HPE OfficeConnect 1950 Series User Manual


HPE OfficeConnect 1950 Switch Series

User Guide

Part number: 5998-8111
Document version: 6W103-20160825


Summary of Contents for HPE OfficeConnect 1950 Series

  • Page 1: User Guide

    HPE OfficeConnect 1950 Switch Series User Guide Part number: 5998-8111 Document version: 6W103-20160825...
  • Page 2 © Copyright 2015-2016 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    User account management (21); Role-based access control (21); Password control (22); HPE OfficeConnect 1950 stacking (IRF) (24); Stack member roles (25); Stack port (25); Stack physical interfaces (25) ...
  • Page 4 VLAN (31); Port-based VLANs (31); VLAN interface (32); Voice VLAN (32); OUI addresses (32); QoS priority setting mode for voice traffic (32); Voice VLAN assignment modes (33) ...
  • Page 5 FTP (57); Telnet (57); NTP (57); SNMP (57); MIB (57); SNMP versions (58); SNMP access control (58); Resources features (60); ACL (60) ...
  • Page 6 Port security (79); Overview (79); Port security settings (80); Port security features (82); Secure MAC addresses (83); Portal (83); Portal authentication server (84); Portal Web server (85) ...
  • Page 7 PoE configuration example (137); Network requirements (137); Configuration procedure (138); Appendix A Managing the device from the CLI (139); display poe pse (140); initialize (141); ipsetup dhcp (142) ...
  • Page 8: Overview

    Overview This user guide provides the following information: Information Section How to log in to the Web interface for the first time. Logging in to the Web interface for the first time How to use the Web interface. Using the Web interface What features you can configure from the Web interface.
  • Page 9: Restrictions: Applicable Hardware Platforms And Software Versions

    Restrictions: Applicable hardware platforms and software versions Product code HPE description Software version JG960A HPE OfficeConnect 1950 24G 2SFP+ 2XGT Switch JG961A HPE OfficeConnect 1950 48G 2SFP+ 2XGT Switch Release 3111P02 HPE OfficeConnect 1950 24G 2SFP+ 2XGT JG962A Release 3113P05...
  • Page 10: Logging In To The Web Interface

    Logging in to the Web interface Log in to the Web interface through HTTP or HTTPS. Restrictions and guidelines To ensure a successful login, verify that your operating system and Web browser meet the requirements, and follow the guidelines in this section. Web browser requirements As a best practice, use one of the following Web browsers to log in: •...
  • Page 11: Concurrent Login Users

    Concurrent login users The Web interface allows a maximum of 32 concurrent accesses. If this limit is reached, login attempts will fail. Logging in to the Web interface for the first time IMPORTANT: As a best practice, change the login information and assign access permissions immediately after the first successful login for security purposes.
  • Page 12: Logging Out Of The Web Interface

    a. In the address bar, enter the IP address of the device. − HTTP access—Enter the address in the http://ip-address:port or ip-address:port format. − HTTPS access—Enter the address in the https://ip-address:port format. The ip-address argument represents the IP address of the device. The port argument represents the HTTP or HTTPS service port.
  • Page 13: Using The Web Interface

    Using the Web interface The Web interface contains the following areas: Area Description Contains the following items: • Basic information, including the Hewlett Packard Enterprise logo, device name, and information about the current login user. • Basic management icons: (1) Banner and auxiliary area Admin icon —Click this icon to change the login password.
  • Page 14: Types Of Webpages

    Types of webpages Webpages include feature, table, and configuration pages. This section provides basic information about these pages. For more information about using the icons and buttons on the pages, see "Icons and buttons." Using a feature page As shown in Figure 2, a feature page contains information about a feature module, including its table entry statistics, features, and functions.
  • Page 15: Using A Configuration Page

    Figure 3 Sample table page Using a configuration page As shown in Figure 4, one configuration page contains all parameters for a configuration task. If a parameter must be configured on another page, the configuration page typically provides a link. You do not need to navigate to the destination page.
  • Page 16: Icons And Buttons

    Figure 4 Sample configuration page Icons and buttons Table 2 describes icons and buttons you can use to configure and manage the device. Table 2 Icons and buttons Icon/button Icon/button Task name Help icons Help Obtain help information for a feature. Hint Obtain help information for a function or parameter.
  • Page 17: Performing Basic Tasks

    Icon/button Icon/button Task name Click this icon, and then enter a combination of criteria to Advanced search perform an advanced search. Entry management icons Refresh Refresh table entries manually. • Add a new entry. • Confirm the addition of an entry and continue to add an additional entry.
  • Page 18: Rebooting The Device

    Rebooting the device Reboot is required for some settings (for example, the stack setup) to take effect. To reboot the device: Save the configuration. Select Device > Maintenance > Reboot. On the reboot page, click the reboot button.
  • Page 19: Feature Navigator

    Feature navigator Menu items and icons available to you depend on the user roles you have. By default, you can use any user roles to display information. To configure features, you must have the network-admin user role. This chapter describes all menus available for the network-admin user role. The top-level menu includes Dashboard, Device, Network, Resources, QoS, Security, PoE, and Log.
  • Page 20: Network Menu

    About • Version information. • Electronic label. • Legal statement. Virtualization • Configure the following settings to set up an HPE OfficeConnect 1950 stack: Member ID. Priority. Domain ID. Stack port bindings. • Display the stack topology. Network menu Use Table 4 to navigate to the tasks you can perform from the Network menu.
  • Page 21 Menus Tasks • Display interfaces and their attributes, including: Interface status. IP address. Speed and duplex mode. Interfaces Interface description. • Change interface settings. • Delete logical interfaces. Link Aggregation Create, modify, or delete Layer 2 aggregation groups. • Set the statistics polling interval. •...
  • Page 22 Menus Tasks • Manage dynamic ARP entries and static ARP entries. • Configure ARP proxy. • Configure gratuitous ARP. • Configure ARP attack protection. • Configure IPv4 static domain name resolution. • Configure IPv4 dynamic domain name resolution. • Configure the DNS proxy. •...
  • Page 23 Menus Tasks • Display IPv4 and IPv6 static route entries. Static Routing • Create, modify, and delete IPv4 and IPv6 static route entries. • Create, modify, and delete IPv4 and IPv6 policies. • Configure interface PBR. Policy-Based Routing • Configure local PBR. Multicast •...
  • Page 24: Resources Menu

