidth- and time-critical services, such as e-commerce, Web conferencing, online auctions, video on demand (VoD), and tele-education, have come into being.
  • Page 447: Information Transmission In The Broadcast Mode

    Information Transmission in the Broadcast Mode: When you adopt broadcast, the system transmits information to all users on a network. Every user on the network receives the information, whether or not it is needed. Figure 1-2 shows information transmission in broadcast mode. Figure 1-2 Information transmission in the broadcast mode. Assume that Hosts B, D, and E need the information.
  • Page 448: Roles In Multicast

    Figure 1-3 Information transmission in the multicast mode (diagram: a Source/Server sends packets for the multicast group; Hosts B, D and E are receivers, Hosts A and C are not)
    Assume that Hosts B, D and E need the information. To transmit the information to the right users, it is necessary to group Hosts B, D and E into a receiver set.
  • Page 449: Advantages And Applications Of Multicast

    Table 1-1 An analogy between TV transmission and multicast transmission
    Step 1. TV transmission: A TV station transmits a TV program through a television channel. Multicast transmission: A multicast source sends multicast data to a multicast group.
    Step 2. TV transmission: A user tunes the TV set to the channel. Multicast transmission: A receiver joins the multicast group.
  • Page 450: Multicast Architecture

    ASM model: In the ASM model, any sender can become a multicast source and send information to a multicast group; any number of receivers can join a multicast group identified by a group address and obtain the multicast information addressed to that group. In this model, receivers do not know the position of a multicast source in advance.
  • Page 451 As receivers are multiple hosts in a multicast group, you should be concerned about the following questions: What destination should the information source send the information to in the multicast mode? How to select the destination address? These questions are about multicast addressing. To enable the communication between the information source and members of a multicast group (a group of information receivers), network-layer multicast addresses, namely, IP multicast addresses must be provided.
  • Page 452 Class D address range Description Administratively scoped multicast addresses, which are 239.0.0.0 to 239.255.255.255 for specific local use only. As specified by IANA, the IP addresses ranging from 224.0.0.0 to 224.0.0.255 are reserved for network protocols on local networks. The following table lists commonly used reserved IP multicast addresses: Table 1-3 Reserved IP multicast addresses Class D Description...
  • Page 453: Multicast Protocols

    Ethernet multicast MAC address When a unicast IP packet is transported in an Ethernet network, the destination MAC address is the MAC address of the receiver. When a multicast packet is transported in an Ethernet network, a multicast MAC address is used as the destination address because the destination is a group with an uncertain number of members.
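The IP-to-MAC mapping this paragraph introduces, as an added example in Python (not from the manual): the low 23 bits of the class D address are copied into 01-00-5E-00-00-00, so 32 IP groups share each Ethernet multicast MAC address. That is why the display igmp-snooping group output later in this part lists "ip group(s) [that] match to one mac group": a Layer 2 device that forwards on the MAC address alone delivers all 32 groups to a port that joined any one of them. The group addresses used are constructed for the example:

```python
import ipaddress
from typing import List

MCAST_MAC_BASE = 0x01005E000000   # 01-00-5E-00-00-00, the IANA block for IPv4 multicast


def ip_to_multicast_mac(group: str) -> str:
    """Map an IPv4 multicast group to its Ethernet multicast MAC (H-H-H form, as in the manual)."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a class D address")
    # Only the low 23 bits of the group survive; bit 24 of the MAC is always 0.
    mac = MCAST_MAC_BASE | (int(addr) & 0x7FFFFF)
    return "{:04x}-{:04x}-{:04x}".format(mac >> 32, (mac >> 16) & 0xFFFF, mac & 0xFFFF)


def groups_sharing_mac(group: str) -> List[str]:
    """All 32 class D addresses that map to the same MAC address as `group`.

    The five bits the mapping drops are bits 23..27 of the address, so the
    colliding groups differ only in the first octet (224..239) and the top
    bit of the second octet (0 or 128).
    """
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | low23)) for i in range(32)]


def same_mac(group_a: str, group_b: str) -> bool:
    """True when frames for the two groups are indistinguishable at Layer 2."""
    return ip_to_multicast_mac(group_a) == ip_to_multicast_mac(group_b)
```

When choosing group addresses for separate sources or tenants, avoid pairs that groups_sharing_mac() reports as colliding; this is the same limitation the manual notes for IGMPv3 Snooping, which cannot separate different sources sending to one group.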
  • Page 454 Figure 1-5 Positions of Layer 3 multicast protocols AS 1 Receiver AS 2 Receiver IGMP IGMP MSDP IGMP Receiver Source Multicast management protocols Typically, the Internet Group Management Protocol (IGMP) is used between hosts and Layer 3 multicast devices directly connected with the hosts. These protocols define the mechanism of establishing and maintaining group memberships between hosts and Layer 3 multicast devices.
  • Page 455: Multicast Packet Forwarding Mechanism

    Figure 1-6 Positions of Layer 2 multicast protocols (diagram: IGMP Snooping on the Layer 2 switches between the Source and the receivers)
    IGMP Snooping: Running on Layer 2 devices, Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that manages and controls multicast groups by listening to and analyzing the IGMP messages exchanged between hosts and Layer 3 multicast devices, thus effectively controlling the flooding of multicast data in a Layer 2 network.
  • Page 456: Rpf Check

    If the corresponding (S, G) entry exists, but the interface on which the packet actually arrived is not the incoming interface in the multicast forwarding table, the multicast packet is subject to an RPF check. If the result of the RPF check shows that the RPF interface is the incoming interface of the existing (S, G) entry, this means that the (S, G) entry is correct but the packet arrived from a wrong path and is to be discarded.
  • Page 457 A multicast packet from Source arrives to VLAN-interface 1 of Switch C, and the corresponding forwarding entry does not exist in the multicast forwarding table of Switch C. Switch C performs an RPF check, and finds in its unicast routing table that the outgoing interface to 192.168.0.0/24 is VLAN-interface 2.
  • Page 458: Igmp Snooping Configuration

    IGMP Snooping Configuration IGMP Snooping Overview Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups. Principle of IGMP Snooping By analyzing received IGMP messages, a Layer 2 device running IGMP Snooping establishes mappings between ports and multicast MAC addresses and forwards multicast data based on these mappings.
  • Page 459: Work Mechanism Of Igmp Snooping

    Figure 2-2 IGMP Snooping related ports (diagram: Router A, Switch A and Switch B, Hosts A to D with Host A and Host C as receivers, and the router ports, member ports and multicast packet path marked)
    Ports involved in IGMP Snooping, as shown in Figure 2-2, are described as follows: Router port: A router port is a port on the Layer 3 multicast device (DR or IGMP querier) side of the...
  • Page 460 When receiving a general query The IGMP querier periodically sends IGMP general queries to all hosts and routers on the local subnet to find out whether active multicast group members exist on the subnet. Upon receiving an IGMP general query, the switch forwards it through all ports in the VLAN except the receiving port and performs the following to the receiving port: If the receiving port is a router port existing in its router port list, the switch resets the aging timer of this router port.
  • Page 461: Igmp Snooping Configuration

    immediately delete the forwarding entry corresponding to that port from the forwarding table; instead, it resets the aging timer of the member port. Upon receiving the IGMP leave message from a host, the IGMP querier resolves from the message the address of the multicast group that the host just left and sends an IGMP group-specific query to that multicast group through the port that received the leave message.
  • Page 462: Enabling Igmp Snooping

    Enabling IGMP Snooping
    Table 2-3 Enable IGMP Snooping
    Enter system view: system-view.
    Enable IGMP Snooping globally: igmp-snooping enable. Required; by default, IGMP Snooping is disabled globally.
    Enter VLAN view: vlan vlan-id.
    Enable IGMP Snooping on the VLAN: igmp-snooping enable. Required; by default, IGMP Snooping is...
  • Page 463: Configuring Timers

    Before configuring related IGMP Snooping functions, you must enable IGMP Snooping in the specified VLAN. Different multicast group addresses should be configured for different multicast sources because IGMPv3 Snooping cannot distinguish multicast data from different sources to the same multicast group.
  • Page 464: Configuring A Multicast Group Filter

    Enabling fast leave processing in Ethernet port view
    Table 2-7 Enable fast leave processing in Ethernet port view
    Enter system view: system-view.
    Enter Ethernet port view: interface interface-type interface-number.
    Enable fast leave processing for specific VLANs: igmp-snooping fast-leave [ vlan vlan-list ]. Required; by default, the fast leave...
  • Page 465: Configuring The Maximum Number Of Multicast Groups On A Port

    Configure a multicast group filter: igmp-snooping group-policy acl-number [ vlan vlan-list ]. Required; no group filter is configured by default, that is, hosts can join any multicast group.
    Configuring a multicast group filter in Ethernet port view
    Table 2-9 Configure a multicast group filter in Ethernet port view
    Operation / Command / Remarks...
  • Page 466: Configuring Igmp Querier

    Limit the number of multicast groups on a port: igmp-snooping group-limit limit [ vlan vlan-list [ overflow-replace ] ]. Required; the system default for the Switch 4200G series is 256.
    To prevent traffic bursts in the network or performance deterioration of the device caused by excessive multicast groups, you can set the maximum number of multicast groups that the switch processes.
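The port tables described under "Work Mechanism of IGMP Snooping", together with the fast-leave, group-filter and group-limit behaviour of the tables above, as an added simulation in Python (not code from the manual or the switch). Router ports are learned from general queries, member ports from reports; a leave either removes the port at once (fast leave) or shortens its timer to the wait for answers to the group-specific query; unknown groups are flooded in the VLAN. The timer values, port names and event sequence are assumptions; the default group limit of 256 is the manual's:

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Timer values are assumptions for this simulation, not 4200G defaults.
ROUTER_PORT_AGING = 105.0   # a dynamic router port lives this long without a new query
MEMBER_PORT_AGING = 260.0   # a member port lives this long without a new report
LEAVE_QUERY_WAIT = 1.0      # time allowed for replies to the group-specific query


@dataclass
class SnoopingVlan:
    """Forwarding state IGMP Snooping keeps for one VLAN."""
    vlan_ports: Set[str]
    fast_leave_ports: Set[str] = field(default_factory=set)
    allowed_groups: Optional[Set[str]] = None      # None: no group filter (manual default)
    max_groups_per_port: int = 256                 # 4200G default from the manual
    router_ports: Dict[str, float] = field(default_factory=dict)        # port -> expiry
    members: Dict[str, Dict[str, float]] = field(default_factory=dict)  # group -> port -> expiry

    def groups_on_port(self, port: str) -> int:
        return sum(1 for ports in self.members.values() if port in ports)

    def on_general_query(self, port: str, now: float) -> None:
        # Queries come from the querier side: the receiving port is a router port and
        # an existing one simply has its aging timer reset.
        self.router_ports[port] = now + ROUTER_PORT_AGING

    def on_report(self, port: str, group: str, now: float) -> bool:
        """Membership report: add or refresh a member port. False if rejected."""
        if self.allowed_groups is not None and group not in self.allowed_groups:
            return False                           # rejected by the group filter
        ports = self.members.setdefault(group, {})
        if port not in ports and self.groups_on_port(port) >= self.max_groups_per_port:
            if not ports:
                del self.members[group]
            return False                           # group limit reached on this port
        ports[port] = now + MEMBER_PORT_AGING
        return True

    def on_leave(self, port: str, group: str, now: float) -> None:
        ports = self.members.get(group)
        if not ports or port not in ports:
            return
        if port in self.fast_leave_ports:
            del ports[port]                        # fast leave: remove the port at once
        else:
            # Normal leave: keep the port only until the group-specific query is answered.
            ports[port] = min(ports[port], now + LEAVE_QUERY_WAIT)
        if not ports:
            del self.members[group]

    def expire(self, now: float) -> None:
        """Age out router ports and member ports whose timers have run down."""
        self.router_ports = {p: t for p, t in self.router_ports.items() if t > now}
        for group in list(self.members):
            live = {p: t for p, t in self.members[group].items() if t > now}
            if live:
                self.members[group] = live
            else:
                del self.members[group]

    def forward_ports(self, group: str, in_port: str) -> Set[str]:
        """Egress set for a data frame of `group` arriving on `in_port`."""
        if group in self.members:
            out = set(self.members[group]) | set(self.router_ports)
        else:
            out = set(self.vlan_ports)             # unknown group: flooded in the VLAN
        return out - {in_port}


def snooping_demo() -> Dict[str, Set[str]]:
    """Constructed event sequence; returns the egress set seen at each step."""
    vlan = SnoopingVlan(vlan_ports={"GE1/0/1", "GE1/0/2", "GE1/0/3", "GE1/0/4"},
                        fast_leave_ports={"GE1/0/3"})
    seen: Dict[str, Set[str]] = {}
    vlan.on_general_query("GE1/0/1", now=0)        # the querier is reached via GE1/0/1
    vlan.on_report("GE1/0/2", "224.1.1.1", now=0)  # a host behind GE1/0/2 joins
    vlan.on_report("GE1/0/3", "224.1.1.1", now=0)  # a host behind GE1/0/3 joins
    seen["joined"] = vlan.forward_ports("224.1.1.1", "GE1/0/4")
    vlan.on_leave("GE1/0/3", "224.1.1.1", now=10)  # fast-leave port: gone immediately
    seen["after_fast_leave"] = vlan.forward_ports("224.1.1.1", "GE1/0/4")
    vlan.on_leave("GE1/0/2", "224.1.1.1", now=10)  # normal leave: wait for the group query
    vlan.expire(now=10.5)
    seen["during_query_wait"] = vlan.forward_ports("224.1.1.1", "GE1/0/4")
    vlan.expire(now=12)                            # nobody answered: the entry is removed
    seen["after_timeout"] = vlan.forward_ports("224.1.1.1", "GE1/0/4")
    return seen
```

The last step shows the side effect of losing the only member: with the group unknown again, its traffic is flooded to every port in the VLAN until a new report arrives, which is what the manual's option to suppress flooding of unknown multicast traffic addresses. Fast leave is safe only on a port with a single host behind it; on a port shared by several hosts, one host's leave cuts the others off.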
  • Page 467: Suppressing Flooding Of Unknown Multicast Traffic In A Vlan

    Configure the interval of sending general queries: igmp-snooping query-interval seconds. Optional; by default, the interval of sending general queries is 60 seconds.
    Configure the source IP address of general queries: igmp-snooping general-query source-ip { current-interface | ip-address }. Optional; by default, the source IP address of general queries is...
  • Page 468: Configuring A Static Router Port

    Configure the current port as a static member port for a multicast group in a VLAN: multicast static-group group-address vlan vlan-id. Required; by default, no port is configured as a static multicast group member port.
    In VLAN interface view
    Table 2-14 Configure a static multicast group member port in VLAN interface view
    Operation / Command...
  • Page 469: Configuring A Port As A Simulated Group Member

    Configuring a Port as a Simulated Group Member Generally, hosts running IGMP respond to the IGMP query messages of the multicast switch. If hosts fail to respond for some reason, the multicast switch may consider that there is no member of the multicast group on the local subnet and remove the corresponding path.
  • Page 470: Configuring A Vlan Tag For Query Messages

    Configuring a VLAN Tag for Query Messages: By configuring the VLAN tag carried in the IGMP general and group-specific queries forwarded and sent by IGMP Snooping switches, you can enable multicast packet forwarding between different VLANs in a Layer 2 multicast network. Follow these steps to configure the VLAN tag for query messages: Table 2-18 Configure VLAN tag for query messages. Operation...
  • Page 471 Operation Command Remarks Required Enable IGMP igmp enable By default, the IGMP feature is disabled. Return to system view quit — Enter Ethernet port view for the interface interface-type — Layer 2 switch to be configured interface-number Define the port as a trunk or port link-type { trunk | Required hybrid port...
  • Page 472: Displaying And Maintaining Igmp Snooping

    One port can belong to only one multicast VLAN. The port connected to a user terminal must be a hybrid port. The multicast member ports must be in the same VLAN with the router port. Otherwise, the multicast member port cannot receive multicast packets. If a router port is in a multicast VLAN, the router port must be configured as a trunk port or a hybrid port that allows tagged packets to pass for the multicast VLAN.
  • Page 473 Network diagram Figure 2-3 Network diagram for IGMP Snooping configuration Receiver Host A Source Receiver VLAN100 GE1/0/4 GE1/0/2 GE1/0/1 1.1.1.2/24 10.1.1.1/24 GE1/0/1 GE1/0/3 Router A Switch A Host B GE1/0/2 1.1.1.1/24 IGMP querier Multicast packets Host C Configuration procedure Configure the IP address of each interface Configure an IP address and subnet mask for each interface as per Figure 2-3.
  • Page 474: Configuring Multicast Vlan

    # View the detailed information of the multicast group in VLAN 100 on Switch A.
    <SwitchA> display igmp-snooping group vlan100
      Total 1 IP Group(s).
      Total 1 MAC Group(s).
      Vlan(id):100.
        Total 1 IP Group(s).
        Total 1 MAC Group(s).
        Static Router port(s):
        Dynamic Router port(s): GigabitEthernet1/0/1
        IP group(s):the following ip group(s) match to one mac group.
  • Page 475
    Device | Device description | Networking description
    Switch B | Layer 2 switch | VLAN 2 contains GigabitEthernet 1/0/1 and VLAN 3 contains GigabitEthernet 1/0/2. The default VLANs of GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 are VLAN 2 and VLAN 3 respectively. VLAN 10 contains GigabitEthernet 1/0/10, GigabitEthernet 1/0/1, and GigabitEthernet 1/0/2.
  • Page 476
    [SwitchA-Vlan-interface20] ip address 168.10.1.1 255.255.255.0
    [SwitchA-Vlan-interface20] pim dm
    [SwitchA-Vlan-interface20] quit
    # Configure VLAN 10.
    [SwitchA] vlan 10
    [SwitchA-vlan10] quit
    # Define GigabitEthernet 1/0/10 as a hybrid port, add the port to VLAN 10, and configure the port to forward tagged packets for VLAN 10.
    [SwitchA] interface GigabitEthernet 1/0/10
    [SwitchA-GigabitEthernet1/0/10] port link-type hybrid
    [SwitchA-GigabitEthernet1/0/10] port hybrid vlan 10 tagged...
  • Page 477: Troubleshooting Igmp Snooping

    [SwitchB-GigabitEthernet1/0/2] port hybrid pvid vlan 3
    [SwitchB-GigabitEthernet1/0/2] quit
    Troubleshooting IGMP Snooping
    Symptom: Multicast function does not work on the switch.
    Solution: Possible reasons are:
    IGMP Snooping is not enabled. Use the display current-configuration command to check the status of IGMP Snooping. If IGMP Snooping is disabled, check whether it is disabled globally or in the specific VLAN.
  • Page 478: Common Multicast Configuration

    Common Multicast Configuration Common Multicast Configuration Configuring a Multicast MAC Address Entry In Layer 2 multicast, the system can add multicast forwarding entries dynamically through a Layer 2 multicast protocol. Alternatively, you can statically bind a port to a multicast MAC address entry by configuring a multicast MAC address entry manually.
  • Page 479: Configuring Dropping Unknown Multicast Packets

    If the multicast MAC address entry to be created already exists, the system gives you a prompt. If you want to add a port to a multicast MAC address entry created through the mac-address multicast command, you need to remove the entry first, create this entry again, and then add the specified port to the forwarding ports of this entry.
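    The following Python model is an added example, not code from this manual or from 3Com. It shows why the display output above reports that several IP groups "match to one mac group", and how a Layer 2 snooping table forwards: IPv4 groups are mapped to 01:00:5e MAC addresses (32 groups share one MAC), router ports are learned from queries, member ports from reports, a static multicast MAC entry can be bound by hand, and unknown multicast is either flooded or dropped. Port names and the event sequence are constructed; the rule that a dropped unknown group still reaches router ports is an assumption of this model. The security point it demonstrates is that a port which joined one group also receives every group that aliases to the same MAC.

```python
# Added example: a minimal IGMP Snooping forwarding model (not 3Com code).
# Port names and the event sequence below are constructed for illustration.


def ip_mcast_to_mac(group: str) -> str:
    """Map an IPv4 multicast group to its 01:00:5e Ethernet MAC address.

    Only the low 23 bits of the group address are carried in the MAC, so
    32 IPv4 groups (224.1.1.1, 225.1.1.1, 224.129.1.1, ...) share one MAC.
    """
    a, b, c, d = (int(x) for x in group.split("."))
    if not 224 <= a <= 239:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    return "01:00:5e:%02x:%02x:%02x" % (b & 0x7F, c, d)


class IgmpSnoopingVlan:
    """Layer 2 multicast forwarding table for one VLAN."""

    def __init__(self, ports, drop_unknown=False):
        self.ports = set(ports)            # all ports in the VLAN
        self.router_ports = set()          # learned from IGMP queries
        self.dynamic = {}                  # MAC group -> member ports (from reports)
        self.static = {}                   # MAC group -> ports bound by hand
        self.drop_unknown = drop_unknown   # "dropping unknown multicast packets"

    def on_query(self, port):
        """A general query arrived on `port`: it leads towards the querier."""
        self.router_ports.add(port)

    def on_report(self, port, group):
        self.dynamic.setdefault(ip_mcast_to_mac(group), set()).add(port)

    def on_leave(self, port, group):
        mac = ip_mcast_to_mac(group)
        members = self.dynamic.get(mac, set())
        members.discard(port)
        if not members:
            self.dynamic.pop(mac, None)

    def add_static_mac(self, mac, ports):
        """Equivalent of a manually configured multicast MAC address entry."""
        if mac in self.static:
            raise ValueError(f"entry {mac} already exists; remove it first")
        self.static[mac] = set(ports)

    def forward_ports(self, group, ingress):
        """Ports that receive a frame for `group` arriving on `ingress`."""
        mac = ip_mcast_to_mac(group)
        members = self.dynamic.get(mac, set()) | self.static.get(mac, set())
        if members:
            out = members | self.router_ports
        elif self.drop_unknown:
            # Assumption of this model: unknown groups still go to router ports.
            out = set(self.router_ports)
        else:
            out = set(self.ports)          # unknown group: flood the VLAN
        return out - {ingress}


def demo():
    """Constructed scenario: querier behind GE1/0/1, receivers on GE1/0/3-4."""
    vlan = IgmpSnoopingVlan(ports=["GE1/0/1", "GE1/0/2", "GE1/0/3", "GE1/0/4"],
                            drop_unknown=True)
    vlan.on_query("GE1/0/1")
    vlan.on_report("GE1/0/3", "224.1.1.1")
    vlan.on_report("GE1/0/4", "224.1.1.1")
    vlan.add_static_mac("01:00:5e:02:02:02", ["GE1/0/2"])
    return {
        "joined": vlan.forward_ports("224.1.1.1", ingress="GE1/0/1"),
        # 225.129.1.1 was never joined, but maps to the same MAC as 224.1.1.1
        "aliased": vlan.forward_ports("225.129.1.1", ingress="GE1/0/1"),
        "static": vlan.forward_ports("239.2.2.2", ingress="GE1/0/1"),
        "unknown": vlan.forward_ports("239.9.9.9", ingress="GE1/0/1"),
    }


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:8s} -> {sorted(ports)}")
```

    Because the switch filters on the MAC group, a receiver that joined 224.1.1.1 also gets 225.129.1.1 and the other 30 aliasing groups; if those carry traffic that should not reach that port, separate them by VLAN rather than relying on Layer 2 group filtering.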
  • Page 480 Table of Contents
    1 NTP Configuration 1-1
      Introduction to NTP 1-1
        Applications of NTP 1-1
        Implementation Principle of NTP 1-2
        NTP Implementation Modes 1-4
      NTP Configuration Task List 1-6
      Configuring NTP Implementation Modes 1-6
        Configuring NTP Server/Client Mode 1-7
        Configuring the NTP Symmetric Peer Mode 1-7
        Configuring NTP Broadcast Mode 1-8
        Configuring NTP Multicast Mode 1-9
      Configuring Access Control Right 1-10...
  • Page 481: Ntp Configuration

    NTP Configuration When configuring NTP, go to these sections for information you are interested in: Introduction to NTP NTP Configuration Task List Configuring NTP Implementation Modes Configuring Access Control Right Configuring NTP Authentication Configuring Optional NTP Parameters Displaying NTP Configuration Configuration Examples Introduction to NTP Network Time Protocol (NTP) is a time synchronization protocol defined in RFC 1305.
  • Page 482: Implementation Principle Of Ntp

    Defining the accuracy of clocks by stratum to synchronize the clocks of all devices in a network quickly Supporting access control and MD5-keyed message authentication (MD5 is used here as a keyed hash that authenticates each packet; NTP traffic is not encrypted) Sending protocol packets in unicast, multicast, or broadcast mode The clock stratum determines the accuracy and ranges from 1 to 16, where stratum 1 is the most accurate and stratum 16 means the clock is not synchronized. The stratum of a reference clock ranges from 1 to 15.
  • Page 483
    [Figure 1-1 Implementation principle of NTP: Device A sends an NTP message at 10:00:00 am by its own clock over the IP network; Device B receives it at 11:00:01 am and replies at 11:00:02 am by its own clock; Device A receives the reply at 10:00:03 am by its own clock]
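    The arithmetic behind Figure 1-1, as an added example that is not part of the manual: from the four timestamps NTP computes the clock offset and the round-trip delay, assuming the two directions of the exchange take equal time. The timestamps are the ones shown in the figure; the asymmetry function is an addition that shows what happens when that assumption is broken by a slow or attacker-controlled path.

```python
# Added example (not 3Com code): the NTP offset/delay computation of Figure 1-1.


def ntp_offset_delay(t1, t2, t3, t4):
    """Return (offset, round_trip_delay) in seconds.

    t1: client transmit time, client clock
    t2: server receive time, server clock
    t3: server transmit time, server clock
    t4: client receive time, client clock
    offset is the amount the client clock must be moved to match the server.
    """
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def figure_1_1():
    """Timestamps from Figure 1-1, as seconds after 10:00:00 am."""
    t1 = 0          # Device A sends at 10:00:00 (A's clock)
    t2 = 3600 + 1   # Device B receives at 11:00:01 (B's clock)
    t3 = 3600 + 2   # Device B replies at 11:00:02 (B's clock)
    t4 = 3          # Device A receives at 10:00:03 (A's clock)
    return ntp_offset_delay(t1, t2, t3, t4)


def offset_error_from_asymmetry(extra_one_way_delay):
    """Signed offset error when only the server->client leg is slowed.

    NTP assumes symmetric delay. If the reply is held for `extra` seconds
    (congestion, or an on-path attacker delaying packets), the computed
    offset is wrong by extra/2; a negative result means the client ends up
    behind the server. Nothing in the timestamps lets the client detect it,
    only the jump in round-trip delay hints at it.
    """
    base = ntp_offset_delay(0, 3601, 3602, 3)[0]
    skewed = ntp_offset_delay(0, 3601, 3602, 3 + extra_one_way_delay)[0]
    return skewed - base


if __name__ == "__main__":
    offset, delay = figure_1_1()
    print(f"offset {offset:.0f} s (1 hour), round-trip delay {delay:.0f} s")
    print(f"10 s one-way delay injected: offset error {offset_error_from_asymmetry(10):+.1f} s")
```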
  • Page 484: Ntp Implementation Modes

    NTP Implementation Modes According to the network structure and the position of the local Ethernet switch in the network, the local Ethernet switch can work in multiple NTP modes to synchronize the clock. Server/client mode Figure 1-2 Server/client mode Symmetric peer mode Figure 1-3 Symmetric peer mode Active peer Passive peer...
  • Page 485 Figure 1-4 Broadcast mode Multicast mode Figure 1-5 Multicast mode Table 1-1 describes how the above mentioned NTP modes are implemented on 3Com S4200G series Ethernet switches. Table 1-1 NTP implementation modes on 3Com S4200G series Ethernet switches NTP implementation mode...
  • Page 486: Ntp Configuration Task List

    NTP messages through the VLAN interface configured on the switch. When a 3Com S4200G Ethernet switch works in server mode or symmetric passive mode, no related configuration is needed on this switch; perform it on the client or on the symmetric-active peer instead.
  • Page 487: Configuring Ntp Server/Client Mode

    UDP port 123 is opened only when the NTP feature is enabled and is closed when the NTP feature is disabled. These functions are implemented as follows: executing any of the ntp-service unicast-server, ntp-service unicast-peer, ntp-service broadcast-client, ntp-service broadcast-server, ntp-service multicast-client, and ntp-service multicast-server commands enables the NTP feature and opens UDP port 123 at the same time.
  • Page 488: Configuring Ntp Broadcast Mode

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Specify a symmetric-passive peer for the switch | ntp-service unicast-peer { remote-ip | peer-name } [ authentication-keyid key-id | priority | source-interface Vlan-interface vlan-id | version ... | Required. By default, a switch is not configured to work in the symmetric mode.
  • Page 489: Configuring Ntp Multicast Mode

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter VLAN interface view | interface Vlan-interface vlan-id | —
    Configure the switch to work in the NTP broadcast server mode | ntp-service broadcast-server [ authentication-keyid key-id | version number ]* | Required. Not configured by default.
    Configuring a switch to work in the NTP broadcast client mode...
  • Page 490: Configuring Access Control Right

    Configuring a switch to work in the multicast client mode
    Follow these steps to configure a switch to work in the NTP multicast client mode:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter VLAN interface view | interface Vlan-interface vlan-id | —...
  • Page 491: Configuring Ntp Authentication

    To do… | Use the command… | Remarks
    Configure the NTP service access-control right to the local switch for peer devices | ntp-service access { peer | server | synchronization | query } acl-number | Optional. peer by default.
    The access-control right mechanism provides only a minimum degree of security protection for the local switch: the ACL matches the source IP address of NTP packets, which is unauthenticated and easily spoofed over UDP, so it limits exposure but does not stop a forged server from supplying false time. Use NTP authentication for that.
  • Page 492: Configuration Procedure

    In addition, for the server/client mode and the symmetric peer mode, you need to associate a specific key on the client (the symmetric-active peer in the symmetric peer mode) with the corresponding NTP server (the symmetric-passive peer in the symmetric peer mode); for the NTP broadcast/multicast mode, you need to associate a specific key on the broadcast/multicast server with the corresponding NTP broadcast/multicast client.
  • Page 493: Configuring Optional Ntp Parameters

    To do… | Use the command… | Remarks
    Enable NTP authentication | ntp-service authentication enable | Required. Disabled by default.
    Configure an NTP authentication key | ntp-service authentication-keyid key-id authentication-mode md5 value | Required. By default, no NTP authentication key is configured.
    Configure the specified key as a trusted key | ntp-service reliable ... | Required. By default, no trusted key...
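    An added example, not code from this manual or from 3Com, of what the three commands above set up. The authentication scheme NTP uses is the RFC 1305 symmetric-key MAC: a key ID and the MD5 digest of key || packet are appended to the 48-byte header, and the receiver recomputes the digest with the key it has under that ID. The model below plays the server side: a key must be both configured (authentication-keyid) and trusted (reliable authentication-keyid) before a packet it signs is accepted, a modified packet fails the digest check, and an unsigned packet is rejected once authentication is enabled. Key IDs, key values and timestamps are constructed.

```python
# Added example (not 3Com code): RFC 1305 symmetric-key NTP authentication,
# i.e. what "ntp-service authentication-keyid N authentication-mode md5 V"
# and "ntp-service reliable authentication-keyid N" configure.
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # standard NTP header
MAC_LEN = 4 + 16      # key ID + MD5 digest


def ntp_mac(key: bytes, header: bytes) -> bytes:
    """RFC 1305 MAC: MD5 over key || header. A keyed hash, not encryption."""
    return hashlib.md5(key + header).digest()


def build_client_packet(transmit_ts, key_id=None, key=b""):
    """NTP v3 mode 3 (client) packet; a MAC is appended when key_id is given."""
    header = bytearray(NTP_HEADER_LEN)
    header[0] = (0 << 6) | (3 << 3) | 3                   # LI=0, VN=3, Mode=3
    struct.pack_into("!II", header, 40, transmit_ts, 0)   # transmit timestamp
    header = bytes(header)
    if key_id is None:
        return header
    return header + struct.pack("!I", key_id) + ntp_mac(key, header)


class NtpAuthenticator:
    """Server-side view of the switch's NTP authentication configuration."""

    def __init__(self, enabled=True):
        self.enabled = enabled    # ntp-service authentication enable
        self.keys = {}            # key-id -> key bytes (authentication-keyid ...)
        self.trusted = set()      # ntp-service reliable authentication-keyid ...

    def add_key(self, key_id, value):
        self.keys[key_id] = value.encode()

    def trust(self, key_id):
        if key_id not in self.keys:
            raise KeyError(f"key {key_id} is not configured")
        self.trusted.add(key_id)

    def verify(self, packet):
        """Return (accepted, reason) for a received packet."""
        if not self.enabled:
            return True, "authentication disabled: accepted unverified"
        if len(packet) < NTP_HEADER_LEN + MAC_LEN:
            return False, "no MAC present"
        header = packet[:NTP_HEADER_LEN]
        key_id = struct.unpack("!I", packet[48:52])[0]
        digest = packet[52:68]
        if key_id not in self.keys:
            return False, f"key {key_id} not configured"
        if key_id not in self.trusted:
            return False, f"key {key_id} configured but not trusted"
        if not hmac.compare_digest(ntp_mac(self.keys[key_id], header), digest):
            return False, "digest mismatch (wrong key or modified packet)"
        return True, "ok"


def demo():
    """Constructed keys and packets exercising each accept/reject path."""
    server = NtpAuthenticator()
    server.add_key(42, "s3cret-ntp-key")   # configured and trusted
    server.add_key(7, "other-key")         # configured, never trusted
    server.trust(42)
    good = build_client_packet(0xD0000000, 42, b"s3cret-ntp-key")
    untrusted = build_client_packet(0xD0000000, 7, b"other-key")
    tampered = bytearray(good)
    tampered[41] ^= 0x01                   # flip a bit in the transmit timestamp
    plain = build_client_packet(0xD0000000)
    return {name: server.verify(pkt)[0] for name, pkt in [
        ("good", good), ("untrusted", untrusted),
        ("tampered", bytes(tampered)), ("plain", plain)]}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:10s} accepted={accepted}")
```

    Note what this does and does not give you: the digest proves the packet came from a holder of the shared key and was not altered, but the packet itself is in the clear, the key must be distributed to every peer out of band, and the source-address ACL of the previous section adds nothing against a sender who has the key.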
  • Page 494: Configuring An Interface On The Local Switch To Send Ntp Messages

    Task | Remarks
    Configuring an Interface on the Local Switch to Send NTP Messages | Optional
    Configuring the Number of Dynamic Sessions Allowed on the Local Switch | Optional
    Disabling an Interface from Receiving NTP Messages | Optional
    Configuring an Interface on the Local Switch to Send NTP Messages
    Follow these steps to configure an interface on the local switch to send NTP messages:
    To do…...
  • Page 495: Displaying Ntp Configuration

    Disabling an Interface from Receiving NTP Messages
    Follow these steps to disable an interface from receiving NTP messages:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter VLAN interface view | interface Vlan-interface vlan-id | —
    Disable an interface from receiving NTP messages | ntp-service in-interface ... | Required. By default, a VLAN interface...
  • Page 496: Configuring Ntp Symmetric Peer Mode

    Reference clock ID: none
    Nominal frequency: 60.0002 Hz
    Actual frequency: 60.0002 Hz
    Clock precision: 2^18
    Clock offset: 0.0000 ms
    Root delay: 0.00 ms
    Root dispersion: 0.00 ms
    Peer dispersion: 0.00 ms
    Reference time: 00:00:00.000 UTC Jan 1 1900 (00000000.00000000)
    # Set Device A as the NTP server of Device B.
    <DeviceB>...
  • Page 497
    [Figure 1-7 Network diagram for NTP peer mode configuration: Device A 3.0.1.31/24, Device B 3.0.1.32/24, Device C 3.0.1.33/24]
    Configuration procedure
    Configure Device C.
    # Set Device A as the NTP server.
    <DeviceC> system-view
    [DeviceC] ntp-service unicast-server 3.0.1.31
    Configure Device B (after Device C is synchronized to Device A).
    # Enter system view.
  • Page 498: Configuring Ntp Broadcast Mode

    # View the information about the NTP sessions of Device C (you can see that a connection is established between Device C and Device B).
    [DeviceC] display ntp-service sessions
         source          reference       stra   reach   poll   now   offset   delay   disper
    *************************************************************************
    [1234]3.0.1.32      LOCL  -14.3  12.9...
  • Page 499: Configuring Ntp Multicast Mode

    # Set Device A as a broadcast client.
    [DeviceA] interface Vlan-interface 2
    [DeviceA-Vlan-interface2] ntp-service broadcast-client
    After the above configurations, Device A and Device D will listen to broadcast messages through their own VLAN-interface 2, and Device C will send broadcast messages through VLAN-interface 2. Because Device A and Device C do not share the same network segment, Device A cannot receive broadcast messages from Device C, while Device D is synchronized to Device C after receiving broadcast messages from Device C.
  • Page 500
    [Figure 1-9 Network diagram for NTP multicast mode configuration: Device C Vlan-int2 3.0.1.31/24; Device A Vlan-int2 1.0.1.31/24; Device B; Device D Vlan-int2 3.0.1.32/24]
    Configuration procedure
    Configure Device C.
    # Enter system view.
    <DeviceC> system-view
    # Set Device C as a multicast server to send multicast messages through VLAN-interface 2.
    [DeviceC] interface Vlan-interface 2
    [DeviceC-Vlan-interface2] ntp-service multicast-server
    Configure Device A (perform the same configuration on Device D).
  • Page 501: Configuring Ntp Server/Client Mode With Authentication

    Root dispersion: 208.39 ms
    Peer dispersion: 9.63 ms
    Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C)
    The output indicates that Device D is synchronized to Device C with a clock stratum of 3, one stratum further from the reference clock than Device C.
    # View the information about the NTP sessions of Device D (you can see that a connection is established between Device D and Device C).
  • Page 502 After the above configurations, Device B is ready to synchronize with Device A. Because the NTP authentication function is not enabled on Device A, the clock of Device B will fail to be synchronized to that of Device A. To synchronize Device B, you need to perform the following configurations on Device A. # Enable the NTP authentication function.
  • Page 503 Table of Contents
    1 SSH Configuration 1-1
      SSH Overview 1-1
        Introduction to SSH 1-1
        Algorithm and Key 1-1
        SSH Operating Process 1-2
      SSH Server and Client 1-4
      Configuring the SSH Server 1-5
        Configuring the User Interfaces for SSH Clients 1-6
        Configuring the SSH Management Functions 1-7
        Configuring the SSH Server to Be Compatible with SSH1 Clients 1-8
        Configuring Key Pairs 1-8
        Creating an SSH User and Specifying an Authentication Type 1-9...
  • Page 504: Ssh Configuration

    SSH Configuration When configuring SSH, go to these sections for information you are interested: SSH Overview SSH Server and Client Displaying and Maintaining SSH Configuration Comparison of SSH Commands with the Same Functions SSH Configuration Examples SSH Overview Introduction to SSH Secure Shell (SSH) is a protocol that provides secure remote login and other security services in insecure network environments, allowing for secure access to the Command Line Interface (CLI) of a switch for configuration and management.
  • Page 505: Ssh Operating Process

    The same key is used for both encryption and decryption. Supported symmetric key algorithms include DES, 3DES, and AES, which protect the session against eavesdropping. (Single DES has a 56-bit key and is no longer considered adequate; prefer AES, or 3DES where AES is unavailable.) Asymmetric key algorithm Asymmetric key algorithm is also called public key algorithm. Both ends have their own key pair, consisting of a private key and a public key.
  • Page 506 Currently, the switch that serves as an SSH server supports two SSH versions: SSH2 and SSH1, and the switch that serves as an SSH client supports only SSH2. Unless otherwise noted, SSH refers to SSH2 throughout this document. Version negotiation The server listens on TCP port 22 for connection requests from clients.
  • Page 507: Ssh Server And Client

    The server starts to authenticate the user. If authentication fails, the server sends an authentication failure message to the client, which contains the list of methods that can be used for a new authentication attempt. The client selects an authentication type from the method list and authenticates again. The process repeats until authentication succeeds, or the connection is torn down when the number of authentication attempts reaches the upper limit.
  • Page 508: Configuring The Ssh Server

    The 3Com switch acts as the SSH server to cooperate with software that supports the SSH client functions. The 3Com switch acts as the SSH server to cooperate with another 3Com switch that acts as an SSH client. Complete the following tasks to configure the SSH server and clients:...
  • Page 509: Configuring The User Interfaces For Ssh Clients

    Task | Remarks
    Preparation: Configuring the User Interfaces for SSH Clients | Required
    Configuring the SSH Management Functions | Optional
    Version: Configuring the SSH Server to Be Compatible with SSH1 Clients | Optional. This task determines which SSH versions the server should support. By default, the SSH server is compatible with SSH1 clients. SSH1 is a deprecated protocol with known weaknesses in its integrity protection; leave SSH1 compatibility off unless a legacy client requires it.
  • Page 510: Configuring The Ssh Management Functions

    To do... | Use the command... | Remarks
    Configure the authentication mode as scheme | authentication-mode scheme [ command-authorization ] | Required. By default, the user interface authentication mode is password.
    Specify supported protocol(s) | protocol inbound { all | ssh } | Optional. By default, both Telnet and SSH are supported. Selecting ssh removes cleartext Telnet login from these user interfaces; all leaves it reachable.
  • Page 511: Configuring The Ssh Server To Be Compatible With Ssh1 Clients

    To do... | Use the command... | Remarks
    Specify a source IP address for the SSH server | ssh-server source-ip ip-address | Optional. By default, no source IP address is configured.
    Specify a source interface for the SSH server | ssh-server source-interface interface-type interface-number | Optional. By default, no source interface is configured.
  • Page 512: Creating An Ssh User And Specifying An Authentication Type

    To do... | Use the command... | Remarks
    Generate key pairs: generate an RSA key pair | public-key local create rsa | Required. By default, no key pairs are generated.
    Generate key pairs: generate a DSA key pair | public-key local create dsa | (same)
    The command for generating a key pair survives a reboot; you only need to run it once. It takes more time to encrypt and decrypt data with a longer key, which, however, ensures higher security.
  • Page 513 SSH uses the authentication function of AAA to authenticate the password of the user that is logging in. Based on the AAA authentication scheme, password authentication can be done locally or remotely. For local authentication, the SSH server saves the user information and implements the authentication. For remote authentication, the user information is saved on an authentication server (such as a RADIUS server) and authentication is implemented through the cooperation of the SSH server and the authentication server.
  • Page 514: Specifying A Service Type For An Ssh User On The Server

    For password authentication type, the username argument must be consistent with the valid user name defined in AAA; for publickey authentication, the username argument is the SSH local user name, so that there is no need to configure a local user in AAA. If the default authentication type for SSH users is password and local AAA authentication is adopted, you need not use the ssh user command to create an SSH user.
  • Page 515: Configuring The Public Key Of A Client On The Server

    Configuring the Public Key of a Client on the Server This configuration is not necessary if the password authentication mode is configured for SSH users. With the publickey authentication mode configured for an SSH client, you must configure the client’s RSA or DSA host public key(s) on the server for authentication.
  • Page 516: Exporting The Host Public Key To A File

    This configuration task is unnecessary if the SSH user’s authentication mode is password. For the publickey authentication mode, you must specify the client’s public key on the server for authentication. Follow these steps to assign a public key for an SSH user: To do...
  • Page 517: Configuring The Ssh Client

    With the filename argument specified, you can export the RSA or DSA host public key to a file so that you can configure the key at a remote end by importing the file. If the filename argument is not specified, this command displays the host public key information on the screen in a specified format.
  • Page 518
    Task | Remarks
    Opening an SSH connection with password authentication | Required for password authentication; unnecessary for publickey authentication
    Opening an SSH connection with publickey authentication | Required for publickey authentication; unnecessary for password authentication
    For PuTTY, it is recommended to use PuTTY release 0.53; PuTTY release 0.58 is also supported. For OpenSSH, it is recommended to use OpenSSH_3.1p1;...
  • Page 519 Figure 1-3 Generate a client key (1) Note that while generating the key pair, you must keep moving the mouse, and keep the pointer off the green progress bar in the blue box shown in Figure 1-4. Otherwise, the progress bar stops moving and key pair generation stalls.
  • Page 520 After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case) to save the public key. Figure 1-5 Generate the client keys (3) Likewise, to save the private key, click Save private key. A warning window pops up asking whether to save the private key without a passphrase to protect it. Answering Yes stores the private key unencrypted on disk, so anyone who can read the file can log in as that user; set a passphrase in the Key passphrase field first unless the key is used by an unattended process.
  • Page 521 Figure 1-7 Generate the client keys (5) Specifying the IP address of the Server Launch PuTTY.exe. The following window appears. Figure 1-8 SSH client configuration interface 1
  • Page 522 In the Host Name (or IP address) text box, enter the IP address of the server. Note that there must be a route available between the IP address of the server and the client. Selecting a protocol for remote connection As shown in Figure 1-8, select SSH under Protocol.
  • Page 523: Configuring An Ssh Client Assumed By An Ssh2-Capable Switch

    Opening an SSH connection with publickey authentication If a user needs to be authenticated with a public key, the corresponding private key file must be specified. A private key file is not required for password-only authentication. From the category on the left of the window, select Connection/SSH/Auth. The following window appears.
  • Page 524 Configuring the SSH client for publickey authentication When the authentication mode is publickey, you need to configure the RSA or DSA public key of the client on the server: To generate a key pair on the client, refer to Configuring Key Pairs. To export the RSA or DSA public key of the client, refer to Exporting the Host Public Key.
  • Page 525 With first-time authentication enabled, an SSH client that has no saved host public key for the SSH server accepts and saves the host public key the server sends without verifying it. An attacker who answers that first connection can exploit this to mount a man-in-the-middle attack by posing as the SSH server. Therefore, disable first-time authentication unless you are sure the SSH server is trustworthy; with it disabled, the server's host public key must be configured on the client beforehand.
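    The decision described above, as an added example that is not code from this manual or from 3Com: a client keeps a table of server address to host public key (what display ssh server-info lists), and the first-time-authentication setting only matters when the server is not yet in that table. The model shows a pinned key rejecting an impostor, trust-on-first-use accepting whoever answers first and then rejecting the real switch as a "changed" key, and the strict mode refusing unknown servers outright. Key bytes, addresses and the fingerprint format (OpenSSH-style SHA256) are stand-ins for a real host key exchange.

```python
# Added example (not 3Com code): client-side host key verification policy.
# Key bytes below are constructed stand-ins for real host public key blobs.
import base64
import hashlib


def fingerprint(host_key: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a host public key blob."""
    digest = hashlib.sha256(host_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class SshClientHostKeys:
    """The client's server -> host public key table and its trust policy."""

    def __init__(self, first_time_authentication=True):
        self.first_time_authentication = first_time_authentication
        self.saved = {}   # server address -> host public key blob

    def assign_publickey(self, server, host_key):
        """Pin a server's host key obtained out of band (the safe way)."""
        self.saved[server] = host_key

    def check(self, server, presented_key):
        """Return (proceed, reason) for the key presented during key exchange."""
        known = self.saved.get(server)
        if known is not None:
            if known == presented_key:
                return True, "host key matches saved key"
            return False, "host key CHANGED: saved %s, presented %s" % (
                fingerprint(known), fingerprint(presented_key))
        if self.first_time_authentication:
            # Trust-on-first-use: whoever answers first becomes "the server".
            self.saved[server] = presented_key
            return True, "unknown server, key saved unverified: " + fingerprint(presented_key)
        return False, "unknown server and first-time authentication disabled"


def demo():
    """Constructed scenario: an impostor answers the client's first connection."""
    real_key = b"ssh-rsa constructed-real-switch-host-key"
    mitm_key = b"ssh-rsa constructed-attacker-host-key"
    server = "10.165.87.136"   # address used in this manual's examples

    lax = SshClientHostKeys(first_time_authentication=True)
    strict = SshClientHostKeys(first_time_authentication=False)
    pinned = SshClientHostKeys(first_time_authentication=False)
    pinned.assign_publickey(server, real_key)

    return {
        "lax_first_contact_mitm": lax.check(server, mitm_key)[0],   # accepted!
        "lax_real_after_mitm": lax.check(server, real_key)[0],      # now "changed"
        "strict_first_contact": strict.check(server, real_key)[0],  # refused
        "pinned_real": pinned.check(server, real_key)[0],
        "pinned_mitm": pinned.check(server, mitm_key)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} proceed={ok}")
```

    The "lax" path is the one behind the "The Server is not authenticated. Do you continue to access it?" prompt shown in the client examples later in this chapter; answering Y there is the trust-on-first-use decision, and the only thing that makes it safe is comparing the fingerprint with one obtained from the switch's console.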
  • Page 526: Displaying And Maintaining Ssh Configuration

    To do... | Use the command... | Remarks
    Open an SSH connection to the server | ssh2 { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_group1 | dh_exchange_group } |... | Required. In this command, you can also specify the preferred key exchange algorithm, encryption algorithms and HMAC algorithms between the server and client. HMAC: Hash-based message...
  • Page 527: Comparison Of Ssh Commands With The Same Functions

    To do... | Use the command... | Remarks
    Display the mappings between host public keys and SSH servers saved on a client | display ssh server-info |
    Display the current source IP address or the IP address of the source interface specified for the SSH client | display ssh2 source-ip |
  • Page 528: Ssh Configuration Examples

    After RSA key pairs are generated, the display rsa local-key-pair public command displays two public keys (the host public key and server public key) when the switch is working in SSH1-compatible mode, but only one public key (the host public key) when the switch is working in SSH2 mode.
  • Page 529
    # Generate RSA and DSA key pairs.
    [Switch] public-key local create rsa
    [Switch] public-key local create dsa
    # Set the authentication mode for the user interfaces to AAA.
    [Switch] user-interface vty 0 4
    [Switch-ui-vty0-4] authentication-mode scheme
    # Enable the user interfaces to support SSH.
    [Switch-ui-vty0-4] protocol inbound ssh
    [Switch-ui-vty0-4] quit
    # Create local client client001, and set the authentication password to abc, protocol type to SSH, and...
  • Page 530: When Switch Acts As Server For Password And Radius Authentication

    In the Host Name (or IP address) text box, enter the IP address of the SSH server. From the category on the left pane of the window, select SSH under Connection. The window as shown in Figure 1-13 appears. Figure 1-13 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version.
  • Page 531 Network diagram Figure 1-14 Switch acts as server for password and RADIUS authentication Configuration procedure Configure the RADIUS server This document takes CAMS Version 2.10 as an example to show the basic RADIUS server configurations required. # Add an access device. Log in to the CAMS management platform and select System Management >...
  • Page 532 Figure 1-15 Add an access device # Add a user account for device management. From the navigation tree, select User Management > User for Device Management, and then in the right pane, click Add to enter the Add Account page and perform the following configurations: Add a user named hello, and specify the password.
  • Page 533 Generating the RSA and DSA key pairs on the server is a prerequisite for SSH login.
    # Generate RSA and DSA key pairs.
    [Switch] public-key local create rsa
    [Switch] public-key local create dsa
    # Set the authentication mode for the user interfaces to AAA.
    [Switch] user-interface vty 0 4
    [Switch-ui-vty0-4] authentication-mode scheme
    # Enable the user interfaces to support SSH.
  • Page 534 Figure 1-17 SSH client configuration interface (1) In the Host Name (or IP address) text box, enter the IP address of the SSH server. From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 1-18 appears.
  • Page 535: When Switch Acts As Server For Password And Hwtacacs Authentication

    authentication succeeds, you will log in to the server. The level of commands that you can access after login is authorized by the CAMS server. You can specify the level by setting the EXEC Privilege Level argument in the Add Account window shown in Figure 1-16.
  • Page 536
    # Enable the user interfaces to support SSH.
    [Switch-ui-vty0-4] protocol inbound ssh
    [Switch-ui-vty0-4] quit
    # Configure the HWTACACS scheme.
    [Switch] hwtacacs scheme hwtac
    [Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
    [Switch-hwtacacs-hwtac] primary authorization 10.1.1.1 49
    [Switch-hwtacacs-hwtac] key authentication expert
    [Switch-hwtacacs-hwtac] key authorization expert
    [Switch-hwtacacs-hwtac] user-name-format without-domain
    [Switch-hwtacacs-hwtac] quit
    # Apply the scheme to the ISP domain.
  • Page 537: When Switch Acts As Server For Publickey Authentication

    From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 1-21 appears. Figure 1-21 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version. Then, click Open. If the connection is normal, you will be prompted to enter the user name client001 and the password.
  • Page 538 Configuration procedure Under the publickey authentication mode, either an RSA or a DSA public key can be generated for the server to authenticate the client. This example uses an RSA public key. Configure the SSH server # Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for the SSH connection.
  • Page 539
    # Import the client's public key named Switch001 from file public.
    [Switch] public-key peer Switch001 import sshkey public
    # Assign the public key Switch001 to client client001.
    [Switch] ssh user client001 assign publickey Switch001
    Configure the SSH client (taking PuTTY version 0.58 as an example)
    # Generate an RSA key pair.
  • Page 540 Figure 1-24 Generate a client key pair (2) After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case). Figure 1-25 Generate a client key pair (3)
  • Page 541 Likewise, to save the private key, click Save private key. A warning window pops up asking whether to save the private key without a passphrase to protect it. Click Yes and enter the name of the file for saving the private key (private.ppk in this case). Figure 1-26 Generate a client key pair (4) After the key pair is generated, you need to upload the public key file to the server through FTP or TFTP, and complete the server-end configuration before you continue to configure the client.
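    The file that PuTTYgen's Save public key writes is in the SSH2 public key format of RFC 4716 (a BEGIN/END marker pair, optional header lines such as Comment:, and the base64 key blob), which is what public-key peer ... import sshkey reads. The following parser is an added example, not code from this manual, 3Com or PuTTY: it validates the markers, handles continued header lines, decodes the blob, walks the key fields so a truncated or padded file is rejected, checks that the key really is the type you intend to assign to the user, and produces the one-line OpenSSH form and a SHA256 fingerprint you can compare against what the switch displays after the import. The sample key is constructed from tiny, insecure numbers purely to exercise the code.

```python
# Added example (not 3Com or PuTTY code): parse an RFC 4716 public key file.
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    return struct.pack("!I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    # Big-endian, with a leading zero byte when the top bit is set (RFC 4251)
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, pos: int):
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack("!I", blob[pos:pos + 4])
    pos += 4
    if pos + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos:pos + length], pos + length


def write_rfc4716(blob: bytes, comment: str) -> str:
    """Produce the file layout PuTTYgen's 'Save public key' uses."""
    b64 = base64.b64encode(blob).decode()
    lines = ['---- BEGIN SSH2 PUBLIC KEY ----', f'Comment: "{comment}"']
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(lines) + "\n"


def parse_rfc4716(text: str):
    """Return (key_type, blob, comment); raise ValueError on a malformed file."""
    lines = [line.rstrip("\r") for line in text.splitlines()]
    if not lines or lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----":
        raise ValueError("missing RFC 4716 begin marker")
    if lines[-1] != "---- END SSH2 PUBLIC KEY ----":
        raise ValueError("missing RFC 4716 end marker")
    body, comment, b64, i = lines[1:-1], "", [], 0
    while i < len(body):
        line = body[i]
        if ":" in line and not b64:          # header field, may continue with '\'
            name, _, value = line.partition(":")
            while value.endswith("\\"):
                i += 1
                value = value[:-1] + body[i]
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
        else:
            b64.append(line.strip())
        i += 1
    blob = base64.b64decode("".join(b64), validate=True)
    key_type, pos = _read_string(blob, 0)
    key_type = key_type.decode("ascii")
    field_count = {"ssh-rsa": 2, "ssh-dss": 4}.get(key_type)   # e,n / p,q,g,y
    if field_count is None:
        raise ValueError(f"unsupported key type {key_type}")
    for _ in range(field_count):
        _, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after key fields")
    return key_type, blob, comment


def to_openssh_line(key_type, blob, comment):
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()


def sha256_fingerprint(blob):
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


# Constructed demo key: e=65537 and a 120-bit modulus. Never use such a key.
DEMO_RSA_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_mpint(65537)
                 + _ssh_mpint(0xC0FFEEDEADBEEF123456789ABCDEF0))
DEMO_FILE = write_rfc4716(DEMO_RSA_BLOB, "rsa-key-20081201")

if __name__ == "__main__":
    kind, blob, note = parse_rfc4716(DEMO_FILE)
    print(to_openssh_line(kind, blob, note))
    print(sha256_fingerprint(blob))
```

    Before running public-key peer ... import sshkey, check the file with this parser and keep the fingerprint; if the assigned key on the switch does not match it, the file was altered in transit (TFTP offers no integrity protection).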
  • Page 542 Figure 1-28 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version. Select Connection/SSH/Auth. The following window appears. Figure 1-29 SSH client configuration interface (3)
  • Page 543: When Switch Acts As Client For Password Authentication

    Click Browse to bring up the file selection window, navigate to the private key file and click OK. From the window shown in Figure 1-29, click Open. If the connection is normal, you will be prompted to enter the username. When Switch Acts as Client for Password Authentication Network requirements As shown in...
  • Page 544: When Switch Acts As Client For Publickey Authentication

    The Server is not authenticated. Do you continue to access it?(Y/N):y
    Do you want to save the server's public key?(Y/N):n
    Enter password:
    **************************************************************************
    Copyright(c) 2004-2008 3Com Corp. and its licensors. All rights reserved.
    Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed.
    **************************************************************************
    <SwitchB>...
  • Page 545 Configuration procedure In publickey authentication, you can use either an RSA or a DSA public key. This example uses a DSA public key. Configure Switch B # Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for the SSH connection.
  • Page 546
    The Server is not authenticated. Do you continue to access it?(Y/N):y
    Do you want to save the server's public key?(Y/N):n
    **************************************************************************
    Copyright(c) 2004-2008 3Com Corp. and its licensors. All rights reserved.
    Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed.
  • Page 547: When Switch Acts As Client And First-Time Authentication Is Not Supported

    When Switch Acts as Client and First-Time Authentication is not Supported Network requirements As shown in Figure 1-32, establish an SSH connection between Switch A (SSH Client) and Switch B (SSH Server) for secure data exchange. The user name is client001 and the SSH server’s IP address is 10.165.87.136.
  • Page 548 Before doing the following steps, you must first generate a DSA key pair on the client and save the key pair in a file named Switch001, and then upload the file to the SSH server through FTP or TFTP. For details, refer to the following “Configure Switch A”.
  • Page 549 Username: client001 Trying 10.165.87.136 ... Press CTRL+K to abort Connected to 10.165.87.136 ... ************************************************************************** Copyright(c) 2004-2008 3Com Corp. and its licensors. All rights reserved. Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed. ************************************************************************** <SwitchB>...
  • Page 550 Table of Contents: 1 File System Management Configuration (1-1); File System Configuration (1-1); Introduction to File System (1-1); File System Configuration Tasks (1-1); Directory Operations (1-1); File Operations (1-2); Flash Memory Operations (1-3); Prompt Mode Configuration (1-3); File System Configuration Example (1-4); File Attribute Configuration (1-5); Introduction to File Attributes (1-5); Booting with the Startup File (1-6); Configuring File Attributes (1-6)...
  • Page 551: File System Management Configuration

    Prompt Mode Configuration Optional 3Com Switch 4200G switches allow you to input a file path and file name in one of the following ways: In universal resource locator (URL) format, starting with “unit1>flash:/” or “flash:/”. This method is used to specify a file in the current Flash memory. For example, the URL of a file named text.txt in the root directory of the switch is unit1>flash:/text.txt or flash:/text.txt.
  • Page 552: File Operations

    Table 1-2 Directory operations (To do… / Use the command… / Remarks): Create a directory: mkdir directory (Optional). Delete a directory: rmdir directory (Optional). Display the current work directory (Optional). Display the information about specific directories and files: dir [ /all ] [ file-url ] (Optional). Enter a specified directory...
  • Page 553: Flash Memory Operations

    To do… / Use the command… / Remarks: Enter system view: system-view (—). Execute the specified batch file: execute filename (Optional; this command should be executed in system view). For deleted files whose names are the same, only the latest deleted file is kept in the recycle bin and can be restored.
  • Page 554: File System Configuration Example

    To do… / Use the command… / Remarks: Configure the prompt mode of the file system: file prompt { alert | quiet } (Required; by default, the prompt mode of the file system is alert). File System Configuration Example # Display all the files in the root directory of the file system. <Sysname>...
  • Page 555: File Attribute Configuration

    -rw- 1235 Apr 05 2000 01:51:34 test.cfg -rw- 1235 Apr 05 2000 01:56:44 1.cfg 15367 KB total (3585 KB free) (*) -with main attribute (b) -with backup attribute (*b) -with both main and backup attribute File Attribute Configuration Introduction to File Attributes The following three startup files support file attribute configuration: App files: An app file is an executable file, with .bin as the extension.
  • Page 556: Booting With The Startup File

    For the Web file and configuration file, 3Com may provide a corresponding default file when releasing software versions. When booting, the device selects the startup files in a certain order. The device selects Web files in the following steps: If the default Web file exists, the device will boot with the default Web file;...
  • Page 557 To do… / Use the command… / Remarks: Display the information about the app file used as the startup file: display boot-loader [ unit unit-id ] (Optional; available in any view). Display information about the Web file used by the device: display web package. Before configuring the main or backup attribute for a file, make sure the file already exists on the device.
  • Page 558 Table of Contents: 1 FTP and SFTP Configuration (1-1); Introduction to FTP and SFTP (1-1); Introduction to FTP (1-1); Introduction to SFTP (1-1); FTP Configuration (1-2); FTP Configuration: A Switch Operating as an FTP Server (1-2); FTP Configuration: A Switch Operating as an FTP Client (1-6); Configuration Example: A Switch Operating as an FTP Server (1-8); FTP Banner Display Configuration Example (1-10); FTP Configuration: A Switch Operating as an FTP Client (1-11)...
  • Page 559: Ftp And Sftp Configuration

    Binary mode for program file transfer; ASCII mode for text file transfer. A 3Com Switch 4200G can act as an FTP client or the FTP server in FTP-based data transmission: Table 1-1 Roles that a 3Com Switch 4200G acts as in FTP...
  • Page 560: Ftp Configuration

    FTP Configuration Complete the following tasks to configure FTP (Task / Remarks): FTP Configuration: A Switch Operating as an FTP Server: Creating an FTP user (Required); Enabling an FTP server (Required); Configuring connection idle time (Optional); Specifying the source interface and source IP address for an FTP server (Optional)...
  • Page 561 Only one user can access a 3Com Switch 4200G at a given time when the latter operates as an FTP server. Operating as an FTP server, a 3Com Switch 4200G cannot receive a file whose size exceeds its storage space. Clients that attempt to upload such a file will be disconnected from the FTP server due to lack of storage space on the FTP server.
  • Page 562 Required server With a 3Com Switch 4200G acting as the FTP server, if a network administrator attempts to disconnect a user that is uploading/downloading data to/from the FTP server, the 3Com Switch 4200G will disconnect the user after the data transmission is completed.
  • Page 563 Login banner: After the connection between an FTP client and an FTP server is established, the FTP server outputs the configured login banner to the FTP client terminal. Figure 1-1 Process of displaying a login banner Shell banner: After the connection between an FTP client and an FTP server is established and correct user name and password are provided, the FTP server outputs the configured shell banner to the FTP client terminal.
  • Page 564: Ftp Configuration: A Switch Operating As An Ftp Client

    Displaying FTP server information (To do… / Use the command… / Remarks): Display the information about FTP server configurations on a switch: display ftp-server. Display the source IP address set for an FTP server: display ftp-server source-ip. Display the login FTP client on an FTP server: display ftp-user. (All available in any view.) FTP Configuration: A Switch Operating as an FTP Client Basic configurations on an FTP client...
  • Page 565 To do… / Use the command… / Remarks: Query a specified file on the FTP server: dir [ remotefile ] [ localfile ] or ls [ remotefile ] [ localfile ] (Optional). If no file name is specified, all the files in the current directory are displayed. The difference between these two commands is that the dir command can display the file...
  • Page 566: Configuration Example: A Switch Operating As An Ftp Server

    To do… / Use the command… / Remarks: Specify an interface as the source interface the FTP client uses every time it connects to an FTP server: ftp source-interface interface-type interface-number. Specify an IP address as the source IP address the FTP client uses every time it...: ftp source-ip ip-address. Use either command; not specified by default.
  • Page 567 Network diagram Figure 1-3 Network diagram for FTP configurations: a switch operating as an FTP server Configuration procedure Configure Switch A (the FTP server) # Log in to the switch and enable the FTP server function on the switch. Configure the user name and password used to access FTP services, and specify the service type as FTP (You can log in to a switch through the Console port or by telnetting the switch.
  • Page 568: Ftp Banner Display Configuration Example

    Boot ROM menu. The 3Com Switch 4200G is not shipped with FTP client application software. You need to purchase and install it yourself. Configure Switch A (FTP server) # After uploading the application, use the boot boot-loader command to specify the uploaded file (switch.bin) as the startup file used when the switch starts the next time, and restart the switch.
  • Page 569: Ftp Configuration: A Switch Operating As An Ftp Client

    Configure the login banner of the switch as “login banner appears” and the shell banner as “shell banner appears”. Network diagram Figure 1-4 Network diagram for FTP banner display configuration Configuration procedure Configure the switch (FTP server) # Configure the login banner of the switch as “login banner appears” and the shell banner as “shell banner appears”.
  • Page 570 Network diagram Figure 1-5 Network diagram for FTP configurations: a switch operating as an FTP client Configuration procedure Configure the PC (FTP server) Perform FTP server–related configurations on the PC, that is, create a user account on the FTP server with username switch and password hello.
  • Page 571: Sftp Configuration

    [ftp] get switch.bin # Execute the quit command to terminate the FTP connection and return to user view. [ftp] quit <Sysname> # After downloading the file, use the boot boot-loader command to specify the downloaded file (switch.bin) to be the application for next startup, and then restart the switch. Thus the switch application is upgraded.
  • Page 572: Sftp Configuration: A Switch Operating As An Sftp Client

    For configurations on client software, see the corresponding configuration manual. Currently a 3Com Switch 4200G operating as an SFTP server supports the connection of only one SFTP user. When multiple users attempt to log in to the SFTP server or multiple connections are enabled on a client, only the first user can log in to the SFTP server.
  • Page 573 Follow these steps to perform basic configurations on an SFTP client (To do… / Use the command… / Remarks): Enter system view: system-view (—). Connect to the SFTP server: sftp { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_group1 | dh_exchange_group } | ... (Required). Support for the 3des keyword...
  • Page 574: Sftp Configuration Example

    To do… / Use the command… / Remarks: Display the online help about a specified command concerning SFTP: help [ all | command-name ] (Optional). If you configure the server to authenticate a client through public key, the client needs to read the local private key when logging in to the SFTP server.
  • Page 575 Configuration procedure Configure the SFTP server (switch B) # Create key pairs. <Sysname> system-view [Sysname] public-key local create rsa [Sysname] public-key local create dsa # Create a VLAN interface on the switch and assign to it an IP address, which is used as the destination address for the client to connect to the SFTP server.
  • Page 576 Connected to 192.168.0.1 ... The Server is not authenticated. Do you continue to access it?(Y/N):y Do you want to save the server's public key?(Y/N):n Enter password: sftp-client> # Display the current directory of the server. Delete the file z and verify the result. sftp-client>...
  • Page 577 sftp-client> rename new1 new2 File successfully renamed sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone...
  • Page 578: Tftp Configuration

    To upload a file, a client sends Write Request packets to the TFTP server, then sends data to the TFTP server, and receives acknowledgement packets from the TFTP server. A 3Com Switch 4200G can act as a TFTP client only. When you download a file that is larger than the free space of the switch’s flash memory:...
  • Page 579: Tftp Configuration: A Switch Operating As A Tftp Client

    Task / Remarks: TFTP Configuration: A Switch Operating as a TFTP Client: Basic configurations on a TFTP client (—); Specifying the source interface or source IP address for a TFTP client (Optional). TFTP server configuration: For details, see the corresponding manual (—)...
  • Page 580: Tftp Configuration Example

    To do… / Use the command… / Remarks: Specify an interface as the source interface a TFTP client uses every time it connects to a TFTP server: tftp source-interface interface-type interface-number. Specify an IP address as the source IP address a TFTP client uses every time it...: tftp source-ip ip-address. Use either command; not specified by default.
  • Page 581 Network diagram Figure 2-1 Network diagram for TFTP configurations Configuration procedure Configure the TFTP server (PC) Start the TFTP server and configure the working directory on the PC. Configure the TFTP client (switch). # Log in to the switch. (You can log in to a switch through the Console port or by telnetting the switch. See the Login module for detailed information.) <Sysname>...
  • Page 582 For information about the boot boot-loader command and how to specify the startup file for a switch, refer to the System Maintenance and Debugging module of this manual.
  • Page 583 Table of Contents: 1 Information Center (1-1); Information Center Overview (1-1); Introduction to Information Center (1-1); System Information Format (1-4); Information Center Configuration (1-7); Information Center Configuration Task List (1-7); Configuring Synchronous Information Output (1-7); Configuring to Display the Time Stamp with the UTC Time Zone (1-8); Setting to Output System Information to the Console (1-8); Setting to Output System Information to a Monitor Terminal (1-10); Setting to Output System Information to a Log Host (1-11)...
  • Page 584: Information Center

    Information Center When configuring information center, go to these sections for information you are interested in: Information Center Overview; Information Center Configuration; Displaying and Maintaining Information Center; Information Center Configuration Examples. Information Center Overview Introduction to Information Center Acting as the system information hub, information center classifies and manages system information. Together with the debugging function (the debugging command), information center offers powerful support for network administrators and developers in monitoring network performance and diagnosing network problems.
  • Page 585 Information filtering by severity works this way: information with a severity value greater than the configured threshold is not output during filtering. If the threshold is set to 1, only information with the severity emergencies is output; if the threshold is set to 8, information of all severities is output.
  • Page 586 Outputting system information by source module The system information can be classified by source module and then filtered. Some module names and descriptions are shown in Table 1-3. Table 1-3 Source module name list (Module name / Description): 8021X: 802.1X module; Access control list module; ADBM: Address base module...
  • Page 587: System Information Format

    Module name Description SYSMIB System MIB module HWTACACS module TELNET Telnet module TFTPC TFTP client module VLAN Virtual local area network module Virtual type terminal module XModem module default Default settings for all the modules To sum up, the major task of the information center is to output the three types of information of the modules onto the ten channels in terms of the eight severity levels and according to the user’s settings, and then redirect the system information from the ten channels to the six output directions.
  • Page 588 If the address of the log host is specified in the information center of the switch, when logs are generated, the switch sends the logs to the log host in the above format. For detailed information, refer to Setting to Output System Information to a Log Host.
  • Page 589 %Dec 8 10:12:21:708 2006 [GMT+08:00:00] Sysname SHELL/5/LOGIN:- 1 - VTY(1.1.0.2) in unit1 login Sysname Sysname is the system name of the local switch and defaults to “3Com”. You can use the sysname command to modify the system name. (Refer to the System Maintenance and Debugging part of this manual for details.) Note that there is a space between the sysname and module fields.
  • Page 590: Information Center Configuration

    Source This field indicates the source of the information, such as the source IP address of the log sender. This field is optional and is displayed only when the output destination is the log host. Context This field provides the content of the system information. Information Center Configuration Information Center Configuration Task List Complete the following tasks to configure information center:...
  • Page 591: Configuring To Display The Time Stamp With The Utc Time Zone

    If the system information is output before you input any information following the current command line prompt, the system does not echo any command line prompt after the system information output. In the interaction mode, you are prompted for some information input. If the input is interrupted by system output, no system prompt (except the Y/N string) will be echoed after the output, but your input will be displayed in a new line.
  • Page 592 To do… / Use the command… / Remarks: Enable system information output to the console: info-center console channel { channel-number | channel-name } (Optional; by default, the switch uses information channel 0 to output log/debugging/trap information to the console). Configure the output rules of ...: info-center source { modu-name | default } channel { channel-number | ... (Optional)...
  • Page 593: Setting To Output System Information To A Monitor Terminal

    Follow these steps to enable the system information display on the console (To do… / Use the command… / Remarks): Enable the debugging/log/trap information terminal display function: terminal monitor (Optional; enabled by default). Enable the debugging information terminal display function: terminal debugging (Optional; disabled by default).
  • Page 594: Setting To Output System Information To A Log Host

    To do… / Use the command… / Remarks: Set the format of the time stamp in the output information: info-center timestamp { log | trap | debugging } { boot | date | none } (Optional; by default, the time stamp format of the log and trap output information is date, and that of the debugging output...
  • Page 595: Setting To Output System Information To The Trap Buffer

    To do… / Use the command… / Remarks: Enter system view: system-view (—). Enable the information center: info-center enable (Optional; enabled by default). Enable system information output to a log host: info-center loghost host-ip-addr [ channel { channel-number | ... (Required; by default, the switch does not output information to the log host. After you configure the switch...
  • Page 596: Setting To Output System Information To The Log Buffer

    To do… / Use the command… / Remarks: Enable system information output to the trap buffer: info-center trapbuffer [ channel { channel-number | channel-name } | size buffersize ]* (Optional; by default, the switch uses information channel 3 to output trap information to the trap buffer, which can hold up to 256 items by default).
  • Page 597: Displaying And Maintaining Information Center

    To do… / Use the command… / Remarks: Enable the information center: info-center enable (Optional; enabled by default). Enable information output to the SNMP NMS: info-center snmp channel { channel-number | channel-name } (Optional; by default, the switch outputs trap information to SNMP through channel 5).
  • Page 598: Information Center Configuration Examples

    Information Center Configuration Examples Log Output to a UNIX Log Host Network requirements The switch sends the following log information to the Unix log host whose IP address is 202.38.1.10: the log information of the two modules ARP and IP, with severity higher than “informational”. Network diagram Figure 1-1 Network diagram for log output to a Unix log host Network...
  • Page 599: Log Output To A Linux Log Host

    When you edit the file “/etc/syslog.conf”, note that: A note must start in a new line, starting with a “#” sign. In each pair, a tab should be used as a separator instead of a space. No space is allowed at the end of a file name. The device name (facility) and received log information severity level specified in the file “/etc/syslog.conf”...
  • Page 600 <Switch> system-view [Switch] info-center enable # Configure the host whose IP address is 202.38.1.10 as the log host. Permit all modules to output log information with severity level higher than error to the log host. [Switch] info-center loghost 202.38.1.10 facility local7 [Switch] info-center source default channel loghost log level errors debug state off trap state off Configure the log host:...
  • Page 601: Log Output To The Console

    Through combined configuration of the device name (facility), information severity level threshold (severity), module name (filter) and the file “syslog.conf”, you can sort information precisely for filtering. Log Output to the Console Network requirements The switch sends the following information to the console: the log information of the two modules ARP and IP, with severity higher than “informational”.
  • Page 602 Network diagram Figure 1-4 Network diagram Configuration procedure # Name the local time zone z8 and configure it to be eight hours ahead of UTC time. <Switch> clock timezone z8 add 08:00:00 # Set the time stamp format of the log information to be output to the log host to date. <Switch>...
  • Page 603 Table of Contents: 1 Boot ROM and Host Software Loading (1-1); Introduction to Loading Approaches (1-1); Local Boot ROM and Software Loading (1-1); BOOT Menu (1-2); Loading by XModem through Console Port (1-3); Loading by TFTP through Ethernet Port (1-7); Loading by FTP through Ethernet Port (1-9); Remote Boot ROM and Software Loading (1-11); Remote Loading Using FTP (1-11); Remote Loading Using TFTP (1-15)...
  • Page 604: Boot Rom And Host Software Loading

    Boot ROM and Host Software Loading Traditionally, switch software is loaded through a serial port. This approach is slow, time-consuming and cannot be used for remote loading. To resolve these problems, the TFTP and FTP modules are introduced into the switch. With these modules, you can load/download software/files conveniently to the switch through an Ethernet port.
  • Page 605: Boot Menu

    BOOT Menu Starting... *********************************************************** Switch 4200G 12-Port BOOTROM, Version 2.00 *********************************************************** Copyright (c) 2004-2007 3Com Corporation and its licensors. Creation date : Nov 20 2007, 17:02:48 CPU Clock Speed : 200MHz BUS Clock Speed : 33MHz Memory Size...
  • Page 606: Loading By Xmodem Through Console Port

    2. Select application file to boot 3. Display all files in flash 4. Delete file from flash 5. Modify bootrom password 6. Enter bootrom upgrade menu 7. Skip current configuration file 8. Set bootrom password recovery 9. Set switch startup mode 0.
  • Page 607 Enter your choice (0-5): Step 3: Choose an appropriate baudrate for downloading. For example, if you press 5, the baudrate 115200 bps is chosen and the system displays the following information: Download baudrate is 115200 bps Please change the terminal's baudrate to 115200 bps and select XMODEM protocol Press enter key when ready If you have chosen 9600 bps as the download baudrate, you need not modify the HyperTerminal’s baudrate, and therefore you can skip Steps 4 and 5 below and proceed to Step 6 directly.
  • Page 608 Figure 1-2 Console port configuration dialog box Step 5: Click the <Disconnect> button to disconnect the HyperTerminal from the switch and then click the <Connect> button to reconnect the HyperTerminal to the switch, as shown in Figure 1-3. Figure 1-3 Connect and disconnect buttons The new baudrate takes effect after you disconnect and reconnect the HyperTerminal program.
  • Page 609 Figure 1-4 Send file dialog box Step 8: Click <Send>. The system displays the page shown in Figure 1-5. Figure 1-5 Sending file page Step 9: After the sending process completes, the system displays the following information: Loading ...CCCCCCCCCC done! Step 10: Reset HyperTerminal’s baudrate to 9600 bps (refer to Steps 4 and 5).
  • Page 610: Loading By Tftp Through Ethernet Port

    Loading host software Follow these steps to load the host software: Step 1: Select <1> in BOOT Menu and press <Enter>. The system displays the following information: 1. Set TFTP protocol parameter 2. Set FTP protocol parameter 3. Set XMODEM protocol parameter 0.
  • Page 611 Step 2: Run the TFTP server program on the TFTP server, and specify the path of the program to be downloaded. A TFTP server program is not provided with the 3Com Series Ethernet Switches. Step 3: Run the HyperTerminal program on the configuration PC. Start the switch. Then enter the BOOT Menu.
  • Page 612: Loading By Ftp Through Ethernet Port

    0. Return to boot menu Enter your choice(0-3): Step 2: Enter 1 in the above menu to download the host software using TFTP. The subsequent steps are the same as those for loading the Boot ROM, except that the system gives the prompt for host software loading instead of Boot ROM loading.
  • Page 613 At the prompt "Enter your choice(0-9):" in the BOOT Menu, press <6> or <Ctrl+U>, and then press <Enter> to enter the Boot ROM update menu shown below: Bootrom update menu: 1. Set TFTP protocol parameter 2. Set FTP protocol parameter 3.
  • Page 614: Remote Boot Rom And Software Loading

    Remote Boot ROM and Software Loading If your terminal is not directly connected to the switch, you can telnet to the switch, and use FTP or TFTP to load the Boot ROM and host software remotely. Remote Loading Using FTP Loading Procedure Using FTP Client Loading the Boot ROM As shown in...
  • Page 615 <Sysname> reboot Before restarting the switch, make sure you have saved all other configurations that you want, so as to avoid losing configuration information. Loading host software Loading the host software is the same as loading the Boot ROM program, except that the file to be downloaded is the host software file, and that you need to use the boot boot-loader command to select the host software used for next startup of the switch.
  • Page 616 You can configure the IP address for any VLAN on the switch for FTP transmission. However, before configuring the IP address for a VLAN interface, you have to make sure that the IP addresses of this VLAN interface and the PC are routable to each other. <Sysname>...
  • Page 617 Figure 1-11 Enter Boot ROM directory Step 6: Enter ftp 192.168.0.28 and enter the user name test, password pass, as shown in Figure 1-12, to log on to the FTP server. Figure 1-12 Log on to the FTP server Step 7: Use the put command to upload the file switch.btm to the switch, as shown in Figure 1-13.
  • Page 618: Remote Loading Using Tftp

    Figure 1-13 Upload file switch.btm to the switch Step 8: Configure switch.btm to be the Boot ROM at next startup, and then restart the switch. <Sysname> boot bootrom switch.btm This will update Bootrom on unit 1. Continue? [Y/N] y Upgrading Bootrom, please wait... Upgrade Bootrom succeeded! <Sysname>...
  • Page 619: Basic System Configuration And Debugging

    — view Optional Set the system name of the switch: sysname sysname (Optional; by default, the name is 3Com). Return from the current view to the lower level view: quit (Optional; if the current view is user view, you will quit the current user interface).
  • Page 620: Displaying The System Status

    To do… / Use the command… / Remarks: Return from the current view to user view: return (Optional; the composite key <Ctrl+Z> has the same effect as the return command). Displaying the System Status (To do… / Use the command… / Remarks): Display the current date and time of the system: display clock (Available in...
  • Page 621: Displaying Debugging Status

    Displaying debugging information on the terminal is the most commonly used way to output debugging information. You can also output debugging information to other destinations. For details, refer to Information Center Operation. You can use the following commands to enable the two switches (the module debugging switch and the terminal display switch). Follow these steps to enable debugging and terminal display for a specific module: To do…...
  • Page 622: Network Connectivity Test

    Network Connectivity Test When configuring network connectivity test, go to these sections for information you are interested in: ping tracert Network Connectivity Test ping You can use the ping command to check the network connectivity and the reachability of a host. To do…...
  • Page 623: Device Management

    Device Management When configuring device management, go to these sections for information you are interested in: Introduction to Device Management Device Management Configuration Displaying the Device Management Configuration Remote Switch APP Upgrade Configuration Example Introduction to Device Management Device Management includes the following: Reboot the Ethernet switch Configure real-time monitoring of the running status of the system Specify the APP to be used at the next reboot...
  • Page 624: Scheduling A Reboot On The Switch

    Before rebooting, the system checks whether there is any configuration change. If yes, it prompts whether or not to proceed. This prevents the system from losing the configuration in case the system is shut down without saving the configuration. Use the following command to reboot the Ethernet switch: To do…...
  • Page 625: Specifying The App To Be Used At Reboot

    Enabling this function consumes some CPU resources. Therefore, if your network requires low CPU usage, you can disable this function to release CPU resources. Specifying the APP to be Used at Reboot APP is the host software of the switch. If multiple APPs exist in the Flash memory, you can use the command here to specify the one that will be used when the switch reboots.
  • Page 626 Transceiver type | Applied environment | Whether can be an optical transceiver | Whether can be an electrical transceiver
    XFP (10-Gigabit small Form-factor Pluggable) | Generally used for 10G Ethernet interfaces | ... | ...
    XENPAK (10 Gigabit EtherNet Transceiver Package) | Generally used for 10G Ethernet interfaces | ... | ...
    Identifying pluggable transceivers As pluggable transceivers are of various types and from different vendors, you can perform the following configurations to identify the main parameters of the pluggable transceivers, including transceiver type, connector type, central wavelength of the laser sent, transfer distance and vendor name or vendor...
  • Page 627: Displaying The Device Management Configuration

    To do… | Use the command… | Remarks
    Display the currently measured value of the digital diagnosis parameters of the pluggable optical transceiver(s) | display transceiver diagnosis interface [ interface-type interface-number ] | Available for anti-spoofing optical transceiver(s) customized by H3C only
    Displaying the Device Management Configuration To do…...
  • Page 628 The host software switch.app and the Boot ROM file boot.btm of the switch are stored in the directory switch on the PC. Use FTP to download the switch.app and boot.btm files from the FTP server to the switch. Network diagram Figure 4-1 Network diagram for FTP configuration Configuration procedure Configure the following FTP server–related parameters on the PC: an FTP user with the username...
  • Page 629 [ftp] Enter the authorized path on the FTP server. [ftp] cd switch Execute the get command to download the switch.app and boot.btm files on the FTP server to the Flash memory of the switch. [ftp] get switch.app [ftp] get boot.btm Execute the quit command to terminate the FTP connection and return to user view.
  • Page 630 Table of Contents
    1 remote-ping Configuration 1-1
      remote-ping Overview 1-1
        Introduction to remote-ping 1-1
        Test Types Supported by remote-ping 1-2
        remote-ping Test Parameters 1-2
      remote-ping Configuration 1-4
        remote-ping Server Configuration 1-4
        remote-ping Client Configuration 1-4
        Displaying remote-ping Configuration 1-15
      remote-ping Configuration Examples 1-15
        ICMP Test 1-15
        DHCP Test 1-17
        FTP Test 1-18...
  • Page 631: Remote-Ping Configuration

    remote-ping Configuration When configuring remote-ping, go to these sections for information you are interested in: remote-ping Overview remote-ping Configuration remote-ping Configuration Examples remote-ping Overview Introduction to remote-ping remote-ping is a network diagnostic tool. It is used to test the performance of various protocols running in networks.
  • Page 632: Test Types Supported By Remote-Ping

    Test Types Supported by remote-ping Table 1-1 Test types supported by remote-ping Supported test types Description ICMP test DHCP test FTP test For these types of tests, you need to configure the remote-ping client and corresponding servers. HTTP test DNS test SNMP test Jitter test These types of tests need the cooperation of the remote-ping...
  • Page 633 Test parameter Description You can use remote-ping to test a variety of protocols, see Table 1-1 for details. To perform a type of test, you must first create a test group of this Test type (test-type) type. One test group can be of only one remote-ping test type. If you modify the test type of a test group using the test-type command, the parameter settings, test results, and history records of the original test type will be all cleared.
  • Page 634: Remote-Ping Configuration

    Test parameter | Description
    Trap | A remote-ping test will generate a Trap message no matter whether the test succeeds or not. You can use the Trap switch to enable or disable the output of trap messages. You can set the number of consecutive failed remote-ping tests before Trap output.
  • Page 635 Follow these steps to configure ICMP test on remote-ping client:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable the remote-ping client function | remote-ping-agent enable | Required. By default, the remote-ping client function is disabled.
    Create a remote-ping test group and enter its... | remote-ping ... | Required...
  • Page 636 To do… | Use the command… | Remarks
    Enable the remote-ping client function | remote-ping-agent enable | Required. By default, the remote-ping client function is disabled.
    Create a remote-ping test group and enter its view | remote-ping administrator-name operation-tag | Required. By default, no test group is configured.
    ... | ... | Required...
  • Page 637 To do… | Use the command… | Remarks
    Configure the test type | test-type ftp | Required. By default, the test type is ICMP.
    Configure the number of probes per test | count times | Optional. By default, each test makes one probe.
    Configure the maximum number of history records that can... | history-records number | Optional...
  • Page 638 To do… | Use the command… | Remarks
    Configure the destination IP address | destination-ip ip-address | Required. You can configure an IP address or a host name. By default, no destination address is configured.
    Configure dns-server | dns-server ip-address | Required when you use the destination-ip command to configure the destination address as the host...
  • Page 639 Follow these steps to configure jitter test on remote-ping client:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable the remote-ping client function | remote-ping-agent enable | Required. By default, the remote-ping client function is disabled.
    Create a remote-ping test group and enter its view... | remote-ping administrator-name ... | Required. By default, no test group is...
  • Page 640 To do… | Use the command… | Remarks
    Configure the type of service | tos value | Optional. By default, the service type is zero.
    Configure the number of test packets that will be sent in each jitter probe | jitter-packetnum number | Optional. By default, each jitter probe will send 10 packets.
  • Page 641 To do… | Use the command… | Remarks
    Configure the automatic test interval | frequency interval | Optional. By default, the automatic test interval is zero seconds, indicating no automatic test will be made.
    Configure the probe timeout time | timeout time | Optional. By default, a probe times out in three seconds.
  • Page 642 To do… | Use the command… | Remarks
    Configure the source port | source-port port-number | Optional. By default, no source port is specified.
    Configure the test type | test-type { tcpprivate | tcppublic } | Required. By default, the test type is ICMP.
    Configure the number of probes per test | count times | Optional. By default, one probe is made per test.
  • Page 643 To do… | Use the command… | Remarks
    Configure the destination port | destination-port ... | Required in a Udpprivate test. A Udppublic test is a UDP connection test on port 7; use the remote-ping-server udpecho ip-address 7 command on the server to configure the listening service port; otherwise the test will fail.
  • Page 644 To do… | Use the command… | Remarks
    Enable the remote-ping client function | remote-ping-agent enable | Required. By default, the remote-ping client function is disabled.
    Create a remote-ping test group and enter its view | remote-ping administrator-name operation-... | Required. By default, no test group is configured.
  • Page 645: Displaying Remote-Ping Configuration

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable the remote-ping client function | remote-ping-agent enable | Required. By default, the remote-ping client function is disabled.
    Create a remote-ping test group and enter its view | remote-ping administrator-name operation-... | Required. By default, no test group is configured.
  • Page 646 Configuration procedure Configure remote-ping Client (Switch A): # Enable the remote-ping client. <Sysname> system-view [Sysname] remote-ping-agent enable # Create a remote-ping test group, setting the administrator name to administrator and test tag to ICMP. [Sysname] remote-ping administrator icmp # Configure the test type as icmp. [Sysname-remote-ping-administrator-icmp] test-type icmp # Configure the destination IP address as 10.2.2.2.
  • Page 647: Dhcp Test

    2000-04-02 20:55:12.2 For detailed output description, see the corresponding command manual. DHCP Test Network requirements Both the remote-ping client and the DHCP server are 4200G Ethernet switches. Perform a remote-ping DHCP test between the two switches to test the time required for the remote-ping client to obtain an IP address from the DHCP server.
  • Page 648: Ftp Test

    remote-ping entry(admin administrator, tag dhcp) test result: Send operation times: 10 Receive response times: 10 Min/Max/Average Round Trip Time: 1018/1037/1023 Square-Sum of Round Trip Time: 10465630 Last complete test time: 2000-4-3 9:51:30.9 Extend result: SD Maximal delay: 0 DS Maximal delay: 0 Packet lost in test: 0% Disconnect operation number: 0 Operation timeout number: 0...
  • Page 649 Network diagram Figure 1-4 Network diagram for the FTP test Configuration procedure Configure FTP Server (Switch B): Configure FTP server on Switch B. For specific configuration of FTP server, refer to the FTP-SFTP-TFTP part of the manual. Configure remote-ping Client (Switch A): # Enable the remote-ping client.
  • Page 650: Http Test

    [Sysname-remote-ping-administrator-ftp] display remote-ping results administrator ftp remote-ping entry(admin administrator, tag ftp) test result: Destination ip address:10.2.2.2 Send operation times: 10 Receive response times: 10 Min/Max/Average Round Trip Time: 3245/15891/12157 Square-Sum of Round Trip Time: 1644458573 Last complete test time: 2000-4-3 4:0:34.6 Extend result: SD Maximal delay: 0 DS Maximal delay: 0...
  • Page 651 Network diagram Figure 1-5 Network diagram for the HTTP test Configuration procedure Configure HTTP Server: Use Windows 2003 Server as the HTTP server. For HTTP server configuration, refer to the related instruction on Windows 2003 Server configuration. Configure remote-ping Client (Switch A): # Enable the remote-ping client.
  • Page 652: Jitter Test

    System busy operation number: 0 Connection fail number: 0 Operation sequence errors: 0 Drop operation number: 0 Other operation errors: 0 Http result: DNS Resolve Time: 0 HTTP Operation Time: 675 DNS Resolve Min Time: 0 HTTP Test Total Time: 748 DNS Resolve Max Time: 0 HTTP Transmission Successful Times: 10 DNS Resolve Failed Times: 0...
  • Page 653 Network diagram Figure 1-6 Network diagram for the Jitter test Configuration procedure Configure remote-ping Server (Switch B): # Enable the remote-ping server and configure the IP address and port to listen on. <Sysname> system-view [Sysname] remote-ping-server enable [Sysname] remote-ping-server udpecho 10.2.2.2 9000 Configure remote-ping Client (Switch A): # Enable the remote-ping client.
  • Page 654: Snmp Test

    Last complete test time: 2000-4-2 8:14:58.2 Extend result: SD Maximal delay: 10 DS Maximal delay: 10 Packet lost in test: 0% Disconnect operation number: 0 Operation timeout number: 0 System busy operation number: 0 Connection fail number: 0 Operation sequence errors: 0 Drop operation number: 0 Other operation errors: 0 Jitter result:...
  • Page 655 Network diagram Figure 1-7 Network diagram for the SNMP test Configuration procedure Configure SNMP Agent (Switch B): # Start SNMP agent and set SNMP version to V2C, read-only community name to public, and read-write community name to private. <Sysname> system-view [Sysname] snmp-agent [Sysname] snmp-agent sys-info version v2c [Sysname] snmp-agent community read public...
  • Page 656 # Start the test. [Sysname-remote-ping-administrator-snmp] test-enable # Display test results [Sysname-remote-ping-administrator-snmp] display remote-ping results administrator snmp remote-ping entry(admin administrator, tag snmp) test result: Destination ip address:10.2.2.2 Send operation times: 10 Receive response times: 10 Min/Max/Average Round Trip Time: 9/11/10 Square-Sum of Round Trip Time: 983 Last complete test time: 2000-4-3 8:57:20.0 Extend result: SD Maximal delay: 0...
  • Page 657 Configuration procedure Configure remote-ping Server (Switch B): # Enable the remote-ping server and configure the IP address and port to listen on. <Sysname> system-view [Sysname] remote-ping-server enable [Sysname] remote-ping-server tcpconnect 10.2.2.2 8000 Configure remote-ping Client (Switch A): # Enable the remote-ping client. <Sysname>...
  • Page 658: Udp Test (Udpprivate Test) On The Specified Ports

    [Sysname-remote-ping-administrator-tcpprivate] display remote-ping history administrator tcpprivate remote-ping entry(admin administrator, tag tcpprivate) history record: Index Response Status LastRC Time 2000-04-02 08:26:02.9 2000-04-02 08:26:02.8 2000-04-02 08:26:02.8 2000-04-02 08:26:02.7 2000-04-02 08:26:02.7 2000-04-02 08:26:02.6 2000-04-02 08:26:02.6 2000-04-02 08:26:02.5 2000-04-02 08:26:02.5 2000-04-02 08:26:02.4 For detailed output description, see the corresponding command manual. UDP Test (Udpprivate Test) on the Specified Ports Network requirements Both the remote-ping client and the remote-ping server are 4200G Ethernet switches.
  • Page 659 [Sysname-remote-ping-administrator-udpprivate] test-type udpprivate # Configure the IP address of the remote-ping server as 10.2.2.2. [Sysname-remote-ping-administrator-udpprivate] destination-ip 10.2.2.2 # Configure the destination port on the remote-ping server. [Sysname-remote-ping-administrator-udpprivate] destination-port 8000 # Configure to make 10 probes per test. [Sysname-remote-ping-administrator-udpprivate] count 10 # Set the probe timeout time to 5 seconds.
  • Page 660: Dns Test

    DNS Test Network requirements A Switch 4200G serves as the remote-ping client, and a PC serves as the DNS server. Perform a remote-ping DNS test between the switch and the DNS server to measure the time from when the client sends a DNS request until it receives a resolution result from the DNS server.
  • Page 661 Min/Max/Average Round Trip Time: 6/10/8 Square-Sum of Round Trip Time: 756 Last complete test time: 2006-11-28 11:50:40.9 Extend result: SD Maximal delay: 0 DS Maximal delay: 0 Packet lost in test: 0% Disconnect operation number: 0 Operation timeout number: 0 System busy operation number: 0 Connection fail number: 0 Operation sequence errors: 0...
  • Page 662 Table of Contents
    1 PoE Configuration 1-1
      PoE Overview 1-1
        Introduction to PoE 1-1
        PoE Features Supported by Switch 4200G 1-1
      PoE Configuration 1-2
        PoE Configuration Task List 1-2
        Enabling the PoE Feature on a Port 1-3
        Setting the Maximum Output Power on a Port 1-3
        Setting PoE Management Mode and PoE Priority of a Port 1-3
        Setting the PoE Mode on a Port 1-4
        Configuring the PD Compatibility Detection Function 1-4...
  • Page 663: Poe Overview

    PoE Configuration When configuring PoE, go to these sections for information you are interested in: PoE Overview PoE Configuration PoE Configuration Example PoE Overview Introduction to PoE Power over Ethernet (PoE)-enabled devices use twisted pairs through electrical ports to supply power to the remote powered devices (PD) in the network and implement power supply and data transmission simultaneously.
  • Page 664: Poe Configuration Task List

    Each Ethernet electrical port can supply at most a power of 15,400 mW to a PD. When AC power input is adopted for the switch, the maximum total power that can be provided is 300 W. The switch can determine whether to supply power to the next remote PD it detects depending on its available power.
  • Page 665: Enabling The Poe Feature On A Port

    Enabling the PoE Feature on a Port Follow these steps to enable the PoE feature on a port:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter Ethernet port view | interface interface-type interface-number | —
    Enable the PoE feature on a port | poe enable | Required...
  • Page 666: Setting The Poe Mode On A Port

    more than one port has the same lowest priority, the switch will power down the PD connected to the port with the larger port number. manual: When the switch is close to its full load in supplying power, it will not change its original power supply status based on priority when a new PD is added.
  • Page 667: Configuring A Pd Disconnection Detection Mode

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable the PD compatibility detection function | poe legacy enable | Required. Disabled by default.
    Configuring a PD Disconnection Detection Mode To detect the PD connection with the PSE, PoE provides two detection modes: AC detection and DC detection.
  • Page 668: Upgrading The Pse Processing Software Online

    When the internal temperature of the switch decreases from X (X>65°C, or X>149°F) to Y (60°C≤Y<65°C, or 140°F≤Y<149°F), the switch still keeps the PoE function disabled on all the ports. When the internal temperature of the switch increases from X (X<60°C, or X<140°F) to Y (60°C<Y≤65°C, or 140°F<Y≤149°F), the switch still keeps the PoE function enabled on all the ports.
  • Page 669: Displaying Poe Configuration

    Displaying PoE Configuration
    To do… | Use the command… | Remarks
    Display the current PD disconnection detection mode of the switch | display poe disconnect | Available in any view
    Display the PoE status of a specific port or all ports of the switch | display poe interface [ interface-type interface-number ] | Available in any view
    Display the PoE power information of a ... | display poe interface power...
  • Page 670 Configuration procedure # Upgrade the PSE processing software online. <SwitchA> system-view [SwitchA] poe update refresh 0290_021.s19 # Enable the PoE feature on GigabitEthernet 1/0/1, and set the PoE maximum output power of GigabitEthernet 1/0/1 to 12,000 mW. [SwitchA] interface GigabitEthernet 1/0/1 [SwitchA-GigabitEthernet1/0/1] poe enable [SwitchA-GigabitEthernet1/0/1] poe max-power 12000 [SwitchA-GigabitEthernet1/0/1] quit...
  • Page 671: Poe Profile Configuration

    PoE Profile Configuration When configuring PoE profile, go to these sections for information you are interested in: Introduction to PoE Profile PoE Profile Configuration Displaying PoE Profile Configuration PoE Profile Configuration Example Introduction to PoE Profile On a large-sized network or a network with mobile users, to help network administrators monitor the PoE features of the switch, the Switch 4200G provides the PoE profile feature.
  • Page 672: Displaying Poe Profile Configuration

    To do… | Use the command… | Remarks
    Enable the PoE feature on a port | poe enable | Required. Disabled by default.
    Configure PoE mode for Ethernet ports | poe mode { signal | spare } | Optional. signal by default.
    Configure the relevant features in ... Configure the PoE priority for Ethernet... | ... | Optional...
  • Page 673: Poe Profile Configuration Example

    PoE Profile Configuration Example PoE Profile Application Example Network requirements Switch A is a Switch 4200G supporting PoE. GigabitEthernet 1/0/1 through GigabitEthernet 1/0/10 of Switch A are used by users of group A, who have the following requirements: The PoE function can be enabled on all ports in use. Signal mode is used to supply power.
  • Page 674 # In Profile 1, add the PoE policy configuration applicable to GigabitEthernet 1/0/1 through GigabitEthernet 1/0/5 ports for users of group A. [SwitchA-poe-profile-Profile1] poe enable [SwitchA-poe-profile-Profile1] poe mode signal [SwitchA-poe-profile-Profile1] poe priority critical [SwitchA-poe-profile-Profile1] poe max-power 3000 [SwitchA-poe-profile-Profile1] quit # Display detailed configuration information for Profile1. [SwitchA] display poe-profile name Profile1 Poe-profile: Profile1, 3 action poe enable...
  • Page 675 Table of Contents
    1 Smart Link Configuration 1-1
      Smart Link Overview 1-1
        Basic Concepts in Smart Link 1-1
        Operating Mechanism of Smart Link 1-3
      Configuring Smart Link 1-3
        Configuration Task List 1-3
        Configuring a Smart Link Device 1-4
        Configuring Associated Devices 1-5
        Precautions 1-5
      Displaying and Maintaining Smart Link 1-6
      Smart Link Configuration Example 1-6
        Implementing Link Redundancy Backup 1-6
    2 Monitor Link Configuration 2-1...
  • Page 676: Smart Link Configuration

    Smart Link Configuration When configuring smart link, go to these sections for information you are interested in: Smart Link Overview Configuring Smart Link Displaying and Maintaining Smart Link Smart Link Configuration Example Smart Link Overview As shown in Figure 1-1, dual-uplink networking is widely used today. Usually, Spanning Tree Protocol (STP) is used to implement link redundancy backup in the network.
  • Page 677 Slave port The slave port can be either an Ethernet port or a manually-configured or static LACP aggregation group. For example, you can configure GigabitEthernet 1/0/2 of switch A in Figure 1-1 as the slave port through the command line. Flush message When a forwarding link fails, the device will switch the traffic to the blocked standby link.
  • Page 678: Operating Mechanism Of Smart Link

    Operating Mechanism of Smart Link Figure 1-2 Network diagram of Smart Link operating mechanism As shown in Figure 1-2, GigabitEthernet 1/0/1 on Switch A is active and GigabitEthernet 1/0/2 on Switch A is blocked. When the link connected to GigabitEthernet 1/0/1 fails, GigabitEthernet 1/0/1 is blocked automatically, and the state of GigabitEthernet 1/0/2 turns to active state.
  • Page 679: Configuring A Smart Link Device

    Task | Remarks
    Configuring a Smart Link Device: Create a smart link group; Add member ports to the smart link group; Enable the function of sending flush messages in the specified control VLAN | Required
    Configuring Associated Devices: Enable the function of processing flush messages received from the specified control ... | Required...
  • Page 680: Configuring Associated Devices

    To do… | Use the command… | Remarks
    Enable the function of sending flush messages in the specified control VLAN | flush enable control-vlan vlan-id | Optional. By default, no control VLAN for sending flush messages is specified.
    Configuring Associated Devices An associated device mentioned in this document refers to a device that supports Smart Link and is locally configured to process flush messages received from the specified control VLAN, so as to work with the corresponding Smart Link device.
  • Page 681: Displaying And Maintaining Smart Link

    Network requirements As shown in Figure 1-3, Switch A is a 3Com S4200G series Ethernet switch. Switch C, Switch D and Switch E support Smart Link. Configure the Smart Link feature to provide remote PCs with reliable access to the server.
  • Page 682 Network diagram Figure 1-3 Network diagram for Smart Link configuration Configuration procedure Configure a smart link group on Switch A and configure member ports for it. Enable the function of sending flush messages in Control VLAN 1. # Enter system view. <switchA>...
  • Page 683 # Enter system view. <SwitchC> system-view # Enable the function of processing flush messages received from VLAN 1 on GigabitEthernet 1/0/2. [SwitchC] smart-link flush enable control-vlan 1 port GigabitEthernet 1/0/2 Enable the function of processing flush messages received from VLAN 1 on Switch D. # Enter system view.
  • Page 684: Monitor Link Configuration

    Monitor Link Configuration When configuring Monitor Link, go to these sections for information you are interested in: Introduction to Monitor Link Configuring Monitor Link Displaying Monitor Link Configuration Monitor Link Configuration Example Introduction to Monitor Link Monitor Link is a collaboration scheme introduced to complement Smart Link. It is used to monitor the uplink and to improve the backup function of Smart Link.
  • Page 685: How Monitor Link Works

    How Monitor Link Works Figure 2-2 Network diagram for a monitor link group implementation As shown in Figure 2-2, the devices Switch C and Switch D are connected to the uplink device Switch E. Switch C is configured with a monitor link group, where GigabitEthernet 1/0/1 is the uplink port, while GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 are the downlink ports.
  • Page 686: Configuring Monitor Link

    Configuring Monitor Link Before configuring a monitor link group, you must create a monitor link group and configure member ports for it. A monitor link group consists of an uplink port and one or multiple downlink ports. The uplink port can be a manually-configured or static LACP link aggregation group, an Ethernet port, or a smart link group.
  • Page 687: Configuring A Downlink Port

    To do… | Use the command… | Remarks
    Configure the specified Ethernet port as the uplink port of the monitor link group | In monitor link group view: port interface-type interface-number uplink; or in Ethernet port view: quit, interface interface-type interface-number, port monitor-link group group-id uplink | ...
    Configuring a Downlink Port Follow these steps to configure a downlink port: To do…...
  • Page 688: Displaying Monitor Link Configuration

    A smart link/monitor link group with members cannot be deleted. A smart link group as a monitor link group member cannot be deleted. The smart link/monitor link function and the remote port mirroring function are incompatible with each other. If a single port is specified as a smart link/monitor link group member, do not use the lacp enable command on the port or add the port to another dynamic link aggregation group because doing so will cause the port to become an aggregation group member.
  • Page 689 Network diagram Figure 2-3 Network diagram for Monitor Link configuration (diagram: Server connected to Switch E on GE1/0/10 and GE1/0/11; Switch E GE1/0/1 links to Switch C and Switch D; Switch C and Switch D GE1/0/2 and GE1/0/3 link down to Switch A and Switch B on GE1/0/1 (one BLOCKED) and GE1/0/2; PC 1 through PC 4 attached to Switch A and Switch B) Configuration procedure Enable Smart Link on Switch A and Switch B to implement link redundancy backup.
  • Page 690 Enable Monitor Link on Switch C and Switch D and enable the function of processing flush messages received from VLAN 1. Perform the following configuration on Switch C. The operation procedure on Switch D is the same as that performed on Switch C. # Enter system view.
  • Page 691 Table of Contents: 1 IPv6 Configuration (1-1); IPv6 Overview (1-1); IPv6 Features (1-1); Introduction to IPv6 Address (1-3); Introduction to IPv6 Neighbor Discovery Protocol (1-6); Introduction to IPv6 DNS (1-8); Protocols and Standards (1-8); IPv6 Configuration Task List (1-9); Configuring an IPv6 Unicast Address (1-9); Configuring IPv6 NDP (1-11); Configuring a Static IPv6 Route (1-12); Configuring IPv6 TCP Properties (1-13)...
  • Page 692: Ipv6 Configuration

    The term “router” in this document refers to a router in a generic sense or an Ethernet switch running a routing protocol. The 3Com Switch 4200G supports IPv6 management features but does not support IPv6 forwarding and related features. IPv6 Overview: Internet Protocol Version 6 (IPv6), also called IP next generation (IPng), was designed by the Internet Engineering Task Force (IETF) as the successor to Internet Protocol Version 4 (IPv4).
  • Page 693 Figure 1-1 Comparison between IPv4 header format and IPv6 header format. Adequate address space: The source IPv6 address and the destination IPv6 address are both 128 bits (16 bytes) long. IPv6 can provide 3.4 x 10^38 addresses, enough to completely meet the requirements of hierarchical address division as well as allocation of public and private addresses.
  • Page 694: Introduction To Ipv6 Address

    Enhanced neighbor discovery mechanism The IPv6 neighbor discovery protocol is implemented by a group of Internet Control Message Protocol Version 6 (ICMPv6) messages. The IPv6 neighbor discovery protocol manages message exchange between neighbor nodes (nodes on the same link). The group of ICMPv6 messages takes the place of Address Resolution Protocol (ARP), Internet Control Message Protocol Version 4 (ICMPv4), and ICMPv4 redirect messages to provide a series of other functions.
  • Page 695 Multicast address: An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address. Anycast address: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the nearest one, according to the routing protocols’...
  • Page 696 Unassigned address: The unicast address :: is called the unassigned address and may not be assigned to any node. Before acquiring a valid IPv6 address, a node may fill this address in the source address field of an IPv6 packet, but may not use it as a destination IPv6 address. Multicast address Multicast addresses listed in Table 1-2...
  • Page 697: Introduction To Ipv6 Neighbor Discovery Protocol

    The 3Com Switch 4200G does not support the RS, RA, or Redirect messages. Of the above-mentioned IPv6 NDP functions, the 3Com Switch 4200G supports the following three: address resolution, neighbor unreachability detection, and duplicate address detection.
  • Page 698 Address resolution Similar to the ARP function in IPv4, a node acquires the link-layer address of neighbor nodes on the same link through NS and NA messages. Figure 1-3 shows how node A acquires the link-layer address of node B. Figure 1-3 Address resolution The address resolution procedure is as follows: Node A multicasts an NS message.
  • Page 699: Introduction To Ipv6 Dns

    Figure 1-4 Duplicate address detection The duplicate address detection procedure is as follows: Node A sends an NS message whose source address is the unassigned address :: and the destination address is the corresponding solicited-node multicast address of the IPv6 address to be detected.
  • Page 700: Ipv6 Configuration Task List

    RFC 3513: Internet Protocol Version 6 (IPv6) Addressing Architecture RFC 3596: DNS Extensions to Support IP Version 6 IPv6 Configuration Task List Complete the following tasks to configure IPv6: Task Remarks Configuring an IPv6 Unicast Address Required Configuring IPv6 NDP Optional Configuring a Static IPv6 Route Optional...
  • Page 701 IPv6 unicast addresses can be configured for only one VLAN interface on a 3Com Switch 4200G. The total number of global unicast addresses and site-local addresses on the VLAN interface can be up to four.
  • Page 702: Configuring Ipv6 Ndp

    Configuring IPv6 NDP Configuring a static neighbor entry The IPv6 address of a neighbor node can be resolved into a link-layer address dynamically through NS and NA messages or statically through manual configuration. You can configure a static neighbor entry in two ways: Mapping a VLAN interface to an IPv6 address and a link-layer address Mapping a port in a VLAN to an IPv6 address and a link-layer address If you configure a static neighbor entry in the second way, make sure the corresponding VLAN interface...
  • Page 703: Configuring A Static Ipv6 Route

    Follow these steps to configure the attempts to send an NS message for duplicate address detection (To do / Use the command / Remarks): Enter system view: system-view; Enter VLAN interface view: interface interface-type interface-number; Configure the attempts to send … (Optional; 1 by default).
  • Page 704: Configuring Ipv6 Tcp Properties

    Configure a static IPv6 route (To do / Use the command / Remarks): ipv6 route-static ipv6-address prefix-length [ interface-type interface-number ] nexthop-address (Required; by default, no static IPv6 route is configured). Configuring IPv6 TCP Properties: The IPv6 TCP properties you can configure include: synwait timer: When a SYN packet is sent, the synwait timer is triggered.
  • Page 705: Configuring The Hop Limit Of Icmpv6 Reply Packets

    To do / Use the command / Remarks: Enter system view: system-view; Configure the maximum number of IPv6 ICMP error packets sent within …: ipv6 icmp-error { bucket bucket-size | ratelimit … (Optional; by default, the capacity of a token bucket is 10 and the update period is 100 milliseconds).
  • Page 706: Displaying And Maintaining Ipv6

    To do / Use the command / Remarks: Enter system view: system-view; Enable the dynamic domain name resolution function: dns resolve (Required; disabled by default); Configure an IPv6 DNS server: dns server ipv6 ipv6-address [ interface-type … (Required; if the IPv6 address of the DNS server is a link-local address, the interface-type and...
  • Page 707: Ipv6 Configuration Example

    To do / Use the command: Display the statistics of IPv6 packets and IPv6 ICMP packets: display ipv6 statistics; Display the statistics of IPv6 TCP packets: display tcp ipv6 statistics; Display the IPv6 TCP connection status: display tcp ipv6 status; Display the statistics of IPv6 UDP packets: display udp ipv6 statistics...
  • Page 708 Configuration procedure
    Configure Switch A.
    # Configure an automatically generated link-local address for the interface VLAN-interface 2.
    <SwitchA> system-view
    [SwitchA] interface Vlan-interface 2
    [SwitchA-Vlan-interface2] ipv6 address auto link-local
    # Configure an EUI-64 address for the interface VLAN-interface 2.
    [SwitchA-Vlan-interface2] ipv6 address 2001::/64 eui-64
    # Configure a global unicast address for the interface VLAN-interface 2.
  • Page 709
    2001::20F:E2FF:FE00:1, subnet is 2001::/64
    3001::2, subnet is 3001::/64
    Joined group address(es):
    FF02::1:FF00:2
    FF02::1:FF00:1
    FF02::1
    MTU is 1500 bytes
    ND DAD is enabled, number of DAD attempts: 1
    ND reachable time is 30000 milliseconds
    ND retransmit interval is 1000 milliseconds
    Hosts use stateless autoconfig for addresses
    # On Switch A, ping the link-local address, EUI-64 address, and global unicast address of Switch B.
  • Page 710
    bytes=56 Sequence=3 hop limit=255 time = 60 ms
    Reply from 2001::20F:E2FF:FE00:1 bytes=56 Sequence=4 hop limit=255 time = 60 ms
    Reply from 2001::20F:E2FF:FE00:1 bytes=56 Sequence=5 hop limit=255 time = 60 ms
    --- 2001::20F:E2FF:FE00:1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 40/58/70 ms
    [SwitchA-Vlan-interface2] ping ipv6 3001::2...
  • Page 711: Ipv6 Application Configuration

    IPv6 Application Configuration Example; Troubleshooting IPv6 Application. Introduction to IPv6 Application: IPv6 supports more and more applications, and most IPv6 applications are the same as their IPv4 counterparts. The applications supported on a 3Com Switch 4200G are: Ping, Traceroute, TFTP...
  • Page 712: Ipv6 Traceroute

    IPv6 Traceroute: The traceroute ipv6 command is used to record the route of IPv6 packets from source to destination, so as to check whether the link is available and determine the point of failure. Figure 2-1 Traceroute process. As Figure 2-1 shows, the traceroute process is as follows: The source sends an IP datagram with a Hop Limit of 1.
  • Page 713: Ipv6 Telnet

    Download/Upload files from the TFTP server (To do / Use the command / Remarks): tftp ipv6 remote-system [ -i interface-type interface-number ] { get | put } source-filename [ destination-filename ] (Required; available in user view). When you use the tftp ipv6 command to connect to the TFTP server, you must specify the “–i” keyword if the destination address is a link-local address.
  • Page 714: Ipv6 Application Configuration Example

    Network requirements: In Figure 2-3, SWA, SWB, and SWC are three switches: SWA is a 3Com Switch 4200G, and SWB and SWC are switches that support IPv6 forwarding. The LAN contains a Telnet server and a TFTP server, which provide Telnet service and TFTP service to the switch respectively. It is required that you telnet to the Telnet server from SWA and download files from the TFTP server.
  • Page 715: Troubleshooting Ipv6 Application

    bytes=56 Sequence=2 hop limit=64 time = 31 ms
    Reply from 3003::1 bytes=56 Sequence=3 hop limit=64 time = 31 ms
    Reply from 3003::1 bytes=56 Sequence=4 hop limit=64 time = 31 ms
    Reply from 3003::1 bytes=56 Sequence=5 hop limit=64 time = 31 ms
    --- 3003::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received...
  • Page 716: Unable To Run Traceroute

    Use the display ipv6 interface command to verify that the interfaces of the source and the destination, and the link-layer protocol between them, are up. Use the display ipv6 route-table command to verify that the destination is reachable. Use the ping ipv6 -t timeout { destination-ipv6-address | hostname } [ -i interface-type interface-number ] command to increase the timeout limit, so as to determine whether the failure is caused by a timeout limit that is too small.
  • Page 717 Table of Contents: 1 UDP Helper Configuration (1-1); Introduction to UDP Helper (1-1); Configuring UDP Helper (1-2); Displaying and Maintaining UDP Helper (1-2); UDP Helper Configuration Example (1-3); Cross-Network Computer Search Through UDP Helper (1-3)...
  • Page 718: Udp Helper Configuration

    UDP Helper Configuration When configuring UDP helper, go to these sections for information you are interested in: Introduction to UDP Helper Configuring UDP Helper Displaying and Maintaining UDP Helper UDP Helper Configuration Example Introduction to UDP Helper Sometimes, a host needs to forward broadcasts to obtain network configuration information or request the names of other devices on the network.
  • Page 719: Configuring Udp Helper

    Protocol / UDP port number: TFTP (Trivial File Transfer Protocol); Time Service. Configuring UDP Helper: Follow these steps to configure UDP Helper (To do / Use the command / Remarks): Enter system view: system-view; Enable UDP Helper: udp-helper enable (Required; disabled by default); udp-helper port { port-number … (Optional; by default, the device enabled...
  • Page 720: Udp Helper Configuration Example

    Clear statistics about packets forwarded by UDP Helper (To do / Use the command / Remarks): reset udp-helper packet (available in user view). UDP Helper Configuration Example: Cross-Network Computer Search Through UDP Helper. Network requirements: PC A resides on network segment 192.168.1.0/24 and PC B on 192.168.10.0/24; they are connected through Switch A and are routable to each other.
  • Page 721 Table of Contents: 1 Access Management Configuration (1-1); Access Management Overview (1-1); Configuring Access Management (1-2); Access Management Configuration Examples (1-2); Access Management Configuration Example (1-2); Combining Access Management with Port Isolation (1-3)...
  • Page 722: Access Management Configuration

    Access Management Configuration When configuring access management, go to these sections for information you are interested in: Access Management Overview Configuring Access Management Access Management Configuration Examples Access Management Overview Normally, client PCs in a network are connected to switches operating on the network access layer (also referred to as access switches) through Layer 2 switches;...
  • Page 723: Configuring Access Management

    Configuring Access Management: Follow these steps to configure access management (To do / Use the command / Remarks): Enter system view: system-view; Enable the access management function: am enable (Required; by default, the system disables the access management function); Enable access management …: am trap enable (Required; by default, access trap...
  • Page 724: Combining Access Management With Port Isolation

    Allow the PCs of Organization 1 to access the external network through GigabitEthernet 1/0/1 on Switch A. The port belongs to VLAN 1, and the IP address of VLAN-interface 1 is 202.10.20.200/24. Disable the PCs that are not of Organization 1 (PC 2 and PC 3) from accessing the external network through GigabitEthernet 1/0/1 of Switch A.
  • Page 725 Allow the PCs of Organization 1 to access the external network through GigabitEthernet 1/0/1 of Switch A. Allow the PCs of Organization 2 to access the external network through GigabitEthernet 1/0/2 of Switch A. GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 belong to VLAN 1. The IP address of VLAN-interface 1 is 202.10.20.200/24.
  • Page 726
    [Sysname-GigabitEthernet1/0/1] port isolate
    [Sysname-GigabitEthernet1/0/1] quit
    # Configure the access management IP address pool on GigabitEthernet 1/0/2.
    [Sysname] interface GigabitEthernet 1/0/2
    [Sysname-GigabitEthernet1/0/2] am ip-pool 202.10.20.25 26 202.10.20.55 11
    # Add GigabitEthernet 1/0/2 to the port isolation group.
    [Sysname-GigabitEthernet1/0/2] port isolate
    [Sysname-GigabitEthernet1/0/2] quit...
  • Page 727 Table of Contents: Appendix A Acronyms (A-1)...
  • Page 728 Appendix A Acronyms Authentication, Authorization and Accounting Area Border Router Access Control List Address Resolution Protocol Autonomous System ASBR Autonomous System Border Router Backup Designated Router Committed Access Rate Command Line Interface Class of Service DHCP Dynamic Host Configuration Protocol Designated Router Distance Vector Routing Algorithm Exterior Gateway Protocol...
  • Page 729 Link State Advertisement LSDB Link State DataBase Medium Access Control Management Information Base NBMA Non Broadcast MultiAccess Network Information Center Network Management System NVRAM Nonvolatile RAM OSPF Open Shortest Path First Protocol Independent Multicast PIM-DM Protocol Independent Multicast-Dense Mode PIM-SM Protocol Independent Multicast-Sparse Mode Power over Ethernet Quality of Service...
  • Page 730 Video On Demand Weighted Round Robin eXchange Identification eXpandable Resilient Networking...
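The following is an added example, not code from the 3Com manual. It ties together the address resolution procedure (page 698), the duplicate address detection procedure (page 699) and the Switch A / Switch B output on pages 708 to 710: it derives the EUI-64 and link-local addresses that "ipv6 address 2001::/64 eui-64" and "ipv6 address auto link-local" produce, computes the solicited-node multicast groups (FF02::1:FF00:1 and FF02::1:FF00:2 in the manual's display output), and models the NS/NA exchange on both sides. The MAC address 00-0F-E2-00-00-01 is an assumption inferred from the EUI-64 address 2001::20F:E2FF:FE00:1 shown on the page; the neighbor table is constructed for the example.

```python
"""
Added example, not code from the 3Com manual: derive the IPv6 addresses shown in
the Switch A / Switch B configuration example (EUI-64 interface ID, link-local
address, solicited-node multicast groups) and model the NS/NA exchange that the
address resolution and duplicate address detection (DAD) procedures describe.
The MAC address 00-0F-E2-00-00-01 is an assumption, inferred here from the
EUI-64 address 2001::20F:E2FF:FE00:1 in the manual's output.
"""
import ipaddress

ALL_NODES = ipaddress.IPv6Address("FF02::1")      # all-nodes link-local multicast group
UNSPECIFIED = ipaddress.IPv6Address("::")         # the unassigned address, used as DAD source
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("FF02::1:FF00:0"))


def eui64_interface_id(mac):
    """Modified EUI-64: split the 48-bit MAC, insert FF:FE, and flip the U/L bit (0x02)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def eui64_address(prefix, mac):
    """Combine a /64 prefix (e.g. 2001::/64 from 'ipv6 address 2001::/64 eui-64') with the EUI-64 ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addresses need a 64-bit prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local_address(mac):
    """What 'ipv6 address auto link-local' produces: FE80::/64 plus the EUI-64 interface ID."""
    return eui64_address("FE80::/64", mac)


def solicited_node_multicast(addr):
    """FF02::1:FFxx:xxxx, where xx:xxxx are the low 24 bits of the unicast address."""
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | (int(ipaddress.IPv6Address(addr)) & 0xFFFFFF))


def dad_ns(tentative):
    """NS for DAD: source is the unassigned address ::, destination is the target's solicited-node group."""
    return {"src": UNSPECIFIED, "dst": solicited_node_multicast(tentative),
            "target": ipaddress.IPv6Address(tentative)}


def address_resolution_ns(own_addr, neighbor_addr):
    """NS for address resolution: sent from the node's own address to the neighbor's solicited-node group."""
    return {"src": ipaddress.IPv6Address(own_addr), "dst": solicited_node_multicast(neighbor_addr),
            "target": ipaddress.IPv6Address(neighbor_addr)}


def handle_ns(owned, ns):
    """
    Receiver side. 'owned' maps the receiver's IPv6 addresses (strings) to its link-layer address.
    Returns the NA the receiver would send, or None if the NS is not for one of its addresses.
    An NA answering a DAD probe (source ::) goes to all-nodes; otherwise it is unicast to the sender.
    """
    owned_addrs = {ipaddress.IPv6Address(a): mac for a, mac in owned.items()}
    listening = {solicited_node_multicast(a) for a in owned_addrs}
    if ns["dst"] not in listening or ns["target"] not in owned_addrs:
        return None
    dst = ALL_NODES if ns["src"] == UNSPECIFIED else ns["src"]
    return {"src": ns["target"], "dst": dst, "target": ns["target"],
            "link_layer": owned_addrs[ns["target"]]}


def dad_is_duplicate(tentative, neighbors):
    """DAD outcome: the tentative address is a duplicate if any neighbor answers the probe with an NA."""
    probe = dad_ns(tentative)
    return any(handle_ns(owned, probe) is not None for owned in neighbors)


if __name__ == "__main__":
    mac = "00-0F-E2-00-00-01"                        # assumed MAC of Switch B (see module docstring)
    print("link-local :", link_local_address(mac))
    print("EUI-64     :", eui64_address("2001::/64", mac))
    for a in ("2001::20F:E2FF:FE00:1", "3001::2"):
        print("solicited-node group for", a, ":", solicited_node_multicast(a))
    switch_b = {"3001::2": mac}                      # constructed neighbor table for the example
    print("DAD 3001::2 duplicate?", dad_is_duplicate("3001::2", [switch_b]))
    print("DAD 3001::3 duplicate?", dad_is_duplicate("3001::3", [switch_b]))
```

Running the script shows why the manual's display output lists FF02::1:FF00:1 and FF02::1:FF00:2 among the joined groups: each configured unicast address makes the interface join the solicited-node group derived from its low 24 bits, and that group is exactly where NS messages for address resolution and DAD are sent. The example also shows the one difference between the two procedures that matters for a receiver: a DAD probe comes from :: and is answered to all-nodes, while a normal resolution request is answered unicast to the sender.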

This manual is also suitable for:

4200G 24-Port, 4200G 48-Port, Switch 4800G PWR 24-Port