
3Com Switch 4500 Family

Configuration Guide

http://www.3Com.com/
Part number: 10015003
Published: March 2006


Summary of Contents for 3Com Switch 4500 Family

  • Page 1: Configuration Guide

    3Com Switch 4500 Family Configuration Guide http://www.3Com.com/ Part number: 10015003 Published: March 2006...
  • Page 2 All technical data and computer software are commercial in nature and developed solely at private expense. Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial license for the Software.
  • Page 3: Table Of Contents

    CONTENTS ABOUT THIS GUIDE How This Guide is Organized Intended Readership Conventions Related Documentation GETTING STARTED Product Overview Stacking Overview Brief Introduction Typical Networking Topology Product Features Logging In to the Switch Setting up Configuration Environment Through the Console Port Setting up Configuration Environment Through Telnet Setting up Configuration Environment Through a Dial-up Modem Command Line Interface Command Line View...
  • Page 4 VLAN OPERATION VLAN Configuration VLAN Overview Configuring a VLAN Displaying and Debugging VLAN VLAN Configuration Example One VLAN Configuration Example Two Voice VLAN Configuration Introduction to Voice VLAN Voice VLAN Configuration Displaying and Debugging of Voice VLAN Voice VLAN Configuration Example POWER OVER ETHERNET CONFIGURATION...
  • Page 5 Access Management Configuration Access Management Overview Configuring Access Management Displaying and Debugging Access Management Access Management Configuration Example Access Management via the Web UDP Helper Configuration Overview of UDP Helper UDP Helper Configuration Displaying and Debugging UDP Helper Configuration UDP Helper Configuration Example IP Performance Configuration IP Performance Configuration Displaying and Debugging IP Performance...
  • Page 6 ACL CONFIGURATION Brief Introduction to ACL ACL Supported by the Switch Configuring ACL Defining ACL Activating ACL Displaying and Debugging ACL Advanced ACL Configuration Example Basic ACL Configuration Example Link ACL Configuration Example QoS Configuration QoS Configuration Setting Port Priority Configuring Trust Packet Priority Setting Port Mirroring Configuring Traffic Mirroring...
  • Page 7 RSTP CONFIGURATION STP Overview Implement STP Configuration BPDU Forwarding Mechanism in STP Implement RSTP on the Switch RSTP Configuration Enable/Disable RSTP on a Switch Enable/Disable RSTP on a Port Configure RSTP Operating Mode Configure the STP-Ignore attribute of VLANs on a Switch Set Priority of a Specified Bridge Specify the Switch as Primary or Secondary Root Bridge Set Forward Delay of a Specified Bridge...
  • Page 8 Setting the Timers of the RADIUS Server Displaying and Debugging AAA and RADIUS Protocol AAA and RADIUS Protocol Configuration Example Configuring the Switch 4500 AAA and RADIUS Protocol Fault Diagnosis and Troubleshooting Problem Diagnosis 3Com-User-Access-Level SYSTEM MANAGEMENT File System Overview Directory Operation File Operation...
  • Page 9 FTP Overview Enabling/Disabling FTP Server Configuring the FTP Server Authentication and Authorization Configuring the Running Parameters of FTP Server Displaying and Debugging FTP Server Introduction to FTP Client FTP Server Configuration Example TFTP Overview Downloading Files by means of TFTP Uploading Files by means of TFTP TFTP Client Configuration Example MAC Address Table Management...
  • Page 10 Creating/Updating View Information or Deleting a View Setting the Size of SNMP Packet Sent/Received by an Agent Enabling/Disabling a Port Transmitting Trap Information SNMP Agent Disabling SNMP Agent Displaying and Debugging SNMP SNMP Configuration Example Reading Usmusr Table Configuration Example RMON Configuration Configuring RMON Displaying and Debugging RMON...
  • Page 11 SWITCH WITH CISCO SECURE Cisco Secure ACS (TACACS+) and the 3Com Switch 4500 Setting Up the Cisco Secure ACS (TACACS+) Server Adding a 3Com Switch 4500 as a RADIUS Client Adding a User for Network Login Adding a User for Switch Login...
  • Page 13: About This Guide

    ABOUT THIS GUIDE This guide provides information about configuring your network using the commands supported on the 3Com® Switch 4500. How This Guide is Organized: The Switch 4500 Configuration Guide consists of the following chapters: Getting Started — Details the main features and configurations of the Switch ■...
  • Page 14: Conventions

    ABOUT THIS GUIDE Conventions This guide uses the following conventions: Table 1 Icons (Icon, Notice Type, Description). Information note: Information that describes important features or instructions. Caution: Information that alerts you to potential loss of data or potential damage to an application, system, or device. Warning: Information that alerts you to potential personal injury.
  • Page 15: Related Documentation

    Related Documentation The 3Com Switch 4500 Getting Started Guide provides information about installation. The 3Com Switch 4500 Command Reference Guide provides all the information you need to use the configuration commands.
  • Page 16 ABOUT THIS GUIDE...
  • Page 17: Getting Started

    GETTING STARTED This chapter covers the following topics: Product Overview ■ Stacking Overview ■ Product Features ■ Logging In to the Switch ■ Command Line Interface ■ User Interface Configuration ■ Product Overview Table 3 lists the models in the Switch 4500 family. Table 3 Models in the Switch 4500 family Power...
  • Page 18: Stacking Overview

    Stacking Overview Brief Introduction With the 3Com Switch 4500, up to eight units can be operated together as a single larger logical unit to simplify administration. This is called stacking. Stacking allows you to add ports in a site or location incrementally, without adding complexity to the management of the switch.
  • Page 19: Logging In To The Switch

    Logging In to the Switch Table 4 Function Features (Features, Description). Security features: Multi-level user management and password protection, 802.1X authentication, Packet filtering. Quality of Service (QoS): Traffic classification, Bandwidth control, Priority, Queues of different priority on the port. Management and Maintenance: Command line interface configuration, Configuration through console port...
  • Page 20 CHAPTER 1: GETTING STARTED Databit = 8 ■ Parity check = none ■ Stopbit = 1 ■ Flow control = none ■ Terminal type = VT100 ■ Figure 3 Setting up a New Connection Figure 4 Configuring the Port for Connection...
  • Page 21: Setting Up Configuration Environment Through Telnet

    Logging In to the Switch Figure 5 Setting Communication Parameters 3 The Switch is powered on and it displays self-test information. Press <Enter> to show the command line prompt such as <4500> 4 Enter a command to configure the Switch or view the operation state. Enter a view online help.
  • Page 22 CHAPTER 1: GETTING STARTED Figure 6 Setting up the Configuration Environment through Telnet (diagram: Workstations and a Server on Ethernet ports, and a PC for configuring the switch via Telnet) 3 Run Telnet on the PC and enter the IP address of the VLAN connected to the...
  • Page 23: Setting Up Configuration Environment Through A Dial-Up Modem

    Logging In to the Switch Figure 8 Providing Telnet Client Service Telnet Server Telnet Client 1 Authenticate the Telnet user through the console port on the Telnet Server (a Switch) before login. By default, the password is required to authenticate Telnet users and to enable them to log on to the Switch.
  • Page 24 The Modem configuration commands and outputs may differ between Modems. For details, refer to the User Guide of the Modem. 3Com recommends that the transmission rate on the console port be lower than that of the Modem; otherwise packets may be lost.
  • Page 25 Logging In to the Switch Figure 10 Setting the Dialed Number Figure 11 Dialing on the Remote PC 5 Enter the preset login password on the remote terminal emulator and wait for the <4500> prompt. Then you can configure and manage the Switch. Enter to view...
  • Page 26: Command Line Interface

    CHAPTER 1: GETTING STARTED Command Line Interface The Switch 4500 Family provides a series of configuration commands and command line interfaces for configuring and managing the Switch. The command line interface has the following characteristics: Local configuration through the console port. ■...
  • Page 27 Command Line Interface To prevent unauthorized users from intruding, the user is authenticated when switching from a lower level to a higher level with the super level command. User ID authentication is performed when users at a lower level become users at a higher level.
  • Page 28 CHAPTER 1: GETTING STARTED Table 5 Features of Command Views (Command view, Function, Prompt, Command to enter, Command to exit). User View: Function, show the basic information about operation and Switch...; Prompt, <4500>; Command to enter, this is the view you are in after connecting to the Switch; Command to exit, quit disconnects from the Switch...
  • Page 29 Group View: Prompt, [4500-radius-1]; configure parameters; enter in System View; quit returns to System View; return returns to User View. ISP Domain View: configure ISP domain parameters; Prompt, [4500-isp-3Com.net]; enter with domain 3Com.net in System View; quit returns to System View; return returns to User View...
  • Page 30: Features And Functions Of Command Line

    CHAPTER 1: GETTING STARTED Features and Functions of Command Line: Command Line Help. The command line interface provides full and partial online help. You can get help information through the online help commands, which are described below: 1 Enter in any view to get all the commands in that view.
  • Page 31 Command Line Interface The command buffer defaults to 10. That is, the command line interface stores 10 history commands for each user. The operations are shown in Table 7. Table 7 Retrieving History Command (Operation, Result). Display history command: the user inputs display history-command to display the history commands...
  • Page 32: User Interface Configuration

    CHAPTER 1: GETTING STARTED Table 9 Editing Functions Function <Tab> Press <Tab> after typing an incomplete keyword and the system will display partial help: If the keyword matching the one entered is unique, the system will replace it with the complete keyword and display it in a new line;...
  • Page 33: User Interface Configuration

    User Interface Configuration Tasks for configuring the user interface are described in the following sections: Entering User Interface View ■ Configuring the User Interface-Supported Protocol ■ Configuring the Attributes of AUX (Console) Port ■ Configuring the Terminal Attributes ■...
  • Page 34 CHAPTER 1: GETTING STARTED Perform the following configurations in User Interface (AUX user interface only) View. Configuring the Transmission Speed on the AUX (Console) Port Table 12 Configuring the Transmission Speed on the AUX (Console) Port (Operation, Command). Configure the transmission speed on the AUX (console) port: speed speed_value. Restore the default transmission speed on the AUX...
  • Page 35 User Interface Configuration Configuring the Terminal Attributes The following commands can be used for configuring the terminal attributes, including enabling/disabling terminal service, disconnection upon timeout, lockable user interface, configuring terminal screen length, and history command buffer size. Perform the following configuration in User Interface View. Perform the lock command in User View.
  • Page 36 CHAPTER 1: GETTING STARTED Setting the Screen Length If a command displays more than one screen of information, you can use the following command to set how many lines to be displayed in a screen, so that the information can be separated in different screens and you can view it more conveniently.
  • Page 37 In the following example, local username and password authentication are configured. Perform username and password authentication when a user logs in through VTY 0 user interface and set the username and password to zbr and 3Com respectively. [4500-ui-vty0]authentication-mode scheme [4500-ui-vty0]quit...
  • Page 38 CHAPTER 1: GETTING STARTED Table 24 Setting the Command Level used after a User Logs In (Operation, Command). Restore the default command level used after a user logs in: undo service-type { ftp [ ftp-directory ] | lan-access | { ssh | telnet | terminal }* }. By default, the specified logged-in user can access the commands at Level 1.
  • Page 39: Displaying And Debugging User Interface

    User Interface Configuration Configuring Redirection: send command. The following command can be used for sending messages between user interfaces. Perform the following configuration in User View. Table 27 Configuring to Send Messages Between Different User Interfaces (Operation, Command). Configuring to send messages between different user interfaces: send { all | number | type number }.
  • Page 40 CHAPTER 1: GETTING STARTED Table 29 Displaying and Debugging User Interface (Operation, Command). Display the user application information of the user interface: display users [ all ]. Display the physical attributes and some configurations of the user interface: display user-interface [ type number | number ] [ summary ]...
  • Page 41: Port

    PORT OPERATION This chapter covers the following topics: Ethernet Port Configuration ■ Link Aggregation Configuration ■ Ethernet Port Configuration Ethernet Port Overview The following features are found in the Ethernet ports of the Switch 4500: 10/100BASE-T Ethernet ports support MDI/MDI-X auto-sensing. They can ■...
  • Page 42 CHAPTER 2: PORT OPERATION Entering Ethernet Port View Before configuring an Ethernet port, enter Ethernet Port View. Perform the following configuration in System View. Table 30 Entering Ethernet Port View (Operation, Command). Enter Ethernet Port View: interface { interface_type interface_num | interface_name }. Enabling/Disabling an Ethernet Port Use the following command to disable or enable the port.
  • Page 43 Ethernet Port Configuration Note that 10/100BASE-T Ethernet ports support full duplex, half duplex and auto-negotiation, which can be set as required. Gigabit Ethernet ports support full duplex and can be configured to operate in full (full duplex) or auto (auto-negotiation) mode. The port defaults to auto (auto-negotiation) mode.
  • Page 44 CHAPTER 2: PORT OPERATION Perform the following configuration in Ethernet Port View. Table 36 Enabling/Disabling Flow Control for an Ethernet Port (Operation, Command). Enable Ethernet port flow control: flow-control. Disable Ethernet port flow control: undo flow-control. By default, Ethernet port flow control is disabled. Setting the Ethernet Port Suppression Ratio Use the following commands to restrict broadcast/multicast/unicast traffic.
  • Page 45 Ethernet Port Configuration Table 38 Setting the Link Type for the Ethernet Port (Operation, Command). Configure the port as a hybrid port: port link-type hybrid. Configure the port as a trunk port: port link-type trunk. Configure the port as a stack port: port link-type xrn-fabric. Restore the default link type, that is, access port: undo port link-type...
  • Page 46 CHAPTER 2: PORT OPERATION port, you can configure to tag some VLAN packets, based on which the packets can be processed differently. Setting the Default VLAN ID for the Ethernet Port Because the access port can only be included in one VLAN, its default VLAN is the one to which it belongs.
  • Page 47: Displaying And Debugging Ethernet Port

    Ethernet Port Configuration Table 41 Setting Loopback Detection for the Ethernet Port (Operation, Command). Set the external loopback detection interval of the port (System View): loopback-detection interval-time time. Restore the default external loopback detection interval of the port (System View): undo loopback-detection interval-time. Configure that the system performs loopback ...: loopback-detection per-vlan...
  • Page 48: Ethernet Port Configuration Example

    CHAPTER 2: PORT OPERATION Enter the command in Ethernet Port View to check whether the loopback Ethernet port works normally. In the process of the loopback test, the port cannot forward any packets. The loop test will finish automatically after a short time. Table 43 Displaying and Debugging Ethernet Port Operation Command...
  • Page 49: Ethernet Port Troubleshooting

    Link Aggregation Configuration Networking Diagram Figure 12 Configuring the Default VLAN for a Trunk Port (diagram: Switch A and Switch B) Configuration Procedure The following configurations are used for Switch A. Configure Switch B in a similar way. 1 Enter the Ethernet Port View of Ethernet1/0/1. [4500]interface ethernet1/0/1 2 Set Ethernet1/0/1 as a trunk port and allow VLAN 2, 6 through 50, and 100 to pass through.
  • Page 50 CHAPTER 2: PORT OPERATION The basic configuration includes STP setting, QoS setting, VLAN setting, and port setting. The STP setting includes STP enabling/disabling, link attribute (point-to-point or not), STP priority, path cost, max transmission speed, loop protection, root protection, edge port or not. The QoS setting includes traffic limiting, priority marking, default 802.1p priority, bandwidth assurance, congestion avoidance, traffic redirection, and traffic statistics.
  • Page 51 Link Aggregation Configuration with the minimum port number serves as the master port, while the others serve as sub-ports. In a manual aggregation group, the system sets the ports to active or inactive state by using these rules: The system sets the port with the highest priority to active state, and others to ■...
  • Page 52 CHAPTER 2: PORT OPERATION systems as well as under manual control through direct manipulation of the state variables of Link Aggregation (for example, keys) by a network manager. Dynamic LACP aggregation can be established even for a single port, which is called single port aggregation.
  • Page 53: Link Aggregation Configuration

    Link Aggregation Configuration A load sharing aggregation group may contain several selected ports, but a non-load sharing aggregation group can only have one selected port, while others are standby ports. Selection criteria of selected ports vary for different types of aggregation groups.
  • Page 54 CHAPTER 2: PORT OPERATION aggregation group: when you delete a manual aggregation group, all its member ports are disaggregated; when you delete a static or dynamic LACP aggregation group, its member ports form one or several dynamic LACP aggregation groups. Perform the following configuration in System View.
  • Page 55 Link Aggregation Configuration port with 802.1X enabled. ■ You must delete the aggregation group, instead of the port, if the manual or static LACP aggregation group contains only one port. ■ Setting/Deleting the Aggregation Group Descriptor Perform the following configuration in System View. Table 47 Setting/Deleting the Aggregation Group Descriptor Operation Command...
  • Page 56: Displaying And Debugging Link Aggregation

    CHAPTER 2: PORT OPERATION Perform the following configuration in Ethernet Port View. Table 49 Configuring Port Priority (Operation, Command). Configure port priority: lacp port-priority port_priority_value. Restore the default port priority: undo lacp port-priority. By default, port priority is 32768. Displaying and Debugging: After the above configuration, enter the display command in any view to display...
  • Page 57 Link Aggregation Configuration Networking Diagram Figure 13 Networking for Link Aggregation (diagram: Switch A and Switch B connected by link aggregation) Configuration Procedure The following only lists the configuration for Switch A; configure Switch B similarly. 1 Manual link aggregation a Create manual aggregation group 1. [4500]link-aggregation group 1 mode manual b Add Ethernet ports Ethernet1/0/1 to Ethernet1/0/3 into aggregation group 1.
  • Page 58 CHAPTER 2: PORT OPERATION...
  • Page 59: Vlan Operation

    VLAN OPERATION This chapter covers the following topics: VLAN Configuration ■ Voice VLAN Configuration ■ VLAN Configuration VLAN Overview A virtual local area network (VLAN) creates logical groups of LAN devices into segments to implement virtual workgroups. IEEE issued IEEE 802.1Q in 1999, which was intended to standardize VLAN implementation solutions.
  • Page 60 CHAPTER 3: VLAN OPERATION Table 51 Creating/Deleting a VLAN (Operation, Command). Delete the specified VLAN: undo vlan { vlan_id [ to vlan_id ] | all }. Note that the default VLAN, namely VLAN 1, cannot be deleted. Adding Ethernet Ports to a VLAN Use the following command to add Ethernet ports to a VLAN.
  • Page 61: Displaying And Debugging Vlan

    VLAN Configuration Table 54 Specifying/Removing the VLAN Interface (Operation, Command). Remove the specified VLAN interface: undo interface vlan-interface vlan_id. Create a VLAN first before creating an interface for it. For this configuration task, vlan_id takes the VLAN ID. Shutting Down/Enabling the VLAN Interface Use the following command to shut down/enable a VLAN interface.
  • Page 62: Vlan Configuration Example Two

    CHAPTER 3: VLAN OPERATION Networking Diagram Figure 14 VLAN Configuration Example (diagram: Switch ports E1/0/1 through E1/0/4 in VLAN2 and VLAN3) Configuration Procedure 1 Create VLAN 2 and enter its view. [4500]vlan 2 2 Add Ethernet1/0/1 and Ethernet1/0/2 to VLAN2.
  • Page 63: Voice Vlan Configuration

    Voice VLAN Configuration Introduction to Voice VLAN: Voice VLAN is specially designed for users’ voice flow, and it distributes different port precedence in different cases. The system uses the source MAC of the traffic traveling through the port to identify the IP Phone data flow.
  • Page 64 CHAPTER 3: VLAN OPERATION Setting/Removing the OUI Address Learned by Voice VLAN ■ Enabling/Disabling Voice VLAN Security Mode ■ Enabling/Disabling Voice VLAN Auto Mode ■ Setting the Aging Time of Voice VLAN ■ If you change the status of Voice VLAN security mode, you must first enable Voice VLAN features globally.
  • Page 65 Voice VLAN Configuration There are four default OUI addresses after the system starts. Table 61 Default OUI Addresses (OUI, Description). 00:E0:BB: 3Com phone. 00:03:6B: Cisco phone. 00:E0:75: Polycom phone. 00:D0:1E: Pingtel phone. Enabling/Disabling Voice VLAN Security Mode In security mode, the system can filter out the traffic whose source MAC does not match an OUI address within the Voice VLAN, while the other VLANs are not influenced.
  • Page 66: Displaying And Debugging Of Voice Vlan

    CHAPTER 3: VLAN OPERATION Perform the following configuration in System View. Table 64 Configuring the Aging Time of Voice VLAN (Operation, Command). Set the aging time of Voice VLAN: voice vlan aging minutes. Restore the default aging time: undo voice vlan aging. The default aging time is 1440 minutes.
  • Page 67 Voice VLAN Configuration [4500-Ethernet1/0/2]quit [4500]undo voice vlan mode auto [4500]voice vlan mac_address 0011-2200-0000 mask ffff-ff00-0000 description private [4500]voice vlan 2 enable [4500]voice vlan aging 100...
  • Page 68 CHAPTER 3: VLAN OPERATION...
  • Page 69: Power Over Ethernet Configuration

    POWER OVER ETHERNET CONFIGURATION This chapter covers the following topics: PoE Overview ■ PoE Configuration ■ PoE Overview The Switch 4500 26 Port PWR and Switch 4500 50 Port PWR support Power over Ethernet (PoE). This feature uses twisted pairs to provide -44 through -62 VDC power to remote powered devices (PDs), such as IP Phones, WLAN APs, Network Cameras, and so on.
  • Page 70: Poe Configuration

    CHAPTER 4: POWER OVER ETHERNET CONFIGURATION When using the PWR switches to supply power to remote PDs, the PDs need not have any external power supply. ■ If a remote PD has an external power supply, the PWR switches and the ■...
  • Page 71: Setting The Maximum Power Output On A Port

    PoE Configuration Setting the Maximum Power Output on a Port: The maximum power that can be supplied by an Ethernet port of the Switch 4500 26-Port PWR and Switch 4500 50-Port PWR to its PD is 15400 mW. In practice, you can set the maximum power on a port depending on the actual power of the PD, with a range from 1000 to 15400 mW and in increments of 100 mW.
  • Page 72: Setting The Poe Mode On A Port

    CHAPTER 4: POWER OVER ETHERNET CONFIGURATION Table 69 Setting the Power Supply Management Mode on the Switch (Operation, Command). Set the power supply management mode on the Switch to auto: poe power-management auto. Set the power supply management mode on the Switch to manual: poe power-management manual. Restore the default power supply management mode...
  • Page 73: Upgrading The Pse Processing Software Online

    PoE Configuration Upgrading the PSE Processing Software Online: The online upgrading of PSE processing software can update the processing software or repair the software if it is damaged. After upgrading files are downloaded, you can use the following command to perform online upgrading on the PSE processing software.
  • Page 74 CHAPTER 4: POWER OVER ETHERNET CONFIGURATION to guarantee the power feeding to the PD that will be connected to the Ethernet1/0/24 even when the Switch 4500 PWR is in full load. Network Diagram Figure 17 PoE Remote Power Supply Configuration Procedure Update the PSE processing software online.
  • Page 75: Network Protocol Operation

    NETWORK PROTOCOL OPERATION This chapter covers the following topics: IP Address Configuration ■ ARP Configuration ■ DHCP Configuration ■ Access Management Configuration ■ UDP Helper Configuration ■ IP Performance Configuration ■ IP Address Configuration IP Address Overview IP Address Classification and Indications An IP address is a 32-bit address allocated to the devices which access the Internet.
  • Page 76 CHAPTER 5: NETWORK PROTOCOL OPERATION The IP address is in dotted decimal format. Each IP address contains 4 integers in dotted decimal notation. Each integer corresponds to one byte, for example, 10.110.50.101. When using IP addresses, note that some of them are reserved for special uses, and are seldom used.
  • Page 77: Configuring Ip Address

    IP Address Configuration A mask is a 32-bit number corresponding to an IP address. The number consists of 1s and 0s. Principally, these 1s and 0s can be combined randomly. However, the first consecutive bits are set to 1s when designing the mask. The mask divides the IP address into two parts: subnet address and host address.
  • Page 78: Displaying And Debugging Ip Address

    CHAPTER 5: NETWORK PROTOCOL OPERATION The IP address configuration is described in the following sections: Configuring the Hostname and Host IP Address ■ Configuring the IP Address of the VLAN Interface ■ Configuring the Hostname and Host IP Address This command associates the host name with the IP address.
  • Page 79: Ip Address Configuration Example

    ARP Configuration IP Address Configuration Example: Networking Requirements Configure the IP address as 129.2.2.1 and subnet mask as 255.255.255.0 for VLAN interface 1 of the Switch. Networking Diagram Figure 20 IP Address Configuration Networking (diagram: console cable to the Switch) Configuration Procedure 1 Enter VLAN interface 1. [4500]interface vlan-interface 1 2 Configure the IP address for VLAN interface 1.
  • Page 80: Configuring Arp

    CHAPTER 5: NETWORK PROTOCOL OPERATION dynamic ARP mapping entry is not in use for a specified period of time, the host will remove it from the ARP mapping table so as to save memory space and shorten the time the Switch takes to search the ARP mapping table. Suppose there are two hosts on the same network segment: Host A and Host B.
  • Page 81 ARP Configuration Table 79 Manually Adding/Deleting Static ARP Mapping Entries (Operation, Command). Manually add a static ARP mapping entry (Ethernet Port View): arp static ip_address mac_address vlan_id. Manually delete a static ARP mapping entry (System View or Ethernet Port View): undo arp ip_address. By default, the ARP mapping table is empty and the address mapping is obtained through dynamic ARP.
  • Page 82: Displaying And Debugging Arp

    CHAPTER 5: NETWORK PROTOCOL OPERATION By default, this feature is enabled. Displaying and Debugging ARP: After the above configuration, enter the display command in any view to display the running of the ARP configuration, and to verify the effect of the configuration. Enter the command in User View to debug ARP configuration.
  • Page 83 DHCP Configuration Figure 21 Typical DHCP Application (diagram: several DHCP Clients and a DHCP Server). To obtain valid dynamic IP addresses, the DHCP client exchanges different types of information with the server at different stages. One of the following three situations may occur: A DHCP client logs into the network for the first time ■...
  • Page 84 CHAPTER 5: NETWORK PROTOCOL OPERATION If the requested IP address becomes unavailable (for example, having been allocated to another client), the DHCP server returns the DHCP_NAK message. After receiving the DHCP_NAK message, the client sends the DHCP_Discover message to request another new IP address. ■ A DHCP client extends its IP lease period ■...
  • Page 85: Dhcp Client Configuration

    DHCP Configuration The DHCP server determines a correct configuration based on the information from the client and returns the configuration information back to the client through DHCP relay. ■ In fact, several such interactions may be needed to complete a DHCP relay configuration.
  • Page 86: Displaying And Debugging Dhcp Configuration

    CHAPTER 5: NETWORK PROTOCOL OPERATION Configuring the DHCP Server Group for the VLAN Interfaces Perform the following configuration in VLAN Interface View. Table 85 Configuring the DHCP Server Group Corresponding to VLAN Interfaces (Operation, Command). Configure DHCP server group corresponding to VLAN interfaces: dhcp-server groupNo. Delete DHCP server group...
  • Page 87: Dhcp Relay Configuration Example Two

    DHCP Configuration Networking Diagram Figure 23 Configuring DHCP Relay (diagram: DHCP clients on Ethernet 10.110.0.0; Switch (DHCP Relay) with interfaces 10.110.1.1 and 202.38.1.1; DHCP Server 202.38.1.2 on Ethernet 202.38.0.0, reached across the Internet) Configuration Procedure 1 Create a DHCP server group that will use two DHCP servers (a master and an optional backup) and assign it the IP addresses of the two DHCP servers (the first IP address is the master).
  • Page 88: Troubleshooting Dhcp Relay Configuration

    CHAPTER 5: NETWORK PROTOCOL OPERATION Networking Diagram Figure 24 Networking Diagram of Configuration DHCP Relay (diagram: DHCP clients on Ethernet 10.110.0.0; Switch (DHCP Relay) with interfaces 10.110.1.1 and 202.38.1.1; DHCP Server 202.38.1.2 on Ethernet 202.38.0.0, reached across the Internet) Configuration Procedure 1 Configure the group number of DHCP Server as 1 and the IP address as 202.38.1.2.
  • Page 89: Access Management Configuration

    Access Management Configuration Use the debugging dhcp-relay command in User View and then use the terminal debugging command to output the debugging information to the console. In this way, you can view the detailed information of all DHCP packets on the console as they apply for the IP address, and so locate the problem.
  • Page 90 CHAPTER 5: NETWORK PROTOCOL OPERATION Table 88 Configuring the Access Management IP Address Pool Based on the Port (Operation, Command). Cancel part or all of the IP addresses in the access management IP address pool of the port: undo am ip-pool { all | address_list }. By default, the IP address pools for access management on the port are null and all the packets are permitted.
  • Page 91: Displaying And Debugging Access Management

    Access Management Configuration Enabling/Disabling Access Management Trap You can enable the access management trap function using the following commands. When this function is enabled, the trap information of access management is delivered to the console for the purpose of monitoring. Perform the following configuration in System View.
  • Page 92: Access Management Via The Web

    2 Configure the IP address pool for access management on port 1. [4500]interface ethernet1/0/1 [4500-Ethernet1/0/1]am ip-pool 202.10.20.1 20 3 Add port 1 into the isolation group. [4500-Ethernet1/0/1]port isolate 4 Configure the IP address pool for access management on port 2. [4500-Ethernet1/0/1]interface ethernet1/0/2 [4500-Ethernet1/0/2]am ip-pool 202.10.20.21 30 5 Add port 2 into the isolation group.
  • Page 93: Udp Helper Configuration

    UDP Helper Configuration. UDP Helper configuration includes: ■ Enabling/Disabling UDP Helper Function ■ Configuring UDP Port with Relay Function ■ Configuring the Relay Destination Server for Broadcast Packet. Enabling/Disabling UDP Helper Function: When the UDP Helper function is enabled, you can configure the UDP ports on which relay is required; by default the relay function is enabled for UDP ports 69 (TFTP), 53 (DNS), 37 (Time), 137 (NetBIOS name service), 138 (NetBIOS datagram service) and 49 (TACACS).
  • Page 94: Displaying And Debugging Udp Helper Configuration

    For example, the udp-helper port dns command is equivalent in function to the udp-helper port 53 command. ■ The default UDP ports are not shown by the display current-configuration command, but a default port's ID is shown after its relay function is disabled.
  • Page 95: Ip Performance Configuration

    IP Performance Configuration. Networking Diagram: Figure 26, Networking for UDP Helper Configuration (clients on network 10.110.0.0 attach to the switch's interface 10.110.1.1; the switch, running UDP Helper, reaches the server 202.38.1.2 on network 202.38.0.0 through its interface 202.38.1.1). Configuration Procedure: 1 Enable the UDP Helper function. [4500]udp-helper enable 2 Relay-forward broadcast packets with destination UDP port 55. [4500]udp-helper port 55 3 Set the IP address of the destination server corresponding to VLAN interface 2 to 202.38.1.2.
  • Page 96: Displaying And Debugging Ip Performance

    Table 97 Configuring TCP Attributes (Operation; Command): Restore the synwait timer; undo tcp timer syn-timeout. Configure the FIN_WAIT_2 timer in TCP; tcp timer fin-timeout time_value. Restore the FIN_WAIT_2 timer; undo tcp timer fin-timeout. Configure the socket receiving/sending buffer size of TCP; tcp window window_size. Restore the socket receiving/sending buffer...
  • Page 97 IP Performance Configuration: ■ Use the terminal debugging command to output the debugging information to the console. ■ Use the debugging udp packet command to enable UDP debugging and trace the UDP packet. The following are the UDP packet formats: UDP output packet: Source IP address:202.38.160.1 Source port:1024...
  • Page 99: Ip Routing Protocol Operation

    Chapter 6: IP Routing Protocol Operation. IP Routing Protocol Overview: Routers select an appropriate path through a network for an IP packet according to the destination address of the packet. Each router on the path receives the packet and forwards it to the next router. The last router in the path submits the packet to the destination host.
  • Page 100: Selecting Routes Through The Routing Table

    the optimal route. For example, routing through three LAN route segments may be much faster than routing through two WAN route segments. Configuring the IP Routing Protocol is described in the following sections: ■ Selecting Routes Through the Routing Table...
  • Page 101: Routing Management Policy

    In a complicated Internet configuration, as shown in Figure 28, the number in each network is the network address. The router R8 is connected to three networks, so it has three IP addresses and three physical ports. Its routing table is shown in Figure 2.
  • Page 102: Static Routes

    Supporting Load Sharing and Route Backup. I. Load sharing: The Switch 4500 supports multi-route mode, allowing the user to configure multiple routes that reach the same destination with the same precedence. The same destination can then be reached via multiple different paths whose precedences are equal.
  • Page 103: Configuring Static Routes

    Static Routes. The following routes are static routes: ■ Reachable route: the IP packet is sent to the next hop towards the destination. This is the common type of static route. ■ Unreachable route: when a static route to a destination has the reject...
  • Page 104 The parameters are explained as follows: ■ IP address and mask: The IP address and mask use dotted decimal format. Because the 1s in the 32-bit mask must be consecutive, the dotted decimal mask can also be replaced by the mask length, which is the number of consecutive 1s in the mask.
  • Page 105: Example: Typical Static Route Configuration

    Displaying and Debugging Static Routes: After you configure static and default routes, execute the display command in any view to display the static route configuration and verify the effect of the configuration. Table 103 Displaying and debugging the routing table (Operation; Command): View routing table summary...
  • Page 106: Troubleshooting Static Routes

    [Switch A]ip route-static 1.1.5.0 255.255.255.0 1.1.2.2 2 Configure the static routes for Ethernet Switch B: [Switch B]ip route-static 1.1.2.0 255.255.255.0 1.1.3.1 [Switch B]ip route-static 1.1.5.0 255.255.255.0 1.1.3.1 [Switch B]ip route-static 1.1.1.0 255.255.255.0 1.1.3.1 3 Configure the static routes for Ethernet Switch C: [Switch C]ip route-static 1.1.1.0 255.255.255.0 1.1.2.1 [Switch C]ip route-static 1.1.4.0 255.255.255.0 1.1.3.2...
  • Page 107: Configuring Rip

    ■ Next hop address: the address of the next router that an IP packet will pass through to reach the destination. ■ Interface: the interface through which the IP packet should be forwarded. ■ Cost: the cost for the router to reach the destination, which should be an...
  • Page 108 After RIP is disabled, the interface-related features also become invalid. The RIP configuration tasks are described in the following sections: ■ Enabling RIP and Entering the RIP View ■ Enabling RIP on a Specified Network...
  • Page 109 By default, RIP does not send messages to unicast addresses. 3Com does not recommend the use of this command, because the destination address does not need to receive two copies of the same message at the same time.
  • Page 110 By default, the interface receives and sends RIP-1 packets. It transmits packets in multicast mode when the interface RIP version is set to RIP-2. Configuring RIP Timers: As stipulated in RFC 1058, RIP is controlled by three timers: period update, timeout, and garbage-collection. Period update is triggered periodically to send all RIP routes to all neighbors.
  • Page 111 Perform the following configurations in RIP View. Table 109 Configuring Zero Field Check of the Interface Packets (Operation; Command): Configure zero field check on RIP-1 packets; checkzero. Disable zero field check on RIP-1 packets; undo checkzero. Specifying the Operating State of the Interface: In Interface View, you can specify whether RIP update packets are sent and received on the interface.
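What the checkzero command actually inspects is the must-be-zero fields of the RFC 1058 packet layout. The parser below is an added example written for this page, not code from the 3Com guide or from the switch: it decodes a RIP-1 datagram and, with the check enabled, discards any packet whose must-be-zero fields are set; with the check disabled (undo checkzero) those fields are ignored. The two datagrams at the bottom are constructed for the example (they reuse the 110.11.2.0 and 117.102.0.0 networks from the RIP configuration example); the function and constant names are mine.

```python
"""RIP-1 (RFC 1058) datagram parser with the must-be-zero field check that
`checkzero` enforces. Added example, not code from the 3Com guide; the
datagrams below are constructed, not captured from a switch.

Layout: 4-byte header (command, version, 2 zero bytes) followed by up to 25
entries of 20 bytes (address family, 2 zero bytes, IP address, 4 zero
bytes, 4 zero bytes, metric).
"""
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

RIP_REQUEST, RIP_RESPONSE, RIP_V1, AF_INET, MAX_ENTRIES = 1, 2, 1, 2, 25
HEADER = struct.Struct("!BBH")        # command, version, must-be-zero
ENTRY = struct.Struct("!HH4sIII")     # AFI, must-be-zero, IP, mbz, mbz, metric


class RipFormatError(ValueError):
    """Raised for a datagram a RIP-1 speaker must discard."""


@dataclass
class RipPacket:
    command: int
    version: int
    routes: List[Tuple[str, int]] = field(default_factory=list)  # (network, metric)


def parse_rip1(data: bytes, checkzero: bool = True) -> RipPacket:
    """Decode a RIP-1 datagram; checkzero=True mirrors `checkzero`,
    checkzero=False mirrors `undo checkzero`."""
    if len(data) < HEADER.size or (len(data) - HEADER.size) % ENTRY.size:
        raise RipFormatError("length is not 4 + 20*n bytes")
    command, version, hdr_zero = HEADER.unpack_from(data)
    if version != RIP_V1:
        raise RipFormatError(f"version {version} is not RIP-1")
    if checkzero and hdr_zero != 0:
        raise RipFormatError("header must-be-zero field is set")
    count = (len(data) - HEADER.size) // ENTRY.size
    if count > MAX_ENTRIES:
        raise RipFormatError("more than 25 route entries")
    pkt = RipPacket(command, version)
    for i in range(count):
        afi, z1, ip, z2, z3, metric = ENTRY.unpack_from(data, HEADER.size + i * ENTRY.size)
        if checkzero and (z1, z2, z3) != (0, 0, 0):
            raise RipFormatError(f"entry {i}: must-be-zero field is set")
        if afi == 0 and command == RIP_REQUEST and count == 1 and metric == 16:
            pkt.routes.append(("0.0.0.0", 16))   # RFC 1058 whole-table request
            continue
        if afi != AF_INET:
            raise RipFormatError(f"entry {i}: address family {afi}")
        if not 1 <= metric <= 16:
            raise RipFormatError(f"entry {i}: metric {metric} outside 1..16")
        pkt.routes.append((".".join(str(b) for b in ip), metric))
    return pkt


def accepts(data: bytes, checkzero: bool = True) -> bool:
    """True if the datagram would be processed rather than discarded."""
    try:
        parse_rip1(data, checkzero)
        return True
    except RipFormatError:
        return False


def entry(ip: str, metric: int, zeros=(0, 0, 0)) -> bytes:
    """Build one route entry; a non-zero `zeros` fakes a non-conforming sender."""
    octets = bytes(int(o) for o in ip.split("."))
    return ENTRY.pack(AF_INET, zeros[0], octets, zeros[1], zeros[2], metric)


# Constructed datagrams: a clean response carrying the two networks from the
# RIP example, and the same response with one must-be-zero field polluted.
GOOD = HEADER.pack(RIP_RESPONSE, RIP_V1, 0) + entry("110.11.2.0", 1) + entry("117.102.0.0", 2)
POLLUTED = HEADER.pack(RIP_RESPONSE, RIP_V1, 0) + entry("110.11.2.0", 1, zeros=(0, 0xC0A80001, 0))
```

The polluted datagram is accepted only when the zero check is off, which is the operational trade-off the command makes: undo checkzero lets non-conforming senders interoperate, at the cost of also accepting packets a strict RIP-1 implementation would drop.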
  • Page 112 Enabling RIP-2 Route Aggregation: Route aggregation means that different subnet routes in the same natural network can be aggregated into one natural-mask route when they are sent to other networks. Route aggregation reduces the routing traffic on the network as well as the size of the routing table.
  • Page 113 generation of routing loops, but in some special cases, split horizon must be disabled to obtain correct advertising at the cost of efficiency. Disabling split horizon has no effect on P2P connected links but is applicable on the Ethernet. Perform the following configuration in Interface View: Table 114 Configuring Split Horizon Operation Command...
  • Page 114 Setting the RIP Preference: Each routing protocol has its own preference by which the routing policy selects the optimal route from the routes of different protocols. The greater the preference value, the lower the preference. The preference of RIP can be set manually.
  • Page 115: Displaying And Debugging Rip

    Configuring RIP to Filter the Received Routes. Table 119 Configuring RIP to Filter the Received Routes (Operation; Command): Filter the received routing information distributed by the specified address; filter-policy gateway ip_prefix_name import. Cancel filtering of the received routing information distributed by the specified address; undo filter-policy gateway ip_prefix_name [ gateway address...
  • Page 116: Example: Typical Rip Configuration

    Table 121 Displaying and Debugging RIP (Operation; Command): Enable debugging of RIP received packets; debugging rip receive. Disable debugging of RIP received packets; undo debugging rip receive. Enable debugging of RIP sent packets; debugging rip send. Disable debugging of RIP sent packets; undo debugging rip send...
  • Page 117: Troubleshooting Rip

    3 Configure RIP on Switch C: [Switch C]rip [Switch C-rip]network 117.102.0.0 [Switch C-rip]network 110.11.2.0 Troubleshooting RIP: The Switch 4500 cannot receive the update packets although the physical connection to the peer routing device is normal. ■ RIP does not operate on the corresponding interface (for example, the...
  • Page 118: Configuring An Ip Routing Policy

    the route is permitted by a single node in the route-policy, the route passes the matching test of the route policy without attempting the test of the next node. The access control list (ACL) used by the route policy can be divided into three types: advanced ACL, basic ACL and interface ACL.
  • Page 119 Perform the following configurations in System View. Table 122 Defining a route-policy (Operation; Command): Enter Route Policy View; route-policy route_policy_name { permit | deny } node { node_number }. Remove the specified route-policy; undo route-policy route_policy_name [ permit | deny | node node_number ]. The permit parameter specifies that if a route satisfies all the clauses of...
  • Page 120 Table 123 Defining if-match Conditions (Operation; Command): Cancel the matched next-hop of the routing information set by the address prefix list; undo if-match ip next-hop ip-prefix. Match the routing cost of the routing information; if-match cost cost. Cancel the matched routing cost of the routing information; undo if-match cost...
  • Page 121: Displaying And Debugging The Routing Policy

    Perform the following configurations in System View. Table 125 Defining a Prefix-list (Operation; Command): Define a Prefix-list; ip ip-prefix ip_prefix_name [ index index_number ] { permit | deny } network len [ greater-equal greater_equal ] [ less-equal less_equal ]. Remove a Prefix-list; undo ip ip-prefix ip_prefix_name [ index index_number | permit | deny ]...
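Table 125 gives only the syntax of ip ip-prefix, and the part that bites in practice is how the mask-length bounds interact with len. The following is an added example written for this page, not code from the 3Com guide: it parses the command lines of Table 125 and evaluates routes against the resulting list. The matching rule it implements is stated as an assumption, since the page does not spell it out: a route matches an entry when it lies inside network/len and its own mask length falls within [greater-equal, less-equal]; with neither bound the length must equal len exactly, with only greater-equal the range is [ge, 32], with only less-equal it is [len, le]; entries are tried in ascending index order, the first match decides, and a route that matches nothing is denied. The sample list is constructed for the Figure 31 routes; the class and function names are mine.

```python
"""Prefix-list matching for the `ip ip-prefix` syntax in Table 125.
Added example, not code from the 3Com guide. The length-range semantics
below are an assumption about the command (see the lead-in).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PrefixEntry:
    index: int
    action: str                  # "permit" or "deny"
    network: IPv4Network         # the `network len` part of the command
    ge: Optional[int] = None     # greater-equal
    le: Optional[int] = None     # less-equal

    def length_range(self) -> Tuple[int, int]:
        """Assumed range of route mask lengths this entry covers."""
        base = self.network.prefixlen
        low = self.ge if self.ge is not None else base
        high = self.le if self.le is not None else (32 if self.ge is not None else base)
        return low, high

    def matches(self, route: IPv4Network) -> bool:
        low, high = self.length_range()
        return low <= route.prefixlen <= high and route.subnet_of(self.network)


def parse_ip_prefix(line: str) -> PrefixEntry:
    """Parse `ip ip-prefix NAME index N {permit|deny} NETWORK LEN
    [greater-equal GE] [less-equal LE]`; this example requires `index`."""
    tok = line.split()
    if tok[:2] != ["ip", "ip-prefix"] or tok[3] != "index":
        raise ValueError(f"unsupported line: {line}")
    index, action = int(tok[4]), tok[5]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action}")
    network = IPv4Network(f"{tok[6]}/{tok[7]}", strict=False)
    ge = le = None
    for key, val in zip(tok[8::2], tok[9::2]):
        if key == "greater-equal":
            ge = int(val)
        elif key == "less-equal":
            le = int(val)
        else:
            raise ValueError(f"unknown keyword {key}")
    return PrefixEntry(index, action, network, ge, le)


class PrefixList:
    def __init__(self, lines: List[str]):
        self.entries = sorted((parse_ip_prefix(l) for l in lines), key=lambda e: e.index)

    def permits(self, route: str) -> bool:
        r = IPv4Network(route)
        for e in self.entries:            # first matching entry decides
            if e.matches(r):
                return e.action == "permit"
        return False                      # assumption: implicit deny when nothing matches


# Constructed list for the Figure 31 routes: drop exactly 30.0.0.0/8 and
# accept everything else. Entry 10 has no bounds, so it matches only a
# route whose mask length is exactly 8; 30.1.0.0/16 falls through to entry 20.
FILTER_30 = PrefixList([
    "ip ip-prefix p1 index 10 deny 30.0.0.0 8",
    "ip ip-prefix p1 index 20 permit 0.0.0.0 0 less-equal 32",
])

# Constructed list showing the bounds: subnets of 10/8 from /16 to /24 only.
MID_LENGTHS = PrefixList([
    "ip ip-prefix p2 index 5 permit 10.0.0.0 8 greater-equal 16 less-equal 24",
])
```

The exact-length default is the usual surprise: a deny entry written as 30.0.0.0 8 does not cover 30.1.0.0/16, so a filter meant to block a whole block of address space needs less-equal 32 on the deny entry as well.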
  • Page 122: Configuration Procedure

    Networking diagram: Figure 31, Filtering the received routing information (Switch A, Router ID 1.1.1.1, and Switch B, Router ID 2.2.2.2, connected through OSPF area 0; static routes 20.0.0.0/8, 30.0.0.0/8 and 40.0.0.0/8; VLAN interfaces Vlan-interface100 10.0.0.1/8, Vlan-interface100 10.0.0.2/8 and Vlan-interface200 12.0.0.1/8). Configuration procedure: 1 Configure Switch A: a Configure the IP address of the VLAN interface.
  • Page 123: Troubleshooting Routing Protocols

    Troubleshooting Routing Protocols. Routing information filtering cannot be implemented in normal operation of the routing protocol. Check for the following faults: ■ The if-match mode of at least one node of the Route Policy should be the permit mode.
  • Page 125: Igmp Snooping

    Chapter 7: IGMP Snooping. IGMP Snooping Overview: IGMP Snooping (Internet Group Management Protocol Snooping) is a multicast control mechanism running on Layer 2 (the link layer) of the switch. It is used for multicast group management and control. When receiving IGMP messages transmitted between the host and router, the Switch 4500 uses IGMP Snooping to analyze the information carried in the IGMP messages.
  • Page 126 Figure 33 Multicast packet transmission when IGMP Snooping runs (a VOD server sends a video stream through the Internet/intranet and a multicast router to a Layer 2 Ethernet Switch 4500, which forwards the stream only to the multicast group member and not to the non-multicast group members).
  • Page 127 Figure 34 Implementing IGMP Snooping (a router running IGMP on the Internet side exchanges IGMP packets with a Switch 4500 running IGMP Snooping, which in turn exchanges IGMP packets with another Ethernet Switch running IGMP Snooping). Table 128 explains IGMP Snooping terminology. Table 128 IGMP Snooping Terminology (Term; Meaning): IGMP general query message; transmitted by the multicast router to query which multicast...
  • Page 128: Configuring Igmp Snooping

    Table 128 IGMP Snooping Terminology (continued). IGMP specific query message: transmitted from the multicast router to the multicast members and used to query whether a specific group contains any member. When it receives an IGMP specific query message, the switch only transmits the specific query message to the IP multicast group that is queried.
  • Page 129: Configuring Router Port Aging Time

    Perform the following configuration in System View and VLAN View. Table 129 Enabling/Disabling IGMP Snooping (Operation; Command): Enable/disable IGMP Snooping; igmp-snooping { enable | disable }. Although layer 2 and layer 3 multicast protocols can run together, they cannot run on the same VLAN or its corresponding VLAN interface at the same time.
  • Page 130: Displaying And Debugging Igmp Snooping

    Perform the following configuration in System View. Table 132 Configuring aging time of the multicast member (Operation; Command): Configure aging time of the multicast member; igmp-snooping host-aging-time seconds. Restore the default setting; undo igmp-snooping host-aging-time. By default, the aging time of the multicast member is 260 seconds.
  • Page 131: Igmp Snooping Fault Diagnosis And Troubleshooting

    Networking Diagram: Figure 35, IGMP Snooping configuration network (a router on the Internet connects to the multicast switch). Configuration Procedure: Enable IGMP Snooping globally. [4500]igmp-snooping enable Enable IGMP Snooping on VLAN 10. [4500]vlan 10 [4500-vlan10]igmp-snooping enable IGMP Snooping Fault Diagnosis and Troubleshooting. Fault: Multicast function cannot be implemented on the switch. Troubleshooting:...
  • Page 132 Diagnosis 3: The multicast forwarding table set up on the bottom layer is wrong. 1 Enable IGMP Snooping and then, in User View, enter the display igmp-snooping group command to check whether the MAC multicast forwarding table in the bottom layer and the one created by IGMP Snooping are consistent.
  • Page 133: Acl Configuration

    Chapter 8: ACL Configuration. This chapter covers the following topics: ■ Brief Introduction to ACL ■ QoS Configuration ■ ACL Control Configuration. Brief Introduction to ACL: A series of matching rules are required for the network devices to identify the packets to be filtered. After identifying the packets, the Switch can permit or deny them according to the defined policy.
  • Page 134: Acl Supported By The Switch

    The depth-first principle is to put the statement specifying the smallest range of packets at the top of the list. This is implemented by comparing the wildcards of the addresses: the smaller the wildcard is, the fewer hosts it can specify. For example, 129.102.1.1 0.0.0.0 specifies a single host, while 129.102.1.1 0.0.255.255 specifies a network segment, 129.102.0.0 through 129.102.255.255.
  • Page 135 ■ If an ACL is used to filter or classify the data transmitted by the hardware of the Switch, the match order defined in the acl command will not be effective. ■ If an ACL is used to filter or classify the data processed by the software of the Switch, the match order of the ACL's sub-rules will be effective.
  • Page 136 (Operation; Command): Delete a sub-item from the ACL (from Advanced ACL View); undo rule rule_id [ source | destination | source-port | destination-port | icmp-type | precedence | tos | dscp | fragment | vpn-instance ]*. Delete one ACL or all ACLs (from System View); undo acl { number acl_number | all }.
  • Page 137: Activating Acl

    Table 138 Defining the User-defined ACL (Operation; Command): Enter user-defined ACL view (from System View); acl number acl_number [ match-order { config | auto } ]. Add a sub-item to the ACL (from User-defined ACL View); rule [ rule_id ] { permit | deny } { rule_string rule_mask offset }&<1-8>...
  • Page 138: Advanced Acl Configuration Example

    1 Define the work time range. Define the time range from 8:00 to 18:00 on working days. [4500]time-range 3Com 8:00 to 18:00 working-day 2 Define the ACL to access the payment server. a Enter the numbered advanced ACL view, number 3000. [4500]acl number 3000 match-order config b Define the rules for other departments to access the payment server.
  • Page 139: Basic Acl Configuration Example

    Enter the numbered basic ACL view, number 2000. [4500]acl number 2000 b Define the rule for packets whose source IP is 10.1.1.1. [4500-acl-basic-2000]rule 1 deny source 10.1.1.1 0 time-range 3Com 3 Activate the ACL. Activate ACL 2000. [4500-GigabitEthernet1/0/50]packet-filter inbound ip-group 2000...
  • Page 140: Qos Configuration

    1 Define the time range. Define the time range from 8:00 to 18:00 daily. [4500]time-range 3Com 8:00 to 18:00 daily 2 Define the ACL for packets whose source MAC address is 00e0-fc01-0101 and destination MAC address is 00e0-fc01-0303. a Enter the numbered link ACL view, number 4000.
  • Page 141 QoS Configuration Packet Filter Packet filter is used to filter traffic. For example, the operation “deny” discards the traffic that is matched with a traffic classification rule, while allowing other traffic to pass through. With the complex traffic classification rules, the Switch enables the filtering of various information carried in Layer 2 traffic to discard the useless, unreliable or doubtful traffic, thereby enhancing network security.
  • Page 142: Qos Configuration

    QoS Configuration: The process of traffic-based QoS: 1 Identify the traffic by ACL. 2 Perform the QoS operation on the traffic. The configuration steps of traffic-based QoS: 1 Define the ACL. 2 Configure the QoS operation. If QoS is not based on traffic, you need not define an ACL first.
  • Page 143: Setting Port Mirroring

    Setting Port Mirroring: Port mirroring means duplicating data on the monitored port to the designated mirror port, for the purpose of data analysis and supervision. The Switch supports one monitor port and multiple mirroring ports. If several Switches form a Fabric, multiple mirroring ports but only one monitor port can be configured in the Fabric.
  • Page 144 Only one monitor port can be configured on one Switch. If a group of Switches form a Fabric, only one monitor port can be configured on the Fabric. 2 Configure traffic mirroring. Perform the following configuration in Ethernet Port View. Table 148 Configuring Traffic Mirroring (Operation; Command)...
  • Page 145: Setting Traffic Limit

    Table 152 Map Configuration (Operation; Command): Configure the “COS->Local-precedence” map; qos cos-local-precedence-map cos0_map_local_prec cos1_map_local_prec cos2_map_local_prec cos3_map_local_prec cos4_map_local_prec cos5_map_local_prec cos6_map_local_prec cos7_map_local_prec. Restore its default value; undo qos cos-local-precedence-map. By default, the Switch uses the default mapping relationship. Setting Traffic Limit: Traffic limit refers to rate limiting based on traffic.
  • Page 146: Displaying And Debugging Qos Configuration

    Perform the following configuration in Ethernet Port View. Table 155 Configuring WRED Operation (Operation; Command): Configure WRED operation; wred queue_index qstart probability. Cancel the configuration of WRED operation; undo wred queue_index. For details about the command, refer to the Command Reference Guide. Displaying and Debugging QoS Configuration: You can use the display command in any view to see the QoS operation and to...
  • Page 147: Port Mirroring Configuration Example

    Networking Diagram: Figure 39, QoS Configuration Example (the wage server 129.110.1.2 is connected to port GE2/0/1 of the Switch, which in turn connects to another switch). Configuration Procedure: Only the commands concerning QoS/ACL configuration are listed here. 1 Define outbound traffic for the wage server. a Enter numbered advanced ACL view. [4500]acl number 3000 b Define the traffic-of-pay-server rule in advanced ACL 3000.
  • Page 148: Acl Control Configuration

    Networking Diagram: Figure 40, QoS Configuration Example (ports E3/0/1, E3/0/2 and E3/0/8 of the Switch, and a server). Configuration Procedure: Define port mirroring, with the monitoring port being Ethernet3/0/8. [4500-Ethernet3/0/8]monitor-port [4500-Ethernet3/0/1]mirroring-port both ACL Control Configuration: The Switch provides three modes for users to access devices remotely: ■ TELNET access...
  • Page 149 Configuration Tasks: Table 157 lists the commands that you can execute to configure a TELNET or SSH user ACL. Table 157 Commands for Configuring TELNET/SSH User ACL (In This View; Type This Command; Description): Enter system view; system-view. Define ACLs and... (Required).
  • Page 150 ACLs, the incoming/outgoing calls are restricted on the basis of source MAC addresses. As a result, when you use the rules for L2 ACLs, only the source MAC and the corresponding mask, and the time-range keyword, take effect. ■ When you control telnet and SSH users on the basis of L2 ACLs, only the...
  • Page 151 Basic ACL Configuration Example. Configuration Prerequisites: Only the TELNET users whose IP addresses are 10.110.100.52 and 10.110.100.46 are allowed to access the switch. Figure 42 Source IP Control Over TELNET User Accessing Switch. Configuration Steps: # Define basic ACLs. <4500>system-view System View: return to User View with Ctrl+Z.
  • Page 152: Acl Control Over Users Accessing Switches By Snmp

    ACL Control Over Users Accessing Switches by SNMP: The Switch supports remote management through network management software. Network management users can access switches by Simple Network Management Protocol (SNMP). ACL control over these users can filter out illegal network management users so that they cannot log into this Switch.
  • Page 153 Table 158 Commands for Controlling ACL Access via SNMP (Type This Command; Description): snmp-agent community { read | write }; Use ACLs, and control users accessing switches, when configuring the SNMP community name. SNMP community name is a feature of SNMP V1 and SNMP...
  • Page 154: Configuring Acl Control For Http Users

    Figure 43 ACL Control Over SNMP Users of the Switch. Configuration Steps: # Define basic ACLs and rules. <4500>system-view System View: return to User View with Ctrl+Z. [4500] acl number 2000 match-order config [4500-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [4500-acl-basic-2000] rule 2 permit source 10.110.100.46 0 [4500-acl-basic-2000] rule 3 deny source any [4500-acl-basic-2000] quit...
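The management ACL above only works because the host rules come before deny source any, and the match-order keyword from the ACL introduction (config versus the depth-first auto order) decides whether that ordering is the one you typed or one the switch derives from the wildcards. The following is an added example written for this page, not code from the 3Com guide or the switch: it parses basic-ACL rule lines in the guide's syntax, evaluates a source address under either match order, and runs ACL 2000 exactly as configured on pages 151 and 154 next to a constructed mis-ordered copy that locks the managers out in config order but not in auto order. Two assumptions are mine and are not stated by the guide: auto order sorts rules by the number of wildcard bits set (fewest first, configured order kept for ties), and a packet matching no rule is permitted. The class and function names are mine.

```python
"""Basic-ACL evaluation with the `config` and `auto` (depth-first) match
orders, applied to the TELNET/SNMP management ACL 2000 from the guide.
Added example, not code from the 3Com guide or the switch.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

MASK32 = 0xFFFFFFFF


def _addr(token: str) -> int:
    """Accept '10.1.1.1', '0.0.255.255' or the bare '0' the guide writes."""
    return int(token) if token.isdigit() else int(IPv4Address(token))


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str          # "permit" or "deny"
    source: int
    wildcard: int        # 1 bits are "don't care", as in the rule syntax

    def matches(self, ip: int) -> bool:
        care = ~self.wildcard & MASK32
        return ip & care == self.source & care

    @property
    def wildcard_bits(self) -> int:
        return bin(self.wildcard).count("1")   # fewer bits = more specific


def parse_rule(line: str) -> Rule:
    """Parse 'rule N {permit|deny} source {any | ADDR WILDCARD}'."""
    tok = line.split()
    if tok[0] != "rule" or tok[3] != "source" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule: {line}")
    if tok[4] == "any":
        return Rule(int(tok[1]), tok[2], 0, MASK32)
    return Rule(int(tok[1]), tok[2], _addr(tok[4]), _addr(tok[5]))


class BasicAcl:
    def __init__(self, number: int, match_order: str = "config"):
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACLs are numbered 2000 to 2999")
        if match_order not in ("config", "auto"):
            raise ValueError("match-order is config or auto")
        self.number, self.match_order = number, match_order
        self.rules: List[Rule] = []

    def add(self, line: str) -> "BasicAcl":
        self.rules.append(parse_rule(line))
        return self

    def ordered(self) -> List[Rule]:
        """Rules in evaluation order: as typed, or depth-first (assumption:
        ascending wildcard bit count, stable for ties)."""
        if self.match_order == "auto":
            return sorted(self.rules, key=lambda r: r.wildcard_bits)
        return list(self.rules)

    def first_match(self, src_ip: str) -> Optional[Rule]:
        ip = int(IPv4Address(src_ip))
        return next((r for r in self.ordered() if r.matches(ip)), None)

    def decide(self, src_ip: str) -> str:
        r = self.first_match(src_ip)
        return r.action if r else "permit"   # assumption: no match falls through to permit


# ACL 2000 as configured in the TELNET/SNMP control examples.
MGMT_ACL = (BasicAcl(2000, "config")
            .add("rule 1 permit source 10.110.100.52 0")
            .add("rule 2 permit source 10.110.100.46 0")
            .add("rule 3 deny source any"))

# Constructed counter-example: the same rules with deny-any typed first.
# In config order it blocks every manager; in auto order the /32 host rules
# sort ahead of the all-wildcard rule and the intended hosts get through.
MISORDERED = ["rule 1 deny source any",
              "rule 2 permit source 10.110.100.52 0",
              "rule 3 permit source 10.110.100.46 0"]
CONFIG_ORDER = BasicAcl(2001, "config")
AUTO_ORDER = BasicAcl(2002, "auto")
for _line in MISORDERED:
    CONFIG_ORDER.add(_line)
    AUTO_ORDER.add(_line)
```

The practical check before applying an ACL to telnet, SSH or SNMP access is to evaluate your own management address against it under the match order you actually configured; the mis-ordered copy shows how the same three rules either admit or lock out the administrator depending on that keyword alone.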
  • Page 155 Calling ACL to Control HTTP Users: To control the Web network management users with an ACL, call the defined ACL. You can use the following commands to call an ACL. Perform the following configuration in System View. Table 159 Calling ACL to Control HTTP Users (Operation; Command): Call an ACL to control the WEB NM users...
  • Page 157: Stacking

    Chapter 9: Stacking. This chapter covers the following topics: ■ Introduction to Stacking ■ Configuring a Stack ■ Stack Configuration Example. Introduction to Stacking: Several Switch 4500 units can be interconnected to create a “stack”, in which each Switch is a unit. The ports used to interconnect all the units are called stacking ports, while the other ports, which connect the stack to users, are called user ports.
  • Page 158: Specifying The Stacking Vlan Of The Switch

    (Device Configuration; Default Settings; Comment): Set unit IDs for the Switches; the unit ID of a Switch is set to 1; make sure that you have set different unit IDs on different Switches, so that the stack can operate normally after all the Switches are interconnected.
  • Page 159: Saving The Unit Id Of Each Unit In The Stack

    } enable Only the Gigabit combo ports can be used to interconnect the Switch units to form a stack. In the 3Com switch operating system, the term "fabric" is used as a general expression for stack. Setting Unit Names for...
  • Page 160: Setting An Xrn Authentication Mode For Switches

    Switches Note: “XRN” is a proprietary 3Com technology for enterprise-level stacking on our Switch 5500-EI switches. Because the Switch 4500 shares its operating system with the Switch 5500 family, the XRN terminology is referred to when setting authentication mode.
  • Page 161: Stack Configuration Example

    Stack Configuration Example. Networking Requirements: Configure the unit ID, unit name, stack name, and authentication mode for four Switches, and interconnect them to form a stack. The configuration details are as follows: ■ Unit IDs: 1, 2, 3, 4...
  • Page 162 Configure Switch D: [4500]change unit-id 1 to auto-numbering [4500]fabric-port gigabitethernet4/0/51 enable [4500]fabric-port gigabitethernet4/0/52 enable [4500]sysname hello [hello]xrn-fabric authentication-mode simple welcome ■ In the example, it is assumed that the system will automatically change the unit IDs of Switch B, Switch C and Switch D to 2, 3 and 4 after you choose auto-numbering for unit-id.
  • Page 163: Rstp Configuration

    Chapter 10: RSTP Configuration. This chapter covers the following topics: ■ STP Overview ■ RSTP Configuration ■ RSTP Configuration Example. STP Overview: Spanning Tree Protocol (STP) is applied in networks with loops to block some redundant paths with certain algorithms and prune the network into a loop-free tree, thereby avoiding the proliferation and infinite cycling of packets in the looped network.
  • Page 164 What are the Designated Bridge and Designated Port? Figure 47 Designated Bridge and Designated Port (Switch A, Switch B and Switch C). For a Switch, the designated bridge is the Switch in charge of forwarding BPDUs to the local Switch via a port called the designated port.
  • Page 165 In the figure above, the priorities of Switch A, B and C are 0, 1 and 2 and the path costs of their links are 5, 10 and 4 respectively. 1 Initial state: When initialized, each port of the Switches generates a configuration BPDU taking itself as the root, with a root path cost of 0, the designated bridge ID as its own Switch ID and the designated port as the port itself.
  • Page 166 The comparison process of each Switch is as follows. ■ Switch A: AP1 receives the configuration BPDU from Switch B and finds that the local configuration BPDU's priority is higher than that of the received one, so it discards the received configuration BPDU.
  • Page 167: Configuration Bpdu Forwarding Mechanism In Stp

    CP2 will receive the updated configuration BPDU, {0, 5, 1, BP2}, from Switch B. Since this configuration BPDU is better than the old one, the old BPDU will be updated to {0, 5, 1, BP2}. Meanwhile, CP1 receives the configuration BPDU from Switch A, but its configuration BPDU will not be updated and retains {0, 0, 0, AP2}.
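The election walked through on pages 165 to 167 is a lexicographic comparison of the four-field configuration BPDU {root ID, root path cost, designated bridge ID, designated port ID}, with the link cost added on receipt and the smaller vector winning. The following is an added example written for this page, not code from the 3Com guide or the switch: it runs that comparison to convergence on the three-switch network and reproduces the {0, 5, 1, BP2} and {0, 0, 0, AP2} BPDUs quoted above. Bridge IDs are the priorities from Figure 47 (A=0, B=1, C=2). The link costs A-B=5, A-C=10 and B-C=4, the port naming (AP1/BP1 on the A-B link, AP2/CP1 on the A-C link, BP2/CP2 on the B-C link, port IDs 1 and 2) and the treatment of every link as point-to-point are assumptions read from the figure; the function and class names are mine.

```python
"""Spanning-tree root election by configuration-BPDU comparison.
Added example, not code from the 3Com guide. Topology and port naming are
assumptions read from Figure 47 (see the lead-in).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Bpdu = Tuple[int, int, int, int]   # (root id, root path cost, designated bridge id, designated port id)


@dataclass
class Port:
    name: str
    port_id: int
    peer: str                        # bridge at the far end of the link
    cost: int                        # path cost of the attached link
    received: Optional[Bpdu] = None
    sends: Optional[Bpdu] = None     # None: this port does not send BPDUs
    role: str = "designated"


@dataclass
class Bridge:
    name: str
    bridge_id: int
    ports: Dict[str, Port]
    root_path_cost: int = 0


def better(a: Optional[Bpdu], b: Optional[Bpdu]) -> bool:
    """True if BPDU a beats b; a missing BPDU loses to any real one."""
    if b is None:
        return a is not None
    return a is not None and a < b


def run_stp(bridges: Dict[str, Bridge], max_rounds: int = 20) -> int:
    """Exchange BPDUs until no role changes; returns the rounds used."""
    for b in bridges.values():
        for p in b.ports.values():      # initial state: everyone claims to be root
            p.sends = (b.bridge_id, 0, b.bridge_id, p.port_id)
    for rnd in range(1, max_rounds + 1):
        for b in bridges.values():      # deliver each port's BPDU to the far end
            for p in b.ports.values():
                far = next(q for q in bridges[p.peer].ports.values() if q.peer == b.name)
                far.received = p.sends
        changed = False
        for b in bridges.values():
            best: Bpdu = (b.bridge_id, 0, b.bridge_id, 0)
            root_port = None
            for p in sorted(b.ports.values(), key=lambda x: x.port_id):
                if p.received is None:
                    continue
                r = p.received
                cand: Bpdu = (r[0], r[1] + p.cost, r[2], r[3])   # add link cost on receipt
                if cand < best:         # strict: lower port ID keeps ties
                    best, root_port = cand, p
            b.root_path_cost = best[1]
            for p in b.ports.values():
                if p is root_port:
                    role, sends = "root", None
                else:
                    mine: Bpdu = (best[0], best[1], b.bridge_id, p.port_id)
                    if better(p.received, mine):
                        role, sends = "alternate", None   # blocked: far end is designated
                    else:
                        role, sends = "designated", mine
                if (role, sends) != (p.role, p.sends):
                    changed = True
                    p.role, p.sends = role, sends
        if not changed:
            return rnd
    raise RuntimeError("spanning tree did not converge")


def build_figure47() -> Dict[str, Bridge]:
    def bridge(name, bid, *ports):
        return Bridge(name, bid, {p.name: p for p in ports})
    return {
        "A": bridge("A", 0, Port("AP1", 1, "B", 5), Port("AP2", 2, "C", 10)),
        "B": bridge("B", 1, Port("BP1", 1, "A", 5), Port("BP2", 2, "C", 4)),
        "C": bridge("C", 2, Port("CP1", 1, "A", 10), Port("CP2", 2, "B", 4)),
    }


def port_roles(bridges: Dict[str, Bridge]) -> Dict[str, Dict[str, str]]:
    return {b.name: {p.name: p.role for p in b.ports.values()} for b in bridges.values()}
```

Switch C ends with CP2 as its root port at cost 9 (5 via B plus 4) and CP1 blocked, because the {0, 0, 0, AP2} it keeps receiving there is better than the {0, 9, 2, CP1} it could send itself. The same comparison is why an attacker-injected BPDU with root ID 0 would win every election on such a network, which is the case the root-protection function described later in the chapter exists for.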
  • Page 168: Implement Rstp On The Switch

    designated port begin to send data again. That is, the root port and designated port should undergo a transitional state for a period of Forward Delay before they enter the forwarding state. Implement RSTP on the Switch: The Switch implements the Rapid Spanning Tree Protocol (RSTP), an enhanced form of STP.
  • Page 169: Rstp Configuration

    RSTP Configuration: The configuration of RSTP changes with the position of the Switch in the network, as discussed below. Figure 50 Configuring STP (Switch A and Switch B: root bridge and backup root; Switch C and Switch D: intermediate Switches in the network; Switch E, Switch F and Switch G: Switches directly...
  • Page 170 (Device Configuration; Default Value; Note): Configure the Bridge preference of a Switch; the Bridge preference of a Switch is 32768; a Switch can be made the root bridge by setting its Bridge preference to 0. Specify Forward Delay; Forward Delay fixes...; the other Switches copy the...
  • Page 171 (Device Configuration; Default Value; Note): Configure the timeout time factor of a Switch; the Switch, if it has not received any Hello packet from the upstream...; in a stable network, it is recommended to set the timeout time factor to 5, 6, or 7. Then the Switch will not consider the...
  • Page 172: Enable/Disable Rstp On A Switch

    (Device Configuration; Default Value; Note, continued): Configure the timeout time factor of a Switch; the Switch, if it has not received any Hello packet from the upstream...; in a stable network, it is recommended to set the timeout time factor to 5, 6, or 7. Then the Switch will not consider the...
  • Page 173: Enable/Disable Rstp On A Port

    (Operation; Command): Restore RSTP to the default value; undo stp. Only after RSTP is enabled on the Switch can other configurations take effect. By default, RSTP is enabled. Enable/Disable RSTP on a Port: You can use the following command to enable/disable RSTP on the designated port.
  • Page 174: Set Priority Of A Specified Bridge

    consequent blocking by configuring the STP-Ignore attribute on the appropriate Switch. Once an STP-Ignored VLAN is configured, the packets of this VLAN will be forwarded on any Switch port, with no restriction from the calculated STP path. You can configure the STP-Ignore attribute on a Switch by using the following commands.
  • Page 175: Set Forward Delay Of A Specified Bridge

    You can configure more than one secondary root for a spanning tree through specifying the secondary STI root on two or more Switches. Generally, 3Com recommends designating one primary root and two or more secondary roots for a spanning tree.
  • Page 176: Set Hello Time Of The Specified Bridge

    that if the Forward Delay is configured too short, transient redundant paths (temporary loops) may occur. If the Forward Delay is configured too long, restoring the network connection may take a long time. It is recommended to use the default setting. By default, the bridge Forward Delay is 15 seconds.
  • Page 177: Specifying The Maximum Transmission Rate Of Stp Packets On A Port

    You can use the following command to set the timeout factor (the multiple of hello time) of a specified bridge. Perform the following configurations in System View. Table 179 Set Timeout Factor of the Bridge (Operation; Command): Set the multiple value of hello time of a specified bridge; stp timeout-factor number. Restore the default multiple value of hello time; undo stp timeout-factor...
  • Page 178: Specifying The Path Cost On A Port

    Ethernet port is not connected with any Ethernet port of other bridges, this port should be set as an EdgePort. If a specified port connected to a port of any other bridge is configured as an edge port, RSTP will automatically detect and reconfigure it as a non-EdgePort.
  • Page 179: Set The Priority Of A Specified Port

    RSTP Configuration. Restore the default standard to be used: undo stp pathcost-standard. By default, the Switch calculates the default Path Cost of a port by the IEEE 802.1t standard. Set the Priority of a Specified Port: The port priority is an important basis for deciding whether the port can be a root port. In the calculation of the spanning tree, the port with the highest priority will be selected as the root port, assuming all other conditions are the same.
  • Page 180: Set Mcheck Of The Specified Port

    link. Note that, for an aggregated port, only the master port can be configured to connect with the point-to-point link. After auto-negotiation, the port working in full duplex can also be configured to connect with such a link. You can manually configure the active Ethernet port to connect with the point-to-point link.
  • Page 181: Display And Debug Rstp

    RSTP Configuration. ...again. In this case, the former root port will become a designated port and the former blocked ports will enter the forwarding state; as a result, a link loop will be generated. The security functions can control the generation of loops. After such a function is enabled, the root port cannot be changed and the blocked port will remain in “Discarding”...
  • Page 182: Rstp Configuration Example

    Table 188 Display and Debug RSTP: Display RSTP configuration information about the local Switch and the specified ports: display stp [ interface interface_list ]. Display the list of STP-Ignored VLANs: display stp ignored-vlan. Clear RSTP statistics information: reset stp [ interface interface_list ]...
  • Page 183

    RSTP Configuration Example. ...however, be careful and do not disable those involved. (The following configuration takes GigabitEthernet 1/0/25 as an example.)
    [4500]interface gigabitethernet 1/0/25
    [4500-GigabitEthernet1/0/25]stp disable
    c To configure Switch A as a root, you can either configure its Bridge priority as 0 or simply use the command to specify it as the root.
  • Page 184

    c Configure Switch C and Switch B to serve as standby for each other and set the Bridge priority of Switch C to 8192.
    [4500]stp priority 8192
    d Enable the Root protection function on every designated port.
    [4500]interface Ethernet 1/0/1
    [4500-Ethernet1/0/1]stp root-protection
    [4500]interface Ethernet 1/0/2...
  • Page 185: Configuration

    802.1X Configuration. This chapter covers the following topics: ■ IEEE 802.1X Overview ■ Configuring 802.1X ■ AAA and RADIUS Protocol Configuration. For information on setting up a RADIUS server and RADIUS client, refer to Appendix. For details on how to authenticate the Switch 4500 with a Cisco Secure ACS server with TACACS+, refer to Appendix. IEEE 802.1X Overview...
  • Page 186: Authentication Process

    Chapter 11: 802.1X Configuration. ...provided by 3Com (or by Microsoft Windows XP). The 802.1X Authentication Server system normally stays in the carrier's AAA center. The Authenticator and the Authentication Server exchange information through EAP (Extensible Authentication Protocol) frames. The user and the Authenticator exchange information through the EAPoL (Extensible Authentication Protocol over LANs) frames defined by IEEE 802.1X.
  • Page 187: Implementing 802.1X On The Switch

    Configuring 802.1X. The EAPoL-Encapsulated-ASF-Alert is related to the network management information and is terminated by the Authenticator. Although 802.1X provides user ID authentication, 802.1X itself is not enough to implement the scheme. The administrator of the access device should configure the AAA scheme, selecting RADIUS or local authentication, to assist 802.1X in implementing the user ID authentication.
  • Page 188: Setting The Port Access Control Mode

    this command is used in Ethernet port view, the parameter interface-list cannot be input and 802.1X can only be enabled on the current port. Perform the following configurations in System View or Ethernet Port View. Table 189 Enabling/Disabling 802.1X (Operation / Command)...
  • Page 189: Checking The Users That Log On The Switch Via Proxy

    Configuring 802.1X. Checking the Users that Log on the Switch via Proxy: The following commands are used for checking the users that log on the Switch via proxy. Perform the following configurations in System View or Ethernet Port View. Table 192 Checking the Users that Log on the Switch via Proxy: Enable the check for...
  • Page 190: Configuring The Authentication Method For 802.1X User

    Configuring the Authentication Method for 802.1X User: The following commands can be used to configure the authentication method for 802.1X users. Three methods are available: PAP authentication (the RADIUS server must support PAP authentication), CHAP authentication (the RADIUS server must support CHAP authentication), and EAP relay authentication (the Switch sends authentication information to the RADIUS server directly in the form of EAP packets, and the RADIUS server must support EAP authentication).
  • Page 191: Enabling/Disabling A Quiet-Period Timer

    Configuring 802.1X. handshake-period-value: Handshake period. The value ranges from 1 to 1024 in units of seconds and defaults to 15. quiet-period: Specify the quiet timer. If an 802.1X user has not passed the authentication, the Authenticator will keep quiet for a while (which is specified by the timer) before launching the authentication again.
  • Page 192: Displaying And Debugging 802.1X

    Displaying and Debugging 802.1X: After the above configuration, execute the display command in any view to display the running of the VLAN configuration, and to verify the effect of the configuration. Execute the reset command in User View to reset 802.1X statistics. Execute the command in User View to debug 802.1X.
  • Page 193

    Configuring 802.1X. Networking Diagram: Figure 53 Enabling 802.1X and RADIUS to Perform AAA on the User (figure labels: Authentication Servers, RADIUS Server Cluster, IP Address: 10.11.1.1 ...)
  • Page 194: Aaa And Radius Protocol Configuration

    [4500-radius-radius1]timer 5
    [4500-radius-radius1]retry 5
    9 Set the interval for the system to transmit real-time accounting packets to the RADIUS server.
    [4500-radius-radius1]timer realtime-accounting 15
    10 Configure the system to transmit the user name to the RADIUS server after removing the domain name.
  • Page 195: Implementing Aaa/Radius On The Ethernet Switch

    AAA and RADIUS Protocol Configuration. What is RADIUS? Remote Authentication Dial-In User Service (RADIUS) is a distributed information exchange protocol with a client/server architecture. RADIUS can protect the network from unauthorized access, and it is often used in network environments requiring both high security and remote user access.
  • Page 196: Configuring Aaa

    Figure 54 Networking when Switch 4500 Units are Applying RADIUS Authentication (figure labels: PC user1 to PC user4, Authentication Server, Accounting Server1, Accounting Server2, SW 5500, ISP1, ISP2, Internet, Accounting Server)...
  • Page 197: Configuring Relevant Attributes Of The Isp Domain

    AAA and RADIUS Protocol Configuration. Table 201 Creating/Deleting an ISP Domain: Create an ISP domain or enter the view of a specified domain: domain isp_name. Remove a specified ISP domain: undo domain isp_name. Enable the default ISP domain specified by isp-name: domain default enable isp_name. Restore the default ISP domain to...: domain default disable...
  • Page 198

    Table 203 Configuring ISP Domain State: Specify the ISP domain state to be active: state active. Specify the ISP domain state to be block: state block. By default, after an ISP domain is created, the state of the domain is active. Setting Access Limit: The maximum number of users specifies how many users can be contained in the ISP domain.
  • Page 199: Enabling/Disabling The Messenger Alert

    AAA and RADIUS Protocol Configuration. Enabling/Disabling the Messenger Alert: The messenger alert function allows the clients to inform the online users about their remaining online time through the message alert dialog box. The implementation of this function is as follows: ■ On the switch, use the following command to enable this function and to...
  • Page 200: Creating A Local User

    Note that, if " " is contained in the URL, you must replace it with " " when inputting the URL in the command line. The "Change user password" option is available only when the user passes the authentication;...
  • Page 201: Disconnecting A User By Force

    AAA and RADIUS Protocol Configuration. Set a service type for the specified user: service-type { ftp [ ftp-directory directory ] | lan-access | { ssh | telnet | terminal }* }. Cancel the service type of the specified user: undo service-type { ftp [ ftp-directory ] | lan-access | { ssh | telnet | terminal }* [ level level ] }...
  • Page 202: Configuring The Radius Protocol

    Configuring the RADIUS Protocol: For the Switch 4500, the RADIUS protocol is configured on a per-RADIUS-scheme basis. In a real networking environment, a RADIUS scheme can be an independent RADIUS server or a set of primary/secondary RADIUS servers with the same configuration but two different IP addresses.
  • Page 203: Configuring Radius Authentication/Authorization Servers

    AAA and RADIUS Protocol Configuration. Several ISP domains can use a RADIUS scheme at the same time. You can configure up to 16 RADIUS schemes, including the default scheme named system. By default, the system has a RADIUS scheme named system whose attributes are all default values.
  • Page 204

    Perform the following configurations in RADIUS Scheme View. Table 215 Configuring RADIUS Accounting Servers: Set the IP address and port number of the primary RADIUS accounting server: primary accounting ip_address [ port_number ]. Restore the IP address and port number of the primary RADIUS accounting server to the default values: undo primary accounting
  • Page 205

    AAA and RADIUS Protocol Configuration. Table 216 Setting the Maximum Times of Real-time Accounting Request Failing to be Responded: Set the maximum times of real-time accounting request failing to be responded: retry realtime-accounting retry_times. Restore the maximum times to the default value: undo retry realtime-accounting. How to calculate the value of retry-times? Suppose that the RADIUS server...
  • Page 206: Setting The Radius Packet Encryption Key

    Restore the default RADIUS accounting packet key: undo key accounting. By default, the keys of RADIUS authentication/authorization and accounting packets are all “3com”. Setting Retransmission Times of RADIUS: Since the RADIUS protocol uses UDP packets to carry the data, the communication process is not reliable.
  • Page 207: Setting The Radius Server State

    Table 222 Setting the Supported Type of the RADIUS Server: Set the supported type of RADIUS server: server-type { 3com | standard }. Restore the RADIUS server type to the default setting: undo server_type. By default, a newly created RADIUS scheme supports the server type standard while the "system"...
  • Page 208: Setting The Unit Of Data Flow That Transmitted To The Radius Server

    By default, the IP address of the local RADIUS authentication server is 127.0.0.1 and the password is 3com. 1) When using the local RADIUS server function of 3Com, remember that the UDP port number used for authentication is 1645 and that for accounting is 1646.
  • Page 209: Configuring Source Address For Radius Packets Sent By Nas

    AAA and RADIUS Protocol Configuration. Configuring Source Address for RADIUS Packets Sent by NAS: Perform the following configurations in the corresponding view. Table 227 Configuring Source Address for the RADIUS Packets sent by the NAS: Configure the source address to be carried in the RADIUS packets sent by the NAS (RADIUS scheme view): nas-ip ip_address.
  • Page 210: Displaying And Debugging Aaa And Radius Protocol

    NAS and RADIUS that are required. When there are a large number of users (1000 or more), 3Com suggests a larger value. The following table recommends the ratio of the value to the number of users.
  • Page 211: Aaa And Radius Protocol Configuration Example

    AAA and RADIUS Protocol Configuration. Display related information of the local user: display local-user [ domain isp_name | idle-cut { disable | enable } | service-type { telnet | ftp | lan-access | ssh | terminal } | state { active | block } | user-name user_name | vlan vlan_id ]. Display the statistics of local RADIUS: display local-server statistics...
  • Page 212

    [4500]domain cams
    [4500-isp-cams]quit
    4 Configure the RADIUS scheme.
    [4500]radius scheme cams
    [4500-radius-cams]primary authentication 10.110.91.146 1812
    [4500-radius-cams]key authentication expert
    [4500-radius-cams]server-type 3com
    [4500-radius-cams]user-name-format without-domain
    5 Configure the association between the domain and the RADIUS scheme.
    [4500-radius-cams]quit
    [4500]domain cams
    [4500-isp-cams]scheme radius-scheme cams
    Configuring the FTP/Telnet User Local Authentication: Configuring local authentication for FTP users is similar to that for Telnet users.
  • Page 213: Configuring The Switch 4500

    2 Method 2: Using the local RADIUS authentication server. The local server method is similar to remote RADIUS authentication, but you should set the server IP address to 127.0.0.1, the authentication password to 3com, and the UDP port number of the authentication server to 1645.
  • Page 214

    It is not recommended that you change the system domain, as it could result in locking all users out of the switch. This could happen if you change the default local scheme to use an external RADIUS server which is unavailable.
    1 A new RADIUS scheme should be created as follows:
    [4500]radius scheme NewSchemeName
    New Radius scheme...
  • Page 215

    AAA and RADIUS Protocol Configuration.
    802.1X is enabled on port Ethernet1/0/10
    802.1X is enabled on port Ethernet1/0/11
    802.1X is enabled on port Ethernet1/0/12
    802.1X is enabled on port Ethernet1/0/14
    802.1X is enabled on port Ethernet1/0/15
    802.1X is enabled on port Ethernet1/0/16
    802.1X is enabled on port Ethernet1/0/17
    802.1X is enabled on port Ethernet1/0/18
    802.1X is enabled on port Ethernet1/0/19...
  • Page 216: Aaa And Radius Protocol Fault Diagnosis And Troubleshooting

    AAA and RADIUS Protocol Fault Diagnosis and Troubleshooting: The RADIUS protocol of the TCP/IP protocol suite is located at the application layer. It mainly specifies how to exchange user information between the NAS and the RADIUS server of the ISP, so it may fail. Fault One: User Authentication/Authorization Always Fails. Troubleshooting: The username may not be in the...
  • Page 217: Problem Diagnosis

    RADIUS debugging, enter the command: <4500-xx> debugging radius packet. ■ 3Com-User-Access-Level: This determines the access level a user will have on Switch login. This can be administrator, manager, monitor or visitor. You may need to add the return list attributes to a dictionary file using the...
  • Page 218
  • Page 219: File System Management

    File System Management. This chapter covers the following topics: ■ File System Overview ■ Configuring File Management ■ FTP Overview ■ TFTP Overview ■ MAC Address Table Management ■ Device Management ■ System Maintenance and Debugging ■ Displaying the State and Information of the System ■...
  • Page 220: File Operation

    Chapter 12: File System Management. ...a specified directory. You can use the following commands to perform directory operations. Perform the following configuration in User View. Table 233 Directory Operation: Create a directory: mkdir directory. Delete a directory: rmdir directory. Display the current working directory. Display the information about directories or files: dir [ / all ] [ file-url ]...
  • Page 221: Storage Device Operation

    Configuring File Management. Table 235 Execute the Specified Batch File: Execute the specified batch file: execute filename. Storage Device Operation: The file system can be used to format a specified memory device. You can use the following commands to format a specified memory device. Perform the following configuration in User View.
  • Page 222: Displaying The Current-Configuration And Saved-Configuration Of The Switch

    Displaying the Current-configuration and Saved-configuration of the Switch: After being powered on, the system reads the configuration files from Flash for the initialization of the device. (Such configuration files are called saved-configuration files.) If there is no configuration file in Flash, the system will begin the initialization with the default parameters.
  • Page 223: Configuring The Name Of The Configuration File Used For The Next Startup

    FTP Overview. You may erase the configuration files from the Flash in the following cases: ■ After being upgraded, the software does not match the configuration files. ■ The configuration files in flash are damaged. (A common case is that a wrong...
  • Page 224: Enabling/Disabling Ftp Server

    Table 243 Configuration of the Switch as FTP Client (Device / Configuration / Default / Description). Switch: Log into the remote FTP server directly with the ftp command. You first need to get the FTP user name and password, and then log into the remote FTP server.
  • Page 225: Configuring The Running Parameters Of Ftp Server

    FTP Overview. Configure service type for local user (Local User View): service-type ftp ftp-directory directory. Cancel password for local user (Local User View): undo password. Cancel service type for local user (Local User View): undo service-type ftp [ ftp-directory ]. Only the clients who have passed the authentication and authorization successfully can access the FTP server.
  • Page 226

    on the PC. The IP address of a VLAN interface on the Switch is 1.1.1.1, and that of the PC is 2.2.2.2. The Switch and PC are reachable. The Switch application is stored on the PC. Using FTP, the Switch can download switch.app from the remote FTP server and upload the...
  • Page 227: Ftp Server Configuration Example

    FTP Overview.
    [ftp]quit
    <4500>
    7 Use the boot boot-loader command to specify the downloaded program as the boot application at the next login and reboot the Switch.
    <4500> boot boot-loader switch.app
    <4500> reboot
    FTP Server Configuration Example. Networking Requirement: The Switch serves as FTP server and the remote PC as FTP client. The configuration on the FTP server: Configure an FTP user named Switch, with password hello and with read and write authority over the flash root directory on the PC.
  • Page 228: Tftp Overview

    <4500> boot boot-loader switch.app
    <4500> reboot
    TFTP Overview: Trivial File Transfer Protocol (TFTP) is a simple protocol for file transmission. Compared with FTP, another file transmission protocol, TFTP has no complicated interactive access interface or authentication control, and therefore it can be used when there is no complicated interaction between the clients and the server.
  • Page 229: Uploading Files By Means Of Tftp

    TFTP Overview. Uploading Files by means of TFTP: To upload a file, the client sends a request to the TFTP server, then transmits data to it and receives the acknowledgement from it. You can use the following commands to upload files. Perform the following configuration in User View.
  • Page 230: Mac Address Table Management

    [4500-vlan-interface1]quit
    5 Upload config.cfg to the TFTP server.
    <4500> tftp 1.1.1.2 put config.cfg config.cfg
    6 Download switch.app from the TFTP server.
    <4500> tftp 1.1.1.2 get switch.app switch.app
    7 Use the boot boot-loader command to specify the downloaded program as the boot application at the next login and reboot the Switch.
  • Page 231: Mac Address Table Configuration

    MAC Address Table Management. You can configure (add or modify) the MAC address entries manually according to the actual networking environment. The entries can be static or dynamic. MAC Address Table Configuration: MAC address table management includes: ■ Set MAC Address Table Entries...
  • Page 232: Displaying Mac Address Table

    Table 253 Set the MAC Address Aging Time for the System: Set the dynamic MAC address aging time: mac-address timer { aging age | no-aging }. Restore the default MAC address aging time: undo mac-address timer aging. In addition, this command takes effect on all the ports.
  • Page 233: Mac Address Table Management Display Example

    MAC Address Table Management. Display the aging time of dynamic address table entries: display mac-address aging-time. MAC Address Table Management Display Example. Networking Requirements: The user logs into the Switch via the Console port to display the MAC address table.
  • Page 234: Device Management

    Networking Diagram: Figure 64 Typical Configuration of Address Table Management (figure labels: Internet, Network Port, Console Port, Switch). Configuration Procedure: 1 Enter the System View of the Switch. <4500> system-view 2 Add a MAC address (specify the native VLAN, port and state). [4500]mac-address static 00e0-fc35-dc71 interface ethernet1/0/2 vlan 3 Set the address aging time to 500s.
  • Page 235

    Device Management. Table 256 Reboot the Switch: Reboot the Switch: reboot [ unit unit-id ]. Enabling the Timing Reboot Function: After enabling the timing reboot function on the Switch, the Switch will be rebooted at the specified time. Perform the following configuration in User View; the display schedule command can be performed in any view.
  • Page 236: Device Management Configuration Example

    Table 260 Display and Debug Device Management: Display the module types and running states of each card: display device [ unit unit-id ]. Display the running state of the built-in fans: display fan [ unit unit-id ]. Display the used status of Switch memory: display memory [ unit unit-id ]. Display the state of the power.
  • Page 237: System Maintenance And Debugging

    System Maintenance and Debugging. CAUTION: If the flash memory of the Switch is insufficient, you need to first delete the existing programs in the flash memory and then upload the new ones. 3 Type in the correct command in User View to establish the FTP connection, then enter the correct username and password to log into the FTP server.
  • Page 238: Displaying The State And Information Of The System

    Setting the System Clock: Perform the clock datetime command in User View. Table 262 Set the System Clock: Set the system clock: clock datetime time date. Setting the Time Zone: You can configure the name of the local time zone and the time difference between the local time and Coordinated Universal Time (UTC).
  • Page 239: System Debugging

    Displaying the State and Information of the System. ■ Sending output information of the commands from the Switch you have logged into to your terminal. ■ Supporting simultaneous configuration by multiple users. You cannot configure the configuration agent, but you can view the statistics of the configuration agent.
  • Page 240

    Figure 66 Debug Output (figure labels: Debugging information, Protocol debugging switch, Screen output switch). You can use the following commands to control the above-mentioned debugging. Perform the following operations in User View. Table 266 Enable/Disable the Debugging: Enable the protocol debugging...
  • Page 241: Testing Tools For Network Connection

    Testing Tools for Network Connection. After the synchronization of the whole fabric, a great deal of terminal output is generated. It is recommended not to enable the information synchronization switch for the whole fabric. If you have enabled the information synchronization switch, then once the synchronization information statistics and detection are done, you must execute the command to disable the switch promptly.
  • Page 242: Logging Function

    Table 269 Test Periodically if the IP address is Reachable: Configure the IP address requiring periodical testing: end-station polling ip-address ip-address. Delete the IP address requiring periodical testing: undo end-station polling ip-address ip-address. The Switch can ping an IP address every minute to test if it is reachable.
  • Page 243

    Logging Function. When the log information is output to the info-center, the first part will be “<Priority>”. For example: <187>Jun 7 05:22:03 2003 4500 IFNET/6/UPDOWN:Line protocol on interface Ethernet1/0/2, changed state to UP. The description of the components of log information is as follows: 1 Priority: The priority is computed according to the following formula: facility*8+severity-1.
  • Page 244

    There is a blank between sysname and module name. 4 Module name: The module name is the name of the module which created this logging information; the following table lists some examples: Table 270 Module Names in Logging Information (Module name / Description): 8021X...
  • Page 245

    Logging Function. (Module name / Description, continued) Radius module; Routing management; RMON: Remote monitor module; Rivest, Shamir and Adleman encryption system; RTPRO: Routing protocol; SHELL: User interface; SNMP: Simple network management protocol; SOCKET: Socket; Secure shell module; Spanning tree protocol module; SYSMIB: System MIB module; TELNET: Telnet module...
  • Page 246: Info-Center Configuration

    Note that there is a colon between digest and content. 7 Content: It is the content of the logging information. Info-Center Configuration: The Switch supports six output directions of information. The system assigns a channel in each output direction by default. See the table below.
  • Page 247

    Logging Function. 2 Sending the information to the control terminal. Table 274 Sending the Information to the Control Terminal (Device / Configuration / Default Value / Configuration Description): Enable info-center. Default Value: By default, info-center is enabled. Description: Other configurations are valid only if the info-center is enabled.
  • Page 248

    Table 276 Sending the Information to Log Buffer (Device / Configuration / Default Value / Configuration Description): Enable info-center. Default Value: By default, info-center is enabled. Description: Other configurations are valid only if the info-center is enabled. Set the information output direction to logbuffer. Description: You can configure the size of the log buffer at the same time.
  • Page 249: Sending The Information To Loghost

    Logging Function. Figure 68 Turn on/off the Information Synchronization Switch in Fabric (Device / Configuration / Default Value / Description): Enable info-center. Default Value: By default, info-center is enabled. Description: Other configurations are valid only if the info-center is enabled. Switch: Set the information output direction to log ... Default Value: By default, Switches of master in Fabric, debugging and trap ... Description: This configuration can...
  • Page 250: Sending The Information To Control Terminal

    Figure 69 Defining Information Source: Define information source: info-center source { modu-name | default } channel { channel-number | channel-name } [ { log | trap | debug }* { level severity | state state }* ]. Cancel the configuration of...: undo info-center source { modu-name | default...
  • Page 251

    Logging Function. Info-center is enabled by default. After info-center is enabled, system performance is affected when the system processes a large amount of information, because of the information classification and output. 2 Configuring to output information to the control terminal. Perform the following operation in System View. Table 283 Configuring to Output Information to Control Terminal (Operation / Command)...
  • Page 252: Sending The Information To Telnet Terminal Or Dumb Terminal

    Table 285 Configuring the Output Format of Time-stamp: Configure the output format of the time-stamp: info-center timestamp { log | trap | debugging } { boot | date | none }. Disable the output time-stamp: undo info-center timestamp { log | trap | debugging }. 4 Enable terminal display function...
  • Page 253

    Logging Function. 3 Configuring information source on the Switch: With this configuration, you can define which modules generate the information sent to the Telnet terminal or dumb terminal, as well as the information type, information level, and so on. Perform the following operation in System View: Table 289 Defining Information Source (Operation...
  • Page 254: Sending The Information To The Log Buffer

    For example, if you have set the log information as the information sent to the Telnet terminal or dumb terminal, you need to use the terminal logging command to enable the terminal display function of log information on the Switch; then you can view the information at the Telnet terminal or dumb terminal.
  • Page 255: Sending The Information To The Trap Buffer

    Logging Function. Perform the following operation in System View: Table 294 Defining the Information Source: Define information source: info-center source { modu-name | default } channel { channel-number | channel-name } [ { log | trap | debug }* { level severity | state state }* ]. Cancel the configuration of...: undo info-center source { modu-name | default }...
  • Page 256

    Info-center is enabled by default. After info-center is enabled, system performance is affected when the system processes a large amount of information, because of the information classification and output. 2 Configuring to output information to the trap buffer. Perform the following operation in System View. Table 297 Configuring to Output Information to Trap Buffer (Operation / Command)...
  • Page 257: Sending The Information To Snmp Network Management

    Logging Function. Table 299 Configuring the Output Format of Time-stamp: Configure the output format of the time-stamp: info-center timestamp { log | trap | debugging } { boot | date | none }. Disable the output time-stamp: undo info-center timestamp { log | trap | debugging }. Sending the Information to SNMP Network Management: To send information to SNMP NM, follow the steps below:...
  • Page 258

    Every channel has a default record, whose module name is default and whose module number is 0xffff0000. However, for different channels, the default record may have different default settings for log, trap and debugging. When there is no specific configuration record for a module in the channel, the default one is used.
  • Page 259: Configuration Examples Of Sending Log To UNIX Loghost

    Logging Function. Table 305 Turn on/off the Information Synchronization Switch of Every Switch (Operation: Command). Turn on the information synchronization switch of the specified Switch: info-center switch-on { unit-id | master | all } [ debugging | logging | trapping ]*. Turn off the information synchronization switch of the ...: undo info-center switch-on { unit-id ...
  • Page 260 Networking Diagram. Figure 71 Schematic Diagram of Configuration (network and Switches). Configuration Procedure. 1 Configuration on the Switch. a Enable info-center: [4500]info-center enable. b Set the host with the IP address 202.38.1.10 as the loghost; set the severity level threshold value to informational; set the output language to English;...
  • Page 261: Configuration Examples For Sending Log To Linux Loghost

    Logging Function. c After the establishment of the information (log file) and the revision of /etc/syslog.conf, you should send a HUP signal to syslogd (the system daemon), through the following commands, to make syslogd reread its configuration file /etc/syslog.conf:
    # ps -ae | grep syslogd
    # kill -HUP 147
    After the above operations, the Switch system can record information in the related log files.
  • Page 262: Configuration Examples Of Sending Log To Control Terminal

    a Perform the following commands as the super user (root):
    # mkdir /var/log/4500
    # touch /var/log/4500/information
    b Edit the file /etc/syslog.conf as the super user (root) and add the following selector/action pairs:
    # 4500 configuration messages
    local7.info /var/log/4500/information
    Note the following points when editing /etc/syslog.conf: (1) A comment must occupy a line by itself and start with the character #.
  • Page 263: SNMP Configuration

    SNMP Configuration. Networking Diagram: Figure 73 Schematic Diagram of Configuration (consoles connected to Switches). Configuration Procedure. 1 Configuration on the Switch. Enable info-center: [4500]info-center enable. 2 Configure control terminal log output; allow modules ARP and IP to output information;...
  • Page 264: SNMP Versions And Supported MIB

    SNMP Versions and Supported MIB. To uniquely identify the management variables of a device in SNMP messages, SNMP adopts a hierarchical naming scheme to identify the managed objects. It is like a tree: a tree node represents a managed object, as shown in the figure below.
  • Page 265: Configure SNMP

    SNMP Configuration. Configure SNMP. The main configuration of SNMP includes: ■ Set community name; ■ Set the method of identifying and contacting the administrator; ■ Enable/disable SNMP agent to send trap; ■ Set the destination address of trap; ■ Set SNMP system information; ■ ...
  • Page 266: Setting The Destination Address Of Trap

    Table 308 Enable/Disable SNMP Agent to Send Trap (Operation: Command). Enable sending of traps: snmp-agent trap enable [ configuration | flash | ospf [ process-id ] [ ospf-trap-list ] | standard [ authentication | coldstart | linkdown | linkup | warmstart ]* | system ]. Disable sending of traps: undo snmp-agent trap enable [ bgp [...
  • Page 267: Setting The Engine ID Of A Local Or Remote Device

    SNMP Configuration (Operation: Command). Restore the default SNMP system information of the Switch: undo snmp-agent sys-info [ { contact | location }* | version { { v1 | v2c | v3 }* | all } ]. By default, the sysLocation is specified as a blank string, that is, “”. Setting the Engine ID of a Local or Remote Device: You can use the following commands to set the engine ID of a local or remote...
  • Page 268: Creating/Updating View Information Or Deleting A View

    Table 315 Add/Delete a User to/from an SNMP Group (Operation: Command). Add a user to an SNMP group: snmp-agent usm-user { v1 | v2c } username groupname [ acl acl-list ]; or snmp-agent usm-user v3 username groupname [ authentication-mode { md5 | sha } authpassstring [ privacy-mode { des56 privpassstring } ] ] [ acl acl-list ]. Delete a user from an...
  • Page 269: Displaying And Debugging SNMP

    SNMP Configuration. If the user disables the SNMP Agent, it will be enabled again by whatever snmp-agent command is configured thereafter. Displaying and Debugging SNMP: After the above configuration, execute the display command in any view to display the running state of the SNMP configuration, and to verify the effect of the configuration.
  • Page 270 [4500]snmp-agent target-host trap address udp-domain 129.102.149.23 udp-port 5000 params securityname public. Configure Network Management System: The Switch supports 3Com Network Director. Users can query and configure the Switch through the network management system. For more information, refer to the network management user documentation.
  • Page 271: Reading Usmusr Table Configuration Example

    SNMP Configuration. Reading Usmusr Table Configuration Example. Networking Requirements: The ViewDefault view should be reconfigured if you use SNMP V3 to read the usmusr table. The snmpVacmMIB and snmpUsmMIB should be included in the ViewDefault view. Networking Diagram: Figure 76 SNMP configuration example (129.102.0.1, 129.102.149.23, Ethernet)...
  • Page 272: RMON Configuration

    View name: ViewDefault
    MIB Subtree: snmpModules.18
    Subtree mask:
    Storage-type: nonVolatile
    View Type: excluded
    View status: active
    RMON Configuration: Remote Network Monitoring (RMON) is a type of IETF-defined MIB. It is the most important enhancement to the MIB II standard. It is mainly used for monitoring the data traffic on a segment and even on a whole network.
  • Page 273 RMON Configuration. ■ Add/Delete an Entry to/from the Statistics Table. Adding/Deleting an Entry to/from the Alarm Table: RMON alarm management can monitor specified alarm variables such as the statistics on a port. When a value of the monitored data exceeds the defined threshold, an alarm event will be generated.
  • Page 274: Displaying And Debugging RMON

    Table 323 Add/Delete an Entry to/from the History Control Terminal (Operation: Command). Add an entry to the history control terminal: rmon history entry-number buckets number interval sampling-interval [ owner text-string ]. Delete an entry from the history control terminal: undo rmon history entry-number.
  • Page 275: RMON Configuration Example

    1 Configure RMON: [4500-Ethernet1/0/1]rmon statistics 1 owner 3com-rmon. 2 View the configurations in User View: <4500> display rmon statistics Ethernet 1/0/1
    Statistics entry 1 owned by 3com-rmon is VALID.
    Gathers statistics of interface Ethernet1/0/1.
    Received: octets : 270149,packets : 1954...
  • Page 276: SSH Terminal Services

    SSH Terminal Services. Secure Shell (SSH) provides information security and strong authentication to prevent attacks such as IP address spoofing and plain-text password interception when users log on to the Switch remotely from an insecure network environment. A Switch can connect to multiple SSH clients.
  • Page 277: Configuring SSH Server

    SSH Terminal Services. ...authentication and RSA authentication. In the first type, the server compares the username and password received with those configured locally. The user is allowed to log on to the Switch if the usernames and passwords match exactly. RSA authentication works in this way: the RSA public key of the client user is configured at the server.
  • Page 278 CAUTION: If the SSH protocol is specified, to ensure a successful login you must configure AAA authentication using the authentication-mode scheme command. The protocol inbound ssh configuration fails if you configure authentication-mode password or authentication-mode none. Once you have configured the SSH protocol successfully for the user interface, you cannot configure...
  • Page 279 SSH Terminal Services. By default, the system does not update the server key. Defining SSH Authentication Timeout Value: Perform the following configurations in System View. Table 331 Defining SSH Authentication Timeout Value (Operation: Command). Define SSH authentication timeout value: ssh server timeout seconds. Restore the default timeout value: undo ssh server timeout. By default, the timeout value for SSH authentication is 60 seconds.
  • Page 280: Configuring SSH Client

    Figure 79 Starting/Terminating Public Key Editing (Operation: Command). Enter public key edit view: public-key-code begin. Terminate public key edit view: public-key-code end. Quit public key view: peer-public-key end. Associating Public Key with SSH User: Perform the following configurations in System View. Figure 80 Associating Public Key with SSH User (Operation: Command)...
  • Page 281 SSH Terminal Services. Figure 81 PuTTY key generator. When the generation process has finished, save the generated public and private keys to files using the Save buttons. Run the sshkey program. This converts the SSH public key to the format required by the Switch.
  • Page 282 Figure 82 SSH key convert. Use the Save button to save this converted key to a file. Open the public key file in Notepad and add the following lines of text before the existing text:
    rsa peer-public-key mykey
    public-key-code begin
    where mykey is a name used to identify the key within the Switch; you may choose...
  • Page 283 SSH Terminal Services. Figure 83 Text file of myKey. Save this to a file ending with a ".bat" extension, for example "keys.bat". This file can be transferred to the Switch using FTP or TFTP. The key is installed using the execute command in System View: [4500]execute keys.bat. Specifying Server IP Address: Start the PuTTY program and the client configuration interface pops up.
  • Page 284 Figure 84 SSH Client Configuration Interface (1). In the Host Name (or IP address) text box, key in the IP address of the Switch, for example 10.110.28.10. You can also input the IP address of an interface in UP state, but its route to the SSH client PC must be reachable.
  • Page 285 SSH Terminal Services. Figure 85 SSH Client Configuration Interface (2). You can select 1, as shown in the above figure. Specifying RSA Private Key File: If you want to enable RSA authentication, you must specify the RSA private key file, which is not required for password authentication. Click [SSH/Auth] to enter the interface shown in the following figure:...
  • Page 286 Figure 86 SSH client configuration interface (3). Click Browse to enter the File Select interface. Choose the desired file and click OK. Opening SSH Connection: Click Open to enter the SSH client interface. If it runs normally, you are prompted to enter username and password.
  • Page 287: SSH Configuration Example

    [4500]user-interface vty 0 4
    [4500-ui-vty0-4]authentication-mode scheme
    [4500-ui-vty0-4]protocol inbound ssh
    [4500]local-user client001
    [4500-luser-client001]password simple 3com
    [4500-luser-client001]service-type ssh
    [4500]ssh user client001 authentication-type password
    Select the default values for SSH authentication timeout value, retry value and update interval of server key. Then run the SSH1.5 client program on the PC which is...
  • Page 288 ...connected to the Switch and access the Switch using username “client001” and password “3com”. 3 For RSA authentication mode: Create local user client002:
    [4500]local-user client002
    [4500-luser-client002]service-type ssh
    4 Specify AAA authentication on the user interface.
  • Page 289: Password Control Configuration Operations

    Password Control Configuration Operations. Introduction to Password Control Configuration: The password control feature is designed to manage the following passwords: ■ Telnet passwords: passwords used by the users who log in to the switch through Telnet. ■ SSH passwords: passwords used by the users who log in to the switch through...
  • Page 290 Chapter 13: Password Control Configuration Operations. Table 335 Functions Provided by Password Control (Function / Description / Application). History password recording: The password configured and once used by a user is called a history (old) password. Application: Telnet, SSH, super, and FTP passwords.
  • Page 291: Password Control Configuration

    Password Control Configuration. Table 335 Functions Provided by Password Control (Function / Description / Application). User blacklist: If the maximum number of attempts is exceeded, the user cannot log in to the switch and is added to the blacklist by the switch. Users in the blacklist are not allowed to log in to the switch.
  • Page 292: Configuring Password Aging

    ...minimum password length (if available), the enable/disable state of history password recording, the processing mode for login attempt failures, and the time when the password history was last cleared. If all the password attempts of a user fail, the system adds the user to the blacklist. You can execute the display password-control blacklist command in any view to check the names and the IP addresses of such users.
  • Page 293: Configuring The Minimum Password Length

    Password Control Configuration. CAUTION: After the user updates the password successfully, the switch saves the old password in a readable file in the flash memory. CAUTION: The switch does not provide the alert function for super passwords. CAUTION: The switch does not provide the alert function for FTP passwords. When an FTP user logs in with a wrong password, the system just informs the user of the password error; it does not allow the user to change the password.
  • Page 294: Configuring User Login Password In Encryption Mode

    CAUTION: When updating a password, do not reuse one of the recorded history passwords, or else the system will prompt you to reset the password. The system administrator can perform the following operations to manually remove history password records.
  • Page 295: Configuring The Timeout For User Password Authentication

    Password Control Configuration. Table 341 Configure Login Attempts Limitation and Failure Processing Mode (Operation / Command / Description). Display the information about one or all users added to the blacklist: display password-control blacklist [ username username | ipaddress ip-address ]. You can execute the display command in any view...
  • Page 296: Displaying Password Control

    If a password authentication is completed without timing out, the user logs in to the switch normally. Table 343 Configuring the Timeout for User Password Authentication (Operation / Command / Description). Enter system view: system-view. Configure the timeout time of ...: by default, it is 60 seconds.
  • Page 297: Configuration Procedure

    Password Control Configuration Example. Configuration Procedure.
    # Configure the system login password.
    <4500>system-view
    System View: return to User View with Ctrl+Z.
    [4500]local-user test
    New local user added.
    [4500-luser-test]password
    Password:**********
    confirm:**********
    # Change the system login password to 0123456789.
    [4500-luser-test]password
    Password:**********
    Confirm :**********
    Updating the password file ,please wait ...
  • Page 299: Password Recovery Process

    However, if the password recovery mechanism is disabled and the user-configurable bootrom password is lost, there is no recovery mechanism available. In this instance, the Switch will need to be returned to 3Com for repair. The following commands are all executed from the Bootrom directly via the console.
  • Page 300: Bootrom Interface

    Appendix A: Password Recovery Process. Bootrom Interface: During the initial boot phase of the Switch (when directly connected via the console), various messages are displayed and the following prompt is shown with a five-second countdown timer: Press Ctrl-B to enter Boot Menu... 4. Before the countdown reaches 0, enter <CTRL>B.
  • Page 301: Skipping The Current Configuration File

    If the user-configured bootrom password is lost, a fixed, unit-unique password can be provided by 3Com Technical Support to bypass the lost password. Please ensure that the Switch is registered with 3Com promptly, as the unit-unique password will only be supplied to the registered owner of the Switch.
  • Page 302: Bootrom Password Recovery

    This option allows the user to disable the fixed, unit-unique password recovery mechanism. If this is disabled and the bootrom password is lost, then recovery will not be possible. In this instance, the Switch will need to be returned to 3Com for repair.
  • Page 303: Setting Up A RADIUS Server

    ■ ... The remainder of this section describes how to set up a RADIUS server using these products. Microsoft IAS RADIUS, Funk RADIUS and FreeRADIUS are not 3Com products and are not supported by 3Com. Configuring Microsoft IAS RADIUS: 3Com has successfully installed and tested Microsoft IAS RADIUS running on a Windows server in a network with the Switch 4500 deployed.
  • Page 304 Appendix B: RADIUS Server and RADIUS Client Setup. ...and Computers window, right-click Domain and choose Properties, then select Change Mode. c Add a user that is allowed to use the network. Go to Active Directory Users and Computers; from the left-hand window right-click the Users folder and choose New >...
  • Page 305 Setting Up a RADIUS Server. e The password for the user must be set to be stored in reversible encryption. Right-click the user account and select Properties. Select the Account tab and check the box labeled Store password using reversible encryption. f Now re-enter the password for the account: right-click the user account and select Reset Password…
  • Page 306 In the Certificate Authority Type window select Enterprise root CA. Enter information to identify the Certificate Authority in the CA Identifying Information window. Enter the storage location in the Data Storage Location window. To complete the installation and set-up of the certificate server, the wizard will require the install CD for Microsoft Windows 2000 Server.
  • Page 307 Setting Up a RADIUS Server. 5 Configure a Certificate Authority. a Go to Programs > Administrative Tools > Certification Authority and right-click Policy Settings under your Certificate Authority server. b Select New > Certificate to Issue. c Select Authenticated Session and select OK. d Go to Programs >...
  • Page 308 e Select the Group Policy tab, and ensure that the Default Domain Policy is highlighted. Click Edit to launch the Group Policy editor. f Go to Computer Configuration > Windows Settings > Security Settings > Public Key Policies, and right-click Automatic Certificate Request Settings.
  • Page 309 Setting Up a RADIUS Server. Open up a command prompt (Start > Run, enter ). Enter secedit /refreshpolicy machine_policy. The command may take a few minutes to take effect. 6 Set up the Internet Authentication Service (IAS) RADIUS Server. a Go to Programs > Administrative Tools > Internet Authentication Service, right-click Clients, and select New Client.
  • Page 310 h Select Grant remote access permission, and select Next. Click on Edit Profile... and select the Authentication tab. Ensure Extensible Authentication Protocol is selected, and Smart Card or other Certificate is set. Deselect any other authentication methods listed.
  • Page 311 Setting Up a RADIUS Server. b Select the Dial-in tab from the client Properties window. Select Allow access. Click OK. c Click OK to confirm. 8 Configure the Switch 4500 for RADIUS access and client authentication; see Chapter 11 “802.1X Configuration”.
  • Page 312 d Select Advanced request and click Next >. e Select the first option and click Next >. f Either copy the settings from the screenshot below or choose different key options.
  • Page 313 Setting Up a RADIUS Server. ...followed by this warning message; select Yes and then OK. The PKCS #10 file is now saved to the local drive. h To generate a portable certificate using PKCS #10, click the Home hyperlink at the top right of the CA web page.
  • Page 314 Paste the copied information into the Saved Request field as shown below. Select Authenticated Session from the Certificate Template selector and click Submit >. m Download the certificate and certification path. Click on the Download CA Certificate hyperlink to save the certificate.
  • Page 315 Setting Up a RADIUS Server. o Click Install Certificate to launch the certificate import wizard. p Leave the settings on the next screen as is, click Next > followed by Finish and OK. This will install the certificate. q Launch the Certification Authority management tool on the server and expand the Issued Certificates folder.
  • Page 316 s Click Copy to File to save the certificate. This action is actually already performed with the Advanced Request, but this is an alternative way to save the certificate. Click Next when the wizard is launched. Save the certificate using DER X.509 encoding: select DER encoded binary followed by Next.
  • Page 317 Setting Up a RADIUS Server. u Select the user that becomes the IEEE 802.1X client. Right-click on the user and select Name mappings. Select Add. v Select the certificate that you have just exported and click Open. Click OK. w In the Security Identity Mapping screen, click OK to close it. x Close the Active Directory Users and Domains management tool.
  • Page 318 b Create a new remote access policy under IAS and name it Switch Login. Select Next >. c Specify Switch Login to match the users in the switch access group, select Next >...
  • Page 319 Setting Up a RADIUS Server. e Use the Edit button to change the Service-Type to Administrative. f Add a vendor-specific attribute to indicate the access level that should be provided:...
  • Page 320 The value 010600000003 indicates admin privileges for the Switch. 01 at the end indicates monitor and 02 indicates manager access. On the Switch 4500, 00 indicates visitor level. 11 Configure the RADIUS client. Refer to the section Setting Up the RADIUS Client for information on setting up the client.
  • Page 321 Setting Up a RADIUS Server. Follow these steps to set up auto VLAN and QoS for use by Microsoft IAS: 1 Define the VLAN Groups on the Active Directory server and assign the user accounts to each VLAN Group. Go to Programs > Administrative Tools > Active Directory Users and Computers. a For example, to create one group that will represent VLAN 4, select the Users folder from the domain (see below),...
  • Page 322 d Go to Programs > Administrative Tools > Internet Authentication Service and select Remote Access Policies. Select the policy that you configured earlier, right-click and select Properties. e Click Add to add policy membership. f Select the Windows-Groups attribute type, and select Add and Add again...
  • Page 323 Setting Up a RADIUS Server. g Select the VLAN group that you have just created and click Add and then OK to confirm. h Click OK again to return to the Security Policy properties. Click Edit Profile... and select the Advanced tab. Click Add. Refer to Table 346 to Table 348 for the RADIUS attributes to add to the profile.
  • Page 324 Table 346 Summary of auto VLAN attributes; Table 347 For Auto VLAN (Return String / Comment): Tunnel-Medium-type; Tunnel-Private-Group-ID: VLAN value; Tunnel-Type: VLAN. Table 348 Summary of QoS attributes; Table 349 For Auto QoS (Return String / Comment): Filter-id...
  • Page 325 Setting Up a RADIUS Server. m Select the Tunnel-Pvt-Group-ID entry and click Add. n Click Add, ensure that the Attribute value is set to 4 (Attribute value in string format), and click OK. This value represents the VLAN ID. o Click OK again on the Multivalued Attribute Information screen to return to the Add Attributes screen.
  • Page 326: Configuring Funk RADIUS

    For troubleshooting, you can use the Event Viewer on both the workstation and the RADIUS server. Configuring Funk RADIUS: 3Com has successfully installed and tested Funk RADIUS running on a Windows server in a network with the Switch 4500 deployed. Download the Funk Steel-Belted RADIUS Server application from www.funk.com...
  • Page 327 Setting Up a RADIUS Server. To configure Funk RADIUS as a RADIUS server for networks with the Switch 4500, follow these steps: 1 Open the file \radius\service\eap.ini and remove the ";" before the MD5-Challenge line. This enables the MD5-challenge. 2 Open the file and change the log level to 5.
  • Page 328 Funk RADIUS is now ready to run. If you intend to use auto VLAN and QoS, you will need to create VLAN and QoS profiles on the 3Com Switch 4500 and follow the instructions in Configuring Auto VLAN and QoS for Funk RADIUS.
  • Page 329 Setting Up a RADIUS Server. Passwords are case sensitive. 6 Enter the shared secret to encrypt the authentication data. The shared secret must be identical on the Switch 4500 and the RADIUS server. a Select RAS Clients from the left-hand list; enter a Client name, the IP address and the Shared secret.
  • Page 330 Configuring Auto VLAN and QoS for Funk RADIUS. To set up auto VLAN and QoS using Funk RADIUS, follow these steps: 1 Edit the dictionary file radius.dct so that Return list attributes from the Funk RADIUS server are returned to the Switch 4500.
  • Page 331: Configuring FreeRADIUS

    The following example shows the user name HOMER with the correct Return list attributes inserted. The VLANs and QoS profiles must also be created on the 3Com Switch 4500. Configuring FreeRADIUS: 3Com has successfully installed and tested FreeRADIUS running on Solaris 2.6 and RedHat Linux servers in networks with the Switch 4500 deployed.
  • Page 332: Setting Up The RADIUS Client

    Add an entry for Switch Login. For example: user-name Auth-Type = System, 3Com-User-Access-Level = Administrator. This indicates that the server should return the 3Com vendor-specific attribute 3Com-User-Access-Level in the Access-Accept message for that user. b Add an entry for Network Login. For example: user-name Auth-Type := Local, User-Password == "password"...
  • Page 333: Windows 2000 Built-In Client

    Setting Up the RADIUS Client. Windows 2000 Built-in Client: Windows 2000 requires Service Pack 3 and the IEEE 802.1X client patch for Windows 2000. 1 Download the patches if required from: http://www.microsoft.com/Downloads/details.aspx?displaylang=en&FamilyID=6B78EDBE-D3CA-4880-929F-453C695B9637 2 After the updates have been installed, start the Wireless Authentication Service in Component Services on the Windows 2000 workstation (set the service to startup type Automatic).
  • Page 334 Follow these steps to install the Aegis client: 1 Register the Aegis Client. When using the Aegis client for the first time, a license key will be requested. To obtain a valid license key, complete an online form on the Meetinghouse website giving the System ID.
  • Page 335 Setting Up the RADIUS Client. d Click OK to finish the configuration. e Restart the client either by rebooting, or by stopping and re-starting the service. f Click the OK button, then return to the Aegis Client main interface. To restart the client, press the button with the red cross.
  • Page 337: Authenticating The

    3Com Switch 4500 contain a Cisco Secure ACS server with TACACS+ to provide centralized control over network and management access, can also deploy the 3Com Switch 4500 on their network. Although 3Com does not directly support the proprietary TACACS+ protocol, 3Com Switches can still be authenticated in networks which use TACACS+ and Cisco Secure ACS.
  • Page 338: Adding A 3Com Switch 4500 As A RADIUS Client

    1 Select Network Configuration from the left-hand side. 2 Select Add Entry from under AAA Clients. 3 Enter the details of the 3Com Switch. Spaces are not permitted in the AAA Client Host name. An example is shown below...
  • Page 339 Setting Up the Cisco Secure ACS (TACACS+) Server. 5 Select Interface Configuration from the left-hand side. 6 Select RADIUS (IETF) from the list under Interface Configuration. 7 Check the RADIUS attributes that you wish to install. If you want to use auto VLAN and QoS, ensure that you have the following options selected for both the User and Group: ■ Filter-ID...
  • Page 340: Adding A User For Network Login

    Appendix C: Authenticating the Switch 4500 with Cisco Secure ACS. 8 Select Submit. 9 Repeat steps 1 to 8 for each Switch 4500 on your network. When all of the Switch 4500s have been added as clients to the Cisco Secure ACS server, restart the Secure ACS server by selecting System Configuration from the left-hand side, then select Service Control and click Restart.
  • Page 341: Adding A User For Switch Login

    The User can now access the network through Network Login. Adding a User for Switch Login: Adding a user for switch login is slightly more complex, as 3Com-specific RADIUS attributes need to be returned to the 3Com Switch 4500. These RADIUS attributes define the access level of the user to the management interface.
  • Page 342 Once complete, log into the Secure ACS server again and complete steps 2 and 3. 2 To use the new RADIUS attributes, a client needs to be a user of RADIUS (3Com) attributes. Select Network Configuration from the left hand side and select an existing device or add a new device.
  • Page 343 Setting Up the Cisco Secure ACS (TACACS+) Server. 3 Select Submit+Restart. The IETF attributes will still be available to the device; the 3Com attributes are simply appended to them. 4 Select Interface Configuration, followed by RADIUS (3Com). a Ensure that the 3Com-User-Access-Level option is selected for both User and...
  • Page 344 6 In the RADIUS (3Com) Attribute box, check 3Com-User-Access-Level and select Administrator from the pull-down list, see below: 7 Select Submit.