    Menus Tasks • Enable or disable Telnet service. • Set the DSCP values for the device to use for outgoing IPv4 or IPv6 Telnet Telnet packets. • Specify Telnet access control ACLs. Configure the device to use the local clock as the reference clock. •...
  • Page 25: Qos Menu

    QoS menu Use Table 6 to navigate to the tasks you can perform from the QoS menu. Table 6 QoS menu navigator Menus Tasks • Create, modify, or delete interface QoS policies. • Create, modify, or delete VLAN QoS policies. QoS Policies •...
  • Page 26: Poe Menu

    Menus Tasks • Configure a portal authentication server. • Configure a portal Web server. • Configure a local portal Web server. Portal • Create portal-free rules. • Create interface policies. Authentication ISP Domains Configure ISP domains. RADIUS Configure RADIUS schemes. TACACS Configure TACACS schemes.
  • Page 27: Device Management

    Device management Settings Access the Settings page to change the device name, location, and system time. System time sources Correct system time is essential to network management and communication. Configure the system time correctly before you run the device on the network. The device can use the manually set system time, or obtain the UTC time from a time source on the network and calculate the system time.
  • Page 28: Ntp/Sntp Time Source Authentication

    Table 10 NTP/SNTP operating modes Mode Operating process Principle Application scenario A client sends a clock synchronization message to the NTP servers. Upon receiving the message, the servers automatically operate in server mode and send a reply. This mode is intended for A client can synchronize If the client is synchronized scenarios where devices...
  • Page 29: User Account Management

    The service type of an administrator can be SSH, Telnet, FTP, HTTP, HTTPS, PAD, or terminal. A terminal user can access the device through the console, Aux, or Async port. User account management A user account on the device manages attributes for users who log in to the device with the same username.
  • Page 30: Password Control

    Password control Password control allows you to implement the following features: • Manage login and super password setup, expirations, and updates for device management users. • Control user login status based on predefined policies. Local users are divided into device management users and network access users. This feature applies only to device management users.
  • Page 31 Table 12 Password composition policy Password combination Minimum number of Minimum number of characters level character types for each type Level 1 Level 2 Level 3 Three Level 4 Four When a user sets or changes a password, the system checks if the password meets the combination requirement.
  • Page 32: Hpe Officeconnect 1950 Stacking (Irf)

    You can set the maximum account idle time for user accounts. When an account is idle for this period of time since the last successful login, the account becomes invalid. HPE OfficeConnect 1950 stacking (IRF) Intelligent Resilient Framework (IRF) is true stacking technology that creates a large virtual stack...
  • Page 33: Stack Member Roles

    Stacking and stack are called IRF on the webpages and in online help. Stack member roles HPE OfficeConnect 1950 stacking uses two member roles: master and standby (also called subordinate). When devices form a stack, they elect a master to manage and control the stack. All the other members process services while backing up the master.
  • Page 34: Member Priority

    A stack merge occurs when two split virtual stacks reunite or when two independent stacks are united. Member priority Member priority determines the possibility of a member device to be elected the master. A member with higher priority is more likely to be elected the master. The default member priority is 1.
  • Page 35: Network Services Features

    Network services features Link aggregation Ethernet link aggregation bundles multiple physical Ethernet links into one logical link, called an aggregate link. Link aggregation has the following benefits: • Increased bandwidth beyond the limits of any single link. In an aggregate link, traffic is distributed across the member ports.
  • Page 36: Link Aggregation Modes

    Link aggregation modes An aggregation group operates in one of the following modes: • Static—Static aggregation is stable. An aggregation group in static mode is called a static aggregation group. The aggregation states of the member ports in a static aggregation group are not affected by the peer ports.
  • Page 37 Figure 5 Setting the aggregation state of a member port in a static aggregation group Aggregating links in dynamic mode Dynamic aggregation is implemented through IEEE 802.3ad Link Aggregation Control Protocol (LACP). LACP uses LACPDUs to exchange aggregation information between LACP-enabled devices. Each member port in an LACP-enabled aggregation group exchanges information with its peer.
  • Page 38 b. The system with the smaller system ID chooses the port with the smallest port ID as the reference port. A port ID contains a port priority and a port number. The lower the port priority, the smaller the port ID. −...
  • Page 39: Storm Control

    Meanwhile, the system with the higher system ID is aware of the aggregation state changes on the peer system. The system sets the aggregation state of local member ports the same as their peer ports. Storm control Storm control compares broadcast, multicast, and unknown unicast traffic regularly with their respective traffic thresholds on an Ethernet interface.
  • Page 40: Vlan Interface

    • Trunk—A trunk port can forward packets from multiple VLANs. Except packets from the port VLAN ID (PVID), packets sent out of a trunk port are VLAN-tagged. Assign a trunk port to the untagged port list of the PVID of the port, and to the tagged port lists of other VLANs. •...
  • Page 41: Voice Vlan Assignment Modes

    Voice VLAN assignment modes A port can be assigned to a voice VLAN automatically or manually. Automatic mode When an IP phone is powered on, it sends out protocol packets. After receiving these protocol packets, the device uses the source MAC address of the protocol packets to match its OUI addresses.
  • Page 42: Aging Timer For Dynamic Mac Address Entries

    • Blackhole entries—A blackhole entry is manually configured and never ages out. A blackhole entry is configured for filtering out frames with a specific source or destination MAC address. For example, to block all frames destined for or sourced from a user, you can configure the MAC address of the user as a blackhole MAC address entry.
  • Page 43: Spanning Tree Modes

    • PVST—PVST allows every VLAN to have its own spanning tree, which increases usage of links and bandwidth. • MSTP—Defined in IEEE 802.1s. MSTP overcomes the limitations of STP and RSTP. It supports rapid network convergence and allows data flows of different VLANs to be forwarded along separate paths.
  • Page 44: Port States

    • Backup port—Serves as the backup port of a designated port. When the designated port is invalid, the backup port becomes the new designated port. A loop occurs when two ports of the same spanning tree device are connected, so the device blocks one of the ports. The blocked port acts as the backup.
  • Page 45: Receiving Lldp Frames

    overwhelming the network during times of frequent changes to local device information, LLDP uses the token bucket mechanism to rate limit LLDP frames. LLDP automatically enables the fast LLDP frame transmission mechanism in either of the following cases: • A new LLDP frame is received and carries device information new to the local device. •...
  • Page 46: Cdp Compatibility

