3Com WX3000 Series Operation Manual

Unified switches switching engine

3Com WX3000 Series Unified Switches

Switching Engine

Operation Manual
Manual Version: 6W100
www.3com.com
3Com Corporation
350 Campus Drive, Marlborough,
MA, USA 01752 3064



Summary of Contents for 3Com WX3000 Series

  • Page 1: Switching Engine

    3Com WX3000 Series Unified Switches Switching Engine Operation Manual Manual Version: 6W100 www.3com.com 3Com Corporation 350 Campus Drive, Marlborough, MA, USA 01752 3064...
  • Page 2 3Com Corporation. 3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
  • Page 3: Table Of Contents

    About This Manual. Organization: 3Com WX3000 Series Unified Switches consists of three models: the WX3024, the WX3010 and the WX3008. 3Com WX3000 Series Unified Switches Switching Engine Operation Manual is organized as follows: Part / Contents: Introduces the command hierarchy, command view...
  • Page 4 Part / Contents: 24 SNMP-RMON: Introduces the configuration for network management through SNMP and RMON. 25 Multicast: Introduces IGMP snooping and the related configuration. 26 NTP: Introduces NTP and the related configuration. 27 SSH: Introduces SSH2.0 and the related configuration. 28 File System Management: Introduces basic configuration for file system management.
  • Page 5: Login

    Means the reader should be careful. Improper operation may cause data loss or damage to equipment. Means a complementary description. Related Documentation In addition to this manual, each 3Com WX3000 Series Unified Switches Switching Engine documentation set includes the following: Manual / Description...
  • Page 6 3Com WX3000 Series Unified Switches Web-Based Configuration Manual: Introduces the Web-based functions of the access control engine of WX3000 series unified switches. Obtaining Documentation You can access the most up-to-date 3Com product documentation on the World Wide Web at this URL: http://www.3com.com.
  • Page 7 Table of Contents: 1 CLI Configuration 1-1; Introduction to the CLI 1-1; Command Hierarchy 1-1; Switching User Levels 1-2; Setting the Level of a Command in a Specific View 1-3; CLI Views 1-4; CLI Features 1-7; Online Help 1-7; Terminal Display 1-8; Command History 1-8; Error Prompts 1-9; Command Edit 1-9...
  • Page 8: Cli Configuration

    CLI Configuration The sample output information in this manual was created on the WX3024. The output information on your device may vary. Introduction to the CLI A command line interface (CLI) is a user interface to interact with a device. Through the CLI on a device, a user can enter commands to configure the device and check output information to verify the configuration.
  • Page 9: Switching User Levels

    Manage level (level 3): Commands at this level are associated with the basic operation modules and support modules of the system. These commands provide support for services. Commands concerning file system, FTP/TFTP/XModem downloading, user management, and level setting are at this level. Users logged into the device fall into four user levels, which correspond to the four command levels respectively.
  • Page 10: Setting The Level Of A Command In A Specific View

    Configuration example After a general user telnets to the device, his/her user level is 0. Now, the network administrator wants to allow general users to switch to level 3, so that they are able to configure the device. # A level 3 user sets a switching password for user level 3. <device>...
  • Page 11: Cli Views

    # Change the tftp get command in user view (shell) from level 3 to level 0. (Originally, only level 3 users can change the level of a command.) <device> system-view [device] command-privilege level 0 view shell tftp [device] command-privilege level 0 view shell tftp 192.168.0.1 [device] command-privilege level 0 view shell tftp 192.168.0.1 get [device] command-privilege level 0 view shell tftp 192.168.0.1 get bootrom.btm After the above configuration, general Telnet users can use the tftp get command to download file...
  • Page 12 View / Available operation / Prompt example / Enter method / Quit method: Ethernet port view (1000 Mbps Ethernet port view): configure Ethernet port parameters; prompt example [device-GigabitEthernet1/0/1]; enter method: execute the interface gigabitethernet command in system view. 10 Gigabit Ethernet port view: prompt example [device-TenGigabit; enter method: execute the interface tengigabitethernet command in system view.
  • Page 13 View / Available operation / Prompt example / Enter method / Quit method: Public key editing view: edit the RSA public key for SSH users; prompt example [device-rsa-key-code]; enter method: execute the public-key-code begin command in public key view; quit method: execute the public-key-code end command to return to... Edit the RSA or DSA public key; prompt example [device-peer-key-c...
  • Page 14: Cli Features

