3Com 5500-SI Configuration Manual


3Com®
Switch 5500 Family

Configuration Guide

Switch 5500-SI
Switch 5500-EI
Switch 5500G-EI
www.3Com.com
Part Number: 10014922 Rev. AC
Published: December 2006


Summary of Contents for 3Com 5500-SI

  • Page 1: Configuration Guide

    3Com® Switch 5500 Family Configuration Guide Switch 5500-SI Switch 5500-EI Switch 5500G-EI www.3Com.com Part Number: 10014922 Rev. AC Published: December 2006...
  • Page 2 LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.
  • Page 3: Table Of Contents

    CONTENTS ABOUT THIS GUIDE Organization of the Manual Intended Readership Conventions Related Manuals GETTING STARTED Product Overview XRN Overview Major Technologies Typical Networking Topology Product Features Logging in to the Switch Setting up Configuration Environment through the Console Port Setting up Configuration Environment through Telnet Setting up Configuration Environment through a Dial-up Modem Command Line Interface Command Line View...
  • Page 4 CHAPTER CONTENTS Displaying Port Configuration Information in Brief Ethernet Port Configuration Example Ethernet Port Troubleshooting Link Aggregation Configuration Link Aggregation Configuration Displaying and Debugging Link Aggregation Link Aggregation Configuration Example Global Broadcast Suppression Feature Configuring Global Broadcast Suppression Global Broadcast Suppression Configuration Example Configuration procedure Displaying Information About a Specified Optical Port XRN C...
  • Page 5 Protocol-Based VLAN Configuration Configuring Protocol-Based VLANs Displaying the Information about Protocol-Based VLANs Voice VLAN Configuration Voice VLAN Configuration Displaying and Debugging of Voice VLAN Voice VLAN Configuration Example Creating VLANs in Batches Voice VLAN Configuration Configuring the Voice VLAN Function Voice VLAN Displaying and Debugging Voice VLAN Configuration Example GVRP C...
  • Page 6 CHAPTER CONTENTS DHCP SERVER CONFIGURATION Introduction to DHCP Server Usage of DHCP Server DHCP Fundamentals DHCP Packet Processing Modes DHCP Address Pool Global Address Pool-Based DHCP Server Configuration Configuration Overview Enabling DHCP Configuring Global Address Pool Mode on Interface(s) Configuring How to Assign IP Addresses in a Global Address Pool Configuring DNS Services for DHCP Clients Configuring NetBIOS Services for DHCP Clients...
  • Page 7 VRRP CONFIGURATION VRRP Overview Virtual Router Overview Introduction to Backup Group VRRP Configuration Configuring a Virtual Router IP address Configuring Backup Group-Related Parameters Displaying and Clearing VRRP Information VRRP Configuration Example Single-VRRP Backup Group Configuration Example VRRP Tracking Interface Example Multiple-VRRP Backup Group Configuration Example Troubleshooting VRRP MSTP C...
  • Page 8 CHAPTER CONTENTS Introduction to the Protection Functions Prerequisites Configuring BPDU Protection Configuring Root Protection Configuring Loop Prevention Configuring TC-BPDU Attack Prevention BPDU Tunnel Configuration Introduction to BPDU Tunnel Configuring BPDU Tunnel Displaying and Debugging MSTP MSTP Configuration Example BPDU Tunnel Configuration Example CENTRALIZED MAC ADDRESS...
  • Page 9 Displaying and Debugging RIP Example: Typical RIP Configuration Troubleshooting RIP OSPF Configuration Calculating OSPF Routes Basic Concepts Related to OSPF Configuring OSPF Displaying and Debugging OSPF Example: Configuring DR Election Based on OSPF Priority Example: Configuring OSPF Virtual Link Troubleshooting OSPF IP Routing Policy Configuring an IP Routing Policy Forwarding Layer 3 Broadcast Packets...
  • Page 10 CHAPTER CONTENTS Option 82 Supporting Configuration Prerequisites Enabling Option 82 Supporting on a DHCP Relay Option 82 Supporting Configuration Example Introduction to DHCP Snooping DHCP Snooping Configuration Configuration Example Introduction to DHCP Accounting Structure of the DHCP Accounting Packets DHCP Accounting Fundamentals DHCP Accounting Configuration Displaying and Debugging DHCP Configuration DHCP Relay Configuration Example One...
  • Page 11 Displaying Multicast MAC Address Configuration Multicast Source Deny Configuration Clearing MFC Forwarding Entries or Statistics Information Clearing Route Entries From The Core Multicast Routing Table Displaying and Debugging Common Multicast Configuration Internet Group Management Protocol (IGMP) Configuring IGMP Displaying and debugging IGMP PIM-DM Overview Configuring PIM-DM Displaying and Debugging PIM-DM...
  • Page 12 CHAPTER CONTENTS Applying QoS Profile to the Port QoS Profile Configuration Example ACL Control Configuration Configuring ACL for Telnet Users Defining ACL Importing ACL Configuration Example Configuring ACL for SNMP Users Configuration Example Configuring ACL Control over the HTTP Users Defining ACL Calling ACL to Control HTTP Users Configuration Example...
  • Page 13 Configuring Timers Enabling/Disabling a Quiet-Period Timer 802.1x Client Version Checking Configuration Enabling the 802.1x Client Version Checking Function Configuring the Maximum Number of Retries to Send Version Checking Request Packets Configuring the Version Checking Timer 802.1x Client Version Checking Configuration Example Guest VLAN Configuration Guest VLAN Configuration Configure Guest VLAN in Ethernet port view...
  • Page 14 Setting the Timers of the RADIUS Server Displaying and Debugging AAA and RADIUS Protocol AAA and RADIUS Protocol Configuration Example Configuring the Switch 5500 AAA and RADIUS Protocol Fault Diagnosis and Troubleshooting Problem Diagnosis 3Com-User-Access-Level SYSTEM MANAGEMENT File System Overview Directory Operation File Attribute Configuration...
  • Page 15 MAC Address Table Management MAC Address Table Configuration Displaying MAC Address Table MAC Address Table Management Display Example MAC Address Table Management Configuration Example Device Management Device Management Configuration Device Management Configuration Example System Maintenance and Debugging Setting the Daylight Saving Time Telneting with Specified Source IP Address/Source Interface IP Address Basic System Configuration Terminating the FTP Connection of a Specified User...
  • Page 16 CHAPTER CONTENTS Configure NTP Broadcast Mode Configure NTP Multicast Mode Configure Authentication-enabled NTP Server Mode SSH Terminal Services Configuring SSH Server Setting System Protocol Configuring SSH Client SSH Configuration Example File System Configuration Introduction to File System File System Configuration FTP Lighting Configuration Introduction to FTP FTP Lighting Procedure...
  • Page 17 RSTP CONFIGURATION STP Overview Implement STP Configuration BPDU Forwarding Mechanism in STP Implement RSTP on the Switch RSTP Configuration Enable/Disable RSTP on a Switch Enable/Disable RSTP on a Port Configure RSTP Operating Mode Configure the STP-Ignore attribute of VLANs on a Switch Set Priority of a Specified Bridge Specify the Switch as Primary or Secondary Root Bridge Set Forward Delay of a Specified Bridge...
  • Page 18 CHAPTER CONTENTS Network Management Operation Logging Configuration Displaying and Debugging SNMP SNMP Configuration Example Reading Usmusr Table Configuration Example SOURCE IP ADDRESS CONFIGURATION Configuring Source IP Address for Service Packets Displaying the Source IP Address Configuration PASSWORD CONTROL CONFIGURATION OPERATIONS Introduction to Password Control Configuration Password Control Configuration...
  • Page 19 CLUSTERING Clustering Overview Switch Roles Introduction to NDP Introduction to NTDP Introduction to Cluster Roles Management Device Configuration Enabling System and Port NDP Configuring NDP Parameters Enabling System and Port NTDP Configuring NTDP Parameters Configuring Cluster Parameters Configuring Internal-External Interaction NM Interface for Cluster Management Configuration Member Device Configuration Enabling System and Port NDP...
  • Page 20 SWITCH WITH CISCO SECURE Cisco Secure ACS (TACACS+) and the 3Com Switch 5500 Setting Up the Cisco Secure ACS (TACACS+) server Adding a 3Com Switch 5500 as a RADIUS client Adding a User for Network Login Adding a User for Switch Login...
  • Page 21: About This Guide

    commands supported on the 3Com Switch 5500 Family. The descriptions in this guide apply to the Switch 5500-SI and Switch 5500-EI. Differences between the models are noted in the text. Organization of the Manual: The Switch 5500 Family Configuration Guide consists of the following chapters: Getting Started—Details the main features and configurations of the Switch...
  • Page 22: Intended Readership

    ABOUT THIS GUIDE ■ ACL by RADIUS—Details ACL by RADIUS Configuration. ■ Auto Detect—Details Auto Detect Configuration. ■ RSTP—Details Spanning Tree Protocol Configuration. ■ PoE—Details PoE profile Configuration. ■ SNMP—Details Simple Network Management Protocol Configuration. ■ Source IP Address—Details Source IP Address Configuration for the FTP client ■...
  • Page 23: Related Manuals

    The vertical bars indicate that only one of the parameters is allowed. Related Manuals The 3Com Switch 5500 Family Getting Started Guide provides information about installation. The 3Com Switch 5500 Family Command Reference Guide provides all the...
  • Page 24 ABOUT THIS GUIDE...
  • Page 25: Getting Started

    Product Overview The Switch 5500 Family are Layer 3 switching products supporting expandable resilient networking (XRN). The Switch 5500 can be one of two series: Switch 5500-SI or the Switch 5500-EI. The Switch 5500 family supports simple routing, basic service features, and basic XRN;...
  • Page 26: Xrn Overview

    Fabric. Trans-unit link aggregation can bring convenient aggregation setting and effectively reduce single points of failure. The Switch 5500-SI supports basic XRN, that is DDM and DLA; the Switch 5500-EI supports enhanced XRN, including DDM, DRR, and DLA. Typical Networking Typical XRN networking topology is as shown in Figure 1.
  • Page 27: Product Features

    Product Features Figure 1 Networking Topology with XRN (figure labels: Server, Core Fabric switches Unit 1 to Unit 4, Workgroup switches, Desktop) Product Features Table 4 describes the features: Table 4 Function Features (columns: Features, Description) Port 802.1D Learning Static MAC (unicast/multicast) Jumbo Frame (9k) (EI models only) Unidirectional Link Detection (UDLD) VLAN...
  • Page 28 CHAPTER 1: GETTING STARTED Table 4 Function Features (continued) Features Description Multicast Internet Group Management Protocol (IGMP) Snooping Multicast VLAN Registration (MVR) Internet Group Management Protocol (IGMP) (EI models only) Protocol-Independent Multicast-Dense Mode (PIM-DM) (EI models only) Protocol-Independent Multicast-Sparse Mode (PIM-SM) (EI models only) Multicast Source Discovery Protocol (MSDP) (EI models only) IP routing...
  • Page 29: Logging In To The Switch

    Logging in to the Switch Table 4 Function Features (continued) Features Description Management and Command line interface configuration Maintenance Configuration through console port Remote configuration through Telnet or SSH Configuration through dialing the Modem SNMP v1/2c/3 System log Level alarms Output of debugging information Ping and Tracert Remote maintenance with Telnet, Modem and SSHv2...
  • Page 30 CHAPTER 1: GETTING STARTED Figure 3 Setting up a New Connection Figure 4 Configuring the Port for Connection...
  • Page 31: Setting Up Configuration Environment Through Telnet

    Logging in to the Switch Figure 5 Setting Communication Parameters 3 The Switch is powered on and it displays self-test information. Press <Enter> to show the command line prompt, such as <SW5500>. 4 Enter a command to configure the Switch or view the operation state. Enter ? to view online help.
  • Page 32 CHAPTER 1: GETTING STARTED Figure 6 Setting up the Configuration Environment through Telnet (figure labels: Workstation, Ethernet port, Ethernet, Server, PC for configuring the switch via Telnet) 3 Run Telnet on the PC and enter the IP address of the VLAN connected to the network...
  • Page 33: Setting Up Configuration Environment Through A Dial-Up Modem

    Logging in to the Switch Figure 8 Providing Telnet Client Service Telnet Server Telnet Client 1 Authenticate the Telnet user through the console port on the Telnet Server (a Switch) before login. By default, the password is required to authenticate Telnet users and to enable them to log on to the Switch.
  • Page 34 The Modem configuration commands and outputs may be different according to different Modems. For details, refer to the User Manual of the Modem. 3Com recommends that the transmission rate on the console port be lower than that of the Modem; otherwise packets may be lost.
  • Page 35 Logging in to the Switch Figure 9 Setting up Remote Configuration Environment (figure labels: Modem, serial port line, Telephone line, PSTN, Console port, Remote tel: 1234567) 4 Dial for connection to the Switch, using the terminal emulator and Modem on the remote end.
  • Page 36 CHAPTER 1: GETTING STARTED Figure 11 Dialing on the Remote PC 5 Enter the preset login password on the remote terminal emulator and wait for the <SW5500> prompt. Then you can configure and manage the Switch. Enter ? to view...
  • Page 37: Command Line Interface

    Command Line Interface: The Switch 5500 family provides a series of configuration commands and command line interfaces for configuring and managing the Switch. The command line interface has the following characteristics: ■ Local configuration through the console port. ■...
  • Page 38 CHAPTER 1: GETTING STARTED user has entered ..) (command syntax tokens: super password level level simple cipher password) For the sake of confidentiality, the user cannot see on the screen the password that they entered. Only when the correct password is input within three attempts can the user switch to the higher level.
  • Page 39 Command Line Interface Table 5 Features of Command Views (continued) (columns: Command view, Function, Prompt, Command to enter, Command to exit) VLAN Interface View: Configure IP interface parameters for a VLAN or a VLAN...; prompt [SW5500-Vlan-interface1]; enter with interface vlan-interface 1 in System View; quit returns to System View, return returns to User View...
  • Page 40: Features And Functions Of Command Line

    [SW5500-radius-1]; RADIUS Server Group View: configure parameters; enter in System View; quit returns to System View, return returns to User View. ISP Domain View: Configure ISP domain parameters; prompt [SW5500-isp-3Com.net]; enter with domain 3Com.net in System View; quit returns to System View, return returns to User View...
  • Page 41 Command Line Interface Displaying Characteristics of the Command Line The command line interface provides a pausing function. If the information to be displayed exceeds one screen, users have three choices, as shown in Table 6. Table 6 Functions of Displaying Key or Command Function Press <Ctrl+C>...
  • Page 42: User Interface Configuration

    CHAPTER 1: GETTING STARTED Editing Characteristics of Command Line The command line interface provides basic command editing and supports the editing of multiple lines. A command cannot be longer than 256 characters. See Table 9. Table 9 Editing Functions (columns: Function, Common keys) Insert from the cursor position and the cursor moves to...
  • Page 43: User Interface Configuration

    User Interface Configuration To number the user interface by relative number, represented by interface + number assigned to each type of user interface: ■ AUX user interface = AUX 0. ■ The first VTY interface = VTY 0, the second one = VTY 1, and so on. ■...
  • Page 44 CHAPTER 1: GETTING STARTED Configuring the Attributes of AUX (Console) Port Use the speed, flow control, parity, stop bit and data bit commands to configure these attributes of the AUX (console) port. Perform the following configurations in User Interface (AUX user interface only) View. Configuring the Transmission Speed on the AUX (Console) Port Table 12 Configuring the Transmission Speed on the AUX (Console) Port Operation...
  • Page 45 User Interface Configuration Configuring the Terminal Attributes The following commands can be used for configuring the terminal attributes, including enabling/disabling terminal service, disconnection upon timeout, lockable user interface, configuring terminal screen length, and history command buffer size. Perform the following configuration in User Interface View. Perform the lock command in User View.
  • Page 46 CHAPTER 1: GETTING STARTED Setting the Screen Length If a command displays more than one screen of information, you can use the following command to set how many lines are displayed per screen, so that the information is separated into screens and you can view it more conveniently.
  • Page 47 In the following example, local username and password authentication are configured. Perform username and password authentication when a user logs in through VTY 0 user interface and set the username and password to zbr and 3Com respectively. [SW5500-ui-vty0]authentication-mode scheme [SW5500-ui-vty0]quit...
  • Page 48 CHAPTER 1: GETTING STARTED By default, the specified logged-in user can access the commands at Level 1. Setting the Command Level used after a User Logs In from a User Interface You can use the following command to set the command level after a user logs in from a specific user interface, so that the user is able to execute the commands at that command level.
  • Page 49: Displaying And Debugging User Interface

    User Interface Configuration auto-execute command The following command is used to automatically run a command after you log in. After a command is configured to be run automatically, it will be automatically executed when you log in again. This command is usually used to automatically execute the command on the telnet terminal, which will connect the user to a designated device automatically.
  • Page 50 CHAPTER 1: GETTING STARTED...
  • Page 51: Address Management Configuration

    ADDRESS MANAGEMENT CONFIGURATION Introduction to Address Management: You can easily configure the switch on which the Address Management (AM) feature is enabled to allow a user with the specified MAC address to gain network access through the specified IP address in a small network, such as a campus network. This facilitates the implementation of user management and accounting.
  • Page 52: Address Management Configuration Example

    CHAPTER 2: ADDRESS MANAGEMENT CONFIGURATION Perform the following operations to bind the MAC address and IP address of a legal user to the specified port; no other configuration is required. Table 31 Bind the MAC address and IP address of a legal user to the specified port (columns: Operation, Command, Description)...
  • Page 53: Configuration Example Of Binding The Mac Address And Ip Address Of A Legal User

    Address Management Configuration Example To configure an address management IP address pool on GigabitEthernet 1/0/1, allowing 20 IP addresses starting from 202.10.20.1 to 202.10.20.20 to access the network, enter the following: [S5500] interface GigabitEthernet 1/0/1 [S5500-GigabitEthernet 1/0/1] am ip-pool 202.10.20.1 20 Configuration Example Network requirements of Binding the MAC...
  • Page 54 CHAPTER 2: ADDRESS MANAGEMENT CONFIGURATION...
  • Page 55: Port Operation

    PORT OPERATION This chapter covers the following topics: ■ Ethernet Port Configuration Introduction ■ Link Aggregation Configuration ■ Global Broadcast Suppression Feature ■ Configuring VCT ■ Global Broadcast Suppression Feature ■ Displaying Port Configuration Information in Brief ■ Displaying Information About a Specified Optical Port ■...
  • Page 56 CHAPTER 3: PORT OPERATION Entering Ethernet Port View Before configuring an Ethernet port, enter Ethernet Port View. Perform the following configuration in System View. Table 32 Entering Ethernet Port View (columns: Operation, Command) Enter Ethernet Port View: interface { interface_type interface_num | interface_name } Enabling/Disabling an Ethernet Port Use the following command to disable or enable the port.
  • Page 57 Ethernet Port Configuration Introduction duplex and can be configured to operate in full (full duplex) or auto (auto-negotiation) mode. The port defaults to auto (auto-negotiation) mode. Setting Speed on the Ethernet Port Use the following command to set the speed of the Ethernet port. If the speed is set to auto-negotiation mode, the local and peer ports will automatically negotiate the port speed.
  • Page 58 CHAPTER 3: PORT OPERATION Permitting/Forbidding Jumbo Frames to Pass through an Ethernet Port An Ethernet port may encounter jumbo frames exceeding the standard frame length when switching high-throughput data such as file transfers. This command can forbid or permit jumbo frames to pass through an Ethernet port. Perform the following configuration in Ethernet Port View.
  • Page 59 ■ For the Switch 5500-SI 28-Port, Switch 5500-EI 28-Port, and Switch 5500-EI PWR 28-Port, GigabitEthernet1/0/27 and GigabitEthernet1/0/28 ports can be configured as a stack port;...
  • Page 60 CHAPTER 3: PORT OPERATION can configure to tag some VLAN packets, based on which the packets can be processed differently. Setting the Default VLAN ID for the Ethernet Port Because the access port can only be included in one VLAN, its default VLAN is the one to which it belongs.
  • Page 61 Ethernet Port Configuration Introduction Table 44 Configure loopback detection for Ethernet port (continued) (columns: Operation, Command, Description) Enter the Ethernet port view: interface interface-type interface-number. Enable the loopback detection function for a specified port: loopback-detection enable; Optional. By default, the loopback detection function is disabled. Enable the loopback detection ...: loopback-detection ...; Optional. By default, the loopback...
  • Page 62: Ethernetport Security Features

    CHAPTER 3: PORT OPERATION By default, port loopback detection and the loopback detection control function on trunk and hybrid ports are disabled. The detection interval is 30 seconds, and the system detects the default VLAN on the trunk and hybrid ports. Configuring VCT You can start the virtual cable test (VCT) to make the system test the cable connected to the current electrical Ethernet port, and the system will return the test results in five...
  • Page 63 Ethernet Port Configuration Introduction authenticated devices can obtain data frames from the port so as to prevent illegal devices from filching network data. 2 Intrusion Protection: By way of checking the source MAC addresses of the data frames received on a port, this feature discovers illegal packets and takes appropriate action (temporarily/permanently disabling the port, or filtering out the packets with these MAC addresses) to guarantee the security on the port.
  • Page 64 3 The dot1x, dot1x port-method, dot1x port-control, and mac-authentication commands cannot be used. For detailed description of 802.1x authentication, refer to the security module of the 3Com S5500 Series Ethernet Switches Operation Manual. Port Security Configuration Example Network requirements ■ Enable port security on port Ethernet1/0/1 of switch A, and set the maximum ■...
  • Page 65 Ethernet Port Configuration Introduction Network diagram Figure 14 Network diagram for port security configuration (figure labels: Switch A, Switch B, GigabitEthernet1/0/1)...
  • Page 66: Displaying And Debugging Ethernet Port

    CHAPTER 3: PORT OPERATION statistics. The VLAN setting includes permitted VLAN types and default VLAN ID. The port setting includes port link type, port speed, and duplex mode. LACP setting includes LACP enabling/disabling. Perform the following configuration in System View. Table 48 Copying Port Configuration to Other Ports (columns: Operation, Command)...
  • Page 67: Displaying Port Configuration Information In Brief

    Ethernet Port Configuration Introduction Displaying Port Configuration Information in Brief: This S5500 version has a new command, display brief interface, for you to display the port configuration information in brief, including the port type, link state, link rate, duplex attribute, link type and default VLAN ID. Table 50 Display the port configuration information in brief (columns: Operation, Command)...
  • Page 68: Ethernet Port Troubleshooting

    Series can support up to 32 aggregation groups. Each group can have a maximum of eight 100 Mbps Ethernet ports or four Gigabit SFP ports. For the Switch 5500-SI series, the ports in an aggregation group must physically belong to the same unit, but for the Switch 5500-EI series, an aggregation group can contain ports which physically belong to different units.
  • Page 69 Link Aggregation Configuration Types of Link Aggregation The types of link aggregation are described in the following sections: ■ Manual Aggregation and Static LACP Aggregation ■ Dynamic LACP Aggregation Manual Aggregation and Static LACP Aggregation Both manual aggregation and static LACP aggregation require manual configuration of aggregation groups and prohibit automatic adding or deleting of member ports by the system.
  • Page 70 CHAPTER 3: PORT OPERATION ■ The system sets to inactive state the ports with basic configurations different from that of the active port with the minimum port number. Because only a defined number of ports can be supported in an aggregation group, if the active ports in an aggregation group exceed the port quantity threshold for that group, the system shall set some ports with smaller port numbers (in ascending order) as selected ports and others as standby ports.
  • Page 71: Link Aggregation Configuration

    Link Aggregation Configuration ■ Aggregation groups with the minimum master port numbers if they reach the equal rate with other groups after the resources are allocated to them. When aggregation groups of higher priority levels appear, the aggregation groups of lower priority levels release their hardware resources.
  • Page 72 CHAPTER 3: PORT OPERATION Creating/Deleting an Aggregation Group Use the following command to create a manual aggregation group or static LACP aggregation group; the dynamic LACP aggregation group is established by the system when LACP is enabled on the ports. You can also delete an existing aggregation group: when you delete a manual aggregation group, all its member ports are disaggregated;...
  • Page 73 Link Aggregation Configuration ■ port with static ARP configured ■ port with 802.1x enabled. ■ You must delete the aggregation group, instead of the port, if the manual or static LACP aggregation group contains only one port. Setting/Deleting the Aggregation Group Descriptor Perform the following configuration in System View.
  • Page 74: Displaying And Debugging Link Aggregation

    CHAPTER 3: PORT OPERATION Perform the following configuration in Ethernet Port View. Table 56 Configuring Port Priority (columns: Operation, Command) Configure port priority: lacp port-priority port_priority_value. Restore the default port priority: undo lacp port-priority. By default, port priority is 32768. Displaying and Debugging Link Aggregation: After the above configuration, enter the display command in any view to display the...
  • Page 75: Link Aggregation Configuration Example

    Link Aggregation Configuration Link Aggregation Configuration Example Networking Requirement: Switch A connects Switch B with three aggregation ports, numbered Ethernet1/0/1 to Ethernet1/0/3, so that incoming/outgoing load can be balanced among the member ports. Networking Diagram Figure 16 Networking for Link Aggregation (figure labels: Switch A, Link aggregation, Switch B)...
  • Page 76: Global Broadcast Suppression Feature

    CHAPTER 3: PORT OPERATION Only when the three ports are configured with identical basic configuration, rate and duplex mode can they be added into the same dynamic aggregation group after LACP is enabled on them, for load sharing. Global Broadcast Suppression Feature: This section describes how to configure the Global Broadcast Suppression feature.
  • Page 77: Displaying Information About A Specified Optical Port

    Displaying Information About a Specified Optical Port: You can use the display transceiver-information interface command to display the following information about a specified optical port: ■ Hardware type ■ Interface type ■ Wavelength ■ Vendor ■...
  • Page 78 CHAPTER 3: PORT OPERATION...
  • Page 79: Xrn Configuration

    XRN CONFIGURATION This chapter covers the following topics: Introduction to XRN Configuring an XRN Fabric Fabric Configuration Example Introduction to XRN Several XRN Switches of the same model can be interconnected to create a “Fabric”, in which each Switch is a unit. The ports used to interconnect all the units are called Fabric ports, while the other ports that are used to connect the Fabric to users are called user ports.
  • Page 80: Specifying The Stacking Vlan Of The Switch

    CHAPTER 4: XRN CONFIGURATION Table 60 Configuring FTM (columns: Device, Configuration, Default Settings, Comment) Switch: Specify the stacking VLAN of the Switch; default: the stacking VLAN is 4093; comment: you should specify the stacking VLAN before the Fabric is established. Set unit IDs for the Switches; default: the unit ID of a ...; comment: make sure that you have set...
  • Page 81: Saving The Unit Id Of Each Unit In The Fabric

    Configuring an XRN Fabric If the modified unit ID is an existing one, the Switch prompts you to confirm if you really want to change the unit ID. If you choose to change, the existing unit ID is replaced and the priority is set to 5. Then you can use the fabric save-unit-id command to save the modified unit ID into the unit Flash memory and clear the information about the existing one.
  • Page 82: Setting An Xrn Authentication Mode For Switches

    CHAPTER 4: XRN CONFIGURATION Table 66 Setting a Fabric Name for Switches (columns: Operation, Command) Set a Fabric name for Switches: sysname sysname. Restore the default Fabric name: undo sysname. By default, the Fabric name is “5500-EI”. Setting an XRN Authentication Mode: Only the Switches with the same Fabric name and XRN authentication mode can constitute a Fabric.
  • Page 83: Rmon On Xrn

    RMON on XRN Networking Diagram Figure 18 Networking Diagram of a Fabric (figure labels: Fabric, Switch A, Switch B, user port, Fabric port)...
  • Page 84: Configuration Commands For Rmon On Xrn

    CHAPTER 4: XRN CONFIGURATION If you configure the same entry in the same RMON group to different values on devices of a fabric, the entry values of all the conflicting devices will adopt that of the conflicting device with the smallest Unit ID when you synchronize the devices. This mechanism eliminates configuration conflicts between the devices in a fabric.
  • Page 85: Prompt Information And Solution

    Peer Fabric Port Detection If the switch can receive DISC packets sent by the peer, the FTM module determines whether peer sending ports correspond to local receiving ports according to information in the packet. That is, if a DISC packet received by the left port of the switch is sent by the right port of the peer device, the packet is regarded legal.
  • Page 86: Multiple Fabric Port Candidates

    CHAPTER 4: XRN CONFIGURATION reached max units Analysis: The "reached max units" message indicates that the maximum number of units allowed by the current fabric is reached. You will fail to add new devices to the fabric in this case. Solution: Remove the new device or existing devices in the fabric.
  • Page 87 Multiple Fabric Port Candidates A port cannot be a fabric port if the jumboframe function is enabled on the port. So make sure the jumboframe function is disabled on a port if you want to configure the port to be a fabric port. With a port group of a switch being the current fabric port group, you need to invalidate the current fabric port group before configuring the other port group to be a fabric port group.
  • Page 88 Chapter 4: XRN Configuration...
  • Page 89: Dldp Configuration

    DLDP Configuration: This chapter contains a DLDP overview, fundamentals, precautions during configuration, and configuration information. DLDP Overview: You may have encountered unidirectional links in networking. When a unidirectional link occurs, the local device can receive packets from the peer device through the link layer, but the peer device cannot receive packets from the local device.
  • Page 90: Dldp Fundamentals

    Chapter 5: DLDP Configuration. DLDP provides the following features: As a link layer protocol, it works together with the physical layer protocol to monitor the link status of a device. While the auto-negotiation mechanism on the physical layer detects physical signals and faults;...
  • Page 91: Dldp Implementation

    DLDP Overview. Table 72 (continued) DLDP timers (Timer / Description): Entry aging timer: When a new neighbor joins, a neighbor entry is created, and the corresponding entry aging timer is enabled. When an advertisement packet is received from a neighbor, the neighbor entry is updated, and the corresponding entry aging timer is reset. In normal mode, if no packet is received from the neighbor when the entry aging timer expires, DLDP sends an advertisement packet with the RSY tag, and deletes the neighbor...
  • Page 92 Chapter 5: DLDP Configuration. 2 DLDP analyzes and processes received packets as follows: In authentication mode, DLDP authenticates the packets on the port, and discards those that do not pass authentication. DLDP processes the received DLDP packets as follows: Table 75 Process received DLDP packets (Packet type...
  • Page 93: Precautions During Dldp Configuration

    DLDP Configuration. Precautions During DLDP Configuration: It is recommended that the following precautions be taken during DLDP configuration: DLDP works only when the link is up. To ensure that unidirectional links can be detected, make sure that DLDP is enabled on both ends, and that the interval for sending advertisement packets, the authentication mode and the password are set consistently on both ends.
  • Page 94: Resetting Dldp Status

    Chapter 5: DLDP Configuration. Table 77 (continued) DLDP configuration tasks (Operation / Command / Description): Set the DLDP handling mode when a unidirectional link is detected: dldp unidirectional-shutdown { auto | manual } (Optional; by default, the handling mode is auto). Set the DLDP operating mode: dldp work-mode { enhance | ... (Optional;...
  • Page 95: Network Diagram

    DLDP Configuration Example. Network diagram: Figure 21 Fiber cross-connection; Figure 22 Correct connection/disconnection in one direction. Configuration procedure: 1 Configure Switch A. a Configure the ports to work in mandatory full duplex mode: <S5500A> system-view [S5500A] interface gigabitethernet 2/0/3 [S5500A-GigabitEthernet2/0/3] duplex full [S5500A-GigabitEthernet2/0/3] speed 1000 [S5500A-GigabitEthernet2/0/3] quit [S5500A] interface gigabitethernet 2/0/4...
  • Page 96 Chapter 5: DLDP Configuration. e Set the DLDP handling mode for unidirectional links to auto: [S5500A] dldp unidirectional-shutdown auto. f Display the DLDP status on Switch A: [S5500A] display dldp. 2 If the fibers are correctly connected between the two switches, the system displays the connections with the neighbor as bidirectional links; otherwise, it displays the connections with the neighbor as unidirectional links.
  • Page 97: Vlan O

    VLAN Operation: This chapter covers the following topics: ■ VLAN Configuration ■ Voice VLAN Configuration. VLAN Configuration: This chapter describes how to configure a VLAN. VLAN Overview: A virtual local area network (VLAN) groups LAN devices into logical segments to implement virtual workgroups.
  • Page 98 Chapter 6: VLAN Operation. Adding Ethernet Ports to a VLAN: Use the following commands to add Ethernet ports to a VLAN. Perform the following configuration in VLAN View. Table 80 Adding Ethernet Ports to a VLAN (Operation / Command): Add Ethernet ports to a VLAN: port interface_list; Remove Ethernet ports from a VLAN: undo port interface_list...
  • Page 99: Displaying And Debugging Vlan

    VLAN Configuration. Shutting Down/Enabling the VLAN Interface: Use the following commands to shut down or enable a VLAN interface. Perform the following configuration in VLAN Interface View. Table 83 Shutting Down/Enabling the VLAN Interface (Operation / Command): Shut down the VLAN interface: shutdown; Enable the VLAN interface: undo shutdown. The operation of shutting down or enabling the VLAN interface has no effect on the...
  • Page 100: Vlan Configuration Example Two

    Chapter 6: VLAN Operation. Configuration Procedure: 1 Create VLAN 2 and enter its view. [SW5500]vlan 2 2 Add Ethernet1/0/1 and Ethernet1/0/2 to VLAN2. [SW5500-vlan2]port ethernet1/0/1 to ethernet1/0/2 3 Create VLAN 3 and enter its view. [SW5500-vlan2]vlan 3 4 Add Ethernet1/0/3 and Ethernet1/0/4 to VLAN3. [SW5500-vlan3]port ethernet1/0/3 to ethernet1/0/4 VLAN Configuration. Networking Requirements...
  • Page 101: Displaying The Information About Protocol-Based Vlans

    Protocol-Based VLAN Configuration. I. Creating a VLAN protocol type: Table 85 lists the operations to create a VLAN protocol type. Table 85 Create a VLAN protocol type (Operation / Command / Description): Enter system view: system-view; Enter VLAN view: vlan vlan-id (Required); Create a VLAN protocol type: protocol-vlan [ protocol-index ] { at | ip |...
  • Page 102: Voice Vlan Configuration

    Chapter 6: VLAN Operation. Voice VLAN Configuration: Voice VLAN is specially designed for users' voice traffic, and it assigns different port precedence in different cases. The system uses the source MAC address of the traffic travelling through the port to identify the IP phone data flow.
  • Page 103 Remove the OUI address learned by Voice VLAN: undo voice vlan mac_address oui. There are four default OUI addresses after the system starts. Table 92 Default OUI Addresses (OUI / Description): 00:E0:BB 3Com phone; 00:03:6B Cisco phone; 00:E0:75 Polycom phone; 00:D0:1E Pingtel phone...
  • Page 104 Chapter 6: VLAN Operation. Enabling/Disabling Voice VLAN Security Mode: In security mode, the system filters out traffic within the Voice VLAN whose source MAC address does not match an OUI address, while other VLANs are not affected. If security mode is disabled, the system does not filter anything.
  • Page 105 Voice VLAN Configuration. Configuring a voice VLAN to operate in manual mode: Refer to Table 96 to configure a VLAN in manual mode. Table 96 Configure a voice VLAN to operate in manual mode (Operation / Command / Description): Enter system view: system-view; Enter port view: interface...
  • Page 106: Displaying And Debugging Of Voice Vlan

    Chapter 6: VLAN Operation. Displaying and Debugging of Voice VLAN: After completing the above configuration, enter the display command in any view to view the configuration and running state of Voice VLAN. Table 97 Displaying Voice VLAN (Operation / Command): Display the status of Voice VLAN: display voice vlan status; Display the OUI addresses supported by the current system...
  • Page 107: Creating Vlans In Batches

    Creating VLANs in Batches: To improve efficiency, you can create VLANs in batches by performing the operations listed in Table 98. Table 98 Create VLANs in batches (Operation / Command / Description): Enter system view: system-view; Create VLANs by specifying a VLAN ID range: vlan { vlan-id1 to vlan-id2 | all } (Required)...
  • Page 108: Configuring The Voice Vlan Function

    Chapter 6: VLAN Operation. As multiple types of IP phones exist, you need to match the port mode with the type of voice stream sent by the IP phones, as listed in Table 99. Table 99 Port modes and voice stream types (Port voice VLAN mode / Voice stream...
  • Page 109: Voice Vlan Displaying And Debugging

    Voice VLAN Configuration. Configuring a voice VLAN to operate in automatic mode: Table 100 Configure a voice VLAN to operate in automatic mode (Operation / Command / Description): Enter system view: system-view; Enter port view: interface interface-type interface-number (Required); Enable the voice VLAN function for the port: voice vlan enable (Required; by default, the voice VLAN function is disabled).
  • Page 110 Chapter 6: VLAN Operation. 3 Enable the voice VLAN function for the port and configure the port to operate in manual mode. [S5500-vlan3] quit [S5500] interface Ethernet1/0/3 [S5500-Ethernet1/0/3] voice vlan enable [S5500-Ethernet1/0/3] undo voice vlan mode auto [S5500-Ethernet1/0/3] quit 4 Specify the OUI address.
  • Page 111: Gvrp Configuration

    GVRP Configuration: This chapter contains GVRP configuration information. Introduction to GVRP: GVRP (GARP VLAN Registration Protocol) is an application of GARP (Generic Attribute Registration Protocol). GVRP is based on the working scheme of GARP; it maintains dynamic VLAN registration information and propagates that information to other switches.
  • Page 112 Chapter 7: GVRP Configuration. ■ Leave: When a GARP entity wants to unregister a piece of attribute information, it sends out a Leave message. Any GARP entity that receives this message starts its Leave timer, and unregisters the attribute information after the timer expires if it does not receive a Join message again before the timeout.
  • Page 113: Gvrp Packet Format

    Introduction to GVRP. GVRP Packet Format: GVRP packets are in the following format: Figure 26 Format of GVRP packets. Table 102 describes the packet fields in Figure 26. Table 102 Description of the packet fields (Field / Description / Value): Protocol ID: Protocol ID; Message...
  • Page 114: Gvrp Configuration

    Chapter 7: GVRP Configuration. GVRP Configuration: The GVRP configuration tasks include configuring the timers, enabling GVRP, and configuring the GVRP port registration mode. Configuration Prerequisite: The port on which GVRP will be enabled must be configured as a Trunk port. Configuration Procedure: Refer to Table 103 for configuration procedures...
  • Page 115: Configuration Example

    GVRP Configuration. Table 104 describes the relations between the timers: Table 104 Relations between the timers (Timer / Lower threshold / Upper threshold): Hold: lower threshold 10 centiseconds; upper threshold less than or equal to one-half of the value of the Join timer (you can change this threshold by changing the value of the Join timer).
  • Page 116: Displaying Gvrp

    Chapter 7: GVRP Configuration. b Configure port Ethernet1/0/2 as a Trunk port, and allow packets of all VLANs to pass: [S5500] interface Ethernet1/0/2 [S5500-Ethernet1/0/2] port link-type trunk [S5500-Ethernet1/0/2] port trunk permit vlan all c Enable GVRP on the Trunk port: [S5500-Ethernet1/0/2] gvrp Displaying GVRP: You can use the display commands here to display the GVRP configuration.
  • Page 117: Vlan-Vpn Configuration

    VLAN-VPN Configuration: This chapter contains configuration information to create VLAN-VPNs. VLAN-VPN Overview: The VLAN-VPN function enables packets to be transmitted across the operators' backbone networks with VLAN tags of private networks nested in those of public networks. In public networks, packets of this type are transmitted by their outer VLAN tags (that is, the VLAN tags of public networks).
  • Page 118: Adjusting The Tpid Values Of Vlan-Vpn Packet

    Chapter 8: VLAN-VPN Configuration. Adjusting the TPID Values of VLAN-VPN Packets: The tag protocol identifier (TPID) is a portion of the VLAN tag field. IEEE 802.1Q specifies the value of TPID to be 0x8100. Figure 30 illustrates the structure of the Tag field of an Ethernet frame as defined by IEEE 802.1Q.
  • Page 119: Inner Vlan Tag Priority Replication Configuration

    Inner VLAN Tag Priority Replication Configuration. Table 106 Configure the VLAN-VPN function for a port (continued) (Operation / Command / Description): Display VLAN-VPN configuration information about all ports: display port vlan-vpn (you can execute the display command in any view). The VLAN-VPN function is unavailable if any of the protocols GVRP, GMRP, XRN, NTDP, STP or 802.1x is enabled on the port.
  • Page 120: Vlan-Vpn Configuration Example

    Chapter 8: VLAN-VPN Configuration. Table 108 Adjust TPID values for VLAN-VPN packets (continued) (Operation / Command / Description): Display VLAN-VPN configuration information about all ports: display port vlan-vpn (you can execute the display command in any view). You can execute either the vlan-vpn enable or the vlan-vpn uplink enable command for a port, but do not execute both commands for the same port.
  • Page 121: Configuration Procedure

    VLAN-VPN Configuration Example. Configuration Procedure: Perform the following procedure to configure switches A and C. 1 Configure Switch A and Switch C. As the configuration performed on Switch A and Switch C is the same, the configuration on Switch C is omitted. a Configure port Ethernet1/0/2 of Switch A to be a VLAN-VPN uplink port and add it to VLAN 10.
  • Page 122 Chapter 8: VLAN-VPN Configuration...
  • Page 123: Dhcp Overview

    DHCP Overview. Introduction to DHCP: As networks grow larger and more complicated in structure, a shortage of available IP addresses becomes a common situation that network administrators have to face, and network configuration becomes a tough task for them.
  • Page 124: Dhcp Ip Address Assignment

    Table 109 lists the device information provided by 5500 series Ethernet switches through DHCP requests. Table 109 Device information that 5500 series Ethernet switches add to DHCP Option60 (Model / Device information in Option60): 5500-SI 28-Port: 3Com-Switch-5500-SI; 5500-SI 52-Port: 3Com-Switch-5500-SI; 5500-EI 28-Port...
  • Page 125: Dhcp Server Configuration

    DHCP Server Configuration. Introduction to DHCP Server: This section introduces DHCP Server configuration. Usage of DHCP Server: Generally, DHCP servers are used in the following networks to assign IP addresses: ■ Large-sized networks, where the manual configuration method bears a heavy load and...
  • Page 126 Chapter 10: DHCP Server Configuration. IP address lease update: After a DHCP server dynamically assigns an IP address to a DHCP client, the IP address remains valid only within a specified lease time and is reclaimed by the DHCP server when the lease expires.
  • Page 127: Dhcp Packet Processing Modes

    Introduction to DHCP Server. DHCP Packet Processing Modes: ■ Global address pool: In response to the DHCP packets received from DHCP clients, the DHCP server picks IP addresses from its global address pools and assigns them to the DHCP clients. ■ Interface address pool: In response to the DHCP packets received from DHCP...
  • Page 128: Global Address Pool-Based Dhcp Server Configuration

    Chapter 10: DHCP Server Configuration. (such as domain name), you just need to configure them on the network segment or the corresponding subnets. The details of configuration inheritance are as follows: ■ A newly created child address pool inherits the configuration of its parent address...
  • Page 129: Configuring Global Address Pool Mode On Interface(S)

    Global Address Pool-Based DHCP Server Configuration. Configuring Global Address Pool Mode on Interface(s): You can configure the global address pool mode on the specified interfaces or on all interfaces of a DHCP server. After that, when the DHCP server receives DHCP packets from DHCP clients through these interfaces, it assigns IP addresses from local global address pools to the DHCP clients.
  • Page 130: Configuring Dns Services For Dhcp Clients

    Chapter 10: DHCP Server Configuration. The static-bind ip-address command and the static-bind mac-address command can be executed repeatedly. In this case, the new configuration overwrites the previous one. Configuring to assign IP addresses dynamically: IP addresses dynamically assigned to DHCP clients (including those that are permanently leased and those that are temporarily leased) belong to address segments that were specified in advance.
  • Page 131: Configuring Netbios Services For Dhcp Clients

    Global Address Pool-Based DHCP Server Configuration. You can configure domain names to be used by DHCP clients for address pools. After you do this, the DHCP server also provides the domain name to the DHCP clients when it assigns IP addresses to them. Table 115 Configure DNS services for DHCP clients (Operation / Command...
  • Page 132: Customizing Dhcp Service

    Chapter 10: DHCP Server Configuration. Customizing DHCP Service: With the evolution of DHCP, new options are constantly coming into being. You can add the new options as properties of DHCP servers by performing the following configuration. Table 117 Customize DHCP service (Operation / Command / Description)...
  • Page 133: Enabling Dhcp

    Interface Address Pool-based DHCP Server Configuration. ...interfaces eases the configuration workload and makes configuration more convenient. Table 119 Overview of interface address pool-based DHCP server configuration (Operation / Description / Related section): Enable DHCP: Required; see Enabling DHCP. Configure to assign the IP addresses of the ...: Required; see Configuring to Assign the IP...
  • Page 134 Chapter 10: DHCP Server Configuration. ...bound to a DHCP client to come from a special DHCP address pool that contains only that IP address. Configuring to assign IP addresses by static binding: Some DHCP clients, such as WWW servers, need to be assigned fixed IP addresses. This is achieved by binding IP addresses to the MAC addresses of these DHCP clients.
  • Page 135: Configuring Dns Services For Dhcp Clients

    Interface Address Pool-based DHCP Server Configuration. Table 123 Configure to assign IP addresses dynamically (continued) (Operation / Command / Description): Specify the IP addresses that are not dynamically assigned: dhcp server forbidden-ip low-ip-address [ high-ip-address ] (Optional; by default, all IP addresses in a DHCP address pool are available for being dynamically...
  • Page 136: Configuring Netbios Services For Dhcp Clients

    Chapter 10: DHCP Server Configuration. Configuring NetBIOS Services for DHCP Clients: For Microsoft Windows-based DHCP clients that communicate through the NetBIOS protocol, the host name-to-IP address translation is carried out by WINS servers. So you need to perform WINS-related configuration for most Windows-based hosts. Currently, you can configure up to eight NetBIOS addresses for a DHCP address pool.
  • Page 137: Customizing Dhcp Service

    DHCP Security Configuration. Customizing DHCP Service: With the evolution of DHCP, new options are constantly coming into being. You can add the new options as properties of DHCP servers by performing the following configuration. Table 126 Customize DHCP service (Operation / Command / Description)...
  • Page 138: Option 184 Supporting Configuration

    Option 184 Supporting Configuration: Option 184 is an RFC reserved option, and the information it carries can be customized. 3Com defines four proprietary sub-options for this option, enabling the DHCP server to put the information required by a DHCP client in the response packet to the client.
  • Page 139: Prerequisites

    Option 184 Supporting Configuration. Sub-option 3 of option 184 comprises two parts, which carry the previously mentioned two items respectively. A flag value of 0 indicates that the voice VLAN identification function is not enabled, in which case the information carried by the VLAN ID part is ignored.
  • Page 140 Chapter 10: DHCP Server Configuration. Configuring the option 184 supporting function in system view: Table 129 Configure the option 184 supporting function in system view (Operation / Command / Description): Enter system view: system-view; Configure the interface to operate in DHCP server ...: dhcp select interface { all | interface interface-type interface-number [ to... (Required)
  • Page 141 Option 184 Supporting Configuration. Configuring the option 184 supporting function in interface view: Table 130 Configure the option 184 supporting function in interface view (Operation / Command / Description): Enter system view: system-view; Enter interface view: interface interface-type interface-number; Configure an IP address for the interface: ip address ip-address net-mask...
  • Page 142: Configuration Example

    Configuration Example. Network requirements: A 3COM VCX device operating as a DHCP client requests all sub-options of option 184 from the DHCP server. An S5500 series switch operates as the DHCP server. The option 184 supporting function is configured for a global DHCP address pool. The sub-options of option 184 are as follows: NCP-IP: 3.3.3.3...
  • Page 143 (Network diagram: DHCP client.) Configuration procedure: 1 Configure the DHCP client: Configure the 3COM VCX device to operate as a DHCP client and to request all sub-options of option 184. (Omitted) 2 Configure the DHCP server. a Enter system view.
  • Page 144: Dhcp Server Displaying And Debugging

    Chapter 10: DHCP Server Configuration. DHCP Server Displaying and Debugging: You can verify your DHCP-related configuration by executing the display command in any view. To clear the information about DHCP servers, execute the reset command in user view. Table 132 Display and debug a DHCP server (Operation / Command): Display the statistics on IP...
  • Page 145 DHCP Server Configuration Example. The DHCP settings of the 10.1.1.0/25 network segment are as follows: ■ Lease time: 10 days plus 12 hours ■ Domain name: aabbcc.com ■ DNS server: 10.1.1.2 ■ NetBIOS server: none ■ Gateway: 10.1.1.126. The DHCP settings of the 10.1.1.128/25 network segment are as follows: ■ Lease time: 5 days...
  • Page 146: Troubleshooting Dhcp Server

    Chapter 10: DHCP Server Configuration. 5 Return to system view. [S5500-dhcp-pool-1] quit 6 Configure DHCP address pool 2, including address range, domain name, DNS server address, lease time, NetBIOS server address, and gateway address. [S5500] dhcp server ip-pool 2 [S5500-dhcp-pool-2] network 10.1.1.128 mask 255.255.255.128 [S5500-dhcp-pool-2] domain-name aabbcc.com [S5500-dhcp-pool-2] dns-list 10.1.1.2...
  • Page 147: Dhcp Relay Fundamentals

    DHCP Relay Configuration. Introduction to DHCP Relay: This section contains an introduction to DHCP Relay. Usage of DHCP Relay: Early DHCP implementations assume that DHCP clients and DHCP servers are on the same network segment; that is, you need to deploy at least one DHCP server for each network segment, which is far from economical.
  • Page 148: Dhcp Relay Configuration

    Chapter 11: DHCP Relay Configuration. A DHCP relay enables DHCP clients and DHCP servers on different networks to communicate with each other by transparently forwarding the DHCP broadcast packets between them. DHCP Relay Configuration: If a switch belongs to a fabric, you need to enable the UDP-helper function on it before configuring it as a DHCP relay.
  • Page 149: Dhcp Relay Displaying

    DHCP Relay Displaying. The group number referenced in the dhcp-server groupNo command must have already been configured by using the dhcp-server groupNo ip ipaddress1 [ ipaddress-list ] command. DHCP Relay Displaying: You can verify your DHCP relay-related configuration by executing the following display commands in any view.
  • Page 150: Troubleshooting Dhcp Relay

    Chapter 11: DHCP Relay Configuration. 5 Configure an IP address for the VLAN 2 interface, so that this interface is on the same network segment as the DHCP clients: [S5500-Vlan-interface2] ip address 10.110.1.1 255.255.0.0 You need to perform the corresponding configuration on the DHCP server to enable the DHCP clients to obtain IP addresses from it.
  • Page 151: Vrrp Configuration

    VRRP Configuration. VRRP Overview: Virtual router redundancy protocol (VRRP) is a fault-tolerant protocol. As shown in Figure 37, in general: ■ A default route (for example, with the next hop address 10.100.10.1, as shown in Figure 37) is configured for every host on a network. ■ The packets destined for external network segments and sourced from these...
  • Page 152: Virtual Router Overview

    Chapter 12: VRRP Configuration. Figure 38 Virtual router. The switches in the backup group have the following features: ■ The virtual router has its own IP address: 10.100.10.1 (which can be the interface address of a switch within the backup group). ■ The switches within the backup group have their own IP addresses (such as...
  • Page 153: Introduction To Backup Group

    VRRP Overview. ■ The virtual router IP addresses and the real IP addresses used by the member switches in the backup group must belong to the same network segment. If they are not in the same network segment, the backup group will be in the initial state. ■ A backup group is removed if its last virtual router IP address is removed from the...
  • Page 154 Chapter 12: VRRP Configuration. Configuring switch priority: The status of each switch in a backup group is determined by its priority. The master switch in a backup group is the one currently with the highest priority. Switch priority ranges from 0 to 255 (a larger number indicates a higher switch priority) and defaults to 100.
  • Page 155: Vrrp Configuration

    VRRP Configuration. Configuring VRRP timer: The master switch advertises its normal operation state to the switches within the VRRP backup group by sending VRRP packets once in each specified interval (determined by the adver-interval argument). If the backup switches do not receive VRRP packets from the master after a specific period (determined by the master-down-interval argument), they consider the master down and initiate the process to determine the master switch.
  • Page 156: Configuring Backup Group-Related Parameters

    Chapter 12: VRRP Configuration. Table 137 Configure a virtual router IP address (continued) (Operation / Command / Description): Configure a virtual router IP address: vrrp vrid virtual-router-ID virtual-ip virtual-address (Optional; virtual-router-ID: VRRP backup group; virtual-address: virtual router IP address to be configured). Configuring Backup Group-Related Parameters: Table 138 lists the operations to configure a switch in a backup group.
  • Page 157: Displaying And Clearing Vrrp Information

    Displaying and Clearing VRRP Information: You can execute the display command in any view to view the VRRP configuration. Table 139 Display and Clear VRRP Information (Operation / Command / Description): Display VRRP state information and ...: display vrrp [ interface vlan-interface vlan-id | ... (You can execute the display vrrp ...
  • Page 158: Vrrp Tracking Interface Example

    Chapter 12: VRRP Configuration. Configuration procedure: 1 Configure Switch A. a Configure VLAN 2. <LSW-A> system-view System View: return to User View with Ctrl+Z. [LSW-A] vlan 2 [LSW-A-vlan2] port Ethernet 1/0/6 [LSW-A-vlan2] quit [LSW-A] interface vlan-interface 2 [LSW-A-Vlan-interface2] ip address 202.38.160.1 255.255.255.0 [LSW-A-Vlan-interface2] quit b Configure VRRP.
  • Page 159 VRRP Configuration Example. Network diagram: Figure 40 Network diagram for interface tracking configuration (Host B 10.2.3.1; Internet; Switch_A with Vlan-interface2: 202.38.160.1; Switch_B with Vlan-interface2: 202.38.160.2; Vlan-interface3: 10.100.10.2; Virtual IP address: 202.38.160.111; 202.38.160.3)...
  • Page 160: Multiple-Vrrp Backup Group Configuration Example

    Chapter 12: VRRP Configuration. 2 Configure Switch B. a Configure VLAN 2. <LSW-B> system-view System View: return to User View with Ctrl+Z. [LSW-B] vlan 2 [LSW-B-vlan2] port Ethernet 1/0/5 [LSW-B-vlan2] quit [LSW-B] interface vlan-interface 2 [LSW-B-Vlan-interface2] ip address 202.38.160.2 255.255.255.0 [LSW-B-Vlan-interface2] quit b Enable the virtual router to be pinged.
  • Page 161: Configure Vlan

    VRRP Configuration Example. Network diagram: Figure 41 Network diagram for multiple-VRRP backup group configuration (Host B 10.2.3.1; Internet; Switch_A with Vlan-interface2: 202.38.160.1; Switch_B with Vlan-interface2: 202.38.160.2; Vlan-interface3: 10.100.10.2; Backup group 1; Backup group 2)...
  • Page 162: Troubleshooting Vrrp

    Chapter 12: VRRP Configuration. b Create backup group 1. [LSW-B-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111 c Create backup group 2. [LSW-B-Vlan-interface2] vrrp vrid 2 virtual-ip 202.38.160.112 d Set the priority for backup group 2. [LSW-B-Vlan-interface2] vrrp vrid 2 priority 110 In practice, multiple backup groups are normally used.
  • Page 163: Mstp Configuration

    MSTP Configuration. MSTP Overview: Spanning tree protocol (STP) cannot transition Ethernet ports between states rapidly. It takes twice the forward delay for a port to transition to the forwarding state, even if the port is on a point-to-point link or is an edge port. Rapid spanning tree protocol (RSTP) supports rapid convergence.
  • Page 164: Basic Mstp Terminologies

    Chapter 13: MSTP Configuration. Basic MSTP Terminologies: Figure 42 illustrates the primary MSTP terms (assuming that each switch in it has MSTP employed). Figure 42 Basic MSTP terminologies. MST region: A multiple spanning tree (MST) region comprises multiple switches and the connected network segments.
  • Page 165 MSTP Overview. An internal spanning tree (IST) is a spanning tree in an MST region. ISTs, along with the common spanning tree (CST), form the common and internal spanning tree (CIST) of the entire switched network. An IST is a branch of the CIST and is a special MSTI.
  • Page 166: Fundamentals Of Mstp

    Chapter 13: MSTP Configuration. The role of a region edge port is consistent with that of the port in the CIST. For example, port 1 on switch A shown in Figure 43 is a region edge port, and it is a master port in the CIST.
  • Page 167 MSTP Overview. Determining an MSTI: In an MST region, MSTP generates different MSTIs for different VLANs according to VLAN-to-spanning tree mappings. MSTP calculates each spanning tree independently in the same way as STP/RSTP does. Implementation of STP algorithm: In the beginning, each port on each switch generates its own BPDU, taking the switch as the root, setting the root path cost to 0, the ID of the designated bridge to that of the switch, and the designated port to itself.
  • Page 168: Mstp Implementation On Switches

    Chapter 13: MSTP Configuration. MSTP Implementation on Switches: MSTP is compatible with both STP and RSTP. That is, switches running MSTP can recognize STP and RSTP packets and use them to calculate spanning trees. In addition to the basic MSTP functions, an S5500 series switch also provides many special functions for ease of management to further meet the needs of users, as listed in the following.
  • Page 169 Root Bridge Configuration. Prerequisites: Before configuration, determine what roles the switches will play in the spanning trees, that is, whether a switch will be the root, a branch, or a leaf in a spanning tree. Configuring an MST Region: Configuration procedure: Table 142 Configure an MST region (Operation...
  • Page 170: Setting The Switch As The Root/Secondary Root Bridge

    Chapter 13: MSTP Configuration. Configuration example: 1 Configure an MST region named info, with MSTP revision level 1, VLAN 2 through VLAN 10 mapped to MSTI 1, and VLAN 20 through VLAN 30 mapped to MSTI 2. <S5500>...
  • Page 171: Setting The Bridge Priority Of A Switch

    Root Bridge Configuration. A secondary root bridge becomes the root bridge if the original root bridge fails or is turned off. A secondary root bridge remains unchanged if a new root bridge is configured. If you configure multiple secondary root bridges for a spanning tree instance, the one with the lowest MAC address replaces the root bridge if the latter goes down.
  • Page 172: Configuring Mstp Operation Mode

    Chapter 13: MSTP Configuration. Configuration example: Configure the bridge priority of the current switch to be 4,096 in spanning tree instance 1. <S5500> system-view System View: return to User View with Ctrl+Z. [S5500] stp instance 1 priority 4096 Configuring MSTP Operation Mode: A switch running MSTP can operate in one of these three modes: STP mode: In this mode, ports of the switch send STP packets.
  • Page 173: Configuring The Diameter Of A Switched Network

    Root Bridge Configuration: Configuration procedure. Table 147 Configure the maximum hop count of an MST region. Operation / Command / Description: Enter system view: system-view. Configure the maximum hop count of an MST region: stp max-hops hops (Required). By default, the maximum hop count of an MST region is 20.
  • Page 174 Chapter 13: MSTP Configuration. To solve this problem, MSTP adopts the state transition mechanism. With this mechanism, new root ports and designated ports must pass through an intermediate state before reaching the forwarding state, so that the new BPDUs can be advertised throughout the network.
  • Page 175: Configuring The Timeout Time Factor

    Root Bridge Configuration: It is recommended that you specify the network diameter and the Hello time by using the stp root primary or stp root secondary command. MSTP will then automatically calculate the optimal values of the three parameters. Configuration example: Set the Forward delay to 1,600 centiseconds, the Hello time to 300 centiseconds, and the Max age to 2,100 centiseconds on the future CIST root bridge.
  • Page 176: Setting A Port As An Edge Port

    Chapter 13: MSTP Configuration. Configuration procedure in system view. Table 151 Configure the maximum transmission speed of specified ports in system view. Operation / Command / Description: Enter system view: system-view. Configure the maximum transmission speed of specified ports: stp interface interface-list transmit-limit packetnum (Required). The maximum transmission speed...
  • Page 177: Specifying Whether A Port Connect To Point-To-Point Link

    Root Bridge Configuration: Configuration procedure in system view. Table 153 Set a port as an edge port in system view. Operation / Command / Description: Enter system view: system-view. Configure the specified ports to be edge ports: stp interface interface-list edged-port enable (Required). By default, all Ethernet ports of a switch are non-edge ports.
  • Page 178 Chapter 13: MSTP Configuration. Configuration procedure in system view. Table 155 Configure a port to connect to a point-to-point link in system view. Operation / Command / Description: Enter system view: system-view. Specify whether the specified ports connect to point-to-point links or not: stp interface interface-list point-to-point { force-true | ... (Required). The auto keyword is specified by...
  • Page 179: Enabling Mstp

    Root Bridge Configuration: Configuration example. Configure the Ethernet1/0/1 port to connect to a point-to-point link. 1 Configure in system view. <S5500> system-view System View: return to User View with Ctrl+Z. [S5500] stp interface ethernet1/0/1 point-to-point force-true 2 Configure in Ethernet port view. <S5500>...
  • Page 180: Leaf Node Configuration

    Chapter 13: MSTP Configuration. Configuration example: Enable MSTP on the switch and disable MSTP on port Ethernet1/0/1. 1 Configure in system view. <S5500> system-view System View: return to User View with Ctrl+Z. [S5500] stp enable [S5500] stp interface ethernet1/0/1 disable 2 Configure in Ethernet port view.
  • Page 181: Configuring Mstp Operation Mode

    ■ ... Adopts the IEEE 802.1t standard to calculate the default path costs of ports. ■ legacy: Adopts the standard defined by 3Com-3Com Technology Co., Ltd to calculate the default path costs of ports. Table 160 Specify the standard for calculating path costs...
  • Page 182 Chapter 13: MSTP Configuration. Table 161 Transmission speeds and the corresponding path costs (continued). Columns: Transmission speed (half-/full-duplex); Operation mode: 802.1D-1998, IEEE 802.1t standard, 3Com-3Com. Rows as extracted: 100 Mbps Half-Duplex 200,000; Full-Duplex 199,999; Aggregated Link 2 Ports 100,000; Aggregated Link 3 Ports...
  • Page 183: Configuring The Priority Of A Port

    Leaf Node Configuration: Configuration example (A). Configure the path cost of port Ethernet1/0/1 in spanning tree instance 1 to be 2,000. 1 Configure in system view. <S5500> system-view System View: return to User View with Ctrl+Z. [S5500] stp interface ethernet1/0/1 instance 1 cost 2000 2 Configure in Ethernet port view.
  • Page 184: Configuring A Port To Connect To Point-To-Point Link

    Chapter 13: MSTP Configuration. Configuring the priority of a port in Ethernet port view. Table 165 Configure the priority of a port in Ethernet port view. Operation / Command / Description: Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Configure the port priority of the port: stp [ instance instance-id ]...
  • Page 185: Configuration Procedure

    Protection Functions Configuration: Configuration Procedure. You can perform the mCheck operation in the following two ways. Performing the mCheck operation in system view: Table 166 Perform the mCheck operation in system view. Operation / Command / Description: Enter system view: system-view. Perform the mCheck operation: stp [ interface interface-list ] ... (Required)...
  • Page 186: Prerequisites

    Chapter 13: MSTP Configuration. ... automatically shuts it down and notifies the network administrator of the situation. Only the administrator can restore edge ports that are shut down. Root protection: A root bridge and its secondary root bridges must reside in the same region. In particular, a CIST root bridge and its secondary root bridges are usually located in the core region, which is equipped with high bandwidth.
  • Page 187: Configuring Bpdu Protection

    Protection Functions Configuration: Configuring BPDU Protection. Configuration procedure: Table 168 Enable the BPDU protection function. Operation / Command / Description: Enter system view: system-view. Enable the BPDU protection function: stp bpdu-protection (Required). The BPDU protection function is disabled by default. Configuration example: Enable the BPDU protection function.
  • Page 188: Configuring Loop Prevention

    Chapter 13: MSTP Configuration. Configuring Loop Prevention. Configuration procedure: Table 171 Enable the loop prevention function. Operation / Command / Description: Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Enable the loop prevention function: stp loop-protection (Required). The loop prevention function is disabled by default.
  • Page 189: Configuring Bpdu Tunnel

    BPDU Tunnel Configuration: Figure 44 BPDU Tunnel network hierarchy. Configuring BPDU Tunnel: Table 173 Configure the BPDU tunnel function. Operation / Command / Description: Enter system view: system-view. Enable MSTP: stp enable. Enable the BPDU tunnel function: vlan-vpn tunnel (Required). Enter Ethernet port view: interface interface-type interface-number. Make sure that you enter the...
  • Page 190: Displaying And Debugging Mstp

    Chapter 13: MSTP Configuration. Displaying and Debugging MSTP: After completing the above configurations, you can display MSTP operation and verify your configuration by executing the display command in any view. You can also clear MSTP-related statistics by executing the reset command in user view or debug the MSTP module by executing the debugging command in user view.
  • Page 191 MSTP Configuration Example: Configuration procedure. 1 Configure Switch A. a Enter MST region view. <S5500> system-view System View: return to User View with Ctrl+Z. [S5500] stp region-configuration b Configure the MST region. [S5500-mst-region] region-name example [S5500-mst-region] instance 1 vlan 10 [S5500-mst-region] instance 3 vlan 30 [S5500-mst-region] instance 4 vlan 40 [S5500-mst-region] revision-level 0...
  • Page 192: Bpdu Tunnel Configuration Example

    Chapter 13: MSTP Configuration. 4 Configure Switch D. a Enter MST region view. <S5500> system-view System View: return to User View with Ctrl+Z. [S5500] stp region-configuration b Configure the MST region. [S5500-mst-region] region-name example [S5500-mst-region] instance 1 vlan 10 [S5500-mst-region] instance 3 vlan 30 [S5500-mst-region] instance 4 vlan 40 [S5500-mst-region] revision-level 0...
  • Page 193 BPDU Tunnel Configuration Example: 2 Configure Switch B. a Enable RSTP. <S5500> system-view System View: return to User View with Ctrl+Z. [S5500] stp enable b Add the Ethernet0/1 port to VLAN 10. [S5500] vlan 10 [S5500-Vlan10] port Ethernet 0/1 3 Configure Switch C. a Enable MSTP.
  • Page 194 Chapter 13: MSTP Configuration. f Add the trunk port to all VLANs. [S5500-Ethernet1/0/1] port trunk permit vlan all Notes: ■ You must enable STP on a device before enabling the BPDU tunnel function on it. ■ The BPDU tunnel function is only available to access ports. ■...
  • Page 195: Centralized Mac Address Authentication Configuration

    Chapter 14: Centralized MAC Address Authentication Configuration. Introduction to Centralized MAC Address Authentication: Centralized MAC address authentication controls access to a network through ports and MAC addresses. This kind of authentication requires no client software. When operating in centralized MAC address authentication mode, a switch begins to authenticate the user if it detects a new user MAC address.
  • Page 196: Centralized Mac Address Authentication Configuration

    Chapter 14: Centralized MAC Address Authentication Configuration. Centralized MAC Address Authentication Configuration: The following sections describe centralized MAC address authentication configuration tasks: ■ Enabling Global/Port-based Centralized MAC Address Authentication ■ Setting Centralized MAC Address Authentication Timers ■...
  • Page 197: Displaying And Debugging Centralized Mac Address Authentication

    Centralized MAC Address Authentication Configuration: ■ Server-timeout timer. If the connection between a switch and a RADIUS server times out when the switch authenticates a user on one of its ports, the switch turns down the user. You can use the server-timeout timer to set the timeout time.
  • Page 198 Chapter 14: Centralized MAC Address Authentication Configuration. 4 Enable global centralized MAC address authentication. [S5500] mac-authentication 5 Configure the domain name for centralized MAC address authentication users to be aabbcc163.net. [S5500] mac-authentication domain aabbcc163.net...
  • Page 199: Ssh Terminal Services

    Chapter 15: SSH Terminal Services. SSH Terminal Services: This section contains information for SSH Terminal Services. Introduction to SSH: Secure Shell (SSH) can provide information security and powerful authentication to prevent such assaults as IP address spoofing and plain-text password interception when users log on to the Switch remotely using an insecure network environment.
  • Page 200 Chapter 15: SSH Terminal Services. Figure 48 Establish SSH channels through WAN (diagram labels: Workstation, Local Switch, Local Ethernet, Laptop, Server, SSH-Client, Remote Ethernet, Remote Switch...)
  • Page 201: Ssh Server Configuration

    SSH Terminal Services: ■ The client authenticates information from the user at the server until the authentication succeeds or the connection is turned off due to authentication timeout. SSH supports two authentication types: password authentication and RSA authentication. 1 Password authentication works as follows: The client sends its username and password to the server.
  • Page 202 Chapter 15: SSH Terminal Services. Configuring supported protocols: Table 180 Configure supported protocols. Operation / Command / Description: Enter system view: system-view. Enter one or multiple user interface views: user-interface [ type-keyword ] number [ ending-number ] (Required). Configure the protocols supported in the user interface view(s): protocol inbound { all | ssh | ... (Optional)
  • Page 203 SSH Terminal Services: Configuring authentication type. New users must specify an authentication type. Otherwise, they cannot access the switch. Table 182 Configure authentication type. Operation / Command / Description: Enter system view: system-view. Configure authentication type for SSH users: ssh user username authentication-type { password | password-publickey | rsa | all } (Required). If the RSA authentication type is defined, then the RSA public key of the client user must...
  • Page 204 Chapter 15: SSH Terminal Services. Table 184 Configure client public keys. Operation / Command / Description: Enter system view: system-view. Enter public key view: rsa peer-public-key key-name (Required). Enter public key edit view: public-key-code begin (Required). You can key in a blank space between characters, since the system can remove the blank space automatically.
  • Page 205: Ssh Client Configuration

    SSH Terminal Services: SSH Client Configuration. Table 186 describes SSH configuration tasks. Table 186 Configure SSH client. Operation / Command / Description: Enter system view: system-view. Enable the connection between SSH client and server: ssh2 host-ipaddr [ port ] [ prefer_kex { dh_group1 | dh_exchange_group } ] [ ... (Required). You can use this command to...
  • Page 206: Ssh Server Configuration Example

    Chapter 15: SSH Terminal Services. SSH Server Configuration Example: Network requirements. As shown in Figure 49, configure a local connection from the SSH client to the switch. The PC runs the SSH 2.0-supported client software. Network diagram: Figure 49 Network diagram for SSH server configuration (diagram labels: Switch, SSH Server...)
  • Page 207: Ssh Client Configuration Example

    SSH Terminal Services: RSA public key authentication. 1 Set AAA authentication on the user interfaces. [S5500] user-interface vty 0 4 [S5500-ui-vty0-4] authentication-mode scheme 2 Set the user interfaces to support SSH. [S5500-ui-vty0-4] protocol inbound ssh 3 Configure the login protocol for the client002 user as SSH and the authentication type as RSA public key.
  • Page 208 Chapter 15: SSH Terminal Services. Network diagram: Figure 50 Network diagram for SSH client configuration (diagram labels: Switch B, SSH Server, IP address 10.165.87.136; Switch A, SSH Client). Configuration procedure: 1 Configure the client to run the initial authentication.
  • Page 209: Ssh Keygen Program

    <<<<<The key is the same as in step 2. ---- END SSH2 PUBLIC KEY ---- 4 Using sshkey.exe, convert the key into the 3Com hex format and copy it into your switch. 5 Configure the switch and execute the command to log on: /ssh -2 -l usrname -i /home/user/ssh_rsa_key xx.xx.xx.xx (ip address of...
  • Page 210: Sftp Service

    Chapter 15: SSH Terminal Services. BOTH the private AND public key MUST be in /home/user/ for OpenSSH to work. result: [root@localhost openssh-4.2p1]# ./ssh -2 -l 1 -i /home/user/ssh_rsa_key 192.168.0.131 SFTP Service: The following sections describe SFTP service. SFTP Overview: Secure FTP (SFTP) is a new feature introduced in SSH 2.0.
  • Page 211: Sftp Client Configuration

    SFTP Service: SFTP Client Configuration. The following sections describe SFTP client configuration tasks: ■ Configuring SFTP client ■ Enabling the SFTP client ■ Disabling the SFTP client ■ Operating with SFTP directories ■ Operating with SFTP files. Configuring SFTP client: Table 191 Configuring SFTP client. Serial / Operation...
  • Page 212 Chapter 15: SSH Terminal Services. Disabling the SFTP client: Table 193 Disable the SFTP client. Operation / Command / Description: Enter system view: system-view. Enter SFTP client view: sftp { host-ip | host-name }. Disable the SFTP client: The three commands have the same function.
  • Page 213: Sftp Configuration Example

    SFTP Service 213 Displaying help information You can display help information about a command, such as syntax and parameters. Table 196 Display help information about SFTP client commands Operation Command Description Enter system view system-view Enter SFTP client view sftp { host-ip | host-name } Display help information about SFTP client help [ command-name ] Optional...
  • Page 214 Chapter 15: SSH Terminal Services. 2 Configure Switch A (SFTP client). a Establish a connection to the remote SFTP server and enter SFTP client view. [S5500] sftp 10.111.27.91 b Display the current directory on the SFTP server, delete file z and verify the operation.
  • Page 215 SFTP Service: f Upload file pu to the SFTP server and rename it to puk. Verify the operations. sftp-client> put pu puk Local file: pu ---> Remote file: flash:/puk Uploading file successfully ended sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 vrpcfg.cfg -rwxrwxrwx 1 noone...
  • Page 216 Chapter 15: SSH Terminal Services...
  • Page 217: Ip Routing Protocol Operation

    Chapter 16: IP Routing Protocol Operation. IP Routing Protocol Overview: Routers select an appropriate path through a network for an IP packet according to the destination address of the packet. Each router on the path receives the packet and forwards it to the next router. The last router in the path submits the packet to the destination host.
  • Page 218: Selecting Routes Through The Routing Table

    Chapter 16: IP Routing Protocol Operation. Configuring the IP Routing Protocol is described in the following sections: ■ Selecting Routes Through the Routing Table ■ Routing Management Policy. Selecting Routes Through the Routing Table: For a router, the routing table is the key to forwarding packets. Each router saves a routing table in its memory, and each entry in this table specifies the physical port of...
  • Page 219: Routing Management Policy

    IP Routing Protocol Overview: Figure 53 The routing table (diagram labels: 16.0.0.3, 16.0.0.2, 16.0.0.0, 15.0.0.2, 10.0.0.2; the routing table of router R8, with columns Destination host, Forwarding Port, ... passed; first entry 16.0.0.2...)
  • Page 220: Static Routes

    Chapter 16: IP Routing Protocol Operation. Supporting Load Sharing and Route Backup. I. Load sharing: Supports multi-route mode, allowing the user to configure multiple routes that reach the same destination and use the same precedence. The same destination can be reached using multiple different paths, whose precedences are equal.
  • Page 221: Configuring Static Routes

    Static Routes: The following routes are static routes: ■ Reachable route—The IP packet is sent to the next hop towards the destination. This is a common type of static route. ■ Unreachable route—When a static route to a destination has the reject attribute, ...
  • Page 222 Chapter 16: IP Routing Protocol Operation. The parameters are explained as follows: ■ IP address and mask: The IP address and mask use a decimal format. Because the 1s in the 32-bit mask must be consecutive, the dotted decimal mask can also be replaced by the mask length, which is the number of consecutive 1s in the mask.
  • Page 223: Example: Typical Static Route Configuration

    Static Routes: Displaying and Debugging Static Routes. After you configure static and default routes, execute the display command in any view to display the static route configuration, and to verify the effect of the configuration. Table 201 Displaying and debugging the routing table. Operation / Command: View routing table summary...
  • Page 224: Troubleshooting Static Routes

    Chapter 16: IP Routing Protocol Operation. 2 Configure the static routes for Ethernet Switch B: [Switch B]ip route-static 1.1.2.0 255.255.255.0 1.1.3.1 [Switch B]ip route-static 1.1.5.0 255.255.255.0 1.1.3.1 [Switch B]ip route-static 1.1.1.0 255.255.255.0 1.1.3.1 3 Configure the static routes for Ethernet Switch C: [Switch C]ip route-static 1.1.1.0 255.255.255.0 1.1.2.1 [Switch C]ip route-static 1.1.4.0 255.255.255.0 1.1.3.2 4 Configure the default gateway of Host A to be 1.1.5.2...
  • Page 225: Configuring Rip

    RIP 225 Cost—The cost for the router to reach the destination, which should be an integer ■ in the range of 0 to 16. Timer—The length of time from the last time that the routing entry was modified ■ until now. The timer is reset to 0 whenever a routing entry is modified. Route tag—The indication whether the route is generated by an interior routing ■...
  • Page 226 Chapter 16: IP Routing Protocol Operation. ■ Enabling RIP to Import Routes of Other Protocols ■ Configuring the Default Cost for the Imported Route ■ Setting the RIP Preference ■ Setting Additional Routing Metrics ■ Configuring Route Filtering. Enabling RIP and Entering the RIP View: Perform the following configurations in System View. Table 202 Enabling RIP and Entering the RIP View. Operation...
  • Page 227 RIP: 3Com does not recommend the use of this command, because the destination address does not need to receive two copies of the same message at the same time. Note that peer should be restricted using the following commands: ...
  • Page 228 Chapter 16: IP Routing Protocol Operation. By default, the values of the period update and timeout timers are 30 seconds and 180 seconds respectively. The value of the garbage-collection timer is four times that of the Period Update timer: 120 seconds. In fact, you may find that the timeout time of the garbage-collection timer is not fixed.
  • Page 229 RIP: In addition, the rip work command is functionally equivalent to both the rip input and rip output commands. By default, all interfaces except loopback interfaces both receive and transmit RIP update packets. Disabling Host Route: In some cases, the router can receive many host routes from the same segment, and these routes are of little help in route addressing but consume a lot of network resources.
  • Page 230 Chapter 16: IP Routing Protocol Operation. Perform the following configuration in Interface View: Table 211 Setting RIP-2 Packet Authentication. Operation / Command: Configure RIP-2 simple authentication key: rip authentication-mode simple password_string. Configure RIP-2 MD5 authentication with usual packet type following RFC 1723: rip authentication-mode md5 ... key_string. Configure RIP-2 MD5 authentication with...
  • Page 231 RIP: Perform the following configurations in RIP View. Table 214 Configuring the Default Cost for the Imported Route. Operation / Command: Configure default cost for the imported route: default cost value. Restore the default cost of the imported route: undo default cost. By default, the cost for the RIP imported route is 1.
  • Page 232 Chapter 16: IP Routing Protocol Operation. Perform the following configurations in RIP View. Configuring RIP to Filter the Received Routes: Table 217 Configuring RIP to Filter the Received Routes. Operation / Command: Filter the received routing information distributed by the specified address: filter-policy gateway ip_prefix_name import. Cancel filtering of the received routing...
  • Page 233: Traffic Sharing Across Rip Interfaces

    RIP: Traffic Sharing Across RIP Interfaces. Equal-cost routes are routes with the same destination but different next hop addresses in a routing table. After traffic sharing across RIP interfaces is enabled, the system distributes the traffic evenly across its RIP interfaces through equal-cost routes. Configuration Procedure: You can perform the following operations to configure traffic sharing across RIP interfaces.
  • Page 234: Troubleshooting Rip

    Chapter 16: IP Routing Protocol Operation. Networking Diagram: Figure 55 RIP configuration networking (diagram labels: Network address 155.10.1.0/24; Interface address 155.10.1.1/24; SwitchA; Interface address Ethernet 110.11.2.1/24; Network address 110.11.2.2/24; SwitchC; SwitchB; Interface address 117.102.0.1/16; Interface address 196.38.165.1/24; Network address 196.38.165.0/24; Network address 117.102.0.0/16). Configuration Procedure: The following configuration only shows the operations related to RIP.
  • Page 235: Ospf Configuration

    OSPF Configuration: Open Shortest Path First (OSPF) is a link-state Interior Gateway Protocol developed by the IETF. Only the Switch 5500-EI supports the OSPF protocol. The Switch 5500 uses OSPF version 2 (RFC2328), which has the following features: ■ Scope—Supports networks of various sizes and can support several hundred...
  • Page 236: Basic Concepts Related To Ospf

    Chapter 16: IP Routing Protocol Operation. OSPF Packets: OSPF uses five types of packets: ■ Hello Packet. The Hello Packet is the most common packet sent by the OSPF protocol. A router periodically sends it to its neighbors. It contains the values of some timers, the DR, the BDR and the known neighbors.
  • Page 237: Configuring Ospf

    OSPF Configuration: ■ Backup Designated Router (BDR). If the DR fails, a new DR must be elected and synchronized with the other routers on the segment. This process will take a relatively long time, during which the route calculation is incorrect. To shorten the process, OSPF creates a BDR as a backup for the DR.
  • Page 238 When enabling OSPF, note the following: ■ By default, the OSPF process ID is 1. ■ If a router is running multiple OSPF processes, 3Com recommends that you use ... in the command to specify different Router IDs for different processes.
  • Page 239 OSPF Configuration: Entering OSPF Area View. Perform the following configurations in OSPF View. Table 222 Entering OSPF Area View. Operation / Command: Enter an OSPF Area View: area area_id. Delete a designated OSPF area: undo area area_id. area_id is the ID of the OSPF area, which can be a decimal integer or in IP address format.
  • Page 240 Chapter 16: IP Routing Protocol Operation. Configuring the Network Type on the OSPF Interface: The route calculation of OSPF is based upon the topology of the network adjacent to the local router. Each router describes the topology of its adjacent network and transmits it to all the other routers.
  • Page 241 OSPF Configuration: Configuring the Cost for Sending Packets on an Interface. You can control network traffic by configuring different message sending costs for different interfaces. Otherwise, OSPF automatically calculates the cost according to the baud rate on the current interface. Perform the following configuration in Interface View: Table 226 Configuring the cost for sending packets on the Interface. Operation...
  • Page 242 Chapter 16: IP Routing Protocol Operation. Perform the following configuration in Interface View: Table 227 Setting the Interface Priority for DR Election. Operation / Command: Configure the interface with a priority for DR election: ospf dr-priority priority_num. Restore the default interface priority: undo ospf dr-priority. By default, the priority of the Interface is 1 in the DR election.
  • Page 243 OSPF Configuration: Setting a Dead Timer for the Neighboring Routers. If hello packets are not received from a neighboring router, that router is considered dead. The dead timer of neighboring routers refers to the interval after which a router considers a neighboring router dead.
  • Page 244 Chapter 16: IP Routing Protocol Operation. The value of interval should be bigger than the interval in which a packet can be transmitted and returned between two routers. An LSA retransmission interval that is too small will cause unnecessary retransmission. Setting a Shortest Path First (SPF) Calculation Interval for OSPF: Whenever the OSPF LSDB changes, the shortest path requires recalculation.
  • Page 245 OSPF Configuration: By default, the STUB area is not configured, and the cost of the default route to the STUB area is 1. Configuring the NSSA of OSPF: To keep the advantages of stub areas and at the same time improve networking flexibility, RFC1587 (OSPF NSSA Option) defines a new type of area, namely the NSSA, which has the capability of importing external routes in a limited way.
  • Page 246 Chapter 16: IP Routing Protocol Operation. ... generated on the ABR, even though the default route 0.0.0.0 is not in the routing table. On an ASBR, however, the default type-7 LSA route can be generated only if the default route 0.0.0.0 is in the routing table. Executing the no-import-route command on the ASBR prevents the external routes...
  • Page 247 OSPF Configuration: After the summarization of imported routes is configured, if the local router is an autonomous system border router (ASBR), this command summarizes the imported Type-5 LSAs in the summary address range. When NSSA is configured, this command will also summarize the imported Type-7 LSAs in the summary address range.
  • Page 248 Chapter 16: IP Routing Protocol Operation. Configuring the OSPF Area to Support Packet Authentication: All the routers in an area must use the same authentication mode. In addition, all routers on the same segment must use the same authentication key password. Use the authentication-mode simple command to configure a simple authentication password for the area, and the...
  • Page 249 2, cost is 1 and the tag is 1. variable specifies a source routing protocol that can be imported. This protocol can be Direct, Static or RIP. 3Com recommends that you configure the route together in type cost one command.
  • Page 250 Chapter 16: IP Routing Protocol Operation. Table 242 Configuring Parameters for OSPF to Import External routes (continued). Operation / Command: Restore the default upper limit to the external routes that can be imported at a time: undo default limit. Configure the default cost for OSPF to import external routes: default cost value. Restore the default cost for OSPF to import external...
  • Page 251 OSPF Configuration: Configuring OSPF Route Filtering. Perform the following configuration in OSPF View. Configuring OSPF to Filter the Received Routes: Table 245 Enabling OSPF to filter the received routes. Operation / Command: Disable to filter the received global routing information: filter-policy { acl_number | ip-prefix ip_prefix_name | gateway ip_prefix_name } import...
  • Page 252 Chapter 16: IP Routing Protocol Operation. Disabling the Interface to Send OSPF Packets: Use the silent-interface command to prevent the interface from transmitting OSPF packets. Perform the following configuration in OSPF View. Table 248 Disabling the interface to send OSPF packets. Operation / Command: Prevent the interface from...
  • Page 253: Displaying And Debugging Ospf

    OSPF Configuration: Perform the following configuration in System View. Table 250 Enabling/disabling OSPF TRAP function. Operation / Command: Enable OSPF TRAP function: snmp-agent trap enable ospf [ process_id ] [ ifstatechange | virifstatechange | nbrstatechange | virnbrstatechange | ifcfgerror | virifcfgerror | ifauthfail | virifauthfail | ifrxbadpkt | virifrxbadpkt | txretransmit | viriftxretransmit | originatelsa | maxagelsa | lsdboverflow | lsdbapproachoverflow ]...
  • Page 254: Example: Configuring Dr Election Based On Ospf Priority

    Chapter 16: IP Routing Protocol Operation. Table 252 Displaying and debugging OSPF. Operation / Command: Display OSPF routing table: display ospf [ process_id ] routing. Display OSPF virtual links: display ospf [ process_id ] vlink. Display OSPF request list: display ospf [ process_id ] request-queue. Display OSPF retransmission list: display ospf [ process_id ] retrans-queue. Display the information of OSPF...
  • Page 255 OSPF Configuration: The commands listed in the following examples enable Switch A and Switch C to be the DR and BDR, respectively. The priority of Switch A is 100, which is the highest on the network, so it is elected as the DR. Switch C has the second highest priority, so it is elected as the BDR.
  • Page 256: Example: Configuring Ospf Virtual Link

    Chapter 16: IP Routing Protocol Operation. Only when the current DR is offline does the DR change. Shut down Switch A, and run the display ospf peer command on Switch D to display its neighbors. Note that the original BDR (Switch C) becomes the DR, and Switch B is the new BDR. If all Ethernet Switches on the network are removed and added again, Switch B is elected as the DR (with a priority of 200), and Switch A becomes the BDR (with a priority of 100).
  • Page 257: Troubleshooting Ospf

    OSPF Configuration. [Switch B-ospf-1]area 1 [Switch B-ospf-1-area-0.0.0.1]network 197.1.1.0 0.0.0.255 [Switch B-ospf-1-area-0.0.0.1]vlink-peer 3.3.3.3 3 Configure Switch C: [Switch C]interface Vlan-interface 1 [Switch C-Vlan-interface1]ip address 152.1.1.1 255.255.255.0 [Switch C]interface Vlan-interface 2 [Switch C-Vlan-interface2]ip address 197.1.1.1 255.255.255.0 [Switch C]router id 3.3.3.3 [Switch C]ospf [Switch C-ospf-1]area 1 [Switch C-ospf-1-area-0.0.0.1]network 197.1.1.0 0.0.0.255 [Switch C-ospf-1-area-0.0.0.1]vlink-peer 2.2.2.2...
  • Page 258: Ip Routing Policy

    ■ Ensure the backbone area connects with all other areas. ■ The virtual links cannot pass through the STUB area. Troubleshooting globally: If OSPF cannot discover the remote routes and you have checked all troubleshooting items listed above, check the following configurations: ■ If more than two areas are configured on a router, at least one area should be...
  • Page 259: Configuring An Ip Routing Policy

    IP Routing Policy. and the matching objects are attributes of routing information. The relationship of the if-match clauses for a node uses a series of Boolean “AND” statements. As a result, a match is found only when all the matching conditions specified by the if-match clauses are satisfied.
  • Page 260 Defining a Route Policy: A route policy can include multiple nodes. Each node is a unit for the matching operation. The nodes are tested against the node_number. Perform the following configurations in System View. Table 253 Defining a route-policy (Operation / Command)...
  • Page 261 IP Routing Policy. Table 254 Defining if-match Conditions (continued) (Operation / Command): Cancel the matched next-hop of the routing information set by ACL: undo if-match ip next-hop; Cancel the matched next-hop of the routing information set by the address prefix list: undo if-match ip next-hop ip-prefix; Match the routing cost of the ...: if-match cost cost...
  • Page 262 Perform the following configuration in Routing Protocol View. Table 256 Configuring to import the routes of other protocols (Operation / Command): Import routes of other protocols: import-route protocol [ cost cost ] [ tag value ] type { 1 | 2 } [ route-policy route_policy_name ]; Do not import routes of other...
  • Page 263: Forwarding Layer 3 Broadcast Packets

    IP Routing Policy. Table 258 Configuring the Filtering of Received Routes (Operation / Command): Configure to filter the received routing information distributed by the specified address: filter-policy gateway ip_prefix_name import; Cancel the filtering of the received routing information distributed by the specified address: undo filter-policy gateway ip_prefix_name import...
  • Page 264: Displaying And Debugging The Routing Policy

    stop forwarding the packet to the network. Using the following configuration tasks, you can choose to forward the broadcast packet to the network for broadcast. Perform the following configuration in system view. Table 260 Configuring to forward layer 3 broadcast packets (Operation / Command / Description)...
  • Page 265: Troubleshooting Routing Protocols

    Route Capacity Configuration. c Enable the OSPF protocol and specify the number of the area to which the interface belongs. [Switch A]router id 1.1.1.1 [Switch A]ospf [Switch A-ospf-1]area 0 [Switch A-ospf-1-area-0.0.0.0]network 10.0.0.0 0.255.255.255 d Import the static routes. [Switch A-ospf-1]import-route static 2 Configure Switch B: a Configure the IP address of the VLAN interface.
  • Page 266: Limiting Route Capacity

    to add new routes to the routing table and whether or not to keep the connection with a routing protocol. The default value normally meets the network requirements. You must be careful when modifying the configuration to avoid reducing the stability of the network. Limiting Route Capacity: The size of the routing table is determined by OSPF routes.
  • Page 267: Displaying And Debugging Route Capacity

    Route Capacity Configuration. Displaying and Debugging Route Capacity: Enter the display command in any view to display the operation of the Route Capacity configuration. Table 264 Displaying and debugging route capacity (Operation / Command): Display the route capacity memory information: display memory [ unit unit_id ]; Display the route capacity memory setting and state information: display memory limit...
  • Page 269: Network

    Network Protocol Operation. This chapter covers the following topics: ■ IP Address Configuration ■ ARP Configuration ■ Resilient ARP Configuration ■ BOOTP Client Configuration ■ DHCP Configuration ■ Access Management Configuration ■ UDP Helper Configuration ■ IP Performance Configuration. IP Address: This section contains IP Address Configuration information.
  • Page 270 Chapter 17: Network Protocol Operation. When using IP addresses, note that some of them are reserved for special uses, and are seldom used. The IP addresses you can use are listed in Table 265. Table 265 IP Address Classes and Ranges (Network class / Address range)...
  • Page 271: Configuring Ip Address

    IP Address Configuration. address. If there is no subnet division, then its subnet mask is the default value and the length of "1" indicates the net-id length. Therefore, for IP addresses of classes A, B and C, the default values of the corresponding subnet mask are 255.0.0.0, 255.255.0.0 and 255.255.255.0 respectively.
  • Page 272: Displaying And Debugging Ip Address

    Perform the following configuration in System View. Table 266 Configuring the Host Name and the Corresponding IP Address (Operation / Command): Configure the hostname and the corresponding IP address: ip host hostname ip_address; Delete the hostname and the corresponding IP address: undo ip host hostname [ ip_address ]. By default, there is no host name associated with any host IP address.
  • Page 273: Ip Address Configuration Example

    ARP Configuration. IP Address Configuration Example. Networking Requirements: Configure the IP address as 129.2.2.1 and subnet mask as 255.255.255.0 for VLAN interface 1 of the Switch. Networking Diagram: Figure 63 IP Address Configuration Networking (a Switch attached by console cable). Configuration Procedure: 1 Enter VLAN interface 1.
  • Page 274: Configuring Arp

    Suppose there are two hosts on the same network segment: Host A and Host B. The IP address of Host A is IP_A and the IP address of Host B is IP_B. Host A will transmit messages to Host B.
  • Page 275: Introduction To Gratuitous Arp

    Introduction to Gratuitous ARP. Note that: ■ A static ARP map entry is always valid as long as the Switch works normally. But if the VLAN corresponding to the ARP mapping entry is deleted, the ARP mapping entry is also deleted. ■ The valid period of dynamic ARP map entries lasts only 20 minutes by default.
  • Page 276: Gratuitous Arp Packet Learning Configuration

    By sending gratuitous ARP packets, a network device can: ■ Determine whether or not IP address conflicts exist between it and other network devices. ■ Trigger other network devices to update its hardware address stored in their...
  • Page 277: Resilient Arp Configuration

    Introduction to Gratuitous ARP. Resilient ARP Configuration: This section contains configuration information for Resilient ARP. Overview of Resilient ARP: To support resilient networking in XRN applications, redundant links are required between the XRN fabric and other devices. But if intra-fabric connections are broken and the original fabric is split, these redundant links may cause a situation where the network connects to two or more layer 3 devices of the same configuration and they run the same routing function.
  • Page 278: Displaying And Debugging Resilient Arp Configuration

    You can use the following command to configure through which VLAN interface the resilient ARP packet is sent. The system provides a default VLAN interface to send resilient ARP packets. Perform the following configuration in System View. Table 275 Configuring/Deleting Resilient ARP Packet-sending VLAN Interface (Operation / Command)...
  • Page 279: Bootp Client Configuration

    BOOTP Client Configuration. Networking Diagram: Figure 64 Networking for Resilient ARP Configuration (figure labels: Switch, XRN, Unit 1, Unit 2, Unit 3, Unit 4)...
  • Page 280: Bootp Client Configuration

    BOOTP Client Configuration: BOOTP client is described in the following section. Configuring a VLAN Interface to Obtain the IP Address Using BOOTP: Perform the following configuration in VLAN Interface View. Table 277 Configuring a VLAN Interface to Obtain the IP Address Using BOOTP (Operation / Command): Configure VLAN interface to obtain an IP address...
  • Page 281 DHCP Configuration. Figure 65 Typical DHCP Application (one DHCP server serving several DHCP clients). To obtain valid dynamic IP addresses, the DHCP client exchanges different types of information with the server at different stages. One of the following three situations may occur: ■ A DHCP client logs into the network for the first time...
  • Page 282 ■ A DHCP client extends its IP lease period: There is a time limit for the IP addresses leased to DHCP clients. The DHCP server withdraws the IP addresses when their lease period expires. If the DHCP client wants to continue using the old IP address, it has to extend the IP lease.
  • Page 283: Option 82 Supporting

    DHCP Configuration. Option 82 supporting. Introduction to option 82 supporting: Option 82 is a relay agent information option in DHCP packets. When a request packet from a DHCP client travels through a DHCP relay on its way to the DHCP server, the DHCP relay adds option 82 into the request packet.
  • Page 284 ■ Len: Specifies the length of the agent information field. ■ Agent information field: Specifies the sub-options used. 2 Sub-option format: Figure 68 illustrates the sub-option format. Figure 68 Sub-option format. ■ SubOpt: Sub-option number. Currently, the value of this sub-field can be 1, 2, and...
  • Page 285: Dhcp Client Configuration

    DHCP Configuration. Mechanism of option 82 supporting on DHCP relay: The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay is exactly the same as that for the client to obtain an IP address from a DHCP server directly.
  • Page 286: Dhcp Relay Configuration

    DHCP Relay Configuration: DHCP relay configuration is described in the following sections: ■ Enabling DHCP ■ Configuring the DHCP Server Group for the VLAN Interfaces ■ Configuring the User Address Entry for the DHCP Server Group ■...
  • Page 287: Configuring Dhcp Relay Security

    DHCP Configuration. Configuring the User Address Entry for the DHCP Server Group: To ensure that a valid user with a fixed IP address in a VLAN configured with DHCP Relay passes the address validity check of the DHCP security feature, you must add a static address entry which indicates the correspondence between an IP address and a MAC address.
  • Page 288: Option 82 Supporting Configuration

    to DHCP servers by DHCP clients through unicast when the DHCP clients release IP addresses, the user address entries maintained by the DHCP relay cannot be updated in time. The dynamic user address entry updating function is developed to resolve this problem.
  • Page 289: Option 82 Supporting Configuration Example

    DHCP Configuration. Table 287 Enable option 82 supporting on a DHCP relay (Operation / Command / Description): Enable option 82 supporting on the DHCP relay: dhcp relay information enable (Required; by default, this function is disabled). Configure the strategy for the DHCP relay to process ...: dhcp relay information ... (Optional)...
  • Page 290: Introduction To Dhcp Snooping

    6 Return to system view. [S5500-vlan-interface 100] quit 7 Enable option 82 supporting on the DHCP relay, with the keep keyword specified. [S5500] dhcp relay information enable [S5500] dhcp relay information strategy keep Introduction to DHCP Snooping: For the sake of security, the IP addresses used by online DHCP clients need to be tracked for the administrator to verify the corresponding relationship between the IP...
  • Page 291: Dhcp Snooping Configuration

    DHCP Configuration. Figure 71 Interaction between a DHCP client and a DHCP server. DHCP snooping listens to the following two types of packets to retrieve the IP addresses the DHCP clients obtain from DHCP servers and the MAC addresses of the DHCP clients: ■ DHCP-ACK packet ■...
  • Page 292: Configuration Example

    Configuration Example. I. Network requirements: As shown in Figure 71, the Ethernet1/0/1 port of Switch A (an S5500 series switch) is connected to Switch B (acting as a DHCP relay). A network segment containing some DHCP clients is connected to the Ethernet1/0/2 port of Switch A.
  • Page 293 Introduction to DHCP Accounting. ■ Length: Two bytes, identifying the total length of the accounting packet. ■ Authenticator: 16 bytes, identifying the information between the RADIUS server and client. The Attributes field contains multiple sub-fields. The content of the Attributes field is slightly different between an Accounting START packet and an Accounting STOP packet, as described in the following text.
  • Page 294: Dhcp Accounting Fundamentals

    DHCP Accounting Fundamentals: After you complete AAA and RADIUS configuration on a switch with the DHCP server function enabled, the DHCP server acts as a RADIUS client. For the authentication process of the DHCP server acting as a RADIUS client. The following describes only the accounting interaction between the DHCP server and the RADIUS server.
  • Page 295: Introduction To Dhcp Accounting

    Introduction to DHCP Accounting. ■ DHCP accounting is enabled on the DHCP server. ■ The IP addresses of the global DHCP address pool belong to the network segment 10.1.1.0/24. The DHCP server operates as a RADIUS client and adopts AAA for authentication.
  • Page 296: Displaying And Debugging Dhcp Configuration

    11 Enter VLAN 3 interface view and assign the IP address 10.1.2.1/24 to the VLAN interface. [S5500] interface vlan-interface 3 [S5500-Vlan-interface3] ip address 10.1.2.1 24 12 Return to system view. [S5500-Vlan-interface3] quit 13 Create a domain and a RADIUS scheme. Associate the domain with the RADIUS scheme.
  • Page 297: Dhcp Relay Configuration Example One

    Introduction to DHCP Accounting. DHCP Relay Displaying: You can verify your DHCP relay-related configuration by executing the following display commands in any view. Table 291 Display DHCP relay information (Operation / Command): Display information about a specified DHCP server group: display dhcp-server groupNo; Display information about the DHCP server ...: display dhcp-server interface vlan-interface vlan-id...
  • Page 298: Dhcp Relay Configuration Example Two

    Configuration Procedure: 1 Create a DHCP server group that will use two DHCP servers (a master and an optional backup) and assign it the IP addresses of the two DHCP servers (the first IP address is the master).
  • Page 299: Troubleshooting Dhcp Relay Configuration

    Access Management Configuration. Troubleshooting DHCP Relay Configuration: Perform the following procedure if a user cannot apply for an IP address dynamically: 1 Use the display dhcp-server groupNo command to check if the IP address of the corresponding DHCP Server has been configured. 2 Use the display vlan ... commands to...
  • Page 300 Table 293 Enabling/Disabling the Access Management Function (Operation / Command): Disable access management function: undo am enable. By default, the system disables the access management function. Configuring the Access Management IP Address Pool Based on the Port: You can use the following command to set the IP address pool for access management on a port.
  • Page 301: Displaying And Debugging Access Management

    Access Management Configuration. ■ In the same aggregation group, the port isolation feature on one unit is consistent. ■ If a port is removed from an aggregation group, its port isolation configuration will not change. ■ If a port of an aggregation group is isolated on unit 1, then you can achieve...
  • Page 302: Access Management Configuration Example

    Access Management Configuration Example. Networking Requirements: Organization 1 is connected to port 1 of the Switch, and organization 2 to port 2. Ports 1 and 2 belong to the same VLAN. The IP address range 202.10.20.1 to 202.10.20.20 can be accessed from port 1 and the range 202.10.20.21 to 202.10.20.50 from port 2.
  • Page 303: Udp Helper Configuration

    UDP Helper Configuration. To delete this feature, enter: <SW5500>system-view [SW5500]acl number 2500 [SW5500-acl-basic-2500]undo rule 0 UDP Helper Configuration: This section contains UDP Helper configuration information. Overview of UDP Helper: The major function of the UDP Helper is to relay-forward UDP broadcast packets, that is, it can convert UDP broadcast packets into unicast packets and send them to the designated server, as a relay.
  • Page 304 Table 300 Default UDP Ports List (Protocol / UDP port ID): NetBIOS Name Service (NetBIOS-NS); NetBIOS Datagram Service (NetBIOS-DS); Terminal Access Controller Access Control System (TACACS). Perform the following configuration in System View. Table 301 Configuring UDP Port with Relay Function (Operation / Command): Configure UDP port with...
  • Page 305: Displaying And Debugging Udp Helper Configuration

    IP Performance Configuration. Displaying and Debugging UDP Helper Configuration: After the above configuration, enter the display command in any view to display the running of the UDP Helper destination server, and to verify the effect of the configuration. Enter the debugging command in User View to debug the UDP Helper configuration.
  • Page 306: Displaying And Debugging Ip Performance

    be terminated. The synwait timer timeout ranges from 2 to 600 seconds and is 75 seconds by default. ■ finwait timer: When the TCP connection state turns from FIN_WAIT_1 to FIN_WAIT_2, the finwait timer is started. If FIN packets are not received before the finwait timer times out, the TCP connection is terminated.
  • Page 307: Troubleshooting Ip Performance

    IP Performance Configuration. Table 305 Displaying and Debugging IP Performance (Operation / Command): Display the total number of FIB entries: display fib statistics [ { begin | include | exclude } text ]; Reset IP statistics information: reset ip statistics; Reset TCP statistics information: reset tcp statistics; Reset UDP statistics information: reset udp statistics. Troubleshooting IP Performance. Fault: IP layer protocol works normally but TCP and UDP cannot work normally.
  • Page 309: Multicast Protocol

    IP Multicast Overview. The Switch 5500-EI supports all of the multicast protocols listed in this manual; however, the Switch 5500-SI only supports the IGMP Snooping protocol. Many transmission methods can be used when information (including data, voice and video) is destined for only some of the hosts on the network. If the unicast method is used, an independent data transmission path must be established for each user.
  • Page 310: Multicast Addresses

    Chapter 18: Multicast Protocol. Figure 78 Comparison between the unicast and multicast transmission (a server sending to several receivers by unicast versus by multicast). A multicast source does not necessarily belong to a multicast group. It only sends data to the multicast group and it is not necessarily a receiver. Multiple sources can send packets to a multicast group simultaneously.
  • Page 311 IP Multicast Overview. Ranges and meanings of Class D addresses are shown in Table 306. Table 306 Ranges and meaning of Class D addresses (Class D address range / Meaning): 224.0.0.0~224.0.0.255: Reserved multicast addresses (addresses of permanent groups). Address 224.0.0.0 is reserved. The other addresses can be used by routing protocols.
  • Page 312: Ip Multicast Protocols

    Figure 79 Mapping between the multicast IP address and the Ethernet MAC address (32-bit IP address whose leading bits are 1110, remaining bits shown as X)...
  • Page 313: Forwarding Ip Multicast Packets

    IP Multicast Overview. PIM-DM (Protocol-Independent Multicast Dense Mode): PIM dense mode is suitable for small networks. It assumes that each subnet in the network contains at least one receiver interested in the multicast source. As a result, multicast packets are flooded to all points of the network, consuming network bandwidth and increasing router processing.
  • Page 314: Applying Multicast

    Applying Multicast: IP multicast technology effectively solves the problem of packet forwarding from single-point to multi-point. It implements highly-efficient data transmission from single-point to multi-point in IP networks and can save a large amount of network bandwidth and reduce network loads.
  • Page 315 IGMP Snooping. Figure 81 Multicast packet transmission when IGMP Snooping runs (figure labels: VOD Server, Internet / Intranet, Multicast router, Layer 2 Ethernet Switch / Switch 5500, Video stream, Multicast group member, Non-multicast group member). IGMP Snooping Terminology...
  • Page 316 Figure 82 Implementing IGMP Snooping (figure labels: Internet, a router running IGMP, IGMP packets, a Switch 5500 / Ethernet Switch running IGMP Snooping). Table 309 explains IGMP Snooping terminology. Table 309 IGMP Snooping Terminology (Term / Meaning): IGMP general query message...
  • Page 317: Configuring Igmp Snooping

    IGMP Snooping. Table 309 IGMP Snooping Terminology (continued) (Term / Meaning): IGMP leave message: Transmitted from the multicast group member to the multicast router, to notify that a host has left the multicast group. The Switch 5500 transmits the specific query message, concerning the group, to the port that received the message in an effort to check whether other members of this group remain on that port, and then starts a maximum response timer.
  • Page 318: Enabling Igmp Fast Leave Processing

    Perform the following configuration in system view. Table 311 Configuring router port aging time (Operation / Command): Configure router port aging time: igmp-snooping router-aging-time seconds; Restore the default aging time: undo igmp-snooping router-aging-time. By default, the port aging time is 105 seconds. Configuring Maximum Response Time: Use the commands in Table 312 to manually configure the maximum response time.
  • Page 319: Configuring Igmp Snooping Filter Acl

    IGMP Snooping. If IGMP fast leave processing is enabled, when receiving an IGMP Leave message, IGMP Snooping immediately removes the port from the multicast group. When a port has only one user, enabling IGMP fast leave processing on the port can save bandwidth.
  • Page 320: Configuring Multicast Vlan

    Table 316 Configure the maximum number of multicast groups on a port (continued) (Operation / Command / Description): Configure the maximum number of multicast groups the port can join: igmp-snooping group-limit [ vlan vlan-list | ... (Required; by default, there is no limit on ...)
  • Page 321: Displaying And Debugging Igmp Snooping

    IGMP Snooping. Table 318 Configure multicast VLAN on Layer 2 switch (continued) (Operation / Command / Description): Enable multicast VLAN: service-type multicast (Required); Exit the VLAN view: quit; Enter the view of the Ethernet port connected to the Layer 3 switch: interface interface-type interface-num; Define the port as a trunk or...
  • Page 322: Configuration Example-Enable Igmp Snooping

    Configuration Example: Enable IGMP Snooping. Networking Requirements: To implement IGMP Snooping on the switch, first enable it. The switch is connected to the router via the router port, and to user PCs through the non-router ports on VLAN 10.
  • Page 323: Common Multicast Configuration

    Common Multicast Configuration. Diagnosis 3: The multicast forwarding table set up on the bottom layer is wrong. 1 Enable IGMP Snooping in user view and then input the display igmp-snooping group command to check whether the MAC multicast forwarding table in the bottom layer and that created by IGMP Snooping are consistent.
  • Page 324: Multicast Mac Address Entry Configuration

    Multicast MAC Address Entry Configuration: In Layer 2 multicast, the system can add multicast forwarding entries dynamically through the Layer 2 multicast protocol. However, you can also manually create a static multicast address entry to bind a port to a multicast address. Generally, when receiving a multicast packet whose multicast address has not yet been registered on the switch, the switch broadcasts the packet in the VLAN.
  • Page 325: Multicast Source Deny Configuration

    Common Multicast Configuration. Multicast Source Deny Configuration: The purpose of the multicast source deny feature is to filter out multicast packets on an unauthorized multicast source port, to prevent the user connected to the port from setting up a multicast server without permission. Enabling Multicast Source Deny: Table 324 Enable multicast source deny (Operation...
  • Page 326: Displaying And Debugging Common Multicast Configuration

    The forwarding entries in MFC are deleted along with the routing entries in the multicast kernel routing table. Displaying and Debugging Common Multicast Configuration: Execute the display command in any view to display the running of the multicast configuration, and to verify the effect of the configuration.
  • Page 327 Internet Group Management Protocol (IGMP). IGMP is not symmetric on hosts and routers. Hosts need to respond to IGMP query messages from the multicast router, that is, report the group membership to the router. The router needs to send membership query messages periodically to discover, from the received response messages, whether hosts on its subnets have joined the specified group.
  • Page 328: Configuring Igmp

    Configuring IGMP. Basic IGMP configuration includes: ■ Enabling Multicast ■ Enabling IGMP on an Interface. Advanced IGMP configuration includes: ■ Configuring the IGMP Version ■ Configuring the Interval and the Number of IGMP Query Packets ■ Configuring the Limit of IGMP Groups on an Interface ■...
  • Page 329 Internet Group Management Protocol (IGMP). Configuring the Interval for Querying IGMP Packets: The router finds out which multicast groups on its connected network segment have members by sending IGMP query messages periodically. Upon the reception of a response message, the router refreshes the membership information of the corresponding multicast group.
  • Page 330 Table 331 Configuring interval for querying IGMP packets (Operation / Command): Configure interval for querying IGMP packets: igmp lastmember-queryinterval seconds; Restore the default query interval: undo igmp lastmember-queryinterval. Table 332 Configure the number of last member querying (Operation / Command): Configure number of last member querying...
  • Page 331 Internet Group Management Protocol (IGMP). Table 334 Configuring a router to join specified multicast group (Operation / Command): Configure a router to join specified multicast group (VLAN Interface View): igmp host-join group_address port interface_type interface_num interface_name interface_type interface_num interface_name; Quit from specified ...: undo igmp host-join group-address port...
  • Page 332 Configuring the Present Time of IGMP Querier: The IGMP querier present timer defines the period of time before the router takes over as the querier sending query messages, after the previous querier has stopped doing so. Perform the following configuration in Interface view.
  • Page 333: Displaying And Debugging Igmp

    PIM-DM Overview. Displaying and Debugging IGMP: After the above configuration, execute the display command in any view to display the running of the IGMP configuration, and to verify the effect of the configuration. Execute the debugging command in user view for the debugging of IGMP. Table 340 Displaying and debugging IGMP (Operation...
  • Page 334 This process is called the “flood & prune” process. In addition, pruned nodes provide a timeout mechanism: each router restarts the “flood & prune” process upon pruning timeout, so the “flood & prune” process of PIM-DM is performed periodically.
  • Page 335: Configuring Pim-Dm

    ■ Clearing Multicast Route Entries from PIM Routing Table ■ Clearing PIM Neighbors. When the router runs in the PIM-DM domain, 3Com recommends that you enable PIM-DM on all interfaces of the non-border router. Enabling Multicast: Refer to “Common Multicast Configuration” on page 323.
  • Page 336 Using the undo pim command, you can clear the configuration in PIM view and return to system view. Configuring Sending Interval for the Hello Packets: After PIM is enabled on an interface, it sends Hello messages periodically on the interface.
  • Page 337 PIM-DM Overview. Only the routers that match the filtering rule in the ACL can serve as a PIM neighbor of the current interface. Configuring the Maximum Number of PIM Neighbors on an Interface: The maximum number of PIM neighbors of a router interface can be configured to avoid exhausting the memory of the router or causing router faults.
  • Page 338: Displaying And Debugging Pim-Dm

    Displaying and Debugging PIM-DM: After the above configuration, execute the display command in any view to display the running of the PIM-DM configuration, and to verify the effect of the configuration. Execute the debugging command in user view for the debugging of PIM-DM. Table 349 Displaying and debugging PIM-DM (Operation...
  • Page 339: Pim-Sm Overview

    PIM-SM Overview. Configuration Procedure: This section only describes the configuration procedure for Switch_A. Follow a similar configuration procedure for Switch_B and Switch_C. 1 Enable the multicast routing protocol. [SW5500]multicast routing-enable 2 Enable IGMP and PIM-DM. [SW5500]vlan 10 [SW5500-vlan10]port ethernet 1/0/2 to ethernet 1/0/3 [SW5500-vlan10]quit [SW5500]vlan 11 [SW5500-vlan11]port ethernet 1/0/4 to ethernet 1/0/5...
  • Page 340: Pim-Sm Operating Principle

    PIM-SM Operating Principle: The working procedures for PIM-SM include: neighbor discovery, building the RP-rooted shared tree (RPT), multicast source registration and switchover to the SPT. Neighbor Discovery: The PIM-SM router uses Hello messages to perform neighbor discovery when it is started.
  • Page 341: Preparations Before Configuring Pim-Sm

    PIM-SM Overview. Preparations before Configuring PIM-SM. Configuring Candidate RPs: In a PIM-SM network, multiple RPs (candidate-RPs) can be configured. Each Candidate-RP (C-RP) is responsible for forwarding multicast packets with destination addresses in a certain range. Multiple C-RPs are configured to implement load balancing of the RP.
  • Page 342 Clearing PIM Neighbors ■ It should be noted that at least one router in an entire PIM-SM domain should be configured with Candidate-RPs and Candidate-BSRs. Enabling Multicast: Refer to “Common Multicast Configuration” on page 323. Enabling PIM-SM: This configuration can be effective only after multicast is enabled.
  • Page 343 When configuring an RP, if the range of served multicast groups is not specified, the RP will serve all multicast groups. Otherwise, the RP serves only the multicast groups in the specified range. 3Com recommends that you configure Candidate RP on the backbone router.
  • Page 344 Configuring Static RP: Static RP serves as the backup of dynamic RP, so as to improve network robustness. Perform the following configuration in PIM view. Table 355 Configuring static RP: Operation / Command. Configure static RP: static-rp rp_address [ acl_number ]. Remove the configured static RP: undo static-rp rp_address...
  • Page 345 Perform the following configuration in PIM view. Table 357 Configuring RP to filter the register messages sent by DR: Operation / Command. Configure RP to filter the register messages sent by DR: register-policy acl_number. Cancel the configured filter of messages: undo register-policy. If an entry of a source group is denied by the ACL, or the ACL does not define an operation for it, or there is no ACL defined, the RP will send RegisterStop messages to...
  • Page 346: Displaying And Debugging Pim-Sm

    In the BSR mechanism, a C-RP router unicasts C-RP messages to the BSR, which then propagates the C-RP messages across the network by BSR message. To prevent C-RP spoofing, you need to configure crp-policy on the BSR to limit the legal C-RP range and their service group range.
  • Page 347: Networking Diagram

    Networking Diagram: Figure 87 PIM-SM configuration networking (Switch_A, Switch_B and Switch_C; LS_A, LS_B and LS_C; Host A and Host B; VLAN10, VLAN11 and VLAN12)...
  • Page 348 [SW5500]vlan 11 [SW5500-vlan11]port ethernet 1/0/4 to ethernet 1/0/5 [SW5500-vlan11]quit [SW5500]interface vlan-interface 11 [SW5500-vlan-interface11]igmp enable [SW5500-vlan-interface11]pim sm [SW5500-vlan-interface11]quit [SW5500]vlan 12 [SW5500-vlan12]port ethernet 1/0/6 to ethernet 1/0/7 [SW5500-vlan12]quit [SW5500]interface vlan-interface 12 [SW5500-vlan-interface12]igmp enable [SW5500-vlan-interface12]pim sm [SW5500-vlan-interface12]quit b Configure the C-BSR. [SW5500]pim [SW5500-pim]c-bsr vlan-interface 10 30 2 c Configure the C-RP.
  • Page 350
  • Page 351: Acl Configuration

    ACL Configuration: This chapter covers the following topics: ■ Brief Introduction to ACL ■ QoS Configuration ■ QoS Profile Configuration ■ ACL Control Configuration. Brief Introduction to ACL: A series of matching rules are required for the network devices to identify the packets to be filtered.
  • Page 352: Acl Supported By The Switch

    Chapter 19: ACL Configuration. The depth-first principle is to put the statement specifying the smallest range of packets at the top of the list. This can be implemented by comparing the wildcards of the addresses. The smaller the wildcard is, the fewer hosts it can specify. For example, 129.102.1.1 0.0.0.0 specifies a host, while 129.102.1.1 0.0.255.255 specifies a network segment, 129.102.0.1 through 129.102.255.255.
  • Page 353: Defining Acl

    Brief Introduction to ACL 353 Table 362 Set the Absolute Time Range: Operation / Command. Set the time range: time-range time-name { start_time to end_time days_of_the_week [ from start_time start_date ] [ to end_time end_date ] | from start_time start_date [ to end_time end_date ] | to end_time end_date }. Delete the time range: undo time-range time-name [ start_time to end_time...
  • Page 354 Table 363 Define Basic ACL: Operation / Command. Enter basic ACL view (from System View): acl number acl_number [ match-order { config | auto } ]. Add a sub-item to the ACL (from Basic ACL View): rule [ rule_id ] { permit | deny } [ source { source_addr wildcard | any } | fragment | logging | time-range name ]*...
  • Page 355: Activating Acl

    Table 365 Define Layer-2 ACL: Operation / Command. Enter Layer-2 ACL view (from System View): acl number acl_number [ match-order { config | auto } ]. Add a sub-item to the ACL (from Layer-2 ACL View): rule [ rule_id ] { permit | deny } [ [ type protocol_type type_mask | lsap lsap_type type_mask ] | format_type | cos cos | source {...
  • Page 356: Displaying And Debugging Acl

    Table 367 Activate ACL: Operation / Command. Activate an ACL: packet-filter { inbound | outbound } { user-group acl_number [ rule rule ] | ip-group acl_number [ rule rule [ link-group acl_number rule rule ] ] | link-group acl_number [ rule rule ] }. Deactivate an ACL: undo packet-filter { inbound | outbound } { user-group acl_number [ rule rule ] | ip-group acl_number [ rule rule...
  • Page 357: Basic Acl Configuration Example

    1 Define the work time range. Define the time range from 8:00 to 18:00. [SW5500]time-range 3Com 8:00 to 18:00 working-day 2 Define the ACL to access the payment server. a Enter the numbered advanced ACL, numbered 3000. [SW5500]acl number 3000 match-order config b Define the rules for other departments to access the payment server.
  • Page 358: Link Acl Configuration Example

    [SW5500]acl number 2000 b Define the rule for packets whose source IP is 10.1.1.1. [SW5500-acl-basic-2000]rule 1 deny source 10.1.1.1 0 time-range 3Com 3 Activate the ACL. Activate ACL 2000. [SW5500-GigabitEthernet1/0/50]packet-filter inbound ip-group 2000 Link ACL Configuration...
  • Page 359: Qos Configuration

    QoS Configuration 359 QoS Configuration. Traffic: Traffic refers to all packets passing through a Switch. Traffic Classification: Traffic classification means identifying packets with certain characteristics, using a matching rule called a classification rule, set by the configuration administrator based on the actual requirements. The rule can be very simple. For example, traffic with different priorities can be identified according to the ToS field in the IP packet header.
  • Page 360 Figure 91 SP queueing (queues 7 to 0, from high to low priority; packets are classified into the queues, dequeued and sent via the interface). The SP is designed for the key service application. A significant feature of the key service is the need for priority to enjoy the service, so as to reduce the response delay when congestion occurs.
  • Page 361: Qos Configuration

    QoS Configuration: The process of traffic-based QoS: 1 Identify the traffic by ACL. 2 Perform the QoS operation on the traffic. The configuration steps of traffic-based QoS: 1 Define the ACL. 2 Configure the QoS operation. If QoS is not based on traffic, you need not define an ACL first.
  • Page 362: Setting Port Mirroring

    Configuration example for setting the priority of a protocol packet. 1 Change OSPF protocol packets’ IP priority to 3. Enter system view. <S5500> system-view [S5500] 2 Set OSPF protocol packets’ IP priority to 3. [S5500] protocol-priority protocol-type OSPF ip-precedence 3 3 Display the priority of protocol packets.
  • Page 363 Configure Traffic Mirroring. 1 Configure the monitor port. Perform the following configuration in the Ethernet Port View. Table 375 Configure Monitor Port: Operation / Command. Configure a monitor port: monitor-port. Only one monitor port can be configured on one Switch. If a group of Switches form a Fabric, only one monitor port can be configured on the Fabric.
  • Page 364: Setting Traffic Limit

    (Table of 802.1p priority levels and their queues.) Configuring the Mapping Relationship Between COS and Local Precedence: Using the following commands, you can configure the maps. Perform the following configuration in System View. Table 380 Map Configuration: Operation / Command. Configure the “COS -> Local-precedence” map: qos cos-local-precedence-map...
  • Page 365: Setting Line Limit

    Operation / Command. Remove traffic limit: undo traffic-limit inbound { user-group acl_number [ rule rule ] | ip-group acl-number [ rule rule [ link-group acl_number rule rule ] ] | link-group acl_number [ rule rule ] }. You should first define an ACL before this configuration task. The granularity of traffic limit is 64 kbps.
  • Page 366: Configuring Wred Operation

    Table 385 Configuring Traffic Statistics: Operation / Command. Configure traffic statistics: traffic-statistic inbound { user-group acl_number [ rule rule ] | ip-group acl_number [ rule rule [ link-group acl_number rule rule ] ] | link-group acl_number [ rule rule ] }. Cancel the traffic statistics: undo traffic-statistic inbound...
  • Page 367 Table 388 Control Telnet using source IP: Configuration Procedure / Command / Description. Create or enter basic ACL view: acl number acl-number [ match-order { config | auto } ] (By default, the matching order is config.) Define the rule: rule [ rule-id ] { permit | deny ... (Required.)
  • Page 368 Controlling Telnet using Source MAC: This configuration can be implemented by means of a Layer 2 ACL, which ranges from 4000 to 4999. For the definition of ACL, refer to the ACL part. Table 390 Control Telnet using Source MAC: Configuration Procedure / Command...
  • Page 369: Displaying And Debugging Qos Configuration

    Displaying and Debugging QoS Configuration: You can use the display command in any view to see the QoS operation and to check the status of the configuration. You can also clear the statistics information using the reset command in the Ethernet Interface View. Table 391 Displaying and Debugging QoS Configuration: Operation...
  • Page 370: Port Mirroring Configuration Example

    Networking Diagram: Figure 93 QoS Configuration Example (wage server 129.110.1.2 attached to the Switch on GE2/0/1; the Switch connects to another switch). Configuration Procedure: Only the commands concerning QoS/ACL configuration are listed here. 1 Define outbound traffic for the wage server. a Enter numbered advanced ACL view. [SW5500]acl number 3000 b Define the traffic-of-payserver rule in the advanced ACL 3000.
  • Page 371: Priority Relabeling Configuration Example

    (Network address 2.0.0.1/8 from the networking diagram.) Configuration Procedure: 1 Define the time range. Define the time range 8:00~18:00. [SW5500]time-range 3Com 8:00 to 18:00 daily 2 Define traffic rules for PC packets. a Enter the number-based basic ACL and select ACL 2000. [SW5500]acl number 2000 b Define traffic classification rules for PC1 packets.
  • Page 372: Qos Profile Configuration

    QoS Profile Configuration: When used together with the 802.1x authentication function, the QoS profile function can offer preconfigured QoS settings for a user (or a group of users) that passes authentication. When the user passes the 802.1x authentication, the Switch dynamically delivers the right profile to the port through which the user is accessed, after referring to the mapping between user names and profiles stored on the AAA server.
  • Page 373: Configuring Profile Application Mode

    QoS Profile Configuration 373 Perform the following configuration in System View. Table 393 Entering QoS Profile View: Operation / Command. Enter QoS profile view: qos-profile profile-name. Delete the QoS profile: undo qos-profile profile-name. You cannot delete a QoS profile which has been applied to a port. Adding/Removing Traffic Action to a QoS Profile: From the QoS Profile View, you can configure the QoS actions for the current QoS profile.
  • Page 374: Applying Qos Profile To The Port

    ■ Port-based mode: The Switch delivers the traffic actions in the QoS profile directly to the user port. Perform the following configuration in Ethernet Port View. Table 395 Configuring Profile Application Mode: Operation / Command. Configure the user-based mode on the port: qos-profile user-based. Restore the default (port-based) mode on the port: undo qos-profile profile_name...
  • Page 375 The user (with user name someone and authentication password hello) is accessed from the Ethernet1/0/1 port into the Switch. The user is assigned to the 3com163.net domain. The QoS profile example references the ACL, with bandwidth limited to 128 kbps and a new DSCP preference value of 46.
  • Page 376: Acl Control Configuration

    g Configure the QoS profile. [SW5500]qos-profile example [SW5500-qos-profile-example]traffic-limit inbound ip-group 3000 128 exceed drop [SW5500-qos-profile-example]traffic-priority inbound ip-group 3000 dscp 46 [SW5500-qos-profile-example]quit h Set user-based mode on the Ethernet1/0/1 port. [SW5500]interface ethernet1/0/1 [SW5500-Ethernet1/0/1]qos-profile user-based ACL Control Configuration: The Switch supports three major access modes: SNMP (Simple Network Management Protocol) access, Telnet access and HTTP (Hypertext Transfer Protocol) access.
  • Page 377: Importing Acl

    ACL Control Configuration 377 Importing ACL: You can import a defined ACL in User Interface View to achieve ACL control. Perform the following configurations respectively in System View and User Interface View. Table 400 Importing ACL: Operation / Command. Enter user interface view (System View): user-interface [ type ] first_number [ last_number ]...
  • Page 378 Importing ACL: Import the defined ACL into the commands with SNMP community, username and group name configured, to achieve ACL control over SNMP users. Perform the following configurations in System View. Table 401 Importing ACL: Operation / Command. Import the defined ACL into...
  • Page 379: Configuration Example

    [SW5500-acl-basic-2000]rule 1 permit source 10.110.100.52 0 [SW5500-acl-basic-2000]rule 2 permit source 10.110.100.46 0 [SW5500-acl-basic-2000]quit 2 Import the ACL. [SW5500]snmp-agent community read 3Com acl 2000 [SW5500]snmp-agent group v2c 3Comgroup acl 2000 [SW5500]snmp-agent usm-user v2c 3Comuser 3Comgroup acl 2000 Configuring ACL Control over HTTP Users: The Switch 5500 Family supports remote management through the Web interface.
  • Page 380: Configuration Example

    Table 402 Calling ACL to Control HTTP Users: Operation / Command. Call an ACL to control the WEB NM users: ip http acl acl_number. Cancel the ACL control function: undo ip http acl. For more about the commands, refer to the Command Reference Manual. Only the numbered basic ACL can be called for WEB NM user control.
  • Page 381: Configuration For

    RSPAN Features: Remote switched port analyzer (RSPAN) refers to remote port mirroring. It removes the limitation that the mirrored port and the mirroring port have to be located in the same switch, makes it possible for the mirrored and mirroring ports to be located across several devices in the network, and greatly enhances the way the network administrator can manage the switch.
  • Page 382: Configuration Prerequisite

    To implement the remote port management, a special VLAN, called the Remote-probe VLAN, needs to be defined in all three types of switches. All the mirrored packets will be forwarded to the destination switch from the source switch using this VLAN, and therefore the destination switch can monitor the port packets sent from the source switch.
  • Page 383: Configuration Procedures In The Source Switch

    RSPAN Features 383 Configuration Procedures in the Source Switch: Table 404 Configuration procedures in the source switch: Operation / Command / Description. Enter system view: system-view. Establish Remote-probe VLAN and enter VLAN view: vlan vlan-id (The parameter vlan-id represents the ID of the Remote-probe VLAN.) Define the current VLAN as remote-probe VLAN: remote-probe vlan enable (Required.)
  • Page 384: Configuration Procedures In The Source Switch

    Configuration Procedures in the Source Switch: Table 406 Configuration procedures in the source switch: Operation / Command / Description. Enter system view: system-view. Establish remote-probe VLAN and enter VLAN view: vlan vlan-id (The parameter vlan-id represents the ID of the remote-probe VLAN.)
  • Page 385 ■ Configure Switch C to be the source switch, Ethernet1/0/2 to be the source port of remote mirroring, and Ethernet1/0/5 to be the reflector port. Set Ethernet1/0/5 to be an Access port, with STP disabled. Network Diagram: Figure 102 Network diagram for RSPAN. Configuration Procedure: 1 Configure Switch C.
  • Page 386: Features Of Traffic Statistics

    ACL rules. For detailed configuration regarding traffic statistics, refer to the QoS/ACL part of the 3Com Switch 5500 Family Operation Manual. Improving the Depth First Order of ACL: The depth-first order of ACL matching can be configured by selecting the auto option while defining the ACL matching order.
  • Page 387: Displaying Information Of The Display Acl Command

    Displaying Information of the display acl command 387 ■ A fixed weighting value is deducted from the weighting value of each element of the rule. The rule with the smallest weighting value left has the highest priority. ■ If the number and type of elements are the same for all rules, then the rule with...
  • Page 388: The Synchronization Feature Of Queue Scheduling For Aggregation Ports

    The Synchronization Feature of Queue Scheduling for Aggregation Ports: This feature provides the synchronization function of queue scheduling on each individual port of the aggregation port group, as illustrated as follows: 1 The new feature supports the synchronization of queue scheduling within the aggregation port group.
  • Page 389: Controlling Telnet Using Source Ip

    Configuring Control Over Telnet 389 Controlling Telnet using Source IP: This configuration can be implemented by means of a basic ACL, which ranges from 2000 to 2999. Table 409 Control Telnet using source IP: Configuration Procedure / Command / Description. Enter system view: system-view...
  • Page 390: Controlling Telnet Using Source Mac

    Controlling Telnet using Source MAC: This configuration can be implemented by means of a Layer 2 ACL, which ranges from 4000 to 4999. For the definition of ACL, refer to the ACL part. Table 411 Control Telnet using Source MAC: Configuration Procedure / Command / Description...
  • Page 391: Configuration

    Supplicant (User): The devices at the user side such as computers need to be installed with the 802.1x client software, for example, the 802.1x client provided by 3Com (or by Microsoft Windows XP). The 802.1x Authentication Server system normally stays in the carrier's AAA center.
  • Page 392: Authentication Process

    Chapter 21: 802.1x Configuration. The Authenticator and Authentication Server exchange information through EAP (Extensible Authentication Protocol) frames. The user and the Authenticator exchange information through the EAPoL (Extensible Authentication Protocol over LANs) frame defined by IEEE 802.1x. Authentication data are encapsulated in the EAP frame, which is then encapsulated in the packets of other AAA upper layer protocols (for example, RADIUS) so as to traverse the complex network and reach the Authentication Server.
  • Page 393: Implementing 802.1X On The Switch

    Configuring 802.1x 393 Implementing 802.1x on the Switch: The Switch 5500 Family not only supports the port access authentication method regulated by 802.1x, but also extends and optimizes it in the following way: ■ Support for connecting several End Stations in the downstream using a physical port.
  • Page 394: Setting The Port Access Control Mode

    Setting the Port Access Control Mode: The following commands can be used for setting the 802.1x access control mode on the specified port. When no port is specified, the access control mode of all ports is configured. Perform the following configurations in System View or Ethernet Port View.
  • Page 395: Setting The User Number On A Port

    Setting the User Number on a Port: The following commands are used for setting the number of users allowed by 802.1x on a specified port. When no port is specified, all the ports accept the same number of users.
  • Page 396 The EAP-TLS mode authenticates supplicant systems by verifying the certificates of both the authentication server and the supplicant system, on both sides. In this mode, supplicant systems are authenticated by their certificates only, which are applied for from authentication servers. User name and password are not needed. Before the authentication, the supplicant system and the authentication server negotiate with each other using the TLS mechanism to agree on the way to encrypt the session, and then verify each other's certificates in the way just negotiated.
  • Page 397: Setting The Maximum Times Of Authentication Request Message Retransmission

    Network diagram: Figure 105 Network diagram for 802.1x PEAP configuration (Authentication Servers: RADIUS Server Cluster, IP Address: 10.11.1.1 and 10.11.1.2; Switch)...
  • Page 398: Configuring Timers

    Configuring Timers: The following commands are used for configuring the 802.1x timers. Perform the following configurations in System View. Table 421 Configuring Timers: Operation / Command. Configure timers: dot1x timer { handshake-period handshake-period-value | quiet-period quiet_period_value | tx-period tx_period_value | supp-timeout supp_timeout_value | server-timeout server_timeout_value }. Restore default...
  • Page 399: Enabling/Disabling A Quiet-Period Timer

    802.1x Client Version Checking Configuration 399 Enabling/Disabling a Quiet-Period Timer: You can use the following commands to enable/disable a quiet-period timer of an Authenticator (which can be a Switch 5500). If an 802.1x user has not passed the authentication, the Authenticator will keep quiet for a while (which is specified by command) before launching the authentication again.
  • Page 400: Configuring The Version Checking Timer

    the supplicant system. Such a process goes on until the maximum number of retries is reached. If the maximum number of retries is reached and the supplicant system still does not respond, the switch ceases checking the client version of the supplicant system and continues with the following authentication procedures.
  • Page 401: Guest Vlan Configuration

    When the Guest VLAN function is enabled: ■ The switch broadcasts active authentication packets to all 802.1x-enabled ports. ■ The switch adds the ports that do not return response packets to the Guest VLAN when the maximum number of authentication retries is reached. ■ Users belonging to the Guest VLAN can access the resources of the Guest VLAN...
  • Page 402: The 802.1X Trusted Mac Address Synchronization Function

    Configuration procedure: 1 Enter system view. <S5500> system-view 2 Create VLAN 2. [S5500] vlan 2 3 Enter Ethernet1/0/1 port view. [S5500] interface ethernet1/0/1 4 Configure the port to operate in port-based authentication mode. [S5500-Ethernet1/0/1] dot1x port-method portbased 5 Configure Guest VLAN for the port.
  • Page 403: Displaying And Debugging 802.1X

    IE proxies through messages after the supplicant system passes the authentication. This function needs the support of 3Com’s 802.1x client. As for the proxy detecting function, you need to enable this function on both the 802.1x client and CAMS. You also need to enable client version detecting on the switch (refer to the dot1x version-check command for more).
  • Page 404 A server group, consisting of two RADIUS servers at 10.11.1.1 and 10.11.1.2 respectively, is connected to the switch. The former acts as the primary authentication/secondary accounting server. The latter acts as the secondary authentication/primary accounting server. Set the encryption key as “name”...
  • Page 405: Centralized Mac Address Authentication

    Centralized MAC Address Authentication 405 6 Set the encryption key when the system exchanges packets with the authentication RADIUS server. [SW5500-radius-radius1]key authentication name 7 Set the encryption key when the system exchanges packets with the accounting RADIUS server. [SW5500-radius-radius1]key accounting money 8 Set the timeouts and times for the system to retransmit packets to the RADIUS server.
  • Page 406: Centralized Mac Address Authentication Configuration

    Centralized MAC Address Authentication Configuration: Centralized MAC address authentication configuration includes: ■ Enabling MAC address authentication both globally and on the port ■ Configuring the domain name used by the MAC address authentication user ■ Configuring centralized MAC address authentication timers ■...
  • Page 407: Configuring The User Name And Password For Fixed Mode

    Configuring the User Name and Password for Fixed Mode: If you configure the centralized MAC address authentication mode to be fixed mode, you need to configure the user name and password for fixed mode. Table 432 Configure the user name and password for fixed mode: Operation / Command / Description...
  • Page 408: Displaying And Debugging Centralized Mac Address Authentication

    Displaying and Debugging Centralized MAC Address Authentication: After the above configuration, perform the display command in any view to view the centralized MAC address authentication running state and check the configuration result. Perform the debugging command in User View to debug the centralized MAC address authentication.
  • Page 409: Aaa And Radius Protocol Configuration

    AAA and RADIUS Protocol Configuration 409 2 Add a local access user. a Set the user name and password. [SW5500]local-user 00e0fc010101 [SW5500-luser-00e0fc010101]password simple 00e0fc010101 b Set the service type of the user to lan-access. [SW5500-luser-00e0fc010101]service-type lan-access 3 Enable MAC address authentication globally. [SW5500]mac-authentication 4 Configure the ISP domain used by the user.
  • Page 410: Implementing Aaa/Radius On The Ethernet Switch

    returns the configuration information and accounting data to the NAS. Here, the NAS controls users and the corresponding connections, while the RADIUS protocol regulates how configuration and accounting information is transmitted between the NAS and RADIUS. The NAS and RADIUS exchange information with UDP packets. During the interaction, both sides encrypt the packets with keys before uploading user configuration information (for example, passwords) to avoid interception or theft.
  • Page 411: Creating/Deleting An Isp Domain

    Among the above configuration tasks, creating an ISP domain is compulsory, otherwise the user attributes cannot be distinguished. The other tasks are optional. You can configure them as required. Creating/Deleting an ISP Domain: What is an Internet Service Provider (ISP) domain? To make it simple, an ISP domain is a group of users belonging to the same ISP.
  • Page 412 ■ None: no authentication and accounting. Table 438 Configuring AAA Scheme Adopted by the ISP Domain: Operation / Command. Configure an AAA scheme for the domain: scheme { radius-scheme radius_scheme_name | local | none }. Configure a RADIUS scheme: radius-scheme radius_scheme_name. Restore the default AAA scheme.
  • Page 413: Aaa Separation

    AAA Separation 413 Enabling the Selection of the RADIUS Accounting Option: If no RADIUS server is available, or if the RADIUS accounting server fails when accounting optional is configured, the user can still use the network resource; otherwise, the user will be disconnected. The user configured with the accounting optional command in the RADIUS scheme will no longer send real-time accounting...
  • Page 414: Configuring Separate Aaa Schemes

    Configuring Separate AAA Schemes: Table 443 Configure separate AAA schemes: Operation / Command / Description. Enter system view: system-view. Create an ISP domain or enter an existing ISP domain view: domain isp-name (Required.) Configure an authentication scheme for the ISP domain: authentication { radius-scheme... (Optional.)
  • Page 415: Enabling/Disabling The Messenger Alert

    Network diagram: Figure 108 Network diagram for separate AAA schemes (Authentication Servers)...
  • Page 416: Configuring Self-Service Server Url

    ■ If the threshold is reached, the switch sends messages containing the user's remaining online time to the client at the interval you configured. ■ The client keeps the user informed of the updated remaining online time through...
  • Page 417: Dynamic Vlan Assignment

    Dynamic VLAN Assignment 417 Dynamic VLAN Assignment: Through dynamic VLAN assignment, the Ethernet switch dynamically adds the ports of successfully authenticated users to different VLANs depending on the attribute values assigned by the RADIUS server, so as to control the network resources the users can access.
  • Page 418: Creating A Local User

    Network diagram: Figure 109 Network diagram for dynamic VLAN assignment (RADIUS authentication servers, IP address: 1.11.1.1; Switch as Authenticator; port Ethernet0/1; Internet)...
  • Page 419: Setting Attributes Of The Local User

    Setting Attributes of the Local User: The attributes of a local user include its password display mode, state, service type and some other settings. Setting the Password Display Mode: Perform the following configurations in System View. Table 447 Setting the Password Display Mode of Local Users: Operation / Command...
  • Page 420: Disconnecting A User By Force

    However, the user-privilege level is a global value for all service types. Entering the following two commands will result in the user having a level of 3 for all service types, in this case both telnet and SSH: [5500-SI-luser-adminpwd]service-type telnet level 1 [5500-SI-luser-adminpwd]service-type ssh level 3 You can use either...
  • Page 421: Creating/Deleting A Radius Scheme

    Among the above tasks, creating the RADIUS scheme and setting the IP address of the RADIUS server are required, while the other tasks are optional and can be performed as per your requirements. Creating/Deleting a RADIUS Scheme: As mentioned above, RADIUS protocol configurations are performed on a per-RADIUS-scheme basis.
  • Page 422: Configuring Radius Accounting Servers And The Related Attributes

    The authorization information from the RADIUS server is sent to RADIUS clients in authentication response packets, so you do not need to specify a separate authorization server. In real networking environments, you may specify two RADIUS servers as primary and secondary authentication/authorization servers respectively, or specify one server to function as both.
  • Page 423 Setting the Maximum Number of Unanswered Real-time Accounting Requests. A RADIUS server usually checks whether a user is online with a timeout timer. If the RADIUS server has not received a real-time accounting packet from the NAS for a while, it considers that a device failure has occurred and stops accounting.
  • Page 424: User Re-Authentication At Reboot

    Table 455 Setting the Maximum Retransmission Count of Stop-Accounting Requests (Operation / Command): Set the maximum retransmission count of stop-accounting requests: retry stop-accounting retry_times; restore the maximum retransmission count of stop-accounting requests to the default value: undo retry stop-accounting. By default, the stop-accounting request can be retransmitted up to 500 times.
  • Page 425: Configuring User Re-Authentication At Reboot

    The switch can automatically generate the main attributes (NAS-ID, NAS-IP and session ID) of the Accounting-On packets. However, you can also manually configure the NAS-IP attribute with the nas-ip command. When doing this, be sure to configure a correct and valid IP address.
  • Page 426: Tag Vlan Assignment On Trunk/Hybrid Port Supported By 802.1X Authentication

    Portal, RADIUS 802.1x, and PPPoE. For the non-3Com client block function, you can limit its operation range to only 802.1x authentication, that is, allow the function to take effect only when the identifier authentication method attribute is 802.1x.
  • Page 427: Setting The Radius Server State

    By default, a newly created RADIUS scheme supports the server type standard, while the "system" RADIUS scheme created by the system supports the server type 3com. Setting the RADIUS Server State. For the primary and secondary servers (no matter if they are an...
  • Page 428: Setting The Unit Of Data Flow That Transmitted To The Radius Server

    By default, the IP address of the local RADIUS authentication server is 127.0.0.1 and the password is 3com. 1) When using the local RADIUS server function of 3Com, remember that the UDP port used for authentication is 1645 and the one used for accounting is 1646.
  • Page 429: Setting The Timers Of The Radius Server

    NAS and RADIUS that are required. When there are a large number of users (1000 or more), 3Com suggests a larger value. Table 468 gives the recommended ratio between the timer value (in minutes) and the number of users.
  • Page 430: Displaying And Debugging Aaa And Radius Protocol

    Configure the RADIUS Server Response Timer. If the NAS receives no response from the RADIUS server after sending a RADIUS request (authentication/authorization or accounting request) for a period of time, the NAS resends the request, thus ensuring the user can obtain the RADIUS service. You can specify this period by setting the RADIUS server response timeout timer, taking into consideration the network condition and the desired system performance.
  • Page 431: Aaa And Radius Protocol Configuration Example

    Table 470 Displaying and Debugging AAA and RADIUS Protocol (continued) (Operation / Command): Clear stop-accounting packets from the buffer: reset stop-accounting-buffer { radius-scheme radius_scheme_name | session-id session_id | time-range start_time stop_time | user-name user_name }; reset the statistics of the RADIUS server: reset radius statistics; enable RADIUS packet debugging: debugging radius packet...
  • Page 432: Networking Requirements

    Apply AAA authentication to Telnet users: [SW5500-ui-vty0-4]authentication-mode scheme. b Create a local user telnet: [SW5500]local-user telnet [SW5500-luser-telnet]service-type telnet [SW5500-luser-telnet]password simple 3com [SW5500-luser-telnet]attribute idle-cut 300 access-limit 5 [SW5500]domain system [SW5500-isp-system]scheme local. Telnet users use usernames in the "userid@system" format to log onto the network...
  • Page 433: Configuring The Switch 5500

    2 Method 2: Using the local RADIUS authentication server. The local server method is similar to remote RADIUS authentication, but you must change the server IP address to 127.0.0.1, the authentication password to 3com, and the UDP port number of the authentication server to 1645.
  • Page 434 And that completes the configuration of the new RADIUS server and its association with a domain. Network Login. Network login must first be enabled globally by issuing the dot1x command: [5500-xx]dot1x 802.1x is enabled globally (where xx is either EI or SI). Once enabled globally, network login needs to be enabled on a per-port basis.
  • Page 435: Aaa And Radius Protocol Fault Diagnosis And Troubleshooting

    Once the RADIUS scheme and domain have been set up (see Domain and RADIUS scheme creation), switch login is enabled. By default, when you use the username admin to log in, you are actually logging in as "admin@local".
  • Page 436: Problem Diagnosis

    RADIUS debugging, enter the command: ■ <5500-xx> debugging radius packet. 3Com-User-Access-Level: this determines the access level a user will have with Switch login. This can be administrator, manager, monitor or visitor. You may need to add the return list attributes to a dictionary file using the following...
  • Page 437: File System Management

    File System Management. This chapter covers the following topics: ■ File System Overview ■ File Attribute Configuration ■ Configuring File Management ■ Configuration File Backup and Restoration ■ FTP Overview ■ TFTP Overview ■ MAC Address Table Management ■ Device Management ■ System Maintenance and Debugging ■...
  • Page 438: Directory Operation

    Based on the objects operated on, the file system functions can be divided as follows: ■ Directory operation ■ File operation ■ Storage device operation ■ Setting the prompt mode of the file system. Directory Operation. You can use the file system to create or delete a directory, display the current working directory, and display information about the files or directories under a specified directory.
  • Page 439: File Attribute Configuration

    File Attribute Configuration. You can assign the main/backup attribute to a file so as to use this file as the main/backup startup file upon the next startup of the switch, check the main and backup files, and toggle between the main and backup attributes of a file. You can use an App, BootROM, or Web file on one unit in the fabric to update all other units in the fabric.
  • Page 440: File Operation

    File Operation. The file system can be used to delete or undelete a file and to permanently delete a file. It can also be used to display file contents, rename, copy and move a file, and display information about a specified file.
  • Page 441: Setting The Prompt Mode Of The File System

    Setting the Prompt Mode of the File System. The following command can be used to set the prompt mode of the current file system. Perform the following configuration in System View. Table 477 File System Operation (Operation / Command): Set the file system prompt mode.
  • Page 442: Saving The Current-Configuration

    The configuration files are displayed in their corresponding saved formats. Saving the Current-configuration. Use the save command to save the current-configuration in the Flash Memory; the saved configuration becomes the saved-configuration that is loaded the next time the system is powered on.
  • Page 443: Configuration File Backup And Restoration

    Configuration File Backup and Restoration. The configuration file backup and restoration feature enables you to perform the following tasks: 1 Copy the current configuration on the switch to a file on a TFTP server as a backup. 2 Download the configuration file backed up on the TFTP server to the switch, and set this file as the configuration file that will be used upon the next start.
  • Page 444: Enabling/Disabling Ftp Server

    Table 484 Configuration of the Switch as FTP Client (Device / Configuration / Default / Description): Switch: log into the remote FTP server directly with the ftp command. You first need to obtain the FTP user name and password, and then log into the remote FTP server.
  • Page 445: Configuring The Ftp Server Authentication And Authorization

    Table 487 Configure source IP address for FTP Server and Client (continued) (Operation / Command / Remarks): Use a specified source interface to establish a connection with an FTP server: ftp { cluster | remote-server } source-interface interface-type interface-number (Optional); Specify the source IP address for FTP: ftp source-ip ip-addr...
  • Page 446: Displaying And Debugging Ftp Server

    Displaying and Debugging FTP Server. After the above configuration, execute the display command in any view to display the running FTP server configuration and to verify the effect of the configuration. Table 490 Display and Debug FTP Server (Operation / Command): Display FTP server...
  • Page 447 Displaying the Source IP Address of the FTP Client. Use the display command in any view to display the source IP address of the FTP client for service packets. Table 493 Display the source IP address of the FTP Client (Operation / Command): Display the source IP address of the TFTP client...
  • Page 448: Ftp Server Configuration Example

    Password:***** 230 Logged in successfully [ftp] 3 Enter the authorized directory of the FTP server: [ftp]cd switch 4 Use the put command to upload config.cfg to the FTP server: [ftp]put config.cfg 5 Use the command to download switch.app from the FTP server to the flash directory on the FTP server.
  • Page 449: Tftp Overview

    3 Run the FTP client on the PC and establish an FTP connection. Upload switch.app to the Switch under the Flash directory and download config.cfg from the Switch. The FTP client is not shipped with the Switch, so you need to buy it separately. If the flash memory of the Switch is insufficient, you must first delete the existing programs in the flash memory and then upload the new ones.
  • Page 450: Downloading Files By Means Of Tftp

    Downloading Files by means of TFTP. To download a file, the client sends a request to the TFTP server, then receives data from it and sends acknowledgements to it. You can use the following commands to download files by means of TFTP.
  • Page 451: Mac Address Table Management

    3 Enter System View and download switch.app from the TFTP server to the flash memory of the Switch. <SW5500> system-view [SW5500] 4 Configure IP address 1.1.1.1 for the VLAN interface, and ensure the port connecting the PC is also in this VLAN (VLAN 1 in this example).
  • Page 452: Mac Address Table Configuration

    Figure 117 The Switch Forwards Packets with MAC Address Table (columns MAC Address / Port; entries MACA, MACB, MACC, MACD mapped to Port 1 and Port 2). The Switch also provides the function of MAC address aging. If the Switch receives no packet for a period of time, it will delete the related entry from the MAC address table.
  • Page 453 Setting MAC Address Aging Time. Setting an appropriate aging time implements MAC address aging. An aging time set too long or too short will cause the Ethernet switch to flood a large number of data packets, which affects the switch's performance. If the aging time is set too long, the Switch will store a great number of out-of-date MAC address table entries.
  • Page 454: Displaying Mac Address Table

    Displaying MAC Address Table. After the above configuration, execute the display command in any view to display the running MAC address table configuration and to verify the effect of the configuration. Execute the debugging command in User View to debug the MAC address table configuration.
  • Page 455: Mac Address Table Management Configuration Example

    Configuration procedure. The display command shows a stack-wide view of the MAC address table. [SW5500]display mac-address MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s) 00e0-fc00-3943 1 Learned Ethernet1/0/11 0000-0000-5100 1 Learned Ethernet2/0/22 0020-9c08-e774 1 Learned Ethernet2/0/7 0000-0000-5000 1 Learned Ethernet2/0/3 4 mac address(es) found...
  • Page 456: Device Management

    Device Management. With the device management function, the Switch can display the current running state and event debugging information about the unit, thereby supporting maintenance and management of the state and communication of the physical devices.
  • Page 457: Device Management Configuration Example

    Upgrading BootROM. You can use this command to upgrade the BootROM with the BootROM program in the Flash Memory. This configuration task facilitates remote upgrade: you can upload the BootROM program file from a remote end to the Switch using FTP and then use this command to upgrade the BootROM.
  • Page 458 Networking Diagram. Figure 120 Networking for FTP Configuration (Network, Switch). Configuration Procedure. 1 Configure the FTP server parameters on the PC: define a user named Switch, with a password and read and write authority over the Switch directory on the PC.
  • Page 459: System Maintenance And Debugging

    8 Use the boot boot-loader command to specify the downloaded program as the boot application at the next boot, then reboot the Switch. <SW5500> boot boot-loader switch.app <SW5500>display boot-loader The app to boot at the next time is: flash:/Switch.app The app to boot of board 0 at this time is: flash:/PLAT.APP <SW5500>...
  • Page 460: Basic System Configuration

    Basic System Configuration. Setting the System Name for the Switch. Perform the sysname command in System View. Table 508 Set the Name for the Switch (Operation / Command): Set the Switch system name: sysname sysname; restore the Switch system name to the default value: undo sysname...
  • Page 461: Terminating The Ftp Connection Of A Specified User

    Terminating the FTP Connection of a Specified User. By using the following command, the network administrator can forcibly terminate the FTP connection of a specified user on the FTP server, in order to secure the operation of the network.
  • Page 462: System Debugging

    Table 514 The Display Commands of the System (continued) (Operation / Command): Display the current-configuration: display current-configuration [ controller | interface interface-type [ interface-number ] | configuration [ configuration ] ] [ | { begin | exclude | include } regular-expression ]; Display the state of the ...: display debugging [ interface {...
  • Page 463 Table 515 Enable/Disable the Debugging (Operation / Command): Enable the protocol debugging: debugging { all [ timeout interval ] | module-name [ debugging-option ] }; Disable the protocol debugging: undo debugging { all | { protocol-name | function-name } [ debugging-option ] }; Enable the terminal debugging: terminal debugging...
  • Page 464: Testing Tools For Network Connection

    Testing Tools for Network Connection. This section describes the tools used to test network connections. ping: the ping command can be used to check the network connection and whether the host is reachable. Perform the following operation in any view. Table 517 The ping Command (Operation / Command)...
  • Page 465: Introduction To Remote-Ping

    The execution process of tracert is described as follows: send a packet with a TTL value of 1; the first hop sends back an ICMP error message indicating that the packet cannot be forwarded because the TTL has expired. Re-send the packet with a TTL value of 2 and the second hop returns the TTL timeout message.
  • Page 466: Remote-Ping Configuration

    Remote-ping Configuration. This section contains information on remote-ping. Introduction to Remote-ping Configuration. The configuration tasks for remote-ping include: ■ Enabling the remote-ping client ■ Creating a test group ■ Configuring test parameters. The test parameters that you can configure include: ■ Destination IP address...
  • Page 467: Configuration Example

    Table 519 Configure Remote-ping (continued) (Operation / Command / Description): Configure the test parameters: configure the destination IP address of the test: destination-ip ip-address (Required; by default, no destination IP address is configured); configure the type of the test: test-type type (Optional; a default test type applies).
  • Page 468: Logging Function

    5 Display the test results. [S5500-remote-ping-administrator-icmp] display remote-ping results administrator icmp [S5500-remote-ping-administrator-icmp] display remote-ping history administrator icmp Logging Function. This section contains information on the logging function. Introduction to the Info-center. The Info-center serves as the information center of the system software modules. The logging system is responsible for most of the information output, and it also classifies the information in detail so that it can be filtered efficiently.
  • Page 469 "yyyy" is the year field. If changed to boot format, the timestamp represents the milliseconds since system boot. Generally, the value is so large that two 32-bit integers are used, separated by a dot '.'. For example: <189>0.166970 SW5500 IFNET/6/UPDOWN:Line protocol on interface Ethernet1/0/2, changed state to UP...
  • Page 470 Table 520 Module Names in Logging Information (Module name / Description): IP module; inter-process communication module; IPMC: IP multicast module; L2INF: interface management module; LACL: LANswitch ACL module; LQOS: LANswitch QoS module; local server module; multicast port management module; network time protocol module; PPRDT: protocol packet redirection module...
  • Page 471: Info-Center Configuration

    Table 521 Info-Center-Defined Severity (Severity / Description): emergencies: extremely urgent errors; alerts: errors that need to be corrected immediately; critical: critical errors; errors: errors that need to be addressed but are not critical; warnings: warnings, there may be some types of errors; notifications: information that should be noted; informational...
  • Page 472 1 Sending the information to loghost. Table 523 Sending the Information to Loghost (Device / Configuration / Default Value / Configuration Description): Switch: enable info-center (by default, info-center is enabled; other configurations are valid only if the info-center is enabled); set the information output direction to the loghost (the configuration about the loghost on...
  • Page 473 3 Sending the Information to monitor terminal. Table 525 Sending the Information to Monitor Terminal (Device / Configuration / Default Value / Configuration Description): Switch: enable info-center (by default, info-center is enabled; other configurations are valid only if the info-center is enabled).
  • Page 474: Sending The Information To Loghost

    6 Sending the Information to SNMP. Table 528 Sending the Information to SNMP (Device / Configuration / Default value / Configuration description): Switch: enable info-center (by default, info-center is enabled; other configurations are valid only if the info-center is enabled).
  • Page 475 Table 530 Configuring to Output Information to Loghost (Operation / Command): Output information to loghost: info-center loghost host-ip-addr [ channel { channel-number | channel-name } ] [ facility local-number ] [ language { chinese | english } ]; Cancel the configuration of outputting information to loghost: undo info-center loghost host-ip-addr...
  • Page 476: Sending The Information To Control Terminal

    4 Configuring the loghost. The configuration on the loghost must match that on the Switch. For the related configuration, see the configuration examples later in this chapter. Setting the Format of Time Stamps to be Sent to the Log Host. Table 532 describes the detailed configuration tasks on the switch.
  • Page 477 Table 534 Configuring to Output Information to Control Terminal (Operation / Command): Output information to Console: info-center console channel { channel-number | channel-name }; Cancel the configuration of outputting information to Console: undo info-center console channel. 3 Configuring the information source on the Switch. With this configuration, you can define which modules generate the information sent to the control terminal, its information type, information level, and so on.
  • Page 478: Sending The Information To Telnet Terminal Or Dumb Terminal

    Perform the following operation in User View: Table 537 Enabling Terminal Display Function (Operation / Command): Enable the terminal display function for debugging information: terminal debugging; Disable the terminal display function for debugging information: undo terminal debugging; Enable the terminal display function for log information: terminal logging; Disable the terminal display function for log information: undo terminal logging...
  • Page 479 modu-name specifies the module name; default represents all the modules; level refers to the severity levels and specifies the severity level of information; information with a severity level below it will not be output. channel-number specifies the channel number and channel-name specifies the channel name.
  • Page 480: Sending The Information To The Log Buffer

    (Operation / Command): Disable the terminal display function for trap information: undo terminal trapping. Sending the Information to the Log Buffer. To send information to the log buffer, follow the steps below: 1 Enabling info-center. Perform the following operation in System View. Table 543 Enabling/Disabling Info-center (Operation / Command)...
  • Page 481: Sending The Information To The Trap Buffer

    If you want to view the debugging information of some modules on the Switch, you must select debugging as the information type when configuring the information source, and at the same time use the debugging command to turn on the debugging switch for those modules.
  • Page 482: Sending The Information To Snmp Network Management

    modu-name specifies the module name; default represents all the modules; level refers to the severity levels and specifies the severity level of information; information with a severity level below it will not be output. channel-number specifies the channel number and channel-name specifies the channel name.
  • Page 483 3 Configuring the information source on the Switch. With this configuration, you can define which modules generate the information sent to SNMP NM, its information type, information level, and so on. Perform the following operation in System View. Table 553 Defining Information Source (Operation / Command)...
  • Page 484 The Switch provides a command to turn the synchronization switch on or off on every Switch. If the synchronization switch of a Switch is turned off, it does not send information to other Switches but still receives information from them. 1 Enable info-center. Perform the following operation in System View.
  • Page 485: Configuring Synchronous Information Output Function

    Configuring Synchronous Information Output Function. The synchronous information output function works to prevent users' input from being interrupted by system output. While enabled, this function allows users to view their input so far after each system output; this avoids displaying commands on separate lines and increases system usability.
  • Page 486: Configuration Examples For Sending Log To Linux Loghost

    2 Configuration on the loghost. This configuration is performed on the loghost. The following example is performed on SunOS 4.0; the operation on Unix operating systems produced by other manufacturers is generally the same as on SunOS 4.0. a Perform the following command as the super user (root).
  • Page 487 Networking diagram. Figure 128 Schematic Diagram of Configuration (Network, Switch). Configuration Procedure. 1 Enabling info-center: [SW5500]info-center enable. Set the host with the IP address of 202.38.1.10 as the loghost;...
  • Page 488: Configuration Examples Of Sending Log To Control Terminal

    c After creating the log file and revising /etc/syslog.conf, you should view the process number of syslogd (the system daemon) with the following command, kill the syslogd daemon, and restart syslogd in daemon mode using the -r option.
  • Page 489: Rmon Configuration

    RMON Configuration. Remote Network Monitoring (RMON) is a type of IETF-defined MIB. It is the most important enhancement to the MIB II standard. It is mainly used for monitoring the data traffic on a segment and even on a whole network. It is one of the most widely used network management standards.
  • Page 490 You can use the following commands to add/delete an entry to/from the alarm table. Perform the following configuration in System View. Table 558 Add/Delete an Entry to/from the Alarm Table (Operation / Command): Add an entry to the alarm table: rmon alarm entry-number alarm-variable sampling-time { delta | absolute } rising-threshold threshold-value1...
  • Page 491: Displaying And Debugging Rmon

    Table 561 Add/Delete an Entry to/from the Extended RMON Alarm Table (Operation / Command): Add an entry to the extended RMON alarm table: rmon prialarm entry-number alarm-var [ alarm-des ] sampling-timer { delta | absolute | changeratio } rising-threshold threshold-value1 event-entry1 falling-threshold threshold-value2 event-entry2 entrytype { forever | cycle...
  • Page 492: Rmon Configuration Example

    1 Configure RMON. [SW5500-Ethernet1/0/1]rmon statistics 1 owner 3com-rmon 2 View the configurations in User View. <SW5500> display rmon statistics Ethernet 1/0/1 Statistics entry 1 owned by 3com-rmon is VALID. Gathers statistics of interface Ethernet1/0/1. Received: octets : 270149,packets : 1954...
  • Page 493 ■ Record for an application when a user logs in to a system, a file is modified, or... Basic Operating Principle of NTP. Figure 131 illustrates the basic operating principle of NTP: Figure 131 Basic Operating Principle of NTP (NTP message packet)...
  • Page 494: Ntp Configuration

    In this way, Switch A uses the above information to set the local clock and synchronize it with the clock on Switch B. The operating principle of NTP is briefly introduced above. For more information, refer to RFC1305.
  • Page 495 Table 563 Configure NTP Time Server (Operation / Command): Configure NTP time server: ntp-service unicast-server ip-address [ version number ] [ authentication-keyid keyid ] [ source-interface { interface-name | interface-type interface-number } ] [ priority ]; Cancel NTP server mode: undo ntp-service unicast-server ip-address. The NTP version number ranges from 1 to 3 and defaults to 3;...
  • Page 496 Configuring NTP Broadcast Client Mode. Designate an interface on the local Switch to receive NTP broadcast messages and operate in broadcast client mode. The local Switch listens to the broadcast from the server. When it receives the first broadcast packets, it starts a brief client/server exchange of messages with the remote server to estimate the network delay.
  • Page 497 The multicast IP address ip-address defaults to 224.0.1.1. This command can only be configured on the interface where the NTP multicast packets will be received. Configuring NTP ID Authentication. Enable NTP authentication, set the MD5 authentication key, and specify the reliable key. A client will synchronize itself to a server only if the server can provide a reliable key.
  • Page 498 (Operation / Command): Cancel the interface used to transmit NTP messages: undo ntp-service source-interface. An interface is specified by interface-name or interface-type interface-number. The source address of the packets will be taken from the IP address of the interface. If the ntp-service unicast-server or ntp-service unicast-peer command also...
  • Page 499: Displaying And Debugging Ntp

    Setting Maximum Local Sessions. This configuration task sets the maximum number of local sessions. Perform the following configurations in System View. Table 575 Set the Maximum Local Sessions (Operation / Command): Set the maximum local sessions: ntp-service max-dynamic-sessions number; Restore the maximum number of ...: undo ntp-service max-dynamic-sessions...
  • Page 500 Networking Diagram. Figure 132 Typical NTP Configuration Networking Diagram (Switch 0 to Switch 5, also labelled Quidway0 to Quidway5, each with a Vlan-interface2; addresses shown: 1.0.1.11, 1.0.1.12, 1.0.1.2, 3.0.1.2, 3.0.1.31, 3.0.1.32, 3.0.1.33)...
  • Page 501: Ntp Peer Configuration

    After the synchronization, Switch 2 turns into the following status: [switch2]display ntp-service status clock status: synchronized clock stratum: 8 reference clock ID: 1.0.1.11 nominal frequency: 100.0000 Hz actual frequency: 100.0000 Hz clock precision: 2^17 clock offset: 0.0000 ms root delay: 0.00 ms root dispersion: 10.94 ms peer dispersion: 10.00 ms...
  • Page 502: Configure Ntp Broadcast Mode

    3 Configure Switch 5 (Switch 4 has been synchronized by Switch 3): a Enter System View. <switch5> system-view b After performing local synchronization, set Switch 4 as a peer. [switch5]ntp-service unicast-peer 3.0.1.32 The above examples configure Switch 4 and Switch 5 as peers, with Switch 5 in active peer mode and Switch 4 in passive peer mode.
  • Page 503 c Enter Vlan-interface2 view. [switch3]interface vlan-interface 2 d Set it as broadcast server. [switch3-Vlan-Interface2]ntp-service broadcast-server 2 Configure Switch 4: a Enter System View. <switch4> system-view b Enter Vlan-interface2 view. [switch4]interface vlan-interface 2 [switch4-Vlan-Interface2]ntp-service broadcast-client 3 Configure Switch 1: a Enter System View.
  • Page 504: Configure Ntp Multicast Mode

    Configure NTP Multicast Mode. Network Requirements. Switch 3 sets the local clock as the master clock at stratum 2 and multicasts packets from Vlan-interface2. Set Switch 4 and Switch 1 to receive multicast messages on their respective Vlan-interface2.
  • Page 505: Configure Authentication-Enabled Ntp Server Mode

    Configure Authentication-enabled NTP Server Mode. Network Requirements: Switch 1 sets the local clock as the NTP master clock at stratum 2. Switch 2 sets Switch 1 as its time server in server mode and itself in client mode and enables authentication.
  • Page 506: Ssh Terminal Services

    SSH Terminal Services: Secure Shell (SSH) provides information security and strong authentication to prevent attacks such as IP address spoofing and plain-text password interception when users log on to the Switch remotely from an insecure network environment. A Switch can connect to multiple SSH clients.
  • Page 507: Configuring Ssh Server

    SSH Terminal Services 507 way: The RSA public key of the client user is configured at the server. The client first sends the member modules of its RSA public key to the server, which checks its validity. If it is valid, the server generates a random number, which is sent to the client after being encrypted with RSA public key.
  • Page 508 Configuring and Canceling Local RSA Key Pair: If an RSA host key pair has already been configured when you execute this command, the system gives an alarm and prompts that the existing key pair will be replaced.
  • Page 509 Defining SSH Authentication Retry Value: Setting the SSH authentication retry value effectively limits malicious login attempts. Perform the following configurations in System View. Table 582 Defining SSH Authentication Retry Value (Operation / Command): Define SSH authentication retry value / ssh server authentication-retries times; Restore the default retry value / undo ssh server authentication-retries. By default, the retry value is 3.
  • Page 510: Configuring Ssh Client

    Configuring SSH Client: There are several types of SSH client software, such as PuTTY and FreeBSD. You should first configure the client’s connection with the server. The basic configuration tasks on the client include: ■ Specifying server IP address...
  • Page 511 Figure 137 SSH key convert. Use the save button to save this converted key to a file. Open the public key file in Notepad and insert the following lines of text before the existing text: rsa peer-public-key mykey public-key-code begin where mykey is a name used to identify the key within the switch; you may choose...
  • Page 512 Figure 138 Text file of myKey. Save this to a file ending with a ".bat" extension, e.g. "keys.bat". This file can be transferred to the switch using FTP or TFTP. The key is installed using the execute command in the System view: [SW5500]execute keys.bat Specifying Server IP Address: Start the PuTTY program and the client configuration interface pops up.
  • Page 513 In the Host Name (or IP address) text box, key in the IP address of the Switch, for example 10.110.28.10. You can also input the IP address of an interface in UP state, but its route to the SSH client PC must be reachable. Selecting SSH Protocol: Select SSH for the Protocol item.
  • Page 514 Figure 141 SSH client configuration interface (3). Click Browse to enter the File Select interface. Choose a desired file and click OK. Opening SSH Connection: Click Open to enter the SSH client interface. If it runs normally, you are prompted to enter username and password.
  • Page 515: Ssh Configuration Example

    [SW5500]user-interface vty 0 4 [SW5500-ui-vty0-4]authentication-mode scheme [SW5500-ui-vty0-4]protocol inbound ssh [SW5500]local-user client001 [SW5500-luser-client001]password simple 3com [SW5500-luser-client001]service-type ssh [SW5500]ssh user client001 authentication-type password Select the default values for SSH authentication timeout value, retry value and update interval of server key. Then run SSH1.5 client program on the PC which is connected to the Switch and access the Switch using username “client001”...
  • Page 516: File System Configuration

    [SW5500-luser-client002]service-type ssh 4 Specify AAA authentication on the user interface. [SW5500]user-interface vty 0 4 [SW5500-ui-vty0-4]authentication-mode scheme 5 Select SSH protocol on the Switch. [SW5500-ui-vty0-4]protocol inbound ssh 6 Specify RSA authentication on the Switch. [SW5500]ssh user client002 authentication-type RSA 7 Configure RSA key pair on the Switch.
  • Page 517: File System Configuration

    File System Configuration: Perform the following file system configuration in user view. Table 585 Configure the file system (Operation / Command / Description): Delete file(s) / delete [ /unreserved ] file-url, delete { running-files | standby-files } [ /fabric ] [ ... / Optional. You can use the undelete command to restore the files which are deleted by using...
  • Page 518: Ftp Lighting Configuration

    To ensure that the switch can use the current configurations after it restarts, it is recommended that you save the current configurations with the save command before restarting the switch. If multiple switches compose one fabric, executing the save command makes each unit in the fabric save its own startup configuration file. FTP Lighting: This section contains configuration information for FTP Lighting.
  • Page 519 FTP Lighting Configuration: Enabling FTP Server on Switch. After the FTP server is enabled on a SWITCH 5500 switch, the seven-segment digital LED on the front panel of the switch rotates clockwise while an FTP client is uploading a file to the FTP server (the SWITCH 5500 switch), and stops rotating when the file upload is finished, as shown in Figure 145.
  • Page 520: Tftp Lighting Configuration

    Enabling FTP Client on the Switch: After the FTP client is enabled on a SWITCH 5500 switch, the seven-segment digital LED on the front panel of the switch rotates clockwise while the FTP client (the SWITCH 5500 switch) is downloading a file from an FTP server, and stops rotating when the file download is finished, as shown in Figure 145.
  • Page 521: Tftp Lighting Procedure

    TFTP Lighting Configuration: The switch can only act as a TFTP client. Figure 146 Network diagram for TFTP configuration (network and switches). TFTP Lighting Procedure: The TFTP server and the TFTP client must be reachable to each other for the TFTP function to operate normally.
  • Page 523: Introduction To The Port Tracking Function

    Port Tracking Configuration. Introduction to the Port Tracking Function: With the port tracking function enabled, you can track the link state of the master’s uplink port and decrease the priority of the switch when the port fails. This in turn triggers the election of a new master in the backup group. Port Tracking: This section contains configuration information for Port Tracking.
  • Page 524 Chapter 23: Port Tracking Configuration. Network diagram: Figure 147 Network diagram for port tracking configuration (Master and Backup switches with actual IP addresses 10.100.10.2 and 10.100.10.3, virtual IP address 10.100.10.1, connected to the network over Ethernet)...
  • Page 525: Introduction To Dynamically Apply Acl By Radius Server

    Dynamically Apply ACL by RADIUS Server Configuration. Introduction to Dynamically Apply ACL by RADIUS Server: The switch can dynamically provide pre-defined ACL rules for one authenticated user or one group of authenticated users by combining the Dynamically Apply ACL by RADIUS Server function with 802.1x authentication. After you have passed 802.1x authentication, the switch dynamically issues the corresponding ACLs to your login port according to the mapping between the user name and the ACL configured on the RADIUS server.
  • Page 526: Network Requirements

    Chapter 24: Dynamically Apply ACL by RADIUS Server Configuration. Configuration Example: This section contains a configuration example. Network requirements: The switch implements the Dynamically Apply ACL by RADIUS Server function for the access users. The IP address of the VLAN interface, which connects the switch and the RADIUS Server, is 10.153.1.1.
  • Page 527: Configuration Procedure

    Configuration Example: Configuration procedure. Configuration on the RADIUS server: 1 Click User/Manage Users. See Figure 150. Figure 150 The first step 2 Create a new user, then on the General Attributes page input the password of the user and set the "Account Expiration Date" to Dec-31-2049. See Figure 151.
  • Page 528 Figure 152 The third step 4 Click Options/Encryption Keys and set the encryption key. See Figure 153. Figure 153 The fourth step 5 Input the NAS IP and the encryption key. See Figure 154.
  • Page 529: Configuration On The Switch

    Figure 154 The fifth step. Configuration on the switch: 1 Enable 802.1x. <S5500> system-view [S5500] dot1x [S5500] dot1x interface ethernet 1/0/1 2 Configure the IP address information for the RADIUS server. [S5500] radius scheme radius1 [S5500-radius-radius1] primary authentication 10.153.1.2 1645 [S5500-radius-radius1] primary accounting 10.153.1.2 1646 3 Set the encryption passwords for the switch to exchange packets with the authentication RADIUS servers and accounting RADIUS servers.
  • Page 530 On Unit 1:Total 1 connections matched, 1 listed. Total 1 connections matched, 1 listed. [S5500] display connection ucibindex 28 ------------------------Unit 1------------------------ Index=28 , Username=test@test163.net MAC=000a-eb7e-d28e , IP=10.153.1.9 Access=8021X ,Auth=CHAP ,Port=Ether ,Port NO=0x10001001 Initial VLAN=1, Authorization VLAN=1 ACL Group=3000 CAR=Disable...
  • Page 531: Introduction To The Auto Detect Function

    Auto Detect Configuration. Introduction to the Auto Detect Function: The auto detect function uses ICMP request/reply packets to test the connectivity of a network regularly. The auto detect function is carried out through detecting groups. A detecting group comprises a group of IP addresses to be detected. You can examine the connectivity of a network by checking the results of detecting groups, which in turn enables you to locate network problems in time and take proper measures.
  • Page 532: Auto Detect Implementation

    Chapter 25: Auto Detect Configuration. Network diagram: Figure 155 Network diagram for auto detect configuration (addresses 192.168.1.2/24 and 10.1.1.3/24)...
  • Page 533: Auto Detect Implementation In Static Routing

    Auto Detect Implementation in Static Routing 533 You can utilize a single detecting group simultaneously in multiple implementations mentioned above. Refer to the Routing Protocol part in Switch 5500 Series Switch Operation Manual for information about static routing. Refer to the Reliability part in Switch 5500 Series Switch Operation Manual for information about VRRP.
  • Page 534: Auto Detect Implementation In Vrrp

    Configuration procedure: Configure Switch A. <S5500 A> system-view [S5500 A] detect-group 8 [S5500 A-detect-group-8] detect-list 1 ip address 10.1.1.4 nexthop 192.168.1.2 [S5500 A] ip route-static 10.1.1.4 24 192.168.1.2 detect-group 8 Auto Detect Implementation in VRRP: You can control the preferences of VRRP backup groups according to auto detect results to enable automatic switching between the master and the backup switch as...
  • Page 535 Auto Detect Implementation in VRRP: Network diagram: Figure 157 Network diagram for VRRP (VLAN 1, addresses 192.168.1.2/24 and 10.1.1.3)...
  • Page 536: Auto Detect Implementation In Vlan Interface Backup

    c Set the backup group preference value of Switch D to 100. [S5500 D-vlan-interface1] vrrp vrid 1 priority 100 Auto Detect Implementation in VLAN Interface Backup: The interface backup function is used to back up VLAN interfaces by using the auto detect function.
  • Page 537 Auto Detect Implementation in VLAN Interface Backup: Network diagram: Figure 158 Network diagram for VLAN interface backup (address 192.168.1.2)...
  • Page 538 g Add the IP address 10.1.1.4 to detecting group 10 to detect the reachability of the IP address, with 192.168.1.2 as the next hop, and set the detecting number to 1. [S5500 A-detect-group-10] detect-list 1 ip address 10.1.1.4 nexthop 192.168.1.2 [S5500 A-detect-group-10] quit...
  • Page 539: Stp Overview

    RSTP Configuration. This chapter covers the following topics: ■ STP Overview ■ RSTP Configuration ■ RSTP Configuration Example. STP Overview: Spanning Tree Protocol (STP) is applied in looped networks to block certain redundant paths using defined algorithms and prune the network into a loop-free tree, thereby preventing the proliferation and infinite cycling of packets in the looped network.
  • Page 540 Chapter 26: RSTP Configuration. For a Switch, the designated bridge is a Switch in charge of forwarding BPDUs to the local Switch using a port called the designated port. For a LAN, the designated bridge is a Switch that is in charge of forwarding BPDUs to the network segment using a port called the designated port.
  • Page 541 STP Overview 541 2 Select the optimum configuration BPDU Every Switch transmits its configuration BPDU to others. When a port receives a configuration BPDU with a lower priority than that of its own, it will discard the message and keep the local BPDU unchanged. When a higher-priority configuration BPDU is received, the local BPDU is updated.
  • Page 542 Switch B compares the configuration BPDUs of the ports and selects the BP1 BPDU as the optimum one. Thus BP1 is elected as the root port and the configuration BPDUs of Switch B ports are updated as follows. The configuration BPDU of the root port BP1 remains {0, 0, 0, BP1}.
  • Page 543: Configuration Bpdu Forwarding Mechanism In Stp

    For ease of description, the example has been simplified. For example, the root ID and the designated bridge ID in actual calculation comprise both Switch priority and Switch MAC address. The designated port ID comprises port priority and port MAC address.
  • Page 544: Rstp Configuration

    In a Switch equipped with the XRN feature, RSTP has the following characteristics: 1) Processing the whole Fabric as a node; 2) Participation of all ports except those used as Fabric ports in role selection; 3) A single root port and bridge id for the whole Fabric;...
  • Page 545 Table 595 RSTP Configuration (continued) (Device Configuration / Default Value / Note): Specify a Switch as the root or backup root / The role of the current Switch as the root or backup root bridge / A Switch can be made the root bridge by setting its Bridge preference to 0...
  • Page 546 Table 595 RSTP Configuration (continued) (Device Configuration / Default Value / Note): Configure the timeout time factor of a Switch / The Switch, if it has not received any Hello packet from the ... / In a stable network, it is recommended to set the timeout time factor to 5, 6, or 7. Then the Switch will not consider the...
  • Page 547: Enable/Disable Rstp On A Switch

    Table 595 RSTP Configuration (continued) (Device Configuration / Default Value / Note): Specify the maximum transmission ... / No Ethernet port can send more than 3 STP packets within one Hello Time / The more STP packets a port sends within one Hello Time, the more resources are consumed.
  • Page 548: Configure Rstp Operating Mode

    Perform the following configurations in Ethernet Port View. Table 597 Enable/Disable RSTP on a Port (Operation / Command): Enable RSTP on a specified port / stp enable; Disable RSTP on a specified port / stp disable. Note that a redundant route may be created after RSTP is disabled on the Ethernet port.
  • Page 549: Set Priority Of A Specified Bridge

    Set Priority of a Specified Bridge: Whether a bridge can be selected as the “root” of the spanning tree depends on its priority. By assigning a lower priority value, a bridge can be deliberately designated as the root of the spanning tree.
  • Page 550: Set Forward Delay Of A Specified Bridge

    By default, a Switch is neither the primary root nor the secondary root of the spanning tree. Set Forward Delay of a Specified Bridge: Link failure causes recalculation of the spanning tree and changes its structure. However, the newly calculated configuration BPDU cannot be propagated throughout the network immediately.
  • Page 551: Set Timeout Factor Of The Bridge

    Table 604 Set Max Age of the Specified Bridge (Operation / Command): Set Max Age of the specified bridge / stp timer max-age centiseconds; Restore the default Max Age of the specified bridge / undo stp timer max-age. If the Max Age is too short, the spanning tree is recalculated frequently or network congestion may be misjudged as a link fault.
  • Page 552: Set Specified Port To Be An Edgeport

    By default, an Ethernet port can transmit at most 3 STP packets within one Hello Time. Set Specified Port to be an EdgePort: An EdgePort is not connected to any Switch, directly or indirectly, through the connected network.
  • Page 553: Set The Priority Of A Specified Port

    Specify the standard to be followed in Path Cost calculation. The following two standards are currently available on the Switch: ■ dot1d-1998: The Switch calculates the default Path Cost of a port by the IEEE 802.1D-1998 standard. ■ dot1t: The Switch calculates the default Path Cost of a port by the IEEE 802.1t...
  • Page 554: Set Mcheck Of The Specified Port

    Table 611 Configure a Specified Port to be Connected to a Point-to-Point Link (Operation / Command): Configure a specified port to be connected to a point-to-point link / stp point-to-point force-true; Configure a specified port not to be connected to a point-to-point link / stp point-to-point force-false...
  • Page 555 causes the network topology to reconfigure and may cause links to change state. In normal cases, these ports will not receive STP BPDUs. If someone forges a BPDU to attack the Switch, the network topology reconfigures. The BPDU protection function is used to guard against such network attacks.
  • Page 556: Display And Debug Rstp

    For detailed information about the configuration commands, refer to the Command Manual. Display and Debug RSTP: After the above configuration, execute the display command in all views to display the running RSTP configuration and verify the effect of the configuration. Execute the command in User View to clear the statistics of the RSTP module.
  • Page 557 RSTP Configuration Example: Configuration Procedure 1 Configure Switch A a Enable RSTP globally. [SW5500]stp enable b RSTP is enabled on all ports by default once global RSTP is enabled. You can disable RSTP on those ports that are not involved in the RSTP calculation; however, be careful not to disable those that are involved.
  • Page 558 b RSTP is enabled on all ports by default once global RSTP is enabled. You can disable RSTP on those ports that are not involved in the RSTP calculation; however, be careful not to disable those that are involved. (The following configuration takes Ethernet 1/0/4 as an example.) [SW5500]interface Ethernet 1/0/4 [SW5500-Ethernet1/0/4]stp disable...
  • Page 559: Poe Profile Configuration

    PoE Profile: On a large network or a network with mobile users, to help network administrators monitor the PoE features of the switch, the 3Com Switch 5500 Family provides PoE Profile features. Features of PoE Profile: ■ Various PoE Profiles can be created. PoE policy configurations applicable to...
  • Page 560: Poe Profile Configuration Example

    Chapter 27: PoE Profile Configuration. Table 615 PoE Profile Configuration (continued) (Operation / Command / Description): Display detailed configuration information on the existing PoE Profile / display poe-profile { all-profile | interface interface-type interface-number | name ... / You can use the display command under any view.
  • Page 561: Configuration Procedures

    PoE Profile Configuration: Figure 164 PoE Profile application (S3928P-PWR switch connected to the network, with IP phones on Ethernet1/0/1~Ethernet1/0/5 and Ethernet1/0/6~Ethernet1/0/10). Configuration procedures: 1 Create Profile 1, and enter PoE Profile view. <S5500>...
  • Page 562 7 Apply the configured Profile 1 to Ethernet1/0/1 through Ethernet1/0/5 ports. [S5500] apply poe-profile profile1 interface ethernet1/0/1 to ethernet1/0/5 8 Apply the configured Profile 2 to Ethernet1/0/6 through Ethernet1/0/10 ports. [S5500] apply poe-profile profile2 interface ethernet1/0/6 to ethernet1/0/10...
  • Page 563: Snmp Configuration Introduction

    SNMP Configuration. SNMP Configuration Introduction: The Simple Network Management Protocol (SNMP) is the most widely used management protocol in computer networks. SNMP has been put into practical use and is widely accepted as an industry standard. It is used to ensure the transmission of management information between any two nodes.
  • Page 564 Chapter 28: SNMP Configuration. The current SNMP Agent of the Switch supports SNMP V1, V2C and V3. The MIBs supported are listed in Table 616. Table 616 MIBs Supported by the Switch (Sheet 1 of 2) (MIB attribute / MIB content / References): Public MIB / MIB II based on TCP/IP network device...
  • Page 565: Configure Snmp

    SNMP Configuration Introduction: Table 616 MIBs Supported by the Switch (Sheet 2 of 2) (MIB attribute / MIB content / References): Private MIB / Configuration Management MIB, Flash Management MIB, System Management MIB, MIBs for LGMP Snooping, MIBs for DHCP Client, MIBs for DHCP Relay, MIBs for DHCP Server, MIBs for MSTP, Entity Environment MIB...
  • Page 566: Enabling/Disabling Snmp Agent To Send Trap

    Setting Community Name: SNMP V1 and SNMP V2C adopt the community name authentication scheme. An SNMP message that does not match a community name accepted by the device is discarded. An SNMP community is named with a character string, which is called the Community Name.
  • Page 567: Setting Lifetime Of Trap Message

    Setting Lifetime of Trap Message: You can use the following command to set the lifetime of a Trap message. A Trap message that exists longer than the set lifetime will be dropped. Perform the following configuration in System View. Table 620 Set the Lifetime of Trap Message (Operation / Command)...
  • Page 568: Setting The Source Address Of Trap

    Table 623 Set/Delete an SNMP Group (Operation / Command): Setting an SNMP group / snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-list ]; snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl...
  • Page 569: Enabling/Disabling A Port Transmitting Trap Information Snmp Agent

    Table 627 Set the Size of SNMP Packet sent/received by an Agent (Operation / Command): Set the size of SNMP packet sent/received by an agent / snmp-agent packet max-size byte-count; Restore the default size of SNMP packet sent/received by an agent / undo snmp-agent packet max-size. The agent can receive/send SNMP packets of sizes ranging from 484 to 17940 bytes.
  • Page 570: Displaying And Debugging Snmp

    Displaying and Debugging SNMP: After the above configuration, execute the display command in all views to display the running SNMP configuration and verify the effect of the configuration. Execute the debugging command in User View to debug the SNMP configuration. Table 631 Display and Debug SNMP (Operation / Command)...
  • Page 571: Reading Usmusr Table Configuration Example

    [SW5500]snmp-agent target-host trap address udp-domain 129.102.149.23 udp-port 5000 params securityname public Configure Network Management System The Switch supports 3Com Network Director. Users can query and configure the Switch through the network management system. For more information, refer to the network management user documentation.
  • Page 572 Networking diagram: Figure 167 SNMP configuration example (Switch 129.102.0.1 and network management station 129.102.149.23 on Ethernet). Configuration procedure: [SW5500]snmp-agent community read public [SW5500]snmp-agent community write private [SW5500]snmp-agent sys-info version all [SW5500]snmp-agent group v3 sdsdsd [SW5500]snmp-agent usm-user v3 paul sdsdsd authentication-mode md5 hello [SW5500]snmp-agent mib-view included ViewDefault snmpUsmMIB [SW5500]snmp-agent mib-view included ViewDefault snmpVacmMIB...
  • Page 573: Configuring Source Ip Address For Service Packets

    Source IP Address Configuration. Configuring Source IP Address for Service Packets: You can configure a source IP address or source interface for the FTP server, FTP client, TFTP client, Telnet server, Telnet client, SSH server, SSH2 client and SFTP client to enhance service manageability.
  • Page 574: Displaying The Source Ip Address Configuration

    Chapter 29: Source IP Address Configuration. Table 632 Configure source IP address for service packets (continued) (Operation / Command / Remarks): Specify source IP address for the SFTP client / sftp source-ip ip-addr / Optional; Specify source interface for the SFTP client / sftp source-interface interface-type interface-number / Optional...
  • Page 575: Introduction To Password Control Configuration

    Password Control Configuration Operations. Introduction to Password Control Configuration: The password control feature is designed to manage the following passwords: ■ Telnet passwords: passwords for logging into the switch through Telnet. ■ SSH passwords: passwords for logging into the switch through SSH...
  • Page 576: Password Control Configuration

    Chapter 30: Password Control Configuration Operations. Table 634 Functions provided by password control (continued) (Function / Description / Application): Login attempt limitation and ... / You can use this function to enable the switch to limit the number of login attempts allowed for each user. / Telnet, SSH, and FTP passwords: the...
  • Page 577: Configuring Password Aging

    Password Control Configuration: ... length limitation, the configured minimum password length (if available); the enable/disable state of history password recording, the maximum number of history password records, the time when the password history was last cleared; the timeout time for password authentication; the maximum number of attempts, and the processing mode for login attempt failures.
  • Page 578: Configuring The Limitation Of Minimum Password Length

    After password aging is enabled, the device decides whether the user password has aged out when a user logging into the system undergoes password authentication. There are three cases: 1 The password has not expired. The user logs in before the configured alert time. In this case, the user logs in successfully.
  • Page 579: Configuring History Password Recording

    Configuring History Password Recording: With this function enabled, when a login password expires, the system requires the user to input a new password and saves the old password automatically. You can configure the maximum number of history records allowed for each user. The purpose is to prevent users from keeping a single password, or reusing an old password, for a long time, which enhances security.
  • Page 580: Configuring A User Login Password In Encryption Mode

    Configuring a User Login Password in Encryption Mode: Table 639 Configuring a user login password in encryption mode (Operation / Command / Description): Enter system view / system-view / —; Enter the specified user view / local-user username / —; Configure a user login password...
  • Page 581: Configuring The Timeout Time For Users To Be Authenticated

    AAA configuration. For more details, see the Security Part of the 3Com SWITCH 5500 Series Ethernet Switches Operation Manual. If password authentication is not completed before the authentication timeout expires, the authentication fails, and the system terminates the connection and logs the event.
  • Page 582: Password Control Configuration Example

    Password Control Configuration Example. Network requirements: A PC is connected to the switch to be configured. You can configure the password control parameters as required. Network diagram: Figure 168 Network diagram for password control configuration (PC connected to the switch over the console port)...
  • Page 583 7 Display the information about the password control for all users. S5500[S5500] display password-control Global password settings for all users: Password Aging: Enabled (90 days) Password Length: Enabled (10 Characters) Password History: Enabled (Max history-record num : 6) Password alert-before-expire: days...
  • Page 585: Introduction To Msdp

    MSDP Configuration. Among Switch 5500 Series Ethernet Switches, only Switch 5500-EI Series Ethernet Switches support the configurations described in this chapter. Routers and router icons in this chapter represent both routers in the common sense and Ethernet switches running routing protocols. Introduction to MSDP: Internet service providers (ISPs) are not willing to rely on devices of their competitors to forward multicast traffic.
  • Page 586 Chapter 31: MSDP Configuration. MSDP peers are interconnected over TCP connections (using port 639). A TCP connection can be established between RPs in different PIM-SM domains, between RPs in the same PIM-SM domain, between an RP and a common router, or between common routers.
  • Page 587 Figure 170 Typical networking of Anycast RP (a PIM-SM domain with users, MSDP peers and SA messages). Typically, a multicast source S registers to the nearest RP to create an SPT, and receivers also send Join messages to the nearest RP to construct an RPT, so it is likely that the RP to which the multicast source has registered is not the RP that receivers Join.
  • Page 588 Figure 171 Identifying the multicast source and receiving multicast data (domains PIM-SM 1 through PIM-SM 4, the source, users, MSDP peers and the data flow). The complete interoperation process between a multicast source S in the PIM-SM1 domain and receivers in the PIM-SM1 and PIM-SM4 domains is as follows: 1 The multicast source S in the PIM-SM1 domain begins to send data packets.
  • Page 589 Figure 172 Forwarding SA messages between MSDP peers (mesh group, static peer, source, MSDP peers, SA message). As shown above, RP1 belongs to AS1. RP2, RP3 and RP4 belong to AS2. RP5 and RP6 belong to AS3. An MSDP peering relationship exists among these RPs. RP2, RP3, and RP4 form a mesh group.
  • Page 590: Configuring Msdp Basic Functions

    Configuring MSDP Basic Functions: To exchange information about the multicast source S between two PIM-SM domains, you need to establish MSDP peering relationships between the RPs in these domains, so that the source information can be carried in SA messages between the MSDP peers and receivers in the other PIM-SM domains can finally learn of the multicast source.
  • Page 591: Configuring Connection Between Msdp Peers

    Configuring Connection Between MSDP Peers. Configuring MSDP Basic Functions: Table 644 Configure MSDP basic functions (Operation / Command / Description): Enter system view: system-view. Enable IP multicast routing: multicast routing-enable (Required; the multicast function must be enabled before other multicast configurations can take effect). Enable MSDP function: msdp (Required)...
  • Page 592: Configuring Description Information For Msdp Peers

    Configuring Description Information for MSDP Peers: You can configure a description for each MSDP peer to make the peers easier to manage and identify. Table 645 Configure description information for an MSDP peer (Operation / Command / Description): Enter system view: system-view. Enter MSDP view: msdp...
  • Page 593: Configuring Msdp Peer Connection Control

    Configuring SA Message Transmission. Configuring MSDP Peer Connection Control: The connection between MSDP peers can be controlled flexibly. You can disable an MSDP peering relationship temporarily by shutting down the MSDP peer; as a result, SA messages cannot be transmitted between the two peers. When resetting a peering relationship between faulty MSDP peers, or bringing faulty peers back into service, you can also adjust the interval at which establishment of the peering relationship is retried, through the following configuration.
  • Page 594: Configuring The Transmission And Filtering Of Sa Request Messages

    Configuring the Transmission and Filtering of SA Request Messages: After you enable sending SA request messages to MSDP peers, when a router receives a Join message it sends an SA request message to the specified remote MSDP peer, which responds with the SA messages it has cached.
  • Page 595: Configuring A Rule For Filtering Received And Forwarded Sa Messages

    Configuring SA Message Transmission. Configuring a Rule for Filtering Received and Forwarded SA Messages: Besides controlling the creation of source information, you can control the forwarding and reception of source information. You control the reception of SA messages with the MSDP inbound filter (the import keyword);...
  • Page 596: Displaying And Debugging Msdp Configuration

    Table 652 Configure SA message cache (continued) (Operation / Command / Description): Configure the maximum number of SA messages cached: peer peer-address sa-cache-maximum sa-limit (Optional; by default, a router caches at most 2,048 SA messages).
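The SA cache ceiling and the import filter above are easier to reason about with the message itself in hand. The following Python is an added example, not code from the 3Com guide: it encodes and parses an MSDP Source-Active TLV in the RFC 3618 layout, applies an inbound (import) filter, and enforces a per-peer cache ceiling like the 2,048-entry default of peer sa-cache-maximum. The RFC 1918 deny rule, the SaCache class and the addresses used are assumptions made for the example.

```python
"""MSDP Source-Active (SA) messages: encode, parse, filter and cache.

Added example, not code from the 3Com guide. The SA TLV layout follows
RFC 3618 section 12.2. The cache ceiling mirrors the 2,048-entry default
of peer ... sa-cache-maximum on this page, and the import_filter callback
stands in for the MSDP inbound (import) filter. The RFC 1918 deny rule and
the addresses in the usage section are constructed for the example.
"""
import ipaddress
import struct
from collections import OrderedDict

MSDP_TCP_PORT = 639            # MSDP peering sessions run over TCP port 639
SA_TLV_TYPE = 1                # RFC 3618: Source-Active TLV
SA_HEADER_LEN = 8              # type(1) length(2) entry-count(1) rp(4)
SA_ENTRY_LEN = 12              # reserved(3) sprefix-len(1) group(4) source(4)
DEFAULT_SA_CACHE_MAX = 2048    # default per-peer cache size quoted on this page


def build_sa(rp: str, pairs) -> bytes:
    """Encode one SA TLV announcing (source, group) pairs on behalf of RP `rp`."""
    if not 0 < len(pairs) <= 255:
        raise ValueError("an SA TLV carries 1..255 entries")
    body = struct.pack("!B4s", len(pairs), ipaddress.IPv4Address(rp).packed)
    for source, group in pairs:
        body += struct.pack("!3xB4s4s", 32,          # sprefix len must be 32 (host route)
                            ipaddress.IPv4Address(group).packed,
                            ipaddress.IPv4Address(source).packed)
    return struct.pack("!BH", SA_TLV_TYPE, 3 + len(body)) + body   # length covers the whole TLV


def parse_sa(data: bytes):
    """Decode an SA TLV into (rp, [(source, group), ...]); reject malformed input."""
    if len(data) < SA_HEADER_LEN:
        raise ValueError("truncated SA header")
    tlv_type, length, count = struct.unpack("!BHB", data[:4])
    if tlv_type != SA_TLV_TYPE:
        raise ValueError("not an SA TLV")
    if length < SA_HEADER_LEN + SA_ENTRY_LEN * count or length > len(data):
        raise ValueError("length field does not cover the advertised entries")
    rp = str(ipaddress.IPv4Address(data[4:8]))
    pairs = []
    for i in range(count):
        off = SA_HEADER_LEN + SA_ENTRY_LEN * i
        prefix_len, group, source = struct.unpack("!3xB4s4s", data[off:off + SA_ENTRY_LEN])
        if prefix_len != 32:
            raise ValueError("source prefix length must be 32")
        pairs.append((str(ipaddress.IPv4Address(source)), str(ipaddress.IPv4Address(group))))
    return rp, pairs


def is_well_formed_sa(data: bytes) -> bool:
    """True if parse_sa accepts the bytes; a peer should drop anything else."""
    try:
        parse_sa(data)
        return True
    except ValueError:
        return False


RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def deny_private_sources(source: str, group: str) -> bool:
    """Example import rule (assumption): drop SA entries whose source is RFC 1918 space."""
    addr = ipaddress.IPv4Address(source)
    return not any(addr in net for net in RFC1918)


class SaCache:
    """Per-peer SA cache with an upper bound and an inbound filter."""

    def __init__(self, maximum: int = DEFAULT_SA_CACHE_MAX, import_filter=None):
        self.maximum = maximum
        self.import_filter = import_filter or (lambda source, group: True)
        self.entries = OrderedDict()   # (source, group) -> RP that originated the entry
        self.dropped = 0

    def receive(self, data: bytes) -> int:
        """Filter, then cache the entries of one SA TLV; returns how many were kept."""
        rp, pairs = parse_sa(data)
        kept = 0
        for source, group in pairs:
            if not self.import_filter(source, group):
                self.dropped += 1
                continue
            if (source, group) not in self.entries and len(self.entries) >= self.maximum:
                self.dropped += 1        # at the ceiling: refuse new state, keep known state
                continue
            self.entries[(source, group)] = rp     # refresh or insert
            kept += 1
        return kept


if __name__ == "__main__":
    # Constructed sample: one SA from RP 192.0.2.1 carrying three (S, G) entries.
    sa = build_sa("192.0.2.1", [("203.0.113.10", "239.1.1.1"),
                                ("10.1.1.1", "239.1.1.2"),
                                ("203.0.113.11", "239.1.1.3")])
    cache = SaCache(maximum=1, import_filter=deny_private_sources)
    print("kept", cache.receive(sa), "dropped", cache.dropped, "cached", list(cache.entries))
```

The cache refuses new (S, G) state once the ceiling is reached rather than evicting, which is the behaviour you want under an SA flood: a peer that advertises thousands of bogus sources cannot push legitimate entries out. The length check in parse_sa is the other half of that defence; an SA whose length field does not cover its entry count is dropped before it touches the cache.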
  • Page 597 MSDP Configuration Example. The PIM-SM network runs OSPF to provide unicast routes, and MSDP peers are established between SwitchC and SwitchD. The Loopback10 interfaces of SwitchC and SwitchD play the roles of C-BSR and C-RP. Network diagram: Figure 173 Network diagram for Anycast RP configuration (figure labels omitted: users, Vlan-interface 100)...
  • Page 598 c When the multicast source S1 in the PIM-SM domain sends multicast traffic, the receivers attached to SwitchD receive it; you can view the PIM routing information on the switch with the display pim routing-table command.
  • Page 599: Troubleshooting Msdp Configuration

    Troubleshooting MSDP Configuration: The following sections provide troubleshooting guidelines for MSDP configuration. MSDP Peer Always in the Down State. Symptom: An MSDP peer is configured, but it is always in the down state. Analysis: An MSDP peering relationship is a TCP connection between the address of the locally configured connect-interface and the configured peer address.
  • Page 601: Clustering Overview

    Clustering. Clustering Overview: Clustering lets you manage multiple switches through the public IP address of one switch, the management device. The managed switches in a cluster are member devices, and often have no assigned public IP address; management and maintenance of member devices is performed through redirection by the management device.
  • Page 602: Switch Roles

    Chapter 32: Clustering. ■ Topology collection: Clustering implements NTDP (Neighbor Topology Discovery Protocol) to collect information on device connections and candidate devices within a specified hop range. ■ Member recognition: Members of the cluster can be located, so the management device can recognize them and deliver configuration and management commands.
  • Page 603: Introduction To Ndp

    Clustering Overview. Figure 175 Role changing rule (figure labels omitted: candidate device, management device, member device). ■ A cluster can have only one management device, and it must have one. ■ The management device collects NDP/NTDP information to discover and confirm candidate devices, which can then be added to the cluster through manual configuration.
  • Page 604: Introduction To Cluster Roles

    When NDP on a member device detects neighbor changes, it advertises the changes to the management device in handshake packets. The management device can then run NTDP to collect the specified topology information and show the network topology changes promptly.
  • Page 605: Management Device Configuration

    Management Device Configuration: Management device configuration involves: ■ Enable system and port NDP ■ Configure NDP parameters ■ Enable system and port NTDP ■ Configure NTDP parameters ■ Enable the cluster function ■ Configure cluster parameters ■ Configure internal-external interaction...
  • Page 606: Configuring Cluster Parameters

    Table 659 Configure NTDP parameters (continued) (Operation / Command / Remark): Configure the time that collected devices wait before forwarding the topology-collection request: ntdp timer hop-delay time (Optional; the argument time is the delay time). Configure the time that a port waits before it ...: ntdp timer port-delay time (Optional; the argument time is the delay time).
  • Page 607: Configuring Internal-External Interaction

    Management Device Configuration. Table 661 Configure cluster parameters manually (continued) (Operation / Command / Remark): Configure VLAN check on the management device for communication inside a cluster: port-tagged management-vlan (Optional). Exit system view: quit. Configuring a cluster automatically: Table 662 Configure a cluster automatically (Operation / Command / Remark)...
  • Page 608: Member Device Configuration

    Member Device Configuration: Member device configuration involves: ■ Enable system and port NDP ■ Enable system and port NTDP ■ Specify the cluster FTP/TFTP server. Enabling System and Port NDP: Table 665 Enable system and port NDP (Operation / Command / Remark)...
  • Page 609: Displaying And Maintaining Cluster Configurations

    Configuring Cluster Parameters: Table 668 Configure cluster parameters (Operation / Command / Remark): Enter system view: system-view. Enter cluster view: cluster. Add a candidate device to a cluster: add-member [ member-number ] mac-address H-H-H [ password password ] (adds a new member; arguments member-number, H-H-H...)...
  • Page 610: Clustering Configuration Example

    Clustering Configuration Example. Network requirements: Three switches form a cluster, in which: ■ Switch 5500 acts as the management device. ■ The other two switches act as member devices. As the management device, Switch 5500 manages the member devices and is configured as follows: ■ It attaches the two member devices through ports Ethernet1/0/2 and Ethernet1/0/3...
  • Page 611 Clustering Configuration Example. b Configure the holdtime of NDP information as 200 seconds. [S5500] ndp timer aging 200 c Configure the interval of NDP packets as 70 seconds. [S5500] ndp timer hello 70 d Enable system NTDP and port NTDP on E1/0/2 and E1/0/3. [S5500] ntdp enable [S5500] interface ethernet 1/0/2 [S5500-Ethernet1/0/2] ntdp enable...
  • Page 612: Nm Interface For Cluster Management Configuration Example

    2 Configure the member devices (one member is shown as an example). a Enable system NDP and port NDP on port Ethernet1/1. [S5500] ndp enable [S5500] interface ethernet 1/1 [S5500-Ethernet1/1] ndp enable b Enable system NTDP and port NTDP on port Ethernet1/1. [S5500] ntdp enable [S5500] interface ethernet 1/1 [S5500-Ethernet1/1] ntdp enable...
  • Page 613 Clustering Configuration Example. Network diagram: Figure 176 Network diagram for the interfaces of cluster management (figure labels omitted: VLAN 2)...
  • Page 615: Configuring Hwtacacs

    HWTACACS Configuration. Configuring HWTACACS: This chapter contains information on HWTACACS configuration. HWTACACS configuration tasks: Refer to the tasks in Table 671 to configure HWTACACS. Table 671 HWTACACS configuration (Section / Task / Command / View / Description): Creating a HWTACACS Scheme: Creating a HWTACACS scheme: hwtacacs scheme (System view; creating a scheme)...
  • Page 616: Creating A Hwtacacs Scheme

    Chapter 33: HWTACACS Configuration. Table 671 HWTACACS configuration (continued) (Section / Task / Command / View / Description): Setting the Username Format Acceptable to the TACACS Server: Setting the username format for the TACACS server: user-name-format (HWTACACS view; configuring the format of the user name). Setting the Unit of Data Flows Destined for the TACACS Server: Setting the data flow...
  • Page 617: Configuring Hwtacacs Authentication Servers

    Configuring HWTACACS. Configuring HWTACACS Authentication Servers: Perform the following configuration in HWTACACS view. Table 673 Configuring HWTACACS authentication servers (Operation / Command): Configure the HWTACACS primary authentication server: primary authentication ip-address [ port ]. Delete the HWTACACS primary authentication server: undo primary authentication.
  • Page 618: Configuring Source Address For Hwtacacs Packets Sent By Nas

    Configuring Source Address for HWTACACS Packets Sent by NAS: Perform the following configuration in the corresponding view. Table 676 Configuring source address for HWTACACS packets sent by the NAS (Operation / Command): Configure the source address for HWTACACS packets sent from the NAS: nas-ip ip-address (HWTACACS view).
  • Page 619: Setting The Unit Of Data Flows Destined For The Tacacs Server

    Configuring HWTACACS. Setting the Unit of Data Flows Destined for the TACACS Server: Perform the following configuration in HWTACACS view. Table 679 Setting the unit of data flows destined for the TACACS server (Operation / Command): Set the unit of data flows destined for the TACACS server: data-flow-format data { byte | giga-byte | kilo-byte | mega-byte }...
  • Page 620: Displaying And Debugging Hwtacacs Protocol

    The real-time accounting interval depends partly on the performance of the NAS and the TACACS server: a shorter interval requires higher device performance. You are therefore recommended to use a longer interval when there are a large number of users (1000 or more).
  • Page 621: Hwtacacs Protocol Configuration Example

    HWTACACS Protocol Configuration Example. Table 684 Displaying and debugging AAA and RADIUS/HWTACACS protocol (continued) (Operation / Command): Reset the statistics of the HWTACACS server: reset hwtacacs statistics { accounting | authentication | authorization | all }. Enable RADIUS packet debugging: debugging radius packet. Disable RADIUS packet debugging: undo debugging radius packet. Enable debugging of local RADIUS...
  • Page 622 Configuration procedure: 1 Configure a HWTACACS scheme. [S5500] hwtacacs scheme hwtac [S5500-hwtacacs-hwtac] primary authentication 10.110.91.164 49 [S5500-hwtacacs-hwtac] primary authorization 10.110.91.164 49 [S5500-hwtacacs-hwtac] key authentication expert [S5500-hwtacacs-hwtac] key authorization expert [S5500-hwtacacs-hwtac] undo user-name-format with-domain [S5500-hwtacacs-hwtac] quit 2 Associate the domain with the HWTACACS scheme.
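The scheme above sends authentication and authorization to 10.110.91.164 on TCP port 49 with the shared key expert. It helps to see what that key actually does on the wire. The following Python is an added example, not code from the 3Com guide: it frames a TACACS+ packet and applies the RFC 8907 body obfuscation, which HWTACACS (Huawei TACACS, an implementation of TACACS+) uses with the configured key. The session id, username, port name and remote address below are constructed for the example.

```python
"""HWTACACS/TACACS+ packet framing and body obfuscation with the shared key.

Added example, not code from the 3Com guide. The shared key configured with
`key authentication` / `key authorization` is used as RFC 8907 section 4.5
describes: it seeds an MD5 keystream that is XORed over the packet body,
while the 12-byte header travels in clear. Sample values are constructed.
"""
import hashlib
import struct

TACACS_TCP_PORT = 49
MAJOR_VERSION = 0xC                    # TAC_PLUS_MAJOR_VER
VERSION_DEFAULT = (MAJOR_VERSION << 4) | 0x0
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01                # body sent in clear (no key configured)
HEADER = struct.Struct("!BBBBII")      # version, type, seq_no, flags, session_id, length

# Authentication START body constants (RFC 8907 section 5.1)
AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x01, 0x01


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(sid|key|ver|seq); pad_n = MD5(sid|key|ver|seq|pad_{n-1}); concatenated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int,
              version: int = VERSION_DEFAULT) -> bytes:
    """XOR the body with the pseudo pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start(user: str, port: str, rem_addr: str, data: bytes = b"") -> bytes:
    """ASCII-login START body; the user field is what user-name-format controls."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!BBBBBBBB", AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII,
                        AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(data))
    return fixed + u + p + r + data


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int,
                 ptype: int = TYPE_AUTHEN) -> bytes:
    """Clear header followed by the body, obfuscated unless no key is set."""
    flags = 0 if key else FLAG_UNENCRYPTED
    payload = obfuscate(body, session_id, key, seq_no) if key else body
    return HEADER.pack(VERSION_DEFAULT, ptype, seq_no, flags, session_id, len(body)) + payload


def parse_packet(packet: bytes, key: bytes):
    """Return (header fields, clear body). A wrong key yields garbage, not an error."""
    if len(packet) < HEADER.size:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if version >> 4 != MAJOR_VERSION:
        raise ValueError("unsupported TACACS+ major version")
    body = packet[HEADER.size:]
    if len(body) != length:
        raise ValueError("body length does not match header")
    clear = body if flags & FLAG_UNENCRYPTED else obfuscate(body, session_id, key, seq_no, version)
    return {"type": ptype, "seq_no": seq_no, "flags": flags, "session_id": session_id}, clear


if __name__ == "__main__":
    start = authen_start("admin", "vty0", "192.0.2.50")      # constructed login attempt
    wire = build_packet(start, 0x1234ABCD, b"expert", 1)
    print(wire.hex())
    print(parse_packet(wire, b"expert")[1] == start)         # True with the right key
```

Two things follow from the code. First, the keystream depends only on the session id, key, version and sequence number, so the key hides the body but provides no integrity check: parse_packet with the wrong key returns garbage rather than failing, and nothing stops an on-path attacker from flipping bits. Second, without a key the body goes in clear with the unencrypted flag set. Both are reasons to keep the path between the switch (whose source address you fix with nas-ip) and the TACACS server on a management network.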
  • Page 623: Introduction

    However, if the password recovery mechanism is disabled and the user-configurable bootrom password is lost, there is no recovery mechanism available. In this instance, the Switch will need to be returned to 3Com for repair. The following commands are all executed from the Bootrom directly using the console.
  • Page 624: Bootrom Interface

    Appendix A: Password Recovery Process. Bootrom Interface: During the initial boot phase of the Switch (when directly connected using the console), various messages are displayed and the following prompt is shown with a five-second countdown timer: Press Ctrl-B to enter Boot Menu... 4 Before the countdown reaches 0, press Ctrl-B.
  • Page 625: Skipping The Current Configuration File

    Bootrom Interface. Table 685 Configuration Files (Filename / Description): 3comoscfg.def: the factory default configuration; used only if no other configuration file is present; this file should not be modified. 3comoscfg.cfg: the live configuration, always used to load the active configuration into the Switch unless the bootrom option Skip current configuration file is selected.
  • Page 626: Bootrom Password Recovery

    If the user-configured bootrom password is lost, a fixed, unit-unique password can be provided by 3Com Technical Support to bypass the lost password. Please ensure that the Switch is registered with 3Com promptly, as the unit-unique password will only be supplied to the registered owner of the Switch. Because this password is fixed for the life of the unit and is entered at the console, treat it like any other credential and restrict physical console access to the Switch.
  • Page 627: Setting Up A Radius Server

    FreeRADIUS. The remainder of this section describes how to set up a RADIUS server using these products. Microsoft IAS RADIUS, Funk RADIUS and FreeRADIUS are not 3Com products and are not supported by 3Com. Configuring Microsoft IAS RADIUS: 3Com has successfully installed and tested Microsoft IAS RADIUS running on a Windows server in a network with the Switch 5500 deployed.
  • Page 628 Appendix B: RADIUS Server and RADIUS Client Setup. b The server will need to run in Native mode to support EAP-TLS, which is not available in Mixed mode. To change mode, go to the Active Directory Users and Computers window, right-click the domain and choose Properties, then select Change Mode.
  • Page 629 Setting Up A RADIUS Server d Follow the wizard to create a user, entering the required information at each stage. e The password for the user must be stored using reversible encryption. Right-click the user account and select Properties. Select the Account tab and check the box labelled Store password using reversible encryption. Note that this setting makes the password recoverable from the directory; enable it only for the accounts that need it.
  • Page 630 a Go to Control Panel > Add/Remove Programs > Add/Remove Windows Components. The Certificate Services component should be checked. b Select Next and continue through the wizard. In the Certificate Authority Type window, select Enterprise root CA. Enter information to identify the Certificate Authority in the CA Identifying Information window.
  • Page 631 Setting Up A RADIUS Server 4 Install the Internet Authentication Service (IAS) program. a Go to Control Panel > Add/Remove Programs > Add/Remove Windows Components. Enable Networking Services and ensure Internet Authentication Service component is checked. b Select OK to end the wizard. 5 Configure a Certificate Authority a Go to Programs >...
  • Page 632 d Go to Programs > Administrative Tools > Active Directory Users and Computers and right-click your Active Directory domain. Select Properties. e Select the Group Policy tab, and ensure that the Default Domain Policy is highlighted.
  • Page 633 Setting Up A RADIUS Server g The Certificate Request Wizard will start. Select Next > Computer certificate template and click Next. h Ensure that your Certificate Authority is checked, then click Next. Review the Policy Change Information and click Finish. Open up a command prompt (Start >...
  • Page 634 e Give the policy a name, for example EAP-TLS, and select Next. f Click Add... g Set the conditions for using the policy to access the network. Select Day-And-Time-Restrictions, and click Add... Click Permitted, then OK.
  • Page 635 Setting Up A RADIUS Server k Select the appropriate certificate and click OK. There should be at least one certificate. This is the certificate that has been created during the installation of the Certification Authority Service. Windows may ask if you wish to view the Help topic for EAP. Select No if you want to continue with the installation.
  • Page 636 b When you are prompted for a login, enter the user account name and password that you will be using for the certificate. c Select Request a certificate and click Next >. There are two ways to request a certificate: the Advanced Request or the Standard Request.
  • Page 637 Setting Up A RADIUS Server f Either copy the settings from the screenshot (not reproduced here) or choose different key options. Click Save to save the PKCS #10 file; a PKCS #10 file is a certificate signing request from which the CA generates the certificate. g You will receive a warning message; select Yes. A second warning message follows; select Yes and then OK. The PKCS #10 file is now saved to the local drive.
  • Page 638 Select the second option as shown in the screenshot (not reproduced here), and click Next >. k Open the previously saved PKCS #10 certificate file in Notepad, select all (Control + a) and copy (Control + c). Paste the copied information into the Saved Request field.
  • Page 639 Setting Up A RADIUS Server m Download the certificate and certification path. Click on the Download CA Certificate hyperlink to save the certificate. Save the file as DER encoded. Click on the Download CA certification path hyperlink to save the PKCS #7, and select Save. The certificate is also installed on the Certification Authority.
  • Page 640 p Leave the settings on the next screen as they are, click Next >, then Finish and OK. This installs the certificate. q Launch the Certification Authority management tool on the server and expand the Issued Certificates folder.
  • Page 641 Setting Up A RADIUS Server Save the certificate using DER X.509 encoding: select DER encoded binary, then Next. Provide a name for the certificate and save it to a specified location. Click Finish, then OK. t Exit the Certification Authority management tool and launch the Active Directory Users and Computers management tool.
  • Page 642 u Select the user that becomes the IEEE 802.1x client. Right-click on the user and select Name mappings. Select Add. v Select the certificate that you have just exported and click Open. Click OK. w In the Security Identity Mapping screen, click OK to close it.
  • Page 643 Setting Up A RADIUS Server b Create a new remote access policy under IAS and name it Switch Login. Select Next> c Specify Switch Login to match the users in the switch access group, select Next > d Allow Switch Login to grant access to these users, select Next >...
  • Page 644 e Use the Edit button to change the Service-Type to Administrative. f Add a Vendor-Specific attribute to indicate the access level that should be provided:...
  • Page 645 Setting Up A RADIUS Server The value 010600000003 is the body of the vendor-specific attribute: sub-type 01 (3Com-User-Access-Level), sub-length 06, and the four-byte value 00000003, which grants administrator privileges on the switch. A final value of 01 indicates monitor access and 02 indicates manager access; on the Switch 5500, 00 indicates visitor level. 11 Configure the RADIUS client. Refer to "Setting Up the RADIUS Client" for information on setting up the client.
  • Page 646 Follow these steps to set up auto VLAN and QoS for use by Microsoft IAS: 1 Define the VLAN Groups on the Active Directory server and assign the user accounts to each VLAN Group. Go to Programs > Administrative Tools > Active Directory Users and Computers. a For example, to create one group that will represent VLAN 4, select the Users folder from the domain,...
  • Page 647 Setting Up A RADIUS Server d Go to Programs > Administrative Tools > Internet Authentication Service and select Remote Access Policies. Select the policy that you configured earlier, right-click and select Properties. e Click Add to add policy membership. f Select the Windows-Groups attribute type, and select Add and Add again...
  • Page 648 g Select the VLAN group that you have just created and click Add and then OK to confirm. h Click OK again to return to the Security Policy properties.
  • Page 649 Setting Up A RADIUS Server Click Edit Profile... and select the Advanced tab. Click Add. Refer to Table 686 and Table 687 for the RADIUS attributes to add to the profile. Table 686 Summary of auto VLAN attributes (For Auto VLAN / Return String / Comment): Tunnel-Medium-type...
  • Page 650 m Select the Tunnel-Pvt-Group-ID entry and click Add. n Click Add, ensure that the Attribute value is set to 4 (Attribute value in string format), and click OK. This value represents the VLAN ID. o Click OK again on the Multivalued Attribute Information screen to return to the Add Attributes screen.
  • Page 651 Setting Up A RADIUS Server p Click Add again. In the pull-down menu, select Virtual LANs and click OK. q Click OK again to return to the Add Attributes screen. Click Close. You will now see the added attributes. r Click OK to close the Profile screen and OK again to close the Policy screen.
  • Page 652: Configuring Funk Radius

    Configuring Funk RADIUS: 3Com has successfully installed and tested Funk RADIUS running on a Windows server in a network with the Switch 5500 deployed. Download the Funk Steel-Belted RADIUS Server application from www.funk.com and install it. Once installed, you have a 30-day license to use it.
  • Page 653 Funk RADIUS is now ready to run. If you intend to use auto VLAN and QoS, you will need to create VLAN and QoS profiles on the 3Com Switch 5500 and follow the instructions in Configuring auto VLAN and QoS for Funk RADIUS.
  • Page 654 Passwords are case sensitive. 6 Enter the shared secret, which RADIUS uses to hide the User-Password attribute and to authenticate the server's responses; it does not encrypt the rest of the exchange. The shared secret must be identical on the Switch 5500 and the RADIUS server. a Select RAS Clients from the left-hand list, enter a Client name, the IP address and the Shared secret.
  • Page 655 Setting Up A RADIUS Server Configuring auto VLAN and QoS for Funk RADIUS: To set up auto VLAN and QoS using Funk RADIUS, follow these steps: 1 Edit the Funk dictionary file radius.dct so that Return list attributes from the RADIUS server are returned to the Switch 5500.
  • Page 656: Configuring Freeradius

    The following example shows the user name HOMER with the correct Return list attributes inserted. The VLANs and QoS profiles must also be created on the 3Com Switch 5500. Configuring FreeRADIUS: 3Com has successfully installed and tested FreeRADIUS running on Solaris 2.6 and RedHat Linux servers in networks with the Switch 5500 deployed.
  • Page 657 Add an entry for Switch Login, for example: user-name Auth-Type = System, 3Com-User-Access-Level = Administrator. This tells the server to return the 3Com vendor-specific attribute 3Com-User-Access-Level in the Access-Accept message for that user. b Add an entry for Network Login, for example: user-name Auth-Type := Local, User-Password == "password"...
  • Page 658: Setting Up The Radius Client

    In the example above, Tunnel-Medium-Type is set to TMT802 so that FreeRADIUS treats the value as a dictionary name to be looked up, returning the integer 6 (IEEE-802), rather than the integer 802, which is what it would return if Tunnel-Medium-Type were set to 802.
  • Page 659: Aegis Client Installation

    Setting Up the RADIUS Client ...generate an EAPOL-Logoff message when the user logs off, which leaves the port authorized. To reduce the impact of this issue, decrease the session-timeout return list attribute to force re-authentication of the port more often. Alternatively, use an 802.1X supplicant (what this guide calls the RADIUS client) without this security flaw, for example the Aegis client. A patch for the Windows XP client may have become available from Microsoft since this guide was published.
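The attributes this appendix has the RADIUS server return (Service-Type and the 3Com-User-Access-Level value 010600000003 on page 645, the auto VLAN tunnel attributes of Table 686, the TMT802 lookup note on page 658, and the session-timeout mitigation just above) are easiest to check by encoding and decoding them. The following Python is an added example, not code from the 3Com guide or from any RADIUS server. Attribute numbers and enumerations come from RFC 2865 and RFC 2868, vendor ID 43 is 3Com's IANA enterprise number, and the access-level values are the ones listed on page 645; the QoS profile name format in Filter-Id and the sample values are assumptions.

```python
"""RADIUS Access-Accept attributes the Switch 5500 acts on, encoded and decoded.

Added example, not code from the 3Com guide or any RADIUS server. Attribute
numbers and enumerations are from RFC 2865/2868; vendor ID 43 is 3Com's IANA
enterprise number; access-level values are those listed on this page. The
Filter-Id content for the QoS profile and the sample values are assumptions.
"""
import struct

SERVICE_TYPE, FILTER_ID, VENDOR_SPECIFIC, SESSION_TIMEOUT = 6, 11, 26, 27
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SERVICE_ADMINISTRATIVE = 6          # RFC 2865 Administrative-User
TUNNEL_TYPE_VLAN = 13               # RFC 2868 Tunnel-Type value used for VLANs (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6          # what FreeRADIUS returns for the name TMT802
VENDOR_3COM = 43
VSA_USER_ACCESS_LEVEL = 1           # sub-attribute 3Com-User-Access-Level
ACCESS_LEVELS = {0: "visitor", 1: "monitor", 2: "manager", 3: "administrator"}
TAG_UNTAGGED = 0


def avp(attr_type: int, value: bytes) -> bytes:
    """Type, length (including these two bytes), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def integer(n: int) -> bytes:
    return struct.pack("!I", n)


def tagged_integer(n: int, tag: int = TAG_UNTAGGED) -> bytes:
    """RFC 2868 tagged integer: one tag byte followed by a 24-bit value."""
    return bytes([tag]) + struct.pack("!I", n)[1:]


def tagged_string(s: str, tag: int = TAG_UNTAGGED) -> bytes:
    return bytes([tag]) + s.encode()


def vsa_3com_access_level(level: int) -> bytes:
    """Vendor-Specific: vendor id, then sub-type 01, sub-length 06, 4-byte value."""
    sub = struct.pack("!BB", VSA_USER_ACCESS_LEVEL, 6) + integer(level)
    return avp(VENDOR_SPECIFIC, integer(VENDOR_3COM) + sub)


def switch_login_attrs(level: int) -> bytes:
    """What the IAS 'Switch Login' policy on this page returns."""
    return avp(SERVICE_TYPE, integer(SERVICE_ADMINISTRATIVE)) + vsa_3com_access_level(level)


def network_login_attrs(vlan_id: int, qos_profile: str, session_timeout: int,
                        medium: int = TUNNEL_MEDIUM_IEEE_802) -> bytes:
    """Auto VLAN / QoS reply for 802.1X network login. `medium` is a parameter so
    the effect of returning 802 instead of 6 can be shown."""
    return b"".join([
        avp(TUNNEL_TYPE, tagged_integer(TUNNEL_TYPE_VLAN)),
        avp(TUNNEL_MEDIUM_TYPE, tagged_integer(medium)),
        avp(TUNNEL_PRIVATE_GROUP_ID, tagged_string(str(vlan_id))),
        avp(FILTER_ID, qos_profile.encode()),        # QoS profile name: assumed format
        avp(SESSION_TIMEOUT, integer(session_timeout)),
    ])


def parse_attrs(data: bytes) -> dict:
    """Walk the attribute list the way a NAS would and derive the decisions."""
    out, i = {}, 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        v = data[i + 2:i + length]
        i += length
        if t == SERVICE_TYPE:
            out["service_type"] = struct.unpack("!I", v)[0]
        elif t == SESSION_TIMEOUT:
            out["session_timeout"] = struct.unpack("!I", v)[0]
        elif t == FILTER_ID:
            out["filter_id"] = v.decode()
        elif t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            key = "tunnel_type" if t == TUNNEL_TYPE else "tunnel_medium"
            out[key] = int.from_bytes(v[1:], "big")          # skip the tag byte
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            out["tunnel_group"] = (v[1:] if v[0] <= 0x1F else v).decode()   # tag only if <= 0x1F
        elif t == VENDOR_SPECIFIC and len(v) >= 10 and struct.unpack("!I", v[:4])[0] == VENDOR_3COM:
            sub_type, sub_len = v[4], v[5]
            if sub_type == VSA_USER_ACCESS_LEVEL and sub_len == 6:
                out["access_level"] = ACCESS_LEVELS.get(struct.unpack("!I", v[6:10])[0], "unknown")
    # Per RFC 3580 a VLAN is assigned only when all three tunnel attributes agree.
    if (out.get("tunnel_type") == TUNNEL_TYPE_VLAN and out.get("tunnel_medium") == TUNNEL_MEDIUM_IEEE_802
            and out.get("tunnel_group", "").isdigit()):
        out["vlan"] = int(out["tunnel_group"])
    return out
```

Running parse_attrs over switch_login_attrs(3) yields service_type 6 and access_level "administrator"; the vendor-specific body ends in the 010600000003 shown on page 645. The medium parameter of network_login_attrs reproduces the FreeRADIUS pitfall on page 658: with medium=802 the tunnel attributes decode, but no VLAN is derived because the medium is not IEEE-802 (6). Session-Timeout is the value you lower to force re-authentication when the supplicant never sends EAPOL-Logoff.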
  • Page 660 b The configuration screen appears (not reproduced here). c Leave the Profile at its default. The Identity and Password are those of an account created on the RADIUS server. d Click OK to finish the configuration. e Restart the client either by rebooting, or by stopping and restarting the service.
  • Page 661: Cisco Secure Acs (Tacacs+) And The 3Com Switch 5500

    3Com Switch 5500. ...contain a Cisco Secure ACS server with TACACS+ to provide centralized control over network and management access, and can also deploy the 3Com Switch 5500 on their network. Although 3Com does not directly support the proprietary TACACS+ protocol, 3Com switches can still be authenticated in networks that use TACACS+ and Cisco Secure ACS: the switch is added to ACS as a RADIUS client (see Adding a 3Com Switch 5500 as a RADIUS Client), so ACS talks RADIUS to the switch even though the rest of the network uses TACACS+.
  • Page 662: Adding A 3Com Switch 5500 As A Radius Client

    1 Select Network Configuration from the left-hand side. 2 Select Add Entry under AAA Clients. 3 Enter the details of the 3Com switch. Spaces are not permitted in the AAA Client Host name. An example is shown in the screenshot (not reproduced here)...
  • Page 663 Setting Up the Cisco Secure ACS (TACACS+) server 5 Select Interface Configuration from the left hand side. 6 Select RADIUS (IETF) from the list under Interface Configuration. 7 Check the RADIUS attributes that you wish to install. If you want to use auto VLAN and QoS, ensure that you have the following options selected for both the User and Group: Filter-ID Tunnel-Type...
  • Page 664: Adding A User For Network Login

    Appendix C: Authenticating the Switch 5500 with Cisco Secure ACS. 8 Select Submit. 9 Repeat steps 1 through 8 for each Switch 5500 on your network. When all of the Switch 5500s have been added as clients to the Cisco Secure ACS server, restart the Secure ACS server by selecting System Configuration from the left-hand side, then selecting Service Control and clicking Restart.
  • Page 665: Adding A User For Switch Login

    The user can now access the network through Network Login. Adding a User for Switch Login: Adding a user for switch login is slightly more complex, as 3Com-specific RADIUS attributes need to be returned to the 3Com Switch 5500. These RADIUS attributes define the user's access level to the management interface.
  • Page 666 This will stop the Cisco Secure ACS server, add the RADIUS information (by adding the contents of 3Com.ini to UDV (User Defined Vendor) slot 0), and then restart the server. Once complete, log into the Secure ACS server again and complete...
  • Page 667 Setting Up the Cisco Secure ACS (TACACS+) server 2 To use the new RADIUS attributes, a client must be configured to authenticate with RADIUS (3Com) attributes. Select Network Configuration from the left-hand side and select an existing device or add a new device. In the AAA Client Setup window, select RADIUS (3COM) from the Authenticate Using pull-down list.
  • Page 668 User List in the right hand window) or Add a new user (see Adding a User for Network Login). Set the user’s access level to the 3Com Switch 5500 by scrolling to the bottom of the user profile where there should be the option for...
  • Page 669 Setting Up the Cisco Secure ACS (TACACS+) server 7 In the RADIUS (3Com) Attribute box, check 3Com-User-Access-Level and select Administrator from the pull-down list. 8 Select Submit. The Switch 5500 can now be managed by the Network Administrator through the...
  • Page 671 For detailed descriptions of the web interface operations and the command line interface (CLI) commands that you require to manage the Switch please refer to the Command Reference Guide supplied in PDF format on the 3Com Web site at www.3com.com.
  • Page 672: Supported Switches

    Fabric Interconnect ports. XRN Terminology: This section contains a glossary of common XRN terminology. eXpandable Resilient Network (XRN): XRN is a 3Com technology that allows you to implement fault-tolerant, high-performance and scalable multilayer networks. Fabric Interconnect: the interconnection between the XRN Switches that form the Distributed Fabric.
  • Page 673: Benefits Of Xrn

    Fabric grows. Link Aggregation is supported across the Distributed Fabric. Flexibility is provided by support across any of the Switches within an individual 3Com Switch 5500 family to create an XRN Distributed Fabric. XRN Features: This section describes the key features of XRN.
  • Page 674: Distributed Link Aggregation (Dla)

    Appendix D: 3Com XRN. Switch units within the Distributed Fabric provide the same router interfaces and mirror each other's routing tables. This allows each unit to keep routing local for its directly connected hosts and devices. In the example shown in Figure 178, there is a single logical router across the XRN Distributed Fabric with router interfaces (R1, R2, and R3) shared by both units.
  • Page 675 Table 691 Aggregated Links and Member Links Supported within a Fabric (Switch Family / Max number of member links / Number of Aggregated Links): Switch 5500-SI Family: 8 Fast Ethernet or 4 Gigabit Ethernet member links; 14 (28 port) or 26 (52 port) aggregated links, 8 per stack...
  • Page 676: How To Implement Xrn—Overview

    (CLI) commands that you require to manage the Switch, please refer to the Command Guide supplied in PDF format on the CD-ROM that accompanies your Switch or on the 3Com Web site. Important Considerations and Recommendations: This section contains important points and recommendations that you need to consider or be aware of when designing a network using XRN.
  • Page 677: Recommendations For Achieving Maximum Resilience

    (figure labels omitted: Loop, Switch 5500G-EI Family). It is not possible to interconnect a 3Com Switch 5500 with any other 3Com device, or to mix Enhanced Image (EI) Switch 5500 units with Standard Image (SI) units. Nor is it possible to create an XRN Distributed Fabric with Switches from different 3Com Switch 5500 families, for example a Switch 5500-EI with a 5500G-EI.
  • Page 678: Unit Id Numbering Mechanism

    MAC address takes the ID in question and the other unit automatically renumbers. 3Com recommends that you manually assign the unit IDs within the Fabric if you want to know predictably which unit has which ID at all times.
  • Page 679 5 Ensure that RSTP is enabled across the network. Legacy aggregated links are not resilient to an interconnect failure. Hence the 3Com recommendation to use IEEE 802.3ad aggregated links (LACP) for maximum resilience. If an automatic aggregated link (created by LACP) contains ports with different VLAN membership, the aggregated link will inherit the VLAN membership of the first port that comes up in the aggregated link.
  • Page 680: Recovering Your XRN Network
</grreplace_placeholder>

    Recovering your XRN Network: In the event of a failure within your XRN network, 3Com recommends that you follow the recommendations below. Unit Failure: The steps below outline the procedure to recover your XRN network in the event of a unit failure within your Distributed Fabric.
  • Page 681: How XRN Interacts With Other Features

    VLAN membership. This will result in the different VLANs not being able to communicate. 3Com recommends that you set individual ports that are to be members of an aggregated link to the same VLAN membership. This ensures communication between all VLANs at all times.
  • Page 682: Legacy Aggregated Links

    Figure 182 How XRN interacts with VLANs—Example 2. Legacy Aggregated Links: Legacy aggregated links will react in the normal way if a unit within the Distributed Fabric fails, that is, all traffic will be redirected down the link(s) to the unit that is still operating.
  • Page 683: STP/RSTP

    How XRN Interacts with other Features. STP/RSTP: STP/RSTP should be used for multihomed links if you are not able to use aggregated links. Figure 184 shows how STP will prevent a loop occurring on a multihomed link. STP/RSTP should always be enabled if your multihomed links are aggregated links. Figure 182 shows how, on interconnect failure, STP/RSTP will detect the potential loop caused by the aggregated links splitting and block a path to prevent the loop occurring.
  • Page 684: How A Failure Affects The Distributed Fabric

    How a Failure affects the Distributed Fabric: This section provides supplementary information on how the Distributed Fabric and traffic flow are affected by failure of a Fabric Interconnect and of a unit in the Distributed Fabric. Loss of a Switch within the XRN Distributed Fabric: When a Switch unit in the Distributed Fabric fails, assuming you have followed the recommendations in “Important Considerations and Recommendations”...
  • Page 685 The Switch 4300 legacy aggregated link will be split between the two Switches in the Distributed Fabric and will no longer operate and will cause network disruption. Legacy aggregated links are not resilient to an interconnect failure. Hence the 3Com recommendation to use IEEE 802.3ad aggregated links (LACP) for maximum resilience.
  • Page 686 IEEE 802.1D (Legacy STP) and RSTP: The Switch 4200 is using legacy STP. STP (and RSTP) will reconfigure the network to open the previously blocked link to Switch B. The STP reconfiguration will cause all Switch forwarding databases (MAC address tables) to be fast aged (if using RSTP, they will be flushed).

This manual is also suitable for: 5500-EI, 5500G-EI