    CDP compatibility CDP compatibility enables your device to receive and recognize CDP packets from a Cisco IP phone and respond with CDP packets. DHCP snooping DHCP snooping works between the DHCP client and server, or between the DHCP client and DHCP relay agent.
  • Page 47: Ip Address Classes

    If a DHCP request Handling DHCP snooping… has… strategy Forwards the message after adding the Option 82 padded No Option 82 according to the configured padding format, padding content, and code type. IP address classes IP addressing uses a 32-bit address to identify each host on an IPv4 network. To make addresses easier to read, they are written in dotted decimal notation, each address being four octets in length.
  • Page 48: Ip Address Configuration Methods

    For example, a Class B network without subnetting can accommodate 1022 more hosts than the same network subnetted into 512 subnets. • Without subnetting—65534 (2^16 – 2) hosts. (The two deducted addresses are the broadcast address, which has an all-one host ID, and the network address, which has an all-zero host ID.) •...
  • Page 49: Gratuitous Arp

    − Adds the interface that received the ARP reply to the short static ARP entry. − Uses the resolved short static ARP entry to forward IP packets. To communicate with a host by using a fixed IP-to-MAC mapping, configure a short static ARP entry on the device.
  • Page 50 ARP source suppression. ARP packet source MAC consistency check. ARP active acknowledgement. Source MAC-based ARP attack detection. Authorized ARP. • ARP scanning and fixed ARP. • The access device supports the following features: ARP packet rate limit. ARP gateway protection. ARP filtering.
  • Page 51 • Filter—Generates log messages and filters out subsequent ARP packets from that MAC address. You can exclude the MAC addresses of some gateways and servers from this detection. This feature does not inspect ARP packets from those devices even if they are attackers. Authorized ARP Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or dynamic client entries on the DHCP relay agent.
  • Page 52: Dns

    If you only enable ARP detection for a VLAN, ARP detection provides only the user validity check. Upon receiving an ARP packet from an ARP untrusted interface, the device matches the sender IP and MAC addresses with the following entries: Static IP source guard binding entries.
  • Page 53: Static Domain Name Resolution

    You can configure a domain name suffix list so that the resolver can use the list to supply the missing part of an incomplete name. For example, you can configure com as the suffix for aabbcc.com. The user only needs to enter aabbcc to obtain the IP address of aabbcc.com. The resolver adds the suffix and delimiter before passing the name to the DNS server.
  • Page 54: Ipv6

    A DDNS policy contains the DDNS server address, login ID, password, associated SSL client policy, and update time interval. After creating a DDNS policy, you can apply it to multiple interfaces to simplify DDNS configuration. DDNS is supported by only IPv4 DNS, and it is used to update the mappings between domain names and IPv4 addresses.
  • Page 55: Eui-64 Address-Based Interface Identifiers

    Format prefix Type IPv6 prefix ID Remarks (binary) It cannot be assigned to any node. Before acquiring a valid IPv6 address, a node fills this address Unspecified 00...0 (128 bits) ::/128 in the source address field of IPv6 address packets. The unspecified address cannot be used as a destination IPv6 address.
  • Page 56: Ipv6 Link-Local Address Configuration Methods

    • Stateless address autoconfiguration—The IPv6 global unicast address is generated automatically according to the address prefix information contained in the RA message and the EUI-64 address-based interface identifier. • Stateful address autoconfiguration—Enables a host to acquire an IPv6 address from a DHCPv6 server.
  • Page 57: Neighbor Entries

    The IPv6 Neighbor Discovery (ND) protocol uses ICMPv6 messages to provide the following functions: • Address resolution • Neighbor reachability detection • • Router/prefix discovery • Stateless address autoconfiguration • Redirection Table 13 describes the ICMPv6 messages used by ND. Table 13 ICMPv6 messages used by ND ICMPv6 message Type...
  • Page 58 You can enable an interface to send RA messages, specify the maximum and minimum sending intervals, and configure parameters in RA messages. The device sends RA messages at random intervals between the maximum and minimum intervals. The minimum interval should be less than or equal to 0.75 times the maximum interval.
  • Page 59: Nd Proxy

    ND proxy ND proxy enables a device to answer an NS message requesting the hardware address of a host on another network. With ND proxy, hosts in different broadcast domains can communicate with each other as they would on the same network. ND proxy includes common ND proxy and local ND proxy.
  • Page 60: Port Mirroring

    Port mirroring Port mirroring copies the packets passing through a port to the destination port that connects to a data monitoring device for packet analysis. The copies are called mirrored packets. Port mirroring includes the following terms: • Source port—Monitored port on the device. Packets of the monitored port will be copied and sent to the destination port.
  • Page 61: Pbr And Track

    A policy matches nodes in priority order against packets. If a packet matches the criteria on a node, it is processed by the action on the node. If the packet does not match the criteria on the node, it goes to the next node for a match. If the packet does not match the criteria on any node, it is forwarded according to the routing table.
  • Page 62 • Lease duration. • Gateway addresses. • Domain name suffix. • DNS server addresses. • WINS server addresses. • NetBIOS node type. • DHCP options. Before assigning an IP address, the DHCP server performs IP address conflict detection to verify that the IP address is not in use.
  • Page 63: Dhcp Relay Agent

    • Add options for which the vendor defines the contents, for example, Option 43. DHCP servers and clients can use vendor-specific options to exchange vendor-specific configuration information. • Add options for which the Web interface does not provide a dedicated configuration page. For example, you can use Option 4 to specify the time server address 1.1.1.1 for DHCP clients.
  • Page 64: Http/Https

    With this feature, the DHCP relay agent uses the following information to periodically send a DHCP-REQUEST message to the DHCP server: • The IP address of a relay entry. • The MAC address of the DHCP relay interface. The relay agent maintains the relay entries depending on what it receives from the DHCP server: •...
  • Page 65: Ftp

    File Transfer Protocol (FTP) is an application layer protocol for transferring files from one host to another over an IP network. It uses TCP port 20 to transfer data and TCP port 21 to transfer control commands. The device can act as the FTP server. Telnet The device can act as a Telnet server to allow Telnet login.
  • Page 66: Snmp Versions

