3Com E4500-24 Cli Configuration Manual

Hp e4500-24: user guide
Table of Contents


1 CLI Configuration (1-1)
    Introduction to the CLI (1-1)
    Command Hierarchy (1-1)
        Command Level and User Privilege Level (1-1)
        Modifying the Command Level (1-2)
        Switching User Level (1-3)
    CLI Views (1-7)
    CLI Features (1-11)
        Online Help (1-11)
        Terminal Display (1-12)
        Command History (1-12)
        Error Prompts (1-13)
        Command Edit (1-13)

Summary of Contents for 3Com E4500-24

  • Page 2: Cli Configuration

    CLI Configuration. When configuring the CLI, go to these sections for the information you are interested in: Introduction to the CLI; Command Hierarchy; CLI Views; CLI Features. Introduction to the CLI: A command line interface (CLI) is a user interface for interacting with a switch. Through the CLI, a user can enter commands to configure the switch and check the output to verify the configuration.
  • Page 3: Modifying The Command Level

    Monitor level (level 1): Commands at this level are mainly used to maintain the system and diagnose service faults; they cannot be saved in the configuration file. Such commands include debugging and terminal. System level (level 2): Commands at this level are mainly used to configure services. Commands concerning routing and the network layer are at this level.
  • Page 4: Switching User Level

    Configure the level of a command in a specific view: command-privilege level level view view command. Required.
    You are recommended to use the default command levels, or to modify a command level only under the guidance of professional staff; otherwise the change may complicate maintenance and operation, or even create a security problem (a command moved to a lower level becomes available to every user at that level).
  • Page 5 … can switch to a higher level temporarily; when administrators need to leave for a while or ask someone else to manage the device temporarily, they can switch to a lower privilege level before they leave to restrict what that person can do. Switching from a higher user level to a lower one is not restricted (no authentication is required).
  • Page 6 When both the super password authentication and the HWTACACS authentication are specified, the device adopts the preferred authentication mode first. If the preferred authentication mode cannot be implemented (for example, the super password is not configured or the HWTACACS authentication server is unreachable), the backup authentication mode is adopted.
  • Page 7
    Enter system view: system-view.
    Enter ISP domain view: domain domain-name.
    Set the HWTACACS authentication scheme for user level switching: super hwtacacs-scheme hwtacacs-scheme-name. Required. By default, no HWTACACS authentication scheme is set for user level switching.
  • Page 8: Cli Views

    # Set the password used by the current user to switch to level 3.
    [Sysname] super password level 3 simple 123
    A VTY 0 user switches its level to level 3 after logging in.
    # A VTY 0 user telnets to the switch, and then uses the set password to switch to user level 3.
    <Sysname>...
    The simple keyword stores the password in plain text in the configuration file; use a strong password, and the cipher keyword where the command offers it. The value 123 is an illustration, not a recommended setting.
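    The switching rules in the pages above (no authentication for high-to-low switching; the preferred mode first, and the backup mode only when the preferred one cannot be carried out), modelled as an added Python example. This is not the switch's own code: SuperConfig, make_hwtacacs, the mode names and the 0 to 3 level range are assumptions of the model, and the HWTACACS server is a stub.

```python
"""User-level switching with a preferred and a backup authentication mode, as the
text above describes: switching down needs no authentication; switching up tries the
preferred mode and falls back to the backup mode only when the preferred one cannot
be carried out (no super password configured for the target level, or the HWTACACS
server unreachable). Added model of the behaviour, not the switch's own code; the
HWTACACS server is simulated by a callable stored in the config."""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Simulated HWTACACS reply: (server reachable, user accepted for the target level)
HwtacacsReply = Tuple[bool, bool]


@dataclass
class SuperConfig:
    # target level -> super password; a level missing here is 'not configured'
    super_passwords: Dict[int, str] = field(default_factory=dict)
    # preferred mode first, backup mode second
    mode_order: Tuple[str, ...] = ("super-password", "hwtacacs")
    # simulated server: (username, password, target level) -> HwtacacsReply; None if no scheme is set
    hwtacacs: Optional[Callable[[str, str, int], HwtacacsReply]] = None


class LevelSwitchDenied(Exception):
    pass


def switch_level(cfg: SuperConfig, current: int, target: int, user: str, secret: str) -> Tuple[int, str]:
    """Return (new level, mode used) or raise LevelSwitchDenied."""
    if not 0 <= target <= 3:
        raise ValueError("user levels run from 0 (visit) to 3 (manage)")
    if target <= current:
        return target, "none"                 # high-to-low switching is unrestricted
    for mode in cfg.mode_order:
        if mode == "super-password":
            expected = cfg.super_passwords.get(target)
            if expected is None:
                continue                      # not configured: the backup mode is tried
            if hmac.compare_digest(expected.encode(), secret.encode()):
                return target, mode
            raise LevelSwitchDenied("super password rejected")   # a wrong password is a failure, not a fallback
        if mode == "hwtacacs":
            if cfg.hwtacacs is None:
                continue
            reachable, accepted = cfg.hwtacacs(user, secret, target)
            if not reachable:
                continue                      # unreachable server: the backup mode is tried
            if accepted:
                return target, mode
            raise LevelSwitchDenied("HWTACACS server rejected the user")
        raise ValueError(f"unknown authentication mode {mode!r}")
    raise LevelSwitchDenied("no usable authentication mode for switching to a higher level")


def denied(cfg: SuperConfig, current: int, target: int, user: str, secret: str) -> bool:
    """True if the switch attempt is refused (used by the demo and the checks)."""
    try:
        switch_level(cfg, current, target, user, secret)
        return False
    except LevelSwitchDenied:
        return True


def make_hwtacacs(reachable: bool, accounts: Dict[str, Tuple[str, int]]) -> Callable[[str, str, int], HwtacacsReply]:
    """Simulated HWTACACS server; accounts map user -> (password, highest level allowed)."""
    def server(user: str, password: str, target: int) -> HwtacacsReply:
        if not reachable:
            return False, False
        entry = accounts.get(user)
        ok = entry is not None and hmac.compare_digest(entry[0].encode(), password.encode()) and target <= entry[1]
        return True, ok
    return server


if __name__ == "__main__":
    # The page's example: super password '123' for level 3, no HWTACACS scheme.
    cfg = SuperConfig(super_passwords={3: "123"})
    print(switch_level(cfg, 0, 3, "vty0", "123"))        # (3, 'super-password')
    print(switch_level(cfg, 3, 1, "vty0", ""))           # (1, 'none'): no authentication downwards
    # No super password for level 2 and a reachable server: HWTACACS is the fallback.
    cfg2 = SuperConfig(super_passwords={3: "123"}, hwtacacs=make_hwtacacs(True, {"admin": ("s3cret", 3)}))
    print(switch_level(cfg2, 0, 2, "admin", "s3cret"))   # (2, 'hwtacacs')
    # Preferred HWTACACS unreachable: the super password is the backup.
    cfg3 = SuperConfig(super_passwords={3: "123"}, mode_order=("hwtacacs", "super-password"),
                       hwtacacs=make_hwtacacs(False, {}))
    print(switch_level(cfg3, 0, 3, "admin", "123"))      # (3, 'super-password')
    print(denied(SuperConfig(hwtacacs=make_hwtacacs(False, {})), 0, 3, "admin", "x"))  # True
```

    The model keeps the distinction the manual draws: a mode that is not configured or whose server is unreachable is skipped, but a rejected credential in the preferred mode ends the attempt rather than handing the user a second try against the backup mode.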
  • Page 9 Table 1-1 lists the CLI views provided by the 3Com Switch 4500, the operations that can be performed in each view, and the commands used to enter them.
    Table 1-1 CLI views. Columns: View; Prompt example; Enter method; Quit method; Available operation.
    ... Display operation...
  • Page 10
    View: User interface view. Prompt example: [Sysname-ui-aux0]. Enter method: execute the user-interface command in system view. Available operation: configure user interface parameters.
    View: FTP client view. Prompt example: [ftp]. Enter method: execute the ftp command in user view. Available operation: configure FTP client parameters.
    View: SFTP client view. Prompt example: sftp-client>. Enter method: execute the sftp ...
  • Page 11
    View: User-defined ACL view. Prompt example: [Sysname-acl-user-5000]. Enter method: execute the acl number command (with an ID ranging from 5000 to 5999) in system view. Available operation: define rules for a user-defined ACL.
    View: QoS profile view. Prompt example: [Sysname-qos-pro... Enter method: execute the qos-profile command. Available operation: define QoS profile...
  • Page 12: Cli Features

    CLI Features. Online Help: When configuring the switch, you can use the online help to get related help information. The CLI provides two types of online help: complete and partial. Complete online help: Enter a question mark (?) in any view on your terminal to display all the commands available in the view and their brief descriptions.
  • Page 13: Terminal Display

    Enter a command, a space, a character/string and a question mark (?) next to it. All the keywords beginning with the character/string (if available) are displayed on your terminal. For example:
    <Sysname> display v?
    version vlan voice
    Enter the first several characters of a keyword of a command and then press <Tab>. If there is a unique keyword beginning with the characters just typed, the unique keyword is displayed in its complete form.
  • Page 14: Command Edit

    The Windows 9x HyperTerminal interprets the up and down arrow keys differently, so these keys do not work for recalling history commands in that environment. Use <Ctrl+P> and <Ctrl+N> instead to achieve the same purpose. When you enter the same command multiple times consecutively, the command line interface creates only one history entry for it.
  • Page 15
    Press <Tab> to use the partial online help. That is, when you input an incomplete keyword and press <Tab>, if the input uniquely identifies a complete keyword, the system substitutes the complete keyword for the input; if more than one keyword matches the input, you can display them one by one (in complete form) by pressing <Tab>...
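    How the online help and <Tab> completion described on the pages above behave, as an added Python example (not the switch's implementation). The command tree, its descriptions and the TabCompleter class are constructed for the demonstration; only the display v? result (version, vlan, voice) comes from the page.

```python
"""Online help and <Tab> completion as described above: complete help ('?' on its
own or after a complete keyword), partial help ('<prefix>?'), and repeated <Tab>
cycling through the keywords that match a partial keyword. Added example, not the
switch's own implementation. COMMAND_TREE is a small constructed subset with
invented descriptions; only 'display version/vlan/voice' comes from the page."""
from typing import Dict, List, Optional, Tuple

# keyword -> (description, sub-keywords); constructed subset of a real command tree
Node = Dict[str, Tuple[str, dict]]
COMMAND_TREE: Node = {
    "display": ("Display current system information", {
        "version": ("Display system version", {}),
        "vlan": ("Display VLAN information", {}),
        "voice": ("Display voice VLAN information", {}),
        "current-configuration": ("Display current configuration", {}),
    }),
    "system-view": ("Enter system view", {}),
    "quit": ("Exit from current view", {}),
}


def _walk(node: Node, words: List[str]) -> Optional[Node]:
    """Follow complete keywords down the tree; None if a word is not a keyword."""
    for w in words:
        if w not in node:
            return None
        node = node[w][1]
    return node


def complete_help(line: str) -> List[Tuple[str, str]]:
    """'?' typed on its own or after a space: every keyword valid at that position, with its description."""
    node = _walk(COMMAND_TREE, line.split())
    return [] if node is None else sorted((k, v[0]) for k, v in node.items())


def partial_help(line: str) -> List[str]:
    """'<prefix>?' with no space before '?': keywords beginning with the prefix."""
    words = line.split()
    if not words:
        return sorted(COMMAND_TREE)
    node = _walk(COMMAND_TREE, words[:-1])
    return [] if node is None else sorted(k for k in node if k.startswith(words[-1]))


def online_help(typed: str):
    """Dispatch a line ending in '?' the way the CLI does: complete or partial help."""
    if not typed.endswith("?"):
        raise ValueError("online help is requested with a trailing '?'")
    body = typed[:-1]
    if body == "" or body.endswith(" "):
        return complete_help(body)
    return partial_help(body)


class TabCompleter:
    """Repeated <Tab> on the same partial keyword cycles through all matches."""

    def __init__(self) -> None:
        self._last_output: Optional[str] = None
        self._done: List[str] = []
        self._matches: List[str] = []
        self._index = 0

    def tab(self, line: str) -> str:
        # A line that is exactly what the previous <Tab> produced is a repeated <Tab>.
        if line != self._last_output:
            words = line.split()
            if not words or line.endswith(" "):
                return line
            self._done, self._matches, self._index = words[:-1], partial_help(line), 0
        if not self._matches:
            return line
        chosen = self._matches[self._index % len(self._matches)]
        self._index += 1
        self._last_output = " ".join(self._done + [chosen])
        return self._last_output


if __name__ == "__main__":
    print(online_help("display v?"))       # ['version', 'vlan', 'voice']
    c = TabCompleter()
    line = "display v"
    for _ in range(4):                     # cycles: version, vlan, voice, version
        line = c.tab(line)
        print(line)
```

    The completer remembers the line it last produced so that a second <Tab> on that line is treated as a repeat of the original partial input, which is what lets it cycle instead of re-completing the already completed keyword.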
  • Page 16: Table Of Contents

    Table of Contents
    1 Logging In to an Ethernet Switch (1-1)
        Logging In to an Ethernet Switch (1-1)
        Introduction to the User Interface (1-1)
            Supported User Interfaces (1-1)
            User Interface Index (1-2)
            Common User Interface Configuration (1-2)
    2 Logging In Through the Console Port (2-1)
        Introduction (2-1)
        Logging In Through the Console Port (2-1)
        Console Port Login Configuration (2-3)...
  • Page 17
        Modem Connection Establishment (4-2)
    5 Logging In Through the Web-based Network Management System (5-1)
        Introduction (5-1)
        Establishing an HTTP Connection (5-1)
        Configuring the Login Banner (5-2)
            Configuration Procedure (5-2)
            Configuration Example (5-3)
        Enabling/Disabling the WEB Server (5-3)
    6 Logging In Through NMS (6-1)
        Introduction (6-1)
        Connection Establishment Using NMS (6-1)
    7 Configuring Source IP Address for Telnet Service Packets (7-1)...
  • Page 18: Logging In To An Ethernet Switch

    Logging In to an Ethernet Switch. Go to these sections for the information you are interested in: Logging In to an Ethernet Switch; Introduction to the User Interface; Configuring Source IP Address for Telnet Service Packets; User Control. Logging In to an Ethernet Switch: You can log in to an Ethernet switch in one of the following ways: Logging In Through the Console Port; Logging In Through Telnet...
  • Page 19: User Interface Index

    User Interface Index Two kinds of user interface index exist: absolute user interface index and relative user interface index. The absolute user interface indexes are as follows: The absolute AUX user interfaces are numbered 0 through 7. VTY user interface indexes follow AUX user interface indexes. The first absolute VTY user interface is numbered 8, the second is 9, and so on.
  • Page 20
    Enable copyright information displaying: copyright-info enable. Optional; by default, copyright displaying is enabled, that is, the copyright information is displayed on the terminal after a user logs in successfully.
    Enter user interface view: user-interface [ type ] first-number...
  • Page 21: Logging In Through The Console Port

    Logging In Through the Console Port. Go to these sections for the information you are interested in: Introduction; Logging In Through the Console Port; Console Port Login Configuration; Console Port Login Configuration with Authentication Mode Being None; Console Port Login Configuration with Authentication Mode Being Password; Console Port Login Configuration with Authentication Mode Being Scheme. Introduction: Logging in through the console port is the most common way to log in to a switch.
  • Page 22 If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP; the following assumes that you are running Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4...
  • Page 23: Console Port Login Configuration

    Figure 2-4 Set port parameters Turn on the switch. You will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt appears after you press the Enter key. You can then configure the switch or check the information about the switch by executing the corresponding commands.
  • Page 24: Console Port Login Configurations For Different Authentication Modes

    Make terminal services available. Optional; by default, terminal services are available in all user interfaces.
    Set the maximum number of lines the screen can contain. Optional; by default, the screen can contain up to 24 lines.
    Terminal configuration: set the history command buffer... Optional...
  • Page 25: Console Port Login Configuration With Authentication Mode Being None

    Authentication mode: …. Console port login configuration: AAA configuration, which specifies whether to perform local authentication or remote RADIUS authentication. Remarks: Optional; local authentication is performed by default. Refer to the AAA part for more.
  • Page 26: Configuration Example

    Set the check mode of the console port: parity { even | none | odd }. Optional; by default, the check mode of a console port is none, that is, no parity check is performed.
    Set the stop bits: stopbits { 1 | 1.5 | 2 }. Optional; by default, a console port uses 1 stop bit.
  • Page 27 Commands of level 2 are available to users logging in to the AUX user interface. The baud rate of the console port is 19,200 bps. The screen can contain up to 30 lines. The history command buffer can contain up to 20 commands. The timeout time of the AUX user interface is 6 minutes.
  • Page 28: Console Port Login Configuration With Authentication Mode Being Password

    Console Port Login Configuration with Authentication Mode Being Password. Configuration Procedure: follow these steps to configure console port login with the authentication mode being password:
    Enter system view: system-view.
    Enter AUX user interface view: user-interface aux 0.
    ...
  • Page 29: Configuration Example

    Set the timeout time for the user interface: idle-timeout minutes [ seconds ]. Optional; the default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed...
  • Page 30: Console Port Login Configuration With Authentication Mode Being Scheme

    # Specify to authenticate users logging in through the console port using the local password.
    [Sysname-ui-aux0] authentication-mode password
    # Set the local password to 123456 (in plain text).
    [Sysname-ui-aux0] set authentication password simple 123456
    # Specify that commands of level 2 are available to users logging in to the AUX user interface.
    [Sysname-ui-aux0] user privilege level 2
    # Set the baud rate of the console port to 19,200 bps.
    The simple keyword writes the password to the configuration file in plain text; the cipher keyword stores it encrypted. 123456 is an example value, not a password to use.
  • Page 31
    Set the authentication password for the local user: password { simple | cipher } password. Required.
    Specify the service type for AUX users: service-type terminal [ level level ]. Required.
    Quit to system view: quit.
  • Page 32: Configuration Example

    Set the timeout time for the user interface: idle-timeout minutes [ seconds ]. Optional; the default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user...
  • Page 33 Configuration procedure
    # Enter system view.
    <Sysname> system-view
    # Create a local user named guest and enter local user view.
    [Sysname] local-user guest
    # Set the authentication password to 123456 (in plain text).
    [Sysname-luser-guest] password simple 123456
    # Set the service type to Terminal, and specify that commands of level 2 are available to users logging in to the AUX user interface.
  • Page 34: Logging In Through Telnet

    Logging In Through Telnet. Go to these sections for the information you are interested in: Introduction; Telnet Configuration with Authentication Mode Being None; Telnet Configuration with Authentication Mode Being Password. Introduction: The Switch 4500 supports Telnet. You can manage and maintain a switch remotely by Telnetting to it.
  • Page 35: Telnet Configurations For Different Authentication Modes

    Configure the protocols the user interface supports. Optional; by default, both Telnet and SSH are supported.
    Set the commands to be executed automatically after a user logs in to the user interface. Optional; by default, no command is executed automatically after a user logs in to the VTY user interface.
  • Page 36: Telnet Configuration With Authentication Mode Being None

    Manage VTY users: set the service type for VTY users. Required.
    Perform common Telnet configuration. Optional; refer to Table 3-2.
    To improve security and prevent attacks on unused sockets, TCP port 23 (Telnet) and TCP port 22 (SSH) are enabled or disabled according to the corresponding configuration: a service that is not configured does not listen on its port.
  • Page 37: Configuration Example

    Make terminal services available: shell. Optional; by default, terminal services are available in all user interfaces.
    Set the maximum number of lines the screen can contain: screen-length screen-length. Optional; by default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to...
  • Page 38: Telnet Configuration With Authentication Mode Being Password

    Configuration procedure
    # Enter system view.
    <Sysname> system-view
    # Enter VTY 0 user interface view.
    [Sysname] user-interface vty 0
    # Configure not to authenticate Telnet users logging in to VTY 0.
    [Sysname-ui-vty0] authentication-mode none
    # Specify that commands of level 2 are available to users logging in to VTY 0.
    [Sysname-ui-vty0] user privilege level 2
    # Configure the Telnet protocol to be supported.
    With authentication-mode none, anyone who can reach the switch's management address gets level 2 (system-level) commands without presenting a credential; use this mode only on an isolated management network, if at all.
  • Page 39: Configuration Example

    Set the commands to be executed automatically after a user logs in to the user interface: auto-execute command text. Optional; by default, no command is executed automatically after a user logs in to the user interface.
    Make terminal services available: shell...
  • Page 40: Telnet Configuration With Authentication Mode Being Scheme

    Network diagram: Figure 3-2 Network diagram for Telnet configuration (with the authentication mode being password)
    Configuration procedure
    # Enter system view.
    <Sysname> system-view
    # Enter VTY 0 user interface view.
    [Sysname] user-interface vty 0
    # Configure to authenticate users logging in to VTY 0 using the password.
    [Sysname-ui-vty0] authentication-mode password
    # Set the local password to 123456 (in plain text).
  • Page 41 … you need to perform the following configuration as well: perform AAA and RADIUS configuration on the switch (refer to the AAA part for more), and configure the user name and password accordingly on the AAA server.
    Quit to system view: quit.
  • Page 42 Set the timeout time for the user interface: idle-timeout minutes [ seconds ]. Optional; the default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user...
  • Page 43: Configuration Example

    Scenario (authentication mode, user type, command) and resulting command level:
    The user privilege level level command is executed, and the service-type command specifies the available command level: ...
    The user privilege level level command is not executed, and the service-type command does not specify the available command level: Level 0.
  • Page 44: Telnetting To A Switch

    Network diagram: Figure 3-3 Network diagram for Telnet configuration (with the authentication mode being scheme)
    Configuration procedure
    # Enter system view.
    <Sysname> system-view
    # Create a local user named guest and enter local user view.
    [Sysname] local-user guest
    # Set the authentication password of the local user to 123456 (in plain text).
    [Sysname-luser-guest] password simple 123456
    # Set the service type to Telnet, and specify that commands of level 2 are available to users logging in to VTY 0.
  • Page 45 Launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 95/Windows 98/Windows NT/Windows 2000/Windows XP) on the PC terminal, with the baud rate set to 19,200 bps, data bits set to 8, parity check set to none, and flow control set to none. Turn on the switch and press Enter as prompted.
  • Page 46: Telnetting To Another Switch From The Current Switch

    After successfully Telnetting to the switch, you can configure the switch or display the information about the switch by executing corresponding commands. You can also type ? at any time for help. Refer to the relevant parts in this manual for the information about the commands. A Telnet connection is terminated if you delete or modify the IP address of the VLAN interface in the Telnet session.
  • Page 47: Logging In Using A Modem

    Logging In Using a Modem. Go to these sections for the information you are interested in: Introduction; Configuration on the Switch Side; Modem Connection Establishment. Introduction: The administrator can log in to the console port of a remote switch through the public switched telephone network (PSTN) using a modem, provided the remote switch is connected to the PSTN through a modem, and configure and maintain the switch remotely.
  • Page 48: Switch Configuration

    You can verify your configuration by executing the AT&V command. The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration. Switch Configuration After logging in to a switch through its console port by using a modem, you will enter the AUX user interface.
  • Page 49 Figure 4-1 Establish the connection by using modems (PC, modem serial cable, modem, telephone line, PSTN, modem, console port; telephone number of the remote end: 82882285)
    Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch, as shown in Figure 4-2 through...
  • Page 50 Figure 4-3 Set the telephone number Figure 4-4 Call the modem If the password authentication mode is specified, enter the password when prompted. If the password is correct, the prompt appears. You can then configure or manage the switch. You can also enter the character ? at anytime for help.
  • Page 51: Introduction

    Logging In Through the Web-based Network Management System. Go to these sections for the information you are interested in: Introduction; Establishing an HTTP Connection; Configuring the Login Banner; Enabling/Disabling the WEB Server. Introduction: The Switch 4500 has a built-in Web server. It enables you to log in to an Ethernet switch through a Web browser and then manage and maintain the switch intuitively by interacting with the built-in Web server.
  • Page 52: Configuring The Login Banner

    [Sysname-luser-admin] service-type telnet level 3
    [Sysname-luser-admin] password simple admin
    This account has level 3 (manage) rights and a plain-text password equal to its user name; the values are placeholders for the example, not a configuration to deploy.
    Establish an HTTP connection between your PC and the switch, as shown in Figure 5-1.
    Figure 5-1 Establish an HTTP connection between your PC and the switch
    Log in to the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch in the address bar.
  • Page 53: Configuration Example

    Configuration Example. Network requirements: A user logs in to the switch through the Web, and the banner page is to be displayed when the user logs in. Network diagram: Figure 5-3 Network diagram for login banner configuration. Configuration Procedure:
    # Enter system view.
    <Sysname>...
  • Page 54
    Enter system view: system-view.
    Enable the Web server: undo ip http shutdown. Required.
    Disable the Web server: ip http shutdown. Required.
    By default, the Web server is enabled. To improve security and prevent attacks on unused sockets, TCP port 80 (HTTP) is enabled or disabled according to this configuration.
  • Page 55: Logging In Through Nms

    Logging In Through NMS Go to these sections for information you are interested in: Introduction Connection Establishment Using NMS Introduction You can also log in to a switch through a network management station (NMS), and then configure and manage the switch through the agent module on the switch. Simple network management protocol (SNMP) is applied between the NMS and the agent.
  • Page 56: Configuring Source Ip Address For Telnet Service Packets

    Configuring Source IP Address for Telnet Service Packets Go to these sections for information you are interested in: Overview Configuring Source IP Address for Telnet Service Packets Displaying Source IP Address Configuration Overview You can configure the source IP address for Telnet service packets for a Switch 4500 operating as a Telnet client.
  • Page 57: Displaying Source Ip Address Configuration

    Configure the source IP address or source interface for the Telnet service packets of a Telnet client: telnet { source-ip ip-address | source-interface interface-type interface-number }. The IP address specified must be that of a Layer 3 interface of the local device; otherwise, the system reports a configuration failure. The source interface specified must exist; otherwise, the system reports a configuration failure. Configuring the source interface of the Telnet service packets is equivalent to configuring the IP address of that interface as the source IP address of the Telnet service packets.
  • Page 58: User Control

    User Control. Go to these sections for the information you are interested in: Introduction; Controlling Telnet Users; Controlling Network Management Users by Source IP Addresses; Controlling Web Users by Source IP Address. Refer to the ACL part for information about ACLs. Introduction: You can control users logging in through Telnet, SNMP and the WEB by defining Access Control Lists (ACLs), as listed in...
  • Page 59: Controlling Telnet Users

    Controlling Telnet Users Prerequisites The controlling policy against Telnet users is determined, including the source IP addresses, destination IP addresses and source MAC addresses to be controlled and the controlling actions (permitting or denying). Controlling Telnet Users by Source IP Addresses Controlling Telnet users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999.
  • Page 60: Controlling Telnet Users By Source Mac Addresses

    Enter user interface view: user-interface [ type ] first-number [ last-number ].
    Apply the ACL to control Telnet users by the specified ...: acl acl-number { inbound | ... Required. The inbound keyword specifies to filter the users trying to Telnet to the current switch.
  • Page 61: Controlling Network Management Users By Source Ip Addresses

    Network diagram: Figure 8-1 Network diagram for controlling Telnet users using ACLs (Host A 10.110.100.46 and Host B 10.110.100.52 reach the Switch over an IP network)
    Configuration procedure
    # Define a basic ACL.
    <Sysname> system-view
    [Sysname] acl number 2000
    [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
    [Sysname-acl-basic-2000] quit
    # Apply the ACL.
  • Page 62: Configuration Example

    Create a basic ACL or enter basic ACL view: acl number acl-number [ match-order { auto | config } ]. For the acl number command, the config keyword is the default.
    Define rules for the ACL: rule [ rule-id ] { deny | permit } [ rule-string ]. Required.
    Quit to system view...
  • Page 63: Controlling Web Users By Source Ip Address

    [Sysname] acl number 2000
    [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
    [Sysname-acl-basic-2000] quit
    # Apply the ACL so that only SNMP users sourced from the IP address 10.110.100.52 can access the switch.
    [Sysname] snmp-agent community read aaa acl 2000
    [Sysname] snmp-agent group v2c groupa acl 2000
    [Sysname] snmp-agent usm-user v2c usera groupa acl 2000
    Controlling Web Users by Source IP Address...
  • Page 64: Configuration Example

    Disconnect a Web user by force: free web-users { all | user-id user-id | user-name user-name }. Required; available in user view.
    Configuration Example. Network requirements: Only the Web users sourced from the IP address 10.110.100.52 are permitted to access the switch. Network diagram: Figure 8-3 Network diagram for controlling Web users using ACLs (10.110.100.46...
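    A review of a saved configuration against the points the login and user-control chapters above make (VTY lines with authentication-mode none, passwords stored with the simple keyword, Telnet still accepted, no inbound ACL on VTY lines or SNMP communities, Web server left enabled), as an added Python example that is not the switch's own software. It assumes the protocol inbound { all | ssh | telnet } syntax and that idle-timeout 0 0 disables the timeout, neither of which this page shows, and SAMPLE_CONFIG is constructed for the demonstration from the manual's own example values.

```python
"""Review of a Comware-style saved configuration for the login-control weaknesses this
manual's chapters describe. Added example, not the switch's own software. SAMPLE_CONFIG
is constructed for the demo. The protocol inbound command and the meaning of
idle-timeout 0 0 (timeout disabled) are assumed Comware behaviour not shown on this page."""
import re
from typing import Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    severity: str   # HIGH, MEDIUM, LOW or INFO
    where: str      # "global" or the user-interface line the finding belongs to
    message: str


def split_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (global lines, {user-interface line: [its indented sub-lines]})."""
    global_lines: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":          # '#' separates views in saved output
            current = None
            continue
        if raw.startswith("user-interface"):
            current = line
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(line)
        else:
            current = None
            global_lines.append(line)
    return global_lines, blocks


def audit_user_interface(ui: str, lines: List[str]) -> List[Finding]:
    out: List[Finding] = []
    is_vty = "vty" in ui
    auth = next((l.split()[1] for l in lines if l.startswith("authentication-mode")), None)
    level = next((int(l.split()[-1]) for l in lines if l.startswith("user privilege level")), None)
    if auth == "none":
        msg = "authentication-mode none: users are not authenticated"
        if level is not None and level >= 2:
            msg += f" and receive level {level} commands"
        out.append(Finding("HIGH" if is_vty else "MEDIUM", ui, msg))
    elif auth is None:
        out.append(Finding("INFO", ui, "no authentication-mode line; confirm the default mode"))
    if any(l.startswith("set authentication password simple") for l in lines):
        out.append(Finding("MEDIUM", ui, "login password stored with 'simple' (plain text); use 'cipher'"))
    if is_vty:
        # manual: Telnet and SSH are both supported by default; Telnet is cleartext
        proto = next((l.split()[2] for l in lines if l.startswith("protocol inbound")), "all")
        if proto in ("all", "telnet"):
            out.append(Finding("MEDIUM", ui, f"Telnet accepted (protocol inbound {proto}); restrict to ssh"))
        if not any(re.match(r"acl \d+ inbound$", l) for l in lines):
            out.append(Finding("LOW", ui, "no inbound ACL: any source address may attempt to log in"))
    if any(re.match(r"idle-timeout 0( 0)?$", l) for l in lines):
        out.append(Finding("LOW", ui, "idle-timeout 0: idle sessions are never terminated"))
    return out


def audit_global(lines: List[str]) -> List[Finding]:
    out: List[Finding] = []
    for l in lines:
        if l.startswith("super password") and " simple " in l:
            out.append(Finding("MEDIUM", "global", "super password stored in plain text (simple keyword)"))
        m = re.match(r"snmp-agent community (read|write) \S+(.*)$", l)
        if m and not re.search(r"\bacl \d+", m.group(2)):
            sev = "HIGH" if m.group(1) == "write" else "MEDIUM"
            out.append(Finding(sev, "global", f"SNMP {m.group(1)} community without an ACL"))
    if "ip http shutdown" not in lines:       # manual: Web server enabled by default, TCP 80 open
        out.append(Finding("LOW", "global", "Web server enabled (no 'ip http shutdown')"))
    return out


def audit(config: str) -> List[Finding]:
    global_lines, blocks = split_config(config)
    findings = audit_global(global_lines)
    for ui, lines in blocks.items():
        findings.extend(audit_user_interface(ui, lines))
    return findings


# Constructed sample built from the manual's example values, with deliberate weak spots.
SAMPLE_CONFIG = """\
 super password level 3 simple 123
#
acl number 2000
 rule 1 permit source 10.110.100.52 0
#
 snmp-agent community read public
 snmp-agent community write private acl 2000
#
user-interface aux 0
 authentication-mode password
 set authentication password simple 123456
 user privilege level 2
user-interface vty 0
 authentication-mode none
 user privilege level 2
user-interface vty 1 4
 authentication-mode scheme
 protocol inbound ssh
 acl 2000 inbound
 idle-timeout 0 0
#
return
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.severity:6} {f.where:22} {f.message}")
```

    On the sample, vty 0 is the only HIGH finding (unauthenticated users who get level 2 commands), vty 1 4 shows how the chapters' controls combine (scheme authentication, SSH only, inbound ACL) and is left with only the disabled idle timeout to fix.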
  • Page 65 Table of Contents
    1 Configuration File Management (1-1)
        Introduction to Configuration File (1-1)
        Configuration Task List (1-2)
            Saving the Current Configuration (1-2)
            Erasing the Startup Configuration File (1-4)
            Specifying a Configuration File for Next Startup (1-4)
            Displaying Switch Configuration (1-5)...
  • Page 66: Configuration File Management

    Configuration File Management When configuring configuration file management, go to these sections for information you are interested in: Introduction to Configuration File Configuration Task List Introduction to Configuration File A configuration file records and stores user configurations performed on a switch. It also enables users to check switch configurations easily.
  • Page 67: Configuration Task List

    When saving the current configuration, you can specify the file to be a main or backup or normal configuration file. When removing a configuration file from a switch, you can specify to remove the main or backup configuration file. Or, if it is a file having both main and backup attribute, you can specify to erase the main or backup attribute of the file.
  • Page 68 Modes in saving the configuration Fast saving mode. This is the mode when you use the save command without the safely keyword. The mode saves the file quicker but is likely to lose the original configuration file if the switch reboots or the power fails during the process.
  • Page 69: Erasing The Startup Configuration File

    It is recommended to adopt the fast saving mode in the conditions of stable power and adopt the safe mode in the conditions of unstable power or remote maintenance. If you use the save command after a fabric is formed on the switch, the units in the fabric save their own startup configuration files automatically.
  • Page 70: Displaying Switch Configuration

    You can specify a configuration file to be used for the next startup and configure the main/backup attribute for the configuration file. Assigning main attribute to the startup configuration file If you save the current configuration to the main configuration file, the system will automatically set the file as the main startup configuration file.
  • Page 71 Table of Contents
    1 VLAN Overview 1-1
      VLAN Overview 1-1
        Introduction to VLAN 1-1
        Advantages of VLANs 1-2
        VLAN Principles 1-2
        VLAN Interface 1-4
        VLAN Classification 1-4
      Port-Based VLAN 1-4
        Link Types of Ethernet Ports 1-4
        Assigning an Ethernet Port to Specified VLANs 1-5
        Configuring the Default VLAN ID for a Port 1-5
    2 VLAN Configuration 2-1
      VLAN Configuration 2-1...
  • Page 72: VLAN Overview

    VLAN Overview This chapter covers these topics: VLAN Overview Port-Based VLAN VLAN Overview Introduction to VLAN The traditional Ethernet is a broadcast network, where all hosts are in the same broadcast domain and connected with each other through hubs or switches. Hubs and switches, which are the basic network connection devices, have limited forwarding functions.
  • Page 73: Advantages of VLANs

    Figure 1-1 A VLAN implementation Advantages of VLANs Compared with the traditional Ethernet, VLAN enjoys the following advantages. Broadcasts are confined to VLANs. This decreases bandwidth consumption and improves network performance. Network security is improved. Because each VLAN forms a broadcast domain, hosts in different VLANs cannot communicate with each other directly unless routers or Layer 3 switches are used.
  • Page 74 tag is encapsulated after the destination MAC address and source MAC address to show the information about VLAN. Figure 1-3 Format of VLAN tag As shown in Figure 1-3, a VLAN tag contains four fields, including the tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID.
  • Page 75: VLAN Interface

    Independent VLAN learning (IVL), where the switch maintains an independent MAC address forwarding table for each VLAN. The source MAC address of a packet received in a VLAN on a port is recorded to the MAC address forwarding table of this VLAN only, and packets received in a VLAN are forwarded according to the MAC address forwarding table for the VLAN.
  • Page 76: Assigning an Ethernet Port to Specified VLANs

    A hybrid port allows the packets of multiple VLANs to be sent untagged, but a trunk port only allows the packets of the default VLAN to be sent untagged. The three types of ports can coexist on the same device. Assigning an Ethernet Port to Specified VLANs You can assign an Ethernet port to a VLAN to forward packets for the VLAN, thus allowing the VLAN on the current switch to communicate with the same VLAN on the peer switch.
  • Page 77 Table 1-2 Packet processing of a trunk port
    Processing of an incoming packet, for an untagged packet: If the port has already been added to its default VLAN...
    Processing of an incoming packet, for a tagged packet: If the VLAN ID is one of the VLAN IDs allowed to pass...
    Processing of an outgoing packet: If the VLAN ID is just the default VLAN ID, strip off the...
  • Page 78: VLAN Configuration

    VLAN Configuration When configuring VLAN, go to these sections for information you are interested in: VLAN Configuration; Configuring a Port-Based VLAN
    VLAN Configuration
    VLAN Configuration Task List
    Complete the following tasks to configure VLAN:
    Task / Remarks
    Basic VLAN Configuration: Required
    Basic VLAN Interface Configuration: Optional
    Displaying VLAN Configuration...
  • Page 79: Basic VLAN Interface Configuration

    VLAN 1 is the system default VLAN, which need not be created and cannot be removed. The VLAN you created in the way described above is a static VLAN. On the switch, there are also dynamic VLANs, which are registered through GVRP. For details, refer to the “GVRP” part of this manual.
  • Page 80: Displaying VLAN Configuration

    The operation of enabling/disabling a VLAN’s VLAN interface does not influence the physical status of the Ethernet ports belonging to this VLAN.
    Displaying VLAN Configuration
    To do... / Use the command... / Remarks
    Display the VLAN interface information: display interface Vlan-interface [ vlan-id ] (Available in any view.)
  • Page 81: Assigning an Ethernet Port to a VLAN

    Assigning an Ethernet Port to a VLAN You can assign an Ethernet port to a VLAN in Ethernet port view or VLAN view. You can assign an access port to a VLAN in either Ethernet port view or VLAN view. You can assign a trunk port or hybrid port to a VLAN only in Ethernet port view.
  • Page 82: Configuring the Default VLAN for a Port

    Configuring the Default VLAN for a Port Because an access port can belong to only one VLAN, its default VLAN is the VLAN it resides in and cannot be configured. This section describes how to configure a default VLAN for a trunk or hybrid port. Follow these steps to configure the default VLAN for a port: To do…...
  • Page 83 Network diagram: Figure 2-1 Network diagram for VLAN configuration (diagram labels: Server1, Server2, SwitchA, SwitchB, GE1/0/1, GE1/0/2, GE1/0/10, GE1/0/11, GE1/0/12, GE1/0/13)
    Configuration procedure
    Configure Switch A.
    # Create VLAN 100, specify its descriptive string as Dept1, and add GigabitEthernet 1/0/1 to VLAN 100.
    <SwitchA>...
  • Page 84
    [SwitchA-GigabitEthernet1/0/2] port trunk permit vlan 100
    [SwitchA-GigabitEthernet1/0/2] port trunk permit vlan 200
    # Configure GigabitEthernet 1/0/10 of Switch B.
    [SwitchB] interface GigabitEthernet 1/0/10
    [SwitchB-GigabitEthernet1/0/10] port link-type trunk
    [SwitchB-GigabitEthernet1/0/10] port trunk permit vlan 100
    [SwitchB-GigabitEthernet1/0/10] port trunk permit vlan 200...
  • Page 85 Table of Contents
    1 IP Addressing Configuration 1-1
      IP Addressing Overview 1-1
        IP Address Classes 1-1
        Special Case IP Addresses 1-2
        Subnetting and Masking 1-2
      Configuring IP Addresses 1-3
        Configuring IP Addresses 1-3
        Configuring Static Domain Name Resolution 1-4
      Displaying IP Addressing Configuration 1-4
      IP Address Configuration Examples 1-5
        IP Address Configuration Example I 1-5
        IP Address Configuration Example II 1-5
        Static Domain Name Resolution Configuration Example 1-7...
  • Page 86: IP Addressing Configuration

    IP Addressing Configuration When configuring IP addressing, go to these sections for information you are interested in: IP Addressing Overview Configuring IP Addresses Displaying IP Addressing Configuration IP Address Configuration Examples IP Addressing Overview IP Address Classes IP addressing uses a 32-bit address to identify each host on a network. An example is 01010000100000001000000010000000 in binary.
  • Page 87: Special Case IP Addresses

    Table 1-1 IP address classes and ranges Class Address range Description Address 0.0.0.0 means this host on this network. This address is used by a host at bootstrap when it does not know its IP address. This address is never a valid destination address.
  • Page 88: Configuring IP Addresses

    While allowing you to create multiple logical networks within a single Class A, B, or C network, subnetting is transparent to the rest of the Internet. All these networks still appear as one. As subnetting adds an additional level, subnet ID, to the two-level hierarchy with IP addressing, IP routing now involves three steps: delivery to the site, delivery to the subnet, and delivery to the host.
  • Page 89: Configuring Static Domain Name Resolution

    You can assign at most five IP addresses to an interface, among which one is the primary IP address and the others are secondary IP addresses. A newly specified primary IP address overwrites the previous one if there is any. The primary and secondary IP addresses of an interface cannot reside on the same network segment;...
  • Page 90: IP Address Configuration Examples

    IP Address Configuration Examples IP Address Configuration Example I Network requirement Assign IP address 129.2.2.1 with mask 255.255.255.0 to VLAN-interface 1 of the switch. Network diagram Figure 1-3 Network diagram for IP address configuration Configuration procedure # Configure an IP address for VLAN-interface 1. <Switch>...
  • Page 91 Network diagram: Figure 1-4 Network diagram for IP address configuration
    Configuration procedure
    # Assign a primary IP address and a secondary IP address to VLAN-interface 1.
    <Switch> system-view
    [Switch] interface Vlan-interface 1
    [Switch-Vlan-interface1] ip address 172.16.1.1 255.255.255.0
    [Switch-Vlan-interface1] ip address 172.16.2.1 255.255.255.0 sub
    # Set the gateway address to 172.16.1.1 on the PCs attached to the subnet 172.16.1.0/24, and to 172.16.2.1 on the PCs attached to the subnet 172.16.2.0/24.
  • Page 92: Static Domain Name Resolution Configuration Example

    Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=255 time=26 ms
    Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=255 time=26 ms
    Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=255 time=26 ms
    Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=255 time=26 ms
    --- 172.16.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 25/25/26 ms...
  • Page 93: Ip Performance Optimization Configuration

    IP Performance Optimization Configuration When configuring IP performance, go to these sections for information you are interested in: IP Performance Overview Configuring IP Performance Displaying and Maintaining IP Performance Configuration IP Performance Overview Introduction to IP Performance Configuration In some network environments, you need to adjust the IP parameters to achieve best network performance.
  • Page 94: Disabling ICMP to Send Error Packets

    terminated. If FIN packets are received, the TCP connection state changes to TIME_WAIT. If non-FIN packets are received, the system restarts the timer from receiving the last non-FIN packet. The connection is broken after the timer expires. Size of TCP receive/send buffer Follow these steps to configure TCP attributes: To do…...
  • Page 95: Displaying And Maintaining Ip Performance Configuration

    Displaying and Maintaining IP Performance Configuration
    To do… / Use the command… / Remarks
    Display TCP connection status: display tcp status
    Display TCP connection statistics: display tcp statistics
    Display UDP traffic statistics: display udp statistics
    Display IP traffic statistics: display ip statistics
    Display ICMP traffic statistics: display icmp statistics
    Display the current socket...
  • Page 96 Table of Contents
    1 Voice VLAN Configuration 1-1
      Voice VLAN Overview 1-1
        How an IP Phone Works 1-1
        How Switch 4500 Series Switches Identify Voice Traffic 1-3
        Setting the Voice Traffic Transmission Priority 1-3
        Configuring Voice VLAN Assignment Mode of a Port 1-4
        Support for Voice VLAN on Various Ports 1-4
        Security Mode of Voice VLAN 1-6
      Voice VLAN Configuration 1-7...
  • Page 97: Voice VLAN Configuration

    Voice VLAN Configuration When configuring voice VLAN, go to these sections for information you are interested in: Voice VLAN Overview Voice VLAN Configuration Displaying and Maintaining Voice VLAN Voice VLAN Configuration Example Voice VLAN Overview Voice VLANs are allocated specially for voice traffic. After creating a voice VLAN and assigning ports that connect voice devices to the voice VLAN, you can have voice traffic transmitted in the dedicated voice VLAN and configure quality of service (QoS) parameters for the voice traffic to improve its transmission priority and ensure voice quality.
  • Page 98 The following describes how an IP phone acquires an IP address. Figure 1-1 Network diagram for IP phones As shown in Figure 1-1, the IP phone needs to work in conjunction with the DHCP server and the NCP to establish a path for voice data transmission. An IP phone goes through the following three phases to become capable of transmitting voice data.
  • Page 99: How Switch 4500 Series Switches Identify Voice Traffic

    tag to communicate with the voice gateway. In this case, the port connecting to the IP phone must be configured to allow the packets tagged with the voice VLAN tag to pass. An untagged packet carries no VLAN tag. A tagged packet carries the tag of a VLAN. To set an IP address and a voice VLAN for an IP phone manually, just make sure that the voice VLAN ID to be set is consistent with that of the switch and the NCP is reachable to the IP address to be set.
  • Page 100: Configuring Voice VLAN Assignment Mode of a Port

    Set the DSCP value to 46. Configuring Voice VLAN Assignment Mode of a Port A port can work in automatic voice VLAN assignment mode or manual voice VLAN assignment mode. You can configure the voice VLAN assignment mode for a port according to data traffic passing through the port.
  • Page 101 Table 1-2 Matching relationship between port types and voice devices capable of acquiring IP address and voice VLAN automatically
    Port type / Voice VLAN assignment mode / Voice traffic type / Supported or not
    Access: Not supported
    Trunk, Tagged: Supported (Make sure the default VLAN of the port exists and is not a voice VLAN, and the access port permits the traffic of...)
  • Page 102: Security Mode of Voice VLAN

    Table 1-3 Matching relationship between port types and voice devices acquiring voice VLAN through manual configuration
    Port type / Voice VLAN assignment mode / Supported or not
    Access: Not supported
    Trunk, Automatic: Supported (Make sure the default VLAN of the port exists and is not a voice VLAN, and the access port permits the traffic of the...)
  • Page 103: Voice VLAN Configuration

    Voice VLAN Mode / Packet Type / Processing Method
    Packet carrying the voice VLAN tag: ...matches the OUI list, the packet is transmitted in the voice VLAN. Otherwise, the packet is dropped.
    Packet carrying any other VLAN tag: The packet is forwarded or dropped based on whether the receiving port is assigned to the carried VLAN.
  • Page 104: Configuring the Voice VLAN to Operate in Manual Voice VLAN Assignment Mode

    Set the voice VLAN aging timer: voice vlan aging minutes (Optional; the default aging timer is 1440 minutes.)
    Enable the voice VLAN function globally: voice vlan vlan-id enable (Required)
    Enter Ethernet port view: interface interface-type interface-number (Required)
    Enable the voice VLAN function on a port: voice vlan enable (Required; by default, voice VLAN is...)
  • Page 105
    Enable the voice VLAN security mode: voice vlan security enable (Optional; by default, the voice VLAN security mode is enabled.)
    Set the voice VLAN aging timer: voice vlan aging minutes (Optional; the default aging timer is 1,440 minutes.)
    Enable the voice VLAN function globally: voice vlan vlan-id enable (Required)
    Enter Ethernet port view: interface interface-type...
  • Page 106: Displaying and Maintaining Voice VLAN

    The voice VLAN function can be enabled for only one VLAN at a time. If the Link Aggregation Control Protocol (LACP) is enabled on a port, the voice VLAN feature cannot be enabled on it. The voice VLAN function can be enabled only for a static VLAN. A dynamic VLAN cannot be configured as a voice VLAN.
  • Page 107 The MAC address of IP phone A is 0011-1100-0001. The phone connects to a downstream device named PC A whose MAC address is 0022-1100-0002 and to GigabitEthernet 1/0/1 on an upstream device named Device A. The MAC address of IP phone B is 0011-2200-0001. The phone connects to a downstream device named PC B whose MAC address is 0022-2200-0002 and to GigabitEthernet 1/0/2 on Device A.
  • Page 108
    # Configure GigabitEthernet 1/0/1 to operate in automatic voice VLAN assignment mode. (Optional. By default, a port operates in automatic voice VLAN assignment mode.)
    [DeviceA] interface gigabitethernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] voice vlan mode auto
    # Configure GigabitEthernet 1/0/1 as a hybrid port.
    [DeviceA-GigabitEthernet1/0/1] port link-type hybrid
    # Configure VLAN 2 as the voice VLAN for GigabitEthernet 1/0/1.
  • Page 109: Voice VLAN Configuration Example (Manual Voice VLAN Assignment Mode)

    Voice VLAN Configuration Example (Manual Voice VLAN Assignment Mode) Network requirements Create a voice VLAN and configure it to operate in manual voice VLAN assignment mode. Add the port to which an IP phone is connected to the voice VLAN to enable voice traffic to be transmitted within the voice VLAN.
  • Page 110
    [DeviceA-Ethernet1/0/1] port hybrid pvid vlan 2
    [DeviceA-Ethernet1/0/1] port hybrid vlan 2 untagged
    # Enable the voice VLAN function on Ethernet 1/0/1.
    [DeviceA-Ethernet1/0/1] voice vlan enable
    Verification
    # Display the OUI addresses, the corresponding OUI address masks and the corresponding description strings that the system supports.
  • Page 111 Table of Contents
    1 GVRP Configuration 1-1
      Introduction to GVRP 1-1
        GARP 1-1
        GVRP 1-4
        Protocol Specifications 1-4
      GVRP Configuration 1-4
        GVRP Configuration Tasks 1-4
        Enabling GVRP 1-4
        Configuring GVRP Timers 1-5
        Configuring GVRP Port Registration Mode 1-6
      Displaying and Maintaining GVRP 1-7
      GVRP Configuration Example 1-7
        GVRP Configuration Example 1-7...
  • Page 112: GVRP Configuration

    GVRP Configuration When configuring GVRP, go to these sections for information you are interested in: Introduction to GVRP GVRP Configuration Displaying and Maintaining GVRP GVRP Configuration Example Introduction to GVRP GARP VLAN registration protocol (GVRP) is an implementation of generic attribute registration protocol (GARP).
  • Page 113 GARP timers Timers determine the intervals of sending different types of GARP messages. GARP defines four timers to control the period of sending GARP messages. Hold: When a GARP entity receives a piece of registration information, it does not send out a Join message immediately.
  • Page 114 Figure 1-1 Format of GARP packets
    The following table describes the fields of a GARP packet.
    Table 1-1 Description of GARP packet fields
    Field / Description / Value
    Protocol ID: Protocol ID
    Message: Each message consists of two parts: Attribute Type and —...
  • Page 115: GVRP

    GVRP As an implementation of GARP, GARP VLAN registration protocol (GVRP) maintains dynamic VLAN registration information and propagates the information to the other switches through GARP. With GVRP enabled on a device, the VLAN registration information received by the device from other devices is used to dynamically update the local VLAN registration information, including the information about the VLAN members, the ports through which the VLAN members can be reached, and so on.
  • Page 116: Configuring GVRP Timers

    To do ... / Use the command ... / Remarks
    Enter system view: system-view (—)
    Enable GVRP globally: gvrp (Required; by default, GVRP is disabled globally.)
    Enter Ethernet port view: interface interface-type interface-number (—)
    Enable GVRP on the port: gvrp (Required; by default, GVRP is disabled on the port.)
  • Page 117: Configuring GVRP Port Registration Mode

    Table 1-2 Relations between the timers
    Timer / Lower threshold / Upper threshold
    Hold: lower threshold 10 centiseconds; the upper threshold is less than or equal to one-half of the timeout time of the Join timer. You can change the threshold by changing the timeout time of the Join timer.
  • Page 118: Displaying and Maintaining GVRP

    Displaying and Maintaining GVRP
    To do … / Use the command … / Remarks
    Display GARP statistics: display garp statistics [ interface interface-list ] (Available in any view)
    Display the settings of the GARP timers: display garp timer [ interface interface-list ] (Available in any view)
    Display GVRP statistics: display gvrp statistics [ interface interface-list ]...
  • Page 119
    [SwitchA-Ethernet1/0/1] port link-type trunk
    [SwitchA-Ethernet1/0/1] port trunk permit vlan all
    # Enable GVRP on Ethernet1/0/1.
    [SwitchA-Ethernet1/0/1] gvrp
    [SwitchA-Ethernet1/0/1] quit
    # Configure Ethernet1/0/2 to be a trunk port and to permit the packets of all the VLANs.
    [SwitchA] interface Ethernet 1/0/2
    [SwitchA-Ethernet1/0/2] port link-type trunk
    [SwitchA-Ethernet1/0/2] port trunk permit vlan all
    # Enable GVRP on Ethernet1/0/2.
  • Page 120
    The following dynamic VLANs exist: 5, 7, 8,
    # Display the VLAN information dynamically registered on Switch B.
    [SwitchB] display vlan dynamic
    Total 3 dynamic VLAN exist(s).
    The following dynamic VLANs exist: 5, 7, 8,
    # Display the VLAN information dynamically registered on Switch E.
    [SwitchE] display vlan dynamic
    Total 1 dynamic VLAN exist(s).
  • Page 121
    5, 8,
    # Display the VLAN information dynamically registered on Switch E.
    [SwitchE] display vlan dynamic
    No dynamic vlans exist!
  • Page 122 Table of Contents
    1 Port Basic Configuration 1-1
      Ethernet Port Configuration 1-1
        Combo Port Configuration 1-1
        Initially Configuring a Port 1-1
        Configuring Port Auto-Negotiation Speed 1-2
        Limiting Traffic on Individual Ports 1-3
        Configuring Flow Control on a Port 1-4
        Duplicating the Configuration of a Port to Other Ports 1-5
        Configuring Loopback Detection for an Ethernet Port 1-5
        Enabling Loopback Test 1-7
        Enabling the System to Test Connected Cable 1-8...
  • Page 123: Port Basic Configuration

    Port Basic Configuration When performing basic port configuration, go to these sections for information you are interested in: Ethernet Port Configuration Ethernet Port Configuration Example Troubleshooting Ethernet Port Configuration Ethernet Port Configuration Combo Port Configuration Introduction to Combo port A Combo port can operate as either an optical port or an electrical port. Inside the device there is only one forwarding interface.
  • Page 124: Configuring Port Auto-Negotiation Speed

    To do... / Use the command... / Remarks
    Enter system view: system-view (—)
    Enter Ethernet port view: interface interface-type interface-number (—)
    Enable the Ethernet port: undo shutdown (Optional; by default, the port is enabled. Use the shutdown command to disable the port.)
    Set the description string: description text (Optional)...
  • Page 125: Limiting Traffic On Individual Ports

    Follow these steps to configure auto-negotiation speeds for a port:
    To do... / Use the command... / Remarks
    Enter system view: system-view (—)
    Enter Ethernet interface view: interface interface-type interface-number (—)
    Configure the available speed(s): speed auto [ 10 | 100 | ... (Optional; by default, the port speed is determined through auto-negotiation...)
  • Page 126: Configuring Flow Control on a Port

    To do... / Use the command... / Remarks
    Limit unknown unicast traffic received on the current port: unicast-suppression { ratio | pps max-pps } (Optional; by default, the switch does not suppress unknown unicast traffic.)
    Configuring Flow Control on a Port
    In situations where the receiving port is unable to process received frames, you can use the flow control function to enable the receiving port to inform the sending port to stop sending the frames for a while, thus preventing frames from being dropped.
  • Page 127: Duplicating the Configuration of a Port to Other Ports

    Reflector ports and fabric ports do not support the flow-control no-pauseframe-sending command. Duplicating the Configuration of a Port to Other Ports To make other ports have the same configuration as that of a specific port, you can duplicate the configuration of a port to specific ports. Specifically, the following types of port configuration can be duplicated from one port to other ports: VLAN configuration, protocol-based VLAN configuration, LACP configuration, QoS configuration, GARP configuration, STP configuration and initial port configuration.
  • Page 128 If you have not enabled the loopback port auto-shutdown function on the port, the port will automatically resume the normal forwarding state after the loop is removed. If a loop is found on a trunk or hybrid port, the system merely sends log messages to the terminal but does not set the port to the block state or remove the corresponding MAC forwarding entry.
  • Page 129: Enabling Loopback Test

    To do… / Use the command… / Remarks
    Enable loopback detection on the specified ports in bulk: loopback-detection interface-list enable (Use either command.)
    Enable loopback detection...: (By default, the loopback detection function is enabled if the device boots with the default configuration file (config.def);...)
  • Page 130: Enabling the System to Test Connected Cable

    external: Performs an external loop test. In the external loop test, self-loop headers must be used on the port of the switch (for a 100M port, the self-loop headers are made from four cores of the 8-core cable; for a 1000M port, from all eight cores of the 8-core cable), so that the packets forwarded by the port are received by the port itself.
  • Page 131: Enabling Giant-Frame Statistics Function

    To do... / Use the command... / Remarks: Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Set the interval to perform statistical analysis on port traffic: flow-interval interval (optional; by default, this interval is 300 seconds). Enabling Giant-Frame Statistics Function: the giant-frame statistics function is used to ensure normal data transmission and to facilitate statistics and analysis of unusual traffic on the network.
  • Page 132: Setting The Port State Change Delay

    Configuration examples # In the default conditions, where UP/DOWN log output is enabled, execute the shutdown command or the undo shutdown command on Ethernet 1/0/1. The Up/Down log information for Ethernet 1/0/1 is generated and displayed on the terminal. <Sysname> system-view System View: return to User View with Ctrl+Z.
  • Page 133: Displaying And Maintaining Basic Port Configuration

    To do … / Use the command … / Remarks: Set the port state change delay: link-delay delay-time (required; defaults to 0, which indicates that no delay is introduced). The delay configured in this way does not take effect for ports in the DLDP down state. For information about the DLDP down state, refer to DLDP.
  • Page 134: Troubleshooting Ethernet Port Configuration

    Network diagram: Figure 1-2 Network diagram for Ethernet port configuration. Configuration procedure: only the configuration for Switch A is listed below; the configuration for Switch B is similar. This example assumes that VLAN 2, VLAN 6 through VLAN 50 and VLAN 100 have already been created. # Enter Ethernet 1/0/1 port view.
  • Page 135 Table of Contents 1 Link Aggregation Configuration ··············································································································1-1 Overview ·················································································································································1-1 Introduction to Link Aggregation······································································································1-1 Introduction to LACP ·······················································································································1-1 Consistency Considerations for the Ports in Aggregation·······························································1-1 Link Aggregation Classification···············································································································1-2 Manual Aggregation Group ·············································································································1-2 Static LACP Aggregation Group······································································································1-3 Dynamic LACP Aggregation Group·································································································1-4 Aggregation Group Categories ···············································································································1-5 Link Aggregation Configuration···············································································································1-6 Configuring a Manual Aggregation Group·······················································································1-6...
  • Page 136: Link Aggregation Configuration

    Link Aggregation Configuration When configuring link aggregation, go to these sections for information you are interested in: Overview Link Aggregation Classification Aggregation Group Categories Link Aggregation Configuration Displaying and Maintaining Link Aggregation Configuration Link Aggregation Configuration Example Overview Introduction to Link Aggregation Link aggregation aggregates multiple physical Ethernet ports into one logical link, also called an aggregation group.
  • Page 137: Link Aggregation Classification

    Table 1-1 Consistency considerations for ports in an aggregation. Category / Considerations: state of port-level STP (enabled or disabled); attribute of the link connected to the port (point-to-point or otherwise); port path cost; STP priority; STP packet format; loop protection; root protection; port type (whether the port is an edge port); rate limiting; priority marking...
  • Page 138: Static Lacp Aggregation Group

    LACP is disabled on the member ports of manual aggregation groups, and you cannot enable LACP on ports in a manual aggregation group. Port status in a manual aggregation group: a port in a manual aggregation group can be in one of two states, selected or unselected. In a manual aggregation group, only the selected ports can forward user service packets.
  • Page 139: Dynamic Lacp Aggregation Group

    Ports connected to a peer device other than the one the master port is connected to, or connected to the same peer device but to a peer port that is not in the same aggregation group as the master port's peer port, are unselected ports. The system also sets ports whose basic port configuration differs from that of the master port to the unselected state.
  • Page 140: Aggregation Group Categories

    For an aggregation group: when the rate or duplex mode of a port in the aggregation group changes, packet loss may occur on that port; when the rate of a port decreases and the port belongs to a manual or static LACP aggregation group, the port is switched to the unselected state;...
  • Page 141: Link Aggregation Configuration

    A load-sharing aggregation group contains at least two selected ports, but a non-load-sharing aggregation group can only have one selected port at most, while others are unselected ports. When more than eight load-sharing aggregation groups are configured on a single switch, fabric ports cannot be enabled on this switch.
  • Page 142: Configuring A Static Lacp Aggregation Group

    For a manual aggregation group, a port can only be manually added to or removed from the group. Follow these steps to configure a manual aggregation group: To do… / Use the command… / Remarks: Enter system view: system-view. Create a manual aggregation group: link-aggregation group agg-id mode ... (required)...
  • Page 143: Configuring A Dynamic Lacp Aggregation Group

    To do… / Use the command… / Remarks: Create a static aggregation group: link-aggregation group agg-id mode static (required). Enter Ethernet port view: interface interface-type interface-number. Add the port to the aggregation group: port link-aggregation group agg-id (required). Note: for a static LACP aggregation group or a manual aggregation group, it is recommended that you do not cross cables between the two devices at the two ends of the aggregation group.
  • Page 144: Configuring A Description For An Aggregation Group

    Note: Changing the system priority may affect the priority relationship between the aggregation peers, and thus affect the selected/unselected status of member ports in the dynamic aggregation group. Configuring a Description for an Aggregation Group To do… Use the command… Remarks —...
  • Page 145: Link Aggregation Configuration Example

    Link Aggregation Configuration Example. Ethernet Port Aggregation Configuration Example. Network requirements: Switch A connects to Switch B with three ports, Ethernet 1/0/1 to Ethernet 1/0/3. The load between the two switches must be shared among the three ports. Use three different aggregation modes to implement link aggregation on the three ports between Switch A and Switch B.
  • Page 146 # Create static aggregation group 1. <Sysname> system-view [Sysname] link-aggregation group 1 mode static # Add Ethernet 1/0/1 through Ethernet 1/0/3 to aggregation group 1. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] port link-aggregation group 1 [Sysname-Ethernet1/0/1] quit [Sysname] interface Ethernet 1/0/2 [Sysname-Ethernet1/0/2] port link-aggregation group 1 [Sysname-Ethernet1/0/2] quit [Sysname] interface Ethernet1/0/3...
  • Page 147 Table of Contents 1 Port Isolation Configuration ·····················································································································1-1 Port Isolation Overview ···························································································································1-1 Port Isolation Configuration·····················································································································1-1 Displaying and Maintaining Port Isolation Configuration ········································································1-2 Port Isolation Configuration Example······································································································1-2...
  • Page 148: Port Isolation Configuration

    Port Isolation Configuration. When configuring port isolation, go to these sections for information you are interested in: Port Isolation Overview; Port Isolation Configuration; Displaying and Maintaining Port Isolation Configuration; Port Isolation Configuration Example. Port Isolation Overview: the port isolation feature keeps the traffic of ports in an isolation group separate from each other, even within the same VLAN, which secures user traffic, adds privacy, and prevents a malicious attacker on one isolated port from obtaining the information of users on the other isolated ports.
  • Page 149: Port Isolation Configuration Example

    When a member port of an aggregation group joins/leaves an isolation group, the other ports in the same aggregation group will join/leave the isolation group at the same time. For ports that belong to an aggregation group and an isolation group simultaneously, removing a port from the aggregation group has no effect on the other ports.
  • Page 150 Network diagram Figure 1-1 Network diagram for port isolation configuration Configuration procedure # Add Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4 to the isolation group. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface ethernet1/0/2 [Sysname-Ethernet1/0/2] port isolate [Sysname-Ethernet1/0/2] quit [Sysname] interface ethernet1/0/3 [Sysname-Ethernet1/0/3] port isolate [Sysname-Ethernet1/0/3] quit...
  • Page 151 Table of Contents 1 Port Security Configuration······················································································································1-1 Port Security Overview····························································································································1-1 Introduction······································································································································1-1 Port Security Features·····················································································································1-1 Port Security Modes ························································································································1-1 Port Security Configuration Task List······································································································1-4 Enabling Port Security ·····················································································································1-5 Setting the Maximum Number of MAC Addresses Allowed on a Port ············································1-5 Setting the Port Security Mode········································································································1-6 Configuring Port Security Features ·································································································1-7 Configuring Guest VLAN for a Port in macAddressOrUserLoginSecure mode ······························1-8 Ignoring the Authorization Information from the RADIUS Server··················································1-10...
  • Page 152: Port Security Configuration

    Port Security Configuration. When configuring port security, go to these sections for information you are interested in: Port Security Overview; Port Security Configuration Task List; Displaying and Maintaining Port Security Configuration; Port Security Configuration Examples. Port Security Overview. Introduction: port security is a security mechanism for network access control. It extends the existing 802.1x and MAC address authentication.
  • Page 153 Table 1-1 Description of port security modes. Security mode / Description / Feature: noRestriction: access to the port is not restricted; in this mode, neither the NTK nor the intrusion protection feature is triggered. In the following mode, a port can learn a specified number of MAC addresses and save those addresses as security MAC addresses.
  • Page 154 Security mode / Description / Feature: userlogin: port-based 802.1x authentication is performed for access users; in this mode, neither NTK nor intrusion protection will be triggered. In the following mode, MAC-based 802.1x authentication is performed on the access user, and the port is enabled only after the authentication succeeds.
  • Page 155: Port Security Configuration Task List

    Security mode / Description / Feature: macAddressElseUserLoginSecure: in this mode, a port performs MAC authentication of an access user first. If the authentication succeeds, the user is authenticated; otherwise, the port performs 802.1x authentication of the user. In this mode, there can be only one 802.1x-authenticated user on the port, but there can be several MAC-authenticated users.
  • Page 156: Enabling Port Security

    Task / Remarks: Configuring Guest VLAN for a Port in macAddressOrUserLoginSecure mode (optional). Ignoring the Authorization Information from the RADIUS Server (optional). Configuring Security MAC Addresses (optional). Enabling Port Security. Configuration prerequisites: before enabling port security, you need to disable 802.1x and MAC authentication globally. Enabling port security: follow these steps to enable port security: To do...
  • Page 157: Setting The Port Security Mode

    Control the maximum number of users who are allowed to access the network through the port. Control the number of security MAC addresses that can be added with port security. This setting is different from the maximum number of MAC addresses that a port can learn, which is configured in MAC address management.
  • Page 158: Configuring Port Security Features

    Before setting the port security mode to autolearn, you need to set the maximum number of MAC addresses allowed on the port with the port-security max-mac-count command. When the port operates in the autolearn mode, you cannot change the maximum number of MAC addresses allowed on the port.
  • Page 159: Configuring Guest Vlan For A Port In Macaddressoruserloginsecure Mode

    To do... / Use the command... / Remarks: Set the timer during which the port remains disabled: port-security timer disableport timer (optional; 20 seconds by default). The port-security timer disableport command is used together with the port-security intrusion-mode disableport-temporarily command to set the length of time during which the port remains disabled.
  • Page 160 The users of the port can initiate 802.1x authentication. If a user passes authentication, the port leaves the guest VLAN and is added back to the original VLAN (that is, the one the port belonged to before it was added to the guest VLAN). The port then does not handle other users' authentication requests. MAC address authentication is also allowed.
  • Page 161: Ignoring The Authorization Information From The Radius Server

    Ignoring the Authorization Information from the RADIUS Server After an 802.1x user or MAC-authenticated user passes Remote Authentication Dial-In User Service (RADIUS) authentication, the RADIUS server delivers the authorization information to the device. You can configure a port to ignore the authorization information from the RADIUS server. Follow these steps to configure a port to ignore the authorization information from the RADIUS server: To do...
  • Page 162 To do... / Use the command... / Remarks: Enter system view: system-view. Add a security MAC address entry, either in system view with mac-address security mac-address interface interface-type interface-number vlan vlan-id, or in Ethernet port view by entering interface interface-type interface-number and then mac-address security mac-address vlan... (either form is required; by default, no security MAC address entry is...
  • Page 163: Displaying And Maintaining Port Security Configuration

    Displaying and Maintaining Port Security Configuration. To do... / Use the command... / Remarks: Display information about port security configuration: display port-security [ interface interface-list ]. Display information about security MAC address configuration: display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]. Both commands are available in any view. Port Security Configuration Examples...
  • Page 164: Guest Vlan Configuration Example

    [Switch-Ethernet1/0/1] mac-address security 0001-0002-0003 vlan 1 # Configure the port to be silent for 30 seconds after intrusion protection is triggered. [Switch-Ethernet1/0/1] port-security intrusion-mode disableport-temporarily [Switch-Ethernet1/0/1] quit [Switch] port-security timer disableport 30 Guest VLAN Configuration Example Network requirements As shown in Figure 1-2, Ethernet 1/0/2 connects to a PC and a printer, which are not used at the same time.
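    Two rules on this page deserve a mechanical check before a configuration is pushed: port isolation follows aggregation membership (isolating one member of an aggregation group isolates the whole group, Page 149), and autolearn port security requires port-security max-mac-count to be set first, with intrusion protection and its disableport timer (20 seconds by default) deciding what happens on a violation (Pages 158 and 159). The following Python script is an added example written by the editor; it is not 3Com code, not output of the switch, and not part of this manual. It parses a configuration excerpt built only from commands shown on this page, computes the effective isolation group, and reports port-security gaps. The sample configuration, interface names and values are constructed for illustration.

```python
"""Offline audit of a Comware-style switch configuration excerpt.

Added example by the editor: this parser and these checks are not 3Com code.
The sample configuration below is constructed from commands shown on this
page; interface names and values are hypothetical.
"""
import re
from collections import defaultdict

# Constructed sample configuration (not captured from a real switch).
SAMPLE_CONFIG = """\
port-security enable
port-security timer disableport 30
link-aggregation group 1 mode static
interface Ethernet1/0/1
 port link-aggregation group 1
 port isolate
interface Ethernet1/0/2
 port link-aggregation group 1
interface Ethernet1/0/3
 port-security max-mac-count 4
 port-security port-mode autolearn
 port-security intrusion-mode disableport-temporarily
 mac-address security 0001-0002-0003 vlan 1
interface Ethernet1/0/4
 port-security port-mode autolearn
interface Ethernet1/0/5
 port isolate
"""

DEFAULT_DISABLEPORT_TIMER = 20  # seconds; the manual's default for port-security timer disableport


def parse_config(text):
    """Split the text into global commands and a dict of per-interface commands.

    Interface sub-commands are the lines indented by one space after an
    'interface <name>' line; an unindented line returns to system view.
    """
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
            continue
        current = None
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            interfaces.setdefault(current, [])
        else:
            global_cmds.append(line)
    return global_cmds, interfaces


def effective_isolation_group(interfaces):
    """Ports that end up isolated once aggregation propagation applies.

    The manual states that when a member port of an aggregation group joins
    the isolation group, the other ports of that aggregation group join too.
    """
    agg_members, isolated = defaultdict(set), set()
    for name, cmds in interfaces.items():
        for cmd in cmds:
            m = re.match(r"port link-aggregation group (\d+)$", cmd)
            if m:
                agg_members[m.group(1)].add(name)
            elif cmd == "port isolate":
                isolated.add(name)
    for members in agg_members.values():
        if members & isolated:
            isolated |= members
    return isolated


def disableport_timer(global_cmds):
    """Seconds a port stays down after intrusion-mode disableport-temporarily fires."""
    timer = DEFAULT_DISABLEPORT_TIMER
    for cmd in global_cmds:
        m = re.match(r"port-security timer disableport (\d+)$", cmd)
        if m:
            timer = int(m.group(1))
    return timer


def audit_port_security(global_cmds, interfaces):
    """Return (interface, finding) pairs for the port-security rules on this page."""
    findings = []
    if "port-security enable" not in global_cmds:
        findings.append(("global", "port-security is not enabled"))
    for name in sorted(interfaces):
        cmds = interfaces[name]
        has_mode = any(c.startswith("port-security port-mode ") for c in cmds)
        has_max = any(c.startswith("port-security max-mac-count ") for c in cmds)
        has_intrusion = any(c.startswith("port-security intrusion-mode ") for c in cmds)
        if "port-security port-mode autolearn" in cmds and not has_max:
            findings.append((name, "autolearn mode requires port-security max-mac-count to be set first"))
        if has_mode and not has_intrusion:
            findings.append((name, "security mode set but no port-security intrusion-mode configured"))
    return findings


if __name__ == "__main__":
    g, ifs = parse_config(SAMPLE_CONFIG)
    print("effective isolation group:", sorted(effective_isolation_group(ifs)))
    print("disableport timer:", disableport_timer(g), "seconds")
    for port, finding in audit_port_security(g, ifs):
        print(f"{port}: {finding}")
```

    On the constructed sample the audit shows Ethernet1/0/2 becoming isolated through aggregation group 1 even though port isolate was only typed on Ethernet1/0/1, and flags Ethernet1/0/4 because autolearn was set without a MAC count, which the manual says must be configured before the mode.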
  • Page 165 # Configure RADIUS scheme 2000. <Switch> system-view [Switch] radius scheme 2000 [Switch-radius-2000] primary authentication 10.11.1.1 1812 [Switch-radius-2000] primary accounting 10.11.1.1 1813 [Switch-radius-2000] key authentication abc [Switch-radius-2000] key accounting abc [Switch-radius-2000] user-name-format without-domain [Switch-radius-2000] quit # (The shared key abc is the manual's placeholder; use a long random shared secret on a real RADIUS deployment.) # Configure the ISP domain and apply the scheme 2000 to the domain. [Switch] domain system [Switch-isp-system] scheme radius-scheme 2000 [Switch-isp-system] quit...
  • Page 166 Table of Contents 1 DLDP Configuration ··································································································1-1 Overview ·················································································································································1-1 DLDP Fundamentals·······························································································································1-2 DLDP packets··································································································································1-2 DLDP Status····································································································································1-4 DLDP Timers ···································································································································1-4 DLDP Operating Mode ····················································································································1-5 DLDP Implementation ·····················································································································1-6 DLDP Neighbor State ······················································································································1-8 Link Auto-recovery Mechanism ·······································································································1-8 DLDP Configuration ································································································································1-9 Performing Basic DLDP Configuration ····························································································1-9 Resetting DLDP State ···················································································································1-10 Displaying and Maintaining DLDP·································································································1-10 DLDP Configuration Example ···············································································································1-11...
  • Page 167: Dldp Configuration

    DLDP Configuration. When configuring DLDP, go to these sections for information you are interested in: Overview; DLDP Fundamentals; DLDP Configuration; DLDP Configuration Example. Overview: Device link detection protocol (DLDP) is a technology for dealing with unidirectional links that may occur in a network. If two switches, A and B, are connected via a pair of optical fiber cables, one used for sending from A to B and the other for sending from B to A, the link is a bidirectional (two-way) link.
  • Page 168: Dldp Fundamentals

    Figure 1-2 Fiber broken or not connected (Device A GE1/0/49 and GE1/0/50 linked to Device B GE1/0/49 and GE1/0/50). Device link detection protocol (DLDP) can detect the link status of an optical fiber cable or copper twisted pair (such as Category 5e twisted pair). If DLDP finds a unidirectional link, it disables the related port automatically or prompts you to disable it manually, according to the configuration, to avoid network problems.
  • Page 169 DLDP packet type / Function: RSY advertisement packets (referred to as RSY packets hereafter): advertisement packets with the RSY flag set to 1. RSY packets are sent to request synchronization of the neighbor information when neighbor information is not locally available or a neighbor information entry ages out.
  • Page 170: Dldp Status

    DLDP Status. A link can be in one of these DLDP states: initial, inactive, active, advertisement, probe, disable, and delaydown. Table 1-2 DLDP status. Status / Description: Initial: initial status before DLDP is enabled. Inactive: DLDP is enabled but the corresponding link is down. Active: DLDP is enabled, and the link is up or a neighbor entry is cleared. Advertisement: all neighbors communicate normally in both directions, or DLDP...
  • Page 171: Dldp Operating Mode

    Timer / Description: Entry aging timer: when a new neighbor joins, a neighbor entry is created and the corresponding entry aging timer is started. When an advertisement packet is received from a neighbor, the neighbor entry is updated and the corresponding entry aging timer is refreshed. In the normal mode, if no packet is received from the neighbor when...
  • Page 172: Dldp Implementation

    Table 1-4 DLDP operating mode and neighbor entry aging. Columns: DLDP operating mode / Detecting a neighbor after the corresponding neighbor entry ages / Removing the neighbor entry immediately after the Entry timer expires / Triggering the Enhanced timer after an Entry timer expires. Normal mode: Yes (When the enhanced timer...
  • Page 173 Table 1-5 DLDP state and DLDP packet type. DLDP state / Type of the DLDP packets sent: Active: advertisement packets, with the RSY flag set or not set. Advertisement: advertisement packets. Probe: probe packets. A received DLDP packet is processed as follows: in authentication mode, the DLDP packet is authenticated first and is dropped if it fails the authentication.
  • Page 174: Dldp Neighbor State

    Table 1-7 Processing procedure when no echo packet is received from the neighbor. No echo packet received from the neighbor / Processing procedure: In normal mode, no echo packet is received when the echo waiting timer expires: DLDP switches to the disable state, outputs log and tracking information, and sends flush packets.
  • Page 175: Dldp Configuration

    DLDP Configuration. Performing Basic DLDP Configuration. Follow these steps to perform basic DLDP configuration: To do … / Use the command … / Remarks: Enter system view: system-view. Enable DLDP: on all optical ports of the switch, dldp enable in system view (required); or on a single port, enter Ethernet port view with interface interface-type ... and then enable...
  • Page 176: Resetting Dldp State

    When connecting two DLDP-enabled devices, make sure the software running on them is of the same version; otherwise, DLDP may operate improperly. When you use the dldp enable or dldp disable command in system view to enable or disable DLDP on all optical ports of the switch, the configuration takes effect on the existing optical ports only, not on those added subsequently.
  • Page 177: Dldp Configuration Example

    DLDP Configuration Example. Network requirements: as shown in Figure 1-4, Switch A and Switch B are connected through two pairs of fibers. Both of them support DLDP. All the ports involved are forced to full duplex mode at 1,000 Mbps. Suppose the fibers between Switch A and Switch B are cross-connected.
  • Page 178 # Set the DLDP handling mode for unidirectional links to auto. [SwitchA] dldp unidirectional-shutdown auto # Display the DLDP state [SwitchA] display dldp 1 When two switches are connected through fibers in a crossed way, two or three ports may be in the disable state, and the rest in the inactive state.
  • Page 179 Table of Contents 1 MAC Address Table Management············································································································1-1 Overview ·················································································································································1-1 Introduction to the MAC Address Table ··························································································1-1 Introduction to MAC Address Learning ···························································································1-1 Managing MAC Address Table ·······································································································1-3 MAC Address Table Management··········································································································1-4 MAC Address Table Management Configuration Task List ····························································1-4 Configuring a MAC Address Entry ··································································································1-5 Setting the MAC Address Aging Timer····························································································1-6 Setting the Maximum Number of MAC Addresses a Port Can Learn ·············································1-6...
  • Page 180: Mac Address Table Management

    MAC Address Table Management. When configuring MAC address table management, go to these sections for information you are interested in: Overview; MAC Address Table Management; Displaying MAC Address Table Information; Configuration Example. This chapter describes the management of static, dynamic, and blackhole MAC address entries. For information about the management of multicast MAC address entries, refer to Multicast Operation.
  • Page 181 Generally, the majority of MAC address entries are created and maintained through MAC address learning. The following describes the MAC address learning process of a switch: As shown in Figure 1-1, User A and User B are both in VLAN 1. When User A communicates with User B, the packet from User A comes into the switch on GigabitEthernet 1/0/1.
  • Page 182: Managing Mac Address Table

    Figure 1-4 MAC address learning diagram (3) At this time, the MAC address table of the switch includes two forwarding entries shown in Figure 1-5. When forwarding the response packet from User B to User A, the switch sends the response to User A through GigabitEthernet 1/0/1 (technically called unicast), because MAC-A is already in the MAC address table.
  • Page 183: Mac Address Table Management

    The MAC address aging timer only takes effect on dynamic MAC address entries. With the “destination MAC address triggered update function” enabled, when a switch finds a packet with a destination address matching one MAC address entry within the aging time, it updates the entry and restarts the aging timer.
  • Page 184: Configuring A Mac Address Entry

    Task / Remarks: Enabling Destination MAC Address Triggered Update (optional). Configuring a MAC Address Entry: you can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a specific port, or remove specific types of MAC address entries (dynamic or static). Adding a MAC address entry in system view: you can add a MAC address entry in either system view or Ethernet port view.
  • Page 185: Setting The Mac Address Aging Timer

    When you add a MAC address entry, the current port must belong to the VLAN specified by the vlan argument in the command. Otherwise, the entry will not be added. If the VLAN specified by the vlan argument is a dynamic VLAN, after a static MAC address is added, it will become a static VLAN.
  • Page 186: Enabling Destination Mac Address Triggered Update

    By setting the maximum number of MAC addresses that can be learned from individual ports, the administrator can control the number of MAC address entries the MAC address table dynamically maintains, which also bounds how far a single port can fill the table by flooding it with forged source addresses. When the number of MAC address entries learned from a port reaches the set value, the port stops learning MAC addresses.
  • Page 187: Configuration Examples

    To do… / Use the command… / Remarks: Display the aging time of the dynamic MAC address entries in the MAC address table: display mac-address aging-time. Display the configured start port MAC address: display port-mac. Configuration Examples. Adding a Static MAC Address Entry Manually. Network requirements: the server connects to the switch through GigabitEthernet 1/0/2.
  • Page 188 Table of Contents 1 Auto Detect Configuration························································································································1-1 Introduction to the Auto Detect Function·································································································1-1 Auto Detect Configuration·······················································································································1-1 Auto Detect Basic Configuration ·····································································································1-2 Auto Detect Implementation in Static Routing·················································································1-2 Auto Detect Implementation in VLAN Interface Backup··································································1-3 Auto Detect Configuration Examples ······································································································1-4 Configuration Example for Auto Detect Implementation with Static Routing ··································1-4 Configuration Example for Auto Detect Implementation with VLAN Interface Backup ···················1-5...
  • Page 189: Auto Detect Configuration

    Auto Detect Configuration When configuring the auto detect function, go to these sections for information you are interested in: Introduction to the Auto Detect Function Auto Detect Configuration Auto Detect Configuration Examples Introduction to the Auto Detect Function The Auto Detect function uses Internet Control Message Protocol (ICMP) request/reply packets to test network connectivity regularly between the Auto Detect-enabled switch and the detected object.
  • Page 190: Auto Detect Basic Configuration

    Task / Remarks: Auto Detect Implementation in VLAN Interface Backup (optional). Auto Detect Basic Configuration. Follow these steps to configure the auto detect function: To do… / Use the command… / Remarks: Enter system view: system-view. Create a detected group and enter detected group view: detect-group group-number (required). detect-list list-number ip...
  • Page 191: Auto Detect Implementation In Vlan Interface Backup

    To avoid such problems, you can configure another route to back up the static route and use the Auto Detect function to judge the validity of the static route. If the static route is valid, packets are forwarded according to the static route, and the other route is standby. If the static route is invalid, packets are forwarded according to the backup route.
  • Page 192: Auto Detect Configuration Examples

    Figure 1-1 Schematic diagram for VLAN interface backup. Using Auto Detect can help implement VLAN interface backup. When data can be transmitted through two VLAN interfaces on the switch to the same destination, configure one of the VLAN interfaces as the active interface and the other as the standby interface.
  • Page 193: Configuration Example For Auto Detect Implementation With Vlan Interface Backup

    On Switch A, configure a static route to Switch C. Enable the static route when detected group 8 is reachable. To ensure normal operation of the auto detect function, configure a static route to Switch A on Switch C. Network diagram: Figure 1-2 Network diagram for implementing the auto detect function in static routing. Configuration procedure...
  • Page 194 Network diagram Figure 1-3 Network diagram for VLAN interface backup Configuration procedure Configure the IP addresses of all the interfaces as shown in Figure 1-3. The configuration procedure is omitted. # Enter system view. <SwitchA> system-view # Create auto detected group 10. [SwitchA] detect-group 10 # Add the IP address of 10.1.1.4 to detected group 10 to detect the reachability of the IP address, with the IP address of 192.168.1.2 as the next hop, and the detecting number set to 1.
  • Page 195 Table of Contents: 1 MSTP Configuration (1-1); Overview (1-1); Spanning Tree Protocol Overview (1-1); Rapid Spanning Tree Protocol Overview (1-10); Multiple Spanning Tree Protocol Overview (1-10); MSTP Implementation on Switches (1-14); Protocols and Standards (1-15); MSTP Configuration Task List (1-15); Configuring Root Bridge (1-17); Configuring an MST Region (1-17); Specifying the Current Switch as a Root Bridge/Secondary Root Bridge (1-18); Configuring the Bridge Priority of the Current Switch (1-20)...
  • Page 196 Introduction (1-39); Configuring Digest Snooping (1-40); Configuring Rapid Transition (1-41); Introduction (1-41); Configuring Rapid Transition (1-43); Configuring VLAN-VPN Tunnel (1-44); Introduction (1-44); Configuring VLAN-VPN tunnel (1-44); MSTP Maintenance Configuration (1-45); Introduction (1-45); Enabling Log/Trap Output for Ports of MSTP Instance (1-45); Configuration Example (1-45); Enabling Trap Messages Conforming to 802.1d Standard (1-46); Displaying and Maintaining MSTP (1-46); MSTP Configuration Example (1-47); VLAN-VPN Tunnel Configuration Example (1-49)...
  • Page 197: Mstp Configuration

    MSTP Configuration Go to these sections for information you are interested in: Overview; MSTP Configuration Task List; Configuring Root Bridge; Configuring Leaf Nodes; Performing mCheck Operation; Configuring Guard Functions; Configuring Digest Snooping; Configuring Rapid Transition; Configuring VLAN-VPN Tunnel; MSTP Maintenance Configuration; Enabling Trap Messages Conforming to 802.1d Standard; Displaying and Maintaining MSTP; MSTP Configuration Example...
  • Page 198 STP identifies the network topology by transmitting BPDUs between STP-compliant network devices, typically switches and routers. BPDUs contain sufficient information for the network devices to complete the spanning tree calculation. In STP, BPDUs come in two types: Configuration BPDUs, used to calculate spanning trees and maintain the spanning tree topology; Topology change notification (TCN) BPDUs, used to notify concerned devices of network topology changes, if any.
  • Page 199 Figure 1-1 A schematic diagram of designated bridges and designated ports All the ports on the root bridge are designated ports. Bridge ID A bridge ID consists of eight bytes, where the first two bytes represent the bridge priority of the device, and the latter six bytes represent the MAC address of the device.
  • Page 200 Port ID A port ID used on a 3Com switch 4500 consists of two bytes, that is, 16 bits, where the first six bits represent the port priority, and the latter ten bits represent the port number. The default priority of all Ethernet ports on 3Com switches 4500 is 128. You can use commands to configure port priorities.
  • Page 201 Table 1-2 Selection of the optimum configuration BPDU Step Description Upon receiving a configuration BPDU on a port, the device performs the following processing: If the received configuration BPDU has a lower priority than that of the configuration BPDU generated by the port, the device will discard the received configuration BPDU without doing any processing on the configuration BPDU of this port.
  • Page 202 Step Description The device compares the calculated configuration BPDU with the configuration BPDU on the port whose role is to be determined, and acts as follows based on the comparison result: If the calculated configuration BPDU is superior, this port will serve as the designated port, and the configuration BPDU on the port will be replaced with the calculated configuration BPDU, which will be sent out periodically.
  • Page 203 Device Port name BPDU of port {1, 0, 1, BP1} Device B {1, 0, 1, BP2} {2, 0, 2, CP1} Device C {2, 0, 2, CP2} Comparison process and result on each device The following table shows the comparison process and result on each device. Table 1-5 Comparison process and result on each device BPDU of port after Device...
  • Page 204 BPDU of port after Device Comparison process comparison Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1.
  • Page 205 Figure 1-3 The final calculated spanning tree. To facilitate description, the spanning tree calculation process in this example is simplified; the actual process is more complicated. The BPDU forwarding mechanism in STP: Upon network initialization, every switch regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular interval of hello time.
  • Page 206: Rapid Spanning Tree Protocol Overview

    For this reason, the protocol uses a state transition mechanism. Namely, a newly elected root port and the designated ports must go through a period, which is twice the forward delay time, before they transition to the forwarding state. The period allows the new configuration BPDUs to be propagated throughout the entire network.
  • Page 207 MSTP supports mapping VLANs to Multiple Spanning Tree (MST) instances (MSTIs) by means of a VLAN-to-instance mapping table. MSTP introduces instances (each of which integrates multiple VLANs into a set) and can bind multiple VLANs to an instance, thus saving communication overhead and improving resource utilization.
  • Page 208 MSTI A multiple spanning tree instance (MSTI) refers to a spanning tree in an MST region. Multiple spanning trees can be established in one MST region. These spanning trees are independent of each other. For example, each region in Figure 1-4 contains multiple spanning trees known as MSTIs.
  • Page 209 A region boundary port is located on the boundary of an MST region and is used to connect one MST region to another MST region, an STP-enabled region or an RSTP-enabled region. An alternate port is a secondary port of a root port or master port and is used for rapid transition. With the root port or master port being blocked, the alternate port becomes the new root port or master port.
  • Page 210: Mstp Implementation On Switches

    Forwarding state. Ports in this state can forward user packets and receive/send BPDU packets. Learning state. Ports in this state can receive/send BPDU packets but do not forward user packets. Discarding state. Ports in this state can only receive BPDU packets. Port roles and port states are not mutually dependent.
  • Page 211: Mstp Configuration Task List

    In addition to the basic MSTP functions, the 3Com Switch 4500 also provides the following functions for users to manage their switches: Root bridge hold; Root bridge backup; Root guard; BPDU guard; Loop guard; TC-BPDU attack guard; BPDU packet drop. Protocols and Standards: MSTP is documented in: IEEE 802.1D: spanning tree protocol; IEEE 802.1w: rapid spanning tree protocol...
  • Page 212 Task / Remarks: Configuring the Timeout Time Factor (Optional); Configuring the Maximum Transmitting Rate on the Current Port (Optional; the default value is recommended); Configuring the Current Port as an Edge Port (Optional); Setting the Link Type of a Port to P2P (Optional); (Required) To prevent network topology jitter...
  • Page 213: Configuring Root Bridge

    Configuring Root Bridge. Configuring an MST Region. Configuration procedure: Follow these steps to configure an MST region (To do... / Use the command... / Remarks): Enter system view: system-view (—). Enter MST region view: stp region-configuration (—). Configure the name of the MST region: region-name name (Required). Remarks: The default MST region name of a region...
  • Page 214: Specifying The Current Switch As A Root Bridge/Secondary Root Bridge

    MSTP-enabled switches are in the same region only when they have the same format selector (an 802.1s-defined protocol selector, which is 0 by default and cannot be configured), MST region name, VLAN-to-instance mapping table, and revision level. The 3Com switches 4500 support only the MST region name, VLAN-to-instance mapping table, and revision level.
  • Page 215 Specify the current switch as the secondary root bridge of a spanning tree. Follow these steps to specify the current switch as the secondary root bridge of a spanning tree (To do... / Use the command... / Remarks): Enter system view: system-view (—). Specify the current switch as...: stp [ instance instance-id ] root...
  • Page 216: Configuring The Bridge Priority Of The Current Switch

    Configuring the Bridge Priority of the Current Switch Root bridges are selected according to the bridge priorities of switches. You can make a specific switch be selected as a root bridge by setting a lower bridge priority for the switch. An MSTP-enabled switch can have different bridge priorities in different MSTIs.
  • Page 217: Configuring The Mstp Operation Mode

    To do... / Use the command... / Remarks: Configure how a port recognizes and sends MSTP packets: stp interface interface-list compliance { auto | dot1s | legacy } (Required). Remarks: By default, a port recognizes and sends MSTP packets in the automatic mode. That is, it determines the format of packets to be sent according to the...
  • Page 218: Configuring The Maximum Hop Count Of An Mst Region

    To do... / Use the command... / Remarks: Enter system view: system-view (—). Configure the MSTP operation mode: stp mode { stp | rstp | mstp } (Required). Remarks: An MSTP-enabled switch operates in the MSTP mode by default. Configuration example: # Specify the MSTP operation mode as STP-compatible. <Sysname>...
  • Page 219: Configuring The Network Diameter Of The Switched Network

    Configuring the Network Diameter of the Switched Network In a switched network, any two switches can communicate with each other through a specific path made up of multiple switches. The network diameter of a network is measured by the number of switches;...
  • Page 220 To do... / Use the command... / Remarks: Configure the max age parameter: stp timer max-age centiseconds (Required). Remarks: The max age parameter defaults to 2,000 centiseconds (namely, 20 seconds). All switches in a switched network adopt the three time-related parameters configured on the CIST root bridge.
  • Page 221: Configuring The Timeout Time Factor

    Configuring the Timeout Time Factor When the network topology is stable, a non-root-bridge switch regularly forwards BPDUs received from the root bridge to its neighboring devices at the interval specified by the hello time parameter to check for link failures. Normally, a switch regards its upstream switch as faulty if it does not receive any BPDU from that switch within a period of three times the hello time, and then initiates the spanning tree recalculation process.
  • Page 222: Configuring The Current Port As An Edge Port

    To do... / Use the command... / Remarks: Enter system view: system-view (—). Enter Ethernet port view: interface interface-type interface-number (—). Configure the maximum transmitting rate: stp transmit-limit packetnum (Required). Remarks: The maximum transmitting rate of all Ethernet ports on a switch defaults to 10. As the maximum transmitting rate parameter determines the number of configuration BPDUs transmitted in each hello time, set it to a proper value to prevent MSTP from occupying too many network resources.
  • Page 223: Setting The Link Type Of A Port To P2P

    To do... / Use the command... / Remarks: Enter Ethernet port view: interface interface-type interface-number (—). Configure the port as an edge port: stp edged-port enable (Required). Remarks: By default, all the Ethernet ports of a switch are non-edge ports. On a switch with BPDU guard disabled, an edge port becomes a non-edge port again once it receives a BPDU from another port.
  • Page 224: Enabling Mstp

    Setting the Link Type of a Port to P2P in Ethernet port view Follow these steps to specify whether the link connected to a port is point-to-point link in Ethernet port view: To do... Use the command... Remarks Enter system view —...
  • Page 225: Configuring Leaf Nodes

    To do... / Use the command... / Remarks: Disable MSTP on specified ports: stp interface interface-list disable (Optional). Remarks: By default, MSTP is enabled on all ports. To enable a switch to operate more flexibly, you can disable MSTP on specific ports. As MSTP-disabled ports do not participate in spanning tree calculation, this operation saves CPU resources of the switch.
  • Page 226: Configuring The Timeout Time Factor

    Configuring the Timeout Time Factor Refer to Configuring the Timeout Time Factor. Configuring the Maximum Transmitting Rate on the Current Port Refer to Configuring the Maximum Transmitting Rate on the Current Port. Configuring a Port as an Edge Port Refer to Configuring the Current Port as an Edge Port.
  • Page 227 Operation mode Latency Rate 802.1D-1998 IEEE 802.1t (half-/full-duplex) standard Full-duplex 20,000 Aggregated link 2 ports 10,000 1,000 Mbps Aggregated link 3 ports 6,666 Aggregated link 4 ports 5,000 Full-duplex 2,000 Aggregated link 2 ports 1,000 10 Gbps Aggregated link 3 ports Aggregated link 4 ports Normally, the path cost of a port operating in full-duplex mode is slightly less than that of the port operating in half-duplex mode.
  • Page 228: Configuring Port Priority

    Perform this configuration in system view <Sysname> system-view [Sysname] stp interface Ethernet 1/0/1 instance 1 cost 2000 Perform this configuration in Ethernet port view <Sysname> system-view [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] stp instance 1 cost 2000 Configuration example (B) # Configure the path cost of Ethernet 1/0/1 in MSTI 1 to be calculated by the MSTP-enabled switch according to the IEEE 802.1D-1998 standard.
  • Page 229: Setting The Link Type Of A Port To P2P

    To do... / Use the command... / Remarks: Enter Ethernet port view: interface interface-type interface-number (—). Configure port priority for the port: stp [ instance instance-id ] port priority priority (Required). Remarks: The default port priority is 128. Changing the port priority of a port may change the role of the port and put the port into state transition. A smaller port priority value indicates a higher possibility for the port to become the root port.
  • Page 230: Configuration Procedure

    Configuration Procedure You can perform the mCheck operation in the following two ways. Perform the mCheck operation in system view Follow these steps to perform the mCheck operation in system view: To do... Use the command... Remarks Enter system view —...
  • Page 231: Configuring Root Guard

    shuts down the edge ports that receive configuration BPDUs and then reports these cases to the administrator. Ports shut down in this way can only be restored by the administrator. It is recommended that you enable BPDU guard on devices with edge ports configured. Configuration Prerequisites: MSTP runs normally on the switch.
  • Page 232 forwarding packets (as if it were disconnected from the link). It resumes the normal state if it does not receive any configuration BPDUs with higher priorities for a specified period. It is recommended that you enable root guard on the designated ports of a root bridge. Loop guard, root guard, and edge port settings are mutually exclusive.
  • Page 233: Configuring Loop Guard

    Configuring Loop Guard A switch maintains the states of the root port and other blocked ports by receiving and processing BPDUs from the upstream switch. These BPDUs may get lost because of network congestion or unidirectional link failures. If a switch does not receive BPDUs from the upstream switch for a certain period, the switch selects a new root port;...
  • Page 234: Configuring Bpdu Dropping

    period, the switch may be busy removing MAC address table and ARP entries, which may affect spanning tree calculation, occupy a large amount of bandwidth and increase switch CPU utilization. With the TC-BPDU attack guard function enabled, a switch performs a removing operation upon receiving a TC-BPDU and triggers a timer (set to 10 seconds by default) at the same time.
  • Page 235: Configuring Digest Snooping

    As a result, STP calculation is performed repeatedly, which may consume too much CPU on the switches or cause errors in the protocol state of the BPDU packets. To avoid this problem, you can enable BPDU dropping on Ethernet ports. Once the function is enabled on a port, the port will not receive or forward any BPDU packets.
  • Page 236: Configuring Digest Snooping

    The digest snooping function is not applicable to edge ports. Configuring Digest Snooping Configure the digest snooping feature on a switch to enable it to communicate with other switches adopting proprietary protocols to calculate configuration digests in the same MST region through MSTIs.
  • Page 237: Configuring Rapid Transition

    When the digest snooping feature is enabled on a port, the port state turns to the discarding state. That is, the port will not send BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port. The digest snooping feature is needed only when your switch is connected to another manufacturer’s switches adopting proprietary spanning tree protocols.
  • Page 238 Figure 1-6 The RSTP rapid transition mechanism (diagram: the upstream switch sends a Proposal for rapid transition from its designated port; the downstream switch's root port blocks other non-edge ports, changes to the forwarding state and sends an Agreement to the upstream device; the designated port then changes to the forwarding state). Figure 1-7 The MSTP rapid transition mechanism: Upstream switch...
  • Page 239: Configuring Rapid Transition

    Configuring Rapid Transition Configuration prerequisites As shown in Figure 1-8, a 3Com switch 4500 is connected to another manufacturer's switch. The former operates as the downstream switch, and the latter operates as the upstream switch. The network operates normally. The upstream switch is running a proprietary spanning tree protocol that is similar to RSTP in the way to implement rapid transition on designated ports.
  • Page 240: Configuring Vlan-Vpn Tunnel

    The rapid transition feature can be enabled only on root ports or alternate ports. If you configure the rapid transition feature on a designated port, the feature does not take effect on the port. Configuring VLAN-VPN Tunnel. Introduction: The VLAN-VPN Tunnel function enables STP packets to be transparently transmitted between geographically dispersed customer networks through specified VLAN VPNs in service provider networks. Spanning trees can thus be generated across these customer networks, independent of those of the service provider network.
  • Page 241: Mstp Maintenance Configuration

    To do... / Use the command... / Remarks: Enable the VLAN-VPN tunnel function globally: vlan-vpn tunnel (Required). Remarks: The VLAN-VPN tunnel function is disabled by default. Enter Ethernet port view: interface interface-type interface-number. Remarks: Make sure that you enter the Ethernet port view of the port for which you want to enable the VLAN-VPN tunnel...
  • Page 242: Enabling Trap Messages Conforming To 802.1D Standard

    <Sysname> system-view [Sysname] stp instance 1 portlog # Enable log/trap output for the ports of all instances. <Sysname> system-view [Sysname] stp portlog all Enabling Trap Messages Conforming to 802.1d Standard A switch sends trap messages conforming to 802.1d standard to the network management device in the following two cases: The switch becomes the root bridge of an instance.
  • Page 243: Mstp Configuration Example

    MSTP Configuration Example Network requirements Implement MSTP in the network shown in Figure 1-10 to enable packets of different VLANs to be forwarded along different MSTIs. The detailed configurations are as follows: All switches in the network belong to the same MST region. Packets of VLAN 10, VLAN 30, VLAN 40, and VLAN 20 are forwarded along MSTI 1, MSTI 3, MSTI 4, and MSTI 0 respectively.
  • Page 244 # Specify Switch A as the root bridge of MSTI 1. [Sysname] stp instance 1 root primary Configure Switch B # Enter MST region view. <Sysname> system-view [Sysname] stp region-configuration # Configure the region name, VLAN-to-instance mapping table, and revision level for the MST region. [Sysname-mst-region] region-name example [Sysname-mst-region] instance 1 vlan 10 [Sysname-mst-region] instance 3 vlan 30...
  • Page 245: Vlan-Vpn Tunnel Configuration Example

    VLAN-VPN Tunnel Configuration Example Network requirements Switch C and Switch D are the access devices for the service provider network. The 3Com switches 4500 operate as the access devices of the customer networks, that is, Switch A and Switch B in the network diagram. Switch C and Switch D are connected to each other through the configured trunk ports of the switches.
  • Page 246 [Sysname] vlan-vpn tunnel # Add GigabitEthernet 1/0/1 to VLAN 10. [Sysname] vlan 10 [Sysname-Vlan10] port GigabitEthernet 1/0/1 [Sysname-Vlan10] quit # Enable the VLAN VPN function on GigabitEthernet 1/0/1. [Sysname] interface GigabitEthernet 1/0/1 [Sysname-GigabitEthernet1/0/1] port access vlan 10 [Sysname-GigabitEthernet1/0/1] vlan-vpn enable [Sysname-GigabitEthernet1/0/1] quit # Configure GigabitEthernet 1/0/2 as a trunk port.
  • Page 247 Table of Contents: 1 IP Routing Protocol Overview (1-1); Introduction to IP Route and Routing Table (1-1); IP Route (1-1); Routing Table (1-1); Routing Protocol Overview (1-3); Static Routing and Dynamic Routing (1-3); Classification of Dynamic Routing Protocols (1-3); Routing Protocols and Routing Priority (1-3); Load Sharing and Route Backup (1-4); Routing Information Sharing (1-4); Displaying and Maintaining a Routing Table (1-5)...
  • Page 248 Filters (4-1); IP Route Policy Configuration Task List (4-2); Route Policy Configuration (4-2); Configuration Prerequisites (4-3); Defining a Route Policy (4-3); Defining if-match Clauses and apply Clauses (4-3); IP-Prefix Configuration (4-5); Configuration Prerequisites (4-5); Configuring an ip-prefix list (4-5); Displaying IP Route Policy (4-5); IP Route Policy Configuration Example (4-6); Controlling RIP Packet Cost to Implement Dynamic Route Backup (4-6); Troubleshooting IP Route Policy (4-9)...
  • Page 249: Ip Routing Protocol Overview

    IP Routing Protocol Overview Go to these sections for information you are interested in: Introduction to IP Route and Routing Table; Routing Protocol Overview; Displaying and Maintaining a Routing Table. Introduction to IP Route and Routing Table. IP Route: Routers are used for route selection on the Internet. As a router receives a packet, it selects an appropriate route (through a network) according to the destination address of the packet and forwards the packet to the next router.
  • Page 250 Preference: There may be multiple routes with different next hops to the same destination. These routes may be discovered by different routing protocols, or be manually configured static routes. The one with the highest preference (the smallest numerical value) will be selected as the current optimal route.
  • Page 251: Routing Protocol Overview

    Routing Protocol Overview Static Routing and Dynamic Routing: Static routing is easy to configure and requires fewer system resources. It works well in small, stable networks with simple topologies. It cannot adapt itself to network topology changes automatically, so you must perform routing configuration again whenever the network topology changes.
  • Page 252: Load Sharing And Route Backup

    each routing protocol (including static routes) is assigned a priority. The route found by the routing protocol with the highest priority is preferred. The following table lists some routing protocols and the default priorities for routes found by them: Table 1-1 Routing protocols and priorities of their default route Routing approach Priority DIRECT...
  • Page 253: Displaying And Maintaining A Routing Table

    routing information. Each routing protocol shares routing information discovered by other routing protocols through a route redistribution mechanism. Displaying and Maintaining a Routing Table (To do… / Use the command… / Remarks): Display brief information about a routing table: display ip routing-table [ | { begin | exclude | include } regular-expression ]. Display detailed information...
  • Page 254: Static Route Configuration

    Static Route Configuration When configuring a static route, go to these sections for information you are interested in: Introduction to Static Route; Static Route Configuration; Displaying and Maintaining Static Routes; Static Route Configuration Example; Troubleshooting a Static Route. The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
  • Page 255: Default Route

    Default Route To avoid too large a routing table, you can configure a default route. When the destination address of a packet fails to match any entry in the routing table, and there is a default route in the routing table, the default route will be selected to forward the packet. If there is no default route, the packet will be discarded and an ICMP Destination Unreachable or Network Unreachable packet will be returned to the source.
  • Page 256: Static Route Configuration Example

    To do... / Use the command... / Remarks: Display the brief information of a routing table: display ip routing-table. Display the detailed information of a routing table: display ip routing-table verbose. Display the information of static routes: display ip routing-table protocol static [ inactive | verbose ]. Remarks: Available in... Delete all static routes...
  • Page 257: Troubleshooting A Static Route

    Perform the following configurations on the switch. # Approach 1: Configure static routes on Switch A. <SwitchA> system-view [SwitchA] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2 [SwitchA] ip route-static 1.1.4.0 255.255.255.0 1.1.2.2 [SwitchA] ip route-static 1.1.5.0 255.255.255.0 1.1.2.2 # Approach 2: Configure a static route on Switch A. <SwitchA>...
  • Page 258: Rip Configuration

    RIP Configuration When configuring RIP, go to these sections for information you are interested in: RIP Overview RIP Configuration Task List RIP Configuration Example Troubleshooting RIP Configuration The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
  • Page 259: Rip Startup And Operation

    Interface: Outbound interface on this router, through which IP packets should be forwarded to reach the destination. Metric: Cost from the local router to the destination. Route time: Time elapsed since the routing entry was last updated. The time is reset to 0 every time the routing entry is updated.
  • Page 260: Basic Rip Configuration

    Task / Remarks: Enabling RIP on the interfaces attached to a specified network segment (Required). Configuring Basic RIP Functions: Setting the RIP operating status on an interface (Optional); Specifying the RIP version on an interface (Optional); Setting the additional routing metrics of an interface (Optional); Configuring RIP route summarization (Optional)...
  • Page 261: Rip Route Control

    Related RIP commands configured in interface view can take effect only after RIP is enabled. RIP operates on the interfaces attached to a specified network segment. When RIP is disabled on an interface, it does not operate on the interface, that is, it neither receives/sends routes on the interface, nor forwards any interface route.
  • Page 262: Configuration Prerequisites

    Set the preference of RIP to change the preference order of routing protocols. This order makes sense when more than one route to the same destination is discovered by multiple routing protocols. Redistribute external routes in an environment with multiple routing protocols. Configuration Prerequisites Before configuring RIP route control, perform the following tasks: Configuring network layer addresses of interfaces so that adjacent nodes are reachable to each...
  • Page 263 Follow these steps to configure RIP route summarization: enter system view (system-view); enter RIP view (Required); enable RIP-2 automatic route summarization (summary; enabled by default). Disabling the router from receiving host routes: in some special cases, the router can receive a lot of host routes from the same segment, and these routes are of little help in route addressing but consume a lot of network resources.
  • Page 264 The filter-policy import command filters the RIP routes received from neighbors, and the routes being filtered out will neither be added to the routing table nor be advertised to any neighbors. The filter-policy export command filters all the routes to be advertised, including the routes redistributed with the import-route command and routes learned from neighbors.
  • Page 265: Rip Network Adjustment And Optimization

    RIP Network Adjustment and Optimization In some special network environments, some RIP features need to be configured and RIP network performance needs to be adjusted and optimized. By performing the configuration mentioned in this section, the following can be implemented: Changing the convergence speed of RIP network by adjusting RIP timers;...
  • Page 266 Split horizon cannot be disabled on a point-to-point link. Configuring RIP-1 packet zero field check. Follow these steps to configure RIP-1 packet zero field check: enter system view (system-view); enter RIP view (Required); enable the check of the must-be-zero fields (checkzero)...
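The must-be-zero check that the checkzero command turns on is easiest to see on the wire. The following is an added Python example, not the switch's own code: it builds and parses RIP packets in the RFC 1058/2453 layout (4-byte header, 20-byte route entries) and rejects a RIP-1 packet whose must-be-zero fields are set, which is exactly what a receiver with checkzero enabled does. The packets built at the bottom are constructed test data; nothing is sent on UDP port 520.

```python
"""RIP packet parsing with the RIP-1 must-be-zero field check that the
checkzero command enables. Added example, not the switch's own code; the
packets below are constructed test data and nothing is sent on the wire."""
import socket
import struct

RIP_HDR = struct.Struct("!BBH")          # command, version, must-be-zero
RIP_ENTRY = struct.Struct("!HH4s4s4sI")  # AFI, tag(v2)/zero, address, mask(v2)/zero, next hop(v2)/zero, metric
RIP_REQUEST, RIP_RESPONSE = 1, 2
ZERO4 = b"\x00" * 4


def build_rip_packet(version, command, entries):
    """entries: (afi, tag, address, mask, nexthop, metric). A conforming RIP-1
    sender passes tag=0, mask="0.0.0.0" and nexthop="0.0.0.0"."""
    pkt = RIP_HDR.pack(command, version, 0)
    for afi, tag, addr, mask, nexthop, metric in entries:
        pkt += RIP_ENTRY.pack(afi, tag, socket.inet_aton(addr), socket.inet_aton(mask),
                              socket.inet_aton(nexthop), metric)
    return pkt


def parse_rip_packet(data, checkzero=True):
    """Parse a RIP packet; raise ValueError for anything a receiver should drop.
    With checkzero=True a RIP-1 packet whose must-be-zero fields are set is
    rejected (the checkzero behaviour); with checkzero=False it is accepted."""
    if len(data) < RIP_HDR.size or (len(data) - RIP_HDR.size) % RIP_ENTRY.size:
        raise ValueError("length is not a header plus whole 20-byte entries")
    command, version, mbz = RIP_HDR.unpack_from(data)
    if command not in (RIP_REQUEST, RIP_RESPONSE):
        raise ValueError(f"unknown command {command}")
    if version not in (1, 2):
        raise ValueError(f"unsupported version {version}")
    if checkzero and version == 1 and mbz:
        raise ValueError("RIP-1 header must-be-zero field is non-zero")
    routes = []
    for offset in range(RIP_HDR.size, len(data), RIP_ENTRY.size):
        afi, tag, addr, mask, nexthop, metric = RIP_ENTRY.unpack_from(data, offset)
        if checkzero and version == 1 and (tag or mask != ZERO4 or nexthop != ZERO4):
            raise ValueError("RIP-1 entry must-be-zero field is non-zero")
        if command == RIP_RESPONSE and not 1 <= metric <= 16:
            raise ValueError(f"metric {metric} outside 1..16")
        routes.append({
            "afi": afi,
            "address": socket.inet_ntoa(addr),
            "mask": socket.inet_ntoa(mask) if version == 2 else None,
            "nexthop": socket.inet_ntoa(nexthop) if version == 2 else None,
            "metric": metric,
        })
    return {"command": command, "version": version, "routes": routes}


def accepted(data, checkzero=True):
    """True if a receiver with the given zero-field policy would accept the packet."""
    try:
        parse_rip_packet(data, checkzero)
        return True
    except ValueError:
        return False


# Constructed samples: a clean RIP-1 response, the same response with a
# non-zero "tag" field (illegal in RIP-1), and a RIP-2 response in which that
# field is legitimately the route tag and the mask field carries a netmask.
CLEAN_V1 = build_rip_packet(1, RIP_RESPONSE, [(2, 0, "1.1.3.0", "0.0.0.0", "0.0.0.0", 1)])
DIRTY_V1 = build_rip_packet(1, RIP_RESPONSE, [(2, 7, "1.1.3.0", "0.0.0.0", "0.0.0.0", 1)])
CLEAN_V2 = build_rip_packet(2, RIP_RESPONSE, [(2, 7, "1.1.3.0", "255.255.255.0", "0.0.0.0", 1)])

if __name__ == "__main__":
    print(parse_rip_packet(CLEAN_V1))
    print("dirty v1, checkzero on :", accepted(DIRTY_V1))
    print("dirty v1, checkzero off:", accepted(DIRTY_V1, checkzero=False))
    print("v2 mask:", parse_rip_packet(CLEAN_V2)["routes"][0]["mask"])
```

The point of the check is that a RIP-1 receiver which ignores those fields will happily take a RIP-2 packet (or a crafted one) and read its route tag, mask and next hop as padding; enabling checkzero makes such packets fail parsing instead of being installed.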
  • Page 267: Displaying And Maintaining Rip Configuration

    Configuring RIP to unicast RIP packets Follow these steps to configure RIP to unicast RIP packets: enter system view (system-view); enter RIP view (Required); configure RIP to unicast RIP packets (peer ip-address). When RIP runs on a link that does not support broadcast or multicast, you must configure RIP to...
  • Page 268: Troubleshooting Rip Configuration

    Switch C Vlan-int1 110.11.2.3/24 Vlan-int4 117.102.0.1/16 Configuration procedure Only the configuration related to RIP is listed below. Before the following configuration, make sure the Ethernet link layer works normally and the IP addresses of VLAN interfaces are configured correctly. Configure Switch A: # Configure RIP.
  • Page 269: Ip Route Policy Configuration

    IP Route Policy Configuration When configuring an IP route policy, go to these sections for information you are interested in: IP Route Policy Overview IP Route Policy Configuration Task List Displaying IP Route Policy IP Route Policy Configuration Example Troubleshooting IP Route Policy The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
  • Page 270: Ip Route Policy Configuration Task List

    For ACL configuration, refer to the part discussing ACL. IP-prefix list An IP-prefix list plays a role similar to an ACL, but it is more flexible and easier to understand. When an IP-prefix list is applied to filter routing information, its matching object is the destination address field of the routing information.
  • Page 271: Configuration Prerequisites

    if-match clause: Defines matching rules; that is, the filtering conditions that the routing information should satisfy for passing the current route policy. The matching objects are some attributes of the routing information. apply clause: Specifies actions, which are the configuration commands executed after a route satisfies the filtering conditions specified by the if-match clause.
  • Page 272 To do... / Use the command... / Remarks: Enter system view: system-view. Enter the route-policy view: route-policy route-policy-name { permit | deny } node node-number (Required). Define a rule to match the IP address of routing information: if-match { acl acl-number | ip-prefix ip-prefix-name } (Optional; by default, no matching is performed on...)
  • Page 273: Ip-Prefix Configuration

    IP-Prefix Configuration An IP-prefix list plays a role similar to an ACL but is more flexible and easier to understand. When an IP-prefix list is applied to filter routing information, its matching object is the destination address field of the routing information. Configuration Prerequisites Before configuring a filter list, prepare the following data: IP-prefix name; range of addresses to be matched...
  • Page 274: Ip Route Policy Configuration Example

    IP Route Policy Configuration Example Controlling RIP Packet Cost to Implement Dynamic Route Backup Network requirements The required speed of convergence in the small network of a company is not high. The network provides two services. Main and backup links are provided for each service for the purpose of reliability. The main link of one service serves as the backup link of the other.
  • Page 275 For the OA server, the main link is between Switch A and Switch C, while the backup link is between Switch B and Switch C. For the service server, the main link is between Switch B and Switch C, while the backup link is between Switch A and Switch C.
  • Page 276 [SwitchC-route-policy] if-match interface Vlan-interface2 [SwitchC-route-policy] if-match ip-prefix 2 [SwitchC-route-policy] apply cost 6 [SwitchC-route-policy] quit # Create node 30 with the matching mode being permit in the route policy. Define if-match clauses. Apply the cost 6 to routes matching the outgoing interface VLAN-interface 6 and prefix list 1. [SwitchC] route-policy in permit node 30 [SwitchC-route-policy] if-match interface Vlan-interface6 [SwitchC-route-policy] if-match ip-prefix 1...
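The route-policy semantics spread over the preceding pages (nodes with permit or deny mode, if-match clauses that must all hold within a node, apply clauses that run when they do, and IP-prefix lists matching on the destination prefix) are demonstrated below in an added Python example that is not the switch's code. The prefix lists, node numbers, sample routes and the trailing catch-all node are constructed for illustration, in the spirit of the cost-6 example above but not copied from it; the ge/le prefix-length range on prefix-list entries is the general form, which the excerpt does not show.

```python
"""Route-policy evaluation: nodes are tried in node-number order; within a node
every if-match clause must hold; the first node whose clauses all hold decides
(a permit node runs its apply clauses and passes the route, a deny node drops
it); a route matching no node is dropped. Added example, not the switch's
code; lists, nodes and routes below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: str
    interface: str   # outgoing interface the route currently uses
    cost: int


@dataclass
class Node:
    number: int
    permit: bool
    match_interface: Optional[str] = None      # if-match interface
    match_prefix_list: Optional[str] = None    # if-match ip-prefix
    apply_cost: Optional[int] = None           # apply cost


def prefix_list_match(entries, prefix):
    """IP-prefix list: entries (permit, base, ge, le) tried in order, first hit
    decides, no hit means deny. With ge and le both None the route prefix must
    equal the base prefix exactly; ge/le widen that to a prefix-length range
    (assumed general form, not shown in the excerpt)."""
    net = ipaddress.ip_network(prefix)
    for permit, base, ge, le in entries:
        base_net = ipaddress.ip_network(base)
        low = ge if ge is not None else base_net.prefixlen
        high = le if le is not None else (32 if ge is not None else base_net.prefixlen)
        if net.network_address in base_net and low <= net.prefixlen <= high:
            return permit
    return False


def apply_route_policy(nodes, prefix_lists, route):
    """Return the (possibly modified) route if the policy permits it, else None."""
    for node in sorted(nodes, key=lambda n: n.number):
        if node.match_interface is not None and route.interface != node.match_interface:
            continue
        if node.match_prefix_list is not None and not prefix_list_match(
                prefix_lists[node.match_prefix_list], route.prefix):
            continue
        if not node.permit:
            return None
        cost = route.cost if node.apply_cost is None else node.apply_cost
        return Route(route.prefix, route.interface, cost)
    return None


# Constructed policy: raise the cost of a service prefix when it is learned
# over its backup interface, drop private prefixes, pass everything else.
PREFIX_LISTS = {
    "1": [(True, "1.0.0.0/8", None, None)],
    "2": [(True, "3.0.0.0/8", None, None)],
    "private": [(True, "10.0.0.0/8", 8, 32), (True, "192.168.0.0/16", 16, 32)],
}
POLICY_IN = [
    Node(10, True, match_interface="Vlan-interface2", match_prefix_list="2", apply_cost=6),
    Node(20, False, match_prefix_list="private"),
    Node(30, True, match_interface="Vlan-interface6", match_prefix_list="1", apply_cost=6),
    Node(40, True),  # catch-all (assumption): without it every unmatched route is dropped
]


def evaluate(route):
    return apply_route_policy(POLICY_IN, PREFIX_LISTS, route)


if __name__ == "__main__":
    for r in (Route("1.0.0.0/8", "Vlan-interface6", 1),
              Route("1.0.0.0/8", "Vlan-interface2", 1),
              Route("10.1.0.0/16", "Vlan-interface2", 2)):
        print(r, "->", evaluate(r))
```

Two details matter when writing a real policy: an empty prefix list or a route that matches no node denies, so a policy with only "raise the cost" nodes silently drops every other route unless a permit node with no if-match clauses closes it; and a deny node placed after a permit node that already matches never runs.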
  • Page 277: Troubleshooting Ip Route Policy

    Display data forwarding paths when the main link of the OA server between Switch A and Switch C is down. <SwitchC> display ip routing-table Routing Table: public net Destination/Mask Protocol Cost Nexthop Interface 1.0.0.0/8 6.6.6.5 Vlan-interface2 3.0.0.0/8 6.6.6.5 Vlan-interface6 6.0.0.0/8 DIRECT 6.6.6.6 Vlan-interface6...
  • Page 278 Table of Contents: 1 Multicast Overview (1-1); Multicast Overview (1-1); Information Transmission in the Unicast Mode (1-1); Information Transmission in the Broadcast Mode (1-2); Information Transmission in the Multicast Mode (1-3); Roles in Multicast (1-3); Common Notations in Multicast (1-4); Advantages and Applications of Multicast (1-4); Multicast Models (1-5); Multicast Architecture (1-5); Multicast Address (1-6)...
  • Page 279 Configuring IGMP Snooping (1-16); Configuring Multicast VLAN (1-18); Troubleshooting IGMP Snooping (1-21)...
  • Page 280: Multicast Overview

    Multicast Overview In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol. Multicast Overview With the development of the Internet, more and more interaction services such as data, voice, and video services are running on the network.
  • Page 281: Information Transmission In The Broadcast Mode

    Assume that Hosts B, D and E need this information. The source server establishes transmission channels for the devices of these users respectively. As the transmitted traffic over the network is in direct proportion to the number of users that receive this information, when a large number of users need the same information, the server must send many packets of information with the same content to the users.
  • Page 282: Information Transmission In The Multicast Mode

    Information Transmission in the Multicast Mode As described in the previous sections, unicast is suitable for networks with sparsely distributed users, whereas broadcast is suitable for networks with densely distributed users. When the number of users requiring the information is not known in advance, neither unicast nor broadcast is efficient. Multicast solves this problem.
  • Page 283: Common Notations In Multicast

    All receivers interested in the same information form a multicast group. Multicast groups are not subject to geographic restrictions. A router that supports Layer 3 multicast is called a multicast router or Layer 3 multicast device. In addition to providing multicast routing, a multicast router can also manage multicast group members.
  • Page 284: Multicast Models

    Application of multicast The multicast technology effectively addresses the issue of point-to-multipoint data transmission. By enabling high-efficiency point-to-multipoint data transmission over an IP network, multicast greatly saves network bandwidth and reduces network load. Multicast supports the following applications: Applications of multimedia and streaming media, such as Web TV, Web radio, and real-time video/audio conferencing.
  • Page 285: Multicast Address

    Host registration: What receivers reside on the network? Technologies of discovering a multicast source: Which multicast source should the receivers receive information from? Multicast addressing mechanism: Where should the multicast source transport information? Multicast routing: How is information transported? IP multicast is a kind of peer-to-peer service. Based on the protocol layer sequence from bottom to top, the multicast mechanism comprises the addressing mechanism, host registration, multicast routing, and multicast application: Addressing mechanism: Information is sent from a multicast source to a group of receivers through...
  • Page 286 Note that: The IP address of a permanent multicast group remains unchanged, while the members of the group can change. There can be any number of, or even zero, members in a permanent multicast group. Those IP multicast addresses not assigned to permanent multicast groups can be used by temporary multicast groups.
  • Page 287: Multicast Protocols

    Class D address range / Description: 224.0.0.16 The specified subnetwork bandwidth management (SBM); 224.0.0.17 All SBMs; 224.0.0.18 Virtual Router Redundancy Protocol (VRRP); 224.0.0.19 to 224.0.0.255 Other protocols. Just as IANA reserved the private network segment 10.0.0.0/8 for unicast, it has also reserved the network segment 239.0.0.0/8 for administratively scoped multicast.
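An added Python example, not the switch's code, that classifies an IPv4 group address against the ranges in the table above and derives the Ethernet multicast MAC that a Layer 2 switch keys its forwarding entries on (the later IGMP Snooping output shows "IP group(s) ... match to one MAC group" for this reason). Only the three named 224.0.0.x rows are taken from the table; the 01-00-5e plus low-23-bits mapping is the standard IPv4 one and is stated here as such.

```python
"""IPv4 multicast address scope and the group-to-MAC mapping a Layer 2 switch
uses for multicast MAC entries. Added example, not the switch's code. The
01-00-5e + low 23 bits mapping is the standard IPv4 multicast MAC mapping."""
import ipaddress

LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")
WELL_KNOWN = {  # the rows visible in the manual's table
    "224.0.0.16": "Subnetwork Bandwidth Management (SBM)",
    "224.0.0.17": "All SBMs",
    "224.0.0.18": "Virtual Router Redundancy Protocol (VRRP)",
}


def classify(group):
    ip = ipaddress.ip_address(group)
    if not ip.is_multicast:
        return "not a multicast address"
    if ip in LINK_LOCAL:
        return "link-local: " + WELL_KNOWN.get(str(ip), "other protocol")
    if ip in ADMIN_SCOPED:
        return "administratively scoped (local use, the multicast counterpart of 10.0.0.0/8)"
    return "globally scoped"


def multicast_mac(group):
    """Map an IPv4 group to its Ethernet multicast MAC in the HHHH-HHHH-HHHH
    notation the switch prints: 01-00-5e followed by the low 23 bits."""
    ip = ipaddress.ip_address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    mac = (0x01005E << 24) | (int(ip) & 0x7FFFFF)
    return "%04x-%04x-%04x" % (mac >> 32, (mac >> 16) & 0xFFFF, mac & 0xFFFF)


def groups_sharing_mac(group):
    """All 32 IPv4 groups that map to the same MAC as `group`: the five address
    bits between the class D prefix and the low 23 bits are lost in the mapping,
    so a MAC-keyed forwarding entry or filter cannot tell these groups apart."""
    low23 = int(ipaddress.ip_address(group)) & 0x7FFFFF
    return [str(ipaddress.ip_address(0xE0000000 | (i << 23) | low23)) for i in range(32)]


if __name__ == "__main__":
    for g in ("224.0.0.18", "239.1.2.3", "224.1.1.1"):
        print(g, "|", classify(g), "|", multicast_mac(g))
    print(groups_sharing_mac("224.1.1.1"))
```

The practical consequence for the later "Configuring a Multicast MAC Address Entry" and group-filter sections: a static MAC entry for 224.1.1.1 also forwards 225.1.1.1, 224.129.1.1 and 29 other groups, so group filtering that must be exact has to be done at the IP (IGMP) layer, not on MAC entries.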
  • Page 288 Generally, we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Layer 3 multicast protocols, which include IGMP, PIM, and MSDP; we refer to IP multicast working at the data link layer as Layer 2 multicast and the corresponding multicast protocols as Layer 2 multicast protocols, which include IGMP Snooping.
  • Page 289: Multicast Packet Forwarding Mechanism

    An inter-domain multicast routing protocol is used for delivery of multicast information between two ASs. So far, mature solutions include Multicast Source Discovery Protocol (MSDP). For the SSM model, multicast routes are not divided into inter-domain routes and intra-domain routes. Since receivers know the position of the multicast source, channels established through PIM-SM are sufficient for multicast information transport.
  • Page 290: Implementation Of The Rpf Mechanism

    To process the same multicast information from different peers received on different interfaces of the same device, every multicast packet is subject to a Reverse Path Forwarding (RPF) check on the incoming interface. The result of the RPF check determines whether the packet will be forwarded or discarded.
  • Page 291 Assume that unicast routes exist in the network, as shown in Figure 1-2. Multicast packets travel along the SPT from the multicast source to the receivers. Figure 1-2 RPF check process (diagram labels: Source 192.168.0.1/24, Router A, Switch B with Vlan-int1 and Vlan-int2, Receivers, multicast packets)...
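The two lookups described above, the default-route fallback of the Default Route section and the RPF check of this section, share one mechanism: a longest-prefix-match lookup in the unicast routing table. The following added Python example (not the switch's code) implements that lookup and builds both the unicast forwarding decision (including the drop-and-ICMP-unreachable case) and the RPF check on it. The routes and interface names are constructed for illustration, not taken from the manual's diagrams.

```python
"""Longest-prefix-match routing lookup with default-route fallback, and the
Reverse Path Forwarding (RPF) check built on top of it. Added example, not
the switch's code; routes and interface names are constructed."""
import ipaddress


class RoutingTable:
    """Minimal IPv4 routing table: (network, next hop, outgoing interface)."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, nexthop, interface):
        self.routes.append((ipaddress.ip_network(prefix), nexthop, interface))

    def lookup(self, dst):
        """Return the most specific matching route, or None when nothing matches.
        A 0.0.0.0/0 entry matches every address with prefix length 0, so it wins
        only when no longer prefix matches: that is the default route."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, nexthop, interface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nexthop, interface)
        return best


def forward_decision(table, dst):
    """Unicast forwarding: ('forward', outgoing interface), or
    ('drop', 'ICMP Destination Unreachable') when no route, not even a default, matches."""
    route = table.lookup(dst)
    if route is None:
        return ("drop", "ICMP Destination Unreachable")
    return ("forward", route[2])


def rpf_check(table, source, in_interface):
    """A multicast packet from `source` received on `in_interface` passes the RPF
    check only if `in_interface` is the interface the unicast route back to
    `source` would use. Returns (passed, reason)."""
    route = table.lookup(source)
    if route is None:
        return (False, "no unicast route to source, packet discarded")
    net, _nexthop, rpf_interface = route
    if rpf_interface == in_interface:
        return (True, f"route {net} points out {rpf_interface}")
    return (False, f"arrived on {in_interface} but RPF interface is {rpf_interface}")


def sample_table(with_default=True):
    """Constructed table: a directly connected segment, a summary route, a more
    specific route inside it, and optionally a default route."""
    table = RoutingTable()
    table.add("192.168.0.0/24", "direct", "Vlan-interface1")
    table.add("10.1.0.0/16", "10.1.2.1", "Vlan-interface2")
    table.add("10.1.3.0/24", "10.1.2.9", "Vlan-interface3")
    if with_default:
        table.add("0.0.0.0/0", "192.168.0.254", "Vlan-interface1")
    return table


if __name__ == "__main__":
    table = sample_table()
    for dst in ("10.1.3.7", "10.1.9.9", "8.8.8.8"):
        print(dst, forward_decision(table, dst))
    print("8.8.8.8 without default:", forward_decision(sample_table(with_default=False), "8.8.8.8"))
    print(rpf_check(table, "192.168.0.1", "Vlan-interface1"))
    print(rpf_check(table, "192.168.0.1", "Vlan-interface2"))
```

Note that with a default route present, a multicast packet from a source the table knows nothing about still "passes" RPF if it arrives on the default route's interface, which is why an unexpected default route is worth checking when multicast is being delivered from a direction it should not be.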
  • Page 292: Common Multicast Configuration

    Common Multicast Configuration In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol. Common Multicast Configuration Table 2-1 Complete the following tasks to perform common multicast configurations: Task Remarks Configuring Suppression on the Multicast...
  • Page 293: Configuring A Multicast Mac Address Entry

    To do... / Use the command... / Remarks: enter system view (system-view); enter Ethernet port view (interface interface-type interface-number); configure multicast source port suppression (multicast-source-deny; Optional, multicast source port suppression is disabled by default). Configuring a Multicast MAC Address Entry In Layer 2 multicast, the system can add multicast forwarding entries dynamically through a Layer 2 multicast protocol.
  • Page 294: Configuring Dropping Unknown Multicast Packets

    If the multicast MAC address entry to be created already exists, the system gives you a prompt. If you want to add a port to a multicast MAC address entry created through the mac-address multicast command, you need to remove the entry first, create this entry again, and then add the specified port to the forwarding ports of this entry.
  • Page 295: Igmp Snooping Configuration

    IGMP Snooping Configuration When configuring IGMP snooping, go to these sections for information you are interested in: IGMP Snooping Overview Configuring IGMP Snooping Displaying and Maintaining IGMP Snooping IGMP Snooping Configuration Examples Troubleshooting IGMP Snooping In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.
  • Page 296: Basic Concepts In Igmp Snooping

    Figure 3-1 Before and after IGMP Snooping is enabled on a Layer 2 device (diagram: multicast packet transmission without IGMP Snooping versus when IGMP Snooping runs; multicast router, source, Layer 2 switch, Host A, Host C)...
  • Page 297: Work Mechanism Of Igmp Snooping

    member ports. The switch records all member ports on the local device in the IGMP Snooping forwarding table. Port aging timers in IGMP Snooping and related messages and actions: Table 3-1 Port aging timers in IGMP Snooping and related messages and actions (table columns: Timer, Description, Message before...)
  • Page 298 A switch will not forward an IGMP report through a non-router port for the following reason: because of the IGMP report suppression mechanism, if member hosts of that multicast group still exist under non-router ports, those hosts stop sending their own reports when they receive the forwarded report, and the switch can then no longer tell whether members of that multicast group are still attached to these ports.
  • Page 299: Configuring Igmp Snooping

    Configuring IGMP Snooping Complete the following tasks to configure IGMP Snooping: Enabling IGMP Snooping (Required); Configuring the Version of IGMP Snooping (Optional); Configuring Timers (Optional); Configuring Fast Leave Processing (Optional); Configuring a Multicast Group Filter (Optional); Configuring the Maximum Number of Multicast Groups on a Port (Optional); Configuring IGMP Snooping Querier...
  • Page 300: Configuring The Version Of Igmp Snooping

    Although both Layer 2 and Layer 3 multicast protocols can run on the same switch simultaneously, they cannot run simultaneously on a VLAN or its corresponding VLAN interface. Before enabling IGMP Snooping in a VLAN, be sure to enable IGMP Snooping globally in system view;...
  • Page 301: Configuring Fast Leave Processing

    To do... / Use the command... / Remarks: Configure the aging timer of the router port: igmp-snooping router-aging-time seconds (Optional; by default, the aging time of the router port is 105 seconds). Configure the general query response timer: igmp-snooping max-response-time seconds (Optional; by default, the general query response timeout time is 10...
  • Page 302: Configuring A Multicast Group Filter

    The fast leave processing function works for a port only if the host attached to the port runs IGMPv2 or IGMPv3. The configuration performed in system view takes effect on all ports of the switch if no VLAN is specified; if one or more VLANs are specified, the configuration takes effect on all ports in the specified VLAN(s).
  • Page 303: Configuring The Maximum Number Of Multicast Groups On A Port

    A port can belong to multiple VLANs, but you can configure only one ACL rule per VLAN on a port. If no ACL rule is configured, all multicast groups are filtered. Since most devices broadcast unknown multicast packets by default, this function is often used together with the function of dropping unknown multicast packets, to prevent multicast streams from being broadcast as unknown multicast packets to a port blocked by this function.
  • Page 304: Configuring Igmp Snooping Querier

    Configuring IGMP Snooping Querier In an IP multicast network running IGMP, one dedicated multicast device is responsible for sending IGMP general queries, and this router or Layer 3 switch is called the IGMP querier. However, a Layer 2 multicast switch does not support IGMP, and therefore cannot send general queries by default.
  • Page 305: Suppressing Flooding Of Unknown Multicast Traffic In A Vlan

    Configuring the source address to be carried in IGMP queries Follow these steps to configure the source address to be carried in IGMP queries: enter system view (system-view); enter VLAN view (vlan vlan-id)...
  • Page 306: Configuring A Static Router Port

    In Ethernet port view Follow these steps to configure a static multicast group member port in Ethernet port view: enter system view (system-view); enter Ethernet port view (interface interface-type interface-number); configure the current port as a static member port for a multicast group (multicast static-group; Required; by default, no port is configured as a static member port for a...
  • Page 307: Configuring A Port As A Simulated Group Member

    To do... / Use the command... / Remarks: Configure the current port as a static router port: multicast static-router-port vlan vlan-id (Required; by default, no static router port is configured). In VLAN view Follow these steps to configure a static router port in VLAN view: To do...
  • Page 308: Configuring A Vlan Tag For Query Messages

    Before configuring a simulated host, enable IGMP Snooping in VLAN view first. The port to be configured must belong to the specified VLAN; otherwise the configuration does not take effect. You can use the source-ip source-address command to specify a multicast source address that the port will join as a simulated host.
  • Page 309 To do... / Use the command... / Remarks: enter system view (system-view); create a multicast VLAN and enter VLAN view (vlan vlan-id); return to system view (quit); enter VLAN interface view (interface Vlan-interface vlan-id); enable IGMP (igmp enable; Required; by default, the IGMP feature is disabled).
  • Page 310: Displaying And Maintaining Igmp Snooping

    To do... / Use the command... / Remarks: Specify the VLANs to be allowed to pass the port: port hybrid vlan vlan-id-list { tagged | untagged } (Required; the multicast VLAN must be included, and the port must be configured to forward tagged packets for the multicast VLAN).
  • Page 311 Network diagram Figure 3-3 Network diagram for IGMP Snooping configuration (diagram labels: Source; Router A, IGMP querier; Switch A; receivers Host A, Host B, Host C; ports Eth1/0/1 to Eth1/0/4; VLAN100; addresses 10.1.1.1/24, 1.1.1.1/24, 1.1.1.2/24; multicast packets). Configuration procedure Configure the IP address of each interface Configure an IP address and subnet mask for each interface as per Figure 3-3.
  • Page 312 # View the detailed information of the multicast group in VLAN 100 on Switch A. <SwitchA> display igmp-snooping group vlan100 Total 1 IP Group(s). Total 1 MAC Group(s). Vlan(id):100. Total 1 IP Group(s). Total 1 MAC Group(s). Static Router port(s): Dynamic Router port(s): Ethernet1/0/1 IP group(s):the following ip group(s) match to one mac group.
  • Page 313 Device / Device description / Networking description: Switch B (Layer 2 switch): Ethernet 1/0/10 is connected to Switch A. VLAN 2 contains Ethernet 1/0/1 and VLAN 3 contains Ethernet 1/0/2. The default VLANs of Ethernet 1/0/1 and Ethernet 1/0/2 are VLAN 2 and VLAN 3 respectively. VLAN 10 contains Ethernet 1/0/10, Ethernet 1/0/1, and Ethernet 1/0/2.
  • Page 314 [SwitchA-Vlan-interface20] ip address 168.10.1.1 255.255.255.0 [SwitchA-Vlan-interface20] pim dm [SwitchA-Vlan-interface20] quit # Configure VLAN 10. [SwitchA] vlan 10 [SwitchA-vlan10] quit # Define Ethernet 1/0/10 as a hybrid port, add the port to VLAN 10, and configure the port to forward tagged packets for VLAN 10. [SwitchA] interface Ethernet 1/0/10 [SwitchA-Ethernet1/0/10] port link-type hybrid [SwitchA-Ethernet1/0/10] port hybrid vlan 10 tagged...
  • Page 315: Troubleshooting Igmp Snooping

    [SwitchB] interface Ethernet 1/0/2 [SwitchB-Ethernet1/0/2] port link-type hybrid [SwitchB-Ethernet1/0/2] port hybrid vlan 3 10 untagged [SwitchB-Ethernet1/0/2] port hybrid pvid vlan 3 [SwitchB-Ethernet1/0/2] quit Troubleshooting IGMP Snooping Symptom: Multicast function does not work on the switch. Solution: Possible reasons are: IGMP Snooping is not enabled. Use the display current-configuration command to check the status of IGMP Snooping.
  • Page 316 Table of Contents: 1 802.1x Configuration (1-1); Introduction to 802.1x (1-1); Architecture of 802.1x Authentication (1-1); The Mechanism of an 802.1x Authentication System (1-3); Encapsulation of EAPoL Messages (1-3); 802.1x Authentication Procedure (1-5); Timers Used in 802.1x (1-9); Additional 802.1x Features on Switch 4500 (1-10); Introduction to 802.1x Configuration (1-13); Basic 802.1x Configuration (1-13); Configuration Prerequisites (1-13)...
  • Page 317 Layer 3 Error Control (4-1); Configuring System Guard (4-1); Configuring System Guard Against IP Attacks (4-1); Configuring System Guard Against TCN Attacks (4-2); Enabling Layer 3 Error Control (4-3); Displaying and Maintaining System Guard Configuration (4-3)...
  • Page 318: 802.1X Configuration

    802.1x Configuration When configuring 802.1x, go to these sections for information you are interested in: Introduction to 802.1x Introduction to 802.1x Configuration Basic 802.1x Configuration Advanced 802.1x Configuration Displaying and Maintaining 802.1x Configuration Configuration Example Introduction to 802.1x The 802.1x protocol (802.1x for short) was developed by the IEEE 802 LAN/WAN committee to address security issues of wireless LANs.
  • Page 319 Figure 1-1 Architecture of 802.1x authentication The supplicant system is the entity seeking access to the LAN. It resides at one end of a LAN segment and is authenticated by the authenticator system at the other end of the LAN segment. The supplicant system is usually a user terminal device.
  • Page 320: The Mechanism Of An 802.1X Authentication System

    The controlled port can be used to pass service packets when it is in authorized state. It is blocked when not in authorized state. In this case, no packets can pass through it. Controlled port and uncontrolled port are two properties of a port. Packets reaching a port are visible to both the controlled port and uncontrolled port of the port.
  • Page 321 Figure 1-3 The format of an EAPoL packet In an EAPoL packet: The PAE Ethernet type field holds the protocol identifier. The identifier for 802.1x is 0x888E. The Protocol version field holds the version of the protocol supported by the sender of the EAPoL packet.
  • Page 322: 802.1X Authentication Procedure

    The Length field indicates the size of an EAP packet, which includes the Code, Identifier, Length, and Data fields. The Data field carries the EAP packet, whose format differs with the Code field. A Success or Failure packet does not contain the Data field, so the Length field of it is 4. Figure 1-5 shows the format of the Data field of a Request packet or a Response packet.
  • Page 323 EAP relay mode This mode is defined in 802.1x. In this mode, EAP packets are encapsulated in higher-layer protocol packets (such as EAP over RADIUS, EAPoR) so that they can reach the authentication server. Normally, this mode requires that the RADIUS server support the two newly-added attributes: the EAP-Message attribute (type 79) and the Message-Authenticator attribute (type 80).
  • Page 324 Figure 1-8 802.1x authentication procedure (in EAP relay mode). Message sequence between the supplicant system (EAPOL), the authenticator system and the RADIUS server (EAPOR): EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity, relayed as RADIUS Access-Request (EAP-Response/Identity); RADIUS Access-Challenge (EAP-Request/MD5 challenge), relayed as EAP-Request/MD5 challenge; EAP-Response/MD5 challenge, relayed as RADIUS Access-Request (EAP-Response/MD5 challenge)...
  • Page 325 responds (through a RADIUS Access-Accept packet and an EAP-Success packet) to the switch to indicate that the supplicant system is authenticated. The switch changes the state of the corresponding port to the authorized state to allow the supplicant system to access the network. The supplicant system can also terminate the authenticated state by sending EAPoL-Logoff packets to the switch.
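The frame and packet formats of the preceding pages (EAPoL with EtherType 0x888E, the EAP Code/Identifier/Length/Data header with Length 4 for Success and Failure) and the MD5-challenge exchange of Figure 1-8 are worked through in the following added Python example. It is not the switch's or any client's code. The EtherType and EAP header fields come from the text; the PAE group address 01-80-c2-00-00-03, the EAPoL packet types and the EAP-MD5 response computation (MD5 over Identifier, password and challenge, as in CHAP) are the IEEE 802.1X and RFC 3748/1994 definitions. The MACs, identifier, password and challenge are constructed test values.

```python
"""EAPoL framing, EAP packet framing and the EAP-MD5 challenge/response.
Added example, not the switch's or a client's code; constants are the
IEEE 802.1X / RFC 3748 values, sample data below is constructed."""
import hashlib
import struct

EAPOL_ETHERTYPE = 0x888E
EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")


def eapol_frame(src_mac, packet_type, body=b""):
    """Ethernet header, then the EAPoL header: version, packet type, body length."""
    return (PAE_GROUP_MAC + src_mac + struct.pack("!H", EAPOL_ETHERTYPE)
            + struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body)


def parse_eapol(frame):
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not EAPoL: ethertype {ethertype:#06x}")
    version, packet_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPoL body shorter than its length field")
    return {"src": frame[6:12], "version": version, "type": packet_type, "body": body}


def eap_packet(code, identifier, data=b""):
    """EAP header: Code, Identifier, Length (header plus Data). Success and
    Failure carry no Data, so their Length is 4."""
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def parse_eap(data):
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 4 or length > len(data):
        raise ValueError("bad EAP length")
    if code in (EAP_SUCCESS, EAP_FAILURE) and length != 4:
        raise ValueError("Success/Failure must have Length 4")
    pkt = {"code": code, "id": identifier, "length": length}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        pkt["type"], pkt["type_data"] = data[4], data[5:length]
    return pkt


def eap_md5_digest(identifier, password, challenge):
    """EAP-MD5 is CHAP: MD5(Identifier || password || challenge). Anyone who
    captures the request and response can brute-force the password offline."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def md5_challenge_request(identifier, challenge):
    return eap_packet(EAP_REQUEST, identifier, bytes([EAP_TYPE_MD5, len(challenge)]) + challenge)


def md5_challenge_response(request, password, name=b""):
    """Supplicant side: read the challenge out of the Request and answer it."""
    req = parse_eap(request)
    if req["code"] != EAP_REQUEST or req["type"] != EAP_TYPE_MD5:
        raise ValueError("not an EAP-Request/MD5-Challenge")
    value_size = req["type_data"][0]
    challenge = req["type_data"][1:1 + value_size]
    digest = eap_md5_digest(req["id"], password, challenge)
    return eap_packet(EAP_RESPONSE, req["id"], bytes([EAP_TYPE_MD5, 16]) + digest + name)


def verify_md5_response(response, password, challenge):
    """Authenticator/RADIUS side: recompute the digest and compare."""
    resp = parse_eap(response)
    if resp["code"] != EAP_RESPONSE or resp["type"] != EAP_TYPE_MD5:
        return False
    value_size = resp["type_data"][0]
    return resp["type_data"][1:1 + value_size] == eap_md5_digest(resp["id"], password, challenge)


# Constructed demonstration values (not from the manual)
SUPPLICANT_MAC = bytes.fromhex("001122334455")
CHALLENGE = bytes(range(16))
PASSWORD = b"correct horse"
EAPOL_START_FRAME = eapol_frame(SUPPLICANT_MAC, EAPOL_START)
SAMPLE_REQUEST = md5_challenge_request(7, CHALLENGE)
SAMPLE_RESPONSE = md5_challenge_response(SAMPLE_REQUEST, PASSWORD, b"user")

if __name__ == "__main__":
    print("EAPOL-Start:", parse_eapol(EAPOL_START_FRAME))
    print("good password:", verify_md5_response(SAMPLE_RESPONSE, PASSWORD, CHALLENGE))
    print("wrong password:", verify_md5_response(SAMPLE_RESPONSE, b"guess", CHALLENGE))
    print("Success length:", parse_eap(eap_packet(EAP_SUCCESS, 7))["length"])
```

The Length check on Success and Failure is not pedantry: a Success with trailing bytes is malformed, and a parser that accepts it while another on the path rejects it is the kind of disagreement that lets a forged "Success" be treated differently by the switch and the server. The MD5 digest function is also the reason EAP-MD5 should only be used where the segment between supplicant and switch is trusted.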
  • Page 326: Timers Used In 802.1X

    Figure 1-9 802.1x authentication procedure (in EAP terminating mode). Message sequence between the supplicant system PAE (EAPOL), the authenticator system and the RADIUS server (RADIUS): EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity; EAP-Request/MD5 Challenge; EAP-Response/MD5 Challenge; RADIUS Access-Request (CHAP-Response/MD5 Challenge); RADIUS Access-Accept (CHAP-Success); EAP-Success; Port...
  • Page 327: Additional 802.1X Features On Switch 4500

    Re-authentication timer (reauth-period). The switch initiates 802.1x re-authentication at the interval set by the re-authentication timer. RADIUS server timer (server-timeout). This timer sets the server-timeout period. After sending an authentication request packet to the RADIUS server, the switch sends another authentication request packet if it does not receive the response from the RADIUS server when this timer times out.
  • Page 328 Sends Trap packets without disconnecting the supplicant system. This function needs the cooperation of 802.1x client and a CAMS server. The 802.1x client needs to be capable of detecting multiple network adapters, proxies, and IE proxies. The CAMS server is configured to disable the use of multiple network adapters, proxies, or IE proxies.
  • Page 329 Users belonging to the guest VLAN can access the resources of the guest VLAN without being authenticated. But they need to be authenticated when accessing external resources. Normally, the guest VLAN function is coupled with the dynamic VLAN delivery function. Refer to AAA Operation for detailed information about the dynamic VLAN delivery function.
  • Page 330: Introduction To 802.1X Configuration

    Note: 802.1x re-authentication will fail if a CAMS server is used and configured to perform authentication but not accounting. This is because a CAMS server establishes a user session after it begins to perform accounting. Therefore, to enable 802.1x re-authentication, do not configure the accounting none command in the domain.
  • Page 331: Configuring Basic 802.1X Functions

    Configuring Basic 802.1x Functions. Follow these steps to configure basic 802.1x functions: Enter system view: system-view. Enable 802.1x globally: dot1x. Required; by default, 802.1x is disabled globally. Enable 802.1x on ports: in system view, dot1x interface interface-list; in interface view, interface interface-type... Required.
  • Page 332: Timer And Maximum User Number Configuration

    Caution: 802.1x configurations take effect only after you enable 802.1x both globally and for specified ports. The settings of 802.1x and MAC address learning limit are mutually exclusive. Enabling 802.1x on a port will prevent you from setting the limit on MAC address learning on the port and vice versa. The settings of 802.1x and aggregation group member are mutually exclusive.
  • Page 333: Advanced 802.1X Configuration

    Set 802.1x timers: dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value | ver-period ver-period-value }. Optional. The default settings of the 802.1x timers are as follows: handshake-period-value: 15 seconds; quiet-period-value: … seconds; server-timeout-value: … seconds; supp-timeout-value: … seconds; tx-period-value: 30 seconds; ver-period-value:...
  • Page 334: Configuring Client Version Checking

    Enable proxy checking for a port/specified ports: in system view, dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]; in port view, interface interface-type interface-number, dot1x supp-proxy-check { logoff | trap }, quit. Required; by default, the 802.1x proxy checking is disabled on a port. Note:...
  • Page 335: Enabling Dhcp-Triggered Authentication

    Enabling DHCP-triggered Authentication After performing the following configuration, 802.1x allows running DHCP on access users, and users are authenticated when they apply for dynamic IP addresses through DHCP. Follow these steps to enable DHCP-triggered authentication: To do... Use the command... Remarks Enter system view system-view...
  • Page 336: Configuring The 802.1X Re-Authentication Timer

    Enter system view: system-view. Enable 802.1x re-authentication on port(s): in system view, dot1x re-authenticate [ interface interface-list ]; in port view, dot1x re-authenticate. Required; by default, 802.1x re-authentication is disabled on a port. Note: To enable 802.1x re-authentication on a port, you must first enable 802.1x globally and on the port.
  • Page 337: Displaying And Maintaining 802.1X Configuration

    Displaying and Maintaining 802.1x Configuration. Display the configuration, session, and statistics information about 802.1x: display dot1x [ sessions | statistics ] [ interface interface-list ]. Available in any view. Clear 802.1x-related statistics information: reset dot1x statistics [ interface interface-list ]. Available in user view...
  • Page 338 Network diagram Figure 1-12 Network diagram for AAA configuration with 802.1x and RADIUS enabled Configuration procedure Note: Following configuration covers the major AAA/RADIUS configuration commands. Refer to AAA Operation for the information about these commands. Configuration on the client and the RADIUS servers is omitted.
  • Page 339 [Sysname-radius-radius1] key accounting money # Set the interval and the number of the retries for the switch to send packets to the RADIUS servers. [Sysname-radius-radius1] timer 5 [Sysname-radius-radius1] retry 5 # Set the timer for the switch to send real-time accounting packets to the RADIUS servers. [Sysname-radius-radius1] timer realtime-accounting 15 # Configure to send the user name to the RADIUS server with the domain name truncated.
  • Page 340: Quick Ead Deployment Configuration

    Quick EAD Deployment Configuration When configuring quick EAD deployment, go to these sections for information you are interested in: Introduction to Quick EAD Deployment Configuring Quick EAD Deployment Displaying and Maintaining Quick EAD Deployment Quick EAD Deployment Configuration Example Troubleshooting Introduction to Quick EAD Deployment Quick EAD Deployment Overview As an integrated solution, an Endpoint Admission Defense (EAD) solution can improve the overall...
  • Page 341: Configuring Quick Ead Deployment

    Configuring Quick EAD Deployment Configuration Prerequisites Enable 802.1x on the switch. Set the port authorization mode to auto for 802.1x-enabled ports using the dot1x port-control command. Configuration Procedure Configuring a free IP range A free IP range is an IP range that users can access before passing 802.1x authentication. Follow these steps to configure a free IP range: To do...
  • Page 342: Displaying And Maintaining Quick Ead Deployment

    large number of users log in but cannot pass authentication, the switch may run out of ACL resources, preventing other users from logging in. A timer called ACL timer is designed to solve this problem. You can control the usage of ACL resources by setting the ACL timer. The ACL timer starts once a user gets online.
  • Page 343: Troubleshooting

    Configuration procedure Note: Before enabling quick EAD deployment, make sure that: The Web server is configured properly. The default gateway of the PC is configured as the IP address of the Layer-3 virtual interface of the VLAN to which the port that is directly connected with the PC belongs. # Configure the URL for HTTP redirection.
  • Page 344: Habp Configuration

    HABP Configuration When configuring HABP, go to these sections for information you are interested in: Introduction to HABP HABP Server Configuration HABP Client Configuration Displaying and Maintaining HABP Configuration Introduction to HABP When a switch is configured with the 802.1x function, 802.1x will authenticate and authorize 802.1x-enabled ports and allow only the authorized ports to forward packets.
  • Page 345: Habp Client Configuration

    Configure the current switch to be an HABP server: habp server vlan vlan-id. Required. By default, a switch operates as an HABP client after you enable HABP on the switch. If you want to use the switch as a management switch, you need to configure the switch to be an HABP server.
  • Page 346: System Guard Configuration

    System Guard Configuration When configuring System Guard, go to these sections for information you are interested in: System Guard Overview Configuring System Guard Displaying and Maintaining System Guard Configuration System Guard Overview Guard Against IP Attacks System-guard inspects, over 10-second intervals, the IP packets destined for the CPU for suspicious source IP addresses.
  • Page 347: Configuring System Guard Against Tcn Attacks

    Set the maximum number of infected hosts that can be concurrently monitored: system-guard ip detect-maxnum number. Optional; 30 by default. Set the maximum number of addresses that the system can learn, the maximum number of times an address can be hit before an action is taken and...: system-guard ip detect-threshold ip-record-threshold ... Optional; by default,...
  • Page 348: Enabling Layer 3 Error Control

    Enabling Layer 3 Error Control. Follow these steps to enable Layer 3 error control: Enter system view: system-view. Enable Layer 3 error control: system-guard l3err enable. Required; enabled by default. Displaying and Maintaining System Guard Configuration To do...
  • Page 349 Table of Contents 1 AAA Overview ············································································································································1-1 Introduction to AAA ·································································································································1-1 Authentication··································································································································1-1 Authorization····································································································································1-1 Accounting·······································································································································1-1 Introduction to ISP Domain ·············································································································1-2 Introduction to AAA Services ··················································································································1-2 Introduction to RADIUS ···················································································································1-2 Introduction to HWTACACS ············································································································1-6 2 AAA Configuration ····································································································································2-1 AAA Configuration Task List ···················································································································2-1 Creating an ISP Domain and Configuring Its Attributes ··································································2-2 Configuring an AAA Scheme for an ISP Domain ············································································2-3 Configuring Dynamic VLAN Assignment·························································································2-6...
  • Page 350 Local Authentication of FTP/Telnet Users·····················································································2-28 HWTACACS Authentication and Authorization of Telnet Users ···················································2-29 Troubleshooting AAA ····························································································································2-30 Troubleshooting RADIUS Configuration························································································2-30 Troubleshooting HWTACACS Configuration ················································································2-31 3 EAD Configuration·····································································································································3-1 Introduction to EAD ·································································································································3-1 Typical Network Application of EAD ·······································································································3-1 EAD Configuration ··································································································································3-1 EAD Configuration Example ···················································································································3-2...
  • Page 351: Aaa Overview

    AAA Overview Introduction to AAA AAA is the acronym for the three security functions: authentication, authorization and accounting. It provides a uniform framework for you to configure these three functions to implement network security management. Authentication: Defines which users can access the network. Authorization: Defines what services are available to the users who can access the network. Accounting: Defines how to charge the users who are using network resources.
  • Page 352: Introduction To Isp Domain

    None accounting: No accounting is performed for users. Remote accounting: User accounting is performed on a remote RADIUS or TACACS server. Introduction to ISP Domain An Internet service provider (ISP) domain is a group of users who belong to the same ISP. For a username in the format of userid@isp-name or userid.isp-name, the isp-name following the "@"...
  • Page 353 Figure 1-1 Databases in a RADIUS server In addition, a RADIUS server can act as a client of some other AAA server to provide authentication or accounting proxy service. Basic message exchange procedure in RADIUS The messages exchanged between a RADIUS client (a switch, for example) and a RADIUS server are verified through a shared key.
  • Page 354 The RADIUS client accepts or denies the user depending on the received authentication result. If it accepts the user, the RADIUS client sends a start-accounting request (Accounting-Request, with the Status-Type attribute value = start) to the RADIUS server. The RADIUS server returns a start-accounting response (Accounting-Response). The user starts to access network resources.
  • Page 355 Direction: client->server. The client transmits this message to the server to request the server to start or end the accounting Accounting-Request (whether to start or to end the accounting is determined by the Acct-Status-Type attribute in the message). This message carries almost the same attributes as those carried in the Access-Request message.
  • Page 356: Introduction To Hwtacacs

    (Continuation of the RADIUS attribute table; attribute numbers per RFC 2865:) 11 Filter-ID, 12 Framed-MTU, 13 Framed-Compression, 14 Login-IP-Host, 15 Login-Service, 16 Login-TCP-Port, 17 (unassigned), 18 Reply-Message, 19 Callback-Number, 20 Callback-ID, 21 (unassigned), 22 Framed-Route; 33 Proxy-State, 34 Login-LAT-Service, 35 Login-LAT-Node, 36 Login-LAT-Group, 37 Framed-AppleTalk-Link, 38 Framed-AppleTalk-Network, 39 Framed-AppleTalk-Zone, 40-59 (reserved for accounting), 60 CHAP-Challenge, 61 NAS-Port-Type, 62 Port-Limit, 63 Login-LAT-Port. The RADIUS protocol has good scalability. Attribute 26 (Vendor-Specific) defined in this protocol allows a device vendor to extend RADIUS to implement functions that are not defined in standard RADIUS.
  • Page 357 Table 1-3 Differences between HWTACACS and RADIUS HWTACACS RADIUS Adopts TCP, providing more reliable network Adopts UDP. transmission. Encrypts the entire message except the HWTACACS Encrypts only the password field in header. authentication message. Separates authentication from authorization. For example, you can use one TACACS server for Combines authentication and authentication and another TACACS server for authorization.
  • Page 358 Figure 1-6 AAA implementation procedure for a telnet user The basic message exchange procedure is as follows: A user sends a login request to the switch acting as a TACACS client, which then sends an authentication start request to the TACACS server. The TACACS server returns an authentication response, asking for the username.
  • Page 359 After receiving the response indicating an authorization success, the TACACS client pushes the configuration interface of the switch to the user. 10) The TACACS client sends an accounting start request to the TACACS server. 11) The TACACS server returns an accounting response, indicating that it has received the accounting start request.
  • Page 360 AAA Configuration AAA Configuration Task List You need to configure AAA to provide network access services for legal users while protecting network devices and preventing unauthorized access and repudiation behavior. Complete the following tasks to configure AAA (configuring a combined AAA scheme for an ISP domain): Task Remarks...
  • Page 361: Aaa Configuration

    Creating an ISP Domain and Configuring Its Attributes: Required. Configuring an AAA Scheme for an ISP Domain, configuring separate AAA schemes: Required. With separate AAA schemes, you can specify authentication, authorization and accounting schemes respectively. You need to configure RADIUS or HWTACACS before performing RADIUS or HWTACACS authentication.
  • Page 362: Configuring An Aaa Scheme For An Isp Domain

    Set the accounting-optional switch: accounting-optional. Optional; by default, the accounting optional switch is off. Set the messenger function: messenger time { enable limit interval | disable }. Optional; by default, the messenger function is disabled. Set the self-service server location: self-service-url { disable | ... Optional; by default, the self-service function...
  • Page 363 Create an ISP domain and enter its view, or enter the view domain isp-name Required of an existing ISP domain Required scheme { local | none | radius-scheme Configure an AAA scheme for radius-scheme-name [ local ] | By default, an ISP the ISP domain hwtacacs-scheme domain uses the...
  • Page 364 To do… Use the command… Remarks Enter system view — system-view Create an ISP domain and enter its view, or enter the view domain isp-name Required of an existing ISP domain authentication Optional { radius-scheme Configure an authentication radius-scheme-name [ local ] | By default, no separate scheme for the ISP domain hwtacacs-scheme...
  • Page 365: Configuring Dynamic Vlan Assignment

    accounting. In this case, if the combined scheme uses RADIUS or HWTACACS, the system never uses the secondary scheme for authorization and accounting. If you configure no separate scheme, the combined scheme is used for authentication, authorization, and accounting. In this case, if the system uses the secondary local scheme for authentication, it also does so for authorization and accounting;...
  • Page 366: Configuring The Attributes Of A Local User

    In string mode, if the VLAN ID assigned by the RADIUS server is a character string containing only digits (for example, 1024), the switch first regards it as an integer VLAN ID: the switch transforms the string to an integer value and judges if the value is in the valid VLAN ID range; if it is, the switch adds the authenticated port to the VLAN with the integer value as the VLAN ID (VLAN 1024, for example).
  • Page 367 To do… Use the command… Remarks Enter system view — system-view Optional By default, the password local-user display mode of all access Set the password display mode password-display-mode users is auto, indicating the of all local users { cipher-force | auto } passwords of access users are displayed in the modes set by the password command.
  • Page 368: Cutting Down User Connections Forcibly

    The following characters are not allowed in the user-name string: /:*?<>. And you cannot input more than one “@” in the string. After the local-user password-display-mode cipher-force command is executed, any password will be displayed in cipher mode even though you specify to display a user password in plain text by using the password command.
  • Page 369 Task Remarks Creating a RADIUS Scheme Required Configuring RADIUS Authentication/Authorization Servers Required Configuring RADIUS Accounting Servers Required Configuring Shared Keys for RADIUS Messages Optional Configuring the Maximum Number of RADIUS Request Optional Transmission Attempts Configuring the Configuring the Type of RADIUS Servers to be Supported Optional RADIUS client Configuring the Status of RADIUS Servers...
  • Page 370: Creating A Radius Scheme

    creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme. These RADIUS servers fall into two types: authentication/authorization, and accounting. And for each type of server, you can configure two servers in a RADIUS scheme: primary server and secondary server.
  • Page 371: Configuring Radius Accounting Servers

    Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name. Required; by default, a RADIUS scheme named "system" has already been created in the system. Set the IP address and port number of the primary RADIUS authentication/authorization server: primary authentication ... Required; by default, the IP address and UDP port number of the...
  • Page 372: Configuring Shared Keys For Radius Messages

    Enable stop-accounting request buffering: stop-accounting-buffer enable. Optional; by default, stop-accounting request buffering is enabled. Set the maximum number of transmission attempts of a buffered stop-accounting request: retry stop-accounting retry-times. Optional; by default, the system tries at most 500 times to transmit a buffered stop-accounting request.
  • Page 373: Configuring The Maximum Number Of Radius Request Transmission Attempts

    Set a shared key for RADIUS authentication/authorization messages: key authentication string. Required; by default, no shared key is created. Set a shared key for RADIUS accounting messages: key accounting string. Required; by default, no shared key is created. The authentication/authorization shared key and the accounting shared key you set on the switch must be respectively consistent with the shared key on the authentication/authorization server and the shared key on the accounting server.
  • Page 374: Configuring The Status Of Radius Servers

    If you change the RADIUS server type, the units of data flows sent to RADIUS servers will be restored to the defaults. When the third party RADIUS server is used, you can select standard or extended as the server-type in a RADIUS scheme; when the CAMS server is used, you can select extended as the server-type in a RADIUS scheme.
  • Page 375 To do… Use the command… Remarks Enter system view — system-view Required Create a RADIUS scheme and radius scheme By default, a RADIUS scheme enter its view radius-scheme-name named "system" has already been created in the system. Optional Set the format of the user-name-format By default, the usernames sent usernames to be sent to...
  • Page 376: Configuring The Local Radius Server

    Generally, the access users are named in the userid@isp-name or userid.isp-name format. Here, isp-name after the “@” or “.” character represents the ISP domain name, by which the device determines which ISP domain a user belongs to. However, some old RADIUS servers cannot accept the usernames that carry ISP domain names.
  • Page 377: Configuring Timers For Radius Servers

    To adopt the local RADIUS server function, the UDP port number of the authentication/authorization server must be 1645, the UDP port number of the accounting server must be 1646, and the IP addresses of the servers must be set to the addresses of this switch. The message encryption key set by the local-server nas-ip ip-address key password command must be identical with the authentication/authorization message encryption key set by the key authentication command in the RADIUS scheme view of the RADIUS scheme on the specified NAS that uses this switch as its authentication server.
  • Page 378: Enabling Sending Trap Message When A Radius Server Goes Down

    Set the response timeout time of RADIUS servers: timer response-timeout seconds. Optional; by default, the response timeout time of RADIUS servers is three seconds. Set the time that the switch waits before it tries to re-communicate with the primary server: timer quiet minutes. Optional; by default, the switch waits five minutes before it restores the...
  • Page 379 user cannot get authenticated. In this case, the user can access the network again only when the CAMS administrator manually removes the user's online information. The user re-authentication at restart function is designed to resolve this problem. After this function is enabled, every time the switch restarts: The switch generates an Accounting-On message, which mainly contains the following information: NAS-ID, NAS-IP-address (source IP address), and session ID.
  • Page 380: Hwtacacs Configuration Task List

    HWTACACS Configuration Task List. Complete the following tasks to configure HWTACACS. Configuring the TACACS client: Creating a HWTACACS Scheme (Required); Configuring TACACS Authentication Servers (Required); Configuring TACACS Authorization Servers (Required); Configuring TACACS Accounting Servers (Optional); Configuring Shared Keys for RADIUS Messages (Optional); Configuring the Attributes of Data to be Sent to TACACS (Optional)...
  • Page 381: Configuring Tacacs Authorization Servers

    Set the IP address and port number of the primary TACACS authentication server: primary authentication ip-address [ port ]. Required; by default, the IP address of the primary authentication server is 0.0.0.0, and the port number is 0. Set the IP address and port number of the secondary TACACS authentication server: secondary authentication ... Optional; by default, the IP address of...
  • Page 382: Configuring Tacacs Accounting Servers

    Configuring TACACS Accounting Servers. Follow these steps to configure TACACS accounting servers: Enter system view: system-view. Create a HWTACACS scheme and enter its view: hwtacacs scheme hwtacacs-scheme-name. Required; by default, no HWTACACS scheme exists. Set the IP address and port number of the ... Required; by default, the IP address of...
  • Page 383: Configuring The Attributes Of Data To Be Sent To Tacacs Servers

    Create a HWTACACS scheme and enter its view: hwtacacs scheme hwtacacs-scheme-name. Required; by default, no HWTACACS scheme exists. Set a shared key for HWTACACS authentication, authorization or accounting messages: key { accounting | authorization | authentication } string. Required; by default, no such key is set. Configuring the Attributes of Data to be Sent to TACACS Servers...
  • Page 384: Displaying And Maintaining Aaa Configuration

    Enter system view: system-view. Create a HWTACACS scheme and enter its view: hwtacacs scheme hwtacacs-scheme-name. Required; by default, no HWTACACS scheme exists. Set the response timeout time of TACACS servers: timer response-timeout seconds. Optional; by default, the response timeout time is five seconds.
  • Page 385: Displaying And Maintaining Radius Protocol Configuration

    Displaying and Maintaining RADIUS Protocol Configuration. Display RADIUS message statistics about the local RADIUS server: display local-server statistics. Display configuration information about one specific or all RADIUS schemes: display radius scheme [ radius-scheme-name ]. Display RADIUS message ...: display radius statistics... All available in any view.
  • Page 386 Network requirements In the network environment shown in Figure 2-1, you are required to configure the switch so that the Telnet users logging into the switch are authenticated by the RADIUS server. A RADIUS authentication server with IP address 10.110.91.164 is connected to the switch. On the switch, set the shared key it uses to exchange messages with the authentication RADIUS server to aabbcc.
  • Page 387: Local Authentication Of Ftp/Telnet Users

    [Sysname-radius-cams] server-type Extended [Sysname-radius-cams] user-name-format with-domain [Sysname-radius-cams] quit # Associate the ISP domain with the RADIUS scheme. [Sysname] domain cams [Sysname-isp-cams] scheme radius-scheme cams A Telnet user logging into the switch by a name in the format of userid @cams belongs to the cams domain and will be authenticated according to the configuration of the cams domain.
  • Page 388: Hwtacacs Authentication And Authorization Of Telnet Users

    # Configure an authentication scheme for the default “system” domain. [Sysname] domain system [Sysname-isp-system] scheme local A Telnet user logging into the switch with the name telnet@system belongs to the "system" domain and will be authenticated according to the configuration of the "system" domain. Method 2: using local RADIUS server This method is similar to the remote authentication method described in Remote RADIUS...
  • Page 389: Troubleshooting Aaa

    [Sysname-hwtacacs-hwtac] primary authentication 10.110.91.164 49 [Sysname-hwtacacs-hwtac] primary authorization 10.110.91.164 49 [Sysname-hwtacacs-hwtac] key authentication aabbcc [Sysname-hwtacacs-hwtac] key authorization aabbcc [Sysname-hwtacacs-hwtac] user-name-format without-domain [Sysname-hwtacacs-hwtac] quit # Configure the domain name of the HWTACACS scheme to hwtac. [Sysname] domain hwtacacs [Sysname-isp-hwtacacs] scheme hwtacacs-scheme hwtac Troubleshooting AAA Troubleshooting RADIUS Configuration The RADIUS protocol operates at the application layer in the TCP/IP protocol suite.
  • Page 390: Troubleshooting Hwtacacs Configuration

    Troubleshooting HWTACACS Configuration See the previous section if you encounter an HWTACACS fault.
  • Page 391: Typical Network Application Of Ead

    EAD Configuration Introduction to EAD Endpoint Admission Defense (EAD) is an attack defense solution. Using this solution, you can enhance the active defense capability of network endpoints, prevent viruses and worms from spreading on the network, and protect the entire network by limiting the access rights of insecure endpoints. With the cooperation of the switch, AAA server, security policy server and security client, EAD is able to evaluate the security compliance of network endpoints and dynamically control their access rights.
  • Page 392: Ead Configuration Example

    Configuring the IP address of the security policy server. Associating the ISP domain with the RADIUS scheme. EAD is commonly used in a RADIUS authentication environment. This section mainly describes the configuration of the security policy server IP address. For other related configuration, refer to Overview.
  • Page 393 Network diagram Figure 3-2 EAD configuration Authentication servers 10.110.91.164/16 Eth1/0/1 Internet User Security policy servers Virus patch servers 10.110.91.166/16 10.110.91.168/16 Configuration procedure # Configure 802.1x on the switch. Refer to “Configuring 802.1x” in 802.1x and System Guard Configuration. # Configure a domain. <Sysname>...
  • Page 394 Table of Contents 1 MAC Address Authentication Configuration ··························································································1-1 MAC Address Authentication Overview ··································································································1-1 Performing MAC Address Authentication on a RADIUS Server ·····················································1-1 Performing MAC Address Authentication Locally ···········································································1-1 Related Concepts····································································································································1-2 MAC Address Authentication Timers ······························································································1-2 Quiet MAC Address·························································································································1-2 Configuring Basic MAC Address Authentication Functions ····································································1-2 MAC Address Authentication Enhanced Function Configuration ···························································1-3 MAC Address Authentication Enhanced Function Configuration Task List ····································1-3 Configuring a Guest VLAN ··············································································································1-4...
  • Page 395: Mac Address Authentication Configuration

    MAC Address Authentication Configuration When configuring MAC address authentication, go to these sections for information you are interested in: MAC Address Authentication Overview Related Concepts Configuring Basic MAC Address Authentication Functions MAC Address Authentication Enhanced Function Configuration Displaying and Maintaining MAC Address Authentication Configuration MAC Address Authentication Configuration Examples MAC Address Authentication Overview MAC address authentication provides a way for authenticating users based on ports and MAC...
  • Page 396: Related Concepts

    format configured with mac-authentication authmode usernameasmacaddress usernameformat command; otherwise, the authentication will fail. In fixed mode, all users’ MAC addresses are automatically mapped to the configured local passwords and usernames. The service type of a local user needs to be configured as lan-access. Related Concepts MAC Address Authentication Timers The following timers function in the process of MAC address authentication:...
  • Page 397: Mac Address Authentication Enhanced Function Configuration

    quit. Set the user name in MAC address mode for MAC address authentication: mac-authentication authmode usernameasmacaddress [ usernameformat { with-hyphen | without-hyphen } { lowercase | uppercase } | fixedpassword password ]... Optional; by default, the MAC address of a user is used as the user...
  • Page 398: Configuring A Guest Vlan

    Task | Remarks
    Configuring a Guest VLAN | Optional
    Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port | Optional
    Configuring a Guest VLAN Different from the Guest VLANs described in the 802.1x and System-Guard manual, the Guest VLANs mentioned in this section refer to Guest VLANs dedicated to MAC address authentication. After completing the configuration tasks in Configuring Basic MAC Address Authentication Functions for a...
  • Page 399 After a port is added to a Guest VLAN, the switch will re-authenticate the first access user of this port (namely, the first user whose unicast MAC address is learned by the switch) periodically. If this user passes the re-authentication, this port will exit the Guest VLAN, and thus the user can access the network normally.
  • Page 400: Configuring The Maximum Number Of Mac Address Authentication Users Allowed To Access A Port

    If more than one client is connected to a port, you cannot configure a Guest VLAN for this port. When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port. Even if you set the limit on the number of MAC address authentication users to more than one, the configuration does not take effect.
  • Page 401: Displaying And Maintaining Mac Address Authentication Configuration

    If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port, the smaller value of the two configured limits is adopted as the maximum number of MAC address authentication users allowed to access this port.
  • Page 402
    # Set the user name in MAC address mode for MAC address authentication, requiring hyphened lowercase MAC addresses as the usernames and passwords.
    [Sysname] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen lowercase
    # Add a local user. Specify the user name and password.
    [Sysname] local-user 00-0d-88-f6-44-c1
    [Sysname-luser-00-0d-88-f6-44-c1] password simple 00-0d-88-f6-44-c1
    # Set the service type to lan-access.
  • Page 403 Table of Contents: 1 ARP Configuration 1-1; Introduction to ARP 1-1; ARP Function 1-1; ARP Message Format 1-1; ARP Table 1-3; ARP Process 1-3; Introduction to Gratuitous ARP 1-4; Configuring ARP 1-4; Configuring Gratuitous ARP 1-5; Displaying and Debugging ARP 1-6; ARP Configuration Examples 1-6; 2 ARP Attack Defense Configuration 2-1; ARP Attack Defense Configuration 2-1; Introduction to Maximum Number of Dynamic ARP Entries a VLAN Interface Can Learn 2-1...
  • Page 404: Arp Configuration

    ARP Configuration When configuring ARP, go to these sections for information you are interested in: Introduction to ARP Configuring ARP Configuring Gratuitous ARP Displaying and Debugging ARP ARP Configuration Examples Introduction to ARP ARP Function Address Resolution Protocol (ARP) is used to resolve an IP address into a data link layer address. An IP address is the address of a host at the network layer.
  • Page 405 Figure 1-1 ARP message format (fields in order): Hardware type (16 bits); Protocol type (16 bits); Length of hardware address; Length of protocol address; Operator (16 bits); Hardware address of the sender...
  • Page 406: Arp Table

    (Hardware type table, continued) Value | Description: Chaos; IEEE802.X; ARC network
    ARP Table In an Ethernet, the MAC addresses of two hosts must be available for the two hosts to communicate with each other. Each host in an Ethernet maintains an ARP table, where the latest used IP address-to-MAC address mapping entries are stored.
  • Page 407: Introduction To Gratuitous Arp

    mode, all hosts on this subnet can receive the request, but only the requested host (namely, Host B) will process the request. Host B compares its own IP address with the destination IP address in the ARP request. If they are the same, Host B saves the source IP address and source MAC address into its ARP mapping table, encapsulates its MAC address into an ARP reply, and unicasts the reply to Host A.
  • Page 408: Configuring Gratuitous Arp

    To do… | Use the command… | Remarks
    Enable the ARP entry checking function (that is, disable the switch from learning ARP entries with multicast MAC addresses) | arp check enable | Optional. Enabled by default.
    Static ARP entries are valid as long as the Ethernet switch operates normally. But some operations, such as removing a VLAN, or removing a port from a VLAN, will make the corresponding ARP entries invalid and therefore removed automatically.
  • Page 409: Displaying And Debugging Arp

    Displaying and Debugging ARP
    To do… | Use the command… | Remarks
    Display specific ARP mapping table entries | display arp [ static | dynamic | ip-address ] |
    Display the ARP mapping entries related to a specified string in a specified way | display arp [ dynamic | static ] | { begin | include | exclude } regular-expression |...
  • Page 410: Arp Attack Defense Configuration

    ARP Attack Defense Configuration ARP Attack Defense Configuration Although ARP is easy to implement, it provides no security mechanism and thus is prone to network attacks. Currently, ARP attacks and viruses are threatening LAN security. The device can provide multiple features to detect and prevent such attacks. This chapter mainly introduces these features. Introduction to Maximum Number of Dynamic ARP Entries a VLAN Interface Can Learn To prevent ARP flood attacks, you can limit the number of ARP entries learned by a VLAN interface on...
  • Page 411 Figure 2-1 Network diagram for ARP man-in-the-middle attack ARP attack detection To guard against the man-in-the-middle attacks launched by hackers or attackers, S4500 series Ethernet switches support the ARP attack detection function. After you enable ARP attack detection for a VLAN, when receiving an ARP request or response packet from an ARP untrusted port, the device delivers the ARP packet to the CPU to check the validity of the packet.
  • Page 412: Introduction To Arp Packet Rate Limit

    For details about DHCP Snooping and IP static binding, refer to DHCP Operation. For details about 802.1x authentication, refer to 802.1x and System Guard Operation. ARP restricted forwarding With the ARP restricted forwarding function enabled, ARP request packets are forwarded through trusted ports only;...
  • Page 413: Configuring Arp Attack Defense

    Figure 2-2 Gateway spoofing attack To prevent gateway spoofing attacks, an S4500 series Ethernet switch can work as an access device (usually with the upstream port connected to the gateway and the downstream ports connected to hosts) and filter ARP packets based on the gateway’s address. To filter ARP attack packets arriving on a downstream port, you can bind the gateway’s IP address to the downstream port (directly connected to hosts) of the switch.
  • Page 414: Configuring The Maximum Number Of Dynamic Arp Entries That A Vlan Interface Can Learn

    Task | Remarks
    Configuring the Maximum Number of Dynamic ARP Entries that a VLAN Interface Can Learn | Optional. The switch serves as a gateway.
    Configuring ARP Source MAC Address Consistency Check | Optional. The switch serves as a gateway or an access device.
    ARP Packet Filtering Based on Gateway’s Address | Optional. The switch serves as an access device.
  • Page 415: Configuring Arp Attack Detection

    To do… | Use the command… | Remarks
    Enter Ethernet port view | interface interface-type interface-number | —
    Configure ARP packet filtering based on the gateway’s IP address | arp filter source ip-address | Required. Not configured by default.
    Follow these steps to configure ARP packet filtering based on the gateway’s IP and MAC address: To do…...
  • Page 416: Configuring The Arp Packet Rate Limit Function

    To do… | Use the command… | Remarks
    Specify the current port as a trusted port | dhcp-snooping trust | Optional. After DHCP snooping is enabled, you need to configure the upstream port connected to the DHCP server as a trusted port.
    Configure the port as an ARP … | … | Optional. By default, a port is an ARP untrusted port.
  • Page 417: Arp Attack Defense Configuration Example

    To do… | Use the command… | Remarks
    Enter Ethernet port view | interface interface-type interface-number | —
    Enable the ARP packet rate limit function | arp rate-limit enable | Required. By default, the ARP packet rate limit function is disabled on a port.
    Configure the maximum ARP packet rate allowed on the port | arp rate-limit rate | Optional. By default, the maximum ARP...
  • Page 418 Network diagram Figure 2-3 ARP attack detection and packet rate limit configuration
    Configuration procedure
    # Enable DHCP snooping on Switch A.
    <SwitchA> system-view
    [SwitchA] dhcp-snooping
    # Specify Ethernet 1/0/1 as the DHCP snooping trusted port and the ARP trusted port.
    [SwitchA] interface Ethernet 1/0/1
    [SwitchA-Ethernet1/0/1] dhcp-snooping trust
    [SwitchA-Ethernet1/0/1] arp detection trust...
  • Page 419: Arp Attack Defense Configuration Example Ii

    ARP Attack Defense Configuration Example II Network Requirements Host A and Host B are connected to Gateway through an access switch (Switch). The IP and MAC addresses of Gateway are 192.168.100.1/24 and 000D-88F8-528C. To prevent gateway spoofing attacks from Host A and Host B, configure ARP packet filtering based on the gateway’s IP and MAC addresses on Switch.
  • Page 420: Arp Attack Defense Configuration Example Iii

    ARP Attack Defense Configuration Example III Network Requirements Host A and Host B are connected to Gateway (Switch A) through a Layer 2 switch (Switch B). To prevent ARP attacks such as ARP flooding: Enable ARP packet source MAC address consistency check on Switch A to block ARP packets with the sender MAC address different from the source MAC address in the Ethernet header.
  • Page 421 Enable ARP attack detection based on bindings of authenticated 802.1x clients on the switch to prevent ARP attacks. Network Diagram Figure 2-6 Network diagram for 802.1x based ARP attack defense
    Configuration Procedures
    # Enter system view.
    <Switch> system-view
    # Enable 802.1x authentication globally.
    [Switch] dot1x
    # Enable ARP attack detection for VLAN 1.
  • Page 422 Table of Contents: 1 DHCP Overview 1-1; Introduction to DHCP 1-1; DHCP IP Address Assignment 1-1; IP Address Assignment Policy 1-1; Obtaining IP Addresses Dynamically 1-2; Updating IP Address Lease 1-2; DHCP Packet Format 1-3; Protocol Specification 1-4; 2 DHCP Server Configuration 2-1; Introduction to DHCP Server 2-1; Usage of DHCP Server 2-1; DHCP Address Pool 2-1; DHCP IP Address Preferences 2-3...
  • Page 423 (Table of Contents, continued): Enabling Unauthorized DHCP Server Detection 2-24; Configuring IP Address Detecting 2-24; Configuring DHCP Accounting Functions 2-25; Introduction to DHCP Accounting 2-25; DHCP Accounting Fundamentals 2-25; DHCP Accounting Configuration 2-26; Enabling the DHCP Server to Process Option 82 2-26; Displaying and Maintaining the DHCP Server 2-27; DHCP Server Configuration Examples 2-27; DHCP Server Configuration Example 2-27; DHCP Server with Option 184 Support Configuration Example 2-29...
  • Page 424 (Table of Contents, continued): 6 DHCP/BOOTP Client Configuration 6-1; Introduction to DHCP Client 6-1; Introduction to BOOTP Client 6-1; Configuring a DHCP/BOOTP Client 6-2; DHCP Client Configuration Example 6-3; BOOTP Client Configuration Example 6-3; Displaying DHCP/BOOTP Client Configuration 6-3...
  • Page 425: Introduction To Dhcp

    DHCP Overview When configuring DHCP, go to these sections for information you are interested in: Introduction to DHCP DHCP IP Address Assignment DHCP Packet Format Protocol Specification Introduction to DHCP With networks getting larger in size and more complicated in structure, lack of available IP addresses becomes the common situation the network administrators have to face, and network configuration becomes a tough task for the network administrators.
  • Page 426: Obtaining Ip Addresses Dynamically

    Automatic assignment. The DHCP server assigns IP addresses to DHCP clients. The IP addresses will be occupied by the DHCP clients permanently. Dynamic assignment. The DHCP server assigns IP addresses to DHCP clients for a predetermined period of time. In this case, a DHCP client must apply for an IP address again at the expiration of the period.
  • Page 427: Dhcp Packet Format

    By default, a DHCP client updates its IP address lease automatically by unicasting a DHCP-REQUEST packet to the DHCP server when half of the lease time elapses. The DHCP server responds with a DHCP-ACK packet to notify the DHCP client of a new IP lease if the server can assign the same IP address to the client.
  • Page 428: Protocol Specification

    file: Path and name of the boot configuration file that the DHCP server specifies for the DHCP client. option: Optional variable-length fields, including packet type, valid lease time, IP address of a DNS server, and IP address of the WINS server. Protocol Specification Protocol specifications related to DHCP include: RFC2131: Dynamic Host Configuration Protocol...
  • Page 429: Dhcp Server Configuration

    DHCP Server Configuration When configuring the DHCP server, go to these sections for information you are interested in: Introduction to DHCP Server DHCP Server Configuration Task List Enabling DHCP Configuring the Global Address Pool Based DHCP Server Configuring the Interface Address Pool Based DHCP Server Configuring DHCP Server Security Functions Configuring DHCP Accounting Functions Enabling the DHCP Server to Process Option 82...
  • Page 430 Types of address pool The address pools of a DHCP server fall into two types: global address pool and interface address pool. A global address pool is created by executing the dhcp server ip-pool command in system view. It is valid on the current device. If an interface is configured with a valid unicast IP address, you can create an interface-based address pool for the interface by executing the dhcp select interface command in interface view.
  • Page 431: Dhcp Ip Address Preferences

    If there is an address pool where an IP address is statically bound to the MAC address or ID of the client, the DHCP server will select this address pool and assign the statically bound IP address to the client. Otherwise, the DHCP server observes the following principles to select a dynamic address pool.
  • Page 432: Dhcp Server Configuration Task List

    When you merge two or more XRN systems into one XRN system, a new master unit is elected, and the new XRN system adopts new configurations accordingly. This may result in the existing system configurations (including the address pools configured for the DHCP servers) being lost. As the new XRN system cannot inherit the original DHCP server configurations, you need to perform DHCP server configurations for it.
  • Page 433: Configuring The Global Address Pool Based Dhcp Server

    To improve security and avoid malicious attacks on unused sockets, S4500 Ethernet switches provide the following functions: UDP ports 67 and 68, used by DHCP, are enabled only when DHCP is enabled, and are disabled when DHCP is disabled. The corresponding implementation is as follows: After DHCP is enabled with the dhcp enable command, if the DHCP server and DHCP relay agent functions are not configured, UDP ports 67 and 68 are kept disabled;...
  • Page 434: Creating A Dhcp Global Address Pool

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Configure the specified interface(s) or all the interfaces to operate in global address pool mode: configure the current interface | interface interface-type interface-number; dhcp select global; quit | Optional. By default, the interface operates in global address…
    Configure the specified interface(s) or all the interfaces to operate in global address pool mode: configure multiple interfaces | dhcp select global { interface...
  • Page 435 Currently, only one IP address in a global DHCP address pool can be statically bound to a MAC address or a client ID. Follow these steps to configure the static IP address allocation mode:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —...
  • Page 436 To improve security and avoid malicious attacks on unused sockets, S4500 Ethernet switches provide the following functions: UDP ports 67 and 68, used by DHCP, are enabled only when DHCP is enabled, and are disabled when DHCP is disabled. The corresponding implementation is as follows: After a DHCP address pool is created by executing the dhcp server ip-pool command, UDP ports 67 and 68 used by DHCP are enabled.
  • Page 437: Configuring A Domain Name Suffix For The Dhcp Client

    In the same DHCP global address pool, the network command can be executed repeatedly. In this case, the new configuration overwrites the previous one. The dhcp server forbidden-ip command can be executed repeatedly. That is, you can configure multiple IP addresses that are not dynamically assigned to DHCP clients. If an IP address that is not to be automatically assigned has been configured as a statically-bound IP address, the DHCP server still assigns this IP address to the client whose MAC address or ID has been bound.
  • Page 438: Configuring Wins Servers For The Dhcp Client

    Configuring WINS Servers for the DHCP Client For Microsoft Windows-based DHCP clients that communicate through the NetBIOS protocol, the host name-to-IP address translation is carried out by Windows Internet Naming Service (WINS) servers. So you need to perform WINS-related configuration for most Windows-based hosts. To implement host name-to-IP address translation for DHCP clients, you should enable the DHCP server to assign WINS server addresses when assigning IP addresses to DHCP clients.
  • Page 439: Configuring Gateways For The Dhcp Client

    Configuring Gateways for the DHCP Client Gateways are necessary for DHCP clients to access servers/hosts outside the current network segment. After you configure gateway addresses on a DHCP server, the DHCP server provides the gateway addresses to DHCP clients as well while assigning IP addresses to them. You can configure gateway addresses for global address pools on a DHCP server.
  • Page 440 Sub-option 4: Fail-over call routing. Meanings of the sub-options for Option 184
    Table 2-1 Meanings of the sub-options for Option 184
    Sub-option | Feature | Function | Note
    Sub-option 1 | The NCP-IP sub-option | The IP address of the NCP server carried by sub-option 1 of Option 184 is intended for... | When used in Option 184, this sub-option...
  • Page 441 For the configurations specifying to add sub-option 2, sub-option 3, and sub-option 4 in the response packets to take effect, you need to configure the DHCP server to add sub-option 1. Mechanism of using Option 184 on DHCP server The DHCP server encapsulates the information for Option 184 to carry in the response packets sent to the DHCP clients.
  • Page 442: Configuring The Tftp Server And Bootfile Name For The Dhcp Client

    Specify an IP address for the network calling processor before performing other configuration. Configuring the TFTP Server and Bootfile Name for the DHCP Client This task is to specify the IP address and name of a TFTP server and the bootfile name in the DHCP global address pool.
  • Page 443: Configuring The Interface Address Pool Based Dhcp Server

    Follow these steps to configure a self-defined DHCP option:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter DHCP address pool view | dhcp server ip-pool pool-name | —
    Configure a self-defined DHCP option | option code { ascii ascii-string | hex hex-string&<1-10>... | Required
  • Page 444: Enabling The Interface Address Pool Mode On Interface

    Task | Remarks
    Enabling the Interface Address Pool Mode on Interface(s) | Required
    Configuring an Address Allocation Mode for an Interface Address Pool: Configuring the static IP address allocation mode; Configuring the dynamic IP address allocation mode | One of the two options is required. And these two options can be configured at the same time.
  • Page 445: Configuring An Address Allocation Mode For An Interface Address Pool

    To improve security and avoid malicious attacks on unused sockets, S4500 Ethernet switches provide the following functions: UDP ports 67 and 68, used by DHCP, are enabled only when DHCP is enabled, and are disabled when DHCP is disabled. The corresponding implementation is as follows: After a DHCP interface address pool is created by executing the dhcp select interface command, UDP ports 67 and 68 used by DHCP are enabled.
  • Page 446 The IP addresses statically bound in an interface address pool must be in the same network segment as the interface IP address. There is no limit to the number of IP addresses that can be statically bound in an interface address pool, but every statically bound address must lie in the interface's network segment.
  • Page 447: Configuring A Domain Name Suffix For The Dhcp Client

    To do… | Use the command… | Remarks
    Specify the IP addresses that are not dynamically assigned | dhcp server forbidden-ip low-ip-address [ high-ip-address ] | Optional. By default, all IP addresses in a DHCP address pool are available for being dynamically assigned.
    The dhcp server forbidden-ip command can be executed repeatedly. That is, you can configure multiple IP addresses that are not dynamically assigned to DHCP clients.
  • Page 448: Configuring Wins Servers For The Dhcp Client

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Configure DNS server addresses for DHCP clients: configure the current interface | interface interface-type interface-number; dhcp server dns-list ip-address&<1-8>; quit | Required. By default, no DNS server address is configured.
    Configure DNS server addresses for DHCP clients: configure multiple … | dhcp server dns-list ip-address&<1-8> … | Required. By default, no DNS server address is configured.
  • Page 449: Configuring Bims Server Information For The Dhcp Client

    Follow these steps to configure WINS servers for the DHCP client:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Configure WINS server addresses for DHCP clients: configure the current interface | interface interface-type interface-number; dhcp server nbns-list ip-address&<1-8>; quit | Required. By default, no WINS server …
    Configure...
  • Page 450: Configuring The Tftp Server And Bootfile Name For The Dhcp Client

    Follow these steps to configure Option 184 parameters for the client with voice service:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter interface view | interface interface-type interface-number | —
    Specify the primary network calling … | dhcp server voice-config ncp-ip ip-address | Required. Not specified by...
  • Page 451: Configuring A Self-Defined Dhcp Option

    Follow these steps to configure the TFTP server and bootfile name for the DHCP client:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter interface view | interface interface-type interface-number | —
    Specify the IP address and name of the TFTP server: specify the TFTP server … | dhcp server tftp-server ip-address …...
  • Page 452: Configuring Dhcp Server Security Functions

    Be cautious when configuring self-defined DHCP options because such configuration may affect the DHCP operation process. Configuring DHCP Server Security Functions DHCP security configuration is needed to ensure the security of DHCP service. Prerequisites Before configuring DHCP security, you should first complete the DHCP server configuration (either global address pool-based or interface address pool-based DHCP server configuration).
  • Page 453: Configuring Dhcp Accounting Functions

    will assign the IP address to the requesting client (the DHCP client probes the IP address by sending gratuitous ARP packets). Follow these steps to configure IP address detecting:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Specify the number of ping packets … | dhcp server ping packets... | Optional
  • Page 454: Dhcp Accounting Configuration

    DHCP Accounting Configuration Prerequisites Before configuring DHCP accounting, make sure that: The DHCP server is configured and operates properly. Address pools and lease time are configured. DHCP clients are configured and DHCP service is enabled. The network operates properly. Configuring DHCP Accounting Follow these steps to configure DHCP accounting: To do…...
  • Page 455: Displaying And Maintaining The Dhcp Server

    Displaying and Maintaining the DHCP Server
    To do… | Use the command… | Remarks
    Display the statistics on IP address conflicts | display dhcp server conflict { all | ip ip-address } |
    Display lease expiration information | display dhcp server expired { ip ip-address | pool [ pool-name ] | interface [ interface-type interface-number ] | all } |...
  • Page 456 The IP addresses of VLAN-interface 1 and VLAN-interface 2 on Switch A are 10.1.1.1/25 and 10.1.1.129/25 respectively. In the address pool 10.1.1.0/25, the address lease duration is ten days and twelve hours, domain name suffix aabbcc.com, DNS server address 10.1.1.2, gateway 10.1.1.126, and WINS server 10.1.1.4.
  • Page 457: Dhcp Server With Option 184 Support Configuration Example

    <SwitchA> system-view
    [SwitchA] dhcp enable
    # Configure the IP addresses that are not dynamically assigned. (That is, the IP addresses of the DNS server, WINS server, and gateways.)
    [SwitchA] dhcp server forbidden-ip 10.1.1.2
    [SwitchA] dhcp server forbidden-ip 10.1.1.4
    [SwitchA] dhcp server forbidden-ip 10.1.1.126
    [SwitchA] dhcp server forbidden-ip 10.1.1.254
    # Configure DHCP address pool 0, including address range, domain name suffix of the clients, and domain name server address.
  • Page 458 Network diagram Figure 2-2 Network diagram for Option 184 support configuration (DHCP server, IP: 10.1.1.1/24, serving DHCP clients including a 3COM VCX device)
    Configuration procedure Configure the DHCP client. Configure the 3COM VCX device to operate as a DHCP client and to request for all sub-options of Option 184.
  • Page 459: Dhcp Accounting Configuration Example

    DHCP Accounting Configuration Example Network requirements The DHCP server connects to a DHCP client and a RADIUS server respectively through Ethernet 1/0/1 and Ethernet 1/0/2. Ethernet 1/0/1 belongs to VLAN 2; Ethernet 1/0/2 belongs to VLAN 3. The IP address of VLAN-interface 1 is 10.1.1.1/24, and that of VLAN-interface 2 is 10.1.2.1/24. The IP address of the RADIUS server is 10.1.2.2/24.
  • Page 460: Troubleshooting A Dhcp Server

    [Sysname] interface vlan-interface 3
    [Sysname-Vlan-interface3] ip address 10.1.2.1 24
    [Sysname-Vlan-interface3] quit
    # Create a domain and a RADIUS scheme. Associate the domain with the RADIUS scheme.
    [Sysname] radius scheme 123
    [Sysname-radius-123] primary authentication 10.1.2.2
    [Sysname-radius-123] primary accounting 10.1.2.2
    [Sysname] domain 123
    [Sysname-isp-123] scheme radius-scheme 123
    [Sysname-isp-123] quit
    # Create an address pool on the DHCP server.
  • Page 461: Dhcp Relay Agent Configuration

    DHCP Relay Agent Configuration When configuring the DHCP relay agent, go to these sections for information you are interested in: Introduction to DHCP Relay Agent Configuring the DHCP Relay Agent Displaying and Maintaining DHCP Relay Agent Configuration DHCP Relay Agent Configuration Example Troubleshooting DHCP Relay Agent Configuration Currently, the interface-related DHCP relay agent configurations can only be made on VLAN interfaces.
  • Page 462: Option 82 Support On Dhcp Relay Agent

    Figure 3-1 Typical DHCP relay agent application In the process of dynamic IP address assignment through the DHCP relay agent, the DHCP client and DHCP server interoperate with each other in a similar way as they do without the DHCP relay agent. The following sections only describe the forwarding process of the DHCP relay agent.
  • Page 463: Configuring The Dhcp Relay Agent

    Figure 3-2 Padding contents for sub-option 1 of Option 82 Figure 3-3 Padding contents for sub-option 2 of Option 82 Mechanism of Option 82 supported on DHCP relay agent The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay agent is similar to that for the client to obtain an IP address from a DHCP server directly.
  • Page 464: Dhcp Relay Agent Configuration Task List

    If a switch belongs to an XRN fabric, you need to enable the UDP Helper function on it before configuring it as a DHCP relay agent. DHCP Relay Agent Configuration Task List Complete the following tasks to configure the DHCP relay agent: Task Remarks Enabling DHCP...
  • Page 465: Configuring Dhcp Relay Agent Security Functions

    To improve security and avoid malicious attacks on unused sockets, S4500 Ethernet switches provide the following functions: UDP ports 67 and 68, which are used by DHCP, are enabled only when DHCP is enabled and are disabled when DHCP is disabled. The corresponding implementation is as follows: When a VLAN interface is mapped to a DHCP server group with the dhcp-server command, the DHCP relay agent is enabled.
  • Page 466 Create a static IP-to-MAC binding: dhcp-security static ip-address mac-address (Optional; not created by default). Enter interface view: interface interface-type interface-number. Enable the address checking function: address-check enable (Required; disabled by default). The address-check enable command is independent of other commands of the DHCP relay agent.
  • Page 467: Configuring The Dhcp Relay Agent To Support Option 82

    Currently, the DHCP relay agent handshake function on an S4500 series switch can only interoperate with a Windows 2000 DHCP server. Enabling unauthorized DHCP server detection If there is an unauthorized DHCP server in the network, when a client applies for an IP address, the unauthorized DHCP server may assign an incorrect IP address to the DHCP client.
  • Page 468: Displaying And Maintaining Dhcp Relay Agent Configuration

    Enable Option 82 support on the DHCP relay agent: dhcp relay information enable (Required; disabled by default). Configure the strategy for the DHCP relay agent to process request packets containing Option 82: dhcp relay information strategy { drop | keep | replace } (Optional; by default, the replace strategy...)
  • Page 469: Troubleshooting Dhcp Relay Agent Configuration

    Network diagram: Figure 3-4 Network diagram for DHCP relay agent (Switch A, DHCP relay, with Vlan-int1 10.10.1.1/24 and Vlan-int2 10.1.1.2/24; Switch B, DHCP server, with Vlan-int2 10.1.1.1/24; DHCP clients attached to Switch A). Configuration procedure # Create DHCP server group 1 and configure an IP address of 10.1.1.1 for it. <SwitchA>...
  • Page 470 Solution Check if DHCP is enabled on the DHCP server and the DHCP relay agent. Check if an address pool that is on the same network segment with the DHCP clients is configured on the DHCP server. Check if a reachable route is configured between the DHCP relay agent and the DHCP server. Check the DHCP relay agent.
  • Page 471: Dhcp Snooping Configuration

    DHCP Snooping Configuration When configuring DHCP snooping, go to these sections for information you are interested in: DHCP Snooping Overview Configuring DHCP Snooping Displaying and Maintaining DHCP Snooping Configuration DHCP Snooping Configuration Examples DHCP Snooping Overview Introduction to DHCP Snooping For the sake of security, the IP addresses used by online DHCP clients need to be tracked for the administrator to verify the corresponding relationship between the IP addresses the DHCP clients obtained from DHCP servers and the MAC addresses of the DHCP clients.
  • Page 472: Introduction To Dhcp-Snooping Option 82

    Figure 4-1 Typical network diagram for DHCP snooping application DHCP snooping listens to the following two types of packets to retrieve the IP addresses the DHCP clients obtain from DHCP servers and the MAC addresses of the DHCP clients: DHCP-REQUEST packet DHCP-ACK packet Introduction to DHCP-Snooping Option 82 Introduction to Option 82...
  • Page 473 Figure 4-3 Extended format of the remote ID sub-option In practice, some network devices do not support the type and length identifiers of the Circuit ID and Remote ID sub-options. To interwork with these devices, S4500 Series Ethernet Switches support Option 82 in the standard format.
  • Page 474: Introduction To Ip Filtering

    When receiving a DHCP client’s request without Option 82, the DHCP snooping device will add the option field with the configured sub-option and then forward the packet. For details, see Table 4-2. Table 4-2 Ways of handling a DHCP packet without Option 82 Sub-option configuration The DHCP-Snooping device will …...
  • Page 475: Configuring Dhcp Snooping

    client cannot be recorded in the DHCP-snooping table. Consequently, this client cannot pass the IP filtering of the DHCP-snooping table, thus it cannot access external networks. To solve this problem, the switch supports the configuration of static binding table entries, that is, the binding relationship between IP address, MAC address, and the port connecting to the client, so that packets of the client can be correctly forwarded.
  • Page 476: Configuring Dhcp Snooping To Support Option 82

    If an S4500 Ethernet switch is enabled with DHCP snooping, the clients connected to it cannot dynamically obtain IP addresses through BOOTP. You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses.
  • Page 477 Configuring a handling policy for DHCP packets with Option 82 Follow these steps to configure a handling policy for DHCP packets with Option 82: Enter system view: system-view. Configure a global handling policy for requests that contain...: dhcp-snooping information strategy { drop | keep |... (Optional)
  • Page 478 Configuring the circuit ID sub-option Follow these steps to configure the circuit ID sub-option: Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Configure the circuit ID sub-option: dhcp-snooping information [ vlan vlan-id ]... (Optional; by default, the circuit ID sub-option contains the VLAN ID...)
  • Page 479: Configuring Ip Filtering

    Configure the remote ID sub-option in Ethernet port view: dhcp-snooping information [ vlan vlan-id ] remote-id string string (Optional; by default, the remote ID sub-option is the MAC address of the DHCP snooping device that received the client’s request).
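The Option 82 handling described on the relay agent and DHCP snooping pages above (insert the option when a request lacks it; otherwise apply the drop, keep or replace strategy, with replace as the default) is shown below as an added Python example. It is not code from the 3Com manual or the switch firmware: the option and sub-option codes are the standard RFC 3046 values, the circuit-ID layout (16-bit VLAN ID followed by an 8-bit port index), the MAC addresses and the DHCPDISCOVER options are constructed for the example.

```python
"""Encode, decode and relay-handle DHCP Option 82 (relay agent information).

Added example, not the switch's own implementation. The circuit-ID layout
and all sample values are constructed for illustration.
"""

OPT_RELAY_AGENT_INFO = 82   # RFC 3046 option code
OPT_END = 255
OPT_PAD = 0
SUBOPT_CIRCUIT_ID = 1       # sub-option 1: which circuit/port the request came in on
SUBOPT_REMOTE_ID = 2        # sub-option 2: which relay / snooping device inserted it


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Return a complete Option 82 TLV carrying circuit-ID and remote-ID sub-options."""
    body = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    if len(body) > 255:
        raise ValueError("Option 82 body exceeds the one-byte length field")
    return bytes([OPT_RELAY_AGENT_INFO, len(body)]) + body


def circuit_id_vlan_port(vlan_id: int, port_index: int) -> bytes:
    """Assumed circuit-ID layout: 16-bit VLAN ID followed by an 8-bit port index."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return vlan_id.to_bytes(2, "big") + bytes([port_index & 0xFF])


def _walk_tlv(data: bytes, stop_at_end: bool) -> dict:
    """Parse code/length/value triples; shared by the options field and the Option 82 body."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if stop_at_end and code == OPT_END:
            break
        if stop_at_end and code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated TLV header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        out[code] = value
        i += 2 + length
    return out


def parse_options(options: bytes) -> dict:
    """DHCP options field (after the magic cookie) -> {code: value}, order preserved."""
    return _walk_tlv(options, stop_at_end=True)


def parse_option82(value: bytes) -> dict:
    """Option 82 value -> {sub-option code: value}; no end marker inside the option."""
    return _walk_tlv(value, stop_at_end=False)


def serialize_options(opts: dict) -> bytes:
    """Inverse of parse_options: re-emit the TLVs in order and append the end marker."""
    return b"".join(bytes([c, len(v)]) + v for c, v in opts.items()) + bytes([OPT_END])


def relay_request(options: bytes, own_option82: bytes, strategy: str = "replace"):
    """Apply the drop/keep/replace strategy to a client request's options.

    A request without Option 82 always gets the relay's own option appended.
    Returns the options to forward, or None when the request must be dropped.
    """
    if strategy not in ("drop", "keep", "replace"):
        raise ValueError("strategy must be drop, keep or replace")
    if own_option82[:1] != bytes([OPT_RELAY_AGENT_INFO]):
        raise ValueError("own_option82 must start with option code 82")
    own_value = own_option82[2:]
    parse_option82(own_value)            # raises if our own option is malformed
    opts = parse_options(options)
    if OPT_RELAY_AGENT_INFO not in opts:
        opts[OPT_RELAY_AGENT_INFO] = own_value     # request without Option 82: add ours
    elif strategy == "drop":
        return None                                # already tagged: discard the request
    elif strategy == "replace":
        opts[OPT_RELAY_AGENT_INFO] = own_value     # overwrite the client's Option 82
    # "keep": forward the client's Option 82 untouched
    return serialize_options(opts)


# Constructed sample: DHCPDISCOVER options = message type 1 + client-id (hw type 1 + MAC) + end.
CLIENT_MAC = bytes.fromhex("0011223344aa")
DISCOVER_OPTS = bytes([53, 1, 1]) + bytes([61, 7, 1]) + CLIENT_MAC + bytes([OPT_END])
SWITCH_MAC = bytes.fromhex("00e0fc000001")       # constructed remote ID of this device
OWN_OPT82 = build_option82(circuit_id_vlan_port(1, 3), SWITCH_MAC)

if __name__ == "__main__":
    print(parse_option82(OWN_OPT82[2:]))
    print(parse_options(relay_request(DISCOVER_OPTS, OWN_OPT82)))
```

Note that under the drop strategy an untagged request is still forwarded with the relay's own option; only requests that already carry Option 82 are discarded.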
  • Page 480: Displaying And Maintaining Dhcp Snooping Configuration

    To do… Use the command… Remarks Enable IP filtering based on the ip check source ip-address DHCP-snooping table [ mac-address ] Either command is and the IP static required Enable IP binding table filtering By default, this Enable IP filtering function is disabled.
  • Page 481: Dhcp Snooping Configuration Examples

    Display the IP static binding table: display ip source static binding [ vlan vlan-id | interface interface-type interface-number ]. Remove DHCP snooping entries: reset dhcp-snooping [ ip-address ] (available in user view). DHCP Snooping Configuration Examples DHCP-Snooping Option 82 Support Configuration Example Network requirements As shown in...
  • Page 482: Ip Filtering Configuration Example

    # Enable DHCP-snooping Option 82 support. [Switch] dhcp-snooping information enable # Set the remote ID sub-option in Option 82 to the system name (sysname) of the DHCP snooping device. [Switch] dhcp-snooping information remote-id sysname # Set the circuit ID sub-option in DHCP packets from VLAN 1 to abcd on Ethernet 1/0/3. [Switch] interface ethernet 1/0/3 [Switch-Ethernet1/0/3] dhcp-snooping information vlan 1 circuit-id string abcd IP Filtering Configuration Example...
  • Page 483 # Specify Ethernet 1/0/1 as the trusted port. [Switch] interface ethernet 1/0/1 [Switch-Ethernet1/0/1] dhcp-snooping trust [Switch-Ethernet1/0/1] quit # Enable IP filtering on Ethernet 1/0/2, Ethernet 1/0/3, and Ethernet 1/0/4 to filter packets based on the source IP addresses/MAC addresses. [Switch] interface ethernet 1/0/2 [Switch-Ethernet1/0/2] ip check source ip-address mac-address [Switch-Ethernet1/0/2] quit [Switch] interface ethernet 1/0/3...
  • Page 484: Dhcp Packet Rate Limit Configuration

    DHCP Packet Rate Limit Configuration When configuring the DHCP packet rate limit function, go to these sections for information you are interested in: Introduction to DHCP Packet Rate Limit Configuring DHCP Packet Rate Limit Rate Limit Configuration Example Introduction to DHCP Packet Rate Limit To prevent ARP attacks and attacks from unauthorized DHCP servers, ARP packets and DHCP packets will be processed by the switch CPU for validity checking.
  • Page 485: Configuring Dhcp Packet Rate Limit

    Configuring DHCP Packet Rate Limit Follow these steps to configure rate limit of DHCP packets: Enter system view: system-view. Enter port view: interface interface-type interface-number. Enable the DHCP packet rate limit function: dhcp rate-limit enable (Required; by default, DHCP packet rate limit is...
  • Page 486: Rate Limit Configuration Example

    Rate Limit Configuration Example Network requirements As shown in Figure 5-1, Ethernet 1/0/1 of the S4500 switch is connected to the DHCP server. Ethernet 1/0/2 is connected to client B and Ethernet 1/0/11 is connected to client A. Enable DHCP snooping on the switch, and specify Ethernet 1/0/1 as the DHCP snooping trusted port.
  • Page 487 [Sysname-Ethernet1/0/11] dhcp rate-limit 100...
  • Page 488: Dhcp/Bootp Client Configuration

    DHCP/BOOTP Client Configuration When configuring the DHCP/BOOTP client, go to these sections for information you are interested in: Introduction to DHCP Client Introduction to BOOTP Client Configuring a DHCP/BOOTP Client Displaying DHCP/BOOTP Client Configuration Introduction to DHCP Client After you specify a VLAN interface as a DHCP client, the device can use DHCP to obtain parameters such as IP address dynamically from the DHCP server, which facilitates user configuration and management.
  • Page 489: Configuring A Dhcp/Bootp Client

    Configuring a DHCP/BOOTP Client Follow these steps to configure a DHCP/BOOTP client: Enter system view: system-view. Enter VLAN interface view: interface vlan-interface vlan-id. Configure the VLAN interface to obtain IP address through...: ip address { bootp-alloc | dhcp-alloc } (Required; by default, no IP address is...
  • Page 490: Dhcp Client Configuration Example

    DHCP Client Configuration Example Network requirements Using DHCP, VLAN-interface 1 of Switch B is connected to the LAN to obtain an IP address from the DHCP server. Network diagram Figure 2-1. Configuration procedure The following describes only the configuration on Switch B serving as a DHCP client. # Configure VLAN-interface 1 to dynamically obtain an IP address by using DHCP.
  • Page 491 Table of Contents: 1 ACL Configuration (1-1); ACL Overview (1-1); ACL Matching Order (1-1); Ways to Apply an ACL on a Switch (1-2); Types of ACLs Supported by Switch 4500 Series (1-3); ACL Configuration Task List (1-3); Configuring Time Range (1-3); Configuring Basic ACL (1-5); Configuring Advanced ACL (1-6); Configuring Layer 2 ACL (1-7); Configuring User-defined ACL (1-8)...
  • Page 492: Acl Configuration

    ACL Configuration When configuring ACL, go to these sections for information you are interested in: ACL Overview ACL Configuration Task List Displaying and Maintaining ACL Configuration Examples for Upper-layer Software Referencing ACLs Examples for Applying ACLs to Hardware ACL Overview As the network scale and network traffic are increasingly growing, security control and bandwidth assignment play a more and more important role in network management.
  • Page 493: Ways To Apply An Acl On A Switch

    Depth-first match order for rules of a basic ACL: Range of source IP address: the smaller the source IP address range (that is, the more zeros in the wildcard mask), the higher the match priority. Fragment keyword: a rule with the fragment keyword takes precedence over others. If the above two conditions are identical, the earlier configured rule applies.
  • Page 494: Types Of Acls Supported By Switch 4500 Series

    Referenced by routing policies Used to control Telnet, SNMP and Web login users When an ACL is directly applied to hardware for packet filtering, the switch will permit packets if the packets do not match the ACL. When an ACL is referenced by upper-layer software to control Telnet, SNMP and Web login users, the switch will deny packets if the packets do not match the ACL.
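The two points made on the preceding pages, the depth-first match order for basic ACL rules and the opposite default actions for an ACL applied to hardware versus one referenced for login control, are shown in the added Python example below. It is not code from the manual or the switch; the rule set and packet addresses are constructed, and the "config" order is modelled simply as ascending rule ID.

```python
"""Depth-first ("auto") versus configuration ("config") match order for basic ACL
rules, and the default action when no rule matches. Added example, not the
switch's implementation; rules and addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class BasicRule:
    rule_id: int            # lower ID = configured earlier (used as the tie-breaker)
    action: str             # "permit" or "deny"
    source: str             # dotted source address, e.g. "10.1.1.1"
    wildcard: str           # wildcard mask: 0 bits must match, 1 bits are don't-care
    fragment: bool = False  # rule carries the 'fragment' keyword

    def _ints(self):
        return (int(ipaddress.IPv4Address(self.source)),
                int(ipaddress.IPv4Address(self.wildcard)))

    def zero_bits(self) -> int:
        """Zeros in the wildcard mask: more zeros = narrower source range."""
        _, wc = self._ints()
        return 32 - bin(wc).count("1")

    def matches(self, src_ip: str, is_fragment: bool) -> bool:
        if self.fragment and not is_fragment:
            return False
        base, wc = self._ints()
        care = ~wc & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(src_ip)) & care) == (base & care)


def depth_first_order(rules):
    """Narrowest source range first, then rules with 'fragment', then configuration order."""
    return sorted(rules, key=lambda r: (-r.zero_bits(), 0 if r.fragment else 1, r.rule_id))


def config_order(rules):
    """Rules are tried in the order they were configured."""
    return sorted(rules, key=lambda r: r.rule_id)


def evaluate(rules, src_ip, is_fragment=False, match_order="auto", applied_to="hardware"):
    """First matching rule wins. An unmatched packet is permitted when the ACL is applied
    to hardware for packet filtering, but denied when the ACL controls
    Telnet/SNMP/Web login users."""
    ordered = depth_first_order(rules) if match_order == "auto" else config_order(rules)
    for rule in ordered:
        if rule.matches(src_ip, is_fragment):
            return rule.action
    return "permit" if applied_to == "hardware" else "deny"


# Constructed rule set: a broad permit configured before a narrow deny, plus a pair of
# equally wide rules that differ only in the 'fragment' keyword.
RULES = [
    BasicRule(0, "permit", "10.1.0.0", "0.0.255.255"),
    BasicRule(1, "deny", "10.1.1.1", "0.0.0.0"),
    BasicRule(2, "deny", "10.1.2.0", "0.0.0.255", fragment=True),
    BasicRule(3, "permit", "10.1.2.0", "0.0.0.255"),
]

if __name__ == "__main__":
    for order in ("config", "auto"):
        print(order, "10.1.1.1 ->", evaluate(RULES, "10.1.1.1", match_order=order))
    print("unmatched, hardware ->", evaluate(RULES, "192.0.2.7"))
    print("unmatched, login    ->", evaluate(RULES, "192.0.2.7", applied_to="login"))
```

The same packet from 10.1.1.1 is permitted under config order (the broad rule 0 is tried first) and denied under auto order (the host-specific rule 1 is tried first), which is why the manual warns that rules cannot be modified in place once auto order is chosen.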
  • Page 495 An absolute time range on Switch 4500 Series can be within the range 1970/1/1 00:00 to 2100/12/31 24:00. Configuration procedure Follow these steps to configure a time range: Enter system view: system-view. Create a time range: time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time...
  • Page 496: Configuring Time Range

    <Sysname> system-view [Sysname] time-range test from 15:00 1/28/2006 to 15:00 1/28/2008 [Sysname] display time-range test Current time is 13:30:32 Apr/16/2005 Saturday Time-range : test ( Inactive ) From 15:00 Jan/28/2006 to 15:00 Jan/28/2008 Configuring Basic ACL A basic ACL filters packets based on their source IP addresses. A basic ACL can be numbered from 2000 to 2999.
  • Page 497: Configuring Advanced Acl

    Configuration example # Configure ACL 2000 to deny packets whose source IP addresses are 192.168.0.1. <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule deny source 192.168.0.1 0 # Display the configuration information of ACL 2000. [Sysname-acl-basic-2000] display acl 2000 Basic ACL 2000, 1 rule Acl's step is 1 rule 0 deny source 192.168.0.1 0...
  • Page 498: Configuring Layer 2 Acl

    Note that: With the config match order specified for the advanced ACL, you can modify any existent rule. The unmodified part of the rule remains. With the auto match order specified for the ACL, you cannot modify any existent rule; otherwise the system prompts error information. If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically.
  • Page 499: Configuring User-Defined Acl

    Define an ACL rule: rule [ rule-id ] { permit | deny } rule-string (Required; for information about rule-string, refer to ACL Commands). Assign a description string to the ACL rule: rule rule-id comment text (Optional; no description by default). Assign a description string to...
  • Page 500 Enter system view: system-view. Create a user-defined ACL and enter user-defined ACL view: acl number acl-number (Required). Define an ACL rule: rule [ rule-id ] { permit | deny } [ rule-string rule-mask offset ] &<1-8>... (Required; for information about...
  • Page 501: Applying Acl Rules On Ports

    Acl's step is 1 rule 0 deny 06 ff 27 Applying ACL Rules on Ports By applying ACL rules on ports, you can filter packets on the corresponding ports. Configuration prerequisites You need to define an ACL before applying it on a port. For information about defining an ACL, refer to Configuring Basic ACL, Configuring Advanced...
  • Page 502: Displaying And Maintaining Acl Configuration

    Configuration procedure Follow these steps to apply ACL rules to ports in a VLAN: Enter system view: system-view. Apply ACL rules to ports in a VLAN: packet-filter vlan vlan-id { inbound | outbound } acl-rule (Required; for information about acl-rule,...
  • Page 503: Example For Controlling Web Login Users By Source Ip

    Configuration procedure # Define ACL 2000. <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [Sysname-acl-basic-2000] quit # Reference ACL 2000 on VTY user interface to control Telnet login users. [Sysname] user-interface vty 0 4 [Sysname-ui-vty0-4] acl 2000 inbound Example for Controlling Web Login Users by Source IP Network requirements Apply an ACL to permit Web users with the source IP address of 10.110.100.46 to log in to the switch...
  • Page 504: Advanced Acl Configuration Example

    Network diagram Figure 1-3 Network diagram for basic ACL configuration Configuration procedure # Define a periodic time range that is active from 8:00 to 18:00 every day. <Sysname> system-view [Sysname] time-range test 8:00 to 18:00 daily # Define ACL 2000 to filter packets with the source IP address of 10.1.1.1. [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule 1 deny source 10.1.1.1 0 time-range test [Sysname-acl-basic-2000] quit...
  • Page 505: Layer 2 Acl Configuration Example

    Configuration procedure # Define a periodic time range that is active from 8:00 to 18:00 every day. <Sysname> system-view [Sysname] time-range test 8:00 to 18:00 working-day # Define ACL 3000 to filter packets destined for the wage query server. [Sysname] acl number 3000 [Sysname-acl-adv-3000] rule 1 deny ip destination 192.168.1.2 0 time-range test [Sysname-acl-adv-3000] quit # Apply ACL 3000 on Ethernet 1/0/1.
  • Page 506: User-Defined Acl Configuration Example

    User-defined ACL Configuration Example Network requirements As shown in Figure 1-6, PC 1 and PC 2 are connected to the switch through Ethernet 1/0/1 and Ethernet 1/0/2 respectively. They belong to VLAN 1 and access the Internet through the same gateway, which has an IP address of 192.168.0.1 (the IP address of VLAN-interface 1).
  • Page 507 Network diagram: Figure 1-7 Network diagram for applying an ACL to a VLAN (database server 192.168.1.2; ports Eth1/0/1, Eth1/0/2 and Eth1/0/3; VLAN 10; PC 1, PC 2 and PC 3). Configuration procedure # Define a periodic time range that is active from 8:00 to 18:00 in working days. <Sysname>...
  • Page 508 Table of Contents: 1 QoS Configuration (1-1); Overview (1-1); Introduction to QoS (1-1); Traditional Packet Forwarding Service (1-1); New Applications and New Requirements (1-1); Major Traffic Control Techniques (1-2); QoS Supported By Switch 4500 Series (1-3); Introduction to QoS Functions (1-3); Traffic Classification (1-3); Priority Trust Mode (1-4); Protocol Priority (1-7); Priority Marking (1-8)...
  • Page 509: Qos Configuration

    QoS Configuration When configuring QoS, go to these sections for information you are interested in: Overview QoS Supported By Switch 4500 Series QoS Configuration Displaying and Maintaining QoS QoS Configuration Examples Overview Introduction to QoS Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to meet customer needs.
  • Page 510: Major Traffic Control Techniques

    and VoD. For other applications, such as transaction processing and Telnet, bandwidth is not as critical, but an excessively long delay may cause unexpected results. That is, they need to be serviced in time even if congestion occurs. Newly emerging applications demand higher service performance from IP networks. Beyond simply delivering packets to their destinations, better network services are demanded, such as allocating dedicated bandwidth, reducing the packet loss ratio, avoiding congestion, regulating network traffic, and setting the priority of packets.
  • Page 511: Qos Supported By Switch 4500 Series

    QoS Supported By Switch 4500 Series The Switch 4500 series support the QoS features listed in Table 1-1: Table 1-1 QoS features supported by Switch 4500 series (QoS Feature / Description / Refer to …): Classify incoming traffic based on ACLs; the Switch 4500 series support the following... For information about ACLs, refer to the ACL Operation and ACL Command...
  • Page 512: Priority Trust Mode

    protocol or the port number of an application. Normally, traffic classification is done by checking the information carried in packet header. Packet payload is rarely adopted for traffic classification. The identifying rule is unlimited in range. It can be a quintuplet consisting of source address, source port number, protocol number, destination address, and destination port number.
  • Page 513 Assured forwarding (AF) class: This class is further divided into four subclasses (AF1/2/3/4) and a subclass is further divided into three drop priorities, so the AF service level can be segmented. The QoS rank of the AF class is lower than that of the EF class; Class selector (CS) class: This class comes from the IP ToS field and includes eight subclasses;...
  • Page 514 802.1p priority 802.1p priority lies in Layer 2 packet headers and is applicable to occasions where the Layer 3 packet header does not need analysis but QoS must be assured at Layer 2. Figure 1-3 An Ethernet frame with an 802.1Q tag header As shown in the figure above, the 4-byte 802.1Q tag header consists of the tag protocol identifier (TPID, two bytes in length), whose value is 0x8100, and the tag control information (TCI, two bytes in length).
  • Page 515: Protocol Priority

    Priority trust mode After a packet enters a switch, the switch sets the 802.1p priority and local precedence for the packet according to its own capability and the corresponding rules. For a packet carrying no 802.1q tag When a packet carrying no 802.1q tag reaches the port of a switch, the switch uses the port priority as the 802.1p precedence value of the received packet, searches for the local precedence corresponding to the port priority of the receiving port in the 802.1p-to-local precedence mapping table, and assigns the local precedence to the packet.
  • Page 516: Priority Marking

    Priority Marking The priority marking function is to reassign priority for the traffic matching an ACL referenced for traffic classification. If 802.1p priority marking is configured, the traffic will be mapped to the local precedence corresponding to the re-marked 802.1p priority and assigned to the output queue corresponding to the local precedence.
  • Page 517: Line Rate

    enough to forward the packets, the traffic is conforming to the specification; otherwise, the traffic is nonconforming or excess. Parameters concerning token bucket include: Average rate: The rate at which tokens are put into the bucket, namely, the permitted average rate of the traffic.
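The token bucket described above, tokens added at the average rate and a packet counted as conforming only when the bucket holds enough tokens to forward it, is shown as an added Python example. It is not the switch's implementation: the CIR is taken in bits per second and the CBS in bytes (matching the target-rate and burst-bucket-size arguments of the traffic-limit and line-rate commands described later on this page), and the packet trace is constructed.

```python
"""Token-bucket measurement as used by traffic policing and line rate.
Added example, not the switch's implementation. CIR in bits/s, CBS in bytes;
the sample trace is constructed."""


class TokenBucket:
    def __init__(self, cir_bps: int, cbs_bytes: int):
        if cir_bps <= 0 or cbs_bytes <= 0:
            raise ValueError("CIR and CBS must be positive")
        self.rate = cir_bps / 8.0        # tokens (bytes) added per second: the average rate
        self.capacity = cbs_bytes        # bucket depth: the largest burst that can conform
        self.tokens = float(cbs_bytes)   # the bucket starts full
        self.last = 0.0                  # time of the previous packet, seconds

    def classify(self, size_bytes: int, now: float) -> str:
        """'conform' if the bucket holds enough tokens for the packet (they are consumed),
        otherwise 'exceed' (the nonconforming / excess case; no tokens are consumed)."""
        if now < self.last:
            raise ValueError("timestamps must be non-decreasing")
        # Refill for the elapsed time, but never beyond the bucket depth.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return "conform"
        return "exceed"


def police(packets, cir_bps: int, cbs_bytes: int) -> list:
    """packets: iterable of (timestamp_seconds, size_bytes). Returns one verdict per packet."""
    bucket = TokenBucket(cir_bps, cbs_bytes)
    return [bucket.classify(size, ts) for ts, size in packets]


# Constructed trace for CIR 8 kbit/s (1000 bytes/s) and CBS 1500 bytes:
# a full-size burst at t=0, then packets arriving exactly as tokens are refilled.
SAMPLE_TRACE = [(0.0, 1500), (0.0, 100), (1.0, 1000), (1.0, 1), (2.5, 1500), (2.5, 1)]

if __name__ == "__main__":
    for (ts, size), verdict in zip(SAMPLE_TRACE, police(SAMPLE_TRACE, 8000, 1500)):
        print(f"t={ts:4.1f}s {size:5d} bytes -> {verdict}")
```

The trace shows the two parameters separately: the first 1500-byte packet conforms only because the CBS allows that burst, and after the bucket is emptied the sustainable rate is exactly 1000 bytes per second, so a 1000-byte packet after one second conforms while the following 1-byte packet exceeds.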
  • Page 518 The Switch 4500 series support three queue scheduling algorithms: Strict Priority (SP) queuing, Weighted Fair Queuing (WFQ), and Weighted Round Robin (WRR) queuing. SP queuing Figure 1-6 Diagram for SP queuing SP queue-scheduling algorithm is specially designed for critical service applications. An important feature of critical services is that they demand preferential service in congestion in order to reduce the response delay.
  • Page 519 Figure 1-7 Diagram for WFQ queuing Before WFQ is introduced, you must understand fair queuing (FQ) first. FQ is designed for the purpose of sharing network resources fairly and optimizing the delays and delay jitters of all the flows. It takes the interests of all parties into account, such as: Different queues are scheduled fairly, so the delay of each flow is balanced globally.
  • Page 520: Congestion Avoidance

    Figure 1-8 Diagram for WRR queuing WRR queue-scheduling algorithm schedules all the queues in turn and every queue can be assured of a certain service time. In a typical 3Com switch there are eight output queues on each port. WRR configures a weight value for each queue, for example: w7, w6, w5, w4, w3, w2, w1, and w0 respectively for queue 7 through queue 0.
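The SP and WRR scheduling behaviour described on the preceding pages is shown in the added Python simulation below, which is not code from the manual or the switch. It assumes eight (or fewer) numbered output queues with higher numbers served first, a per-queue WRR weight meaning the number of packets a queue may send in one round, and constructed packet backlogs; arrivals during scheduling are not modelled.

```python
"""Strict Priority (SP) and Weighted Round Robin (WRR) output scheduling.
Added example, not the switch's implementation; queues and packets are constructed."""
from collections import deque


def sp_schedule(queues: dict) -> list:
    """SP: drain the highest-numbered non-empty queue completely before any lower one."""
    order = []
    for q in sorted(queues, reverse=True):       # queue 7 first, queue 0 last
        order.extend(queues[q])
    return order


def wrr_schedule(queues: dict, weights: dict) -> list:
    """WRR: visit queues 7..0 in turn; each queue may send up to its weight per round,
    so every queue with a backlog is guaranteed service time."""
    if any(w < 1 for w in weights.values()):
        raise ValueError("WRR weights must be at least 1")
    pending = {q: deque(packets) for q, packets in queues.items()}
    order = []
    while any(pending.values()):
        for q in sorted(pending, reverse=True):
            for _ in range(weights.get(q, 1)):   # an unweighted queue sends one packet
                if not pending[q]:
                    break                        # queue empty: skip to the next queue
                order.append(pending[q].popleft())
    return order


def wrr_shares(weights: dict) -> dict:
    """Bandwidth share each queue receives under sustained load: weight / sum of weights."""
    total = sum(weights.values())
    return {q: w / total for q, w in weights.items()}


# Constructed backlog: three queues with four packets each, queue 2 weighted twice as high.
QUEUES = {
    2: ["a1", "a2", "a3", "a4"],
    1: ["b1", "b2", "b3", "b4"],
    0: ["c1", "c2", "c3", "c4"],
}
WEIGHTS = {2: 2, 1: 1, 0: 1}

if __name__ == "__main__":
    print("SP :", " ".join(sp_schedule(QUEUES)))
    print("WRR:", " ".join(wrr_schedule(QUEUES, WEIGHTS)))
    print("WRR shares:", wrr_shares(WEIGHTS))
```

Under SP the lower queues wait until the higher ones are empty, which is the starvation risk the text mentions; under WRR queue 0 still sends one packet per round while queue 2 sends two.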
  • Page 521: Traffic Mirroring

    In the WRED algorithm, an upper limit and a lower limit are set for each queue, and the packets in a queue are processed as follows: when the current queue length is smaller than the lower limit, no packet is dropped; when the queue length exceeds the upper limit, all newly received packets are dropped;...
  • Page 522: Configuring The Mapping Between 802.1P Priority And Local Precedence

    Configuration procedure Follow these steps to configure to trust port priority: Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Configure to trust port priority and configure the port priority: priority priority-level (Optional; by default, the switch trusts port priority and the priority of a...
  • Page 523: Setting The Priority Of Protocol Packets

    Configuration procedure Follow these steps to configure the mapping between 802.1p priority and local precedence: Enter system view: system-view. Configure the mapping between 802.1p priority and local precedence: qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-local-prec cos3-map-local-prec cos4-map-local-prec cos5-map-local-prec cos6-map-local-prec cos7-map-local-prec (Required)...
  • Page 524: Marking Packet Priority

    Configuration example Set the IP precedence of ICMP packets to 3. Display the configuration. Configuration procedure: <Sysname> system-view [Sysname] protocol-priority protocol-type icmp ip-precedence 3 [Sysname] display protocol-priority Protocol: icmp IP-Precedence: flash(3) Marking Packet Priority Refer to section Priority Marking for information about marking packet priority. Marking packet priority can be implemented in the following two ways: Through traffic policing When configuring traffic policing, you can define the action of marking the DSCP precedence for...
  • Page 525: Configuring Traffic Policing

    Enter system view: system-view. Mark the priorities for the packets belonging to a VLAN and matching a specific ACL: traffic-priority vlan vlan-id { inbound | outbound } acl-rule { { dscp dscp-value | ip-precedence { pre-value | from-cos } } | cos... (Required; refer to the command manual for information...
  • Page 526: Configuring Line Rate

    Configure traffic policing: traffic-limit inbound acl-rule [ union-effect ] target-rate [ burst-bucket burst-bucket-size ] [ exceed action ] (Required). Specify a committed information rate (CIR) for the target-rate argument, and specify a committed burst size (CBS) for the burst-bucket-size argument.
  • Page 527: Configuring Vlan Mapping

    Configure line rate: line-rate { inbound | outbound } target-rate [ burst-bucket burst-bucket-size ] (Required). Specify a committed information rate (CIR) for the target-rate argument, and specify a committed burst size (CBS) for the burst-bucket-size argument.
  • Page 528 Configuration procedure Follow these steps to configure queue scheduling in system view: Enter system view: system-view. Configure queue scheduling: queue-scheduler { strict-priority | wfq queue0-width queue1-width queue2-width queue3-width queue4-width queue5-width... (Required; by default, the queue scheduling algorithm adopted on all the ports is WRR).
  • Page 529: Configuring Wred

    The queue scheduling algorithm specified by using the queue-scheduler command in system view takes effect on all the ports. The queue scheduling algorithm configured in port view must be the same as that configured in system view. Otherwise, the system prompts configuration errors. If the weight (or bandwidth value) specified in system view for a queue of WRR queuing or WFQ queuing cannot meet the requirement of a port, you can modify the weight (or bandwidth value) for this port in the corresponding Ethernet port view.
  • Page 530: Configuring Traffic Mirroring

    Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Configure WRED: wred queue-index qstart probability (Required; by default, WRED is not configured). Configuration example Configure WRED for queue 2 of Ethernet 1/0/1 to drop the packets in queue 2 randomly when the number of packets in queue 2 exceeds 64, with a drop probability of 20%.
  • Page 531: Displaying And Maintaining Qos

    For information about the mirroring-group monitor-port command and the monitor-port command, refer to the mirroring section. Configuration example Network requirements: Ethernet 1/0/1 is connected to the 10.1.1.0/24 network segment. Duplicate the packets from network segment 10.1.1.0/24 to the destination mirroring port Ethernet 1/0/4.
  • Page 532: Qos Configuration Examples

    QoS Configuration Examples Configuration Example of Traffic policing and Line Rate Network requirement An enterprise network connects all the departments through an Ethernet switch. PC 1, with the IP address 192.168.0.1 belongs to the R&D department and is connected to Ethernet 1/0/1 of the switch. The marketing department is connected to Ethernet 1/0/2 of the switch.
  • Page 533: Configuration Example Of Priority Marking And Queue Scheduling

    Configuration Example of Priority Marking and Queue Scheduling Network requirements As shown in Figure 1-10, an enterprise network connects all the departments through an Ethernet switch. Clients PC 1 through PC 3 are connected to Ethernet 1/0/1 of the switch; clients PC 4 through PC 6 are connected to Ethernet 1/0/3 of the switch.
  • Page 534: Vlan Mapping Configuration Example

    [Sysname-Ethernet1/0/2] traffic-priority inbound ip-group 3000 rule 1 local-precedence 3 [Sysname-Ethernet1/0/2] traffic-priority inbound ip-group 3000 rule 2 local-precedence 2 [Sysname-Ethernet1/0/2] quit Configure queue scheduling # Apply SP queue scheduling algorithm. [Sysname] queue-scheduler strict-priority VLAN Mapping Configuration Example Network requirements Two customer networks are connected to the public network through Switch A and Switch B. Configure the VLAN mapping function on the switches to enable the hosts on the two customer networks to communicate through public network VLANs.
  • Page 535 Configuration procedure # Create customer VLANs VLAN 100 and VLAN 200 and service VLANs VLAN 500 and VLAN 600 on Switch A. <SwitchA> system-view [SwitchA] vlan 100 [SwitchA-vlan100] quit [SwitchA] vlan 200 [SwitchA-vlan200] quit [SwitchA] vlan 500 [SwitchA-vlan500] quit [SwitchA] vlan 600 [SwitchA-vlan600] quit # Configure Ethernet 1/0/11 of Switch A as a trunk port and configure its default VLAN as VLAN 100.
  • Page 536 # Configure VLAN mapping on Ethernet 1/0/11 to replace VLAN tag 100 with VLAN tag 500. [SwitchA] interface Ethernet 1/0/11 [SwitchA-Ethernet1/0/11] traffic-remark-vlanid inbound link-group 4000 remark-vlan 500 [SwitchA-Ethernet1/0/11] quit # Configure VLAN mapping on Ethernet 1/0/12 to replace VLAN tag 200 with VLAN tag 600. [SwitchA] interface Ethernet 1/0/12 [SwitchA-Ethernet1/0/12] traffic-remark-vlanid inbound link-group 4001 remark-vlan 600 [SwitchA-Ethernet1/0/12] quit...
  • Page 537 Table of Contents 1 Mirroring Configuration ····························································································································1-1 Mirroring Overview ··································································································································1-1 Local Port Mirroring ·························································································································1-1 Remote Port Mirroring ·····················································································································1-2 Traffic Mirroring ·······························································································································1-3 Mirroring Configuration····························································································································1-3 Configuring Local Port Mirroring······································································································1-4 Configuring Remote Port Mirroring··································································································1-4 Displaying and Maintaining Port Mirroring ······························································································1-7 Mirroring Configuration Examples···········································································································1-8 Local Port Mirroring Configuration Example····················································································1-8 Remote Port Mirroring Configuration Example ···············································································1-9...
  • Page 538: Mirroring Configuration

    Mirroring Configuration When configuring mirroring, go to these sections for information you are interested in: Mirroring Overview Mirroring Configuration Displaying and Maintaining Port Mirroring Mirroring Configuration Examples Mirroring Overview Mirroring is to duplicate packets from a port to another port connected with a data monitoring device for network monitoring and diagnosis.
  • Page 539: Remote Port Mirroring

    Remote Port Mirroring Remote port mirroring does not require the source and destination ports to be on the same device. The source and destination ports can be located on multiple devices across the network. This allows an administrator to monitor traffic on remote devices conveniently. To implement remote port mirroring, a special VLAN, called remote-probe VLAN, is used.
  • Page 540: Traffic Mirroring

    Sends mirrored packets to the destination switch. Intermediate switch Trunk port Two trunk ports are necessary for the intermediate switch to connect the devices at the source switch side and the destination switch side. Destination switch Trunk port Receives remote mirrored packets. Destination port Receives packets forwarded from the trunk port and...
  • Page 541: Configuring Local Port Mirroring

    Configuring Local Port Mirroring Configuration prerequisites The source port is determined and the direction in which the packets are to be mirrored is determined. The destination port is determined. Configuration procedure Follow these steps to configure port mirroring on Switch 4500 series: To do…...
  • Page 542 Configuration on a switch acting as a source switch Configuration prerequisites The source port, the reflector port, and the remote-probe VLAN are determined. Layer 2 connectivity is ensured between the source and destination switches over the remote-probe VLAN. The direction of the packets to be monitored is determined. Configuration procedure Follow these steps to perform configurations on the source switch: To do…...
  • Page 543 cannot be configured with functions like VLAN-VPN, port loopback detection, packet filtering, QoS, port security, and so on. You cannot modify the duplex mode, port rate, and MDI attribute of a reflector port. Only an existing static VLAN can be configured as the remote-probe VLAN. To remove a remote-probe VLAN, you need to restore it to a normal VLAN first.
  • Page 544: Displaying And Maintaining Port Mirroring

    To do… Use the command… Remarks Enter system view system-view — Create a VLAN and enter VLAN view vlan vlan-id vlan-id is the ID of the remote-probe VLAN. Configure the current VLAN as a remote-probe VLAN remote-probe vlan enable Required Return to system view quit —...
  • Page 545: Mirroring Configuration Examples

    Mirroring Configuration Examples Local Port Mirroring Configuration Example Network requirements The departments of a company connect to each other through Switch 4500 series: Research and Development (R&D) department is connected to Switch C through Ethernet 1/0/1. Marketing department is connected to Switch C through Ethernet 1/0/2. Data detection device is connected to Switch C through Ethernet 1/0/3. The administrator wants to monitor the packets received on and sent from the R&D department and the marketing department through the data detection device.
  • Page 546: Remote Port Mirroring Configuration Example

    Ethernet1/0/1 both Ethernet1/0/2 both monitor port: Ethernet1/0/3 After the configurations, you can monitor all packets received on and sent from the R&D department and the marketing department on the data detection device. Remote Port Mirroring Configuration Example Network requirements The departments of a company connect to each other through Switch 4500 series: Switch A, Switch B, and Switch C are Switch 4500 series.
  • Page 547 Configuration procedure Configure the source switch (Switch A) # Create remote source mirroring group 1. <Sysname> system-view [Sysname] mirroring-group 1 remote-source # Configure VLAN 10 as the remote-probe VLAN. [Sysname] vlan 10 [Sysname-vlan10] remote-probe vlan enable [Sysname-vlan10] quit # Configure the source ports, reflector port, and remote-probe VLAN for the remote source mirroring group.
  • Page 548 [Sysname-Ethernet1/0/2] port trunk permit vlan 10 Configure the destination switch (Switch C) # Create remote destination mirroring group 1. <Sysname> system-view [Sysname] mirroring-group 1 remote-destination # Configure VLAN 10 as the remote-probe VLAN. [Sysname] vlan 10 [Sysname-vlan10] remote-probe vlan enable [Sysname-vlan10] quit # Configure the destination port and remote-probe VLAN for the remote destination mirroring group.
  • Page 549 Table of Contents 1 XRN Fabric Configuration·························································································································1-1 Introduction to XRN·································································································································1-1 Establishment of an XRN Fabric ·····································································································1-1 How XRN Works······························································································································1-4 XRN Fabric Configuration ·······················································································································1-4 XRN Fabric Configuration Task List ································································································1-4 Specifying the Fabric Port of a Switch·····························································································1-5 Specifying the VLAN Used to Form an XRN Fabric········································································1-6 Setting a Unit ID for a Switch ··········································································································1-7 Assigning a Unit Name to a Switch ·································································································1-8 Assigning an XRN Fabric Name to a Switch ···················································································1-8...
  • Page 550: Xrn Fabric Configuration

    XRN Fabric Configuration When configuring XRN fabric, go to these sections for information you are interested in: Introduction to XRN XRN Fabric Configuration Displaying and Maintaining XRN Fabric XRN Fabric Configuration Example Introduction to XRN Expandable Resilient Networking (XRN), a feature particular to 3Com Switch 4500 series switches, is a new technology for building the core of a network.
  • Page 551 Figure 1-2 Port connection mode for Switch 4500 series bus topology (figure: XRN fabric; front-panel labels of the switch units, Console, Unit and Mode indicators, 10/100Base-TX and 1000Base ports)...
  • Page 552 The number of the existing devices in the fabric does not reach the maximum number of devices allowed by the fabric (up to eight devices can form a fabric). The fabric name of the device and the existing devices in the fabric are the same. The software version of the device is the same as that of the existing devices in the fabric.
  • Page 553: How Xrn Works

    Status Analysis Solution ... of the fabric are not the same, or the password configured does not match. ... the passwords for the local device and the fabric as the same. How XRN Works When a fabric is established, the devices determine their respective roles in the fabric by comparing their CPU MAC addresses.
  • Page 554: Specifying The Fabric Port Of A Switch

    Task Remarks Fabric Setting a Unit ID for a Switch Optional Assigning a Unit Name to a Switch Optional Assigning an XRN Fabric Name to a Switch Optional Setting the XRN Fabric Authentication Mode Optional Specifying the Fabric Port of a Switch You can specify the fabric port of a switch in either system view or Ethernet interface view.
  • Page 555: Specifying The Vlan Used To Form An Xrn Fabric

    Establishing an XRN system requires a high consistency of the configuration of each device. Hence, before you enable the fabric port, do not perform any configuration for the port, and do not configure some functions that affect the XRN for other ports or globally. Otherwise, you cannot enable the fabric port.
  • Page 556: Setting A Unit Id For A Switch

    Setting a Unit ID for a Switch On the switches that support automatic numbering, FTM will automatically number the switches to constitute an XRN fabric by default, so that each switch has a unique unit ID in the fabric. You can use the command in the following table to set unit IDs for switches.
  • Page 557: Assigning A Unit Name To A Switch

    If auto-numbering is selected, the system sets the unit priority to 10. You can use the fabric save-unit-id command to save the modified unit ID into the unit Flash memory and clear the information about the existing one. Priority is the reference for FTM program to perform automatic numbering. The value of priority can be 5 or 10.
  • Page 558: Displaying And Maintaining Xrn Fabric

    To do… Use the command… Remarks Enter system view system-view — Set the XRN fabric authentication mode for the switch xrn-fabric authentication-mode { simple password | md5 key } Optional. By default, no authentication mode is set on a switch. When an XRN fabric operates normally, you can regard the whole fabric as a single device and perform configuration on it.
  • Page 559: Network Diagram

    Network Diagram Figure 1-3 Network diagram for forming an XRN fabric Configuration Procedure Configure Switch A. # Configure fabric ports. <Sysname> system-view [Sysname] fabric-port GigabitEthernet1/0/25 enable # Configure the unit name as Unit 1. [Sysname] set unit 1 name Unit1 # Configure the fabric name as hello.
  • Page 560 # Configure the unit name as Unit 3. [Sysname] set unit 1 name unit3 # Configure the fabric name as hello. [Sysname] sysname hello # Configure the fabric authentication mode as simple and the password as welcome. [hello] xrn-fabric authentication-mode simple welcome Configure Switch D.
  • Page 561 Table of Contents 1 Cluster ························································································································································1-1 Cluster Overview·····································································································································1-1 Introduction to HGMP ······················································································································1-1 Roles in a Cluster ····························································································································1-2 How a Cluster Works·······················································································································1-4 Cluster Configuration Task List···············································································································1-9 Configuring the Management Device ······························································································1-9 Configuring Member Devices ········································································································1-14 Managing a Cluster through the Management Device··································································1-16 Configuring the Enhanced Cluster Features ·················································································1-17 Displaying and Maintaining Cluster Configuration ················································································1-19 Cluster Configuration Examples ···········································································································1-20...
  • Page 562: Cluster

    Cluster When configuring cluster, go to these sections for information you are interested in: Cluster Overview Cluster Configuration Task List Displaying and Maintaining Cluster Configuration Cluster Configuration Examples Cluster Overview Introduction to HGMP A cluster contains a group of switches. Through cluster management, you can manage multiple geographically dispersed switches in a centralized way.
  • Page 563: Roles In A Cluster

    Figure 1-1 A cluster implementation HGMP V2 has the following advantages: It eases the configuration and management of multiple switches: You just need to configure a public IP address for the management device instead of for all the devices in the cluster; and then you can configure and manage all the member devices through the management device without the need to log onto them one by one.
  • Page 564 Table 1-1 Description on cluster roles Role Configuration Function Management device Configured with an external IP address Provides an interface for managing all the switches in a cluster. Manages member devices through command redirection, which forwards commands intended for specific member devices. Discovers neighbors, ...
  • Page 565: How A Cluster Works

    A candidate device becomes a member device after being added to a cluster. A member device becomes a candidate device after it is removed from the cluster. A management device becomes a candidate device only after the cluster is removed. After you create a cluster on a Switch 4500 switch, the switch collects the network topology information periodically and adds the candidate switches it finds to the cluster.
  • Page 566 packet data. The receiving devices store the information carried in the NDP packet into the NDP table but do not forward the NDP packet. When they receive another NDP packet, if the information carried in the packet is different from the stored one, the corresponding entry in the NDP table is updated, otherwise only the holdtime of the entry is updated.
  • Page 567 To implement NTDP, you need to enable NTDP both globally and on specific ports on the management device, and configure NTDP parameters. On member/candidate devices, you only need to enable NTDP globally and on specific ports. Member and candidate devices adopt the NTDP settings of the management device. Introduction to Cluster A cluster must have one and only one management device.
  • Page 568 Figure 1-3 State machine of the connection between the management device and a member device (figure: states Active, Connect and Disconnect; transitions: receives handshake packets; fails to receive handshake packets in three consecutive intervals; holdtime exceeds the specified value; disconnect state or management is recovered) After a cluster is created and a candidate device is added to the cluster as a member device, both...
  • Page 569 Enabling the management packets (including NDP packets, NTDP packets, and handshake packets) to be transmitted in the management VLAN only, through which the management packets are isolated from other packets and network security is improved. Enabling the management device and the member devices to communicate with each other in the management VLAN.
  • Page 570: Cluster Configuration Task List

    downstream switch compares its own MAC address with the destination MAC address carried in the multicast packet: If the two MAC addresses are the same, the downstream switch sends a response to the switch sending the tracemac command, indicating the success of the tracemac command. If the two MAC addresses are different, the downstream switch will query the port connected with its downstream switch based on the MAC address and VLAN ID, and then forward the packet to its downstream switch.
  • Page 571 Task Remarks Enabling NTDP globally and on a specific port Required Configuring NTDP-related parameters Optional Enabling the cluster function Required Configuring cluster parameters Required Configuring inside-outside interaction for a cluster Optional Configuring the network management interface for a cluster Optional To reduce the risk of attacks by malicious users against open sockets and enhance switch security, the Switch 4500 series Ethernet switches provide the following functions, so that a cluster socket is opened only when it is needed:...
  • Page 572 To do… Use the command… Remarks Enter system view system-view — Configure the holdtime of NDP information ndp timer aging aging-in-seconds Optional. By default, the holdtime of NDP information is 180 seconds. Configure the interval to send NDP packets ndp timer hello seconds Optional. By default, the interval to send NDP packets is 60 seconds.
  • Page 573 Enabling the cluster function Follow these steps to enable the cluster function: To do… Use the command… Remarks Enter system view system-view — Enable the cluster function globally cluster enable Required. By default, the cluster function is enabled. Configuring cluster parameters The establishment of a cluster and the related configuration can be accomplished in manual mode or automatic mode, as described below.
  • Page 574 To do… Use the command… Remarks Enter system view system-view — Enter cluster view cluster — Configure the IP address range for the cluster ip-pool administrator-ip-address { ip-mask | ip-mask-length } Required Start automatic cluster establishment auto-build [ recover ] Required. Follow prompts to establish a cluster.
  • Page 575: Configuring Member Devices

    Follow these steps to configure the network management interface for a cluster: To do… Use the command… Remarks Enter system view system-view — Enter cluster view cluster Required Configure the network management (NM) interface for the cluster nm-interface Vlan-interface vlan-id Required. By default, the management VLAN interface is used as the...
  • Page 576 To reduce the risk of attacks by malicious users against open sockets and enhance switch security, the Switch 4500 series Ethernet switches provide the following functions, so that a cluster socket is opened only when it is needed: Opening UDP port 40000 (used for cluster) only when the cluster function is implemented; Closing UDP port 40000 at the same time when the cluster function is closed.
  • Page 577: Managing A Cluster Through The Management Device

    To do… Use the command… Remarks Enter Ethernet port view interface interface-type interface-number — Enable NTDP on the port ntdp enable Required Enabling the cluster function Follow these steps to enable the cluster function: To do… Use the command… Remarks Enter system view system-view —...
  • Page 578: Configuring The Enhanced Cluster Features

    To do… Use the command… Remarks Return to system view quit — Return to user view quit — Switch between management device and member device cluster switch-to { member-number | mac-address H-H-H | administrator } Optional. You can use this command to switch to the view of a member device and switch back.
  • Page 579 Configuring the enhanced cluster features Complete the following tasks to configure the enhanced cluster feature: Task Remarks Configuring cluster topology management function Required Configuring cluster device blacklist Required Configuring cluster topology management function Configuration prerequisites Before configuring the cluster topology management function, make sure that: The basic cluster configuration is completed.
  • Page 580: Displaying And Maintaining Cluster Configuration

    If the management device of a cluster is a slave device in an XRN fabric, the standard topology information is saved only to the local Flash of the master device in the XRN fabric. Configuring cluster device blacklist Follow these steps to configure the cluster device blacklist on a management device: To do…...
  • Page 581: Cluster Configuration Examples

    To do… Use the command… Remarks Display information about the member devices of the cluster display cluster members [ member-number | verbose ] Clear the statistics on NDP ports reset ndp statistics [ interface port-list ] Available in user view. When you display the cluster topology information, the devices attached to the switch that is listed in the blacklist will not be displayed.
  • Page 582 Network diagram Figure 1-4 Network diagram for HGMP cluster configuration (diagram labels: Internet; SNMP/logging host (NMS); FTP/TFTP server; management device with VLAN-interface 2 and ports Eth 1/0/1, Eth 1/0/2, Eth 1/0/3; addresses 63.172.55.1, 69.172.55.4 and 163.172.55.1; cluster member devices, each attached via Eth 1/0/1, one with MAC 000f.e201.0011 and another with MAC 000f....)
  • Page 583 [Sysname] ndp enable [Sysname] undo ndp enable interface Ethernet 1/0/1 [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] undo ntdp enable [Sysname-Ethernet1/0/1] quit # Enable NDP on Ethernet 1/0/2 and Ethernet 1/0/3. [Sysname] interface Ethernet 1/0/2 [Sysname-Ethernet1/0/2] ndp enable [Sysname-Ethernet1/0/2] quit [Sysname] interface Ethernet 1/0/3 [Sysname-Ethernet1/0/3] ndp enable [Sysname-Ethernet1/0/3] quit # Set the hold time of NDP information to 200 seconds.
  • Page 584 [Sysname-cluster] build aaa [aaa_0.Sysname-cluster] # Add the attached two switches to the cluster. [aaa_0.Sysname-cluster] add-member 1 mac-address 000f-e201-0011 [aaa_0.Sysname-cluster] add-member 17 mac-address 000f-e201-0012 # Set the holdtime of member device information to 100 seconds. [aaa_0.Sysname-cluster] holdtime 100 # Set the interval between sending handshake packets to 10 seconds. [aaa_0.Sysname-cluster] timer 10 # Configure VLAN-interface 2 as the network management interface.
  • Page 585: Network Management Interface Configuration Example

    Network Management Interface Configuration Example Network requirements Configure VLAN-interface 2 as the network management interface of the switch; Configure VLAN 3 as the management VLAN; The IP address of the FTP server is 192.168.4.3; Switch A operates as the management switch; Switch B and Switch C are member switches.
  • Page 586: Enhanced Cluster Feature Configuration Example

    # Set the IP address of VLAN-interface 2 to 192.168.4.22. [Sysname] interface Vlan-interface 2 [Sysname-Vlan-interface2] ip address 192.168.4.22 255.255.255.0 [Sysname-Vlan-interface2] quit # Enable the cluster function. [Sysname] cluster enable # Enter cluster view. [Sysname] cluster [Sysname-cluster] # Configure a private IP address pool for the cluster. The IP address pool contains 30 IP addresses, starting from 192.168.5.1.
  • Page 587 Network diagram Figure 1-6 Network diagram for the enhanced cluster feature configuration (diagram labels: FTP server 192.168.0.4; management device 192.168.0.1; member devices, one with MAC 0001-2034-a0e5) Configuration procedure # Enter cluster view. <aaa_0.Sysname> system-view [aaa_0.Sysname] cluster # Add the MAC address 0001-2034-a0e5 to the cluster blacklist. [aaa_0.Sysname-cluster] black-list add-mac 0001-2034-a0e5 # Back up the current topology.
  • Page 588 Table of Contents 1 PoE Configuration ·····································································································································1-1 PoE Overview ·········································································································································1-1 Introduction to PoE ··························································································································1-1 PoE Features Supported by Switch 4500 ·······················································································1-1 PoE Configuration ···································································································································1-2 PoE Configuration Task List············································································································1-2 Enabling the PoE Feature on a Port································································································1-3 Setting the Maximum Output Power on a Port················································································1-3 Setting PoE Management Mode and PoE Priority of a Port····························································1-3 Setting the PoE Mode on a Port······································································································1-4 Configuring the PD Compatibility Detection Function ·····································································1-5...
  • Page 589: Poe Configuration

    PoE Configuration When configuring PoE, go to these sections for information you are interested in: PoE Overview PoE Configuration PoE Configuration Example PoE Overview Introduction to PoE Power over Ethernet (PoE)-enabled devices use twisted pairs through electrical ports to supply power to the remote powered devices (PD) in the network and implement power supply and data transmission simultaneously.
  • Page 590: Poe Configuration Task List

    Through the fixed 24/48 Ethernet electrical ports, it can supply power to up to 24/48 remote Ethernet switches with a maximum distance of 100 m (328 feet). Each Ethernet electrical port can supply at most a power of 15,400 mW to a PD. When AC power input is adopted for the switch, the maximum total power that can be provided is 300 W.
  • Page 591: Enabling The Poe Feature On A Port

    Task Remarks Configuring PoE Over-Temperature Protection on the Switch Upgrading the PSE Processing Software of Fabric Switches Online Optional Displaying PoE Configuration Optional Enabling the PoE Feature on a Port Follow these steps to enable the PoE feature on a port: To do…...
  • Page 592: Setting The Poe Mode On A Port

    auto: When the switch is close to its full load in supplying power, it will first supply power to the PDs that are connected to the ports with critical priority, and then supply power to the PDs that are connected to the ports with high priority. For example: Port A has the priority of critical. When the switch PoE is close to its full load and a new PD is now added to port A, the switch will power down the PD connected to the port with the lowest priority and turn to supply power to this new PD.
  • Page 593: Configuring The Pd Compatibility Detection Function

    Configuring the PD Compatibility Detection Function After the PD compatibility detection function is enabled, the switch can detect the PDs that do not conform to the 802.3af standard and supply power to them. After the PoE feature is enabled, perform the following configuration to enable the PD compatibility detection function.
  • Page 594: Upgrading The Pse Processing Software Online

    When the internal temperature of the switch decreases from X (X>65°C, or X>149°F) to Y (60°C≤Y<65°C, or 140°F≤Y<149°F), the switch still keeps the PoE function disabled on all the ports. When the internal temperature of the switch increases from X (X<60°C, or X<140°F) to Y (60°C<Y≤65°C, or 140°F<Y≤149°F), the switch still keeps the PoE function enabled on all the ports.
  • Page 595: Displaying Poe Configuration

    Follow these steps to upgrade the PSE processing software online: To do… Use the command… Remarks Upgrade the PSE processing software of the fabric switch online update fabric { file-url | device-name file-url } Optional Displaying PoE Configuration To do… Use the command…...
  • Page 596 Network diagram Figure 1-1 Network diagram for PoE Configuration procedure # Upgrade the PSE processing software online. <SwitchA> system-view [SwitchA] poe update refresh 0290_021.s19 # Enable the PoE feature on Ethernet 1/0/1, and set the PoE maximum output power of Ethernet 1/0/1 to 12,000 mW.
  • Page 597: Poe Profile Configuration

    PoE Profile Configuration When configuring PoE profile, go to these sections for information you are interested in: Introduction to PoE Profile PoE Profile Configuration Displaying PoE Profile Configuration PoE Profile Configuration Example Introduction to PoE Profile On a large-sized network or a network with mobile users, to help network administrators to monitor the PoE features of the switch, Switch 4500 provides the PoE profile features.
  • Page 598 To do… Use the command… Remarks Enable the PoE feature on a port poe enable Required. Disabled by default. Configure PoE mode for Ethernet ports poe mode { signal | spare } Optional. signal by default. Configure the relevant features in ... Configure the PoE priority for Ethernet ... Optional...
  • Page 599: Displaying Poe Profile Configuration

    Displaying PoE Profile Configuration
    To do… | Use the command… | Remarks
    Display the detailed information about the PoE profiles created on the switch | display poe-profile { all-profile | interface interface-type interface-number | name profile-name } | Available in any view
    PoE Profile Configuration Example
    PoE Profile Application Example
    Network requirements: Switch A is a Switch 4500 supporting PoE.
  • Page 600 Network diagram: Figure 2-1 PoE profile application (Switch A; Eth1/0/1~Eth1/0/5 and Eth1/0/6~Eth1/0/10, each group connected to IP phones)
    Configuration procedure
    # Create Profile 1, and enter PoE profile view.
    <SwitchA> system-view
    [SwitchA] poe-profile Profile1
    # In Profile 1, add the PoE policy configuration applicable to Ethernet 1/0/1 through Ethernet 1/0/5 ports for users of group A.
  • Page 601 [SwitchA-poe-profile-Profile2] poe mode signal
    [SwitchA-poe-profile-Profile2] poe priority high
    [SwitchA-poe-profile-Profile2] poe max-power 15400
    [SwitchA-poe-profile-Profile2] quit
    # Display detailed configuration information for Profile2.
    [SwitchA] display poe-profile name Profile2
    Poe-profile: Profile2, 2 action
    poe enable
    poe priority high
    # Apply the configured Profile 1 to Ethernet 1/0/1 through Ethernet 1/0/5 ports.
    [SwitchA] apply poe-profile Profile1 interface Ethernet1/0/1 to Ethernet1/0/5
    # Apply the configured Profile 2 to Ethernet 1/0/6 through Ethernet 1/0/10 ports.
  • Page 602 Table of Contents
    1 UDP Helper Configuration 1-1
    Introduction to UDP Helper 1-1
    Configuring UDP Helper 1-2
    Displaying and Maintaining UDP Helper 1-2
    UDP Helper Configuration Example 1-3
    Cross-Network Computer Search Through UDP Helper 1-3...
  • Page 603: Udp Helper Configuration

    UDP Helper Configuration When configuring UDP helper, go to these sections for information you are interested in: Introduction to UDP Helper Configuring UDP Helper Displaying and Maintaining UDP Helper UDP Helper Configuration Example Introduction to UDP Helper Sometimes, a host needs to forward broadcasts to obtain network configuration information or request the names of other devices on the network.
  • Page 604: Configuring Udp Helper

    Protocol | UDP port number
    Time Service | …
    Configuring UDP Helper
    Follow these steps to configure UDP Helper:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable UDP Helper | udp-helper enable | Required. Disabled by default.
    Specify a UDP port number... | udp-helper port { port-number | … | Optional. By default, the device enabled with UDP Helper forwards the ...
  • Page 605: Udp Helper Configuration Example

    To do… | Use the command… | Remarks
    Clear statistics about packets forwarded by UDP Helper | reset udp-helper packet | Available in user view
    UDP Helper Configuration Example
    Cross-Network Computer Search Through UDP Helper
    Network requirements: PC A resides on network segment 192.168.1.0/24 and PC B on 192.168.10.0/24; they are connected through Switch A and are routable to each other.
  • Page 606 Table of Contents
    1 SNMP Configuration 1-1
    SNMP Overview 1-1
    SNMP Operation Mechanism 1-1
    SNMP Versions 1-1
    Supported MIBs 1-2
    Configuring Basic SNMP Functions 1-2
    Configuring Trap-Related Functions 1-4
    Configuring Basic Trap Functions 1-4
    Configuring Extended Trap Function 1-5
    Enabling Logging for Network Management 1-5
    Displaying SNMP 1-6
    SNMP Configuration Example 1-6
    SNMP Configuration Example 1-6
    2 RMON Configuration 2-1...
  • Page 607: Snmp Configuration

    SNMP Configuration When configuring SNMP, go to these sections for information you are interested in: SNMP Overview Configuring Basic SNMP Functions Configuring Trap-Related Functions Enabling Logging for Network Management Displaying SNMP SNMP Configuration Example SNMP Overview The Simple Network Management Protocol (SNMP) is used for ensuring the transmission of the management information between any two network nodes.
  • Page 608: Configuring Basic Snmp Functions

    Set the permission for a community to access an MIB object to read-only or read-write. Communities with read-only permission can only query switch information, while those with read-write permission can also configure the switch. Bind a basic ACL to the community name to restrict which source addresses may use it. The community string is the only credential in SNMPv1/SNMPv2c and travels in clear text, so a read-write community without an ACL lets any host that learns the string reconfigure the switch.
    Supported MIBs
    An SNMP packet carries management variables with it.
  • Page 609 To do… | Use the command… | Remarks
    Set a community name (direct configuration) | snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]* | Required. Set an SNMPv1/SNMPv2c community name through direct configuration.
    Set an ... (indirect configuration) | snmp-agent group { v1 | ... | Indirect configuration is ...
  • Page 610: Configuring Trap-Related Functions

    To do… | Use the command… | Remarks
    Encrypt a plain-text password to generate a cipher-text one | snmp-agent calculate-password plain-password mode { md5 | sha } { local-engineid | specified-engineid engineid } | Optional. This command is used if a password in cipher text is needed for adding a new user.
    The result depends on the engine ID you give (local or specified): an SNMPv3 user's derived key is only valid on the engine it was computed for, so recompute it if the engine ID changes.
    snmp-agent usm-user v3 user-name group-name...
  • Page 611: Configuring Extended Trap Function

    To do… | Use the command… | Remarks
    Enable the switch to send traps to NMS | snmp-agent trap enable [ configuration | flash | standard [ authentication | coldstart | linkdown | linkup | warmstart ]* | system ] | …
    Enter port view or interface view | interface interface-type interface-number | Optional...
  • Page 612: Displaying Snmp

    To do… | Use the command… | Remarks
    Enable logging for network management | snmp-agent log { set-operation | get-operation | all } | Optional. Disabled by default.
    When SNMP logging is enabled on a device, SNMP logs are output to the information center of the device.
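How an SNMPv1/SNMPv2c agent decides whether a request may proceed, as an added example that is not from the 3Com manual. It models the three controls this chapter describes: the community's read or write permission, the basic ACL bound to the community name, and the get/set operation logging enabled with snmp-agent log. The community table, ACL rule format, request fields and log line format are assumptions made for the illustration, not the switch's internal structures.

```python
# Added example, not from the 3Com manual: how an SNMPv1/SNMPv2c agent decides
# whether a request may proceed, modelled on the community permission (read or
# write), the basic ACL bound to the community, and the get/set operation logging
# described above. The community table, ACL rules, request fields and log format
# are assumptions made for this illustration, not the switch's internal structures.

import ipaddress
from dataclasses import dataclass, field


@dataclass
class AclRule:
    action: str        # "permit" or "deny"
    source: str        # source network in CIDR form; "0.0.0.0/0" matches any host


@dataclass
class Community:
    name: str
    permission: str    # "read" or "write" (write implies read)
    acl: list = field(default_factory=list)   # empty list: no ACL bound


READ_OPS = {"get", "getnext", "getbulk"}
WRITE_OPS = {"set"}


def acl_permits(acl, src_ip):
    """First matching rule wins. Assumption of this model: a bound ACL with no
    matching rule denies, so a community protected by an ACL only answers
    sources that were explicitly permitted."""
    if not acl:
        return True
    ip = ipaddress.ip_address(src_ip)
    for rule in acl:
        if ip in ipaddress.ip_network(rule.source, strict=False):
            return rule.action == "permit"
    return False


def authorize(communities, community_name, operation, src_ip, log_mode="all", log=None):
    """Return (allowed, reason). log_mode mirrors snmp-agent log
    { set-operation | get-operation | all }: allowed operations of the
    selected kind get a line appended to log (a list)."""
    if log is None:
        log = []
    com = communities.get(community_name)
    if com is None:
        return False, "unknown community"
    if not acl_permits(com.acl, src_ip):
        return False, "source denied by ACL"
    if operation in WRITE_OPS and com.permission != "write":
        return False, "community is read-only"
    if operation not in READ_OPS | WRITE_OPS:
        return False, "unsupported operation"
    log_sets = log_mode in ("all", "set-operation")
    log_gets = log_mode in ("all", "get-operation")
    if (operation in WRITE_OPS and log_sets) or (operation in READ_OPS and log_gets):
        log.append("snmp %s by %s community=%s" % (operation, src_ip, community_name))
    return True, "ok"


if __name__ == "__main__":
    table = {
        "public": Community("public", "read"),
        "private": Community("private", "write", [AclRule("permit", "10.10.10.0/24")]),
    }
    audit = []
    print(authorize(table, "private", "set", "10.10.10.1", "set-operation", audit), audit)
    print(authorize(table, "private", "set", "192.0.2.5", "set-operation", audit))
```

The order of the checks matters for what an attacker learns: the ACL is evaluated before the permission, so a host outside the permitted range gets no answer at all, and only a permitted host can discover whether a community is read-only by trying a set.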
  • Page 613 Perform the following configuration on Switch A: set the community name and access permission, administrator ID, contact and switch location, and enable the switch to send traps. The NMS is then able to access Switch A and receive the traps sent by Switch A.
    Network diagram: Figure 1-2 Network diagram for SNMP configuration (Switch A...)
  • Page 614 [Sysname] snmp-agent trap enable standard linkdown
    [Sysname] snmp-agent target-host trap address udp-domain 10.10.10.1 udp-port 5000 params securityname public
    The example uses the well-known community string public; replace it with a non-default string in production.
    Configuring the NMS
    Authentication-related configuration on an NMS must be consistent with that of the devices for the NMS to manage the devices successfully. For more information, refer to the corresponding manuals of 3Com's NMS products.
  • Page 615: Rmon Configuration

    RMON Configuration When configuring RMON, go to these sections for information you are interested in: Introduction to RMON RMON Configuration Displaying RMON RMON Configuration Example Introduction to RMON Remote Monitoring (RMON) is a kind of MIB defined by Internet Engineering Task Force (IETF). It is an important enhancement made to MIB II standards.
  • Page 616: Commonly Used Rmon Groups

    statistics and performance statistics of the network segments to which the ports of the managed network devices are connected. Thus, the NMS can further manage the networks. Commonly Used RMON Groups Event group Event group is used to define the indexes of events and the processing methods of the events. The events defined in an event group are mainly used by entries in the alarm group and extended alarm group to trigger alarms.
  • Page 617 Statistics group Statistics group contains the statistics of each monitored port on a switch. An entry in a statistics group is an accumulated value counting from the time when the statistics group is created. The statistics include the number of the following items: collisions, packets with Cyclic Redundancy Check (CRC) errors, undersize (or oversize) packets, broadcast packets, multicast packets, and received bytes and packets.
  • Page 618: Displaying Rmon

    The rmon alarm and rmon prialarm commands take effect on existing nodes only. For each port, only one RMON statistics entry can be created. That is, if an RMON statistics entry is already created for a given port, you will fail to create another statistics entry with a different index for the same port.
  • Page 619 [Sysname-Ethernet1/0/1] quit
    # Add the event entries numbered 1 and 2 to the event table, which will be triggered by the following extended alarm.
    [Sysname] rmon event 1 log
    [Sysname] rmon event 2 trap 10.21.30.55
    # Add an entry numbered 2 to the extended alarm table so that the system evaluates the alarm variable with the formula (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.1), that is, the total number of undersize and oversize packets (otherwise well formed) received on Ethernet 1/0/1, and samples it every 10 seconds.
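The threshold logic behind the rmon prialarm entry above, as an added example that is not from the 3Com manual. The expression sums the two etherStats counters on the page (undersize plus oversize packets on Ethernet 1/0/1), is evaluated once per 10-second sample, and raises event 1 (log) or event 2 (trap). The threshold values (rising 100, falling 50), the use of delta sampling, the assignment of event 1 to the rising threshold and event 2 to the falling one, and the counter readings are assumptions made for the illustration; the OIDs and event numbers are the page's own.

```python
# Added example, not from the 3Com manual: the alarm-table semantics behind the
# rmon prialarm entry above. The OIDs and event numbers come from the page; the
# thresholds (rising 100, falling 50), delta sampling, the rising=event 1 /
# falling=event 2 mapping and the counter readings are assumptions.

UNDERSIZE = ".1.3.6.1.2.1.16.1.1.1.9.1"    # etherStatsUndersizePkts, Ethernet 1/0/1
OVERSIZE = ".1.3.6.1.2.1.16.1.1.1.10.1"    # etherStatsOversizePkts, Ethernet 1/0/1


class PriAlarm:
    """RFC 2819 alarm semantics applied to an expression over several OIDs.

    sample_type: 'absolute' compares the expression value itself;
                 'delta' compares the change since the previous sample, which
                 is what you want for monotonically increasing counters.
    A rising event fires when the value reaches rising_threshold and is not
    fired again until the value has first dropped to falling_threshold (and
    symmetrically for falling events). That rule is why the switch sends one
    trap per crossing rather than one per sampling interval.
    """

    def __init__(self, expression, sample_type, rising_threshold, rising_event,
                 falling_threshold, falling_event):
        self.expression = expression          # callable(snapshot) -> int
        self.sample_type = sample_type
        self.rising_threshold = rising_threshold
        self.falling_threshold = falling_threshold
        self.rising_event = rising_event
        self.falling_event = falling_event
        self.last_value = None
        self.last_alarm = None                # 'rising', 'falling' or None

    def sample(self, snapshot):
        """Process one sample (a dict OID -> counter); return the event fired or None."""
        value = self.expression(snapshot)
        if self.sample_type == "delta":
            if self.last_value is None:
                self.last_value = value       # first delta sample has no baseline
                return None
            value, self.last_value = value - self.last_value, value
        if value >= self.rising_threshold and self.last_alarm != "rising":
            self.last_alarm = "rising"
            return self.rising_event
        if value <= self.falling_threshold and self.last_alarm != "falling":
            self.last_alarm = "falling"
            return self.falling_event
        return None


def runt_and_giant_pkts(snapshot):
    """The page's expression: undersize + oversize packets on Ethernet 1/0/1."""
    return snapshot[UNDERSIZE] + snapshot[OVERSIZE]


def replay(alarm, samples):
    """Run a sequence of 10-second samples through the alarm; return the events."""
    return [alarm.sample(s) for s in samples]


if __name__ == "__main__":
    alarm = PriAlarm(runt_and_giant_pkts, "delta", 100, 1, 50, 2)
    # Constructed counter readings: a burst of malformed frames, then quiet, then another burst.
    readings = [(0, 0), (80, 40), (200, 60), (210, 65), (220, 70), (400, 90)]
    print(replay(alarm, [{UNDERSIZE: u, OVERSIZE: o} for u, o in readings]))
```

For detection work the suppression rule is the part to remember: a port that stays above the rising threshold produces a single trap at the first crossing, so an NMS that counts traps is measuring crossings, not the duration or volume of the condition.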
  • Page 620 Table of Contents
    1 NTP Configuration 1-1
    Introduction to NTP 1-1
    Applications of NTP 1-1
    Implementation Principle of NTP 1-2
    NTP Implementation Modes 1-3
    NTP Configuration Task List 1-6
    Configuring NTP Implementation Modes 1-6
    Configuring NTP Server/Client Mode 1-7
    Configuring the NTP Symmetric Peer Mode 1-7
    Configuring NTP Broadcast Mode 1-8
    Configuring NTP Multicast Mode 1-9
    Configuring Access Control Right 1-10...
  • Page 621: Ntp Configuration

    NTP Configuration When configuring NTP, go to these sections for information you are interested in: Introduction to NTP NTP Configuration Task List Configuring NTP Implementation Modes Configuring Access Control Right Configuring NTP Authentication Configuring Optional NTP Parameters Displaying NTP Configuration Configuration Examples Introduction to NTP Network Time Protocol (NTP) is a time synchronization protocol defined in RFC 1305.
  • Page 622: Implementation Principle Of Ntp

    Defining the accuracy of clocks by stratum to synchronize the clocks of all devices in a network quickly
    Supporting access control (see section Configuring Access Control Right) and MD5-based authentication (see section Configuring NTP Authentication). NTP authentication is a keyed MD5 digest appended to each packet, not encryption: the packet itself travels in clear text, and the shared key proves its origin and integrity.
    Sending protocol packets in unicast, multicast, or broadcast mode
    The clock stratum determines the accuracy, which ranges from 1 to 16.
  • Page 623: Ntp Implementation Modes

    Figure 1-1 Implementation principle of NTP. Device A sends an NTP message at 10:00:00 am (Device A time) across the IP network; Device B receives it at 11:00:01 am and replies at 11:00:02 am (Device B time); Device A receives the response at 10:00:03 am...
  • Page 624 Server/client mode: Figure 1-2 Server/client mode
    Symmetric peer mode: Figure 1-3 Symmetric peer mode (active peer and passive peer exchange a clock synchronization request packet and a response packet over the network; the passive peer works in passive peer mode automatically; in peer mode, both sides can synchronize to each other)
    In the symmetric peer mode, the local S4500 Ethernet switch serves as the symmetric-active peer and...
  • Page 625 Multicast mode: Figure 1-5 Multicast mode
    Table 1-1 describes how the above mentioned NTP modes are implemented on 3Com S4500 series Ethernet switches.
    Table 1-1 NTP implementation modes on 3Com S4500 series Ethernet switches
    NTP implementation mode | Configuration on S4500 series switches
    Server/client mode | Configure the local S4500 Ethernet switch to work in the NTP client mode.
  • Page 626: Ntp Configuration Task List

    When a 3Com S4500 Ethernet switch works in server mode or symmetric passive mode, you do not need to perform related configuration on that switch; configure the client or the symmetric-active peer instead. The NTP server mode, NTP broadcast mode, or NTP multicast mode takes effect only after the local clock of the 3Com S4500 Ethernet switch has been synchronized.
  • Page 627: Configuring Ntp Server/Client Mode

    Execution of one of the ntp-service unicast-server, ntp-service unicast-peer, ntp-service broadcast-client, ntp-service broadcast-server, ntp-service multicast-client, and ntp-service multicast-server commands enables the NTP feature and opens UDP port 123 at the same time. Execution of the undo form of one of the above six commands disables all implementation modes of the NTP feature and closes UDP port 123 at the same time.
  • Page 628: Configuring Ntp Broadcast Mode

    To do… | Use the command… | Remarks
    Specify a symmetric-passive peer for the switch | ntp-service unicast-peer { remote-ip | peer-name } [ authentication-keyid key-id | priority | source-interface Vlan-interface vlan-id | version number ]* | Required. By default, a switch is not configured to work in the symmetric mode.
  • Page 629: Configuring Ntp Multicast Mode

    To do… | Use the command… | Remarks
    Enter VLAN interface view | interface Vlan-interface vlan-id | —
    Configure the switch to work in the NTP broadcast server mode | ntp-service broadcast-server [ authentication-keyid key-id | version number ]* | Required. Not configured by default.
    Configuring a switch to work in the NTP broadcast client mode
    Follow these steps to configure a switch to work in the NTP broadcast client mode:
    To do…...
  • Page 630: Configuring Access Control Right

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter VLAN interface view | interface Vlan-interface vlan-id | —
    Configure the switch to work in the NTP multicast client mode | ntp-service multicast-client [ ip-address ] | Required. Not configured by default.
    Configuring Access Control Right
    With the following command, you can configure the NTP service access-control right to the local switch for a peer device.
  • Page 631: Configuring Ntp Authentication

    The access-control right mechanism provides only a minimum degree of protection for the local switch, because it filters on source address alone and the source address of a UDP packet can be spoofed. A more secure method is identity authentication.
    Configuring NTP Authentication
    In networks with higher security requirements, enable NTP authentication so that the switch accepts time only from peers that hold the shared key.
  • Page 632 Configuration Procedure
    Configuring NTP authentication on the client
    Follow these steps to configure NTP authentication on the client:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable the NTP authentication function | ntp-service authentication enable | Required. Disabled by default.
    Configure the NTP ... | ntp-service ... | Required...
  • Page 633: Configuring Optional Ntp Parameters

    To do… | Use the command… | Remarks
    Configure the specified key as a trusted key | ntp-service reliable authentication-keyid key-id | Required. By default, no trusted authentication key is configured.
    Enter VLAN interface view | interface Vlan-interface vlan-id | —
    Configure on the NTP broadcast ... (in NTP broadcast server mode and NTP multicast ...) | ntp-service broadcast-server ... | ...
  • Page 634: Displaying Ntp Configuration

    If you have specified an interface in the ntp-service unicast-server or ntp-service unicast-peer command, this interface will be used for sending NTP messages. Configuring the Number of Dynamic Sessions Allowed on the Local Switch A single device can have a maximum of 128 associations at the same time, including static associations and dynamic associations.
  • Page 635: Configuring Ntp Server/Client Mode

    To do… | Use the command… | Remarks
    Display the information about the sessions maintained by NTP | display ntp-service sessions [ verbose ] |
    Display brief information about the NTP servers along the path from the local device to the reference clock source | display ntp-service trace |
    Configuration Examples
    Configuring NTP Server/Client Mode...
  • Page 636: Configuring Ntp Symmetric Peer Mode

    [DeviceB] display ntp-service status Clock status: synchronized Clock stratum: 3 Reference clock ID: 1.0.1.11 Nominal frequency: 100.0000 Hz Actual frequency: 100.0000 Hz Clock precision: 2^18 Clock offset: 0.66 ms Root delay: 27.47 ms Root dispersion: 208.39 ms Peer dispersion: 9.63 ms Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C) The above output information indicates that Device B is synchronized to Device A, and the stratum level of its clock is 3, one level lower than that of Device A.
  • Page 637 Configuration procedure
    Configure Device C.
    # Set Device A as the NTP server.
    <DeviceC> system-view
    [DeviceC] ntp-service unicast-server 3.0.1.31
    Configure Device B (after Device C is synchronized to Device A).
    # Enter system view.
    <DeviceB> system-view
    # Set Device C as the peer of Device B.
    [DeviceB] ntp-service unicast-peer 3.0.1.33
    Device C and Device B are symmetric peers after the above configuration.
  • Page 638: Configuring Ntp Broadcast Mode

    Configuring NTP Broadcast Mode Network requirements The local clock of Device C is set as the NTP master clock, with a stratum level of 2. Configure Device C to work in the NTP broadcast server mode and send NTP broadcast messages through VLAN-interface 2.
  • Page 639 View the NTP status of Device D after the clock synchronization.
    [DeviceD] display ntp-service status
    Clock status: synchronized
    Clock stratum: 3
    Reference clock ID: 3.0.1.31
    Nominal frequency: 100.0000 Hz
    Actual frequency: 100.0000 Hz
    Clock precision: 2^18
    Clock offset: 198.7425 ms
    Root delay: 27.47 ms
    Root dispersion: 208.39 ms
    Peer dispersion: 9.63 ms...
  • Page 640 Network diagram: Figure 1-9 Network diagram for NTP multicast mode configuration
    Configuration procedure
    Configure Device C.
    # Enter system view.
    <DeviceC> system-view
    # Set Device C as a multicast server to send multicast messages through VLAN-interface 2.
    [DeviceC] interface Vlan-interface 2
    [DeviceC-Vlan-interface2] ntp-service multicast-server
    Configure Device A (perform the same configuration on Device D).
  • Page 641: Configuring Ntp Server/Client Mode With Authentication

    Root dispersion: 208.39 ms
    Peer dispersion: 9.63 ms
    Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C)
    The output indicates that Device D is synchronized to Device C, with a clock stratum level of 3, one stratum level lower than that of Device C.
    # View the information about the NTP sessions of Device D (you can see that a connection is established between Device D and Device C).
  • Page 642 To synchronize Device B, you need to perform the following configurations on Device A.
    # Enable the NTP authentication function.
    <DeviceA> system-view
    [DeviceA] ntp-service authentication enable
    # Configure an MD5 authentication key, with the key ID being 42 and the key being aNiceKey.
    [DeviceA] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
    # Specify the key 42 as a trusted key.
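The two mechanisms this chapter describes, as an added example that is not part of the 3Com manual: NTP MD5 authentication as configured on Device A above (key ID 42, key aNiceKey), and the offset and delay computation behind Figure 1-1. The sender appends a MAC consisting of the 32-bit key ID followed by MD5(key || 48-byte header); the receiver accepts a packet only if the key ID is both configured and declared trusted, which is the extra check that ntp-service reliable authentication-keyid adds. The MAC layout follows RFC 1305 / RFC 5905; the header field values, the second (untrusted) key 7 and the timestamps are constructed for illustration.

```python
# Added example, not from the 3Com manual: NTPv3 MD5 authentication as configured
# on Device A above (key ID 42, key "aNiceKey"), plus the offset/delay arithmetic
# behind Figure 1-1. MAC layout per RFC 1305 / RFC 5905; header field values, the
# untrusted key 7 and the timestamps are constructed for the illustration.

import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48


def build_ntp_header(version=3, mode=3, stratum=0, transmit_ts=0):
    """Minimal NTP header: LI=0, version, mode (3 = client), stratum, poll and
    precision 0, zeroed root delay/dispersion/reference ID and the three
    earlier timestamps, then the 64-bit transmit timestamp."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    fixed = struct.pack("!BBbb", li_vn_mode, stratum, 0, 0)
    return fixed + b"\x00" * 36 + struct.pack("!Q", transmit_ts)


def authenticate(header, key_id, key):
    """Sender side: append key ID || MD5(key || header)."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("the MAC must cover exactly the 48-byte header")
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, keys, trusted_ids):
    """Receiver side. keys: {key_id: key bytes} as set with
    ntp-service authentication-keyid; trusted_ids: the IDs declared with
    ntp-service reliable authentication-keyid. Returns (accepted, reason)."""
    if len(packet) != NTP_HEADER_LEN + 4 + 16:
        return False, "no MAC present"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    mac = packet[NTP_HEADER_LEN + 4:]
    if key_id not in keys:
        return False, "unknown key id %d" % key_id
    if key_id not in trusted_ids:
        return False, "key id %d configured but not trusted" % key_id
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, mac):      # constant-time comparison
        return False, "bad digest"
    return True, "ok"


def offset_and_delay(t1, t2, t3, t4):
    """Clock offset and round-trip delay (seconds) from the four timestamps:
    t1 client transmit, t2 server receive, t3 server transmit, t4 client receive."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


if __name__ == "__main__":
    keys = {42: b"aNiceKey", 7: b"otherKey"}      # 7 is configured but never trusted
    pkt = authenticate(build_ntp_header(transmit_ts=0xBF422AE405AEA86C), 42, b"aNiceKey")
    print(verify(pkt, keys, {42}))
    print(verify(authenticate(build_ntp_header(), 7, b"otherKey"), keys, {42}))
    # Figure 1-1 as seconds since midnight: 10:00:00, 11:00:01, 11:00:02, 10:00:03
    print(offset_and_delay(36000, 39601, 39602, 36003))
```

Two things follow from the construction. MD5(key || message) is a keyed digest, not an HMAC, and the key is shared, so anyone holding it can forge packets; the protection is against peers that do not hold it, and the trusted-key list is what stops a stale or test key that is still configured from being honoured. For Figure 1-1 the arithmetic gives an offset of exactly one hour with a two-second round trip, which is why Device A can correct its clock even though the reply appears to arrive only three seconds after it was sent.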
  • Page 643 Table of Contents
    1 SSH Configuration 1-1
    SSH Overview 1-1
    Introduction to SSH 1-1
    Algorithm and Key 1-1
    SSH Operating Process 1-2
    SSH Server and Client 1-4
    Configuring the SSH Server 1-5
    Configuring the User Interfaces for SSH Clients 1-6
    Configuring the SSH Management Functions 1-7
    Configuring Key Pairs 1-8
    Creating an SSH User and Specifying an Authentication Type 1-9
    Specifying a Service Type for an SSH User on the Server 1-10...
  • Page 644: Ssh Configuration

    SSH Configuration
    When configuring SSH, go to these sections for information you are interested in: SSH Overview; SSH Server and Client; Displaying and Maintaining SSH Configuration; Comparison of SSH Commands with the Same Functions; SSH Configuration Examples
    SSH Overview
    Introduction to SSH
    Secure Shell (SSH) is a protocol that provides secure remote login and other security services in insecure network environments, allowing secure access to the Command Line Interface (CLI) of a switch for configuration and management.
  • Page 645: Ssh Operating Process

    The same key is used for both encryption and decryption. Supported symmetric key algorithms include DES, 3DES, and AES, which protect the session against eavesdropping. Of these, single DES has a 56-bit key and is no longer considered secure; prefer AES, or 3DES where AES is unavailable, when the client lets you choose.
    Asymmetric key algorithm
    Asymmetric key algorithm is also called public key algorithm. Both ends have their own key pair, consisting of a private key and a public key.
  • Page 646 Currently, the switch supports only SSH2 Version. Version negotiation The server opens port 22 to listen to connection requests from clients. The client sends a TCP connection request to the server. After the TCP connection is established, the server sends the first packet to the client, which includes a version identification string in the format “SSH-<primary protocol...
  • Page 647: Ssh Server And Client

    The server starts to authenticate the user. If authentication fails, the server sends an authentication failure message to the client, which contains the list of methods used for a new authentication process. The client selects an authentication type from the method list to perform authentication again. The above process repeats until the authentication succeeds, or the connection is torn down when the authentication times reach the upper limit.
  • Page 648: Configuring The Ssh Server

    Figure 1-2 Network diagram for SSH connections Configure the devices accordingly This document describes two cases: The 3Com switch acts as the SSH server to cooperate with software that supports the SSH client functions. The 3Com switch acts as the SSH server to cooperate with another 3Com switch that acts as an SSH client.
  • Page 649: Configuring The User Interfaces For Ssh Clients

    Complete the following tasks to configure the SSH server:
    Task | Remarks
    Preparation: Configuring the User Interfaces for SSH Clients | Required
    Preparation: Configuring the SSH Management Functions | Optional
    Preparation: Configuring Key Pairs | Required
    Authentication: Creating an SSH User and Specifying an Authentication Type | Required
    Authorization: Specifying a Service Type for an SSH ... | Optional...
  • Page 650: Configuring The Ssh Management Functions

    To do... | Use the command... | Remarks
    Specify supported protocol(s) | protocol inbound { all | ssh } | Optional. By default, both Telnet and SSH are supported.
    If you have configured a user interface to support SSH protocol, you must configure AAA authentication for the user interface by using the authentication-mode scheme command to ensure successful login.
  • Page 651: Configuring Key Pairs

    You can configure a login header only when the service type is stelnet. For configuration of service types, refer to Specifying a Service Type for an SSH User. For details of the header command, refer to the corresponding section in Login Command. Configuring Key Pairs The SSH server’s key pairs are for generating session keys and for SSH clients to authenticate the server.
  • Page 652: Creating An Ssh User And Specifying An Authentication Type

    To do… | Use the command… | Remarks
    Destroy the RSA key pair | public-key local destroy rsa | Optional
    Creating an SSH User and Specifying an Authentication Type
    This task creates an SSH user and specifies an authentication type for it. A new user cannot log in until an authentication type has been specified.
  • Page 653: Specifying A Service Type For An Ssh User On The Server

    To do... | Use the command... | Remarks
    Create an SSH user, and specify an authentication type for it | ssh user username authentication-type { all | password | password-publickey | publickey } | ... are used and different authentication types are specified, the authentication type specified with the ssh user authentication-type ...
  • Page 654: Configuring The Public Key Of A Client On The Server

    If the ssh user service-type command is executed with a username that does not exist, the system will automatically create the SSH user. However, the user cannot log in unless you specify an authentication type for it. Configuring the Public Key of a Client on the Server This configuration is not necessary if the password authentication mode is configured for SSH users.
  • Page 655: Assigning A Public Key To An Ssh User

    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Import the public key from a public key file | public-key peer keyname import sshkey filename | Required
    Assigning a Public Key to an SSH User
    This configuration task is unnecessary if the SSH user's authentication mode is password. For the publickey authentication mode, you must specify the client's public key on the server for authentication.
  • Page 656: Configuring The Ssh Client

    With the filename argument specified, you can export the RSA host public key to a file so that you can configure the key at a remote end by importing the file. If the filename argument is not specified, this command displays the host public key information on the screen in a specified format. Configuring the SSH Client The configurations required on the SSH client are related to the authentication mode that the SSH server uses.
  • Page 657 Task | Remarks
    Opening an SSH connection with publickey authentication | Required for publickey authentication; unnecessary for password authentication
    For PuTTY, release 0.53 is recommended; release 0.58 is also supported. For OpenSSH, OpenSSH_3.1p1 is recommended; OpenSSH_4.2p1 is also supported. Other versions and other clients have not been verified against this switch and may not interoperate; test them before relying on them.
  • Page 658 Note that while generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar in the blue box shown in Figure 1-4. Otherwise, the progress bar stops moving and the key pair generation stops.
    Figure 1-4 Generate the client keys (2)
    After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case) to save the public key.
  • Page 659 Likewise, to save the private key, click Save private key. A warning window asks whether you really want to save the private key without a passphrase to protect it. Click Yes and enter the name of the file for saving the private key ("private" in this case) to save the private key. An unprotected private key file grants switch access to anyone who can read it, so keep it out of shared locations and set a passphrase unless you have a specific reason not to.
    Figure 1-6 Generate the client keys (4)
    To generate an RSA public key in PKCS format, run SSHKEY.exe, click Browse and select the public key file, and then click Convert.
  • Page 660 Figure 1-8 SSH client configuration interface 1 In the Host Name (or IP address) text box, enter the IP address of the server. Note that there must be a route available between the IP address of the server and the client. Selecting a protocol for remote connection As shown in Figure...
  • Page 661 Figure 1-9 SSH client configuration interface 2
    Under Protocol options, select 2 from Preferred SSH protocol version. Some SSH client software, for example the Tectia client, supports the DES algorithm only when the SSH1 version is selected. The PuTTY client supports DES algorithm negotiation over SSH2.
    Opening an SSH connection with password authentication
    From the window shown in Figure...
  • Page 662: Configuring An Ssh Client Assumed By An Ssh2-Capable Switch

    Figure 1-10 SSH client configuration interface 3 Click Browse… to bring up the file selection window, navigate to the private key file and click Open. If the connection is normal, a user will be prompted for a username. Once passing the authentication, the user can log in to the server.
  • Page 663 Configuring whether first-time authentication is supported
    When the device connects to an SSH server as an SSH client, you can configure whether the device supports first-time authentication. With first-time authentication enabled, an SSH client that is not configured with the server host public key can still access the server the first time it connects, and it saves the host public key on the client for use in subsequent authentications. That first connection is therefore unauthenticated: whoever answers at that moment, including an attacker on the path, gets their key recorded as the server's. Where you can, import the server's host public key on the client beforehand and leave first-time authentication disabled; at minimum, compare the key saved on first contact with the key displayed on the server.
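The first-time authentication behaviour described above, as an added example that is not code from the 3Com manual or the switch's SSH implementation: a client-side host key store in Python. With first-time authentication enabled, an unknown server's host public key is accepted and recorded on first contact, and any different key offered later is rejected; with it disabled, only preconfigured keys are accepted. The store layout, the server addresses and the key bytes are constructed for illustration.

```python
# Added example, not from the 3Com manual: a client-side host key store that
# models the first-time authentication switch described above. Server addresses
# and key bytes below are constructed; the store layout is an assumption.

import base64
import hashlib


class HostKeyStore:
    """Client-side mapping of SSH server -> host public key (the data that
    display ssh server-info lists on the switch)."""

    def __init__(self, first_time_auth=True, preconfigured=None):
        self.first_time_auth = first_time_auth
        self.known = dict(preconfigured or {})   # keys imported ahead of time

    @staticmethod
    def fingerprint(pubkey):
        """SHA-256 fingerprint in the form OpenSSH prints, for the operator to compare."""
        digest = hashlib.sha256(pubkey).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

    def check(self, server, presented_key):
        """Decide on a host key offered during key exchange; return (accept, reason)."""
        stored = self.known.get(server)
        if stored is None:
            if not self.first_time_auth:
                return False, "unknown host and first-time authentication disabled"
            # Trust on first use: whatever answers now becomes the reference key.
            self.known[server] = presented_key
            return True, "first contact, key recorded: " + self.fingerprint(presented_key)
        if stored != presented_key:
            # A changed key is either a reinstalled server or a man in the middle;
            # the client cannot tell which, so it must refuse.
            return False, "HOST KEY MISMATCH for %s (expected %s, got %s)" % (
                server, self.fingerprint(stored), self.fingerprint(presented_key))
        return True, "known host"


if __name__ == "__main__":
    real = b"ssh-rsa AAAA-constructed-key-of-switch-a"
    rogue = b"ssh-rsa AAAA-constructed-rogue-key"
    store = HostKeyStore(first_time_auth=True)
    print(store.check("10.1.1.1", real))     # accepted and recorded
    print(store.check("10.1.1.1", rogue))    # rejected: mismatch
    strict = HostKeyStore(first_time_auth=False, preconfigured={"10.1.1.1": real})
    print(strict.check("10.1.1.2", real))    # rejected: unknown host, no TOFU
```

The fingerprint is there because the only defence the first-contact path offers is a human comparing it against the key shown on the server (display public-key local rsa public on the switch side); once a wrong key is recorded, every later connection to the attacker looks like a "known host".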
  • Page 664: Displaying And Maintaining Ssh Configuration

    Follow these steps to specify a source IP address/interface for the SSH client:
    To do... / Use the command... / Remarks
    Enter system view: system-view
    Specify a source IP address for the SSH client: ssh2 source-ip ip-address (optional; by default, no source address is configured)
    Specify a source interface for the SSH client: ssh2...
  • Page 665: Comparison Of Ssh Commands With The Same Functions

    To do... / Use the command... / Remarks
    Display information about all SSH users: display user-information [ username ]
    Display the current source IP address or the IP address of the source interface specified for the SSH server: display ssh-server source-ip
    Display the mappings between host public keys and SSH servers saved on a client: display ssh server-info...
  • Page 666: Ssh Configuration Examples

    The results of the display rsa local-key-pair public command or the public key converted with the SSHKEY tool contain no information such as the authentication type, so they cannot be used directly as parameters in the public-key peer command. For the same reason, neither can the results of the display public-key local rsa public command be used directly in the rsa peer-public-key command.
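    The conversion step on page 659 and the note above come down to the same thing: the public key that PuTTY saves is an RFC 4716 text wrapper around the SSH wire-format key, and the switch-side tooling needs the bare RSA parameters. The following is an added example, not part of the 3Com manual and not the SSHKEY.exe tool itself. It decodes such a file into e and n, checks the key size, and computes the MD5 and SHA-256 fingerprints an operator compares out of band before pinning a server host key (the first-time-authentication caveat on page 663). The sample key, its comment string and the 2048-bit minimum are constructed for the example; the modulus is a made-up number, not a real key, and the exact PKCS layout the switch expects after conversion is not shown on this page, so the example stops at the decoded parameters.

```python
"""Decode a PuTTY "Save public key" file into RSA parameters and fingerprints.

Added example; not from the 3Com manual and not the SSHKEY.exe converter.
The sample key at the bottom is constructed (e = 65537 and a made-up
2048-bit odd number as "modulus"), not a real RSA key.
"""
import base64
import hashlib
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"   # RFC 4716 armor, as PuTTYgen writes it
END = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': minimal big-endian bytes, 0x00 prefix if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_blob(e: int, n: int) -> bytes:
    """Encode an ssh-rsa public key in SSH wire format (the base64 body of the file)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def parse_rsa_blob(blob: bytes):
    """Decode an ssh-rsa wire blob into (e, n); reject truncated or foreign keys."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[pos:pos + length])
        pos += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def write_rfc4716(blob: bytes, comment: str) -> str:
    """Lay the blob out the way PuTTYgen's 'Save public key' does."""
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f'{BEGIN}\nComment: "{comment}"\n{body}\n{END}\n'


def read_rfc4716(text: str) -> bytes:
    """Strip the RFC 4716 armor and header lines and return the raw blob."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 armor")
    body = [ln for ln in lines[1:-1] if ":" not in ln]  # header lines carry a ':'
    return base64.b64decode("".join(body))


def fingerprints(blob: bytes) -> dict:
    """MD5 (the form PuTTY shows in its host-key prompt) and SHA-256 fingerprints."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}


def describe_public_key(text: str, min_bits: int = 2048) -> dict:
    """What to check before importing a client key or pinning a server host key."""
    blob = read_rfc4716(text)
    e, n = parse_rsa_blob(blob)
    bits = n.bit_length()
    info = {"e": e, "bits": bits, "acceptable": bits >= min_bits and e % 2 == 1}
    info.update(fingerprints(blob))
    return info


# Constructed sample: NOT a real modulus, just a 2048-bit odd number.
SAMPLE_E = 65537
SAMPLE_N = (1 << 2047) | 12345
SAMPLE_FILE = write_rfc4716(build_rsa_blob(SAMPLE_E, SAMPLE_N), "client001-constructed")

if __name__ == "__main__":
    for name, value in describe_public_key(SAMPLE_FILE).items():
        print(f"{name}: {value}")
```

    Run it against the file PuTTYgen wrote and compare the md5 value with what PuTTY shows in its host-key prompt, or against what the switch reports for its own key, before you accept or import anything. The parser deliberately refuses blobs whose length fields run past the end of the data, which is the usual way a hand-edited or truncated key file fails.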
  • Page 667
    [Switch-ui-vty0-4] authentication-mode scheme
    # Enable the user interfaces to support SSH.
    [Switch-ui-vty0-4] protocol inbound ssh
    [Switch-ui-vty0-4] quit
    # Create local client client001, and set the authentication password to abc, protocol type to SSH, and command privilege level to 3 for the client. (password simple stores the password in cleartext in the configuration file; on a production switch use password cipher, which stores it encrypted.)
    [Switch] local-user client001
    [Switch-luser-client001] password simple abc
    [Switch-luser-client001] service-type ssh level 3...
  • Page 668: When Switch Acts As Server For Password And Radius Authentication

    Figure 1-13 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version. As shown in Figure 1-13, click Open. If the connection is normal, you will be prompted to enter the user name client001 and password abc. Once authentication succeeds, you will log in to the server.
  • Page 669 Network diagram Figure 1-14 Switch acts as server for password and RADIUS authentication Configuration procedure Configure the RADIUS server This document takes CAMS Version 2.10 as an example to show the basic RADIUS server configurations required. # Add an access device. Log in to the CAMS management platform and select System Management >...
  • Page 670 Figure 1-15 Add an access device # Add a user account for device management. From the navigation tree, select User Management > User for Device Management, and then in the right pane, click Add to enter the Add Account page and perform the following configurations: Add a user named hello, and specify the password.
  • Page 671 Generating the RSA key pair on the server is a prerequisite to SSH login.
    # Generate RSA key pairs.
    [Switch] public-key local create rsa
    # Set the authentication mode for the user interfaces to AAA.
    [Switch] user-interface vty 0 4
    [Switch-ui-vty0-4] authentication-mode scheme
    # Enable the user interfaces to support SSH.
  • Page 672 Figure 1-17 SSH client configuration interface (1) In the Host Name (or IP address) text box, enter the IP address of the SSH server. From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 1-18 appears.
  • Page 673: When Switch Acts As Server For Password And Hwtacacs Authentication

    Under Protocol options, select 2 from Preferred SSH protocol version. Then, click Open. If the connection is normal, you will be prompted to enter the user name hello and the password. Once authentication succeeds, you will log in to the server. The level of commands that you can access after login is authorized by the CAMS server.
  • Page 674
    [Switch] user-interface vty 0 4
    [Switch-ui-vty0-4] authentication-mode scheme
    # Enable the user interfaces to support SSH.
    [Switch-ui-vty0-4] protocol inbound ssh
    [Switch-ui-vty0-4] quit
    # Configure the HWTACACS scheme.
    [Switch] hwtacacs scheme hwtac
    [Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
    [Switch-hwtacacs-hwtac] primary authorization 10.1.1.1 49
    [Switch-hwtacacs-hwtac] key authentication expert
    [Switch-hwtacacs-hwtac] key authorization expert
    [Switch-hwtacacs-hwtac] user-name-format without-domain...
  • Page 675: When Switch Acts As Server For Publickey Authentication

    In the Host Name (or IP address) text box, enter the IP address of the SSH server. From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 1-21 appears. Figure 1-21 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version.
  • Page 676 Configuration procedure Configure the SSH server
    # Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for the SSH connection.
    <Switch> system-view
    [Switch] interface vlan-interface 1
    [Switch-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
    [Switch-Vlan-interface1] quit
    Generating the RSA key pair on the server is a prerequisite to SSH login.
  • Page 677 Figure 1-23 Generate a client key pair (1) While generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 1-24. Otherwise, the progress bar stops moving and the key pair generation process stops.
  • Page 678 Figure 1-24 Generate a client key pair (2) After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case). Figure 1-25 Generate a client key pair (3) Likewise, to save the private key, click Save private key.
  • Page 679 Figure 1-26 Generate a client key pair (4) After the key pair is generated, you need to upload the public key file to the server through FTP or TFTP, and complete the server end configuration before you continue to configure the client. Only the public key leaves the client; the private key file stays on the client machine. # Establish a connection with the SSH server Launch PuTTY.exe to enter the following interface.
  • Page 680 Figure 1-28 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version. Select Connection/SSH/Auth. The following window appears. Figure 1-29 SSH client configuration interface (3)
  • Page 681: When Switch Acts As Client For Password Authentication

    Click Browse to bring up the file selection window, navigate to the private key file and click OK. From the window shown in Figure 1-29, click Open. If the connection is normal, you will be prompted to enter the username. When Switch Acts as Client for Password Authentication Network requirements As shown in...
  • Page 682: When Switch Acts As Client For Publickey Authentication

    [SwitchB-luser-client001] password simple abc
    [SwitchB-luser-client001] service-type ssh level 3
    [SwitchB-luser-client001] quit
    # Configure the authentication type of user client001 as password.
    [SwitchB] ssh user client001 authentication-type password
    Configure Switch A
    # Create a VLAN interface on the switch and assign an IP address, which serves as the SSH client’s address in an SSH connection.
  • Page 683 Configuration procedure Configure Switch B
    # Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for the SSH connection.
    <SwitchB> system-view
    [SwitchB] interface vlan-interface 1
    [SwitchB-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
    [SwitchB-Vlan-interface1] quit
    Generating the RSA key pair on the server is a prerequisite to SSH login.
  • Page 684: When Switch Acts As Client And First-Time Authentication Is Not Supported

    <SwitchA> system-view
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
    [SwitchA-Vlan-interface1] quit
    # Generate an RSA key pair.
    [SwitchA] public-key local create rsa
    # Export the generated RSA public key to a file named Switch001.
    [SwitchA] public-key local export rsa ssh2 Switch001
    After the key pair is generated, you need to upload the public key file to the server through FTP or TFTP and complete the server end configuration before you continue to configure the client.
  • Page 685 Network diagram Figure 1-32 Switch acts as client and first-time authentication is not supported Configuration procedure Configure Switch B # Create a VLAN interface on the switch and assign an IP address for it to serve as the destination of the client.
  • Page 686
    # Import the client’s public key file Switch001 and name the public key Switch001.
    [SwitchB] public-key peer Switch001 import sshkey Switch001
    # Assign public key Switch001 to user client001.
    [SwitchB] ssh user client001 assign publickey Switch001
    # Export the generated RSA host public key to a file named Switch002.
    [SwitchB] public-key local export rsa ssh2 Switch002
    When first-time authentication is not supported, you must first generate an RSA key pair on the server and save its host public key in a file named Switch002, and then upload the file to the SSH client through FTP...
  • Page 687
    # Import the server host public key named Switch002 from the file Switch002.
    [SwitchA] public-key peer Switch002 import sshkey Switch002
    # Specify the host public key name of the server.
    [SwitchA] ssh client 10.165.87.136 assign publickey Switch002
    # Establish the SSH connection to server 10.165.87.136.
    [SwitchA] ssh2 10.165.87.136
    Username: client001
    Trying 10.165.87.136 ...
  • Page 688 Table of Contents 1 File System Management Configuration ·································································································1-1 File System Configuration·······················································································································1-1 Introduction to File System ··············································································································1-1 File System Configuration Task List································································································1-1 Directory Operations························································································································1-2 File Operations ································································································································1-2 Flash Memory Operations ···············································································································1-3 Prompt Mode Configuration ············································································································1-4 File System Configuration Examples ······························································································1-4 File Attribute Configuration ·····················································································································1-5 Introduction to File Attributes···········································································································1-5 Booting with the Startup File ···········································································································1-6...
  • Page 689: File System Management Configuration

    File System Management Configuration When configuring file system management, go to these sections for information you are interested in: File System Configuration File Attribute Configuration Configuration File Backup and Restoration File System Configuration Introduction to File System To facilitate management on the switch memory, 4500 series Ethernet switches provide the file system function, allowing you to access and manage the files and directories.
  • Page 690: Directory Operations

    Directory Operations The file system provides directory-related functions, such as: creating/deleting a directory; displaying the current work directory, or the contents of a specified directory. Follow these steps to perform directory-related operations:
    To do… / Use the command… / Remarks
    Create a directory: mkdir directory (optional; available in user view)
    Optional...
  • Page 691: Flash Memory Operations

    To do… / Use the command… / Remarks
    Rename a file: rename fileurl-source fileurl-dest (optional; available in user view)
    Copy a file: copy fileurl-source fileurl-dest (optional; available in user view)
    Move a file: move fileurl-source fileurl-dest (optional; available in user view)
    Display the content of a file: more file-url (optional; available in user view)...
  • Page 692: Prompt Mode Configuration

    The format operation leads to the loss of all files, including the configuration files, on the Flash memory and cannot be undone. Prompt Mode Configuration You can set the prompt mode of the current file system to alert or quiet. In alert mode, the file system prompts for confirmation before executing a command that may cause data loss, for example, deleting or overwriting a file. Leave alert mode in place on production switches; quiet mode removes that last safeguard.
  • Page 693: File Attribute Configuration

    Directory of unit1>flash:/
    1 (*) -rw- 5822215 Jan 01 1970 00:07:03 test.bin
    -rwh Apr 01 2000 23:55:49 snmpboots
    -rwh Apr 02 2000 00:47:30 hostkey
    -rwh Apr 02 2000 00:47:38 serverkey
    -rw- 1220 Apr 02 2000 00:06:57 song.cfg
    -rw- 26103 Jan 01 1970 00:04:34 testv1r1.bin
    -rwh Apr 01 2000 23:55:53...
  • Page 694: Booting With The Startup File

    Attribute name / Description / Feature
    backup: Identifies backup startup files. The backup startup file is used after a switch fails to start up using... In the Flash memory, there can be only one app file, one configuration file and one Web file with the backup attribute.
  • Page 695: Configuring File Attributes

    Configuring File Attributes You can configure and view the main attribute or backup attribute of the file used for the next startup of a switch, and change the main or backup attribute of the file. Follow these steps to configure file attributes: To do…...
  • Page 696: Configuration File Backup And Restoration

    Configuration File Backup and Restoration Introduction to Configuration File Backup and Restoration Formerly, you could only back up and restore the configuration files of the units in a fabric system one by one. With the configuration file backup and restoration feature, you can back up and restore the configuration files of the whole fabric as well as of a specific unit.
  • Page 697 Table of Contents 1 FTP and SFTP Configuration····················································································································1-1 Introduction to FTP and SFTP ················································································································1-1 Introduction to FTP ··························································································································1-1 Introduction to SFTP························································································································1-2 FTP Configuration ···································································································································1-2 FTP Configuration: A Switch Operating as an FTP Server ·····························································1-2 FTP Configuration: A Switch Operating as an FTP Client ······························································1-6 Configuration Example: A Switch Operating as an FTP Server······················································1-9 FTP Banner Display Configuration Example·················································································1-11 FTP Configuration: A Switch Operating as an FTP Client ····························································1-12...
  • Page 698: Ftp And Sftp Configuration

    FTP and SFTP Configuration When configuring FTP and SFTP, go to these sections for information you are interested in: Introduction to FTP and SFTP FTP Configuration SFTP Configuration Introduction to FTP and SFTP Introduction to FTP File Transfer Protocol (FTP) is commonly used in IP-based networks to transmit files. Before the World Wide Web came into being, files were transferred from the command line, and the most popular application was FTP. Note that FTP carries both credentials and file contents in cleartext; use it only on a trusted management network, and prefer SFTP where the switch and the peer support it.
  • Page 699: Introduction To Sftp

    files from an FTP server, and stops rotating when the file download is finished, as shown in Figure 1-1. Figure 1-1 Clockwise rotating of the seven-segment digital LED Introduction to SFTP Secure FTP (SFTP) runs over an SSH2 connection. It allows a remote user to log in to a switch to manage and transmit files, with the SSH session providing authentication and encryption for the data in transit.
  • Page 700
    To do… / Use the command… / Remarks
    Configure a password for the user: password { simple | cipher } password (optional; by default, no password is configured; simple stores the password in cleartext in the configuration, cipher stores it encrypted)
    Configure the service type as FTP: service-type ftp (required; by default, no service is configured)
  • Page 701 Follow these steps to configure the connection idle time:
    To do… / Use the command… / Remarks
    Enter system view: system-view
    Configure the connection idle time for the FTP server: ftp timeout minutes (optional; 30 minutes by default)
    Specifying the source interface and source IP address for an FTP server You can specify the source interface and source IP address for an FTP server to enhance server security.
  • Page 702 Disconnecting a specified user On the FTP server, you can disconnect a specified user from the FTP server to secure the network. Follow these steps to disconnect a specified user: To do… Use the command… Remarks Enter system view system-view —...
  • Page 703: Ftp Configuration: A Switch Operating As An Ftp Client

    Figure 1-3 Process of displaying a shell banner Follow these steps to configure the banner display for an FTP server:
    To do… / Use the command… / Remarks
    Enter system view: system-view
    Configure a login banner: header login text (required; use either command or both; by default, no banner is...)
    Configure a shell banner: header shell text...
  • Page 704
    To do… / Use the command… / Remarks
    Enter FTP client view: ftp [ cluster | remote-server [ port-number ] ]
    Specify to transfer files in ASCII characters: ascii (use either command; by default, files are transferred in ASCII characters)
    Specify to transfer files in...
  • Page 705
    To do… / Use the command… / Remarks
    Download a remote file from the FTP server: get remotefile [ localfile ]
    Upload a local file to the remote FTP server: put localfile [ remotefile ]
    Rename a file on the remote server: rename remote-source remote-dest
    Log in with the specified user...
  • Page 706: Configuration Example: A Switch Operating As An Ftp Server

    The specified interface must be an existing one. Otherwise a prompt appears to show that the configuration fails. The value of the ip-address argument must be an IP address of the device where the configuration is performed. Otherwise a prompt appears to show that the configuration fails. The source interface/source IP address set for one connection takes precedence over the fixed source interface/source IP address set for every connection.
  • Page 707
    [Sysname] local-user switch
    [Sysname-luser-switch] password simple hello
    [Sysname-luser-switch] service-type ftp
    Configure the PC (FTP client) Run an FTP client application on the PC to connect to the FTP server. Upload the application named switch.bin to the root directory of the Flash memory of the FTP server, and download the configuration file named config.cfg from the FTP server.
  • Page 708: Ftp Banner Display Configuration Example

    If available space on the Flash memory of the switch is not enough to hold the file to be uploaded, you need to delete files not in use from the Flash memory to make room for the file, and then upload the file again.
  • Page 709: Ftp Configuration: A Switch Operating As An Ftp Client

    Configuration procedure Configure the switch (FTP server) # Configure the login banner of the switch as “login banner appears” and the shell banner as “shell banner appears”. For detailed configuration of other network requirements, see section Configuration Example: A Switch Operating as an FTP Server.
  • Page 710 Configuration procedure Configure the PC (FTP server) Perform FTP server–related configurations on the PC, that is, create a user account on the FTP server with username switch and password hello. (For detailed configuration, refer to the configuration instruction relevant to the FTP server software.) Configure the switch (FTP client) # Log in to the switch.
  • Page 711: Sftp Configuration: A Switch Operating As An Sftp Server

    <Sysname> boot boot-loader switch.bin <Sysname> reboot For information about the boot boot-loader command and how to specify the startup file for a switch, refer to the System Maintenance and Debugging module of this manual. SFTP Configuration Complete the following tasks to configure SFTP: Task Remarks Enabling an SFTP server...
  • Page 712: Sftp Configuration: A Switch Operating As An Sftp Client

    To do… / Use the command… / Remarks
    Enter system view: system-view
    Configure the connection idle time for the SFTP server: ftp timeout time-out-value (optional; 10 minutes by default)
    Supported SFTP client software A 3Com Switch 4500 operating as an SFTP server can interoperate with SFTP client software, including SSH Tectia Client v4.2.0 (SFTP), v5.0, and WinSCP.
  • Page 713
    To do… / Use the command… / Remarks
    Enter SFTP client view: sftp { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { 3des | des | aes128 } |... (required; support for the 3des keyword depends on the number of...)
    Of the choices offered, prefer aes128 over des (a 56-bit key) and 3des, and prefer dh_exchange_group (the group-exchange method) over dh_group1 (a fixed 1024-bit Diffie-Hellman group), wherever the peer supports them.
  • Page 714: Sftp Configuration Example

    If you specify to authenticate a client through public key on the server, the client needs to read the local private key when logging in to the SFTP server. Since both RSA and DSA are available for public key authentication, you need to use the identity-key keyword to specify the algorithm so that the correct local private key is read;...
  • Page 715
    [Sysname] public-key local create dsa
    # Create a VLAN interface on the switch and assign to it an IP address, which is used as the destination address for the client to connect to the SFTP server.
    [Sysname] interface vlan-interface 1
    [Sysname-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
    [Sysname-Vlan-interface1] quit
    # Specify the SSH authentication mode as AAA.
  • Page 716 sftp-client>
    # Display the current directory of the server. Delete the file z and verify the result.
    sftp-client> dir
    -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
    -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
    -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
    drwxrwxrwx...
  • Page 717
    -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
    drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
    -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
    drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2
    Received status: End of file
    Received status: Success
    # Download the file pubkey2 from the server and rename it as public.
  • Page 718: Tftp Configuration

    TFTP Configuration When configuring TFTP, go to these sections for information you are interested in: Introduction to TFTP TFTP Configuration Introduction to TFTP Compared with FTP, Trivial File Transfer Protocol (TFTP) features a simple interactive access interface and no authentication control. Therefore, TFTP is applicable in networks where client-server interactions are relatively simple. Because TFTP offers neither authentication nor confidentiality, restrict it to an isolated management network and prefer SFTP elsewhere.
  • Page 719: Tftp Configuration: A Switch Operating As A Tftp Client

    TFTP Configuration Complete the following tasks to configure TFTP:
    Task / Remarks
    TFTP Configuration: A Switch Operating as a TFTP Client: Basic configurations on a TFTP client
    TFTP Configuration: A Switch Operating as a TFTP Client: Specifying the source interface or source IP address for a TFTP client (optional)
    TFTP server configuration: For details, see the...
  • Page 720: Tftp Configuration Example

    To do… Use the command… Remarks tftp tftp-server source-ip Optional Specify the source IP address ip-address { get source-file used for the current connection [ dest-file ] | put source-file-url Not specified by default. [ dest-file ] } Enter system view system-view —...
  • Page 721 Network diagram Figure 2-1 Network diagram for TFTP configurations Configuration procedure Configure the TFTP server (PC) Start the TFTP server and configure the working directory on the PC. Configure the TFTP client (switch). # Log in to the switch. (You can log in to a switch through the Console port or by telnetting the switch. See the Login module for detailed information.) <Sysname>...
  • Page 722 For information about the boot boot-loader command and how to specify the startup file for a switch, refer to the System Maintenance and Debugging module of this manual.
  • Page 723 Table of Contents 1 Information Center·····································································································································1-1 Information Center Overview ··················································································································1-1 Introduction to Information Center···································································································1-1 System Information Format ·············································································································1-4 Information Center Configuration············································································································1-7 Information Center Configuration Task List·····················································································1-7 Configuring Synchronous Information Output ·················································································1-7 Configuring to Display the Time Stamp with the UTC Time Zone ··················································1-8 Setting to Output System Information to the Console ·····································································1-8 Setting to Output System Information to a Monitor Terminal ························································1-10 Setting to Output System Information to a Log Host·····································································1-11...
  • Page 724: Information Center

    Information Center When configuring information center, go to these sections for information you are interested in: Information Center Overview Information Center Configuration Displaying and Maintaining Information Center Information Center Configuration Examples Information Center Overview Introduction to Information Center Acting as the system information hub, information center classifies and manages system information. Together with the debugging function (the debugging command), information center offers a powerful support for network administrators and developers in monitoring network performance and diagnosing network problems.
  • Page 725 Information filtering by severity works this way: information whose severity value is greater than the configured threshold is not output (a greater value means a less urgent message). If the threshold is set to 1, only information with severity emergencies is output; if the threshold is set to 8, information of all severities is output.
  • Page 726 Outputting system information by source module The system information can be classified by source module and then filtered. Some module names and descriptions are shown in Table 1-3.
    Table 1-3 Source module name list
    Module name / Description
    8021X: 802.1X module
    Access control list module
    ADBM: Address base module...
  • Page 727: System Information Format

    Module name / Description
    SYSMIB: System MIB module
    HWTACACS module
    TELNET: Telnet module
    TFTPC: TFTP client module
    VLAN: Virtual local area network module
    Virtual type terminal module
    XModem module
    default: Default settings for all the modules
    To sum up, the major task of the information center is to output the three types of information of the modules onto the ten channels in terms of the eight severity levels and according to the user’s settings, and then redirect the system information from the ten channels to the six output destinations.
  • Page 728 If the address of the log host is specified in the information center of the switch, when logs are generated, the switch sends the logs to the log host in the above format. For detailed information, refer to Setting to Output System Information to a Log Host.
  • Page 729 locate and solve problems globally. In this case, you can configure the information center to add the UTC time zone to the time stamp of the output information, so that you know the standard time at which the information center processed each piece of information. That is, you can determine the UTC time on each switch in the network from the UTC record in the time stamp, which is what makes logs from several switches comparable when reconstructing an event.
  • Page 730: Information Center Configuration

    Source This field indicates the source of the information, such as the source IP address of the log sender. This field is optional and is displayed only when the output destination is the log host. Context This field provides the content of the system information. Information Center Configuration Information Center Configuration Task List Complete the following tasks to configure information center:...
  • Page 731: Configuring To Display The Time Stamp With The Utc Time Zone

    If the system information is output before you input any information following the current command line prompt, the system does not echo any command line prompt after the system information output. In the interaction mode, you are prompted for some information input. If the input is interrupted by system output, no system prompt (except the Y/N string) will be echoed after the output, but your input will be displayed in a new line.
  • Page 732
    To do… / Use the command… / Remarks
    Enable system information output to the console: info-center console channel { channel-number | channel-name } (optional; by default, the switch uses information channel 0 to output log/debugging/trap information to the console)
    Configure the output...: info-center source { modu-name | default } channel... (optional)
  • Page 733: Setting To Output System Information To A Monitor Terminal

    Follow these steps to enable the system information display on the console:
    To do… / Use the command… / Remarks
    Enable the debugging/log/trap information terminal display function: terminal monitor (optional; enabled by default)
    Enable the debugging information terminal display function: terminal debugging (optional; disabled by default)
  • Page 734: Setting To Output System Information To A Log Host

    When there are multiple Telnet users or dumb terminal users, they share some configuration parameters including module filter, language and severity level threshold. In this case, a change to any such parameter made by one user will also be reflected on all other user terminals. To view debugging information of specific modules, you need to set the information type as debug when setting the system information output rules, and enable debugging for the corresponding modules through the debugging command.
  • Page 735: Setting To Output System Information To The Trap Buffer

    To do… / Use the command… / Remarks
    Enable information output for a specified switch in a fabric: info-center switch-on { unit unit-id | master | all } [ debugging | logging |... (optional; by default, debugging information output is enabled, and log and trap information output are disabled for the master switch in a fabric)
  • Page 736: Setting To Output System Information To The Log Buffer

    To do… / Use the command… / Remarks
    Enable system information output to the trap buffer: info-center trapbuffer [ channel { channel-number | channel-name } | size buffersize ]* (optional; by default, the switch uses information channel 3 to output trap information to the trap buffer, which can hold up to 256 items by default)
  • Page 737: Displaying And Maintaining Information Center

    Enable information output to the SNMP NMS: info-center snmp channel { channel-number | channel-name }. Optional; by default, the switch outputs trap information to SNMP through channel 5.
    Configure the output...: info-center source { modu-name | default } channel { channel-number |... Optional.
  • Page 738: Information Center Configuration Examples

    Information Center Configuration Examples Log Output to a UNIX Log Host Network requirements The switch sends the following log information to the Unix log host whose IP address is 202.38.1.10: the log information of the two modules ARP and IP, with severity higher than “informational”. Network diagram Figure 1-1 Network diagram for log output to a Unix log host Network...
  • Page 739: Log Output To A Linux Log Host

    When you edit the file “/etc/syslog.conf”, note that: A note must start in a new line, starting with a “#” sign. In each pair, a tab should be used as a separator instead of a space. No space is allowed at the end of a file name. The device name (facility) and received log information severity level specified in the file “/etc/syslog.conf”...
  • Page 740
    <Switch> system-view
    [Switch] info-center enable
    # Configure the host whose IP address is 202.38.1.10 as the log host. Permit all modules to output log information with severity level higher than error to the log host.
    [Switch] info-center loghost 202.38.1.10 facility local7
    [Switch] info-center source default channel loghost log level errors debug state off trap state off
    Configure the log host:...
  • Page 741: Log Output To The Console

    Log Output to the Console Network requirements The switch sends the following information to the console: the log information of the two modules ARP and IP, with severity higher than “informational”. Network diagram Figure 1-3 Network diagram for log output to the console Configuration procedure # Enable the information center.
  • Page 742
    Network diagram
    Figure 1-4 Network diagram
    Configuration procedure
    # Name the local time zone z8 and configure it to be eight hours ahead of UTC time.
    <Switch> clock timezone z8 add 08:00:00
    # Set the time stamp format of the log information to be output to the log host to date.
    <Switch>...
  • Page 743 Table of Contents 1 Boot ROM and Host Software Loading ···································································································1-1 Introduction to Loading Approaches ·······································································································1-1 Local Boot ROM and Software Loading··································································································1-1 BOOT Menu ····································································································································1-2 Loading by XModem through Console Port ····················································································1-3 Loading by TFTP through Ethernet Port ·························································································1-7 Loading by FTP through Ethernet Port····························································································1-9 Remote Boot ROM and Software Loading ···························································································1-11 Remote Loading Using FTP ··········································································································1-11 Remote Loading Using TFTP········································································································1-15...
  • Page 744: Introduction To Loading Approaches

    Boot ROM and Host Software Loading Traditionally, switch software is loaded through a serial port. This approach is slow, time-consuming and cannot be used for remote loading. To resolve these problems, the TFTP and FTP modules are introduced into the switch. With these modules, you can load/download software/files conveniently to the switch through an Ethernet port.
  • Page 745: Boot Menu

    The loading process of the Boot ROM software is the same as that of the host software, except that during the former process, you should press “6” or <Ctrl+U> and <Enter> after entering the BOOT menu and the system gives different prompts. The following text mainly describes the Boot ROM loading process.
  • Page 746: Loading By Xmodem Through Console Port

    1. Download application file to flash
    2. Select application file to boot
    3. Display all files in flash
    4. Delete file from flash
    5. Modify bootrom password
    6. Enter bootrom upgrade menu
    7. Skip current configuration file
    8. Set bootrom password recovery
    9.
  • Page 747
    0. Return
    Enter your choice (0-5):
    Step 3: Choose an appropriate baudrate for downloading. For example, if you press 5, the baudrate 115200 bps is chosen and the system displays the following information:
    Download baudrate is 115200 bit/s
    Please change the terminal's baudrate to 115200 bit/s and select XMODEM protocol
    Press enter key when ready
    If you have chosen 9600 bps as the download baudrate, you need not modify the HyperTerminal’s baudrate, and therefore you can skip Steps 4 and 5 below and proceed to Step 6 directly.
  • Page 748 Figure 1-2 Console port configuration dialog box Step 5: Click the <Disconnect> button to disconnect the HyperTerminal from the switch and then click the <Connect> button to reconnect the HyperTerminal to the switch, as shown in Figure 1-3. Figure 1-3 Connect and disconnect buttons The new baudrate takes effect after you disconnect and reconnect the HyperTerminal program.
  • Page 749
    Figure 1-4 Send file dialog box
    Step 8: Click <Send>. The system displays the page, as shown in Figure 1-5.
    Figure 1-5 Sending file page
    Step 9: After the sending process completes, the system displays the following information:
    Loading ...CCCCCCCCCC done!
    Step 10: Reset HyperTerminal’s baudrate to 9600 bps (refer to Steps 4 and 5).
  • Page 750: Loading By Tftp Through Ethernet Port

    Loading host software
    Follow these steps to load the host software:
    Step 1: Select <1> in BOOT Menu and press <Enter>. The system displays the following information:
    1. Set TFTP protocol parameter
    2. Set FTP protocol parameter
    3. Set XMODEM protocol parameter
    0.
  • Page 751 You can use one PC as both the configuration device and the TFTP server. Step 2: Run the TFTP server program on the TFTP server, and specify the path of the program to be downloaded. A TFTP server program is not provided with the 3Com Series Ethernet Switches. Step 3: Run the HyperTerminal program on the configuration PC.
  • Page 752: Loading By Ftp Through Ethernet Port

    0. Return to boot menu
    Enter your choice(0-3):
    Step 2: Enter 1 in the above menu to download the host software using TFTP. The subsequent steps are the same as those for loading the Boot ROM, except that the system gives the prompt for host software loading instead of Boot ROM loading.
  • Page 753
    Bootrom update menu:
    1. Set TFTP protocol parameter
    2. Set FTP protocol parameter
    3. Set XMODEM protocol parameter
    0. Return to boot menu
    Enter your choice(0-3):
    Step 4: Enter 2 in the above menu to download the Boot ROM using FTP. Then set the following FTP-related parameters as required:
    Load File name :switch.btm...
  • Page 754: Remote Boot Rom And Software Loading

    Remote Boot ROM and Software Loading If your terminal is not directly connected to the switch, you can telnet to the switch, and use FTP or TFTP to load the Boot ROM and host software remotely. Remote Loading Using FTP Loading Procedure Using FTP Client Loading the Boot ROM As shown in...
  • Page 755 Before restarting the switch, make sure you have saved all other configurations that you want, so as to avoid losing configuration information. Loading host software Loading the host software is the same as loading the Boot ROM program, except that the file to be downloaded is the host software file, and that you need to use the boot boot-loader command to select the host software used for next startup of the switch.
  • Page 756
    System View: return to User View with Ctrl+Z.
    [Sysname] interface Vlan-interface 1
    [Sysname-Vlan-interface1] ip address 192.168.0.28 255.255.255.0
    Step 3: Enable FTP service on the switch, and configure the FTP user name to test and password to pass.
    [Sysname-Vlan-interface1] quit
    [Sysname] ftp server enable
    [Sysname] local-user test
    New local user added.
  • Page 757 Figure 1-11 Enter Boot ROM directory Step 6: Enter ftp 192.168.0.28 and enter the user name test, password pass, as shown in Figure 1-12, to log on to the FTP server. Figure 1-12 Log on to the FTP server Step 7: Use the put command to upload the file switch.btm to the switch, as shown in Figure 1-13.
  • Page 758: Remote Loading Using Tftp

    Figure 1-13 Upload file switch.btm to the switch
    Step 8: Configure switch.btm to be the Boot ROM at next startup, and then restart the switch.
    <Sysname> boot bootrom switch.btm
    This will update Bootrom on unit 1. Continue? [Y/N] y
    Upgrading Bootrom, please wait...
    Upgrade Bootrom succeeded!
    <Sysname>...
  • Page 759: Basic System Configuration And Debugging

    Basic System Configuration and Debugging
    When configuring basic system configuration and debugging, go to these sections for information you are interested in: Basic System Configuration; Displaying the System Status; Debugging the System.
    Basic System Configuration
    Perform the following basic system configuration: To do…...
  • Page 760: Displaying The System Status

    Displaying the System Status
    Display the current date and time of the system: display clock.
    Display the version of the system: display version.
    Display the information about users logging onto the switch: display users [ all ].
    These display commands are available in any view.
    Debugging the System...
  • Page 761: Displaying Debugging Status

    You can use the following commands to enable the two switches. Follow these steps to enable debugging and terminal display for a specific module:
    Enable system debugging for a specific module: debugging module-name [ debugging-option ]. Required; disabled for all modules by default.
  • Page 762: Network Connectivity Test

    Network Connectivity Test
    When configuring network connectivity test, go to these sections for information you are interested in: ping; tracert.
    Network Connectivity Test
    ping
    You can use the ping command to check the network connectivity and the reachability of a host. To do…...
  • Page 763: Device Management

    Device Management
    When configuring device management, go to these sections for information you are interested in: Introduction to Device Management; Device Management Configuration; Displaying the Device Management Configuration; Remote Switch APP Upgrade Configuration Example.
    Introduction to Device Management
    Device Management includes the following: Reboot the Ethernet switch; Configure real-time monitoring of the running status of the system; Specify the APP to be used at the next reboot...
  • Page 764: Scheduling A Reboot On The Switch

    Before rebooting, the system checks whether there is any configuration change. If yes, it prompts whether or not to proceed. This prevents the system from losing the configurations in case the system is shut down without saving the configurations. Use the following command to reboot the Ethernet switch: To do…...
  • Page 765: Specifying The App To Be Used At Reboot

    Enabling this function consumes some CPU resources. Therefore, if your network has a high CPU usage requirement, you can disable this function to release your CPU resources. Specifying the APP to be Used at Reboot APP is the host software of the switch. If multiple APPs exist in the Flash memory, you can use the command here to specify the one that will be used when the switch reboots.
  • Page 766: Upgrading The Host Software In The Fabric

    Currently, in the S4500 series Ethernet switches, the auto power down configuration does not take effect on 1000BASE-X SFP ports. Upgrading the Host Software in the Fabric You can execute the following command on any device in a Fabric to use specified host software to upgrade all devices in a Fabric, thus realizing software version consistency in this Fabric.
  • Page 767: Displaying The Device Management Configuration

    Display main parameters of the pluggable transceiver(s): display transceiver interface [ interface-type interface-number ]. Available for all pluggable transceivers.
    Display part of the electrical label information of the anti-spoofing pluggable transceiver(s): display transceiver manuinfo interface [ interface-type... Available for anti-spoofing transceiver(s).
  • Page 768: Remote Switch App Upgrade Configuration Example

    Display system diagnostic information or save system diagnostic information to a file with the extension .diag into the Flash memory: display diagnostic-information.
    Display enabled debugging on a specified switch or all switches in the fabric: display debugging { fabric | unit unit-id } [ interface interface-type interface-number ] [ module-name ]...
  • Page 769 Refer to the Login Operation part of this manual for configuration commands and steps about telnet user. Execute the telnet command on the PC to log into the switch. The following prompt appears: <Sysname> If the Flash memory of the switch is not sufficient, delete the original applications before downloading the new ones.
  • Page 770
    Unit 1:
    The current boot app is: switch.bin
    The main boot app is: switch.bin
    The backup boot app is:
    # Reboot the switch to upgrade the Boot ROM and host software of the switch.
    <Sysname> reboot
    Start to check configuration with next startup configuration file, please wait..
  • Page 771 Table of Contents 1 VLAN-VPN Configuration··························································································································1-1 VLAN-VPN Overview ······························································································································1-1 Introduction to VLAN-VPN···············································································································1-1 Implementation of VLAN-VPN·········································································································1-2 Configuring the TPID for VLAN-VPN Packets·················································································1-2 Inner-to-Outer Tag Priority Replicating and Mapping······································································1-3 Transparent IGMP Message Transmission on a VLAN-VPN Port ··················································1-3 VLAN-VPN Configuration························································································································1-3 VLAN-VPN Configuration Task List·································································································1-3 Enabling the VLAN-VPN Feature for a Port ····················································································1-4 Configuring the TPID Value for VLAN-VPN Packets on a Port·······················································1-4 Configuring the Inner-to-Outer Tag Priority Replicating and Mapping Feature·······························1-5...
  • Page 772: Vlan-Vpn Configuration

    VLAN-VPN Configuration
    When configuring VLAN-VPN, go to these sections for information you are interested in: VLAN-VPN Overview; VLAN-VPN Configuration; Displaying and Maintaining VLAN-VPN Configuration; VLAN-VPN Configuration Example.
    VLAN-VPN Overview
    Introduction to VLAN-VPN
    Virtual private network (VPN) is a new technology that emerges with the expansion of the Internet. It can be used for establishing private networks over the public network.
  • Page 773: Implementation Of Vlan-Vpn

    Figure 1-2 Structure of packets with double-layer VLAN tags (fields: Destination MAC address | Source MAC address | Outer VLAN Tag | Inner VLAN Tag | Data)
    Compared with MPLS-based Layer 2 VPN, VLAN-VPN has the following features: It provides Layer 2 VPN tunnels that are simpler. VLAN-VPN can be implemented through manual configuration.
  • Page 774: Inner-To-Outer Tag Priority Replicating And Mapping

    frame as needed. When doing that, you should set the same TPID on both the customer-side port and the service provider-side port. The TPID in an Ethernet frame occupies the same position as the protocol type field in a frame without a VLAN tag.
  • Page 775: Enabling The Vlan-Vpn Feature For A Port

    Enabling the VLAN-VPN Feature for a Port: Required.
    Configuring the TPID Value for VLAN-VPN Packets on a Port: Optional.
    Configuring the Inner-to-Outer Tag Priority Replicating and Mapping Feature: Optional.
    As XRN fabric is mutually exclusive with VLAN-VPN, make sure that XRN fabric is disabled on the switch before performing any of the configurations listed in the above table.
  • Page 776: Configuring The Inner-To-Outer Tag Priority Replicating And Mapping Feature

    Besides the default TPID 0x8100, you can configure only one TPID value on a Switch 4500 switch. For the Switch 4500 series to exchange packets with the public network device properly, you should configure the TPID value used by the public network device on both the customer-side port and the service provider-side port.
  • Page 777: Vlan-Vpn Configuration Example

    VLAN-VPN Configuration Example Transmitting User Packets through a Tunnel in the Public Network by Using VLAN-VPN Network requirements As shown in Figure 1-4, Switch A and Switch B are both Switch 4500 series switches. They connect the users to the servers through the public network. PC users and PC servers are in VLAN 100 created in the private network, while terminal users and terminal servers are in VLAN 200, which is also created in the private network.
  • Page 778
    [SwitchA-Ethernet1/0/11] vlan-vpn enable
    [SwitchA-Ethernet1/0/11] quit
    # Set the TPID value of Ethernet 1/0/12 to 0x9200 (for intercommunication with the devices in the public network) and configure the port as a trunk port permitting packets of VLAN 1040.
    [SwitchA] interface Ethernet 1/0/12
    [SwitchA-Ethernet1/0/12] vlan-vpn tpid 9200
    [SwitchA-Ethernet1/0/12] port link-type trunk
    [SwitchA-Ethernet1/0/12] port trunk permit vlan 1040...
  • Page 779 The TPID value of the outer VLAN tag is set to 0x9200 before the packet is forwarded to the public network through Ethernet1/0/12 of Switch A. The outer VLAN tag of the packet remains unchanged while the packet travels in the public network, till it reaches Ethernet1/0/22 of Switch B.
  • Page 780: Selective Qinq Configuration

    Selective QinQ Configuration
    When configuring selective QinQ, go to these sections for information you are interested in: Selective QinQ Overview; Selective QinQ Configuration; Selective QinQ Configuration Example.
    Selective QinQ Overview
    Selective QinQ is an enhanced application of the VLAN-VPN feature. With the selective QinQ feature, you can configure inner-to-outer VLAN tag mapping, according to which you can add different outer VLAN tags to the packets with different inner VLAN tags.
  • Page 781: Mac Address Replicating

    telephone users (in VLAN 201 to VLAN 300). Packets of all these users are forwarded by Switch A to the public network. After the selective QinQ feature and the inner-to-outer tag mapping feature are enabled on the port connecting Switch A to these users, the port will add different outer VLAN tags to the packets according to their inner VLAN tags.
  • Page 782: Selective Qinq Configuration Task List

    device receives a packet from the service provider network, this device will find the path for the packet by searching the MAC address table of the VLAN corresponding to the outer tag and unicast the packet. Thus, packet broadcast is reduced in selective QinQ applications. Likewise, the entries in the MAC address table of the outer VLAN can also be replicated to that of the default VLAN on a port, through which the outbound port to the service provider network can be determined through the MAC address table of the default VLAN and user packets destined for the...
  • Page 783: Selective Qinq Configuration Example

    Do not enable both the selective QinQ function and the DHCP snooping function on a switch. Otherwise, the DHCP snooping function may operate improperly. Enabling the Inter-VLAN MAC Address Replicating Feature Follow these steps to enable the inter-VLAN MAC address replicating feature: To do...
  • Page 784 The public network permits packets of VLAN 1000 and VLAN 1200. Apply QoS policies for these packets to reserve bandwidth for packets of VLAN 1200. That is, packets of VLAN 1200 have higher transmission priority over packets of VLAN 1000. Employ the selective QinQ feature on Switch A and Switch B to differentiate traffic of PC users from that of IP phone users, for the purpose of using QoS policies to guarantee higher priority for voice traffic.
  • Page 785
    [SwitchA-Ethernet1/0/5] port hybrid vlan 5 1000 1200 tagged
    [SwitchA-Ethernet1/0/5] quit
    # Configure Ethernet 1/0/3 as a hybrid port and configure VLAN 5 as its default VLAN. Configure Ethernet 1/0/3 to remove VLAN tags when forwarding packets of VLAN 5, VLAN 1000, and VLAN 1200.
    [SwitchA] interface Ethernet 1/0/3
    [SwitchA-Ethernet1/0/3] port link-type hybrid
    [SwitchA-Ethernet1/0/3] port hybrid pvid vlan 5...
  • Page 786
    [SwitchB] interface Ethernet 1/0/11
    [SwitchB-Ethernet1/0/11] port link-type hybrid
    [SwitchB-Ethernet1/0/11] port hybrid vlan 12 13 1000 1200 tagged
    # Configure Ethernet1/0/12 as a hybrid port and configure VLAN 12 as its default VLAN. Configure Ethernet 1/0/12 to remove VLAN tags when forwarding packets of VLAN 12 and VLAN 1000.
    [SwitchB] interface Ethernet 1/0/12
    [SwitchB-Ethernet1/0/12] port link-type hybrid
    [SwitchB-Ethernet1/0/12] port hybrid pvid...
  • Page 787 Table of Contents 1 Remote-ping Configuration ······················································································································1-1 Introduction to remote-ping ·····················································································································1-1 remote-ping Configuration ······················································································································1-1 Introduction to remote-ping Configuration ·······················································································1-1 Configuring remote-ping ··················································································································1-2 Displaying remote-ping Configuration ·····························································································1-2 Configuration Example ····················································································································1-3...
  • Page 788 Remote-ping Configuration Introduction to remote-ping remote-ping is a network diagnostic tool used to test the performance of protocols (only ICMP so far) running on a network. It is an enhanced alternative to the ping command. A remote-ping test group is a set of remote-ping test parameters. A test group contains several test parameters and is uniquely identified by an administrator name plus a test tag.
  • Page 789: Configuring Remote-Ping

    This parameter is used to enable the system to automatically perform the same test at regular intervals. Test timeout time Test timeout time is the duration for which the system waits for an ECHO-RESPONSE packet after it sends out an ECHO-REQUEST packet. If no ECHO-RESPONSE packet is received within this duration, this test is considered a failure.
  • Page 790
    Table 1-2 Display remote-ping configuration
    Display the information of remote-ping test history: display remote-ping history [ administrator-name operation-tag ].
    Display the latest remote-ping test results: display remote-ping results [ administrator-name operation-tag ].
    The display command can be executed in any view.
    Configuration Example...
  • Page 791
    Packet lost in test: 0%
    Disconnect operation number: 0
    Operation timeout number: 0
    System busy operation number: 0
    Connection fail number: 0
    Operation sequence errors: 0
    Drop operation number: 0
    Other operation errors: 0
    [Sysname-remote-ping-administrator-icmp] display remote-ping history administrator icmp
    remote-ping entry(admin administrator, tag icmp) history record:
    Index Response...
  • Page 792 Table of Contents 1 IPv6 Configuration·····································································································································1-1 IPv6 Overview ·········································································································································1-1 IPv6 Features ··································································································································1-1 Introduction to IPv6 Address ···········································································································1-3 Introduction to IPv6 Neighbor Discovery Protocol···········································································1-6 Protocols and Standards ·················································································································1-8 IPv6 Configuration Task List ···················································································································1-8 Configuring an IPv6 Unicast Address······························································································1-9 Configuring IPv6 NDP ···················································································································1-10 Configuring a Static IPv6 Route ····································································································1-12 Configuring IPv6 TCP Properties ··································································································1-12 Configuring the Maximum Number of IPv6 ICMP Error Packets Sent within a Specified Time····1-13...
  • Page 793: Ipv6 Configuration

    IPv6 Configuration
    When configuring IPv6, go to these sections for information you are interested in: IPv6 Overview; IPv6 Configuration Task List; IPv6 Configuration Example.
    The term “router” in this document refers to a router in a generic sense or an Ethernet switch running a routing protocol.
  • Page 794 Figure 1-1 Comparison between IPv4 header format and IPv6 header format Adequate address space The source IPv6 address and the destination IPv6 address are both 128 bits (16 bytes) long. IPv6 can provide 3.4 x 10 addresses to completely meet the requirements of hierarchical address division as well as allocation of public and private addresses.
  • Page 795: Introduction To Ipv6 Address

    Enhanced neighbor discovery mechanism The IPv6 neighbor discovery protocol is implemented by a group of Internet Control Message Protocol Version 6 (ICMPv6) messages. The IPv6 neighbor discovery protocol manages message exchange between neighbor nodes (nodes on the same link). The group of ICMPv6 messages takes the place of Address Resolution Protocol (ARP), Internet Control Message Protocol Version 4 (ICMPv4), and ICMPv4 redirect messages to provide a series of other functions.
  • Page 796 Multicast address: An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address. Anycast address: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the nearest one, according to the routing protocols’...
  • Page 797 Unassigned address: The unicast address :: is called the unassigned address and may not be assigned to any node. Before acquiring a valid IPv6 address, a node may fill this address in the source address field of an IPv6 packet, but may not use it as a destination IPv6 address. Multicast address Multicast addresses listed in Table 1-2...
  • Page 798: Introduction To Ipv6 Neighbor Discovery Protocol

    Introduction to IPv6 Neighbor Discovery Protocol
    The IPv6 Neighbor Discovery Protocol (NDP) uses five types of ICMPv6 messages to implement the following functions: Address resolution; Neighbor unreachability detection; Duplicate address detection; Router/prefix discovery; Address autoconfiguration; Redirection.
    Table 1-3 lists the types and functions of ICMPv6 messages used by the NDP.
    Table 1-3 Types and functions of ICMPv6 messages (columns: ICMPv6 message | Function)...
  • Page 799 Address resolution Similar to the ARP function in IPv4, a node acquires the link-layer address of neighbor nodes on the same link through NS and NA messages. Figure 1-3 shows how node A acquires the link-layer address of node B. Figure 1-3 Address resolution The address resolution procedure is as follows: Node A multicasts an NS message.
  • Page 800: Ipv6 Configuration Task List

    Figure 1-4 Duplicate address detection The duplicate address detection procedure is as follows: Node A sends an NS message whose source address is the unassigned address :: and the destination address is the corresponding solicited-node multicast address of the IPv6 address to be detected.
  • Page 801: Configuring An Ipv6 Unicast Address

    Configuring the Hop Limit of ICMPv6 Reply Packets: Optional.
    Displaying and Maintaining IPv6: Optional.
    Configuring an IPv6 Unicast Address
    An IPv6 address is required for a host to access an IPv6 network. A host can be assigned a global unicast address, a site-local address, or a link-local address.
  • Page 802: Configuring Ipv6 Ndp

    Configure an IPv6 link-local address:
    Automatically generate a link-local address: ipv6 address auto link-local. Optional; by default, after an IPv6 site-local address or global unicast address is configured for an interface, a link-local address...
    Manually assign a link-local address: ipv6 address ipv6-address link-local...
  • Page 803
    Follow these steps to configure a static neighbor entry:
    Enter system view: system-view.
    Configure a static neighbor entry: ipv6 neighbor ipv6-address mac-address { vlan-id port-type port-number | interface interface-type interface-number }. Required.
    Configuring the maximum number of neighbors dynamically learned
    The device can dynamically acquire the link-layer address of a neighbor node through NS and NA messages and add it to the neighbor table.
  • Page 804: Configuring A Static Ipv6 Route

    Configuring the NS Interval After a device sends an NS message, if it does not receive a response within a specific period, the device will send another NS message. You can configure the interval for sending NS messages. Follow these steps to configure the NS interval: To do…...
  • Page 805: Configuring The Maximum Number Of Ipv6 Icmp Error Packets Sent Within A Specified Time

    FIN packets are received, the IPv6 TCP connection status becomes TIME_WAIT. If other packets are received, the finwait timer is reset from the last packet and the connection is terminated after the finwait timer expires. Size of IPv6 TCP receiving/sending buffer. Follow these steps to configure IPv6 TCP properties: To do…...
  • Page 806: Displaying And Maintaining Ipv6

    Enter system view: system-view.
    Configure the hop limit of ICMPv6 reply packets: ipv6 nd hop-limit value. Optional; 64 by default.
    Displaying and Maintaining IPv6
    Display the FIB entries: display ipv6 fib.
    Display the mapping between ...: display ipv6 host...
  • Page 807: Ipv6 Configuration Example

    IPv6 Configuration Example IPv6 Unicast Address Configuration Network requirements Two switches are directly connected through two Ethernet ports. The Ethernet ports belong to VLAN 2. Different types of IPv6 addresses are configured for the interface VLAN-interface 2 on each switch to verify the connectivity between the two switches.
  • Page 808
    Global unicast address(es):
      2001::20F:E2FF:FE49:8048, subnet is 2001::/64
      3001::1, subnet is 3001::/64
    Joined group address(es):
      FF02::1:FF00:1
      FF02::1:FF49:8048
      FF02::1
    MTU is 1500 bytes
    ND DAD is enabled, number of DAD attempts: 1
    ND reachable time is 30000 milliseconds
    ND retransmit interval is 1000 milliseconds
    Hosts use stateless autoconfig for addresses
    # Display the brief IPv6 information of the interface on Switch B.
  • Page 809
    bytes=56 Sequence=3 hop limit=255 time = 60 ms
    Reply from FE80::20F:E2FF:FE00:1
    bytes=56 Sequence=4 hop limit=255 time = 70 ms
    Reply from FE80::20F:E2FF:FE00:1
    bytes=56 Sequence=5 hop limit=255 time = 60 ms
    --- FE80::20F:E2FF:FE00:1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 60/66/80 ms
    [SwitchA-Vlan-interface2] ping ipv6 2001::20F:E2FF:FE00:1...
  • Page 810: Ipv6 Application Configuration

    IPv6 Application Configuration. When configuring IPv6 applications, go to these sections for information you are interested in: Introduction to IPv6 Application, Configuring IPv6 Application, IPv6 Application Configuration Example, Troubleshooting IPv6 Application. Introduction to IPv6 Application: IPv6 supports more and more applications. Most IPv6 applications are the same as those of IPv4.
  • Page 811: Ipv6 Traceroute

    IPv6 Traceroute. The traceroute ipv6 command is used to record the route of IPv6 packets from source to destination, so as to check whether the link is available and determine the point of failure. Figure 2-1 Traceroute process. As Figure 2-1 shows, the traceroute process is as follows: The source sends an IP datagram with a Hop Limit of 1.
  • Page 812: Ipv6 Telnet

    To do… Use the command… Remarks
    Download/upload files from the TFTP server: tftp ipv6 remote-system [ -i interface-type interface-number ] { get | put } source-filename [ destination-filename ] (Required. Available in user view). When you use the tftp ipv6 command to connect to the TFTP server, you must specify the "-i" keyword if the destination address is a link-local address.
  • Page 813: Ipv6 Application Configuration Example

    Displaying and maintaining IPv6 Telnet. Display the use information of the users who have logged in: display users [ all ] (Available in any view). IPv6 Application Configuration Example. IPv6 Applications. Network requirements: As shown in Figure 2-3, SWA, SWB, and SWC are three switches, among which SWA is a 3Com Switch 4500, and SWB and SWC are two switches supporting IPv6 forwarding.
  • Page 814: Troubleshooting Ipv6 Application

    bytes=56 Sequence=2 hop limit=64 time = 31 ms
    Reply from 3003::1
    bytes=56 Sequence=3 hop limit=64 time = 31 ms
    Reply from 3003::1
    bytes=56 Sequence=4 hop limit=64 time = 31 ms
    Reply from 3003::1
    bytes=56 Sequence=5 hop limit=64 time = 31 ms
    --- 3003::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received...
  • Page 815: Unable To Run Traceroute

    Use the display ipv6 interface command to determine whether the interfaces of the source and the destination, and the link-layer protocol between them, are up. Use the display ipv6 route-table command to verify that the destination is reachable. Use the ping ipv6 -t timeout { destination-ipv6-address | hostname } [ -i interface-type interface-number ] command to increase the timeout limit, so as to determine whether the failure is caused by a timeout limit that is too small.
  • Page 816 Table of Contents 1 Password Control Configuration Operations ·························································································1-1 Introduction to Password Control Configuration ·····················································································1-1 Password Control Configuration ·············································································································1-3 Configuration Prerequisites ·············································································································1-3 Configuration Tasks·························································································································1-3 Configuring Password Aging ···········································································································1-3 Configuring the Limitation of Minimum Password Length ·······························································1-5 Configuring History Password Recording························································································1-6 Configuring a User Login Password in Interactive Mode ································································1-7 Configuring Login Attempt Times Limitation and Failure Processing Mode ···································1-7 Configuring the Password Authentication Timeout Time ································································1-8...
  • Page 817: Introduction To Password Control Configuration

    Password Control Configuration Operations Introduction to Password Control Configuration The password control feature is designed to manage the following passwords: Telnet passwords: passwords for logging into the switch through Telnet. SSH passwords: passwords for logging into the switch through SSH. FTP passwords: passwords for logging into the switch through FTP.
  • Page 818
    Function | Description | Application
    Password protection encryption | Encrypted display: The switch protects the displayed password. The password is always displayed as a string containing only asterisks (*) in the configuration file or on the user terminal. Saving passwords in ciphertext: The switch encrypts and saves the configured passwords in ciphertext in the configuration file. | All passwords
  • Page 819: Password Control Configuration

    Password Control Configuration. Configuration Prerequisites: A user PC is connected to the switch to be configured; both devices are operating normally. Configuration Tasks: The following sections describe the configuration tasks for password control: Configuring Password Aging, Configuring the Limitation of Minimum Password Length, Configuring History Password Recording, Configuring a User Login Password in Interactive Mode, Configuring Login Attempt Times Limitation and Failure Processing Mode...
  • Page 820
    Operation | Command | Description
    Create a local user or enter local user view: local-user user-name (—). Configure a password aging time for the local user: password-control aging aging-time (Optional. By default, the aging time is 90 days). In this section, you must note the effective range of the same commands when executed in different views or to different types of passwords: Global settings in system view apply to all local user passwords and super passwords.
  • Page 821: Configuring The Limitation Of Minimum Password Length

    You can configure the password aging time when password aging is not yet enabled, but these configured parameters will not take effect. After the user changes the password successfully, the switch saves the old password in a readable file in the flash memory. The switch does not provide the alert function for FTP passwords.
  • Page 822: Configuring History Password Recording

    In this section, you must note the effective range of the same commands when executed in different views or to different types of passwords: Global settings in system view apply to all local user passwords and super passwords. Settings in the local user view apply to the local user password only. Settings on the parameters of the super passwords apply to super passwords only.
  • Page 823: Configuring A User Login Password In Interactive Mode

    Table 1-5 Manually remove history password records. Operation | Command | Description. Remove history password records of one or all users: reset password-control history-record [ user-name user-name ] (Executing this command without the user-name option removes the history password records of all users. Executing this command with the user-name option removes the history password records of the named user...)
  • Page 824: Configuring The Password Authentication Timeout Time

    lock-time: In this mode, the system inhibits the user from re-logging in within a certain time period. After the period, the user is allowed to log into the switch again. By default, this time is 120 minutes. lock: In this mode, the system inhibits the user from re-logging in forever. The user is allowed to log into the switch again only after the administrator removes the user from the user blacklist.
  • Page 825: Configuring Password Composition Policies

    Table 1-9 Configure the timeout time for users to be authenticated. Operation | Command | Description. Enter system view: system-view (—). Configure the timeout time for users to be authenticated: password-control authentication-timeout authentication-timeout (Optional. By default, it is 60 seconds). Configuring Password Composition Policies: A password can be a combination of characters from the following four categories: letters A to Z, letters a to z, digits 0 to 9, and 32 special characters, namely space and ~`!@#$%^&*()_+-={}|[]\:";'<>,./.
  • Page 826: Displaying Password Control

    Operation | Command | Description
    Configure the password composition policy for the local user: password-control composition type-number policy-type [ type-length type-length ] (Optional. By default, the minimum number of types a password should contain is 1 and the minimum number of characters of each type is 1.)
  • Page 827 For the super password, the minimum number of password composition types is 3 and the minimum number of characters in each composition type is 3. For a local user named test, the minimum password length is 6 characters, the minimum number of password composition types is 2, the minimum number of characters in each password composition type is 3, and the password aging time is 20 days.
  • Page 828 Table of Contents 1 Access Management Configuration ·············································································· 1-1 Access Management Overview ···················································································· 1-1 Configuring Access Management ················································································· 1-2 Access Management Configuration Examples ······························································ 1-3 Access Management Configuration Example·························································· 1-3 Combining Access Management with Port Isolation ················································ 1-4...
  • Page 829: Access Management Configuration

    Access Management Configuration When configuring access management, go to these sections for information you are interested in: Access Management Overview Configuring Access Management Access Management Configuration Examples Access Management Overview Normally, client PCs in a network are connected to switches operating on the network access layer (also referred to as access switches) through Layer 2 switches;...
  • Page 830: Configuring Access Management

    A port without an access management IP address pool configured allows the hosts to access external networks only if their IP addresses are not in the access management IP address pools of other ports of the switch. Note that the IP addresses in the access management IP address pool configured on a port must be in the same network segment as the IP address of the interface of the VLAN to which the port belongs.
  • Page 831: Access Management Configuration Example

    Access Management Configuration Examples Access Management Configuration Example Network requirements Client PCs are connected to the external network through Switch A (an Ethernet switch). The IP addresses of the PCs of Organization 1 are in the range 202.10.20.1/24 to 202.10.20.20/24. The IP address of PC 2 is 202.10.20.100/24, and that of PC 3 is 202.10.20.101/24.
  • Page 832: Combining Access Management With Port Isolation

    [Sysname-Ethernet1/0/1] am ip-pool 202.10.20.1 20
    Combining Access Management with Port Isolation. Network requirements: Client PCs are connected to the external network through Switch A (an Ethernet switch). The IP addresses of the PCs of Organization 1 are in the range 202.10.20.1/24 to 202.10.20.20/24, and those of the PCs in Organization 2 are in the range 202.10.20.25/24 to 202.10.20.50/24 and the range 202.10.20.55 to 202.10.20.65/24.
  • Page 833
    # Set the IP address of VLAN-interface 1 to 202.10.20.200/24.
    [Sysname] interface Vlan-interface 1
    [Sysname-Vlan-interface1] ip address 202.10.20.200 24
    [Sysname-Vlan-interface1] quit
    # Configure the access management IP address pool on Ethernet 1/0/1.
    [Sysname] interface Ethernet 1/0/1
    [Sysname-Ethernet1/0/1] am ip-pool 202.10.20.1 20
    # Add Ethernet 1/0/1 to the port isolation group.
  • Page 834 Table of Contents 1 LLDP Configuration···································································································································1-1 Introduction to LLDP ·······························································································································1-1 Overview··········································································································································1-1 LLDP Fundamental··························································································································1-1 TLV Types ·······································································································································1-2 Protocols and Standards ·················································································································1-4 LLDP Configuration Task List ·················································································································1-4 Performing Basic LLDP Configuration ····································································································1-4 Enabling LLDP·································································································································1-4 Setting LLDP Operating Mode ········································································································1-5 Configuring LLDPDU TLVs ·············································································································1-5 Enable LLDP Polling························································································································1-6 Configuring the Parameters Concerning LLDPDU Sending ···························································1-7 Configuring the Encapsulation Format for LLDPDUs ·············································································1-7...
  • Page 835: Overview

    LLDP Configuration When configuring LLDP, go to these sections for information you are interested in: Introduction to LLDP LLDP Configuration Task List Performing Basic LLDP Configuration Configuring the Encapsulation Format for LLDPDUs Configuring CDP Compatibility Configuring LLDP Trapping Displaying and Maintaining LLDP LLDP Configuration Examples Introduction to LLDP Overview...
  • Page 836: Tlv Types

    To inform the neighboring devices in a timely manner of the existence of a device or of an LLDP operating mode change (from the disable mode to the TxRx mode, or from the Rx mode to the Tx mode), a device can invoke the fast sending mechanism. In this case, the interval for sending LLDPDUs changes to one second.
  • Page 837
    Type | Description | Remarks
    Management Address TLV: Carries the management address, the corresponding port number, and the OID (object identifier). If the management address is not configured, it is the IP address of the interface of the VLAN with the least VLAN ID among those permitted on the port.
  • Page 838: Lldp Configuration Task List

    Firmware revision TLV, which carries the firmware version of an MED device. Software revision TLV, which carries the software version of an MED device. Serial number TLV, which carries the serial number of an MED device. Manufacturer name TLV, which carries the manufacturer name of an MED device. Model name TLV, which carries the model of an MED device.
  • Page 839: Setting Lldp Operating Mode

    To do… Use the command… Remarks
    Enable LLDP globally: lldp enable (Required. By default, LLDP is disabled globally). Enter Ethernet interface view: interface interface-type interface-number (Required). Enable LLDP: lldp enable (Optional, the configuration applies to the current port only. By default, LLDP is enabled on a port).
  • Page 840: Enable Lldp Polling

    To do… Use the command… Remarks
    lldp tlv-enable { basic-tlv { all | port-description | system-capability | system-description | system-name } | dot1-tlv { all | port-vlan-id | protocol-vlan-id [ vlan-id ] | vlan-name [ vlan-id ] } | dot3-tlv { all | ... (Optional, the configuration applies to the current port only.)
  • Page 841: Configuring The Parameters Concerning Lldpdu Sending

    To do… Use the command… Remarks
    Enter system view: system-view (—). Enter Ethernet interface view: interface interface-type interface-number (Required). Enable LLDP polling and set the polling interval: lldp check-change-interval value (Optional, the configuration applies to the current port only. Disabled by default). Configuring the Parameters Concerning LLDPDU Sending. Configuring time-related parameters: Follow these steps to set time-related parameters:...
  • Page 842: Configuring Cdp Compatibility

    With SNAP encapsulation configured, an LLDP port sends LLDPDUs in SNAP frames and processes only SNAP encapsulated incoming LLDPDUs. By default, LLDPDUs are encapsulated in Ethernet II frames. If the neighbor devices encapsulate LLDPDUs in SNAP frames, you can configure the encapsulation format for LLDPDUs as SNAP on the port connected to the neighbor device, thus guaranteeing communication with the other devices in the network.
  • Page 843: Configuring Lldp Trapping

    Configuration Prerequisites Before configuring CDP compatibility, make sure that: LLDP is enabled globally. LLDP is enabled on the port connected to an IP phone and is configured to operate in TxRx mode on the port. Configuring CDP Compatibility Follow these steps to enable LLDP to be compatible with CDP: To do…...
  • Page 844: Displaying And Maintaining Lldp

    To do… Use the command… Remarks
    Enable LLDP trap sending: lldp notification remote-change enable (Required, the configuration applies to the current port only. Disabled by default). Quit to system view: quit (—). Set the interval to send LLDP traps: lldp timer notification-interval value (Optional. 5 seconds by default)...
  • Page 845
    Figure 1-1 Network diagram for LLDP configuration (Switch A: GE1/0/1, GE1/0/2; Switch B: GE1/0/1; MED Device)
    Configuration procedure. Configure Switch A.
    # Enable LLDP globally.
    <SwitchA> system-view
    [SwitchA] lldp enable
    # Enable LLDP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, setting the LLDP operating mode to
    [SwitchA] interface gigabitethernet1/0/1
    [SwitchA-GigabitEthernet1/0/1] lldp enable
    [SwitchA-GigabitEthernet1/0/1] lldp admin-status rx...
  • Page 846
    Transmit interval : 30s
    Hold multiplier
    Reinit delay : 2s
    Transmit delay : 2s
    Trap interval : 5s
    Fast start times
    Port 1 [GigabitEthernet1/0/1] :
    Port status of LLDP : Enable
    Admin status : Rx_Only
    Trap flag : No
    Roll time : 0s
    Number of neighbors
    Number of MED neighbors...
  • Page 847: Cdp-Compatible Lldp Configuration Example

    Trap flag : No
    Roll time : 0s
    Number of neighbors
    Number of MED neighbors
    Number of CDP neighbors
    Number of sent optional TLV
    Number of received unknown TLV
    Port 2 [GigabitEthernet1/0/2] :
    Port status of LLDP : Enable
    Admin status : Rx_Only
    Trap flag : No...
  • Page 848
    # Enable the voice VLAN feature on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] voice vlan 2 enable
    [SwitchA-GigabitEthernet1/0/1] quit
    [SwitchA] interface gigabitethernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] voice vlan 2 enable
    [SwitchA-GigabitEthernet1/0/2] quit
    Configure CDP-compatible LLDP on Switch A.
    # Enable LLDP globally.