    View / Available operation / Prompt example / Enter method / Quit method: QinQ view: configure QinQ parameters; prompt example [device-GigabitEthernet1/0/1-vid-20]; enter method: execute the vlan-vpn vid command in Ethernet port view (the vlan-vpn enable command should be executed first); quit method: execute the quit command to return to Ethernet port view, or execute the return command.
  • Page 15: Terminal Display

    timezone Configure time zone If the question mark (?) is at an argument position in the command, the description of the argument will be displayed on your terminal. [device] interface vlan-interface ? <1-4094> VLAN interface number If only <cr> is displayed after you enter a question mark (?), it means no parameter is available at the ? position, and you can enter and execute the command directly.
  • Page 16: Error Prompts

    By default, the CLI can store up to 10 latest executed commands for each user. You can view the command history by performing the operations listed in Table 1-3. Table 1-3 View history commands. Purpose: display the latest executed history commands. Operation: execute the display command. Remarks: this command displays the...
  • Page 17 Table 1-5 Edit operations (Press… / To…): A common key: insert the corresponding character at the cursor position and move the cursor one character to the right if the command is shorter than 254 characters. Backspace key: delete the character on the left of the cursor and move the cursor one character to the left.
  • Page 18 Table of Contents: 1 Logging In to the Switching Engine 1-1; Logging In to the Switching Engine 1-1; Introduction to the User Interface 1-1; Supported User Interfaces 1-1; User Interface Index 1-2; Common User Interface Configuration 1-2; 2 Logging In Through OAP 2-1; OAP Overview 2-1; Logging In to the Switching Engine Through OAP 2-1; Configuring the Management IP Address of the OAP Software System 2-1; Configuring the Management IP Address of the OAP Software System on the Switching Engine 2-2...
  • Page 19 Configuring Source IP Address for Telnet Service Packets 6-1; Displaying Source IP Address Configuration 6-2; 7 User Control 7-1; Introduction 7-1; Controlling Telnet Users 7-1; Prerequisites 7-1; Controlling Telnet Users by Source IP Addresses 7-1; Controlling Telnet Users by Source and Destination IP Addresses 7-2; Controlling Telnet Users by Source MAC Addresses 7-3; Configuration Example 7-3; Controlling Network Management Users by Source IP Addresses 7-4...
  • Page 20: Logging In To The Switching Engine

    Logging In to the Switching Engine The sample output information in this manual was created on the WX3024. The output information on your device may vary. Logging In to the Switching Engine You can log in to the switching engine of the device in one of the following ways: Logging in through OAP Logging in locally or remotely through an Ethernet port by means of Telnet or SSH Logging in to the Web-based network management system...
  • Page 21: User Interface Index

    User Interface Index Two kinds of user interface index exist: absolute user interface index and relative user interface index. The absolute user interface indexes are as follows: The absolute AUX user interface is numbered 0. VTY user interface indexes follow AUX user interface indexes. The first absolute VTY user interface is numbered 1, the second is 2, and so on.
  • Page 22 To do… / Use the command… / Remarks: Display the information about the current user interface/all user interfaces: display users [ all ]. Display the physical attributes and configuration of the current/a specified user interface: display user-interface [ type number | number ]. Remarks: Optional; you can execute the display command in any view.
  • Page 23: Logging In Through Oap

    Logging In Through OAP OAP Overview As an open software and hardware system, Open Application Architecture (OAA) provides a set of complete standard software and hardware interfaces. The third party vendors can develop products with special functions. These products can be compatible with each other as long as they conform to the OAA interface standards.
  • Page 24: Configuring The Management Ip Address Of The Oap Software System On The Switching Engine

    Therefore, when you use the NMS to manage the access control engine and the switching engine on the same interface, you must first obtain the management IP addresses of the two SNMP agents and obtain the link relationship between them, and then you can access the two agents. By default, the management IP address of an OAP module is not configured.
  • Page 25: Resetting The Oap Software System

    Resetting the OAP Software System If the operating system works abnormally or is under other anomalies, you can reset the OAP software system. Follow these steps to reset the OAP software system: To do… / Use the command… / Remarks: Reset the OAP software system: oap reboot slot 0 (Required; available in user view)...
  • Page 26: Logging In Through Telnet

    Logging In Through Telnet Introduction The device supports Telnet. You can manage and maintain the switching engine remotely by Telnetting to the switching engine. To log in to the switching engine through Telnet, the corresponding configuration is required on both the switching engine and the Telnet terminal.
  • Page 27: Telnet Configurations For Different Authentication Modes

    Configuration / Description: Make terminal services available (Optional): by default, terminal services are available in all user interfaces. VTY terminal configuration: Set the maximum number of lines the screen can contain (Optional): by default, the screen can contain up to 24 lines. Set history command buffer size (Optional)...
  • Page 28: Telnet Configuration With Authentication Mode Being None