    OID and subtree A MIB stores variables called "nodes" or "objects" in a tree hierarchy and identifies each node with a unique OID. An OID is a dotted numeric string that uniquely identifies the path from the root node to a leaf node.
  • Page 67 If you grant read-only permission to the community, the NMS can only read the values of the objects in the MIB view. If you grant read-write permission to the community, the NMS can read and set the values of the objects in the MIB view. •...
  • Page 68: Resources Features

    Resources features Resource features are common resources that can be used by multiple features. For example, you can use an ACL both in a packet filter to filter traffic and in a QoS policy to match traffic. The Web interface provides access to the resource creation page for features that might use the resources.
  • Page 69: Rule Numbering

    The following ACL match orders are available: • config—Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a rule with a higher ID. If you use this method, check the rules and their order carefully. •...
  • Page 70: Time Range

    Automatic rule numbering and renumbering The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to the current highest rule ID, starting with 0. For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10, and 12, the newly defined rule is numbered 15.
  • Page 71: Managing Local Key Pairs

    The device manages both local asymmetric key pairs and peer public keys for data encryption, decryption, and digital signature. Managing local key pairs Generating local key pairs You can generate RSA, DSA, or ECDSA key pairs on the device. Distributing the public key of a local key pair You can distribute the public key of a local key pair to a peer device by using one of the following methods: •...
  • Page 72: Pki

    Public Key Infrastructure (PKI) is an asymmetric key infrastructure to encrypt and decrypt data for securing network services. PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity.
  • Page 73: Managing Certificates

    • CA—Certification authority that issues and manages certificates. A CA issues certificates, defines the certificate validity periods, and revokes certificates by publishing CRLs. • RA—Registration authority, which offloads the CA by processing enrollment requests. The RA accepts certificate requests, verifies user identity, and determines whether to forward the certificate requests to the CA.
  • Page 74: Certificate Access Control

    Requesting certificates To request a certificate, a PKI entity must provide its identity information and public key to a CA. You can first generate the certificate request on the device, and then send the request to the CA by using an out-of-band method such as phone and email. Before you submit a certificate request, make sure the CA certificate exists in the PKI domain and a key pair is specified for the PKI domain.
  • Page 75 Table 18 Combinations of attribute-value pairs and operation keywords Operation FQDN/IP The DN contains the specified Any FQDN or IP address contains the specified attribute attribute value. value. The DN does not contain the None of the FQDNs or IP addresses contains the specified nctn specified attribute value.
  • Page 76: Qos Features

    QoS features QoS policies In data communications, Quality of Service (QoS) provides differentiated service guarantees for diversified traffic in terms of bandwidth, delay, jitter, and drop rate, all of which can affect QoS. By associating a traffic behavior with a traffic class in a QoS policy, you apply QoS actions in the traffic behavior to the traffic class.
  • Page 77: Sp Queuing

    SP queuing Figure 9 SP queuing SP queuing is designed for mission-critical applications that require preferential service to reduce the response delay when congestion occurs. SP queuing classifies eight queues on a port into eight classes, numbered 7 to 0 in descending priority order. SP queuing schedules the eight queues in the descending order of priority.
  • Page 78: Wfq Queuing

    WRR queuing schedules all the queues in turn to ensure every queue is serviced. For example, a port provides eight output queues. WRR assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0). The weight value of a queue decides the proportion of resources assigned to the queue.
  • Page 79: Queue Scheduling Profile

    WFQ is similar to WRR. On an interface with group-based WFQ queuing enabled, you can assign queues to the SP group. Queues in the SP group are scheduled with SP. The SP group has higher scheduling priority than the WFQ groups. The difference is that WFQ enables you to set guaranteed bandwidth that a WFQ queue can get during congestion.
  • Page 80: Priority Map

    Configuring the priority trust mode After you configure a priority trust mode for a port, the device maps the trusted priority in incoming packets to the target priority types and values according to the priority maps. The available priority trust modes include the following types: •...
  • Page 81: Security Features

    Security features Packet filter Packet filter uses ACLs to filter incoming or outgoing packets on interfaces, VLANs, or globally. An interface permits packets that match permit statements to pass through, and denies packets that match deny statements. The default action applies to packets that do not match any ACL rules. IP source guard Overview IP source guard (IPSG) prevents spoofing attacks by using an IPSG binding table to match...
  • Page 82: 802.1X Authentication Methods

    • Authentication server—Provides authentication services for the access device. The authentication server first authenticates 802.1X clients by using the data sent from the access device. Then, the server returns the authentication results to the access device to make access decisions. The authentication server is typically a RADIUS server. In a small LAN, you can use the access device as the authentication server.
  • Page 83: Online User Handshake

    Online user handshake The online user handshake feature checks the connectivity status of online 802.1X users. The access device sends handshake messages to online users at the handshake interval. If the device does not receive any responses from an online user after it has made the maximum handshake attempts, the device sets the user to offline state.
  • Page 84: Guest Vlan

    Guest VLAN The 802.1X guest VLAN on a port accommodates users who have not performed 802.1X authentication. Once a user in the guest VLAN passes 802.1X authentication, it is removed from the guest VLAN and can access authorized network resources. The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control method.
  • Page 85: Mandatory Authentication Domain

    Authentication status: A user in the 802.1X critical VLAN fails authentication for any other reasons. VLAN manipulation: If an 802.1X Auth-Fail VLAN has been configured, the PVID of the port changes to the Auth-Fail VLAN ID, and all 802.1X users on this port are moved to the Auth-Fail VLAN.
  • Page 86: Mac Authentication Configuration On A Port

    Silent MAC address information When a user fails MAC authentication, the device marks the user's MAC address as a silent MAC address, drops the packet, and starts a quiet timer. The device drops all subsequent packets from the silent MAC address within the quiet time. The quiet mechanism avoids repeated authentication during the quiet time.
  • Page 87: Port Security

    Multi-VLAN mode The MAC authentication multi-VLAN mode prevents an authenticated online user from service interruption caused by VLAN changes on a port. When the port receives a packet sourced from the user in a VLAN that does not match the existing MAC-VLAN mapping, the device does not log off the user or reauthenticate the user.
  • Page 88: Port Security Settings

