3Com 4200G 12-Port Configuration Manual

®
3Com
Switch 4200G Family

Configuration Guide

4200G 12-Port (3CR17660-91)
4200G 24-Port (3CR17661-91)
4200G 48-Port (3CR17662-91)
www.3Com.com
Part Number: 10014915 Rev. AD
Published: May 2007


Summary of Contents for 3Com 4200G 12-Port

  • Page 1: Configuration Guide

    3Com® Switch 4200G Family Configuration Guide 4200G 12-Port (3CR17660-91) 4200G 24-Port (3CR17661-91) 4200G 48-Port (3CR17662-91) www.3Com.com Part Number: 10014915 Rev. AD Published: May 2007...
  • Page 2 LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.
  • Page 3: Table Of Contents

    CONTENTS ABOUT THIS GUIDE Organization of the Manual Intended Readership Conventions Related Manuals CLI OVERVIEW Introduction to the CLI Command Level/Command View CLI Features Terminal Display LOGGING INTO AN ETHERNET SWITCH Logging into an Ethernet Switch Introduction to the User Interface LOGGING IN THROUGH THE CONSOLE PORT Introduction...
  • Page 4 CONTENTS CONFIGURATION FILE MANAGEMENT Introduction to Configuration File Configuration File-Related Configuration VLAN CONFIGURATION VLAN Overview VLAN Configuration Displaying a VLAN VLAN Configuration Example MANAGEMENT VLAN CONFIGURATION Introduction to Management VLAN Management VLAN Configuration Displaying and Debugging Management VLAN DHCP/BOOTP CLIENT CONFIGURATION...
  • Page 5 CONTENTS Port Isolation Configuration Displaying Port Isolation Port Isolation Configuration Example PORT SECURITY CONFIGURATION Port Security Configuration Displaying Port Security Port Security Configuration Example MAC ADDRESS TABLE MANAGEMENT Overview MAC Address Table Management Displaying and Maintaining a MAC Address Table Configuration Example LOGGING IN THROUGH TELNET...
  • Page 6 CONTENTS HABP Client Configuration Displaying and Debugging HABP AAA&RADIUS CONFIGURATION Overview Configuration Tasks AAA Configuration RADIUS Configuration Displaying AAA&RADIUS Information AAA&RADIUS Configuration Example Troubleshooting AAA&RADIUS Configuration CENTRALIZED MAC ADDRESS AUTHENTICATION CONFIGURATION Centralized MAC Address Authentication Overview Centralized MAC Address Authentication Configuration Displaying and Debugging Centralized MAC Address Authentication Centralized MAC Address Authentication Configuration Example ARP C...
  • Page 7 CONTENTS CONFIGURATION FOR MIRRORING FEATURES Mirroring Features Mirroring Supported by Switch 4200G Mirroring Configuration Displaying and Debugging Mirroring IGMP SNOOPING CONFIGURATION Overview of IGMP Snooping IGMP Snooping Configuration Displaying Information About IGMP Snooping IGMP Snooping Configuration Example Troubleshooting IGMP Snooping ROUTING PORT JOIN TO MULTICAST...
  • Page 8 CONTENTS NTP Implementation Mode Configuration Access Control Permission Configuration NTP Authentication Configuration Configuration of Optional NTP Parameters Displaying and Debugging NTP Configuration Example SSH TERMINAL SERVICES SSH Terminal Services SFTP Service FILE SYSTEM MANAGEMENT File Attribute Configuration File System Configuration Testing Tools for Network Connection TFTP CONFIGURATION...
  • Page 9 CONTENTS DEVICE MANAGEMENT Introduction to Device Management Device Management Configuration Displaying the Device Management Configuration Remote Switch Update Configuration Example CONFIGURATION OF NEWLY ADDED CLUSTER FUNCTIONS Introduction to the Newly Added Cluster Functions Displaying and Debugging a Cluster Configuration Example for Newly Added Cluster Functions DHCP RELAY CONFIGURATION...
  • Page 10 CONTENTS...
  • Page 11: About This Guide

    ABOUT THIS GUIDE This guide provides information about configuring your network using the commands supported on the 3Com® Switch 4200-G Family. The descriptions in this guide apply to the Switch 4200-G. Organization of the Manual: The Switch 4200 Family Configuration Guide consists of the following chapters: CLI Overview—Provides an introduction to the CLI interface.
  • Page 12: Intended Readership

    ABOUT THIS GUIDE ■ QoS—Details Quality of Service. ■ Mirroring—Details how to configure Mirroring. ■ IGMP Snooping—Details Internet Group Management Protocol Snooping. ■ Multicast Protocol—Details how to configure multicast protocols. ■ Clustering—Details Clustering Configuration. ■ SNMP—Details Simple Network Management Protocol Configuration. ■ RMON—Details Remote Monitoring Configuration.
  • Page 13: Related Manuals

    The vertical bars indicate that only one of the parameters is allowed. Related Manuals The 3Com Switch 4200 Family Getting Started Guide provides information about installation. The 3Com Switch 4200 Family Command Reference Guide provides all the...
  • Page 14 ABOUT THIS GUIDE...
  • Page 15: Cli Overview

    CLI OVERVIEW Introduction to the CLI An S4200G series Ethernet switch provides a command line interface (CLI) and commands for you to configure and manage the Ethernet switch. The CLI has the following features: ■ Commands are grouped by levels. This prevents unauthorized users from...
  • Page 16 CHAPTER 1: CLI OVERVIEW Setting a user level switching password Table 1 lists the operations to set a user level switching password. Table 1 Set a user level switching password (Operation / Command / Description): Enter system view / system-view / —. Set a password for switching from a lower... / super password [ level level ] / Optional.
  • Page 17 Command Level/Command View ■ System view ■ Ethernet port view ■ VLAN view ■ VLAN interface view ■ LoopBack interface view ■ Local user view ■ User interface view ■ FTP client view ■ SFTP client view ■ MST region view ■...
  • Page 18 CHAPTER 1: CLI OVERVIEW Table 4 CLI views (Continued) (View / Available operation / Prompt example / Enter method / Quit method): VLAN view / Configure VLAN parameters / [4200G-Vlan1] / Execute the vlan 1 command in system view. / Execute the quit command to return to system view.
  • Page 19 Command Level/Command View Table 4 CLI views (Continued) (View / Available operation / Prompt example / Enter method / Quit method): Cluster view / Configure cluster parameters / [4200G-cluster] / Execute the cluster command in system view. / Execute the quit command to return to system view. Execute the return command to return to user view.
  • Page 20: Cli Features

    CHAPTER 1: CLI OVERVIEW CLI Features Online Help The CLI provides two types of online help: complete online help and partial online help. They assist you with your configuration. Complete online help: Enter a “?” character in any view on your terminal to display all the commands available in the view and their brief descriptions.
  • Page 21: Terminal Display

    Terminal Display Enter a command, type the first several characters of a keyword that uniquely identify it, and press <Tab>; the keyword is completed automatically. Terminal Display The CLI provides the following display feature: ■ Display suspending. That is, the displaying of output information can be paused...
  • Page 22 CHAPTER 1: CLI OVERVIEW Command Edit The CLI provides basic command edit functions and supports multi-line editing. The maximum number of characters a command can contain is 256. Table 8 lists the CLI edit operations. Table 8 Edit operations Press…...
  • Page 23: Ogging Into An

    LOGGING INTO AN ETHERNET SWITCH Logging into an Ethernet Switch You can log into an S4200-G series Ethernet switch in one of the following ways: ■ Logging in locally through the Console port ■ Telneting locally or remotely to an Ethernet port ■...
  • Page 24 CHAPTER 2: LOGGING INTO AN ETHERNET SWITCH Common User Interface Table 10 Common user interface configuration (Operation / Command / Description): Lock the current user interface / lock / Optional. Execute this command in user view. A user interface is not locked by default.
  • Page 25: Ogging In Through The

    LOGGING IN THROUGH THE CONSOLE PORT Introduction Logging in through the Console port is the most common way to log into a switch. It is also the prerequisite for configuring other login methods. By default, you can log into an S4200G series Ethernet switch through its Console port only.
  • Page 26 CHAPTER 3: LOGGING IN THROUGH THE CONSOLE PORT Figure 2 Create a connection Figure 3 Specify the port used to establish the connection...
  • Page 27: Console Port Login Configuration

    Console Port Login Configuration Figure 4 Set port parameters ■ Turn on the switch. The user will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as <S4200G>) appears after the user presses the Enter key. ■ You can then configure the switch or check the information about the switch by...
  • Page 28 CHAPTER 3: LOGGING IN THROUGH THE CONSOLE PORT Table 12 Common configuration of Console port login (Continued) (Configuration / Description): Terminal configuration: Make terminal services available / Optional. By default, terminal services are available in all user interfaces. Set the maximum number of lines the ... / Optional. By default, the screen can contain up to 24 lines.
  • Page 29: Console Port Login Configuration With Authentication Mode Being None

    Console Port Login Configuration with Authentication Mode Being None Table 13 Console port login configurations for different authentication modes (Continued) (Authentication mode / Console port login configuration / Description): Scheme / Specify to perform local authentication or ... (AAA configuration specifies whether to perform local ...) / Optional. Local authentication is performed by default.
  • Page 30 CHAPTER 3: LOGGING IN THROUGH THE CONSOLE PORT Table 14 Console port login configuration with the authentication mode being none (Operation / Command / Description): Configure the Console port: Set the baud rate / speed speed-value / Optional. The default baud rate of an AUX port (also the Console port) is 9,600 bps.
  • Page 31 Console Port Login Configuration with Authentication Mode Being None Note that the command level available to users logging into a switch depends on both the authentication-mode { password | scheme | none } command and the user privilege level level command, as listed in Table 15. Table 15 Determine the command level (A) Scenario Authentication mode...
  • Page 32: Console Port Login Configuration With Authentication Mode Being Password

    CHAPTER 3: LOGGING IN THROUGH THE CONSOLE PORT 3 Specify not to authenticate users logging in through the Console port. [4200G-ui-aux0] authentication-mode none 4 Specify that commands of level 2 are available to users logging into the AUX user interface. [4200G-ui-aux0] user privilege level 2 5 Set the baud rate of the Console port to 19,200 bps.
  • Page 33 Console Port Login Configuration with Authentication Mode Being Password Table 16 Console port login configuration with the authentication mode being password (Operation / Command / Description): Make terminal services available to the user interface / shell / Optional. By default, terminal services are available in all user interfaces. Set the maximum number ... / screen-length screen-length / Optional...
  • Page 34: Network Diagram

    CHAPTER 3: LOGGING IN THROUGH THE CONSOLE PORT ■ The history command buffer can store up to 20 commands. ■ The timeout time of the AUX user interface is 6 minutes. Network diagram Figure 6 Network diagram for AUX user interface configuration (with the authentication mode being password) (Ethernet1/0/1)...
  • Page 35: Console Port Login Configuration With Authentication Mode Being Scheme

    Console Port Login Configuration with Authentication Mode Being Scheme Configuration Procedure Table 18 Console port login configuration with authentication mode being scheme (Operation / Command / Description): Enter system view / system-view / —. Configure ...: Enter the domain system ... / Optional...
  • Page 36 CHAPTER 3: LOGGING IN THROUGH THE CONSOLE PORT Table 18 Console port login configuration with authentication mode being scheme (Operation / Command / Description): Configure the Console port: Set the baud rate / speed speed-value / Optional. The default baud rate of the AUX port (also the Console port) is 9,600 bps.
  • Page 37 Console Port Login Configuration with Authentication Mode Being Scheme Note that the command level available to users logging into a switch depends on the authentication-mode { password | scheme | none } command, the user privilege level level command, and the service-type terminal [ level level ] command, as listed in Table 19.
  • Page 38 CHAPTER 3: LOGGING IN THROUGH THE CONSOLE PORT Network diagram Figure 7 Network diagram for AUX user interface configuration (with the authentication mode being scheme) (Ethernet1/0/1; User PC running Telnet) Configuration procedure 1 Enter system view. <S4200G>...
  • Page 39: Logging In Using Modem

    LOGGING IN USING MODEM Introduction The administrator can log into the Console port of a remote switch using a modem through the PSTN (public switched telephone network), provided the remote switch is connected to the PSTN through a modem, to configure and maintain the switch remotely. When a network operates improperly or is inaccessible, you can log into the switches in the network in this way to configure them, query logs and warning messages, and locate problems.
  • Page 40: Modem Connection Establishment

    4: L HAPTER OGGING IN SING ODEM Switch Configuration After logging into a switch through its Console port by using a modem, you will enter the AUX user interface. The corresponding configuration on the switch is the same as those when logging into the switch locally through its Console port except that: When you log in through the Console port using a modem, the baud rate of the ■...
  • Page 41 Modem Connection Establishment 3 Connect your PC, the modems, and the switch, as shown in Figure 8. Figure 8 Establish the connection by using modems Serial cable Serial cable Modem Modem Telephone line Telephone line PSTN PSTN Modem Modem Console port Console port Telephone number: 82882285 Telephone number: 82882285...
  • Page 42 4: L HAPTER OGGING IN SING ODEM Figure 10 Call the modem 5 Provide the password when prompted. If the password is correct, the prompt (such as <S4200G>) appears. You can then configure or manage the switch. You can also enter the character ? at anytime for help.
  • Page 43: Ogging In Through

    LOGGING IN THROUGH WEB-BASED NETWORK MANAGEMENT SYSTEM Introduction An S4200-G series switch has a built-in Web server. You can log into an S4200-G series switch through a Web browser and manage and maintain the switch intuitively by interacting with the built-in Web server. To log into an S4200-G series switch through the built-in Web-based network management system, you need to perform the related configuration on both the switch and the PC operating as the network management terminal.
  • Page 44 CHAPTER 5: LOGGING IN THROUGH WEB-BASED NETWORK MANAGEMENT SYSTEM ■ Launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X) on the PC, with the baud rate set to 9,600 bps, data bits set to 8, parity check set to off, and flow control set to off. ■ Turn on the switch.
  • Page 45 HTTP Connection Establishment 3 Establish an HTTP connection between your PC and the switch, as shown in Figure 13. Figure 13 Establish an HTTP connection between your PC and the switch (Switch; HTTP connection)...
  • Page 46 CHAPTER 5: LOGGING IN THROUGH WEB-BASED NETWORK MANAGEMENT SYSTEM...
  • Page 47: Nms

    LOGGING IN THROUGH NMS Introduction You can also log into a switch through an NMS (network management station), and then configure and manage the switch through the agent module on the switch. ■ The agent here refers to the software running on network devices (switches) and...
  • Page 48 CHAPTER 6: LOGGING IN THROUGH NMS...
  • Page 49: Controlling Login Users

    CONTROLLING LOGIN USERS Introduction A switch provides ways to control different types of login users, as listed in Table 24. Table 24 Ways to control different types of login users (Login mode / Control method / Implementation / Related section): Telnet / By source IP addresses / Through basic ACLs / Controlling Telnet Users by Source IP Addresses...
  • Page 50 CHAPTER 7: CONTROLLING LOGIN USERS Controlling Telnet Users by Source and Destination IP Addresses Controlling Telnet users by source and destination IP addresses is achieved by applying advanced ACLs, which are numbered from 3000 to 3999. Refer to the ACL module for information about defining an ACL.
  • Page 51: Controlling Network Management Users By Source Ip Addresses

    Controlling Network Management Users by Source IP Addresses You can manage an S4200G series Ethernet switch through network management software. Network management users can access switches through SNMP. You need to perform the following two operations to control network management users by source IP addresses.
  • Page 52 2 Apply the ACL to only permit SNMP users sourced from the IP addresses of 10.110.100.52 and 10.110.100.46 to access the switch. [4200G] snmp-agent community read 3Com acl 2000 [4200G] snmp-agent group v2c 3Comgroup acl 2000 [4200G] snmp-agent usm-user v2c 3Comuser 3Comgroup acl 2000...
  • Page 53: Controlling Web Users By Source Ip Address

    Controlling Web Users by Source IP Address You can manage an S4200G series Ethernet switch remotely through the Web. Web users can access a switch through HTTP connections. You need to perform the following two operations to control Web users by source IP addresses.
  • Page 54 CHAPTER 7: CONTROLLING LOGIN USERS Configuration procedure 1 Define a basic ACL. <S4200G> system-view [4200G] acl number 2030 match-order config [4200G-acl-basic-2030] rule 1 permit source 10.110.100.46 0 [4200G-acl-basic-2030] rule 2 deny source any 2 Apply the ACL to permit only the Web users sourced from the IP address 10.110.100.46 to access the switch.
  • Page 55: Configuration File Management

    CONFIGURATION FILE MANAGEMENT Introduction to Configuration File A configuration file records and stores the user configurations performed on a switch. It also enables users to check switch configurations easily. Upon power-on, a switch loads the configuration file known as the saved-configuration file, which resides in Flash, for initialization. If Flash contains no configuration file, the system initializes using the default settings.
  • Page 56 CHAPTER 8: CONFIGURATION FILE MANAGEMENT Table 30 Configure a configuration file (Continued) (Operation / Command / Description): Specify the startup configuration file to be used when the switch ... / startup saved-configuration cfgfile [ backup | main ] / Optional. By default, the main configuration file is used.
  • Page 57: Vlan Overview

    VLAN CONFIGURATION VLAN Overview Introduction to VLAN The virtual local area network (VLAN) technology was developed for switches to control broadcast traffic in LANs. By creating VLANs in a physical LAN, you can divide the LAN into multiple logical LANs, each of which has a broadcast domain of its own.
  • Page 58: Vlan Configuration

    CHAPTER 9: VLAN CONFIGURATION VLAN Classification You can create port-based and policy-based VLAN types on a Switch 4200G: The port-based VLAN members are defined in terms of switch ports. You can add ports to which closely related hosts are connected to the same port-based VLAN. This is the simplest yet most effective way to create VLANs.
  • Page 59: Vlan Configuration Example

    VLAN Configuration Example Port-based VLAN Configuration Example Network requirements ■ Create VLAN 2 and VLAN 3, with the name of VLAN 2 being v2, and the description string being home. ■ Add GigabitEthernet1/0/1 and GigabitEthernet1/0/2 ports to VLAN 2; add...
  • Page 60 CHAPTER 9: VLAN CONFIGURATION...
  • Page 61: Anagement Vlan Configuration

    MANAGEMENT VLAN CONFIGURATION Introduction to Management VLAN To manage an Ethernet switch remotely through Telnet or network management, the switch needs to be assigned an IP address. On an S4200G series Layer 2 Ethernet switch, only the management VLAN interface can be assigned an IP address. You can assign an IP address to a management VLAN interface in one of the following three ways: Using commands to assign IP addresses...
  • Page 62 CHAPTER 10: MANAGEMENT VLAN CONFIGURATION Configuring the Management VLAN Table 34 Configure the management VLAN (Operation / Command / Description): Enter system view / system-view / —. Configure a specified VLAN to be the management VLAN / management-vlan vlan-id / Required. By default, VLAN 1 operates as the management VLAN.
  • Page 63: Displaying And Debugging Management Vlan

    Displaying and Debugging Management VLAN Configuration procedure 1 Enter system view. <S4200GA> system-view 2 Create VLAN 10 and configure VLAN 10 to be the management VLAN. [4200GA] vlan 10 [4200GA-vlan10] quit [4200GA] management-vlan 10 3 Create the VLAN 10 interface and enter VLAN interface view. [4200GA] interface vlan-interface 10 4 Configure the IP address of VLAN 10 interface to be 1.1.1.1.
  • Page 64 CHAPTER 10: MANAGEMENT VLAN CONFIGURATION...
  • Page 65: Dhcp/Bootp C

    DHCP/BOOTP CLIENT CONFIGURATION Introduction to DHCP Client As the network scale expands and the network complexity increases, network configurations become more and more complex accordingly. It is usually the case that the computer locations change (such as with portable computers or wireless networks) or the number of computers exceeds that of the available IP addresses.
  • Page 66 CHAPTER 11: DHCP/BOOTP CLIENT CONFIGURATION Figure 22 Interaction between a DHCP client and a DHCP server (DHCP Client; DHCP Server)...
  • Page 67: Introduction To Bootp Client

    Introduction to BOOTP Client 2 The DHCP client accesses the network for the second time In this case, the DHCP client establishes connections with the DHCP server through the following steps. a After accessing the network successfully for the first time, the DHCP client can access the network again by broadcasting a DHCP_Request packet that contains the IP address assigned to it last time instead of a DHCP_Discover packet.
  • Page 68 CHAPTER 11: DHCP/BOOTP CLIENT CONFIGURATION Configuring a DHCP/BOOTP Client Table 36 Configure DHCP/BOOTP client (Operation / Command / Description): Enter system view / system-view / Required. Configure a specified VLAN to be the management VLAN / management-vlan vlan-id / Required. By default, VLAN 1 operates as the management VLAN.
  • Page 69: Oice Vlan Configuration

    VOICE VLAN CONFIGURATION Introduction to Voice VLAN Voice VLANs are VLANs configured specially for voice data streams. By adding the ports with voice devices attached to voice VLANs, you can perform QoS-related configuration for voice data, ensuring the transmission priority of voice data streams and voice quality.
  • Page 70 CHAPTER 12: VOICE VLAN CONFIGURATION As multiple types of IP phones exist, you need to match the port mode with the types of voice stream sent by IP phones, as listed in Table 37. Table 37 Port modes and voice stream types (Port voice VLAN mode / Voice stream ...)...
  • Page 71: Voice Vlan Configuration

    Voice VLAN Configuration Configuration Prerequisites ■ Create the corresponding VLAN before configuring a voice VLAN. ■ VLAN 1 is the default VLAN and does not need to be created. But VLAN 1 does not support the voice VLAN function. Configuring a voice VLAN to operate in... Table 38 Configure a voice VLAN to operate in automatic mode...
  • Page 72 CHAPTER 12: VOICE VLAN CONFIGURATION Table 39 Configure a voice VLAN to operate in manual mode (Continued) (Operation / Command / Description): Add an Access port to VLAN: Enter VLAN view / vlan vlan-id / Required. Add the port to the VLAN / port port-type port-num / ... Trunk or...
  • Page 73: Voice Vlan Displaying And Debugging

    Voice VLAN Displaying and Debugging Table 40 Display and debug a voice VLAN (Operation / Command / Description): Display voice VLAN configuration / display voice vlan status / You can execute the display command in any view. Display the currently valid OUI addresses / display voice vlan oui / Display the ports...
  • Page 74 CHAPTER 12: VOICE VLAN CONFIGURATION Configuration procedure 1 Create VLAN 3. <S4200G> system-view System View: return to User View with Ctrl+Z. [4200G] vlan 3 2 Configure GigabitEthernet1/0/3 port to be a trunk port and add it to VLAN 3. [4200G] interface GigabitEthernet1/0/3 [4200G-GigabitEthernet1/0/3] port link-type trunk [4200G-GigabitEthernet1/0/3] port trunk permit vlan 3...
  • Page 75: Introduction To Gvrp

    GVRP CONFIGURATION Introduction to GVRP GVRP (GARP VLAN registration protocol) is an application of GARP (generic attribute registration protocol). GVRP is based on the mechanism of GARP; it maintains dynamic VLAN registration information and propagates the information to other switches.
  • Page 76 CHAPTER 13: GVRP CONFIGURATION Leave timer, and unregisters the attribute information if it does not receive a Join message again before the timer times out. ■ LeaveAll: Once a GARP entity starts up, it starts the LeaveAll timer, and sends out a...
  • Page 77: Gvrp Configuration

    GVRP Configuration Table 41 describes the packet fields in Figure 23. Table 41 Description of the packet fields (Field / Description / Value): Protocol ID / Protocol ID. Message / Each message consists of two parts: Attribute Type and Attribute List. / —. Attribute Type / It is defined by specific GARP ... / The attribute type of GVRP is 0x01.
  • Page 78 CHAPTER 13: GVRP CONFIGURATION Table 42 Configuration procedure (Continued) (Operation / Command / Description): Enable GVRP globally / gvrp / Required. By default, GVRP is disabled globally. Enter Ethernet port view / interface interface-type interface-number / —. Enable GVRP on the port / gvrp / Required. By default, GVRP is disabled on the port.
  • Page 79: Displaying And Maintaining Gvrp

    Displaying and Maintaining GVRP Network diagram Figure 24 Network diagram for GVRP configuration (Switch A, Switch B; E1/0/1, E1/0/2)...
  • Page 80 CHAPTER 13: GVRP CONFIGURATION...
  • Page 81: Basic Port Configuration

    (Device Model / Type and number of fixed ports / Number of expansion slots): Switch 4200G 12-port / 12 × 10/100/1000M electrical interfaces / Four Gigabit SFP Combo ports. Switch 4200G 24-port / 24 × 10/100/1000M electrical interfaces / Four Gigabit SFP Combo ports. Switch 4200G 48-port / 48 × 10/100/1000M electrical interfaces...
  • Page 82 CHAPTER 14: BASIC PORT CONFIGURATION Configuring the Default VLAN ID for an Ethernet Port An access port can belong to only one VLAN. Therefore, the VLAN an access port belongs to is also the default VLAN of the access port. A hybrid/trunk port can belong to several VLANs, and so a default VLAN ID for the port is required.
  • Page 83: Configuring Ethernet Ports

    Configuring Ethernet Ports Making Basic Port Configuration Table 47 Make basic port configuration (Operation / Command / Remarks): Enter system view / system-view / —. Enter Ethernet port view / interface interface-type interface-number / —. Enable the Ethernet port / undo shutdown / By default, the port is enabled.
  • Page 84 CHAPTER 14: BASIC PORT CONFIGURATION ■ If you execute the command in Ethernet port view, the command takes effect only on the current port. Table 48 Set the Ethernet port broadcast suppression ratio (Operation / Command / Remarks): Enter system view / system-view / —. Set the global broadcast ... / broadcast-suppression { ratio | pps ... / By default, the ratio is...
  • Page 85 Configuring Ethernet Ports Table 51 Configure hybrid port attribute: Add the current hybrid port into the specified VLAN / port hybrid vlan vlan-id-list { tagged | untagged } / Optional. For a hybrid port, you can configure whether to tag the packets of specific VLANs, based on which the packets of those VLANs can be processed differently.
  • Page 86 CHAPTER 14: BASIC PORT CONFIGURATION Setting Loopback Detection for an Ethernet Port Loopback detection is used to monitor whether loopback occurs on a switch port. After you enable loopback detection on Ethernet ports, the switch can monitor whether external loopback occurs on them. If a loopback port is found, the switch puts it under control.
  • Page 87: Ethernet Port Configuration Example

    Ethernet Port Configuration Example Table 55 Configure the Ethernet port to run loopback test: Configure the Ethernet port to run loopback test / loopback { external | internal } / Optional. After you use the shutdown command on a port, the port cannot run loopback test. You cannot use the speed, duplex, mdi and shutdown commands on the ports running loopback test.
  • Page 88: Troubleshooting Ethernet Port Configuration

    CHAPTER 14: BASIC PORT CONFIGURATION Network diagram Figure 25 Network diagram for default VLAN ID configuration (Switch A, Switch B) Configuration procedure The following configuration is used for Switch A. Configure Switch B in a similar way. 1 Enter port view of GigabitEthernet1/0/1. [4200G] interface GigabitEthernet1/0/1 2 Set GigabitEthernet1/0/1 as a trunk port and allow the packets of VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass the port.
  • Page 89: Link Aggregation Configuration

    LINK AGGREGATION CONFIGURATION Overview Introduction to Link Aggregation Link aggregation means aggregating several ports together to form an aggregation group, so as to implement outgoing/incoming load sharing among the member ports in the group and to enhance the connection reliability. Depending on different aggregation modes, aggregation groups fall into three types: manual, static LACP, and dynamic LACP.
  • Page 90 CHAPTER 15: LINK AGGREGATION CONFIGURATION 4 The member ports in a dynamic aggregation group must have the same operation key. Manual Aggregation Group Introduction to manual aggregation group A manual aggregation group is manually created. All its member ports are manually added and can be manually removed (it inhibits the system from automatically adding/removing ports to/from it).
  • Page 91 Overview Static LACP Aggregation Group Introduction to static LACP aggregation group A static LACP aggregation group is also manually created. All its member ports are manually added and can be manually removed (it inhibits the system from automatically adding/removing ports to/from it). Each static aggregation group must contain at least one port.
  • Page 92 CHAPTER 15: LINK AGGREGATION CONFIGURATION Besides multiple-port aggregation groups, the system is also able to create single-port aggregation groups, each of which contains only one port. LACP is enabled on the member ports of dynamic aggregation groups. Port status of dynamic aggregation group A port in a dynamic aggregation group can be in one of two states: selected or unselected.
  • Page 93: Link Aggregation Configuration

    Link Aggregation Configuration Aggregation Group Categories Depending on whether or not load sharing is implemented, aggregation groups can be load-sharing or non-load-sharing aggregation groups. In general, the system only provides limited load-sharing aggregation resources (currently 64 load-sharing aggregation groups can be created at most), so the system needs to reasonably allocate the resources among different aggregation groups.
  • Page 94 CHAPTER 15: LINK AGGREGATION CONFIGURATION Table 59 Configure a manual aggregation group (Continued) (Operation / Command / Description): Configure a description for the aggregation group / link-aggregation group agg-id description agg-name / Optional. By default, an aggregation group has no description. Enter Ethernet port view / interface interface-type interface-num / —...
  • Page 95: Displaying And Maintaining Link Aggregation Information

    Table 60 Configure a static LACP aggregation group (Continued)
    Operation: Add the port to the aggregation group | Command: port link-aggregation group agg-id | Description: Required
    Operation: Enable LACP on the port | Command: lacp enable | Description: Optional, the system will automatically enable LACP on the port added to a static aggregation...
  • Page 96: Link Aggregation Configuration Example

    You can also execute the reset command in user view to clear statistics on LACP ports. Table 62 Display and maintain link aggregation information
    Operation: Display summary information of all aggregation groups | Command: display link-aggregation summary
    Operation: Display detailed information of a specified aggregation group or all... | Command: display link-aggregation verbose [ agg-id ]
  • Page 97 2 Adopting static LACP aggregation mode
    a Create static aggregation group 1.
    <S4200G> system-view
    [4200G] link-aggregation group 1 mode static
    b Add ports GigabitEthernet1/0/1 through GigabitEthernet1/0/3 to aggregation group 1.
    [4200G] interface GigabitEthernet1/0/1
    [4200G-GigabitEthernet1/0/1] port link-aggregation group 1
    [4200G-GigabitEthernet1/0/1] interface GigabitEthernet1/0/2
    [4200G-GigabitEthernet1/0/2] port link-aggregation group 1
    [4200G-GigabitEthernet1/0/2] interface GigabitEthernet1/0/3...
  • Page 99: Port Isolation Configuration

    Port Isolation Configuration. Port Isolation Overview: Introduction to Port Isolation. The port isolation function enables you to isolate the ports to be controlled at Layer 2 by adding the ports to an isolation group, through which you can improve network security and build your network more flexibly. Currently, you can configure only one isolation group on a switch.
  • Page 100 Network diagram: Figure 27 Network diagram for port isolation configuration (Internet; Switch; GE1/0/1, GE1/0/2, GE1/0/3, GE1/0/4).
    Configuration procedure
    1 Add GigabitEthernet1/0/2, GigabitEthernet1/0/3, and GigabitEthernet1/0/4 ports to the isolation group.
    <S4200G>system-view
    System View: return to User View with Ctrl+Z.
  • Page 101: Port Security

    Port Security Configuration. Introduction to Port Security: Port security is a security mechanism that controls network access. It is an extension of the current 802.1x and MAC address authentication. This scheme controls the incoming/outgoing packets on a port by checking the MAC addresses contained in data frames, and provides multiple security and authentication modes;...
  • Page 102 Table 65 Description of the port security modes (Continued)
    Security mode: userlogin-... | Description: The port opens only after the access user passes the 802.1x authentication. Even after the port opens, only the packets of the successfully authenticated user can... | Feature: In these modes, only the NTK and the Intrusion Protection...
  • Page 103 Table 66 Configure port security (Continued)
    Operation: Set the security mode of a port | Command: port-security port-mode mode | Description: Required. Users can choose the optimal mode as necessary.
    Operation: Set the maximum number of MAC addresses that can be... | Command: port-security max-mac-count count-value | Description: Optional. By default, there is no limit on the number of...
  • Page 104: Displaying Port Security

    A security MAC address can be learned by the autolearn function of the port security feature, or configured manually by command or through the MIB. Before adding security MAC addresses, you may configure the port security mode to autolearn, after which the MAC address learning method changes: original dynamic MAC addresses will be deleted;...
  • Page 105: Port Security Configuration Example

    Table 68 Display port security (Continued)
    Operation: Display the information about port binding | Command: display am user-bind [ interface interface-type interface-number | mac-addr | ip-addr ]
    Port Security Configuration. Network requirements:
    ■ Enable port security on port GigabitEthernet1/0/1 of switch A, and set the...
  • Page 106 9 Enable the sending of intrusion trap messages.
    [4200G] port-security trap intrusion
    10 Bind the MAC and IP addresses of PC1 to GigabitEthernet1/0/1 port.
    [4200G] am user-bind mac-address 00e0-fc00-4200G ip-address 10.153.1.1 interface GigabitEthernet1/0/1...
  • Page 107: Mac Address Table Management

    MAC Address Table Management. This chapter describes the management of static, dynamic, and blackhole MAC address entries. For information about the management of multicast MAC address entries, refer to Chapter 29. Overview: Introduction to MAC Address Table. A MAC address table is a port-based Layer 2 address table. It is the basis for an Ethernet switch to perform Layer 2 packet forwarding.
  • Page 108 MAC Address Learning Mechanism: The MAC address learning mechanism enables a switch to acquire the MAC addresses of the network devices on the segments connected to the ports of the switch. A packet can be directly forwarded if its destination MAC address is already learnt by the switch.
  • Page 109: Mac Address Table Management

    By setting the maximum number of MAC addresses that can be learnt from individual ports, you can control the number of MAC address entries the MAC address table can dynamically maintain. When the number of MAC address entries learnt from a port reaches the set value, the port stops learning MAC addresses.
  • Page 110: Displaying And Maintaining A Mac Address Table

    Disabling MAC Address Learning for a VLAN: You can disable a switch from learning MAC addresses in specific VLANs to improve stability and security for the users belonging to these VLANs and prevent unauthorized access.
  • Page 111 Configuration Example. Configuration procedure
    1 Enter system view.
    <S4200G> system-view
    2 Add a static MAC address entry.
    [4200G] mac-address static 00e0-fc35-dc71 interface GigabitEthernet1/0/2 vlan 1
    3 Set the aging time to 500 seconds.
    [4200G] mac-address timer aging 500
    4 Display the information about the MAC address table.
    [4200G] display mac-address interface GigabitEthernet1/0/2
    MAC ADDR VLAN ID...
  • Page 113: Logging In Through Telnet

    Logging in through Telnet. Introduction: You can telnet to a remote switch to manage and maintain the switch. To achieve this, you need to configure both the switch and the Telnet terminal properly. Table 74 Requirements for Telnet to a switch. Item | Requirement: Switch...
  • Page 114: Telnet Configuration With Authentication Mode Being None

    Table 76 Telnet configurations for different authentication modes (Continued)
    Authentication mode: Scheme | Telnet configuration: Specify to perform local authentication or RADIUS authentication (AAA configuration specifies whether to perform local authentication or...) | Description: Optional. Local authentication is performed by default. Refer to “AAA&RADIUS...
  • Page 115 Table 77 Telnet configuration with the authentication mode being none
    Operation: Set the history command buffer size | Command: history-command max-size value | Description: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.
  • Page 116: Telnet Configuration With Authentication Mode Being Password

    Network diagram: Figure 30 Network diagram for Telnet configuration (with the authentication mode being none) (RS-232; console port; console cable).
    Configuration procedure
    1 Enter system view.
    <S4200G> system-view
    2 Enter VTY 0 user interface view.
  • Page 117 Table 79 Telnet configuration with the authentication mode being password (Continued)
    Operation: Configure to authenticate users logging into VTY user interfaces using the local password | Command: authentication-mode password | Description: Required
    Operation: Set the local password | Command: set authentication password { cipher | simple } password | Description: Required...
  • Page 118 Configuration Example. Network requirements: Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging into VTY 0:
    ■ Authenticate users logging into VTY 0 using the local password.
    ■ ...
  • Page 119: Telnet Configuration With Authentication Mode Being Scheme

    Telnet Configuration with Authentication Mode Being Scheme. Configuration Procedure: Table 81 Telnet configuration with the authentication mode being scheme
    Operation: Enter system view | Command: system-view | Description: —
    Operation: Configure default ISP ... (Enter the domain) | Command: system | Description: Optional. By default, the local AAA scheme is...
  • Page 120 Table 81 Telnet configuration with the authentication mode being scheme (Continued)
    Operation: Set the maximum number of lines the screen can contain | Command: screen-length screen-length | Description: Optional. By default, the screen can contain up to 24 lines.
  • Page 121 Note that if you configure to authenticate the users in the scheme mode, the command level available to users logging into a switch depends on the authentication-mode { password | scheme | none } command, the user privilege level level command, and the service-type { ftp [ ftp-directory directory ] | lan-access | { ssh | telnet | terminal }* [ level level ] } command, as listed in Table 80...
  • Page 122 Refer to the corresponding modules in this manual for information about AAA, RADIUS, and SSH. Configuration Example. Network requirements: Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging into VTY 0: Configure the name of the local user to be “guest”.
  • Page 123: Telnet Connection Establishment

    [4200G-ui-vty0] user privilege level 2
    8 Configure the Telnet protocol to be supported.
    [4200G-ui-vty0] protocol inbound telnet
    9 Set the maximum number of lines the screen can contain to 30.
    [4200G-ui-vty0] screen-length 30
    10 Set the maximum number of commands the history command buffer can store to 20.
    [4200G-ui-vty0] history-command max-size 20
    11 Set the timeout time to 6 minutes.
  • Page 124 Figure 34 Launch Telnet. 4 Enter the password when the Telnet window displays “Login authentication” and prompts for the login password. The CLI prompt (such as <S4200G>) appears if the password is correct. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says “All user interfaces are used, please try later!”.
  • Page 125 Where xxxx is the IP address or the host name of the switch operating as the Telnet server. You can use the ip host command to assign a host name to a switch. 4 Enter the password. If the password is correct, the CLI prompt (such as <S4200G>) appears.
  • Page 127: Mstp Configuration

    MSTP Configuration. MSTP Overview: Spanning tree protocol (STP) cannot enable Ethernet ports to transition their states rapidly. It takes twice the forward delay for a port to transition to the forwarding state, even if the port is on a point-to-point link or is an edge port. This slows down the spanning tree convergence of STP.
  • Page 128 Figure 36 Basic MSTP terminologies. MST region: An MST region (multiple spanning tree region) comprises multiple physically-interconnected MSTP-enabled switches and the corresponding network segments connected to these switches. These switches have the same region name, the same VLAN-to-spanning-tree mapping configuration and the same MSTP revision level.
  • Page 129 An internal spanning tree (IST) is a spanning tree in an MST region. ISTs together with the common spanning tree (CST) form the common and internal spanning tree (CIST) of the entire switched network. An IST is a special MSTI; it belongs to an MST region and is a branch of the CIST.
  • Page 130 In Figure 37, switches A, B, C, and D form an MST region. Port 1 and port 2 on switch A connect upstream to the common root. Port 5 and port 6 on switch C form a loop. Port 3 and port 4 on switch D connect downstream to other MST regions.
  • Page 131 Implementation of MSTP: MSTP divides a network into multiple MST regions at Layer 2. The CST is generated between these MST regions, and multiple spanning trees (MSTIs) can be generated in each MST region. Like RSTP, MSTP uses configuration BPDUs to generate spanning trees.
  • Page 132: Root Bridge Configuration

    First, the switch generates a designated port configuration BPDU for each of its ports using the root port configuration BPDU and the root port path cost, with the root ID being replaced with that of the root port configuration BPDU, the root path cost being replaced with the sum of the path cost of the root port configuration BPDU and the path cost of the root port, the ID of the designated bridge being replaced with that of the switch, and the ID of the designated port being replaced...
  • Page 133 Table 84 Root bridge configuration (Continued)
    Operation: Network diameter configuration | Description: Optional. The default is recommended. | Related section: Network Diameter Configuration
    Operation: MSTP time-related configuration | Description: Optional. The defaults are recommended. | Related section: MSTP Time-related Configuration
    Operation: Timeout time factor configuration | Description: Optional | Related section: Timeout Time Factor Configuration...
  • Page 134 MST Region Configuration: Configuration procedure. Table 85 Configure an MST region
    Operation: Enter system view | Command: system-view | Description: —
    Operation: Enter MST region view | Command: stp region-configuration | Description: —
    Operation: Configure a name for the MST region | Command: region-name name | Description: Required. The default MST region name of a switch is its MAC address.
  • Page 135 Admin configuration
    Format selector
    Region name :info
    Revision level
    Instance Vlans Mapped
    11 to 19, 31 to 4094
    1 to 10
    20 to 30
    Root Bridge/Secondary Root Bridge: MSTP can automatically choose a switch as a root bridge. You can also manually specify the current switch as a root bridge by using the corresponding commands.
  • Page 136 You can configure a switch as the root bridge of multiple spanning tree instances. But you cannot configure two or more root bridges for one spanning tree instance. So, do not configure root bridges for the same spanning tree instance on two or more switches using the stp root primary command.
  • Page 137 ■ RSTP mode: In this mode, the protocol packets sent out of the ports of the switch are RSTP packets. If the switched network contains RSTP-enabled switches, you can configure the current MSTP-enabled switch to operate in this mode by using the stp mode rstp command.
  • Page 138 Configuration example
    1 Configure the maximum hops of the MST region to be 30 (assuming that the current switch operates as the region root).
    <S4200G> system-view
    System View: return to User View with Ctrl+Z.
    [4200G] stp max-hops 30
    Network Diameter Configuration: In a switched network, any two switches can communicate with each other through a...
  • Page 139 ■ The Max age parameter is used to judge whether or not a configuration BPDU is obsolete. Obsolete configuration BPDUs will be discarded.
    Configuration procedure: Table 92 Configure MSTP time-related parameters
    Operation: Enter system view | Command: system-view | Description: —...
  • Page 140 Configuration example
    1 Configure the Forward delay parameter to be 1,600 centiseconds, the Hello time parameter to be 300 centiseconds, and the Max age parameter to be 2,100 centiseconds (assuming that the current switch operates as the CIST root bridge).
    <S4200G>...
  • Page 141 Configuration procedure (in system view). Table 94 Configure the maximum transmitting speed for specified ports in system view
    Operation: Enter system view | Command: system-view | Description: —
    Operation: Configure the maximum transmitting speed for specified... | Command: stp interface interface-list transmit-limit packetnumber | Description: Required. The maximum transmitting speed of all Ethernet ports on a switch...
  • Page 142 Configuration procedure (in system view). Table 96 Configure a port as an edge port (in system view)
    Operation: Enter system view | Command: system-view | Description: —
    Operation: Configure the specified ports as edge ports | Command: stp interface interface-list edged-port enable | Description: Required. By default, all the Ethernet ports of a switch are non-edge ports.
  • Page 143 Configuration procedure (in system view). Table 98 Specify whether or not the links connected to the specified ports are point-to-point links (in system view)
    Operation: Enter system view | Command: system-view | Description: —
    Operation: Specify whether or not the links connected to... | Command: stp interface interface-list... | Description: Required
  • Page 144 System View: return to User View with Ctrl+Z.
    [4200G] stp interface GigabitEthernet1/0/1 point-to-point force-true
    ■ Configure in Ethernet port view.
    <S4200G> system-view
    System View: return to User View with Ctrl+Z.
    [4200G] b
    [4200G-GigabitEthernet1/0/1] stp point-to-point force-true
    MSTP Configuration: Configuration procedure. Table 100 Enable MSTP in system view...
  • Page 145: Leaf Node Configuration

    ■ Configure in Ethernet port view.
    <S4200G> system-view
    System View: return to User View with Ctrl+Z.
    [4200G] stp enable
    [4200G] interface GigabitEthernet1/0/1
    [4200G-GigabitEthernet1/0/1] stp disable
    Leaf Node Configuration: Table 102 lists MSTP-related configurations about leaf nodes. Table 102 Leaf node configuration. Operation | Description...
  • Page 146 ■ ...: Adopts the IEEE 802.1t standard to calculate the default path costs of ports.
    ■ legacy: Adopts the standard defined by 3Com to calculate the default path costs of ports.
    Table 103 Specify the standard for calculating path costs...
  • Page 147 Table 104 Transmission speeds and the corresponding path costs (Continued)
    Columns: Transmission speed | Operation mode (half-/full-duplex) | Path cost by standard: 802.1D-1998 | IEEE 802.1t | defined by 3Com
    10 Gbps | Full-duplex | 2,000
    Aggregated link 2 ports | 1,000
    Aggregated link 3 ports
    Aggregated link 4 ports
    Normally, the path cost of a port operating in full-duplex mode is slightly less than that of the port operating in half-duplex mode.
  • Page 148 ■ Configure in Ethernet port view.
    <S4200G> system-view
    System View: return to User View with Ctrl+Z.
    [4200G] interface GigabitEthernet1/0/1
    [4200G-GigabitEthernet1/0/1] stp instance 1 cost 2000
    Configuration example (B)
    1 Change the path cost of GigabitEthernet1/0/1 port in spanning tree instance 1 to the default one calculated with the IEEE 802.1D-1998 standard.
  • Page 149: The Mcheck Configuration

    A lower port priority value indicates a higher port priority. If all the ports of a switch have the same port priority value, the port priorities are determined by the port indexes. Changing the priority of a port will cause spanning tree regeneration. You can configure port priorities according to actual networking requirements.
  • Page 150: Protection Function Configuration

    Performing the mCheck operation in system view. Table 109 Perform the mCheck operation in system view
    Operation: Enter system view | Command: system-view | Description: —
    Operation: Perform the mCheck operation | Command: stp [ interface interface-list ] mcheck | Description: Required
    Performing the mCheck operation in Ethernet port view. Table 110 Perform the mCheck operation in Ethernet port view. Operation...
  • Page 151 Root protection: A root bridge and its secondary root bridges must reside in the same region. A CIST root and its secondary root bridges are usually located in the high-bandwidth core region. Configuration errors or attacks may result in configuration BPDUs with priorities higher than that of the root bridge, which causes a new root bridge to be elected and network topology jitter to occur.
  • Page 152 BPDU Protection Configuration: Configuration procedure. Table 111 Enable the BPDU protection function
    Operation: Enter system view | Command: system-view | Description: —
    Operation: Enable the BPDU protection function | Command: stp bpdu-protection | Description: Required. The BPDU protection function is disabled by default.
    Configuration example: Enable the BPDU protection function.
  • Page 153: Bpdu Tunnel Configuration

    Enabling the loop prevention function on specified ports in system view. Table 114 Enable the loop prevention function on specified ports in system view
    Operation: Enter system view | Command: system-view | Description: —
    Operation: Enable the loop prevention function on... | Command: stp interface interface-list loop-protection | Description: Required
  • Page 154 As shown in Figure 38, the upper part is the operator’s network, and the lower part is the user network. The operator’s network comprises packet ingress/egress devices, and the user network has networks A and B. On the operator’s network, configure the arriving BPDU packets at the ingress to have MAC addresses in a special format, and reconvert them back to their original formats at the egress.
  • Page 155: Digest Snooping Configuration

    Digest Snooping Configuration. Introduction: According to IEEE 802.1s, two interconnected MSTP switches can interwork with each other through MSTIs in an MST region only when the two switches have the same MST region-related configuration. Interconnected MSTP switches determine whether or not they are in the same MST region by checking the configuration IDs of the BPDUs between them.
  • Page 156: Rapid Transition Configuration

    ■ To enable the digest snooping feature, the interconnected switches must be configured with exactly the same MST region-related configuration.
    ■ The digest snooping feature must be enabled on all the ports of your S4200G switch that are connected to partners' proprietary protocol-adopted switches in the same MST region.
  • Page 157 Figure 40 The MSTP rapid transition mechanism (upstream switch and downstream switch; the upstream switch sends proposal packets to request rapid transition; the downstream root port blocks other non-edge ports)...
  • Page 158 Figure 41 Network diagram for rapid transition configuration (switch coming from other manufacturers; Port 1; Port 2; Quidway Switch). Configuration procedure: Table 119 Configure the rapid transition feature in system view. Operation | Command...
  • Page 159: Mstp Displaying And Debugging

    MSTP Displaying and Debugging: You can verify the above configurations by executing the display commands in any view. Execute the reset command in user view to clear MSTP statistics. Execute the debugging command in user view to debug the MSTP module. Table 121 Display and debug MSTP. Operation | Command...
  • Page 160 b Configure the MST region.
    [4200G-mst-region] region-name example
    [4200G-mst-region] instance 1 vlan 10
    [4200G-mst-region] instance 3 vlan 30
    [4200G-mst-region] instance 4 vlan 40
    [4200G-mst-region] revision-level 0
    c Activate the settings of the MST region.
    [4200G-mst-region] active region-configuration
    d Specify Switch A as the root bridge of spanning tree instance 1.
  • Page 161 b Configure the MST region.
    [4200G-mst-region] region-name example
    [4200G-mst-region] instance 1 vlan 10
    [4200G-mst-region] instance 3 vlan 30
    [4200G-mst-region] instance 4 vlan 40
    [4200G-mst-region] revision-level 0
    c Activate the settings of the MST region.
    [4200G-mst-region] active region-configuration...
  • Page 163: Configuration

    802.1x Configuration. Introduction to 802.1x: The 802.1x protocol (802.1x for short) was developed by the IEEE 802 LAN/WAN committee to address security issues of wireless LANs. It was then used in Ethernet as a common access control mechanism for LAN ports, mainly to address authentication and security problems.
  • Page 164 A PAE (port access entity) is responsible for the implementation of the algorithms and protocol-related operations in the authentication mechanism. The authenticator system PAE authenticates the supplicant systems when they log into the LAN and controls the authorization state (on/off) of the controlled ports according to the authentication result.
  • Page 165 ■ EAP protocol packets transmitted between the supplicant system and the authenticator system are encapsulated as EAPoL packets.
    ■ EAP protocol packets transmitted between the supplicant system PAE and the RADIUS server can either be encapsulated as EAPoR (EAP over RADIUS) packets or be terminated at system PAEs (the system PAEs then communicate with RADIUS servers through PAP (password authentication protocol) or CHAP (challenge-handshake authentication protocol) protocol packets).
  • Page 166 Note that EAPoL-Start, EAPoL-Logoff, and EAPoL-Key packets are only transmitted between the supplicant system and the authenticator system. EAP packets are encapsulated by the RADIUS protocol to allow them to successfully reach the authentication servers. Network management-related information (such as alarm information) is encapsulated in EAPoL-Encapsulated-ASF-Alert packets, which are terminated by authenticator systems.
  • Page 167 Figure 48 The format of an EAP-message field (Type; Length; String; EAP packet). The Message-authenticator field, as shown in Figure 49, is used to prevent unauthorized interception of access-requesting packets during authentications using CHAP, EAP, and so on.
  • Page 168 Figure 50 802.1x authentication procedure (in EAP relay mode) (EAPoL; EAPoR; RADIUS server)...
  • Page 169 ■ The RADIUS server compares the received encrypted password (contained in a RADIUS access-request packet) with the locally-encrypted password. If the two match, it will then send feedback (through a RADIUS access-accept packet and an EAP-success packet) to the switch to indicate that the supplicant system is authorized.
  • Page 170 Figure 51 802.1x authentication procedure (in EAP terminating mode) (EAPOL; RADIUS; RADIUS server; supplicant system; switch)...
  • Page 171 ■ Implementing the Guest VLAN function
    CAMS server is a service management system developed by 3Com. It can cooperate with network devices to carry out functions such as AAA and permission management. It enables a network to operate in the desired way and enables you to manage a network in an easy way.
  • Page 172: Configuration

    ■ After the maximum number of authentication retries have been made and there are still ports that have not sent any response back, the switch will then add these ports into the Guest VLAN.
    ■ When the maximum number of authentication retries is reached, the switch adds...
  • Page 173: Timer And Maximum User Number Configuration

    Configuring Basic 802.1x Functions: Table 122 Configure basic 802.1x functions
    Operation: Enter system view | Command: system-view | Description: —
    Operation: Enable 802.1x globally | Command: dot1x | Description: Required. By default, 802.1x is disabled globally.
    Operation: Enable 802.1x for specified ports | Command: Use the following command in system view:... | Description: Required
  • Page 174: Advanced 802.1X Configuration

    Table 123 Configure 802.1x timers and the maximum number of users (Continued)
    Operation: Configure 802.1x timers | Command: dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | tx-period tx-period-value | ... } | Description: Optional. The default values of 802.1x timers are as follows: handshake-period-value: 15 seconds...
  • Page 175 The proxy checking function needs the support of 3Com's 802.1x client program. The configuration listed in Table 124 takes effect only when it is performed on CAMS as well as on the switch and the client version checking function is enabled on the switch (by the dot1x version-check command).
  • Page 176: Displaying And Debugging 802.1X

    Supplicant systems that are not authenticated, fail to pass the authentication, or are offline belong to Guest VLANs. Displaying and Debugging 802.1x: You can verify the 802.1x-related configuration by executing the display command in any view. You can clear 802.1x-related statistics information by executing the reset command in user view.
  • Page 177 and the authenticating RADIUS server to be name, and money for interaction between the switch and the accounting RADIUS server. Configure the waiting period for the switch to resend packets to the RADIUS server to be 5 seconds, that is, if after 5 seconds the RADIUS server still has not sent any response back, the switch will resend the packets.
  • Page 178 6 Assign IP addresses to the secondary authentication and accounting RADIUS server.
    [4200G-radius-radius1] secondary authentication 10.11.1.2
    [4200G-radius-radius1] secondary accounting 10.11.1.1
    7 Set the password for the switch and the authentication RADIUS servers to exchange messages.
    [4200G-radius-radius1] key authentication name
    8 Set the password for the switch and the accounting RADIUS servers to exchange messages.
  • Page 179: Habp Configuration

    802.1x, their received packets will be filtered. This means that users can no longer manage the attached switches. To address this problem, 3Com authentication bypass protocol (HABP) has been developed. An HABP packet carries the MAC addresses of the attached switches with it. It can bypass the 802.1x authentications when traveling between HABP-enabled switches,...
  • Page 180: Habp Client Configuration

    Chapter 22: HABP Configuration. HABP Client Configuration: HABP clients reside on switches attached to HABP servers. After you enable HABP for a switch, the switch operates as an HABP client by default. So you only need to enable HABP on a switch to make it an HABP client. Table 130 Configure an HABP client. Operation | Command...
  • Page 181: Aaa&Radius Configuration

    AAA&RADIUS Configuration. Overview: Introduction to AAA. AAA is short for the three security functions authentication, authorization and accounting. It provides a uniform framework for you to configure the three security functions to implement network security management. The network security mentioned here mainly refers to access control. It mainly controls:
    ■ Which users can access the network,...
  • Page 182 Chapter 23: AAA&RADIUS Configuration Generally, AAA adopts a client/server structure, where the client acts as the managed resource and the server stores user information. This structure scales well and facilitates centralized management of user information. Introduction to ISP Domain An Internet service provider (ISP) domain is a group of users who belong to the same ISP.
  • Page 183 Overview 169 Figure 54 Databases in a RADIUS server (the Users, Clients and Dictionary databases). In addition, the RADIUS server can act as the client of another AAA server to provide an authentication or accounting proxy service. Basic message exchange procedure of RADIUS The messages exchanged between a RADIUS client (a switch, for example) and the RADIUS server are authenticated by means of a shared key; the key itself is never sent on the wire, it is mixed into the MD5 authenticators carried in the packets.
  • Page 184 Chapter 23: AAA&RADIUS Configuration 3 The RADIUS server compares the received user information with that in the Users database to authenticate the user. If the authentication succeeds, it sends back an authentication response (Access-Accept), which carries the user's authorization information, to the RADIUS client.
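    The exchange described above, worked through as an added example (this is not code from the 3Com manual or from any 3Com product): the client builds an Access-Request whose User-Password is hidden with MD5(shared key + Request Authenticator) as RFC 2865 specifies, the server answers with an Access-Accept or Access-Reject whose Response Authenticator is MD5 over the reply plus the shared key, and the client recomputes that authenticator before trusting the answer. The shared key "expert", the user database, the NAS address 10.110.91.1 and the packet identifier are constructed values for the demo.

```python
"""RADIUS Access-Request / Access-Accept exchange protected by the shared key.

Added example, not code from the 3Com manual. Per RFC 2865 the client hides
User-Password with MD5(secret + Request Authenticator) and the server signs
its reply with a Response Authenticator the client recomputes. The key,
user database, NAS address and packet identifier are constructed values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _encode_attrs(pairs):
    """Type-Length-Value attributes, RFC 2865 section 5."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in pairs)


def hide_password(secret, req_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with an MD5 chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(secret, req_auth, hidden):
    """Inverse of hide_password; the chain key is the previous cipher block."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, ident, username, password, nas_ip):
    req_auth = os.urandom(16)                      # fresh Request Authenticator
    attrs = _encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(secret, req_auth, password)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_packet(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return code, ident, packet[4:20], attrs


def build_response(secret, code, ident, req_auth, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify_response(secret, response, req_auth):
    """The client must discard any reply whose authenticator does not check out."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def server_handle(secret, users, packet):
    """Minimal server: check the revealed password against the Users database."""
    code, ident, req_auth, attrs = parse_packet(packet)
    user = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(secret, req_auth, attrs.get(ATTR_USER_PASSWORD, b""))
    ok = code == ACCESS_REQUEST and users.get(user) == password
    return build_response(secret, ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth)


def authenticate(client_secret, server_secret, users, username, password):
    """Run one exchange; returns 'accept', 'reject' or 'unverified'."""
    request = build_access_request(client_secret, 7, username, password, "10.110.91.1")
    response = server_handle(server_secret, users, request)
    if not verify_response(client_secret, response, request[4:20]):
        return "unverified"       # key mismatch or tampering: the reply is dropped
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"
```

    The third outcome, "unverified", is what a switch sees when its key and the server's key differ (for example one side still at the published default "3Com"): the server cannot recover the password, so it rejects, and the client cannot validate the reply, so it must treat it as if no response arrived at all.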
  • Page 185 Overview 171 Table 132 Description on major values of the Code field (continued; Code / Packet type / Packet description): Accounting-Request, direction client->server. The client sends this packet to the server to request that accounting be started or stopped (which of the two is determined by the Acct-Status-Type attribute in the packet).
  • Page 186 Chapter 23: AAA&RADIUS Configuration Table 133 RADIUS attributes (continued; Type field value / Attribute type): Framed-Compression, Login-IP-Host, Login-Service, Login-TCP-Port, (unassigned), Reply-Message, Callback-Number, Callback-ID, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, 40-59 (reserved for accounting), CHAP-Challenge, NAS-Port-Type...
  • Page 187: Configuration Tasks

    Configuration Tasks 173 Configuration Tasks Table 134 Configuration tasks (Configuration task / Description / Related section): Create an ISP domain, Required, Creating an ISP Domain; Configure the attributes of the ISP domain, Optional, Configuring the Attributes of an ISP Domain; Configure an AAA scheme for the ISP domain, Required, Configuring an AAA...
  • Page 188: AAA Configuration

    Chapter 23: AAA&RADIUS Configuration AAA Configuration The goal of AAA configuration is to protect network devices against unauthorized access while providing network access services to legitimate users. If you need to use ISP domains to implement AAA management of access users, you can configure the ISP domains.
  • Page 189 A server installed with the self-service software is called a self-service server. 3Com's CAMS Server is a service management system used to manage networks and to secure networks and user information. Cooperating with other network devices (such...
  • Page 190 Chapter 23: AAA&RADIUS Configuration ■ If you execute the scheme local command, the local scheme is adopted as the primary scheme. In this case only local authentication is performed; no RADIUS authentication is performed. ■ If you execute the scheme none command, no authentication is performed...
  • Page 191 AAA Configuration 177 Configuring Dynamic VLAN Assignment The dynamic VLAN assignment feature enables a switch to dynamically add the switch ports of successfully authenticated users to different VLANs according to the attributes assigned by the RADIUS server, so as to control the network resources that different users can access.
  • Page 192 Chapter 23: AAA&RADIUS Configuration Configuring the Attributes of a Local User When the local scheme is chosen as the AAA scheme, you should create local users on the switch and configure the relevant attributes. Local users are users set on the switch, each uniquely identified by a user name.
  • Page 193: RADIUS Configuration

    RADIUS Configuration 179 ■ If the configured authentication method is none or requires a password, the command level that a user can access after login is determined by the level of the user interface. Cutting Down User Connections Forcibly Table 141 Cut down user connection forcibly (Operation / Command)...
  • Page 194: Configuring RADIUS Accounting Servers

    Chapter 23: AAA&RADIUS Configuration Configuring RADIUS Authentication/Authorization Servers Table 143 Configure RADIUS authentication/authorization server (Operation / Command / Description): Enter system view, system-view; Create a RADIUS scheme and enter its view, radius scheme radius-scheme-name, Required. By default, a RADIUS scheme named "system"...
  • Page 195 By default, the shared key for the RADIUS authentication/authorization packets is "3Com". Set a shared key for the RADIUS accounting packets, key accounting string, Required. By default, the shared key for the RADIUS accounting packets is "3Com". Both defaults are published in this guide, so treat them as placeholders and set keys of your own before the scheme is pointed at a production RADIUS server.
  • Page 196 By default, a RADIUS scheme named "system" has already been created in the system. Specify the type of RADIUS server supported by the switch, server-type { 3Com | standard }, Optional. By default, the switch supports the standard type of RADIUS server.
  • Page 197 RADIUS Configuration 183 When both the primary and secondary servers are in the active or the blocked state, the switch sends packets only to the primary server. Table 148 Set the status of RADIUS servers (Operation / Command / Description): Enter system view, system-view...
  • Page 198 By default, a local RADIUS authentication server has already been created, whose NAS-IP and key are 127.0.0.1 and 3Com respectively. CAUTION: ■ When you use the local RADIUS authentication server function, the UDP port number for the authentication/authorization service must be 1645, the UDP port number for the accounting service must be 1646 (the pre-RFC 2865 ports, not the standard 1812/1813), and the IP addresses of the servers must be set to the addresses of the switch.
  • Page 199 RADIUS Configuration 185 To bill users in real time, set the real-time accounting interval. After the setting, the switch sends the accounting information of online users to the RADIUS server at regular intervals. Table 151 Set the timers of RADIUS server (Operation / Command / Description)...
  • Page 200: Displaying AAA&RADIUS Information

    Chapter 23: AAA&RADIUS Configuration The user re-authentication upon device restart function is designed to resolve the above problem. After this function is enabled, every time the switch restarts: 1 The switch generates an Accounting-On packet, which mainly contains the following information: NAS-ID, NAS-IP address (source IP address), and session ID.
  • Page 201: AAA&RADIUS Configuration Example

    RADIUS server to “expert”. You can use a CAMS server as the RADIUS server. If you use a third-party RADIUS server, you can select standard or 3Com as the server type in the RADIUS scheme. On the RADIUS server: Set the shared key it uses to exchange packets with the switch to “expert”.
  • Page 202: Local Authentication

    4 Configure a RADIUS scheme. [4200G] radius scheme cams [4200G-radius-cams] accounting optional [4200G-radius-cams] primary authentication 10.110.91.164 1812 [4200G-radius-cams] key authentication expert [4200G-radius-cams] server-type 3Com [4200G-radius-cams] user-name-format with-domain [4200G-radius-cams] quit 5 Associate the ISP domain with the RADIUS scheme. [4200G] domain cams...
  • Page 203: Troubleshooting AAA&RADIUS Configuration

    RADIUS Authentication of Telnet/SSH Users". You only need to change the server IP address, the authentication password, and the UDP port number for the authentication service in configuration step "Configure a RADIUS scheme" in "Remote RADIUS Authentication of Telnet/SSH Users" to 127.0.0.1, 3Com, and 1645 respectively, and configure local users. Troubleshooting The RADIUS protocol runs at the application layer of the TCP/IP protocol suite.
  • Page 204 Chapter 23: AAA&RADIUS Configuration Possible reasons and solutions: ■ The user name is not in the userid@isp-name format, or no default ISP domain is specified on the switch: use the correct user name format, or set a default ISP domain on the switch. ■ The user is not configured in the database of the RADIUS server: check the...
  • Page 205: Centralized MAC Address Authentication Configuration

    Centralized MAC Address Authentication Configuration Centralized MAC Address Authentication Overview Centralized MAC address authentication is port-/MAC address-based authentication used to control user permissions to access a network. It can be performed without client-side software. With this type of authentication employed, a switch authenticates a user upon detecting the user's MAC address for the first time. Note that the only credential checked is the MAC address, which any host can set to an arbitrary value, so this method identifies a device rather than a user and is only as strong as your control over which devices can reach the port.
  • Page 206 Chapter 24: Centralized MAC Address Authentication Configuration ■ Configuring the ISP Domain for MAC Address Authentication Users ■ Configuring the Timers Used in Centralized MAC Address Authentication The configuration of the maximum number of learned MAC addresses (refer to the mac-address max-mac-count command) is unavailable on ports with centralized MAC address authentication enabled.
  • Page 207: Displaying And Debugging Centralized MAC Address Authentication

    Displaying and Debugging Centralized MAC Address Authentication 193 Configuring the ISP Domain for MAC Address Authentication Users Table 159 lists the operations to configure the ISP domain for centralized MAC address authentication users. Table 159 Configure the ISP domain for MAC address authentication users (Operation / Command)...
  • Page 208: Centralized MAC Address Authentication Configuration Example

    Chapter 24: Centralized MAC Address Authentication Configuration Centralized MAC Address Authentication Configuration Example Centralized MAC address authentication configuration is similar to 802.1x. In this example, the differences between the two lie in the following: Centralized MAC address authentication needs to be enabled both globally and per port.
  • Page 209: ARP Configuration

    ARP Configuration Introduction to ARP Address Resolution Protocol (ARP) is used to resolve IP addresses into MAC addresses. Necessity of Address Resolution An IP address is used at the network layer and cannot be used directly for link-layer communication, because network devices on a link identify each other only by MAC address. For a packet travelling at the network layer to reach the destination host, the MAC address of that host is required.
  • Page 210 Chapter 25: ARP Configuration Table 163 Description on the fields of an ARP packet (continued; Field / Description): Hardware address of the receiver: for an ARP request packet this field is null; for an ARP reply packet it carries the hardware address of the receiver.
  • Page 211: Introduction To Gratuitous ARP

    Introduction to Gratuitous ARP 197 Table 165 describes the ARP mapping table fields. Table 165 Description on the fields of an ARP table (Field / Description): IF index, index of the physical interface/port on the device owning the physical address and IP address contained in the entry; Physical address, physical address of the device, that is, the MAC address; IP address...
  • Page 212: ARP Configuration

    Chapter 25: ARP Configuration By sending gratuitous ARP packets, a network device can: ■ Determine whether or not IP address conflicts exist between it and other network devices. ■ Trigger other network devices to update the hardware address they have stored for it in their... Because gratuitous ARP carries no authentication, any host on the segment can use it to rewrite the mapping other devices hold for an IP address, so learning from it should only be enabled on segments you trust.
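    The two uses of gratuitous ARP listed above, worked through as an added example (not code from the 3Com manual): the frames are built and parsed with the RFC 826 field layout, a frame is recognised as gratuitous when its sender and target IP addresses are equal, and a small monitor keeps an IP-to-MAC table that refuses to be silently overwritten, which is exactly the conflict, or spoofing attempt, that the "address conflict" check is meant to surface. The MAC and IP addresses and the frames are constructed for the demo.

```python
"""Build and parse ARP frames, recognise gratuitous ARP and flag IP conflicts.

Added example, not from the manual. Frame layout follows RFC 826 over
Ethernet; the hosts, addresses and frames used here are constructed.
"""
import struct

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(m): return bytes.fromhex(m.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(a): return bytes(int(o) for o in a.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=BROADCAST):
    body = ARP.pack(1, 0x0800, 6, 4, op, mac_bytes(sender_mac), ip_bytes(sender_ip),
                    mac_bytes(target_mac), ip_bytes(target_ip))
    return ETH.pack(mac_bytes(eth_dst), mac_bytes(sender_mac), ETHERTYPE_ARP) + body


def gratuitous_arp(mac, ip):
    """Sender IP equals target IP: the host announces (or probes) its own address."""
    return build_arp(ARP_REQUEST, mac, ip, ZERO_MAC, ip)


def parse_arp(frame):
    """Return the ARP fields as a dict, or None for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _, _, etype = ETH.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def is_gratuitous(arp):
    return arp["sender_ip"] == arp["target_ip"]


class ArpMonitor:
    """IP -> MAC table that reports, rather than accepts, a changed binding."""

    def __init__(self):
        self.table = {}
        self.conflicts = []

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return "ignored"
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
            return "learned"
        if known == mac:
            return "refreshed"
        # Same IP now claimed by another MAC: an address conflict or a spoofed
        # (gratuitous) ARP. Keep the existing binding and record the event.
        self.conflicts.append((ip, known, mac))
        return "conflict"
```

    A host checking for its own conflict does the mirror image: it sends gratuitous_arp(mac, ip) and treats any reply, or any gratuitous frame for the same IP with a different sender MAC, as a conflict.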
  • Page 213: Gratuitous ARP Packet Learning Configuration

    Gratuitous ARP Packet Learning Configuration 199 Enabling the ARP Entry Checking Function When multiple hosts share one multicast MAC address, you can specify whether or not to create ARP entries for learned multicast MAC addresses by performing the operations listed in Table 169. Table 169 Enable the ARP entry checking function (Operation / Command)...
  • Page 214 Chapter 25: ARP Configuration Table 171 Display and debug ARP (Operation / Command / Remark): Display the setting of the ARP aging timer, display arp timer aging, this command can be executed in any view; Clear ARP mapping entries, reset arp [ dynamic | static | interface interface-type interface-number ]...
  • Page 215: ACL Configuration

    ACL Configuration ACL Overview An access control list (ACL) is used primarily to identify traffic flows. In order to filter data packets, a series of match rules must be configured on the network device to identify the packets to be filtered. Once the packets are identified, the network device permits or denies them according to the predefined policy.
  • Page 216: Configuring Time Ranges

    Chapter 26: ACL Configuration ACL Match Order An ACL may contain a number of rules, and each rule specifies a different packet range. This raises the issue of match order when packets are matched. An ACL supports the following two types of match order: Configured order: ACL rules are matched in the order in which they were configured.
  • Page 217: Defining Basic ACLs

    Defining Basic ACLs 203 Configuration Procedure Table 172 Configure a time range (Operation / Command / Description): Enter system view, system-view; Create a time range, time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date }, Required; Display a time range...
  • Page 218: Defining Advanced ACLs

    Chapter 26: ACL Configuration Configuration Procedure Table 173 Define a basic ACL rule (Operation / Command / Description): Enter system view, system-view; Enter basic ACL view, acl number acl-number [ match-order { config | auto } ], by default the match order is config; Define a rule, rule [ rule-id ] { permit | deny } [...
  • Page 219 Defining Advanced ACLs 205 Configuration Preparation Before configuring an ACL rule containing time range arguments, you need to define the corresponding time ranges. For the configuration of time ranges, refer to Configuring Time Ranges. The values of source and destination IP addresses, the type of protocol over IP, and protocol-specific features in the rule have been defined.
  • Page 220 Chapter 26: ACL Configuration Table 175 Rule information (continued; Parameter / Type / Function / Description): destination { dest-addr dest-wildcard | any }, destination address information, specifies the destination address information in the rule; dest-addr dest-wildcard specifies the destination address of the packet, expressed in dotted decimal notation...
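    The wildcard matching described for the source and destination parameters, together with the config versus auto (depth-first) match order introduced above, as an added example that is not the switch's own code: a 0 bit in the dotted-decimal wildcard means the corresponding address bit must match, rules are evaluated first-match, and auto order is modelled here as "the rule pinning down the most bits first", which is an assumption about how the switch ranks rules, not something the manual states. The ACL rules and packets are constructed for the demo; what a port does when no rule matches is left to the caller.

```python
"""ACL rule matching with wildcard masks in config or auto (depth-first) order.

Added example, not the switch's own code. Wildcard masks follow the manual's
dotted-decimal form (a 0 bit means "this address bit must match"); "auto"
order is modelled as "the rule with the most fixed bits first", which is an
assumption about how the switch ranks rules. The ACL and packets used here
are constructed; evaluate() returns None when no rule matches.
"""
import ipaddress


def _parse_spec(spec):
    """'any' or 'address wildcard' -> (masked address, fixed-bits mask)."""
    if spec == "any":
        return 0, 0
    address, wildcard = spec.split()
    fixed = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(address)) & fixed, fixed


def _matches(spec, ip):
    masked, fixed = spec
    return int(ipaddress.IPv4Address(ip)) & fixed == masked


class Rule:
    def __init__(self, rule_id, action, source="any", destination="any", protocol=None):
        self.rule_id, self.action, self.protocol = rule_id, action, protocol
        self.source, self.destination = _parse_spec(source), _parse_spec(destination)

    def specificity(self):
        """Number of address bits the rule pins down, plus one for a protocol."""
        bits = bin(self.source[1]).count("1") + bin(self.destination[1]).count("1")
        return bits + (1 if self.protocol else 0)

    def matches(self, packet):
        if self.protocol and packet.get("protocol") != self.protocol:
            return False
        return (_matches(self.source, packet["src"])
                and _matches(self.destination, packet.get("dst", "0.0.0.0")))


class Acl:
    def __init__(self, number, rules, match_order="config"):
        self.number = number
        if match_order == "config":
            self.rules = list(rules)                       # order of configuration
        elif match_order == "auto":                        # depth-first: most specific first
            self.rules = sorted(rules, key=lambda r: (-r.specificity(), r.rule_id))
        else:
            raise ValueError(f"unknown match order {match_order!r}")

    def evaluate(self, packet):
        """First matching rule wins; returns (action, rule_id) or None."""
        for rule in self.rules:
            if rule.matches(packet):
                return rule.action, rule.rule_id
        return None
```

    The point to take away is that the same three rules give opposite answers for a packet from 10.1.1.7 depending on the match order: in config order the broad permit for 10.1.0.0/16 is hit first, in auto order the narrower deny for 10.1.1.0/24 wins, so a rule added later "to block one subnet" only works as intended under one of the two orders.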
  • Page 221: Defining Layer 2 ACLs

    Defining Layer 2 ACLs 207 If the protocol type is ICMP, you can also directly input the ICMP message name after the icmp-type argument. Table 178 describes some common ICMP messages. Table 178 ICMP messages (Name / ICMP type / ICMP code): echo, Type=8, Code=0...
  • Page 222 Chapter 26: ACL Configuration Configuration Tasks Table 179 Configure a Layer 2 ACL rule (Operation / Command / Description): Enter system view, system-view; Create or enter Layer 2 ACL view, acl number acl-number [ match-order { config | auto } ], by default the match order is config; Define a rule...
  • Page 223: Applying ACLs On Ports

    Applying ACLs on Ports 209 Table 180 Rule information (continued; Parameter / Type / Function / Description): cos vlan-pri, priority, defines the 802.1p priority of the rule, vlan-pri is the VLAN priority in the range 0 to 7; time-range time-name, time range, specifies the time range information, time-name is the name of the time range...
  • Page 224: Displaying And Debugging ACL Configuration

    Chapter 26: ACL Configuration Configuration Example Apply ACL 2100 in the inbound direction on GigabitEthernet 1/0/1 to filter packets. <S4200G> system-view [4200G] interface gigabitethernet 1/0/1 [4200G-GigabitEthernet1/0/1] packet-filter inbound ip-group 2100 Displaying and Debugging ACL After the above configuration, you can use the display command in any view to view the running ACL information and so verify the result.
  • Page 225 ACL Configuration Examples 211 Configuration procedure Only the commands related to the ACL configuration are listed below. 1 Define a time range that contains a periodic time section from 8:00 to 18:00. <S4200G> system-view [4200G] time-range test 8:00 to 18:00 working-day 2 Define an ACL on traffic to the wage server.
  • Page 226 Chapter 26: ACL Configuration Layer 2 ACL Configuration Example Network requirements Through Layer 2 ACL configuration, packets with the source MAC address 00e0-fc01-0101 and destination MAC address 00e0-fc01-0303 are to be filtered within the time range from 8:00 to 18:00 every day. Network diagram Figure 63 Network diagram for Layer 2 ACL configuration Configuration procedure...
  • Page 227: QoS Configuration

    QoS Configuration Introduction to QoS QoS (Quality of Service) is a general concept wherever a service is supplied and demanded. It evaluates how well the service meets the customers' needs. The evaluation is usually not a precise grade; its purpose is to analyze under which conditions the service is at its best and under which it still needs improvement, and then to improve the specified aspects.
  • Page 228 Chapter 27: QoS Configuration ■ RFC 2474 redefines the ToS field in the IP packet header as the DS field. The first six bits (bit 0 to bit 5) of the DS field carry the DSCP value, in the range 0 to 63. Within the Assured Forwarding codepoints, the first three bits (bits 0 to 2) select the class, the next two bits (bits 3 and 4) indicate the drop precedence, and the last bit (bit 5) is zero.
  • Page 229 Introduction to QoS 215 Table 185 Description on DSCP values (continued; Keyword / DSCP value in decimal / DSCP value in binary): af42, 100100; af43, 100110; the class selector values 001000, 010000, 011000, 100000, 101000, 110000, 111000; default (be), 000000. 2 802.1p priority 802.1p priority lies in Layer 2 packet headers and applies where the Layer 3 packet header need not be analyzed but QoS must be assured at Layer 2.
  • Page 230 Chapter 27: QoS Configuration Table 186 Description on 802.1p priority (continued; 802.1p priority in decimal / in binary / Description): excellent-effort, controlled-load, video, voice, network-management. The precedence is called 802.1p priority because the applications of this precedence are defined in detail in the 802.1p specification. Priority Remark The priority remark function uses ACL rules to identify traffic and re-marks the priority of the packets matching those rules.
  • Page 231 Introduction to QoS 217 Figure 67 Evaluate the traffic with the token bucket (tokens are put into the bucket at the set rate)...
  • Page 232 Chapter 27: QoS Configuration Two token buckets are used in this evaluation. Tokens are put into them at the rates CIR and PIR respectively, and their sizes are CBS and EBS respectively (the two buckets are called the C bucket and the E bucket for short), representing different permitted burst levels.
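    The two-bucket evaluation described above, as an added example that is not the switch's implementation: the C bucket fills at CIR up to CBS bytes and the E bucket at PIR up to EBS bytes, and each arriving packet is coloured by which buckets still hold enough tokens for it. The colouring rule used here is the colour-blind two-rate three-colour marker of RFC 2698, which is an assumption about the exact decision the 4200G makes; the actions green = forward, yellow = re-mark DSCP, red = drop mirror the "exceed remark-dscp" form of the traffic-limit command shown later in the chapter. The rates, bucket sizes and packet trace are constructed for the demo.

```python
"""Two-rate three-colour traffic policing with a C bucket and an E bucket.

Added example, not the switch's implementation. The buckets fill at CIR and
PIR and hold at most CBS and EBS bytes, as the chapter describes; the colour
decision is the colour-blind trTCM of RFC 2698 (an assumption about the
4200G's exact rule). Rates and the packet trace are constructed values.
"""


class TwoRatePolicer:
    def __init__(self, cir_kbps, cbs_bytes, pir_kbps, ebs_bytes):
        self.cir = cir_kbps * 1000 / 8.0   # bytes per second into the C bucket
        self.pir = pir_kbps * 1000 / 8.0   # bytes per second into the E bucket
        self.cbs, self.ebs = cbs_bytes, ebs_bytes
        self.tc, self.te = float(cbs_bytes), float(ebs_bytes)   # both start full
        self.last = 0.0

    def _refill(self, now):
        """Add the tokens that accumulated since the previous packet, capped at bucket size."""
        dt = max(0.0, now - self.last)
        self.tc = min(self.cbs, self.tc + self.cir * dt)
        self.te = min(self.ebs, self.te + self.pir * dt)
        self.last = now

    def colour(self, now, size):
        self._refill(now)
        if self.te < size:             # exceeds PIR even allowing for burst: red
            return "red"
        if self.tc < size:             # within PIR but over CIR: yellow
            self.te -= size
            return "yellow"
        self.tc -= size                # within CIR: green
        self.te -= size
        return "green"


ACTIONS = {"green": "forward", "yellow": "remark-dscp", "red": "drop"}


def police_trace(policer, trace):
    """trace: [(time_s, size_bytes), ...] -> [(colour, action), ...] in arrival order."""
    return [(c, ACTIONS[c]) for c in (policer.colour(t, s) for t, s in trace)]


def summarise(results):
    """Count packets per colour."""
    counts = {"green": 0, "yellow": 0, "red": 0}
    for colour, _ in results:
        counts[colour] += 1
    return counts
```

    With CIR 8 kbps (1000 bytes/s, CBS 1500) and PIR 16 kbps (2000 bytes/s, EBS 3000), a burst of four 1000-byte packets at t = 0 yields green, yellow, yellow, red: the first fits the C bucket, the next two only the E bucket, the fourth neither. One second later both buckets have partly refilled and the pattern repeats at the smaller size the refill allows.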
  • Page 233 Introduction to QoS 219 For example, suppose device A sends packets to device B, and device B performs TP on the packets from device A, dropping those beyond the specification. To avoid needless packet loss, you can perform TS on the egress of device A and buffer the packets that exceed the TP specification in device A.
  • Page 234 Chapter 27: QoS Configuration The disadvantage of SP queuing is that if packets keep arriving in the higher-priority queues during congestion, the packets in the lower-priority queues are starved because they are never served. 2 WRR queue Figure 70 Diagram for WRR queuing...
  • Page 235: Priority Mapping

    Priority Mapping 221 Table 187 Queue-scheduling sequence of SDWRR (Scheduling algorithm / Queue-scheduling sequence / Description): 0, 0, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1; SDWRR: 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0; 0 indicates packets in queue0 and 1 indicates packets in queue1. Traffic-based Traffic...
  • Page 236 Chapter 27: QoS Configuration You can select the priority trust mode of the port as you require. In the mode of trusting the packet precedence, the switch can trust the following priorities, as you configure: ■ Trust the 802.1p priority of the packets...
  • Page 237: QoS Supported By Switch 4200G

    QoS Supported by Switch 4200G 223 Figure 73 The mapping process of trusting the DSCP precedence in the default mode and automap mode (DSCP -> other precedence mapping table)...
  • Page 238: Configuring Priority Mapping

    27: Q HAPTER ONFIGURATION Table 188 The QoS functions supported by S4200G and related commands (Continued) Specificati Related command Link Traffic Supported traffic-statistic Configuring Traffic statistics Statistics Set the Supported protocol-priority Setting the Precedence of priority of Protocol Packet protocol packets Configuring Priority Refer to Priority Mapping for introduction to priority mapping.
  • Page 239 Configuring Priority Mapping 225 Table 190 The "COS-->other precedence" mapping table and its default values (columns: 802.1p / Local-pre / Drop / DSCP). Configuration prerequisites ■ The priority trust mode is set to trusting the 802.1p priority of the packets ■ The value of the "COS-->other precedence" mapping table is specified...
  • Page 240 Chapter 27: QoS Configuration Configuration procedure Table 191 Setting to trust the 802.1p priority of the packets (Operation / Command / Description): Enter system view, system-view; Modify the "COS->Local-pre" mapping relationship, qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-local-prec ..., Optional, refer to Table 190 The "COS-->other precedence"...
  • Page 241 Configuring Priority Mapping 227 Setting to Trust the DSCP Precedence of the Packets Refer to Trusting the DSCP Precedence of the Packets for a description of trusting the DSCP precedence of the packets. You can modify the "DSCP-->other precedence" mapping relationship as required. Table 192 The "DSCP-->other precedence"...
  • Page 242 Chapter 27: QoS Configuration Configuration procedure Table 194 Setting to trust the DSCP precedence of the packets (Operation / Command / Description): Enter system view, system-view; Modify the "DSCP->Local-pre" mapping relationship, dscp-local-precedence-map dscp-list : local-precedence, Optional, refer to Table 192 and Table 193 for the default values; Modify the "DSCP->Drop...
  • Page 243: Configuring TP

    Configuring TP 229 Configuring TP Refer to the introduction to TP above. Configuration Prerequisites ■ The ACL rules used for traffic identification are defined; refer to the ACL module in this book for defining ACL rules. ■ The limit rate for TP, the actions for the packets within the specified traffic and the...
  • Page 244: Configuring TS

    Chapter 27: QoS Configuration Table 197 Clearing the statistics of TP: Display the statistics of TP, display qos-interface { interface-type interface-num | unit-id } traffic-limit, Required. The TP statistics include the bytes of the packets within the limited rate and the bytes of the packets beyond the limited rate.
  • Page 245: Configuring Queue-Scheduling

    Configuring Queue-scheduling 231 Table 198 Configuring TS: Start TS and send the packets at an even rate, traffic-shape [ queue queue-id ] max-rate burst-size, Required. The switch supports two forms of TS: ■ TS for all the traffic on the port...
  • Page 246: Configuring Traffic Statistics

    Chapter 27: QoS Configuration Configuration Procedure of the SDWRR Queue Scheduling Table 200 Configuring the SDWRR queue scheduling (Operation / Command / Description): Enter system view, system-view; Set the SDWRR queue-scheduling algorithm and its ..., queue-scheduler wrr { group1 { queue-id queue-weight } &<1-8>..., Required...
  • Page 247: Setting The Precedence Of Protocol Packet

    Setting the Precedence of Protocol Packet 233 acl-rule: the issued ACL rules, which can be a combination of various ACL rules. The ways of combining them are described in Table 202. Table 202 The ways of issuing combined ACLs (Way of combination / Form of acl-rule): Issue all the rules in an IP ACL separately, ip-group acl-number...
  • Page 248: Displaying And Maintaining QoS

    Chapter 27: QoS Configuration Table 204 Setting the precedence of the protocol packet: Set the precedence of the protocol packet, protocol-priority protocol-type protocol-type { ip-precedence ip-precedence | dscp dscp-value }, Required. You can modify the IP precedence or DSCP precedence of the protocol packet. Only the precedence of TELNET, SNMP, and ICMP protocol packets...
  • Page 249: QoS Configuration Example

    QoS Configuration Example 235 Table 205 Displaying and maintaining QoS (continued; Operation / Command): Display the parameter configurations of traffic policing, display qos-interface { interface-type interface-num | unit-id } traffic-limit; Display the parameter configurations of TS, display qos-interface { interface-type interface-num | unit-id } traffic-shape; Display the traffic statistics, display qos-interface { interface-type interface-num |...
  • Page 250 Chapter 27: QoS Configuration [4200G-acl-adv-3000] quit 2 Limit the outbound traffic of the salary query server a Limit the average rate of outbound traffic to 640 kbps and set the precedence of packets exceeding the specification to 4. [4200G] interface gigabitEthernet1/0/1 [4200G-GigabitEthernet1/0/1] traffic-limit inbound ip-group 3000 640 exceed remark-dscp 4...
  • Page 251: Configuration For Mirroring Features

    Configuration for Mirroring Features Mirroring Features Mirroring refers to the process of copying packets that match specified rules to a destination port. Generally, the destination port is connected to a data monitoring device, which users can use to analyze the mirrored packets for monitoring and troubleshooting the network.
  • Page 252 Chapter 28: Configuration for Mirroring Features ■ Intermediate switch: the switch between the source and the destination switch on the network. ■ Destination switch: the switch to which the destination port for remote mirroring belongs. Table 206 describes how the ports on the various switches are involved in the mirroring operation.
  • Page 253: Mirroring Supported By Switch 4200G

    Mirroring Supported by Switch 4200G 239 MAC-Based Mirroring In MAC-based mirroring, the device mirrors the following packets to the destination port: ■ Packets whose source MAC addresses match the specified MAC addresses ■ Packets whose destination MAC addresses match the specified MAC addresses...
  • Page 254 Chapter 28: Configuration for Mirroring Features Configuration procedure Table 208 Configure traffic mirroring (Operation / Command / Description): Enter system view, system-view; Enter Ethernet port view of the destination port, interface interface-type interface-number; Define the current port as the destination port, monitor-port, Required; Exit the current view, quit; Enter Ethernet port view of...
  • Page 255 Mirroring Configuration 241 Configuring Port Mirroring Configuration prerequisites The source port is specified, and whether the packets to be mirrored are inbound or outbound is specified: inbound only mirrors the packets received on the port; outbound only mirrors the packets sent by the port; both mirrors the packets received and sent by the port.
  • Page 256 Chapter 28: Configuration for Mirroring Features Configuring port mirroring in system view Table 212 Configure port mirroring in system view (Operation / Command / Description): Enter system view, system-view; Create a port mirroring group, mirroring-group group-id local, Required; Configure the destination port, mirroring-group group-id ..., Required...
  • Page 257 Mirroring Configuration 243 Configuration procedure Table 213 Configure MAC-based mirroring (Operation / Command / Description): Enter system view, system-view; Define a MAC-based local mirroring group, mirroring-group group-id local, Required; Configure MAC-based mirroring, mirroring-group group-id mirroring-mac mac vlan vlan-id, Required; Enter Ethernet port view of the destination port, interface interface-type interface-number...
  • Page 258 Chapter 28: Configuration for Mirroring Features Configuration procedure Table 214 Configure VLAN-based mirroring (Operation / Command / Description): Enter system view, system-view; Define a VLAN-based local mirroring group, mirroring-group group-id local, Required; Configure VLAN-based mirroring, mirroring-group group-id mirroring-vlan vlan-id inbound, Required; Enter Ethernet port view of the destination port...
  • Page 259 Mirroring Configuration 245 Configuring RSPAN on the source switch Table 215 Configure RSPAN on the source switch (Operation / Command / Description): Enter system view, system-view; Create a remote-probe VLAN and enter VLAN view, vlan vlan-id, vlan-id is the ID of the remote-probe VLAN.
  • Page 260 Chapter 28: Configuration for Mirroring Features Table 216 Configure RSPAN on the intermediate switch (continued; Operation / Command / Description): Configure the trunk port to permit packets from the remote-probe VLAN, port trunk permit vlan remote-probe-vlan-id, Required. This configuration is necessary for the ports on the intermediate switch that are connected to the source switch or the destination...
  • Page 261 Mirroring Configuration 247 To meet the above requirement using the RSPAN function, perform the following configuration: ■ Define VLAN 10 as the remote-probe VLAN. ■ Define Switch A as the destination switch; configure Ethernet1/0/2, the port connected to the data monitoring device, as the destination port for remote mirroring. Disable the STP function on GigabitEthernet1/0/2.
  • Page 262: Displaying And Debugging Mirroring

    Chapter 28: Configuration for Mirroring Features [4200G] interface gigabitethernet1/0/1 [4200G-GigabitEthernet1/0/1] port trunk permit vlan 10 [4200G-GigabitEthernet1/0/1] quit [4200G] interface gigabitethernet1/0/2 [4200G-GigabitEthernet1/0/2] port trunk permit vlan 10 3 Configure Switch A. <S4200G> system-view [4200G] vlan 10 [4200G-vlan10] remote-probe vlan enable [4200G-vlan10] quit [4200G] interface gigabitethernet1/0/1 [4200G-GigabitEthernet1/0/1] port trunk permit vlan 10...
  • Page 263: IGMP Snooping

    IGMP Snooping Configuration Overview of IGMP Snooping IGMP Snooping Fundamentals IGMP Snooping (Internet Group Management Protocol Snooping) is a multicast control mechanism running on a Layer 2 switch. It is used to manage and control multicast groups. When the IGMP messages sent from hosts to the router pass through the Layer 2 switch, the switch uses IGMP Snooping to analyze and process them.
  • Page 264 Chapter 29: IGMP Snooping Configuration IGMP Snooping Fundamentals IGMP Snooping terminologies Before going on, we first describe the following terms involved in IGMP Snooping: ■ Router port: the switch port directly connected to the multicast router. ■ Multicast member port: a switch port connected to a multicast group member (a...
  • Page 265 Overview of IGMP Snooping 251 To implement Layer 2 multicast, the switch processes the four different types of IGMP messages it receives, as shown in Table 221. Table 221 IGMP Snooping messages (Message / Sender / Receiver / Purpose / Switch action): IGMP general query, sent by the multicast router to multicast hosts to query whether the ...; the switch checks whether the message comes from...
  • Page 266: IGMP Snooping Configuration

    Chapter 29: IGMP Snooping Configuration IGMP Snooping Configuration The following sections describe the IGMP Snooping configuration tasks: ■ Enabling IGMP Snooping ■ Configuring Timers ■ Enabling IGMP Fast Leave Processing ■ Configuring IGMP Snooping Filtering ACL ■ Configuring to Limit Port Multicast Group Number...
  • Page 267 IGMP Snooping Configuration. Configuring Timers: This configuration task is to manually configure the aging time of the router port, the aging time of the multicast member ports, and the query response timeout time. ■ If the switch receives no general query message from a router within the aging...
  • Page 268 Chapter 29: IGMP Snooping Configuration. In practice, when a user orders a multicast program, an IGMP report message is generated. When the message arrives at the switch, the switch examines the multicast filtering ACL configured on the access port to determine whether the port can join the corresponding multicast group or not.
  • Page 269 IGMP Snooping Configuration. Multicast VLAN is mainly used in Layer 2 switching, but you must make the corresponding configuration on the Layer 3 switch. Table 227 Configure multicast VLAN on Layer 3 switch (columns: Operation, Command, Description). Enter system view | system-view | —...
  • Page 270: Displaying Information About Igmp Snooping

    Chapter 29: IGMP Snooping Configuration. ■ You cannot set the isolate VLAN as a multicast VLAN. ■ One port can belong to only one multicast VLAN. ■ The port connected to a user end can only be set as a hybrid port. ■...
  • Page 271 IGMP Snooping Configuration Example 257 2 Enable IGMP Snooping on VLAN 10 where no Layer 3 multicast protocol is enabled. [4200G] vlan 10 [4200G-vlan10] igmp-snooping enable Example 2 Configure multicast VLAN on Layer 2 and Layer 3 switches. Network requirements Table 230 describes the network devices involved in this example and the configurations you should make on them.
  • Page 272 Chapter 29: IGMP Snooping Configuration. Configuration procedure: The following configuration is based on the prerequisite that the devices are properly connected and all the required IP addresses are already configured. 1 Configure Switch A: a Set the interface IP address of VLAN 20 to 168.10.1.1 and enable the PIM DM protocol on the VLAN interface.
  • Page 273: Troubleshooting Igmp Snooping

    Troubleshooting IGMP Snooping. [ Switch B-GigabitEthernet 1/0/1] quit e Define the GigabitEthernet 1/0/2 port as a hybrid port, add the port to VLAN 3 and VLAN 10, configure the port to exclude VLAN tags in its outbound packets for VLAN 3 and VLAN 10, and set VLAN 3 as the default VLAN of the port. [ Switch B] interface GigabitEthernet 1/0/2 [ Switch B-GigabitEthernet 1/0/2] port link-type hybrid [ Switch B-GigabitEthernet 1/0/2] port hybrid vlan 3 10 untagged...
  • Page 274 Chapter 29: IGMP Snooping Configuration...
  • Page 275: Routing Port Join To Multicast Group

    Routing Port Join to Multicast Group Configuration. Introduction: Normally, an IGMP host responds to IGMP query messages of the multicast router. In case of response failure, the multicast router may consider that there is no multicast member on this network segment and cancel the corresponding path.
  • Page 276 Chapter 30: Routing Port Join to Multicast Group Configuration...
  • Page 277: Multicast Mac Address Entry

    Multicast MAC Address Entry Configuration. Introduction: In Layer 2 multicast, the system can add multicast forwarding entries dynamically through a Layer 2 multicast protocol. However, you can also statically bind a port to a multicast address entry by configuring a multicast MAC address manually. Generally, when receiving a multicast packet whose multicast address has not yet been registered on the switch, the switch broadcasts the packet in the VLAN.
  • Page 278: Displaying Multicast Mac Address Configuration

    Chapter 31: Multicast MAC Address Entry Configuration. ■ You cannot enable port aggregation on a port where you have configured a multicast MAC address; and you cannot configure a multicast MAC address on an aggregation port. Displaying Multicast MAC Address: You can use the following display command in any view to display the multicast MAC address entry/entries you configured manually.
  • Page 279: Cluster Configuration

    Cluster Configuration. Cluster Overview. Introduction to Cluster: A cluster is implemented through HGMP V2. By employing HGMP V2, a network administrator can manage multiple switches using the public IP address of a switch known as a management device. The switches under the management of the management device are member devices.
  • Page 280 Chapter 32: Cluster Configuration. HGMP V2 provides the following functions: ■ Topology discovery: HGMP V2 implements NDP (neighbor discovery protocol) to discover the information about the directly connected neighbor devices, including device type, software/hardware version, connecting port and so on. The information such as device ID, port mode (duplex or half duplex), product version, and BootROM version can also be given.
  • Page 281 Cluster Overview. Figure 84 Role changing rule (figure: candidate device, management device, member device). ■ Each cluster has one (and only one) management device. A management device collects NDP/NTDP information to discover and determine candidate devices, which can then be added into the cluster through manual configurations.
  • Page 282: Management Device Configuration

    Chapter 32: Cluster Configuration. Upon detecting a change on a neighbor, a member device informs the management device of the change through handshake packets. The management device then collects the specified topology information through NTDP. Such a mechanism enables topology changes to be tracked in time. As for NTDP implementation, you need to perform configurations on the management device, the member devices, and the candidate devices as follows: On the management device, enable NTDP both globally and for specific ports, and...
  • Page 283 Management Device Configuration. Enabling NDP Globally and for Specific Ports. Table 235 Enable NDP globally and for a specific port (columns: Operation, Command, Description). Enter system view | system-view | —; Enable NDP globally | ndp enable | Required; Enable NDP for specified ports | ndp enable interface port-list | Optional; Enter Ethernet port...
  • Page 284 Chapter 32: Cluster Configuration. Enabling the Cluster Function. Table 239 Enable the cluster function (columns: Operation, Command, Description). Enter system view | system-view | —; Enable the cluster function globally | cluster enable | Required. Configuring Cluster Parameters. Configuring cluster parameters manually. Table 240 Configure cluster parameters manually (columns: Operation, Command, Description)...
  • Page 285: Member Device Configuration

    Member Device Configuration. Configuring Internal-External Interaction. Table 242 Configure internal-external interaction (columns: Operation, Command, Description). Enter system view | system-view; Enter cluster view | cluster | Required; Configure an FTP server for the cluster | ftp-server ip-address | Optional; Configure a TFTP server for the cluster | tftp-server ip-address | Optional; Configure a log host...
  • Page 286: Intra-Cluster Configuration

    Chapter 32: Cluster Configuration. Specifying the cluster FTP/TFTP server. Table 245 Specify the cluster FTP/TFTP server (columns: Operation, Command, Description). Establish a connection with the cluster FTP server | ftp cluster | Optional; Download a file from the cluster TFTP server | tftp cluster get source-file [ destination-file ] | Optional...
  • Page 287: Hgmp V2 Configuration Example 273

    HGMP V2 Configuration Example. Table 247 Display and maintain cluster configurations (Continued) (columns: Operation, Command, Remark). Display state and statistics information about a cluster | display cluster | Optional; this command can be executed in any view. Display the information about the candidate... | display cluster candidates [ mac-address H-H-H | verbose ] | Optional...
  • Page 288 Chapter 32: Cluster Configuration. Network diagram: Figure 85 Network diagram for HGMP cluster configuration (figure labels: SNMP host/log host 69.172.55.4, FTP server/TFTP server, Network)...
  • Page 289 HGMP V2 Configuration Example 275 f Configure the delay time for topology-collection request packets to be forwarded on member devices to be 150 ms. [4200G] ntdp timer hop-delay 150 g Configure the delay time for topology-collection request packets to be forwarded through the ports of member devices to be 15 ms.
  • Page 290 Chapter 32: Cluster Configuration. d Establish a connection with the cluster FTP server. <aaa_1.S4200G> ftp cluster e Download the file named aaa.txt from the cluster TFTP server. <aaa_1.S4200G> tftp cluster get aaa.txt f Upload the file named bbb.txt to the cluster TFTP server. <aaa_1.S4200G>...
  • Page 291: Snmp Configuration

    SNMP Configuration. SNMP Overview: So far, the simple network management protocol (SNMP) has gained the most extensive application in computer networks. SNMP has been put into use and widely accepted as an industry standard in practice. It is used to ensure the transmission of management information between any two nodes.
  • Page 292 Chapter 33: SNMP Configuration. MIBs Supported by the Device: The management variable in the SNMP packet describes management objects of a device. To uniquely identify the management objects of the device in SNMP messages, SNMP adopts a hierarchical naming scheme to identify the managed objects. It is like a tree, and each tree node represents a managed object, as shown in Figure 86.
  • Page 293: Configuring Snmp Basic Functions

    (Table continued) Command fragment: ... sys-location | version { { v1 | v2c | v3 }* | all } }. Description: By default, the contact information for system maintenance is "R&D Beijing, 3Com", the system location is "Beijing China", and the SNMP version is SNMP V3.
  • Page 294 (Table continued) Command fragment: ... sys-location | version { { v1 | v2c | v3 }* | all } }. Description: By default, the contact information for system maintenance is "R&D Beijing, 3Com.", the system location is "Beijing China", and the SNMP version is SNMP V3. Set an SNMP group...
  • Page 295: Configuring Trap

    Configuring Trap. Table 250 Configure SNMP basic functions (SNMP V3) (Continued) (columns: Operation, Command, Description). Set the size of SNMP packet that the Agent can send/receive | snmp-agent packet max-size byte-count | Optional; by default, it is 1,500 bytes. Set the device engine ID | snmp-agent local-engineid engineid | Optional...
  • Page 296: Setting The Logging Function For Network Management

    Chapter 33: SNMP Configuration. Setting the Logging Function for Network Management. Table 252 Set the logging function for network management (columns: Operation, Command, Description). Enter system view | system-view | —; Set the logging function for network management | snmp-agent log { set-operation | get-operation | all } | Optional; by default, the logging...
  • Page 297 ...5000 params securityname public. Configuring NMS: The Ethernet Switch supports 3Com’s Quidview NMS. SNMP V3 adopts user name and password authentication. In [ Quidview Authentication Parameter], you need to set a user name, choose a security level, and set the authorization mode, authorization password, encryption mode and encryption password respectively, according to the different security levels.
  • Page 298 Chapter 33: SNMP Configuration...
  • Page 299: Rmon Configuration

    RMON Configuration. Introduction to RMON: Remote monitoring (RMON) is a kind of management information base (MIB) defined by the Internet Engineering Task Force (IETF) and is one of the most important enhancements made to the MIB II standard. RMON is mainly used to monitor the data traffic across a network segment or even the entire network, and is currently a commonly used network management standard.
  • Page 300 Chapter 34: RMON Configuration. You can specify a network device to act in one of the following ways in response to an event: ■ Logging the event ■ Sending trap messages to the NMS ■ Logging the event and sending trap messages to the NMS ■...
  • Page 301: Rmon Configuration

    RMON Configuration. With the RMON statistics management function, you can monitor the usage of a port and collect statistics on the errors that occur while the ports are in use. RMON Configuration Prerequisites: Before performing RMON configuration, make sure the SNMP agents are correctly configured.
  • Page 302: Displaying And Debugging Rmon

    Chapter 34: RMON Configuration. Displaying and Debugging RMON: After the above configuration, you can execute the display command in any view to display the RMON running status and verify the effect of the configuration. Table 255 Display and debug RMON (columns: Operation, Command). Display RMON statistics...
  • Page 303 RMON Configuration Example 289 2 Display RMON configuration. [4200G-GigabitEthernet1/0/1] display rmon statistics GigabitEthernet1/0/1 Statistics entry 1 owned by user1-rmon is VALID. Interface : GagabitEthernet1/0/1<ifIndex.4227817> etherStatsOctets , etherStatsPkts etherStatsBroadcastPkts , etherStatsMulticastPkts : 0 etherStatsUndersizePkts , etherStatsOversizePkts etherStatsFragments , etherStatsJabbers etherStatsCRCAlignErrors : 0 , etherStatsCollisions etherStatsDropEvents (insufficient resources): 0 Packets received according to length:...
  • Page 304 Chapter 34: RMON Configuration...
  • Page 305: Ntp Configuration

    NTP Configuration. Introduction to NTP: Network time protocol (NTP) is a time synchronization protocol defined by RFC1305. It is used for time synchronization among a set of distributed time servers and clients. NTP is based on the user datagram protocol (UDP). NTP is intended for time synchronization of all devices that have clocks in a network, so that the clocks of all devices remain consistent.
  • Page 306 Chapter 35: NTP Configuration. Working Principle of NTP: The working principle of NTP is shown in Figure 89. In Figure 89, the Ethernet switch A (LS_A) is connected to the Ethernet switch B (LS_B) through their Ethernet ports. Both have system clocks of their own, and they need to synchronize their clocks with each other through NTP.
  • Page 307 Introduction to NTP. At this time, LS_A has enough information to calculate the following two parameters: ■ The delay for an NTP packet to make a round trip between LS_A and LS_B: delay = )-(T ■ The time offset of LS_A with regard to LS_B: offset = ((T ) + (T ))/2.
  • Page 308: Multicast Mode

    Chapter 35: NTP Configuration. Broadcast mode. Figure 92 NTP implementation mode: broadcast mode (figure labels: Server, Client, Network, "Initiate a client/server mode", "Broadcast clock synchronization")...
  • Page 309: Ntp Implementation Mode Configuration

    NTP Implementation Mode Configuration. Table 256 NTP implementation modes on an S4200G series switch (Continued) (columns: NTP implementation mode, Configuration on S4200G switches). Multicast mode | ■ Configure the S4200G to operate in NTP multicast server mode. In this case, the S4200G switch sends multicast NTP packets through the VLAN interface configured on it.
  • Page 310 Chapter 35: NTP Configuration. Table 257 Configure NTP implementation modes (Continued) (columns: Operation, Command, Description). Configure to operate in NTP broadcast client mode | ntp-service broadcast-client | Optional; Configure to operate in NTP broadcast server mode | ntp-service broadcast-server [ authentication-keyid key-id | version number ]* | Optional; by default, the number argument is...
  • Page 311: Access Control Permission Configuration

    Access Control Permission Configuration. ■ The total number of servers and peers configured for a switch can be up to 128. ■ After the configuration, the S4200G series switch does not establish connections with the peer if it operates in NTP server mode, whereas if it operates in any of the other modes, it establishes connections with the peer.
  • Page 312 Chapter 35: NTP Configuration. Configuring NTP Authentication. Configuring NTP authentication on the client. Table 259 Configure NTP authentication on the client (columns: Operation, Command, Description). Enter system view | system-view | —; Enable NTP authentication globally | ntp-service authentication enable | Required; by default, NTP authentication is disabled.
  • Page 313: Configuration Of Optional Ntp Parameters

    Configuration of Optional NTP Parameters. Configuring NTP authentication on the server. Table 260 Configure NTP authentication on the server (columns: Operation, Command, Description). Enter system view | system-view | —; Enable NTP authentication | ntp-service authentication enable | Required; By default, NTP authentication. Configure NTP authentication key | ntp-service ... | Required...
  • Page 314: Displaying And Debugging Ntp

    Chapter 35: NTP Configuration. Table 261 Configure optional NTP parameters (Continued) (columns: Operation, Command, Description). Disable the interface from receiving NTP packets | ntp-service in-interface disable | Optional; by default, a VLAN interface receives NTP packets. Display the session information maintained... | display ntp-service sessions [ verbose ] | This command can be executed in...
  • Page 315: Configuration Procedures

    Configuration Example 301 Network diagram Figure 94 Network diagram for the NTP server mode configuration Configuration procedures The following configurations are for the S4200G 1 switch. 1 Display the NTP status of the S4200G 1 switch before synchronization. <S4200G> display ntp-service status clock status: unsynchronized clock stratum: 16 reference clock ID: none...
  • Page 316 Chapter 35: NTP Configuration. note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured. NTP Peer Mode Configuration. Network requirements: S4200G 2 sets the local clock to be the NTP master clock, with the clock stratum being 2. Configure an S4200G 1 series switch to operate as a client, with S4200G 2 as the time server.
  • Page 317 Configuration Example 303 Display the status of the S4200G switch after the synchronization. [S4200G] display ntp-service status Clock status: synchronized Clock stratum: 2 Reference clock ID: 3.0.1.32 Nominal frequency: 250.0000 Hz Actual frequency: 249.9992 Hz Clock precision: 2^19 clock offset: 0.66 ms Root delay: 27.47 ms Root dispersion: 208.39 ms Peer dispersion: 9.63 ms...
  • Page 318 Chapter 35: NTP Configuration. Configuration procedures: 1 Configure S4200G 3. a Enter system view. <S4200G> system-view System View: return to User View with Ctrl+Z. [S4200G] b Enter VLAN interface 2 view. [S4200G] interface vlan-interface 2 [S4200G-Vlan-interface2] c Configure S4200G 3 to be the broadcast server and send broadcast packets through VLAN interface 2.
  • Page 319 Configuration Example 305 Root delay: 27.47 ms Root dispersion: 208.39 ms Peer dispersion: 9.63 ms Reference time: 17:03:32.022 UTC Thu Sep 6 2001 (BF422AE4.05AEA86C) The output information indicates that S4200G 1 is synchronized to S4200G 3, with the clock stratum of 3, one stratum higher than S4200G 3. d Display the information about the NTP sessions of S4200G and you can see that a connection is established between S4200G and S4200G3.
  • Page 320 Chapter 35: NTP Configuration. 2 Configure S4200G 1. a Enter system view. <S4200G> system-view System View: return to User View with Ctrl+Z. [S4200G] b Enter VLAN interface 2 view. [S4200G] interface vlan-interface 2 c Configure S4200G 4 to be a multicast client. [S4200G-Vlan-interface2] ntp-service multicast-client 3 Configure S4200G 2. a Enter system view.
  • Page 321 Configuration Example. NTP Server Mode with Authentication Configuration. Network requirements: The local clock of S4200G 1 operates as the master NTP clock, with the clock stratum set to 2. An S4200G 2 series switch operates in client mode with S4200G 1 as the time server. S4200G 1 operates in server mode automatically.
  • Page 322 Chapter 35: NTP Configuration. After the above configuration, the S4200G 2 series switch can be synchronized to S4200G 1. You can display the status of S4200G 2 after the synchronization. [S4200G] display ntp-service status clock status: synchronized clock stratum: 3 reference clock ID: 1.0.1.11 nominal frequence: 250.0000 Hz actual frequence: 249.9992 Hz...
  • Page 323: Ssh Terminal

    SSH Terminal Services. Introduction to SSH: Secure Shell (SSH) provides information security and strong authentication to prevent attacks such as IP address spoofing and plain-text password interception when users log on to the Switch remotely over an insecure network. A Switch can connect to multiple SSH clients.
  • Page 324 Chapter 36: SSH Terminal Services. Figure 100 Establish SSH channels through WAN (figure labels: Workstation, Local Switch, Local Ethernet, Laptop)...
  • Page 325 SSH Terminal Services. SSH supports two authentication types: password authentication and RSA authentication. (1) Password authentication works as follows: ■ The client sends its username and password to the server. ■ The server compares the username and password received with those configured...
  • Page 326 Chapter 36: SSH Terminal Services. Configuring supported protocols. Table 264 Configure supported protocols (columns: Operation, Command, Remarks). Enter system view | system-view; Enter one or multiple user interface views | user-interface [ type-keyword ] number [ ending-number ] | Required; Configure the protocols supported in the user interface view(s) | protocol inbound { all | ssh | ... | Optional
  • Page 327 SSH Terminal Services. Configuring authentication type: New users must be assigned an authentication type; otherwise, they cannot access the switch. Table 266 Configure authentication type (columns: Operation, Command, Remarks). Enter system view | system-view; Configure authentication type for SSH users | ssh user username authentication-type { password | password-publickey | rsa | all } | Required. CAUTION:...
  • Page 328 Chapter 36: SSH Terminal Services. Table 268 Configure client public keys (Continued) (columns: Operation, Command, Remarks). Return to system view from public key view | peer-public-key end; Allocate public keys to SSH users | ssh user username assign rsa-key keyname | Required; keyname is the name of an existing public key.
  • Page 329 SSH Terminal Services. SSH Server Configuration Example. Network requirements: As shown in Figure 101, configure a local connection from the SSH client to the switch. The PC runs SSH2.0-capable client software. Network diagram: Figure 101 Network diagram for SSH server configuration (figure labels: Switch, SSH Server)...
  • Page 330 Chapter 36: SSH Terminal Services. Configure the login protocol for the client002 user as SSH and the authentication type as RSA public key. [4200G] ssh user client002 authentication-type rsa Randomly generate RSA key pairs on the SSH2.0 client and send the corresponding public keys to the server.
  • Page 331: Sftp Service

    SFTP Service. [4200G-rsa-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913 [4200G-rsa-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4 [4200G-rsa-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC [4200G-rsa-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16 [4200G-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125 [4200G-rsa-key-code] public-key-code end [4200G-rsa-public-key] peer-public-key end [4200G] ssh client 10.165.87.136 assign rsa-key public 3 Start the SSH client. Settings for the two authentication types are described in turn below: ■ Use password authentication and start the client using the default encryption...
  • Page 332 Chapter 36: SSH Terminal Services. SFTP Server Configuration: The following sections describe SFTP server configuration tasks: ■ Configuring service type for an SSH user ■ Enabling the SFTP server ■ Setting connection timeout time. Configuring service type for an SSH user. Table 271 Configure service type for an SSH user (columns: Operation, Command)...
  • Page 333 SFTP Service. SFTP Client Configuration: The following sections describe SFTP client configuration tasks. Table 274 Configuring SFTP client (columns: Serial, Operation, Command key word, View, Remarks). Enable the SFTP client | sftp | System view | Required; Disable the SFTP client | SFTP client view | Optional | exit quit SFTP...
  • Page 334 Chapter 36: SSH Terminal Services. Disabling the SFTP client. Table 276 Disable the SFTP client (columns: Operation, Command, Remarks). Enter system view | system-view; Enter SFTP client view | sftp { host-ip | host-name }; Disable the SFTP client | ... | The three commands have the same function.
  • Page 335 SFTP Service. Displaying help information: You can display help information about a command, such as its syntax and parameters. Table 279 Display help information about SFTP client commands (columns: Operation, Command, Remarks). Enter system view | system-view; Enter SFTP client view | sftp { host-ip | host-name }; Display help information about... | help [ command-name ] | Optional...
  • Page 336 Chapter 36: SSH Terminal Services. b Display the current directory on the SFTP server, delete file z and verify the operation. sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 vrpcfg.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup...
  • Page 337 SFTP Service 323 -rwxrwxrwx 1 noone nogroup 283 Sep 02 06:35 pub -rwxrwxrwx 1 noone nogroup 283 Sep 02 06:36 puk sftp-client> g Exit from SFTP. sftp-client> quit [4200G]...
  • Page 338 Chapter 36: SSH Terminal Services...
  • Page 339: File

    File System Management. File Attribute Configuration. Introduction to File Attributes: An app file, a configuration file, or a Web file can have one of these three attributes: main, backup and none, as described in Table 280. Table 280 Descriptions on file attributes (columns: Attribute name, Description)...
  • Page 340: File System Configuration

    Chapter 37: File System Management. Perform the following configuration in user view. Table 281 Configure file attributes (columns: Operation, Command, Description). Configure the app file with the main attribute for the next startup | boot boot-loader file-url | Optional; Configure the app file with the backup... | boot boot-loader ... | Optional...
  • Page 341 File System Configuration. According to the operation objects, the operations on the file system fall into the following categories: ■ Directory operation ■ File operation ■ Storage device operation ■ Prompt mode configuration. File path and file name can be represented in one of the following ways: In URL (universal resource locator) format and starting with unit[ No.]>flash:/ ([ No.] represents the unit ID of a switch).
  • Page 342 Chapter 37: File System Management. ■ Managing a configuration file ■ Renaming a file ■ Copying a file ■ Moving a file ■ Displaying the content of a file ■ Displaying the information about a file ■ Checking file system. Table 283 describes the file-related operations.
  • Page 343 File System Configuration. As for the save command listed in Table 283, the safely keyword determines how the current configuration is saved, as described in the following. ■ If you execute this command with the safely keyword not specified, the system...
  • Page 344 Chapter 37: File System Management. -rw- 296368 Apr 02 2000 00:34:16 s3u01_00.btm -rw- 951305 Apr 02 2000 00:34:25 s3v01_00.web -rw- 8451 Apr 01 2000 23:56:53 3comoscfgdef.old -rw- 3114 Apr 02 2000 23:21:44 l3config.old 11(*) -rw- 3628 Apr 09 2000 00:11:00 updt.cfg -rwh Apr 05 2000 21:33:33...
  • Page 345: Testing Tools For Network Connection

    Testing Tools for Network Connection 331 Display the file information after the copy operation. <4200G>dir flash:/test Directory of unit1>flash:/ drw- Apr 16 2000 01:22:48 test 15367 KB total (623 KB free) (*) -with main attribute (b) -with backup attribute (*b) -with both main and backup attribute <4200G>...
  • Page 346 Chapter 37: File System Management. You can configure up to 50 IP addresses by using the command repeatedly. tracert: tracert is used to test the gateways that packets pass through from the source host to the destination host. It is mainly used to check whether the network is connected and to analyze where a fault occurs in the network.
  • Page 347: Ftp And Tftp Configuration

    FTP and TFTP Configuration. FTP Configuration. Introduction to FTP: FTP (File Transfer Protocol) is commonly used in IP-based networks to transmit files. Before the World Wide Web came into being, files were transferred through command lines, and the most popular application was FTP. At present, although e-mail and the Web are the usual methods for file transmission, FTP still has its strongholds.
  • Page 348 Chapter 38: FTP and TFTP Configuration. Table 289 describes the operations needed when a switch operates as an FTP server. Table 289 Configurations needed when a switch operates as an FTP server (columns: Device, Configuration, Default, Description). Switch | Enable the FTP server function | The FTP function... | You can run the display ftp-server...
  • Page 349 FTP Configuration. FTP services are implemented in this way: an FTP client sends FTP requests to the FTP server; the FTP server receives the requests, performs the operations accordingly, and returns the results to the FTP client. To prevent unauthorized access, an FTP server disconnects an FTP connection when it receives no requests from the FTP client for a specific period of time, known as the connection idle time.
  • Page 350 Chapter 38: FTP and TFTP Configuration. Table 292 FTP client operations (Continued) (columns: Operation, Command, Description). Query the specified files | dir [ filename ] [ localfile ] | Optional; Query a specified remote file | ls [ remotefile ] [ localfile ] | Optional; Download a remote file | get remotefile [ localfile ] | Optional; Upload a local file to...
  • Page 351 FTP Configuration. Network diagram: Figure 106 Network diagram for FTP configuration (A) (figure labels: Network, Switch). Configuration procedure: 1 Perform FTP server-related configurations on the PC, that is, create a user account on the FTP server, with the user name being switch, the password being hello, and the permission to access the directory named Switch assigned to the user account.
  • Page 352 Chapter 38: FTP and TFTP Configuration. 6 Specify the downloaded file (the file named switch.bin) to be the startup file used when the switch starts the next time and restart the switch. Thus the switch application is upgraded. <S4200G> boot boot-loader switch.bin <S4200G>...
  • Page 353: Tftp Configuration

    TFTP Configuration 339 3 After uploading the application, you can update the application on the switch. Specify the downloaded file (the file named switch.bin) to be the startup file used when the switch starts the next time and restart the switch. Thus the switch application is upgraded.
  • Page 354 Chapter 38: FTP and TFTP Configuration. Table 293 describes the operations needed when a switch operates as a TFTP client. Table 293 Configurations needed when a switch operates as a TFTP client (columns: Device, Configuration, Default, Description). Switch | Configure an IP address for the... | —...
  • Page 355 TFTP Configuration. Network diagram: Figure 109 Network diagram for TFTP configuration (figure labels: Network, Switch). Configuration procedure: 1 Start the TFTP server and configure the work directory on the PC. 2 Configure the switch.
  • Page 356 Chapter 38: FTP and TFTP Configuration...
  • Page 357: Information Center

    Here, angle brackets “<>”, spaces, slashes “/” and colon are valid and required. Below is an example of log output to a log host: <188>Apr 9 17:28:50 2004 3Com 4200G IFNET/5/UPDOWN:Line protocol on the interface M-Ethernet0/0/0 is UP (SIP=10.5.1.5 ,SP=1080)
  • Page 358 Chapter 39: Information Center. 4 Module name: It indicates the module that generates the information. Table 295 gives some examples of the modules. Table 295 Examples of some module names (columns: Module name, Module and description). 8021X | 802.1x; ... | Access control list; ... | Address resolution protocol; CFAX | Configuration agent...
  • Page 359: Information Center Configuration

    Information Center Configuration (p. 345). Information Center Configuration: The switch supports information output in six directions. Each output direction is assigned an information channel, as shown in Table 297. Table 297 Information channel names and numbers. Output direction Channel number Default channel name: Console...
  • Page 360 Chapter 39: Information Center. Enabling Information Output to a Log Host: Table 299 lists the related configurations on the switch. Table 299 Enable information output to a log host. Operation Command Description: Enter system view system-view —; Enable the information center info-center enable Optional...
  • Page 361 Information Center Configuration (p. 347). Table 301 Enable debug/log/trap terminal display. Operation Command Description: Enable debug terminal display terminal debugging Optional (by default, debug terminal display is disabled for terminal users); Enable log terminal display terminal logging Optional (by default, log terminal display is enabled for console users).
  • Page 362 Chapter 39: Information Center. Perform the following configuration in user view. Table 303 Enable debug/log/trap terminal display. Operation Command Description: Enable the debug/log/trap terminal display function terminal monitor Optional (by default, this function is enabled for console users); Enable debugging terminal display terminal debugging Optional...
  • Page 363 Information Center Configuration (p. 349). Table 305 Enable information output to the trap buffer. Operation Command Description: Enable information output to the trap buffer info-center trapbuffer [ channel { channel-number | channel-name } ] [ size buffersize ] Optional; by default, the switch outputs information to the trap buffer, which can hold up to 256 items by...
  • Page 364: Displaying And Debugging Information Center

    Chapter 39: Information Center. Displaying and Debugging Information Center: After performing the above configurations, you can execute the display command in any view to display the running status of the information center and thus validate your configuration. You can also execute the reset command to clear statistics on the information center.
  • Page 365 Information Center Configuration Example (p. 351) <S4200G> terminal logging...
  • Page 366 Chapter 39: Information Center...
  • Page 367: BootROM And Host Software Loading

    <Enter> after entering the Boot Menu and the system gives different prompts. The following text mainly describes the BootROM loading process. Boot Menu Starting…… *********************************************************** Switch 4200G 24-Port BOOTROM, Version 108 *********************************************************** Copyright (C) 2003-2005, 3Com All rights reserved. Creation date : Nov 30 2005, 16:54:35...
  • Page 368 Chapter 40: BootROM and Host Software Loading. CPU type : BCM4704 CPU Clock Speed : 200MHz BUS Clock Speed : 33MHz Memory Size : 64MB Mac Address : 00e0fc005104 Press Ctrl-B to enter Boot Menu… 5 Press <Ctrl+B>. The system displays: Password : To enter the Boot Menu, you should press <Ctrl+B>...
  • Page 369 Local Software Loading (p. 355). Loading BootROM software: Follow these steps to load the BootROM software: 1 At the prompt "Enter your choice(0-9):" in the Boot Menu, press <6> or <Ctrl+U>, and then press <Enter> to enter the BootROM update menu shown below: Bootrom update menu: 1.
  • Page 370 Chapter 40: BootROM and Host Software Loading. Figure 111 Properties dialog box. Figure 112 Console port configuration dialog box. 5 Click the <Disconnect> button to disconnect HyperTerminal from the switch, then click the <Connect> button to reconnect HyperTerminal to the switch.
  • Page 371 Local Software Loading (p. 357). Figure 113 Connect and disconnect buttons. The new baud rate takes effect only after you disconnect and reconnect the terminal emulation program. 6 Press <Enter> to start downloading the program. The system displays the following information: Now please start transfer file with XMODEM protocol.
  • Page 372 Chapter 40: BootROM and Host Software Loading. Figure 115 Sending file page. After the download completes, the system displays the following information: Loading …CCCCCCCCCC done! You need not reset the HyperTerminal baud rate, and can skip the last step, if you chose 9600 bps. In this case the system displays the prompt “BootROM is updating now……………………………….done!”...
  • Page 373 Local Software Loading (p. 359). Loading Software Using TFTP Through Ethernet Port. Introduction to TFTP: TFTP, one protocol in the TCP/IP protocol suite, is used for trivial file transfer between client and server. It runs over UDP, which gives no delivery guarantees and no authentication or confidentiality; the protocol's own block-by-block acknowledgements provide the only reliability. Loading BootROM software: Figure 116 Local loading using TFTP...
  • Page 374 Chapter 40: BootROM and Host Software Loading. Loading host software: Follow these steps to load the host software. 1 Select <1> in Boot Menu. The system displays the following information: 1. Set TFTP protocol parameter 2. Set FTP protocol parameter 3. Set XMODEM protocol parameter 0.
  • Page 375: Remote Software Loading

    Remote Software Loading (p. 361). 4 Enter 2 in the above menu to download the BootROM software using FTP. Then set the following FTP-related parameters as required: Load File name :S4200G.btm Switch IP address :10.1.1.2 Server IP address :10.1.1.1 FTP User Name :4200G FTP User Password :abc...
  • Page 376 Chapter 40: BootROM and Host Software Loading. Figure 118 Remote loading using FTP (FTP server 10.1.1.1 reached across the Internet; the switch acts as FTP client on its Ethernet port). 1 Download the software to the switch using FTP commands. <S4200G>...
  • Page 377 Remote Software Loading (p. 363). After the above operations, the BootROM and host software loading is completed. Pay attention to the following: ■ The loading of host software takes effect only after you restart the switch with the reboot command. ■ If the space of the Flash memory is not enough, you can delete the useless files in...
  • Page 378 Chapter 40: BootROM and Host Software Loading...
  • Page 379: Basic System Configuration And Debugging

    Basic System Configuration and Debugging. Basic System Configuration: The following sections describe the basic system configuration and management tasks: ■ Setting the System Name of the Switch ■ Setting the Date and Time of the System ■ Setting the Local Time Zone...
  • Page 380 Chapter 41: Basic System Configuration and Debugging. Perform the following configuration in user view. Table 310 Set the local time zone. Operation Command Description: Set the local time zone clock timezone zone-name { add | minus } HH:MM:SS Optional (by default, it is the UTC time zone).
  • Page 381: Displaying The System Status

    Displaying the System Status (p. 367). Entering System View from User View: Perform the following configuration in user view. Table 315 Enter system view from user view. Operation Command Description: Enter system view from user view system-view —. Displaying the System Status: You can use the following display commands to check the status and configuration information about the system.
  • Page 382 Chapter 41: Basic System Configuration and Debugging. The relation between the two kinds of switches is as follows: Figure 119 Debugging information output (debugging information passes through the protocol debugging switches and then the terminal display switches). You can use the following commands to operate the two kinds of switches. Perform the following operations in user view.
  • Page 383 System Debugging (p. 369). Displaying Operating Information about Modules in System: When your Ethernet switch is in trouble, you may need to view a lot of operating information to locate the problem. Each functional module has its own operating information display command(s). You can use the command here to display the current operating information about the modules (fixed when the command was designed) in the system for troubleshooting.
  • Page 384 Chapter 41: Basic System Configuration and Debugging...
  • Page 385: IP Performance

    IP Performance Configuration. Introduction to TCP Attributes: You can configure the following TCP attributes of the Ethernet switch: ■ synwait timer: When a SYN packet is sent, TCP starts the synwait timer. If no response packet is received before the synwait timer times out, the TCP connection is terminated.
  • Page 386: Troubleshooting The Ip Performance Configuration

    Chapter 42: IP Performance Configuration. You can execute the reset commands in user view to clear the IP, TCP and UDP traffic statistics. You can also execute the debugging commands to enable different IP performance debugging. Table 321 Display and debug the IP performance. Operation Command Description...
  • Page 387: Network Connectivity Test

    Network Connectivity Test. ping: You can use the ping command to check the network connectivity and the reachability of a host. Table 322 The ping command. Operation Command Description: Check the IP network connectivity and the reachability of a host ping [ -a ip-address ] [ -c count ] [ -d ] [ -f ] [ -h ttl ] [ -i { interface-type... (Description: You can use this...)
  • Page 388 Chapter 43: Network Connectivity Test...
  • Page 389: Device Management

    Device Management. Introduction to Device Management: The device management function of the Ethernet switch reports the current status and event-debugging information of the boards to you. Through this function, you can maintain and manage your physical device, and restart the system when some functions of the system are abnormal.
  • Page 390: Displaying The Device Management Configuration

    Chapter 44: Device Management. Specifying the APP to be Adopted at Reboot: APP is the host software of the switch. If multiple APPs exist in the Flash memory, you can use the command here to specify the one that will be adopted when the switch reboots.
  • Page 391 Remote Switch Update Configuration Example (p. 377). Perform the following configuration on the FTP server: ■ Configure an FTP user whose name and password are switch and hello respectively. ■ Authorize the user with read-write rights on the Switch directory on the PC.
  • Page 392 Chapter 44: Device Management. d Enter the authorized path on the FTP server. [ftp] cd switch. e Execute the get command to download the switch.bin and boot.btm files from the FTP server to the Flash memory of the switch. [ftp] get switch.bin [ftp] get boot.btm. f Execute the quit command to terminate the FTP connection and return to user...
  • Page 393: Introduction To The Newly Added Cluster Functions

    Configuration of Newly Added Cluster Functions. Introduction to the Newly Added Cluster Functions: The newly added cluster functions aim to improve switch performance and extend switch functionality. With the cluster function employed, you can manage and maintain all the member switches in a cluster through the master switch.
  • Page 394: Configuration Of The Newly Added Cluster Functions

    Chapter 45: Configuration of Newly Added Cluster Functions. Configuration of the Newly Added Cluster Functions. Configuring the TFTP Server and SNMP Host for a Cluster: You can perform the operations listed in Table 329 on the master device of a cluster to configure the TFTP server and SNMP host for the cluster.
  • Page 395 Introduction to the Newly Added Cluster Functions (p. 381). Notes: Perform the operations listed in Table 330 in cluster view on the master device. The configuration can be synchronized only to the member devices in the white list. The configuration remains valid on a member device even if it quits the cluster or is removed from the white list.
  • Page 396 Chapter 45: Configuration of Newly Added Cluster Functions. # Display the current topology. [chwn_0.S4200G-cluster]display cluster current-topology -------------------------------------------------------------------- (PeerPort) ConnectFlag (NativePort) [SysName:DeviceMac] -------------------------------------------------------------------- ConnectFlag: <--> normal connect ---> odd connect **** in blacklist ???? lost device ++++ new device -¦+- STP discarding -------------------------------------------------------------------- [chwn_0.S4200G:000f-e224-0562] +-(P_1/0/4)<-->(P_1/0/3)[S4200G:000f-e224-0560]...
  • Page 397 Introduction to the Newly Added Cluster Functions (p. 383). Finish to synchronize the command. # Configure the group name to be ggg. [chwn_0.S4200G-cluster] cluster-snmp-agent group v3 ggg Member 2 succeeded in the group configuration. Member 1 succeeded in the group configuration. Finish to synchronize the command.
  • Page 398 Chapter 45: Configuration of Newly Added Cluster Functions. Resulting configuration (note that the read and write community strings aaa@cm2 and bbb@cm2 are SNMPv1/v2c credentials, which travel in cleartext, and that sys-info version all enables v1, v2c and v3 at the same time): radius scheme system domain system vlan 1 snmp-agent snmp-agent local-engineid 800007DB000FE224055F6877 snmp-agent community read aaa@cm2 snmp-agent community write bbb@cm2 snmp-agent sys-info version all snmp-agent group v3 ggg snmp-agent target-host trap address udp-domain 168.192.0.1 params securityname cluster snmp-agent mib-view included mmm org...
  • Page 399 Introduction to the Newly Added Cluster Functions (p. 385). Configure member management. Table 331 (Continued) Operation Command Description: Reboot the specified member device reboot member { member-number | mac-address mac-address } [ eraseflash ] Optional; Locate a device with the MAC address or ... tracemac { by-mac mac-address vlan vlan-id |... Optional (you can execute this command...)
  • Page 400 Chapter 45: Configuration of Newly Added Cluster Functions. Configure topology management. Table 332 (Continued) Operation Command Description: Release a device from the blacklist black-list delete-mac { all | mac-address } Optional; Confirm the current topology information of the cluster and save that as a ... topology accept { all [ save-to { administrator |... Optional
  • Page 401 Introduction to the Newly Added Cluster Functions (p. 387). Synchronizing User Name and Password: User name and password synchronization for Web users simplifies user configuration. With this function employed, the configuration performed on the master device is synchronized to all the member devices in the cluster. These configurations are mainly used for Web users to log into a cluster.
  • Page 402 Chapter 45: Configuration of Newly Added Cluster Functions. user-interface aux 0 user-interface vty 0 4 return. Configuring Topology Authentication: You can save a reference topology file that serves as the basis of the current network topology. It can be used to locate problems in subsequent network topologies. After you confirm the structure of the current network through the CLI according to the actual cluster deployment, the master device generates a reference topology file named topology.top.
  • Page 403: Displaying And Debugging A Cluster

    Displaying and Debugging a Cluster (p. 389). Configuration procedure: Configure enhanced cluster functions. Table 335 Operation Command Description: Enter system view system-view; Enter cluster view cluster; Configure an FTP server for the cluster ftp-server ip-address Required; Confirm the current topology of the cluster topology accept { all [ save-to local-flash... Optional
  • Page 404: Configuration Example For Newly Added Cluster Functions

    Chapter 45: Configuration of Newly Added Cluster Functions. Configuration Example for Newly Added Cluster Functions. Network requirements: In a cluster formed by Switch A, Switch B, Switch C, and Switch D, Switch A is the master switch. NDP and NTDP configurations are performed on the related devices. The cluster is enabled and you can manage member devices on the master device.
  • Page 405 Configuration Example for Newly Added Cluster Functions (p. 391). Configuration procedure: Perform the following configurations on the master device (Switch A). # Configure a TFTP server and SNMP host for the cluster. [S4200G] cluster [S4200G-cluster] tftp-server 10.1.1.15 [S4200G-cluster] snmp-host 10.1.1.16 [S4200G-cluster] topology accept all save-to local-flash # Remove the member device numbered 3 from the cluster and add it to the black list.
  • Page 406 Chapter 45: Configuration of Newly Added Cluster Functions...
  • Page 407: DHCP Relay

    DHCP Relay Configuration. Introduction to DHCP Relay. Usage of DHCP Relay: Early DHCP implementations assume that DHCP clients and DHCP servers are on the same network segment, that is, you need to deploy at least one DHCP server for each network segment, which is far from economical.
  • Page 408 Chapter 46: DHCP Relay Configuration. Note that such an exchange may be repeated several times before a DHCP client is successfully configured. A DHCP relay enables DHCP clients and DHCP servers on different networks to communicate with each other by forwarding the DHCP broadcast packets transparently between them.
  • Page 409: DHCP Relay Configuration

    DHCP Relay Configuration (p. 395). 3 If the packet contains option 82, the DHCP relay processes the packet according to the configured policy (that is, it discards the packet, replaces the original option 82 with its own, or leaves the original option 82 unchanged), and forwards the packet (if not discarded) to the DHCP server.
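The three option 82 policies above (discard, replace, leave unchanged) only matter when a client-side packet already carries a Relay Agent Information option, which a legitimate client never sends; an option 82 arriving from a client port is either a downstream relay or a spoofing attempt. The following is an added example (not code from the manual) of a relay applying those policies to the DHCP options field, with a bounds-checked TLV parser, sub-option 1 (circuit ID) and 2 (remote ID) from RFC 3046, and the reverse step of stripping option 82 from the server's reply. The policy names drop/keep/replace mirror the page's wording rather than any 3Com command keyword; the client packets and the relay's circuit and remote IDs are constructed.

```python
"""DHCP relay handling of option 82 (Relay Agent Information, RFC 3046).
Added example, not from the 3Com manual; packets below are constructed."""

OPT_PAD, OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_RELAY_AGENT_INFO, OPT_END = 0, 53, 61, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def parse_options(buf):
    """Decode a DHCP options field (bytes after the magic cookie) as an ordered list of (code, value)."""
    opts, i = [], 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")   # never trust a client-supplied length
        opts.append((code, bytes(value)))
        i += 2 + length
    return opts


def build_options(opts):
    out = bytearray()
    for code, value in opts:
        if not 0 < len(value) < 256:
            raise ValueError("option value must be 1..255 bytes")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def build_option82(circuit_id, remote_id):
    """Sub-option 1 (circuit ID: the port/VLAN the request arrived on) and 2 (remote ID: the relay)."""
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def parse_option82(value):
    # sub-options use the same TLV layout; an END byte lets the same parser walk them
    return dict(parse_options(value + bytes([OPT_END])))


def relay_to_server(options, policy, circuit_id, remote_id):
    """Apply the relay's option 82 policy to a client-to-server message.
    Returns the option list to forward, or None when the packet is discarded."""
    own = build_option82(circuit_id, remote_id)
    if not any(code == OPT_RELAY_AGENT_INFO for code, _ in options):
        return options + [(OPT_RELAY_AGENT_INFO, own)]        # no option 82 yet: append ours
    if policy == "drop":
        return None
    if policy == "keep":
        return list(options)
    if policy == "replace":
        return [(c, own if c == OPT_RELAY_AGENT_INFO else v) for c, v in options]
    raise ValueError("unknown policy: %s" % policy)


def relay_to_client(options):
    """RFC 3046: the relay removes option 82 from the server's reply before passing it to the client."""
    return [(c, v) for c, v in options if c != OPT_RELAY_AGENT_INFO]


# Constructed client DISCOVER options: message type 1 (DHCPDISCOVER) plus a client identifier.
CLIENT_DISCOVER = build_options([(OPT_MSG_TYPE, b"\x01"),
                                 (OPT_CLIENT_ID, b"\x01\x00\x0f\xe2\x24\x05\x60")])
# Constructed: the same DISCOVER with an option 82 inserted by the client itself (spoofed).
SPOOFED_DISCOVER = build_options(parse_options(CLIENT_DISCOVER)
                                 + [(OPT_RELAY_AGENT_INFO, build_option82(b"evil", b"evil"))])
```

With the "drop" policy a client-inserted option 82 never reaches the server, so a server that keys address assignment or logging on the circuit ID cannot be fed a forged one; "keep" is only appropriate on ports that face a trusted downstream relay.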
  • Page 410 Chapter 46: DHCP Relay Configuration. You can configure an interface to forward DHCP packets received from DHCP clients to a group of external DHCP server(s), so that the DHCP server(s) in this group can assign IP addresses to the DHCP clients under this interface. Table 339 Configure an interface to operate in DHCP relay mode. Operation Command...
  • Page 411: Option 82 Supporting Configuration

    Option 82 Supporting Configuration (p. 397). Configuring the dynamic user address entry updating function: When a DHCP client obtains an IP address from a DHCP server with the help of a DHCP relay, the DHCP relay creates an entry (dynamic entry) in the user address table to record the binding between the IP address and the MAC address of the DHCP client.
  • Page 412 Chapter 46: DHCP Relay Configuration. Option 82 Supporting Configuration Example. Network requirements: Two DHCP clients are on the network segment 10.110.0.0 (255.255.0.0). They obtain IP addresses from a DHCP server through a switch acting as DHCP relay. Option 82 support is enabled on the DHCP relay.
  • Page 413: DHCP Relay Displaying

    DHCP Relay Displaying (p. 399). You can verify your DHCP relay-related configuration by executing the following display commands in any view. Table 343 Display DHCP relay information. Operation Command: Display information about a specified DHCP server group display dhcp-server groupNo; Display information about the DHCP server group ... display dhcp-server interface...
  • Page 414: Troubleshooting DHCP Relay

    Chapter 46: DHCP Relay Configuration. You need to perform corresponding configurations on the DHCP server to enable the DHCP clients to obtain IP addresses from the DHCP server. The DHCP server configurations differ depending on the DHCP server device and are thus omitted.
  • Page 415: Static Route Configuration

    Static Route Configuration. Introduction to Static Route. Attributes and Functions of Static Route: A static route is a special route. You can set up an interconnecting network with static route configuration. The problem with such a configuration is that when a fault occurs in the network, the static route cannot change automatically to steer away from the node causing the fault without the help of an administrator.
  • Page 416: Static Route Configuration

    Chapter 47: Static Route Configuration. Static Route Configuration includes: ■ Configuring a static route ■ Configuring a default route ■ Deleting all the static routes. Configuring a static route: Perform the following configurations in system view. Table 344 Configuring a static route. Operation Command...
  • Page 417: Displaying And Debugging Static Route

    Displaying and Debugging Static Route (p. 403). Configuring a default route: Perform the following configurations in system view. Table 345 Configuring a default route. Operation Command: Configure a default route ip route-static 0.0.0.0 { 0.0.0.0 | 0 } { interface-type interface-number | next-hop } [ preference value ] [ reject | blackhole ]; Delete a default route...
  • Page 418: Static Route Fault Diagnosis And Troubleshooting

    Chapter 47: Static Route Configuration. Networking diagram: Figure 126 Networking diagram of the static route configuration example (Switch A, Switch B and Switch C with the addresses 1.1.1.1/24, 1.1.2.1/24, 1.1.2.2/24, 1.1.3.1/24, 1.1.3.2/24, 1.1.4.1/24 and 1.1.5.1/24, and hosts 1.1.1.2/24, 1.1.4.2/24 and 1.1.5.2/24). Configuration procedure: 1 Configure the static routes for Ethernet Switch A [Switch A] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2 [Switch A] ip route-static 1.1.4.0 255.255.255.0 1.1.2.2 [Switch A] ip route-static 1.1.5.0 255.255.255.0 1.1.2.2...
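The three `ip route-static` lines for Switch A, together with the default-route and `reject | blackhole` forms from Table 345, describe a lookup rule: directly connected networks first, then the longest matching prefix, then the lowest preference. The following is an added example (not code from the manual) that models that lookup and walks a packet hop by hop through the Figure 126 topology. Only Switch A's routes are on the page; the assignment of interface addresses to Switch B and Switch C, their routes (Switch B is given a default route toward Switch C) and the default preference of 60 are assumptions made for this example.

```python
"""Static route lookup and hop-by-hop forwarding check for the Figure 126 topology.
Added example, not from the 3Com manual; Switch B/C addresses and routes are assumed."""
import ipaddress

DEFAULT_PREFERENCE = 60     # assumed default preference for a static route; lower wins


class StaticRouter:
    def __init__(self, name, interfaces):
        self.name = name
        self.connected = [ipaddress.ip_interface(i) for i in interfaces]
        self.routes = []    # (network, next_hop or None, action, preference)

    def ip_route_static(self, dest, mask, next_hop=None,
                        preference=DEFAULT_PREFERENCE, action="forward"):
        """Mirror `ip route-static dest mask next-hop [preference] [reject|blackhole]`.
        mask may be dotted ("255.255.255.0") or a prefix length ("0")."""
        net = ipaddress.ip_network("%s/%s" % (dest, mask), strict=False)
        nh = ipaddress.ip_address(next_hop) if next_hop else None
        if action == "forward" and nh is None:
            raise ValueError("a forwarding route needs a next hop")
        self.routes.append((net, nh, action, preference))

    def lookup(self, dst):
        """Connected first, then longest prefix, then lowest preference. Returns (action, next_hop)."""
        dst = ipaddress.ip_address(dst)
        for iface in self.connected:
            if dst in iface.network:
                return "connected", None
        best = None
        for net, nh, action, pref in self.routes:
            if dst in net:
                key = (net.prefixlen, -pref)
                if best is None or key > best[0]:
                    best = (key, action, nh)
        return ("no-route", None) if best is None else (best[1], best[2])


def trace(routers, start, dst, max_hops=16):
    """Follow next hops from router to router until delivered, dropped or looping."""
    owner = {str(i.ip): r for r in routers for i in r.connected}
    path, cur = [start.name], start
    for _ in range(max_hops):
        action, nh = cur.lookup(dst)
        if action == "connected":
            return path, "delivered"
        if action != "forward":
            return path, action             # reject, blackhole or no-route
        nxt = owner.get(str(nh))
        if nxt is None:
            return path, "next-hop unreachable"
        path.append(nxt.name)
        cur = nxt
    return path, "loop"


def build_figure126():
    a = StaticRouter("Switch A", ["1.1.1.1/24", "1.1.2.1/24"])
    c = StaticRouter("Switch C", ["1.1.2.2/24", "1.1.3.1/24", "1.1.5.1/24"])   # assumed
    b = StaticRouter("Switch B", ["1.1.3.2/24", "1.1.4.1/24"])                 # assumed
    # Switch A: the three routes shown on the page
    a.ip_route_static("1.1.3.0", "255.255.255.0", "1.1.2.2")
    a.ip_route_static("1.1.4.0", "255.255.255.0", "1.1.2.2")
    a.ip_route_static("1.1.5.0", "255.255.255.0", "1.1.2.2")
    # Switch C and Switch B: assumed; B relies on a default route back toward C
    c.ip_route_static("1.1.1.0", "255.255.255.0", "1.1.2.1")
    c.ip_route_static("1.1.4.0", "255.255.255.0", "1.1.3.2")
    b.ip_route_static("0.0.0.0", "0", "1.1.3.1")
    return a, b, c


if __name__ == "__main__":
    a, b, c = build_figure126()
    print(trace([a, b, c], a, "1.1.4.2"))
```

Running the trace in both directions is the check worth doing with static routes: a path that works from Switch A but has no return route on Switch B or Switch C fails silently, and a blackhole or reject route shows up as the hop where the trace stops.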
  • Page 419: UDP Helper

    UDP Helper Configuration. Overview of UDP Helper: The major function of UDP Helper is to relay-forward UDP broadcast packets, that is, it converts UDP broadcast packets into unicast packets and sends them to the designated server, acting as a relay. When UDP Helper is started, the switch decides whether to forward a UDP broadcast packet received on the port based on its UDP port number.
  • Page 420 Chapter 48: UDP Helper Configuration. Perform the following configuration in system view. Table 350 Configuring a UDP port with relay function. Operation Command: Configure a UDP port with relay function udp-helper port { port | dns | netbios-ds | netbios-ns | tacacs | tftp | time }; Remove the configuration undo udp-helper port { port | dns | netbios-ds...
  • Page 421 Overview of UDP Helper (p. 407). UDP Helper Configuration Example. Networking requirement: The IP address of VLAN interface 2 on the switch is 10.110.1.1, which connects to the network segment 10.110.0.0. Relay-forward the broadcast packets with a destination IP address of all 1s and destination UDP port 55 from the network segment 10.110.0.0 to the destination server 202.38.1.2.
  • Page 422 Chapter 48: UDP Helper Configuration...
