3Com 4210 PWR Configuration Manual

3Com®
Switch 4210 Family

Configuration Guide

Switch 4210 PWR 9-port
Switch 4210 PWR 18-port
Switch 4210 PWR 26-port
Switch 4210 9-port
Switch 4210 18-port
Switch 4210 26-port
www.3Com.com
Part Number: 10016117 Rev. AA
Published: August, 2007

Summary of Contents for 3Com 4210 PWR

  • Page 1: Configuration Guide

  • Page 2 LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.
  • Page 3: Table Of Contents

    Contents. About This Guide: Conventions; Related Documentation. CLI Configuration: Introduction to the CLI; Command Hierarchy; CLI Views; CLI Features. Logging into an Ethernet Switch: Supported User Interfaces; Logging in through the Console Port; Logging in through Telnet; Telnet Configuration with Authentication Mode Being Scheme; Logging in Using a Modem; Logging in through the Web-based Network Management System; Managing from an NMS...
  • Page 4 IP Addressing Configuration: IP Addressing Overview; Configuring IP Addresses; Displaying IP Addressing Configuration; IP Address Configuration Examples. IP Performance Configuration: IP Performance Overview; Configuring IP Performance; Displaying and Maintaining IP Performance Configuration. Port Basic Configuration: Ethernet Port Overview; Ethernet Port Configuration; Configuring the Interval to Perform Statistical Analysis on Port Traffic; Disabling Up/Down Log Output on a Port; Ethernet Port Configuration Example...
  • Page 5 Configuration Example. MSTP Configuration: STP Overview; MSTP Overview; Configuring Root Bridge; Configuring Leaf Nodes; Performing mCheck Operation; Configuring Guard Functions; Configuring Digest Snooping; Configuring Rapid Transition; STP Maintenance Configuration; Enabling Trap Messages Conforming to 802.1d Standard; Displaying and Maintaining MSTP; MSTP Configuration Example. Multicast Overview...
  • Page 6 System-Guard Configuration: System-Guard Configuration; Displaying and Maintaining the System-Guard Function. AAA Overview: Introduction to AAA; Introduction to AAA Services. AAA Configuration: AAA Configuration Task List; RADIUS Configuration Task List; Displaying and Maintaining AAA; AAA Configuration Examples; Troubleshooting AAA. MAC Authentication Configuration...
  • Page 7 Configuring a DHCP/BOOTP Client; Displaying DHCP/BOOTP Client Configuration; DHCP Client Configuration Example. ACL Configuration: ACL Overview; ACL Configuration Example for Upper-layer Software Referencing ACLs. QoS Configuration: Overview; QoS Supported By Switch 4210 Family; QoS Configuration. Mirroring Configuration: Mirroring Overview; Mirroring Configuration Example. Cluster: Cluster Overview; Cluster Configuration Tasks...
  • Page 8 RMON Configuration: Introduction to RMON; RMON Configuration; Displaying RMON; RMON Configuration Examples. NTP Configuration: Introduction to NTP; NTP Configuration Tasks; Configuring NTP Implementation Modes; Configuring Access Control Right; Configuring NTP Authentication; Configuring Optional NTP Parameters; Displaying NTP Configuration; Configuration Example. SSH Configuration...
  • Page 9 Software Loading: Introduction to Loading Approaches; Local Boot ROM and Software Loading; Remote Boot ROM and Software Loading. Basic System Configuration and Debugging: Basic System Configuration; Displaying the System Status; Debugging the System. Network Connectivity: Network Connectivity Test. Device Management: Device Management Configuration; Displaying the Device Management Configuration; Remote Switch APP Upgrade Configuration Example...
  • Page 10 Password Control Configuration; Displaying Password Control; Password Control Configuration Example...
  • Page 11: About

    (LAN) operations and familiarity with communication protocols that are used to interconnect LANs. Always download the Release Notes for your product from the 3Com World Wide Web site and check for the latest updates to software and product documentation: http://www.3com.com...
  • Page 12: Related Documentation

    If information in this guide differs from information in the release notes, use the information in the Release Notes. These documents are available in Adobe Acrobat Reader Portable Document Format (PDF) on the CD-ROM that accompanies your router or on the 3Com World Wide Web site: http://www.3com.com/...
  • Page 13: Introduction To The Cli

    CLI Configuration. Introduction to the CLI. A command line interface (CLI) is a user interface to interact with a switch. Through the CLI on a switch, you can enter commands to configure the switch and check output information to verify the configuration. Each Switch 4210 provides an easy-to-use CLI and a set of configuration commands for configuring and managing your switch.
  • Page 14 Chapter 1: CLI Configuration. support for services. Commands concerning file system, FTP/TFTP/XModem downloading, user management, and level setting are at this level. By default, the Console user (a user who logs into the switch through the Console port) is a level-3 user and Telnet users are level-0 users. Switching User Levels. After logging into the switch, users can change their current user levels through a command.
  • Page 15 Required. ...command in a specific view: level view view command. CAUTION: 3Com recommends that you do not change the level of a command arbitrarily, for it may cause problems when operating and maintaining the switch. When you change the level of a command with multiple keywords, you should...
  • Page 16: Cli Views

    Chapter 1: CLI Configuration. This allows general Telnet users to use the tftp get command to download file bootrom.btm and other files from TFTP server 192.168.0.1 and other TFTP servers. CLI Views. CLI views are designed for different configuration tasks. When you first log into the switch, you are in user view, where you can perform simple operations such as checking the operation status and statistics information of the switch.
  • Page 17 CLI Views. Table 4 CLI views (View / Available operation / Prompt example / Enter method / Quit method). Ethernet port view: Configure Ethernet port parameters; 100 Mbps Ethernet port view; enter by executing the interface ethernet command in system view; quit by executing the quit command to return to system view.
  • Page 18: Cli Features

    Chapter 1: CLI Configuration. Table 4 CLI views (View / Available operation / Prompt example / Enter method / Quit method). Basic ACL view: Define rules for a basic ACL (with ID ranging from 2000 ...; prompt example [4210-acl-basic-2000]; enter by executing the acl number command in system view; quit by executing the quit command to return to...
  • Page 19 CLI Features. <4210> clock ? datetime: Specify the time and date; summer-time: Configure summer time; timezone: Configure time zone. If the question mark "?" is at an argument position in the command, the description of the argument displays: [4210] interface vlan-interface ? <1-4094>...
  • Page 20 Chapter 1: CLI Configuration. commands and execute them again. By default, the CLI stores up to 10 most recently executed commands for each user. You can view the command history by performing the operations listed in Table 6. Table 6 View history commands (Purpose / Operation / Remarks)...
  • Page 21 CLI Features. Table 8 Edit operations (Press... / To...). Right arrow key or <Ctrl+F>: Move the cursor one character to the right. Up arrow key or <Ctrl+P>: Display history commands. Down arrow key or <Ctrl+N>. <Tab>: Use the partial online help. That is, when you input an incomplete keyword and press <Tab>, if the input parameter uniquely identifies a complete keyword, the system substitutes the complete keyword for the input...
  • Page 22 Chapter 1: CLI Configuration...
  • Page 23: Logging Into An Ethernet Switch

    Logging into an Ethernet Switch. You can log into a Switch 4210 in one of the following ways: Logging in locally through the Console port; Logging in locally or remotely through an Ethernet port by means of Telnet or...
  • Page 24 Chapter 2: Logging into an Ethernet Switch. 2 A relative user interface index can be obtained by appending a number to the identifier of a user interface type. It is generated by user interface type. The relative user interface indexes are as follows: AUX user interface is numbered 0.
  • Page 25: Logging In Through The Console Port

    Logging in through the Console Port. Logging in through the Console port is the most common way to log into a switch. If you do not know the IP address of the switch, it is the only way to log in to the switch. It is also the prerequisite to configure other login methods, and is used to recover the switch in certain circumstances.
  • Page 26 Chapter 2: Logging into an Ethernet Switch. Figure 2 Create a connection. Figure 3 Specify the port used to establish the connection...
  • Page 27 Logging in through the Console Port. Figure 4 Set port parameters. 3 Plug in the switch so it has power. You will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as <4210>) appears after you press the Enter key, as shown in Figure 5.
  • Page 28 Chapter 2: Logging into an Ethernet Switch. Common Configurations. Table 12 lists the common configurations of Console port login. Table 12 Common configuration of Console port login (Configuration / Remarks). Console port baud rate: Optional configuration; the default baud rate is 19,200 bps. Check mode: Optional; by default, the check mode of the Console port is set...
  • Page 29 Logging in through the Console Port. Table 13 Console port login configurations for different authentication modes (Authentication mode / Console port login configuration / Remarks). Password: Configure the password for local authentication: Required. Perform common configuration: Optional; refer to Table 12.
  • Page 30 Chapter 2: Logging into an Ethernet Switch. Table 14 Console port login configuration with the authentication mode being none (Operation / Command / Description). Configure the Console port: Set the baud rate: speed speed-value. Optional; the default baud rate of a Console port is 19,200 bps.
  • Page 31 Logging in through the Console Port. Table 14 Console port login configuration with the authentication mode being none (Operation / Command / Description). Set the timeout time for the user interface: idle-timeout minutes [ seconds ]. Optional; the default timeout time of a user interface is 10 minutes.
  • Page 32 Chapter 2: Logging into an Ethernet Switch. Network diagram: Figure 6 Network diagram for AUX user interface configuration (with the authentication mode being none). Configuration procedure: # Enter system view. <4210> system-view # Enter AUX user interface view. [4210] user-interface aux 0 # Specify not to authenticate users logging in through the Console port.
  • Page 33 Logging in through the Console Port. [4210-ui-aux0] idle-timeout 6 After the above configuration, you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in Figure 4 to log into the switch successfully. Configuring Console Port Login to Require a... (Configuration Procedure)
  • Page 34 Chapter 2: Logging into an Ethernet Switch. Table 15 Console port login configuration with the authentication mode being password (Operation / Command / Description). Set history command buffer size: history-command max-size value. Optional; the default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.
  • Page 35 Logging in through the Console Port. Network diagram: Figure 7 Network diagram for AUX user interface configuration (with the authentication mode being password). Configuration procedure: # Enter system view. <4210> system-view # Enter AUX user interface view. [4210] user-interface aux 0 # Specify to authenticate users logging in through the Console port using the local password.
  • Page 36 Chapter 2: Logging into an Ethernet Switch. # Set the timeout time of the AUX user interface to 6 minutes. [4210-ui-aux0] idle-timeout 6 After the above configuration, you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in Figure 4 to log into the switch successfully.
  • Page 37 Logging in through the Console Port. Table 16 Console port login configuration with the authentication mode being scheme (Operation / Command / Description). Configure the Console port: Set the baud rate: speed speed-value. Optional; the default baud rate of the AUX port (also the Console port) is 9,600 bps.
  • Page 38 Chapter 2: Logging into an Ethernet Switch. Configuration Example. Network requirements: Assume the switch is configured to allow users to log in through Telnet, and the user level is set to the administrator level (level 3). Perform the following configurations for users logging in through the console port (AUX user interface).
  • Page 39: Logging In Through Telnet

    Logging in through Telnet. [4210-luser-guest] service-type terminal level 2 [4210-luser-guest] quit # Enter AUX user interface view. [4210] user-interface aux 0 # Configure to authenticate users logging in through the Console port in the scheme mode. [4210-ui-aux0] authentication-mode scheme # Set the baud rate of the Console port to 19,200 bps. [4210-ui-aux0] speed 19200 # Set the maximum number of lines the screen can contain to 30.
  • Page 40 Chapter 2: Logging into an Ethernet Switch. Telnetting to a switch using IPv6 protocols is similar to Telnetting to a switch using IPv4 protocols. Refer to "IPv6 Management Configuration" on page 525 for related information. Common Configuration. Table 18 lists the common Telnet configuration. Table 18 Common Telnet configuration (Configuration / Description)...
  • Page 41 Logging in through Telnet. Table 19 Telnet configurations for different authentication modes (Authentication mode / Telnet configuration / Description). Scheme: Specify to perform local authentication or remote RADIUS authentication. Optional; the configuration specifies whether to perform local authentication, and local authentication is performed by default. Refer to "AAA Configuration" on page 245.
  • Page 42 Chapter 2: Logging into an Ethernet Switch. Table 20 Telnet configuration with the authentication mode being none (Operation / Command / Description). Configure the command level available to users logging into VTY user interfaces: user privilege level level. Optional; by default, commands of level 0 are available to users logging into VTY user interfaces.
  • Page 43 Logging in through Telnet. Telnet protocol is supported. The screen can contain up to 30 lines. The history command buffer can contain up to 20 commands. The timeout time of VTY 0 is 6 minutes. Network diagram: Figure 9 Network diagram for Telnet configuration (with the authentication mode being none) RS-232 port...
  • Page 44 Chapter 2: Logging into an Ethernet Switch. Telnet Configuration with Authentication Requiring a Password. Configuration Procedure. Table 21 Telnet configuration with the authentication mode being password (Operation / Command / Description). Enter system view: system-view. Enter one or more VTY user interface views: user-interface vty first-number [ last-number ]. Configure to authenticate...
  • Page 45 Logging in through Telnet. Table 21 Telnet configuration with the authentication mode being password (Operation / Command / Description). Set the timeout time of the user interface: idle-timeout minutes [ seconds ]. Optional; the default timeout time of a user interface is 10 minutes.
  • Page 46: Telnet Configuration With Authentication Mode Being Scheme

    Chapter 2: Logging into an Ethernet Switch. # Enter VTY 0 user interface view. [4210] user-interface vty 0 # Configure to authenticate users logging into VTY 0 using the password. [4210-ui-vty0] authentication-mode password # Set the local password to 123456 (in plain text). [4210-ui-vty0] set authentication password simple 123456 # Specify commands of level 2 are available to users logging into VTY 0.
  • Page 47 Telnet Configuration with Authentication Mode Being Scheme. Table 22 Telnet configuration with the authentication mode being scheme (Operation / Command / Description). Configure the authentication scheme: Enter the default ISP domain view: domain domain-name. Configure the scheme: scheme { local | none | ... Optional; by default, the local AAA scheme is applied. If you specify to apply...
  • Page 48 Chapter 2: Logging into an Ethernet Switch. Table 22 Telnet configuration with the authentication mode being scheme (Operation / Command / Description). Set the maximum number of lines the screen can contain: screen-length screen-length. Optional; by default, the screen can contain up to 24 lines.
  • Page 49 Telnet Configuration with Authentication Mode Being Scheme. Table 23 Determine the command level when users logging into switches are authenticated in the scheme mode (Scenario: Authentication mode / User type / Command; Command level). Authentication mode: authentication-mode scheme [ ...; user type: VTY users that ...; command: the user privilege level level command is not executed, and the ...; command level: Level 0.
  • Page 50 Chapter 2: Logging into an Ethernet Switch. Configuration Example. Network requirements: Assume the current user logs in through the Console port and the user level is set to the administrator level (level 3). Perform the following configurations for users logging into VTY 0 using Telnet. Configure the local user name as "guest".
  • Page 51 Telnet Configuration with Authentication Mode Being Scheme. # Configure Telnet protocol is supported. [4210-ui-vty0] protocol inbound telnet # Set the maximum number of lines the screen can contain to 30. [4210-ui-vty0] screen-length 30 # Set the maximum number of commands the history command buffer can store to 20.
  • Page 52 Chapter 2: Logging into an Ethernet Switch. Figure 13 The terminal window. Perform the following operations in the terminal window to assign IP address 202.38.160.92/24 to VLAN-interface 1 of the switch. <4210> system-view [4210] interface Vlan-interface 1 [4210-Vlan-interface1] ip address 202.38.160.92 255.255.255.0 2 Perform Telnet-related configuration on the switch according to instructions earlier in this chapter.
  • Page 53 "All user interfaces are used, please try later!". A 3Com series Ethernet switch can accommodate up to five Telnet connections at the same time.
  • Page 54: Logging In Using A Modem

    Chapter 2: Logging into an Ethernet Switch. Note that xxxx is the IP address or the host name of the switch operating as the Telnet server. You can use the ip host command to assign a host name to a switch. 4 After successful login, the CLI prompt (such as <4210>) appears.
  • Page 55 Logging in Using a Modem. Switch Configuration. After logging into a switch through its Console port by using a modem, you will enter the AUX user interface. The corresponding configuration on the switch is the same as that when logging into the switch locally through its Console port except that: When you log in through the Console port using a modem, the baud rate of...
  • Page 56 Chapter 2: Logging into an Ethernet Switch. Figure 17 Establish the connection by using modems. 4 Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch, as shown in Figure 18 through Figure 20.
  • Page 57 Logging in Using a Modem. Figure 19 Set the telephone number. Figure 20 Call the modem. 5 If the password authentication mode is specified, enter the password when prompted. If the password is correct, the prompt (such as <4210>) appears. You can then configure or manage the switch.
  • Page 58: Logging In Through The Web-Based Network Management System

    Chapter 2: Logging into an Ethernet Switch. Logging in through the Web-based Network Management System. A Switch 4210 has a Web server built in. It enables you to log into a Switch 4210 through a Web browser and then manage and maintain the switch intuitively by interacting with the built-in Web server.
  • Page 59 Logging in through the Web-based Network Management System. Figure 21 Establish an HTTP connection between your PC and the switch. 4 Log into the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch in the address bar.
  • Page 60 Chapter 2: Logging into an Ethernet Switch. Network diagram: Figure 23 Network diagram for login banner configuration. Configuration Procedure: # Enter system view. <4210> system-view # Configure the banner "Welcome" to be displayed when a user logs into the switch through Web.
  • Page 61: Managing From An Nms

    Managing from an NMS. Table 27 Enable/Disable the Web Server (Operation / Command / Description). Disable the Web server: ip http shutdown; enable the Web server: undo ip http shutdown. Required. To improve security and prevent attacks on unused sockets, TCP port 80 (used by the HTTP service) is enabled or disabled along with the corresponding configuration. Enabling the Web server (by using the undo ip http shutdown command)...
  • Page 62: User Control

    Chapter 2: Logging into an Ethernet Switch. User Control. Refer to "Password Control Configuration Operations" on page 555 for information about the ACL. A switch provides ways to control different types of login users, as listed in Table 29. Table 29 Ways to control different types of login users (Login mode / Control method)...
  • Page 63 User Control. Table 30 Control Telnet users by source IP addresses (Operation / Command / Description). Apply the ACL to control Telnet users by source IP addresses: acl acl-number { inbound | outbound }. Required; the inbound keyword specifies to filter the users trying to Telnet to the current switch.
  • Page 64 Chapter 2: Logging into an Ethernet Switch. Table 32 Control Telnet users by source MAC addresses (Operation / Command / Description). Enter user interface view: user-interface [ type ] first-number [ last-number ]. Apply the ACL to control Telnet users by specified source MAC ...: acl acl-number inbound. Required; by default, no ACL is applied for...
  • Page 65 User Control. Prerequisites: The controlling policy against network management users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying). Controlling Network Management Users by Source IP Addresses. Controlling network management users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999.
  • Page 66 Chapter 2: Logging into an Ethernet Switch. ACLs in the commands, the network management users are filtered by the SNMP group name and SNMP user name. Configuration Example. Network requirements: Only SNMP users sourced from the IP address 10.110.100.52 are permitted to log into the switch.
  • Page 67 User Control. Table 34 Control Web users by source IP addresses (Operation / Command / Description). Enter system view: system-view. Create a basic ACL or enter basic ACL view: acl number acl-number [ match-order { config | auto } ]. As for the acl number command, the config keyword is specified by default.
  • Page 68 Chapter 2: Logging into an Ethernet Switch. # Apply ACL 2030 to only permit the Web users sourced from the IP address of 10.110.100.52 to access the switch. [4210] ip http acl 2030...
  • Page 69: Configuration File Management

    Configuration File Management. Introduction to Configuration File. A configuration file records and stores the user settings for a switch. It also enables users to check switch configurations easily. Types of configuration: The configuration of a device falls into two types: Saved configuration, a configuration file used for initialization. If this file does...
  • Page 70: Management Of Configuration File

    .def file extension (e.g., 3comoscfg-26Port.def). This has factory-loaded default settings recommended by 3Com. There is a specific .def file for each switch type. Management of Configuration File. If the default (.def) configuration file does not exist, the switch will come up with the switch internal defaults.
  • Page 71 Management of Configuration File. configuration file in the device even if the device reboots or the power fails during the process. CAUTION: The configuration file to be used for next startup may be lost if the device reboots or the power fails during the configuration file saving process. In this case, the device reboots without loading any configuration file.
  • Page 72 Chapter 3: Configuration File Management. While the reset saved-configuration [ main ] command erases the configuration file with main attribute, it only erases the main attribute of a configuration file having both main and backup attribute. While the reset saved-configuration backup command erases the...
  • Page 73 Management of Configuration File. Table 40 Display Device Configuration (Operation / Command / Description). Display the initial configuration file saved in the storage device: display saved-configuration [ unit unit-id ] [ by-linenum ]. Display the configuration file used for this and next startup: display startup [ unit unit-id ... Display the current VLAN...
  • Page 74 Chapter 3: Configuration File Management...
  • Page 75: VLAN Overview

    VLAN Overview. Introduction to VLAN. The traditional Ethernet is a broadcast network, where all hosts are in the same broadcast domain and connected with each other through hubs or switches. Hubs and switches, which are the basic network connection devices, have limited forwarding functions.
  • Page 76 Chapter 4: VLAN Overview. Figure 29 A VLAN implementation (Router, two Switches, VLAN A and VLAN B). Advantages of VLANs. Compared with the traditional Ethernet, VLAN enjoys the following advantages. Broadcasts are confined to VLANs. This decreases bandwidth consumption and...
  • Page 77 (TPID), priority, canonical format indicator (CFI), and VLAN ID. TPID is a 16-bit field, indicating that this data frame is VLAN-tagged. By default, it is 0x8100 in 3Com series Ethernet switches. Priority is a 3-bit field, referring to 802.1p priority. Refer to "QoS...
  • Page 78: Port-Based Vlan

    Chapter 4: VLAN Overview. Currently, the 3Com Switch 4210 Family adopts the IVL mode only. For more information about the MAC address forwarding table, refer to "MAC Address Table Management" on page 131. VLAN Classification. Depending on how VLANs are established, VLANs fall into the following six categories.
  • Page 79: Vlan Configuration

    VLAN Configuration. Table 41 VLAN configuration tasks (Tasks / Description / Related section). Basic VLAN configuration: Required; "Basic VLAN Configuration". Basic VLAN interface configuration: Optional; "Basic VLAN Interface Configuration". Displaying VLAN configuration: Optional; "Displaying VLAN Configuration"...
  • Page 80 Chapter 5: VLAN Configuration. Basic VLAN Interface Configuration. Configuration prerequisites: Before configuring a VLAN interface, create the corresponding VLAN. Configuration procedure: Table 43 Basic VLAN interface configuration (Operation / Command / Description). Enter system view: system-view. Create a VLAN interface and enter VLAN interface view: interface Vlan-interface vlan-id. Required; by default, there is no VLAN...
  • Page 81: Configuring A Port-Based Vlan

    Configuring a Port-Based VLAN. Configuration prerequisites: Create a VLAN before configuring a port-based VLAN. Configuration procedure: Table 45 Configure a port-based VLAN (Operation / Command / Description). Enter system view: system-view. Enter VLAN view: vlan vlan-id. Add Ethernet ports to ...: port interface-list...
  • Page 82 Chapter 5: VLAN Configuration. Configuration procedure: Configure Switch A. # Create VLAN 101, specify its descriptive string as "DMZ", and add Ethernet1/0/1 to VLAN 101. <SwitchA> system-view [SwitchA] vlan 101 [SwitchA-vlan101] description DMZ [SwitchA-vlan101] port Ethernet 1/0/1 [SwitchA-vlan101] quit # Create VLAN 201, and add Ethernet1/0/2 to VLAN 201.
  • Page 83 Configuring a Port-Based VLAN. For the command of configuring a port link type (port link-type) and the command of allowing packets of certain VLANs to pass through a port (port trunk permit), refer to "Ethernet Port Configuration" on page 96.
  • Page 84 Chapter 5: VLAN Configuration...
  • Page 85: Managing The Vlan

    Managing the VLAN. Overview. To manage an Ethernet switch remotely through Telnet or the built-in Web server, the switch needs to be assigned an IP address, and a route must exist between the user and the switch. For the Switch 4210, only the management VLAN interface can be assigned an IP address.
  • Page 86: Configuring Vlan Management

    Chapter 6: Managing the VLAN. Configuring VLAN Management. Before configuring the management VLAN, make sure the VLAN operating as the management VLAN exists. If VLAN 1 (the default VLAN) is the management VLAN, just go ahead. Overview. Table 46 Configure the management VLAN (Operation / Command / Remarks)...
  • Page 87 Configuring VLAN Management. Network diagram: Figure 33 Network diagram for management VLAN configuration (Switch A with Vlan-interface10 at 1.1.1.1/24 and the current user on the Console port over an RS-232 serial console cable; Router with Ethernet1/1 at 1.1.1.2/24 and a Telnet user). Configuration procedure: Perform the following configurations after the current user logs in to Switch A through the Console port.
  • Page 88: Displaying And Maintaining Management Vlan Configuration

    Chapter 6: Managing the VLAN. Displaying and Maintaining Management VLAN Configuration. Table 47 Displaying and maintaining management VLAN configuration (Operation / Command / Remarks). Display the IP-related information about a management VLAN: display ip interface [ Vlan-interface vlan-id ]. Optional; available in any view.
  • Page 89: Ip Addressing

    IP Addressing Configuration. IP Addressing Overview. IP Address Classes. IP addressing uses a 32-bit address to identify each host on a network. An example is 01010000100000001000000010000000 in binary. To make IP addresses in 32-bit form easier to read, they are written in dotted decimal notation, each being four octets in length, for example, 10.1.1.1 for the address just mentioned.
  • Page 90 Chapter 7: IP Addressing Configuration. Table 48 IP address classes and ranges (Class / Address range / Description). A: 0.0.0.0 to 127.255.255.255. Address 0.0.0.0 means this host on this network. This address is used by a host at bootstrap when it does not know its IP address.
  • Page 91: Configuring Ip Addresses

    Configuring IP Addresses While allowing you to create multiple logical networks within a single Class A, B, or C network, subnetting is transparent to the rest of the Internet. All these networks still appear as one. As subnetting adds an additional level, subnet ID, to the two-level hierarchy with IP addressing, IP routing now involves three steps: delivery to the site, delivery to the subnet, and delivery to the host.
  • Page 92: Displaying Ip Addressing Configuration

    Chapter 7: IP Addressing Configuration. Displaying IP Addressing Configuration. After the above configuration, you can execute the display command in any view to display the operating status and configuration on the interface to verify your configuration. Table 50 Display IP addressing configuration (Operation / Command / Remarks)...
  • Page 93: Ip Performance Configuration

    IP Performance Configuration. IP Performance Overview. Introduction to IP Performance Configuration. In some network environments, you need to adjust the IP parameters to achieve best network performance. The IP performance configuration supported by Switch 4210 Family includes: Configuring TCP attributes...
  • Page 94 Chapter 8: IP Performance Configuration. the system restarts the timer from receiving the last non-FIN packet. The connection is broken after the timer expires. Size of TCP receive/send buffer. Table 52 Configure TCP attributes (Operation / Command / Remarks). Enter system view: system-view. Configure TCP synwait timer's ...: tcp timer syn-timeout...
  • Page 95: Displaying And Maintaining Ip Performance Configuration

    Displaying and Maintaining IP Performance Configuration: After the above configurations, you can execute the display command in any view to display the running status to verify your IP performance configuration. Use the reset command in user view to clear the IP, TCP, and UDP traffic statistics. Table 54 Display and maintain IP performance (Operation...
  • Page 96 Chapter 8: IP Performance Configuration...
  • Page 97: Port Basic

    Port Basic Configuration. Ethernet Port Overview. Link Types of Ethernet Ports: An Ethernet port on a Switch 4210 can be of the following three link types. ■ Access. An access port can belong to only one VLAN. It is used to provide...
  • Page 98: Ethernet Port Configuration

    Chapter 9: Port Basic Configuration. Table 55 Processing of incoming/outgoing packets (Port type | Processing of an incoming packet: if the packet does not carry a VLAN tag | if the packet carries a VLAN tag | Processing of an outgoing packet): Access | Receive the ... | If the VLAN ID is just the ... | Deprive the tag from the packet...
  • Page 99 Ethernet Port Configuration. Table 56 Initially configure a port (Operation | Command | Remarks): Enable the Ethernet port | undo shutdown | Optional. By default, the port is enabled. Use the shutdown command to disable the port. Set the description string for the Ethernet port | description text | Optional. By default, the description...
  • Page 100 Chapter 9: Port Basic Configuration. Table 57 Configure auto-negotiation speeds for a port (Operation | Command | Remarks): Configure the available auto-negotiation speed(s) for the port | speed auto [ 10 | 100 | 1000 ... | Optional. By default, the port speed is determined through auto-negotiation.
  • Page 101 Ethernet Port Configuration: ■ The local switch sends a message to notify the peer switch to stop sending packets to it or to reduce the sending rate temporarily. ■ The peer switch will stop sending packets to the local switch or reduce the...
  • Page 102 Chapter 9: Port Basic Configuration. Configuring a Trunk Port. Table 62 Configure trunk port attributes (Operation | Command | Remarks): Enter system view | system-view. Enter Ethernet port view | interface interface-type interface-number. Set the link type of the port to trunk | port link-type trunk | Required. Set the default VLAN ID for...
  • Page 103 Ethernet Port Configuration: ■ If loopback is found on an access port, the system disables the port, sends a Trap message to the client and removes the corresponding MAC forwarding entry. ■ If loopback is found on a trunk or hybrid port, the system sends a Trap message...
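    The tag handling that Table 55 summarizes for access, trunk and hybrid ports, as an added example (not code from the 3Com guide): untagged frames join the port's default VLAN, an access port accepts a tagged frame only for its own VLAN (so a host on an access port cannot inject traffic into another VLAN by tagging it), a trunk strips the tag only for its default VLAN, and a hybrid port strips it for the VLANs configured as untagged. The `permitted`/`untagged` sets are an assumed model of the per-port VLAN lists; the test frames are constructed.

```python
"""802.1Q tag handling per link type. Added example; the rules are the standard
access/trunk/hybrid behaviour, and the `permitted` and `untagged` sets are an
assumed model of the port's VLAN lists (not the switch's own data structures)."""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Port:
    link_type: str                                    # "access", "trunk" or "hybrid"
    pvid: int = 1                                     # default VLAN ID of the port
    permitted: Set[int] = field(default_factory=set)  # trunk/hybrid: VLANs allowed through
    untagged: Set[int] = field(default_factory=set)   # hybrid only: VLANs sent without a tag

    def __post_init__(self) -> None:
        if self.link_type == "access":
            self.permitted = {self.pvid}              # an access port belongs to exactly one VLAN


def ingress(port: Port, vid: Optional[int]) -> Optional[int]:
    """VLAN a received frame is assigned to; None means the port drops the frame.

    `vid` is None for an untagged frame, otherwise the VLAN ID carried in its tag."""
    if vid is None:
        vid = port.pvid                               # untagged frames join the default VLAN
    # access: only its own VLAN is accepted; trunk/hybrid: only VLANs on the permit list
    return vid if vid in port.permitted else None


def egress(port: Port, vid: int) -> Optional[str]:
    """How a frame of VLAN `vid` leaves the port: "untagged", "tagged" or None (not sent)."""
    if vid not in port.permitted:
        return None
    if port.link_type == "access":
        return "untagged"                             # the tag is always stripped
    if port.link_type == "trunk":
        return "untagged" if vid == port.pvid else "tagged"
    return "untagged" if vid in port.untagged else "tagged"


def switch(in_port: Port, vid: Optional[int], out_port: Port) -> Optional[str]:
    """Carry one frame from in_port to out_port through the two checks above."""
    vlan = ingress(in_port, vid)
    return None if vlan is None else egress(out_port, vlan)


if __name__ == "__main__":
    # constructed ports: a host-facing access port in VLAN 10 and an uplink trunk
    host_port = Port("access", pvid=10)
    uplink = Port("trunk", pvid=1, permitted={1, 10, 20})
    print("host -> uplink:", switch(host_port, None, uplink))     # tagged with VLAN 10
    print("host tags 20:", ingress(host_port, 20))                # None: dropped at ingress
```

    A frame from the access port reaches the trunk tagged with VLAN 10, while a frame the host tags with VLAN 20 is dropped at ingress, which is the property that makes access ports safe for untrusted hosts.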
  • Page 104: Configuring The Interval To Perform Statistical Analysis On Port Traffic

    Chapter 9: Port Basic Configuration. ■ external: Performs an external loop test. In the external loop test, self-loop headers must be used on the port of the switch (for a 100M port, the self-loop headers are made from four cores of the 8-core cable; for a 1000M port, the self-loop headers are made from all eight cores of the 8-core cable), so that the packets forwarded by the port are received by the port itself.
  • Page 105: Disabling Up/Down Log Output On A Port

    Disabling Up/Down Log Output on a Port. Table 67 Set the interval to perform statistical analysis on port traffic (Operation | Command | Description): Enter system view | system-view. Enter Ethernet port view | interface interface-type interface-number. Set the interval to perform statistical analysis on port traffic | flow-interval interval | Optional. By default, this interval is 300...
  • Page 106: Ethernet Port Configuration Example

    Chapter 9: Port Basic Configuration. # After you disable Ethernet 1/0/1 from outputting Up/Down log information and execute the shutdown command or the undo shutdown command on Ethernet 1/0/1, no Up/Down log information is output for Ethernet 1/0/1. [4210-Ethernet1/0/1] undo enable log updown [4210-Ethernet1/0/1] shutdown [4210-Ethernet1/0/1] undo shutdown Displaying and...
  • Page 107: Troubleshooting Ethernet Port Configuration

    Troubleshooting Ethernet Port Configuration. Configuration procedure: ■ Only the configuration for Switch A is listed below. The configuration for Switch B is similar to that of Switch A. ■ This example supposes that VLAN 2, VLAN 6 through VLAN 50 and VLAN 100...
  • Page 108 Chapter 9: Port Basic Configuration...
  • Page 109: Link Aggregation

    Link Aggregation Configuration. Overview. Introduction to Link Aggregation: Link aggregation can aggregate multiple Ethernet ports together to form a logical aggregation group. To upper layer entities, all the physical links in an aggregation group are a single logical link. Link aggregation is designed to increase bandwidth by implementing outgoing/incoming load sharing among the member ports in an aggregation group.
  • Page 110: Link Aggregation Classification

    Chapter 10: Link Aggregation Configuration. Link Aggregation Classification: Depending on the aggregation mode, the following three types of link aggregation exist: ■ Manual aggregation ■ Static LACP aggregation ■ Dynamic LACP aggregation. Manual Aggregation Group. Introduction to manual aggregation group: A manual aggregation group is manually created.
  • Page 111 Link Aggregation Classification must contain at least one port. When a static aggregation group contains only one port, you cannot remove the port unless you remove the whole aggregation group. LACP is enabled on the member ports of static aggregation groups. When you remove a static aggregation group, all the member ports in up state form one or multiple dynamic aggregations with LACP enabled.
  • Page 112: Aggregation Group Categories

    Chapter 10: Link Aggregation Configuration. Port status of dynamic aggregation group: A port in a dynamic aggregation group can be in one of two states: selected and unselected. ■ Both the selected and the unselected ports can receive/transmit LACP protocol...
  • Page 113: Link Aggregation Configuration

    Link Aggregation Configuration. Load-sharing aggregation resources are allocated to aggregation groups in the following order: ■ An aggregation group containing special ports which require hardware aggregation resources has higher priority than any aggregation group containing no special port. ■ A manual or static aggregation group has higher priority than a dynamic...
  • Page 114 Chapter 10: Link Aggregation Configuration. Configuring a Manual Aggregation Group: You can create a manual aggregation group, or remove an existing manual aggregation group (after that, all the member ports will be removed from the group). For a manual aggregation group, a port can only be manually added to or removed from the group.
  • Page 115 Link Aggregation Configuration. Table 71 Configure a static LACP aggregation group (Operation | Command | Remarks): Enter Ethernet port view | interface interface-type interface-number. Add the port to the aggregation group | port link-aggregation group agg-id | Required. For a static LACP aggregation group or a manual aggregation group, it is recommended that you do not cross cables between the two devices at the two ends of the aggregation group.
  • Page 116: Displaying And Maintaining Link Aggregation Configuration

    Chapter 10: Link Aggregation Configuration. Table 73 Configure a description for an aggregation group (Operation | Command | Remarks): Configure a description for an aggregation group | link-aggregation group agg-id description agg-name | Optional. By default, no description is configured for an aggregation group. CAUTION: If you have saved the current configuration with the save command, after system reboot, the configuration concerning manual and static aggregation groups and their descriptions still exists, but that of dynamic aggregation groups...
  • Page 117 Link Aggregation Configuration Example. Network diagram: Figure 38 Network diagram for link aggregation configuration (Switch A and Switch B connected by the aggregated links). Configuration procedure: The following example only lists the configuration required on Switch A; you must perform the same configuration procedure on Switch B to implement link aggregation.
  • Page 118 Chapter 10: Link Aggregation Configuration. [4210-Ethernet1/0/3] port link-aggregation group 1. 3 Adopting dynamic LACP aggregation mode. # Enable LACP on Ethernet1/0/1 through Ethernet1/0/3. <4210> system-view [4210] interface Ethernet1/0/1 [4210-Ethernet1/0/1] lacp enable [4210-Ethernet1/0/1] quit [4210] interface Ethernet1/0/2 [4210-Ethernet1/0/2] lacp enable [4210-Ethernet1/0/2] quit [4210] interface Ethernet1/0/3 [4210-Ethernet1/0/3] lacp enable CAUTION: The three LACP-enabled ports can be aggregated into one dynamic...
  • Page 119: Port Isolation Configuration

    Port Isolation Configuration. Port Isolation Overview: Through the port isolation feature, you can add the ports to be controlled into an isolation group to isolate the Layer 2 and Layer 3 data between each port in the isolation group; ports in the group still exchange traffic with ports outside it, such as the uplink. Thus, you can construct your network in a more flexible way and improve your network security.
  • Page 120: Displaying Port Isolation Configuration

    Chapter 11: Port Isolation Configuration. Displaying Port Isolation Configuration: After the above configuration, you can execute the display command in any view to display the result of your port isolation configuration, thus verifying your configuration. Table 76 Display port isolation configuration (Operation | Command | Description)...
  • Page 121 Port Isolation Configuration Example [4210] interface ethernet1/0/4 [4210-Ethernet1/0/4] port isolate [4210-Ethernet1/0/4] quit [4210] quit # Display information about the ports in the isolation group. <4210> display isolate port Isolated port(s) on UNIT 1: Ethernet1/0/2, Ethernet1/0/3, Ethernet1/0/4...
  • Page 122 Chapter 11: Port Isolation Configuration...
  • Page 123: Port Security Configuration

    Port Security Configuration. Port Security Overview. Introduction: Port security is a security mechanism for network access control. It brings together both 802.1x access control and MAC address authentication and allows for combinations of these technologies. Port security allows you to define various security modes that enable devices to learn legal source MAC addresses, so that you can implement different network security management as needed.
  • Page 124 Chapter 12: Port Security Configuration. Table 77 Description of port security modes (Security mode | Description | Feature): noRestriction | In this mode, access to the port is not restricted. | In this mode, neither the NTK nor the intrusion protection feature is triggered. autolearn | In this mode, the port ... | In either mode, the device will...
  • Page 125 Port Security Overview. Table 77 Description of port security modes (continued): userLoginSecure | MAC-based 802.1x authentication is performed on the access user. The port is enabled only after the authentication succeeds. | In any of these modes, the device triggers the NTK and Intrusion Protection features upon detecting an illegal...
  • Page 126: Port Security Configuration

    Chapter 12: Port Security Configuration. Table 77 Description of port security modes (continued): macAddressElseUserLoginSecure | MAC authentication is performed first on the access user. If the MAC authentication succeeds, the access user has the accessibility; otherwise, 802.1x authentication is performed on the access user.
  • Page 127 Port Security Configuration. Table 78 Port security configuration tasks (Task | Remarks): "Configuring Security MAC Addresses" | Optional. Enabling Port Security: Before enabling port security, you need to disable 802.1x and MAC authentication globally. Table 79 Enable port security (Operation | Command | Remarks): Enter system view | system-view. Enable port security...
  • Page 128 Chapter 12: Port Security Configuration. Table 80 Set the maximum number of MAC addresses allowed on a port (Operation | Command | Remarks): Set the maximum number of MAC addresses allowed on the port | port-security max-mac-count count-value | Required. Not limited by default. ■ Assume that, in the macAddressOrUserLoginSecureExt port security mode,...
  • Page 129 Port Security Configuration: ■ After you set the port security mode to autolearn, you cannot configure any static or blackhole MAC addresses on the port. ■ If the port is in a security mode other than noRestriction, before you can change the port security mode, you need to restore the port security mode to noRestriction with the undo port-security port-mode command.
  • Page 130 Chapter 12: Port Security Configuration. Configuring the Trap feature. Table 84 Configure port security trapping (Operation | Command | Remarks): Enter system view | system-view. Enable sending traps for the specified type of event | port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ... | Required. By default, no trap is sent...
  • Page 131: Displaying Port Security Configuration

    Displaying Port Security Configuration. Before continuing, make sure that: ■ Port security is enabled. ■ The maximum number of security MAC addresses allowed on the port is set. ■ The security mode of the port is set to autolearn. Table 86 Configure a security MAC address (Operation | Command | Remarks)...
  • Page 132 Chapter 12: Port Security Configuration. Network diagram: Figure 40 Network diagram for port security configuration (Host, MAC 0001-0002-0003, attached to Eth1/0/1 of the Switch, which connects to the Internet). Configuration procedure: # Enter system view. <4210> system-view # Enable port security. [4210] port-security enable # Enter Ethernet1/0/1 port view. [4210] interface Ethernet1/0/1 # Set the maximum number of MAC addresses allowed on the port to 80.
  • Page 133: Mac Address Table Management

    MAC Address Table Management. This chapter describes the management of static, dynamic, and blackhole MAC address entries. For information about the management of multicast MAC address entries, refer to "Multicast Overview" on page 185. Introduction to the MAC Address Table: An Ethernet switch is mainly used to forward packets at the data link layer, that is, to transmit the packets to the corresponding ports according to the destination MAC address of the packets.
  • Page 134 Chapter 13: MAC Address Table Management: packet, that is, the address "MAC-A" of User A, to the MAC address table of the switch, forming an entry shown in Figure 42. Figure 41 MAC address learning diagram (1) (User A, User B and User C attached to ports Eth1/0/1, Eth1/0/3 and Eth1/0/4)...
  • Page 135: Managing Mac Address Table

    Managing MAC Address Table: the switch records the association between the MAC address of User B and the corresponding port in the MAC address table of the switch. Figure 44 MAC address learning diagram (3) (User A, User B and User C attached to ports Eth1/0/1, Eth1/0/3 and Eth1/0/4)...
  • Page 136: Configuring Mac Address Table Management

    Chapter 13: MAC Address Table Management. The aging timer only takes effect on dynamic MAC address entries. Entries in a MAC address table: Entries in a MAC address table fall into the following categories according to their characteristics and configuration methods: Static MAC address entry: Also known as permanent MAC address entry.
  • Page 137 Configuring MAC Address Table Management. Configuring a MAC Address Entry: You can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a specific port, or remove a specific type of MAC address entries (dynamic or static MAC address entries). You can add a MAC address entry in either system view or Ethernet port view.
  • Page 138: Displaying Mac Address Table Information

    Chapter 13: MAC Address Table Management. Table 92 Set aging time of MAC address entries (Operation | Command | Description): Enter system view | system-view. Set the aging time of MAC address entries | mac-address timer { aging age | no-aging } | Required. The default aging time is 300 seconds.
  • Page 139: Configuration Example

    Configuration Example. Adding a Static MAC Address Entry Manually. Network requirements: The server connects to the switch through Ethernet 1/0/2. To prevent the switch from broadcasting packets destined for the server, it is required to add the MAC address of the server to the MAC address table of the switch, which then forwards packets destined for the server through Ethernet 1/0/2.
  • Page 140 Chapter 13: MAC Address Table Management...
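    The learning, aging and flooding behaviour described in this chapter, together with the per-port MAC limit of the port security chapter (max-mac-count and the intrusion event), as one added example that is not code from the 3Com guide. It assumes the default 300-second aging timer, that a blackhole entry drops frames with that MAC as source or destination, and that the configured intrusion action is simply to drop the offending frame; the frames are constructed.

```python
"""Learning-bridge MAC table with the static, dynamic and blackhole entry kinds,
aging, and a per-port learning limit modelled on port-security max-mac-count.
Added example; the intrusion action (drop the frame, record an event) is an
assumption, the real switch offers several configurable actions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ffff-ffff-ffff"


@dataclass
class Entry:
    port: Optional[str]      # egress port; None for blackhole entries
    kind: str                # "static", "dynamic" or "blackhole"
    last_seen: float = 0.0   # refreshed on every frame for dynamic entries only


class MacTable:
    def __init__(self, ports: List[str], aging: Optional[float] = 300.0):
        self.ports = list(ports)
        self.aging = aging                      # None models `mac-address timer no-aging`
        self.entries: Dict[str, Entry] = {}
        self.max_mac: Dict[str, int] = {}       # per-port limit, like port-security max-mac-count
        self.events: List[Tuple[str, str, str]] = []   # (event, port, mac) records

    # ---- management, the counterpart of the chapter's configuration commands ----
    def add_static(self, mac: str, port: str) -> None:
        self.entries[mac] = Entry(port, "static")

    def add_blackhole(self, mac: str) -> None:
        self.entries[mac] = Entry(None, "blackhole")

    def set_max_mac(self, port: str, limit: int) -> None:
        self.max_mac[port] = limit

    def dynamic_count(self, port: str) -> int:
        return sum(1 for e in self.entries.values() if e.kind == "dynamic" and e.port == port)

    # ---- data plane ----
    def age(self, now: float) -> List[str]:
        """Remove dynamic entries idle longer than the aging timer; static ones never age."""
        if self.aging is None:
            return []
        expired = [m for m, e in self.entries.items()
                   if e.kind == "dynamic" and now - e.last_seen > self.aging]
        for m in expired:
            del self.entries[m]
        return expired

    def _learn(self, src: str, in_port: str, now: float) -> bool:
        """Source-address learning; returns False when the frame must be dropped."""
        e = self.entries.get(src)
        if e is not None and e.kind != "dynamic":
            return e.kind == "static"           # learning never overwrites static/blackhole entries
        new_on_port = e is None or e.port != in_port
        if new_on_port and self.dynamic_count(in_port) >= self.max_mac.get(in_port, 1 << 30):
            self.events.append(("intrusion", in_port, src))   # assumed action: drop the frame
            return False
        self.entries[src] = Entry(in_port, "dynamic", now)
        return True

    def forward(self, src: str, dst: str, in_port: str, now: float) -> Set[str]:
        """Egress ports for one frame; an empty set means it was dropped."""
        self.age(now)
        if not self._learn(src, in_port, now):
            return set()
        d = self.entries.get(dst)
        if d is None or dst == BROADCAST:
            return set(self.ports) - {in_port}  # unknown unicast and broadcast are flooded
        if d.kind == "blackhole" or d.port == in_port:
            return set()
        return {d.port}


if __name__ == "__main__":
    # constructed traffic: the server of the chapter's example sits on Ethernet1/0/2
    t = MacTable(["Ethernet1/0/1", "Ethernet1/0/2", "Ethernet1/0/3"])
    t.add_static("000f-e200-2200", "Ethernet1/0/2")
    print(t.forward("000a-000a-000a", "000f-e200-2200", "Ethernet1/0/1", now=0.0))  # {'Ethernet1/0/2'}
```

    With the static entry in place, a frame for the server goes out of Ethernet 1/0/2 only instead of being flooded, which is the point of the chapter's configuration example; without it, an attacker on any other port would receive a copy of every frame for a server whose entry has aged out.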
  • Page 141: Stp Overview

    MSTP Configuration. STP Overview. Functions of STP: Spanning tree protocol (STP) is a protocol conforming to IEEE 802.1D. It aims to eliminate loops at the data link layer in a local area network (LAN). Devices running this protocol detect loops in the network by exchanging packets with one another and eliminate the loops detected by blocking specific ports until the network is pruned into one with a tree topology.
  • Page 142 Chapter 14: MSTP Configuration: a non-root-bridge device has one and only one root port. The root bridge has no root port. 3 Designated bridge and designated port: Refer to Table 95 for the description of designated bridge and designated port. Table 95 Designated bridge and designated port (Classification | Designated bridge...
  • Page 143 STP Overview. How STP works: STP identifies the network topology by transmitting configuration BPDUs between network devices. Configuration BPDUs contain sufficient information for network devices to complete the spanning tree calculation. Important fields in a configuration BPDU include: ■ Root bridge ID, consisting of root bridge priority and MAC address...
  • Page 144 Chapter 14: MSTP Configuration. Principle for configuration BPDU comparison: ■ The configuration BPDU that has the lowest root bridge ID has the highest priority. ■ If all the configuration BPDUs have the same root bridge ID, they will be compared for their root path costs.
  • Page 145 STP Overview. The following is an example of how the STP algorithm works. The specific network diagram is shown in Figure 47. The priority of Device A is 0, the priority of Device B is 1, the priority of Device C is 2, and the path costs of these links are 5, 10 and 4 respectively.
  • Page 146 Chapter 14: MSTP Configuration. Table 99 Comparison process and result on each device (Device | Comparison process | BPDU of port after comparison): Device A | ■ Port AP1 receives the configuration BPDU of Device B {1, 0, 1, BP1}. Device A finds that the configuration BPDU of the local port {0, 0, 0, AP1} is superior to the received configuration BPDU, and discards the... | AP1: {0, 0, 0, AP1}; AP2: {0, 0, 0, AP2}
  • Page 147 STP Overview. Table 99 Comparison process and result on each device (continued): Device C | ■ Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the... | CP1: {0, 0, 0, AP2}; CP2: {1, 0, 1, BP2}
  • Page 148 Chapter 14: MSTP Configuration. Figure 48 The final calculated spanning tree (Device A with priority 0: AP1, AP2; Device B with priority 1: BP1, BP2; Device C with priority 2: CP2). To facilitate description, the spanning tree calculation process in this example is simplified, while the actual process is more complicated.
  • Page 149: Mstp Overview

    MSTP Overview: ...designated port begin to forward data as soon as they are elected, loops may temporarily occur. For this reason, the protocol uses a state transition mechanism. Namely, a newly elected root port and the designated ports must go through a period, which is twice the forward delay time, before they transition to the forwarding state.
  • Page 150 Chapter 14: MSTP Configuration. ■ MSTP supports mapping VLANs to MST instances by means of a VLAN-to-instance mapping table. MSTP introduces the "instance" (a set that integrates multiple VLANs) and can bind multiple VLANs to an instance, thus saving communication overhead and improving resource utilization. ■ MSTP divides a switched network into multiple regions, each containing...
  • Page 151 MSTP Overview. A switched network can contain multiple MST regions. You can group multiple switches into one MST region by using the corresponding MSTP configuration commands. As shown in Figure 49, all the switches in region A0 have the same MST region-related configuration, including: ■ Region name...
  • Page 152 14: MSTP C HAPTER ONFIGURATION Region root A region root is the root of the IST or an MSTI in an MST region. Different spanning trees in an MST region may have different topologies and thus have different region roots. In region D0 shown in Figure 49, the region root of MSTI 1 is switch B, and the region root of MSTI 2 is switch C.
  • Page 153: Port State

    MSTP Overview. Figure 50 Port roles (an MST region whose switches each show an edge port, a port connected to the common root, and Port 2)...
  • Page 154 Chapter 14: MSTP Configuration. Calculate an MSTI: In an MST region, different MSTIs are generated for different VLANs based on the VLAN-to-MSTI mappings. Each spanning tree is calculated independently, in the same way as STP/RSTP. Implement STP algorithm: In the beginning, each switch regards itself as the root, and generates a configuration BPDU for each port on it as a root, with the root path cost being 0, the ID of the designated bridge being that of the switch, and the designated port...
  • Page 155: Configuring Root Bridge

    Switches recognize the protocol packets of STP and RSTP and use them for spanning tree calculation. In addition to the basic MSTP functions, 3Com series switches also provide the following functions for users to manage their switches. Root bridge hold ■...
  • Page 156 Chapter 14: MSTP Configuration. Table 101 Configure a root bridge (Operation | Description | Related section): Enable MSTP | Required. To prevent network topology jitter caused by other related configurations, it is recommended that you enable MSTP after the other related configurations are performed. | "Enabling MSTP". Configure an MST region | Required | "Configuring an MST Region"...
  • Page 157 Configuring Root Bridge. Configuring an MST Region. Configuration procedure: Table 102 Configure an MST region (Operation | Command | Description): Enter system view | system-view. Enter MST region view | stp region-configuration. Configure the name of the MST region | region-name name | Required. The default MST region name of a switch is its MAC address.
  • Page 158 Chapter 14: MSTP Configuration. [4210-mst-region] instance 2 vlan 20 to 30 [4210-mst-region] revision-level 1 [4210-mst-region] active region-configuration # Verify the above configuration. [4210-mst-region] check region-configuration Admin configuration: Format selector; Region name: info; Revision level: 1; Instance | Vlans Mapped: 0 | 11 to 19, 31 to 4094; 1 | 1 to 10; 2 | 20 to 30. Specifying the Current...
  • Page 159 Configuring Root Bridge When the root bridge fails or is turned off, the secondary root bridge becomes the root bridge if no new root bridge is configured. If you configure multiple secondary root bridges for a spanning tree instance, the one with the smallest MAC address replaces the root bridge when the latter fails.
  • Page 160 Chapter 14: MSTP Configuration. ■ During the selection of the root bridge, if multiple switches have the same bridge priority, the one with the smallest MAC address becomes the root bridge. Configuration example: # Set the bridge priority of the current switch to 4,096 in spanning tree instance 1. <4210>...
  • Page 161 Configuring Root Bridge. Table 106 Configure the mode a port recognizes and sends MSTP packets (in system view) (Operation | Command | Description): Configure the mode a port recognizes and sends MSTP packets | stp interface interface-type interface-number compliance { auto | dot1s | ... | Required. By default, a port recognizes and sends MSTP packets in...
  • Page 162 Chapter 14: MSTP Configuration. Configuration procedure: Table 108 Configure the MSTP operation mode (Operation | Command | Description): Enter system view | system-view. Configure the MSTP operation mode | stp mode { stp | rstp | mstp } | Required. An MSTP-enabled switch operates in MSTP mode by default.
  • Page 163 Configuring Root Bridge. Configuring the Network Diameter of the Switched Network: In a switched network, any two switches can communicate with each other through a specific path made up of multiple switches. The network diameter of a network is measured by the number of switches; it equals the number of switches on the longest path (that is, the path containing the maximum number of switches).
  • Page 164 Chapter 14: MSTP Configuration. All switches in a switched network adopt the three time-related parameters configured on the CIST root bridge. CAUTION: ■ The forward delay parameter and the network diameter are correlated. Normally, a large network diameter corresponds to a large forward delay. A too small forward delay parameter may result in temporary redundant paths.
  • Page 165 Configuring Root Bridge: ...number to avoid such cases. Normally, the timeout time can be four or more times the hello time. For a steady network, the timeout time can be five to seven times the hello time. Configuration procedure: Table 112 Configure the timeout time factor (Operation | Command...
  • Page 166 Chapter 14: MSTP Configuration: ...to prevent MSTP from occupying too many network resources. The default value is recommended. Configuration example: # Set the maximum transmitting speed of Ethernet 1/0/1 to 15. 1 Configure the maximum transmitting speed in system view <4210>...
  • Page 167 Configuring Root Bridge. Configuration example: # Configure Ethernet 1/0/1 as an edge port. 1 Configure Ethernet1/0/1 as an edge port in system view <4210> system-view [4210] stp interface Ethernet1/0/1 edged-port enable 2 Configure Ethernet 1/0/1 as an edge port in Ethernet port view <4210>...
  • Page 168 Chapter 14: MSTP Configuration: ...if the link of a port is not a point-to-point link and you forcibly configure the link as a point-to-point link, loops may occur temporarily. Configuration example: # Configure the link connected to Ethernet 1/0/1 as a point-to-point link. 1 Perform this configuration in system view <4210>...
  • Page 169: Configuring Leaf Nodes

    Configuring Leaf Nodes Table 120 Enable MSTP in Ethernet port view Operation Command Description Disable MSTP on the port stp disable Optional By default, MSTP is enabled on all ports after you enable MSTP in system view. To enable a switch to operate more flexibly, you can disable MSTP on specific ports.
  • Page 170 Chapter 14: MSTP Configuration. Table 121 Configure leaf nodes (Operation | Description | Related section): Configure the current port as an edge port | Optional | "Configuring the Current Port as an Edge Port". Configure the path cost for a port | Optional | "Configuring the Path Cost for a Port"...
  • Page 171 Configuring Leaf Nodes. Standards for calculating path costs of ports: Currently, a switch can calculate the path costs of ports based on one of the following standards: ■ dot1d-1998: Adopts the IEEE 802.1D-1998 standard to calculate the default path costs of ports. ■ dot1t: Adopts the IEEE 802.1t standard to calculate the default path costs of...
  • Page 172 Chapter 14: MSTP Configuration: ...whereas the 802.1T standard does. The following formula is used to calculate the path cost of an aggregated link: Path cost = 200,000 / link transmission speed, where "link transmission speed" is the sum of the speeds of all the unblocked ports on the aggregated link, measured in units of 100 Kbps.
  • Page 173 Configuring Leaf Nodes <4210> system-view [4210] interface Ethernet1/0/1 [4210-Ethernet1/0/1] stp instance 1 cost 2000 Configuration example (B) # Configure the path cost of Ethernet 1/0/1 in spanning tree instance 1 to be calculated by the MSTP-enabled switch according to the IEEE 802.1D-1998 standard.
  • Page 174: Performing Mcheck Operation

    Chapter 14: MSTP Configuration. A smaller port priority value indicates a higher possibility for the port to become the root port. If all the ports of a switch have the same port priority value, the port priorities are determined by the port indexes. Changing the priority of a port will cause spanning tree recalculation.
  • Page 175: Configuring Guard Functions

    Configuring Guard Functions. Perform the mCheck operation in system view: Table 128 Perform the mCheck operation in system view (Operation | Command | Description): Enter system view | system-view. Perform the mCheck operation | stp [ interface interface-list ] mcheck | Required. Perform the mCheck operation in Ethernet port view: Table 129 Perform the mCheck operation in Ethernet port view (Operation | Command...
  • Page 176 Chapter 14: MSTP Configuration. Root guard: A root bridge and its secondary root bridges must reside in the same region. The root bridge of the CIST and its secondary root bridges are usually located in the high-bandwidth core region. Configuration errors or attacks (for example, a device attached to an access port advertising a lower bridge ID than the legitimate root) may result in configuration BPDUs with priorities higher than that of the root bridge, which causes a new root bridge to be elected and network topology jitter to occur.
  • Page 177 Configuring Guard Functions: ...the maximum number of times a switch may remove the MAC address table and ARP entries to 100 and the switch receives 200 TC-BPDUs in the period, the switch removes the MAC address table and ARP entries only 100 times within the period.
  • Page 178 Chapter 14: MSTP Configuration. <4210> system-view [4210] interface Ethernet1/0/1 [4210-Ethernet1/0/1] stp root-protection. Configuring Loop Guard. Configuration procedure: Table 133 Configure loop guard (Operation | Command | Description): Enter system view | system-view. Enter Ethernet port view | interface interface-type interface-number. Enable the loop guard function on the current port | stp loop-protection | Required...
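    The configuration-BPDU comparison of the STP overview (root bridge ID, then root path cost, then designated bridge ID, then designated port ID; smaller wins) run over the Figure 47 topology, plus the root guard behaviour described above, as one added example that is not code from the 3Com guide. Assumptions: bridge IDs are (priority, name) tuples with the name standing in for the MAC address, port IDs are plain strings, BPDU aging and the listening/learning timers are ignored, and the costs 5, 10 and 4 are assigned to the A-B, A-C and B-C links respectively because the figure itself is not on the page. The rogue switch in the usage note is constructed.

```python
"""Simplified STP election: repeat the configuration-BPDU exchange until it
settles and report each port's role. Added example, not the switch's code."""
from typing import Dict, FrozenSet, List, Tuple

BridgeId = Tuple[int, str]                   # (priority, MAC); here the device name stands in for the MAC
Bpdu = Tuple[BridgeId, int, BridgeId, str]   # (root ID, root path cost, designated bridge ID, designated port ID)
Link = Tuple[str, str, str, str, int]        # (device, port, peer device, peer port, path cost)
PortKey = Tuple[str, str]


def elect(priorities: Dict[str, int], links: List[Link],
          root_guard: FrozenSet[PortKey] = frozenset(), max_rounds: int = 20) -> Dict[PortKey, str]:
    """Roles: "root", "designated", "blocked" (alternate port) or "root-guard-blocked"
    (a root-guarded port that received a BPDU superior to the switch's own)."""
    bid: Dict[str, BridgeId] = {d: (p, d) for d, p in priorities.items()}
    peer: Dict[PortKey, Tuple[str, str, int]] = {}
    for a, pa, b, pb, cost in links:
        peer[(a, pa)], peer[(b, pb)] = (b, pb, cost), (a, pa, cost)
    ports = {d: sorted(p for (dd, p) in peer if dd == d) for d in priorities}
    # Initially every switch claims to be the root on every port, with root path cost 0.
    sent: Dict[PortKey, Bpdu] = {(d, p): (bid[d], 0, bid[d], p) for (d, p) in peer}
    best_rx: Dict[PortKey, Bpdu] = {}        # best BPDU seen on each port (no aging: assumption)
    role: Dict[PortKey, str] = {k: "designated" for k in peer}

    for _ in range(max_rounds):
        # 1. Designated ports transmit; a receiver keeps the superior (lexicographically smaller) BPDU.
        for (d, p), (pd, pp, _) in peer.items():
            if role[(d, p)] == "designated":
                rx = sent[(d, p)]
                if (pd, pp) not in best_rx or rx < best_rx[(pd, pp)]:
                    best_rx[(pd, pp)] = rx
        changed = False
        # 2. Each switch elects its root port, then decides designated vs. blocked for the others.
        for d in priorities:
            candidates = []
            for p in ports[d]:
                if (d, p) in best_rx and (d, p) not in root_guard:   # a guarded port can never be root port
                    r_root, r_cost, r_bridge, r_port = best_rx[(d, p)]
                    # root path cost seen through this port = advertised cost + cost of the incoming link
                    candidates.append(((r_root, r_cost + peer[(d, p)][2], r_bridge, r_port), p))
            if candidates and min(candidates)[0][:2] < (bid[d], 0):
                (root, rpc, _, _), root_port = min(candidates)
            else:
                root, rpc, root_port = bid[d], 0, None    # this switch is (still) the root
            for p in ports[d]:
                mine: Bpdu = (root, rpc, bid[d], p)       # BPDU this switch would send as designated port
                rx = best_rx.get((d, p))
                if p == root_port:
                    new = ("root", best_rx[(d, p)])
                elif rx is None or mine < rx:
                    new = ("designated", mine)
                elif (d, p) in root_guard:
                    new = ("root-guard-blocked", rx)      # superior BPDU on a guarded port: stop forwarding
                else:
                    new = ("blocked", rx)
                if new != (role[(d, p)], sent[(d, p)]):
                    changed = True
                    role[(d, p)], sent[(d, p)] = new
        if not changed:
            break
    return role


# Figure 47: priorities from the text; link costs 5, 10, 4 assigned to A-B, A-C, B-C (assumption).
FIGURE_47 = {"A": 0, "B": 1, "C": 2}
LINKS_47: List[Link] = [("A", "AP1", "B", "BP1", 5), ("A", "AP2", "C", "CP1", 10), ("B", "BP2", "C", "CP2", 4)]

if __name__ == "__main__":
    for key, value in sorted(elect(FIGURE_47, LINKS_47).items()):
        print(key, value)
```

    On the Figure 47 topology the result matches Figure 48: BP1 and CP2 become root ports, A's ports are designated, and CP1 (root path cost 10 against 9 through Device B) is blocked. Adding a constructed rogue switch with priority 0 and a lower MAC on a new port CP3 of Device C makes CP3 the root port and displaces Device A as root; with `root_guard=frozenset({("C", "CP3")})` the same port is reported as root-guard-blocked and the original tree is kept, which is what `stp root-protection` on an access-facing port buys you.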
  • Page 179: Configuring Digest Snooping

    Configuring Digest Snooping Configuring Digest Snooping Introduction According to IEEE802.1s, two interconnected switches can communicate with each other through MSTIs in an MST region only when the two switches have the same MST region-related configuration. Interconnected MSTP-enabled switches determine whether or not they are in the same MST region by checking the configuration IDs of the BPDUs between them.
  • Page 180: Configuring Rapid Transition

    Chapter 14: MSTP Configuration. Table 135 Configure digest snooping (Operation | Command | Description): Display the current configuration | display current-configuration | You can execute this command in any view. ■ When the digest snooping feature is enabled on a port, the port state turns to...
  • Page 181 Configuring Rapid Transition: ...RSTP in the way it implements rapid transition on designated ports. When a switch of this kind operating as the upstream switch connects with a 3Com series switch running MSTP, the upstream designated port fails to change its state rapidly.
  • Page 182 Chapter 14: MSTP Configuration: ...manufacturer's switch running proprietary spanning tree protocols, you can enable the rapid transition feature on the ports of the 3Com series switch operating as the downstream switch. Among these ports, those operating as the root ports will then send agreement packets to their upstream ports after they receive proposal packets from the upstream designated ports, instead of waiting for agreement packets from the upstream switch.
  • Page 183: Stp Maintenance Configuration

    STP Maintenance Configuration. Table 137 Configure the rapid transition feature in Ethernet port view (Operation | Command | Description): Enter Ethernet port view | interface interface-type interface-number. Enable the rapid transition feature | stp no-agreement-check | Required. By default, the rapid transition feature is disabled on a port. ■ The rapid transition feature can be enabled on only root ports or alternate...
  • Page 184: Displaying And Maintaining Mstp

    14: MSTP C HAPTER ONFIGURATION Network topology changes are detected. ■ Configuration procedure Table 139 Enable trap messages conforming to 802.1d standard Operation Command Description Enter system view system-view Enable trap messages stp [ instance instance-id ] Required conforming to 802.1d dot1d-trap [ newroot | standard in an instance topologychange ] enable...
  • Page 185 MSTP Configuration Example. ... Switch B are configured as the root bridges of spanning tree instance 1 and spanning tree instance 3 respectively. Switch C is configured as the root bridge of spanning tree instance 4. Network diagram: Figure 54 Network diagram for MSTP configuration. The word "permit"...
  • Page 186 Chapter 14: MSTP Configuration
    [4210-mst-region] active region-configuration
    # Specify Switch B as the root bridge of spanning tree instance 3.
    [4210] stp instance 3 root primary
    3 Configure Switch C.
    # Enter MST region view.
    <4210> system-view
    [4210] stp region-configuration
    # Configure the MST region.
  • Page 187: Multicast

    Multicast Overview. With the development of the Internet, more and more interactive services, such as data, voice, and video services, are running on networks. In addition, highly bandwidth- and time-critical services, such as e-commerce, Web conferencing, online auctions, video on demand (VoD), and tele-education, have come into being.
  • Page 188 Chapter 15: Multicast Overview. ... the server must send many pieces of information with the same content to the users. Therefore, the limited bandwidth becomes the bottleneck in information transmission. This shows that unicast is not suitable for transmitting a great deal of information.
  • Page 189 Multicast Overview. ... the information only once. With multicast distribution trees established for multicast data packets through multicast routing protocols, the packets are duplicated and distributed at the nearest nodes, as shown in Figure 57 (Information transmission in the multicast mode)...
  • Page 190 Chapter 15: Multicast Overview. ■ All receivers interested in the same information form a multicast group. ■ Multicast groups are not subject to geographic restrictions. ■ A router that supports Layer 3 multicast is called a multicast router or Layer 3 multicast device.
  • Page 191: Multicast Models

    Multicast Models. Based on the multicast source processing modes, there are three multicast models: ■ Any-Source Multicast (ASM) ■ Source-Filtered Multicast (SFM) ■ Source-Specific Multicast (SSM). ASM model: In the ASM model, any sender can become a multicast source and send information to a multicast group;...
  • Page 192 Chapter 15: Multicast Overview. ■ Host registration: A receiving host joins and leaves a multicast group dynamically using the membership registration mechanism. ■ Multicast routing: A router or switch transports packets from a multicast source to receivers by building a multicast distribution tree with multicast routes. ■ Multicast application: A multicast source must support multicast applications,...
  • Page 193 Multicast Architecture. Class D IP addresses range from 224.0.0.0 to 239.255.255.255. For details, see Table 142. Table 142 Range and description of Class D IP addresses (Class D address range / Description): 224.0.0.0 to 224.0.0.255: Reserved multicast addresses (IP addresses for permanent multicast groups).
  • Page 194 Chapter 15: Multicast Overview. Ethernet multicast MAC address: When a unicast IP packet is transported in an Ethernet network, the destination MAC address is the MAC address of the receiver. When a multicast packet is transported in an Ethernet network, a multicast MAC address is used as the destination address because the destination is a group with an uncertain number of members.
  • Page 195 Multicast Architecture. Figure 59 Positions of Layer 2 multicast protocols. Running on Layer 2 devices, Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that manages and controls multicast groups by listening to and analyzing IGMP messages exchanged between the hosts and Layer 3 multicast devices, thus effectively controlling the flooding of multicast data in a Layer 2 network.
  • Page 196 Chapter 15: Multicast Overview. Figure 60 Positions of Layer 3 multicast protocols. ■ Multicast management protocols: Typically, the Internet Group Management Protocol (IGMP) is used between hosts and the Layer 3 multicast devices directly connected to the hosts. These protocols define the mechanism for establishing and maintaining group memberships between hosts and Layer 3 multicast devices.
  • Page 197: Multicast Packet Forwarding Mechanism

    Multicast Packet Forwarding Mechanism. In a multicast model, a multicast source sends information to the host group identified by the multicast group address in the destination address field of the IP packets. Therefore, to deliver multicast packets to receivers located in different parts of the network, multicast routers on the forwarding path usually need to forward multicast packets received on one incoming interface to multiple outgoing interfaces.
  • Page 198 Chapter 15: Multicast Overview. RPF Check: The basis for an RPF check is a unicast route. A unicast routing table contains the shortest path to each destination subnet. A multicast routing protocol does not independently maintain any type of unicast route; instead, it relies on the existing unicast routing information when creating multicast routing entries.
  • Page 199: Igmp Snooping

    IGMP Snooping Configuration. IGMP Snooping Overview: Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups. Principle of IGMP Snooping: By analyzing received IGMP messages, a Layer 2 device running IGMP Snooping establishes mappings between ports and multicast MAC addresses and forwards multicast data based on these mappings.
  • Page 200 Chapter 16: IGMP Snooping Configuration. Figure 63 IGMP Snooping related ports. Ports involved in IGMP Snooping, as shown in Figure 63, are described as follows: ■ Router port: A router port is a port on the Layer 3 multicast device (DR or IGMP...
  • Page 201 IGMP Snooping Overview. Upon receiving an IGMP general query, the switch forwards it through all ports in the VLAN except the receiving port and performs the following on the receiving port: ■ If the receiving port is a router port existing in its router port list, the switch...
  • Page 202: Igmp Snooping Configuration

    Chapter 16: IGMP Snooping Configuration. ... the forwarding entry corresponding to that port from the forwarding table; instead, it resets the aging timer of the member port. Upon receiving an IGMP leave message from a host, the IGMP querier resolves from the message the address of the multicast group that the host just left and sends an IGMP group-specific query to that multicast group through the port that received the leave message.
  • Page 203 IGMP Snooping Configuration. Table 146 Enable IGMP Snooping (Operation / Command / Remarks): Enter VLAN view: vlan vlan-id. Enable IGMP Snooping on the VLAN: igmp-snooping enable (Required; by default, IGMP Snooping is disabled on all VLANs). Caution: ■ Before enabling IGMP Snooping in a VLAN, be sure to enable IGMP Snooping...
  • Page 204 Chapter 16: IGMP Snooping Configuration. Table 148 Configure timers (Operation / Command / Remarks): Configure the aging timer of the multicast member port: igmp-snooping host-aging-time seconds (Optional; by default, the aging time of multicast member ports is 260 seconds). Configuring Fast Leave Processing: With fast leave processing enabled, when the switch receives an IGMP leave message on a port, the switch directly removes that port from the forwarding...
  • Page 205 IGMP Snooping Configuration. Configuring a Multicast Group Filter: On an IGMP Snooping-enabled switch, the configuration of a multicast group filter allows the service provider to define restrictions on the multicast programs available to different users. In an actual application, when a user requests a multicast program, the user's host initiates an IGMP report.
  • Page 206 Chapter 16: IGMP Snooping Configuration. Configuring the Maximum Number of Multicast Groups on a Port: By configuring the maximum number of multicast groups that can be joined on a port, you can limit the number of on-demand multicast programs available to users, and thus regulate traffic on the port.
  • Page 207 IGMP Snooping Configuration. In Ethernet port view: Table 154 Configure a static multicast group member port in Ethernet port view (Operation / Command / Remarks): Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Configure the current port as a static member port for a ...: multicast static-group ... (Required)...
  • Page 208 Chapter 16: IGMP Snooping Configuration. In Ethernet port view: Table 156 Configure a static router port in Ethernet port view (Operation / Command / Remarks): Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Configure the current port as a static router port: multicast static-router-port vlan ... (Required)...
  • Page 209: Displaying And Maintaining Igmp Snooping

    Displaying and Maintaining IGMP Snooping. Table 158 Configure a port as a simulated group member (Operation / Command / Remarks): Configure the current port as a simulated multicast group member: igmp host-join group-address [ source-ip source-address ] vlan ... (Optional; simulated joining is disabled by default).
  • Page 210: Igmp Snooping Configuration Examples

    Chapter 16: IGMP Snooping Configuration. Table 160 Display and maintain IGMP Snooping (Operation / Command / Remarks): Clear IGMP Snooping statistics: reset igmp-snooping statistics (you can execute the reset command in user view). IGMP Snooping Configuration Examples. Configuring IGMP Snooping. Network requirements: To prevent multicast traffic from being flooded at Layer 2, enable IGMP Snooping on Layer 2 switches.
  • Page 211 IGMP Snooping Configuration Examples
    # Enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on Ethernet1/0/1.
    <RouterA> system-view
    [RouterA] multicast routing-enable
    [RouterA] interface Ethernet 1/0/1
    [RouterA-Ethernet1/0/1] igmp enable
    [RouterA-Ethernet1/0/1] pim dm
    [RouterA-Ethernet1/0/1] quit
    [RouterA] interface Ethernet 1/0/2
    [RouterA-Ethernet1/0/2] pim dm
    [RouterA-Ethernet1/0/2] quit
    3 Configure Switch A...
  • Page 212: Troubleshooting Igmp Snooping

    Chapter 16: IGMP Snooping Configuration. Troubleshooting IGMP Snooping. Symptom: The multicast function does not work on the switch. Solution: Possible reasons are: ■ IGMP Snooping is not enabled. ■ Use the display current-configuration command to check the status of IGMP Snooping.
  • Page 213: Introduction To 802.1X

    802.1x Configuration. ■ The online user handshaking function is added. See “Configuring Basic 802.1x Functions”. ■ The configuration of 802.1x re-authentication is added. See “Configuring 802.1x Re-Authentication”. ■ The configuration of the 802.1x re-authentication interval is added. See “Configuring the 802.1x Re-Authentication Timer”. Introduction to 802.1x: The 802.1x protocol (802.1x for short) was developed by the IEEE 802 LAN/WAN committee to address security issues of wireless LANs.
  • Page 214 ■ The authenticator system is another entity residing at one end of a LAN segment. It authenticates the connected supplicant systems. The authenticator system is usually an 802.1x-supported network device (such as a 3Com series switch). It provides the port (physical or logical) for the supplicant system to access the LAN.
  • Page 215 Introduction to 802.1x. The way a port is controlled: A port of a 3Com series switch can be controlled in the following two ways. ■ Port-based authentication. When a port is controlled in this way, all the supplicant systems connected to the port can access the network without being authenticated after one supplicant system among them passes the authentication.
  • Page 216 Chapter 17: 802.1x Configuration. In an EAPoL packet: ■ The PAE Ethernet type field holds the protocol identifier. The identifier for 802.1x is 0x888E. ■ The Protocol version field holds the version of the protocol supported by the sender of the EAPoL packet. ■ The Type field can be one of the following:...
  • Page 217 Introduction to 802.1x. ■ The Length field indicates the size of an EAP packet, which includes the Code, Identifier, Length, and Data fields. ■ The Data field contains information about an EAP packet. Its format depends on the Code field. A Success or Failure packet does not contain the Data field, so its Length field is 4.
  • Page 218 Chapter 17: 802.1x Configuration. 802.1x Authentication Procedure: The Switch 4210 can authenticate supplicant systems in EAP terminating mode or EAP relay mode. EAP relay mode: This mode is defined in 802.1x. In this mode, EAP packets are encapsulated in higher-level protocol (such as EAPoR) packets to enable them to successfully reach the authentication server.
  • Page 219 Introduction to 802.1x. Figure 72 802.1x authentication procedure (in EAP relay mode): the supplicant system and the authenticator system exchange EAPOL; the authenticator system and the RADIUS server exchange EAPOR. Message sequence: EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity; RADIUS Access-Request (EAP-Response/Identity); RADIUS Access-Challenge (EAP-Request/MD5 challenge); EAP-Request/MD5 challenge; EAP-Response/MD5 challenge; RADIUS Access-Request (EAP-Response/MD5 challenge)...
  • Page 220 Chapter 17: 802.1x Configuration. ■ Upon receiving the key (encapsulated in an EAP-request/MD5 challenge packet) from the switch, the client program encrypts the password of the supplicant system with the key and sends the encrypted password (contained in an EAP-response/MD5 challenge packet) to the RADIUS server through the switch.
  • Page 221 Introduction to 802.1x. Figure 73 802.1x authentication procedure (in EAP terminating mode): the supplicant system and the authenticator system PAE exchange EAPOL; the authenticator system and the RADIUS server exchange RADIUS. Message sequence: EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity; EAP-Request/MD5 Challenge; EAP-Response/MD5 Challenge; RADIUS Access-Request (CHAP-Response/MD5 Challenge); RADIUS Access-Accept (CHAP-Success); EAP-Success; port authorized; handshake timer; handshake request...
  • Page 222 ■ The Guest VLAN function. 3Com’s CAMS Server is a service management system used to manage networks and to secure networks and user information. With the cooperation of other networking devices (such as switches) in the network, a CAMS server can implement the AAA functions and rights management.
  • Page 223 ... IE proxies, it prompts the 802.1x client to disable use of multiple network adapters, proxies, or IE proxies through messages after the supplicant system passes the authentication. ■ The client-checking function needs the support of 3Com’s 802.1x client program.
  • Page 224 Chapter 17: 802.1x Configuration. ■ Users belonging to the Guest VLAN can access the resources of the Guest VLAN without being authenticated. But they need to be authenticated when accessing external resources. Normally, the Guest VLAN function is coupled with the dynamic VLAN delivery function.
  • Page 225: Configuration

    802.1x Configuration. 802.1x provides a solution for authenticating users. To implement this solution, you need to execute 802.1x-related commands. You also need to configure AAA schemes on switches and specify the authentication scheme (RADIUS, HWTACACS or local authentication scheme). Figure 75 802.1x configuration...
  • Page 226 ■ Handshaking packets need the support of the 3Com-proprietary client. They are used to test whether or not a user is online. ■ As clients that are not from 3Com do not support the online user handshaking function, switches cannot receive handshaking acknowledgement packets...
  • Page 227 Basic 802.1x Configuration. ... from them in handshaking periods. To prevent users from being falsely considered offline, you need to disable the online user handshaking function in this case. ■ For the handshaking packet secure function to take effect, the clients that enable the function need to cooperate with the authentication server.
  • Page 228: Advanced 802.1X Configuration

    { logoff | trap } quit. ■ The proxy checking function needs the cooperation of 3Com’s 802.1x client (iNode) program. ■ The proxy checking function depends on the online user handshaking function. To enable the proxy detecting function, you need to enable the online user handshaking function first.
  • Page 229 Advanced 802.1x Configuration. Table 165 Configure client version checking (Operation / Command / Remarks): Enable 802.1x client version checking: In system view: dot1x version-check [ interface interface-list ] (Required; by default, 802.1x client version checking is disabled on a port). In port view: interface interface-type interface-number...
  • Page 230 Chapter 17: 802.1x Configuration. CAUTION: ■ The Guest VLAN function is available only when the switch operates in the port-based authentication mode. ■ Only one Guest VLAN can be configured for each switch. ■ The Guest VLAN function cannot be implemented when the switch executes...
  • Page 231: Displaying And Debugging 802.1X

    Displaying and Debugging 802.1x. After performing the above configurations, you can display and verify the 802.1x-related configuration by executing the display command in any view. You can clear 802.1x-related statistics information by executing the reset command in user view. Table 170 Display and debug 802.1x (Operation / Command)...
  • Page 232 Chapter 17: 802.1x Configuration. Network diagram: Figure 76 Network diagram for AAA configuration with 802.1x and RADIUS enabled (authentication servers at IP addresses 10.11.1.1 and 10.11.1.2; the switch acts as the authenticator, with the supplicant attached on Ethernet 1/0/1 and the switch connected to the IP network). Configuration procedure: The following configuration covers the major AAA/RADIUS configuration commands. Refer to “AAA Configuration”...
  • Page 233 Configuration Example
    [4210-radius-radius1] key authentication name
    # Set the password for the switch and the accounting RADIUS servers to exchange messages.
    [4210-radius-radius1] key accounting money
    # Set the interval and the number of retries for the switch to send packets to the RADIUS servers.
  • Page 234 Chapter 17: 802.1x Configuration...
  • Page 235: Introduction To Habp

    802.1x. This means that you cannot manage the attached switches. 3Com authentication bypass protocol (HABP) is designed to address this problem. An HABP packet carries the MAC addresses of the attached switches with it. It can bypass the 802.1x authentications when traveling between HABP-enabled...
  • Page 236: Habp Client Configuration

    Chapter 18: HABP Configuration. Table 171 Configure an HABP server (Operation / Command / Remarks): Configure the interval to send HABP request packets: habp timer interval (Optional; the default interval for an HABP server to send HABP request packets is 20 seconds). HABP Client: HABP clients reside on switches attached to HABP servers.
  • Page 237: System

    System-Guard Configuration. The system-guard function checks system-guard-enabled ports regularly to determine if the ports are under attack. With this function enabled, if the number of packets received by a system-guard-enabled port exceeds the set threshold, the port is regarded as under attack. The switch then limits the rate of the port and resumes the port checking operation after a specific period elapses.
  • Page 238: Displaying And Maintaining The System-Guard Function

    Chapter 19: System-Guard Configuration. Enabling System-Guard on Ports: Table 176 lists the operations to enable system-guard on ports. Table 176 Enable system-guard on ports (Operation / Command / Description): Enter system view: system-view. Enable system-guard on specified ports: system-guard permit interface-list (Required). After system-guard is enabled on a port, if the number of packets the port...
  • Page 239: Aaa Overview

    ■ Remote authentication: Users are authenticated remotely through the RADIUS protocol. This device (for example, a 3Com series switch) acts as the client to communicate with the RADIUS server. You can use standard or extended RADIUS protocols in conjunction with such systems as iTELLIN/CAMS for user authentication.
  • Page 240: Introduction To Aaa Services

    Chapter 20: AAA Overview. Accounting: AAA supports the following accounting methods: ■ None accounting: No accounting is performed for users. ■ Remote accounting: User accounting is performed on a remote RADIUS server. Introduction to ISP Domain: An Internet service provider (ISP) domain is a group of users who belong to the same ISP.
  • Page 241 Introduction to AAA Services. ■ Users: This database stores information about users (such as user name, password, protocol adopted and IP address). ■ Clients: This database stores information about RADIUS clients (such as shared key). ■ Dictionary: The information stored in this database is used to interpret the...
  • Page 242 Chapter 20: AAA Overview. The basic message exchange procedure of RADIUS is as follows: 1 The user enters the user name and password. 2 The RADIUS client receives the user name and password, and then sends an authentication request (Access-Request) to the RADIUS server. 3 The RADIUS server compares the received user information with that in the Users database to authenticate the user.
  • Page 243 Introduction to AAA Services. Figure 79 RADIUS message format (fields: Code, Identifier, Length, Authenticator, Attribute). 1 The Code field (one byte) decides the type of RADIUS message, as shown in Table 178. Table 178 Description of the major values of the Code field (Code / Message type / Message description)...
  • Page 244 Chapter 20: AAA Overview. 3 The Length field (two bytes) specifies the total length of the message (including the Code, Identifier, Length, Authenticator and Attributes fields). The bytes beyond the length are regarded as padding and are ignored upon reception. If a received message is shorter than what the Length field indicates, it is discarded.
  • Page 245 Introduction to AAA Services Figure 80 depicts the format of attribute 26. The Vendor-ID field used to identify a vendor occupies four bytes, where the first byte is 0, and the other three bytes are defined in RFC 1700. Here, the vendor can encapsulate multiple customized sub-attributes (containing vendor-specific Type, Length and Value) to implement a RADIUS extension.
  • Page 246 Chapter 20: AAA Overview...
  • Page 247: Aaa Configuration Task List

    AAA Configuration. AAA Configuration Task List: You need to configure AAA to provide network access services for legal users while protecting network devices and preventing unauthorized access and repudiation behavior. Table 180 AAA configuration tasks (configuring a combined AAA scheme for an ISP domain) (Task / Remarks)...
  • Page 248 Chapter 21: AAA Configuration. Creating an ISP Domain and Configuring Its Attributes: Table 182 Create an ISP domain and configure its attributes (Operation / Command / Remarks): Enter system view: system-view. Configure the form of the delimiter between the user name and the ISP domain ...: domain delimiter { at | dot } (Optional; by default, the delimiter ...)...
  • Page 249 ... (CAMS). Through self-service, users can manage and control their account or card numbers by themselves. A server installed with self-service software is called a self-service server. ■ 3Com’s CAMS Server is a service management system used to manage networks and ensure network and user information security. With the cooperation of other networking devices (such as switches) in a network, a CAMS server can implement the AAA functions and rights management.
  • Page 250 Chapter 21: AAA Configuration. Configuring separate AAA schemes: You can use the authentication, authorization, and accounting commands to specify a scheme for each of the three AAA functions (authentication, authorization and accounting) respectively. The following describes how this separate approach applies to the services supported by AAA. 1 For terminal users: Authentication: RADIUS, local, or none.
  • Page 251 AAA Configuration Task List. ■ Integer: If the RADIUS authentication server assigns integer-type VLAN IDs, you can set the VLAN assignment mode to integer on the switch (this is also the default mode on the switch). Then, upon receiving an integer ID assigned by the RADIUS authentication server, the switch adds the port to the VLAN whose VLAN ID is equal to the assigned integer ID.
  • Page 252 Chapter 21: AAA Configuration. Table 186 Configure the attributes of a local user (Operation / Command / Remarks): Enter system view: system-view. Set the password display mode of all local users: local-user password-display-mode { cipher-force | auto } (Optional; by default, the password display mode of all access users is auto, indicating the passwords of access users are...
  • Page 253: Radius Configuration Task List

    You can use the display connection command to view the connections of Telnet users, but you cannot use the cut connection command to cut their connections. RADIUS Configuration Task List: 3Com’s Ethernet switches can function not only as RADIUS clients but also as local RADIUS servers.
  • Page 254 Chapter 21: AAA Configuration. Table 188 RADIUS configuration tasks (the switch functions as a RADIUS client) (Task / Remarks): Configuring the RADIUS client: “Creating a RADIUS Scheme” (Required); “Configuring RADIUS Authentication/Authorization Servers” (Required); “Configuring RADIUS Accounting Servers” (Required); “Configuring Shared Keys for RADIUS Messages” (Optional)...
  • Page 255 RADIUS Configuration Task List. Table 189 RADIUS configuration tasks (the switch functions as a local RADIUS server) (Task / Remarks): Configuring the RADIUS server: “Creating a RADIUS Scheme” (Required); “Configuring RADIUS Authentication/Authorization Servers” (Required); “Configuring RADIUS Accounting Servers” (Required); “Configuring Shared Keys for RADIUS Messages” (Optional)...
  • Page 256 Chapter 21: AAA Configuration. Actually, the RADIUS service configuration only defines the parameters for information exchange between the switch and the RADIUS server. To make these parameters take effect, you must reference the RADIUS scheme configured with these parameters in ISP domain view (refer to “AAA Configuration Task List” on page 245).
  • Page 257 RADIUS Configuration Task List. ■ In an actual network environment, you can specify one server as both the primary and secondary authentication/authorization servers, as well as specifying two RADIUS servers as the primary and secondary authentication/authorization servers respectively. ■ The IP address and port number of the primary authentication server used by...
  • Page 258 Chapter 21: AAA Configuration. ■ With stop-accounting request buffering enabled, the switch first buffers the stop-accounting request that gets no response from the RADIUS accounting server, and then retransmits the request to the RADIUS accounting server until it gets a response or the maximum number of transmission attempts is reached (in which case it discards the request).
  • Page 259 RADIUS Configuration Task List. Table 194 Configure the maximum transmission attempts of a RADIUS request (Operation / Command / Remarks): Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name (Required; by default, a RADIUS scheme named "system" has already been created in the system). Set the maximum number of ...: retry retry-times (Optional)...
  • Page 260 Chapter 21: AAA Configuration. Table 196 Set the status of RADIUS servers (Operation / Command / Remarks): Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name (Required; by default, a RADIUS scheme named "system" has already been created in the system). Set the status of the primary ...: state primary ... (Optional)...
  • Page 261 RADIUS Configuration Task List. ... RADIUS servers cannot accept user names that carry ISP domain names. In this case, it is necessary to remove the domain names from the user names before sending them to the RADIUS server. For this reason, the user-name-format command is designed for you to specify whether or not ISP domain names are carried in the user names sent to the RADIUS server.
  • Page 262 Chapter 21: AAA Configuration. ... the switch can provide authentication service to up to 16 network access servers (including the switch itself) at the same time. ■ When acting as the local RADIUS authentication server, the switch does not support EAP authentication. Configuring Timers for RADIUS Servers: After sending out a RADIUS request (authentication/authorization request or...
  • Page 263 RADIUS Configuration Task List. Enabling Sending Trap Message when a RADIUS Server Goes Down: Table 200 Specify to send trap message when a RADIUS server goes down (Operation / Command / Remarks): Enter system view: system-view. Enable the sending of trap message when a RADIUS ...: radius trap { authentication-server-dow... (Optional)
  • Page 264: Displaying And Maintaining Aaa

    Chapter 21: AAA Configuration. ... if you choose to manually configure the attribute, be sure to configure an appropriate valid IP address. If this attribute is not configured, the switch automatically chooses the IP address of a VLAN interface as the NAS-IP-address. Table 201 Enable the user re-authentication at restart function (Operation / Command)...
  • Page 265: Aaa Configuration Examples

    AAA Configuration Examples. Table 203 Display and maintain RADIUS protocol information (Operation / Command / Remarks): Display RADIUS message statistics about the local RADIUS authentication server: display local-server statistics (you can execute the display command in any view). Display configuration information about one specific or all RADIUS schemes: display radius scheme [ radius-scheme-name ]...
  • Page 266 Chapter 21: AAA Configuration. ■ On the RADIUS server, set the shared key it uses to exchange messages with the switch to "aabbcc", set the authentication port number, and add Telnet user names and login passwords. The Telnet user names added to the RADIUS server must be in the format userid@isp-name if you have configured the switch to include domain names in the user names sent to the RADIUS server in the RADIUS scheme.
  • Page 267 AAA Configuration Examples. A Telnet user logging into the switch with a name in the format userid@cams belongs to the cams domain and is authenticated according to the configuration of the cams domain. Local Authentication of FTP/Telnet Users: The configuration procedure for local authentication of FTP users is similar to that for Telnet users.
  • Page 268: Troubleshooting Aaa

    Chapter 21: AAA Configuration. This method is similar to the remote authentication method described in “Remote RADIUS Authentication of Telnet/SSH Users”. However, you need to: ■ Change the server IP address and the UDP port number of the authentication server to 127.0.0.1 and 1645 respectively in the configuration step "Configure a RADIUS scheme"...
  • Page 269 Troubleshooting AAA. ■ The switch requests that both the authentication/authorization server and the accounting server use the same device (with the same IP address), but in fact they do not reside on the same device. Be sure to configure the RADIUS servers on the switch according to the actual situation.
  • Page 270 Chapter 21: AAA Configuration...
  • Page 271: Mac Authentication Overview

    MAC Authentication Configuration. MAC Authentication Overview: MAC authentication provides a way of authenticating users based on ports and MAC addresses, without requiring any client software to be installed on the hosts. Once the switch detects a new MAC address, it initiates the authentication process. During authentication, the user does not need to enter a username or password manually.
  • Page 272: Related Concepts

    Chapter 22: MAC Authentication Configuration. ■ The service type of a local user needs to be configured as lan-access. Related Concepts. MAC Authentication Timers: The following timers function in the process of MAC authentication: ■ Offline detect timer: At this interval, the switch checks to see whether an...
  • Page 273: Mac Address Authentication Enhanced Function Configuration

    MAC Address Authentication Enhanced Function Configuration Table 204 Configure basic MAC authentication functions (Operation / Command / Remarks) Set the user name in fixed mode for MAC authentication: mac-authentication authmode usernamefixed; Optional. By default, the user name is "mac"...
  • Page 274 Chapter 22: MAC Authentication Configuration Configuring a Guest VLAN Different from Guest VLANs described in the 802.1x and System-Guard chapters, Guest VLANs mentioned in this section refer to Guest VLANs dedicated to MAC address authentication. After completing configuration tasks in “Configuring Basic MAC Authentication Functions”...
  • Page 275 MAC Address Authentication Enhanced Function Configuration Table 206 Configure a Guest VLAN (Operation / Command / Description) Configure the Guest VLAN for the current port: mac-authentication guest-vlan vlan-id; Required. By default, no Guest VLAN is configured for a port. Return to system view: quit. Configure the interval at which mac-authentication timer...
  • Page 276: Displaying and Debugging MAC Authentication

    Chapter 22: MAC Authentication Configuration Table 207 Configure the maximum number of MAC address authentication users allowed to access a port (Operation / Command / Description) Configure the maximum number of MAC address authentication users allowed to access a port: mac-authentication max-auth-num user-number; Required. By default, the maximum number of MAC address...
  • Page 277: MAC Authentication Configuration Example

    MAC Authentication Configuration Example Network requirements As illustrated in Figure 83, a supplicant is connected to the switch through port Ethernet 1/0/2. ■ MAC authentication is required on port Ethernet 1/0/2 to control user access to the Internet.
  • Page 278 Chapter 22: MAC Authentication Configuration # Enable MAC authentication globally (This is usually the last step in configuring access control related features. Otherwise, a user may be denied access to the network because of incomplete configuration.) [4210] mac-authentication After doing so, your MAC authentication configuration will take effect immediately.
  • Page 279: Introduction to ARP

    ARP Configuration Introduction to ARP ARP Function Address Resolution Protocol (ARP) is used to resolve an IP address into a data link layer address. An IP address is the address of a host at the network layer. To send a network layer packet to a destination host, the device must know the data link layer address (MAC address, for example) of the destination host or the next hop.
  • Page 280 Chapter 23: ARP Configuration Table 210 Description of the ARP packet fields (Field / Description) Hardware Type: Type of the hardware interface. Refer to Table 211 for the information about the field values. Protocol type: Type of protocol address to be mapped. 0x0800 indicates an IP address.
  • Page 281: ARP Configuration

    ARP Configuration ARP Process Suppose that Host A and Host B are on the same subnet and that Host A sends a message to Host B. The resolution process is as follows: 1 Host A looks in its ARP mapping table to see whether there is an ARP entry for Host B.
  • Page 282: ARP Configuration Example

    Chapter 23: ARP Configuration Table 213 Display and debug ARP (Operation / Command / Remarks) Display specific ARP mapping table entries: display arp [ static | dynamic | ip-address ]; Available in any view. Display the ARP mapping entries related to a specified string in a specified way: display arp [ dynamic | static ] | { begin | include |...
  • Page 283: DHCP Overview

    DHCP Overview Introduction to DHCP With networks getting larger in size and more complicated in structure, a shortage of available IP addresses becomes the common situation network administrators have to face, and network configuration becomes a tough task for them.
  • Page 284 Chapter 24: DHCP Overview ■ Dynamic assignment. The DHCP server assigns IP addresses to DHCP clients for a predetermined period of time. In this case, a DHCP client must apply for an IP address again at the expiration of the period. This policy applies to most clients. Obtaining IP Addresses Dynamically A DHCP client undergoes the following four phases to dynamically obtain an IP...
  • Page 285: DHCP Packet Format

    DHCP Packet Format If the DHCP client fails to update its IP address lease when half of the lease time elapses, it will update its IP address lease by broadcasting a DHCP-REQUEST packet to the DHCP servers again when seven-eighths of the lease time elapses. The DHCP server performs the same operations as those described above.
  • Page 286: Protocol Specification

    Chapter 24: DHCP Overview ■ sname: Name of the DHCP server. ■ file: Path and name of the boot configuration file that the DHCP server specifies for the DHCP client. ■ option: Optional variable-length fields, including packet type, valid lease time,...
  • Page 287: DHCP Snooping

    DHCP Snooping Configuration Introduction to DHCP Snooping For the sake of security, the IP addresses used by online DHCP clients need to be tracked for the administrator to verify the corresponding relationship between the IP addresses the DHCP clients obtained from DHCP servers and the MAC addresses of the DHCP clients.
  • Page 288: DHCP Snooping Configuration

    Chapter 25: DHCP Snooping Configuration DHCP Snooping Configuration Table 214 Configure DHCP snooping (Operation / Command / Description) Enter system view: system-view. Enable DHCP snooping: dhcp-snooping; Required. By default, the DHCP snooping function is disabled. Display the user IP-MAC address mapping entries recorded by the ...: display dhcp-snooping [...; You can execute the display...
  • Page 289: DHCP/BOOTP Client

    DHCP/BOOTP Client Configuration Introduction to DHCP Client After you specify a VLAN interface as a DHCP client, the device can use DHCP to obtain parameters such as IP address dynamically from the DHCP server, which facilitates user configuration and management. “Obtaining IP Addresses Dynamically”...
  • Page 290: Displaying DHCP/BOOTP Client Configuration

    Chapter 26: DHCP/BOOTP Client Configuration Table 215 Configure a DHCP/BOOTP client (Operation / Command / Description) Configure the VLAN interface to obtain an IP address through DHCP or BOOTP: ip address { bootp-alloc | dhcp-alloc }; Required. By default, no IP address is configured for the VLAN interface.
  • Page 291 DHCP Client Configuration Example Network diagram Figure 89 A DHCP network (Switch A with Vlan-interface 1 as DHCP client; DHCP clients; DHCP server; WINS server; DNS server) Configuration procedure The following describes only the configuration on Switch A serving as a DHCP client.
  • Page 292 Chapter 26: DHCP/BOOTP Client Configuration...
  • Page 293: ACL Overview

    ACL Configuration ACL Overview The Switch 4210 supports software-based ACLs for the purpose of controlling management access into the Switch 4210 from Telnet and SNMP management stations. As network scale and network traffic keep growing, security control and bandwidth assignment play a more and more important role in network management.
  • Page 294 Chapter 27: ACL Configuration For the depth-first rule, there are two cases: Depth-first match order for rules of a basic ACL 1 Range of source IP address: The smaller the source IP address range (that is, the more zeros in the wildcard mask), the higher the match priority. 2 Fragment keyword: A rule with the fragment keyword takes precedence over others.
  • Page 295: ACL Configuration

    ACL Configuration ■ auto, where the rules in an ACL are matched in the order determined by the system, namely the "depth-first" order. When applying an ACL in this way, you can specify the order in which the rules in the ACL are matched.
  • Page 296 Chapter 27: ACL Configuration Note that: ■ If only a periodic time section is defined in a time range, the time range is active only when the system time is within the defined periodic time section. If multiple periodic time sections are defined in a time range, the time range is active only when the system time is within one of the periodic time sections.
  • Page 297 ACL Configuration Configuration Procedure Table 217 Define a basic ACL rule (Operation / Command / Description) Enter system view: system-view. Create an ACL and enter basic ACL view: acl number acl-number [ match-order { auto | config } ]; Required. config by default. Define an ACL rule: rule [ rule-id ] { deny | permit } [ rule-string ]; Required...
  • Page 298 Chapter 27: ACL Configuration An advanced ACL can be numbered from 3000 to 3999. Note that ACL 3998 and ACL 3999 cannot be configured because they are reserved for cluster management. Advanced ACLs support analysis and processing of three packet priority levels: type of service (ToS) priority, IP priority and differentiated services codepoint (DSCP) priority.
  • Page 299: Example For Upper-Layer Software Referencing Acls

    Example for Upper-layer Software Referencing ACLs Configuration Example # Configure ACL 3000 to permit the TCP packets sourced from the network 129.9.0.0/16 and destined for the network 202.38.160.0/24 and with the destination port number being 80. <4210> system-view [4210] acl number 3000 [4210-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80 # Display the configuration information of ACL 3000.
  • Page 300 Chapter 27: ACL Configuration Configuration procedure # Define ACL 2000. <4210> system-view [4210] acl number 2000 [4210-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [4210-acl-basic-2000] quit # Reference ACL 2000 on VTY user interface to control Telnet login users. [4210] user-interface vty 0 4 [4210-ui-vty0-4] acl 2000 inbound Example for Controlling Network requirements...
  • Page 301: Overview

    QoS Configuration Overview Introduction to QoS Quality of service (QoS) is a concept that applies wherever a service is supplied and demanded. It evaluates the ability of a service to meet the needs of its customers. Generally, the evaluation is not a precise grading. Its purpose is to analyze the conditions under which the service is the best and the conditions under which the service still needs improvement, and then to make improvements in the specified aspects.
  • Page 302: QoS Supported by Switch 4210 Family

    Chapter 28: QoS Configuration delay may cause unexpected results. That is, they need to get serviced in time even if congestion occurs. Newly emerging applications demand higher service performance from IP networks. In addition to simply delivering packets to their destinations, better network services are demanded, such as allocating dedicated bandwidth, reducing packet loss ratio, avoiding congestion, regulating network traffic, and setting priority of the packets.
  • Page 303 QoS Supported By Switch 4210 Family consisting of source address, source port number, protocol number, destination address, and destination port number. It can also be simply a network segment. Precedence IP precedence, ToS precedence, and DSCP precedence Figure 92 DS field and ToS byte (bit layout) Preced...
  • Page 304 Chapter 28: QoS Configuration ■ Class selector (CS) class: This class comes from the IP ToS field and includes eight subclasses; ■ Best Effort (BE) class: This class is a special class without any assurance in the CS class. The AF class can be degraded to the BE class if it exceeds the limit. Current IP network traffic belongs to this class by default.
  • Page 305 QoS Supported By Switch 4210 Family The 4-byte 802.1Q tag header consists of the tag protocol identifier (TPID, two bytes in length), whose value is 0x8100, and the tag control information (TCI, two bytes in length). Figure 94 describes the detailed contents of an 802.1Q tag header.
  • Page 306 Chapter 28: QoS Configuration You can also configure to trust packet priority. In this case, a received packet is processed in one of the following three ways: ■ With the 802.1p precedence of a packet trusted, the switch obtains the corresponding local precedence by looking up the 802.1p precedence of the packet in the 802.1p-precedence-to-local-precedence mapping table and assigns the local precedence to the packet.
  • Page 307 QoS Supported By Switch 4210 Family Table 225 IP-precedence-to-local-precedence mapping table (IP precedence / Local precedence) Port Rate Limiting Port rate limiting refers to limiting the total rate of inbound or outbound packets on a port. Port rate limiting can be implemented through token buckets. The token bucket can be considered as a container with a certain capacity to hold tokens.
  • Page 308 Chapter 28: QoS Configuration In the following section, weighted round robin (WRR) and HQ-WRR (High Queue-WRR) queues are introduced. WRR queuing Figure 96 Diagram for WRR queuing (Queue 1 with Weight 1, Queue 2 with Weight 2, ...; packets to be sent through this port; sent packets)...
  • Page 309: QoS Configuration

    QoS Configuration Although the burst function helps reduce the packet loss ratio and improve packet processing capability in the networks mentioned above, it may affect QoS performance. So, use this function with caution. QoS Configuration Table 226 QoS configuration tasks Task Remarks Configuring Port Priority...
  • Page 310 Chapter 28: QoS Configuration Configuring to Trust the 802.1p Precedence of the Received Packets You can configure the switch to trust the 802.1p precedence of the received packets. In this case, the priority of the receiving port is not used as the 802.1p precedence of the received packet.
  • Page 311 QoS Configuration Configuring Priority Mapping You can modify the COS-precedence-to-local-precedence, DSCP-precedence-to-local-precedence and IP-precedence-to-local-precedence mapping tables as required to mark packets with different priorities. Configuration prerequisites The target COS-precedence-to-local-precedence, DSCP-precedence-to-local-precedence and IP-precedence-to-local-precedence mapping tables are determined. Configuration procedure Table 230 Configure COS-precedence-to-local-precedence mapping table Operation Command Description...
  • Page 312 Chapter 28: QoS Configuration cos(802.1p) : ----------------------------------------------------------------------- local precedence(queue) : Configuring Port Rate Limiting Refer to “Port Rate Limiting” on page 305 for information about port rate limiting. Configuration prerequisites ■ The port on which port rate limiting configuration is to be performed is...
  • Page 313 QoS Configuration Configuration procedure Table 234 Configure queue scheduling (Operation / Command / Description) Enter system view: system-view. Configure queue scheduling: queue-scheduler { hq-wrr queue0-weight queue1-weight queue2-weight | wrr queue0-weight queue1-weight queue2-weight queue3-weight }; Required. By default, all the ports adopt the WRR queue scheduling algorithm, with the weight for queue 0, queue 1, queue 2, and queue 3 as 1, 2, 3,...
  • Page 314 Chapter 28: QoS Configuration Displaying QoS After the above configuration, you can execute the display command in any view to view the running status of QoS and verify the configuration. Table 236 Display QoS (Operation / Command / Description) Display the COS-precedence-to-local-precedence...: display qos cos-local-precedence-map; Available in any view...
  • Page 315: Mirroring

    Mirroring Configuration Mirroring Overview Mirroring refers to the process of copying packets of one or more ports (source ports) to a destination port which is connected to a data detection device. Users can then use the data detection device to analyze the mirrored packets on the destination port for monitoring and troubleshooting the network.
  • Page 316: Mirroring Configuration Example

    Chapter 29: Mirroring Configuration Table 237 Configuring local port mirroring (Operation / Command / Description) Configure the source port for the mirroring group, in system view: mirroring-group group-id mirroring-port mirroring-port-list { both | inbound | outbound }; Use either approach. You can configure multiple source ports at a time in system view, or you can configure the...
  • Page 317 Mirroring Configuration Example Use the local port mirroring function to meet the requirement. Perform the following configurations on Switch C. ■ Configure Ethernet 1/0/1 and Ethernet 1/0/2 as mirroring source ports. ■ Configure Ethernet 1/0/3 as the mirroring destination port. Network diagram Figure 98 Network diagram for local port mirroring R&D...
  • Page 318 Chapter 29: Mirroring Configuration...
  • Page 319: Cluster

    Clustering A cluster contains a group of switches. Through cluster management, you can manage multiple geographically dispersed switches in a centralized way. Cluster management is implemented through the 3Com group management protocol (Switch Clustering). Switch Clustering version 2 (Switch Clustering v2) is used at present.
  • Page 320 Chapter 30: Cluster Figure 99 A cluster implementation (Network Management Station 69.110.1.100; Management Device 69.110.1.1; Member Devices in the cluster) Switch Clustering V2 has the following advantages: ■ It eases the configuration and management of multiple switches: You just need...
  • Page 321 Cluster Overview Table 239 Description of cluster roles (Role / Configuration / Function) Management device: Configured with an external IP address; ■ Provides an interface for managing all the switches in a cluster ■ Manages member devices through command redirection, that is, it forwards the commands intended for specific member devices.
  • Page 322 Chapter 30: Cluster Figure 100 State machine of cluster role (Candidate device, Management device, Member device) ■ A candidate device becomes a management device when you create a cluster on it. Note that a cluster must have one (and only one) management device. On becoming a management device, the device collects network topology information and tries to discover and determine candidate devices, which can then be added to the cluster through configurations.
  • Page 323 Cluster Overview ■ All devices use NDP to collect the information about their neighbors, including software version, host name, MAC address, and port name. ■ The management device uses NTDP to collect the information about the devices within specific hops and the topology information about the devices. It also determines the candidate devices according to the information collected.
  • Page 324 Chapter 30: Cluster ■ The management device sends NTDP topology collection requests periodically through its NTDP-enabled ports. ■ Upon receiving an NTDP topology collection request, the device returns an NTDP topology collection response to the management device and forwards the request to its neighbor devices through its NTDP-enabled ports.
  • Page 325 Cluster Overview On the management device, you need to enable the cluster function and configure cluster parameters. On the member/candidate devices, however, you only need to enable the cluster function so that they can be managed by the management device. Cluster maintenance 1 Adding a candidate device to a cluster To create a cluster, you need to determine the device to operate as the...
  • Page 326 Chapter 30: Cluster which case the management device considers the member device disconnected. Likewise, if this member device, which is in Connect state, receives a handshake packet or management packet from the management device within the information holdtime, it changes its state to Active; otherwise, it changes its state to Disconnect.
  • Page 327: Cluster Configuration Tasks

    Cluster Configuration Tasks Before configuring a cluster, you need to determine the roles and functions the switches play. You also need to configure the related functions, preparing for the communication between devices within the cluster. Table 240 Cluster configuration tasks: (Configuration task / Remarks) “Configuring the Management Device”...
  • Page 328 Chapter 30: Cluster Table 242 Enable NDP globally and on specific ports (Operation / Command / Description) Enable NDP globally: ndp enable; Required. By default, NDP is enabled globally. Enable NDP on specified Ethernet ports, in system view: ndp enable interface port-list; Use either approach. By default, NDP is...
  • Page 329 Cluster Configuration Tasks Table 245 Configure NTDP-related parameters (Operation / Command / Description) Configure the device forward delay of topology collection requests: ntdp timer hop-delay time; Optional. By default, the device forward delay is 200 ms. Configure the port forward delay of topology collection requests: ntdp timer port-delay time; Optional. By default, the port forward...
  • Page 330 Chapter 30: Cluster Table 247 Establish a cluster and configure cluster parameters in manual mode (Operation / Command / Description) Set the holdtime of member switches: holdtime seconds; Optional. By default, the holdtime is 60 seconds. Set the interval to send handshake packets: timer interval; Optional...
  • Page 331 Cluster Configuration Tasks ■ When you execute the add-member command on the management device to add a candidate device to a cluster, the candidate device changes to a member device and its UDP port 40000 is opened at the same time. ■ When you execute the auto-build command on the management device to...
  • Page 332 Chapter 30: Cluster Table 252 Enable the cluster function (Operation / Command / Description) Enable the cluster function globally: cluster enable; Optional. By default, the cluster function is enabled. Accessing the shared FTP/TFTP server from a member device Perform the following operations in user view on a member device. Table 253 Access the shared FTP/TFTP server from a member device (Operation / Command...
  • Page 333 Cluster Configuration Tasks ■ When using the tracemac command to locate a device by its IP address, the switch will query the corresponding ARP entry of the IP address, and then query the MAC address based on the ARP entry to locate the specified device finally.
  • Page 334 Chapter 30: Cluster Configure cluster topology management function 1 Configuration prerequisites Before configuring the cluster topology management function, make sure that: ■ The basic cluster configuration is completed. ■ Devices in the cluster work normally. 2 Configuration procedure Perform the following configuration on the management device. Table 256 Configure cluster topology management function (Operation / Command...
  • Page 335: Displaying And Maintaining Cluster Configuration

    Displaying and Maintaining Cluster Configuration Table 257 Configure the cluster device blacklist (Operation / Command / Description) Delete the specified MAC address from the cluster blacklist: black-list delete-mac mac-address; Optional. Delete a device from the cluster and add this device to the cluster blacklist: delete-member member-id [ to-black-list ]; Optional. Displays the information...
  • Page 336 Chapter 30: Cluster Serving as the management device, the Switch 4210 manages the two member devices. The configuration for the cluster is as follows: ■ The two member devices connect to the management device through Ethernet 1/0/2 and Ethernet 1/0/3. The management device connects to the Internet through Ethernet 1/0/1.
  • Page 337 Cluster Configuration Example [4210] ntdp enable [4210] interface Ethernet 1/1 [4210-Ethernet1/1] ntdp enable [4210-Ethernet1/1] quit # Enable the cluster function. [4210] cluster enable 2 Configure the management device # Enable NDP globally and on Ethernet 1/0/2 and Ethernet 1/0/3. <4210> system-view [4210] ndp enable [4210] interface Ethernet 1/0/2 [4210-Ethernet1/0/2] ndp enable...
  • Page 338 # Name and build the cluster. [4210-cluster] build aaa [aaa_0.3Com-cluster] # Add the attached two switches to the cluster. [aaa_0.3Com-cluster] add-member 1 mac-address 000f-e20f-0011 [aaa_0.3Com-cluster] add-member 17 mac-address 000f-e20f-0012 # Set the holdtime of member device information to 100 seconds. [aaa_0.3Com-cluster] holdtime 100 # Set the interval to send handshake packets to 10 seconds.
  • Page 339 Figure 103 Network diagram for the enhanced cluster feature configuration Configuration procedure # Enter cluster view. <aaa_0.3Com> system-view [aaa_0.3Com] cluster # Add the MAC address 0001-2034-a0e5 to the cluster blacklist. [aaa_0.3Com-cluster] black-list add-mac 0001-2034-a0e5 # Backup the current topology. [aaa_0.3Com-cluster] topology accept all save-to local-flash...
  • Page 340 Chapter 30: Cluster...
  • Page 341: PoE Overview

    Wireless APs, network cameras and so on. ■ PI: PIs are RJ45 interfaces which connect PSE/PDs to network cables. PoE Features Supported by the Switch 4210 PoE-enabled Switch 4210s: ■ Switch 4210 PWR 9-Port ■ Switch 4210 PWR 18-Port ■ Switch 4210 PWR 26-Port...
  • Page 342: PoE Configuration

    (Switch / Input power supply / Maximum power supplying distance / Maximum power supplying each electrical port / PoE output power) 4210 PWR 9-Port: AC input; 100 m; 15400 mW; 70 W. 4210 PWR 18-Port: AC input; 135 W. 4210 PWR 26-Port: DC input; 370 W; AC input...
  • Page 343 PoE Configuration Table 260 PoE configuration tasks Task Remarks “Configuring the PD Compatibility Detection Function” Optional “Configuring PoE Over-Temperature Protection on the Optional Switch” “Upgrading the PSE Processing Software Online” Optional “Upgrading the PSE Processing Software Online” Optional “Displaying PoE Configuration” Optional Configuring PoE Over-Temperature Protection on the Switch Optional...
  • Page 344 Chapter 31: PoE Configuration priority. For example: Port A has the priority of critical. When the switch PoE is close to its full load and a new PD is now added to port A, the switch will power down the PD connected to the port with the lowest priority and turn to supply power to this new PD.
  • Page 345 PoE Configuration After the PoE feature is enabled, perform the following configuration to enable the PD compatibility detection function. Table 265 Configure the PD compatibility detection function (Operation / Command / Description) Enter system view: system-view. Enable the PD compatibility detection function: poe legacy enable; Required. Disabled by default.
  • Page 346: PoE Configuration Example

    Chapter 31: PoE Configuration Table 268 Upgrade PSE processing software online (Operation / Command / Description) Enter system view: system-view. Upgrade the PSE processing software online: poe update { refresh | full } filename; Required. The specified PSE processing software is a file with the extension .s19.
  • Page 347 PoE Configuration Example ■ The Ethernet 1/0/1 and Ethernet 1/0/2 ports of Switch A are connected to Switch B and an AP respectively; the Ethernet 1/0/8 port is intended to be connected with an important AP. ■ The PSE processing software of Switch A is first upgraded online. The remotely...
  • Page 348 Chapter 31: PoE Configuration [SwitchA-Ethernet1/0/8] poe priority critical [SwitchA-Ethernet1/0/8] quit # Set the PoE management mode on the switch to auto (it is the default mode, so this step can be omitted). [SwitchA] poe power-management auto # Enable the PD compatibility detection of the switch to allow the switch to supply power to some devices noncompliant with the 802.3af standard.
  • Page 349: PoE Profile

    PoE Profile Configuration Introduction to PoE Profile On a large-sized network or a network with mobile users, to help network administrators monitor the switch’s PoE features, the Switch 4210 provides the PoE profile feature. A PoE profile is a set of PoE configurations, including multiple PoE features.
  • Page 350: Displaying PoE Profile Configuration

    Chapter 32: PoE Profile Configuration Table 270 Configure PoE profile (Operation / Command / Description) Apply the existing PoE profile to the specified Ethernet port, in system view: apply poe-profile profile-name interface interface-type interface-number [ to interface-type interface-number ]; Use either approach. In Ethernet port view: Enter Ethernet port view: interface interface-type...
  • Page 351: PoE Profile Configuration Example

    PoE Profile Configuration Example PoE Profile Application Example Network requirements Switch A is a Switch 4210 that supports PoE. Ethernet 1/0/1 through Ethernet 1/0/10 of Switch A are used by users of group A, who have the following requirements: The PoE function can be enabled on all ports in use.
  • Page 352: Configuration Procedure

    Chapter 32: PoE Profile Configuration Configuration procedure # Create Profile1, and enter PoE profile view. <SwitchA> system-view [SwitchA] poe-profile Profile1 # In Profile1, add the PoE policy configuration applicable to Ethernet 1/0/1 through Ethernet 1/0/5 ports for users of group A. [SwitchA-poe-profile-Profile1] poe enable [SwitchA-poe-profile-Profile1] poe mode signal [SwitchA-poe-profile-Profile1] poe priority critical...
  • Page 353: SNMP Configuration

    SNMP Configuration SNMP Overview The simple network management protocol (SNMP) is used for ensuring the transmission of the management information between any two network nodes. In this way, network administrators can easily retrieve and modify the information about any node on the network. In the meantime, they can locate faults promptly and perform fault diagnosis, capacity planning and report generation.
  • Page 354 Chapter 33: SNMP Configuration information, while those with read-write permission can configure the switch as well. ■ Set the basic ACL specified by the community name. Supported MIBs An SNMP packet carries management variables with it. Management variables are used to describe the management objects of a switch.
  • Page 355: Configuring Basic Snmp Functions

    (command fragment) | version { { v1 | v2c | v3 }* | all } } (description) The information for system maintenance is "R&D Hangzhou, 3Com Technology Co., Ltd.", the system location is "Hangzhou China", and the SNMP version is SNMPv3.
  • Page 356 (command fragment) | version { { v1 | v2c | v3 }* | all } } (description) The information for system maintenance is "R&D Hangzhou, 3Com Technology Co., Ltd.", the system location is "Hangzhou China", and the SNMP version is SNMPv3. Set an SNMP group...
  • Page 357: Configuring Trap Parameters

    Configuring Trap Parameters Table 274 Configure basic SNMP functions (SNMPv3) (Operation / Command / Description) Encrypt a plain-text password to generate a cipher-text one: snmp-agent calculate-password plain-password mode { md5 | sha } { local-switch fabricid | specified-switch fabricid }; Optional. This command is used if a password in cipher-text is needed for adding a new user.
  • Page 358 Chapter 33: SNMP Configuration Table 275 Configure basic Trap (Operation / Command / Description) Enable the switch to send Trap messages to ...: snmp-agent trap enable [ configuration | flash | standard [ authentication |...; Optional. By default, a port is enabled to send all types of Traps.
  • Page 359: Enabling Logging For Network Management

    Enabling Logging for Network Management Table 277 Enable logging for network management (Operation / Command / Description) Enter system view: system-view. Enable logging for network management: snmp-agent log { set-operation | get-operation | all }; Optional. Disabled by default. Use the display logbuffer command to view the log of the get and set operations requested by the NMS.
  • Page 360 Chapter 33: SNMP Configuration Thus, the NMS is able to access Switch A and receive the trap messages sent by Switch A. Network diagram Figure 107 Network diagram for SNMP configuration (10.10.10.2, 10.10.10.1, Switch A, Ethernet) Network procedure # Enable SNMP agent, and set the SNMPv1 and SNMPv2c community names.
  • Page 361 Configuring the NMS The Switch 4210 supports 3Com’s Network Management System (NMS). SNMPv3 adopts user name and password authentication. When you use 3Com’s NMS, you need to set user names and choose the security level in [Authentication Parameter]. For each security level, you need to set authorization mode, authorization password, encryption mode, encryption password, and so on.
  • Page 362 Chapter 33: SNMP Configuration...
  • Page 363: Rmon C

    (instead of all the information in the RMON MIB): alarm group, event group, history group, and statistics group. The 3Com Switch 4210 implements RMON in the second way. With an RMON agent embedded, the Switch 4210 can serve as a network device with the RMON probe function.
  • Page 364 Chapter 34: RMON Configuration. managed network devices are connected. Thus, the NMS can further manage the networks. Commonly Used RMON Groups. Event group: Event group is used to define the indexes of events and the processing methods of the events. The events defined in an event group are mainly used by entries in the alarm group and extended alarm group to trigger alarms.
  • Page 365: Rmon Configuration

    RMON Configuration With the history data management function, you can configure network devices to collect history data, sample and store data of a specific port periodically. Statistics group Statistics group contains the statistics of each monitored port on a switch. An entry in a statistics group is an accumulated value counting from the time when the statistics group is created.
  • Page 366: Displaying Rmon

    Chapter 34: RMON Configuration. ■ The rmon alarm and rmon prialarm commands take effect on existing nodes only. ■ For each port, only one RMON statistics entry can be created. That is, if an RMON statistics entry is already created for a given port, you will fail to create another statistics entry with a different index for the same port.
  • Page 367 RMON Configuration Examples. [4210-Ethernet1/0/1] rmon statistics 1 [4210-Ethernet1/0/1] quit # Add the event entries numbered 1 and 2 to the event table, which will be triggered by the following extended alarm. [4210] rmon event 1 log [4210] rmon event 2 trap 10.21.30.55 # Add an entry numbered 2 to the extended alarm table to allow the system to calculate the alarm variables with the (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.1) formula to get the numbers...
  • Page 368 Chapter 34: RMON Configuration...
  • Page 369: Introduction To Ntp

    NTP Configuration. Introduction to NTP. Network time protocol (NTP) is a time synchronization protocol defined in RFC 1305. It is used for time synchronization between a set of distributed time servers and clients. Carried over UDP, NTP transmits packets through UDP port 123. NTP is intended for time synchronization between all devices that have clocks in a network so that the clocks of all devices can keep consistent.
  • Page 370 Chapter 35: NTP Configuration. as the stratum number increases. A stratum 16 clock is in the unsynchronized state and cannot serve as a reference clock. ■ The local clock of a Switch 4210 cannot be set as a reference clock. It can serve...
  • Page 371 Introduction to NTP. ■ When the message arrives at Device B, Device B inserts its own timestamp 11:00:01 am (T ) into the packet. ■ When the NTP message leaves Device B, Device B inserts its own timestamp 11:00:02 am (T ) into the packet.
  • Page 372 Chapter 35: NTP Configuration. Symmetric peer mode. Figure 111 Symmetric peer mode (Active peer, Passive peer, Network; clock synchronization request, response; the passive peer works in passive peer mode automatically; in peer mode, both sides can be synchronized to each other). In the symmetric peer mode, the local Switch 4210 serves as the symmetric-active peer and sends the clock synchronization request first, while the remote server serves as the symmetric-passive peer automatically.
  • Page 373: Ntp Configuration Tasks

    ■ The NTP server mode, NTP broadcast mode, or NTP multicast mode takes effect only after the local clock of the 3Com Switch 4210 has been synchronized. ■ When symmetric peer mode is configured on two Ethernet switches, to...
  • Page 374: Configuring Ntp Implementation Modes

    ■ “Configuring NTP Multicast Mode”. To protect unused sockets against attacks by malicious users and improve security, the 3Com Switch 4210 Family provides the following functions: ■ UDP port 123 is opened only when the NTP feature is enabled. ■ UDP port 123 is closed as the NTP feature is disabled.
  • Page 375 NTP messages, so as to start the clock synchronization. A 3Com Switch 4210 can operate as a broadcast server or a broadcast client. ■ Refer to Table 285 for configuring a switch to work in the NTP broadcast server...
  • Page 376 NTP messages, so as to start the clock synchronization. A 3Com Switch 4210 can work as a multicast server or a multicast client. ■ Refer to Table 287 for configuring a switch to work in the NTP multicast server...
  • Page 377: Configuring Access Control Right

    Configuring Access Control Right. Configuring a switch to work in the multicast client mode. Table 288 Configure a switch to work in the NTP multicast client mode. Operation: Enter system view. Command: system-view. Operation: Enter VLAN interface view. Command: interface Vlan-interface vlan-id. Operation: Configure the switch to work as a multicast client. Command: ntp-service multicast-client...
  • Page 378: Configuring Ntp Authentication

    Chapter 35: NTP Configuration. The access-control right mechanism provides only a minimum degree of security protection for the local switch. A more secure method is identity authentication. Configuring NTP Authentication. In networks with higher security requirements, the NTP authentication function must be enabled to run NTP.
  • Page 379 Configuring NTP Authentication. Configuration Procedure. Configuring NTP authentication on the client. Table 291 Configure NTP authentication on the client. Operation: Enter system view. Command: system-view. Operation: Enable the NTP authentication function. Command: ntp-service authentication enable. Description: Required. Disabled by default. Operation: Configure the NTP authentication key. Command: ntp-service... Description: Required...
  • Page 380: Configuring Optional Ntp Parameters

    Chapter 35: NTP Configuration. Table 292 Configure NTP authentication on the server. Operation: Associate the specified key with the NTP broadcast server. Command: Configure on the broadcast server: ntp-service broadcast-server authentication-keyid key-id. Description: In NTP broadcast server mode and NTP multicast server mode, you need to associate the specified key with the correspondin...
  • Page 381: Displaying Ntp Configuration

    Displaying NTP Configuration upon the receipt of a message, rather than creating an association (static or dynamic). In the symmetric mode, static associations will be created at the symmetric-active peer side, and dynamic associations will be created at the symmetric-passive peer side; In the broadcast or multicast mode, static associations will be created at the server side, and dynamic associations will be created at the client side.
  • Page 382 Chapter 35: NTP Configuration. ■ Configure Device B to work in the client mode, and then Device A will automatically work in the server mode. Network diagram: Figure 114 Network diagram for the NTP server/client mode configuration (Device A 1.0.1.11/24, Device B 1.0.1.12/24). Configuration procedure...
  • Page 383 Configuration Example [DeviceB] display ntp-service sessions source reference stra reach poll now offset delay disper ************************************************************************** [12345]1.0.1.11 127.127.1.0 350.1 15.1 note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured Total associations : Configuring NTP Network requirements Symmetric Peer Mode The local clock of Device A is set as the NTP master clock, with the clock ■...
  • Page 384 Chapter 35: NTP Configuration. Clock stratum: 2 Reference clock ID: 3.0.1.32 Nominal frequency: 100.0000 Hz Actual frequency: 100.0000 Hz Clock precision: 2^18 Clock offset: 0.66 ms Root delay: 27.47 ms Root dispersion: 208.39 ms Peer dispersion: 9.63 ms Reference time: 17:03:32.022 UTC Thu Apr 2 2007 (BF422AE4.05AEA86C) The output information indicates that the clock of Device C is synchronized to that of Device B and the stratum level of its local clock is 2, one level lower than Device # View the information about the NTP sessions of Device C (you can see that a...
  • Page 385 Configuration Example <DeviceC> system-view # Set Device C as the broadcast server, which sends broadcast messages through Vlan-interface2. [DeviceC] interface Vlan-interface 2 [DeviceC-Vlan-interface2] ntp-service broadcast-server 2 Configure Device A. (perform the same configuration on Device D) # Enter system view. <DeviceA>...
  • Page 386 Chapter 35: NTP Configuration. Network diagram: Figure 117 Network diagram for NTP multicast mode configuration (Device C Vlan-int2 3.0.1.31/24; Device A Vlan-int2 1.0.1.31/24; Device B; Device D Vlan-int2 3.0.1.32/24). Configuration procedure 1 Configure Device C. # Enter system view. <DeviceC>...
  • Page 387 Configuration Example. Root dispersion: 208.39 ms Peer dispersion: 9.63 ms Reference time: 17:03:32.022 UTC Thu Apr 2 2007 (BF422AE4.05AEA86C) The output information indicates that Device D is synchronized to Device C, with a clock stratum level of 3, one stratum level lower than that of Device C. # View the information about the NTP sessions of Device D (You can see that a connection is established between Device D and Device C).
  • Page 388 Chapter 35: NTP Configuration. 2 To synchronize Device B, you need to perform the following configurations on Device A. # Enable the NTP authentication function. [DeviceA] system-view [DeviceA] ntp-service authentication enable # Configure an MD5 authentication key, with the key ID being 42 and the key being aNiceKey.
  • Page 389: Ssh Overview

    SSH Configuration. SSH Overview. Introduction to SSH. Secure Shell (SSH) is a protocol that provides secure remote login and other security services in insecure network environments. In an SSH connection, data are encrypted before being sent out and decrypted after they reach the destination. This prevents attacks such as plain text password interception.
  • Page 390 Chapter 36: SSH Configuration. while the private key is effective only for the local end. Normally you cannot use the private key through the public key. Asymmetric key algorithm encrypts data using the public key and decrypts the data using the private key, thus ensuring data security. You can also use the asymmetric key algorithm for data signature.
  • Page 391 SSH Overview. ■ All the packets above are transferred in plain text. Key negotiation: ■ The server and the client send algorithm negotiation packets to each other, which contain public key algorithm lists supported by the server and the client, encrypted algorithm list, message authentication code (MAC) algorithm list, and compressed algorithm list.
  • Page 392: Configuring The Ssh Server

    Chapter 36: SSH Configuration. and goes on to the interactive session stage with the client. Otherwise, the server sends back to the client an SSH_SMSG_FAILURE packet, indicating that the processing fails or it cannot resolve the request. The client sends a session request to the server, which processes the request and establishes a session.
  • Page 393 Configuring the SSH Server. Table 300 Configure the protocol(s) that a user interface supports. Operation: Specify the supported protocol(s). Command: protocol inbound { all | ssh | telnet }. Description: Optional. By default, both Telnet and SSH are supported. CAUTION: ■ If you have configured a user interface to support SSH protocol, you must...
  • Page 394 Chapter 36: SSH Configuration. Exporting the RSA or DSA Public Key. You can display the generated RSA or DSA key pair on the screen in a specified format, or export it to a specified file for configuring the key at a remote end. Table 302 Export the RSA public key. Operation Command...
  • Page 395 Configuring the SSH Server. remote server. And the user can use its username and password configured on the remote server to access the network. ■ Both publickey and rsa indicate public key authentication. They are implemented with the same method. ■ Under the publickey authentication mode, the level of commands available to...
  • Page 396 Chapter 36: SSH Configuration. ■ For details of the header command, see the corresponding section in Login Command. Configuring the Client Public Key on the Server. This configuration is not necessary if the password authentication mode is configured for SSH users. With the publickey authentication mode configured for an SSH client, you must configure the client’s RSA or DSA host public key(s) on the server for authentication.
  • Page 397 Configuring the SSH Server. Table 309 Configure the client RSA public key manually. Operation: Enter system view. Command: system-view. Operation: Enter public key view. Command: rsa peer-public-key keyname. Description: Required. Operation: Enter public key edit view. Command: public-key-code begin. Operation: Configure the client RSA public key. Command: Enter the content of the RSA public key. Description: The content must be a...
  • Page 398: Configuring The Ssh Client

    Chapter 36: SSH Configuration. Configuring the SSH Client. An SSH client software or SSH2-capable switch can serve as an SSH client to access the SSH server. SSH Client Configuration Tasks. Table 311 SSH client configuration tasks. Tasks: Configuring the SSH client using an SSH client software. Description: Use either approach...
  • Page 399 Configuring the SSH Client. Figure 120 Generate a client key (1). Note that while generating the key pair, you must move the mouse continuously and keep the mouse off the green process bar in the blue box shown in Figure 121.
  • Page 400 Chapter 36: SSH Configuration. Figure 121 Generate the client keys (2). After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case) to save the public key. Figure 122 Generate the client keys (3)
  • Page 401 Configuring the SSH Client Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any precaution. Click Yes and enter the name of the file for saving the private key ("private" in this case) to save the private key.
  • Page 402 Chapter 36: SSH Configuration. Figure 125 SSH client configuration interface 1. In the Host Name (or IP address) text box, enter the IP address of the server. Note that there must be a route available between the IP address of the server and the client.
  • Page 403 Configuring the SSH Client. Figure 126 SSH client configuration interface 2. Under Protocol options, select 2 from Preferred SSH protocol version. Some SSH client software, for example, Tectia client software, supports the DES algorithm only when the ssh1 version is selected. The PuTTY client software supports DES algorithm negotiation with ssh2.
  • Page 404 Chapter 36: SSH Configuration. Figure 127 SSH client configuration interface 3. Click Browse... to bring up the file selection window, navigate to the private key file and click Open to enter the following SSH client interface. If the connection is normal, a user will be prompted for a username.
  • Page 405 Configuring the SSH Client Figure 128 SSH client interface (1) Open an SSH connection with password authentication From the window shown in Figure 127, click Open. The following SSH client interface appears. If the connection is normal, you will be prompted to enter the username and password, as shown in Figure 129.
  • Page 406 Chapter 36: SSH Configuration. Figure 129 SSH client interface (2). Enter the username and password to establish an SSH connection. To log out, enter the quit command. Configuring the SSH Client on an SSH2-Capable Switch. Table 313 Configuration tasks when an SSH2-capable switch is used as the client. Tasks...
  • Page 407 Configuring the SSH Client Table 314 Enable the device to support first-time authentication Operation Command Description Enter system view system-view Enable the device to support ssh client first-time enable Optional first-time authentication By default, the client is enabled to run initial authentication.
  • Page 408: Displaying Ssh Configuration

    Chapter 36: SSH Configuration. Displaying SSH Configuration. After the above configuration, you can execute the display command in any view to display the configuration information and running status of SSH, so as to verify your configuration. Table 317 Display SSH configuration. Operation Command Description...
  • Page 409 SSH Configuration Examples # Generate RSA and DSA key pairs. [4210] public-key local create rsa [4210] public-key local create dsa # Set the authentication mode for the user interfaces to AAA. [4210] user-interface vty 0 4 [4210-ui-vty0-4] authentication-mode scheme # Enable the user interfaces to support SSH. [4210-ui-vty0-4] protocol inbound ssh [4210-ui-vty0-4] quit # Create local client "client001", and set the authentication password to...
  • Page 410 Chapter 36: SSH Configuration. Take SSH client software "Putty" (version 0.58) as an example: 1 Run PuTTY.exe to enter the following configuration interface. Figure 131 SSH client configuration interface. In the Host Name (or IP address) text box, enter the IP address of the SSH server.
  • Page 411 SSH Configuration Examples Figure 132 SSH client configuration interface 2 Under Protocol options, select 2 from Preferred SSH protocol version. 3 As shown in Figure 131, click Open to enter the following interface. If the connection is normal, you will be prompted to enter the user name "client001" and password "abc".
  • Page 412 Chapter 36: SSH Configuration. Figure 133 SSH client interface. When the Switch Acts as an SSH Server and the Authentication Type is Publickey. Network requirements: As shown in Figure 134, establish an SSH connection between the host (SSH client) and the switch (SSH Server) for secure data exchange. The host runs SSH2.0 client software.
  • Page 413 SSH Configuration Examples # Generate RSA and DSA key pairs. [4210] public-key local create rsa [4210] public-key local create dsa # Set the authentication mode for the user interfaces to AAA. [4210] user-interface vty 0 4 [4210-ui-vty0-4] authentication-mode scheme # Enable the user interfaces to support SSH. [4210-ui-vty0-4] protocol inbound ssh # Set the client’s command privilege level to 3 [4210-ui-vty0-4] user privilege level 3...
  • Page 414 Chapter 36: SSH Configuration. # Generate an RSA key pair, taking PuTTYGen as an example. 1 Run PuTTYGen.exe, choose SSH2(RSA) and click Generate. Figure 135 Generate a client key pair (1). While generating the key pair, you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 136.
  • Page 415 SSH Configuration Examples Figure 136 Generate a client key pair (2) After the key pair is generated, click Save public key and enter the name of the file for saving the public key ("public" in this case). Figure 137 Generate a client key pair (3)
  • Page 416 Chapter 36: SSH Configuration. Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any protection. Click Yes and enter the name of the file for saving the private key ("private.ppk" in this case).
  • Page 417 SSH Configuration Examples Figure 140 SSH client configuration interface 2 Under Protocol options, select 2 from Preferred SSH protocol version. 3 Select Connection/SSH/Auth. The following window appears.
  • Page 418 Chapter 36: SSH Configuration. Figure 141 SSH client configuration interface (2). Click Browse... to bring up the file selection window, navigate to the private key file and click OK. 4 From the window shown in Figure 141, click Open. The following SSH client interface appears.
  • Page 419 SSH Configuration Examples. Figure 142 SSH client interface. When the Switch Acts as an SSH Client and the Authentication Type is Password. Network requirements: As shown in Figure 143, establish an SSH connection between Switch A (SSH Client) and Switch B (SSH Server) for secure data exchange. The user name for login is client001 and the SSH server’s IP address is 10.165.87.136.
  • Page 420 The Server is not authenticated. Do you continue to access it?(Y/N):y Do you want to save the server’s public key?(Y/N):n Enter password: ************************************************************************* * Copyright(c) 2004-2007 3Com Corporation. * Without the owner’s prior written consent, * no decompiling or reverse-engineering shall be allowed. ************************************************************************* <4210>...
  • Page 421 SSH Configuration Examples. Network diagram: Figure 144 Network diagram of SSH client configuration when using publickey authentication (Switch A, SSH Client, VLAN-Interface 1, 10.165.87.137/24; Switch B, SSH Server, VLAN-Interface 1, 10.165.87.136/24). Configuration procedure: In public key authentication, you can use either RSA or DSA public key. Here the DSA public key is taken as an example.
  • Page 422 The Server is not authenticated. Do you continue to access it?(Y/N):y Do you want to save the server’s public key?(Y/N):n ************************************************************************* * Copyright(c) 2004-2007 3Com Corporation * Without the owner’s prior written consent, * no decompiling or reverse-engineering shall be allowed.
  • Page 423 SSH Configuration Examples. <4210> system-view [4210] interface vlan-interface 1 [4210-Vlan-interface1] ip address 10.165.87.136 255.255.255.0 [4210-Vlan-interface1] quit Generating the RSA and DSA key pairs on the server is a prerequisite to SSH login. # Generate RSA and DSA key pairs. [4210] public-key local create rsa [4210] public-key local create dsa # Set AAA authentication on user interfaces.
  • Page 424 [4210] ssh2 10.165.87.136 identity-key dsa Username: client001 Trying 10.165.87.136 ... Press CTRL+K to abort Connected to 10.165.87.136 ... ************************************************************************* * Copyright(c) 2004-2007 3Com Corporation. * Without the owner’s prior written consent, * no decompiling or reverse-engineering shall be allowed. ************************************************************************* <4210>...
  • Page 425: File

    File System Management Configuration. File System Configuration. To facilitate management on the switch’s memory, the Switch 4210 provides the file system function, allowing you to access and manage the files and directories. You can create, remove, copy or delete a file through command lines, and you can manage files using directories.
  • Page 426 Chapter 37: File System Management Configuration. ■ Only empty directories can be deleted by using the rmdir command. ■ In the output information of the dir /all command, deleted files (that is, those stored in the recycle bin) are embraced in brackets. File Operations. The file system also provides file-related functions listed in Table 320.
  • Page 427 File System Configuration. Flash Memory Operations. Perform the following Flash memory operations using commands listed in Table 321. Perform the following configuration in user view. Table 321 Operations on the Flash memory. To do: Format the Flash memory. Use the command: format device. Remarks: Required. To do: Restore space on the Flash...
  • Page 428: File Attribute Configuration

    Chapter 37: File System Management Configuration. <4210> dir /all Directory of unit1>flash:/ 1 (*) -rw- 3579326 Mar 28 2007 10:51:22 s3100.bin 2 (*) -rw- 1235 Apr 03 2000 16:04:52 config.cfg -rwh Apr 03 2000 16:04:55 private-data.txt -rwh Apr 04 2000 17:27:35 hostkey -rwh Apr 04 2000 17:27:41...
  • Page 429 File Attribute Configuration. Table 323 Descriptions on file attributes. Attribute name: none. Description: Identifies files that are neither of main attribute nor backup attribute. Feature Identifier: None. A file can have both the main and backup attributes. Files of this kind are labeled... Note that there can be only one app file, one configuration file and one Web file with the main attribute in the Flash memory.
  • Page 430 Chapter 37: File System Management Configuration. Table 324 Configure file attributes. To do: Display the information about the app file used as the startup file. Use the command: display boot-loader [ unit unit-id ]. Remarks: Optional. Available in any view. To do: Display information about the Web file used by the device. Use the command: display web package...
  • Page 431: Introduction To Ftp And Sftp

    ■ Binary mode for program file transfer. ■ ASCII mode for text file transfer. A 3Com Switch 4210 can operate as an FTP client or the FTP server in FTP-employed data transmission: Table 325 The Switch 4210 FTP Roles. Item...
  • Page 432: Ftp Configuration

    Chapter 38: FTP and SFTP Configuration. Introduction to SFTP. Secure FTP (SFTP) is established based on an SSH2 connection. It allows a remote user to log in to a switch to manage and transmit files, providing a more secure guarantee for data transmission. In addition, since the switch can be used as a client, you can log in to remote devices to transfer files securely.
  • Page 433 FTP Configuration. ■ Operating as an FTP server, the Switch 4210 cannot receive a file whose size exceeds its storage space. The clients that attempt to upload such a file will be disconnected with the FTP server due to lack of storage space on the FTP server. To protect unused sockets against attacks, the Switch 4210 provides the following functions: TCP 21 is enabled only when you start the FTP server.
  • Page 434 Chapter 38: FTP and SFTP Configuration. Figure 147 Process of displaying a shell banner. Table 330 Configure the banner display for an FTP server. Operation: Enter system view. Command: system-view. Operation: Configure a login banner. Command: header login text. Operation: Configure a shell banner. Command: header shell text. Description: Required. Use either command or both.
  • Page 435 FTP Configuration. Table 332 Basic configurations on an FTP client. Operation: Specify to transfer files in ASCII characters. Command: ascii. Operation: Specify to transfer files in binary streams. Command: binary. Description: Use either command. By default, files are transferred in ASCII characters. Operation: Set the data transfer mode to passive. Command: passive. Description: Optional...
  • Page 436 Chapter 38: FTP and SFTP Configuration. Configuration Example: A Switch Operating as an FTP Server. Network requirements: A switch operates as an FTP server and a remote PC as an FTP client. The application switch.bin of the switch is stored on the PC. Upload the application to the remote switch through FTP and use the boot boot-loader command to specify switch.bin as the application for next startup.
  • Page 437 If you have to delete the files in use to make room for the file to be uploaded, you can only delete/download them through the Boot ROM menu. ■ The 3Com series switch is not shipped with FTP client application software. You need to purchase and install it by yourself.
  • Page 438 Chapter 38: FTP and SFTP Configuration. FTP Banner Display Configuration Example. Network requirements: Configure the Ethernet switch as an FTP server and the remote PC as an FTP client. After a connection between the FTP client and the FTP server is established and login succeeds, the banner is displayed on the FTP client.
  • Page 439 FTP Configuration. FTP Configuration: A Switch Operating as an FTP Client. Network requirements: A switch operates as an FTP client and a remote PC as an FTP server. The switch application named switch.bin is stored on the PC. Download it to the switch through FTP and use the boot boot-loader command to specify switch.bin as the application for next startup.
  • Page 440: Sftp Configuration

    Chapter 38: FTP and SFTP Configuration. Password: 230 User logged in. [ftp] # Enter the authorized directory on the FTP server. [ftp] cd switch # Execute the put command to upload the configuration file named config.cfg to the FTP server. [ftp] put config.cfg # Execute the get command to download the file named switch.bin to the Flash memory of the switch.
  • Page 441 SFTP Configuration Table 334 Enable an SFTP server Operation Command Description Enter system view system-view Enable an SFTP server sftp server enable Required Disabled by default Configuring connection idle time After the idle time is configured, if the server does not receive service requests from a client within a specified time period, it terminates the connection with the client, thus preventing a user from occupying the connection for a long time without performing any operation.
  • Page 442 Chapter 38: FTP and SFTP Configuration. Table 336 Basic configurations on an SFTP client. Operation: Enter system view. Command: system-view. Operation: Enter SFTP client view. Command: sftp { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des |... Description: Required...
  • Page 443 SFTP Configuration. If you specify to authenticate a client through public key on the server, the client needs to read the local private key when logging in to the SFTP server. Since both RSA and DSA are available for public key authentication, you need to use the identity-key keyword to specify the algorithm so that the correct local private key is read;...
  • Page 444 Chapter 38: FTP and SFTP Configuration. # Configure the authentication mode as password. Authentication timeout time, retry number, and update time of the server key adopt the default values. [4210] ssh user client001 authentication-type password # Specify the service type as SFTP. [4210] ssh user client001 service-type sftp # Enable the SFTP server.
  • Page 445 SFTP Configuration -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub Received status: End of file...
  • Page 446 Chapter 38: FTP and SFTP Configuration. -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2 -rwxrwxrwx 1 noone nogroup 283 Sep 02 06:35 pub -rwxrwxrwx 1 noone nogroup...
  • Page 447: Introduction To Tftp

    TFTP Configuration. Introduction to TFTP. Compared with FTP, TFTP (trivial file transfer protocol) features a simple interactive access interface and no authentication control. Therefore, TFTP is applicable in networks where client-server interactions are relatively simple. TFTP is implemented based on UDP. It transfers data through UDP port 69. Basic TFTP operations are described in RFC 1986.
  • Page 448: Tftp Configuration

    Chapter 39: TFTP Configuration. TFTP Configuration. Basic configurations on a TFTP client. By default a switch can operate as a TFTP client. In this case you can connect the switch to the TFTP server to perform TFTP-related operations (such as creating/removing a directory) by executing commands on the switch.
  • Page 449 TFTP Configuration # Log in to the switch. (You can log in to a switch through the Console port or by telnetting the switch. See the "Login" module for detailed information.) CAUTION: If available space on the Flash memory of the switch is not enough to hold the file to be uploaded, you need to delete files not in use from the Flash memory to make room for the file, and then upload the file again.
  • Page 450 Chapter 39: TFTP Configuration...
  • Page 452 Chapter 39: TFTP Configuration...
  • Page 453: Information Center

    Information Center. Information Center Overview. Introduction to Information Center. Acting as the system information hub, information center classifies and manages system information. Together with the debugging function (the debugging command), information center offers a powerful support for network administrators and developers in monitoring network performance and diagnosing network problems.
  • Page 454 Chapter 40: Information Center. ■ If the threshold is set to 1, only information with the severity being emergencies will be output; ■ If the threshold is set to 8, information of all severities will be output. Ten channels and six output directions of system information. The system supports six information output directions, including the Console, Monitor terminal (monitor), logbuffer, loghost, trapbuffer and SNMP.
  • Page 455 (module names, continued): FTPS: FTP server module. High availability module. HABP: 3Com authentication bypass protocol module. HTTPD: HTTP server module. HWCM: 3Com Configuration Management private MIB module. Remote Ping module. IFNET: Interface management module. IGSP: IGMP snooping module. Internet protocol module. LAGG: Link aggregation module ...
  • Page 456 Below is an example of the format of log information output to a log host:
    % <188>Dec 6 10:44:55:283 2006 3Com NTP/5/NTP_LOG:- 1 - NTP service enable
    ("- 1 -" indicates that the unit number of the device is 1.)
  • Page 457 Information Center Overview. With the UTC time zone, the time stamp is in the format "Mmm dd hh:mm:ss:ms yyyy [GMT +|- hh:mm:ss]". Each field is described as follows: "Mmm" represents the month, and the available values are Jan, Feb, Mar, Apr, ...
  • Page 458: Information Center Configuration

    CHAPTER 40: INFORMATION CENTER. Between "module" and "level" is a "/". Level (Severity): system information is divided into eight levels based on severity, from 1 to 8. Refer to Table 338 for the definition and description of these severity levels. Note that there is a forward slash "/" ...
  • Page 459: Displaying the Time Stamp with the UTC Time Zone

    Information Center Configuration. Table 342 Configure synchronous information output:
    Enter system view: system-view.
    Enable synchronous information output: info-center synchronous. Required; disabled by default.
    If system information is output before you type anything after the current command line prompt, the system does not echo a new command line prompt after the system information output.
  • Page 460 CHAPTER 40: INFORMATION CENTER. Table 344 Set to output system information to the console:
    Enable system information output to the console: info-center console channel { channel-number | channel-name }. Optional; by default, the switch uses information channel 0 to output log, debugging and trap information to the console.
  • Page 461: Setting To Output System Information To A Monitor Terminal

    Information Center Configuration. Table 346 Enable the system information display on the console:
    Enable debugging information terminal display: terminal debugging. Optional; disabled by default.
    Enable log information terminal display: terminal logging. Optional; enabled by default.
    Enable trap information terminal display: terminal trapping. Optional ...
  • Page 462 CHAPTER 40: INFORMATION CENTER ... and enable debugging for the corresponding modules with the debugging command. Enabling system information display on a monitor terminal: after configuring the output of system information to a monitor terminal, you also need to enable the associated display function so that the output appears on the monitor terminal.
  • Page 463: Setting To Output System Information To The Trap Buffer

    Information Center Configuration. Table 349 Set to output system information to a log host:
    Configure the output rules of system information: info-center source { modu-name | default } channel { channel-number | channel-name } [ { log | trap | ... Optional; refer to Table 345 for the default output rules of system information.
  • Page 464: Displaying And Maintaining Information Center

    CHAPTER 40: INFORMATION CENTER. Table 351 Set to output system information to the log buffer:
    Configure the output rules of system information: info-center source { modu-name | default } channel { channel-number | channel-name } [ { log | trap | ... Optional; refer to Table 345 for the default output rules of system information.
  • Page 465: Information Center Configuration Examples

    Information Center Configuration Examples. Table 353 Display and maintain information center:
    Display information on an information channel: display channel [ channel-number | channel-name ]. Available in any view.
    Display the operation status of the information center, the configuration of information ...: display info-center [ unit unit-id ].
  • Page 466 CHAPTER 40: INFORMATION CENTER
    # Configure the host at 202.38.1.10 as the log host. Permit the ARP and IP modules to output information of severity informational or more severe to the log host.
    [Switch] info-center loghost 202.38.1.10 facility local4
    [Switch] info-center source arp channel loghost log level informational debug state off trap state off
    [Switch] info-center source ip channel loghost log level informational debug ...
    Log messages travel to the log host as unauthenticated cleartext UDP syslog, so the log host belongs on the management network and should accept messages only from the switches' own addresses.
  • Page 467 Information Center Configuration Examples. Network diagram: Figure 154 Network diagram for log output to a Linux log host (the switch reaches the log host across the Internet). Configuration procedure: 1 Configure the switch:
    # Enable the information center.
    <Switch> system-view
    [Switch] info-center enable
    # Configure the host at 202.38.1.10 as the log host. Permit all modules to output log information of severity errors or more severe to the log host.
  • Page 468 CHAPTER 40: INFORMATION CENTER. After the above operations, the switch records its information in the corresponding log file on the log host. By combining the device name (facility), the severity threshold (severity), the module name (filter) and the syslog.conf file, you can sort the information precisely for filtering.
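Added example (Python, not from the 3Com guide): a parser for the log-host line format described in the Information Center overview above, that is `<PRI>` followed by the `Mmm dd hh:mm:ss:ms yyyy [GMT +|- hh:mm:ss]` time stamp, the system name, `module/level/digest`, the `- unit -` marker and the content, together with the facility-and-level selection that the syslog.conf discussion and the `info-center source ... log level` commands rely on. The first sample line is the page's own NTP example; the other two are constructed, and their SHELL and ARP mnemonics are made up. The level names for levels 2 to 6 follow the switch's eight-level scale (1 emergencies through 8 debugging).

```python
"""Parse the log-host line format emitted by the switch's information center and select by facility/level."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The switch's eight-level severity scale, 1 = most severe (Table 338 on the page).
LEVEL_NAMES = {1: "emergencies", 2: "alerts", 3: "critical", 4: "errors",
               5: "warnings", 6: "notifications", 7: "informational", 8: "debugging"}
LEVEL_NUMBERS = {name: num for num, name in LEVEL_NAMES.items()}

# Standard syslog facility codes 0..23; the switch is told which one to use with 'facility local4' etc.
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
                  "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# <PRI>Mmm dd hh:mm:ss:ms yyyy [GMT +|- hh:mm:ss] sysname module/level/digest:- unit - content
LINE = re.compile(
    r"^(?:% ?)?<(?P<pri>\d{1,3})>"
    r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}):(?P<ms>\d{1,3}) (?P<year>\d{4})"
    r"(?: \[GMT (?P<tzsign>[+-]) ?(?P<tzoff>\d{2}:\d{2}:\d{2})\])?"
    r" (?P<sysname>\S+) (?P<module>\w+)/(?P<level>[1-8])/(?P<digest>\w+):"
    r"- ?(?P<unit>\d+) ?- ?(?P<content>.*)$"
)

SAMPLE_LINES = [
    # Taken from the page's own log-host example.
    "% <188>Dec 6 10:44:55:283 2006 3Com NTP/5/NTP_LOG:- 1 - NTP service enable",
    # Constructed: local4 facility, time stamp with a UTC offset, made-up SHELL mnemonic.
    "<164>Dec  6 10:45:01:002 2006 [GMT +08:00:00] 3Com SHELL/5/LOGIN:- 1 - Console login from con0",
    # Constructed: informational-level ARP line, made-up mnemonic.
    "<166>Dec 6 10:45:09:517 2006 3Com ARP/7/ARP_INFO:- 1 - constructed informational message",
]


@dataclass
class Record:
    facility: str         # decoded from PRI: facility = PRI // 8
    syslog_severity: int  # decoded from PRI: severity = PRI % 8 (0 = emergency)
    timestamp: datetime   # naive unless the line carries a GMT offset
    sysname: str
    module: str
    level: int            # the switch's 1..8 level from the module/level/digest field
    digest: str
    unit: int
    content: str

    @property
    def level_name(self):
        return LEVEL_NAMES[self.level]

    @property
    def consistent(self):
        """The switch maps level N to syslog severity N-1; a mismatch suggests a forged or mangled line."""
        return self.syslog_severity == self.level - 1


def parse_line(line):
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an information-center log line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    stamp = datetime.strptime(
        f"{m['mon']} {m['day']} {m['year']} {m['hh']}:{m['mm']}:{m['ss']}", "%b %d %Y %H:%M:%S"
    ).replace(microsecond=int(m["ms"].ljust(3, "0")) * 1000)
    if m["tzoff"]:
        h, mi, s = (int(x) for x in m["tzoff"].split(":"))
        offset = timedelta(hours=h, minutes=mi, seconds=s)
        stamp = stamp.replace(tzinfo=timezone(-offset if m["tzsign"] == "-" else offset))
    return Record(FACILITY_NAMES[facility], severity, stamp, m["sysname"], m["module"],
                  int(m["level"]), m["digest"], int(m["unit"]), m["content"])


def select(records, facility, threshold):
    """Keep records of one facility whose level is at least as severe as the named threshold,
    i.e. what 'info-center source ... log level <threshold>' or a syslog.conf selector passes."""
    limit = LEVEL_NUMBERS[threshold]
    return [r for r in records if r.facility == facility and r.level <= limit]


if __name__ == "__main__":
    for rec in (parse_line(sample) for sample in SAMPLE_LINES):
        print(f"{rec.facility:<7} {rec.level_name:<13} {rec.module}/{rec.digest}: {rec.content}")
```

The `consistent` check is the detection-side payoff: the PRI severity and the level inside the message are produced independently by the switch, so a line in which they disagree did not come out of a healthy information center and deserves a look.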
  • Page 469 Information Center Configuration Examples. Network diagram: the switch reaches the log host across the Internet. Configuration procedure:
    # Name the local time zone z8 and configure it to be eight hours ahead of UTC.
    <4210> clock timezone z8 add 08:00:00
    # Set the time stamp format of the log information output to the log host to date.
  • Page 471: Boot ROM and Software Loading

    ... press "6" or <Ctrl+U> and then <Enter> after entering the BOOT menu, and the system gives different prompts. The following text mainly describes the Boot ROM loading process. BOOT Menu:
    Starting..
    ***********************************************************
    3Com Switch 4210 26-Port BOOTROM, Version 507
    ***********************************************************
  • Page 472 CHAPTER 41: BOOT ROM AND SOFTWARE LOADING
    Copyright (c) 2004-2007 3Com Corporation
    Creation date   : Apr 17 2007, 10:12:36
    CPU Clock Speed : 200MHz
    BUS Clock Speed : 33MHz
    Memory Size     : 64MB
    Mac Address     : 000fe2123456
    Press Ctrl-B to enter Boot Menu...
    Anyone holding a console connection during this pause can enter the Boot Menu and load a Boot ROM or host software image of their choosing, so physical access to the console port amounts to administrative control of the switch.
  • Page 473 Local Boot ROM and Software Loading. Loading Boot ROM. Follow these steps to load the Boot ROM: Step 1: At the prompt "Enter your choice(0-9):" in the BOOT Menu, press <6> or <Ctrl+U>, then press <Enter> to enter the Boot ROM update menu shown below: Bootrom update menu: 1. ...
  • Page 474 CHAPTER 41: BOOT ROM AND SOFTWARE LOADING. Figure 157 Properties dialog box. Figure 158 Console port configuration dialog box.
  • Page 475 Local Boot ROM and Software Loading. Step 5: Click the <Disconnect> button to disconnect HyperTerminal from the switch, then click the <Connect> button to reconnect HyperTerminal to the switch, as shown in Figure 159 (Connect and disconnect buttons). The new baud rate takes effect only after you disconnect and reconnect HyperTerminal.
  • Page 476 CHAPTER 41: BOOT ROM AND SOFTWARE LOADING. Figure 161 Sending file page. Step 9: After the sending process completes, the system displays: Loading ...CCCCCCCCCC done! Step 10: Reset HyperTerminal's baud rate to 9600 bps (refer to Steps 4 and 5). Then press any key as prompted.
  • Page 477 Step 2: Run the TFTP server program on the TFTP server, and specify the path of the program to be downloaded. CAUTION: A TFTP server program is not provided with the 3Com Series Ethernet Switches. Step 3: Run the HyperTerminal program on the configuration PC. Start the switch.
  • Page 478 CHAPTER 41: BOOT ROM AND SOFTWARE LOADING
    0. Return to boot menu
    Enter your choice(0-3):
    Step 4: Enter 1 in the above menu to download the Boot ROM using TFTP. Then set the following TFTP-related parameters as required:
    Load File name    : switch_02.btm
    Switch IP address : 1.1.1.2
    Server IP address : ...
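The TFTP transfer that the Boot ROM download above depends on, and that the TFTP chapter earlier on this page summarises (UDP, port 69, no authentication), is shown in full in the following added example, which is not part of the 3Com guide: a minimal RFC 1350 read exchange (RRQ, DATA, ACK, ERROR) between a client and a one-shot server run on the loopback interface. The server binds an ephemeral port rather than UDP 69 so it runs unprivileged; the file names switch_02.btm and switch.bin are borrowed from the page but their contents are constructed filler. The point to notice is that the server hands out whatever file the RRQ names and never learns who asked, which is why the page's caution about TFTP having no authentication matters on any network where the image server is reachable.

```python
"""Minimal TFTP read exchange (RFC 1350) between a client and a one-shot server on loopback."""
import socket
import struct
import threading

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512  # fixed RFC 1350 block size; a block shorter than this ends the transfer

# Constructed stand-ins for the image files named on the page; the contents are filler.
SERVER_FILES = {
    "switch_02.btm": bytes(range(256)) * 5,  # 1280 bytes: blocks of 512, 512 and 256
    "switch.bin": b"\x00" * 1024,            # two full blocks, then an empty terminating block
}


def rrq(filename, mode="octet"):
    """Read request: opcode, filename, NUL, mode, NUL."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def ack(block):
    return struct.pack("!HH", ACK, block)


def error(code, message):
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\x00"


def parse(packet):
    """Decode one packet into (opcode, fields)."""
    (op,) = struct.unpack("!H", packet[:2])
    if op == RRQ:
        name, mode, _ = packet[2:].split(b"\x00", 2)
        return op, (name.decode(), mode.decode())
    if op == DATA:
        (block,) = struct.unpack("!H", packet[2:4])
        return op, (block, packet[4:])
    if op == ACK:
        return op, (struct.unpack("!H", packet[2:4])[0],)
    if op == ERROR:
        (code,) = struct.unpack("!H", packet[2:4])
        return op, (code, packet[4:].split(b"\x00", 1)[0].decode())
    raise ValueError(f"unsupported opcode {op}")


def serve_one(sock, files):
    """Answer a single read request. Nothing identifies the client: the file name is the only check."""
    pkt, client = sock.recvfrom(1024)
    op, fields = parse(pkt)
    if op != RRQ or fields[0] not in files:
        sock.sendto(error(1, "File not found"), client)
        return
    content = files[fields[0]]
    block = 1
    while True:
        chunk = content[(block - 1) * BLOCK: block * BLOCK]
        sock.sendto(data(block, chunk), client)
        reply, _ = sock.recvfrom(1024)
        if parse(reply) != (ACK, (block,)):
            return  # lost or out-of-order ACK: a real server would retransmit, this one gives up
        if len(chunk) < BLOCK:
            return  # the short (possibly empty) block was acknowledged: transfer complete
        block += 1


def tftp_get(server_addr, filename, timeout=2.0):
    """Client side: send RRQ, then acknowledge every DATA block until a short block arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(rrq(filename), server_addr)
        received = bytearray()
        expected = 1
        while True:
            pkt, _ = s.recvfrom(4 + BLOCK)
            op, fields = parse(pkt)
            if op == ERROR:
                raise IOError(f"TFTP error {fields[0]}: {fields[1]}")
            block, payload = fields
            if block == expected:  # accept in-order blocks only; duplicates are just re-ACKed
                received += payload
                expected += 1
            s.sendto(ack(block), server_addr)
            if len(payload) < BLOCK:
                return bytes(received)


def loopback_transfer(filename, files=SERVER_FILES):
    """Run one server/client exchange on 127.0.0.1 using an ephemeral port instead of UDP 69."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(5.0)
    worker = threading.Thread(target=serve_one, args=(srv, files))
    worker.start()
    try:
        return tftp_get(srv.getsockname(), filename)
    finally:
        worker.join()
        srv.close()


if __name__ == "__main__":
    image = loopback_transfer("switch_02.btm")
    print(f"fetched {len(image)} bytes of switch_02.btm without presenting any credential")
```

A production server retransmits on a missing ACK and uses a fresh port per transfer (the transfer identifier in RFC 1350); both are left out here so the exchange stays readable, and neither changes the security picture: there is no place in the protocol where a credential could be checked.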
  • Page 479 Local Boot ROM and Software Loading. Figure 163 Local loading using FTP client (the switch connects to the FTP server through an Ethernet port and to the configuration PC through the Console port). 1 As shown in Figure 163, connect the switch through an Ethernet port to the FTP server, and through the Console port to the configuration PC. You can use one computer as both the configuration device and the FTP server.
  • Page 480: Remote Boot Rom And Software Loading

    CHAPTER 41: BOOT ROM AND SOFTWARE LOADING
    0. Return to boot menu
    Enter your choice(0-3): 2
    Enter 2 in the above menu to download the host software using FTP. The subsequent steps are the same as those for loading the Boot ROM, except that the system prompts for host software loading instead of Boot ROM loading.
  • Page 481 Remote Boot ROM and Software Loading. Step 3: Restart the switch.
    <4210> reboot
    Before restarting the switch, make sure you have saved all other configuration you want to keep, to avoid losing configuration information. 2 Loading host software: loading the host software is the same as loading the Boot ROM program, except that the file to be downloaded is the host software file, and that you need to use the boot boot-loader command to select the host software to be used at the next startup of the switch.
  • Page 482 CHAPTER 41: BOOT ROM AND SOFTWARE LOADING. c Enable the FTP service on the switch, and configure the FTP user name test and password pass.
    [4210-Vlan-interface1] quit
    [4210] ftp server enable
    [4210] local-user test
    New local user added.
    [4210-luser-test] password simple pass
    [4210-luser-test] service-type ftp
    FTP carries this user name and password in cleartext, and the simple keyword stores the password unencrypted in the switch configuration; treat the account as temporary, and disable the FTP server and delete the user once the upgrade is complete.
    d Start the FTP client software on the PC.
  • Page 483 Remote Boot ROM and Software Loading. Figure 167 Enter Boot ROM directory. f Enter ftp 192.168.0.28 and then the user name test and password pass, as shown in Figure 168 (Log on to the FTP server), to log on to the FTP server. g Use the put command to upload the file switch.btm to the switch, as shown in Figure 169.
  • Page 484 CHAPTER 41: BOOT ROM AND SOFTWARE LOADING. Figure 169 Upload file switch.btm to the switch. h Configure switch.btm to be the Boot ROM at the next startup, and then restart the switch.
    <4210> boot bootrom switch.btm
    This will update Bootrom on unit 1. Continue? [Y/N] y
    Upgrading Bootrom, please wait...
  • Page 485: Basic System Configuration and Debugging

    BASIC SYSTEM CONFIGURATION AND DEBUGGING. Basic System Configuration. Table 354 Basic System Configuration:
    Set the current date and time of the system: clock datetime HH:MM:SS { YYYY/MM/DD | MM/DD/YYYY }. Required; execute this command in user view. The default value is 23:55:00 04/01/2000 when the system starts up.
  • Page 486: Displaying The System Status

    CHAPTER 42: BASIC SYSTEM CONFIGURATION AND DEBUGGING. Displaying the System Status: you can use the following display commands to check the status and configuration information of the system. For information about protocols and ports, and the associated display commands, refer to the relevant sections. Table 355 System information display commands (Operation, Command ...)
  • Page 487 Debugging the System. Figure 170 The relationship between the protocol and screen debugging switches: debugging information reaches the terminal only when both the protocol debugging switch and the screen output switch are on. Displaying debugging information on the terminal is the most commonly used way to output debugging information.
  • Page 488 CHAPTER 42: BASIC SYSTEM CONFIGURATION AND DEBUGGING. Displaying Operating Information about Modules in the System: when an Ethernet switch is in trouble, you may need to view a lot of operating information to locate the problem. Each functional module has its corresponding operating information display command(s).
  • Page 489: Network Connectivity Test

    NETWORK CONNECTIVITY TEST. Network Connectivity Test: ping. You can use the ping command to check network connectivity and the reachability of a host. Table 359 The ping command: check IP network connectivity and the ...: ping [ -a ip-address ] [ -c count ] [ -d ] [ -f ] [ -h ttl ] [ -i ... You can execute this ...
  • Page 490 CHAPTER 43: NETWORK CONNECTIVITY TEST. Table 360 The tracert command: view the gateways that a packet passes from the source ...: tracert [ -a source-ip ] [ -f first-ttl ] [ -m max-ttl ] [ -p port ... You can execute the tracert command in any view.
  • Page 491: Device Management

    DEVICE MANAGEMENT. Device Management Configuration. Table 361 Device management configuration tasks: "Rebooting the Ethernet Switch" (Optional); "Scheduling a Reboot on the Switch" (Optional); "Configuring Real-time Monitoring of the Running Status of the System" (Optional); "Specifying the APP to be Used at Reboot" ...
  • Page 492 CHAPTER 44: DEVICE MANAGEMENT. The switch timer can be set to a precision of one minute; that is, the switch reboots within one minute after the specified reboot date and time. Configuring Real-time Monitoring of the Running Status of the System: this function lets you dynamically record the system running status, such as the CPU, which helps in analyzing and solving problems on the device.
  • Page 493: Displaying The Device Management Configuration

    Displaying the Device Management Configuration. After the above configurations, you can execute the display command in any view to show the operating status of device management and verify the configuration. Table 367 Display the operating status of the device management (Operation, Command, Description ...)
  • Page 494 CHAPTER 44: DEVICE MANAGEMENT. Network diagram: Figure 171 Network diagram for FTP configuration. Configuration procedure: 1 Configure the following FTP server-related parameters on the PC: an FTP user with the user name switch and password hello, who is authorized with read-write rights on the directory Switch on the PC.
  • Page 495 Remote Switch APP Upgrade Configuration Example
    Upgrading BOOTROM, please wait...
    Upgrade BOOTROM succeeded!
    9 Specify the downloaded program as the host software to be used when the switch next starts.
    <4210> boot boot-loader switch.bin
    The specified file will be booted next time on unit 1!
    <4210>
  • Page 497: Remote-Ping Configuration

    REMOTE-PING CONFIGURATION. Remote-Ping Overview. Introduction to Remote-Ping: Remote-Ping (pronounced "Hua'Wei Ping"; the diagrams also label it HWPing) is a network diagnostic tool used to test the performance of various protocols running in networks. Remote-Ping provides more functions than the ping command: the ping command can only use ICMP to test the round trip time ...
  • Page 498 CHAPTER 45: REMOTE-PING CONFIGURATION. Test Types Supported by Remote-Ping. Table 368 Test types supported by Remote-Ping: ICMP test, DHCP test, FTP test, HTTP test, DNS test, SNMP test ... For these types of tests, you need to configure the Remote-Ping client and the corresponding servers.
  • Page 499 Remote-Ping Overview. Table 369 Remote-Ping test parameters:
    Source address (source-ip): for Remote-Ping tests other than the DHCP test, you can specify a source IP address for test packets; the server uses it as the destination address of its response packets.
    Source port (source-port): for Remote-Ping tests other than ICMP, DHCP and DNS, you can specify a source ...
  • Page 500: Remote-Ping Configuration

    CHAPTER 45: REMOTE-PING CONFIGURATION. Table 369 Remote-Ping test parameters (continued):
    FTP operation type (ftp-operation): sets the type of FTP interaction between the Remote-Ping client and the FTP server.
    FTP login username and password (username and password): set the username and password to be used for the FTP ...
  • Page 501 Remote-Ping Configuration. Remote-Ping server configuration tasks. Table 370 Remote-Ping server configuration tasks:
    Enable the Remote-Ping server function: the Remote-Ping server function is needed only for jitter, TCP and UDP tests. See "Remote-Ping server configuration".
    Configure a listening service on the Remote-Ping server: you can configure multiple ... See "Remote-Ping server configuration" ...
  • Page 502 CHAPTER 45: REMOTE-PING CONFIGURATION. Table 372 Configure ICMP test on Remote-Ping client:
    Create a Remote-Ping test group and enter its view: Remote-Ping administrator-name operation-tag. Required; by default, no test group is configured.
    Configure the destination IP address: destination-ip ip-address. Required ...
  • Page 503 Remote-Ping Configuration. Table 373 Configure DHCP test on Remote-Ping client:
    Enable the Remote-Ping client function: Remote-Ping-agent enable. Required; by default, the Remote-Ping client function is disabled.
    Create a Remote-Ping test group and enter its view: Remote-Ping administrator-name operation-tag. Required; by default, no test group is configured ...
  • Page 504 CHAPTER 45: REMOTE-PING CONFIGURATION. Table 374 Configure FTP test on Remote-Ping client:
    Configure the source port: source-port port-number. Optional; by default, no source port is configured.
    Configure the test type: test-type ftp. Required; by default, the test type is ICMP.
  • Page 505 ... IP address. Configure the DNS server: dns-server ip-address. Required when you use a 3Com Switch 4210 Family switch as a Remote-Ping client for an HTTP test and specify the destination address as a host name. Configure the source IP ...
  • Page 506 CHAPTER 45: REMOTE-PING CONFIGURATION. Table 375 Configure HTTP test on Remote-Ping client:
    Configure the type of HTTP operation: http-operation { get | post }. Optional; by default, the HTTP operation type is get, that is, the HTTP operation gets data from the HTTP server.
  • Page 507 Remote-Ping Configuration. Table 376 Configure jitter test on Remote-Ping client:
    Configure the number of probes per test: count times. Optional; by default, each test makes one probe.
    Configure the maximum number of history records that can be saved: history-records number. Optional; by default, the maximum number is 50.
  • Page 508 CHAPTER 45: REMOTE-PING CONFIGURATION. Table 377 Configure SNMP test on Remote-Ping client:
    Configure the source IP address: source-ip ip-address. Optional; by default, no source IP address is configured.
    Configure the source port: source-port port-number. Optional; by default, no source port is configured.
  • Page 509 Remote-Ping Configuration. Table 378 Configure TCP test on Remote-Ping client:
    Configure the destination address: destination-ip ip-address. Required; this IP address must be the same as the one configured for the listening service on the Remote-Ping server. By default, no destination address is configured.
  • Page 510 CHAPTER 45: REMOTE-PING CONFIGURATION. Table 378 Configure TCP test on Remote-Ping client (continued):
    Display test results: display Remote-Ping results [ admin-name operation-tag ]. Required; the display command can be executed in any view.
    8 Configuring UDP test on Remote-Ping client. Table 379 Configure UDP test on Remote-Ping client (Operation, Command ...)
  • Page 511 Remote-Ping Configuration. Table 379 Configure UDP test on Remote-Ping client (continued):
    Configure the number of probes per test: count times. Optional; by default, one probe is made per test.
    Configure the maximum number of history records that can be saved: history-records number. Optional; by default, the maximum number is 50.
  • Page 512 CHAPTER 45: REMOTE-PING CONFIGURATION. Table 380 Configure DNS test on Remote-Ping client:
    Configure the maximum number of history records that can be saved: history-records number. Optional; by default, the maximum number is 50.
    Configure the automatic test interval: frequency interval. Optional ...
  • Page 513: Remote-Ping Configuration Example

    Remote-Ping Configuration Example. Table 381 Configure the Remote-Ping client to send Trap messages:
    Configure the number of consecutive unsuccessful Remote-Ping probes before Trap output: probe-failtimes times. Optional; by default, Trap messages are sent each time a probe fails.
    Displaying Remote-Ping Configuration: after the above configuration, you can use the display commands to view the results of the latest test and the history information.
  • Page 514: Network Diagram

    CHAPTER 45: REMOTE-PING CONFIGURATION
    [4210-Remote-Ping-administrator-icmp] test-type icmp
    # Configure the destination IP address as 10.2.2.2.
    [4210-Remote-Ping-administrator-icmp] destination-ip 10.2.2.2
    # Configure to make 10 probes per test.
    [4210-Remote-Ping-administrator-icmp] count 10
    # Set the probe timeout time to 5 seconds.
    [4210-Remote-Ping-administrator-icmp] timeout 5
    # Start the test.
  • Page 515 Remote-Ping Configuration Example. Configuration procedure. Configure the DHCP server (Switch B): ... Configure the Remote-Ping client (Switch A):
    # Enable the Remote-Ping client.
    <4210> system-view
    [4210] Remote-Ping-agent enable
    # Create a Remote-Ping test group, setting the administrator name to "administrator" and the test tag to "dhcp".
    [4210] Remote-Ping administrator dhcp
    # Configure the test type as dhcp.
  • Page 516 CHAPTER 45: REMOTE-PING CONFIGURATION. FTP Test. Network requirements: both the Remote-Ping client and the FTP server are Switch 4210s. Perform a Remote-Ping FTP test between the two switches to test the connectivity to the specified FTP server and the time required to upload a file to the server after the connection is established.
  • Page 517 HTTP Test. Network requirements: a 3Com Switch 4210 serves as the Remote-Ping client, and a PC serves as the HTTP server. Perform a Remote-Ping HTTP test between the switch and the HTTP server to test the connectivity and the time required to download a file from the ...
  • Page 518 CHAPTER 45: REMOTE-PING CONFIGURATION. Network diagram: Figure 183 Network diagram for the HTTP test (Switch, HWPing client, 10.1.1.1/8; IP network; HTTP Server, 10.2.2.2/8). Configuration procedure: Configure the HTTP server. Use a Windows 2003 Server as the HTTP server and ...
  • Page 519 Remote-Ping Configuration Example
    TCP Connect Time: 73
    HTTP Operation Min Time: 27
    TCP Connect Min Time: 5
    HTTP Operation Max Time: 80
    TCP Connect Max Time: 20
    TCP Connect Timeout Times: 0
    [4210-Remote-Ping-administrator-http] display Remote-Ping history administrator h
    Remote-Ping entry(admin administrator, tag http) history record:
    Index Response Status ...
  • Page 520 CHAPTER 45: REMOTE-PING CONFIGURATION
    # Configure the test type as jitter.
    [4210-Remote-Ping-administrator-Jitter] test-type Jitter
    # Configure the IP address of the Remote-Ping server as 10.2.2.2.
    [4210-Remote-Ping-administrator-Jitter] destination-ip 10.2.2.2
    # Configure the destination port on the Remote-Ping server.
    [4210-Remote-Ping-administrator-Jitter] destination-port 9000
    # Configure to make 10 probes per test.
  • Page 521 Remote-Ping Configuration Example. For detailed output descriptions, see the corresponding command manual. SNMP Test. Network requirements: both the Remote-Ping client and the SNMP agent are Switch 4210s. Perform Remote-Ping SNMP tests between the two switches to measure the time from Switch A sending an SNMP query message to Switch B (the SNMP agent) until it receives the response from Switch B.
  • Page 522 CHAPTER 45: REMOTE-PING CONFIGURATION
    [4210-Remote-Ping-administrator-snmp] timeout 30
    # Start the test.
    [4210-Remote-Ping-administrator-snmp] test-enable
    # Display the test results.
    [4210-Remote-Ping-administrator-snmp] display Remote-Ping results administrator s
    Remote-Ping entry(admin administrator, tag snmp) test result:
    Destination ip address:10.2.2.2
    Send operation times: 10                Receive response times: 10
    Min/Max/Average Round Trip Time: 9/11/10
    Square-Sum of Round Trip Time: 983
    Last complete test time: 2000-4-3 8:57:20.0 ...
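Added example, not from the guide: a small Python model of the accounting behind the result display above and the probe-failtimes trap rule in Table 381. It takes one test's worth of probe samples (RTT in milliseconds, or None for no reply), treats replies that arrive after the configured timeout as failures, and returns the send count, receive count, min/max/average round trip time (integer average, as the switch prints it) and the square-sum of round trip times, while emitting a trap only when the configured number of consecutive probes has failed. The RTT samples are constructed and do not reproduce the page's square-sum of 983; the assumption that the consecutive-failure counter restarts after a trap fires is mine, not something the page states.

```python
"""Remote-Ping style probe accounting: per-test result statistics and consecutive-failure trap gating."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class TestGroup:
    """One test group, identified like the switch's 'Remote-Ping administrator-name operation-tag'."""
    admin: str
    tag: str
    count: int                  # probes per test ('count' on the switch)
    timeout_s: int              # per-probe timeout in seconds ('timeout' on the switch)
    probe_failtimes: int = 1    # consecutive failures before a trap; 1 = trap on every failed probe
    traps: List[str] = field(default_factory=list)
    consecutive_failures: int = field(default=0, init=False)

    def probe_outcome(self, rtt_ms: Optional[int]) -> Optional[int]:
        """Return the RTT of a probe answered within the timeout; otherwise count a failure,
        emit a trap once probe_failtimes consecutive probes have failed, and return None."""
        if rtt_ms is not None and rtt_ms <= self.timeout_s * 1000:
            self.consecutive_failures = 0
            return rtt_ms
        self.consecutive_failures += 1
        if self.consecutive_failures >= self.probe_failtimes:
            self.traps.append(f"{self.admin}/{self.tag}: {self.probe_failtimes} consecutive probe failure(s)")
            # Assumption (not stated on the page): the counter restarts after a trap, so a
            # sustained outage produces one trap per probe_failtimes probes rather than one per probe.
            self.consecutive_failures = 0
        return None


def run_test(group: TestGroup, samples: List[Optional[int]]) -> Dict[str, int]:
    """Feed one test's probe samples (RTT in ms, or None for no reply) through the group and
    summarise them the way 'display Remote-Ping results' does: send and receive counts,
    min/max/average round trip time (integer average) and the square-sum of round trip times."""
    if len(samples) != group.count:
        raise ValueError(f"test group {group.tag} sends {group.count} probes, got {len(samples)} samples")
    rtts = [r for r in (group.probe_outcome(s) for s in samples) if r is not None]
    result = {"send": len(samples), "recv": len(rtts), "min": 0, "max": 0, "avg": 0, "square_sum": 0}
    if rtts:
        result.update(min=min(rtts), max=max(rtts), avg=sum(rtts) // len(rtts),
                      square_sum=sum(r * r for r in rtts))
    return result


if __name__ == "__main__":
    # Constructed samples: ten answered probes against a 30 second timeout, as in the SNMP test above.
    snmp = TestGroup("administrator", "snmp", count=10, timeout_s=30)
    print(run_test(snmp, [9, 10, 10, 10, 10, 10, 10, 10, 10, 11]))
    # Constructed outage: a trap after every three consecutive failures.
    icmp = TestGroup("administrator", "icmp", count=10, timeout_s=5, probe_failtimes=3)
    print(run_test(icmp, [None, None, 12, None, None, None, None, None, None, 5]), icmp.traps)
```

The same gating logic is what you want on the receiving side of the traps: a monitoring rule that alerts on a single failed probe is noise on a lossy link, while one keyed to a run of consecutive failures tracks the probe-failtimes setting on the switch.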
  • Page 523 Remote-Ping Configuration Example
    <4210> system-view
    [4210] Remote-Ping-server enable
    [4210] Remote-Ping-server tcpconnect 10.2.2.2 8000
    Configure the Remote-Ping client (Switch A):
    # Enable the Remote-Ping client.
    <4210> system-view
    [4210] Remote-Ping-agent enable
    # Create a Remote-Ping test group, setting the administrator name to "administrator" ...
  • Page 524 CHAPTER 45: REMOTE-PING CONFIGURATION. For detailed output descriptions, see the corresponding command manual. UDP Test (Udpprivate Test) on the Specified Ports. Network requirements: both the Remote-Ping client and the Remote-Ping server are Switch 4210s. Perform a Remote-Ping Udpprivate test on the specified ports between the two switches to measure the RTT of UDP packets between this end (the Remote-Ping client) and the specified destination end (the Remote-Ping server).
  • Page 525 Remote-Ping Configuration Example
    [4210-Remote-Ping-administrator-udpprivate] display Remote-Ping results administrator udpprivate
    Remote-Ping entry(admin administrator, tag udpprivate) test result:
    Destination ip address:10.2.2.2
    Send operation times: 10                Receive response times: 10
    Min/Max/Average Round Trip Time: 10/12/10
    Square-Sum of Round Trip Time: 1170
    Last complete test time: 2000-4-2 8:29:45.5
    Extend result:
    SD Maximal delay: 0                     DS Maximal delay: 0 ...
  • Page 526 CHAPTER 45: REMOTE-PING CONFIGURATION
    # Configure the test type as dns.
    [4210-Remote-Ping-administrator-dns] test-type dns
    # Configure the IP address of the DNS server as 10.2.2.2.
    [4210-Remote-Ping-administrator-dns] dns-server 10.2.2.2
    # Configure to resolve the domain name www.test.com.
    [4210-Remote-Ping-administrator-dns] dns resolve-target www.test.com
    # Configure to make 10 probes per test.
  • Page 527: IPv6 Management Configuration

    The term "router" in this document refers to a router in the generic sense or to an Ethernet switch running a routing protocol. The 3Com Switch 4210 Family supports IPv6 management features, but does not support IPv6 forwarding and related features.
  • Page 528 CHAPTER 46: IPv6 MANAGEMENT CONFIGURATION. Hierarchical address structure: IPv6 adopts a hierarchical address structure to speed up route lookup and, by means of route aggregation, to reduce the system resources occupied by the IPv6 routing table. Automatic address configuration: to simplify host configuration, IPv6 supports stateful address configuration and stateless address configuration.
  • Page 529 IPv6 Overview. Leading zeros in each group can be removed; for example, the above-mentioned address can be written in shorter form as 2001:0:130F:0:0:9C0:876A:130B. If an IPv6 address contains two or more consecutive groups of zeros, they can be replaced by a double colon (::); for example, the above-mentioned address can be written in its shortest form as 2001:0:130F::9C0:876A:130B. The double colon may appear only once in an address, since otherwise the number of omitted groups would be ambiguous.
  • Page 530 CHAPTER 46: IPv6 MANAGEMENT CONFIGURATION. Table 383 Mapping between address types and format prefixes (Type, Format prefix (binary), IPv6 prefix ID). Anycast address: anycast addresses are taken from the unicast address space and are not syntactically distinguishable from unicast addresses. Unicast address: there are several forms of unicast address assignment in IPv6, including the global unicast address, the link-local address and the site-local address.
  • Page 531 IPv6 Overview. ... where FF02:0:0:0:0:1:FF is permanent and consists of 104 bits, and XX:XXXX is the last 24 bits of the IPv6 address. Interface identifier in IEEE EUI-64 format: interface identifiers in IPv6 unicast addresses identify interfaces on a link and are required to be unique on that link.
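Added example, not from the guide: the three address rules described on the preceding pages implemented in Python and checked against the page's own values. `compress` applies the leading-zero and `::` rules to 2001:0000:130F:0000:0000:09C0:876A:130B; `eui64_interface_id` and `link_local_from_mac` build the EUI-64 interface identifier (split the MAC, insert FFFE, invert the universal/local bit) and the resulting FE80:: link-local address, using as input the MAC 000fe2123456 printed in the Boot ROM banner earlier on this page; and `solicited_node` derives FF02::1:FFXX:XXXX from the low 24 bits of a unicast address, which for an address ending in ::1 gives the FF02::1:FF00:1 group shown in the configuration example later on this page. No library beyond the standard `re` module is used, so every rule is visible in the code.

```python
"""IPv6 text-form rules and NDP-derived addresses: zero compression, EUI-64 identifiers, solicited-node groups."""
import re


def expand(text):
    """Return the eight 16-bit groups of an IPv6 address as integers, honouring a single '::'."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once")
    head, _, tail = text.partition("::")
    left = [int(g, 16) for g in head.split(":")] if head else []
    right = [int(g, 16) for g in tail.split(":")] if tail else []
    if "::" in text:
        fill = 8 - len(left) - len(right)
        if fill < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = left + [0] * fill + right
    else:
        groups = left
    if len(groups) != 8 or any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError(f"malformed IPv6 address: {text!r}")
    return groups


def compress(text):
    """Shortest text form: drop leading zeros in each group and replace the longest run of
    two or more zero groups (the leftmost on a tie) with '::'."""
    groups = expand(text)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexgroups = [format(g, "X") for g in groups]
    if best_len < 2:
        return ":".join(hexgroups)
    left = ":".join(hexgroups[:best_start])
    right = ":".join(hexgroups[best_start + best_len:])
    return f"{left}::{right}"


def eui64_interface_id(mac):
    """EUI-64 interface identifier from a 48-bit MAC: split the MAC, insert FFFE, invert the U/L bit."""
    octets = bytearray(bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", mac)))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    iid = octets[:3] + bytearray(b"\xff\xfe") + octets[3:]
    iid[0] ^= 0x02  # universal/local bit: 0 in a globally unique MAC becomes 1 in the identifier
    return ":".join(format(int.from_bytes(iid[k:k + 2], "big"), "X") for k in range(0, 8, 2))


def link_local_from_mac(mac):
    """Link-local address the switch would auto-generate: FE80::/64 plus the EUI-64 identifier."""
    return compress(f"FE80::{eui64_interface_id(mac)}")


def solicited_node(text):
    """Solicited-node multicast group: the fixed 104-bit prefix FF02:0:0:0:0:1:FF followed by
    the low 24 bits of the unicast address."""
    groups = expand(text)
    low24 = ((groups[6] & 0xFF) << 16) | groups[7]
    return compress(f"FF02::1:FF{low24 >> 16:02X}:{low24 & 0xFFFF:X}")


if __name__ == "__main__":
    print(compress("2001:0000:130F:0000:0000:09C0:876A:130B"))
    mac = "000fe2123456"  # MAC shown in the Boot ROM banner on this page
    ll = link_local_from_mac(mac)
    print(ll, solicited_node(ll), solicited_node("3001::1"))
```

Two practical consequences fall out of the code: an auto-generated link-local address exposes the interface MAC to every neighbour on the link, and the solicited-node group an interface joins is derived from its address, so the groups listed by the switch's IPv6 interface display can be checked against the addresses it claims.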
  • Page 532 The 3Com Switch 4210 Family does not support RS, RA or Redirect messages. Of the above-mentioned IPv6 NDP functions, the 3Com Switch 4210 Family ...
  • Page 533 IPv6 Overview. ... solicited-node multicast address of node B. The NS message contains the link-layer address of node A. 2 After receiving the NS message, node B checks whether the destination address of the packet is the solicited-node multicast address corresponding to its own IPv6 address.
  • Page 534: IPv6 Configuration Task List

    CHAPTER 46: IPv6 MANAGEMENT CONFIGURATION. Introduction to IPv6 DNS: in an IPv6 network, a domain name system (DNS) supporting IPv6 converts domain names into IPv6 addresses rather than IPv4 addresses. Like an IPv4 DNS, however, an IPv6 DNS covers both static domain name resolution and dynamic domain name resolution.
  • Page 535 IPv6 Configuration Task List. To enable a host to access a public IPv6 network, you need to assign it an IPv6 global unicast address. IPv6 site-local addresses and global unicast addresses can be configured in either of the following ways: EUI-64 format: when the EUI-64 format is adopted to form IPv6 addresses, the ...
  • Page 536 CHAPTER 46: IPv6 MANAGEMENT CONFIGURATION. ... if the manually assigned link-local address is deleted, the automatically generated link-local address takes effect. Manual assignment takes precedence over automatic generation: that is, if you first adopt automatic generation and then manual assignment, the manually assigned link-local address overwrites the automatically generated one.
  • Page 537 IPv6 Configuration Task List. Table 389 Configure the maximum number of neighbors dynamically learned:
    Enter VLAN interface view: interface interface-type interface-number.
    Configure the maximum number of neighbors dynamically learned by an interface: ipv6 neighbors max-learning-num number. Optional; the default value is 2,048.
    Configure the attempts to send an NS message for duplicate address ...
  • Page 538 CHAPTER 46: IPv6 MANAGEMENT CONFIGURATION. Table 392 Configure the NS interval:
    Specify the NS interval: ipv6 nd ns retrans-timer value. Optional; 1,000 milliseconds by default.
    Configure the neighbor reachable timeout time on an interface: after a neighbor passes the reachability detection, the device considers the neighbor reachable for a specific period.
  • Page 539 IPv6 Configuration Task List. Table 395 Configure IPv6 TCP properties:
    Set the finwait timer of IPv6 TCP packets: tcp ipv6 timer fin-timeout wait-time. Optional; 675 seconds by default.
    Set the synwait timer of IPv6 TCP packets: tcp ipv6 timer ...
  • Page 540 CHAPTER 46: IPv6 MANAGEMENT CONFIGURATION. Configure dynamic DNS resolution: if you want to use the dynamic domain name function, use the following command to enable dynamic domain name resolution. In addition, configure a DNS server so that query request messages are sent to the correct server for resolution.
  • Page 541 IPv6 Configuration Task List. Displaying and Maintaining IPv6. Table 399 Display and maintain IPv6:
    Display DNS domain name suffix information: display dns domain [ dynamic ]. Available in any view.
    Display IPv6 dynamic domain name cache information: display dns ipv6 dynamic-host.
  • Page 542: IPv6 Configuration Example

    CHAPTER 46: IPv6 MANAGEMENT CONFIGURATION. IPv6 Configuration Example. IPv6 Unicast Address Configuration. Network requirements: two switches are directly connected through two Ethernet ports that belong to VLAN 2. IPv6 addresses are configured for the interface Vlan-interface2 on each switch to verify the connectivity between the two switches.
  • Page 543 IPv6 Configuration Example
    Joined group address(es):
    FF02::1:FF00:1
    FF02::1:FF47:4CA3
    FF02::1
    MTU is 1500 bytes
    ND DAD is enabled, number of DAD attempts: 1
    ND reachable time is 30000 milliseconds
    ND retransmit interval is 1000 milliseconds
    Hosts use stateless autoconfig for addresses
    # Display the brief IPv6 information of the interface on Switch B.
  • Page 544 CHAPTER 46: IPv6 MANAGEMENT CONFIGURATION
    bytes=56 Sequence=3 hop limit=64 time = 6 ms
    Reply from 3001::2
    bytes=56 Sequence=4 hop limit=64 time = 5 ms
    Reply from 3001::2
    bytes=56 Sequence=5 hop limit=64 time = 6 ms
    --- 3001::2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss ...
• Page 545: Introduction To IPv6 Application

    Chapter 47: IPv6 Application Configuration. Introduction to IPv6 Application: IPv6 supports more and more applications, most of which are the same as their IPv4 counterparts. The IPv6 applications supported on the 3Com Switch 4210 Family are: Ping, Traceroute, TFTP, Telnet...
• Page 546 Chapter 47: IPv6 Application Configuration. Figure 194 Traceroute process (Hop Limit = 1: Hop Limit exceeded; Hop Limit = 2: Hop Limit exceeded; ...; Hop Limit = n: UDP port unreachable). As Figure 194 shows, the traceroute process is as follows: The source sends an IP datagram with a Hop Limit of 1...
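The hop-limit probing that Figure 194 describes, as an added example that is not code from the 3Com manual: it models the packet handling instead of sending packets, so it runs without raw sockets. The path, the addresses and the router that filters ICMPv6 (and therefore shows up as a timeout, the case the troubleshooting page on 550 refers to) are constructed for the example.

```python
"""Simulation of the traceroute process in Figure 194: probes are sent with
Hop Limit 1, 2, ..., each router that decrements the Hop Limit to zero
answers "Hop Limit exceeded", and the destination answers the probe that
reaches it with "UDP port unreachable" because nothing listens on the port.

Added example, not code from the 3Com manual. The path below is
constructed, including a router that never sends ICMPv6 errors.
"""
from dataclasses import dataclass


@dataclass
class Node:
    addr: str
    is_destination: bool = False
    silent: bool = False    # forwards packets but never sends ICMPv6 errors


def forward_probe(path, hop_limit):
    """Walk one probe along `path` (destination last) and return
    (replying address or None, reply kind)."""
    for node in path:
        if node.is_destination:
            # The destination does not forward, so it does not decrement;
            # it answers the UDP probe on an unused port with port unreachable.
            return (None, "timeout") if node.silent else (node.addr, "port-unreachable")
        hop_limit -= 1       # every router decrements before forwarding
        if hop_limit == 0:
            # ICMPv6 Time Exceeded, "hop limit exceeded in transit" (RFC 4443)
            return (None, "timeout") if node.silent else (node.addr, "hop-limit-exceeded")
    return (None, "timeout")


def traceroute(path, max_hops=30):
    """Send probes with increasing Hop Limit until port unreachable arrives
    or max_hops is reached; '*' marks a hop that produced no reply."""
    hops = []
    for hop_limit in range(1, max_hops + 1):
        addr, reply = forward_probe(path, hop_limit)
        hops.append((hop_limit, addr or "*", reply))
        if reply == "port-unreachable":
            break
    return hops


# Constructed path: a router, an ICMPv6-filtering router, and the destination.
SAMPLE_PATH = [Node("3003::1"), Node("3002::1", silent=True),
               Node("3001::2", is_destination=True)]

if __name__ == "__main__":
    for hop, addr, reply in traceroute(SAMPLE_PATH):
        print(f"{hop:2d}  {addr:<12} {reply}")
```

The silent hop is the point of the model: a router that drops ICMPv6 still forwards the next probe, so the trace continues past the "*" line and the destination is reached, which is why the troubleshooting steps start with checking that the destination can be pinged at all.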
• Page 547 IPv6 Application Configuration. Table 402 Download/upload files to TFTP servers: Download/upload files from a TFTP server: tftp ipv6 remote-system [ -i interface-type interface-number ] { get | put } source-filename [ destination-filename ] (required; available in user view). CAUTION: When you use the tftp ipv6 command to connect to the TFTP server, you must specify the "-i"...
• Page 548: IPv6 Application Configuration Example

    Chapter 47: IPv6 Application Configuration. IPv6 Application Configuration Example: IPv6 Applications. Network requirements: In Figure 196, SWA, SWB, and SWC are three switches, among which SWA is a Switch 4210 and SWB and SWC are two switches supporting IPv6 forwarding. In a LAN, there is a Telnet server and a TFTP server providing the Telnet service and the TFTP service, respectively, to the switch.
• Page 549: Troubleshooting IPv6 Application

    Troubleshooting IPv6 Application 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 31/46/110 ms # On SWA, configure static routes to SWC, the Telnet Server, and the TFTP Server. <SWA> system-view [SWA] ipv6 route-static 3002:: 64 3003::1 [SWA] ipv6 route-static 3001:: 64 3003::1 [SWA] quit # Trace the IPv6 route from SWA to SWC.
• Page 550 Chapter 47: IPv6 Application Configuration. Unable to Run Traceroute. Symptom: Unable to trace the route by performing traceroute operations. Solution: Check that the destination host can be pinged. If the host can be pinged, check whether the UDP port that was...
  • Page 551: Dns Overview

    Chapter 48: DNS Configuration. This chapter covers only IPv4 DNS configuration. For details about IPv6 DNS, refer to "IPv6 Management Configuration" on page 525. DNS Overview: The Domain Name System (DNS) is a mechanism used by TCP/IP applications to translate domain names into IP addresses. With DNS, you can use memorable, meaningful domain names in applications and let the DNS server resolve them into the correct IP addresses.
• Page 552 Chapter 48: DNS Configuration. Figure 197 Dynamic domain name resolution (user program, resolver and cache inside the DNS client, DNS server; requests flow from the user program through the resolver to the server, responses are saved to and read from the cache). Figure 197 shows the relationship between the user program, the DNS client, and the DNS server. The resolver and the cache comprise the DNS client. The user program and the DNS client run on the same device, while the DNS server and the DNS client usually run on different devices.
  • Page 553: Configuring Domain Name Resolution

    Configuring Domain Name Resolution. Configuring Static Domain Name Resolution. Table 405 Configure static domain name resolution: Enter system view: system-view. Configure a mapping between a host name and an IP address: ip host hostname ip-address (required; by default no IP address is assigned to a host...
  • Page 554: Dns Configuration Example

    Chapter 48: DNS Configuration. Table 407 Display and maintain DNS: Display the DNS server information: display dns server [ dynamic ]. Display the DNS suffixes: display dns domain [ dynamic ]. Display the information in the dynamic domain name cache: display dns dynamic-host. Display the DNS...
• Page 555 DNS Configuration Example. ...0.00% packet loss, round-trip min/avg/max = 2/3/5 ms. Dynamic Domain Name Resolution Configuration Example. Network requirements: As shown in Figure 199, the switch serving as a DNS client uses dynamic domain name resolution to access the host at 3.1.1.1/16 through its domain name host. The DNS server has the IP address 2.1.1.2/16.
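The resolution order the chapter describes (static host table, then the dynamic cache, then a query to the server, with the configured domain suffixes tried when the name as given does not resolve), as an added example that is not the switch's code. The server is a constructed stand-in (a table of answers with TTLs), the clock is injectable so cache expiry can be exercised without waiting, and the static entry `nms` is made up; the addresses follow the page's example.

```python
"""DNS client model: static host table (ip host) first, then the dynamic
cache, then a query to the DNS server, trying the configured domain
suffixes. Expired cache entries are discarded rather than served stale.

Added example, not the switch's implementation. `sample_server`, ANSWERS
and the `nms` static entry are constructed stand-ins for the DNS server
at 2.1.1.2 and the host at 3.1.1.1 in the page's example.
"""
import time


class DnsClient:
    def __init__(self, query, suffixes=(), clock=time.monotonic):
        self.query = query                   # callable(fqdn) -> (ip, ttl_seconds) or None
        self.suffixes = [s.strip(".").lower() for s in suffixes]
        self.static = {}                     # ip host hostname ip-address
        self.cache = {}                      # fqdn -> (ip, expires_at)
        self.clock = clock

    def add_static(self, hostname, ip):
        self.static[hostname.lower()] = ip

    def _candidates(self, name):
        yield name                           # the name as typed
        for suffix in self.suffixes:         # then name + each configured suffix
            if not name.endswith("." + suffix):
                yield f"{name}.{suffix}"

    def resolve(self, name):
        """Return (ip, source); source is 'static', 'cache', 'dynamic' or
        'unresolved' (with ip None)."""
        name = name.rstrip(".").lower()
        if name in self.static:
            return self.static[name], "static"
        now = self.clock()
        for cand in self._candidates(name):
            hit = self.cache.get(cand)
            if hit is not None:
                ip, expires_at = hit
                if now < expires_at:
                    return ip, "cache"
                del self.cache[cand]         # TTL passed: drop it, do not serve stale
            answer = self.query(cand)
            if answer is not None:
                ip, ttl = answer
                self.cache[cand] = (ip, now + ttl)
                return ip, "dynamic"
        return None, "unresolved"

    def clear_cache(self):
        self.cache.clear()


# Constructed stand-in for the DNS server at 2.1.1.2 in the page's example.
ANSWERS = {"host.com": ("3.1.1.1", 60)}
QUERY_LOG = []                               # every name actually sent to the server
CLOCK = {"t": 0.0}                           # fake clock, advanced by hand


def sample_server(fqdn):
    QUERY_LOG.append(fqdn)
    return ANSWERS.get(fqdn)


def make_client():
    client = DnsClient(sample_server, suffixes=["com"], clock=lambda: CLOCK["t"])
    client.add_static("nms", "3.1.1.2")      # constructed: ip host nms 3.1.1.2
    return client


def walkthrough():
    """Scripted run: returns the five lookups' results and the query log."""
    QUERY_LOG.clear()
    CLOCK["t"] = 0.0
    c = make_client()
    first = c.resolve("host")                # 'host' fails, 'host.com' answers
    second = c.resolve("host.com")           # served from cache
    CLOCK["t"] = 61.0                        # past the 60 s TTL
    third = c.resolve("host.com")            # queried again
    fourth = c.resolve("nms")                # static wins, no query
    fifth = c.resolve("nosuch.")             # neither candidate resolves
    return first, second, third, fourth, fifth, list(QUERY_LOG)


if __name__ == "__main__":
    for item in walkthrough():
        print(item)
```

The query log is what makes the cache behaviour visible: the page's display dns dynamic-host output shows the same thing on the switch, and an entry that is still served after its TTL would be the first sign of a client that is not honouring server-supplied lifetimes.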
  • Page 556: Troubleshooting Dns

    Chapter 48: DNS Configuration. Reply from 3.1.1.1: bytes=56 Sequence=2 ttl=255 time=1 ms. Reply from 3.1.1.1: bytes=56 Sequence=3 ttl=255 time=1 ms. Reply from 3.1.1.1: bytes=56 Sequence=4 ttl=255 time=1 ms. Reply from 3.1.1.1: bytes=56 Sequence=5 ttl=255 time=1 ms. --- 3.1.1.1 ping statistics --- 5 packet(s) transmitted, 5 packet(s) received, 0.00% packet loss...
  • Page 557: Introduction To Password Control Configuration

    Chapter 49: Password Control Configuration Operations. Introduction to Password Control Configuration: The password control feature is designed to manage the following passwords: Telnet passwords (passwords for logging into the switch through Telnet); SSH passwords (passwords for logging into the switch through SSH); ...
• Page 558 Chapter 49: Password Control Configuration Operations. Table 408 Functions provided by password control: Login attempt limitation and failure processing. Description: you can use this function to enable the switch to limit the number of login attempts. Application: Telnet and...
• Page 559 Password Control Configuration: "Configuring History Password Recording"; "Configuring a User Login Password in Interactive Mode"; "Configuring Login Attempt Times Limitation and Failure Processing Mode"; "Configuring the Password Authentication Timeout Time"; "Configuring Password Composition Policies". After the above configuration, you can execute the display password-control command in any view to check the password control information for all users, including the enabled/disabled state of password aging, the aging time, the enabled/disabled state of the password composition policy, the minimum number of types...
• Page 560 Chapter 49: Password Control Configuration Operations. Settings in local user view apply to the local user password only. Settings on the parameters of the super passwords apply to super passwords only. The priority of these settings is as follows: For local user passwords, the settings in local user view override those in system...
• Page 561 Password Control Configuration. Table 410 Configure the limitation of the minimum password length: Enable the minimum password length limitation: password-control length enable (optional; enabled by default). Configure the minimum password length globally: password-control length length (optional; by default, the minimum...
• Page 562 Chapter 49: Password Control Configuration Operations. CAUTION: When the system adds a new record but the number of recorded history passwords has already reached the configured maximum, the system replaces the oldest record with the new one. When you configure the maximum number of history password records for a...
• Page 563 Password Control Configuration. Table 413 Configure a user login password in interactive mode: Configure a user login password in interactive mode: password (optional; input a password according to the system prompt and ensure the two input passwords are consistent). Configuring Login Attempt Times Limitation and Failure Processing Mode. Table 414 Configure the login attempts limitation and the failure processing mode...
• Page 564 Chapter 49: Password Control Configuration Operations. Table 415 Manually remove one or all user entries in the blacklist: Delete one specific or all user entries in the blacklist: reset password-control blacklist [ user-name user-name ] (executing this command without the user-name user-name option removes all the user...
• Page 565 Displaying Password Control. Table 417 Configure password composition policy: Enable the password composition check function: password-control composition enable (optional; enabled by default). Configure the password composition policy globally: password-control composition type-number policy-type [ type-length ... (optional; by default, the minimum number of types a password...
• Page 566 Chapter 49: Password Control Configuration Operations. Table 418 Displaying password control: Display the password control information for all users: display password-control. Display the super password control information: display password-control super. Display the information about one or all users who have been added to the blacklist: display password-control blacklist [ user-name user-name | ip ip-address ]...
  • Page 567 Password Control Configuration Example # Set the aging time for the local user password to 20 days. [4210-luser-test] password-control aging 20 # Configure the password of local user. [4210-luser-test] password simple 11111#####...
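The password control functions the chapter lists (minimum length, composition policy by number and length of character types, history records that replace the oldest entry when full, aging, login attempt limitation with a blacklist, and the blacklist reset) as one working policy model. This is an added example, not the 3Com implementation; the limits it uses are assumptions for the example (they resemble, but are not taken from, the switch defaults), `today` is a day number so aging can be tested without a real clock, and the user name `test` and the password `11111#####` are taken from the configuration example on page 567. Note that `password simple`, as used on that page, keeps the password in plain text in the configuration; the command also accepts `cipher` on this platform.

```python
"""Password control policy model: minimum length, composition policy,
history records, aging, login attempt limitation and blacklist reset.

Added example, not the 3Com implementation. Limits are assumptions for
the example; `today` is a day number, not a real date.
"""
import hashlib
import hmac
import secrets
import string

SPECIALS = set(string.punctuation)


def composition_ok(password, type_number=1, type_length=1):
    """At least `type_number` of the four types (upper, lower, digit,
    special) must each appear at least `type_length` times."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in password:
        if ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        elif ch in SPECIALS:
            counts["special"] += 1
    return sum(1 for n in counts.values() if n >= type_length) >= type_number


def _digest(password, salt):
    # One salt per user so old and new passwords can be compared for the
    # history check; only hashes are kept in the history.
    return hashlib.sha256(salt + password.encode()).hexdigest()


class PasswordControl:
    def __init__(self, min_length=10, type_number=1, type_length=1,
                 history_max=4, max_attempts=3, aging_days=90):
        self.min_length, self.type_number, self.type_length = min_length, type_number, type_length
        self.history_max, self.max_attempts, self.aging_days = history_max, max_attempts, aging_days
        self.users = {}          # name -> record
        self.blacklist = set()   # users locked out after too many failures

    def set_password(self, user, password, today):
        """Apply length, composition and history policies; 'ok' or the reason."""
        if len(password) < self.min_length:
            return "too short"
        if not composition_ok(password, self.type_number, self.type_length):
            return "composition policy not met"
        rec = self.users.setdefault(user, {"salt": secrets.token_bytes(16), "hash": None,
                                           "history": [], "failures": 0, "set_day": today})
        digest = _digest(password, rec["salt"])
        previous = rec["history"] + ([rec["hash"]] if rec["hash"] else [])
        if any(hmac.compare_digest(digest, old) for old in previous):
            return "password was used before"
        if rec["hash"] is not None:
            if len(rec["history"]) >= self.history_max:
                rec["history"].pop(0)          # replace the oldest record
            rec["history"].append(rec["hash"])
        rec["hash"], rec["set_day"] = digest, today
        return "ok"

    def login(self, user, password, today):
        """After `max_attempts` consecutive failures the user is blacklisted
        until an administrator resets the entry."""
        if user in self.blacklist:
            return "blacklisted"
        rec = self.users.get(user)
        if rec is None:
            return "failed"
        if not hmac.compare_digest(_digest(password, rec["salt"]), rec["hash"]):
            rec["failures"] += 1
            if rec["failures"] >= self.max_attempts:
                self.blacklist.add(user)
                return "blacklisted"
            return "failed"
        rec["failures"] = 0
        if today - rec["set_day"] >= self.aging_days:
            return "expired"                   # aging: a new password is required
        return "ok"

    def reset_blacklist(self, user=None):
        """Remove one user, or every user when no name is given (as the
        reset password-control blacklist command does)."""
        for name in ([user] if user is not None else list(self.blacklist)):
            self.blacklist.discard(name)
            if name in self.users:
                self.users[name]["failures"] = 0


def walkthrough():
    """Scripted run of the policy; returns the outcome of each step."""
    pc = PasswordControl(min_length=10, type_number=2, type_length=1,
                         history_max=2, max_attempts=3, aging_days=20)
    steps = [pc.set_password("test", "short", 0),
             pc.set_password("test", "alllowercase", 0),
             pc.set_password("test", "11111#####", 0),     # digits + specials: two types
             pc.login("test", "11111#####", 5),
             pc.set_password("test", "11111#####", 6),     # same as the current password
             pc.set_password("test", "22222#####", 6),
             pc.set_password("test", "33333#####", 7),
             pc.set_password("test", "44444#####", 8),     # history full: oldest dropped
             pc.set_password("test", "11111#####", 9),     # accepted again
             pc.set_password("test", "33333#####", 10),    # still in history
             pc.login("test", "wrong-pass#1", 10),
             pc.login("test", "wrong-pass#1", 10),
             pc.login("test", "wrong-pass#1", 10),         # third failure: blacklisted
             pc.login("test", "11111#####", 10)]           # right password, still blacklisted
    pc.reset_blacklist("test")
    steps.append(pc.login("test", "11111#####", 10))
    steps.append(pc.login("test", "11111#####", 29))      # 20 days after it was set
    return steps
```

The walkthrough mirrors the chapter's caution about history records: with two records kept, the third change pushes the oldest hash out, so the first password becomes acceptable again on the next change, which is why a small history limit weakens the reuse check.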