    • The device fails to authorize the specified ACL or user profile to the user. • The server assigns a nonexistent ACL or user profile to the user. If this feature is disabled, the device does not log off users who fail ACL or user profile authorization. Aging timer for secure MAC addresses When secure MAC addresses are aged out, they are removed from the secure MAC address table.
  • Page 89 Features that can Purpose Security mode be triggered NTK/intrusion Perform MAC authentication: macAddressWithRadius protection macAddressOrUserLoginSecure macAddressOrUserLoginSecureExt Perform a combination of MAC NTK/intrusion authentication and 802.1X macAddressElseUserLoginSecure protection authentication: Else macAddressElseUserLoginSecureE • Control MAC address learning: autoLearn. A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC address.
  • Page 90: Port Security Features

    macAddressWithRadius: A port in this mode performs MAC authentication, and services multiple users. • Perform a combination of MAC authentication and 802.1X authentication: macAddressOrUserLoginSecure. This mode is the combination of the macAddressWithRadius and userLoginSecure modes. The mode allows one 802.1X authentication user and multiple MAC authentication users to log in.
  • Page 91: Secure Mac Addresses

    Secure MAC addresses Secure MAC addresses are configured or learned in autoLearn mode. Secure MAC addresses include static, sticky, and dynamic secure MAC addresses. Aging mode for secure MAC addresses Secure MAC addresses can be aged out when you use one of the following aging modes: •...
  • Page 92: Portal Authentication Server

    • Supports multiple authentication modes. For example, re-DHCP authentication implements a flexible address assignment scheme and saves public IP addresses. Cross-subnet authentication can authenticate users who reside in a different subnet than the access device. A typical portal system consists of the following components: •...
  • Page 93: Portal Web Server

    If a user contained in the packet does not exist on the access device, the access device informs the portal authentication server to delete the user. If the user does not appear in any synchronization packet within a synchronization detection interval, the access device determines the user does not exist on the server and logs the user out.
  • Page 94 Client and local portal Web server interaction protocols HTTP and HTTPS can be used for interaction between an authentication client and a local portal Web server. If HTTP is used, there are potential security problems because HTTP packets are transferred in plain text. If HTTPS is used, secure data transmission is ensured because HTTP packets are secured by SSL.
  • Page 95 Post request attribute rules Observe the following requirements when editing a form of an authentication page: An authentication page can have multiple forms, but there must be one and only one form whose action is logon.cgi. Otherwise, user information cannot be sent to the local portal Web server.
  • Page 96: Portal-Free Rules

    See the contents in gray: <html> <head> <title>LogonSuccessed</title> <script type="text/javascript" language="javascript" src="pt_private.js"></script> </head> <body onload="pt_init();" onbeforeunload="return pt_unload();"> ..</body> </html> Portal-free rules A portal-free rule allows specified users to access specified external websites without portal authentication. • IP-based portal-free rules The matching items for an IP-based portal-free rule include the IP address and TCP/UDP port.
  • Page 97: Isp Domains

    ARP and ND detections apply only to direct and re-DHCP portal authentication. ICMP detection applies to all portal authentication modes. If the device receives no packets from a portal user within the idle time, the device detects the user's online status as follows: •...
  • Page 98: Radius

    TACACS authentication, and the authorization information is included in the authorization response after successful authentication. You can configure backup methods to be used when the remote server is not available. The device supports the following accounting methods: • No accounting—The device does not perform accounting for the users. •...
  • Page 99 • Accounting-on—This feature enables the device to automatically send an accounting-on packet to the RADIUS server after a reboot. Upon receiving the accounting-on packet, the RADIUS server logs out all online users so they can log in again through the device. Without this feature, users cannot log in again after the reboot, because the RADIUS server considers them to be online.
  • Page 100: Log Features

    Log features Log levels Logs are classified into eight severity levels from 0 through 7 in descending order. Table 21 Log levels (columns: Severity value, Level, Description) Emergency: The system is unusable. For example, the system authorization has expired. Alert: Action must be taken immediately. For example, traffic on an interface exceeds the upper limit.
  • Page 101: Configuration Examples

    Configuration examples Device maintenance examples System time configuration example Network requirements As shown in Figure • Configure the device to obtain the UTC time from the NTP server. • Configure NTP authentication on both the device and NTP server. Figure 12 Network diagram Configuration procedure Configure the NTP client: a.
  • Page 102: Stack Configuration Example

    Figure 13 Network diagram Configuration procedure Configure the VLAN and VLAN interface: a. From the navigation tree, select Network > Links > VLAN. b. Create VLAN 2. c. Access the details page for VLAN 2 to perform the following tasks: −...
  • Page 103 Figure 14 Network diagram (labels: IP network, 1950 Stack, Switch A, Switch B, XGE1/0/49, XGE1/0/50, IRF-port1, IRF-port2) Configuration procedure IMPORTANT: • When you connect two neighboring stack members, you must connect the physical interfaces of IRF-port 1 on one member to the physical interfaces of IRF-port 2 on the other. •...
  • Page 104: Ntp Configuration Example

    c. Click the IRF port bindings link, and then access the details page for IRF-port 2 to assign XGE 1/0/49 and XGE 1/0/50 to IRF-port 2. d. Click the advanced link to perform the following tasks: − Set the domain ID to be the same as Switch A. The domain ID must be the same across stack member devices.
  • Page 105: Snmp Configuration Example

    Verifying the configuration # Verify that Device B has synchronized to Device A, and the clock stratum level is 3 on Device B and 2 on Device A. (Details not shown.) SNMP configuration example Network requirements As shown in Figure 16, the NMS (1.1.1.2/24) uses SNMPv2c to manage the SNMP agent (1.1.1.1/24), and the agent automatically sends notifications to report events to the NMS.
  • Page 106: Port Isolation Configuration Example

    Figure 17 Network diagram (labels: Switch A, Switch B, GE1/0/1, GE1/0/2, GE1/0/3, GE1/0/4, Link aggregation 10, VLAN 10, Host A, Host B) Configuration procedure Configure Ethernet link aggregation on Switch A: a. From the navigation tree, select Network > Interfaces > Link Aggregation. b.
  • Page 107: Vlan Configuration Example

    Figure 18 Network diagram Configuration procedure From the navigation tree, select Network > Interfaces > Isolation. Create an isolation group. Access the details page for the isolation group. Assign ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to the isolation group. Verifying the configuration # Verify that Host A, Host B, and Host C cannot ping each other.
  • Page 108: Voice Vlan Configuration Example

