HP 1910 Switch Series
Part number: 5998-2269
Software version: Release 1511
Document version: 6W100-20120528



   Summary of Contents for HP 1910

  • Page 1: User Guide

    HP 1910 Switch Series User Guide Part number: 5998-2269 Software version: Release 1511 Document version: 6W100-20120528...

  • Page 2

    The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.

  • Page 3: Table Of Contents

    Contents: Overview (1); Configuration through the Web interface (2); Logging in to the Web interface (2); Logging out of the Web interface (3); Introduction to the Web interface (3); Web user level (4)...

  • Page 4: Table Of Contents

    Displaying system and device information (1); Displaying system information (1); Displaying basic system information (1); Displaying the system resource state (2); Displaying recent system logs (2); Displaying the refresh period (2)...

  • Page 5: Table Of Contents

    Port mirroring implementation (34); Recommended configuration procedures (35); Configuring a mirroring group (35); Configuring ports for a mirroring group (36); Local port mirroring configuration example (38); Network requirements (38)...

  • Page 6: Table Of Contents

    Enabling SNMP agent (74); Configuring an SNMP view (76); Creating an SNMP view (76); Adding rules to an SNMP view (77); Configuring an SNMP community (78); Configuring an SNMP group (79)...

  • Page 7: Table Of Contents

    Types of MAC address table entries (139); Displaying and configuring MAC address entries (139); Setting the aging time of MAC address entries (140); MAC address configuration example (141); Configuring MSTP (143)...

  • Page 8: Table Of Contents

    CDP-compatible LLDP configuration example (210); LLDP configuration guidelines (216); Configuring ARP (217); Overview (217); ARP message format (217); ARP operation (217); ARP table (218); Introduction to gratuitous ARP (219)...

  • Page 9: Table Of Contents

    IPv4 Static route configuration example (261); IPv6 static route configuration example (265); Configuration guidelines (269); DHCP overview (270); Introduction to DHCP (270); DHCP address allocation (270); Allocation mechanisms (270)...

  • Page 10: Table Of Contents

    Configuring 802.1X (302); Overview (302); 802.1X architecture (302); Access control methods (302); Controlled/uncontrolled port and port authorization status (303); 802.1X-related protocols (303); Packet formats (304); EAP over RADIUS (305)...

  • Page 11: Table Of Contents

    Security and authentication mechanisms (374); Basic RADIUS message exchange process (375); RADIUS packet format (376); Extended RADIUS attributes (378); Protocols and standards (379); Recommended RADIUS configuration procedure (379); Configuring RADIUS servers...

  • Page 12: Table Of Contents

    PoE configuration example (478); Network requirements (478); Configuration procedure (479); Support and other resources (481); Contacting HP (481); Subscription service (481); Related information (481); Documents (481)...

  • Page 13: Overview

    Overview. The HP 1910 Switch Series can be configured through the command line interface (CLI), Web interface, and SNMP/MIB. These configuration methods are suitable for different application scenarios. • The Web interface supports all 1910 Switch Series configurations. • The CLI provides some configuration commands to facilitate your operation. To perform other...

  • Page 14: Configuration Through The Web Interface, Logging In To The Web Interface

    Configuration through the Web interface. The device provides web-based configuration interfaces for visual device management and maintenance. Figure 1 Web-based network management operating environment. Logging in to the Web interface: You can use the following default settings to log in to the web interface through HTTP: • Username—admin...

  • Page 15: Logging Out Of The Web Interface, Introduction To The Web Interface

    For example, assign the PC an IP address (for example, 169.254.52.1) within 169.254.0.0/16 (except for the default IP address of the device). Open the browser, and input the login information. Type the IP address http://169.254.52.86 in the address bar and press Enter. The login page of the web interface (see Figure 3) appears.

  • Page 16: Web User Level

    Figure 4 Web-based configuration interface (1) Navigation tree (2) Body area (3) Title area • Navigation tree—Organizes the Web-based NM functions as a navigation tree, where you can select and configure functions as needed. The result is displayed in the body area. Body area—Allows you to configure and display features.

  • Page 17

    Table 1 Web-based NM function description Function menu Description User level Wizard IP Setup Perform quick configuration of the device. Management Display global settings and port settings of a stack. Configure Setup Configure global parameters and stack ports. Management Topology Stack Display the topology summary of a stack.

  • Page 18

    Function menu Description User level Summary Display port information by features. Monitor Port Detail Display feature information by ports. Monitor Manageme Create, modify, delete, and enable/disable a port, Setup Configure and clear port statistics. Display the configuration information about a port Summary Monitor mirroring group.

  • Page 19

    Function menu Description User level Display and refresh SNMP configuration and Monitor statistics information. Setup Configure SNMP. Configure Display SNMP community information. Monitor Community Create, modify, and delete an SNMP community. Configure Display SNMP group information. Monitor Group Create, modify, and delete an SNMP group. Configure SNMP Display SNMP user information.

  • Page 20

    Function menu Description User level Add the address of an OUI that can be identified OUI Add Configure by voice VLAN. Remove the address of an OUI that can be OUI Remove Configure identified by voice VLAN. Display MAC address information. Monitor Create and remove MAC addresses.

  • Page 21

    Function menu Description User level Display global MLD snooping configuration information or the MLD snooping configuration Monitor information in a VLAN, and the MLD snooping Basic multicast entry information. Configure MLD snooping globally or in a VLAN. Configure Snooping Display the MLD snooping configuration Monitor information on a port.

  • Page 22

    Function menu Description User level Configure gratuitous ARP. Configure Display ARP detection configuration information. Monitor ARP Detection Anti-Attack Configure ARP detection. Configure Display 802.1X configuration information globally Monitor or on a port. 802.1X 802.1X Configure 802.1X globally or on a port. Configure Display configuration information about the portal server and advanced parameters for portal...

  • Page 23

    Function menu Description User level Generate a key pair, destroy a key pair, retrieve a certificate, request a certificate, and delete a Configure certificate. Display the contents of the CRL. Monitor Receive the CRL of a domain. Configure Summary Display port isolation group information. Monitor Port Isolate Group...

  • Page 24

    Function menu Description User level Configure traffic mirroring and traffic redirecting Port Setup Configure for a traffic behavior Remove Delete a traffic behavior. Configure Summary Display QoS policy configuration information. Monitor Create Create a QoS policy. Configure Configure the classifier-behavior associations for a QoS Policy Setup Configure...

  • Page 25

    Button and icon / Function: Used to select all the entries on a list, or all the ports on the device panel. Used to deselect all the entries on a list, or all the ports on the device panel.

  • Page 26

    Search function On some list pages, the web interface provides basic and advanced search functions. You can use the search function to display those entries matching certain search criteria. • Basic search function—As shown in Figure 5, input the keyword in the text box above the list, select a search item from the drop-down list and click the Search button to display the entries that match the criteria.

  • Page 27

    Figure 8 Advanced search function example (I) Click the Advanced Search link, specify the search criteria on the advanced search page as shown Figure 9, and click Apply. The ARP entries with interface being GigabitEthernet1/0/19 and IP address range being 192.168.1.50 to 192.168.1.59 are displayed as shown in Figure Figure 9 Advanced search function example (II) Figure 10 Advanced search function example (III)

  • Page 28

    As shown in Figure 11, you can click the blue heading item of each column to sort the entries based on the heading item you selected. Then, the heading item is displayed with an arrow beside it. The upward arrow indicates the ascending order, and the downward arrow indicates the descending order.

  • Page 29: Troubleshooting Web Console

    Troubleshooting web console Unable to access devices through the web console Symptom You can ping and Telnet to a device, on which the HTTP service is running and the versions of the used operating system and IE browser comply with the requirements of the web console. However, you are unable to access the web console of the device.

  • Page 30

    Click Custom Level. The Security Settings dialog box appears, as shown in Figure Enable Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting. Figure 13 Internet Explorer settings (II) Click OK to save your settings. For Firefox Browser Launch the Firefox browser, and select Tools >...

  • Page 31

    Figure 14 Firefox browser settings Click OK to save your settings.

  • Page 32: Configuration At The Cli, Getting Started With The Cli, Setting Up The Configuration Environment

    Configuration at the CLI. The HP 1910 Switch Series can be configured through the CLI, Web interface, and SNMP/MIB, among which the Web interface supports all 1910 Switch Series configurations. These configuration methods are suitable for different application scenarios. As a supplement to the Web interface, the CLI provides some configuration commands to facilitate your operation, which are described in this chapter.

  • Page 33: Setting Terminal Parameters

    NOTE: The serial port on a PC does not support hot swapping. • When you connect a PC to a powered-on switch, connect the DB-9 connector of the console cable to the PC before connecting the RJ-45 connector to the switch.

  • Page 34

    Figure 17 Setting the serial port used by the HyperTerminal connection Set Bits per second to 38400, Data bits to 8, Parity to None, Stop bits to 1, and Flow control to None, and click OK. Figure 18 Setting the serial port parameters Select File >...

  • Page 35

    Figure 19 HyperTerminal window Click the Settings tab, set the emulation to VT100, and click OK in the Switch Properties dialog box. Figure 20 Setting terminal emulation in Switch Properties dialog box...

  • Page 36: Logging In To The Cli, Cli Commands

    Username: admin
    Press Enter. The Password prompt appears.
    Password:
    The login information is verified, and the following CLI prompt appears:
    <HP 1910 Switch>
    If the password is invalid, the following message appears and the login process restarts:
    % Login failed!
    CLI commands. This section contains the following commands:...

  • Page 37: Initialize

    initialize
    Syntax: initialize
    Parameters: None
    Description: Use initialize to delete the configuration file to be used at the next startup and reboot the device with the default configuration being used during reboot. Use the command with caution because this command deletes the configuration file to be used at the next startup and restores the factory default settings.

  • Page 38: Ipsetup Ipv6

    # Create VLAN-interface 1 and assign 192.168.1.2 to the interface, and specify 192.168.1.1 as the default gateway.
    <Sysname> ipsetup ip-address 192.168.1.2 24 default-gateway 192.168.1.1
    ipsetup ipv6
    Syntax: ipsetup ipv6 { auto | address { ipv6-address prefix-length | ipv6-address/prefix-length } [ default-gateway ipv6-address ] }
    Parameters: auto: Enables the stateless address autoconfiguration function.

  • Page 39: Ping Ipv6

    Change password for user: admin
    Old password: ***
    Enter new password: **
    Retype password: **
    The password has been successfully changed.
    ping
    Syntax: ping host
    Parameters: host: Destination IPv4 address (in dotted decimal notation) or host name (a string of 1 to 255 characters).
    Description: Use ping to ping a specified destination.

  • Page 40: Quit

    Examples
    # Ping IPv6 address 2001::4.
    <Sysname> ping ipv6 2001::4
    PING 2001::4 : 56 data bytes, press CTRL_C to break
    Reply from 2001::4 bytes=56 Sequence=1 hop limit=64 time = 15 ms
    Reply from 2001::4 bytes=56 Sequence=2 hop limit=64 time = 2 ms
    Reply from 2001::4 bytes=56 Sequence=3 hop limit=64 time = 11 ms...

  • Page 41: Reboot

    reboot
    Syntax: reboot
    Parameters: None
    Description: Use reboot to reboot the device and run the main configuration file. Use the command with caution because reboot results in service interruption. If the main configuration file is corrupted or does not exist, the device cannot be rebooted with the reboot command.

  • Page 42: Upgrade

    Next backup boot app is: NULL
    HP Comware Platform Software
    Comware Software, Version 5.20, Copyright (c) 2010-2012 Hewlett-Packard Development Company, L.P.
    HP 1910-8G-PoE+ (65W) Switch uptime is 0 week, 0 day, 2 hours, 1 minute
    HP 1910-8G-PoE+ (65W) Switch 128M bytes DRAM...

  • Page 43: Upgrade Ipv6

    To validate the downloaded software package file, reboot the device. NOTE: The HP 1910 Switch Series does not provide an independent Boot ROM image. Instead, it integrates the Boot ROM image with the system software image file together in a software package file with the extension name of .bin.

  • Page 44: Configuration Example For Upgrading The System Software Image At The Cli

    192.168.10.1/24. The gateway and the switch can reach each other. The administrator upgrades the Boot ROM image and the system software image file of the 1910 switch through the PC and sets the IP address of the switch to 192.168.1.2/24.

  • Page 45

    File downloaded successfully.
    BootRom file updating finished!
    # Reboot the switch.
    <Switch> reboot
    After getting the new image file, reboot the switch to validate the upgraded image.

  • Page 46: Configuration Wizard, Basic Service Setup, Entering The Configuration Wizard Homepage, Configuring System Parameters

    Configuration wizard Overview The configuration wizard guides you through configuring the basic service parameters, including the system name, the system location, the contact information, and the management IP address. Basic service setup Entering the configuration wizard homepage Select Wizard from the navigation tree. Figure 22 Configuration wizard homepage Configuring system parameters On the wizard homepage, click Next.

  • Page 47: Configuring Management Ip Address

    Figure 23 System parameter configuration page. Configure the parameters as described in Table 3. Table 3 Configuration items. Item / Description: Sysname: Specify the system name. The system name appears at the top of the navigation tree. You can also set the system name in the System Name page you enter by selecting Device >...

  • Page 48

    On the system parameter configuration page, click Next. Figure 24 Management IP address configuration page. Configure the parameters as described in Table 4. Table 4 Configuration items. Item / Description: Select a VLAN interface. Available VLAN interfaces are those configured in the page that you enter by selecting Network >...

  • Page 49: Finishing Configuration Wizard

    Item / Description: DHCP, BOOTP, Manual: Configure how the VLAN interface obtains an IPv4 address. • DHCP—Specifies the VLAN interface to obtain an IPv4 address through DHCP. • BOOTP—Specifies the VLAN interface to obtain an IPv4 address through BOOTP. • Manual—Allows you to specify an IPv4 address and a mask length. IPv4 address: Configure IPv4...

  • Page 50

    Figure 25 Configuration finishes...

  • Page 51: Configuring Stack

    Configuring stack. Overview: The stack management feature enables you to configure and monitor a group of connected switches by logging in to one switch in the stack, as shown in Figure 26. Figure 26 Network diagram. To set up a stack for a group of connected switches, you must log in to one switch to create the stack. This switch is the master switch for the stack, and you configure and monitor all other member switches on the master switch.

  • Page 52: Configuring Global Stack Parameters

    Task / Remarks: Displaying topology summary of a stack: Display stack member information. Optional. Displaying device summary of a stack: Display the control panels of stack members. Optional. IMPORTANT: To successfully display control panel information, make sure that the user account you are logged in with to the master has also been created on each member device.

  • Page 53

    Figure 27 Setting up a fabric. Table 5 Configuration items. Item / Description: Private Net IP, Mask: Configure a private IP address pool for the stack. The master device automatically picks an IP address from this pool for each member device for intra-stack communication. IMPORTANT: Make sure the number of IP addresses in the address pool is equal to or greater than the...

  • Page 54: Configuring Stack Ports, Displaying Topology Summary Of A Stack, Displaying Device Summary Of A Stack

    Item / Description: Build Stack: Create the stack. As a result, the device becomes the master device of the stack and automatically adds the devices connected to its stack ports to the stack. IMPORTANT: You can delete the stack only on the master device. The Global Settings area is grayed out for stack member devices.

  • Page 55: Logging In To A Member Device From The Master, Stack Configuration Example

    View interfaces and power socket layout on the panel of each stack member by clicking their respective tabs. Figure 29 Device Summary tab (on the master device) Return to Configuration task list. Logging in to a member device from the master Select Stack from the navigation tree.

  • Page 56

    Figure 31 Network diagram (Switch A: master device; Switch B, Switch C, and Switch D: slave devices; stack links on ports Eth1/0/1, Eth1/0/2, and Eth1/0/3). Configuration procedure: Configure global stack parameters on Switch A: Select Stack from the navigation tree of Switch A to enter the page of the Setup tab, and then perform the following configurations, as shown in Figure...

  • Page 57

    Figure 32 Configuring global stack parameters on Switch A Type 192.168.1.1 in the field of Private Net IP. Type 255.255.255.0 in the field of Mask. Select Enable from the Build Stack list. Click Apply. Now, switch A becomes the master device. Configure the stack port on Switch A:...

  • Page 58

    On the Setup tab, select the box before Ethernet1/0/1 in the Port Settings area. Click Enable. Figure 33 Configuring a stack port on Switch A On Switch B, configure ports Ethernet 1/0/2, Ethernet 1/0/1, and Ethernet 1/0/3 as stack ports. Select Stack from the navigation tree of Switch B.

  • Page 59

    Click Enable. Figure 34 Configuring stack ports on Switch B On Switch C, configure port Ethernet 1/0/1 as a stack port. Select Stack from the navigation tree of Switch C. On the Setup tab, select the box before Ethernet1/0/1 in the Port Settings area. Click Enable.

  • Page 60

    Figure 35 Configuring a stack port on Switch C On Switch D, configure port Ethernet 1/0/1 as a stack port. Select Stack from the navigation tree of Switch D. On the Setup tab, select the box before Ethernet1/0/1 in the Port Settings area. Click Enable.

  • Page 61

    Verifying the configuration: Select Stack from the navigation tree and click the Topology Summary tab to display the stack topology on Switch A. Figure 36 Verifying the configuration. Configuration guidelines: • If a device is already configured as a stack master device, you cannot modify the private IP address...

  • Page 62: Displaying System And Device Information, Displaying System Information, Displaying Basic System Information

    Displaying system and device information Displaying system information Select Summary from the navigation tree to enter the System Information tab to view the basic system information, system resource state, and recent system logs. Figure 37 System information Displaying basic system information Table 7 Field description Item Description...

  • Page 63: Displaying The System Resource State, Displaying Recent System Logs, Displaying Device Information

    Item Description Product Information Display the description about the device. Display the device location, which you can configure on the Device Location page you enter by selecting Device > SNMP > Setup Display the contact information, which you can configure on Contact Information the page you enter by selecting Device >...

  • Page 64

    Figure 38. For the description about the port number and its color, see Figure 38. Similarly, you can also view the power type and operating status and the fan operating status. Figure 38 Device information Select from the Refresh Period list: If you select a certain period, the system refreshes the information at the specified interval.

  • Page 65: Configuring Basic Device Settings, Configuring System Name, Configuring Idle Timeout Period

    Configuring basic device settings Overview The device basic information feature provides the following functions:
    • Set the system name of the device. The configured system name is displayed on the top of the navigation bar.
    • Set the idle timeout period for logged-in users. The system logs an idle user off the web for security...

  • Page 66

    Figure 40 Configuring idle timeout period Set the idle timeout period for logged-in users. Click Apply.

  • Page 67: Maintaining Devices, Software Upgrade

    Maintaining devices Software upgrade A boot file, also known as the system software or device software, is an application file used to boot the device. Software upgrade allows you to obtain a target application file from the local host and set the file as the boot file with the original file name to be used at the next reboot.

  • Page 68: Device Reboot

    Item Description
    If a file with the same name already exists, overwrite it without any prompt: Specify whether to overwrite the file with the same name. If you do not select the option, when a file with the same name exists, a dialog box appears, telling you that the file already exists and you cannot continue the upgrade.

  • Page 69: Electronic Label, Diagnostic Information

    Electronic label You can view information about the device electronic label, which is also known as the permanent configuration data or archive information. The information is written into the storage medium of a device or a card during the debugging and testing processes, and includes card name, product bar code, MAC address, debugging and testing date(s), and vendor name.

  • Page 70

    Click Create Diagnostic Information File. The system begins to generate a diagnostic information file. Click Click to Download. The File Download dialog box appears. Open this file or save it to the local host. Figure 45 Finishing creating the diagnostic information file After the diagnostic file is successfully generated, you can view this file, or download it to the local host on the page you enter by selecting Device >...

  • Page 71: Configuring System Time

    Configuring system time System time overview You must configure a correct system time so that the device can work with other devices properly. System time allows you to display and set the device system time and system zone on the web interface. The device supports setting system time through manual configuration and automatic synchronization of NTP server time.

  • Page 72: Configuring Network Time

    Figure 47 Calendar page Enter the system date and time in the field, or select the date and time in the calendar, where you can: Click Today. The date setting in the calendar is synchronized to the current local date configuration, and the time setting does not change.

  • Page 73: Date And Time Configuration Example

    Table 10 Configuration items
    Item Description
    Clock status: Display the synchronization status of the system clock.
    Source Interface: Set the source interface for an NTP message. If you do not want the IP address of a certain interface on the local device to become the destination address of response messages, you can specify the source interface for NTP messages, so that the source IP address in the...

  • Page 74: Configuration Guidelines

    Configuring date and time Configure the local clock as the reference clock, with the stratum of 2. Enable NTP authentication, set the key ID to 24, and specify the created authentication key aNiceKey is a trusted key. (Details not shown.) On Switch B, configure Device A as the NTP server.

  • Page 75: Displaying Syslogs

    Configuring syslogs Overview System logs contain a large amount of network and device information, including running status and configuration changes. System logs are an important way for administrators to know network and device running status. With system logs, administrators can take corresponding actions against network problems and security problems.

  • Page 76: Setting The Log Host

    TIP:
    • You can click Reset to clear all system logs saved in the log buffer on the web interface.
    • You can click Refresh to manually refresh the page, or you can set the refresh interval on the Log Setup...

  • Page 77: Setting Buffer Capacity And Refresh Interval

    Figure 52 Setting loghost Configure the IPv4 address of the log host. Click Apply. Setting buffer capacity and refresh interval Select Device > Syslog from the navigation tree. Click the Log Setup tab. The syslog configuration page appears. Figure 53 Syslog configuration page Configure buffer capacity and refresh interval as described in Table...

  • Page 78

    Click Apply. Table 12 Configuration items Item Description Buffer Capacity Set the number of logs that can be stored in the log buffer of the web interface. Set the refresh period on the log information displayed on the web interface. You can select manual refresh or automatic refresh: •...

  • Page 79: Managing The Configuration, Backing Up Configuration, Restoring Configuration

    Managing the configuration You can backup, restore, save, and reset the configuration of the device. Backing up configuration With the configuration backup function, you can perform the following tasks: Open and view the configuration file (.cfg file) for the next startup •...

  • Page 80: Saving Configuration

    Figure 55 Restoring the configuration Click the upper Browse button. The file upload dialog box appears. Select the .cfg file to be uploaded, and click Apply. Saving configuration The save configuration module provides the function to save the current configuration to the configuration file (.cfg file) to be used at the next startup.

  • Page 81: Resetting Configuration

    Resetting configuration This operation will restore the system to factory defaults, delete the current configuration file, and reboot the device. To reset the configuration: Select Device > Configuration from the navigation tree. Click the Initialize tab to enter the initialize confirmation page. Click the Restore Factory-D button to restore the system to factory defaults.

  • Page 82: Managing Files, Displaying Files, Downloading A File

    Managing files The device saves files such as the host software file and configuration file on its storage media. The file management function allows you to manage the files on the storage media. Displaying files Select Device > File Management from the navigation tree. Figure 58 File management page Select a medium from the Please select disk list.

  • Page 83: Uploading A File, Removing A File

    Uploading a file NOTE: Uploading a file may take some time. HP does not recommend performing any operation on the web interface during the upgrade. Select Device > File Management from the navigation tree to enter the file management page.

  • Page 84: Managing Ports, Configuring A Port, Setting Operation Parameters For A Port

    Managing ports Overview You can use the port management feature to set and view the operation parameters of a Layer 2 Ethernet port and an aggregate interface. For a Layer 2 Ethernet port, these operation parameters include its state, rate, duplex mode, link •...

  • Page 85

    Figure 59 The Setup tab Set the operation parameters for the port as described in Table Click Apply.
    Table 13 Configuration items
    Item Description
    Port State: Enable or disable the port. Sometimes, after you modify the operation parameters of a port, you need to disable and then enable the port to have the modifications take effect.

  • Page 86

    Item Description
    Speed: Set the transmission rate of the port. Available options include:
    • 10—10 Mbps.
    • 100—100 Mbps.
    • 1000—1000 Mbps.
    • Auto—Auto-negotiation.
    • Auto 10—Auto-negotiated to 10 Mbps.
    • Auto 100—Auto-negotiated to 100 Mbps.
    • Auto 1000—Auto-negotiated to 1000 Mbps.
    • ...

  • Page 87

    Item Description Set the Medium Dependent Interface (MDI) mode of the port. Two types of Ethernet cables can be used to connect Ethernet devices: crossover cable and straight-through cable. To accommodate these two types of cables, an Ethernet port can operate in one of the following three MDI modes: across, normal, and auto.

  • Page 88

    Item Description Set broadcast suppression on the port. You can suppress broadcast traffic by percentage or by PPS as follows: • ratio—Sets the maximum percentage of broadcast traffic to the total bandwidth of an Ethernet port. When this option is selected, you need to input a percentage in the box below.

  • Page 89: Displaying Port Operation Parameters

    Item Description
    Selected Ports: Interface or interfaces that you have selected from the chassis front panel and the aggregate interface list below, for which you have set operation parameters. IMPORTANT: You can set only the state and MAC learning limit for an aggregate interface. NOTE: If you set operation parameters that a port does not support, you are notified of invalid settings and may fail to set the supported operation parameters for the port or other ports.

  • Page 90: Port Management Configuration Example

    Click the Detail tab. Select a port whose operation parameters you want to view in the chassis front panel, as shown in Figure 61. The operation parameter settings of the selected port are displayed on the lower part of the page. Whether the parameter takes effect is displayed in the square brackets. Figure 61 The Detail tab Port management configuration example Network requirements...

  • Page 91

    Figure 62 Network diagram Configuring the switch Set the rate of GigabitEthernet 1/0/4 to 1000 Mbps. Select Device > Port Management from the navigation tree. Click the Setup tab to enter the page shown in Figure 63. Select 1000 from the Speed list.

  • Page 92

    Figure 63 Configure the rate of GigabitEthernet 1/0/4 Batch configure the auto-negotiation rate range on GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 as 100 Mbps. On the Setup tab, select Auto 100 from the Speed list, as shown in Figure Select 1, 2, and 3 on the chassis front panel.

  • Page 93

    Figure 64 Batch configure port rate Display the rate settings of ports. Click the Summary tab. Click the Speed button to display the rate information of all ports on the lower part of the page, as shown in Figure...

  • Page 94

    Figure 65 Display the rate settings of ports...

  • Page 95: Configuring Port Mirroring, Terminologies Of Port Mirroring, Mirroring Source, Mirroring Destination, Mirroring Direction, Mirroring Group

    Port mirroring implementation HP 1910 switch series supports local port mirroring, in which case the mirroring source and the mirroring destination are on the same device. A mirroring group that contains the mirroring source and the...

  • Page 96: Recommended Configuration Procedures, Configuring A Mirroring Group

    Figure 66 Local port mirroring implementation As shown in Figure 66, the source port GigabitEthernet 1/0/1 and monitor port GigabitEthernet 1/0/2 reside on the same device. Packets of GigabitEthernet 1/0/1 are copied to GigabitEthernet 1/0/2, which then forwards the packets to the data monitoring device for analysis. Recommended configuration procedures Step Remarks...

  • Page 97: Configuring Ports For A Mirroring Group

    Figure 67 Adding a mirroring group Configure the mirroring group as described in Table Click Apply. Table 14 Configuration items Item Description ID of the mirroring group to be added. Mirroring Group ID The range of the mirroring group ID varies with devices. Specify the type of the mirroring group to be added: Type Local—Adds a local mirroring group.

  • Page 98

    Figure 68 The Modify Port tab Configure ports for the mirroring group as described in Table Click Apply. A progress dialog box appears. After the success notification appears, click Close. Table 15 Configuration items Item Description ID of the mirroring group to be configured. Mirroring The available groups were added previously.

  • Page 99: Local Port Mirroring Configuration Example

    Local port mirroring configuration example Network requirements As shown in Figure 69, configure local port mirroring on Switch A to monitor the packets received and sent by the Marketing department and Technical department. Figure 69 Network diagram Adding a local mirroring group Select Device >...

  • Page 100: Configuring The Mirroring Ports As GigabitEthernet 1/0/1 And GigabitEthernet 1/0/2

    Figure 70 Adding a local mirroring group Configuring the mirroring ports as GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 Click the Modify Port tab to enter the page, as shown in Figure Select 1 – Local from the Mirroring Group ID list, select Mirror Port from the Port Type list, select both from the Stream Orientation list, and select 1 (GigabitEthernet 1/0/1) and 2 (GigabitEthernet 1/0/2) on the chassis front panel.

  • Page 101: Configuring The Monitor Port As GigabitEthernet 1/0/3

    Figure 71 Configuring the mirroring ports Configuring the monitor port as GigabitEthernet 1/0/3 Click the Modify Port tab to enter the page, as shown in Figure Select 1 – Local from the Mirroring Group ID list, select Monitor Port from the Port Type list, and select 3 (GigabitEthernet 1/0/3) on the chassis front panel.

  • Page 102

    Figure 72 Configuring the monitor port Configuration guidelines Follow these guidelines when you configure port mirroring: You can configure multiple source ports but only one monitor port for a local mirroring group. To ensure normal operation of mirroring, do not enable the spanning tree feature on the monitor port.

  • Page 103: Managing Users, Adding A Local User

    Managing users The device provides the following user management functions: Add a local user, and specify the password, access level, and service types for the user. • Set the super password for non-management level users to switch to the management level. •...

  • Page 104: Setting The Super Password

    Table 16 Configuration items Item Description Username Set a username for the user. Select an access level for the user. Users of different levels can perform different operations. User levels, in order from low to high, are as follows: • Visitor—Users of this level can only perform ping and traceroute operations.

  • Page 105: Switching To The Management Level

    Table 17 Configuration items
    Item Description
    Create/Remove: Select the operation type:
    • Create—Configure or modify the super password.
    • Remove—Remove the current super password.
    Password: Set the password for non-management level users to switch to the management level.
    Confirm Password: Enter the same password again. Otherwise, the system will prompt that the two passwords entered are not consistent when you apply the configuration.

  • Page 106: Configuring A Loopback Test

    Configuring a loopback test Overview You can check whether an Ethernet port works normally by performing the Ethernet port loopback test, during which the port cannot forward data packets normally. Ethernet port loopback test can be an internal loopback test or an external loopback test. •...

  • Page 107

    Figure 77 Loopback test result Configuration guidelines Follow these guidelines when you configure a loopback test: • You can perform an internal loopback test but not an external loopback test on a port that is physically down, while you can perform neither test on a port that is manually shut down. The system does not allow Rate, Duplex, Cable Type and Port Status configuration on a port under •...

  • Page 108: Configuring VCT, Testing Cable Status

    Configuring VCT Overview You can use the Virtual Cable Test (VCT) function to check the status of the cable connected to an Ethernet port on the device. The result is returned in less than 5 seconds. The test covers whether short circuit or open circuit occurs on the cable and the length of the faulty cable.

  • Page 109: Configuring The Flow Interval, Viewing Port Traffic Statistics

    Configuring the flow interval Overview With the flow interval module, you can view the number of packets and bytes sent/received by a port and the bandwidth utilization of the port over the specified interval. Setting the traffic statistics generating interval Select Device >...

  • Page 110

    Figure 80 Port traffic statistics NOTE: When the bandwidth utilization is lower than 1%, 1% is displayed.

  • Page 111: Configuring Storm Constrain

    Configuring storm constrain Overview The storm constrain function limits traffic of a port within a predefined upper threshold to suppress packet storms in an Ethernet. With this function enabled on a port, the system detects the amount of broadcast traffic, multicast traffic, and unknown unicast traffic reaching the port periodically. When a type of traffic exceeds the threshold for it, the function, as configured, blocks or shuts down the port, and optionally, sends trap messages and logs.

  • Page 112

    Figure 81 The storm constrain tab NOTE: For the sake of network stability, set the traffic statistics generating interval for the storm constrain function to the default or a greater value. Configuring storm constrain Select Device > Storm Constrain from the navigation tree to enter the storm constrain configuration page.

  • Page 113

    Table 19 Configuration items Item Remarks Specify the action to be performed when a type of traffic exceeds the upper threshold. Available options include: • None—Performs no action. • Block—Blocks the traffic of this type on a port when the type of traffic exceeds the upper threshold.

  • Page 114: Configuring RMON, Working Mechanism, RMON Groups

    RMON agent implementations only provide four groups of MIB information: alarm, event, history, and statistics. HP devices provide the embedded RMON agent function. You can configure your device to collect and report traffic statistics, error statistics, and performance statistics.

  • Page 115: Alarm Group

    the management device. The statistics data includes bandwidth utilization, number of error packets, and total number of packets. A history group collects statistics on packets received on the interface during each period, which can be configured through the command line interface (CLI). Event group The event group defines event indexes and controls the generation and notifications of the events triggered by the alarms defined in the alarm group.

  • Page 116: RMON Configuration Task List

    RMON configuration task list Configuring the RMON statistics function The RMON statistics function can be implemented by either the statistics group or the history group, but the objects of the statistics are different. You can choose to configure a statistics group or a history group accordingly.

  • Page 117: Displaying RMON Running Status

    Table 22 RMON alarm configuration task list Task Remarks Required. You can create up to 100 statistics entries in a statistics table. As the alarm variables that can be configured through the web interface are MIB variables that are defined in the history group or the statistics group, you must make sure that the RMON Ethernet statistics function or the RMON history statistics function is configured on the monitored Ethernet interface.

  • Page 118: Configuring A Statistics Entry

    Task Remarks
    Displaying RMON event logs: If you have configured the system to log an event after the event is triggered when you configure the event group, the event is recorded into the RMON log. You can perform this task to display the details of the log table.

  • Page 119: Configuring A History Entry

    Item Description Owner Set the owner of the statistics entry. Configuring a history entry Select Device > RMON from the navigation tree. Click the History tab. The History tab page appears. Figure 86 History tab Click Add. The page for adding a history entry appears. Figure 87 Adding a history entry Configure a history entry as described in Table...

  • Page 120: Configuring An Event Entry

    Item Description
    Buckets Granted: Set the capacity of the history record list corresponding to this history entry, namely, the maximum number of records that can be saved in the history record list. If the current number of the entries in the table has reached the maximum number, the system will delete the earliest entry to save the latest one.

  • Page 121: Configuring An Alarm Entry

    Click Apply. Table 26 Configuration items Item Description Description Set the description for the event. Owner Set the owner of the entry. Set the actions that the system will take when the event is triggered: • Log—The system will log the event. Event Type •...

  • Page 122

    Figure 91 Adding an alarm entry Configure an alarm entry as described in Table Click Apply.
    Table 27 Configuration items
    Item Description
    Alarm variable:
    Static Item: Set the traffic statistics that will be collected and monitored, see Table 28 for details.
    Interface Name: Set the name of the interface whose traffic statistics will be collected and monitored.

  • Page 123

    Item Description
    Create Default Event: Select whether to create a default event. The description of the default event is default event, the action is log-and-trap, and the owner is default owner. If there is no event, you can select to create the default...

  • Page 124

    Table 28 Field description
    Field Description
    Number of Received Bytes: Total number of octets received by the interface, corresponding to the MIB node etherStatsOctets.
    Number of Received Packets: Total number of packets received by the interface, corresponding to the MIB node etherStatsPkts.
    Number of Received Broadcasting Packets: Total number of broadcast packets received by the interface, corresponding to the MIB node...

  • Page 125

    Field Description
    Number of Received 1024 to 1518 Bytes Packets: Total number of received packets with 1024 to 1518 octets on the interface, corresponding to the MIB node etherStatsPkts1024to1518Octets.

  • Page 126: Displaying RMON Event Logs, RMON Configuration Example

    Field Description
    UndersizePkts: Number of undersize packets received during the sampling period, corresponding to the MIB node etherHistoryUndersizePkts.
    OversizePkts: Number of oversize packets received during the sampling period, corresponding to the MIB node etherHistoryOversizePkts.
    Fragments: Number of fragments received during the sampling period, corresponding to the MIB node etherHistoryFragments.

  • Page 127

    Figure 95 Network diagram Configuration procedure Configure RMON to gather statistics for interface GigabitEthernet 1/0/1: Select Device > RMON from the navigation tree. The Statistics tab page appears. Click Add. The page in Figure...

  • Page 128

    Figure 97 Displaying RMON statistics Create an event to start logging after the event is triggered: Click the Event tab. Click Add. The page in Figure 98 appears. Type user1-rmon in the Owner field, select the box before Log, and click Apply. The page displays the event entry, and you can see that the entry index of the new event is 1, as shown in Figure...

  • Page 129

    Figure 99 Displaying the index of an event entry Configure an alarm group to sample received bytes on GigabitEthernet 1/0/1. When the received bytes exceed the rising or falling threshold, logging is enabled: Click the Alarm tab. Click Add. The page in Figure 100 appears.

  • Page 130

    Select Device > RMON from the navigation tree. Click the Log tab. The page displaying log information appears. The displayed information indicates that event 1 has generated one log, which is triggered because the alarm value (22050) exceeds the rising threshold (1000).

  • Page 131: Configuring Energy Saving, Configuring Energy Saving On A Port

    Configuring energy saving Energy saving overview Energy saving enables a port to work at the lowest transmission speed, disable PoE, or go down during a specific time range on certain days of a week. The port resumes working normally when the effective time period ends.

  • Page 132

    Item Description
    Lowest Speed: Set the port to transmit data at the lowest speed. IMPORTANT: If you configure the lowest speed limit on a port that does not support 10 Mbps, the configuration cannot take effect.
    Shutdown: Shut down the port. IMPORTANT: An energy saving policy can have all the three energy saving schemes configured, of...

  • Page 133: Configuring SNMP, SNMP Mechanism

    Configuring SNMP Overview Simple Network Management Protocol (SNMP) is an Internet standard protocol widely used for a management station to access and operate the devices on a network, regardless of their vendors, physical characteristics and interconnect technologies. SNMP enables network administrators to read and set the variables on managed devices for state monitoring, troubleshooting, statistics collection, and other management purposes.

  • Page 134: SNMP Protocol Versions

    The device supports only traps. SNMP protocol versions HP supports SNMPv1, SNMPv2c, and SNMPv3. An NMS and an SNMP agent must use the same SNMP version to communicate with each other. SNMPv1—Uses community names for authentication. To access an SNMP agent, an NMS must use •...

  • Page 135: Enabling SNMP Agent

    Table 32 SNMPv3 configuration task list
    Task Remarks
    Enabling SNMP agent: Required. By default, the SNMP agent function is disabled. IMPORTANT: If SNMP agent is disabled, all SNMP agent-related configurations will be removed.
    Configuring an SNMP view: Optional. After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.

  • Page 136

    Figure 105 Setup tab Configure SNMP settings on the upper part of the page as described in Table Click Apply.
    Table 33 Configuration items
    Item Description
    SNMP: Specify to enable or disable SNMP agent.
    Local Engine ID: Configure the local engine ID. Validity of a user depends on the engine ID of the SNMP agent. If the engine ID when the user is created is not identical to the current engine ID, the user is invalid.

  • Page 137: Configuring An SNMP View, Creating An SNMP View

    Item Description
    Contact: Set a character string to describe the contact information for system maintenance. If the device is faulty, the maintainer can contact the manufacturer according to the contact information of the device.
    Location: Set a character string to describe the physical location of the device.
    SNMP Version: Set the SNMP version run by the system.

  • Page 138

    Type the view name. Click Apply. The page in Figure 108 appears. Figure 108 Creating an SNMP view (2) Configure the parameters as described in Table 3 Click Add to add the rule into the list box at the lower part of the page.

  • Page 139

    The Add rule for the view ViewDefault window appears. Figure 109 Adding rules to an SNMP view Configure the parameters as described in Table 3 Click Apply. To modify a view, click the icon for the view on the View tab (see...

  • Page 140: Configuring An SNMP Group

    Figure 111 Creating an SNMP Community Configure the SNMP community as described in Table Click Apply. Table 35 Configuration items Item Description Community Name Set the SNMP community name. Configure SNMP NMS access right: • Read only—The NMS can perform read-only operations to the MIB objects when it uses this community name to access the agent.

  • Page 141

    Figure 112 Group tab Click Add. The Add SNMP Group page appears. Figure 113 Creating an SNMP group Configure the SNMP group as described in Table Click Apply. Table 36 Configuration items Item Description Group Name Set the SNMP group name. Select the security level for the SNMP group: •...

  • Page 142: Configuring An SNMP User

    Item Description
    Write View: Select the write view of the SNMP group. If no write view is configured, the NMS cannot perform the write operations to all MIB objects on the device.
    Notify View: Select the notify view of the SNMP group, that is, the view that can send trap messages. If no notify view is configured, the agent does not send traps to the NMS.

  • Page 143

    Figure 115 Creating an SNMP user Configure the SNMP user as described in Table Click Apply. Table 37 Configuration items Item Description User Name Set the SNMP user name. Select the security level for the SNMP group. Available security levels are: •...

  • Page 144: Configuring The SNMP Trap Function

    Item Description
    Auth/Priv.
    Confirm Authentication Password: Confirm authentication password must be the same with the authentication password.
    Privacy Mode: Select a privacy mode (including DES56, AES128, and 3DES) when the security level is Auth/Priv.
    Privacy Password: Set the privacy password when the security level is Auth/Priv.
    Confirm Privacy Password: Confirm privacy password must be the same with the privacy password.

  • Page 145: Displaying SNMP Packet Statistics

    Figure 117 Adding a target host of SNMP traps Configure the settings for the target host as described in Table Click Apply.
    Table 38 Configuration items
    Item Description
    Destination IP Address: Select the IPv4 or IPv6 option, and enter the specific type of destination IP address.
    Security Name: Set the security name, which can be an SNMPv1 community name, an SNMPv2c community name, or an SNMPv3 user name.

  • Page 146: SNMPv1/v2c Configuration Example

    Figure 118 SNMP Statistics SNMPv1/v2c configuration example Network requirements As shown in Figure 119, the NMS at 1.1.1.2/24 uses SNMPv1 or SNMPv2c to manage the switch (agent) at 1.1.1.1/24, and the switch automatically sends traps to report events to the NMS. Figure 119 Network diagram Configuring the agent Enable SNMP:...

  • Page 147

    Figure 120 Configuring the SNMP agent Select the Enable option, and select the v1 and v2 options. Set Hewlett-Packard Development Company, L.P. as the contact person, and HP as the physical location. Click Apply. Configure a read-only community: Click the Community tab.

  • Page 148

    Configure a read and write community: Click Add on the Community tab page. The Add SNMP Community page appears. Figure 122 Configuring an SNMP read and write community Enter private in the Community Name field, and select Read and write from the Access Right list.

  • Page 149: SNMPv3 Configuration Example

    Figure 124 Adding a trap target host Type 1.1.1.2 in the following field, type public in the Security Name field, and select v1 from the Security Model list. Click Apply. Configuring the NMS To avoid communication failures, make sure the NMS uses the same SNMP settings as the agent. Configure the SNMP version for the NMS as v1 or v2c.

  • Page 150

    The SNMP configuration page appears. Figure 126 Configuring the SNMP agent Select the Enable option, and select the v3 option. Set Hewlett-Packard Development Company, L.P. as the contact person, and HP as the physical location. Click Apply. Configure an SNMP view: Click the View tab.

  • Page 151

    Figure 127 Creating an SNMP view (1) Type view1 in the View Name field. Click Apply. The page in Figure 128 appears. Select the Included option, type the MIB subtree OID interfaces, and click Add. Click Apply. A configuration progress dialog box appears. Click Close after the configuration process is complete.

  • Page 152

    Figure 129 Creating an SNMP group Configure an SNMP user: Click the User tab. Click Add. The page in Figure 130 appears. Type user1 in the User Name field, select Auth/Priv from the Security Level list, select group1 from the Group Name list, select MD5 from the Authentication Mode list, type authkey in the Authentication Password and Confirm Authentication Password fields, select DES56 from the Privacy Mode list, and type prikey in the Privacy Password and Confirm Privacy Password fields.

  • Page 153

    Figure 130 Creating an SNMP user Enable SNMP traps: Click the Trap tab. The Trap tab page appears. Figure 131 Enabling SNMP traps Select the box of Enable SNMP Trap. Click Apply. Configure a target host SNMP traps: Click Add on the Trap tab page. The page for adding a target host of SNMP traps appears.

  • Page 154

Figure 132 Adding a trap target host. Type 1.1.1.2 in the following field, type user1 in the Security Name field, select v3 from the Security Model list, and select Auth/Priv from the Security Level list. Click Apply. Configuring the NMS: To avoid communication failures, make sure the NMS uses the same SNMP settings as the agent.
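The authentication and privacy passwords entered for user1 above are never sent to the switch as they are typed: the SNMPv3 User-based Security Model (RFC 3414) hashes each password into a key and then localizes it to the agent's engine ID, so a key captured from one agent is useless against another, and an NMS must derive a separate key per agent. The following is an added example, not code from the HP guide, that implements that derivation in Python with only the standard library and checks it against the test vectors published in RFC 3414 Appendix A; the engine IDs used below are constructed, and authkey and prikey are the example passwords from the procedure.

```python
"""SNMPv3 USM password-to-key derivation (RFC 3414, Appendix A).

Added example, not code from the HP guide. Uses only the standard library.
"""
import hashlib

# RFC 3414 A.2: the password is repeated cyclically until exactly
# 1,048,576 bytes have been fed to the hash.
_EXPANDED_LEN = 1_048_576


def password_to_key(password: bytes, algorithm: str) -> bytes:
    """Ku = H(password repeated to 1 MiB); algorithm is 'md5' or 'sha1'.

    This is the expensive step: it slows down offline guessing of the
    password from a captured msgAuthenticationParameters value.
    """
    if not password:
        raise ValueError("empty SNMPv3 password")
    repeats = _EXPANDED_LEN // len(password) + 1
    expanded = (password * repeats)[:_EXPANDED_LEN]
    return hashlib.new(algorithm, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one agent."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def usm_localized_keys(auth_password: bytes, priv_password: bytes,
                       engine_id: bytes, algorithm: str = "md5") -> dict:
    """Keys an NMS derives for one agent.

    Both keys are derived with the authentication algorithm. For DES56 the
    first 8 bytes of the privacy key become the DES key and the remaining
    8 bytes the pre-IV (RFC 3414 section 8.1.1.1).
    """
    auth_kul = localize_key(password_to_key(auth_password, algorithm), engine_id, algorithm)
    priv_kul = localize_key(password_to_key(priv_password, algorithm), engine_id, algorithm)
    return {"auth": auth_kul, "priv": priv_kul}


def rfc3414_vectors_ok() -> bool:
    """Check the derivation against the RFC 3414 A.3 test vectors."""
    engine_id = bytes.fromhex("000000000000000000000002")
    ku_md5 = password_to_key(b"maplesyrup", "md5")
    ku_sha = password_to_key(b"maplesyrup", "sha1")
    return (ku_md5.hex() == "9faf3283884e92834ebc9847d8edd963"
            and localize_key(ku_md5, engine_id, "md5").hex()
            == "526f5eed9fcce26f8964c2930787d82b"
            and ku_sha.hex() == "9fb5cc0381497b3793528939ff788d5d79145211"
            and localize_key(ku_sha, engine_id, "sha1").hex()
            == "6695febc9288e36282235fc7151f128497b38f3f")


if __name__ == "__main__":
    # Constructed engine ID standing in for the switch's snmpEngineID.
    switch_engine_id = bytes.fromhex("800000000101010101")
    keys = usm_localized_keys(b"authkey", b"prikey", switch_engine_id, "md5")
    print("RFC 3414 vectors:", "ok" if rfc3414_vectors_ok() else "FAILED")
    print("localized auth key:", keys["auth"].hex())
    print("localized priv key:", keys["priv"].hex())
```

The engine-ID binding is why the NMS has to discover the agent's snmpEngineID before it can authenticate, and why the localized keys, not the passwords, are what an attacker recovers from a compromised NMS.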

  • Page 155: Displaying Interface Statistics

    Displaying interface statistics Overview The interface statistics module displays statistics about the packets received and sent through interfaces. Displaying interface statistics Select Device > Interface Statistics from the navigation tree to enter the interface statistics display page, as shown in Figure 133.

  • Page 157: Configuring Vlans, Vlan Overview, Vlan Fundamentals

    Configuring VLANs VLAN overview Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect (CSMA/CD) mechanism. As the medium is shared, collisions and excessive broadcasts are common on an Ethernet. To address the issue, virtual LAN (VLAN) was introduced to break a LAN down into separate VLANs.

  • Page 158: Vlan Types

Figure 135 Traditional Ethernet frame format. IEEE 802.1Q inserts a four-byte VLAN tag after the DA&SA field, as shown in Figure 136. Figure 136 Position and format of VLAN tag. A VLAN tag comprises the following fields: tag protocol identifier (TPID, the value 0x8100 that marks the frame as tagged), priority, canonical format indicator (CFI), and VLAN ID.

  • Page 159: Port-based Vlan

...VLAN, see "Configuring a voice VLAN." • HP recommends that you set the same PVID for local and remote ports. • Make sure that a port permits its PVID. Otherwise, when the port receives frames tagged with the PVID... •...

  • Page 160: Recommended Vlan Configuration Procedures, Assigning An Access Port To A Vlan

Actions, by link type (Access / Trunk / Hybrid). In the inbound direction, for a tagged frame: Access: receives the frame if its VLAN ID is the same as the PVID; drops the frame if its VLAN ID is different from the PVID. Trunk and Hybrid: receive the frame if its VLAN is permitted on the port; drop the frame if its VLAN is not permitted on the port.
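To make the tag layout of Figure 136 and the inbound and outbound rules of the table above concrete, here is an added Python example that is not code from the HP guide: it parses and builds 802.1Q-tagged Ethernet frames and applies the access, trunk and hybrid rules to a small port model. The port settings are those of the VLAN configuration example later in this chapter (GigabitEthernet 1/0/1 as a trunk port with PVID 100, untagged member of VLAN 100, tagged member of VLAN 2 and VLANs 6 through 50); treating a priority-tagged frame (VLAN ID 0) as untagged follows IEEE 802.1Q rather than anything stated on this page, and the MAC addresses are constructed.

```python
"""802.1Q tag handling and port ingress/egress rules.

Added example, not code from the HP guide. Standard library only.
"""
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional

TPID = 0x8100            # tag protocol identifier inserted after DA and SA


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]   # None when the frame carries no 802.1Q tag
    priority: int        # 3-bit priority field
    cfi: int             # 1-bit canonical format indicator
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, extracting the VLAN tag if present."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    if etype != TPID:
        return Frame(dst, src, None, 0, 0, etype, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, etype = struct.unpack("!HH", raw[14:18])
    return Frame(dst, src, tci & 0x0FFF, tci >> 13, (tci >> 12) & 1, etype, raw[18:])


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, priority: int = 0, cfi: int = 0) -> bytes:
    """Build an untagged (vid=None) or tagged frame."""
    head = dst + src
    if vid is not None:
        if not 0 <= vid <= 4095:
            raise ValueError("VLAN ID is a 12-bit field")
        head += struct.pack("!HH", TPID, (priority << 13) | (cfi << 12) | vid)
    return head + struct.pack("!H", ethertype) + payload


@dataclass(frozen=True)
class Port:
    link_type: str                 # "access", "trunk" or "hybrid"
    pvid: int
    permitted: FrozenSet[int]      # VLANs the port may carry (trunk/hybrid)
    untagged: FrozenSet[int]       # VLANs sent untagged (hybrid only)


def ingress_vlan(port: Port, frame: Frame) -> Optional[int]:
    """VLAN the inbound frame is assigned to, or None if the port drops it."""
    if frame.vid is None or frame.vid == 0:   # untagged or priority-tagged
        return port.pvid
    if port.link_type == "access":
        return frame.vid if frame.vid == port.pvid else None
    return frame.vid if frame.vid in port.permitted else None


def egress_tagged(port: Port, vid: int) -> Optional[bool]:
    """True = sent tagged, False = sent untagged, None = not sent on this port."""
    if port.link_type == "access":
        return False if vid == port.pvid else None
    if vid not in port.permitted:
        return None
    if port.link_type == "trunk":
        return vid != port.pvid          # only the PVID leaves untagged
    return vid not in port.untagged      # hybrid: per-VLAN choice


# Switch A, GigabitEthernet 1/0/1 from the guide's VLAN configuration example.
GE1_0_1 = Port("trunk", pvid=100,
               permitted=frozenset({2, 100} | set(range(6, 51))),
               untagged=frozenset({100}))

if __name__ == "__main__":
    tagged = build_frame(b"\xff" * 6, bytes.fromhex("001122334455"), 0x0800, b"ip", vid=2)
    print("VID 2 inbound on trunk ->", ingress_vlan(GE1_0_1, parse_frame(tagged)))
    print("VID 3 inbound on trunk ->", ingress_vlan(GE1_0_1, parse_frame(
        build_frame(b"\xff" * 6, b"\x00" * 6, 0x0800, b"ip", vid=3))))
    print("VLAN 100 outbound tagged? ->", egress_tagged(GE1_0_1, 100))
```

The drop of VLAN 3 and the untagged egress of VLAN 100 are the two behaviours that matter when reviewing a trunk: the permitted list is the only thing keeping a tag-spoofing host out of VLANs it is not a member of, and the PVID is the VLAN an untagged frame from that host lands in.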

  • Page 161: Assigning A Trunk Port To A Vlan, Assigning A Hybrid Port To A Vlan

Assigning a trunk port to a VLAN. Step 1: Creating VLANs (Required.) Create one or multiple VLANs. Step 2: Configuring the link type of a port (Optional.) Configure the link type of the port as trunk. By default, the link type of a port is access. Step 3: Configure the PVID of ... (Required.)

  • Page 162: Creating Vlans

Step 2: Configuring the link type of a port (Optional.) Configure the link type of the port as hybrid. If you configure multiple untagged VLANs for a trunk port at the same time, the trunk port automatically becomes a hybrid port. By default, the link type of a port is access.

  • Page 163: Configuring The Link Type Of A Port

Figure 137 Creating VLANs. Table 40 Configuration items: VLAN IDs: IDs of the VLANs to be created. • Select the ID of the VLAN whose description string is to be modified. Click the ID of the VLAN to be modified in the list in the middle of the page. • Modify the description of the...

  • Page 164: Setting The Pvid For A Port

    Figure 138 Modifying ports NOTE: You can also configure the link type of a port on the Setup tab of Device > Port Management. For more information, see "Managing ports." Setting the PVID for a port Select Network > VLAN from the navigation tree. Click the Modify Port tab.

  • Page 165: Selecting Vlans

    Figure 139 Modifying the PVID for a port NOTE: You can also configure the PVID of a port on the Setup tab of Device > Port Management. For more information, see "Managing ports." Selecting VLANs Select Network > VLAN from the navigation tree. The Select VLAN tab is displayed by default for you to select VLANs.

  • Page 166: Modifying A Vlan

    Figure 140 Selecting VLANs Select the Display all VLANs option to display all VLANs or select the Display a subnet of all configured VLANs option to enter the VLAN IDs to be displayed. Click Select. Modifying a VLAN Select Network > VLAN from the navigation tree. Click Modify VLAN to enter the page for modifying a VLAN.

  • Page 167

Figure 141 Modifying a VLAN. Modify the member ports of a VLAN as described in Table 41. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the dialog box prompts that the configuration succeeds. Table 41 Configuration items: Select the VLAN to be modified.

  • Page 168: Modifying Ports

Modifying ports. Select Network > VLAN from the navigation tree. Click Modify Port to enter the page for modifying ports. Figure 142 Modifying ports. Modify the VLANs of a port as described in the configuration items table. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the dialog box prompts that the configuration succeeds.

  • Page 169: Vlan Configuration Example

VLAN IDs: Set the IDs of the VLANs to/from which the selected ports are to be assigned/removed. NOTE: • You cannot configure an access port as an untagged member of a nonexistent VLAN. • When you configure an access port as a tagged member of a VLAN, or configure a trunk port as an untagged member of multiple VLANs in bulk, the link type of the port is automatically changed into hybrid.

  • Page 170

    Figure 144 Configuring GigabitEthernet 1/0/1 as a trunk port and its PVID as 100 Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100: Select Network > VLAN from the navigation tree. Click Create to enter the page for creating VLANs. Enter VLAN IDs 2, 6-50, 100.

  • Page 171

    Figure 145 Creating VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 Assign GigabitEthernet 1/0/1 to VLAN 100 as an untagged member: Click Select VLAN to enter the page for selecting VLANs. Select the option before Display a subnet of all configured VLANs and enter 1-100 in the field. Click Select.

  • Page 172

    Click Modify VLAN to enter the page for modifying the ports in a VLAN. Select 100 – VLAN 0100 in the Please select a VLAN to modify: list, select the Untagged option, and select GigabitEthernet 1/0/1 on the chassis front device panel. Click Apply.

  • Page 173

    Figure 148 Assigning GigabitEthernet 1/0/1 to VLAN 2 and to VLANs 6 through 50 as a tagged member Configuring Switch B Configure Switch B as you configure Switch A. Configuration guidelines Follow these guidelines when you configure VLANs: • As the default VLAN, VLAN 1 can be neither created nor removed manually. You cannot manually create or remove VLANs reserved for special purposes.

  • Page 174: Configuring Vlan Interfaces, Creating A Vlan Interface

    Configuring VLAN interfaces Overview For hosts of different VLANs to communicate at Layer 3, you can use VLAN interfaces. VLAN interfaces are virtual interfaces used for Layer 3 communication between different VLANs. They do not exist as physical entities on devices. For each VLAN, you can create one VLAN interface. You can assign the VLAN interface an IP address and specify the IP address as the gateway address for the devices in the VLAN, so that traffic can be routed to other IP subnets.

  • Page 175

Figure 149 Creating a VLAN interface. Configure the VLAN interface as described in Table 43. Click Apply. Table 43 Configuration items: Input a VLAN ID: Enter the ID of the VLAN interface to be created. Before creating a VLAN interface, make sure that the corresponding VLAN exists.

  • Page 176: Modifying A Vlan Interface

...Address box. IPv6 Address: Configure an IPv6 link-local address for the VLAN interface. This field is available after you select the Manual option. The prefix of the IPv6 link-local address you enter must be FE80::/64. Modifying a VLAN interface: By modifying a VLAN interface, you can assign an IPv4 address, an IPv6 link-local address, and an IPv6 site-local address or global unicast address to the VLAN interface, and shut down or bring up the VLAN interface.

  • Page 177

Table 44 Configuration items: Select VLAN Interface: Select the VLAN interface to be configured. The VLAN interfaces available for selection in the list are those created on the page for creating VLAN interfaces. DHCP / BOOTP / Manual: Configure the way in which the VLAN interface gets an IPv4 address. Allow the VLAN interface to obtain an IP address automatically by selecting the DHCP or BOOTP option, or manually assign the VLAN interface an IP address by selecting...

  • Page 178

Auto / Manual: Configure the way in which the VLAN interface obtains an IPv6 link-local address. Select the Auto or Manual option: • Auto—Indicates that the device automatically assigns a link-local address for the VLAN interface according to the link-local address prefix (FE80::/64) and the link-layer address of the VLAN interface.

  • Page 179

• For IPv6 link-local address configuration, manual assignment takes precedence over automatic generation. If you first adopt the manual assignment and then the automatic generation, the automatically generated link-local address will not take effect and the link-local address of the interface is still the manually assigned one.

  • Page 180: Configuring A Voice Vlan, Oui Addresses

    Configuring a voice VLAN Overview The voice technology is developing quickly, and more and more voice devices are in use. In broadband communities, data traffic and voice traffic are usually transmitted in the network at the same time. Usually, voice traffic needs higher priority than data traffic to reduce the transmission delay and packet loss ratio. A voice VLAN is configured for voice traffic.

  • Page 181: Voice Vlan Assignment Modes

    Voice VLAN assignment modes A port connected to a voice device, an IP phone for example, can be assigned to a voice VLAN in one of the following modes: Automatic mode—The system matches the source MAC addresses in the protocol packets •...

  • Page 182: Security Mode And Normal Mode Of Voice Vlans

Table 46 Required configurations on ports of different link types for them to support tagged voice traffic (columns: Port link type / Voice VLAN assignment mode supported for tagged voice traffic / Configuration requirements). Access: In automatic mode, the PVID of the port cannot be the voice VLAN.

  • Page 183: Recommended Voice Vlan Configuration Procedure

...MAC address checking. HP does not recommend you transmit both voice packets and non-voice packets in a voice VLAN. If you have to, first make sure that the voice VLAN security mode is disabled.

  • Page 184: Configuring Voice Vlan Globally

Step 2: Configuring voice VLAN on ports (Required.) Configure the voice VLAN assignment mode of a port as automatic and enable the voice VLAN function on the port. By default, the voice VLAN assignment mode of a port is automatic, and the voice VLAN function is disabled on a port.

  • Page 185: Configuring Voice Vlan On Ports

Figure 153 Configuring voice VLAN. Configure the global voice VLAN settings as described in Table 49. Click Apply. Table 49 Configuration items: Voice VLAN security: Select Enable or Disable in the list to enable or disable the voice VLAN security mode. By default, the voice VLANs operate in security mode.

  • Page 186: Adding Oui Addresses To The Oui List

Configure the voice VLAN function for ports as described in Table 50. Click Apply. Table 50 Configuration items: Voice VLAN port mode: Set the voice VLAN assignment mode of a port to: • Auto—Automatic voice VLAN assignment mode • Manual—Manual voice VLAN assignment mode. Voice VLAN port state: Select Enable or Disable in the list to enable or disable the voice VLAN function...

  • Page 187: Voice Vlan Configuration Examples

Table 51 Configuration items: OUI Address: Set the source MAC address of voice traffic. Mask: Set the mask length of the source MAC address. Description: Set the description of the OUI address entry. Voice VLAN configuration examples. Configuring voice VLAN on a port in automatic voice VLAN assignment mode. Network requirements: As shown in...

  • Page 188

    Figure 157 Creating VLAN 2 Configure GigabitEthernet 1/0/1 as a hybrid port: Select Device > Port Management from the navigation tree. Click the Setup tab. Select Hybrid from the Link Type list. Select GigabitEthernet 1/0/1 from the chassis front panel. Click Apply.

  • Page 189

    Figure 158 Configuring GigabitEthernet 1/0/1 as a hybrid port Configure the voice VLAN function globally: Select Network > Voice VLAN from the navigation tree. Click the Setup tab. Select Enable in the Voice VLAN security list. Set the voice VLAN aging timer to 30 minutes. Click Apply.

  • Page 190

    Click the Port Setup tab. Select Auto in the Voice VLAN port mode list. Select Enable in the Voice VLAN port state list. Enter voice VLAN ID 2. Select GigabitEthernet 1/0/1 on the chassis front panel. Click Apply. Figure 160 Configuring voice VLAN on GigabitEthernet 1/0/1 Add OUI addresses to the OUI list: Click the OUI Add tab.

  • Page 191

    Figure 161 Adding OUI addresses to the OUI list Verifying the configuration When the preceding configurations are completed, the OUI Summary tab is displayed by default, as shown in Figure 162. You can view the information about the newly-added OUI address. Figure 162 Displaying the current OUI list of the device Click the Summary tab, where you can view the current voice VLAN information.

  • Page 192: Configuring A Voice Vlan On A Port In Manual Voice Vlan Assignment Mode

Figure 163 Displaying voice VLAN information. Configuring a voice VLAN on a port in manual voice VLAN assignment mode. Network requirements: As shown in Figure 164: • Configure VLAN 2 as a voice VLAN that carries only voice traffic. • The IP phone connected to hybrid port GigabitEthernet 1/0/1 sends untagged voice traffic.

  • Page 193

    Configuring Switch A Create VLAN 2: Select Network > VLAN from the navigation tree. Click the Create tab. Enter VLAN ID 2. Click Create. Figure 165 Creating VLAN 2 Configure GigabitEthernet 1/0/1 as a hybrid port and configure its PVID as VLAN 2: Select Device >...

  • Page 194

    Figure 166 Configuring GigabitEthernet 1/0/1 as a hybrid port Assign GigabitEthernet 1/0/1 to VLAN 2 as an untagged member: Select Network > VLAN from the navigation tree. Click the Modify Port tab. Select GigabitEthernet 1/0/1 from the chassis front panel. Select the Untagged option.

  • Page 195

    Figure 167 Assigning GigabitEthernet 1/0/1 to VLAN 2 as an untagged member Configure voice VLAN on GigabitEthernet 1/0/1: Select Network > Voice VLAN from the navigation tree. Click the Port Setup tab. Select Manual in the Voice VLAN port mode list. Select Enable in the Voice VLAN port state list.

  • Page 196

    Figure 168 Configuring voice VLAN on GigabitEthernet 1/0/1 Add OUI addresses to the OUI list: Click the OUI Add tab. Enter OUI address 0011-2200-0000. Select FFFF-FF00-0000 as the mask. Enter description string test. Click Apply. Figure 169 Adding OUI addresses to the OUI list...

  • Page 197

    Verifying the configuration When the preceding configurations are complete, the OUI Summary tab is displayed by default, as shown in Figure 170. You can view the information about the newly-added OUI address. Figure 170 Displaying the current OUI list of the device Click the Summary tab, where you can view the current voice VLAN information.

  • Page 198

• Only one VLAN is supported and only an existing static VLAN can be configured as the voice VLAN. • Do not enable the voice VLAN function on a link aggregation group member port. • After you assign a port operating in manual voice VLAN assignment mode to the voice VLAN, the...

  • Page 199: Configuring Mac Address Tables, How A Mac Address Table Entry Is Created

Configuring MAC address tables. NOTE: • MAC address configurations related to interfaces apply only to Layer 2 Ethernet interfaces. • This document covers only the management of static, dynamic, and blackhole MAC address entries, not multicast MAC address entries. Overview: To reduce flooding of single-destination packets in a switched LAN, an Ethernet device uses a MAC address table for forwarding frames.

  • Page 200: Types Of Mac Address Table Entries, Displaying And Configuring Mac Address Entries

Types of MAC address table entries. A MAC address table can contain the following types of entries: • Static entries—Manually added and never age out. • Dynamic entries—Manually added or dynamically learned, and might age out. • Blackhole entries—Manually configured and never age out. Blackhole entries are configured for...

  • Page 201: Setting The Aging Time Of Mac Address Entries

Figure 173 Create a MAC address entry. Configure a MAC address entry. Click Apply. Table 52 Configuration items: Set the MAC address to be added. Set the type of the MAC address entry: • Static—Static MAC address entries that never age out. •...

  • Page 202: Mac Address Configuration Example

Figure 174 Set the aging time for MAC address entries. Configure the aging time for MAC address entries. Click Apply. Table 53 Configuration items: No-aging: Specify that the MAC address entry never ages out. Aging time: Set the aging time for the MAC address entry. MAC address configuration example. Network requirements: Use the Web-based NMS to configure the MAC address table of the device.

  • Page 203

    Figure 175 Create a static MAC address entry...

  • Page 204: Configuring Mstp, Stp Protocol Packets, Basic Concepts In Stp

Configuring MSTP. As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by selectively blocking redundant links in a network while still allowing for link redundancy. Like many other protocols, STP evolves as the network grows. The later versions of STP are the Rapid Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP).

  • Page 205: How Stp Works

Designated bridge and designated port. Table 54 Description of designated bridges and designated ports: For a device: Designated bridge: a device directly connected to the local device and responsible for forwarding BPDUs to the local device. Designated port: the port through which the designated bridge forwards BPDUs to the local device.

  • Page 206

• Designated bridge ID—Consisting of the priority and MAC address of the designated bridge. • Designated port ID—Designated port priority plus port name. • Message age—Age of the configuration BPDU while it propagates in the network. • Max age—Maximum age for which a configuration BPDU can be maintained on a device. •...

  • Page 207

NOTE: Configuration BPDU comparison uses the following principles: • The configuration BPDU that has the lowest root bridge ID has the highest priority. • If all the configuration BPDUs have the same root bridge ID, their root path costs are compared. For...

  • Page 208

Figure 177 STP network. • Initial state of each device. Table 57 Initial state of each device (columns: Device / Port name / BPDU of port): Device A: AP1 {0, 0, 0, AP1}, AP2 {0, 0, 0, AP2}. Device B: BP1 {1, 0, 1, BP1}, BP2 {1, 0, 1, BP2}. Device C: CP1 {2, 0, 2, CP1}, CP2 {2, 0, 2, CP2}...

  • Page 209

(Columns: Device / Comparison process / BPDU of port after comparison.) • Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1.

  • Page 210

(Columns: Device / Comparison process / BPDU of port after comparison.) After comparison: • Because the root path cost of CP2 (9) (root path cost of the received BPDU (5) plus the path cost of CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the received BPDU (0) plus the path cost of CP1 (10)), the BPDU of CP2 is elected as the optimum BPDU, and CP2 is elected as the root... (Right-hand column: root port CP2; the other port, CP1, becomes the blocked port.)
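The comparison principles of page 207 and the three-device election worked on pages 208 through 210 can be run as code. The following added example (not code from the HP guide) models a configuration BPDU as the tuple {root bridge ID, root path cost, designated bridge ID, designated port ID}, compares BPDUs field by field with "lower wins", and iterates the exchange on a topology assumed from Figure 177: bridge IDs 0, 1 and 2 for Device A, B and C, and path costs 5 on AP1/BP1, 10 on AP2/CP1 and 4 on BP2/CP2, which are the values the worked example uses. It also re-runs the election with the AP1/BP1 link removed, which is the recovery case described on page 211.

```python
"""STP root, root-port and designated-port election by BPDU comparison.

Added example, not code from the HP guide.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True, order=True)
class Bpdu:
    """Configuration BPDU fields in comparison order: lower is better.

    Field-by-field tuple ordering implements the page's principles: lowest
    root bridge ID wins; on a tie, lowest root path cost; then lowest
    designated bridge ID; then lowest designated port ID.
    """
    root_id: int
    root_cost: int
    bridge_id: int
    port_id: str


# Topology assumed from Figure 177 (bridge ID = priority; MAC ignored).
BRIDGE_IDS = {"A": 0, "B": 1, "C": 2}
PORT_OWNER = {"AP1": "A", "AP2": "A", "BP1": "B", "BP2": "B", "CP1": "C", "CP2": "C"}
LINKS = {("AP1", "BP1"): 5, ("AP2", "CP1"): 10, ("BP2", "CP2"): 4}


def elect(bridge_ids: Dict[str, int], port_owner: Dict[str, str],
          links: Dict[Tuple[str, str], int], max_rounds: int = 20):
    """Return ({bridge: (root_id, root_cost, root_port)}, {port: role})."""
    peer, cost = {}, {}
    for (a, b), c in links.items():
        peer[a], peer[b] = b, a
        cost[a] = cost[b] = c
    # Initially every bridge advertises itself as root on every port.
    advertised = {p: Bpdu(bridge_ids[o], 0, bridge_ids[o], p) for p, o in port_owner.items()}
    roles = {p: "designated" for p in port_owner}
    result = {}
    for _ in range(max_rounds):
        changed = False
        for bridge, bid in bridge_ids.items():
            ports = [p for p, o in port_owner.items() if o == bridge]
            # Root port: the port whose received BPDU, with this port's own
            # path cost added, is best and beats claiming the root role.
            best: Optional[Bpdu] = None
            root_port: Optional[str] = None
            for p in ports:
                if p not in peer:            # unconnected port receives nothing
                    continue
                rcv = advertised[peer[p]]
                cand = Bpdu(rcv.root_id, rcv.root_cost + cost[p], rcv.bridge_id, rcv.port_id)
                if best is None or cand < best:
                    best, root_port = cand, p
            if best is not None and best < Bpdu(bid, 0, bid, ""):
                root_id, root_cost = best.root_id, best.root_cost
            else:
                root_id, root_cost, root_port = bid, 0, None
            result[bridge] = (root_id, root_cost, root_port)
            for p in ports:
                mine = Bpdu(root_id, root_cost, bid, p)
                if p == root_port:
                    role = "root"
                elif p not in peer or mine < advertised[peer[p]]:
                    role = "designated"      # our BPDU beats the neighbour's
                else:
                    role = "blocked"         # neighbour's port is designated
                if advertised[p] != mine or roles[p] != role:
                    advertised[p], roles[p], changed = mine, role, True
        if not changed:
            break
    return result, roles


if __name__ == "__main__":
    state, roles = elect(BRIDGE_IDS, PORT_OWNER, LINKS)
    for bridge, (root, rcost, rport) in state.items():
        print(f"Device {bridge}: root={root} root_cost={rcost} root_port={rport}")
    print(roles)
```

Running it reproduces the page: Device B reaches the root at cost 5 through BP1, Device C at cost 9 through CP2, and CP1 is blocked because Device A's BPDU {0, 0, 0, AP2} beats anything Device C could advertise on that link. The same comparison is what a rogue bridge exploits by advertising a lower bridge ID, which is the reason root guard and BPDU guard exist on the port configuration page later in this chapter.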

  • Page 211: Why Mstp

• If a path becomes faulty, the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout. The device will generate configuration BPDUs with itself as the root. This triggers a new spanning tree calculation process to establish a new path to restore the network connectivity.

  • Page 212: Basic Concepts In Mstp

    point-to-point link or an edge port, which directly connects to a user terminal rather than to another device or a shared LAN segment. Although RSTP supports rapid network convergence, it has the same drawback as STP—All bridges within a LAN share the same spanning tree, so redundant links cannot be blocked based on VLAN, and the packets of all VLANs are forwarded along the same spanning tree.

  • Page 213

Figure 179 Basic concepts in MSTP. Figure 180 Network diagram and topology of MST region 3. MST region: A multiple spanning tree region (MST region) consists of multiple devices in a switched network and the network segments among them. All these devices have the following characteristics: • A spanning tree protocol enabled •...

  • Page 214

• Same VLAN-to-instance mapping configuration • Same MSTP revision level • Physically linked together. Multiple MST regions can exist in a switched network. You can assign multiple devices to the same MST region. In Figure 179, the switched network comprises four MST regions, MST region 1 through MST region 4, and all devices in each MST region have the same MST region configuration.

  • Page 215

    Port roles A port can play different roles in different MSTIs. As shown in Figure 181, an MST region comprises Device A, Device B, Device C, and Device D. Port A1 and port A2 of Device A connect to the common root bridge.

  • Page 216: How Mstp Works

• Forwarding—The port receives and sends BPDUs, learns MAC addresses, and forwards user traffic. • Learning—The port receives and sends BPDUs, learns MAC addresses, but does not forward user traffic. Learning is an intermediate port state. • Discarding—The port receives and sends BPDUs, but does not learn MAC addresses or forward...

  • Page 217: Implementation Of Mstp On Devices, Recommended Mstp Configuration Procedure, Configuring An Mst Region

    Implementation of MSTP on devices MSTP is compatible with STP and RSTP. STP and RSTP protocol packets can be recognized by devices running MSTP and used for spanning tree calculation. In addition to basic MSTP functions, the device provides the following functions for ease of management: •...

  • Page 218

Figure 182 MST region. Click Modify to enter the page for configuring MST regions. Figure 183 Configuring an MST region. Configure the MST region information as described in Table 60, and click Apply. Click Activate. Table 60 Configuration items: the first item is the MST region name.

  • Page 219: Configuring Mstp Globally

Configuring MSTP globally. Select Network > MSTP from the navigation tree. Click the Global tab to enter the page for configuring MSTP globally. Figure 184 Configuring MSTP globally. Configure the global MSTP configuration as described in Table 61. Click Apply. Table 61 Configuration items: Enable STP Globally: Select whether to enable STP globally.

  • Page 220

• The settings of hello time, forward delay, and max age must satisfy the relationships the standard requires, or the network topology will not be stable: 2 × (forward delay − 1 second) ≥ max age, and max age ≥ 2 × (hello time + 1 second). HP recommends you to set the network diameter and then have the device automatically calculate the forward delay, hello time, and max age.

  • Page 221: Configuring Mstp On A Port

TC-BPDU guard: With the TC-BPDU guard function, you can prevent frequent flushing of forwarding address entries. NOTE: HP does not recommend you to disable this function. tc-protection threshold: Set the maximum number of immediate forwarding address entry flushes the device can perform within a certain period of time after receiving the first TC-BPDU.

  • Page 222

• Transmit Limit: Configure the maximum number of MSTP packets that can be sent during each Hello interval. The larger the transmit limit is, the more network resources will be occupied. HP recommends that you use the default value. • MSTP Mode: Set whether the port migrates to the MSTP mode.

  • Page 223: Displaying Mstp Information Of A Port

...BPDUs. Edged Port: You can set these ports as edge ports to achieve fast transition for these ports. HP recommends that you enable the BPDU guard function in conjunction with the edged port function to avoid network topology changes when the edge ports receive configuration BPDUs, whether from a misconnected switch or from a host injecting BPDUs to influence the spanning tree.

  • Page 224

Figure 186 The port summary tab. Table 64 Field description: [FORWARDING]: The port is in forwarding state, so the port learns MAC addresses and forwards user traffic. [LEARNING]: The port is in learning state, so the port learns MAC addresses but does not forward user traffic.

  • Page 225: Mstp Configuration Example

Point-to-point: Whether the port is connected to a point-to-point link: • Config—Indicates the configured value. • Active—Indicates the actual value. Transmit Limit: The maximum number of packets sent within each Hello time. Protection type: Protection type on the port: • Root—Root guard •...

  • Page 226

• Packets of VLAN 10, VLAN 20, VLAN 30, and VLAN 40 are forwarded along MSTI 1, MSTI 2, MSTI 3, and MSTI 0, respectively. • Switch A and Switch B operate at the distribution layer; Switch C and Switch D operate at the...

  • Page 227

    Click Apply to map VLAN 10 to MSTI 1 and add the VLAN-to-MSTI mapping entry to the VLAN-to-MSTI mapping list. Repeat the preceding three steps to map VLAN 20 to MSTI 2 and VLAN 30 to MSTI 3 and add the VLAN-to-MSTI mapping entries to the VLAN-to-MSTI mapping list.

  • Page 228

    Figure 190 Configuring MSTP globally (on Switch A) Configuring Switch B Configure an MST region. (The procedure here is the same as that of configuring an MST region on Switch A.) Configure MSTP globally: Select Network > MSTP from the navigation tree. Click the Global tab to enter the page for configuring MSTP globally.

  • Page 229

    Configuring Switch C Configure an MST region. (The procedure here is the same as that of configuring an MST region on Switch A.) Configure MSTP globally: Select Network > MSTP from the navigation tree. Click Global to enter the page for configuring MSTP globally. Select Enable in the Enable STP Globally list.

  • Page 230

Figure 191 Configuring MSTP globally (on Switch D). Configuration guidelines: Follow these guidelines when you configure MSTP: • Two devices belong to the same MST region only if they are interconnected through physical links, and share the same region name, the same MSTP revision level, and the same VLAN-to-MSTI mappings.

  • Page 231: Configuring Link Aggregation And Lacp

    Configuring link aggregation and LACP Overview Link aggregation aggregates multiple physical Ethernet ports into one logical link, also called an aggregation group. It allows you to increase bandwidth by distributing traffic across the member ports in the aggregation group. In addition, it provides reliable connectivity because these member ports can dynamically back up each other.

  • Page 232: Link Aggregation Modes

Class-two configurations. The contents of class-two configurations are listed in Table 65. In an aggregation group, a member port that differs from the aggregate interface in the class-two configurations cannot be a Selected port. Table 65 Class-two configurations (columns: Type / Considerations): Port isolation: Whether a port has joined an isolation group, and the isolation group that the port belongs to. Next row: Permitted VLAN IDs, default VLAN, link type (trunk, hybrid, or access), IP...

  • Page 233

• Changing a port attribute or class-two configuration setting of a port may cause the select state of the port and other member ports to change and affect services. HP recommends that you do that with caution.

  • Page 234: Configuration Procedures, Creating A Link Aggregation Group

Recommended link aggregation and LACP configuration procedures. Recommended static aggregation group configuration procedure: Step: Creating a link aggregation group (Required.) Create a static aggregate interface and configure member ports for the static aggregation group automatically created by the system when you create the aggregate interface. By default, no link aggregation group exists.

  • Page 235: Displaying Information Of An Aggregate Interface

Configure a link aggregation group. Click Apply. Table 66 Configuration items: Enter Link Aggregation Interface ID: Assign an ID to the link aggregation group to be created. You can view the result in the Summary area at the bottom of the page. Next item: Set the type of the link aggregation interface to be created: •...

  • Page 236

The list on the lower part of the page displays the detailed information about the member ports of the corresponding link aggregation group. Figure 193 Displaying information of an aggregate interface. Table 67 Field description: Aggregation interface: Type and ID of the aggregate interface. Bridge-Aggregation indicates a Layer 2 aggregate interface.

  • Page 237: Setting Lacp Priority

    Setting LACP priority Select Network > LACP from the navigation tree. Click Setup to enter the page shown in Figure 194. Figure 194 The Setup tab In the Set LACP enabled port(s) parameters area, set the port priority, and select the ports in the chassis front panel.

  • Page 238

Click View Details. Detailed information about the peer port will be displayed on the lower part of the page. Table 70 describes the fields. Figure 195 Displaying the information of LACP-enabled ports. Table 69 Field description: Unit: ID of a device in an IRF. Port: Port where LACP is enabled.

  • Page 239: Link Aggregation And Lacp Configuration Example

Partner Port: Name of the peer port. Partner State: State information of the peer port, represented by letters A through H. • A indicates that LACP is enabled. • B indicates that LACP short timeout has occurred. If B does not appear, it indicates that LACP long timeout has occurred.

  • Page 240

    You can create a static or dynamic link aggregation group to achieve load balancing. Approach 1: Create static link aggregation group 1 Select Network > Link Aggregation from the navigation tree. Click Create to enter the page as shown in Figure 197.

  • Page 241

Select GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 on the chassis front panel. Click Apply. Figure 198 Creating dynamic link aggregation group 1. Configuration guidelines: Follow these guidelines when you configure a link aggregation group: • In an aggregation group, the port to be a Selected port must be the same as the reference port in port attributes and class-two configurations.

  • Page 242

...aggregation, make sure that the peer ports of the ports aggregated at one end are also aggregated. The two ends can automatically negotiate the Selected state of the ports. • Removing a Layer 2 aggregate interface also removes the corresponding aggregation group. •...

  • Page 243: Configuring Lldp, Basic Concepts

Configuring LLDP. Overview. Background: In a heterogeneous network, a standard configuration exchange platform ensures that different types of network devices from different vendors can discover one another and exchange configuration for the sake of interoperability and management. The Link Layer Discovery Protocol (LLDP) is defined by the IEEE in IEEE 802.1AB. The protocol operates on the data link layer to exchange device information between directly connected devices.

  • Page 244

    Field Description Type Ethernet type for the upper layer protocol. It is 0x88CC for LLDP. Data LLDP data. FCS Frame check sequence, a 32-bit CRC value used to determine the validity of the received Ethernet frame. LLDPDUs encapsulated in SNAP Figure 200 LLDPDU encapsulated in SNAP Table 72 Description of the fields in a SNAP-encapsulated LLDPDU Field Description...

  • Page 245

    TLVs TLVs are type, length, and value sequences that carry information elements, where the type field identifies the type of information, the length field indicates the length of the information field in octets, and the value field contains the information itself. LLDPDU TLVs fall into the following categories: basic management TLVs, organizationally (IEEE 802.1 and IEEE 802.3) specific TLVs, and LLDP-MED (media endpoint discovery) TLVs.
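The TLV encoding described above can be followed end to end in this added example, which is not part of the HP manual: it builds an Ethernet II LLDP frame (EtherType 0x88CC) carrying the three mandatory basic management TLVs plus a System Name TLV, then parses it back using the 7-bit type / 9-bit length header. The switch name, MAC address and port name are constructed sample values. Because LLDPDUs are unauthenticated frames accepted from whatever is plugged into the port, the parser treats every length field as attacker-controlled and rejects TLVs that run past the end of the buffer instead of reading out of bounds.

```python
import struct

LLDP_ETHERTYPE = 0x88CC
# Nearest-bridge group address used as the destination MAC of LLDP frames.
LLDP_NEAREST_BRIDGE = bytes.fromhex("0180c200000e")

# Basic management TLV types from IEEE 802.1AB.
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESC, TLV_SYS_NAME, TLV_SYS_DESC, TLV_SYS_CAP, TLV_MGMT_ADDR = 4, 5, 6, 7, 8
TLV_ORG_SPECIFIC = 127        # IEEE 802.1, IEEE 802.3 and LLDP-MED TLVs all use this type
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_IFNAME = 4, 5


def build_tlv(tlv_type, value):
    """Pack one TLV: 7-bit type and 9-bit length in a 2-octet header, then the value."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldp_frame(src_mac, chassis_mac, port_name, ttl, sys_name):
    """Ethernet II frame with the mandatory Chassis ID, Port ID, TTL TLVs, a System Name TLV and End TLV."""
    lldpdu = b"".join([
        build_tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac),
        build_tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode()),
        build_tlv(TLV_TTL, struct.pack("!H", ttl)),
        build_tlv(TLV_SYS_NAME, sys_name.encode()),
        build_tlv(TLV_END, b""),
    ])
    return LLDP_NEAREST_BRIDGE + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu


def parse_lldp_frame(frame):
    """Decode an Ethernet II LLDP frame into a dict; raise ValueError on anything malformed."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        raise ValueError("not an Ethernet II LLDP frame")
    data, off, tlvs = frame[14:], 0, []
    while True:
        if off + 2 > len(data):
            raise ValueError("truncated TLV header")
        header, = struct.unpack_from("!H", data, off)
        tlv_type, length = header >> 9, header & 0x1FF
        value = data[off + 2:off + 2 + length]
        if len(value) != length:              # the length field is untrusted input
            raise ValueError("TLV length runs past end of frame")
        off += 2 + length
        if tlv_type == TLV_END:
            break
        tlvs.append((tlv_type, value))
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("mandatory Chassis ID, Port ID, TTL TLVs missing or out of order")
    out = {"org_specific": []}
    for t, v in tlvs:
        if t == TLV_CHASSIS_ID and len(v) == 7 and v[0] == CHASSIS_SUBTYPE_MAC:
            out["chassis_id"] = v[1:].hex(":")
        elif t == TLV_PORT_ID and v and v[0] == PORT_SUBTYPE_IFNAME:
            out["port_id"] = v[1:].decode("ascii", errors="replace")
        elif t == TLV_TTL and len(v) == 2:
            out["ttl"] = struct.unpack("!H", v)[0]
        elif t == TLV_SYS_NAME:
            out["system_name"] = v.decode("utf-8", errors="replace")
        elif t == TLV_ORG_SPECIFIC and len(v) >= 4:
            # 3-octet OUI, 1-octet subtype, then the organizationally defined payload.
            out["org_specific"].append((v[:3].hex(), v[3], v[4:]))
    return out


# Constructed sample: a switch named SwitchB advertising GigabitEthernet1/0/1 with TTL 120 s.
SAMPLE_MAC = bytes.fromhex("00e0fc010000")
SAMPLE_FRAME = build_lldp_frame(SAMPLE_MAC, SAMPLE_MAC, "GigabitEthernet1/0/1", 120, "SwitchB")

if __name__ == "__main__":
    print(parse_lldp_frame(SAMPLE_FRAME))
```

The TTL value carried in the frame is what the neighbor uses to age the entry, which is why the manual's Global Setup tab exposes it as a multiplier of the send interval: a short TTL limits how long a stale or forged neighbor entry survives after the advertising device goes quiet.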

  • Page 246

    NOTE: The Power Stateful Control TLV is defined in IEEE P802.3at D1.0. The later versions no longer support this TLV. HP devices send this type of TLVs only after receiving them. LLDP-MED TLVs LLDP-MED TLVs provide multiple advanced applications for voice over IP (VoIP), such as basic configuration, network policy configuration, and address and directory management.

  • Page 247: Operating Modes Of Lldp, How Lldp Works

    Type Description Extended Allows a network device or terminal device to advertise power supply capability. Power-via-MDI This TLV is an extension of the Power Via MDI TLV. Hardware Revision Allows a terminal device to advertise its hardware version. Firmware Revision Allows a terminal device to advertise its firmware version.

  • Page 248: Compatibility Of Lldp With Cdp, Recommended Lldp Configuration Procedure

    • A new neighbor is discovered.
    • A new LLDPDU is received carrying device information new to the local device.
    • The LLDP operating mode of the port changes from Disable/Rx to TxRx or Tx.
    This is the fast sending mechanism of LLDP. With this mechanism, a specific number of LLDPDUs are sent successively at a 1-second interval so that LLDP neighbors discover the local device as soon as possible.

  • Page 249: Enabling Lldp On Ports

    Step Remarks 2. Configuring LLDP settings on ports (Optional.) LLDP settings include LLDP operating mode, packet encapsulation, CDP compatibility, device information polling, trapping, and advertisable TLVs. The default settings are as follows:
    • The LLDP operating mode is TxRx.
    • The encapsulation format is Ethernet II.

  • Page 250

    Figure 202 The Port Setup tab Configuring LLDP settings on ports The web interface allows you to set LLDP parameters for a single port and set LLDP parameters for multiple ports in batch.

  • Page 251

    Figure 203 Modifying LLDP settings on a port Modify the LLDP parameters for the port as described in Table Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.

  • Page 252

    Item Description LLDP Operating Mode Set the LLDP operating mode on the port or ports you are configuring. Available options include:
    • TxRx—Sends and receives LLDPDUs.
    • Tx—Sends but does not receive LLDPDUs.
    • Rx—Receives but does not send LLDPDUs.
    • Disable—Neither sends nor receives LLDPDUs.
    Set the encapsulation for LLDPDUs.

  • Page 253: Configuring Lldp Settings For Ports In Batch

    Item Description DOT1 TLV Setting Port VLAN ID Select to include the PVID TLV in transmitted LLDPDUs. Protocol VLAN ID Select to include port and protocol VLAN ID TLVs in transmitted LLDPDUs and specify the VLAN IDs to be advertised. If no VLAN is specified, the lowest protocol VLAN ID is transmitted. Select to include VLAN name TLVs in transmitted LLDPDUs and specify the VLAN IDs to be advertised.

  • Page 254: Configuring Global Lldp Setup

    Figure 204 Modifying LLDP settings on ports in batch Set the LLDP settings for these ports as described in Table Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.

  • Page 255

    Figure 205 The Global Setup tab Set the global LLDP setup as described in Table Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds. Table 78 Configuration items Item Description LLDP Enable...

  • Page 256: Displaying Lldp Information For A Port

    Item Description Set the TTL multiplier. The TTL TLV carried in an LLDPDU determines how long the device information carried in the LLDPDU can be saved on a recipient device. You can configure the TTL of locally sent LLDPDUs to determine how long information about the local device can be saved on a neighbor device by setting the TTL multiplier.

  • Page 257

    By default, the Local Information tab is displayed, as shown in Figure 206. Table 79 describes the fields. Figure 206 The Local Information tab Table 79 Field description Field Description Port ID subtype Port ID type:
    • Interface alias
    • Port component
    • MAC address
    •...

  • Page 258

    Field Description Power priority Power supply priority on a PSE:
    • Unknown—Unknown priority
    • Critical—Priority 1
    • High—Priority 2
    • Low—Priority 3
    Media policy type Media policy type:
    • Unknown
    • Voice
    • Voice signaling
    • Guest voice
    • Guest voice signaling
    •...

  • Page 259

    Table 80 Field description Field Description Chassis type Chassis ID type:
    • Chassis component
    • Interface alias
    • Port component
    • MAC address
    • Network address
    • Interface name
    • Locally assigned, or the local configuration
    Chassis ID Chassis ID depending on the chassis type, which can be a MAC address of the device. Port ID type:...

  • Page 260

    Field Description Power priority Power supply priority on a PD:
    • Unknown—Unknown priority.
    • Critical—Priority 1.
    • High—Priority 2.
    • Low—Priority 3.
    PD requested power value Power (in watts) required by the PD that connects to the port. PSE allocated power value Power (in watts) supplied by the PSE to the connecting port.

  • Page 261

    Field Description SerialNum The serial number advertised by the neighbor. Manufacturer name The manufacturer name advertised by the neighbor. Model name The model name advertised by the neighbor. Asset tracking identifier Asset ID advertised by the neighbor. This ID is used for inventory management and asset tracking.

  • Page 262: Displaying Global Lldp Information

    Figure 209 The Status Information tab Displaying global LLDP information Select Network > LLDP from the navigation tree. Click the Global Summary tab to display global local LLDP information and statistics, as shown in Figure 210. Table 81 describes the fields.

  • Page 263

    Figure 210 The Global Summary tab Table 81 Field description Field Description Chassis ID The local chassis ID depending on the chassis type defined. System capabilities supported The primary network function advertised by the local device:
    • Repeater
    • Bridge
    •...

  • Page 264: Displaying Lldp Information Received From Lldp Neighbors

    Field Description Device class The device class advertised by the local device:
    • Connectivity device—An intermediate device that provides network connectivity.
    • Class I—A generic endpoint device. All endpoints that require the discovery service of LLDP belong to this category.
    • Class II—A media endpoint device. Class II endpoint devices support media stream capabilities in addition to the capabilities of generic endpoint devices.

  • Page 265: Lldp Configuration Examples, Lldp Basic Settings Configuration Example

    LLDP configuration examples LLDP basic settings configuration example Network requirements As shown in Figure 212, configure LLDP on Switch A and Switch B so that the network management station (NMS) can determine the status of the link between Switch A and MED and the link between Switch A and Switch B.

  • Page 266

    Figure 213 The Port Setup tab Select Rx from the LLDP Operating Mode list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.

  • Page 267

    Figure 214 Setting LLDP on multiple ports Enable global LLDP: Click the Global Setup tab. Select Enable from the LLDP Enable list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.

  • Page 268

    Figure 215 Enabling global LLDP Configuring Switch B Enable LLDP on port GigabitEthernet 1/0/1. (Optional. By default, LLDP is enabled on Ethernet ports.) Set the LLDP operating mode to Tx on GigabitEthernet 1/0/1: Select N...

  • Page 269

    Figure 216 Setting the LLDP operating mode to Tx Enable global LLDP: Click the Global Setup tab. Select Enable from the LLDP Enable list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.

  • Page 270

    Figure 217 Viewing the status of port GigabitEthernet 1/0/1 Display the status information of port GigabitEthernet1/0/2 on Switch A: Click the GigabitEthernet1/0/2 port name in the port list. Click the Status Information tab at the lower half of the page. The output shows that port GigabitEthernet 1/0/2 is connected to a non-MED neighbor device (Switch B).

  • Page 271: Cdp-compatible Lldp Configuration Example

    Figure 219 Viewing the updated port status information CDP-compatible LLDP configuration example Network requirements As shown in Figure 220, on Switch A, configure VLAN 2 as a voice VLAN and configure CDP-compatible LLDP so that the Cisco IP phones automatically configure the voice VLAN, confining their voice traffic to the voice VLAN and keeping it separate from other types of traffic.

  • Page 272

    Figure 221 Creating VLANs Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as trunk ports: Select Device > Port Management from the navigation tree. Click the Setup tab to enter the page for configuring ports. Select Trunk in the Link Type list. Select port GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 from the chassis front panel.

  • Page 273

    Figure 222 Configuring ports Configure the voice VLAN function on the two ports: Select Network > Voice VLAN from the navigation tree. Click the Port Setup tab to enter the page for configuring the voice VLAN function on ports. Select Auto in the Voice VLAN port mode list, select Enable in the Voice VLAN port state list, enter the voice VLAN ID 2, and select port GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 from the chassis front panel.

  • Page 274

    Figure 223 Configuring the voice VLAN function on ports Enable LLDP on ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. Skip this step if LLDP is enabled (the default). Set both the LLDP operating mode and the CDP operating mode to TxRx on ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2: Select Network >...

  • Page 275

    Figure 224 Selecting ports Select TxRx from the LLDP Operating Mode list, and select TxRx from the CDP Operating Mode list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.

  • Page 276

    Figure 225 Modifying LLDP settings on ports Enable global LLDP and CDP compatibility of LLDP: Click the Global Setup tab. Select Enable from the LLDP Enable list. Select Enable from the CDP Compatibility list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.

  • Page 277: Lldp Configuration Guidelines

    Figure 226 Enabling global LLDP and CDP compatibility Verifying the configuration Display information about LLDP neighbors on Switch A after completing the configuration. You can see that Switch A has discovered the Cisco IP phones attached to ports GigabitEthernet1/0/1 and GigabitEthernet1/0/2 and obtained their device information.

  • Page 278: Configuring Arp, Arp Message Format, Arp Operation

    Configuring ARP This chapter describes how to configure the Address Resolution Protocol (ARP). Overview ARP resolves IP addresses into MAC addresses on Ethernet networks. ARP message format ARP messages are classified into ARP requests and ARP replies. Figure 227 shows the format of the ARP request/reply.

  • Page 279: Arp Table

    If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request using the following information:
    • Source IP address and source MAC address—Host A’s own IP address and MAC address.
    • Target IP address—Host B’s IP address.
    • Target MAC address—An all-zero MAC address.
    Because the ARP request is a broadcast, all hosts on this subnet receive the request, but only the requested host (Host B) processes it.

  • Page 280: Introduction To Gratuitous Arp, Configuring Arp Entries, Displaying Arp Entries

    Static ARP entry A static ARP entry is manually configured and maintained. It does not age out and cannot be overwritten by a dynamic ARP entry. Using static ARP entries enhances communication security: after a static ARP entry is specified, only the specified MAC address is associated with the IP address, so a forged ARP reply cannot redirect traffic for that IP address to another MAC address.

  • Page 281: Creating A Static Arp Entry

    Figure 229 ARP table configuration page Creating a static ARP entry Select Network > ARP Management from the navigation tree to enter the ARP Table page shown in Figure 229. Click Add to enter the New Static ARP Entry page. Figure 230 Adding a static ARP entry Configure the static ARP entry as described in Table Click Apply.

  • Page 282: Removing Arp Entries, Configuring Gratuitous Arp

    Table 82 Configuration items Item Description IP Address Enter an IP address for the static ARP entry. MAC Address Enter a MAC address for the static ARP entry. Advanced VLAN ID Enter a VLAN ID and specify a port for the static ARP entry. IMPORTANT:...

  • Page 283: Static Arp Configuration Example

    Static ARP configuration example Network Requirements As shown in Figure 232, hosts are connected to Switch A, which is connected to Router B through interface GigabitEthernet 1/0/1 belonging to VLAN 100. Configure static ARP entries on Switch A to enhance communication security between Switch A and Router B.

  • Page 284

    Figure 233 Creating VLAN 100 Add GigabitEthernet 1/0/1 to VLAN 100: Click the Modify Port tab. Select interface GigabitEthernet 1/0/1 in the Select Ports area, select the Untagged option in the Select membership type area, enter 100 for VLAN IDs, and click Apply. After the configuration process is complete, click Close.

  • Page 285

    Figure 234 Adding GigabitEthernet 1/0/1 to VLAN 100 Create VLAN-interface 100: Select Network > VLAN Interface from the navigation tree. Click the Create tab. On the page that appears, enter 100 for VLAN ID, select the Configure Primary IPv4 Address box, select the Manual option, enter 192.168.1.2 for IPv4 Address, and enter 24 or 255.255.255.0 for Mask Length.

  • Page 286

    Figure 235 Creating VLAN-interface 100 Create a static ARP entry: Select Network > ARP Management from the navigation tree to enter the ARP Table page. Click Add. On the page that appears, enter 192.168.1.1 for IP Address, enter 00e0-fc01-0000 for MAC Address, select the Advanced Options box, enter 100 for VLAN ID, and select GigabitEthernet1/0/1 for Port.

  • Page 287: Configuring Arp Attack Defense, User Validity Check, Arp Packet Validity Check, Configuring Arp Detection

    Configuring ARP attack defense Overview Although ARP is easy to implement, it has no authentication or other security mechanism: any host on the segment can send requests or replies for any address, which makes ARP prone to spoofing attacks. The ARP detection feature enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks. ARP detection provides the following functions: user validity check and ARP packet validity check.
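To make the ARP request format from the ARP operation section and the two ARP detection checks concrete, here is an added Python example, not from the HP manual, that packs and parses Ethernet/IPv4 ARP frames and then applies a packet validity check (sender MAC versus the Ethernet source MAC, target MAC of a reply versus the Ethernet destination MAC, all-zero, all-one or multicast IP addresses) and a user validity check against an IP/MAC/VLAN/port binding table of the kind DHCP snooping, 802.1X or static configuration would populate. The exact rule set is my reading of how ARP detection behaves and should be treated as an assumption; the binding table, Host A, the attacker MAC and the port names are constructed, with only the gateway 192.168.1.1 / 00e0-fc01-0000 borrowed from the static ARP configuration example above.

```python
import struct
from dataclasses import dataclass

ETH_HDR = struct.Struct("!6s6sH")             # dst MAC, src MAC, EtherType
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC, ZERO_MAC = b"\xff" * 6, b"\x00" * 6


def mac(text):
    """Accept 00:e0:fc:01:00:00 or HP-style 00e0-fc01-0000."""
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def ip(text):
    return bytes(int(octet) for octet in text.split("."))


@dataclass
class ArpPacket:
    eth_dst: bytes
    eth_src: bytes
    oper: int
    sha: bytes   # sender hardware address
    spa: bytes   # sender protocol (IP) address
    tha: bytes   # target hardware address (all-zero in a request)
    tpa: bytes   # target protocol (IP) address


def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    return ETH_HDR.pack(eth_dst, eth_src, ETHERTYPE_ARP) + ARP_BODY.pack(1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)


def parse_arp(frame):
    if len(frame) < ETH_HDR.size + ARP_BODY.size:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return ArpPacket(eth_dst, eth_src, oper, sha, spa, tha, tpa)


def _bad_ip(addr):
    return addr == b"\x00" * 4 or addr == b"\xff" * 4 or 224 <= addr[0] <= 239


def packet_validity_check(pkt):
    """ARP packet validity check: return the reasons the packet would be dropped (empty list = valid)."""
    reasons = []
    if pkt.sha != pkt.eth_src:
        reasons.append("sender MAC in ARP body differs from Ethernet source MAC")
    if pkt.oper == ARP_REPLY and pkt.tha != pkt.eth_dst:
        reasons.append("target MAC in ARP reply differs from Ethernet destination MAC")
    if _bad_ip(pkt.spa) or (pkt.oper == ARP_REPLY and _bad_ip(pkt.tpa)):
        reasons.append("sender/target IP is all-zero, all-one or multicast")
    return reasons


def user_validity_check(pkt, vlan, port, bindings, trusted_ports=frozenset()):
    """User validity check: sender IP/MAC must match a binding for this VLAN and port.
    Trusted ports (uplinks toward the gateway) are exempt. Bindings here are constructed."""
    if port in trusted_ports or (pkt.spa, pkt.sha, vlan, port) in bindings:
        return []
    return [f"no IP/MAC binding for {'.'.join(map(str, pkt.spa))} on VLAN {vlan} port {port}"]


def arp_detection(frame, vlan, port, bindings, trusted_ports=frozenset()):
    pkt = parse_arp(frame)
    return packet_validity_check(pkt) + user_validity_check(pkt, vlan, port, bindings, trusted_ports)


# Constructed topology: Router B (gateway) behind the trusted uplink, Host A on an access port.
GATEWAY_IP, GATEWAY_MAC = ip("192.168.1.1"), mac("00e0-fc01-0000")
HOST_A_IP, HOST_A_MAC = ip("192.168.1.10"), mac("00:11:22:33:44:55")
ATTACKER_MAC = mac("00:11:22:aa:bb:cc")
BINDINGS = {(HOST_A_IP, HOST_A_MAC, 100, "GigabitEthernet1/0/2")}
TRUSTED = frozenset({"GigabitEthernet1/0/1"})

# Host A resolving the gateway: legitimate broadcast request with an all-zero target MAC.
LEGIT_REQUEST = build_arp(BROADCAST_MAC, HOST_A_MAC, ARP_REQUEST, HOST_A_MAC, HOST_A_IP, ZERO_MAC, GATEWAY_IP)
# Gateway spoofing: an attacker on Host A's access port claims the gateway IP with its own MAC.
SPOOFED_REPLY = build_arp(HOST_A_MAC, ATTACKER_MAC, ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, HOST_A_MAC, HOST_A_IP)
# Header/body mismatch: the ARP body names the gateway MAC but the frame came from the attacker's MAC.
MISMATCHED_REPLY = build_arp(HOST_A_MAC, ATTACKER_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_A_MAC, HOST_A_IP)

if __name__ == "__main__":
    for name, frame in [("legit", LEGIT_REQUEST), ("spoofed", SPOOFED_REPLY), ("mismatched", MISMATCHED_REPLY)]:
        print(name, arp_detection(frame, 100, "GigabitEthernet1/0/2", BINDINGS, TRUSTED))
```

The spoofed reply is internally consistent, so only the binding table catches it; that is why the manual pairs ARP detection with VLANs where DHCP snooping or 802.1X supplies bindings, and why the uplink toward the real gateway has to be a trusted port rather than bound.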

  • Page 288

    Select Network > ARP Anti-Attack from the navigation tree to enter the ARP detection configuration page. Figure 237 ARP detection configuration page Configure ARP detection as described in Table 84. Click Apply. Table 84 Configuration items Item Description VLAN Settings Select VLANs on which ARP detection is to be enabled. To add VLANs to the Enabled VLANs list box, select one or multiple VLANs from the Disabled VLANs list box and click the <<...

  • Page 289: Configuring Igmp Snooping, Basic Concepts In Igmp Snooping

    Configuring IGMP snooping Overview Internet Group Management Protocol (IGMP) snooping is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups. By analyzing received IGMP messages, a Layer 2 device running IGMP snooping establishes mappings between ports and multicast MAC addresses and forwards multicast data based on these mappings.

  • Page 290

    Figure 239 IGMP snooping related ports IGMP snooping related ports include the following types:
    • Router port—Port on an Ethernet switch that leads the switch toward a Layer 3 multicast device (designated router or IGMP querier). In Figure 239, GigabitEthernet 1/0/1 of Switch A and Ethernet 1/0/1 of Switch B are router ports.

  • Page 291: How Igmp Snooping Operates

    Timer: Dynamic member port aging timer. Description: When a port dynamically joins a multicast group, the switch sets an aging timer for the port. When the timer expires, the... Message before expiry: IGMP membership report. Action after expiry: The switch removes this port from the IGMP snooping forwarding...

  • Page 292: Protocols And Standards

    receiving this report. This makes the switch unable to know whether the reported multicast group still has active members attached to that port. When receiving a leave group message When an IGMPv1 host leaves a multicast group, the host does not send an IGMP leave message, so the switch cannot know immediately that the host has left the multicast group.

  • Page 293: Enabling Igmp Snooping Globally

    Step Remarks (Required.) Enable IGMP snooping for the VLAN and configure the IGMP snooping version and querier. By default, IGMP snooping is disabled in a VLAN. Configuring IGMP snooping in a VLAN IMPORTANT: • IGMP snooping must be enabled globally before you enable it for a VLAN.

  • Page 294: Configuring Igmp Snooping In A Vlan

    Configuring IGMP snooping in a VLAN Select Network > IGMP snooping from the navigation tree. Click the icon corresponding to the VLAN. Figure 241 VLAN configuration Configure the parameters as described in Table Click Apply. Table 85 Configuration items Item Description Enable or disable IGMP snooping in the VLAN.

  • Page 295: Configuring Igmp Snooping On A Port

    Item Description Drop Unknown Enable or disable the function of dropping unknown multicast packets. Unknown multicast data refers to multicast data for which no entries exist in the IGMP snooping forwarding table.
    • If the function of dropping unknown multicast data is enabled, the switch forwards the unknown multicast packets to the router ports instead of flooding them in the VLAN.

  • Page 296

    Figure 242 Advanced configuration Configure the parameters as described in Table Click Apply. Table 86 Configuration items Item Description Select the port on which advanced IGMP snooping features will be configured. The port can be an Ethernet port or Layer-2 aggregate port. After a port is selected, advanced features configured on this port are displayed at the lower part of this page.

  • Page 297: Displaying Igmp Snooping Multicast Table Entries

    Item Description Enable or disable the fast-leave function for the port. With the fast-leave function enabled on a port, when the switch receives an IGMP leave message on the port, it immediately deletes that port from the outgoing port list of the corresponding forwarding table entry.
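The leave handling, the dynamic member port aging timer, and the fast-leave and Drop Unknown options described above are easier to reason about as one small state machine. The following Python model is an added example, not code from the HP manual: the 260-second aging time and the 2-second wait for a report after a group-specific query are assumed defaults, and the port names and group follow the configuration example later in this chapter (VLAN 100, GigabitEthernet 1/0/1 as router port, hosts on 1/0/2 and 1/0/3, group 224.1.1.1).

```python
from dataclasses import dataclass, field

MEMBER_AGING = 260          # seconds; assumed default dynamic member port aging time
LAST_MEMBER_QUERY_WAIT = 2  # seconds a port survives after a leave while the switch queries it (assumed)


@dataclass
class VlanSnooping:
    """IGMP snooping state for one VLAN: router ports plus group -> {member port: timer expiry}."""
    vlan_ports: set
    router_ports: set
    drop_unknown: bool = False
    fast_leave_ports: set = field(default_factory=set)
    groups: dict = field(default_factory=dict)

    def on_report(self, port, group, now):
        """IGMPv1/v2 membership report on a port: add it as a dynamic member and (re)start its aging timer."""
        self.groups.setdefault(group, {})[port] = now + MEMBER_AGING

    def on_leave(self, port, group, now):
        """IGMPv2 leave. IGMPv1 hosts never send one, so their ports are only ever removed by on_tick()."""
        members = self.groups.get(group)
        if not members or port not in members:
            return
        if port in self.fast_leave_ports:
            del members[port]          # fast-leave: prune at once, without a group-specific query
        else:
            # The switch would now send a group-specific query out this port and keep the port
            # only if another host behind it reports back before the shortened timer runs out.
            members[port] = min(members[port], now + LAST_MEMBER_QUERY_WAIT)
        if not members:
            del self.groups[group]

    def on_tick(self, now):
        """Expire aged member ports, and drop groups that have no member port left."""
        for group in list(self.groups):
            members = self.groups[group]
            for port in [p for p, expiry in members.items() if expiry <= now]:
                del members[port]
            if not members:
                del self.groups[group]

    def outgoing_ports(self, group, ingress_port):
        """Ports a multicast data packet for `group` is forwarded to (never back out the ingress port)."""
        if group in self.groups:
            out = set(self.groups[group]) | self.router_ports
        elif self.drop_unknown:
            out = set(self.router_ports)      # unknown group: only toward the querier/router
        else:
            out = set(self.vlan_ports)        # unknown group: flooded in the VLAN
        return out - {ingress_port}


if __name__ == "__main__":
    v = VlanSnooping({"GE1/0/1", "GE1/0/2", "GE1/0/3"}, {"GE1/0/1"}, drop_unknown=True, fast_leave_ports={"GE1/0/3"})
    v.on_report("GE1/0/3", "224.1.1.1", now=0)
    print(v.outgoing_ports("224.1.1.1", "GE1/0/1"))   # only the member port, not the whole VLAN
```

Fast-leave is safe only where exactly one receiver hangs off the port: with a hub or unmanaged switch downstream, one host's leave would cut the stream for the others, which is why the manual exposes it per port rather than per VLAN.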

  • Page 298: Igmp Snooping Configuration Example

    IGMP snooping configuration example Network requirements As shown in Figure 245, IGMPv2 runs on Router A and IGMPv2 snooping runs on Switch A. Router A acts as the IGMP querier. Perform the configuration so that Host A can receive the multicast data destined for the multicast group (224.1.1.1), and Switch A drops the unknown multicast data rather than flooding it in the VLAN.

  • Page 299

    Figure 246 Creating VLAN 100 Assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 100: Click the Modify Port tab. Select GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 in the Select Ports field. Select the Untagged option for Select membership type. Enter 100 as the VLAN ID.

  • Page 300

    Figure 247 Assigning a port to the VLAN Enable IGMP snooping globally: Select Network > IGMP snooping from the navigation tree. Select the Enable option. Click Apply.

  • Page 301

    Figure 248 Enabling IGMP snooping globally Enable IGMP snooping and the function of dropping unknown multicast data for VLAN 100: Click the icon corresponding to VLAN 100. Select the Enable option for IGMP snooping. Select the 2 option for Version. Select the Enable option for Drop Unknown.

  • Page 302

    Verifying the configuration Select Network > IGMP snooping from the navigation tree. Click Show Entries in the basic VLAN configuration page to display information about IGMP snooping multicast entries.

  • Page 303: Configuring Mld Snooping, Basic Concepts In Mld Snooping

    Configuring MLD snooping Overview Multicast Listener Discovery (MLD) snooping is a multicast constraining mechanism that runs on Layer 2 devices to manage and control IPv6 multicast groups. By analyzing received MLD messages, a Layer 2 device running MLD snooping establishes mappings between ports and multicast MAC addresses and forwards IPv6 multicast data based on these mappings.

  • Page 304

    Figure 253 MLD snooping related ports MLD snooping related ports include the following types:
    • Router port—Port on an Ethernet switch that leads the switch toward a Layer 3 multicast device (designated router or MLD querier). As shown in Figure 253, GigabitEthernet 1/0/1 of Switch A and Ethernet 1/0/1 of Switch B are router ports.

  • Page 305: How Mld Snooping Operates

    Timer: Dynamic member port aging timer. Description: When a port dynamically joins an IPv6 multicast group, the switch sets an aging timer for the port. When the timer expires,... Message before expiry: MLD membership report. Action after expiry: The switch removes this port from the MLD snooping forwarding...

  • Page 306

    receiving this report. This makes the switch unable to know whether the reported IPv6 multicast group still has active members attached to that port. When receiving a done message When a host leaves an IPv6 multicast group, the host sends an MLD done message to the multicast router. When the switch receives an MLD done message on a member port, it first checks whether a forwarding entry matches the IPv6 group address in the message, and, if a match is found, whether the forwarding entry contains the dynamic member port.

  • Page 307: Enabling Mld Snooping Globally

    Step Remarks (Required.) Enable MLD snooping for the VLAN and configure the MLD snooping version and querier. By default, MLD snooping is disabled in a VLAN. Configuring MLD snooping in a VLAN IMPORTANT: • MLD snooping must be enabled globally before you enable it for a VLAN.

  • Page 308: Configuring Mld Snooping In A Vlan

    Configuring MLD snooping in a VLAN Select Network > MLD snooping from the navigation tree. Click the icon corresponding to the VLAN. Figure 255 VLAN configuration Configure the parameters as described in Table Click Apply. Table 88 Configuration items Item Description Enable or disable MLD snooping in the VLAN.

  • Page 309: Configuring Mld Snooping On A Port

    Item Description Drop Unknown Enable or disable the function of dropping unknown IPv6 multicast packets. Unknown IPv6 multicast data refers to IPv6 multicast data for which no entries exist in the MLD snooping forwarding table.
    • If the function of dropping unknown IPv6 multicast data is enabled, the switch forwards the unknown IPv6 multicast packets to the router ports instead of flooding them in the VLAN.

  • Page 310

    Figure 256 Advanced configuration Configure the parameters as described in Table Click Apply. Table 89 Configuration items Item Description Select the port on which advanced MLD snooping features will be configured. The port can be an Ethernet port or Layer-2 aggregate port. After a port is selected, advanced features configured on this port are displayed at the lower part of this page.

  • Page 311: Displaying Mld Snooping Multicast Table Entries

    Item Description Enable or disable the fast-leave function for the port. With the fast-leave function enabled on a port, when the switch receives an MLD done message on the port, it immediately deletes that port from the outgoing port list of the corresponding IPv6 forwarding table entry.

  • Page 312: Mld Snooping Configuration Example

    Field Description Group Address Multicast group address. Router Ports All router ports. Member Ports All member ports. MLD snooping configuration example Network requirements As shown in Figure 259, MLDv1 runs on Router A and MLDv1 snooping runs on Switch A. Router A acts as the MLD querier.

  • Page 313

    Figure 260 Creating VLAN 100 Assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 100: Click the Modify Port tab. Select GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 in the Select Ports field. Select the Untagged option for Select membership type. Enter 100 as the VLAN ID.

  • Page 314

    Figure 261 Assigning a port to the VLAN Enable MLD snooping globally: Select Network > MLD snooping from the navigation tree. Select the Enable option. Click Apply. Figure 262 Enabling MLD snooping globally...

  • Page 315

    Enable MLD snooping and the function of dropping unknown IPv6 multicast data for VLAN 100: Click the icon corresponding to VLAN 100. Select the Enable option for MLD snooping. Select the 1 option for Version.

  • Page 316

    Figure 265 MLD snooping multicast entry information The output shows that GigabitEthernet 1/0/3 of Switch A is listening to multicast streams destined for IPv6 multicast group (FF1E::101).

  • Page 317: Configuring Ipv4 And Ipv6 Routing, Routing Table, Static Route

    Configuring IPv4 and IPv6 routing NOTE: The term router in this document refers to both routers and Layer 3 switches. Overview A router selects an appropriate route according to the destination address of a received packet and forwards the packet to the next router. The last router on the path is responsible for delivering the packet to the destination host.

  • Page 318: Default Route, Displaying The Ipv4 Active Route Table

    Static routes cannot adapt to network topology changes. If a fault or a topological change occurs in the network, the network administrator must modify the static routes manually. Default route A default route is used to forward packets that match no entry in the routing table. Without a default route, a packet that does not match any routing entries is discarded and an Internet Control Message Protocol (ICMP) destination-unreachable packet is sent to the source.

  • Page 319: Creating An Ipv4 Static Route

    Field Description Next Hop Next hop IP address of the IPv4 route. Interface Outgoing interface of the IPv4 route. Packets destined for the specified network segment will be sent out of the interface. Creating an IPv4 static route Select Network > IPv4 Routing from the navigation tree. Click the Create tab.

  • Page 320: Displaying The Ipv6 Active Route Table

    Item Description Mask Enter the mask of the destination IP address. You can enter a mask length or a mask in dotted decimal notation. Preference Set a preference value for the static route. The smaller the number, the higher the preference. For example, specifying the same preference for multiple static routes to the same destination enables load sharing on the routes, while specifying different...

  • Page 321: Creating An Ipv6 Static Route

    Field Description Next Hop Next hop IP address of the IPv6 route. Interface Outgoing interface of the IPv6 route. Packets destined for the specified network segment will be sent out of the interface. Creating an IPv6 static route Select Network > IPv6 Routing from the navigation tree. Click the Create tab.

  • Page 322: Ipv4 Static Route Configuration Example

    Item Description Preference Set a preference value for the static route. The smaller the number, the higher the preference. For example, specifying the same preference for multiple static routes to the same destination enables load sharing on the routes, while specifying different preferences for them enables route backup.

  • Page 323

    Figure 271 Configuring a default route Configure a static route to Switch A and Switch C on Switch B: Select Network > IPv4 Routing from the navigation tree of Switch B. Click the Create tab. The page for configuring a static route appears. Enter 1.1.2.0 for Destination IP Address, 24 for Mask, and 1.1.4.1 for Next Hop.

  • Page 324

    Figure 272 Configuring a static route Enter 1.1.3.0 for Destination IP Address, enter 24 for Mask, and enter 1.1.5.6 for Next Hop. Click Apply. Configure a default route to Switch B on Switch C: Select Network > IPv4 Routing from the navigation tree of Switch C. Click the Create tab.

  • Page 325

    Figure 273 Configuring a default route Verifying the configuration Display the routing table: Enter the IPv4 route page of Switch A, Switch B, and Switch C to verify that the newly configured static routes are displayed as active routes on the page. Ping Host C from Host A (assuming both hosts run Windows XP): C:\Documents and Settings\Administrator>ping 1.1.3.2 Pinging 1.1.3.2 with 32 bytes of data:...

  • Page 326: Ipv6 Static Route Configuration Example

    IPv6 static route configuration example Network requirements The IP addresses of devices are shown in Figure 274. Configure IPv6 static routes on Switch A, Switch B and Switch C for any two hosts to communicate with each other. Figure 274 Network diagram Host B 2::2/64 Vlan-int400...

  • Page 327

    Figure 275 Configuring a default route Configure a static route to Switch A and Switch C on Switch B: Select Network > IPv6 Routing from the navigation tree of Switch B. Click the Create tab. The page for configuring a static route appears. Enter 1:: for Destination IP Address, select 64 from the Prefix Length list, and enter 4::1 for Next Hop.

  • Page 328

    Figure 276 Configuring a static route Enter 3:: for Destination IP Address, select 64 from the Prefix Length list, and enter 5::1 for Next Hop. Click Apply. Configure a default route to Switch B on Switch C: Select Network > IPv6 Routing from the navigation tree of Switch C. Click the Create tab.

  • Page 329

    Figure 277 Configuring a default route Verifying the configuration Display the routing table: Enter the IPv6 route page of Switch A, Switch B, and Switch C respectively to verify that the newly configured static routes are displayed as active routes on the page. Ping Host C from Switch A: <SwitchA>...

  • Page 330

    0.00% packet loss round-trip min/avg/max = 62/62/63 ms Configuration guidelines When you configure a static route, follow these guidelines:
    • If you do not specify the preference, the default preference will be used. Reconfiguration of the default preference applies only to newly created static routes. Currently, the Web interface does not support configuration of the default preference.

  • Page 331: Dhcp Overview, Introduction To Dhcp, Dhcp Address Allocation, Allocation Mechanisms

    DHCP overview NOTE: After the DHCP client is enabled on an interface, the interface can dynamically obtain an IP address and other configuration parameters from the DHCP server. This facilitates configuration and centralized management. For more information about the DHCP client configuration, see "Configuring VLAN interfaces"...

  • Page 332: Dynamic Ip Address Allocation Process, Ip Address Lease Extension

    Dynamic IP address allocation process Figure 279 Dynamic IP address allocation process The client broadcasts a DHCP-DISCOVER message to locate a DHCP server. A DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message.

  • Page 333: Dhcp Message Format

    DHCP message format Figure 280 gives the DHCP message format, which is based on the BOOTP message format and involves eight types. These types of messages have the same format except that some fields have different values. The numbers in parentheses indicate the size of each field in bytes. Figure 280 DHCP message format op (1) htype (1)

  • Page 334: Dhcp Options, Dhcp Options Overview, Introduction To Dhcp Options, Introduction To Option 82

    DHCP options DHCP options overview DHCP uses the same message format as BOOTP, but DHCP uses the Option field to carry information for dynamic address allocation and to provide additional configuration information to clients. Figure 281 DHCP option format Introduction to DHCP options Common DHCP options: Option 3—Router option.

  • Page 335

    The administrator can locate the DHCP client to further implement security control and accounting. A server that supports Option 82 can also use such information to define individual IP address assignment policies and other parameters for the clients. Option 82 involves at most 255 sub-options. At least one sub-option is defined. Currently the DHCP relay agent supports two sub-options: sub-option 1 (Circuit ID) and sub-option 2 (Remote ID).

  • Page 336: Configuring Dhcp Relay Agent, Introduction To Dhcp Relay Agent, Application Environment

    Configuring DHCP relay agent Introduction to DHCP relay agent Application environment Since DHCP clients request IP addresses via broadcast messages, the DHCP server and clients must be on the same subnet. Therefore, a DHCP server must be available on each subnet, which is not practical. DHCP relay agent solves the problem.

  • Page 337: Recommended Configuration Procedure

    Figure 285 DHCP relay agent work process As shown in Figure 285, the DHCP relay agent works as follows: After receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client, the DHCP relay agent fills the giaddr field of the message with its IP address and forwards the message to the designated DHCP server in unicast mode.

  • Page 338: Enabling Dhcp And Configuring Advanced Parameters For The Dhcp Relay Agent

    Step: Configuring and displaying clients' IP-to-MAC bindings. Remarks: (Optional) Create a static IP-to-MAC binding, and view static and dynamic bindings. The DHCP relay agent can dynamically record clients' IP-to-MAC bindings after clients get IP addresses. It also supports static bindings, that is, you can manually configure IP-to-MAC bindings on the DHCP relay agent, so that users can access the external network using fixed IP addresses.

  • Page 339

    Figure 286 DHCP relay agent configuration page Enable the DHCP service and configure advanced parameters for the DHCP relay agent as described in Table 95. Click Apply.

  • Page 340: Creating A Dhcp Server Group

    Table 95 Configuration items. DHCP Service: Enable or disable global DHCP. Unauthorized Server Detect: Enable or disable unauthorized DHCP server detection. There are unauthorized DHCP servers on networks, which reply to DHCP clients with wrong IP addresses. With this feature enabled, upon receiving a DHCP request, the DHCP relay agent will record the IP address of any DHCP server that assigned an IP address to the DHCP...

  • Page 341: Enabling The Dhcp Relay Agent On An Interface

    Click Apply. Table 96 Configuration items. Server Group ID: Enter the ID of a DHCP server group. You can create up to 20 DHCP server groups. IP Address: Enter the IP address of a server in the DHCP server group. The server IP address cannot be on the same subnet as the IP address of the DHCP relay agent;...

  • Page 342: Configuring And Displaying Clients' Ip-to-mac Bindings

    Configuring and displaying clients' IP-to-MAC bindings Select Network > DHCP from the navigation tree to enter the DHCP Relay page shown in Figure 286. In the User Information area, click User Information to view static and dynamic bindings. Figure 289 Displaying clients' IP-to-MAC bindings Click Add to enter the page for creating a static IP-to-MAC binding.

  • Page 343: Dhcp Relay Agent Configuration Example

    DHCP relay agent configuration example Network requirements As shown in Figure 291, VLAN-interface 1 on the DHCP relay agent (Switch A) connects to the network where DHCP clients reside. VLAN-interface 2 is connected to the DHCP server whose IP address is 10.1.1.1/24.

  • Page 344

    Figure 292 Enabling DHCP Configure a DHCP server group: In the Server Group area, click Add. On the page that appears, enter 1 for Server Group ID, and enter 10.1.1.1 for IP Address. Click Apply. Figure 293 Adding a DHCP server group Enable the DHCP relay agent on VLAN-interface 1:...

  • Page 345

    In the Interface Config field, click the icon for VLAN-interface 1. On the page that appears, select the Enable option next to DHCP Relay and select 1 for Server Group. Click Apply.

  • Page 346: Configuring Dhcp Snooping

    Configuring DHCP snooping NOTE: A DHCP snooping enabled device does not work if it is located between the DHCP relay agent and the DHCP server; it works when it is between the DHCP client and the relay agent, or between the DHCP client and the DHCP server.

  • Page 347: Application Of Trusted Ports

    Application of trusted ports Configuring a trusted port connected to a DHCP server Figure 295 Configuring trusted and untrusted ports As shown in Figure 295, a DHCP snooping device’s port that is connected to an authorized DHCP server should be configured as a trusted port to forward reply messages from the DHCP server, so that the DHCP client can obtain an IP address from the authorized DHCP server.

  • Page 348: Dhcp Snooping Support For Option 82

    Table 99 Roles of ports (columns: Device; Untrusted port; Trusted port disabled from recording binding entries; Trusted port enabled to record binding entries). Switch A: untrusted port GigabitEthernet 1/0/1; trusted port disabled from recording binding entries GigabitEthernet 1/0/3; trusted port enabled to record binding entries GigabitEthernet 1/0/2. Switch B: untrusted ports GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4; trusted port disabled from recording binding entries GigabitEthernet 1/0/1; trusted port enabled to record binding entries GigabitEthernet 1/0/2. Switch C: untrusted ports GigabitEthernet 1/0/3 and ...; GigabitEthernet 1/0/1...

  • Page 349: Enabling Dhcp Snooping

    Step: Configuring DHCP snooping functions on an interface. Remarks: (Required) Specify an interface as trusted and configure DHCP snooping to support Option 82. By default, an interface is untrusted and DHCP snooping does not support Option 82. IMPORTANT: You need to specify the ports connected to the authorized DHCP servers as trusted to make sure that DHCP clients can obtain valid IP addresses.

  • Page 350: Configuring Dhcp Snooping Functions On An Interface

    Configuring DHCP snooping functions on an interface Select Network > DHCP from the navigation tree. Click the DHCP Snooping tab to enter the page shown in Figure 297. Click the icon for a specific interface in the Interface Config area. Figure 298 DHCP snooping interface configuration page Configure DHCP snooping on the interface as described in Table 101.

  • Page 351: Dhcp Snooping Configuration Example

    Figure 299 DHCP snooping user information Table 102 Field description. IP Address: Displays the IP address assigned by the DHCP server to the client. MAC Address: Displays the MAC address of the client. Displays the client type, which can be: •...

  • Page 352: Configuring Switch B

    Figure 300 Network diagram Configuring Switch B Enable DHCP snooping: Select Network > DHCP from the navigation tree. Click the DHCP Snooping tab. Select the Enable option next to DHCP Snooping to enable DHCP snooping. Figure 301 Enabling DHCP snooping Configure DHCP snooping functions on GigabitEthernet 1/0/1: Click the icon for GigabitEthernet 1/0/1 on the interface list.

  • Page 353

    Select the Trust option next to Interface State. Click Apply. Figure 302 Configuring DHCP snooping functions on GigabitEthernet 1/0/1 Configure DHCP snooping functions on GigabitEthernet 1/0/2: Click the icon for GigabitEthernet 1/0/2 on the interface list. Select the Untrust option for Interface State, select the Enable option next to Option 82 Support, and select Replace for Option 82 Strategy.

  • Page 354: Managing Services

    Managing services Overview The service management module provides six types of services: FTP, Telnet, SSH, SFTP, HTTP and HTTPS. You can enable or disable the services as needed. In this way, the performance and security of the system can be enhanced and the device can be managed securely. The service management module also lets you modify the HTTP and HTTPS port numbers and associate the FTP, HTTP, or HTTPS service with an ACL, which reduces attacks on these services by unauthorized users.

  • Page 355

    • Defines a certificate attribute-based access control policy for the device to control the access right of the client, in order to further avoid attacks from illegal clients. Managing services Select Network > Service from the navigation tree. The service management configuration page appears. Figure 305 Service management Manage services as described in Table...

  • Page 356

    Enable HTTP service: Enable or disable the HTTP service. The HTTP service is enabled by default. Port Number: Set the port number for the HTTP service. You can view this configuration item by clicking the expand button in front of HTTP. IMPORTANT: HTTP...

  • Page 357: Using Diagnostic Tools

    Using diagnostic tools Overview Ping Use ping to test connectivity to a specified address. Ping operates as follows: The source device sends an ICMP echo request (ECHO-REQUEST) to the destination device. The destination device responds by sending an ICMP echo reply (ECHO-REPLY) to the source device after receiving the ICMP echo request.

  • Page 358: Ping Operation, Ipv4 Ping Operation

    Ping operation IPv4 ping operation Select Network > Diagnostic Tools from the navigation tree. The IPv4 ping configuration page appears. Figure 306 IPv4 ping configuration page Type the IPv4 address or the host name of the destination device in the Destination IP address or host name field.

  • Page 359: Ipv6 Ping Operation, Traceroute Operation

    IPv6 ping operation Select Network > Diagnostic Tools from the navigation tree. Click the IPv6 Ping tab. The IPv6 ping configuration page appears. Figure 308 IPv6 ping configuration page Type the IPv6 address or the host name of the destination device in the Destination IPv6 address or host name field.

  • Page 360: Ipv4 Traceroute Operation

    NOTE: Before performing the traceroute operation, execute the ip ttl-expires enable command on intermediate devices to enable the sending of ICMP timeout packets, and execute the ip unreachables enable command on the destination device to enable the sending of ICMP destination unreachable packets. IPv4 traceroute operation Select Network >...

  • Page 361: Ipv6 Traceroute Operation

    Figure 311 IPv4 traceroute operation result IPv6 traceroute operation Select Network > Diagnostic Tools from the navigation tree. Click the IPv6 Traceroute tab. The IPv6 traceroute configuration page appears. Figure 312 IPv6 traceroute configuration page Type the IPv6 address or host name of the destination device in the Destination IPv6 address or host name field.

  • Page 362

    Figure 313 IPv6 traceroute operation result...

  • Page 363: Access Control Methods

    LAN, you can also use the network access device as the authentication server. Access control methods HP implements port-based access control as defined in the 802.1X protocol, and extends the protocol to support MAC-based access control. • Port-based access control—once an 802.1X user passes authentication on a port, any subsequent...

  • Page 364: Controlled/uncontrolled Port And Port Authorization Status

    Controlled/uncontrolled port and port authorization status 802.1X defines two logical ports for the network access port: controlled port and uncontrolled port. Any packet arriving at the network access port is visible to both logical ports. • The controlled port allows incoming and outgoing traffic to pass through when it is in the authorized...

  • Page 365: Packet Formats

    • Protocol version—The EAPOL protocol version used by the EAPOL packet sender. • Type—Type of the EAPOL packet. Table 104 lists the types of EAPOL packets that the HP implementation of 802.1X supports. Table 104 Types of EAPOL packets Value...

  • Page 366: Eap Over Radius

    01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, you must use an 802.1X client, the HP iNode 802.1X client for example, that can send broadcast EAPOL-Start packets.

  • Page 367: X Authentication Procedures

    Access device as the initiator The access device initiates authentication if a client, for example the 802.1X client available with Windows XP, cannot send EAPOL-Start packets. The access device supports the following modes: • Multicast trigger mode—The access device multicasts Identity EAP-Request packets periodically...

  • Page 368

    • If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an HP iNode 802.1X client, you can use both EAP termination and EAP relay. To use EAP-TLS, PEAP, or any other EAP authentication methods, you must use EAP relay.

  • Page 369

    Figure 322 802.1X authentication procedure in EAP relay mode When a user launches the 802.1X client software and enters a registered username and password, the 802.1X client software sends an EAPOL-Start packet to the network access device. The network access device responds with an Identity EAP-Request packet to ask for the client username.

  • Page 370

    The authentication server compares the received encrypted password with the one it generated at step 5. If the two are identical, the authentication server considers the client valid and sends a RADIUS Access-Accept packet to the network access device. Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client, and sets the controlled port in the authorized state so the client can access the network.

  • Page 371: X Timers

    Figure 323 802.1X authentication procedure in EAP termination mode In EAP termination mode, it is the network access device rather than the authentication server that generates an MD5 challenge for password encryption (see Step 4). The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.

  • Page 372: Using 802.1x Authentication With Other Features

    • Handshake timer—Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device receives no response after sending the maximum number of handshake requests, it considers that the client has logged off.

  • Page 373

    Authentication status: No 802.1X user has performed authentication within 90 seconds after 802.1X is enabled. VLAN manipulation: Assigns the 802.1X guest VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the guest VLAN. If no 802.1X guest VLAN is configured, the access device does not perform any VLAN operation.

  • Page 374: Configuration Prerequisites

    NOTE: The network device assigns a hybrid port to an 802.1X Auth-Fail VLAN as an untagged member. ACL assignment You can specify an ACL for an 802.1X user to control its access to network resources. After the user passes 802.1X authentication, the authentication server, either the local access device or a RADIUS server, assigns the ACL to the port to filter the traffic from this user.

  • Page 375

    Figure 324 802.1X global configuration In the 802.1X Configuration area, select the Enable 802.1X box. Select an authentication method. Options include CHAP, PAP, and EAP. For more information about EAP relay and EAP termination, see "A comparison of EAP relay and EAP termination."...

  • Page 376: Configuring 802.1x On A Port

    Table 105 Configuration items. Quiet: Specify whether to enable the quiet timer. The quiet timer enables the network access device to wait a period of time defined by the Quiet Period option before it can process any authentication request from a client that has failed an 802.1X authentication.

  • Page 377

    In the Ports With 802.1X Enabled area, click Add. Figure 326 802.1X configuration on a port Configure the 802.1X feature on a port as described in Table 106. Click Apply. Table 106 Configuration items. Port: Select a port where you want to enable 802.1X. Only 802.1X-disabled ports are available.

  • Page 378: Configuring An 802.1x Guest Vlan

    Enable Handshake: Select the box to enable the online user handshake function. The online user handshake function checks the connectivity status of online 802.1X users. The network access device sends handshake messages to online users at the interval specified by the Handshake Period option. If no response is received from an online user after the maximum number of handshake attempts (set by the Retry Times option) has been made, the network access device sets the user in the offline state.

  • Page 379: Configuration Examples, X Configuration Example

    Configuration examples 802.1X configuration example Network requirements As shown in Figure 327, the access device performs 802.1X authentication for users that connect to port GigabitEthernet 1/0/1. Implement MAC-based access control on the port, so the logoff of one user does not affect other online 802.1X users.

  • Page 380

    Figure 328 Global 802.1X configuration In the Ports With 802.1X Enabled area, click Add. Select GigabitEthernet1/0/1 from the Port list. Select the Enable Re-Authentication box, and click Apply. Figure 329 802.1X configuration of GigabitEthernet 1/0/1 Configuring a RADIUS scheme From the navigation tree, select Authentication > RADIUS. The RADIUS server configuration page appears.

  • Page 381

    Select the server type Authentication Server. Enter the IP address 10.1.1.1, enter the port number 1812, and select the primary server status active. Enter the IP address 10.1.1.2, enter the port number 1813, and select the secondary server status active. Click Apply.

  • Page 382

    Figure 331 Configuring a RADIUS scheme Configuring AAA From the navigation tree, select Authentication > AAA. The domain setup page appears. Enter test in the Domain Name field, and select Enable from the Default Domain list. Click Apply.

  • Page 383

    Figure 332 Creating an ISP domain On the Authentication tab, select the ISP domain test, select the Default AuthN box, select the authentication method RADIUS, select the authentication scheme system from the Name list, and click Apply. A configuration progress dialog box appears, as shown in Figure 334.

  • Page 384

    Figure 334 Configuration progress dialog box On the Authorization tab, select the ISP domain test, select the Default AuthZ box, select the authorization method RADIUS, select the authorization scheme system from the Name list, and click Apply. After the configuration process is complete, click Close. Figure 335 Configuring the AAA authorization method for the ISP domain On the Accounting tab, select the domain name test, select the Default Accounting box, select the accounting method RADIUS, select the accounting scheme system from the Name list, and click...

  • Page 385: Acl Assignment Configuration Example

    Figure 336 Configuring the AAA accounting method for the ISP domain ACL assignment configuration example Network requirements As shown in Figure 337, the host at 192.168.1.10 connects to port GigabitEthernet 1/0/1 of the network access device. Perform 802.1X authentication on the port. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server and the RADIUS server at 10.1.1.2 as the accounting server.

  • Page 386

    Enter the IP address 10.1.1.1, enter the port number 1812, and select the primary server status active. Click Apply. Figure 338 Configuring the RADIUS primary authentication server Configure the RADIUS primary accounting server: Select the server type Accounting Server. Enter the IP address 10.1.1.2, enter the port number 1813, and select the primary server status active.

  • Page 387

    Select the Accounting Server Shared Key box, enter abc in the field next to the box and the Confirm Accounting Shared Key field. Select with-domain from the Username Format list. Click Apply. Figure 340 Configuring a RADIUS scheme Configuring AAA From the navigation tree, select Authentication >...

  • Page 388

    Figure 341 Creating an ISP domain On the Authentication tab, select the ISP domain test, select the Default AuthN box, select the authentication method RADIUS as mode, select the authentication scheme system from the Name list, and click Apply. A configuration progress dialog box appears, as shown in Figure 343.

  • Page 389

    Figure 343 Configuration progress dialog box On the Authorization tab, select the ISP domain test, select the Default AuthZ box, select the authorization method RADIUS, select the authorization scheme system from the Name list, and click Apply. After the configuration process is complete, click Close. Figure 344 Configuring the AAA authorization method for the ISP domain On the Accounting tab, select the domain name test, select the Accounting Optional box, select Enable from the list, select the Default Accounting box, select the accounting method RADIUS,...

  • Page 390

    Figure 345 Configuring the AAA accounting method for the ISP domain Configuring an ACL From the navigation tree, select QoS > ACL IPv4. On the Add tab, enter the ACL number 3000, and click Apply. Figure 346 Creating ACL 3000 On the Advanced Setup tab, configure an ACL rule: Select 3000 from the ACL list.

  • Page 391

    Figure 347 ACL rule configuration Configuring the 802.1X feature From the navigation tree, select Authentication > 802.1X. Select the Enable 802.1X box. Select the authentication method CHAP. Click Apply.

  • Page 392

    Figure 348 Global 802.1X globally In the Ports With 802.1X Enabled area, click Add. Select GigabitEthernet1/0/1 from the Port list. Click Apply. Figure 349 802.1X configuration of GigabitEthernet 1/0/1 Verifying the configuration After the user passes authentication and gets online, use the ping command to test whether ACL 3000 takes effect.

  • Page 393

    The ping page appears. Enter the destination IP address 10.0.0.1. Click Start to start the ping operation. Figure 350 shows the ping operation summary. Figure 350 Ping operation summary...

  • Page 394: Configuring Aaa, Aaa Overview

    Configuring AAA AAA overview Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It provides the following security functions: • Authentication—Identifies users and determines whether a user is valid. • Authorization—Grants different users different rights and controls their access to resources and...

  • Page 395: Recommended Aaa Configuration Procedure

    Figure 352 Determining the ISP domain of a user by the username The authentication, authorization, and accounting of a user depends on the AAA methods configured for the domain that the user belongs to. If no specific AAA methods are configured for the domain, the default methods are used.

  • Page 396: Configuring An Isp Domain

    Step: Configuring authorization methods for the ISP domain. Remarks: (Optional.) Specify the authorization methods for various types of users. By default, all types of users use local authorization. Step: Configuring accounting methods for the ISP domain. Remarks: (Optional.) Specify the accounting methods for various types of users. By default, all types of users use local accounting.

  • Page 397: Configuring Authentication Methods For The Isp Domain

    Default Domain: Specify whether to use the ISP domain as the default domain. Options include: • Enable—Uses the domain as the default domain. • Disable—Uses the domain as a non-default domain. There can only be one default domain at a time. If you specify a second domain as the default domain, the original default domain becomes a non-default domain.

  • Page 398: Configuring Authorization Methods For The Isp Domain

    Default AuthN, Name: Configure the default authentication method and secondary authentication method for all types of users. Options include: • HWTACACS—Performs HWTACACS authentication based on an HWTACACS scheme. The switch series does not support this option. • Local—Performs local authentication. •...

  • Page 399

    Figure 355 Authorization method configuration page Select the ISP domain and specify authorization methods for the ISP domain as described in Table 109. Click Apply. Click Close in the success message dialog box that appears. Table 109 Configuration items. Select an ISP domain: Select the ISP domain for which you want to specify authentication methods.

  • Page 400: Configuring Accounting Methods For The Isp Domain

    Login AuthZ, Name, Secondary Method: Configure the authorization method and secondary authorization method for login users. Options include: • HWTACACS—Performs authorization based on an HWTACACS scheme. The switch series does not support this option. • Local—Performs local authorization. • None—All users are trusted and authorized. A user gets the default rights of the system.

  • Page 401: Aaa Configuration Example

    Accounting Optional: Specify whether to enable the accounting optional feature. With the feature enabled, a user who would otherwise be disconnected can use the network resources even when there is no accounting server available or when communication with the current accounting server fails. If accounting for such a user fails, the switch no longer sends real-time accounting updates for the user.

  • Page 402

    Figure 357 Network diagram Configuration procedure Enable the Telnet server function, and configure the switch to use AAA for Telnet users. (Details not shown.) Configure IP addresses for the interfaces. (Details not shown.) Configure a local user: Select Device > Users from the navigation tree. Click the Create tab.

  • Page 403

    Figure 359 Configuring an ISP domain Configure the ISP domain to use local authentication: Select Authentication > AAA from the navigation tree. Click the Authentication tab. Select the domain test. Select Login AuthN and select the authentication method Local. Figure 360 Configuring the ISP domain to use local authentication Click Apply.

  • Page 404

    Figure 361 Configuration progress dialog box Configure the ISP domain to use local authorization: Select Authentication > AAA from the navigation tree. Click the Authorization tab. Select the domain test. Select Login AuthZ and select the authorization method Local. Click Apply. A configuration progress dialog box appears.

  • Page 405

    After the configuration process is complete, click Close. Figure 363 Configuring the ISP domain to use local accounting Verifying the configuration Telnet to the switch and enter the username telnet@test and password abcd. You should be served as a user in domain test.

  • Page 406: Configuring Portal Authentication

    Configuring portal authentication Overview Portal authentication helps control access to the Internet. It is also called "web authentication." A website implementing portal authentication is called a "portal website." With portal authentication, an access device redirects all users to the portal authentication page. All users can access the free services provided on the portal website.

  • Page 407

    Figure 364 Portal system components (authentication clients, access device, portal server, authentication/accounting server, security policy server) An authentication client is an entity seeking access to network resources. It is typically an end-user terminal, such as a PC. The client can use a browser or portal client software for portal authentication. Client security check is implemented through communications between the client and the security policy server.

  • Page 408: Portal System Using The Local Portal Server

    To implement security check, the client must be the HP iNode client. Portal authentication supports NAT traversal whether it is initiated by a web client or an HP iNode client. When the portal authentication client is on a private network, but the portal server is on a public network and the access device is enabled with NAT, network address translations performed on the access device do not affect portal authentication.

  • Page 409: Portal Authentication Modes, Portal Support For Eap

    Protocols used for interaction between the client and local portal server HTTP and HTTPS can be used for communication between an authentication client and an access device providing the local portal server function. If HTTP is used, there are potential security problems because HTTP packets are transferred in plain text.

  • Page 410: Layer 2 Portal Authentication Process

    Therefore, no additional configuration is needed on the access device. NOTE: • This function requires the cooperation of the HP IMC portal server and HP iNode portal client. • Only Layer 3 portal authentication that uses a remote portal server supports EAP authentication. •...

  • Page 411: Layer 3 Portal Authentication Process

    the access port according to the authorized ACL. You must configure the authorized ACLs on the access device if you specify authorized ACLs on the authentication server. To change the access right of a user, you can specify a different authorized ACL on the authentication server or change the rules of the corresponding authorized ACL on the device.

  • Page 412

    Based on the security check result, the security policy server authorizes the user to access certain resources, and sends the authorization information to the access device. The access device then controls access of the user based on the authorization information. Authentication process with the local portal server Figure 369 Authentication process with local portal server With local portal server, the direct/cross-subnet authentication process is as follows:...

  • Page 413

    The authentication client sends an EAP Request/Identity message to the portal server to initiate an EAP authentication process. The portal server sends a portal authentication request to the access device, and starts a timer to wait for the portal authentication reply. The portal authentication request contains several EAP-Message attributes, which are used to encapsulate the EAP packet sent from the authentication client and carry the certificate information of the client.

  • Page 414: Configuration Task List

    • To implement extended portal functions, install and configure IMC EAD, and make sure the ACLs configured on the access device correspond to those specified for the resources in the quarantined area and for the restricted resources on the security policy server. • On the access device, the security policy server address is the same as the authentication server address.

  • Page 415: Configuring The Layer 2 Portal Service

    Step: Configuring a portal-free rule. Remarks: Optional. Configure a portal-free rule, specifying the source and destination information for packet filtering. A portal-free rule allows specified users to access specified external websites without portal authentication. Packets matching a portal-free rule will not trigger portal authentication and the users can directly access the specified external websites.

  • Page 416

    TIP: The portal service applied on an interface may be in the following states: • Running—Indicates that portal authentication has taken effect on the interface. • Enabled—Indicates that portal authentication has been enabled on the interface but has not taken effect.

  • Page 417: Configuring The Layer 3 Portal Service

    Item: Online Detection Interval. Description: Set the Layer 2 portal user detection interval. After a Layer 2 portal user gets online, the device starts a detection timer for the user, and checks whether the user's MAC address entry has been aged out or the user's MAC address entry has been matched (a match means a packet has been received from the...

  • Page 418

    Figure 373 Applying a portal server to a Layer 3 interface Configure Layer 3 portal authentication as described in Table 112. Click Apply. Table 112 Configuration items Item Description Interface Select the Layer 3 interface to be enabled with portal authentication. Select the portal server to be applied on the selected interface.

  • Page 419

    Item Description Auth Network IP Enter the IP address and mask of the authentication subnet. This field is configurable when you select the Layer3 mode (cross-subnet portal authentication). By configuring an authentication subnet, you specify that only HTTP packets from users on the authentication subnet can trigger portal authentication.

  • Page 420: Configuring Advanced Parameters For Portal Authentication

    Figure 375 Configuring the local portal server Table 114 Configuration items Item Description Server Name Type a name for the local portal server. Type the IP address of the local portal server. You need to specify the IP address of the interface where the local portal server is applied.

  • Page 421

    Table 115 Configuration items Item Description Configure the web proxy server ports to allow HTTP requests proxied by the specified proxy servers to trigger portal authentication. By default, only HTTP requests that are not proxied can trigger portal authentication. To make sure that a user using a web proxy server can trigger portal authentication, you need to add the port number of the proxy server on the device and the user needs to specify the listening IP address of the local portal server as a proxy exception in the browser.

  • Page 422: Configuring A Portal-free Rule

    Configuring a portal-free rule: Select Authentication > Portal from the navigation tree. Click the Free Rule tab to enter the portal-free rule list page. Figure 377 Portal-free rule list. Click Add. The page for adding a new portal-free rule appears. Figure 378 Adding a portal-free rule. Configure a portal-free rule as described in Table...

  • Page 423: Portal Authentication Configuration Examples, Configuring Direct Portal Authentication

    Item: Source MAC. Description: Specify a source MAC address for the portal-free rule. IMPORTANT: If you configure both the source IP address and the source MAC address, make sure that the mask of the specified source IP address is 255.255.255.255. Otherwise, the specified source MAC address will not take effect.

  • Page 424

    Configure the RADIUS server properly to provide authentication and accounting functions for users. Perform the following configuration on the switch to implement direct portal authentication: Configure the RADIUS authentication server: Select Authentication > RADIUS from the navigation tree. The RADIUS server configuration page appears, as shown in Figure 380.

  • Page 425

    Configure RADIUS scheme system for exchanges between the device and the RADIUS servers: Click the RADIUS Setup tab. Select extended as the server type. Select the Authentication Server Shared Key box, enter the key expert, and then enter the key again in the Confirm Authentication Shared Key field.

  • Page 426

    Figure 383 Creating an ISP domain On the Authentication tab, select the ISP domain test, select the Default AuthN box, select RADIUS from the Default AuthN list, select system from the Name list to use it as the authentication scheme, and click Apply. A configuration progress dialog box appears.

  • Page 427

    A configuration progress dialog box appears. After the configuration process is complete, click Close. Figure 385 Configuring the authorization method for the ISP domain. On the Accounting tab, select the ISP domain test, select the Default Accounting box, select RADIUS from the Default Accounting list, select system from the Name list to use it as the accounting scheme, and click Apply.

  • Page 428: Configuring Cross-subnet Portal Authentication

    number 50100, and the redirection URL http://192.168.0.111:8080/portal for portal authentication, and click Apply. Figure 387 Applying the portal server to a Layer 3 interface. Configuring cross-subnet portal authentication. Network requirements: As shown in Figure 388, configure Switch A to perform cross-subnet portal authentication for users. Before passing portal authentication, the host can access only the portal server.

  • Page 429

    Figure 388 Network diagram (Switch A: Vlan-int2 192.168.0.100/24, Vlan-int4 20.20.20.1/24; Switch B: Vlan-int4 20.20.20.2/24, Vlan-int2 8.8.8.1/24; Host 8.8.8.2/24; Portal server 192.168.0.111/24; RADIUS server 192.168.0.112/24). Configuration procedure: Make sure that the IP address of the access device added on the portal server is the IP address of the interface connected to the host (20.20.20.1 in this example), and the IP address group associated with the access device is the subnet where the host resides (8.8.8.0/24 in this example).

  • Page 430

    On the RADIUS server configuration page, select Accounting Server as the server type, and enter the IP address 192.168.0.112 and port number 1813, select active from the Primary Server Status list, and click Apply. Figure 390 Configuring a RADIUS accounting server Configure RADIUS scheme system for exchanges between the device and the RADIUS servers: Click the RADIUS Setup tab.

  • Page 431

    Figure 391 Configuring the RADIUS scheme Configure AAA: Select Authentication > AAA from the navigation tree. On the Domain Setup tab, enter the domain name test, select Enable for the Default Domain field, and click Apply.

  • Page 432

    Figure 392 Creating an ISP domain On the Authentication tab, select the ISP domain test, select the Default AuthN box, select RADIUS from the Default AuthN list, select system from the Name list to use it as the authentication scheme, and click Apply. A configuration progress dialog box appears.

  • Page 433

    A configuration progress dialog box appears. After the configuration process is complete, click Close. Figure 394 Configuring the authorization method for the ISP domain. On the Accounting tab, select the ISP domain test, select the Default Accounting box, select RADIUS from the Default Accounting list, select system from the Name list to use it as the accounting scheme, and click Apply.

  • Page 434

    50100, and the redirection URL http://192.168.0.111:8080/portal for portal authentication, and click Apply. Figure 396 Applying the portal server to a Layer 3 interface. On Switch B, you must configure a default route to subnet 192.168.0.0/24 with the next hop as 20.20.20.1.

  • Page 435: Configuring Radius, Security And Authentication Mechanisms

    Configuring RADIUS. RADIUS is a protocol for implementing Authentication, Authorization, and Accounting (AAA). For more information about AAA, see "Configuring AAA." Overview: Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments with requirements for both high security and remote user access.

  • Page 436: Basic Radius Message Exchange Process

    security mechanism improves the security of RADIUS communication and prevents user passwords from being intercepted on insecure networks. A RADIUS server supports multiple user authentication methods. A RADIUS server can also act as the client of another AAA server to provide authentication proxy services. Basic RADIUS message exchange process: Figure 398 illustrates the interactions between the host, the RADIUS client, and the RADIUS server.

  • Page 437: Radius Packet Format

    RADIUS packet format RADIUS uses UDP to transmit messages. To ensure smooth message exchange between the RADIUS server and the client, RADIUS uses a series of mechanisms, including the timer management mechanism, the retransmission mechanism, and the backup server mechanism. Figure 399 shows the RADIUS packet format.

  • Page 438

    • The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS server and to encrypt user passwords. There are two types of authenticators: request authenticator and response authenticator. • The Attributes field (variable in length) carries the specific authentication, authorization, and accounting information that defines the configuration details of the request or response.

  • Page 439: Extended Radius Attributes

    Attribute Attribute Class ARAP-Zone-Access Vendor-Specific ARAP-Security Session-Timeout ARAP-Security-Data Idle-Timeout Password-Retry Termination-Action Prompt Called-Station-Id Connect-Info Calling-Station-Id Configuration-Token NAS-Identifier EAP-Message Proxy-State Message-Authenticator Login-LAT-Service Tunnel-Private-Group-id Login-LAT-Node Tunnel-Assignment-id Login-LAT-Group Tunnel-Preference Framed-AppleTalk-Link ARAP-Challenge-Response Framed-AppleTalk-Network Acct-Interim-Interval Framed-AppleTalk-Zone Acct-Tunnel-Packets-Lost Acct-Status-Type NAS-Port-Id Acct-Delay-Time Framed-Pool Acct-Input-Octets (unassigned) Acct-Output-Octets Tunnel-Client-Auth-id Acct-Session-Id Tunnel-Server-Auth-id Extended RADIUS attributes...

  • Page 440: Recommended Radius Configuration Procedure, Configuring Radius Servers

    Figure 400 Format of attribute 26. Protocols and standards: • RFC 2865, Remote Authentication Dial In User Service (RADIUS) • RFC 2866, RADIUS Accounting • RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support • RFC 2868, RADIUS Attributes for Tunnel Protocol Support •...

  • Page 441

    Figure 401 RADIUS Server page. Configure the RADIUS server parameters as described in Table 119. Click Apply. Table 119 Configuration items. Item: Server Type. Description: Specify the type of the server to be configured, which can be Authentication Server and Accounting Server. Specify the IP address of the primary server.

  • Page 442: Configuring Radius Communication Parameters

    Item: Secondary Server Status. Description: Status of the secondary server, including: • Active—The server is working normally. • Blocked—The server is down. If the IP address of the secondary server is not specified or the specified IP address is to be removed, the status is Blocked. Configuring RADIUS communication parameters: Select Authentication >...

  • Page 443

    Table 120 Configuration items. Item: Server Type. Description: Specify the type of the RADIUS server supported by the switch, including: • Extended—Specifies an extended RADIUS server (offered by IMC). The RADIUS client and RADIUS server communicate using the proprietary RADIUS protocol and packet format. •...

  • Page 444: Radius Configuration Example

    Item: Username Format. Description: Set the format of the username sent to the RADIUS server. A username is generally in the format of userid@isp-name, of which isp-name is used by the switch to determine the ISP domain to which a user belongs. If a RADIUS server does not accept a username including an ISP domain name, you can configure the switch to remove the domain name of a username before sending it to the...

  • Page 445

    Figure 403 Network diagram Configuration procedure Enable the Telnet server function, and configure the switch to use AAA for Telnet users. (Details not shown.) Configure IP addresses for the interfaces. (Details not shown.) Configure RADIUS scheme system: # Configure the RADIUS authentication server. Select Authentication >...

  • Page 446

    Select active as the primary server status. Click Apply. Figure 405 Configuring the RADIUS accounting server # Configure the RADIUS communication parameters. Select Authentication > RADIUS from the navigation tree and then click the RADIUS Setup tab. The RADIUS parameter configuration page appears. Configure the following parameters, as shown in Figure 406.

  • Page 447

    Figure 406 Configuring RADIUS communication parameters Configure AAA: # Create an ISP domain. Select Authentication > AAA from the navigation tree. The domain setup page appears. Configure the following parameters, as shown in Figure 407. Enter test in the Domain Name field. Select Enable to use the domain as the default domain.

  • Page 448

    Figure 407 Adding an ISP domain # Configure the authentication method for the ISP domain. Select Authentication > AAA from the navigation tree, and then click the Authentication tab. Configure the following parameters, as shown in Figure 408. Select the domain name test. Select the Default AuthN box and then select RADIUS as the authentication mode.

  • Page 449

    Figure 409 Configuration progress dialog box # Configure the authorization method for the ISP domain. Select Authentication > AAA from the navigation tree, and then click the Authorization tab. Configure the following parameters, as shown in Figure 410. Select the domain name test. Select the Default AuthZ box and then select RADIUS as the authorization mode.

  • Page 450

    Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close. Figure 411 Configuring the accounting method for the ISP domain. Configuration guidelines: When you configure the RADIUS client, follow these guidelines: • The specified server status is dynamic information, which cannot be saved in the configuration file. •...

  • Page 451

    communication, you need to manually change the status of the secondary server to active; otherwise, no primary/secondary server switchover will take place.

  • Page 452: Configuring Users And User Groups, Configuring A Local User

    Configuring users and user groups. Overview: You can configure local users and user groups on the switch series. A local user represents a set of user attributes configured on a switch (such as the user password, user type, service type, and authorization attribute), and is uniquely identified by the username. For a user requesting a network service to pass local authentication, you must add an entry as required in the local user database of the switch.

  • Page 453

    Items: Password, Confirm. IMPORTANT: HP recommends that you do not specify a password starting with spaces because spaces at the beginning of the password string will be ignored, but they count at the user login page. Select a user group for the local user.

  • Page 454: Configuring A User Group

    Item: Level. Description: Select an authorization level for the local user, which can be Visitor, Monitor, Configure, or Management, in ascending order of priority. This option is effective only for FTP, Telnet, and SSH users. Item: VLAN. Description: Specify the VLAN to be authorized to the local user after the user passes authentication. This option is effective only for LAN-access and portal users.

  • Page 455

    Figure 415 User group configuration page. Configure the user group as described in Table 123. Click Apply. Table 123 Configuration items. Item: Group-name. Description: Specify a name for the user group. Item: Level. Description: Select an authorization level for the user group, which can be Visitor, Monitor, Configure, or Management, in ascending order of priority.

  • Page 456: Configuring Pki

    Configuring PKI PKI overview The Public Key Infrastructure (PKI) is a hierarchical framework designed for providing information security through public key technologies and digital certificates and verifying the identities of the digital certificate owners. PKI employs digital certificates, which are bindings of certificate owner identity information and public keys.

  • Page 457: Pki Applications

    Figure 416 PKI architecture Entity An entity is an end user of PKI products or services, such as a person, an organization, a device like a router or a switch, or a process running on a computer. A certificate authority (CA) is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing CRLs.

  • Page 458: How Pki Operates

    Secure email: Emails require confidentiality, integrity, authentication, and non-repudiation. PKI can address these needs. The secure email protocol that is developing rapidly is Secure/Multipurpose Internet Mail Extensions (S/MIME), which is based on PKI and allows for transfer of encrypted mails with signature. Web security: For Web security, two peers can establish a Secure Sockets Layer (SSL) connection first for transparent and secure communications at the application layer.

  • Page 459

    Step: Creating a PKI entity. Remarks: (Required.) Create a PKI entity and configure the identity information. A certificate is the binding of a public key and the identity information of an entity, where the identity information is identified by an entity distinguished name (DN).

  • Page 460: Recommended Configuration Procedure For Automatic Request

    Step Remarks (Required.) When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate. A certificate request can be submitted to a CA in online mode or offline mode.

  • Page 461: Creating A Pki Entity

    Task: Destroying the RSA key pair. Remarks: (Optional.) Destroy the existing RSA key pair and the corresponding local certificate. If the certificate to be retrieved contains an RSA key pair, you need to destroy the existing key pair. Otherwise, the retrieving operation will fail. Task: Retrieving and displaying a certificate. Remarks: (Optional.)...

  • Page 462: Creating A Pki Domain

    Figure 418 PKI entity configuration page Configure the parameters as described in Table 124. Click Apply. Table 124 Configuration items Item Description Entity Name Enter the name for the PKI entity. Common Name Enter the common name for the entity. IP Address Enter the IP address of the entity.

  • Page 463

    Figure 419 PKI domain list Click Add. Click Advanced Configuration to display the advanced configuration items. Figure 420 PKI domain configuration page Configure the parameters as described in Table 125. Click Apply.

  • Page 464

    Table 125 Configuration items. Item: Domain Name. Description: Enter the name for the PKI domain. Item: CA Identifier. Description: Enter the identifier of the trusted CA. An entity requests a certificate from a trusted CA. The trusted CA takes the responsibility of certificate registration, distribution, revocation, and query. In offline mode, this item is optional.

  • Page 465: Generating An Rsa Key Pair

    Item: Polling Interval. Description: After an entity makes a certificate request, the CA might need a long period of time if it verifies the certificate request in manual mode. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed.

  • Page 466: Destroying The Rsa Key Pair, Retrieving And Displaying A Certificate

    Figure 422 Key pair parameter configuration page Destroying the RSA key pair Select Authentication > PKI from the navigation tree. Click the Certificate tab. Click Destroy Key. Click Apply to destroy the existing RSA key pair and the corresponding local certificate. Figure 423 Key pair destruction page Retrieving and displaying a certificate You can retrieve an existing CA certificate or local certificate from the CA server and save it locally.

  • Page 467

    Figure 424 PKI certificate retrieval page. Configure the parameters as described in Table 126. Click Apply. Table 126 Configuration items. Item: Domain Name. Description: Select the PKI domain for the certificate. Item: Certificate Type. Description: Select the type of the certificate to be retrieved, which can be CA or local. Item: Enable Offline. Description: Click this box to retrieve a certificate in offline mode (that is, by an out-of-band means like FTP, disk, or email) and then import the certificate into the local PKI system.

  • Page 468: Requesting A Local Certificate

    Figure 425 Certificate information Requesting a local certificate Select Authentication > PKI from the navigation tree. Click the Certificate tab. Click Request Cert. Figure 426 Local certificate request page...

  • Page 469: Retrieving And Displaying A Crl

    Configure the parameters as described in Table 127. Table 127 Configuration items. Item: Domain Name. Description: Select the PKI domain for the certificate. Item: Password. Description: Enter the password for certificate revocation. Item: Enable Offline Mode. Description: Select this box to request a certificate in offline mode, that is, by an out-of-band means like FTP, disk, or email.

  • Page 470

    Figure 429 CRL information. Table 128 Field description. Version: CRL version number. Signature Algorithm: Signature algorithm that the CRL uses. Issuer: CA that issued the CRL. Last Update: Last update time. Next Update: Next update time. X509v3 Authority Key Identifier: Identifier of the CA that issued the certificate and the certificate version (X509v3).

  • Page 471: Pki Configuration Example

    PKI configuration example. Network requirements: As shown in Figure 430, configure the switch that acts as the PKI entity, so that: • The switch submits a local certificate request to the CA server, which runs the RSA Keon software. • The switch retrieves CRLs for certificate verification.

  • Page 472

    Figure 431 Creating a PKI entity Create a PKI domain: Click the Domain tab. Click Add. The page in Figure 432 appears. Enter torsa as the PKI domain name, enter myca as the CA identifier, select aaa as the local entity, select CA as the authority for certificate request, enter http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337 as the URL for certificate request (the URL must be in the format of http://host:port/Issuing Jurisdiction ID,...

  • Page 473

    Figure 432 Creating a PKI domain Generate an RSA key pair: Click the Certificate tab. Click Create Key. Enter 1024 as the key length, and click Apply to generate an RSA key pair. Figure 433 Generating an RSA key pair Retrieve the CA certificate: Click the Certificate tab.

  • Page 474

    Figure 434 Retrieving the CA certificate. Request a local certificate: Click the Certificate tab. Click Request Cert. Select torsa as the PKI domain, select Password, and enter challenge-word as the password. Click Apply. The system displays "Certificate request has been submitted." Click OK to finish the operation.

  • Page 475

    Verifying the configuration After the configuration, select Authentication > PKI > Certificate from the navigation tree to view detailed information about the retrieved CA certificate and local certificate, or select Authentication > PKI > CRL from the navigation tree to view detailed information about the retrieved CRL. Configuration guidelines When you configure PKI, follow these guidelines: Make sure the clocks of entities and the CA are synchronous.

  • Page 476: Configuring Authorized Ip

    Configuring authorized IP Overview The authorized IP function is to associate the HTTP or Telnet service with an ACL to filter the requests of clients. Only the clients that pass the ACL filtering can access the device. Configuring authorized IP Select Security >...

  • Page 477: Authorized Ip Configuration Example

    Table 129 Configuration items. Telnet: Item: IPv4 ACL. Description: Associate the Telnet service with an IPv4 ACL. You can configure the IPv4 ACL to be selected by selecting QoS > ACL IPv4. Item: IPv6 ACL. Description: Associate the Telnet service with an IPv6 ACL. You can configure the IPv6 ACL to be selected by selecting QoS >...

  • Page 478

    Figure 439 Creating an ACL. Configure an ACL rule to permit Host B: Click the Basic Setup tab. The page for configuring an ACL rule appears. Select 2001 from the ACL list, select Permit from the Action list, select the Source IP Address box and then enter 10.1.1.3, and enter 0.0.0.0 in the Source Wildcard field.

  • Page 479

    Select 2001 for IPv4 ACL in the Telnet field, and select 2001 for IPv4 ACL in the Web (HTTP) field. Click Apply. Figure 441 Configuring authorized IP...

  • Page 480: Configuring Port Isolation, Configuring The Isolation Group

    Configuring port isolation Overview Usually, Layer 2 traffic isolation is achieved by assigning ports to different VLANs. To save VLAN resources, port isolation is introduced to isolate ports within a VLAN, allowing for great flexibility and security. The switch series supports only one isolation group that is created automatically by the system as isolation group 1.

  • Page 481: Port Isolation Configuration Example

    Table 130 Configuration items. Item: Config type. Description: Specify the role of the port or ports in the isolation group. • Isolated port—Assign the port or ports to the isolation group as an isolated port or ports. • Uplink port—Assign the port to the isolation group as the uplink port. This option is not available for the switch series.

  • Page 482

    Select 2, 3, and 4 on the chassis front panel. The numbers represent ports GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4 respectively. Figure 444 Configure isolated ports for the isolation group Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close. Viewing information about the isolation group Click Summary.

  • Page 483: Configuring Acls, Acl Overview, Acl Categories, Match Order

    Configuring ACLs NOTE: Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document. ACL overview An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number. ACLs are essentially used for packet filtering.

  • Page 484: Acl Rule Numbering

    Table 132 Depth-first match for ACLs. ACL category: IPv4 basic ACL. Sequence of tie breakers: more 0s in the source IP address wildcard (more 0s means a narrower IP address range); smaller rule ID. ACL category: IPv4 advanced ACL. Sequence of tie breakers: specific protocol type rather than IP (IP represents any protocol over IP); more 0s in the source IP address wildcard mask; more 0s in the destination IP address wildcard...

  • Page 485: Ipv4 Fragments Filtering With Acls

    Attackers can fabricate non-first fragments to attack networks. To avoid the risks, the HP ACL implementation filters unfragmented packets and all fragments (including non-first fragments) by default. To improve the match efficiency, you can change the default packet matching policy.

  • Page 486: Configuring A Time Range

    Step 2. Adding an IPv6 ACL. Remarks: Required. Add an IPv6 ACL. The category of the added IPv6 ACL depends on the ACL number that you specify. Step 3. Configuring a rule for a basic IPv6 ACL; Step 4. Configuring a rule for an advanced IPv6 ACL. Remarks: Required. Complete one of the tasks according to the ACL category.

  • Page 487: Adding An Ipv4 Acl

    Item: Start Time. Description: Set the start time of the periodic time range. Item: End Time. Description: Set the end time of the periodic time range. The end time must be greater than the start time. Periodic Time Range: You can define both a... Item: Sun, Mon, ... Description: Select the day or days of the week on which the...

  • Page 488: Configuring A Rule For A Basic Ipv4 Acl

    Item: Match Order. Description: Set the match order of the ACL. Available values are: • Config—Packets are compared against ACL rules in the order that the rules are configured. • Auto—Packets are compared against ACL rules in the depth-first match order. Configuring a rule for a basic IPv4 ACL: Select QoS >...

  • Page 489: Configuring A Rule For An Advanced Ipv4 Acl

    Item: Rule ID. Description: Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically. NOTE: If the rule number you specify already exists, the following operations modify the configuration of the rule.

  • Page 490

    Figure 449 Configuring an advanced IPv4 ACL Configure a rule for an advanced IPv4 ACL as described in Table 136. Click Add. Table 136 Configuration items Item Description Select the advanced IPv4 ACL for which you want to configure rules. Available ACLs are advanced IPv4 ACLs.

  • Page 491

    Item: Rule ID. Description: Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically. NOTE: If the rule number you specify already exists, the following operations modify the configuration of the rule.

  • Page 492: Configuring A Rule For An Ethernet Frame Header Acl

    Item Description • Not Check—The following port number fields cannot be configured. • Range—The following port number fields must be configured to define a port range. • Other values—The first port number field must be configured and the second must not. IMPORTANT: DSCP Specify the DSCP value.

  • Page 493

    Figure 450 Configuring a rule for an Ethernet frame header ACL Configure a rule for an Ethernet frame header IPv4 ACL as described in Table 137. Click Add. Table 137 Configuration items Item Description Select the Ethernet frame header IPv4 ACL for which you want to configure rules.

  • Page 494: Adding An Ipv6 Acl

    Item: Action. Description: Select the action to be performed for packets matching the rule. • Permit—Allows matched packets to pass. • Deny—Drops matched packets. Item: Source MAC Address. Description: Select the Source MAC Address box and enter a source MAC address and a mask.

  • Page 495: Configuring A Rule For A Basic Ipv6 Acl

    Click Apply. Table 138 Configuration items. Item: ACL Number. Description: Enter a number for the IPv6 ACL. Item: Match Order. Description: Select a match order for the ACL. Available values are: • Config—Packets are compared against ACL rules in the order the rules are configured.

  • Page 496: Configuring A Rule For An Advanced Ipv6 Acl

    Item: Rule ID. Description: Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically. IMPORTANT: If the rule number you specify already exists, the following operations modify the configuration of the rule.

  • Page 497

    Figure 453 Configuring a rule for an advanced IPv6 ACL Add a rule for an advanced IPv6 ACL. Click Add. Table 140 Configuration items Item Description Select Access Control List (ACL) Select the advanced IPv6 ACL for which you want to configure rules. Select the Rule ID box and enter a number for the rule.

  • Page 498

Operation: Select the operation to be performed for IPv6 packets matching the rule. • Permit—Allows matched packets to pass. • Deny—Drops matched packets. Check Fragment: Select this box to apply the rule to only non-first fragments. If you do not select this box, the rule applies to all fragments and non-fragments.

  • Page 499

Configuration guidelines When you configure an ACL, follow these guidelines: • You cannot add a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL. • You can only modify the existing rules of an ACL that uses the match order of config. When...

  • Page 500: Configuring Qos, Introduction To Qos, Networks Without Qos Guarantee, Qos Requirements Of New Applications

Configuring QoS Introduction to QoS Quality of Service (QoS) reflects the ability of a network to meet customer needs. In an internetwork, QoS evaluates the ability of the network to forward packets of different services. The evaluation can be based on different criteria because the network may provide various services. Generally, QoS performance is measured in terms of bandwidth, delay, jitter, and packet loss ratio during the packet forwarding process.

  • Page 501

Causes Congestion easily occurs in complex packet switching circumstances in the Internet. Figure 454 shows two common cases: Figure 454 Traffic congestion causes • The traffic enters a device from a high speed link and is forwarded over a low speed link. • The packet flows enter a device from several incoming interfaces and are forwarded out of an...

  • Page 502: Traffic Classification

End-to-end QoS Figure 455 End-to-end QoS model: traffic classification, traffic policing, congestion management, congestion avoidance, and traffic shaping, repeated at each node along the forwarding path. As shown in Figure...

  • Page 503: Packet Precedences

    When packets are classified on the network boundary, the precedence bits in the ToS field of the IP packet header are generally re-set. In this way, IP precedence can be directly used to classify the packets in the network. IP precedence can also be used in queuing to prioritize traffic. The downstream network can either use the classification results from its upstream network or classify the packets again according to its own criteria.

  • Page 504

Table 142 Description on DSCP values
DSCP value (decimal)  DSCP value (binary)  Description
46                    101110               ef
10                    001010               af11
12                    001100               af12
14                    001110               af13
18                    010010               af21
20                    010100               af22
22                    010110               af23
26                    011010               af31
28                    011100               af32
30                    011110               af33
34                    100010               af41
36                    100100               af42
38                    100110               af43
8                     001000               cs1
16                    010000               cs2
24                    011000               cs3
32                    100000               cs4
40                    101000               cs5
...

  • Page 505: Queue Scheduling

Figure 458 802.1Q tag header: bytes 1 and 2 carry the TPID (Tag protocol identifier), whose bit pattern 1000 0001 0000 0000 is 0x8100; bytes 3 and 4 carry the TCI (Tag control information), whose three most significant bits are the Priority field and whose low 12 bits are the VLAN ID...
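The two priority fields the preceding pages describe (the 802.1p Priority bits in the TCI, and IP precedence / DSCP in the ToS byte, with the DSCP keywords of Table 142) are easy to get wrong by one bit when writing classifiers or parsers, so here is an added Python example that extracts them from a tagged or untagged Ethernet frame and re-marks the DSCP the way a boundary device does. This is example code written for this page, not the switch's own logic; the frame bytes are constructed inline (PCP 5, VLAN 100, DSCP 46), and the `dscp_name` mapping for values outside Table 142 (for example `be` for DSCP 0) follows the standard DSCP keywords rather than anything shown on the page.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed sample frame (not a real capture): Ethernet II + 802.1Q tag
# (PCP 5, CFI 0, VLAN 100) + a 20-byte IPv4 header whose ToS byte is 0xB8
# (DSCP 46 = EF, ECN 0), 10.0.0.1 -> 10.1.1.1, protocol 6 (TCP). The IPv4
# checksum is deliberately left at 0 so remark_dscp() has to compute it.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455"          # destination MAC
    "66778899aabb"          # source MAC
    "8100"                  # TPID 0x8100: 802.1Q tagged
    "a064"                  # TCI: 101 0 000001100100 -> PCP 5, CFI 0, VID 100
    "0800"                  # EtherType IPv4
    "45b8" "0028" "0000"    # version/IHL, ToS 0xB8, total length 40, identification
    "4000" "4006" "0000"    # flags/fragment offset, TTL 64, protocol TCP, checksum 0
    "0a000001" "0a010101"   # source 10.0.0.1, destination 10.1.1.1
)


def dscp_name(dscp: int) -> str:
    """Keyword for a DSCP value, following Table 142 (af11..af43, cs1..cs7, ef)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    if dscp == 46:                          # 101110
        return "ef"
    if dscp == 0:
        return "be"                         # best effort (default class)
    cls, drop = dscp >> 3, (dscp >> 1) & 0x3
    if (dscp & 0x7) == 0:                   # xxx000: class selector
        return f"cs{cls}"
    if 1 <= cls <= 4 and drop in (1, 2, 3) and (dscp & 1) == 0:
        return f"af{cls}{drop}"             # e.g. 001010 -> af11, 100110 -> af43
    return f"dscp{dscp}"                    # no standard keyword


def parse_priorities(frame: bytes) -> dict:
    """Extract the 802.1p priority (CoS), VLAN ID, IP precedence and DSCP of a frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    result = {"tagged": False, "pcp": None, "vid": None}
    ip_off = 14
    if ethertype == TPID_8021Q:             # tag present: TCI follows the TPID
        tci = struct.unpack("!H", frame[14:16])[0]
        result.update(tagged=True, pcp=tci >> 13, vid=tci & 0x0FFF)
        ethertype = struct.unpack("!H", frame[16:18])[0]
        ip_off = 18
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4: EtherType 0x{ethertype:04x}")
    tos = frame[ip_off + 1]                 # ToS byte: 3 precedence bits / 6 DSCP bits
    result.update(ip_precedence=tos >> 5, dscp=tos >> 2, dscp_name=dscp_name(tos >> 2))
    return result


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum; returns 0 when run over a header whose checksum is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def remark_dscp(frame: bytes, dscp: int) -> bytes:
    """Re-set the DSCP at the network boundary, keeping the ECN bits and fixing the checksum."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip_off = 18 if ethertype == TPID_8021Q else 14
    ihl = (frame[ip_off] & 0x0F) * 4
    hdr = bytearray(frame[ip_off:ip_off + ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"                # checksum is computed with the field zeroed
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return frame[:ip_off] + bytes(hdr) + frame[ip_off + ihl:]


if __name__ == "__main__":
    print(parse_priorities(SAMPLE_FRAME))
    print(parse_priorities(remark_dscp(SAMPLE_FRAME, 0)))
```

The point a practitioner should take from the re-marking path: a device that trusts the DSCP or 802.1p value a host sends is letting that host choose its own queue, which is why the boundary re-sets the bits and why the IPv4 header checksum must be recomputed after doing so.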

  • Page 506

    Figure 459 SP queuing A typical switch provides eight queues per port. As shown in Figure 459, SP queuing classifies eight queues on a port into eight classes, numbered 7 to 0 in descending priority order. SP queuing schedules the eight queues strictly according to the descending order of priority. It sends packets in the queue with the highest priority first.

  • Page 507: Line Rate

    A typical switch provides eight output queues per port. WRR assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0) to decide the proportion of resources assigned to the queue. On a 100 Mbps port, you can set the weight values of WRR queuing to 50, 30, 10, 10, 50, 30, 10, and 10 (corresponding to w7, w6, w5, w4, w3, w2, w1, and w0, respectively).
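The difference between the two scheduling modes on the preceding pages (SP on page 506, WRR with the weights 50, 30, 10, 10, 50, 30, 10, 10 above) is easiest to see by simulating eight saturated queues. The following Python simulation is an added example written for this page, not code from the switch; the packet backlogs are constructed, all packets are assumed to be the same size, and the link is assumed to be 100 Mbps as in the page's example.

```python
from collections import deque

# The page's WRR weights for a 100 Mbps port, given as w7 .. w0; stored here
# keyed by queue number so the schedulers can index them directly.
WRR_WEIGHTS = {7: 50, 6: 30, 5: 10, 4: 10, 3: 50, 2: 30, 1: 10, 0: 10}
LINK_MBPS = 100


def saturated_queues(packets_per_queue: int = 1000) -> list:
    """Eight per-port output queues, each holding a constructed backlog of packet IDs."""
    return [deque(f"q{q}-{i}" for i in range(packets_per_queue)) for q in range(8)]


def schedule_sp(queues: list, slots: int) -> list:
    """Strict Priority: every transmit slot goes to the highest-numbered non-empty queue."""
    served = [0] * 8
    for _ in range(slots):
        for q in range(7, -1, -1):
            if queues[q]:
                queues[q].popleft()
                served[q] += 1
                break
        else:
            break                            # every queue drained
    return served


def schedule_wrr(queues: list, weights: dict, slots: int) -> list:
    """Weighted Round Robin: each round serves up to w_q packets from every queue q."""
    served = [0] * 8
    remaining = slots
    while remaining and any(queues):
        for q in range(7, -1, -1):
            for _ in range(weights[q]):
                if not remaining or not queues[q]:
                    break
                queues[q].popleft()
                served[q] += 1
                remaining -= 1
    return served


def bandwidth_share(served: list, link_mbps: int = LINK_MBPS) -> list:
    """Mbps each queue obtained, assuming equal-sized packets and a saturated link."""
    total = sum(served)
    return [round(link_mbps * n / total, 2) if total else 0.0 for n in served]


def wrr_nominal_share(weights: dict, link_mbps: int = LINK_MBPS) -> list:
    """The share WRR guarantees each queue: w_q / sum(w) of the link rate."""
    total = sum(weights.values())
    return [round(link_mbps * weights[q] / total, 2) for q in range(8)]


if __name__ == "__main__":
    print("SP  Mbps per queue 0..7:", bandwidth_share(schedule_sp(saturated_queues(), 2000)))
    print("WRR Mbps per queue 0..7:", bandwidth_share(schedule_wrr(saturated_queues(), WRR_WEIGHTS, 2000)))
```

With every queue backlogged, SP hands the whole link to queue 7 and then queue 6 and never reaches queue 0, which is the starvation the page warns about; WRR delivers exactly w_q / 200 of the link to each queue (25 Mbps to queue 7, 5 Mbps to queue 0). Operationally that is also why control-plane or management traffic placed in the top SP queue needs a policer in front of it: an attacker who can get packets into that queue otherwise starves everything below it.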

  • Page 508: Priority Mapping

A token bucket has the following configurable parameters: • Mean rate—Rate at which tokens are put into the bucket, or the permitted average rate of traffic. It is usually set to the committed information rate (CIR). • Burst size—The capacity of the token bucket, or the maximum traffic size permitted in each burst. It...
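To make the two parameters concrete, here is an added Python token-bucket policer (written for this page, not the switch's implementation) with the mean rate set to a CIR and the bucket capacity set to the burst size. The packet trace is constructed: CIR 8 kbit/s (1000 bytes per second) and a 1500-byte burst, chosen small so the arithmetic can be followed by hand.

```python
class TokenBucket:
    """Single-rate token bucket policer: mean rate = CIR, burst size = bucket capacity."""

    def __init__(self, cir_bps: int, burst_bytes: int, start: float = 0.0):
        self.bytes_per_s = cir_bps / 8.0      # tokens (bytes) added per second
        self.capacity = float(burst_bytes)    # bucket can never hold more than the burst size
        self.tokens = float(burst_bytes)      # bucket starts full
        self.last = start

    def refill(self, now: float) -> float:
        """Add tokens for the time elapsed since the last packet, capped at the burst size."""
        if now < self.last:
            raise ValueError("clock went backwards")
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.bytes_per_s)
        self.last = now
        return self.tokens

    def police(self, length: int, now: float) -> str:
        """'conform' (tokens consumed) or 'exceed' (drop or re-mark, nothing consumed)."""
        self.refill(now)
        if length <= self.tokens:
            self.tokens -= length
            return "conform"
        return "exceed"


def police_trace(cir_bps: int, burst_bytes: int, packets: list) -> list:
    """Run a list of (arrival_time_s, length_bytes) through one bucket; return verdicts."""
    bucket = TokenBucket(cir_bps, burst_bytes)
    return [(t, n, bucket.police(n, t)) for t, n in packets]


# Constructed trace (not captured traffic): two back-to-back 1500-byte packets at t=0,
# a 1000-byte and a 100-byte packet one second later, and a 1500-byte packet at t=3.
SAMPLE_TRACE = [(0.0, 1500), (0.0, 1500), (1.0, 1000), (1.0, 100), (3.0, 1500)]

if __name__ == "__main__":
    for t, n, verdict in police_trace(8000, 1500, SAMPLE_TRACE):
        print(f"t={t:4.1f}s {n:5d} B  {verdict}")
```

Two things the trace shows that the parameter list alone does not: the burst size, not the CIR, decides how much a flood gets through before the policer bites (the first 1500 bytes conform at t=0 with no rate applied at all), and a packet longer than the burst size can never conform, so a burst size below the interface MTU silently drops every full-size frame.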

  • Page 509: Introduction To Priority Mapping Tables

• Local precedence is a locally significant precedence that the device assigns to a packet. A local precedence value corresponds to an output queue. Packets with the highest local precedence are processed preferentially. The device provides the following priority trust modes on a port: • Trust packet priority—The device assigns to the packet the priority parameters corresponding to the...

  • Page 510: Recommended Qos Configuration Procedures

Input CoS value / Local precedence (Queue) / DSCP (column headings of the preceding mapping table). Table 145 The default DSCP to CoS/DSCP to Queue mapping table: Input DSCP value ranges 0 to 7, 8 to 15, 16 to 23, 24 to 31, 32 to 39, 40 to 47, 48 to 55, and 56 to 63, each mapped to a local precedence (queue). NOTE:...

  • Page 511

Table 146 Recommended QoS policy configuration procedure: 1. Adding a class (Required): Add a class and specify the logical relationship between the match criteria in the class. 2. Configuring classification rules (Required): Configure match criteria for the class. 3.

  • Page 512: Adding A Class

Recommended priority trust mode configuration procedure: 1. Configuring priority trust mode on a port (Required): Set the priority trust mode of a port. Adding a class: Select QoS > Classifier from the navigation tree. Click the Create tab to enter the page for adding a class. Figure 464 Adding a class. Add a class as described in Table...

  • Page 513: Configuring Classification Rules

    Configuring classification rules Select QoS > Classifier from the navigation tree. Click Setup to enter the page for setting a class. Figure 465 Configuring classification rules Configure classification rules for a class as described in Table 148. Click Apply.

  • Page 514

Table 148 Configuration items: Please select a classifier: Select an existing classifier from the list. Define a rule to match all packets: Select the box to match all packets. Define a rule to match DSCP values: If multiple such rules are configured for a class, the new configuration does not overwrite the previous one.

  • Page 515: Adding A Traffic Behavior

    Item Description Define a rule to match service VLAN IDs. If multiple such rules are configured for a class, the new configuration does not overwrite the previous one. You can configure multiple VLAN IDs each time. If the same VLAN ID is specified multiple times, the system considers them as one.

  • Page 516: Configuring Traffic Redirecting For A Traffic Behavior

Add a traffic behavior as described in Table 149. Click Create. Table 149 Configuration items: Behavior name: Specify a name for the behavior to be added. Configuring traffic redirecting for a traffic behavior Select QoS > Behavior from the navigation tree. Click Port Setup to enter the port setup page for a traffic behavior.

  • Page 517: Configuring Other Actions For A Traffic Behavior

    Configuring other actions for a traffic behavior Select QoS > Behavior from the navigation tree. Click Setup to enter the page for setting a traffic behavior. Figure 468 Setting a traffic behavior Configure other actions for a traffic behavior as described in Table 151.

  • Page 518: Adding A Policy

Table 151 Configuration items: Please select a behavior: Select an existing behavior in the list. IP Precedence: Configure the action of marking IP precedence for packets. Select the IP Precedence box and then select the IP precedence value to be marked for packets in the following list. Select Not Set to cancel the action of marking IP precedence.

  • Page 519: Configuring Classifier-behavior Associations For The Policy

Figure 469 Adding a policy. Add a policy as described in Table 152. Click Create. Table 152 Configuration items: Policy Name: Specify a name for the policy to be added. Configuring classifier-behavior associations for the policy Select QoS > QoS Policy from the navigation tree. Click Setup to enter the page for setting a policy.

  • Page 520: Applying A Policy To A Port, Configuring Queue Scheduling On A Port

Configure a classifier-behavior association for a policy as described in Table 153. Click Apply. Table 153 Configuration items: Please select a policy: Select an existing policy in the list. Classifier Name: Select an existing classifier in the list. Behavior Name: Select an existing behavior in the list.

  • Page 521: Configuring Line Rate On A Port

    Figure 472 Configuring queue scheduling Configure queue scheduling on a port as described in Table 155. Click Apply. Table 155 Configuration items Item Description Enable or disable the WRR queue scheduling mechanism on selected ports. The following options are available: •...

  • Page 522: Configuring Priority Mapping Tables

Figure 473 Configuring line rate on a port. Configure line rate on a port as described in Table 156. Click Apply. Table 156 Configuration items: Please select an interface type: Select the types of interfaces to be configured with line rate. Rate Limit: Enable or disable line rate on the specified port.

  • Page 523: Configuring Priority Trust Mode On A Port

Figure 474 Configuring priority mapping tables. Configure a priority mapping table as described in Table 157. Click Apply. Table 157 Configuration items: Mapping Type: Select the priority mapping table to be configured, which can be CoS to DSCP, CoS to Queue, DSCP to CoS, DSCP to DSCP, or DSCP to Queue. Input Priority Value: Set the output priority value for an input priority value.

  • Page 524

Figure 475 Configuring port priority. Click the icon for a port to enter the page for modifying port priority. Figure 476 The page for modifying port priority. Configure the port priority for a port as described in Table 158. Click Apply...

  • Page 525

    Configuration guidelines If an ACL is referenced by a QoS policy for defining traffic classification rules, packets matching the referenced ACL rule are organized as a class and the behavior defined in the QoS policy applies to the class regardless of whether the referenced ACL rule is a deny or permit clause.

  • Page 526: Acl And Qos Configuration Example

    ACL and QoS configuration example Network requirements As shown in Figure 477, the FTP server (10.1.1.1/24) is connected to the Switch, and the clients access the FTP server through GigabitEthernet 1/0/1 of the Switch. Configure an ACL and a QoS policy as follows to prevent the hosts from accessing the FTP server from 8:00 to 18:00 every day: Add an ACL to prohibit the hosts from accessing the FTP server from 8:00 to 18:00 every day.

  • Page 527

    Figure 478 Defining a time range covering 8:00 to 18:00 every day Add an advanced IPv4 ACL: Select QoS > ACL IPv4 from the navigation tree. Click the Create tab. Enter the ACL number 3000. Click Apply.

  • Page 528

    Figure 479 Adding an advanced IPv4 ACL Define an ACL rule for traffic to the FTP server: Click the Advanced Setup tab. Select 3000 from the ACL list. Select the Rule ID box, and enter rule ID 2. Select Permit from the Action list. Select the Destination IP Address box, and enter IP address 10.1.1.1 and destination wildcard 0.0.0.0.

  • Page 529

    Figure 480 Defining an ACL rule for traffic to the FTP server Add a class: Select QoS > Classifier from the navigation tree. Click the Create tab. Enter the class name class1. Click Add.

  • Page 530

    Figure 481 Adding a class Define classification rules: Click the Setup tab. Select the class name class1 from the list. Select the ACL IPv4 box, and select ACL 3000 from the following list.

  • Page 531

    Figure 482 Defining classification rules Click Apply. A progress dialog box appears, as shown in Figure 483. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.

  • Page 532

    Figure 483 Configuration progress dialog box Add a traffic behavior: Select QoS > Behavior from the navigation tree. Click the Create tab. Enter the behavior name behavior1. Click Create. Figure 484 Adding a traffic behavior Configure actions for the traffic behavior: Click the Setup tab.

  • Page 533

    Click Close when the progress dialog box prompts that the configuration succeeds. Figure 485 Configuring actions for the behavior Add a policy: Select QoS > QoS Policy from the navigation tree. Click the Add tab. Enter the policy name policy1. Click Add.

  • Page 534

    Figure 486 Adding a policy Configure classifier-behavior associations for the policy: Click the Setup tab. Select policy1. Select class1 from the Classifier Name list. Select behavior1 from the Behavior Name list. Click Apply. Figure 487 Configuring classifier-behavior associations for the policy Apply the QoS policy in the inbound direction of interface GigabitEthernet 1/0/1: Select QoS >...

  • Page 535

    Select port GigabitEthernet 1/0/1. Click Apply. A configuration progress dialog box appears. Click Close when the progress dialog box prompts that the configuration succeeds. Figure 488 Applying the QoS policy in the inbound direction of GigabitEthernet 1/0/1...
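The example above (time range 8:00 to 18:00, advanced ACL 3000 with rule 2 permitting traffic to 10.1.1.1 wildcard 0.0.0.0, class1 referencing the ACL, behavior1, policy1 applied inbound on GigabitEthernet 1/0/1) together with the configuration guideline on page 525 hides a point worth checking with code: the ACL's own permit/deny is ignored once it is used for classification, and only the behavior's action decides what happens. The following Python model is an added example written for this page, not the switch's code. It assumes behavior1's filter action is deny (the page does not show the action it configures), models a packet as a dict with `src` and `dst` only, treats a 0.0.0.0 wildcard as an exact host match, and evaluates rules in configuration order.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """ACL wildcard masks are inverse masks: a 1 bit means 'don't care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(rule_addr)) & care


@dataclass
class TimeRange:
    name: str
    start: time
    end: time

    def active(self, when: datetime) -> bool:
        return self.start <= when.time() < self.end


@dataclass
class AclRule:
    rule_id: int
    action: str                                   # "permit" or "deny"
    dst: Optional[str] = None
    dst_wildcard: str = "0.0.0.0"                 # 0.0.0.0 = match the host exactly
    src: Optional[str] = None
    src_wildcard: str = "0.0.0.0"
    time_range: Optional[TimeRange] = None

    def matches(self, pkt: dict, when: datetime) -> bool:
        if self.time_range and not self.time_range.active(when):
            return False                          # rule is inactive outside its time range
        if self.dst and not wildcard_match(pkt["dst"], self.dst, self.dst_wildcard):
            return False
        if self.src and not wildcard_match(pkt["src"], self.src, self.src_wildcard):
            return False
        return True


@dataclass
class Acl:
    number: int
    rules: list = field(default_factory=list)     # evaluated in configuration order

    def first_match(self, pkt: dict, when: datetime) -> Optional[AclRule]:
        return next((r for r in self.rules if r.matches(pkt, when)), None)


@dataclass
class Behavior:
    name: str
    filter_action: str                            # "deny" drops, "permit" forwards


@dataclass
class QosPolicy:
    name: str
    bindings: list                                # [(classifier_name, Acl, Behavior), ...]

    def apply(self, pkt: dict, when: datetime) -> str:
        for _name, acl, behavior in self.bindings:
            # Page 525 guideline: the packet is in the class if it matches any rule of
            # the referenced ACL, whether that rule says permit or deny.
            if acl.first_match(pkt, when) is not None:
                return "drop" if behavior.filter_action == "deny" else "forward"
        return "forward"                          # unclassified traffic is left alone


WORK_HOURS = TimeRange("test-time", time(8, 0), time(18, 0))
ACL_3000 = Acl(3000, [AclRule(2, "permit", dst="10.1.1.1", dst_wildcard="0.0.0.0",
                              time_range=WORK_HOURS)])
BEHAVIOR1 = Behavior("behavior1", "deny")         # assumed; the page does not list the action
POLICY1 = QosPolicy("policy1", [("class1", ACL_3000, BEHAVIOR1)])


def at(hour: int, minute: int = 0) -> datetime:
    """Clock reading on a constructed date; only the time of day matters to the rule."""
    return datetime(2024, 1, 1, hour, minute)


def ftp_access(dst: str, when: datetime, policy: QosPolicy = POLICY1) -> str:
    """Verdict for a host behind GigabitEthernet 1/0/1 sending to dst at the given time."""
    return policy.apply({"src": "10.1.1.100", "dst": dst}, when)


if __name__ == "__main__":
    for when in (at(10), at(19)):
        print(when.time(), ftp_access("10.1.1.1", when), ftp_access("10.1.1.2", when))
```

The consequence for reviewers of such configurations: swapping the ACL rule's action from permit to deny changes nothing here, and an ACL used in a classifier with a permit behavior does not filter anything even though its rules say deny. Access control has to be read off the behavior, not the ACL.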

  • Page 536: Configuring Poe, Restrictions And Prerequisites, Configuring Poe Ports

A PD can also use a different power source from the PSE at the same time for power redundancy. A 1910 switch has a built-in PSE to supply DC power to PDs over the data pairs (pins 1, 2 and 3, 6) of...

  • Page 537

    Figure 490 Port Setup tab Configure the PoE ports as described in Table 159. Click Apply. Table 159 Configuration items Item Description Select Port Select ports to be configured. They will be displayed in the Selected Ports area. Enable or disable PoE on the selected ports. •...

  • Page 538: Configuring Non-standard Pd Detection

Power Priority: Set the power supply priority for a PoE port. The priority levels of a PoE port are low, high, and critical, in ascending order. • When the PoE power is insufficient, power is first supplied to PoE ports with a higher priority level.

  • Page 539: Displaying Information About Pse And Poe Ports, Poe Configuration Example

Disabling the non-standard PD detection function for a PSE Perform one of the following tasks on the PSE Setup tab to disable the non-standard PD detection function: • Select Disable in the Non-Standard PD Compatibility column, and click Apply. • Click Disable All...

  • Page 540: Configuration Procedure

    Figure 493 Network diagram Configuration procedure Enable PoE on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, and set their power supply priority to critical: Select PoE > PoE from the navigation tree. Click the Setup tab. On the tab, click to select ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 from the chassis front panel, select Enable from the Power State list, and select Critical from the Power Priority list.

  • Page 541

    On the tab, click to select port GigabitEthernet 1/0/3 from the chassis front panel, select Enable from the Power State list, and select the box before Power Max and enter 9000. Click Apply. Figure 495 Configuring the PoE port supplying power to AP After the configuration takes effect, the IP telephones and the AP are powered and can work properly.

  • Page 542: Support And Other Resources, Subscription Service, Related Information

    Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...

  • Page 543: Command Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...

  • Page 544

    Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.

  • Page 545: Index

    Index A B C D E G I L M O P R S T U V W Configuring 802.1X globally,313 Configuring 802.1X on a port,315 AAA configuration example,340 Configuring a local user,391 overview,333 Configuring a loopback test,45 overview,422 Configuring a port,23 Adding a class,451...

  • Page 546

    Configuring voice VLAN globally,123 parameters for the DHCP relay agent,277 Configuring voice VLAN on ports,124 Enabling DHCP snooping,288 Contacting HP,481 Enabling LLDP on ports,188 Conventions,482 Enabling the DHCP relay agent on an interface,280 Creating a DHCP server group,279 Energy saving...

  • Page 547

    Logging out of the Web interface,3 Ping operation,297 PKI configuration example,410 MAC address configuration example,141 overview,395 Managing services,294 PoE configuration example,478 Manually configuring the system date and time,10 Port isolation configuration example,420 MLD snooping configuration example,251 Port management configuration example,29 Modifying a VLAN,105 Port mirroring...

  • Page 548

    Setting LACP priority,176 Terminologies of port mirroring,34 Setting the aging time of MAC address entries,140 Testing cable status,47 Setting the log host,15 Traceroute operation,298 Setting the PVID for a port,103 Troubleshooting web console,17 Setting the super password,43 Setting the traffic statistics generating interval,50 Uploading a file,22...
