H3C S5120-SI Series Operation Manual


H3C S5120-SI Series Ethernet Switches
Operation Manual
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Manual Version: 6W101-20090625
Product Version: Release 1101


Summary of Contents for H3C S5120-SI Series

  • Page 1 H3C S5120-SI Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Manual Version: 6W101-20090625 Product Version: Release 1101...
  • Page 2 SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.
  • Page 3 About This Manual Organization H3C S5120-SI Series Switches Configuration Manual – Release 1101 is organized as follows: Chapter / Contents: 00-1 Product Overview: Introduces the characteristics and implementations of the Ethernet switch. 01-Login: Introduces the command hierarchy, command view and CLI features of the Ethernet switch.
  • Page 4 Chapter / Contents: 25-HABP: Introduces the configuration of HABP. 26-ACL: Introduces the configuration of ACL. 27-Device Management: Introduces the configuration of rebooting a device, upgrading device software and identifying and diagnosing pluggable transceivers. 28-NTP: Introduces the configuration of NTP and the related configuration. 29-SNMP: Introduces the configuration of SNMP and the related configuration.
  • Page 5 Means a complementary description. Means techniques helpful for you to make configuration with ease. Related Documentation In addition to this manual, each H3C S5120-SI Series Ethernet Switches documentation set includes the following: Manual Description H3C S5120-SI Series Ethernet Switches...
  • Page 6 Obtaining Documentation You can access the most up-to-date H3C product documentation on the World Wide Web at this URL: http://www.h3c.com. The following are the columns from which you can obtain different categories of product documentation: [Products & Solutions]: Provides information about products and technologies, as well as solutions.
  • Page 7: Table Of Contents

    Table of Contents
    1 Obtaining the Documentation 1-1
    H3C Website 1-1
    Software Release Notes 1-1
    2 Correspondence Between Documentation and Software 2-1
    Software Version 2-1
    Manual List 2-1
    3 Product Features 3-1
    Introduction to Product 3-1
    Feature Lists 3-1
    Features 3-1
    4 Networking Applications 4-1
    Distribution Layer Switches 4-1...
  • Page 8: Obtaining The Documentation

    Obtaining the Documentation H3C Technologies Co., Ltd. provides various ways for you to obtain documentation, through which you can obtain the product documentation and the documentation concerning newly added features. The documentation is available in one of the following ways:...
  • Page 9: Correspondence Between Documentation And Software

    Correspondence Between Documentation and Software Software Version H3C S5120-SI Series Ethernet Switches Operation Manual and H3C S5120-SI Series Ethernet Switches Command Manual are for the software version of Release 1101 of the S5120-SI series products. Manual List Table 2-1 Manual list...
  • Page 10: Product Features

    Product Features Introduction to Product The H3C S5120-SI Series Ethernet Switches (hereinafter referred to as the S5120-SI series) are Layer 2 Gigabit Ethernet switches developed by Hangzhou H3C Technology Co., Ltd. They are intelligent manageable switches designed for network environments where high performance, high-density port distribution, and easy installation are required.
  • Page 11 Table 3-2 Features Features Description How to log in to your Ethernet switch Introduction to the user interface and common configurations Logging In Through the Console Port Logging In Through Telnet 01-Login Logging In Using Modem Logging in Through Web-based Network Management System Logging In Through NMS Specifying Source IP address/Interface for Telnet Packets Controlling Login Users...
  • Page 12 Features Description Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network 11-IP Performance Optimization Configuring TCP Attributes Configuring ICMP to Send Error Packets Configuring ARP Configuring Gratuitous ARP 12-ARP Configuring ARP Packet Rate Limit Configuring ARP Detection Configuring Periodic Sending of Gratuitous ARP Packets DHCP Relay Agent Configuration DHCP Client Configuration...
  • Page 13 Features Description Configuring Basic ACL Configuring Advanced ACL 26-ACL Configuring Ethernet Frame Header ACL Configuring ACL Application for Packet Filtering Device management overview Configuring the Exception Handling Method Rebooting a device 27-Device Configuring the scheduled automatic execution function Management Upgrading Device Software Clearing the 16-bit interface indexes not used in the current system Identifying and Diagnosing Pluggable Transceivers NTP overview...
  • Page 14: Networking Applications

    GE interfaces, and thus can be used in networking flexibly. For example, the S5120-SI series can be used for Gigabit to the Desktop (GTTD) access in enterprise networks and connecting data center server clusters. Several typical networking applications are presented in this section.
  • Page 15: Access Switches

    Access Switches The S5120-SI series can serve as access switches to provide large access bandwidth and high port density. Figure 4-2 Application of the S5120-SI series at the access layer Core/Aggregation S9500/S7500E Access S5120-SI S5120-SI...
  • Page 16 Table of Contents
    1 Logging In to an Ethernet Switch 1-1
    Logging In to an Ethernet Switch 1-1
    Introduction to User Interface 1-1
    Supported User Interfaces 1-1
    User Interface Number 1-1
    Common Login in to an Ethernet Switch 1-2
    2 Logging In Through the Console Port 2-1
    Introduction 2-1
    Setting Up the Connection to the Console Port 2-2
    Console Port Login Configuration 2-3...
  • Page 17
    5 Logging In Through NMS 5-1
    Introduction 5-1
    Connection Establishment Using NMS 5-1
    6 Specifying Source for Telnet Packets 6-1
    Introduction 6-1
    Specifying Source IP address/Interface for Telnet Packets 6-1
    Displaying the source IP address/Interface Specified for Telnet Packets 6-2
    7 Controlling Login Users 7-1
    Introduction 7-1
    Controlling Telnet Users 7-1
    Prerequisites 7-1...
  • Page 18: Logging In To An Ethernet Switch

    VTY users. As the AUX port and the Console port of an H3C series switch are the same one, you will be in the AUX user interface if you log in through this port. User Interface Number Two kinds of user interface index exist: absolute user interface index and relative user interface index.
  • Page 19: Common Login In To An Ethernet Switch

    VTY user interfaces: Numbered after AUX user interfaces and increase in steps of 1. A relative user interface index can be obtained by appending a number to the identifier of a user interface type. It is generated by user interface type. The relative user interface indexes are as follows: AUX user interface: AUX 0; VTY user interfaces: VTY 0, VTY 1, VTY 2, and so on.
  • Page 20 To do… / Use the command… / Remarks: Set the timeout time for user interface: idle-timeout minutes [ seconds ]. Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the...
  • Page 21: Logging In Through The Console Port

    Console Port Login Configuration with Authentication Mode Being Scheme The default system name of an H3C S5120-SI series Ethernet switch is H3C, that is, the command line prompt is H3C. All the following examples take H3C as the command line prompt.
  • Page 22: Setting Up The Connection To The Console Port

    Setting Up the Connection to the Console Port Connect the serial port of your PC/terminal to the Console port of the switch, as shown in Figure 2-1. Figure 2-1 Diagram for setting the connection to the Console port If you use a PC to connect to the Console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP) and perform the configuration shown in Figure 2-2...
  • Page 23: Console Port Login Configuration

    Figure 2-4 Set port parameters terminal window Turn on the switch. The user will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as <H3C>) appears after the user presses the Enter key.
  • Page 24: Console Port Login Configurations For Different Authentication Modes

    Configuration / Description: Configure the command level available to users logging in to the AUX user interface (user interface configuration): Optional. By default, commands of level 3 are available to the users logging in to the AUX user interface. Define a shortcut key for aborting tasks: Optional. The default shortcut key combination for aborting tasks is <...
  • Page 25: Console Port Login Configuration With Authentication Mode Being None

    Authentication mode / Console port login configuration / Description: AAA configuration: Optional. Specifies whether to perform local authentication or RADIUS authentication. Local authentication is performed by default. Refer to the AAA Configuration for details. Required. The user name and password of a local user are configured on the...
  • Page 26 To do… / Use the command… / Remarks: Set the check mode: parity { even | mark | none | odd | space }. Optional. By default, the check mode of a Console port is set to none, that is, no check bit. Set the stop bits: stopbits { 1 | 1.5 | 2 }...
  • Page 27: Configuration Example

    Table 2-4 Determine the command level (A). Scenario (Authentication mode / User type / Command) → Command level: Authentication mode None (authentication-mode none), users logging in through Console ports, the user privilege level level command not executed: Level 3. The user privilege level level command already executed: determined by the level argument...
  • Page 28: Console Port Login Configuration With Authentication Mode Being Password

    # Specify that commands of level 2 are available to the user logging in to the AUX user interface.
    [Sysname-ui-aux0] user privilege level 2
    # Set the baud rate of the Console port to 19200 bps.
    [Sysname-ui-aux0] speed 19200
    # Set the maximum number of lines the screen can contain to 30.
    [Sysname-ui-aux0] screen-length 30
    # Set the maximum number of commands the history command buffer can store to 20.
  • Page 29 To do… / Use the command… / Remarks: Configure the Console port: Set the baud rate: speed speed-value. Optional. The default baud rate of an AUX port (also the Console port) is 9,600 bps. Set the check mode: parity { even | mark | none | odd | space }. Optional. By default, the check mode of a Console...
  • Page 30: Configuration Example

    Note that if you configure to authenticate the users in the password mode, the command level available to users logging in to a switch depends on both the authentication-mode password and the user privilege level level command, as listed in the following table. Table 2-5 Determine the command level (B) Scenario Command level...
  • Page 31: Console Port Login Configuration With Authentication Mode Being Scheme

    [Sysname] user-interface aux 0
    # Specify to authenticate the user logging in through the Console port using the local password.
    [Sysname-ui-aux0] authentication-mode password
    # Set the local password to 123456 (in plain text).
    [Sysname-ui-aux0] set authentication password simple 123456
    # Specify that commands of level 2 are available to the user logging in to the AUX user interface.
    [Sysname-ui-aux0] user privilege level 2
    # Set the baud rate of the Console port to 19200 bps.
  • Page 32 To do… / Use the command… / Remarks: Enter system view: system-view. Enter default ISP domain view: domain domain-name. Optional. By default, the local AAA scheme is applied. If you specify to apply the local AAA scheme, you need to perform the configuration concerning local user as
    Specify the authentication...
  • Page 33: Configuration Example

    To do… / Use the command… / Remarks: Define a shortcut key for starting terminal sessions: activation-key character. Optional. By default, pressing the Enter key starts the terminal session. Define a shortcut key for aborting tasks: escape-key { default | character }. Optional. The default shortcut key combination for aborting tasks is <...
  • Page 34 Network diagram
    Figure 2-7 Network diagram for AUX user interface configuration (with the authentication mode being scheme)
    Configuration procedure
    # Enter system view.
    <Sysname> system-view
    # Create a local user named guest and enter local user view.
    [Sysname] local-user guest
    # Set the authentication password to 123456 (in plain text).
  • Page 35: Logging In Through Telnet/Ssh

    Logging In Through Telnet/SSH When logging in through Telnet, go to these sections for information you are interested in: Introduction Telnet Configuration with Authentication Mode Being None Telnet Configuration with Authentication Mode Being Password Telnet Configuration with Authentication Mode Being Scheme Telnet Connection Establishment Introduction You can telnet to a remote switch to manage and maintain the switch.
  • Page 36: Telnet Connection Establishment

    Telnet Connection Establishment Telnetting to a Switch from a Terminal You can telnet to a switch and then configure the switch if the interface of the management VLAN of the switch is assigned with an IP address. (By default, VLAN 1 is the management VLAN.) Following are procedures to establish a Telnet connection to a switch: Step 1: Log in to the switch through the Console port, enable the Telnet server function and assign an IP address to the management VLAN interface of the switch.
  • Page 37: Telnetting To Another Switch From The Current Switch

    Step 5: Enter the password when the Telnet window displays “Login authentication” and prompts for login password. The CLI prompt (such as <H3C>) appears if the password is correct. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says “All user interfaces are used, please try later!”.
  • Page 38: Common Configuration

    Step 4: Enter the password. If the password is correct, the CLI prompt (such as <H3C>) appears. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says “All user interfaces are used, please try later!”.
  • Page 39: Telnet Configurations For Different Authentication Modes

    The auto-execute command command may leave you unable to perform common configuration in the user interface, so use it with caution. Before executing the auto-execute command command and saving your configuration, make sure you can log in to the switch in other modes and cancel the configuration. Telnet Configurations for Different Authentication Modes Table 3-3 lists Telnet configurations for different authentication modes.
  • Page 40 To do… / Use the command… / Remarks: Enter system view: system-view. Enter one or more VTY user interface views: user-interface vty first-number [ last-number ]. Configure not to authenticate users logging in to VTY user interfaces: authentication-mode none. Required. By default, VTY users are authenticated after logging in.
  • Page 41: Configuration Example

    Note that if you configure not to authenticate the users, the command level available to users logging in to a switch depends on both the authentication-mode none command and the user privilege level level command, as listed in Table 3-4. Table 3-4 Determine the command level when users logging in to switches are not authenticated Scenario Command level...
  • Page 42: Telnet Configuration With Authentication Mode Being Password

    # Configure the user interface to support the Telnet protocol.
    [Sysname-ui-vty0] protocol inbound telnet
    # Set the maximum number of lines the screen can contain to 30.
    [Sysname-ui-vty0] screen-length 30
    # Set the maximum number of commands the history command buffer can store to 20.
    [Sysname-ui-vty0] history-command max-size 20
    # Set the timeout time to 6 minutes.
  • Page 43: Configuration Example

    To do… / Use the command… / Remarks: Set the maximum number of lines the screen can contain: screen-length screen-length. Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
  • Page 44: Telnet Configuration With Authentication Mode Being Scheme

    Commands of level 2 are available to users logging in to VTY 0. Telnet protocol is supported. The screen can contain up to 30 lines. The history command buffer can contain up to 20 commands. The timeout time of VTY 0 is 6 minutes. Network diagram Figure 3-5 Network diagram for Telnet configuration (with the authentication mode being password) Configuration procedure...
  • Page 45 To do… / Use the command… / Remarks: Enter system view: system-view. Enter default domain view: domain domain-name. Optional. By default, the local AAA scheme is applied. If you specify to apply the local AAA scheme, you need to perform the configuration concerning...
    Configure authentication default
  • Page 46: Configuration Example

    To do… / Use the command… / Remarks: Make terminal services available: shell. Optional. Terminal services are available in all user interfaces by default. Set the maximum number of lines the screen can contain: screen-length screen-length. Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0...
  • Page 47 The screen can contain up to 30 lines. The history command buffer can store up to 20 commands. The timeout time of VTY 0 is 6 minutes. Network diagram Figure 3-6 Network diagram for Telnet configuration (with the authentication mode being scheme) Configuration procedure # Enter system view, and enable the Telnet service.
  • Page 48: Introduction

    Management System Introduction An S5120-SI series switch has a Web server built in. You can log in to an S5120-SI series switch through a Web browser and manage and maintain the switch intuitively by interacting with the built-in Web server.
  • Page 49: Displaying Web Users

    To do… / Use the command… / Remarks: Specify the service types for the local user: service-type telnet. Optional. By default, no service is authorized to a user. Start the Web server: ip http enable. Required. Execute this command in system view. Displaying Web Users After the above configurations, execute the display command in any view to display the information about Web users, and thus to verify the configuration effect.
  • Page 50 Step 4: Log in to the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch (here it is http://10.153.17.82). (Make sure the route between the Web-based network management terminal and the switch is available.) Step 5: When the login interface (shown in Figure...
  • Page 51: Logging In Through Nms

    Logging In Through NMS When logging in through NMS, go to these sections for information you are interested in: Introduction Connection Establishment Using NMS Introduction You can also log in to a switch through an NMS (network management station), and then configure and manage the switch through the agent module on the switch.
  • Page 52: Specifying Source For Telnet Packets

    Specifying Source for Telnet Packets When specifying source IP address/interface for Telnet packets, go to these sections for information you are interested in: Introduction Specifying Source IP address/Interface for Telnet Packets Displaying the source IP address/Interface Specified for Telnet Packets Introduction To improve security and make it easier to manage services, you can specify source IP addresses/interfaces for Telnet clients.
  • Page 53: Displaying The Source Ip Address/Interface Specified For Telnet Packets

    To do… / Use the command… / Remarks: Specify source IP address/interface for Telnet packets: telnet client source { ip ip-address | interface interface-type interface-number }. Optional. By default, no source IP address/interface is specified. The IP address specified must be a local IP address. When specifying the source interface for Telnet packets, make sure the interface already exists.
  • Page 54: Controlling Login Users

    Controlling Login Users When controlling login users, go to these sections for information you are interested in: Introduction Controlling Telnet Users Controlling Network Management Users by Source IP Addresses Introduction Multiple ways are available for controlling different types of login users, as listed in Table 7-1.
  • Page 55: Controlling Telnet Users By Source And Destination Ip Addresses

    To do… / Use the command… / Remarks: Create a basic ACL or enter basic ACL view: acl number acl-number [ match-order { config | auto } ]. As for the acl number command, the config keyword is specified by default. Define rules for the ACL: rule [ rule-id ] { permit | deny } source sour-addr...
  • Page 56: Controlling Telnet Users By Source Mac Addresses

    Controlling Telnet Users by Source MAC Addresses This configuration needs to be implemented by Layer 2 ACL; a Layer 2 ACL ranges from 4000 to 4999. For the definition of ACL, refer to ACL Configuration. Follow these steps to control Telnet users by source MAC addresses: To do…...
  • Page 57: Controlling Network Management Users By Source Ip Addresses

    [Sysname-ui-vty0-4] acl 2000 inbound Controlling Network Management Users by Source IP Addresses You can manage an H3C S5120-SI series Ethernet switch through network management software. Network management users can access switches through SNMP. You need to perform the following two operations to control network management users by source IP addresses.
  • Page 58: Configuration Example

    To do… / Use the command… / Remarks: Create a basic ACL or enter basic ACL view: acl number acl-number [ match-order { config | auto } ]. As for the acl number command, the config keyword is specified by default. Define rules for the ACL: rule [ rule-id ] { permit | deny } source sour-addr...
  • Page 59: Controlling Web Users By Source Ip Addresses

    # Apply the ACL to only permit SNMP users sourced from the IP addresses of 10.110.100.52 and 10.110.100.46 to access the switch.
    [Sysname] snmp-agent community read h3c acl 2000
    [Sysname] snmp-agent group v2c h3cgroup acl 2000
    [Sysname] snmp-agent usm-user v2c h3cuser h3cgroup acl 2000...
  • Page 60: Forcing Online Web Users Offline

    To do… / Use the command… / Remarks: Create a basic ACL or enter basic ACL view: acl number acl-number [ match-order { config | auto } ]. Required. The config keyword is specified by default. Define rules for the ACL: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | ... Required...
  • Page 61 [Sysname] ip http acl 2030...
  • Page 62 Table of Contents
    1 Ethernet port Configuration 1-1
    General Ethernet port Configuration 1-1
    Basic Ethernet port Configuration 1-1
    Configuring Flow Control on an Ethernet port 1-2
    Configuring Loopback Testing on an Ethernet port 1-2
    Enabling Auto Power Down on an Ethernet port 1-3
    Configuring a Port Group 1-3
    Configuring an Auto-negotiation Transmission Rate 1-4
    Configuring Storm Suppression 1-5...
  • Page 63: Ethernet Port Configuration

    Ethernet port Configuration When configuring Ethernet ports, go to these sections for information you are interested in: General Ethernet port Configuration; Displaying and Maintaining an Ethernet port. General Ethernet port Configuration: Basic Ethernet port Configuration: Configuring an Ethernet port: Three types of duplex modes are available to Ethernet ports: Full-duplex mode (full).
  • Page 64: Configuring Flow Control On An Ethernet Port

    To do… / Use the command… / Remarks: Set the transmission rate: speed { 10 | 100 | 1000 | auto }. Optional. The optical interface of an SFP port does not support the 10 or 100 keyword. By default, the port speed is in the auto-negotiation mode.
  • Page 65: Enabling Auto Power Down On An Ethernet Port

    To do… / Use the command… / Remarks: Enter Ethernet port view: interface interface-type interface-number. Enable loopback testing: loopback { external | internal }. Optional. Disabled by default. As for the internal loopback test and external loopback test, if an interface is down, only the former is available on it;...
  • Page 66: Configuring An Auto-Negotiation Transmission Rate

    To do… / Use the command… / Remarks: Enter system view: system-view. Create a manual port group and enter manual port group view: port-group manual port-group-name. Required. Add Ethernet ports to the manual port group: group-member interface-list. Required. Configuring an Auto-negotiation Transmission Rate Usually, the transmission rate on an Ethernet port is determined through negotiation with the peer end, which can be any rate within the capacity range.
  • Page 67: Configuring Storm Suppression

    This function is available for auto-negotiation-capable Gigabit Layer-2 Ethernet electrical ports only. If you repeatedly use the speed and the speed auto commands to configure the transmission rate on an interface, only the latest configuration takes effect. Configuring Storm Suppression You can use the storm suppression function to limit the size of a particular type of traffic (currently broadcast, multicast and unknown unicast traffic) on a per-interface basis in Ethernet port view or port group view.
  • Page 68: Setting The Interval For Collecting Ethernet Port Statistics

    As for an Ethernet port that belongs to a port group, if you set a storm suppression ratio for the interface in both Ethernet port view and port group view, the one configured last takes effect. Setting the Interval for Collecting Ethernet port Statistics Follow these steps to configure the interval for collecting interface statistics: To do…...
  • Page 69: Enabling Loopback Detection On An Ethernet Port

    Enabling Loopback Detection on an Ethernet port If an interface receives a packet that it sent out, a loop occurs. Loops may cause broadcast storms. The purpose of loopback detection is to detect loops on an interface. When loopback detection is enabled on an Ethernet port, the device periodically checks for loops on the interface.
  • Page 70: Enabling Bridging On An Ethernet Port

    Two types of Ethernet cables can be used to connect Ethernet devices: crossover cable and straight-through cable. To accommodate these two types of cables, an Ethernet port on a device can operate in one of the following three Medium Dependent Interface (MDI) modes: Across mode Normal mode Auto mode...
  • Page 71: Testing The Cable On An Ethernet Port

    Testing the Cable on an Ethernet port The optical interface of a SFP port does not support this feature. A link in the up state goes down and then up automatically if you perform the operation described in this section on one of the Ethernet ports forming the link. Follow these steps to test the current operating state of the cable connected to an Ethernet port: To do…...
  • Page 72 Follow these steps to configure the storm constrain function on an Ethernet port (To do… / Use the command… / Remarks): Enter system view: system-view (—). Set the interval for generating traffic statistics: storm-constrain interval seconds (Optional; 10 seconds by default). Enter Ethernet port view: interface interface-type ...
  • Page 73: Displaying And Maintaining An Ethernet Port

    Displaying and Maintaining an Ethernet port (To do… / Use the command… / Remarks): Display the current state of an interface and the related information: display interface [ interface-type [ interface-number ] ] (Available in any view). Display the summary of an …: display brief interface [ interface-type [ interface-number ] ] [ | { begin | exclude … (Available in any view)...
  • Page 74 Table of Contents: 1 Loopback Interface and Null Interface Configuration 1-1; Loopback Interface 1-1; Introduction to Loopback Interface 1-1; Configuring a Loopback Interface 1-2; Null Interface 1-2; Introduction to Null Interface 1-2; Configuring Null 0 Interface 1-3; Displaying and Maintaining Loopback and Null Interfaces 1-3...
  • Page 75: Loopback Interface

    Loopback Interface and Null Interface Configuration When configuring loopback interfaces and null interfaces, go to these sections for information you are interested in: Loopback Interface Null Interface Displaying and Maintaining Loopback and Null Interfaces Loopback Interface Introduction to Loopback Interface A loopback interface is a software-only virtual interface.
  • Page 76: Configuring A Loopback Interface

    Configuring a Loopback Interface Follow these steps to configure a loopback interface (To do… / Use the command… / Remarks): Enter system view: system-view (—). Create a Loopback interface and enter Loopback interface view: interface loopback interface-number (—). Set a description for the loopback interface: description text (Optional; By default, the description of an ...
  • Page 77: Configuring Null 0 Interface

    Configuring Null 0 Interface Follow these steps to enter null interface view (To do… / Use the command… / Remarks): Enter system view: system-view (—). Enter null interface view: interface null 0 (Required; The Null 0 interface is the default null interface on your device. It cannot be manually created or removed.)
  • Page 78 Table of Contents: 1 Link Aggregation Configuration 1-1; Overview 1-1; Basic Concepts of Link Aggregation 1-1; Link Aggregation Modes 1-3; Load Sharing Mode of an Aggregation Group 1-5; Link Aggregation Configuration Task List 1-5; Configuring an Aggregation Group 1-5; Configuring a Static Aggregation Group 1-5; Configuring a Dynamic Aggregation Group 1-6; Configuring an Aggregate Interface 1-7; Configuring the Description of an Aggregate Interface 1-7...
  • Page 79: Link Aggregation Configuration

    Link Aggregation Configuration When configuring link aggregation, go to these sections for information you are interested in: Overview Link Aggregation Configuration Task List Configuring an Aggregation Group Displaying and Maintaining Link Aggregation Link Aggregation Configuration Examples Overview Link aggregation aggregates multiple physical Ethernet ports into one logical link, also called an aggregation group.
  • Page 80 The current device only supports Layer 2 aggregation groups. States of the member ports in an aggregation group A member port in an aggregation group can be in one of the following two states: Selected: a selected port can forward user traffic. Unselected: an unselected port cannot forward user traffic.
  • Page 81: Link Aggregation Modes

    Some configurations are called class-one configurations. Such configurations, MSTP for example, can be made on aggregate interfaces and member ports but do not affect the selected state of link aggregation member ports. A change to a class-two configuration setting may affect the selected state of link aggregation member ports and thus the ongoing service.
  • Page 82 Dynamic aggregation mode LACP is enabled on member ports in a dynamic aggregation group. In a dynamic aggregation group, a selected port can receive and transmit LACPDUs, and an unselected port can receive and send LACPDUs only if it is up and has the same configurations as the aggregate interface.
  • Page 83: Load Sharing Mode Of An Aggregation Group

    Load Sharing Mode of an Aggregation Group The link aggregation groups created on the S5120-SI series Ethernet switches always operate in load sharing mode, even when they contain only one member port. Link Aggregation Configuration Task List Complete the following tasks to configure link aggregation:...
  • Page 84: Configuring A Dynamic Aggregation Group

    Removing a Layer 2 aggregate interface also removes the corresponding aggregation group. At the same time, the member ports of the aggregation group, if any, leave the aggregation group. To guarantee a successful static aggregation, ensure that the ports at the two ends of each link to be aggregated are consistent in the selected/unselected state.
  • Page 85: Configuring An Aggregate Interface

    Removing a dynamic aggregate interface also removes the corresponding aggregation group. At the same time, the member ports of the aggregation group, if any, leave the aggregation group. To guarantee a successful dynamic aggregation, ensure that the peer ports of the ports aggregated at one end are also aggregated.
  • Page 86: Shutting Down An Aggregate Interface

    (To do... / Use the command... / Remarks) Enable the trap function globally: snmp-agent trap enable [ standard [ linkdown | linkup ] * ] (Optional; By default, linkUp/linkDown trap generation is enabled globally and on all interfaces.) Enter Layer 2 aggregate …: interface bridge-aggregation … (—)...
  • Page 87: Link Aggregation Configuration Examples

    (To do... / Use the command... / Remarks) Display the summary information of all aggregation groups: display link-aggregation summary (Available in any view). Display detailed information of aggregation groups: display link-aggregation verbose [ bridge-aggregation [ interface-number ] ] (Available in any view). Clear the LACP statistics of …: reset lacp statistics [ interface interface-type interface-number ...
  • Page 88: Layer 2 Dynamic Aggregation Configuration Example

    Figure 1-1 Network diagram for Layer 2 static aggregation Configuration procedure Configure Device A # Create Layer 2 aggregate interface Bridge-aggregation 1. <DeviceA> system-view [DeviceA] interface bridge-aggregation 1 [DeviceA-Bridge-Aggregation1] quit # Assign Layer 2 Ethernet interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to aggregation group 1.
  • Page 89 Figure 1-2 Network diagram for Layer 2 dynamic aggregation Configuration procedure Configure Device A # Create a Layer 2 aggregate interface Bridge-Aggregation 1 and configure the interface to work in dynamic aggregation mode. <DeviceA> system-view [DeviceA] interface bridge-aggregation 1 [DeviceA-Bridge-Aggregation1] link-aggregation mode dynamic [DeviceA-Bridge-Aggregation1] quit # Assign Layer 2 Ethernet interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to aggregation group 1.
  • Page 90 Table of Contents: 1 Port Isolation Configuration 1-1; Introduction to Port Isolation 1-1; Configuring an Isolation Group for a Multiple-Isolation-Group Device 1-1; Adding a Port to an Isolation Group 1-1; Displaying and Maintaining Isolation Groups 1-2; Port Isolation Configuration Example 1-2...
  • Page 91 VLAN, allowing for great flexibility and security. Currently: S5120-SI series Ethernet switches support multiple isolation groups which can be configured manually. These devices are referred to as multiple-isolation-group devices. There is no restriction on the number of ports assigned to an isolation group.
  • Page 92 (To do… / Use the command… / Remarks) Add the port/ports to an isolation group as an isolated port/isolated ports: port-isolate enable group group-number (Required; No ports are added to an isolation group by default.) Displaying and Maintaining Isolation Groups To do… Use the command…...
  • Page 93 [Device-GigabitEthernet1/0/1] port-isolate enable group 2 [Device-GigabitEthernet1/0/1] quit [Device] interface gigabitethernet 1/0/2 [Device-GigabitEthernet1/0/2] port-isolate enable group 2 [Device-GigabitEthernet1/0/2] quit [Device] interface gigabitethernet 1/0/3 [Device-GigabitEthernet1/0/3] port-isolate enable group 2 # Display information of isolation group 2. <Device> display port-isolate group 2 Port-isolate group information: Uplink port support: YES Group ID: 2 Group members:...
  • Page 94 Table of Contents: 1 Port Mirroring Configuration 1-1; Introduction to Port Mirroring 1-1; Classification of Port Mirroring 1-1; Implementing Port Mirroring 1-1; Configuring Local Port Mirroring 1-2; Displaying and Maintaining Port Mirroring 1-3; Port Mirroring Configuration Examples 1-3; Local Port Mirroring Configuration Example 1-3...
  • Page 95: Port Mirroring Configuration

    Implementing Port Mirroring In local port mirroring, all packets (including protocol packets and data packets) passing through a port can be mirrored. Local port mirroring is implemented through a local mirroring group. An S5120-SI series switch supports one local mirroring group.
  • Page 96: Configuring Local Port Mirroring

    As shown in Figure 1-1, packets on the mirroring port are mirrored to the monitor port for the data monitoring device to analyze. Figure 1-1 Local port mirroring implementation Configuring Local Port Mirroring Configuring local port mirroring is to configure local mirroring groups. A local mirroring group comprises one or multiple mirroring ports and one monitor port.
  • Page 97: Displaying And Maintaining Port Mirroring

    A local mirroring group takes effect only after you configure a monitor port and mirroring ports for it. To ensure the smooth operation of your device, do not enable STP, MSTP, or RSTP on the monitor port. It is recommended that you use a monitor port only for port mirroring, so that the data monitoring device receives and analyzes only the mirrored traffic rather than a mix of mirrored traffic and normally forwarded traffic.
  • Page 98 Configuration procedure Configuration scheme 1 # Create a local mirroring group. <DeviceC> system-view [DeviceC] mirroring-group 1 local # Configure ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as mirroring ports and port GigabitEthernet 1/0/3 as the monitor port in the mirroring group. [DeviceC] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 gigabitethernet 1/0/2 both [DeviceC] mirroring-group 1 monitor-port gigabitethernet 1/0/3 # Display the configuration of all port mirroring groups.
  • Page 99 Table of Contents: 1 LLDP Configuration 1-1; Overview 1-1; Background 1-1; Basic Concepts 1-1; Operating Modes of LLDP 1-5; How LLDP Works 1-6; Protocols and Standards 1-6; LLDP Configuration Task List 1-6; Performing Basic LLDP Configuration 1-7; Enabling LLDP 1-7; Setting LLDP Operating Mode 1-7; Setting the LLDP Re-Initialization Delay 1-8; Enabling LLDP Polling 1-8; Configuring the TLVs to Be Advertised 1-8...
  • Page 100: Lldp Configuration

    LLDP Configuration When configuring LLDP, go to these sections for information you are interested in: Overview LLDP Configuration Task List Performing Basic LLDP Configuration Configuring CDP Compatibility Configuring LLDP Trapping Displaying and Maintaining LLDP LLDP Configuration Examples Overview Background In a heterogeneous network, it is important that different types of network devices from different vendors can discover one another and exchange configuration information for the sake of interoperability and management.
  • Page 101 Figure 1-1 LLDPDU encapsulated in Ethernet II The fields in the frame are described in Table 1-1: Table 1-1 Description of the fields in an Ethernet II encapsulated LLDPDU (Field / Description): Destination MAC address: The MAC address to which the LLDPDU is advertised. It is fixed to 0x0180-C200-000E, a multicast MAC address.
  • Page 102 (Field / Description) Source MAC address: The MAC address of the sending port. If the port does not have a MAC address, the MAC address of the sending bridge is used. Type: The SNAP type for the upper layer protocol. It is 0xAAAA-0300-0000-88CC for LLDP.
  • Page 103 VLAN Name: A specific VLAN name on the port. Protocol Identity: Protocols supported on the port. Currently, H3C devices support receiving but not sending protocol identity TLVs. IEEE 802.3 organizationally specific TLVs Table 1-5 IEEE 802.3 organizationally specific TLVs (Type / ...)...
  • Page 104: Operating Modes Of Lldp

    management. In addition, LLDP-MED TLVs make deploying voice devices in Ethernet easier. LLDP-MED TLVs are shown in Table 1-6. Table 1-6 LLDP-MED TLVs (Type / Description): LLDP-MED Capabilities: Allows a MED endpoint to advertise the supported LLDP-MED TLVs and its device type. Network Policy: Allows a network device or MED endpoint to advertise the LAN type and VLAN ID of the specific port, and the Layer 2 and Layer 3 priorities for...
  • Page 105: How Lldp Works

    How LLDP Works Transmitting LLDPDUs An LLDP-enabled port operating in TxRx mode or Tx mode sends LLDPDUs to its directly connected devices both periodically and when the local configuration changes. To prevent the network from being overwhelmed by LLDPDUs at times of frequent local device information change, an interval is introduced between two successive LLDPDUs.
  • Page 106: Performing Basic Lldp Configuration

    LLDP-related configurations made in Ethernet interface view take effect only on the current port, and those made in port group view take effect on all ports in the current port group. Performing Basic LLDP Configuration Enabling LLDP To make LLDP take effect on certain ports, you need to enable LLDP both globally and on these ports. Follow these steps to enable LLDP: To do…...
  • Page 107: Setting The Lldp Re-Initialization Delay

    Setting the LLDP Re-Initialization Delay When LLDP operating mode changes on a port, the port initializes the protocol state machines after a certain delay. By adjusting the LLDP re-initialization delay, you can avoid frequent initializations caused by frequent LLDP operating mode changes on a port. Follow these steps to set the LLDP re-initialization delay for ports: To do…...
  • Page 108: Configuring The Management Address And Its Encoding Format

    (To do… / Use the command… / Remarks) Configure the TLVs to be …: lldp tlv-enable { basic-tlv { all | port-description | system-capability | system-description | system-name } | dot1-tlv { all | port-vlan-id | protocol-vlan-id [ vlan-id ] | vlan-name [ vlan-id ] } | dot3-tlv { all | link-aggregation | mac-physic | ... (Optional; By default, all types of LLDP ...
  • Page 109: Setting Other Lldp Parameters

    Setting Other LLDP Parameters The TTL TLV carried in an LLDPDU determines how long the device information carried in the LLDPDU can be saved on a recipient device. You can configure the TTL of locally sent LLDPDUs to determine how long information about the local device can be saved on a neighbor device by setting the TTL multiplier.
  • Page 110: Configuring Cdp Compatibility

    (To do… / Use the command… / Remarks) Enter system view: system-view (—). Enter Ethernet interface view or port group view: either enter Ethernet interface view with interface interface-type interface-number, or enter port group view with port-group manual port-group-name (Required; Use either command.) Set the encapsulation format: … (Required; Ethernet II encapsulation format applies by default.)
  • Page 111: Configuring Cdp Compatibility

    Configuring CDP Compatibility CDP-compatible LLDP operates in one of the following two modes: TxRx, where CDP packets can be transmitted and received. Disable, where CDP packets can be neither transmitted nor received. To make CDP-compatible LLDP take effect on certain ports, first enable CDP-compatible LLDP globally in system view, and then configure CDP-compatible LLDP to operate in TxRx mode on the port or port group connected to an IP phone in Ethernet interface view or port group view.
  • Page 112: Displaying And Maintaining Lldp

    (To do… / Use the command… / Remarks) Enter system view: system-view (—). Enter Ethernet interface view or port group view: either enter Ethernet interface view with interface interface-type interface-number, or enter port group view with port-group manual port-group-name (Required; Use either command.) Enable LLDP trap sending: lldp notification remote-change enable (Required; Disabled by default)...
  • Page 113 Figure 1-4 Network diagram for basic LLDP configuration Configuration procedure Configure Switch A. # Enable LLDP globally. <SwitchA> system-view [SwitchA] lldp enable # Enable LLDP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, setting the LLDP operating mode to [SwitchA] interface gigabitethernet 1/0/1 [SwitchA-GigabitEthernet1/0/1] lldp enable [SwitchA-GigabitEthernet1/0/1] lldp admin-status rx [SwitchA-GigabitEthernet1/0/1] quit...
  • Page 114 Reinit delay : 2s Transmit delay : 2s Trap interval : 5s Fast start times Port 1 [GigabitEthernet1/0/1]: Port status of LLDP : Enable Admin status : Rx_Only Trap flag : No Roll time : 0s Number of neighbors Number of MED neighbors Number of CDP neighbors Number of sent optional TLV Number of received unknown TLV...
  • Page 115: Cdp-Compatible Lldp Configuration Example

    Number of neighbors Number of MED neighbors Number of CDP neighbors Number of sent optional TLV Number of received unknown TLV Port 2 [GigabitEthernet1/0/2]: Port status of LLDP : Enable Admin status : Rx_Only Trap flag : No Roll time : 0s Number of neighbors Number of MED neighbors...
  • Page 116 [SwitchA] interface gigabitethernet 1/0/2 [SwitchA-GigabitEthernet1/0/2] port link-type trunk [SwitchA-GigabitEthernet1/0/2] voice vlan 2 enable [SwitchA-GigabitEthernet1/0/2] quit Configure CDP-compatible LLDP on Switch A. # Enable LLDP globally and enable LLDP to be compatible with CDP globally. [SwitchA] lldp enable [SwitchA] lldp compliance cdp # Enable LLDP, configure LLDP to operate in TxRx mode, and configure CDP-compatible LLDP to operate in TxRx mode on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
  • Page 117 Table of Contents: 1 VLAN Configuration 1-1; Introduction to VLAN 1-1; VLAN Overview 1-1; VLAN Fundamentals 1-2; Types of VLAN 1-3; Configuring Basic VLAN Settings 1-3; Configuring Basic Settings of a VLAN Interface 1-4; Port-Based VLAN Configuration 1-5; Introduction to Port-Based VLAN 1-5; Assigning an Access Port to a VLAN 1-6; Assigning a Trunk Port to a VLAN 1-7; Assigning a Hybrid Port to a VLAN 1-8...
  • Page 118: Vlan Configuration

    VLAN Configuration When configuring VLAN, go to these sections for information you are interested in: Introduction to VLAN Configuring Basic VLAN Settings Configuring Basic Settings of a VLAN Interface Port-Based VLAN Configuration Displaying and Maintaining VLAN VLAN Configuration Example Introduction to VLAN VLAN Overview Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect (CSMA/CD) mechanism.
  • Page 119: Vlan Fundamentals

    Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2. To enable communication between VLANs, routers or Layer 3 switches are required. Flexible virtual workgroup creation. As users from the same workgroup can be assigned to the same VLAN regardless of their physical locations, network construction and maintenance are much easier and more flexible.
  • Page 120: Types Of Vlan

    The Ethernet II encapsulation format is used here. Besides the Ethernet II encapsulation format, other encapsulation formats, including 802.2 LLC, 802.2 SNAP, and 802.3 raw, are also supported by Ethernet. The VLAN tag fields are also added to frames encapsulated in these formats for VLAN identification.
  • Page 121: Configuring Basic Settings Of A Vlan Interface

    As the default VLAN, VLAN 1 cannot be created or removed. You cannot manually create or remove VLANs reserved for special purposes. Dynamic VLANs cannot be removed with the undo vlan command. A VLAN with a QoS policy applied cannot be removed. Configuring Basic Settings of a VLAN Interface For hosts of different VLANs to communicate, you must use a router or Layer 3 switch to perform Layer 3 forwarding.
  • Page 122: Port-Based Vlan Configuration

    Port-Based VLAN Configuration Introduction to Port-Based VLAN Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN. Port link type You can configure the link type of a port as access, trunk, or hybrid. The three link types use different VLAN tag handling methods.
  • Page 123: Assigning An Access Port To A Vlan

    Ports of different link types handle frames as follows (Port type / Actions in the inbound direction for untagged and tagged frames / Actions in the outbound direction): Access: untagged frame: Tag the frame with the …; tagged frame: Receive the frame if its VLAN ID is the same as the default VLAN ID; outbound: Remove the default VLAN …...
  • Page 124: Assigning A Trunk Port To A Vlan

    (To do… / Use the command… / Remarks) Enter interface view or port group view: Enter Ethernet interface view: interface interface-type interface-number (Required; Use either command. In Ethernet interface view, subsequent configurations apply to the current port.) Enter Layer-2 aggregate interface view: interface bridge-aggregation interface-number. Enter port group view: … (In port group view, the subsequent configurations ...
  • Page 125: Assigning A Hybrid Port To A Vlan

    (To do… / Use the command… / Remarks) Configure the link type of the port or ports as trunk: port link-type trunk (Required). Assign the trunk port(s) to the specified VLAN(s): port trunk permit vlan { vlan-id-list | all } (Required; By default, a trunk port carries only VLAN 1.)
  • Page 126: Displaying And Maintaining Vlan

    (To do… / Use the command… / Remarks) Assign the hybrid port(s) to the specified VLAN(s): port hybrid vlan vlan-id-list { tagged | untagged } (Required; By default, a hybrid port allows only packets of VLAN 1 to pass through untagged.) Configure the default VLAN of the hybrid port: port hybrid pvid vlan vlan-id (Optional)...
  • Page 127 Figure 1-4 Network diagram for port-based VLAN configuration Configuration procedure Configure Device A # Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100. <DeviceA> system-view [DeviceA] vlan 2 [DeviceA-vlan2] quit [DeviceA] vlan 100 [DeviceA-vlan100] vlan 6 to 50 Please wait...
  • Page 128 The Maximum Frame Length is 10240 Broadcast MAX-ratio: 100% Unicast MAX-ratio: 100% Multicast MAX-ratio: 100% PVID: 100 Mdi type: auto Link delay is 0(sec) Port link-type: trunk VLAN passing : 2, 6-50, 100 VLAN permitted: 2, 6-50, 100 Trunk port encapsulation: IEEE 802.1q Port priority: 0 Last 300 seconds input: 0 packets/sec 0 bytes/sec...
  • Page 129: Voice Vlan Configuration

    Voice VLAN Configuration When configuring a voice VLAN, go to these sections for information you are interested in: Overview Configuring a Voice VLAN Displaying and Maintaining Voice VLAN Voice VLAN Configuration Overview A voice VLAN is configured specially for voice traffic. After assigning the ports connecting to voice devices to a voice VLAN, you can configure quality of service (QoS) parameters for the voice traffic, thus improving transmission priority and ensuring voice quality.
  • Page 130: Voice Vlan Assignment Modes

    In general, an OUI address, the first 24 bits of a MAC address (in binary format), is a globally unique identifier assigned to a vendor by the IEEE. The OUI addresses mentioned in this document, however, differ from OUI addresses in the conventional sense: OUI addresses in this document are used by the system to determine whether a received packet is a voice packet.
  • Page 131: Security Mode And Normal Mode Of Voice Vlans

    (Voice VLAN assignment mode / Voice traffic type / Port link type) Tagged voice traffic: Access: not supported. Trunk: supported if the default VLAN of the connecting port exists and is not the voice VLAN and the connecting port belongs to the default VLAN. Hybrid: supported if the default VLAN of the connecting port exists and is not the voice VLAN. Manual mode...
  • Page 132: Configuring A Voice Vlan

    VLANs are vulnerable to traffic attacks. Malicious users can forge a large number of voice packets and send them to voice VLAN-enabled ports to consume the voice VLAN bandwidth, affecting normal voice communication. Security mode: In this mode, only voice packets whose source MAC addresses match the recognizable OUI addresses can pass through the voice VLAN-enabled inbound port, while all other packets are dropped.
  • Page 133: Setting A Port To Operate In Manual Voice Vlan Assignment Mode

    (To do... / Use the command... / Remarks) Add a recognizable OUI address: voice vlan mac-address oui mask oui-mask [ description text ] (Optional; By default, each voice VLAN has default OUI addresses configured. Refer to Table 2-1 for the default OUI addresses of different vendors.)
  • Page 134: Displaying And Maintaining Voice Vlan

    (To do... / Use the command... / Remarks) Hybrid port: … the voice VLAN becomes the default VLAN of the port automatically. Refer to Assigning a Hybrid Port to a VLAN. Trunk port: Configure the … (Optional). Refer to section Assigning a Trunk Port to a VLAN.
  • Page 135 Figure 2-1 Network diagram for automatic voice VLAN assignment mode configuration (diagram labels: Device A, Device B, Internet, GE1/0/2, GE1/0/1, VLAN 3; IP phone B, 010-1002, MAC: 0011-2200-0001, 0755-2002, Mask: ffff-ff00-0000; PC B, MAC: 0022-2200-0002) Configuration procedure # Create VLAN 3. <DeviceA> system-view [DeviceA] vlan 3 # Set the voice VLAN aging time to 30 minutes.
  • Page 136: Manual Voice Vlan Assignment Mode Configuration Example

    Verification # Display the OUI addresses, OUI address masks, and description strings supported currently. <DeviceA> display voice vlan oui Oui Address Mask Description 0001-e300-0000 ffff-ff00-0000 Siemens phone 0003-6b00-0000 ffff-ff00-0000 Cisco phone 0004-0d00-0000 ffff-ff00-0000 Avaya phone 0011-2200-0000 ffff-ff00-0000 IP phone B 00d0-1e00-0000 ffff-ff00-0000 Pingtel phone...
  • Page 137
    Configuration procedure
    # Configure the voice VLAN to operate in security mode. (Optional. A voice VLAN operates in security mode by default.)
    <DeviceA> system-view
    [DeviceA] voice vlan security enable
    # Add a recognizable OUI address 0011-2200-0000.
    [DeviceA] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test
    # Create VLAN 2.
  • Page 138
    PORT                   VLAN   MODE
    -----------------------------------------------
    GigabitEthernet1/0/1          MANUAL
    ...
  • Page 139 Table of Contents
    1 MSTP Configuration  1-1
    Overview  1-1
    Introduction to STP  1-1
    Why STP  1-1
    Protocol Packets of STP  1-1
    Basic Concepts in STP  1-2
    How STP works  1-3
    Introduction to RSTP  1-9
    Introduction to MSTP  1-10
    Why MSTP  1-10
    Basic Concepts in MSTP  1-11
    How MSTP Works  1-14
    Implementation of MSTP on Devices  1-15
    Protocols and Standards  1-15
    ...
  • Page 140
    Configuration Prerequisites  1-32
    Configuration Procedure  1-32
    Configuration Example  1-32
    Configuring the VLAN Ignore Feature  1-33
    Configuration Procedure  1-33
    Configuration Example  1-33
    Configuring Digest Snooping  1-34
    Configuration Prerequisites  1-34
    Configuration Procedure  1-34
    Configuration Example  1-35
    Configuring No Agreement Check  1-36
    Configuration Prerequisites  1-37
    Configuration Procedure  1-37
    Configuration Example  1-38
    Configuring Protection Functions  1-38
    Configuration prerequisites  1-39
    ...
  • Page 141: Mstp Configuration

    MSTP Configuration
    When configuring MSTP, go to these sections for information you are interested in:
    Overview
    Introduction to STP
    Introduction to RSTP
    Introduction to MSTP
    MSTP Configuration Task List
    Configuring the Root Bridge
    Configuring Leaf Nodes
    Configuring the VLAN Ignore Feature
    Configuring Digest Snooping
    Configuring No Agreement Check
    Configuring Protection Functions
    ...
  • Page 142: Basic Concepts In Stp

    STP-enabled network devices exchange BPDUs to establish a spanning tree. BPDUs contain sufficient information for the network devices to complete spanning tree calculation. In STP, BPDUs come in two types: Configuration BPDUs, used for calculating a spanning tree and maintaining the spanning tree topology.
  • Page 143: How Stp Works

    Figure 1-1 A schematic diagram of designated bridges and designated ports All the ports on the root bridge are designated ports. Path cost Path cost is a reference value used for link selection in STP. By calculating path costs, STP selects relatively robust links and blocks redundant links, and finally prunes the network into a loop-free tree.
  • Page 144
    For simplicity, the descriptions and examples below involve only four fields of configuration BPDUs:
    Root bridge ID (represented by device priority)
    Root path cost (related to the rate of the link connected to the port)
    Designated bridge ID (represented by device priority)
    Designated port ID (represented by port name)
    Calculation process of the STP algorithm
    Initial state...
  • Page 145 Selection of the root bridge Initially, each STP-enabled device on the network assumes itself to be the root bridge, with the root bridge ID being its own device ID. By exchanging configuration BPDUs, the devices compare their root bridge IDs to elect the device with the smallest root bridge ID as the root bridge. Selection of the root port and designated ports on a non-root device Table 1-3 describes the process of selecting the root port and designated ports.
  • Page 146
    Figure 1-2 Network diagram for the STP algorithm (Device A with priority 0, Device B with priority 1, Device C with priority 2)
    Initial state of each device
    Table 1-4 shows the initial state of each device.
    Table 1-4 Initial state of each device (columns: Device, Port name, BPDU of port)
    ...
  • Page 147 BPDU of port Device Comparison process after comparison Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1.
  • Page 148
    Table columns: Device, Comparison process, BPDU of port after comparison.
    Comparison process: After comparison, because the root path cost of CP2 (9) (root path cost of the BPDU (5) plus path cost corresponding to CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the BPDU (0) plus path cost corresponding to CP1 (10)), the BPDU of CP2 is elected as the optimum BPDU, and CP2 is elected...
    BPDU of port after comparison: Blocked port CP2: ...
  • Page 149: Introduction To Rstp

    If a path becomes faulty, the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout. In this case, the device will generate a configuration BPDU with itself as the root and send out the BPDUs and TCN BPDUs. This triggers a new spanning tree calculation process to establish a new path to restore the network connectivity.
  • Page 150: Introduction To Mstp

    Introduction to MSTP Why MSTP Weaknesses of STP and RSTP STP does not support rapid state transition of ports. A newly elected root port or designated port must wait twice the forward delay time before transiting to the forwarding state, even if it is a port on a point-to-point link or an edge port, which directly connects to a user terminal rather than to another device or a shared LAN segment.
  • Page 151: Basic Concepts In Mstp

    Basic Concepts in MSTP
    Figure 1-4 Basic concepts in MSTP (diagram labels: Region A0, VLAN 1 mapped to instance 1, VLAN 2 mapped to instance 2, other VLANs mapped to CIST; Region D0; Region B0, VLAN 1 mapped to instance 1, B as regional root bridge, VLAN 2 mapped to instance 2; BPDUs exchanged between the regions)...
  • Page 152 VLAN-to-MSTI mapping table As an attribute of an MST region, the VLAN-to-MSTI mapping table describes the mapping relationships between VLANs and MSTIs. In Figure 1-4, for example, the VLAN-to-MSTI mapping table of region A0 is as follows: VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI 2, and the rest to CIST. MSTP achieves load balancing by means of the VLAN-to-MSTI mapping table.
  • Page 153 During MSTP calculation, a boundary port’s role on an MSTI is consistent with its role on the CIST. But that is not true with master ports. A master port on MSTIs is a root port on the CIST. Roles of ports MSTP calculation involves these port roles: root port, designated port, master port, alternate port, backup port, and so on.
  • Page 154: How Mstp Works

    Port states
    In MSTP, a port is in one of the following three states:
    Forwarding: the port learns MAC addresses and forwards user traffic;
    Learning: the port learns MAC addresses but does not forward user traffic;
    Discarding: the port neither learns MAC addresses nor forwards user traffic.
    When in different MSTIs, a port can be in different states.
  • Page 155: Implementation Of Mstp On Devices

    Within an MST region, the packet is forwarded along the corresponding MSTI. Between two MST regions, the packet is forwarded along the CST. Implementation of MSTP on Devices MSTP is compatible with STP and RSTP. STP and RSTP protocol packets can be recognized by devices running MSTP and used for spanning tree calculation.
  • Page 156: Configuring The Root Bridge

    Task / Remarks:
    Enabling the MSTP Feature: Required
    Configuring an MST Region: Required
    Configuring the Work Mode of an MSTP Device: Optional
    Configuring the Timeout Factor: Optional
    Configuring the Maximum Port Rate: Optional
    Configuring Ports as Edge Ports: Optional
    Configuring Leaf Nodes: Configuring Path Costs of Ports: Optional
    ...
  • Page 157
    To do: Enter system view
      Command: system-view
      Remarks: —
    To do: Enter MST region view
      Command: stp region-configuration
      Remarks: —
    To do: Configure the MST region name
      Command: region-name name
      Remarks: Optional. The MST region name is the MAC address by default.
    To do: Configure the VLAN-to-MSTI mapping table
      Command: instance instance-id vlan vlan-list
      Remarks: Optional. Use either command.
  • Page 158: Specifying The Root Bridge Or A Secondary Root Bridge

    [Sysname-mst-region] revision-level 1
    [Sysname-mst-region] active region-configuration
    Specifying the Root Bridge or a Secondary Root Bridge
    MSTP can determine the root bridge of a spanning tree through MSTP calculation. Alternatively, you can specify the current device as the root bridge using the commands provided by the system.
    Specifying the current device as the root bridge of a specific spanning tree
    Follow these steps to specify the current device as the root bridge of a specific spanning tree:
    To do...
  • Page 159: Configuring The Work Mode Of An Mstp Device

    fails, MSTP will select the secondary root bridge with the lowest MAC address as the new root bridge. Alternatively, you can also specify the current device as the root bridge by setting the priority of the device to 0. For the device priority configuration, refer to Configuring the Priority of the Current Device.
  • Page 160: Configuring The Maximum Hops Of An Mst Region

    Configuration procedure
    Follow these steps to configure the priority of the current device in a specified MSTI:
    To do: Enter system view
      Command: system-view
      Remarks: —
    To do: Configure the priority of the current device in a specified MSTI
      Command: stp [ instance instance-id ] priority priority
      Remarks: Optional. 32768 by default
    ...
  • Page 161: Configuring The Network Diameter Of A Switched Network

    A larger maximum hops setting means a larger size of the MST region. Only the maximum hops configured on the regional root bridge can restrict the size of the MST region. Configuration example # Set the maximum hops of the MST region to 30. <Sysname>...
  • Page 162
    Configuration procedure
    Follow these steps to configure the timers of MSTP:
    To do: Enter system view
      Command: system-view
      Remarks: —
    To do: Configure the forward delay timer
      Command: stp timer forward-delay centi-seconds
      Remarks: Optional. 1,500 centiseconds (15 seconds) by default
    To do: Configure the hello timer
      Command: stp timer hello centi-seconds
      Remarks: Optional. 200 centiseconds (2 seconds) by default
    ...
  • Page 163: Configuring The Timeout Factor

    Configuration example
    # Set the forward delay to 1,600 centiseconds, hello time to 300 centiseconds, and max age to 2,100 centiseconds.
    <Sysname> system-view
    [Sysname] stp timer forward-delay 1600
    [Sysname] stp timer hello 300
    [Sysname] stp timer max-age 2100
    Configuring the Timeout Factor
    After the network topology is stabilized, each non-root-bridge device forwards configuration BPDUs to the downstream devices at the interval of hello time to check whether any link is faulty.
  • Page 164: Configuring Ports As Edge Ports

    To do: Enter system view
      Command: system-view
      Remarks: —
    To do: Enter interface view or port group view: Enter Ethernet interface view or Layer 2 aggregate interface view
      Command: interface interface-type interface-number
      Remarks: Required. Use either command. Configurations made in interface view will take effect on the current port only;...
  • Page 165: Setting The Link Type Of A Port To P2P

    To do: Configure the port(s) as edge port(s)
      Command: stp edged-port enable
      Remarks: Required. All Ethernet ports are non-edge ports by default.
    With BPDU guard disabled, when a port set as an edge port receives a BPDU from another port, it will become a non-edge port again.
  • Page 166: Configuring The Mode A Port Uses To Recognize/Send Mstp Packets

    A Layer 2 aggregate interface can be configured to connect to a point-to-point link. If a port works in auto-negotiation mode and the negotiation result is full duplex, this port can be configured as connecting to a point-to-point link. If a port is configured as connecting to a point-to-point link, the setting takes effect for the port in all MSTIs.
  • Page 167: Enabling The Output Of Port State Transition Information

    MSTP provides the MSTP packet format incompatibility guard function. In MSTP mode, if a port is configured to recognize/send MSTP packets in a mode other than auto, and if it receives a packet in a format different from the specified type, the port will become a designated port and remain in the discarding state to prevent the occurrence of a loop.
  • Page 168: Configuring Leaf Nodes

    To do: Enter interface view or port group view: Enter Ethernet interface view or Layer 2 aggregate interface view
      Command: interface interface-type interface-number
      Remarks: Required. Use either command. Configurations made in interface view will take effect on the current port only;
    To do: Enter port group view
      Remarks: configurations made in port...
  • Page 169: Configuring Ports As Edge Ports

    Configuring Ports as Edge Ports Refer to Configuring Ports as Edge Ports in the section about root bridge configuration. Configuring Path Costs of Ports Path cost is a parameter related to the rate of a port. On an MSTP-enabled device, a port can have different path costs in different MSTIs.
  • Page 170: Configuring Port Priority

    When calculating path cost for an aggregate interface, 802.1d-1998 does not take into account the number of member ports in its aggregation group as 802.1t does. The calculation formula of 802.1t is: Path Cost = 200,000,000/link speed (in 100 kbps), where link speed is the sum of the link speed values of the non-blocked ports in the aggregation group.
  • Page 171: Setting The Link Type Of A Port To P2P

    To do: Enter system view
      Command: system-view
      Remarks: —
    To do: Enter interface view or port group view: Enter Ethernet interface view or Layer 2 aggregate interface view
      Command: interface interface-type interface-number
      Remarks: Required. Use either command. Configurations made in interface view will take effect on the current port only;...
  • Page 172: Performing Mcheck

    Performing mCheck Ports on an MSTP-enabled device have three working modes: STP compatible mode, RSTP mode, and MSTP mode. If a port on a device running MSTP (or RSTP) connects to a device running STP, this port will automatically migrate to the STP-compatible mode. However, it will not be able to migrate automatically back to the MSTP (or RSTP) mode, but will remain working in the STP-compatible mode under the following circumstances: The device running STP is shut down or removed.
  • Page 173: Configuring The Vlan Ignore Feature

    <Sysname> system-view
    [Sysname] interface gigabitethernet 1/0/1
    [Sysname-GigabitEthernet1/0/1] stp mcheck
    Configuring the VLAN Ignore Feature
    Traffic on a VLAN in a complex network may be blocked by the spanning tree.
    Figure 1-6 VLAN connectivity blocked by MSTP
    As shown above, port A on Device A allows the traffic of VLAN 1 to pass through, and port C allows the traffic of VLAN 2 to pass through;...
  • Page 174: Configuring Digest Snooping

    Figure 1-7 VLAN Ignore configuration (diagram labels: Device A, Device B, GE1/0/1, GE1/0/2, VLAN 1, VLAN 2)
    Configuration procedure
    Enable VLAN Ignore on Device B
    # Enable VLAN Ignore on VLAN 2.
    <DeviceB> system-view
    [DeviceB] stp ignored vlan 2
    Verify the configuration
    # Display the VLAN Ignore enabled VLAN.
  • Page 175: Configuration Example

    To do: Enter system view
      Command: system-view
      Remarks: —
    To do: Enter interface view or port group view: Enter Ethernet interface view or Layer 2 aggregate interface view
      Command: interface interface-type interface-number
      Remarks: Required. Use either command. Configurations made in interface view will take effect on the current port only;...
  • Page 176: Configuring No Agreement Check

    Figure 1-8 Digest Snooping configuration
    Configuration procedure
    Enable Digest Snooping on Device A.
    # Enable Digest Snooping on GigabitEthernet 1/0/1.
    <DeviceA> system-view
    [DeviceA] interface gigabitethernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] stp config-digest-snooping
    [DeviceA-GigabitEthernet1/0/1] quit
    # Enable global Digest Snooping.
    [DeviceA] stp config-digest-snooping
    Enable Digest Snooping on Device B (the same as above, omitted)
    Configuring No Agreement Check
    In RSTP and MSTP, two types of messages are used for rapid state transition on designated ports:
    Proposal: sent by designated ports to request rapid transition...
  • Page 177: Configuration Prerequisites

    Figure 1-9 Rapid state transition of an MSTP designated port
    Figure 1-10 shows rapid state transition of an RSTP designated port.
    Figure 1-10 Rapid state transition of an RSTP designated port (diagram: the upstream device sends a Proposal for rapid transition to the downstream device; the root port of the downstream device blocks other non-edge ports, changes to the forwarding state and sends an Agreement to the upstream device)...
  • Page 178: Configuration Example

    To do: Enter system view
      Command: system-view
      Remarks: —
    To do: Enter interface view or port group view: Enter Ethernet interface view or Layer 2 aggregate interface view
      Command: interface interface-type interface-number
      Remarks: Required. Use either command. Configurations made in interface view will take effect on the current port only;...
  • Page 179: Configuration Prerequisites

    Among loop guard, root guard and edge port settings, only one function can take effect on the same port at the same time. Configuration prerequisites MSTP has been correctly configured on the device. Enabling BPDU Guard We recommend that you enable BPDU guard on your device. For access layer devices, the access ports generally connect directly with user terminals (such as PCs) or file servers.
  • Page 180: Enabling Root Guard

    Enabling Root Guard We recommend that you enable root guard on your device. The root bridge and secondary root bridge of a spanning tree should be located in the same MST region. Especially for the CIST, the root bridge and secondary root bridge are generally put in a high-bandwidth core region during network design.
  • Page 181: Enabling Tc-Bpdu Guard

    By keeping receiving BPDUs from the upstream device, a device can maintain the state of the root port and blocked ports. However, due to link congestion or unidirectional link failures, these ports may fail to receive BPDUs from the upstream devices. In this case, the downstream device will reselect the port roles: those ports in forwarding state that failed to receive upstream BPDUs will become designated ports, and the blocked ports will transition to the forwarding state, resulting in loops in the switched network.
  • Page 182: Displaying And Maintaining Mstp

    We recommend that you keep this feature enabled.
    Displaying and Maintaining MSTP
    To do: View information about abnormally blocked ports
      Command: display stp abnormal-port
      Remarks: Available in any view
    To do: View information about ports blocked by STP protection functions
      Command: display stp down-port
      Remarks: Available in any view
    To do: View the historical information of port...
  • Page 183
    Figure 1-12 Network diagram for MSTP configuration
    "Permit:" beside each link in the figure is followed by the VLANs whose packets are permitted to pass this link.
    Configuration procedure
    Configuration on Device A
    # Enter MST region view.
    <DeviceA>...
  • Page 184
    Instance  Vlans Mapped
              1 to 9, 11 to 19, 21 to 29, 31 to 4094
    Configuration on Device B
    # Enter MST region view.
    <DeviceB> system-view
    [DeviceB] stp region-configuration
    # Configure the region name, VLAN-to-MSTI mappings and revision level of the MST region.
    [DeviceB-mst-region] region-name example
    [DeviceB-mst-region] instance 1 vlan 10
    [DeviceB-mst-region] instance 2 vlan 20
    ...
  • Page 185
    [DeviceC-mst-region] instance 3 vlan 30
    [DeviceC-mst-region] revision-level 0
    # Activate MST region configuration manually.
    [DeviceC-mst-region] active region-configuration
    [DeviceC-mst-region] quit
    # Define Device C as the root bridge of MSTI 2.
    [DeviceC] stp instance 2 root primary
    # Enable MSTP globally.
    [DeviceC] stp enable
    # View the MST region configuration information that has taken effect.
  • Page 186
    Instance  Vlans Mapped
              1 to 9, 11 to 19, 21 to 29, 31 to 4094
    ...
  • Page 187 Table of Contents
    1 IP Addressing Configuration  1-1
    IP Addressing Overview  1-1
    IP Address Classes  1-1
    Special IP Addresses  1-2
    Subnetting and Masking  1-2
    Configuring IP Addresses  1-3
    Assigning an IP Address to an Interface  1-3
    Displaying and Maintaining IP Addressing  1-4
    ...
  • Page 188: Ip Addressing Configuration

    IP Addressing Configuration
    When assigning IP addresses to interfaces on your device, go to these sections for information you are interested in:
    IP Addressing Overview
    Configuring IP Addresses
    Displaying and Maintaining IP Addressing
    IP Addressing Overview
    This section covers these topics:
    IP Address Classes
    Special IP Addresses
    IP Address Classes...
  • Page 189: Special Ip Addresses

    Table 1-1 IP address classes and ranges
    Class A
      Address range: 0.0.0.0 to 127.255.255.255
      Remarks: The IP address 0.0.0.0 is used by a host at bootstrap for temporary communication. This address is never a valid destination address. Addresses starting with 127 are reserved for loopback test. Packets destined to these addresses are processed locally as input packets rather than sent to the link.
  • Page 190: Configuring Ip Addresses

    In the absence of subnetting, some special addresses, such as the addresses with a net ID of all zeros and the addresses with a host ID of all ones, are not assignable to hosts. The same is true with subnetting. When designing your network, note that subnetting is a tradeoff between the number of subnets and the number of hosts each subnet can accommodate.
  • Page 191: Displaying And Maintaining Ip Addressing

    Displaying and Maintaining IP Addressing
    To do: Display information about a specified or all Layer 3 interfaces
      Command: display ip interface [ interface-type interface-number ]
      Remarks: Available in any view
    To do: Display brief information about a specified or all Layer 3 interfaces
      Command: display ip interface brief [ interface-type [ interface-number ] ]
      Remarks: Available in any view
    ...
  • Page 192 Table of Contents
    1 IP Performance Optimization Configuration  1-1
    IP Performance Optimization Overview  1-1
    Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network  1-1
    Enabling Reception of Directed Broadcasts to a Directly Connected Network  1-1
    Enabling Forwarding of Directed Broadcasts to a Directly Connected Network  1-2
    Configuring TCP Attributes  1-2
    Enabling the SYN Cookie Feature  1-2
    Enabling Protection Against Naptha Attacks  1-3
    ...
  • Page 193: Ip Performance Optimization Configuration

    To do: Enter system view
      Command: system-view
      Remarks: —
    To do: Enable the device to receive directed broadcasts
      Command: ip forward-broadcast
      Remarks: Optional. Enabled by default. Currently, this command is ineffective on the S5120-SI series Ethernet switches. That is, the switches cannot be disabled from receiving directed broadcasts.
  • Page 194: Enabling Forwarding Of Directed Broadcasts To A Directly Connected Network

    Enabling Forwarding of Directed Broadcasts to a Directly Connected Network If a device is enabled to receive directed broadcasts, the device will determine whether to forward them according to the configuration on the outgoing interface. Follow these steps to enable the device to forward directed broadcasts: To do…...
  • Page 195: Enabling Protection Against Naptha Attacks

    Follow these steps to enable the SYN Cookie feature:
    To do: Enter system view
      Command: system-view
      Remarks: —
    To do: Enable the SYN Cookie feature
      Command: tcp syn-cookie enable
      Remarks: Required. Disabled by default.
    If MD5 authentication is enabled, the SYN Cookie feature will not function even after it is enabled. Then, if you disable MD5 authentication, the SYN Cookie feature will be enabled automatically.
  • Page 196: Configuring Tcp Optional Parameters

    With protection against Naptha attacks enabled, the device periodically checks and records the number of TCP connections in each state. If it detects that the number of TCP connections in a state exceeds the configured maximum, the device treats this as a Naptha attack and accelerates the aging of those TCP connections.
  • Page 197: Configuring Icmp To Send Error Packets

    Configuring ICMP to Send Error Packets Sending error packets is a major function of ICMP. In case of network abnormalities, ICMP packets are usually sent by the network or transport layer protocols to notify corresponding devices so as to facilitate control and management. Advantages of sending ICMP error packets Sending ICMP timeout packets If the device received an IP packet with a timeout error, it drops the packet and sends an ICMP timeout...
  • Page 198: Displaying And Maintaining Ip Performance Optimization

    To do: Clear statistics of UDP traffic
      Command: reset udp statistics
      Remarks: Available in user view
    Currently, the S5120-SI series Ethernet switches do not support the display fib ip-prefix ip-prefix-name command. That is, they do not display FIB entries matching a specified IP prefix list.
  • Page 199 Table of Contents
    1 ARP Configuration  1-1
    ARP Overview  1-1
    ARP Function  1-1
    ARP Message Format  1-1
    ARP Operation  1-2
    ARP Table  1-3
    Configuring ARP  1-3
    Configuring a Static ARP Entry  1-3
    Configuring the Maximum Number of ARP Entries for an Interface  1-4
    Setting the Aging Time for Dynamic ARP Entries  1-4
    Enabling the ARP Entry Check  1-5
    ARP Configuration Example  1-5
    ...
  • Page 200: Arp Configuration

    ARP Configuration
    When configuring ARP, go to these sections for information you are interested in:
    ARP Overview
    Configuring ARP
    Configuring Gratuitous ARP
    Displaying and Maintaining ARP
    ARP Overview
    ARP Function
    The Address Resolution Protocol (ARP) is used to resolve an IP address into an Ethernet MAC address (or physical address).
  • Page 201: Arp Operation

    Sender protocol address: This field specifies the protocol address of the device sending the message.
    Target hardware address: This field specifies the hardware address of the device the message is being sent to.
    Target protocol address: This field specifies the protocol address of the device the message is being sent to.
  • Page 202: Arp Table

    ARP Table After obtaining the MAC address for the destination host, the device puts the IP-to-MAC mapping into its own ARP table. This mapping is used for forwarding packets with the same destination in future. An ARP table contains ARP entries, which fall into one of two categories: dynamic or static. Dynamic ARP entry A dynamic entry is automatically created and maintained by ARP.
  • Page 203: Configuring the Maximum Number of ARP Entries for an Interface

    To do: Configure a permanent static ARP entry
    Use the command: arp static ip-address mac-address vlan-id interface-type interface-number
    Remarks: Required. No permanent static ARP entry is configured by default.

    To do: Configure a non-permanent static ARP entry
    Use the command: arp static ip-address mac-address
    Remarks: Required. No non-permanent static ARP entry is configured by default.
  • Page 204: Enabling the ARP Entry Check

    Enabling the ARP Entry Check. The ARP entry check function prevents the device from learning ARP entries with multicast MAC addresses. With the ARP entry check enabled, the device cannot learn any ARP entry with a multicast MAC address, and configuring such a static ARP entry is not allowed; otherwise, the system displays error messages. After the ARP entry check is disabled, the device can learn ARP entries with multicast MAC addresses, and you can also configure such static ARP entries on the device.
  • Page 205: Configuring Gratuitous ARP

    [Switch] interface GigabitEthernet 1/0/1
    [Switch-GigabitEthernet1/0/1] port access vlan 10
    [Switch-GigabitEthernet1/0/1] quit
    # Create interface VLAN-interface 10 and configure its IP address.
    [Switch] interface vlan-interface 10
    [Switch-vlan-interface10] ip address 192.168.1.2 8
    [Switch-vlan-interface10] quit
    # Configure a static ARP entry with IP address 192.168.1.1 and MAC address 00e0-fc01-0000. The outgoing interface corresponding to the static ARP entry is GigabitEthernet 1/0/1 belonging to VLAN 10.
  • Page 206: Displaying and Maintaining ARP

    Displaying and Maintaining ARP
    To do: Display ARP entries in the ARP table
    Use the command: display arp [ [ all | dynamic | static ] | vlan vlan-id | interface interface-type interface-number ] [ [ | { begin | exclude | include } regular-expression ] | count ]
    Remarks: Available in any view...
  • Page 207: ARP Attack Defense Configuration

    ARP Attack Defense Configuration Although ARP is easy to implement, it provides no security mechanism and thus is prone to network attacks. Currently, ARP attacks and viruses are threatening LAN security. The device can provide multiple features to detect and prevent such attacks. Configuring ARP Active Acknowledgement Introduction Typically, the ARP active acknowledgement feature is configured on gateway devices to identify invalid...
  • Page 208: Configuration Procedure

    Configuration Procedure Enabling source MAC address based ARP attack detection After this feature is enabled for a device, if the number of ARP packets it receives from a MAC address within five seconds exceeds the specified value, it generates an alarm and filters out ARP packets sourced from that MAC address (in filter mode), or only generates an alarm (in monitor mode).
  • Page 209: Displaying and Maintaining Source MAC Address Based ARP Attack Detection

    Displaying and Maintaining Source MAC Address Based ARP Attack Detection
    To do: Display attacking entries detected
    Use the command: display arp anti-attack source-mac [ interface interface-type interface-number ]
    Remarks: Available in any view
    A protected MAC address is no longer excluded from detection after the specified aging time expires. Configuring ARP Packet Rate Limit. Introduction. This feature allows you to limit the rate of ARP packets to be delivered to the CPU.
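    The source MAC address based detection described on Page 208 (count ARP packets per source MAC over five seconds, alarm when the count exceeds a threshold, and either filter or only monitor) together with the protected MAC aging noted above, written out as an added Python example that is not part of the manual. The threshold, the mode names and the sample packet trace are constructed for the example; the switch's own internal counters are not documented on this page.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 5.0  # the manual counts ARP packets per source MAC over five seconds


class SourceMacArpDetector:
    """Sliding-window count of ARP packets per source MAC with filter/monitor modes."""

    def __init__(self, threshold: int, mode: str = "filter"):
        if mode not in ("filter", "monitor"):
            raise ValueError("mode must be 'filter' or 'monitor'")
        self.threshold = threshold          # alarm when the count in the window exceeds this
        self.mode = mode
        self.windows = defaultdict(deque)   # src MAC -> timestamps inside the current window
        self.protected = {}                 # src MAC -> expiry time, or None for no aging
        self.alarms = []                    # (time, src MAC, count) when the threshold is crossed

    def protect(self, mac: str, now: float, aging_seconds=None) -> None:
        """Exclude a MAC from detection; the exclusion lapses once the aging time expires."""
        self.protected[mac] = None if aging_seconds is None else now + aging_seconds

    def _is_protected(self, mac: str, now: float) -> bool:
        if mac not in self.protected:
            return False
        expiry = self.protected[mac]
        if expiry is not None and now >= expiry:
            del self.protected[mac]         # aging time expired: back under detection
            return False
        return True

    def handle(self, src_mac: str, now: float) -> str:
        """Return 'forward' or 'drop' for one ARP packet from src_mac seen at time now."""
        if self._is_protected(src_mac, now):
            return "forward"
        window = self.windows[src_mac]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                # slide the five-second window forward
        count = len(window)
        if count == self.threshold + 1:     # alarm once, when the threshold is first exceeded
            self.alarms.append((now, src_mac, count))
        if count > self.threshold and self.mode == "filter":
            return "drop"                   # filter mode: discard the excess ARP packets
        return "forward"                    # monitor mode only alarms


def run_trace(detector: SourceMacArpDetector, trace) -> int:
    """Feed constructed (time, src MAC) pairs in time order; return how many were dropped."""
    return sum(1 for t, mac in sorted(trace) if detector.handle(mac, t) == "drop")


# Constructed trace: one MAC sends eight ARP packets in under a second, another sends two.
SAMPLE_TRACE = [(i * 0.1, "000c-2900-aaaa") for i in range(8)] + [
    (0.5, "000c-2900-bbbb"),
    (2.0, "000c-2900-bbbb"),
]
```

    With a threshold of 5 the burst source is alarmed once and its sixth, seventh and eighth packets are dropped in filter mode, while the two-packet source and a source that spaces its packets 1.5 s apart never exceed the window count; a protected MAC is left alone until its aging time runs out.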
  • Page 210 Man-in-the-middle attack. According to the ARP design, after receiving an ARP reply, a host adds the IP-to-MAC mapping of the sender to its ARP mapping table. This design reduces the ARP traffic on the network, but also makes ARP spoofing possible. As shown in Figure 2-1, Host A communicates with Host C through a switch.
  • Page 211: IP-to-MAC Bindings

    MAC addresses, port index, and VLAN ID) are consistent, the ARP packet passes the check; if not, the ARP packet cannot pass the check. Upon receiving an ARP packet from an ARP trusted port, the device does not check the ARP packet.
  • Page 212: Configuring ARP Detection Based on Specified Objects

    To do: Return to system view
    Use the command: quit
    Remarks: —

    To do: Enter Ethernet interface view
    Use the command: interface interface-type interface-number
    Remarks: —

    To do: Configure the port as a trusted port
    Use the command: arp detection trust
    Remarks: Optional. The port is an untrusted port by default.

    To do: Return to system view
    Use the command: quit
    Remarks: —...
  • Page 213: Displaying and Maintaining ARP Detection

    Before performing the following configuration, make sure you have configured the arp detection enable command. Follow these steps to configure ARP detection based on specified objects:
    To do: Enter system view
    Use the command: system-view
    Remarks: —

    To do: Specify objects for ARP detection
    Use the command: arp detection validate { dst-mac | ip | src-mac } *
    Remarks: Required...
  • Page 214 Figure 2-2 Network diagram for ARP detection configuration (figure not reproduced; labels: Gateway, DHCP server, VLAN 10, DHCP snooping, Switch A with GE1/0/1, GE1/0/2 and GE1/0/3, Host A, Host B, 10.1.1.6, DHCP client, 0001-0203-0607). Configuration procedure: Add all the ports on Switch A to VLAN 10 (the configuration procedure is omitted). Configure DHCP server (the configuration procedure is omitted).
  • Page 215: ARP Detection Configuration Example II

    After the preceding configurations are completed, when ARP packets arrive at interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, their MAC and IP addresses are checked, and then the packets are checked against the IP-to-MAC binding and finally DHCP snooping entries. ARP Detection Configuration Example II Network requirements As shown in Figure...
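    The check sequence described on Pages 211 to 215 (trusted ports are not checked; on untrusted ports the packet first passes the dst-mac / ip / src-mac validity checks, then is matched against static IP-to-MAC bindings and finally against DHCP snooping entries on sender IP, MAC, port and VLAN) as an added Python example, not code from the manual. The exact meaning of the three validity checks is an assumption of this example: src-mac compares the sender MAC with the Ethernet source, dst-mac compares a reply's target MAC with the Ethernet destination, and ip rejects all-zero, all-one and multicast addresses. The port assignments of the sample bindings are constructed, even where the IP and MAC reuse the labels from Figure 2-2.

```python
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class Binding:
    """An IP-to-MAC binding as kept by a static entry or a DHCP snooping entry."""
    ip: str
    mac: str
    port: str
    vlan: int


@dataclass
class ArpPacket:
    port: str          # receiving port
    vlan: int          # VLAN of the receiving port
    eth_src: str       # Ethernet header source MAC
    eth_dst: str       # Ethernet header destination MAC
    opcode: int
    sender_mac: str    # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


def _invalid_ip(ip: str) -> bool:
    """Assumed 'ip' check: all-zero, all-one or multicast (224-239) addresses are invalid."""
    first = int(ip.split(".")[0])
    return ip in ("0.0.0.0", "255.255.255.255") or 224 <= first <= 239


def validity_problems(pkt: ArpPacket, checks) -> list:
    """Assumed meaning of the dst-mac / ip / src-mac validity checks (see lead-in)."""
    problems = []
    if "src-mac" in checks and pkt.sender_mac != pkt.eth_src:
        problems.append("sender MAC in ARP body differs from Ethernet source MAC")
    if "dst-mac" in checks and pkt.opcode == ARP_REPLY and pkt.target_mac != pkt.eth_dst:
        problems.append("target MAC in ARP reply differs from Ethernet destination MAC")
    if "ip" in checks:
        for ip in (pkt.sender_ip, pkt.target_ip):
            if _invalid_ip(ip):
                problems.append(f"invalid IP address {ip}")
    return problems


def arp_detect(pkt: ArpPacket, trusted_ports, checks, static_bindings, snooping_entries):
    """Return (verdict, reason). Trusted ports bypass all checks; untrusted ports go
    through validity checks, then static bindings, then DHCP snooping entries."""
    if pkt.port in trusted_ports:
        return ("pass", "trusted port, not checked")
    problems = validity_problems(pkt, checks)
    if problems:
        return ("drop", problems[0])
    key = Binding(pkt.sender_ip, pkt.sender_mac, pkt.port, pkt.vlan)
    if key in static_bindings:
        return ("pass", "matches static IP-to-MAC binding")
    if key in snooping_entries:
        return ("pass", "matches DHCP snooping entry")
    return ("drop", "sender IP/MAC/port/VLAN match no binding")


# Constructed sample state (port assignments are assumptions of this example).
TRUSTED = {"GE1/0/3"}
CHECKS = {"dst-mac", "ip", "src-mac"}
STATIC = {Binding("10.1.1.6", "0001-0203-0607", "GE1/0/2", 10)}
SNOOPING = {Binding("10.1.1.5", "000c-2900-aaaa", "GE1/0/1", 10)}


def classify(pkt: ArpPacket):
    """Run the sample packet through ARP detection with the constructed state above."""
    return arp_detect(pkt, TRUSTED, CHECKS, STATIC, SNOOPING)
```

    The useful property to see is that a gateway-address reply arriving from an untrusted access port is dropped not because of any malformed field but because no binding ties that IP to that MAC on that port and VLAN; the validity checks catch header inconsistencies, the binding check catches spoofing of well-formed packets.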
  • Page 216: Configuring Periodic Sending of Gratuitous ARP Packets

    # Enable ARP detection for VLAN 10.
    [SwitchA] vlan 10
    [SwitchA-vlan10] arp detection enable
    # Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port is an untrusted port by default).
    [SwitchA-vlan10] interface GigabitEthernet 1/0/3
    [SwitchA-GigabitEthernet1/0/3] arp detection trust
    [SwitchA-GigabitEthernet1/0/3] quit
    # Enable ARP detection based on 802.1X security entries.
  • Page 217 Table of Contents: 1 DHCP Relay Agent Configuration (1-1); Introduction to DHCP Relay Agent (1-1); Application Environment (1-1); Fundamentals (1-1); DHCP Relay Agent Support for Option 82 (1-2); DHCP Relay Agent Configuration Task List (1-3); Configuring the DHCP Relay Agent (1-3); Enabling DHCP (1-3); Enabling the DHCP Relay Agent on an Interface (1-3); Correlating a DHCP Server Group with a Relay Agent Interface (1-4); Configuring the DHCP Relay Agent Security Functions (1-5)...
  • Page 218 Displaying and Maintaining BOOTP Client Configuration (4-2); BOOTP Client Configuration Example (4-3)...
  • Page 219: DHCP Relay Agent Configuration

    This document is organized as follows: DHCP Relay Agent Configuration; DHCP Client Configuration; DHCP Snooping Configuration; BOOTP Client Configuration. DHCP Relay Agent Configuration. When configuring the DHCP relay agent, go to these sections for information you are interested in: Introduction to DHCP Relay Agent; DHCP Relay Agent Configuration Task List; Configuring the DHCP Relay Agent; Displaying and Maintaining DHCP Relay Agent Configuration...
  • Page 220: DHCP Relay Agent Support for Option 82

    No matter whether a relay agent exists or not, the DHCP server and client interact with each other in a similar way. The following describes the forwarding process on the DHCP relay agent. Figure 1-2 DHCP relay agent work process. As shown in Figure 1-2, the DHCP relay agent works as follows:...
  • Page 221: DHCP Relay Agent Configuration Task List

    If a client’s requesting message has: no Option 82
    Handling strategy: —
    Padding format: normal
    The DHCP relay agent will: Forward the message after adding the Option 82 padded in normal format.

    If a client’s requesting message has: no Option 82
    Handling strategy: —
    Padding format: verbose
    The DHCP relay agent will: Forward the message after adding the Option 82 padded in verbose format.
  • Page 222: Correlating a DHCP Server Group with a Relay Agent Interface

    To do: Enable the DHCP relay agent on the current interface
    Use the command: dhcp select relay
    Remarks: Required. With DHCP enabled, interfaces work in the DHCP server mode.
    If the DHCP client obtains an IP address via the DHCP relay agent, the address pool of the subnet to which the IP address of the DHCP relay agent belongs must be configured on the DHCP server.
  • Page 223: Configuring the DHCP Relay Agent Security Functions

    Configuring the DHCP Relay Agent Security Functions. Creating static bindings and enabling IP address check. The DHCP relay agent can dynamically record clients’ IP-to-MAC bindings after clients get IP addresses. It also supports static bindings, that is, you can manually configure IP-to-MAC bindings on the DHCP relay agent, so that users can access the external network using fixed IP addresses.
  • Page 224: Configuring the DHCP Relay Agent to Send a DHCP-RELEASE Request

    If the server returns a DHCP-ACK message or does not return any message within a specified interval, which means the IP address is assignable now, the DHCP relay agent will age out the client entry with this IP address. If the server returns a DHCP-NAK message, which means the IP address is still in use, the relay agent will not age it out.
  • Page 225 Follow these steps to configure the DHCP relay agent in system view to send a DHCP-RELEASE request:
    To do: Enter system view
    Use the command: system-view
    Remarks: —

    To do: Configure the DHCP relay agent to send a DHCP-RELEASE request
    Use the command: dhcp relay release ip client-ip
    Remarks: Required
    Configuring the DHCP Relay Agent to Support Option 82...
  • Page 226: Displaying and Maintaining DHCP Relay Agent Configuration

    Configure user-defined Option 82:
    To do: Configure the padding content for the circuit ID sub-option
    Use the command: dhcp relay information circuit-id string circuit-id
    Remarks: Optional. By default, the padding content depends on the padding format of Option 82.

    To do: Configure the padding content…
    Use the command: dhcp relay information…
    Remarks: Optional. By default, the padding…
  • Page 227: DHCP Relay Agent Configuration Examples

    DHCP Relay Agent Configuration Examples. DHCP Relay Agent Configuration Example. Network requirements: As shown in Figure 1-3, DHCP clients reside on network 10.10.1.0/24. The IP address of the DHCP server is 10.1.1.1/24. Because the DHCP clients reside on a different network from the DHCP server, a DHCP relay agent is deployed to forward messages between the DHCP clients and the DHCP server.
  • Page 228: DHCP Relay Agent Option 82 Support Configuration Example

    Because the DHCP relay agent and server are on different subnets, you need to configure a static route or a dynamic routing protocol to make them reachable to each other. DHCP Relay Agent Option 82 Support Configuration Example. Network requirements: As shown in Figure 1-3, enable Option 82 on the DHCP relay agent (Switch A).
  • Page 229: Troubleshooting DHCP Relay Agent Configuration

    Troubleshooting DHCP Relay Agent Configuration. Symptom: DHCP clients cannot obtain any configuration parameters via the DHCP relay agent. Analysis: Some problems may occur with the DHCP relay agent or server configuration. Enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state information for locating the problem.
  • Page 230: DHCP Client Configuration

    DHCP Client Configuration. When configuring the DHCP client, go to these sections for information you are interested in: Introduction to DHCP Client; Enabling the DHCP Client on an Interface; Displaying and Maintaining the DHCP Client; DHCP Client Configuration Example. When multiple VLAN interfaces with the same MAC address use DHCP for IP address acquisition via a relay agent, the DHCP server cannot be a Windows 2000 Server or Windows 2003 Server.
  • Page 231: Displaying and Maintaining the DHCP Client

    An interface can be configured to acquire an IP address in multiple ways, but these ways are mutually exclusive. The latest configuration will overwrite the previous one. After the DHCP client is enabled on an interface, no secondary IP address can be configured for the interface.
  • Page 232: DHCP Snooping Configuration

    DHCP Snooping Configuration. When configuring DHCP snooping, go to these sections for information you are interested in: DHCP Snooping Overview; Configuring DHCP Snooping Basic Functions; Configuring DHCP Snooping to Support Option 82; Displaying and Maintaining DHCP Snooping; DHCP Snooping Configuration Examples. The DHCP snooping enabled device does not work if it is between the DHCP relay agent and DHCP server, and it can work when it is between the DHCP client and relay agent or between the DHCP client and server.
  • Page 233: Application Environment of Trusted Ports

    Recording IP-to-MAC mappings of DHCP clients. DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record DHCP snooping entries, including MAC addresses of clients, IP addresses obtained by the clients, ports that connect to DHCP clients, and VLANs to which the ports belong. Application Environment of Trusted Ports. Configuring a trusted port connected to a DHCP server. Figure 3-1 Configure trusted and untrusted ports...
  • Page 234 Figure 3-2 Configure trusted ports in a cascaded network. Table 3-1 describes roles of the ports shown in Figure 3-2.
    Table 3-1 Roles of ports
    Columns: Device | Untrusted port | Trusted port disabled from recording binding entries | Trusted port enabled to record binding entries
    Switch A | GigabitEthernet 1/0/1 | GigabitEthernet 1/0/3 | ...
  • Page 235: Configuring DHCP Snooping Basic Functions

    If a client’s requesting message has: …
    Handling strategy: Replace
    Padding format: normal
    The DHCP snooping device will: Forward the message after replacing the original Option 82 with the Option 82 padded in normal format.

    If a client’s requesting message has: …
    Handling strategy: Replace
    Padding format: verbose
    The DHCP snooping device will: Forward the message after replacing the original Option 82 with the Option 82 padded in verbose format.
  • Page 236: Prerequisites

    You need to specify the ports connected to the authorized DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be in the same VLAN. Currently, you can specify Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces as trusted ports.
  • Page 237: Displaying and Maintaining DHCP Snooping

    To do: Configure the code type for the remote ID sub-option
    Use the command: dhcp-snooping information remote-id format-type { ascii | hex }
    Remarks: Optional. hex by default. The code type configuration applies to non-user-defined Option 82 only.

    To do: Configure the padding content…
    Use the command: dhcp-snooping information [ vlan...
    Remarks: Optional. By default, the…
  • Page 238: DHCP Snooping Configuration Examples

    To do: Clear DHCP snooping entries
    Use the command: reset dhcp-snooping { all | ip ip-address }
    Remarks: Available in user view

    To do: Clear DHCP packet statistics on the DHCP snooping device
    Use the command: reset dhcp-snooping packet statistics
    Remarks: Available in user view
    DHCP Snooping Configuration Examples. DHCP Snooping Configuration Example. Network requirements: As shown in...
  • Page 239 On GigabitEthernet 1/0/2, configure the padding content for the circuit ID sub-option as company001 and for the remote ID sub-option as device001. On GigabitEthernet 1/0/3, configure the padding format as verbose, access node identifier as sysname, and code type as ascii for Option 82. Switch A forwards DHCP requests to the DHCP server after replacing Option 82 in the requests, so that the DHCP clients can obtain IP addresses.
  • Page 240: BOOTP Client Configuration

    BOOTP Client Configuration. While configuring a BOOTP client, go to these sections for information you are interested in: Introduction to BOOTP Client; Configuring an Interface to Dynamically Obtain an IP Address Through BOOTP; Displaying and Maintaining BOOTP Client Configuration. If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay agent, the BOOTP server cannot be a Windows 2000 Server or Windows 2003 Server.
  • Page 241: Obtaining an IP Address Dynamically

    Obtaining an IP Address Dynamically. A DHCP server can take the place of the BOOTP server in the following dynamic IP address acquisition. A BOOTP client dynamically obtains an IP address from a BOOTP server in the following steps:
    1. The BOOTP client broadcasts a BOOTP request, which contains its own MAC address.
    2. The BOOTP server receives the request and searches the configuration file for the corresponding IP address and other information according to the MAC address of the BOOTP client.
  • Page 242 BOOTP Client Configuration Example. Network requirement: Switch A’s port belonging to VLAN 1 is connected to the LAN. VLAN-interface 1 obtains an IP address from the DHCP server by using BOOTP. Figure 4-1 Network diagram for BOOTP client configuration example (figure not reproduced; labels: Client, WINS server 10.1.1.4/25...)
  • Page 243 Table of Contents: 1 FTP Configuration (1-1); FTP Overview (1-1); Introduction to FTP (1-1); Operation of FTP (1-1); Configuring the FTP Client (1-2); Establishing an FTP Connection (1-3); Operating the Directories on an FTP Server (1-4); Operating the Files on an FTP Server (1-4); Using Another Username to Log In to an FTP Server (1-5); Maintaining and Debugging an FTP Connection (1-6); Terminating an FTP Connection (1-6)...
  • Page 244: FTP Configuration

    FTP Configuration. When configuring FTP, go to these sections for information you are interested in: FTP Overview; Configuring the FTP Client; Configuring the FTP Server; Displaying and Maintaining FTP. FTP Overview. Introduction to FTP. The File Transfer Protocol (FTP) is an application layer protocol for sharing files between server and client over a TCP/IP network.
  • Page 245: Configuring the FTP Client

    Table 1-1 Configuration when the device serves as the FTP client
    Device: Device (FTP client)
    Configuration: Use the ftp command to establish the connection to the remote FTP…
    Remarks: If the remote FTP server supports anonymous FTP, the device can log in to it directly;...
  • Page 246: Establishing an FTP Connection

    Only users with the manage level can use the ftp command to log in to an FTP server, enter FTP client view, and execute directory and file related commands. However, whether the commands can be executed successfully depends on the authorizations of the FTP server. Establishing an FTP Connection To access an FTP server, an FTP client must establish a connection with the FTP server.
  • Page 247: Operating the Directories on an FTP Server

    To do: Log in to the remote FTP server directly in user view
    Use the command: ftp [ server-address [ service-port ] [ source { interface interface-type interface-number | ip source-ip-address } ] ]
    Remarks: Use either approach. The ftp command is available in user view;...
  • Page 248: Using Another Username to Log In to an FTP Server

    download a file from the FTP server under the authorized directory of the FTP server by following these steps:
    1. Use the dir or ls command to display the directory and the location of the file on the FTP server.
    2. Delete useless files for effective use of the storage space.
    3. Set the file transfer mode.
  • Page 249: Maintaining and Debugging an FTP Connection

    Follow the step below to use another username to log in to the FTP server:
    To do: Use another username to relog in after successfully logging in to the FTP server
    Use the command: user username [ password ]
    Remarks: Optional
    Maintaining and Debugging an FTP Connection. After a device serving as the FTP client has established a connection with the FTP server (for how to establish an FTP connection, refer to...
  • Page 250 Device downloads a startup file from PC for device upgrade, and uploads the configuration file to PC for backup. On PC, an FTP user account has been created for the FTP client, with the username being abc and the password being pwd. Figure 1-2 Network diagram for FTPing a startup file from an FTP server Configuration procedure If the available memory space of the device is not enough, use the fixdisk command to clear the...
  • Page 251: Configuring the FTP Server

    <Sysname> boot-loader file newest.bin main
    # Reboot the device, and the startup file is updated at the system reboot.
    <Sysname> reboot
    The startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium.
  • Page 252: Configuring Authentication and Authorization on the FTP Server

    To do: Manually release the FTP connection established with the specified username
    Use the command: free ftp user username
    Remarks: Optional. Available in user view
    Configuring Authentication and Authorization on the FTP Server. To allow an FTP user to access certain directories on the FTP server, you need to create an account for the user, authorizing access to the directories and associating the username and password with the account.
  • Page 253: FTP Server Configuration Example

    FTP Server Configuration Example Network requirements As shown in Figure 1-3, use Device as an FTP server, and the PC as the FTP client. Their IP addresses are 1.2.1.1/16 and 1.1.1.1/16 respectively. An available route exists between Device and PC. PC keeps the updated startup file of the device.
  • Page 254: Displaying and Maintaining FTP

    c:\> ftp 1.1.1.1
    Connected to 1.1.1.1.
    220 FTP service ready.
    User(1.1.1.1:(none)):ftp
    331 Password required for ftp.
    Password:
    230 User logged in.
    # Download the configuration file config.cfg of the device to the PC for backup.
    ftp> get config.cfg back-config.cfg
    # Upload the configuration file newest.bin to Device.
    ftp>...
  • Page 256: TFTP Configuration

    TFTP Configuration. When configuring TFTP, go to these sections for information you are interested in: TFTP Overview; Configuring the TFTP Client; Displaying and Maintaining the TFTP Client; TFTP Client Configuration Example. TFTP Overview. Introduction to TFTP. The Trivial File Transfer Protocol (TFTP) provides functions similar to those provided by FTP, but it is less complex than FTP in interactive access interface and authentication.
  • Page 257: Configuring the TFTP Client

    When the device serves as the TFTP client, you need to perform the following configuration:
    Table 2-1 Configuration when the device serves as the TFTP client
    Columns: Device | Configuration | Remarks
    Configuration: Configure the IP address and routing function, and ensure that the route between the device and the TFTP server is available.
  • Page 258: Displaying and Maintaining the TFTP Client

    The source address specified with the tftp client source command is valid for all TFTP connections, and the source address specified with the tftp command is valid only for the current TFTP connection. Follow these steps to configure the TFTP client: To do…...
  • Page 259 Device downloads a startup file from PC for upgrading and uploads a configuration file named config.cfg to PC for backup. Figure 2-2 Smooth upgrading using the TFTP client function. Configuration procedure:
    1. Configure PC (TFTP Server); the configuration procedure is omitted. On the PC, enable the TFTP server and configure a TFTP working directory.
    2. Configure Device (TFTP Client)
  • Page 260 Table of Contents: 1 IP Routing Basics Configuration (1-1); IP Routing and Routing Table (1-1); Routing (1-1); Routing Table (1-1); Displaying and Maintaining a Routing Table (1-3)...
  • Page 261 IP Routing Basics Configuration. Go to these sections for information you are interested in: IP Routing and Routing Table; Displaying and Maintaining a Routing Table. The term “router” in this document refers to a router in a generic sense or a Layer 3 switch. IP Routing and Routing Table. Routing. Routing in the Internet is achieved through routers.
  • Page 262 made of a certain number of consecutive 1s. It can be expressed in dotted decimal format or by the number of the 1s.
    Outbound interface: Specifies the interface through which the IP packets are to be forwarded.
    IP address of the next hop: Specifies the address of the next router on the path. If only the outbound interface is configured, its address will be the IP address of the next hop.
  • Page 263 Displaying and Maintaining a Routing Table
    To do: Display brief information about the active routes in the routing table
    Use the command: display ip routing-table [ verbose | | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view
    To do: Display information about...
  • Page 264 Table of Contents: 1 Static Routing Configuration (1-1); Introduction (1-1); Static Route (1-1); Default Route (1-1); Application Environment of Static Routing (1-2); Configuring a Static Route (1-2); Configuration Prerequisites (1-2); Configuration Procedure (1-2); Displaying and Maintaining Static Routes (1-3); Static Route Configuration Example (1-3); Basic Static Route Configuration Example (1-3)...
  • Page 265 Static Routing Configuration. When configuring a static route, go to these sections for information you are interested in: Introduction; Configuring a Static Route; Displaying and Maintaining Static Routes; Static Route Configuration Example. The term “router” in this document refers to a router in a generic sense or a Layer 3 switch. Introduction. Static Route. A static route is a manually configured route.
  • Page 266 Application Environment of Static Routing Before configuring a static route, you need to know the following concepts: Destination address and mask In the ip route-static command, an IPv4 address is in dotted decimal format and a mask can be either in dotted decimal format or in the form of mask length (the digits of consecutive 1s in the mask).
  • Page 267 To do: Configure the default preference for static routes
    Use the command: ip route-static default-preference default-preference-value
    Remarks: Optional. 60 by default.
    When configuring a static route, the static route does not take effect if you specify the next hop address first and then configure it as the IP address of a local interface, such as a VLAN interface. If you do not specify the preference when configuring a static route, the default preference will be used.
  • Page 268 Figure 1-1 Network diagram for static route configuration. Configuration procedure: Configuring IP addresses for interfaces (omitted). Configuring static routes:
    # Configure a default route on Switch A.
    <SwitchA> system-view
    [SwitchA] ip route-static 0.0.0.0 0.0.0.0 1.1.4.2
    # Configure two static routes on Switch B.
    <SwitchB>...
  • Page 269 127.0.0.1/32 Direct 0 127.0.0.1 InLoop0
    # Display the IP routing table of Switch B.
    [SwitchB] display ip routing-table
    Routing Tables: Public
    Destinations : 10 Routes : 10
    Destination/Mask Proto Cost NextHop Interface
    1.1.2.0/24 Static 60 1.1.4.1 Vlan500
    1.1.3.0/24 Static 60 1.1.5.6 Vlan600
    1.1.4.0/30...
  • Page 270 Table of Contents: 1 Multicast Overview (1-1); Introduction to Multicast (1-1); Comparison of Information Transmission Techniques (1-1); Features of Multicast (1-4); Common Notations in Multicast (1-5); Advantages and Applications of Multicast (1-5); Multicast Models (1-6); Multicast Architecture (1-6); Multicast Addresses (1-7); Multicast Protocols (...
  • Page 271 Configuring IGMP Report Suppression (2-17); Configuring Maximum Multicast Groups that Can Be Joined on a Port (2-17); Configuring Multicast Group Replacement (2-18); Configuring 802.1p Precedence for IGMP Messages (2-19); Displaying and Maintaining IGMP Snooping (2-20); IGMP Snooping Configuration Examples (2-20); Group Policy and Simulated Joining Configuration Example...
  • Page 272: Multicast Overview

    Multicast Overview This manual chiefly focuses on the IP multicast technology and device operations. Unless otherwise stated, the term “multicast” in this document refers to IP multicast. Introduction to Multicast As a technique coexisting with unicast and broadcast, the multicast technique effectively addresses the issue of point-to-multipoint data transmission.
  • Page 273 Figure 1-1 Unicast transmission Host A Receiver Host B Source Host C Receiver Host D IP network Receiver Packets for Host B Host E Packets for Host D Packets for Host E Assume that Host B, Host D and Host E need the information. A separate transmission channel needs to be established from the information source to each of these hosts.
  • Page 274 Figure 1-2 Broadcast transmission Assume that only Host B, Host D, and Host E need the information. If the information is broadcast to the subnet, Host A and Host C also receive it. In addition to information security issues, this also causes traffic flooding on the same subnet.
  • Page 275: Features Of Multicast

    Figure 1-3 Multicast transmission The multicast source (Source in the figure) sends only one copy of the information to a multicast group. Host B, Host D and Host E, which are receivers of the information, need to join the multicast group. The routers on the network duplicate and forward the information based on the distribution of the group members.
  • Page 276: Common Notations In Multicast

    manage multicast group memberships on stub subnets with attached group members. A multicast router itself can be a multicast group member. For a better understanding of the multicast concept, you can compare multicast transmission to the transmission of TV programs, as shown in Table 1-1.
  • Page 277: Multicast Models

    Multicast Models Based on how the receivers treat the multicast sources, there are three multicast models: any-source multicast (ASM), source-filtered multicast (SFM), and source-specific multicast (SSM). ASM model In the ASM model, any sender can send information to a multicast group as a multicast source, and any number of receivers can join a multicast group identified by a group address and obtain the multicast information addressed to that multicast group.
  • Page 278: Multicast Addresses

    Multicast Addresses To allow communication between multicast sources and multicast group members, network-layer multicast addresses, namely multicast IP addresses, must be provided. In addition, a technique must be available to map multicast IP addresses to link-layer multicast MAC addresses. IP multicast addresses The Internet Assigned Numbers Authority (IANA) assigned the Class D address space (224.0.0.0 to 239.255.255.255) for IPv4 multicast.
  • Page 279: Multicast Protocols

    Address / Description: 224.0.0.7: Shared Tree (ST) routers; 224.0.0.8: ST hosts; 224.0.0.9: Routing Information Protocol version 2 (RIPv2) routers; 224.0.0.11: Mobile agents; 224.0.0.12: Dynamic Host Configuration Protocol (DHCP) server/relay agent; 224.0.0.13: All Protocol Independent Multicast (PIM) routers; 224.0.0.14: Resource Reservation Protocol (RSVP) encapsulation; 224.0.0.15: All Core-Based Tree (CBT) routers; 224.0.0.16...
  • Page 280 Generally, we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Layer 3 multicast protocols, which include IGMP, PIM, MSDP, and MBGP. We refer to IP multicast working at the data link layer as Layer 2 multicast and the corresponding multicast protocols as Layer 2 multicast protocols, which include IGMP Snooping and multicast VLAN.
  • Page 281: Multicast Packet Forwarding Mechanism

    An inter-domain multicast routing protocol is used for delivery of multicast information between two ASs. So far, mature solutions include multicast source discovery protocol (MSDP) and multicast border gateway protocol (MBGP). MSDP is used to propagate multicast source information among different ASs, while MBGP, an extension of the Multi-protocol Border Gateway Protocol (MP-BGP), is used for exchanging multicast routing information among different ASs.
  • Page 282 To ensure multicast packet transmission in the network, unicast routing tables or multicast routing tables (for example, the MBGP routing table) specially provided for multicast must be used as guidance for multicast forwarding. To process the same multicast information from different peers received on different interfaces of the same device, every multicast packet is subject to a reverse path forwarding (RPF) check on the incoming interface.
  • Page 283: Igmp Snooping Configuration

    IGMP Snooping Configuration When configuring IGMP snooping, go to the following sections for information you are interested in: IGMP Snooping Overview; IGMP Snooping Configuration Task List; Displaying and Maintaining IGMP Snooping; IGMP Snooping Configuration Examples; Troubleshooting IGMP Snooping Configuration. IGMP Snooping Overview Internet Group Management Protocol Snooping (IGMP snooping) is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups.
  • Page 284: Basic Concepts In Igmp Snooping

    Reducing Layer 2 broadcast packets, thus saving network bandwidth; enhancing the security of multicast traffic; facilitating the implementation of per-host accounting. Basic Concepts in IGMP Snooping IGMP Snooping related ports As shown in Figure 2-2, Router A connects to the multicast source, IGMP snooping runs on Switch A and Switch B, and Host A and Host C are receiver hosts (namely, multicast group members).
  • Page 285: How Igmp Snooping Works

    Aging timers for dynamic ports in IGMP Snooping and related messages and actions Table 2-1 Aging timers for dynamic ports in IGMP snooping and related messages and actions (columns: Timer; Description; Message before expiry; Action after expiry). Dynamic router port aging timer: For each dynamic router port, the switch ... (message before expiry: IGMP general query of ...; action after expiry: the switch removes ...)...
  • Page 286 When receiving a membership report A host sends an IGMP report to the IGMP querier in the following circumstances: Upon receiving an IGMP query, a multicast group member host responds with an IGMP report. When it intends to join a multicast group, a host sends an IGMP report to the IGMP querier to announce that it is interested in the multicast information addressed to that group.
  • Page 287: Igmp Snooping Proxying

    does not immediately remove the port from the outgoing port list of the forwarding table entry for that group; instead, it resets the aging timer for the port. Upon receiving the IGMP leave message from a host, the IGMP querier resolves the multicast group address in the message and sends an IGMP group-specific query to that multicast group through the port that received the leave message.
  • Page 288: Igmp Snooping Configuration Task List

    Table 2-2 describes how an IGMP snooping proxy processes IGMP messages. Table 2-2 IGMP message processing on an IGMP snooping proxy IGMP message Actions When receiving an IGMP general query, the proxy forwards it to all ports but the General query receiving port.
  • Page 289: Configuring Basic Functions Of Igmp Snooping

    Task / Remarks: Configuring IGMP Snooping Proxying: Configuring a Source IP Address for the IGMP Messages Sent by the Proxy (Optional). Configuring an IGMP Snooping Policy: Configuring a Multicast Group Filter (Optional); Configuring the Function of Dropping Unknown Multicast Data (Optional); Configuring IGMP Report Suppression (Optional); Configuring Maximum Multicast Groups that Can...
  • Page 290: Configuring The Version Of Igmp Snooping

    Follow these steps (To do / Use the command / Remarks): Enter system view: system-view (—). Enable IGMP snooping globally and enter IGMP-Snooping view: igmp-snooping (Required; disabled by default). Return to system view: quit (—). Enter VLAN view: vlan vlan-id (—). Enable IGMP snooping in the VLAN: igmp-snooping enable (Required; disabled by default). IGMP snooping must be enabled globally before it can be enabled in a VLAN.
  • Page 291: Configuring Igmp Snooping Port Functions

    Configuring IGMP Snooping Port Functions Configuration Prerequisites Before configuring IGMP snooping port functions, complete the following tasks: enable IGMP snooping in the VLAN; configure the corresponding port groups. Before configuring IGMP snooping port functions, prepare the following data: aging time of dynamic router ports, aging time of dynamic member ports, and multicast group and multicast source addresses. Configuring Aging Timers for Dynamic Ports...
  • Page 292: Configuring Static Ports

    Configuring Static Ports If all the hosts attached to a port are interested in the multicast data addressed to a particular multicast group or the multicast data that a particular multicast source sends to a particular group, you can configure static (*, G) or (S, G) joining on that port, namely configure the port as a group-specific or source-and-group-specific static member port.
  • Page 293: Configuring Fast Leave Processing

    After a port is configured as a simulated member host, the switch responds to IGMP general queries by sending IGMP reports through that port. When the simulated joining function is disabled on a port, the switch sends an IGMP leave message through that port.
  • Page 294: Configuring Igmp Snooping Querier

    Follow these steps (To do / Use the command / Remarks): Enter system view: system-view (—). Enter Ethernet interface/Layer 2 aggregate interface view: interface interface-type interface-number, or enter port group view: port-group manual port-group-name (Required; use either approach). Enable fast leave processing: igmp-snooping fast-leave [ vlan vlan-list ] (Required; disabled by default). If fast leave processing is enabled on a port to which more than one host is attached, when one host leaves a multicast group, the other hosts attached to the port and interested in the same multicast group...
  • Page 295: Configuring Igmp Queries And Responses

    Follow these steps (To do / Use the command / Remarks): Enter VLAN view: vlan vlan-id (—). Enable IGMP snooping querier: igmp-snooping querier (Required; disabled by default). It is meaningless to configure an IGMP snooping querier in a multicast network running IGMP. Although an IGMP snooping querier does not take part in IGMP querier elections, it may affect IGMP querier elections because it sends IGMP general queries with a low source IP address.
  • Page 296: Configuring Source Ip Address Of Igmp Queries

    Configuring IGMP queries and responses in a VLAN Follow these steps to configure IGMP queries and responses in a VLAN (To do / Use the command / Remarks): Enter system view: system-view (—). Enter VLAN view: vlan vlan-id (—). Configure IGMP general query interval: igmp-snooping query-interval interval (Optional)...
  • Page 297: Configuring Igmp Snooping Proxying

    Configuring IGMP Snooping Proxying Configuration Prerequisites Before configuring IGMP snooping proxying in a VLAN, enable IGMP snooping in the VLAN and prepare the following data: source IP address for the IGMP reports sent by the proxy; source IP address for the IGMP leave messages sent by the proxy. Enabling IGMP Snooping Proxying The IGMP snooping proxying function works on a per-VLAN basis.
  • Page 298: Configuring A Multicast Group Filter

    ACL rule for multicast group filtering; the maximum number of multicast groups that can pass the ports; 802.1p precedence for IGMP messages. Configuring a Multicast Group Filter On an IGMP snooping–enabled switch, the configuration of a multicast group filter allows the service provider to define restrictions on the multicast programs available to different users.
  • Page 299: Configuring Igmp Report Suppression

    With the function of dropping unknown multicast data disabled, the switch floods unknown multicast data in the VLAN to which the unknown multicast data belongs. Follow these steps to configure the function of dropping unknown multicast data in a VLAN: To do...
  • Page 300: Configuring Multicast Group Replacement

    (To do / Use the command / Remarks) ... or enter port group view: port-group manual port-group-name (Use either approach). Configure the maximum number of multicast groups allowed on the port(s): igmp-snooping group-limit limit [ vlan vlan-list ] (Optional; by default, the maximum number of multicast groups allowed on the port(s) is 256).
  • Page 301: Configuring 802.1P Precedence For Igmp Messages

    Configuring multicast group replacement on a port or a group of ports Follow these steps to configure multicast group replacement on a port or a group of ports (To do / Use the command / Remarks): Enter system view: system-view (—). Enter Ethernet interface/Layer 2 aggregate interface view: interface interface-type interface-number (Required)...
  • Page 302: Displaying And Maintaining Igmp Snooping

    Displaying and Maintaining IGMP Snooping (To do / Use the command / Remarks): Display IGMP snooping multicast group information (on a centralized device): display igmp-snooping group [ vlan vlan-id ] [ verbose ] (Available in any view). Display the statistics information of IGMP messages learned by IGMP snooping: display igmp-snooping statistics (Available in any view)...
  • Page 303 Figure 2-4 Network diagram for group policy simulated joining configuration Configuration procedure Configure IP addresses Configure an IP address and subnet mask for each interface as per Figure 2-4. The detailed configuration steps are omitted. Configure Router A # Enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on GigabitEthernet 1/0/1.
  • Page 304 # Configure a multicast group filter so that the hosts in VLAN 100 can join only the multicast group 224.1.1.1. [SwitchA] acl number 2001 [SwitchA-acl-basic-2001] rule permit source 224.1.1.1 0 [SwitchA-acl-basic-2001] quit [SwitchA] igmp-snooping [SwitchA-igmp-snooping] group-policy 2001 vlan 100 [SwitchA-igmp-snooping] quit # Configure GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 as simulated hosts for multicast group 224.1.1.1.
  • Page 305: Static Port Configuration Example

    Static Port Configuration Example Network requirements As shown in Figure 2-5, Router A connects to a multicast source (Source) through GigabitEthernet 1/0/2, and to Switch A through GigabitEthernet 1/0/1. IGMPv2 is to run on Router A, and IGMPv2 Snooping is to run on Switch A, Switch B and Switch C, with Router A acting as the IGMP querier.
  • Page 306 Configure an IP address and subnet mask for each interface as per Figure 2-5. The detailed configuration steps are omitted. Configure Router A # Enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on GigabitEthernet 1/0/1. <RouterA> system-view [RouterA] multicast routing-enable [RouterA] interface gigabitethernet 1/0/1 [RouterA-GigabitEthernet1/0/1] igmp enable...
  • Page 307 [SwitchC] igmp-snooping [SwitchC-igmp-snooping] quit # Create VLAN 100, assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/5 to this VLAN, and enable IGMP snooping in the VLAN. [SwitchC] vlan 100 [SwitchC-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/5 [SwitchC-vlan100] igmp-snooping enable [SwitchC-vlan100] quit # Configure GigabitEthernet 1/0/3 and GigabitEthernet 1/0/5 as static member ports for multicast group 224.1.1.1.
  • Page 308: Igmp Snooping Querier Configuration Example

    Total 1 IP Group(s). Total 1 IP Source(s). Total 1 MAC Group(s). Port flags: D-Dynamic port, S-Static port, C-Copy port Subvlan flags: R-Real VLAN, C-Copy VLAN Vlan(id):100. Total 1 IP Group(s). Total 1 IP Source(s). Total 1 MAC Group(s). Router port(s):total 1 port. GE1/0/2 (D) ( 00:01:23 ) IP group(s):the following ip group(s) match to one mac group.
  • Page 309 Figure 2-6 Network diagram for IGMP snooping querier configuration Configuration procedure Configure switch A # Enable IGMP snooping globally. <SwitchA> system-view [SwitchA] igmp-snooping [SwitchA-igmp-snooping] quit # Create VLAN 100 and assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to the VLAN. [SwitchA] vlan 100 [SwitchA-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/3 # Enable IGMP snooping and the function of dropping unknown multicast traffic in VLAN 100.
  • Page 310: Igmp Snooping Proxying Configuration Example

    [SwitchB-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/4 # Enable IGMP snooping and the function of dropping unknown multicast traffic in VLAN 100. [SwitchB-vlan100] igmp-snooping enable [SwitchB-vlan100] igmp-snooping drop-unknown [SwitchB-vlan100] quit Configurations on Switch C and Switch D are similar to the configuration on Switch B. Verify the configuration After the IGMP snooping querier starts to work, all the switches but the querier can receive IGMP general queries.
  • Page 311 Figure 2-7 Network diagram for IGMP snooping proxying configuration (diagram labels: Source; Router A, the IGMP querier, GE1/0/1 1.1.1.1/24 and GE1/0/2 10.1.1.1/24; Switch A, proxy and querier, GE1/0/1 1.1.1.2/24, GE1/0/2, GE1/0/3, GE1/0/4; receivers Host A, Host B and Host C). Configuration procedure Configure IP addresses for interfaces Configure an IP address and subnet mask for each interface as per Figure 2-7.
  • Page 312 Verify the configuration After the configuration is completed, Host A and Host B send IGMP join messages for group 224.1.1.1. Receiving the messages, Switch A sends a join message for the group out port GigabitEthernet 1/0/1 (a router port) to Router A. Use the display igmp-snooping group command and the display igmp group command to display information about IGMP snooping multicast groups and IGMP multicast groups.
  • Page 313: Troubleshooting Igmp Snooping Configuration

    Total 1 IP Group(s). Total 1 IP Source(s). Total 1 MAC Group(s). Port flags: D-Dynamic port, S-Static port, C-Copy port Subvlan flags: R-Real VLAN, C-Copy VLAN Vlan(id):100. Total 1 IP Group(s). Total 1 IP Source(s). Total 1 MAC Group(s). Router port(s):total 1 port. GE1/0/1 (D) ( 00:01:23 ) IP group(s):the following ip group(s) match to one mac group.
  • Page 314 The function of dropping unknown multicast data is not enabled, so unknown multicast data is flooded. Solution Use the display acl command to check the configured ACL rule. Make sure that the ACL rule conforms to the multicast group policy to be implemented. Use the display this command in IGMP snooping view or in the corresponding interface view to check whether the correct multicast group policy has been applied.
  • Page 315: Multicast Vlan Configuration

    Multicast VLAN Configuration When configuring multicast VLAN, go to these sections for information you are interested in: Introduction to Multicast VLAN; Multicast VLAN Configuration Task List; Configuring Multicast VLAN; Displaying and Maintaining Multicast VLAN; Multicast VLAN Configuration Examples. Introduction to Multicast VLAN As shown in Figure...
  • Page 316: Multicast Vlan Configuration Task List

    Figure 3-2 Port-based multicast VLAN After the configuration, upon receiving an IGMP message on a user port, Switch A tags the message with the multicast VLAN ID and relays it to the IGMP querier, so that IGMP Snooping can uniformly manage the router ports and member ports in the multicast VLAN.
  • Page 317: Configuration Prerequisites

    A user port can be configured as a multicast VLAN port only if it is of the Ethernet, or Layer 2 aggregate interface type. Configurations made in Ethernet interface view are effective only for the current port; configurations made in Layer 2 aggregate interface view are effective only for the current interface; configurations made in port group view are effective for all the ports in the current port group.
  • Page 318: Configuring Multicast Vlan Ports

    For details about the port link-type, port hybrid pvid vlan, and port hybrid vlan commands, refer to VLAN Commands. Configuring Multicast VLAN Ports In this approach, you need to configure a VLAN as a multicast VLAN and then assign user ports to this multicast VLAN by either adding the user ports in the multicast VLAN or specifying the multicast VLAN on the user ports.
  • Page 319: Displaying And Maintaining Multicast Vlan

    The VLAN to be configured as a multicast VLAN must exist. A port can belong to only one multicast VLAN. Displaying and Maintaining Multicast VLAN (To do / Use the command / Remarks): Display information about a multicast VLAN: display multicast-vlan [ vlan-id ] (Available in any view). Multicast VLAN Configuration Examples...
  • Page 320 Network diagram Figure 3-3 Network diagram for port-based multicast VLAN configuration Configuration procedure Configure IP addresses Configure the IP address and subnet mask for each interface as per Figure 3-3. The detailed configuration steps are omitted here. Configure Router A # Enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on the host-side interface GigabitEthernet 1/0/2.
  • Page 321 # Create VLAN 2 and enable IGMP Snooping in the VLAN. [SwitchA] vlan 2 [SwitchA-vlan2] igmp-snooping enable [SwitchA-vlan2] quit The configuration for VLAN 3 and VLAN 4 is similar. The detailed configuration steps are omitted. # Configure GigabitEthernet 1/0/2 as a hybrid port. Configure VLAN 2 as the default VLAN. Configure GigabitEthernet 1/0/2 to permit packets of VLAN 2 and VLAN 10 to pass and untag the packets when forwarding them.
  • Page 322 Total 1 IP Source(s). Total 1 MAC Group(s). Router port(s):total 1 port. GE1/0/1 IP group(s):the following ip group(s) match to one mac group. IP group address:224.1.1.1 (0.0.0.0, 224.1.1.1): Host port(s):total 3 port. GE1/0/2 GE1/0/3 GE1/0/4 MAC group(s): MAC group address:0100-5e01-0101 Host port(s):total 3 port.
  • Page 323 Table of Contents: 1 QoS Overview (1-1); Introduction to QoS (1-1); Networks Without QoS Guarantee (1-1); QoS Requirements of New Applications (1-1); Congestion: Causes, Impacts, and Countermeasures (1-2); Causes (1-2); Impacts (1-2); Countermeasures (1-3); QoS Technology Implementations (1-3); End-to-End QoS (1-3); Traffic Classification (1-4); Packet Precedences (1-4); 2 QoS Policy Configuration (2-1); QoS Policy Overview (2-1)...
  • Page 324 4 Line Rate Configuration (4-1); Line Rate (4-1); Line Rate Configuration (4-2); Configuration procedure (4-2); Line rate configuration example (4-2); 5 Congestion Management Configuration (5-1); Overview (5-1); Congestion Management Policies (5-1); Congestion Management Configuration Methods (5-3); Configuring SP Queuing (5-4); Configuring WRR Queuing (5-4); Configuring SP+WRR Queuing (5-5)...
  • Page 325: Qos Overview

    QoS Overview This chapter covers the following topics: Introduction to QoS; Networks Without QoS Guarantee; QoS Requirements of New Applications; Congestion: Causes, Impacts, and Countermeasures; QoS Technology Implementations. Introduction to QoS Quality of Service (QoS) reflects the ability of a network to meet customer needs. In an internet, QoS evaluates the ability of the network to forward packets of different services.
  • Page 326: Congestion: Causes, Impacts, And Countermeasures

    The emerging applications demand higher service performance from IP networks. Better network services during packet forwarding are required, such as providing dedicated bandwidth, reducing the packet loss ratio, managing and avoiding congestion, and regulating network traffic. To meet these requirements, networks must provide improved services. Congestion: Causes, Impacts, and Countermeasures Network congestion is a major factor contributing to service quality degradation on a traditional network.
  • Page 327: Countermeasures

    Countermeasures A simple solution for congestion is to increase network bandwidth. However, it cannot solve all the problems that cause congestion, because you cannot increase network bandwidth infinitely. A more effective solution is to provide differentiated services for different applications through traffic control and resource allocation.
  • Page 328: Traffic Classification

    Congestion avoidance monitors the usage status of network resources and is usually applied in the outbound direction of a port. As congestion becomes worse, it actively reduces the amount of traffic by dropping packets. Among these QoS technologies, traffic classification is the basis for providing differentiated services. Traffic policing, traffic shaping, congestion management, and congestion avoidance manage network traffic and resources in different ways to realize differentiated services.
  • Page 329 As shown in Figure 1-3, the ToS field of the IP header contains eight bits: the first three bits (0 to 2) represent IP precedence from 0 to 7; the subsequent four bits (3 to 6) represent a ToS value from 0 to 15. According to RFC 2474, the ToS field of the IP header is redefined as the differentiated services (DS) field, where a DSCP value is represented by the first six bits (0 to 5) and is in the range 0 to 63.
  • Page 330 DSCP value (decimal) / DSCP value (binary) / Description: 26 / 011010 / af31; 28 / 011100 / af32; 30 / 011110 / af33; 34 / 100010 / af41; 36 / 100100 / af42; 38 / 100110 / af43; 8 / 001000; 16 / 010000; 24 / 011000; 32 / 100000; 40 / 101000; 48 / 110000; 56 / 111000; 0 / 000000 / be (default). 802.1p precedence 802.1p precedence lies in Layer 2 packet headers and is applicable to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2.
  • Page 331 The priority in the 802.1Q tag header is called 802.1p precedence, because its use is defined in IEEE 802.1p. Table 1-3 presents the values for 802.1p precedence. Table 1-3 Description on 802.1p precedence (columns: 802.1p precedence (decimal); 802.1p precedence (binary); Description): best-effort; background; spare...
  • Page 332: Qos Policy Configuration

    QoS Policy Configuration When configuring a QoS policy, go to these sections for information you are interested in: QoS Policy Overview; Configuring a QoS Policy; Applying the QoS Policy; Displaying and Maintaining QoS Policies. QoS Policy Overview A QoS policy involves three components: class, traffic behavior, and policy. You can associate a class with a traffic behavior using a QoS policy.
  • Page 333 Follow these steps to define a class (To do / Use the command / Remarks): Enter system view: system-view (—). Create a class and enter class view: traffic classifier tcl-name [ operator { and | or } ] (Required; by default, the relation between match criteria is and).
  • Page 334: Defining A Traffic Behavior

    Form / Description: source-mac mac-address: Specifies to match the packets with a specified source MAC address. The matching criteria listed below must be unique in a traffic class with the operator being AND. Therefore, even though you can define multiple if-match clauses for these matching criteria or input multiple values for a list argument (such as the 8021p-list argument) listed below in a traffic class, avoid doing that.
  • Page 335 In a policy, multiple class-to-traffic-behavior mappings can be configured, and these mappings are executed according to the order configured. Follow these steps to define a policy (To do / Use the command / Remarks): Enter system view: system-view (—). Create a policy and enter policy view: qos policy policy-name (Required)...
  • Page 336: Applying The Qos Policy

    Applying the QoS Policy You can apply the QoS policy to an interface. You can modify the classification rules, traffic behaviors, and classifier-behavior associations of a QoS policy that is already applied. Applying the QoS Policy to an Interface A policy can be applied to multiple interfaces. Only one policy can be applied in the inbound direction of an interface.
  • Page 337 (To do / Use the command / Remarks): Display traffic behavior configuration information: display traffic behavior user-defined [ behavior-name ] (Available in any view). Display the configuration of user-defined QoS policies: display qos policy user-defined [ policy-name [ classifier tcl-name ] ] (Available in any view). Display QoS policy configuration on the specified ...: display qos policy interface...
  • Page 338: Priority Mapping Configuration

    Priority Mapping Configuration When configuring priority mapping, go to these sections for information you are interested in: Priority Mapping Overview; Configuring a Priority Mapping Table; Configuring the Priority for a Port; Configuring the Trusted Precedence Type for a Port; Displaying and Maintaining Priority Mapping. Priority Mapping Overview Introduction to Priority Mapping When a packet enters a network, it will be marked with a certain value, which indicates the scheduling...
  • Page 339: Introduction To Priority Mapping Tables

    An S5120-SI series switch can trust one of the following two priority types: Trusting the DSCP precedence of received packets. In this mode, the switch searches the dscp-dot1p/dscp mapping table based on the DSCP precedence of the received packet for the 802.1p precedence/DSCP precedence to be used to mark the packet.
  • Page 340: Configuring A Priority Mapping Table

    Table 3-1 The default dot1p-lp and dot1p-dscp mappings. Columns: input priority value (802.1p precedence, dot1p); dot1p-lp mapping (local precedence, lp); dot1p-dscp mapping (DSCP value, dscp).
    Table 3-2 The default dscp-lp and dscp-dot1p mappings. Columns: input priority value (dscp); dscp-lp mapping (local precedence, lp); dscp-dot1p mapping (802.1p precedence, dot1p). First row: dscp 0 to 7...
  • Page 341: Configuration Prerequisites

    Configuration Prerequisites
    You need to decide on the new mapping values.
    Configuration Procedure
    Follow these steps to configure a priority mapping table:
      Enter system view: system-view
      Enter priority mapping table view: qos map-table { dot1p-dot1p | dot1p-dscp | dot1p-lp | dscp-dot1p | dscp-dscp | ... (Required. You can enter the...
  • Page 342: Configuring The Priority For A Port

    # Enter the dot1p-lp priority mapping table view.
    [Sysname] qos map-table dot1p-lp
    # Modify dot1p-lp priority mapping parameters.
    [Sysname-maptbl-dot1p-lp] import 0 1 export 0
    [Sysname-maptbl-dot1p-lp] import 2 3 export 1
    [Sysname-maptbl-dot1p-lp] import 4 5 export 2
    [Sysname-maptbl-dot1p-lp] import 6 7 export 3
    Configuring the Priority for a Port
    Port priority is in the range of 0 to 7.
  • Page 343: Configuring The Trusted Precedence Type For A Port

    Configuring the Trusted Precedence Type for a Port You can configure whether to trust the priority of packets. On a device supporting port trusted precedence type, the priority mapping process for packets is shown in Priority Mapping Overview. You can configure one of the following trusted precedence types for a port: dot1p: Trusts the 802.1p precedence of the received packets and uses the 802.1p precedence for mapping.
  • Page 344: Displaying And Maintaining Priority Mapping

    [Sysname] interface gigabitethernet 1/0/1
    # Configure port GigabitEthernet 1/0/1 to trust the 802.1p precedence of received packets.
    [Sysname-GigabitEthernet1/0/1] qos trust dot1p
    Displaying and Maintaining Priority Mapping
      Display priority mapping table configuration information: display qos map-table [ dot1p-dot1p | dot1p-dscp | dot1p-lp | dscp-dot1p | ... (available in any view)
  • Page 345: Line Rate Configuration

    Line Rate Configuration When configuring traffic classification, traffic policing, and traffic shaping, go to these sections for information you are interested in: Line Rate Line Rate Configuration Line Rate The line rate of a physical interface specifies the maximum rate for forwarding packets (including critical packets).
  • Page 346: Line Rate Configuration

    Line Rate Configuration
    Configuration procedure
    The line rate of a physical interface specifies the maximum rate of incoming or outgoing packets. Follow these steps to configure the line rate:
      Enter system view: system-view...
  • Page 347: Congestion Management Configuration

    Congestion Management Configuration When configuring congestion management, go to these sections for information you are interested in: Overview Congestion Management Configuration Methods Overview Congestion occurs on an interface where the arrival rate of packets is higher than the sending rate. If there is not enough buffer capacity to store these packets, some of them are dropped, which may cause the sending device to retransmit them after a timeout, worsening the congestion.
  • Page 348 Figure 5-1 Schematic diagram for SP queuing As shown in Figure 5-1, SP queuing classifies eight queues on a port into eight classes, numbered 7 to 0 in descending priority order. SP queuing schedules the eight queues strictly according to the descending order of priority. It sends packets in the queue with the highest priority first.
  • Page 349: Congestion Management Configuration Methods

    Figure 5-2 Schematic diagram for WRR queuing Assume there are eight output queues on a port. WRR assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0) to decide the proportion of resources assigned to the queue. On a 100 Mbps port, you can configure the weight values of WRR queuing to 50, 30, 10, 10, 50, 30, 10, and 10 (corresponding to w7, w6, w5, w4, w3, w2, w1, and w0 respectively).
  • Page 350: Configuring Sp Queuing

    Configuring SP Queuing
    Configuration procedure
    Follow these steps to configure SP queuing:
      Enter system view: system-view
      Enter interface view: interface interface-type interface-number (use either command; settings in interface view take effect on the current interface; ...
  • Page 351: Configuring Sp+Wrr Queuing

    Display WRR queuing configuration information on interface(s): display qos wrr interface [ interface-type interface-number ] (Optional; available in any view)
    Configuration example
    Network requirements
    Enable WRR queuing on the interface. Assign queue 0 and queue 1 to WRR group 1, with weights of 10 and 20 respectively. Assign queue 2 and queue 3 to WRR group 2, with weights of 30 and 50 respectively.
  • Page 352 Configure queue 1 on GigabitEthernet1/0/1 to be in WRR queue scheduling group 1, with the weight being 20. Configure queue 2 and queue 3 on GigabitEthernet1/0/1 to be in WRR queue scheduling group 2, with the weight being 10 and 50 respectively. Configuration procedure # Enter system view.
  • Page 353 Table of Contents
    1 802.1X Configuration (1-1)
      802.1X Overview (1-1)
        Architecture of 802.1X (1-1)
        Authentication Modes of 802.1X (1-2)
        Basic Concepts of 802.1X (1-2)
        EAP over LAN (1-3)
        EAP over RADIUS (1-5)
        802.1X Authentication Triggering (1-5)
        Authentication Process of 802.1X (1-6)
        802.1X Access Control Method (1-9)
        802.1X Timers (1-9)
        Features Working Together with 802.1X (1-10)
      802.1X Configuration Task List (1-12)...
  • Page 354: 802.1X Overview

    802.1X Configuration When configuring 802.1X, go to these sections for information you are interested in: 802.1X Overview 802.1X Configuration Task List 802.1X Configuration Example Guest VLAN and VLAN Assignment Configuration Example ACL Assignment Configuration Example 802.1X Overview The 802.1X protocol was proposed by the IEEE 802 LAN/WAN committee to address the security of wireless LANs (WLANs).
  • Page 355: Authentication Modes

    launched on Client. The client program must support Extensible Authentication Protocol over LAN (EAPOL). Device, residing at the other end of the LAN segment, is the entity that authenticates connected clients. Device is usually an 802.1X-enabled network device and provides access ports for clients to the LAN.
  • Page 356: Eap Over Lan

    Figure 1-2 Authorized/unauthorized status of a controlled port You can set the authorization mode of a specified port to control the port authorization status. The authorization modes include: authorized-force: Places the port in the authorized state, allowing users of the ports to access the network without authentication.
  • Page 357 Figure 1-3 EAPOL packet format PAE Ethernet type: Protocol type. It takes the value 0x888E. Protocol version: Version of the EAPOL protocol supported by the EAPOL packet sender. Type: Type of the EAPOL packet. Table 1-1 lists the types that the device currently supports. Table 1-1 Types of EAPOL packets Type Description...
  • Page 358: Eap Over Radius

    An EAP packet of the type of Request or Response has a Data field in the format shown in Figure 1-5. The Type field indicates the EAP authentication type. A value of 1 represents Identity, indicating that the packet is for querying the identity of the client. A value of 4 represents MD5-Challenge, which corresponds closely to the PPP CHAP protocol.
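    The EAPOL and EAP framing described on this and the previous page (Ethernet type 0x888E, then Version, Type and Length; inside an EAP-Packet the EAP Code, Identifier, Length and, for Request/Response, the Type such as 1 Identity or 4 MD5-Challenge), worked through as an added Python example. This is not code from the H3C manual: the PAE group address 01-80-C2-00-00-03 comes from IEEE 802.1X, the EAPOL type names beyond those on this page come from the standard, and the client MAC and identity are constructed sample values.

```python
import struct

ETH_P_PAE = 0x888E                                  # EAPOL Ethernet type from the manual
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")      # 802.1X PAE group address (IEEE 802.1X)

# EAPOL packet types (IEEE 802.1X); the manual's Table 1-1 lists those the switch supports
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}   # RFC 3748
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}     # the two EAP types named on this page


def build_eap(code, identifier, eap_type=None, data=b""):
    """EAP header (Code, Identifier, Length) plus Type and Type-Data of a Request/Response."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def build_eapol(dst, src, eapol_type, body=b"", version=1):
    """Ethernet frame carrying one EAPOL packet; the EAPOL header is Version, Type, Length."""
    eapol_hdr = struct.pack("!BBH", version, eapol_type, len(body))
    return dst + src + struct.pack("!H", ETH_P_PAE) + eapol_hdr + body


def parse_eapol(frame):
    """Parse Ethernet + EAPOL headers and, for an EAP-Packet, the EAP packet inside.

    Every length field is checked against the bytes actually present, so a frame
    whose Length points past its end is rejected instead of being read out of bounds.
    """
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_PAE:
        raise ValueError("not EAPOL: ethertype 0x%04x" % ethertype)
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL Length exceeds frame")
    result = {"dst": dst.hex(), "src": src.hex(), "version": version,
              "type": EAPOL_TYPES.get(ptype, "unknown(%d)" % ptype), "body_len": length}
    if ptype == 0:                                   # EAP-Packet: an EAP header follows
        if length < 4:
            raise ValueError("EAP packet shorter than its header")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > length:
            raise ValueError("EAP Length inconsistent with EAPOL Length")
        eap = {"code": EAP_CODES.get(code, "unknown(%d)" % code), "id": ident}
        if code in (1, 2) and eap_len >= 5:          # only Request/Response carry a Type
            eap["eap_type"] = EAP_TYPES.get(body[4], "unknown(%d)" % body[4])
            eap["data"] = body[5:eap_len]
        result["eap"] = eap
    return result


def example():
    """Constructed sample: a client answers EAP-Request/Identity with identity 'alice'."""
    client_mac = bytes.fromhex("0011223344aa")       # constructed sample address
    eap = build_eap(code=2, identifier=7, eap_type=1, data=b"alice")
    frame = build_eapol(PAE_GROUP_ADDR, client_mac, eapol_type=0, body=eap)
    return parse_eapol(frame)
```

    The parser refuses frames whose EAPOL or EAP Length disagrees with the bytes present; a supplicant or authenticator implementation that trusts those fields is the classic way to read past a receive buffer.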
  • Page 359: Authentication Process

    To solve the problem, the device also supports EAPOL-Start packets whose destination address is a broadcast MAC address. In this case, the H3C iNode 802.1X client is required. Unsolicited triggering of the device The device can trigger authentication by sending EAP-Request/Identity packets to unauthenticated clients periodically (every 30 seconds by default).
  • Page 360 Figure 1-8 802.1X authentication procedure in EAP relay mode (Client and Device exchange EAPOL; Device and Server exchange EAP over RADIUS, EAPOR):
    Client to Device: EAPOL-Start
    Device to Client: EAP-Request/Identity
    Client to Device: EAP-Response/Identity
    Device to Server: RADIUS Access-Request (EAP-Response/Identity)
    Server to Device: RADIUS Access-Challenge (EAP-Request/MD5 challenge)
    Device to Client: EAP-Request/MD5 challenge
    Client to Device: EAP-Response/MD5 challenge
    Device to Server: RADIUS Access-Request (EAP-Response/MD5 challenge)
    Server to Device: RADIUS Access-Accept...
  • Page 361 After receiving the EAP-Response/MD5 Challenge packet, the device relays the packet in a RADIUS Access-Request packet to the authentication server. 10) When receiving the RADIUS Access-Request packet, the RADIUS server compares the password information encapsulated in the packet with that generated by itself. If the two are identical, the authentication server considers the user valid and sends to the device a RADIUS Access-Accept packet.
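    The MD5-Challenge step just described (the server recomputes the password-derived value and compares it with the one the client sent), worked through as an added Python example that is not from the H3C manual. Usernames, passwords and the 16-octet challenge length are constructed sample data. Because the page itself notes that EAP-MD5 corresponds closely to PPP CHAP, the example also shows the consequence a practitioner cares about: a captured challenge/response pair can be tested against candidate passwords offline, and the method gives the client no way to authenticate the server.

```python
import hashlib
import hmac
import os

EAP_TYPE_MD5_CHALLENGE = 4          # EAP Type value named on this page (RFC 3748 section 5.4)


def md5_challenge_value(identifier, password, challenge):
    """Value field of EAP-Response/MD5-Challenge: MD5(Identifier || password || challenge),
    the same construction as PPP CHAP (RFC 1994), which the manual compares it to."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def encode_md5_type_data(value, name=b""):
    """Type-Data of an MD5-Challenge Request or Response: Value-Size, Value, optional Name."""
    if not 0 < len(value) <= 255:
        raise ValueError("Value-Size must fit in one octet")
    return bytes([len(value)]) + value + name


def decode_md5_type_data(type_data):
    if not type_data:
        raise ValueError("empty MD5-Challenge Type-Data")
    size = type_data[0]
    if size == 0 or len(type_data) < 1 + size:
        raise ValueError("Value-Size inconsistent with Type-Data length")
    return type_data[1:1 + size], type_data[1 + size:]


class Md5ChallengeServer:
    """Authentication-server side: issues a fresh challenge per EAP Identifier and
    checks the client's Value against the stored password."""

    def __init__(self, user_db, challenge_len=16):
        self.user_db = user_db              # username -> password (constructed sample data)
        self.pending = {}                   # EAP Identifier -> outstanding challenge
        self.challenge_len = challenge_len

    def issue_request(self, identifier, rng=os.urandom):
        challenge = rng(self.challenge_len)
        self.pending[identifier] = challenge
        return encode_md5_type_data(challenge)

    def check_response(self, identifier, username, response_type_data):
        challenge = self.pending.pop(identifier, None)
        if challenge is None:               # no outstanding challenge: unsolicited or replayed Response
            return False
        value, _name = decode_md5_type_data(response_type_data)
        password = self.user_db.get(username)
        if password is None:
            return False
        expected = md5_challenge_value(identifier, password, challenge)
        return hmac.compare_digest(value, expected)


def client_response(identifier, password, request_type_data, name=b""):
    """Client side: take the challenge out of the Request and answer it."""
    challenge, _ = decode_md5_type_data(request_type_data)
    return encode_md5_type_data(md5_challenge_value(identifier, password, challenge), name)


def offline_guess(identifier, challenge, captured_value, candidates):
    """What an eavesdropper on the LAN segment can do with one captured Request/Response pair:
    test candidate passwords offline, because nothing in EAP-MD5 slows this down."""
    for pw in candidates:
        if md5_challenge_value(identifier, pw, challenge) == captured_value:
            return pw
    return None


def demo():
    server = Md5ChallengeServer({"alice": b"s3cret"})
    req = server.issue_request(identifier=42)
    challenge, _ = decode_md5_type_data(req)
    good = client_response(42, b"s3cret", req, name=b"alice")
    accepted = server.check_response(42, "alice", good)
    replayed = server.check_response(42, "alice", good)      # challenge already consumed
    req2 = server.issue_request(identifier=43)
    rejected = server.check_response(43, "alice", client_response(43, b"wrong", req2))
    captured_value, _ = decode_md5_type_data(good)
    guessed = offline_guess(42, challenge, captured_value, [b"password", b"s3cret", b"letmein"])
    return {"accepted": accepted, "replayed": replayed, "rejected": rejected, "guessed": guessed}
```

    The server keeps one outstanding challenge per Identifier and discards it on use, so a replayed Response is rejected; the offline_guess function is the reason EAP-MD5 is only acceptable where the LAN segment between client and switch is trusted.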
  • Page 362: 802.1X Access Control Method

    RADIUS server for authentication. 802.1X Access Control Method H3C devices not only implement the port-based access control method defined in the 802.1X protocol, but also extend and optimize the protocol by supporting the MAC-based access control method.
  • Page 363: Features Working Together With 802.1X

    Username request timeout timer (tx-period): This timer is started by the device in two cases. The first case is when a client requests authentication. The device starts this timer when it sends an EAP-Request/Identity packet to a client. If it receives no response before this timer expires, the device retransmits the request.
  • Page 364 The assigned VLAN neither changes nor affects the configuration of a port. However, as the assigned VLAN has higher priority than the initial VLAN of the port, it is the assigned VLAN that takes effect after a user passes authentication. After the user goes offline, the port returns to the initial VLAN of the port. For details about VLAN configuration, refer to VLAN Configuration.
  • Page 365: 802.1X Configuration Task List

    Similar to a guest VLAN, an Auth-Fail VLAN can be a port-based Auth-Fail VLAN (PAFV) or a MAC-based Auth-Fail VLAN (MAFV), depending on the port access control method. Currently, on the switch, an Auth-Fail VLAN can only be a port-based Auth-Fail VLAN (PAFV). PAFV refers to the Auth-Fail VLAN configured on a port that uses the port-based access control method.
  • Page 366: 802.1X Basic Configuration

    Task list (continued):
      Enabling the Quiet Timer Function (Optional)
      Enabling the Re-Authentication Function (Optional)
      Configuring a Guest VLAN (Optional)
      Configuring an Auth-Fail VLAN (Optional)
    802.1X Basic Configuration
    Configuration Prerequisites
    802.1X provides a method for implementing user identity authentication. However, 802.1X cannot implement the authentication scheme by itself.
  • Page 367: Configuring 802.1X For A Port

    Set the maximum number of attempts to send an authentication request to a client: dot1x retry max-retry-value (Optional; 2 by default)
    Set the 802.1X timers: dot1x timer { handshake-period handshake-period-value | quiet-period ... (Optional; the defaults are as follows: 15 seconds for the handshake timer, ...
  • Page 368: Enabling The Online User Handshake Function

    Enter system view: system-view
    Enter Ethernet interface view: interface interface-type interface-number
    Specify the port authorization mode for the port: dot1x port-control { authorized-force | auto | unauthorized-force } (Optional; auto by default)
    Specify the port access control method: dot1x port-method ... (Optional)...
  • Page 369: Enabling The Multicast Trigger Function

    You need to disable proxy detection before disabling the online user handshake function. Some 802.1X clients do not support exchanging handshake packets with the device. In this case, you need to disable the online user handshake function on the device; otherwise the device will tear down the connections with such online users for not receiving handshake responses.
  • Page 370: Enabling The Re-Authentication Function

    Enter system view: system-view
    Enable the quiet timer: dot1x quiet-period (Required; disabled by default)
    Enabling the Re-Authentication Function
    If periodic re-authentication is enabled on a port, the device re-authenticates online users on the port at the interval specified by the periodic re-authentication timer.
  • Page 371: Configuring An Auth-Fail Vlan

    Configuration procedure
    Follow these steps to configure a guest VLAN:
      Enter system view: system-view
      Configure the guest VLAN for one or more ports (Required; use either approach):
        In system view: dot1x guest-vlan guest-vlan-id [ interface interface-list ]
        In interface view: interface interface-type interface-number, then ... By default, a port is configured...
  • Page 372: Displaying And Maintaining 802.1X

    Configure the Auth-Fail VLAN for the port: dot1x auth-fail vlan authfail-vlan-id (Required; by default, a port is configured with no Auth-Fail VLAN). Different ports can be configured with different Auth-Fail VLANs, but a port can be configured with only one Auth-Fail VLAN.
  • Page 373 Figure 1-10 Network diagram for 802.1X configuration Configuration procedure The following configuration procedure covers most AAA/RADIUS configuration commands for the device, while configuration on the 802.1X client and RADIUS server are omitted. For information about AAA/RADIUS configuration commands, refer to AAA Configuration. # Configure the IP addresses for each interface.
  • Page 374
    # Set the interval for the device to retransmit packets to the RADIUS server and the maximum number of transmission attempts.
    [Switch-radius-radius1] timer response-timeout 5
    [Switch-radius-radius1] retry 5
    # Set the interval for the device to send real-time accounting packets to the RADIUS server.
    [Switch-radius-radius1] timer realtime-accounting 15
    # Configure the device to remove the domain name from any username before passing the username to the RADIUS server.
  • Page 375 Guest VLAN and VLAN Assignment Configuration Example Network requirements As shown in Figure 1-11: A host is connected to port GigabitEthernet 1/0/2 of the device and must pass 802.1X authentication to access the Internet. GigabitEthernet 1/0/2 is in VLAN 1. The authentication server runs RADIUS and is in VLAN 2.
  • Page 376 Figure 1-12 Network diagram with the port in the guest VLAN Figure 1-13 Network diagram when the client passes authentication Configuration procedure The following configuration procedure uses many AAA/RADIUS commands. For detailed configuration of these commands, refer to AAA Configuration. Configurations on the 802.1X client and RADIUS server are omitted.
  • Page 377: Acl Assignment Configuration Example

    [Switch-radius-2000] primary authentication 10.11.1.1 1812
    [Switch-radius-2000] primary accounting 10.11.1.1 1813
    [Switch-radius-2000] key authentication abc
    [Switch-radius-2000] key accounting abc
    [Switch-radius-2000] user-name-format without-domain
    [Switch-radius-2000] quit
    # Configure authentication domain system and specify RADIUS scheme 2000 for users of the domain.
    [Switch] domain system
    [Switch-isp-system] authentication default radius-scheme 2000
    [Switch-isp-system] authorization default radius-scheme 2000...
  • Page 378 Configure the RADIUS server to assign ACL 3000. Enable 802.1X authentication on port GigabitEthernet 1/0/1 of the switch, and configure ACL 3000. After the host passes 802.1X authentication, the RADIUS server assigns ACL 3000 to port GigabitEthernet 1/0/1. As a result, the host can access the Internet but cannot access the FTP server, whose IP address is 10.0.0.1.
  • Page 379 After logging in successfully, a user can use the ping command to verify whether ACL 3000, assigned by the RADIUS server, is in effect.
    [Switch] ping 10.0.0.1
    PING 10.0.0.1: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out...
  • Page 380 Table of Contents
    1 AAA Configuration (1-1)
      Introduction to AAA (1-1)
      Introduction to RADIUS (1-2)
        Client/Server Model (1-2)
        Security and Authentication Mechanisms (1-3)
        Basic Message Exchange Process of RADIUS (1-3)
        RADIUS Packet Format (1-4)
        Extended RADIUS Attributes (1-7)
      Protocols and Standards (1-7)
      AAA Configuration Task List (1-8)
        AAA Configuration Task List (1-8)
        RADIUS Configuration Task List (1-9)
      Configuring AAA (1-9)...
  • Page 381 Troubleshooting RADIUS (1-32)...
  • Page 382: Aaa Configuration

    AAA Configuration When configuring AAA, go to these sections for information you are interested in: Introduction to AAA Introduction to RADIUS Protocols and Standards AAA Configuration Task List Configuring AAA Configuring RADIUS AAA Configuration Examples Troubleshooting AAA Introduction to AAA Authentication, Authorization, and Accounting (AAA) provides a uniform framework for configuring these three security functions to implement network security management.
  • Page 383: Introduction To Radius

    Authorization: Grants different users different rights. For example, a user logging into the server can be granted the permission to access and print the files in the server. Accounting: Records all network service usage information of users, including the service type, start and end time, and traffic.
  • Page 384: Security And Authentication Mechanisms

    Figure 1-2 RADIUS server components Users: Stores user information such as the usernames, passwords, applied protocols, and IP addresses. Clients: Stores information about RADIUS clients, such as the shared keys and IP addresses. Dictionary: Stores information about the meanings of RADIUS protocol attributes and their values. Security and Authentication Mechanisms Information exchanged between a RADIUS client and the RADIUS server is authenticated with a shared key, which is never transmitted over the network.
  • Page 385: Radius Packet Format

    The host initiates a connection request carrying the username and password to the RADIUS client. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted by using the Message-Digest 5 (MD5) algorithm and the shared key.
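    The two mechanisms described on this and the previous page, the shared key that authenticates client/server traffic without ever being transmitted, and the User-Password hidden with MD5 and that key in the Access-Request, worked through as an added Python example following RFC 2865. This is not code from the H3C manual or from any RADIUS implementation: the user database is constructed sample data and the key abc is the one used by the RADIUS scheme in this page's configuration examples. The last step reproduces the troubleshooting case at the end of the chapter, where the NAS and the server are configured with different keys.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3      # RADIUS codes (RFC 2865)
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret || previous block); the first 'previous block' is the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden, secret, request_authenticator):
    """Server side of the same construction; the chained input is the hidden block."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    out = b""
    for atype, value in attrs:                      # Type, Length (incl. header), Value
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([atype, 2 + len(value)]) + value
    return out


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_packet(code, identifier, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def build_access_request(identifier, username, password, secret, request_authenticator=None):
    ra = request_authenticator or os.urandom(16)   # 16 random octets, never reused under one key
    hidden = hide_password(password, secret, ra)
    return build_packet(ACCESS_REQUEST, identifier, ra,
                        [(ATTR_USER_NAME, username), (ATTR_USER_PASSWORD, hidden)])


def response_authenticator(code, identifier, request_authenticator, attrs, secret):
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret), RFC 2865 section 3."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return hashlib.md5(header + request_authenticator + body + secret).digest()


def build_response(code, request, attrs, secret):
    identifier, ra = request[1], request[4:20]
    return build_packet(code, identifier,
                        response_authenticator(code, identifier, ra, attrs, secret), attrs)


def verify_response(response, request, secret):
    """NAS-side check binding the reply to our Request Authenticator and the shared key."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    expected = response_authenticator(code, identifier, request[4:20],
                                      decode_attrs(response[20:]), secret)
    return hmac.compare_digest(response[4:20], expected)


def server_handle(request, secret, user_db):
    """Toy RADIUS server: recover the password and answer Access-Accept or Access-Reject."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    attrs = dict(decode_attrs(request[20:]))
    password = unhide_password(attrs[ATTR_USER_PASSWORD], secret, request[4:20])
    ok = hmac.compare_digest(user_db.get(attrs.get(ATTR_USER_NAME), b""), password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, [], secret)


def demo():
    secret = b"abc"                       # shared key used by the RADIUS scheme examples on this page
    users = {b"alice": b"s3cret"}         # constructed sample user database
    req = build_access_request(1, b"alice", b"s3cret", secret)
    resp = server_handle(req, secret, users)
    accepted = resp[0] == ACCESS_ACCEPT and verify_response(resp, req, secret)
    # NAS holding a different key than the server: the reply's authenticator no longer verifies
    key_mismatch = verify_response(resp, req, b"different-key")
    reject = server_handle(build_access_request(2, b"alice", b"nope", secret), secret, users)
    return {"accepted": accepted, "key_mismatch_verified": key_mismatch, "wrong_password_code": reject[0]}
```

    The Request Authenticator is the only fresh input to the password mask, which is why it must be unpredictable and never repeat for a given key; the Response Authenticator is what lets the switch tell a genuine Access-Accept from one injected by anyone who can spoof the server's address.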
  • Page 386 RADIUS packet types (Code, packet type, description), continued:
    Access-Accept: from the server to the client. If all the attribute values carried in the Access-Request are acceptable, that is, the authentication succeeds, the server sends an Access-Accept response.
    Access-Reject: from the server to the client. If any attribute value carried in the Access-Request is unacceptable, the server rejects the user and sends an...
  • Page 387 RADIUS attributes (continued), left column: Service-Type, Framed-Protocol, Framed-IP-Address, Framed-IP-Netmask, Framed-Routing, Filter-ID, Framed-MTU, Framed-Compression, Login-IP-Host, Login-Service, Login-TCP-Port, (unassigned), Reply-Message, Callback-Number, Callback-ID, (unassigned), Framed-Route, Framed-IPX-Network, State, Class; right column: Acct-Multi-Session-Id, Acct-Link-Count, Acct-Input-Gigawords, Acct-Output-Gigawords, (unassigned), Event-Timestamp, 56-59 (unassigned), CHAP-Challenge, NAS-Port-Type, Port-Limit, Login-LAT-Port, Tunnel-Type, Tunnel-Medium-Type, Tunnel-Client-Endpoint, Tunnel-Server-Endpoint, Acct-Tunnel-Connection, Tunnel-Password, ARAP-Password, ARAP-Features, ARAP-Zone-Access...
  • Page 388: Protocols And Standards

    Vendor-ID (four bytes): Indicates the ID of the vendor. Its most significant byte is 0 and the other three bytes contain a code complying with RFC 1700. The vendor ID of H3C is 2011. Vendor-Type: Indicates the type of the sub-attribute.
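    The Vendor-Specific attribute layout described above (attribute type 26, a four-byte Vendor-ID whose most significant byte is 0, then vendor sub-attributes with their own Vendor-Type and Vendor-Length), worked through as an added Python example that is not from the H3C manual. The Vendor-ID 2011 is the one stated on this page; the sub-attribute numbers and values are constructed placeholders, not H3C's actual vendor attributes, and the second Vendor-ID is an arbitrary constructed value standing in for another vendor.

```python
import struct

ATTR_VENDOR_SPECIFIC = 26
H3C_VENDOR_ID = 2011            # vendor ID of H3C, as stated on this page


def encode_vsa(vendor_id, sub_attrs):
    """RFC 2865 section 5.26 Vendor-Specific: Type 26, Length, Vendor-Id (high octet 0),
    followed by sub-attributes each encoded as Vendor-Type, Vendor-Length, Value."""
    if not 0 <= vendor_id <= 0xFFFFFF:
        raise ValueError("Vendor-Id high octet must be zero")
    payload = b""
    for vtype, value in sub_attrs:
        if not 0 <= vtype <= 255 or len(value) > 253:
            raise ValueError("bad sub-attribute")
        payload += bytes([vtype, 2 + len(value)]) + value
    body = struct.pack("!I", vendor_id) + payload
    if len(body) > 253:
        raise ValueError("Vendor-Specific attribute too long")
    return bytes([ATTR_VENDOR_SPECIFIC, 2 + len(body)]) + body


def decode_vsa(attr):
    """Inverse of encode_vsa; rejects inconsistent lengths rather than reading past the value."""
    if len(attr) < 6 or attr[0] != ATTR_VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    (vendor_id,) = struct.unpack("!I", attr[2:6])
    if vendor_id >> 24:
        raise ValueError("Vendor-Id high octet is not zero")
    subs, i = [], 6
    while i < len(attr):
        if i + 2 > len(attr) or attr[i + 1] < 2 or i + attr[i + 1] > len(attr):
            raise ValueError("malformed sub-attribute")
        subs.append((attr[i], attr[i + 2:i + attr[i + 1]]))
        i += attr[i + 1]
    return vendor_id, subs


def h3c_sub_attrs(vsa_list):
    """Keep only sub-attributes from VSAs carrying H3C's Vendor-Id; a NAS must ignore
    (not misinterpret) vendor attributes that belong to another vendor's numbering."""
    found = []
    for attr in vsa_list:
        vendor_id, subs = decode_vsa(attr)
        if vendor_id == H3C_VENDOR_ID:
            found.extend(subs)
    return found


def demo():
    # Vendor-Types 1 and 2 and their values are constructed placeholders, not H3C's real sub-attributes.
    h3c = encode_vsa(H3C_VENDOR_ID, [(1, b"sample-value"), (2, struct.pack("!I", 3))])
    other = encode_vsa(12345, [(1, b"ignored")])        # constructed non-H3C vendor id
    return h3c_sub_attrs([other, h3c])
```

    A Vendor-Type of 1 means different things under different Vendor-IDs, so the decoder keys on the Vendor-ID first; the length checks matter because a RADIUS server is an authenticated-but-not-necessarily-trusted peer of the switch.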
  • Page 389: Aaa Configuration Task List

    AAA Configuration Task List The basic procedure to configure AAA is as follows: Configure the required AAA schemes. Local authentication: Configure local users and related attributes, including usernames and passwords of the users to be authenticated. Remote authentication: Configure the required RADIUS schemes, and configure user attributes on the servers accordingly.
  • Page 390: Radius Configuration Task List

    RADIUS Configuration Task List
      Creating a RADIUS Scheme (Required)
      Specifying the RADIUS Authentication/Authorization Servers (Required)
      Specifying the RADIUS Accounting Servers and Relevant Parameters (Optional)
      Setting the Shared Key for RADIUS Packets (Required)
      Setting the Upper Limit of RADIUS Request Retransmission Attempts (Optional)
      Setting the Supported RADIUS Server Type (Optional)...
  • Page 391: Configuring Isp Domain Attributes

    For the NAS, each user belongs to an ISP domain. Up to 16 ISP domains can be configured on a NAS. If a user does not provide the ISP domain name, the system considers that the user belongs to the default ISP domain.
  • Page 392: Configuring Aaa Authentication Methods For An Isp Domain

    A self-service RADIUS server, for example Intelligent Management Center (iMC), is required for the self-service server localization function to work. With the self-service function, a user can manage and control his or her accounting information or card number. A server with self-service software is a self-service server.
  • Page 393: Configuring Aaa Authorization Methods For An Isp Domain

    Specify the authentication method for LAN users: authentication lan-access { local | none | radius-scheme radius-scheme-name [ local ] } (Optional; the default authentication method is used by default)
    Specify the authentication method for login users: authentication login { local | none | radius-scheme ... (Optional; the default authentication...
  • Page 394: Configuring Aaa Accounting Methods For An Isp Domain

    Determine the access mode or service type to be configured. With AAA, you can configure an authorization scheme specifically for each access mode and service type, limiting the authorization protocols that can be used for access. Determine whether to configure an authorization method for all access modes or service types. Follow these steps to configure AAA authorization methods for an ISP domain: To do…...
  • Page 395 AAA supports the following accounting methods: No accounting: The system does not perform accounting for the users. Local accounting: Local accounting is implemented on the access device. It is for collecting statistics on the number of users and controlling the number of local user connections; it does not provide statistics for user charge.
  • Page 396: Configuring Local User Attributes

    With the accounting optional command configured, a user that would otherwise be disconnected can still use the network resources even when no accounting server is available or communication with the current accounting server fails. Local accounting is not used to implement accounting in the charging sense; it is used together with the attribute access-limit command to limit the number of local user connections.
  • Page 397 Place the local user in the active or blocked state: state { active | block } (Optional; when created, a local user is in the active state by default, and the user can request network services).
  • Page 398: Configuring User Group Attributes

    depends on the level of the user interface. For an SSH user using public key authentication, the commands that can be used depend on the level configured on the user interface. For details about authentication method and commands accessible to user interface, refer to Login Configuration. Binding attributes are checked upon authentication of a local user.
  • Page 399: Displaying And Maintaining Aaa

    access device can obtain the NAS ID from the access VLAN of the user and then send the NAS ID to the RADIUS server in the NAS-Identifier attribute. Follow these steps to configure a NAS ID-VLAN binding:
      Enter system view: system-view...
  • Page 400: Creating A Radius Scheme

    When there are users online, you cannot modify RADIUS parameters other than the number of retransmission attempts and the timers. Creating a RADIUS Scheme Before performing other RADIUS configurations, follow these steps to create a RADIUS scheme and enter RADIUS scheme view: To do…...
  • Page 401: Specifying The Radius Accounting Servers And Relevant Parameters

    It is recommended to specify only the primary RADIUS authentication/authorization server if backup is not required. If both the primary and secondary authentication/authorization servers are specified, the secondary one is used when the primary one is unreachable. In practice, you may specify two RADIUS servers as the primary and secondary authentication/authorization servers respectively.
  • Page 402: Setting The Shared Key For Radius Packets

    It is recommended to specify only the primary RADIUS accounting server if backup is not required. If both the primary and secondary accounting servers are specified, the secondary one is used when the primary one is not reachable. In practice, you can specify two RADIUS servers as the primary and secondary accounting servers respectively, or specify one server to function as the primary accounting server in a scheme and the secondary accounting server in another scheme.
  • Page 403: Setting The Supported Radius Server Type

    to retransmit the RADIUS request. If the number of transmission attempts exceeds the specified limit but it still receives no response, it considers that the authentication has failed. Follow these steps to set the upper limit of RADIUS request retransmission attempts: To do…...
  • Page 404: Configuring Attributes Related To Data To Be Sent To The Radius Server

    When both the primary and secondary servers are available, the device sends request packets to the primary server. Once the primary server fails, it enters the blocked state and the device turns to the secondary server. In this case: If the secondary server is available, the device starts the primary server quiet timer.
  • Page 405: Enabling The Radius Trap Function

    Enter system view: system-view
    Enter RADIUS scheme view: radius scheme radius-scheme-name
    Specify the format of the username to be sent to a RADIUS server: user-name-format { keep-original | with-domain | without-domain } (Optional; by default, the ISP domain name is included in the...
  • Page 406: Setting Timers Regarding Radius Servers

    Follow these steps to specify the source IP address for RADIUS packets to be sent:
      Enter system view: system-view
      Specify the source IP address (Required; use either approach; by default, there is no source IP address specified for RADIUS ...):
        In system view: radius nas-ip ip-address
        In RADIUS scheme view: radius scheme...
  • Page 407: Configuring Radius Accounting

    Set the quiet timer for the primary server: timer quiet minutes (Optional; 5 minutes by default)
    Set the real-time accounting interval: timer realtime-accounting minutes (Optional; 12 minutes by default)
    The maximum number of retransmission attempts of RADIUS packets multiplied by the RADIUS server response timeout period cannot be greater than 75.
  • Page 408: Enabling The Listening Port Of The Radius Client

    3 seconds by default The accounting-on feature needs to cooperate with the H3C iMC network management system. Enabling the Listening Port of the RADIUS Client Follow these steps to enable the listening port of the RADIUS client: To do…...
  • Page 409: Aaa Configuration Examples

    AAA Configuration Examples AAA for Telnet Users by Separate Servers Network requirements As shown in Figure 1-6, configure the switch to provide local authentication, local authorization, and RADIUS accounting services to Telnet users. The user name and the password for Telnet users are both hello.
  • Page 410: Aaa For Ssh Users By A Radius Server

    [Switch-radius-rd] quit
    # Create a local user named hello.
    [Switch] local-user hello
    [Switch-luser-hello] service-type telnet
    [Switch-luser-hello] password simple hello
    [Switch-luser-hello] authorization-attribute level 3
    [Switch-luser-hello] quit
    [Switch] domain default enable bbb
    # Configure the AAA methods for the ISP domain.
    [Switch] domain bbb
    [Switch-isp-bbb] authentication login local
    [Switch-isp-bbb] authorization login local
    [Switch-isp-bbb] accounting login radius-scheme rd...
  • Page 411
    Specify the ports for authentication and accounting as 1812 and 1813 respectively.
    Select Device Management Service as the service type.
    Select H3C as the access device type.
    Select the access device from the device list or manually add the device with the IP address of 10.1.1.2...
  • Page 412 Figure 1-9 Add an account for device management Configure the switch # Configure the IP address of VLAN interface 2, through which the SSH user accesses the switch. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit # Configure the IP address of VLAN-interface 3, through which the switch accesses the server.
  • Page 413: Troubleshooting AAA

    [Switch-ui-vty0-4] protocol inbound ssh [Switch-ui-vty0-4] quit # Create RADIUS scheme rad. [Switch] radius scheme rad # Specify the primary authentication server. [Switch-radius-rad] primary authentication 10.1.1.1 1812 # Specify the primary accounting server. [Switch-radius-rad] primary accounting 10.1.1.1 1813 # Set the shared key for authentication packets to expert. [Switch-radius-rad] key authentication expert # Set the shared key for accounting packets to expert.
  • Page 414 The RADIUS server and the NAS are configured with different shared keys. Solution: Check that: The NAS and the RADIUS server can ping each other. The username is in the userid@isp-name format and a default ISP domain is specified on the NAS. The user is configured on the RADIUS server.
  • Page 415 Table of Contents: 1 PKI Configuration 1-1; Introduction to PKI 1-1; PKI Overview 1-1; PKI Terms 1-1; Architecture of PKI 1-2; Applications of PKI 1-3; Operation of PKI 1-3; PKI Configuration Task List 1-4; Configuring an Entity DN 1-4; Configuring a PKI Domain 1-6; Submitting a PKI Certificate Request 1-7; Submitting a Certificate Request in Auto Mode 1-7; Submitting a Certificate Request in Manual Mode 1-8...
  • Page 416: PKI Configuration

    With digital certificates, the PKI system provides network communication and e-commerce with security services such as user authentication, data non-repudiation, data confidentiality, and data integrity. Currently, H3C's PKI system provides certificate management for Secure Sockets Layer (SSL). PKI Terms Digital certificate A digital certificate is a file signed by a certificate authority (CA) for an entity.
  • Page 417: Architecture of PKI

    CAs are trusted by different users in a PKI system, the CAs will form a CA tree with the root CA at the top level. The root CA has a CA certificate signed by itself while each lower level CA has a CA certificate signed by the CA at the next higher level.
  • Page 418: Applications of PKI

    A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing CRLs. A registration authority (RA) is an extended part of a CA or an independent authority. An RA can implement functions including identity authentication, CRL management, key pair generation and key pair backup.
  • Page 419: PKI Configuration Task List

    The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA. The CA verifies the digital signature, approves the application, and issues a certificate. The RA receives the certificate from the CA, sends it to the LDAP server to provide directory navigation service, and notifies the entity that the certificate is successfully issued.
  • Page 420 The configuration of an entity DN must comply with the CA's certificate issuing policy. You need to determine, for example, which entity DN parameters are mandatory and which are optional. Otherwise, the certificate request may be rejected. Follow these steps to configure an entity DN: To do…...
  • Page 421: Configuring a PKI Domain

    Configuring a PKI Domain Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance. A PKI domain is defined by these parameters: Trusted CA An entity requests a certificate from a trusted CA.
  • Page 422: Submitting a PKI Certificate Request

    To do… Use the command… Remarks Required Specify the entity for certificate certificate request entity No entity is specified by default. request entity-name The specified entity must exist. Required Specify the authority for certificate request from { ca | No authority is specified by certificate request ra } default.
  • Page 423: Submitting a Certificate Request in Manual Mode

    Follow these steps to configure an entity to submit a certificate request in auto mode: To do… Use the command… Remarks Enter system view system-view — Enter PKI domain view pki domain domain-name — certificate request mode auto Required Set the certificate request [ key-length key-length | mode to auto password { cipher | simple }...
  • Page 424: Retrieving a Certificate Manually

    If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the local certificate and then issue the public-key local create command. For information about the public-key local create command, refer to Public Key Commands.
  • Page 425: Configuring PKI Certificate Verification

    If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This avoids inconsistency between the certificate and the registration information caused by related configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and local certificate first.
  • Page 426: Destroying a Local RSA Key Pair

    To do… Use the command… Remarks Enter system view system-view — Enter PKI domain view — pki domain domain-name Required Disable CRL checking crl check disable Enabled by default Return to system view quit — Refer to Retrieving a Certificate Retrieve the CA certificate Required Manually...
  • Page 427: Configuring an Access Control Policy

    To do… Use the command… Remarks Enter system view system-view — pki delete-certificate { ca | Delete certificates Required local } domain domain-name Configuring an Access Control Policy By configuring a certificate attribute-based access control policy, you can further control access to the server, providing additional security for the server.
  • Page 428: PKI Configuration Examples

    To do… Use the command… Remarks display pki certificate Display information about one attribute-group { group-name | Available in any view or all certificate attribute groups all } Display information about one display pki certificate or all certificate attribute-based access-control-policy Available in any view access control policies { policy-name | all }...
  • Page 429 In this example, you need to configure these basic attributes on the CA server first: Nickname: Name of the trusted CA. Subject DN: DN information of the CA, including the Common Name (CN), Organization Unit (OU), Organization (O), and Country (C). The other attributes may be left at their default values.
  • Page 430 It will take a few minutes. Press CTRL+C to abort. Input the bits in the modulus [default = 1024]: Generating Keys... ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++ Apply for certificates # Retrieve the CA certificate and save it locally. [Switch] pki retrieval-certificate ca domain torsa Retrieving CA/RA certificates.
  • Page 431: Requesting a Certificate from a CA Running Windows 2003 Server

    OU=test CN=myca Validity Not Before: Jan 8 09:26:53 2007 GMT Not After : Jan 8 09:26:53 2008 GMT Subject: CN=switch Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00D67D50 41046F6A 43610335 CA6C4B11 F8F89138 E4E905BD 43953BA2 623A54C0 EA3CB6E0 B04649CE C9CDDD38 34015970 981E96D9 FF4F7B73 A5155649 E583AC61...
  • Page 432 Network requirements Configure PKI entity Switch to request a local certificate from the CA server. Figure 1-3 Request a certificate from a CA running Windows 2003 server Configuration procedure Configure the CA server Install the certificate server suites From the start menu, select Control Panel > Add or Remove Programs, and then select Add/Remove Windows Components >...
  • Page 433 # Configure the name of the trusted CA as myca. [Switch-pki-domain-torsa] ca identifier myca # Configure the URL of the registration server in the format of http://host:port/ certsrv/mscep/mscep.dll, where host:port indicates the IP address and port number of the CA server. [Switch-pki-domain-torsa] certificate request...
  • Page 434 # Use the following command to view information about the local certificate acquired. <Switch> display pki certificate local domain torsa Certificate: Data: Version: 3 (0x2) Serial Number: 48FA0FD9 00000000 000C Signature Algorithm: sha1WithRSAEncryption Issuer: CN=CA server Validity Not Before: Nov 21 12:32:16 2007 GMT Not After : Nov 21 12:42:16 2008 GMT Subject: CN=switch...
  • Page 435: Configuring a Certificate Attribute-Based Access Control Policy

    (Omitted) You can also use other display commands to view detailed information about the CA certificate. Refer to the display pki certificate ca domain command in PKI Commands. Configuring a Certificate Attribute-Based Access Control Policy Network requirements The client accesses the remote HTTP Security (HTTPS) server through the HTTPS protocol. SSL is configured to ensure that only legitimate clients log into the HTTPS server.
  • Page 436 [Switch-pki-cert-attribute-group-mygroup1] quit # Create certificate attribute group mygroup2 and add two attribute rules. The first rule defines that the FQDN of the alternative subject name does not include the string of apple, and the second rule defines that the DN of the certificate issuer name includes the string aabbcc. [Switch] pki certificate attribute-group mygroup2 [Switch-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn apple [Switch-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc...
  • Page 437: Failed to Request a Local Certificate

    Failed to Request a Local Certificate Symptom Failed to request a local certificate. Analysis Possible reasons include: The network connection is not working properly. For example, the network cable may be damaged or loose. No CA certificate has been retrieved. The current key pair has already been bound to a certificate.
  • Page 438 Table of Contents: 1 SSL Configuration 1-1; SSL Overview 1-1; SSL Security Mechanism 1-1; SSL Protocol Stack 1-2; SSL Configuration Task List 1-2; Configuring an SSL Server Policy 1-3; Configuration Prerequisites 1-3; Configuration Procedure 1-3; SSL Server Policy Configuration Example 1-4; Configuring an SSL Client Policy 1-5; Configuration Prerequisites 1-6; Configuration Procedure 1-6; Displaying and Maintaining SSL 1-6...
  • Page 439: SSL Configuration

    SSL Configuration When configuring SSL, go to these sections for information you are interested in: SSL Overview SSL Configuration Task List Displaying and Maintaining SSL Troubleshooting SSL SSL Overview Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols, for example, HTTP.
  • Page 440: SSL Configuration Task List

    For details about symmetric key algorithms, asymmetric key algorithm RSA and digital signature, refer to Public Key Configuration. For details about PKI, certificate, and CA, refer to PKI Configuration. SSL Protocol Stack As shown in Figure 1-2, the SSL protocol consists of two layers of protocols: the SSL record protocol at the lower layer and the SSL handshake protocol, change cipher spec protocol, and alert protocol at the upper layer.
  • Page 441: Configuring an SSL Server Policy

    Configuring an SSL Server Policy An SSL server policy is a set of SSL parameters for a server to use when booting up. An SSL server policy takes effect only after it is associated with an application layer protocol, for example, HTTP.
  • Page 442: SSL Server Policy Configuration Example

    If you enable client authentication here, you must request a local certificate for the client. Currently, SSL mainly comes in these versions: SSL 2.0, SSL 3.0, and TLS 1.0, where TLS 1.0 corresponds to SSL 3.1. When the device acts as an SSL server, it can communicate with clients running SSL 3.0 or TLS 1.0, and can identify Hello packets from clients running SSL 2.0.
  • Page 443: Configuring an SSL Client Policy

    # Create a PKI domain and configure it. [Device] pki domain 1 [Device-pki-domain-1] ca identifier ca1 [Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll [Device-pki-domain-1] certificate request from ra [Device-pki-domain-1] certificate request entity en [Device-pki-domain-1] quit # Create the local RSA key pairs. [Device] public-key local create rsa # Retrieve the CA certificate.
  • Page 444: Configuration Prerequisites

    Configuration Prerequisites If the SSL server is configured to authenticate the SSL client, when configuring the SSL client policy, you need to specify the PKI domain to be used for obtaining the certificate of the client. Therefore, before configuring an SSL client policy, you must configure a PKI domain. For details about PKI domain configuration, refer to PKI Configuration.
  • Page 445 Analysis SSL handshake failure may result from the following causes: No SSL server certificate exists, or the certificate is not trusted. The server is expected to authenticate the client, but the SSL client has no certificate or the certificate is not trusted. The cipher suites used by the server and the client do not match.
  • Page 446 Table of Contents: 1 SSH2.0 Configuration 2-1; SSH2.0 Overview 2-1; Introduction to SSH2.0 2-1; Operation of SSH 2-1; Configuring the Device as an SSH Server 2-4; SSH Server Configuration Task List 2-4; Generating a DSA or RSA Key Pair 2-4; Enabling SSH Server 2-5; Configuring the User Interfaces for SSH Clients 2-5; Configuring a Client Public Key 2-6; Configuring an SSH User 2-7; Setting the SSH Management Parameters 2-9...
  • Page 447: SSH2.0 Configuration

    SSH2.0 Configuration When configuring SSH2.0, go to these sections for information you are interested in: SSH2.0 Overview Configuring the Device as an SSH Server Configuring the Device as an SSH Client Displaying and Maintaining SSH SSH Server Configuration Examples SSH Client Configuration Examples SSH2.0 Overview Introduction to SSH2.0 Secure Shell (SSH) offers an approach to logging into a remote device securely.
  • Page 448 Stages Description Session request After passing authentication, the client sends a session request to the server. Interaction After the server grants the request, the client and server start to communicate with each other. Version negotiation The server opens port 22 to listen for connection requests from clients. The client sends a TCP connection request to the server.
  • Page 449 Before the negotiation, the server must have already generated a DSA or RSA key pair, which is not only used for generating the session key, but also used by the client to authenticate the identity of the server. For details about DSA and RSA key pairs, refer to Public Key Configuration. Authentication SSH provides two authentication methods: password authentication and publickey authentication.
  • Page 450: Configuring the Device as an SSH Server

    Session request After passing authentication, the client sends a session request to the server, while the server listens to and processes the request from the client. After successfully processing the request, the server sends back to the client an SSH_SMSG_SUCCESS packet and goes on to the interactive session stage with the client.
  • Page 451: Enabling SSH Server

    Follow these steps to generate a DSA or RSA key pair on the SSH server: To do… Use the command… Remarks Enter system view system-view — Required Generate the local DSA or RSA public-key local create { dsa | By default, there is neither DSA key pair rsa } key pair nor RSA key pair.
  • Page 452: Configuring a Client Public Key

    To do… Use the command… Remarks Enter system view system-view — Enter user interface view of one user-interface vty number — or more user interfaces [ ending-number ] Required Set the login authentication authentication-mode scheme By default, the authentication mode to scheme [ command-authorization ] mode is password.
  • Page 453: Configuring an SSH User

    You are advised to configure a client public key by importing it from a public key file. You can configure at most 20 client public keys on an SSH server. Configuring a client public key manually Follow these steps to configure the client public key manually: To do…...
  • Page 454 To do… Use the command… Remarks Enter system view system-view — ssh user username service-type stelnet For Stelnet authentication-type { password | { any | Create an users password-publickey | publickey } assign SSH user, and publickey keyname } specify the service type Required ssh user username service-type { all |...
  • Page 455: Setting the SSH Management Parameters

    Setting the SSH Management Parameters SSH management includes: Enabling the SSH server to be compatible with SSH1 clients Setting the server key pair update interval, applicable to users using SSH1 clients Setting the SSH user authentication timeout period Setting the maximum number of SSH authentication attempts Setting the above parameters helps prevent malicious guessing and cracking of keys and usernames, securing your SSH connections.
  • Page 456: Specifying a Source IP Address/Interface for the SSH Client

    Specifying a Source IP address/Interface for the SSH client This configuration task allows you to specify a source IP address or interface for the client to access the SSH server, improving service manageability. To do… Use the command… Remarks Enter system view system-view —...
  • Page 457: Establishing a Connection Between the SSH Client and the Server

    To do... Use the command… Remarks Required The method of configuring Refer to Configuring a Client Configure the server public key server public key on the client is Public Key similar to that of configuring client public key on the server. ssh client authentication Specify the host public key Required...
  • Page 458: SSH Server Configuration Examples

    For information about the display public-key local and display public-key peer commands, refer to Public Key Commands. SSH Server Configuration Examples When Switch Acts as Server for Password Authentication Network requirements As shown in Figure 1-1, a local SSH connection is established between the host (the SSH client) and the switch (the SSH server) for secure data exchange.
  • Page 459 [Switch-luser-client001] service-type ssh [Switch-luser-client001] authorization-attribute level 3 [Switch-luser-client001] quit # Specify the service type for user client001 as Stelnet, and the authentication mode as password. This step is optional. [Switch] ssh user client001 service-type stelnet authentication-type password Configure the SSH client There are many kinds of SSH client software, such as PuTTY and OpenSSH.
  • Page 460: When Switch Acts as Server for Publickey Authentication

    When Switch Acts as Server for Publickey Authentication Network requirements As shown in Figure 1-3, a local SSH connection is established between the host (the SSH client) and the switch (the SSH server) for secure data exchange. Publickey authentication is used, and the algorithm is RSA. Figure 1-3 Switch acts as server for publickey authentication SSH client SSH server...
  • Page 461 # Specify the authentication type for user client002 as publickey, and assign the public key Switch001 to the user. [Switch] ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001 Configure the SSH client # Generate an RSA key pair. Run PuTTYGen.exe, select SSH-2 RSA and click Generate.
  • Page 462 Figure 1-5 Generate a client key pair 2) After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key. Figure 1-6 Generate a client key pair 3) Likewise, to save the private key, click Save private key. A warning window pops up asking whether you want to save the private key without any protection.
  • Page 463 Figure 1-7 Generate a client key pair 4) After generating a key pair on a client, you need to transmit the saved public key file to the server through FTP or TFTP and have the configuration on the server done before continuing configuration of the client.
  • Page 464: SSH Client Configuration Examples

    Figure 1-9 SSH client configuration interface 2) In the window shown in Figure 1-9, click Open. If the connection is normal, you will be prompted to enter the username. After entering the correct username (client002), you can enter the configuration interface.
  • Page 465 [SwitchB] public-key local create dsa [SwitchB] ssh server enable # Create an IP address for VLAN interface 1, which the SSH client will use as the destination for SSH connection. [SwitchB] interface vlan-interface 1 [SwitchB-Vlan-interface1] ip address 10.165.87.136 255.255.255.0 [SwitchB-Vlan-interface1] quit # Set the authentication mode for the user interfaces to AAA.
  • Page 466 If the client does not support first-time authentication, you need to perform the following configurations. # Disable first-time authentication. [SwitchA] undo ssh client first-time # Configure the host public key of the SSH server. You can get the server host public key by using the display public-key local dsa public command on the server.
  • Page 467: When Switch Acts as Client for Publickey Authentication

    When Switch Acts as Client for Publickey Authentication Network requirements As shown in Figure 1-11, Switch A (the SSH client) needs to log into Switch B (the SSH server) through the SSH protocol. Publickey authentication is used, and the public key algorithm is DSA. Figure 1-11 Switch acts as client for publickey authentication Configuration procedure Configure the SSH server...
  • Page 468 # Specify the authentication type for user client002 as publickey, and assign the public key Switch001 to the user. [SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001 Configure the SSH client # Configure an IP address for VLAN interface 1. <SwitchA>...
  • Page 469: SFTP Service

    SFTP Service When configuring SFTP, go to these sections for information you are interested in: SFTP Overview Configuring an SFTP Server Configuring an SFTP Client SFTP Client Configuration Example SFTP Server Configuration Example SFTP Overview The secure file transfer protocol (SFTP) is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer.
  • Page 470: Configuring the SFTP Connection Idle Timeout Period

    When the device functions as the SFTP server, only one client can access the SFTP server at a time. If the SFTP client uses WinSCP, a file on the server cannot be modified directly; it can only be downloaded locally, modified, and then uploaded back to the server. Configuring the SFTP Connection Idle Timeout Period Once the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down, so that a user cannot hold a connection open without using it.
  • Page 471: Working with the SFTP Directories

    To do… Use the command… Remarks sftp server [ port-number ] [ identity-key { dsa | Establish a rsa } | prefer-ctos-cipher { 3des | aes128 | des } Required connection to the | prefer-ctos-hmac { md5 | md5-96 | sha1 | remote SFTP server sha1-96 } | prefer-kex { dh-group-exchange | Use either command in...
  • Page 472: Working with SFTP Files

    Working with SFTP Files SFTP file operations include: Changing the name of a file Downloading a file Uploading a file Displaying a list of the files Deleting a file Follow these steps to work with SFTP files: To do… Use the command… Remarks sftp server [ port-number ] [ identity-key { dsa | rsa } |...
  • Page 473: Terminating the Connection to the Remote SFTP Server

    To do… Use the command… Remarks sftp server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | Required md5-96 | sha1 | sha1-96 } | Enter SFTP client view prefer-kex Execute the command in user...
  • Page 474 Figure 2-1 Network diagram for SFTP client configuration (on a switch) Configuration procedure Configure the SFTP server (Switch B) # Generate RSA and DSA key pairs and enable the SSH server. <SwitchB> system-view [SwitchB] public-key local create rsa [SwitchB] public-key local create dsa [SwitchB] ssh server enable # Enable the SFTP server.
  • Page 475 # Configure an IP address for VLAN interface 1. <SwitchA> system-view [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 192.168.0.2 255.255.255.0 [SwitchA-Vlan-interface1] quit # Generate RSA key pairs. [SwitchA] public-key local create rsa # Export the host public key to file pubkey. [SwitchA] public-key local export rsa ssh2 pubkey [SwitchA] quit After generating key pairs on a client, you need to transmit the saved public key file to the server...
  • Page 476 sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub # Add a directory named new1 and check if it has been created successfully.
  • Page 477: SFTP Server Configuration Example

    sftp-client> quit Connection closed. <SwitchA> SFTP Server Configuration Example Network requirements As shown in Figure 2-2, an SSH connection is established between the host and the switch. The host, an SFTP client, logs into the switch for file management and file transfer. An SSH user uses password authentication with the username being client002 and the password being aabbcc.
  • Page 478 [Switch-luser-client002] quit # Configure the user authentication type as password and service type as SFTP. [Switch] ssh user client002 service-type sftp authentication-type password Configure the SFTP client There are many kinds of SFTP client software. The following takes the PSFTP of PuTTY Version 0.58 as an example.
  • Page 479 Table of Contents: 1 Public Key Configuration 1-1; Public Key Algorithm Overview 1-1; Basic Concepts 1-1; Key Algorithm Types 1-1; Asymmetric Key Algorithm Applications 1-1; Configuring the Local Asymmetric Key Pair 1-2; Creating an Asymmetric Key Pair 1-2; Displaying or Exporting the Local RSA or DSA Host Public Key 1-3; Destroying an Asymmetric Key Pair 1-3; Configuring the Public Key of a Peer 1-3; Displaying and Maintaining Public Keys 1-4...
  • Page 480: Public Key Configuration

    Public Key Configuration When configuring public keys, go to these sections for information you are interested in: Public Key Algorithm Overview Configuring the Local Asymmetric Key Pair Configuring the Public Key of a Peer Displaying and Maintaining Public Keys Public Key Configuration Examples Public Key Algorithm Overview Basic Concepts Algorithm: A set of transformation rules for encryption and decryption.
  • Page 481: Configuring The Local Asymmetric Key Pair

    Encryption: Information encrypted with a receiver's public key can be decrypted only by the receiver, who holds the corresponding private key. This is used to ensure confidentiality. Digital signature: The sender signs a digest of the information with its private key; anyone holding the sender's public key can verify the signature, which proves that the information came from the sender and has not been modified since it was signed. A signature provides authenticity and integrity, not confidentiality.
  • Page 482: Displaying Or Exporting The Local Rsa Or Dsa Host Public Key

    The key pairs created with the public-key local create command survive a reboot. The public-key local create rsa command generates two key pairs: one server key pair and one host key pair. Each key pair consists of a public key and a private key. The length of an RSA key modulus is in the range 512 to 2048 bits; 512-bit and 768-bit RSA moduli have been factored publicly and offer no real protection, so generate keys at the 2048-bit end of the range.
  • Page 483: Displaying And Maintaining Public Keys

    To configure the public key of the peer, you can: Configure it manually: type in or copy the public key of the peer on the local host. The copied public key must not have been converted and must be in the distinguished encoding rules (DER) encoding format.
  • Page 484: Public Key Configuration Examples

    Public Key Configuration Examples Configuring the Public Key of a Peer Manually Network requirements Device A is authenticated by Device B when accessing Device B, so the public key of Device A should be configured on Device B in advance. In this example: RSA is used.
  • Page 485: Importing The Public Key Of A Peer From A Public Key File

    4AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA 80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 ===================================================== Time of Key pair created: 09:50:07 2007/08/07 Key name: SERVER_KEY Key type: RSA Encryption Key ===================================================== Key code: 307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB6158E 35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3CFA9E8 4B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001 Configure Device B # Configure the host public key of Device A on Device B. In public key code view, input the host public key of Device A.
  • Page 486 In this example: RSA is used. The host public key of Device A is imported from the public key file to Device B. Because the file travels over FTP, which protects neither confidentiality nor integrity, compare the key code imported on Device B with the one displayed on Device A before relying on it. Figure 1-3 Network diagram for importing the public key of a peer from a public key file Configuration procedure Create key pairs on Device A and export the host public key # Create RSA key pairs on Device A.
  • Page 487 307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB6158E 35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3CFA9E8 4B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001 # Export the RSA host public key to a file named devicea.pub. [DeviceA] public-key local export rsa ssh2 devicea.pub [DeviceA] quit Enable the FTP server function on Device B # Enable the FTP server function, create an FTP user with the username ftp and password 123. <DeviceB>...
  • Page 488 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F985 4C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A78 4AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA 80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001...
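The two key codes printed in the examples above (SERVER_KEY on pages 485 and 487, the host key on page 488) are DER-encoded SubjectPublicKeyInfo structures, which is why the manual insists that a manually copied peer key be unconverted DER. The following Python, added here as an example and not taken from the manual or from Comware, decodes those exact hex strings into modulus and exponent, rejects anything that is not an rsaEncryption key or is truncated, and re-encodes the key as an OpenSSH public-key line so it can be compared with what a client or another device shows. The function names and the "h3c-host-key" comment string are the example's own choices.

```python
"""Decode the RSA key codes the switch prints and convert them to OpenSSH form.

Added example, not part of the H3C manual or of Comware. It assumes the key code
shown by the switch is a DER SubjectPublicKeyInfo (RFC 5280), which is what the
hex dumps in the manual's examples are.
"""
import base64
import struct

# Key codes copied verbatim from the manual's example output (SERVER_KEY and host key).
SERVER_KEY_HEX = (
    "307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB6158E"
    "35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3CFA9E8"
    "4B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001"
)
HOST_KEY_HEX = (
    "30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F985"
    "4C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A78"
    "4AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA"
    "80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001"
)
RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def parse_rsa_public_key(der):
    """Return (modulus, exponent) from a DER SubjectPublicKeyInfo; reject anything else."""
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)          # AlgorithmIdentifier
    oid_tag, oid, _ = _tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _tlv(spki, pos)         # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected BIT STRING")
    tag, rsa, _ = _tlv(bits, 1)
    if tag != 0x30:
        raise ValueError("RSAPublicKey is not a SEQUENCE")
    n_tag, n_bytes, pos = _tlv(rsa, 0)
    e_tag, e_bytes, _ = _tlv(rsa, pos)
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("modulus/exponent are not INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(i):
    # Positive mpint: big-endian, with a leading 0x00 when the high bit is set.
    return _ssh_string(i.to_bytes((i.bit_length() + 8) // 8, "big"))


def to_openssh(n, e, comment="h3c-host-key"):
    """Encode (n, e) as an OpenSSH public key line (RFC 4253 ssh-rsa blob)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def key_summary(hex_code):
    """Parse a key code as printed by the switch and report its size and OpenSSH form."""
    n, e = parse_rsa_public_key(bytes.fromhex(hex_code))
    return {"bits": n.bit_length(), "e": e, "openssh": to_openssh(n, e)}


if __name__ == "__main__":
    for name, code in (("SERVER_KEY", SERVER_KEY_HEX), ("HOST_KEY", HOST_KEY_HEX)):
        s = key_summary(code)
        print(f"{name}: RSA-{s['bits']} e={s['e']}")
        print(s["openssh"])
```

Running it reports RSA-768 for the server key and RSA-1024 for the host key, a reminder that the manual's examples use sizes well below today's 2048-bit floor. The conversion step is what lets you compare the key on both ends after an FTP-based import instead of trusting the transferred file blindly.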
  • Page 489 Table of Contents: 1 HABP Configuration (1-1); Introduction to HABP (1-1); Configuring HABP (1-2); Configuring the HABP Server (1-2); Configuring an HABP Client (1-2); Displaying and Maintaining HABP (1-3); HABP Configuration Example (1-3)...
  • Page 490: Habp Configuration

    HABP Configuration When configuring HABP, go to these sections for the information you are interested in: Introduction to HABP Configuring HABP Displaying and Maintaining HABP HABP Configuration Example Introduction to HABP The HW Authentication Bypass Protocol (HABP) is used to enable the downstream network devices of an 802.1X enabled access device to bypass 802.1X authentication.
  • Page 491: Configuring The Habp Server

    HABP is a link layer protocol that works above the MAC layer. It is built on the client-server model. Generally, the management device (such as Switch A in the above example) acts as the HABP server, and the attached switches (Switch B through Switch E in the example) function as the HABP clients.
  • Page 492: Displaying And Maintaining Habp

    Configure HABP to work in client mode: undo habp server (optional; HABP works in client mode by default). Displaying and Maintaining HABP: display habp, to display HABP configuration information (available in any view); display habp table, to display HABP MAC address table entries...
  • Page 493 # Configure the IP addresses of the involved interfaces. (Omitted) # Enable HABP. <SwitchA> system-view [SwitchA] habp enable # Configure HABP to work in server mode, allowing HABP packets to be transmitted in VLAN 2. [SwitchA] habp server vlan 2 # Set the interval to send HABP request packets to 50 seconds.
  • Page 494 Table of Contents: 1 ACL Overview (1-1); Introduction to ACL (1-1); ACL Classification (1-1); ACL Naming (1-1); ACL Match Order (1-2); ACL Step (1-3); Effective Period of an ACL (1-3); IP Fragments Filtering with ACL (1-4); ACL Application (1-4). 2 ACL Configuration (2-1); Creating a Time Range (2-1); Configuration Procedure (2-1); Configuring a Basic ACL (2-2); Configuration Prerequisites (2-2)...
  • Page 495: Acl Overview

    ACL Overview An access control list (ACL) is a set of rules (that is, a set of permit or deny statements) for identifying traffic based on matching criteria such as source address, destination address, and port number. The selected traffic will then be permitted or rejected by predefined security policies. ACLs are widely used in technologies where traffic identification is desired, such as packet filtering and QoS.
  • Page 496: Acl Match Order

    An ACL can have only one name. Whether to specify a name for an ACL is up to you. After creating an ACL, you cannot specify a name for it, nor can you change or remove its name. The name of an ACL must be unique among ACLs. ACL Match Order An ACL may consist of multiple rules, which specify different matching criteria.
  • Page 497: Acl Step

    In the auto (depth-first) match order, a rule with more zeros in its wildcard is more specific and is compared first. If the numbers of zeros in the source IP address wildcards are the same, look at the destination IP address wildcards and compare packets first against the rule configured with more zeros in the destination IP address wildcard. If the numbers of zeros in the destination IP address wildcards are also the same, look at the Layer 4 port number ranges, namely the TCP/UDP port number ranges.
  • Page 498: Ip Fragments Filtering With Acl

    A referenced time range can be one that has not been created yet. The rule, however, takes effect only after the time range is defined and becomes active. IP Fragments Filtering with ACL Traditional packet filtering matches only the first fragment of an IP datagram rather than all of its fragments; subsequent non-first fragments are then handled the same way as the first fragment. Because non-first fragments carry no Layer 4 header, a filter that inspects only first fragments can be evaded with crafted non-first fragments.
  • Page 499: Acl Configuration

    ACL Configuration When configuring an ACL, go to these sections for information you are interested in: Creating a Time Range Configuring a Basic ACL Configuring an Advanced ACL Configuring an Ethernet Frame Header ACL Copying an ACL Displaying and Maintaining ACLs Creating a Time Range Two types of time ranges are available: Periodic time range, which recurs periodically on the day or days of the week.
  • Page 500: Configuring A Basic Acl

    that is active from 12:00 to 14:00 on Wednesdays between January 1, 2004 00:00 and December 31, 2004 23:59, you may use the time-range test 12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59 12/31/2004 command. You may create several time ranges with the same name. They are treated as one time range whose active period is the OR of all its periodic entries, ANDed with the OR of all its absolute entries.
  • Page 501: Configuring An Advanced Acl

    You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same. You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
  • Page 502: Configuring An Ethernet Frame Header Acl

    Create or modify a rule: rule [ rule-id ] { deny | permit } protocol [ { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | destination { dest-addr dest-wildcard | any } | destination-port operator ... (required). To create or modify multiple...
  • Page 503: Configuration Prerequisites

    Configuration Prerequisites If you want to reference a time range in a rule, define it with the time-range command first. Configuration Procedure Follow these steps to configure an Ethernet frame header ACL: enter system view (system-view)...
  • Page 504: Copying An Acl

    You can modify the match order of an ACL with the acl number acl-number [ name acl-name ] match-order { auto | config } command, but only when the ACL does not contain any rules. The rule specified in the rule comment command must already exist. Copying an ACL This feature allows you to copy an existing ACL to generate a new one, which is of the same type and has the same match order, rules, rule numbering step and descriptions as the source ACL.
  • Page 505: Acl Application For Packet Filtering

    ACL Application for Packet Filtering When applying an ACL for packet filtering, go to these sections for information you are interested in: Filtering Ethernet Frames Filtering IPv4 Packets ACL Application Example You can apply an ACL to the inbound direction of an interface to filter received packets such as Ethernet frames and IPv4 packets.
  • Page 506 Figure 3-1 Network diagram for applying an ACL to an interface for filtering Configuration procedure # Create a time range named study, setting it to become active from 08:00 to 18:00 every day. <DeviceA> system-view [DeviceA] time-range study 8:00 to 18:00 daily # Create basic ACL 2009.
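The match-order rules on pages 496 and 497, the time-range merging rule on page 500 and the packet-filter example on page 506 together determine which rule decides a packet's fate. The Python below, added as an example and not code from the manual or from Comware, implements that logic: Comware wildcard masks (a 0 bit must match, a 1 bit is ignored), the auto (depth-first) ordering by zeros in the source wildcard, then zeros in the destination wildcard, then port-range width, with rule ID as an assumed tie-breaker, and time ranges that OR their periodic entries, OR their absolute entries and AND the two results. The rules, the packets and the undefined `missing` time range are constructed; `study` mirrors the manual's 08:00 to 18:00 daily range; treating an unmatched packet as permitted is an assumption.

```python
"""Comware-style ACL matching: wildcard masks, depth-first ordering, time ranges.

Added example, not code from the H3C manual or from Comware. The rules, packets
and time-range names are constructed for illustration; `study` mirrors the
manual's example (08:00 to 18:00 daily).
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Optional, Tuple

IPSpec = Tuple[str, str]  # (address, wildcard); wildcard bit 1 = don't care, as in Comware


def ip_matches(pkt_ip: str, spec: Optional[IPSpec]) -> bool:
    """Bits that are 0 in the wildcard must match; 'any' is spec None."""
    if spec is None:
        return True
    addr, wildcard = (int(IPv4Address(x)) for x in spec)
    return (int(IPv4Address(pkt_ip)) ^ addr) & ~wildcard & 0xFFFFFFFF == 0


def wildcard_zeros(spec: Optional[IPSpec]) -> int:
    """Number of zero bits in the wildcard; more zeros means a more specific rule."""
    if spec is None:
        return 0
    return 32 - bin(int(IPv4Address(spec[1]))).count("1")


@dataclass
class Rule:
    rule_id: int
    action: str                                 # "permit" or "deny"
    src: Optional[IPSpec] = None
    dst: Optional[IPSpec] = None
    dport: Optional[Tuple[int, int]] = None     # inclusive destination port range
    time_range: Optional[str] = None


@dataclass
class TimeRange:
    """Entries sharing a name merge: OR the periodic ones, OR the absolute ones, AND the two."""
    periodic: list = field(default_factory=list)   # (weekday set or None for daily, start, end)
    absolute: list = field(default_factory=list)   # (from_datetime, to_datetime)

    def active_at(self, now: datetime) -> bool:
        p_ok = not self.periodic or any(
            (days is None or now.weekday() in days) and start <= now.time() <= end
            for days, start, end in self.periodic)
        a_ok = not self.absolute or any(lo <= now <= hi for lo, hi in self.absolute)
        return p_ok and a_ok


def depth_first_key(r: Rule):
    """Auto match order: more source wildcard zeros first, then destination wildcard
    zeros, then the narrower Layer 4 port range, then rule ID (assumed tie-breaker)."""
    span = (r.dport[1] - r.dport[0]) if r.dport else 65535
    return (-wildcard_zeros(r.src), -wildcard_zeros(r.dst), span, r.rule_id)


def evaluate(rules, packet, time_ranges, now, match_order="auto", default="permit"):
    """Return the action of the first active matching rule.
    A rule whose time range is undefined is not yet in effect, as the manual says;
    an unmatched packet gets `default` (permit is an assumption)."""
    if match_order == "auto":
        ordered = sorted(rules, key=depth_first_key)
    else:                                           # config order: by rule ID
        ordered = sorted(rules, key=lambda r: r.rule_id)
    for r in ordered:
        if r.time_range is not None:
            tr = time_ranges.get(r.time_range)
            if tr is None or not tr.active_at(now):
                continue
        if not ip_matches(packet["src"], r.src) or not ip_matches(packet["dst"], r.dst):
            continue
        if r.dport and not (r.dport[0] <= packet.get("dport", 0) <= r.dport[1]):
            continue
        return r.action
    return default


# Constructed configuration: "study" is the manual's 08:00 to 18:00 daily range.
TIME_RANGES = {"study": TimeRange(periodic=[(None, time(8, 0), time(18, 0))])}
RULES = [
    Rule(0, "deny", src=("192.168.1.0", "0.0.0.255"), time_range="study"),    # subnet, study hours only
    Rule(5, "permit", src=("192.168.1.10", "0.0.0.0")),                        # one host, always
    Rule(10, "deny", src=("192.168.1.0", "0.0.0.255"), time_range="missing"),  # undefined range: no effect
]

if __name__ == "__main__":
    pkt = {"src": "192.168.1.10", "dst": "10.0.0.1", "dport": 80}
    noon = datetime(2009, 6, 25, 12, 0)
    print("auto:", evaluate(RULES, pkt, TIME_RANGES, noon))
    print("config:", evaluate(RULES, pkt, TIME_RANGES, noon, match_order="config"))
```

The instructive case is the host 192.168.1.10 during study hours: under auto order the host rule (32 wildcard zeros) is tested before the /24 deny rule and the packet is permitted, while under config order rule 0 is tested first and the packet is denied. Rule 10 never takes effect because its time range was never defined, exactly as the manual states.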
  • Page 507 Table of Contents: 1 Device Management (1-1); Device Management Overview (1-1); Device Management Configuration Task List (1-1); Configuring the Exception Handling Method (1-1); Rebooting a Device (1-2); Configuring the Scheduled Automatic Execution Function (1-3); Upgrading Device Software (1-4); Device Software Overview (1-4); Upgrading the Boot ROM Program Through Command Lines (1-4); Upgrading the Boot File Through Command Lines (1-5); Clearing the 16-bit Interface Indexes Not Used in the Current System (1-5)...
  • Page 508: Device Management Overview

    Device Management When configuring device management, go to these sections for information you are interested in: Device Management Overview Device Management Configuration Task List Configuring the Exception Handling Method Rebooting a Device Configuring the Scheduled Automatic Execution Function Upgrading Device Software Clearing the 16-bit Interface Indexes Not Used in the Current System Identifying and Diagnosing Pluggable Transceivers Displaying and Maintaining Device Management Configuration...
  • Page 509 Follow these steps to configure the exception handling method: To do… Use the command… Remarks Enter system view system-view — Optional Configure the exception system-failure { maintain | By default, the system adopts handling method reboot } the reboot method to handle exceptions.
  • Page 510: Configuring The Scheduled Automatic Execution Function

    Device reboot may result in the interruption of the ongoing services. Use these commands with caution. Before device reboot, use the save command to save the current configurations. For details about the save command, refer to File System Configuration. Before device reboot, use the commands of display startup and display boot-loader to check if the configuration file and boot file for the next boot are configured.
  • Page 511: Upgrading Device Software

    The system does not prompt for interactive input while it is executing the specified command. Where a confirmation would be required, the system automatically enters Y or Yes; where characters need to be entered, it automatically enters the default character string, or an empty string when there is no default.
  • Page 512: Upgrading The Boot File Through Command Lines

    Copy the Boot ROM program to the root directory of the device's storage medium using FTP or TFTP. Use a command to specify the Boot ROM program for the next boot. Reboot the device to make the specified Boot ROM program take effect. Follow these steps to upgrade the Boot ROM program: To do…...
  • Page 513: Identifying And Diagnosing Pluggable Transceivers

    To keep interface indexes stable, the system saves the 16-bit interface index when a logical interface is removed. If you repeatedly create and delete a large number of logical interfaces, the interface indexes will be used up, which results in interface creation failures.
  • Page 514: Identifying Pluggable Transceivers

    You can use the Vendor Name field in the output of the display transceiver command to identify an anti-spoofing pluggable transceiver customized by H3C. If the field is H3C, the transceiver is considered an H3C-customized pluggable transceiver.
  • Page 515: Device Management Configuration Examples

    Display the statistics of the CPU usage: display cpu-usage [ entry-number [ offset ] [ verbose ] [ from-device ] ] (available in any view). Display history statistics of the CPU usage in a chart: display cpu-usage history [ task task-id ]...
  • Page 516 Figure 1-2 Network diagram for remote scheduled automatic upgrade FTP Server 2.2.2.2/24 Internet Telnet FTP Client Device User 1.1.1.1/24 Configuration procedure Configuration on the FTP server (Note that configurations may vary with different types of servers) Set the access parameters for the FTP client (including enabling the FTP server function, setting the FTP username to aaa and password to hello, and setting the user to have access to the flash:/aaa directory).
  • Page 517 [ftp] get auto-update.txt # Download file new-config.cfg from the FTP server. [ftp] get new-config.cfg # Download file soft-version2.bin from the FTP server. [ftp] binary [ftp] get soft-version2.bin [ftp] bye <Device> # Rename auto-update.txt to auto-update.bat. <Device> rename auto-update.txt auto-update.bat To make sure the file is correct, use the more command to view its content.
  • Page 518 Table of Contents: 1 NTP Configuration (1-1); NTP Overview (1-1); Applications of NTP (1-1); Advantages of NTP (1-1); How NTP Works (1-2); NTP Message Format (1-3); Operation Modes of NTP (1-4); NTP Configuration Task List (1-6); Configuring the Operation Modes of NTP (1-6); Configuring NTP Client/Server Mode (1-7); Configuring the NTP Symmetric Peers Mode (1-8); Configuring NTP Broadcast Mode (1-9)...
  • Page 519: Ntp Overview

    NTP Configuration When configuring NTP, go to these sections for information you are interested in: NTP Overview NTP Configuration Task List Configuring the Operation Modes of NTP Configuring Optional Parameters of NTP Configuring Access-Control Rights Configuring NTP Authentication Displaying and Maintaining NTP NTP Configuration Examples NTP Overview Defined in RFC 1305, the Network Time Protocol (NTP) synchronizes timekeeping among distributed...
  • Page 520: How Ntp Works

    NTP can unicast, multicast or broadcast protocol messages. How NTP Works Figure 1-1 shows the basic workflow of NTP. Device A and Device B are interconnected over a network. They have their own independent system clocks, which need to be automatically synchronized through NTP.
  • Page 521: Ntp Message Format

    This is only a rough description of the work mechanism of NTP. For details, refer to RFC 1305. NTP Message Format NTP uses two types of messages, clock synchronization message and NTP control message. An NTP control message is used in environments where network management is needed. As it is not a must for clock synchronization, it will not be discussed in this document.
  • Page 522: Operation Modes Of Ntp

    Poll: 8-bit signed integer indicating the poll interval, namely the maximum interval between successive messages. Precision: an 8-bit signed integer indicating the precision of the local clock. Root Delay: roundtrip delay to the primary reference source. Root Dispersion: the maximum error of the local clock relative to the primary reference source. Reference Identifier: Identifier of the particular reference source.
  • Page 523 Figure 1-4 Symmetric peers mode A device working in the symmetric active mode periodically sends clock synchronization messages, with the Mode field in the message set to 1 (symmetric active); the device that receives this message automatically enters the symmetric passive mode and sends a reply, with the Mode field in the message set to 2 (symmetric passive).
  • Page 524: Ntp Configuration Task List

    Figure 1-6 Multicast mode. Server: periodically multicasts clock synchronization messages (Mode 5). Client: after receiving the first multicast message, the client sends a request, exchanges clock synchronization messages with the server (Mode 3 and Mode 4) to calculate the network delay between client and server, and enters the multicast client mode; the server then continues to periodically multicast clock...
  • Page 525: Configuring Ntp Client/Server Mode

    Client/server mode Symmetric mode Broadcast mode Multicast mode For the client/server mode or symmetric mode, you need to configure only clients or symmetric-active peers; for the broadcast or multicast mode, you need to configure both servers and clients. A single device can have a maximum of 128 associations at the same time, including static associations and dynamic associations.
  • Page 526: Configuring The Ntp Symmetric Peers Mode

    In the ntp-service unicast-server command, ip-address must be a unicast address, rather than a broadcast address, a multicast address or the IP address of the local clock. A device can act as a server to synchronize the clock of other devices only after its clock has been synchronized.
  • Page 527: Configuring Ntp Broadcast Mode

    Configuring NTP Broadcast Mode The broadcast server periodically sends NTP broadcast messages to the broadcast address 255.255.255.255. After receiving the messages, the device working in NTP broadcast client mode sends a reply and synchronizes its local clock. For devices working in the broadcast mode, you need to configure both the server and clients. Because an interface needs to be specified on the broadcast server for sending NTP broadcast messages and an interface also needs to be specified on each broadcast client for receiving broadcast messages, the NTP broadcast mode can be configured only in the specific interface view.
  • Page 528: Configuring Optional Parameters Of Ntp

    Configuring a multicast client: enter system view (system-view); enter the view of the interface used to receive NTP multicast messages (interface interface-type interface-number); configure the device to work in NTP multicast client mode (ntp-service multicast-client [ ip-address ], required). Configuring the multicast server: ...
  • Page 529: Disabling An Interface From Receiving Ntp Messages

    Specify the source interface for NTP messages: ntp-service source-interface interface-type interface-number (required). By default, no source interface is specified for NTP messages, and the system uses the IP address of the interface determined by the matching route as the source IP address of NTP messages.
  • Page 530: Configuring Access-Control Rights

    Configuring Access-Control Rights With the following command, you can configure the NTP service access-control right to the local device. There are four access-control rights, as follows: query: control query permitted. This level of right permits the peer devices to perform control query to the NTP service on the local device but does not permit a peer device to synchronize its clock to that of the local device.
  • Page 531: Configuring Ntp Authentication

    Configuring NTP Authentication The NTP authentication feature should be enabled for a system running NTP in a network where there is a high security demand. This feature enhances the network security by means of client-server key authentication, which prohibits a client from synchronizing with a device that has failed authentication. Configuration Prerequisites The configuration of NTP authentication involves configuration tasks to be implemented on the client and on the server.
  • Page 532 Associate the specified key with an NTP server. Client/server mode: ntp-service unicast-server { ip-address | server-name } authentication-keyid keyid (required). Symmetric peers mode: ... You can associate a non-existing key with an NTP server; to enable NTP authentication, however, you must configure the key and specify it as a trusted key after...
  • Page 533: Displaying And Maintaining Ntp

    The procedure of configuring NTP authentication on a server is the same as that on a client, and the same authentication key must be configured on both the server and client sides. Displaying and Maintaining NTP To do… Use the command… Remarks View the information of NTP display ntp-service status...
  • Page 534: Configuring The Ntp Symmetric Mode

    Root dispersion: 0.00 ms Peer dispersion: 0.00 ms Reference time: 00:00:00.000 UTC Jan 1 1900 (00000000.00000000) # Specify Device A as the NTP server of Device B so that Device B is synchronized to Device A. <DeviceB> system-view [DeviceB] ntp-service unicast-server 1.0.1.11 # View the NTP status of Device B after clock synchronization.
  • Page 535 Figure 1-8 Network diagram for NTP symmetric peers mode configuration Configuration procedure Configuration on Device B: # Specify Device A as the NTP server of Device B. <DeviceB> system-view [DeviceB] ntp-service unicast-server 3.0.1.31 View the NTP status of Device B after clock synchronization. [DeviceB] display ntp-service status Clock status: synchronized Clock stratum: 3...
  • Page 536: Configuring Ntp Broadcast Mode

    Actual frequency: 100.0000 Hz Clock precision: 2^18 Clock offset: -21.1982 ms Root delay: 15.00 ms Root dispersion: 775.15 ms Peer dispersion: 34.29 ms Reference time: 15:22:47.083 UTC Sep 19 2005 (C6D95647.153F7CED) As shown above, Device C has been synchronized to Device B; the clock stratum level of Device C is 4, while that of Device B is 3.
  • Page 537: Configuring Ntp Multicast Mode

    [SwitchC] interface vlan-interface 2 [SwitchC-Vlan-interface2] ntp-service broadcast-server Configuration on Switch D: # Configure Switch D to work in the broadcast client mode and receive broadcast messages on VLAN-interface 2. <SwitchD> system-view [SwitchD] interface vlan-interface 2 [SwitchD-Vlan-interface2] ntp-service broadcast-client Configuration on Switch A: # Configure Switch A to work in the broadcast client mode and receive broadcast messages on VLAN-interface 3.
  • Page 538 Switch C works in the multicast server mode and sends out multicast messages from VLAN-interface 2. Switch A and Switch D work in the multicast client mode and receive multicast messages through VLAN-interface 3 and VLAN-interface 2 respectively. In this example, Switch B is a Layer 3 switch and must support multicast. Figure 1-10 Network diagram for NTP multicast mode configuration Configuration procedure Configuration on Switch C:...
  • Page 539 Actual frequency: 100.0000 Hz Clock precision: 2^18 Clock offset: 0.0000 ms Root delay: 31.00 ms Root dispersion: 8.31 ms Peer dispersion: 34.30 ms Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02) As shown above, Switch D has been synchronized to Switch C, and the clock stratum level of Switch D is 3, while that of Switch C is 2.
  • Page 540: Configuring Ntp Client/Server Mode With Authentication

    Clock status: synchronized Clock stratum: 3 Reference clock ID: 3.0.1.31 Nominal frequency: 100.0000 Hz Actual frequency: 100.0000 Hz Clock precision: 2^18 Clock offset: 0.0000 ms Root delay: 40.00 ms Root dispersion: 10.83 ms Peer dispersion: 34.30 ms Reference time: 16:02:49.713 UTC Sep 19 2005 (C6D95F6F.B6872B02) As shown above, Switch A has been synchronized to Switch C, and the clock stratum level of Switch A is 3, while that of Switch C is 2.
  • Page 541: Configuring Ntp Broadcast Mode With Authentication

    # Specify Device A as the NTP server. [DeviceB] ntp-service unicast-server 1.0.1.11 authentication-keyid 42 Before Device B can synchronize its clock to that of Device A, you need to enable NTP authentication for Device A. Perform the following configuration on Device A: # Enable NTP authentication.
  • Page 542 Figure 1-12 Network diagram for configuration of NTP broadcast mode with authentication Configuration procedure Configuration on Switch C: # Configure NTP authentication. [SwitchC] ntp-service authentication enable [SwitchC] ntp-service authentication-keyid 88 authentication-mode md5 123456 [SwitchC] ntp-service reliable authentication-keyid 88 # Specify Switch C as an NTP broadcast server, and specify an authentication key. [SwitchC] interface vlan-interface 2 [SwitchC-Vlan-interface2] ntp-service broadcast-server authentication-keyid 88 Configuration on Switch D:...
  • Page 543 Clock offset: 0.0000 ms Root delay: 31.00 ms Root dispersion: 8.31 ms Peer dispersion: 34.30 ms Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02) As shown above, Switch D has been synchronized to Switch C, and the clock stratum level of Switch D is 4, while that of Switch C is 3.
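The header fields listed on page 522, the mode values on pages 523 and 524 and the key-based authentication on pages 531, 532, 541 and 542 can be exercised end to end. This Python, added as an example and not code from the manual or from Comware, packs and parses the 48-byte NTPv3 header (RFC 1305), converts the 64-bit reference time printed on page 536 (C6D95647.153F7CED) back to a date, and computes and verifies the NTP MAC, which is the 32-bit key ID followed by MD5 over the shared key concatenated with the header (RFC 1305 Appendix C). Key ID 88 with key 123456 is the manual's example pair; the client packet and the trusted-key set are constructed.

```python
"""NTPv3 header handling and MD5 authenticator.

Added example, not from the H3C manual or from Comware. Packet layout follows
RFC 1305; the MAC (key ID + MD5(key || header)) follows RFC 1305 Appendix C.
"""
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
MODES = {1: "symmetric active", 2: "symmetric passive", 3: "client",
         4: "server", 5: "broadcast"}
# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion,
# reference ID, then reference/originate/receive/transmit timestamps.
HEADER = struct.Struct("!BBbbIIIQQQQ")          # 48 bytes
MAC_LEN = 4 + 16                                # key ID + MD5 digest


def ntp_to_datetime(ts64: int) -> datetime:
    """Convert a 64-bit NTP timestamp (seconds.fraction since 1900-01-01) to UTC."""
    seconds, fraction = ts64 >> 32, ts64 & 0xFFFFFFFF
    micros = round(fraction * 1_000_000 / 2**32)
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=micros)


def build_header(mode: int, stratum: int = 0, poll: int = 6, precision: int = -18,
                 version: int = 3, transmit_ts: int = 0) -> bytes:
    """Pack a header; poll and precision are signed log2 values as the manual notes."""
    li_vn_mode = (0 << 6) | (version << 3) | mode      # leap indicator 0 = no warning
    return HEADER.pack(li_vn_mode, stratum, poll, precision, 0, 0, 0, 0, 0, 0, transmit_ts)


def parse_header(packet: bytes) -> dict:
    """Unpack the fields the manual lists; root delay/dispersion are 16.16 fixed point."""
    f = HEADER.unpack(packet[:HEADER.size])
    return {"leap": f[0] >> 6, "version": (f[0] >> 3) & 7,
            "mode": MODES.get(f[0] & 7, "reserved"), "stratum": f[1],
            "poll": f[2], "precision": f[3],
            "root_delay_s": f[4] / 65536, "root_dispersion_s": f[5] / 65536,
            "reference_id": f[6], "transmit": ntp_to_datetime(f[10])}


def authenticate(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the NTP MAC: 32-bit key ID, then MD5(key || header)."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify(packet: bytes, keys: dict, trusted: set) -> bool:
    """Accept only packets whose key ID is configured and trusted and whose digest matches."""
    if len(packet) != HEADER.size + MAC_LEN:
        return False
    header, mac = packet[:HEADER.size], packet[HEADER.size:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted or key_id not in keys:
        return False
    expected = hashlib.md5(keys[key_id] + header).digest()
    return hmac.compare_digest(expected, mac[4:])


if __name__ == "__main__":
    KEYS, TRUSTED = {88: b"123456"}, {88}            # the manual's example key
    req = authenticate(build_header(3, transmit_ts=0xC6D95647153F7CED), 88, KEYS[88])
    print(parse_header(req))
    print("valid:", verify(req, KEYS, TRUSTED))
```

verify() fails for an unknown key ID, for a key that is configured but not marked trusted (the manual's ntp-service reliable authentication-keyid step), and for any change to the header after signing. The MAC is a plain keyed MD5 prefix, not an HMAC, and it provides integrity and origin authentication only, so the shared key should be a long random string rather than the six digits used in the example.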
  • Page 544 Table of Contents: 1 SNMP Configuration (1-1); SNMP Overview (1-1); SNMP Mechanism (1-1); SNMP Protocol Version (1-2); MIB Overview (1-2); SNMP Configuration (1-3); Configuring SNMP Logging (1-5); Introduction to SNMP Logging (1-5); Enabling SNMP Logging (1-5); Configuring SNMP Trap (1-6); Enabling the Trap Function (1-6); Configuring Trap Parameters (1-7); Displaying and Maintaining SNMP (1-8); SNMPv1/SNMPv2c Configuration Example (1-8)...
  • Page 545: SNMP Configuration

    SNMP Configuration When configuring SNMP, go to these sections for information you are interested in: SNMP Overview SNMP Configuration Configuring SNMP Logging Configuring SNMP Trap Displaying and Maintaining SNMP SNMPv1/SNMPv2c Configuration Example SNMPv3 Configuration Example SNMP Logging Configuration Example SNMP Overview Simple Network Management Protocol (SNMP) offers the communication rules between a management device and the managed devices on the network;...
  • Page 546: SNMP Protocol Version

    Inform operation: The NMS sends traps to other NMSs through this operation. SNMP Protocol Version Currently, SNMP agents support SNMPv3 and are compatible with SNMPv1 and SNMPv2c. SNMPv1 uses community names for authentication, which defines the relationship between an SNMP NMS and an SNMP agent. SNMP packets with community names that did not pass the authentication on the device will simply be discarded.
  • Page 547: SNMP Configuration

    To do: Configure SNMP agent system information. Command syntax: { contact sys-contact | location sys-location | version { all | { v1 | v2c | v3 }* } }. The defaults are as follows: Hangzhou H3C Technologies Co., Ltd. for contact, Hangzhou China for location, and SNMP v3 for the version.
  • Page 548 To do: Configure SNMP agent system information. Command syntax: { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | all } }. The defaults are as follows: Hangzhou H3C Technologies Co., Ltd. for contact, Hangzhou China for location, and SNMP v3 for the version.
  • Page 549: Configuring SNMP Logging

    To do: Configure the maximum size of an SNMP packet that can be received or sent by an SNMP agent. Use the command: snmp-agent packet max-size byte-count. Remarks: Optional; 1,500 bytes by default. The validity of a USM user depends on the engine ID of the SNMP agent. If the engine ID generated when the USM user is created is not identical to the current engine ID, the USM user is invalid.
  • Page 550: Configuring SNMP Trap

    A large number of logs occupy storage space of the device, thus affecting the performance of the device. Therefore, it is recommended to disable SNMP logging. The size of SNMP logs cannot exceed that allowed by the information center, and the total length of the node field and value field of each log record cannot exceed 1K bytes;...
  • Page 551: Configuring Trap Parameters

    To enable an interface to send linkUp/linkDown traps when its state changes, you need to enable the trap function of interface state changes on an interface and globally. Use the enable snmp trap updown command to enable the trap function on an interface, and use the snmp-agent trap enable [ standard [ linkdown | linkup ] * ] command to enable this function globally.
  • Page 552: Displaying and Maintaining SNMP

    An extended linkUp/linkDown trap is the standard linkUp/linkDown trap (defined in RFC) appended with interface description and interface type information. If the extended messages are not supported on the NMS, disable this function to let the device send standard linkUp/linkDown traps. If the sending queue of traps is full, the system will automatically delete some oldest traps to receive new traps.
  • Page 553 Figure 1-3 Network diagram for SNMPv1/v2c Configuration procedure Configuring the SNMP agent # Configure the IP address of the agent as 1.1.1.1/24 and make sure that there is a route between the agent and the NMS. (The configuration procedure is omitted here) # Configure the SNMP basic information, including the version and community name.
  • Page 554: SNMPv3 Configuration Example

    SNMPv3 Configuration Example Network requirements As shown in Figure 1-4, the NMS connects to the agent through an Ethernet. The IP address of the NMS is 1.1.1.2/24. The IP address of the agent is 1.1.1.1/24. The NMS monitors and manages the interface status of the agent using SNMPv3. The agent reports errors or faults to the NMS.
  • Page 555: SNMP Logging Configuration Example

    The configurations on the agent and the NMS must match. Verify the configuration After the above configuration, an SNMP connection is established between the NMS and the agent. The NMS can get and configure the values of some parameters on the agent through MIB nodes. Execute the shutdown or undo shutdown command to an idle interface on the agent, and the NMS receives the corresponding trap.
  • Page 556 <Sysname> system-view [Sysname] info-center source snmp channel console log level informational # Enable SNMP logging on the agent to log the GET and SET operations of the NMS. [Sysname] snmp-agent log get-operation [Sysname] snmp-agent log set-operation The following log information is displayed on the terminal when the NMS performs the Get operation to the agent.
  • Page 557: MIB Style Configuration

    MIB style, the device sysOID is under the H3C’s enterprise ID 25506, and the private MIB is under the enterprise ID 2011. In the H3C new MIB style, both the device sysOID and the private MIB are under the H3C’s enterprise ID 25506. These two styles of MIBs implement the same management function except for their root nodes.
  • Page 558 Table of Contents: 1 RMON Configuration (1-1); RMON Overview (1-1); Introduction (1-1); Working Mechanism (1-2); RMON Groups (1-2); Configuring the RMON Statistics Function (1-3); Configuring the RMON Ethernet Statistics Function (1-4); Configuring the RMON History Statistics Function (1-4); Configuring the RMON Alarm Function (1-5); Configuration Prerequisites (1-5); Configuration Procedure (1-5); Displaying and Maintaining RMON (1-6)...
  • Page 559: RMON Configuration

    RMON Configuration When configuring RMON, go to these sections for information you are interested in: RMON Overview Configuring the RMON Statistics Function Configuring the RMON Alarm Function Displaying and Maintaining RMON RMON Configuration Example (Logging Information) RMON Configuration Example (Sending Traps) RMON Overview This section covers these topics: Introduction...
  • Page 560: Working Mechanism

    Among the RMON groups defined by RMON specifications (RFC 2819), the realized public MIB of the device supports the event group, alarm group, history group and statistics group. Besides, H3C also defines and implements the private alarm group, which enhances the functions of the alarm group. This section describes the five kinds of groups in general.
  • Page 561: Configuring the RMON Statistics Function

    If the value of a sampled alarm variable exceeds the same threshold multiple times in a row, only the first crossing causes an alarm event. That is, rising alarms and falling alarms alternate. Private alarm group The private alarm group calculates the values of alarm variables and compares the result with the defined threshold, thereby realizing a more comprehensive alarming function.
  • Page 562: Configuring the RMON Ethernet Statistics Function

    A statistics object of the Ethernet statistics group is a variable defined in the Ethernet statistics table, and the recorded content is a cumulative sum of the variable from the time the statistics entry is created to the current time. For detailed configuration, refer to Configuring the RMON Ethernet Statistics Function.
  • Page 563: Configuring the RMON Alarm Function

    The entry-number must be globally unique and cannot be used on another interface; otherwise, the operation fails. You can configure multiple history entries on one interface, but the values of the entry-number arguments must be different, and the values of the sampling-interval arguments must be different too;...
  • Page 564: Displaying and Maintaining RMON

    A new entry cannot be created if its parameters are identical with the corresponding parameters of an existing entry. Refer to Table 1-1 for the parameters to be compared for different entries. The system limits the total number of each type of entries (refer to Table 1-1 for the detailed numbers).
  • Page 565 RMON Configuration Example (Logging Information) Network requirements As shown in Figure 1-1, Agent is connected to a configuration terminal through its console port and to Server through Ethernet cables. Create an entry in the RMON Ethernet statistics table to gather statistics on GigabitEthernet 1/0/1, and enable logging after received bytes exceed the specified threshold.
  • Page 566: RMON Configuration Example (Sending Traps)

    [Sysname] display rmon alarm 1 Alarm table 1 owned by 1-rmon is VALID. Samples type : delta Variable formula : 1.3.6.1.2.1.16.1.1.1.4.1<etherStatsOctets.1> Sampling interval : 10(sec) Rising threshold : 1000(linked with event 1) Falling threshold : 100(linked with event 1) When startup enables : risingOrFallingAlarm Latest value : 2552...
  • Page 567 [Sysname-GigabitEthernet1/0/1] quit # Create an RMON alarm entry that when the delta sampling value of node 1.3.6.1.2.1.16.1.1.1.4.1 exceeds 100, event 1 is triggered to send traps; when the delta sampling value of the node is lower than 50, event 2 is triggered to send traps. [Sysname] rmon event 1 description rising trap router1 owner user1-rmon [Sysname] rmon event 2 description falling trap router1 owner user1-rmon [Sysname]...
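The alternating rising/falling rule from the alarm group description (Page 561) and the alarm entry configured above (delta sampling of etherStatsOctets.1, rising threshold 100 linked to event 1, falling threshold 50 linked to event 2), replayed over constructed counter readings. This is an added example written for this page, not code from the manual or from H3C; the counter readings and the class and function names are constructed.

```python
"""RMON alarm-group evaluation (RFC 2819 semantics as described on this page).

Models one alarm entry: a sampled variable, delta or absolute sampling, a rising and a
falling threshold each linked to an event, and the rule that rising and falling alarms
alternate, so crossing the same threshold twice in a row raises only one event.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Event = Tuple[str, int, int]  # (alarm kind, linked event number, sampled value)


@dataclass
class RmonAlarm:
    variable: str                     # OID of the sampled MIB object, e.g. etherStatsOctets.1
    rising_threshold: int
    falling_threshold: int
    rising_event: int                 # event entry triggered on a rising alarm
    falling_event: int                # event entry triggered on a falling alarm
    sample_type: str = "delta"        # "delta" or "absolute"
    startup: str = "risingOrFallingAlarm"   # which alarm the first sample may raise
    last_raw: Optional[int] = None    # previous raw reading (delta sampling only)
    state: Optional[str] = None       # None until first sample; then "above"/"below"/"between"
    latest_value: Optional[int] = None
    events: List[Event] = field(default_factory=list)

    def sample(self, raw: int) -> Optional[Event]:
        """Feed one raw reading of the variable; return the event raised, if any."""
        if self.sample_type == "delta":
            if self.last_raw is None:           # a delta needs two readings
                self.last_raw = raw
                return None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw
        self.latest_value = value
        return self._evaluate(value)

    def _fire(self, kind: str, value: int) -> Event:
        number = self.rising_event if kind == "rising" else self.falling_event
        ev = (kind, number, value)
        self.events.append(ev)
        return ev

    def _evaluate(self, value: int) -> Optional[Event]:
        above = value >= self.rising_threshold
        below = value <= self.falling_threshold
        if self.state is None:
            # First sample: the startup setting decides whether it may raise an event.
            self.state = "above" if above else "below" if below else "between"
            if above and self.startup in ("risingAlarm", "risingOrFallingAlarm"):
                return self._fire("rising", value)
            if below and self.startup in ("fallingAlarm", "risingOrFallingAlarm"):
                return self._fire("falling", value)
            return None
        # Alternation: a rising alarm re-arms only after a falling alarm, and vice versa.
        # A value between the thresholds leaves the state untouched (hysteresis).
        if above and self.state != "above":
            self.state = "above"
            return self._fire("rising", value)
        if below and self.state != "below":
            self.state = "below"
            return self._fire("falling", value)
        return None


def run_alarm(readings: List[int], sample_type: str = "delta",
              startup: str = "risingOrFallingAlarm") -> List[Event]:
    """Replay counter readings (one per sampling interval) through the page's alarm entry:
    etherStatsOctets.1, rising 100 -> event 1, falling 50 -> event 2."""
    alarm = RmonAlarm(variable="1.3.6.1.2.1.16.1.1.1.4.1", rising_threshold=100,
                      falling_threshold=50, rising_event=1, falling_event=2,
                      sample_type=sample_type, startup=startup)
    for raw in readings:
        alarm.sample(raw)
    return alarm.events


if __name__ == "__main__":
    # Constructed cumulative etherStatsOctets readings taken every 10 seconds.
    # Deltas 500, 700, 700, 50, 550: only the first crossing above 100 raises event 1;
    # the next rising alarm needs a falling alarm (delta <= 50) in between.
    for kind, number, value in run_alarm([0, 500, 1200, 1900, 1950, 2500]):
        print(f"{kind} alarm: event {number} triggered (sampled value {value})")
```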
  • Page 568 Table of Contents: 1 File System Management (1-1); File System (1-1); File System Overview (1-1); Filename Formats (1-1); Directory Operations (1-2); Displaying Directory Information (1-2); Displaying the Current Working Directory (1-2); Changing the Current Working Directory (1-2); Creating a Directory (1-2); Removing a Directory (1-2); File Operations (1-3); Displaying File Information (1-3); Displaying the Contents of a File (1-3)...
  • Page 569 Backing Up the Startup Configuration File (2-7); Deleting the Startup Configuration File for the Next Startup (2-8); Restoring the Startup Configuration File (2-9); Displaying and Maintaining Device Configuration (2-9)...
  • Page 570: File System Management

    File System Management When managing a file system, go to these sections for information you are interested in: File System Directory Operations File Operations Batch Operations Storage Medium Operations Setting File System Prompt Modes File System Operations Example File System File System Overview A major function of the file system is to manage storage media.
  • Page 571: Displaying Directory Information

    Directory Operations Directory operations include creating/removing a directory, displaying the current working directory, displaying the specified directory or file information, and so on. Displaying Directory Information To do: Display directory or file information. Use the command: dir [ /all ] [ file-url ]. Remarks: Required; available in user view. Displaying the Current Working Directory...
  • Page 572: File Operations

    The directory to be removed must be empty, meaning that before you remove a directory, you must delete all the files and subdirectories under this directory. For file deletion, refer to the delete command; for subdirectory deletion, refer to the rmdir command. After you execute the rmdir command successfully, the files in the recycle bin under the directory will be automatically deleted.
  • Page 573: Copying A File

    Copying a File To do: Copy a file. Use the command: copy fileurl-source fileurl-dest. Remarks: Required; available in user view. Moving a File To do: Move a file. Use the command: move fileurl-source fileurl-dest. Remarks: Required; available in user view. Deleting a File To do…...
  • Page 574: Emptying the Recycle Bin

    Emptying the Recycle Bin To do: Enter the original working directory of the file to be deleted. Use the command: cd { directory | .. | / }. Remarks: Optional; if the original directory of the file to be deleted is not the current working directory, this command is required.
  • Page 575: Displaying and Maintaining the NAND Flash Memory

    To do: Restore the space of a storage medium. Use the command: fixdisk device. Remarks: Optional; available in user view. To do: Format a storage medium. Use the command: format device. Remarks: Optional; available in user view. When you format a storage medium, all the files stored on it are erased and cannot be restored. In particular, if there is a startup configuration file on the storage medium, formatting the storage medium results in loss of the startup configuration file.
  • Page 576: Setting File System Prompt Modes

    To do: Display data on the specified physical page. Use the command: display nandflash page-data page-value. Setting File System Prompt Modes The file system provides the following two prompt modes: alert: In this mode, the system warns you about operations that may bring undesirable consequences such as file corruption or data loss.
  • Page 577 # Return to the upper directory. <Sysname> cd .. # Display the current working directory. <Sysname> pwd flash:...
  • Page 578: Configuration File Management

    Configuration File Management The device provides the configuration file management function with a user-friendly command line interface (CLI) for you to manage the configuration files conveniently. This section covers these topics: Configuration File Overview Saving the Current Configuration Setting Configuration Rollback Specifying a Startup Configuration File for the Next System Startup Backing Up the Startup Configuration File Deleting the Startup Configuration File...
  • Page 579: Coexistence of Multiple Configuration Files

    Coexistence of Multiple Configuration Files Multiple configuration files can be stored on a storage medium of a device. You can save the configuration used in different environments as different configuration files. In this case, when the device moves between these networking environments, you just need to specify the corresponding configuration file as the startup configuration file for the next boot of the device and restart the device, so that the device can adapt to the network rapidly, saving the configuration workload.
  • Page 580: Setting Configuration Rollback

    Safe mode. This is the mode when you use the save command with the safely keyword. The mode saves the file more slowly but can retain the configuration file in the device even if the device reboots or the power fails during the process. The fast saving mode is suitable for environments where power supply is stable.
  • Page 581: Configuration Task List

    The application environment has changed and the device has to run in a configuration state based on a previous configuration file without being rebooted. Set configuration rollback following these steps: Specify the filename prefix and path for saving the current configuration. Save the current running configuration with the specified filename (filename prefix + serial number) to the specified path.
  • Page 582: Saving The Current Running Configuration Automatically

    The number of saved configuration files has an upper limit. After the maximum number of files is saved, the system deletes the oldest files when the next configuration file is saved. Follow these steps to configure parameters for saving the current running configuration: To do…...
  • Page 583: Saving The Current Running Configuration Manually

    To do: Enable the automatic saving of the current running configuration, and set the interval. Use the command: archive configuration interval minutes. Remarks: Optional; disabled by default. The path and filename prefix of a saved configuration file must be specified before you configure the automatic saving period.
  • Page 584: Specifying A Startup Configuration File For The Next System Startup

    Do not unplug and plug during configuration rollback (that is, the system is executing the configuration replace file command). In addition, configuration rollback may fail if one of the following situations is present (if a command cannot be rolled back, the system skips it and processes the next one): The complete undo form of a command is not supported, namely, you cannot get the actual undo form of the command by simply putting the keyword undo in front of the command, so the complete undo form of the command cannot be recognized by the device.
  • Page 585: Deleting The Startup Configuration File For The Next Startup

    The backup operation backs up the startup configuration file to the TFTP server for devices supporting main/backup startup configuration files. Follow the step below to back up the startup configuration file to be used at the next system startup: To do… Use the command…...
  • Page 586: Restoring The Startup Configuration File

    This command will permanently delete the configuration file from the device. Use it with caution. Restoring the Startup Configuration File The restore function allows you to copy a configuration file from a TFTP server to the device and specify the file as the startup configuration file to be used at the next system startup. Follow the step below to restore the startup configuration file to be used at the next system startup: To do…...
  • Page 587 To do: Display the current configuration. Use the command: display current-configuration [ [ configuration [ configuration ] | interface [ interface-type ] [ interface-number ] ] [ by-linenum ] [ | { begin | include | exclude } text ] ]. Remarks: Available in any view.
  • Page 588 Table of Contents: 1 System Maintaining and Debugging (1-1); System Maintaining and Debugging (1-1); Ping (1-1); Introduction (1-1); Configuring Ping (1-1); Ping Configuration Example (1-2); Tracert (1-4); Introduction (1-4); Configuring Tracert (1-4); System Debugging (1-5); Introduction to System Debugging (1-5); Configuring System Debugging (1-6); Ping and Tracert Configuration Example (1-6)...
  • Page 589: System Maintaining And Debugging

    System Maintaining and Debugging When maintaining and debugging the system, go to these sections for information you are interested in: System Maintaining and Debugging Ping Tracert System Debugging Ping and Tracert Configuration Example System Maintaining and Debugging You can use the ping command and the tracert command to verify the current network connectivity, and use the debug command to enable debugging and thus to diagnose system faults based on the debugging information.
  • Page 590: Ping Configuration Example

    For a low-speed network, it is recommended to set a larger value for the timeout timer (indicated by the -t parameter in the command) when configuring the ping command. Only the directly connected segment address can be pinged if the outgoing interface is specified with the -i argument. Ping Configuration Example Network requirements...
  • Page 591 PING 1.1.2.2: 56 data bytes, press CTRL_C to break Reply from 1.1.2.2: bytes=56 Sequence=1 ttl=254 time=53 ms Record Route: 1.1.2.1 1.1.2.2 1.1.1.2 1.1.1.1 Reply from 1.1.2.2: bytes=56 Sequence=2 ttl=254 time=1 ms Record Route: 1.1.2.1 1.1.2.2 1.1.1.2 1.1.1.1 Reply from 1.1.2.2: bytes=56 Sequence=3 ttl=254 time=1 ms Record Route: 1.1.2.1 1.1.2.2...
  • Page 592: Tracert

    Upon receiving the reply, the source device adds the IP address (1.1.1.1) of its inbound interface to the RR option. Finally, you can get the detailed information of routes from Device A to Device C: 1.1.1.1 <-> {1.1.1.2; 1.1.2.1} <-> 1.1.2.2. Tracert Introduction By using the tracert command, you can trace the Layer 3 devices involved in delivering an IP packet...
  • Page 593: System Debugging

    To do: Enable sending of ICMP timeout packets. Use the command: ip ttl-expires enable. Remarks: Required; disabled by default. To do: Enable sending of ICMP destination unreachable packets. Use the command: ip unreachables enable. Remarks: Required; disabled by default. To do: Display the routes from source to ... Remarks: Required. Use the command: tracert [ -a source-ip | -f first-ttl | -m max-ttl | -p port | -q packet-number | -w timeout ] *...
  • Page 594: Configuring System Debugging

    Configuring System Debugging Output of the debugging information may reduce system efficiency. The debugging commands are usually used by administrators in diagnosing network failure. After completing the debugging, disable the corresponding debugging function, or use the undo debugging all command to disable all the debugging functions.
  • Page 595 Figure 1-4 Ping and tracert network diagram Configuration procedure # Use the ping command to display whether an available route exists between Device A and Device C. <DeviceA> ping 1.1.2.2 PING 1.1.2.2: 56 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out...
  • Page 596 Table of Contents: 1 Basic Configurations (1-1); Configuration Display (1-1); Basic Configurations (1-2); Entering System View (1-2); Exiting the Current View (1-2); Exiting to User View (1-2); Configuring the Device Name (1-3); Configuring the System Clock (1-3); Enabling/Disabling the Display of Copyright Information (1-6); Configuring a Banner (1-7); Configuring CLI Hotkeys (1-8); Configuring User Privilege Levels and Command Levels (1-9)...
  • Page 597: Basic Configurations

    Basic Configurations While performing basic configurations of the system, go to these sections for information you are interested in: Configuration Display Basic Configurations CLI Features Configuration Display To avoid duplicate configuration, you can use the display commands to view the current configuration of the device before configuring the device.
  • Page 598: Basic Configurations

    Basic Configurations This section covers the following topics: Entering System View Configuring the Device Name Configuring the System Clock Enabling/Disabling the Display of Copyright Information Configuring a Banner Configuring CLI Hotkeys Configuring User Privilege Levels and Command Levels Displaying and Maintaining Basic Configurations Entering System View After you log in to the device, you will automatically enter user view.
  • Page 599: Configuring The Device Name

    To do: Configure the device name. Use the command: sysname sysname. Remarks: Optional; the device name is H3C by default. Configuring the System Clock Configuring the system clock The system clock, displayed by system time stamp, is decided by the configured relative time, time zone, and daylight saving time.
  • Page 600 displayed in the ways shown in Table 1-1. The meanings of the parameters in the configuration column are as follows: 1 indicates date-time has been configured with the clock datetime command. 2 indicates time-zone has been configured with the clock timezone command and the offset time is zone-offset.
  • Page 601 Table columns: Configuration; Example; System clock displayed by the display clock command. Example: Configure: clock datetime 8:00 2007/1/1 and clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2. If date-time is in the daylight saving time range, “date-time” + “summer-offset” is displayed. Display: 10:00:00 ss Mon 01/01/2007. Configure: clock summer-time ss one-off 1:00 2007/1/1 1:00...
  • Page 602 The copyright information will not be displayed under other circumstances. The display format of copyright information is as shown below: **************************************************************************** * Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd. All rights reserved.* * Without the owner's prior written consent, * no decompiling or reverse-engineering shall be allowed.
  • Page 603: Configuring A Banner

    Configuring a Banner Introduction to banners Banners are prompt information displayed by the system when users are connected to the device, perform login authentication, and start interactive configuration. The administrator can set corresponding banners as needed. At present, the system supports the following five kinds of welcome information. shell banner, also called session banner.
  • Page 604: Configuring CLI Hotkeys

    To do: Configure the authorization information before login. Use the command: header legal text. Remarks: Optional. To do: Configure the banner to be displayed when a user enters user view (non-Modem login users). Use the command: header shell text. Remarks: Optional. To do: Configure the banner to be displayed before login. Use the command: header motd text. Remarks: Optional...
  • Page 605: Configuring User Privilege Levels And Command Levels

    Hotkey and function: Ctrl+N: Displays the next command in the history command buffer. Ctrl+P: Displays the previous command in the history command buffer. Ctrl+R: Redisplays the current line information. Ctrl+V: Pastes the content in the clipboard. Ctrl+W: Deletes all the characters in a continuous string to the left of the cursor.
  • Page 606 Table 1-3 Default command levels (columns: Level; Privilege; Description). Privilege Visit: Involves commands for network diagnosis and commands for accessing an external device. Commands at this level are not allowed to be saved after being configured. After the device is restarted, the commands at this level will be restored to the default settings.
  • Page 607 To do: Configure the user level (using local authentication). Use the command: use the local-user command to create a local user and enter local user view; then use either approach: use the level keyword in the authorization-attribute command... Remarks: For local authentication, if you do not configure the user level, the user level is 0, that is, users of this level...
  • Page 608 Follow these steps to configure the user privilege level under a user interface (SSH publickey authentication type): To do: Configure the authentication... Remarks: Required if users adopt the SSH login mode, and only username, instead of password, is needed at authentication.
  • Page 609 Perform no authentication to the users telnetting to the device, and specify the user privilege level as 1. (This configuration brings potential security problems. Therefore, it is recommended to use it only in a lab environment.) <Sysname> system-view [Sysname] user-interface vty 0 4 [Sysname-ui-vty0-4] authentication-mode none [Sysname-ui-vty0-4] user privilege level 1 By default, when users telnet to the device, they can only use the following commands after passing the...
  • Page 610 log in to the device through Telnet, they need to input password 123, and then they can use commands of levels 0, 1, and 2. Switching user privilege level Users can switch their user privilege level temporarily without logging out and disconnecting the current connection;...
  • Page 611: Displaying And Maintaining Basic Configurations

    Modifying command level. All commands in a view default to the levels shown in Table 1-3. The administrator can modify a command's level to suit users' needs, either so that lower-level users can use commands of a higher level, or to improve device security. Follow these steps to modify the command level: To do…...
  • Page 612: CLI Features

    For the detailed description of the display users command, refer to Login Commands. The display commands discussed above apply to the global configuration. Refer to the corresponding section for the display command of a specific protocol or interface. CLI Features This section covers the following topics: Introduction to CLI Online Help with Command Lines Synchronous Information Output...
  • Page 613
    <Sysname> ?
    User view commands:
    backup          Backup next startup-configuration file to TFTP server
    boot-loader     Set boot loader
    bootrom         Update/read/backup/restore bootrom
                    Change current directory
    clock           Specify the system clock
    cluster         Run cluster command
    copy            Copy from one file to another
    debugging       Enable system debugging functions
    delete          Delete a file...
  • Page 614: Synchronous Information Output

    Synchronous Information Output. With synchronous information output, if the user's input is interrupted by system output, then once the system output completes, the system redisplays the command line prompt and the input entered so far, so that you can continue from where you were interrupted. Use the info-center synchronous command to enable synchronous information output.
  • Page 615: CLI Display

    When editing the command line, you can use other shortcut keys (For details, see Table 1-2) besides the shortcut keys defined in Table 1-4, or you can define shortcut keys by yourself. (For details, see Configuring CLI Hotkeys.) CLI Display With the output information filtering function, you can quickly find the information you are interested in.
  • Page 616 Character / Meaning / Remarks: | (vertical bar): used to match the whole string on the left or right of it. For example, “def|int” can only match a character string containing “def” or “int”. _ (underline): if it is at the beginning or the end of a ... For example, “a_b”...
  • Page 617 Character / Meaning / Remarks: \bcharacter2: used to match character1character2, where character1 can be any character except a number, letter or underline, and \b equals ... For example, \ba can match -a, with - representing character1 and a representing character2; while \ba cannot match “2a” or “ba”.
  • Page 618: Saving Commands In The History Buffer

    When the information displayed exceeds one screen, you can pause using one of the methods shown in Table 1-6.
    Table 1-6 Display functions (Action / Function):
    Press Space when information display pauses: Continues to display information of the next screen page.
    Press Enter when information display pauses: Continues to display information of the next line.
  • Page 619: Command Line Error Information

    You may use arrow keys to access history commands in Windows 200X and XP Terminal or Telnet. However, the up-arrow and down-arrow keys are invalid in Windows 9X HyperTerminal, because they are defined in a different way. You can press Ctrl+P or Ctrl+N instead. Command Line Error Information The commands are executed only if they have no syntax error.
  • Page 620 Table of Contents: 1 Information Center Configuration 1-1; Information Center Overview 1-1; Introduction to Information Center 1-1; Classification of System Information 1-2; Eight Levels of System Information 1-2; Seven Output Destinations and Ten Channels of System Information 1-3; Outputting System Information by Source Module 1-4; Default Output Rules of System Information 1-4; System Information Format 1-5; Configuring Information Center 1-7...
  • Page 621: Information Center Configuration

    Information Center Configuration When configuring information center, go to these sections for information you are interested in: Information Center Configuration Configuring Information Center Displaying and Maintaining Information Center Information Center Configuration Examples Information Center Overview Introduction to Information Center Acting as the system information hub, information center classifies and manages system information, offering a powerful support for network administrators and developers in monitoring network performance and diagnosing network problems.
  • Page 622: Classification Of System Information

    Figure 1-1 Information center diagram (default): log, trap and debug information is routed through the information channels (console, monitor, loghost, trapbuffer, logbuffer, snmpagent, channel6, channel7, channel8, channel9) to the output destinations (console, monitor terminal, log host, trap buffer, log buffer, SNMP agent, syslog). By default, the information center is enabled. An enabled information center affects the system performance to some degree, due to information classification and output.
  • Page 623: Seven Output Destinations And Ten Channels Of System Information

    Table 1-1 Severity description (Severity / Severity value / Description):
    Emergency: The system is unusable.
    Alert: Action must be taken immediately.
    Critical: Critical conditions.
    Error: Error conditions.
    Warning: Warning conditions.
    Notice: Normal but significant condition.
    Informational: Informational messages.
    Debug: Debug-level messages.
    Seven Output Destinations and Ten Channels of System Information. The system supports seven information output destinations, including the console, monitor terminal (monitor), log buffer, log host, trap buffer, SNMP module and Web interface (syslog).
  • Page 624: Outputting System Information By Source Module

    Information channel name / Default channel number / Default output destination / Description: ... debugging information. channel9 / Not specified: receives log, trap, and debugging information. Configurations for the seven output destinations function independently and take effect only after the information center is enabled. Outputting System Information by Source Module. The system is composed of a variety of protocol modules, board drivers, and configuration modules.
  • Page 625: System Information Format

    Default output rules (Output destination / Modules allowed / LOG enabled-disabled and severity / TRAP enabled-disabled and severity / DEBUG enabled-disabled and severity):
    Log host / default (all modules) / LOG enabled, Informational / TRAP enabled, Debug / DEBUG disabled, Debug.
    Trap buffer / default (all modules) / LOG disabled, Informational / TRAP enabled, Warning / DEBUG disabled, Debug.
    Log buffer / default (all modules) / LOG enabled, Warning...
  • Page 626 Int_16 (priority) The priority is calculated using the following formula: facility*8+severity, in which facility represents the logging facility name and can be configured when you set the log host parameters. The facility ranges from local0 to local7 (16 to 23 in decimal integers) and defaults to local7. The facility is mainly used to mark different log sources on the log host, query and filter the logs of the corresponding log source.
  • Page 627: Configuring Information Center

    If the timestamp starts with a *, the information is debugging information source This field indicates the source of the information, such as the source IP address of the log sender. This field is optional and is displayed only when the output destination is the log host. content This field provides the content of the system information.
  • Page 628: Outputting System Information To A Monitor Terminal

    To do… Use the command… Remarks: (end of the preceding command syntax: state } * ] *) Configure the format of the time stamp: info-center timestamp { debugging | log | trap } { boot | date | none }. Optional; the time stamp format for log, trap and debugging information is date by default.
  • Page 629: Outputting System Information To A Log Host

    To do… Use the command… Remarks: (end of the preceding command syntax: channel-name } [ debug { level severity | state state } * | log { level severity | state state } * | trap { level severity | state state } * ] *) Optional; refer to Default Output Rules of System Information. Configure the format of the time stamp: info-center timestamp...
  • Page 630: Outputting System Information To The Trap Buffer

    To do… Use the command… Remarks: ... argument should be the same as the value configured on the log host; otherwise, the log host cannot receive system information. Configure the output rules of system information: info-center source { module-name | default } channel { channel-number | channel-name } [ debug { level ... Optional; refer to Default Output Rules...
  • Page 631: Outputting System Information To The Log Buffer

    To do… Use the command… Remarks: (end of the preceding command syntax: channel-name } [ debug { level severity | state state } * | log { level severity | state state } * | trap { level severity | state state } * ] *) Optional; refer to Default Output Rules of System Information. Configure the format of the time stamp: info-center timestamp...
  • Page 632: Outputting System Information To The SNMP Module

    Outputting System Information to the SNMP Module The SNMP module receives the trap information only, and discards the log and debugging information even if you have configured to output them to the SNMP module. To monitor the device running status, trap information is usually sent to the SNMP network management station (NMS).
  • Page 633: Configuring Synchronous Information Output

    Use this feature to control whether to output system information to the Web interface and which system information can be output to the Web interface. The Web interface provides abundant search and sorting functions, therefore, if you configure to output the system information to the Web interface, you can view system information by clicking corresponding tabs after logging in to the device through the Web interface.
  • Page 634: Disabling A Port From Generating Link Up/Down Logging Information

    Follow these steps to enable synchronous information output (To do… / Use the command… / Remarks):
    Enter system view: system-view — 
    Enable synchronous information output: info-center synchronous — Required; disabled by default.
    If system information, such as log information, is output before you input any information under the current command line prompt, the system will not display the command line prompt after the system information output.
  • Page 635: Displaying And Maintaining Information Center

    Displaying and Maintaining Information Center (To do… / Use the command… / Remarks):
    Display information about information channels: display channel [ channel-number | channel-name ] — Available in any view.
    Display the information of each output destination: display info-center — Available in any view.
    Display the state of the log buffer: display logbuffer [ reverse ] [ level severity | size...
  • Page 636
    # Specify the host with IP address 1.2.0.1/16 as the log host, use channel loghost to output log information (optional, loghost by default), and use local4 as the logging facility.
    [Sysname] info-center loghost 1.2.0.1 channel loghost facility local4
    # Disable the output of log, trap, and debugging information of all modules on channel loghost.
    [Sysname] info-center source default channel loghost debug state off log state off trap state
    As the default system configurations for different channels are different, you need to disable the output of log, trap, and debugging information of all modules on the specified channel (loghost in this example)
  • Page 637: Outputting Log Information To A Linux Log Host

    Be aware of the following issues while editing file /etc/syslog.conf: Comments must be on a separate line and begin with the # sign. No redundant spaces are allowed after the file name. The logging facility name and the information level specified in the /etc/syslog.conf file must be identical to those configured on the device using the info-center loghost and info-center source commands;...
  • Page 638 As the default system configurations for different channels are different, you need to disable the output of log, trap, and debugging information of all modules on the specified channel (loghost in this example) first and then configure the output rule as needed so that unnecessary information will not be output. # Configure the information output rule: allow log information of all modules with severity equal to or higher than informational to be output to the log host.
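The priority field described on page 626 (facility*8+severity, facility local0 to local7 being 16 to 23, default local7) is what a log host such as the Linux syslogd on page 637 uses to match a /etc/syslog.conf selector, which is why the manual insists that the facility and level configured with info-center loghost and info-center source must match the log host. The following is an added example, not code from the H3C manual: it encodes and decodes the priority, parses a constructed log line, and reproduces the selector match so the effect of a facility mismatch (device left at local7 while the host expects local4) is visible. Severity numbers 0 to 7 are assumed to follow the standard syslog order (Emergency = 0 through Debug = 7); the sample log lines and the helper names are constructed for this example.

```python
"""Syslog PRI arithmetic for system information sent from an information center to a log host.

Added example, not code from the H3C manual. Facility numbers follow the manual
(local0..local7 = 16..23, default local7); severity numbers 0..7 are assumed to be
the standard syslog order. Sample lines are constructed.
"""
import re

# Severity names in the order of Table 1-1; index == standard syslog severity value.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

# Logging facilities selectable with "info-center loghost ... facility localN".
LOCAL_FACILITIES = {"local%d" % i: 16 + i for i in range(8)}   # local0..local7 -> 16..23
FACILITY_NAMES = {v: k for k, v in LOCAL_FACILITIES.items()}


def encode_pri(facility, severity):
    """PRI = facility*8 + severity, the formula the manual gives for the priority field."""
    return LOCAL_FACILITIES[facility] * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    """Invert the formula: facility = pri // 8, severity = pri % 8."""
    facility_num, severity_num = divmod(pri, 8)
    facility = FACILITY_NAMES.get(facility_num, "facility%d" % facility_num)
    return facility, SEVERITIES[severity_num]


# A syslog line starts with the priority in angle brackets, e.g. "<166>...".
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_line(line):
    """Split a received line into priority, facility, severity and the remaining text."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("line does not start with a <PRI> field")
    pri = int(m.group(1))
    if pri > 191:                      # facilities run 0..23, so PRI is at most 23*8+7
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": facility, "severity": severity, "message": m.group(2)}


def selector_accepts(line, facility, min_severity):
    """Mimic a syslog.conf selector such as 'local4.info': the facility must match and the
    severity must be at least as urgent (numerically <=) as the selector's level."""
    rec = parse_line(line)
    return (rec["facility"] == facility
            and SEVERITIES.index(rec["severity"]) <= SEVERITIES.index(min_severity))


# Constructed sample lines: an informational log from a device configured with facility
# local4 (as in the manual's example), the same log from a device left at the default local7,
# and a debug message from the local4 device.
SAMPLE_LOCAL4_INFO = "<166>Jun 25 10:00:00 2009 Sysname constructed informational log"
SAMPLE_LOCAL7_INFO = "<190>Jun 25 10:00:00 2009 Sysname constructed informational log"
SAMPLE_LOCAL4_DEBUG = "<167>Jun 25 10:00:01 2009 Sysname constructed debug message"


def demo():
    """Show which constructed lines a 'local4.info' selector would write to its log file."""
    results = {}
    for name, line in [("local4/info", SAMPLE_LOCAL4_INFO),
                       ("local7/info", SAMPLE_LOCAL7_INFO),
                       ("local4/debug", SAMPLE_LOCAL4_DEBUG)]:
        results[name] = selector_accepts(line, "local4", "informational")
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print("%-12s %s" % (name, "written to log file" if accepted else "dropped"))
```

Only the local4/informational line is accepted: the local7 line is dropped because the facility does not match the selector, and the debug line is dropped because its severity (7) is less urgent than informational (6), which is exactly the matching behaviour the manual's "must be identical" note on page 637 warns about.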
  • Page 639: Outputting Log Information To The Console

    Ensure that the syslogd process is started with the -r option on a Linux log host. After the above configurations, the system will be able to record log information into the log file. Outputting Log Information to the Console Network requirements Log information with a severity higher than informational will be output to the console;...
  • Page 640
    <Sysname> terminal monitor
    Info: Current terminal monitor is on.
    <Sysname> terminal logging
    Info: Current terminal logging is on.
    After the above configuration takes effect, if the specified module generates log information, the information center automatically sends the log information to the console, which then displays the information.
  • Page 641 Table of Contents: 1 MAC Address Table Configuration 1-1; Overview 1-1; How a MAC Address Table Entry Is Created 1-1; Types of MAC Address Table Entries 1-2; MAC Address Table-Based Frame Forwarding 1-2; Configuring a MAC Address Table 1-3; Configuring MAC Address Table Entries 1-3; Configuring the Aging Timer for Dynamic MAC Address Entries 1-4; Configuring the MAC Learning Limit 1-5; Displaying and Maintaining MAC Address Tables 1-6...
  • Page 642: MAC Address Table Configuration

    MAC Address Table Configuration When configuring MAC address tables, go to these sections for information you are interested in: Overview Configuring a MAC Address Table Displaying and Maintaining MAC Address Table MAC Address Table Configuration Example Currently, interfaces involved in MAC address table configuration can only be Layer 2 Ethernet ports and Layer 2 aggregate interfaces.
  • Page 643: Types Of MAC Address Table Entries

    To adapt to network changes, MAC address table entries need to be constantly updated. Each dynamically learned MAC address table entry has a life time, that is, an aging timer. If an entry has not been updated when the aging timer expires, it is deleted. If it is updated before the aging timer expires, the aging timer restarts.
  • Page 644: Configuring A MAC Address Table

    Figure 1-1 Forward frames using the MAC address table Configuring a MAC Address Table The MAC address table configuration tasks include: Configuring MAC Address Table Entries Configuring the Aging Timer for Dynamic MAC Address Entries Configuring the MAC Learning Limit These configuration tasks are all optional and order independent.
  • Page 645: Configuring The Aging Timer For Dynamic MAC Address Entries

    When using the mac-address command to add a MAC address entry, the interface specified by the interface keyword must belong to the VLAN specified by the vlan keyword, and the VLAN must already exist. Otherwise, you will fail to add this MAC address entry. Follow these steps to add, modify, or remove entries in the MAC address table on an interface: To do…...
  • Page 646: Configuring The MAC Learning Limit

    The MAC address aging timer takes effect globally on dynamic MAC address entries (learned or administratively configured) only. In a stable network, when there has been no traffic activity for a long time, all the dynamic entries in the MAC address table maintained by the device will be deleted. When this happens, the device broadcasts a large number of data packets, which may be listened to by unwanted users, resulting in security hazards.
  • Page 647: Displaying And Maintaining MAC Address Tables

    Displaying and Maintaining MAC Address Tables (To do… / Use the command… / Remarks):
    Display MAC address table information: display mac-address [ mac-address [ vlan vlan-id ] | [ [ dynamic | static ] [ interface interface-type interface-number ] ] [ vlan vlan-id ] [ count ] ] — Available in any view.
    Display the aging timer for...
  • Page 648
    1 mac address(es) found
    # View the aging time of dynamic MAC address entries.
    [Sysname] display mac-address aging-time
    Mac address aging time: 500s...
  • Page 649 Table of Contents: 1 Cluster Management Configuration 1-1; Cluster Management Overview 1-1; Cluster Management Definition 1-1; Roles in a Cluster 1-1; How a Cluster Works 1-2; Cluster Configuration Task List 1-5; Configuring the Management Device 1-7; Enabling NDP Globally and for Specific Ports 1-7; Configuring NDP Parameters 1-7; Enabling NTDP Globally and for Specific Ports 1-8; Configuring NTDP Parameters 1-8; Manually Collecting Topology Information 1-9...
  • Page 650: Cluster Management Configuration

    Cluster Management Configuration When configuring cluster management, go to these sections for information you are interested in: Cluster Management Overview Cluster Configuration Task List Configuring the Management Device Configuring the Member Devices Configuring Access Between the Management Device and Its Member Devices Adding a Candidate Device to a Cluster Configuring Advanced Cluster Functions Displaying and Maintaining Cluster Management...
  • Page 651: How A Cluster Works

    cluster. Different from a member device, its topology information has been collected by the management device but it has not been added to the cluster. Figure 1-1 Network diagram for a cluster As shown in Figure 1-1, the device configured with a public IP address and performing the management function is the management device, the other managed devices are member devices, and the device that does not belong to any cluster but can be added to a cluster is a candidate device.
  • Page 652 configuration according to the candidate device information collected through NTDP. Introduction to NDP NDP is used to discover the information about directly connected neighbors, including the device name, software version, and connecting port of the adjacent devices. NDP works in the following ways: A device running NDP periodically sends NDP packets to its neighbors.
  • Page 653 On the same device, except the first port, each NTDP-enabled port waits for a period of time and then forwards the NTDP topology collection request after its prior port forwards the NTDP topology collection request. Cluster management maintenance Adding a candidate device to a cluster You should specify the management device before creating a cluster.
  • Page 654: Cluster Configuration Task List

    information holdtime, it changes its state to Active; otherwise, it changes its state to Disconnect. If the communication between the management device and a member device is recovered, the member device which is in Disconnect state will be added to the cluster. After that, the state of the member device locally and on the management device will be changed to Active.
  • Page 655 Task / Remarks: Management Device: Configuring NDP Parameters (Optional); Enabling NTDP Globally and for Specific Ports (Optional); Configuring NTDP Parameters (Optional); Manually Collecting Topology Information (Optional); Enabling the Cluster Function (Optional); Establishing a Cluster (Required); Configuring Communication Between the Management Device and the Member Devices Within a Cluster (Optional); Cluster Member Management...
  • Page 656: Configuring The Management Device

    Configuring the Management Device. Enabling NDP Globally and for Specific Ports. For NDP to work normally, you must enable NDP both globally and on specific ports. Follow these steps to enable NDP globally and for specific ports (To do… / Use the command… / Remarks): Enter system view: system-view...
  • Page 657: Enabling NTDP Globally And For Specific Ports

    Enabling NTDP Globally and for Specific Ports. For NTDP to work normally, you must enable NTDP both globally and on specific ports. Follow these steps to enable NTDP globally and for specific ports (To do… / Use the command… / Remarks): Enter system view: system-view — ...
  • Page 658: Manually Collecting Topology Information

    To do… Use the command… Remarks:
    Configure the interval to collect topology information: ntdp timer interval — Optional; 1 minute by default.
    Configure the delay to forward topology-collection request packets on the first port: ntdp timer hop-delay delay-time — Optional; 200 ms by default.
    Configure the port delay to ...: ntdp timer port-delay — Optional...
  • Page 659: Cluster

    You can establish a cluster in two ways: manually and automatically. With the latter, you can establish a cluster according to the prompt information. The system: Prompts you to enter a name for the cluster you want to establish; Lists all the candidate devices within your predefined hop count; Starts to automatically add them to the cluster.
  • Page 660: Cluster Member Management

    Cluster Member Management You can manually add a candidate device to a cluster, or remove a member device from a cluster. If a member device needs to be rebooted for software upgrade or configuration update, you can remotely reboot it through the management device. Adding a member device To do…...
  • Page 661: Manually Collecting Topology Information

    Manually Collecting Topology Information Refer to Manually Collecting Topology Information. Enabling the Cluster Function Refer to Enabling the Cluster Function. Deleting a Member Device from a Cluster To do… Use the command… Remarks Enter system view system-view — Enter cluster view —...
  • Page 662: Adding A Candidate Device To A Cluster

    may fail because of an authentication failure. If the member specified in this command does not exist, the system prompts error when you execute the command; if the switching succeeds, your user level on the management device is retained. If the Telnet users on the device to be logged in reach the maximum number, the switching fails. To prevent resource waste, avoid ring switching when configuring access between cluster members.
  • Page 663: Configuring Interaction For A Cluster

    You can back up and restore the whitelist in the following two ways: Backing them up on the FTP server shared by the cluster. You can manually restore the whitelist and blacklist from the FTP server. Backing them up in the Flash of the management device. When the management device restarts, the whitelist and blacklist will be automatically restored from the Flash.
  • Page 664: Displaying And Maintaining Cluster Management

    To do… Use the command… Remarks:
    Enter cluster view: cluster — 
    Configure the FTP server shared by the cluster: ftp-server ip-address [ user-name username password { simple | cipher } password ] — Required; by default, no FTP server is configured for a cluster.
    Configure the TFTP server ...: — Required...
  • Page 665: Cluster Management Configuration Example

    To do… Use the command… Remarks:
    Display the current blacklist of the cluster: display cluster black-list
    Display the information of candidate devices: display cluster candidates [ mac-address mac-address | verbose ]
    Display the current topology information: display cluster current-topology [ mac-address mac-address [ to-mac-address mac-address ] | member-id...
  • Page 666 Figure 1-4 Network diagram for cluster management configuration. Configuration procedure. Configure the member device Switch A.
    # Enable NDP globally and for port GigabitEthernet 1/0/1.
    <SwitchA> system-view
    [SwitchA] ndp enable
    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] ndp enable
    [SwitchA-GigabitEthernet1/0/1] quit
    # Enable NTDP globally and for port GigabitEthernet 1/0/1.
    [SwitchA] ntdp enable
    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] ntdp enable...
  • Page 667
    [SwitchB-GigabitEthernet1/0/3] ndp enable
    [SwitchB-GigabitEthernet1/0/3] quit
    # Configure the period for the receiving device to keep NDP packets as 200 seconds.
    [SwitchB] ndp timer aging 200
    # Configure the interval to send NDP packets as 70 seconds.
    [SwitchB] ndp timer hello 70
    # Enable NTDP globally and for ports GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3.
  • Page 668
    [abc_0.SwitchB-cluster] holdtime 100
    # Configure the interval to send handshake packets as 10 seconds.
    [abc_0.SwitchB-cluster] timer 10
    # Configure the FTP server, TFTP server, log host and SNMP host for the cluster.
    [abc_0.SwitchB-cluster] ftp-server 63.172.55.1
    [abc_0.SwitchB-cluster] tftp-server 63.172.55.1
    [abc_0.SwitchB-cluster] logging-host 69.172.55.4
    [abc_0.SwitchB-cluster] snmp-host 69.172.55.4
    # Add the device whose MAC address is 000f-e201-0013 to the blacklist.
  • Page 669 Table of Contents: 1 HTTP Configuration 1-1; HTTP Overview 1-1; How HTTP Works 1-1; Logging In to the Device Through HTTP 1-1; Protocols and Standards 1-1; Enabling the HTTP Service 1-1; Configuring the Port Number of the HTTP Service 1-2; Associating the HTTP Service with an ACL 1-2; Displaying and Maintaining HTTP 1-3; 2 HTTPS Configuration 2-1; HTTPS Overview 2-1...
  • Page 670: HTTP Overview

    HTTP Configuration When configuring HTTP, go to these sections for information you are interested in: HTTP Overview Enabling the HTTP Service HTTP Configuration Associating the HTTP Service with an ACL Displaying and Maintaining HTTP HTTP Overview The Hypertext Transfer Protocol (HTTP) is used for transferring web page information across the Internet.
  • Page 671: Configuring The Port Number Of The HTTP Service

    Follow these steps to enable the HTTP service (To do… / Use the command… / Remarks): Enter system view: system-view — ; Enable the HTTP service: ip http enable — Required; enabled by default. Configuring the Port Number of the HTTP Service. Changing the port number of the HTTP service can reduce attacks from illegal users on the HTTP service.
  • Page 672: Displaying And Maintaining HTTP

    Displaying and Maintaining HTTP (To do… / Use the command… / Remarks): Display information about HTTP: display ip http — Available in any view...
  • Page 673: HTTPS Configuration

    HTTPS Configuration When configuring HTTPS, go to these sections for information you are interested in: HTTPS Overview HTTPS Configuration Task List Associating the HTTPS Service with an SSL Server Policy Enabling the HTTPS Service Associating the HTTPS Service with a Certificate Attribute Access Control Policy Configuring the Port Number of the HTTPS Service Associating the HTTPS Service with an ACL Displaying and Maintaining HTTPS...
  • Page 674: Associating The HTTPS Service With An SSL Server Policy

    Associating the HTTPS Service with an SSL Server Policy You need to associate the HTTPS service with a created SSL server policy before enabling the HTTPS service. Follow these steps to associate the HTTPS service with an SSL server policy: To do…...
  • Page 675: Associating The HTTPS Service With A Certificate Attribute Access Control Policy

    After the HTTPS service is enabled, you can use the display ip https command to view the state of the HTTPS service and verify the configuration. Enabling of the HTTPS service will trigger an SSL handshake negotiation process. During the process, if the local certificate of the device already exists, the SSL negotiation is successfully performed, and the HTTPS service can be started normally.
  • Page 676: Associating The HTTPS Service With An ACL

    To do… Use the command… Remarks: Enter system view: system-view — ; Configure the port number of the HTTPS service: ip https port port-number — Optional; by default, the port number of the HTTPS service is 443. If you execute the ip https port command multiple times, the last configured port number is used. Associating the HTTPS Service with an ACL. Associating the HTTPS service with an ACL filters out requests from some clients, letting through only clients that pass the ACL filtering.
  • Page 677 In this configuration example, Windows Server serves as the CA, and you need to install the Simple Certificate Enrollment Protocol (SCEP) component. Figure 2-1 Network diagram for HTTPS configuration. Configuration procedure. Perform the following configurations on Device: Apply for a certificate for Device. # Configure a PKI entity.
  • Page 678
    [Device-ssl-server-policy-myssl] pki-domain 1
    [Device-ssl-server-policy-myssl] client-verify enable
    [Device-ssl-server-policy-myssl] quit
    Configure a certificate access control policy
    # Configure a certificate attribute group.
    [Device] pki certificate attribute-group mygroup1
    [Device-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca
    [Device-pki-cert-attribute-group-mygroup1] quit
    # Configure certificate access control policy myacp and create a control rule.
    [Device] pki certificate access-control-policy myacp
    [Device-pki-cert-acp-myacp] rule 1 permit mygroup1
    [Device-pki-cert-acp-myacp] quit...
  • Page 679 Table of Contents
    1 Stack Configuration 1-1
      Stack Configuration Overview 1-1
        Introduction to Stack 1-1
        Establishing a Stack 1-2
      Stack Configuration Task List 1-2
      Configuring the Master Device of a Stack 1-2
        Configuring a Private IP Address Pool for a Stack 1-2
        Configuring Stack Ports 1-3
        Creating a Stack 1-3
      Configuring Stack Ports of a Slave Device 1-3
      Logging In to the CLI of a Slave from the Master 1-4...
  • Page 680: Stack Configuration Overview

    Stack Configuration. When configuring stack, go to these sections for information you are interested in: Stack Configuration Overview; Stack Configuration Task List; Configuring the Master Device of a Stack; Configuring Stack Ports of a Slave Device; Logging In to the CLI of a Slave from the Master; Displaying and Maintaining Stack Configuration; Stack Configuration Example. Stack Configuration Overview...
  • Page 681: Establishing A Stack

    Establishing a Stack. An administrator can establish a stack as follows: Configure a private IP address pool for the stack and create the stack on the network device that is to be the master device. Configure the ports between the stack devices as stack ports. The master device automatically adds the slave devices to the stack and assigns a number to each stack member.
  • Page 682: Creating A Stack

    If a device is already configured as the master device of a stack or is already a slave device of a stack, you cannot configure a private IP address pool on the device. When you configure a private IP address pool for a stack, the number of IP addresses in the address pool needs to be equal to or greater than the number of devices to be added to the stack.
  • Page 683: Logging In To The Cli Of A Slave From The Master

    To do… / Use the command… / Remarks
    Enter system view: system-view. —
    Configure the specified ports as stack ports: stack stack-port stack-port-num port interface-list. Required. By default, a port is not a stack port.
    After a device joins a stack and becomes a slave device of the stack, the prompt changes to <stack_n.Sysname>, where n is the stack number assigned by the master device and Sysname is the system name of the device.
  • Page 684 Create a stack in which Switch A is the master device and Switch B, Switch C, and Switch D are slave devices. An administrator can log in to Switch B, Switch C, and Switch D through Switch A to perform remote configuration.
    Figure 1-2 Network diagram for stack management (SwitchA: Master device, GE1/0/1...)
  • Page 685
    Switch type: H3C S5120
    MAC address: 000f-e200-1000
    Number        Role : Slave    Sysname : stack_1.SwitchB
    Device type: H3C S5120
    MAC address: 000f-e200-1001
    Number        Role : Slave    Sysname : stack_2.DeviceC
    Device type: H3C S5120
    MAC address: 000f-e200-1002
    Number        Role : Slave    Sysname : stack_3.
  • Page 686 Appendix A Acronyms (acronym: full spelling): 10GE: Ten-GigabitEthernet; Authentication, Authorization and Accounting; Activity Based Costing; Area Border Router; Alternating Current; ACKnowledgement...
  • Page 687 Acronyms (acronym: full spelling): Border Gateway Protocol; BIMS: Branch Intelligent Management System; BOOTP: Bootstrap Protocol; BPDU: Bridge Protocol Data Unit; Basic Rate Interface; Bootstrap Router; BitTorrent; Burst Tolerance; Call Appearance; Certificate Authority; Committed Access Rate; Committed Burst Size; Class Based Queuing; Constant Bit Rate; Core-Based Tree; International Telephone and Telegraph Consultative...
  • Page 688 Acronyms (acronym: full spelling): Connectivity Verification; Deeper Application Recognition; Data Circuit-terminal Equipment; Database Description; Digital Data Network; DHCP: Dynamic Host Configuration Protocol; Designated IS; DLCI: Data Link Connection Identifier; DLDP: Device Link Detection Protocol; Domain Name System; Downstream on Demand; Denial of Service; Designated Router; DSCP...
  • Page 689 Acronyms (acronym: full spelling): Forward Defect Indication; Forwarding Equivalence Class; Fast Failure Detection; Forwarding Group; Forwarding information base; FIFO: First In First Out; FQDN: Full Qualified Domain Name; Frame Relay; Fast ReRoute; FRTT: Fairness Round Trip Time; Functional Test; File Transfer Protocol; GARP: Generic Attribute Registration Protocol...
  • Page 690 Acronyms (acronym: full spelling): International Business Machines; ICMP: Internet Control Message Protocol; ICMPv6: Internet Control Message Protocol for IPv6; IDentification/IDentity; IEEE: Institute of Electrical and Electronics Engineers; IETF: Internet Engineering Task Force; IGMP: Internet Group Management Protocol; IGMP-Snooping: Internet Group Management Protocol Snooping; Interior Gateway Protocol; Incoming Label Map; Internet Locator Service...
  • Page 691 Acronyms (acronym: full spelling): LACPDU: Link Aggregation Control Protocol Data Unit; Local Area Network; Link Control Protocol; LDAP: Lightweight Directory Access Protocol; Label Distribution Protocol; Label Edge Router; LFIB: Label Forwarding Information Base; Label Information Base; Link Layer Control; LLDP: Link Layer Discovery Protocol; Loss of continuity; Call Logging; Line Rate...
  • Page 692 Acronyms (acronym: full spelling): MLD-Snooping: Multicast Listener Discovery Snooping; Meet-Me Conference; MODEM: MOdulator-DEModulator; Multilink PPP; MP-BGP: Multiprotocol extensions for BGP-4; Middle-level PE; MP-group: Multilink Point to Point Protocol group; MPLS: Multiprotocol Label Switching; MPLSFW: Multi-protocol Label Switch Forward; Multicast Port Management; Mobile Switching Center; MSDP: Multicast Source Discovery Protocol...
  • Page 693 Acronyms (acronym: full spelling): NPDU: Network Protocol Data Unit; Network Provider Edge; Network Quality Analyzer; NSAP: Network Service Access Point; NetStream Collector; N-SEL: NSAP Selector; NSSA: Not-So-Stubby Area; NTDP: Neighbor Topology Discovery Protocol; Network Time Protocol; Operation Administration and Maintenance; OAMPDU: OAM Protocol Data Units; OC-3...
  • Page 694 Acronyms (acronym: full spelling): Point Of Presence; Packet Over SDH; Point-to-Point Protocol; PPTP: Point to Point Tunneling Protocol; PPVPN: Provider-provisioned Virtual Private Network; Priority Queuing; Primary Reference Clock; Primary Rate Interface; Protection Switching; Power Sourcing Equipment; PSNP: Partial SNP; Permanent Virtual Channel; Pseudo wires; QACL...
  • Page 695 Acronyms (acronym: full spelling): Rendezvous Point Tree; RRPP: Rapid Ring Protection Protocol; Reservation State Block; RSOH: Regenerator Section Overhead; RSTP: Rapid Spanning Tree Protocol; RSVP: Resource ReserVation Protocol; RTCP: Real-time Transport Control Protocol; Route Table Entry; Real-time Transport Protocol; Real-time Transport Protocol; Source Active; Subnetwork Bandwidth Management...
  • Page 696 Acronyms (acronym: full spelling): Shortest Path Tree; Secure Shell; Synchronization Status Marker; Source-Specific Multicast; Shared Tree; STM-1: SDH Transport Module -1; STM-16: SDH Transport Module -16; STM-16c: SDH Transport Module -16c; STM-4c: SDH Transport Module -4c; Spanning Tree Protocol; Signalling Virtual Connection; Switch-MDT: Switch-Multicast Distribution Tree...
  • Page 697 Acronyms (acronym: full spelling): Virtual Channel Identifier; Virtual Ethernet; Virtual File System; VLAN: Virtual Local Area Network; Virtual Leased Lines; Video On Demand; VoIP: Voice over IP; Virtual Operate System; VPDN: Virtual Private Dial-up Network; VPDN: Virtual Private Data Network; Virtual Path Identifier; VPLS: Virtual Private Local Switch; Virtual Private Network...