    − Add GigabitEthernet 1/0/1 to the untagged port list (Host A cannot recognize VLAN tags). − Add GigabitEthernet 1/0/3 to the tagged port list (Switch B needs to identify the VLAN tags of packets). d. Access the details page for VLAN 200 to perform the following tasks: −...
  • Page 109: Mac Address Entry Configuration Example

    b. Access the advanced settings page, and set the mode to security. c. Access the page for adding an OUI address, and add the OUI address 0011-2200-0000, the mask ffff-ff00-0000, and the description OUI address of IP phone A. Verifying the configuration View the OUI summary to verify that the OUI address 0011-2200-0000 has been added.
  • Page 110 Figure 22 Network diagram (labels: Switch A, Switch B, Switch C, Switch D, GE1/0/1, GE1/0/3, Permit: all VLAN, Permit: VLAN 10, Permit: VLAN 30) Configuration procedure Configure VLANs: a. Configure VLANs on Switch A: − From the navigation tree, select Network > Links > VLAN. −...
  • Page 111: Lldp Configuration Example

    Verifying the configuration # Verify that the port roles and port states in the spanning tree status are as expected. (Details not shown.) LLDP configuration example Network requirements As shown in Figure 23, configure LLDP on Switch A and Switch B to meet the following requirements: •...
  • Page 112: Static Arp Entry Configuration Example

    • Record the client IP-MAC binding information in DHCP-REQUEST packets and in DHCP-ACK packets received by GigabitEthernet 1/0/1. • Save the bindings to the FTP server. Figure 24 Network diagram Configuration procedure Configure the DHCP server. (Details not shown.) Configure the FTP server: Enable the FTP service, and configure the login username and password.
  • Page 113: Static Dns Configuration Example

    Figure 25 Network diagram Configuration procedure Configure the VLAN and the VLAN interface: a. From the navigation tree, select Network > Links > VLAN. b. Create VLAN 10. c. Access the details page for VLAN 10 to perform the following tasks: −...
  • Page 114: Dynamic Dns Configuration Example

    Configuration procedure Configure the VLAN and VLAN interface: a. From the navigation tree, select Network > Links > VLAN. b. Create VLAN 10. c. Access the details page for VLAN 10 to perform the following tasks: − Add GigabitEthernet 1/0/1 to the tagged port list. −...
  • Page 115: Ddns Configuration Example With Www.3322.Org

    a. From the navigation tree, select Network > IP > DNS. b. Configure the IP address of the DNS server as 2.1.1.2. c. On the advanced settings page, configure the domain name suffix as com. Verifying the configuration # Use the ping host command on the switch to verify the following items: •...
  • Page 116: Static Ipv6 Address Configuration Example

    c. Access the details page for VLAN 10 to perform the following tasks: − Add GigabitEthernet 1/0/1 to the tagged port list. − Create VLAN-interface 10. − Assign the IP address 2.1.1.1/24 to VLAN-interface 10. On the switch, configure DDNS: a.
  • Page 117: Nd Configuration Example

    Configure an IPv6 address for VLAN-interface 10: a. From the navigation tree, select Network > IPv6 > IPv6. b. Access the details page for VLAN-interface 10 to perform the following tasks: − Configure the IPv6 address of the interface as 2001::. −...
  • Page 118: Port Mirroring Configuration Example

    − Set the minimum interval to 200 seconds for sending RA messages. − Set the router lifetime to 1800 seconds. Configure Switch A: a. From the navigation tree, select Network > Links > VLAN. b. Create VLAN 10. c. Access the details page for VLAN 10 to perform the following tasks: −...
  • Page 119: Ipv4 Static Route Configuration Example

    Verifying the configuration # Verify that the server can monitor the incoming and outgoing traffic of the marketing department and the technical department. (Details not shown.) IPv4 static route configuration example Network requirements As shown in Figure 32, configure IPv4 static routes on the switches for the hosts to communicate with each other.
  • Page 120: Ipv4 Local Pbr Configuration Example

    On Switch C, configure a default route: Set the destination address to 0.0.0.0. Set the mask length to 0. Set the next hop address to 1.1.5.5 (Switch B). Verifying the configuration # Verify that the hosts can ping each other. (Details not shown.) IPv4 local PBR configuration example Network requirements As shown in...
  • Page 121 • The network is a Layer 2-only network. • Host A and Host B are receivers of multicast group 224.1.1.1. • All host receivers run IGMPv2, and all switches run IGMPv2 snooping. Switch A (which is close to the multicast source) acts as the IGMP querier. Configure the switches to meet the following requirements: •...
  • Page 122: Mld Snooping Configuration Example

    a. From the navigation tree, select Network > Multicast > IGMP Snooping. b. Enable IGMP snooping for VLAN 1. c. Specify the IGMP snooping version as 2. d. Enable dropping unknown multicast data. Verifying the configuration Send IGMP reports from Host A and Host B to join the multicast group 224.1.1.1. Send multicast data from the source to the multicast group.
  • Page 123: Dhcp Configuration Example

    d. Enable dropping unknown IPv6 multicast data. e. Enable the switch to act as the MLD querier. Configure Switch B: a. From the navigation tree, select Network > Multicast > MLD Snooping. b. Enable MLD snooping for VLAN 1. c. Specify the MLD snooping version as 1. d.
  • Page 124 − Specify the pool name as pool1. − Specify the subnet as 10.10.1.0/24 for dynamic allocation. − Specify the gateway IP address as 10.10.1.1. g. Access the advanced settings page to perform the following tasks: − Configure the conflict detection feature to send a maximum of one ping packet. −...
  • Page 125: Password Authentication Enabled Stelnet Server Configuration Example

    Password authentication enabled Stelnet server configuration example Network requirements As shown in Figure 37, the switch acts as the Stelnet server and uses password authentication. The username (client) and password (aabbcc) of the client are saved on the switch. Establish an Stelnet connection between the host and the switch, so the client can log in to the switch to configure and manage the switch as a network administrator.
  • Page 126: Qos Configuration Example

    To establish a connection to the Stelnet server: Launch PuTTY.exe to enter the interface. In the Host Name (or IP address) field, enter the IP address 192.168.1.40 of the Stelnet server. Click Open to connect to the server. If the connection is successfully established, the system notifies you to enter the username and password.
  • Page 127: Security Configuration Examples

    − Create IPv4 ACL 2002, and add a rule to permit packets with source IP address 192.168.2.0 and mask 0.0.0.255. − Configure the ACL as a match criterion of a class, and specify the associated behavior to mark the matched packets with 802.1p priority 1. f.
  • Page 128 Figure 39 Network diagram Configuration procedure From the navigation tree, select Security > Packet Filter > Packet Filter. Create a packet filter policy: a. Select VLAN-interface 10. b. Select the outbound application direction. c. Select the IPv4 ACL type for packet filter. Create an advanced IPv4 ACL and configure the following rules in the order they are described: Protocol Action...
  • Page 129: Static Ipv4 Source Guard Configuration Example

    Static IPv4 source guard configuration example Network requirements As shown in Figure 40, all hosts use static IP addresses. Configure static IPv4 source guard entries on Device A and Device B to meet the following requirements: • GigabitEthernet 1/0/2 of Device A allows only IP packets from Host C to pass. •...
  • Page 130: 802.1X Radius Authentication Configuration Example

    Repeat steps 1 and 2 on Device B to verify that the static IPv4 source guard entries are configured successfully. 802.1X RADIUS authentication configuration example Network requirements As shown in Figure 41, configure the switch to meet the following requirements: •...
  • Page 131: 802.1X Local Authentication Configuration Example

    e. Configure the switch to not include domain names in the usernames sent to the RADIUS server. Configure an ISP domain on the switch: a. From the navigation tree, select Security > Authentication > ISP Domains. b. Add ISP domain dm1X, and set the domain state to Active. c.
  • Page 132: Radius-Based Mac Authentication Configuration Example

    a. From the navigation tree, select Security > Authentication > Local Users. b. Add user account dotuser and set the password to 12345. c. Set the service type to LAN access. Configure the ISP domain: a. From the navigation tree, select Security > Authentication > ISP Domains. b.
  • Page 133 Figure 43 Network diagram (labels: RADIUS server 10.1.1.1/24; Switch GE1/0/1, Vlan-int2, 192.168.1.1/24; Switch GE1/0/2, Vlan-int3, 10.1.1.10/24; Host 192.168.1.2/24; Internet) Configuration procedure Configure IP addresses for the interfaces, as shown in Figure 43. (Details not shown.) Configure a RADIUS scheme on the switch: a.
  • Page 134: Radius-Based Port Security Configuration Example

    a. Add a user account on the server. (Details not shown.) b. Configure the authentication, authorization, and accounting settings. (Details not shown.) Verifying the configuration From the navigation tree, select Security > Authentication > RADIUS. Verify the configuration of RADIUS scheme macauth. From the navigation tree, select Security >...
  • Page 135 Configure a RADIUS scheme on the switch: a. From the navigation tree, select Security > Authentication > RADIUS. b. Add RADIUS scheme portsec. c. Configure the primary authentication server: − Set the IP address to 10.1.1.1. − Set the authentication port number to 1812. −...
  • Page 136: Direct Portal Authentication Configuration Example

    Direct portal authentication configuration example Network requirements As shown in Figure 45, the host is directly connected to the switch (the access device). The host is assigned a public IP address either manually or through DHCP. A portal server acts as both a portal authentication server portal...
  • Page 137 d. Configure the ISP domain to use RADIUS scheme rs1 for authentication, authorization, and accounting of portal users. e. Click the Advanced settings icon on the ISP Domain page. f. Specify dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
  • Page 138: Re-Dhcp Portal Authentication Configuration Example

    Re-DHCP portal authentication configuration example Network requirements As shown in Figure 46, the host is directly connected to the switch (the access device). The host obtains an IP address through the DHCP server. A portal server acts as both a portal authentication server and a portal Web server.
  • Page 139 b. Add ISP domain dm1, and set the domain state to Active. c. Set the access service to Portal. d. Configure the ISP domain to use RADIUS scheme rs1 for authentication, authorization, and accounting of portal users. e. Click the Advanced settings icon on the ISP Domain page.
  • Page 140: Cross-Subnet Portal Authentication Configuration Example

    Configure the RADIUS server: a. Add a user account on the server. (Details not shown.) b. Configure the authentication, authorization, and accounting settings. (Details not shown.) Verifying the configuration From the navigation tree, select Security > Authentication > RADIUS. Verify the configuration of RADIUS scheme rs1. From the navigation tree, select Security >...
  • Page 141 − Set the IP address to 192.168.0.112. − Set the accounting port number to 1813. − Set the shared key to radius. − Set the server state to Active. e. Configure the switch to not include domain names in the usernames sent to the RADIUS server.
  • Page 142: Direct Portal Authentication Using Local Portal Web Server Configuration Example

    Verifying the configuration From the navigation tree, select Security > Authentication > RADIUS. Verify the configuration of RADIUS scheme rs1. From the navigation tree, select Security > Authentication > ISP Domains. Verify the configuration of ISP domain dm1. Use the configured user account to pass portal authentication. From the navigation tree, select Security >...
  • Page 143 g. Enable the session-control feature. Configure an ISP domain on the switch: a. From the navigation tree, select Security > Authentication > ISP Domains. b. Add ISP domain dm1, and set the domain state to Active. c. Set the access service to Portal. d.
  • Page 144: Aaa For Ssh Users By A Tacacs Server Configuration Example

    Verify that the number of online users is not 0 on VLAN-interface 100. AAA for SSH users by a TACACS server configuration example Network requirements As shown in Figure 49, configure the switch to meet the following requirements: • Use the TACACS server for SSH user authentication, authorization, and accounting. •...
  • Page 145: Poe Configuration Example

    − In advanced settings, configure the switch to exclude domain names in the user names sent to the TACACS server. − Configure an ISP domain on the switch: − From the navigation tree, select Security > Authentication > ISP Domains. −...
  • Page 146: Configuration Procedure

    Configuration procedure From the navigation tree, select PoE > PoE. Enable PoE for GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, and set the power supply priority to critical. Enable PoE for GigabitEthernet 1/0/3 and set the maximum PoE power for the interface to 9000 milliwatts.
  • Page 147: Appendix A Managing The Device From The Cli

    Appendix A Managing the device from the CLI Commands are available for you to perform basic device management when the Web interface is not available. To manage the device from the CLI, access the device through the console port or Telnet. You are placed in user view immediately after you log in to the CLI.
  • Page 148: Display Poe Pse

    Command Description upgrade { tftp-server | ipv6 ipv6-tftp-server } bootrom bootrom-filename upgrade { tftp-server | ipv6 ipv6-tftp-server } Downloads the specified file from a TFTP server and runtime boot boot-package system specify the file as the file to be used at the next startup. If system-package [ feature the device is a stack member device, the setting of this feature-package&<1-30>]...
  • Page 149: Initialize

    PSE Hardware Version : 57633 Legacy PD Detection : Disabled Power Utilization Threshold : 80 PD Power Policy : Disabled PD Disconnect-Detection Mode : AC Table 23 Command output Field Description PSE ID ID of the PSE. Slot No. Slot number of the PSE. SSlot No.
  • Page 150: Ipsetup Dhcp

    Usage guidelines This command deletes the next-startup configuration file from the storage medium, and then reboots the device with the factory-default configuration. Make sure you understand the impact on the network when you use this command. Examples # Initialize the device. <Sysname>...
  • Page 151: Ipsetup Ipv6 Address

    Views User view Predefined user roles network-admin Parameters ip-address: Specifies an IPv4 address for the interface, in dotted decimal notation. mask-length: Specifies the subnet mask length, the number of consecutive 1s in the mask. The value range for this argument is 1 to 31. mask: Specifies the subnet mask in dotted decimal notation.
  • Page 152: Ipsetup Ipv6 Auto

    default-gateway ipv6-gateway-address: Specifies the IPv6 address of the default gateway. If you specify this option, the command not only assigns an IPv6 gateway address to the interface, but also specifies a default route for the device. For this option to take effect, make sure the ipv6-gateway-address setting is in the same segment with the ipv6-address setting.
  • Page 153: Password

    Related commands ipsetup ipv6 address password Use password to modify the login password for a user. Syntax password Views User view Predefined user roles network-admin Examples # Modify the login password for user aaa. <Sysname> password Change password for user: aaa Old password: Enter new password: Confirm:...
  • Page 154: Ping Ipv6

    56 bytes from 1.1.2.2: icmp_seq=3 ttl=254 time=1.963 ms 56 bytes from 1.1.2.2: icmp_seq=4 ttl=254 time=1.991 ms --- Ping statistics for 1.1.2.2 --- 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss round-trip min/avg/max/std-dev = 1.963/2.028/2.137/0.062 ms The output shows that IP address 1.1.2.2 is reachable and the echo replies are all returned from the destination.
  • Page 155: Quit

    Syntax poe update { full | refresh } filename [ pse pse-id ] Views User view Predefined user roles network-admin Parameters full: Upgrades the PSE firmware in full mode. refresh: Upgrades the PSE firmware in refresh mode. filename: Specifies the name of the upgrade file, a case-sensitive string of 1 to 64 characters. The specified file must be in the root directory of the file system of the device.
  • Page 156: Summary

    Syntax reboot [ slot slot-number ] [ force ] Views User view Predefined user roles network-admin Parameters slot slot-number: Specifies a stack member device by its member ID. If you do not specify a member ID, this command reboots all member devices in the stack. force: Reboots the device immediately without performing software or hard disk check.
  • Page 157 Backup startup software images: flash:/1950-cmw710-boot-a0007-ft.bin flash:/1950-cmw710-system-a0007-ft.bin flash:/1950-cmw710-manufacture-a0007-ft.bin HPE Comware Platform Software HPE Comware Software, Version 7.1.045, Release 3111P02 Copyright (c) 2010-2015 Hewlett Packard Enterprise Development LP HPE OfficeConnect 1950-24G-2SFP+-2XGT-PoE+ uptime is 0 weeks, 0 days, 0 hours, 1...
  • Page 158: Telnet

    0 minutes Slot 1: Uptime is 0 weeks,0 days,0 hours,10 minutes HPE OfficeConnect 1950-24G-2SFP+-2XGT-PoE+ JG962A with 1 Processor BOARD TYPE: 1950-24G-2SFP+-2XGT-PoE+ DRAM: 1024M bytes FLASH: 512M bytes PCB 1 Version: VER.B Bootrom Version: CPLD 1 Version: Release Version: HPE OfficeConnect 1950-24G-2SFP+-2XGT-PoE+ JG962A-3111P02...
  • Page 159: Telnet Ipv6

    This command is not available in Release 3111P02. The device regularly checks transceiver modules for their vendor names. If a transceiver module does not have a vendor name or the vendor name is not HPE, the device repeatedly outputs traps and log messages.
  • Page 160: Upgrade

    Transceiver module source alarm is disabled by default. If you want to view the traps and log messages, execute the undo transceiver phony-alarm-disable command. Examples # Disable transceiver module source alarm. <Sysname> system-view [Sysname] transceiver phony-alarm-disable upgrade Use upgrade to download the specified file from a TFTP server and specify the file as the file to be used at the next startup.
  • Page 161 Verifying server file... Downloading file all.ipe from remote TFTP server, please wait................Done. Verifying the file flash:/all.ipe on slot 1....Done. HPE OfficeConnect 1950-24G-2SFP+-2XGT-PoE+ images in IPE: boot.bin system.bin This command will set the main startup software images. Continue? [Y/N]:y Add images to slot 1.
  • Page 162: Xtd-Cli-Mode

    Do you want to delete flash:/all.ipe now? [Y/N]:y # Download files boot.bin and system.bin from the root directory of the TFTP server and use these files at the next startup. <Sysname>upgrade 192.168.8.2 runtime boot boot.bin system system.bin The file flash:/boot.bin already exists.Overwrite?[Y/N]y Verifying server file...
  • Page 163 Warning: Extended CLI mode is intended for developers to test the system. Before using commands in extended CLI mode, contact the Technical Support and make sure you know the potential impact on the device and the network.
  • Page 164: Document Conventions And Icons

    Document conventions and icons Conventions This section describes the conventions used in the documentation. Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown.
  • Page 165: Network Topology Icons

    Convention   Description
    TIP:         An alert that provides helpful information.

    Network topology icons

    Convention Description
    Represents a generic network device, such as a router, switch, or firewall.
    Represents a routing-capable device, such as a router or Layer 3 switch.
    Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 166: Support And Other Resources

    Support and other resources

    Accessing Hewlett Packard Enterprise Support

    • For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance
    • To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc

    Information to collect •...
  • Page 167: Websites

    For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs

    Documentation feedback

    Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title,...
  • Page 168 part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.