    To improve security and prevent attacks on unused sockets, TCP port 23 (Telnet) and TCP port 22 (SSH) are enabled or disabled according to the corresponding configuration. If the authentication mode is none, TCP 23 is enabled and TCP 22 is disabled. If the authentication mode is password and the corresponding password has been set, TCP 23 is enabled and TCP 22 is disabled.
  • Page 29: Configuration Example

    To do… / Use the command… / Remarks: Set the history command buffer size: history-command max-size value (Optional; the default history command buffer size is 10, that is, a history command buffer can store up to 10 commands by default). Optional: the default timeout time of a user interface is 10 minutes.
  • Page 30: Telnet Configuration With Authentication Mode Being Password

    # Specify that commands of level 2 are available to users logging in through VTY 0. [device-ui-vty0] user privilege level 2 # Configure that the Telnet protocol is supported. [device-ui-vty0] protocol inbound telnet # Set the maximum number of lines the screen can contain to 30. [device-ui-vty0] screen-length 30 # Set the maximum number of commands the history command buffer can store to 20.
  • Page 31: Configuration Example

    To do… / Use the command… / Remarks: Set the history command buffer size: history-command max-size value (Optional; the default history command buffer size is 10, that is, a history command buffer can store up to 10 commands by default). Optional: the default timeout time of a user interface is 10 minutes.
  • Page 32: Telnet Configuration With Authentication Mode Being Scheme

    [device-ui-vty0] authentication-mode password # Set the local password to 123456 (in plain text). [device-ui-vty0] set authentication password simple 123456 # Specify that commands of level 2 are available to users logging in to VTY 0. [device-ui-vty0] user privilege level 2 # Configure that the Telnet protocol is supported. [device-ui-vty0] protocol inbound telnet # Set the maximum number of lines the screen can contain to 30.
  • Page 33 To do… / Use the command… / Remarks: Enter one or more VTY user interface views: user-interface vty first-number [ last-number ] (—). Configure to authenticate users locally or remotely: authentication-mode scheme [ command- (Required; the specified AAA scheme determines whether to authenticate users locally or remotely).
  • Page 34 Table 3-4 Determine the command level when users logging in to the switching engine are authenticated in the scheme mode. Scenario (authentication mode, user type, command) / Command level: The user privilege level command is not executed, and the service-type command does not specify the available command level: Level 0.
  • Page 35: Configuration Example

    Refer to AAA Operation and SSH Operation of this manual for information about AAA, RADIUS, and SSH. Configuration Example Network requirements As shown in Figure 3-3, assume a current user logs in using the oap connect slot 0 command and the user level is set to the manage level (level 3).
  • Page 36: Telnetting To The Switching Engine

    [device-ui-vty0] protocol inbound telnet # Set the maximum number of lines the screen can contain to 30. [device-ui-vty0] screen-length 30 # Set the maximum number of commands the history command buffer can store to 20. [device-ui-vty0] history-command max-size 20 # Set the timeout time to 6 minutes. [device-ui-vty0] idle-timeout 6 Telnetting to the Switching Engine Telnetting to the Switching Engine from a Terminal...
  • Page 37 Perform the following operations in the terminal window to assign IP address 202.38.160.90/24 to VLAN-interface 1 of the access control engine. <device> system-view [device] interface Vlan-interface 1 [device-Vlan-interface1] ip address 202.38.160.90 255.255.255.0 Log in to the switching engine of the device using the oap connect slot 0 command. <device>oap connect slot 0 Connected to OAP! Configure the IP address of VLAN-interface 1 of the switching engine of the device as...
  • Page 38: Telnetting To The Switching Engine From The Access Control Engine

    Figure 3-7 Launch Telnet If the password authentication mode is specified, enter the password when the Telnet window displays “Login authentication” and prompts for login password. The CLI prompt (such as <System_LSW>) appears if the password is correct. If all VTY user interfaces of the switching engine are in use, you will fail to establish the connection and see the message “All user interfaces are used, please try later!”...
  • Page 39 Perform Telnet-related configuration on the switching engine operating as the Telnet server. For details, refer to Telnet Configuration with Authentication Mode Being None, Telnet Configuration with Authentication Mode Being Password, and Telnet Configuration with Authentication Mode Being Scheme. Telnet to the access control engine as the Telnet client. Execute the following command on the access control engine operating as the Telnet client: <device>...
  • Page 40: Introduction

    Logging In from the Web-Based Network Management System When logging in from the Web-based network management system, go to these sections for information you are interested in: Introduction Setting Up a Web Configuration Environment Configuring the Login Banner Enabling/Disabling the WEB Server Introduction The device has a Web server built in.
  • Page 41: Setting Up A Web Configuration Environment

    Setting Up a Web Configuration Environment Your WX series access controller products were delivered with a factory default configuration. This configuration allows you to log into the built-in Web-based management system of the access controller product from a Web browser on a PC by inputting http://192.168.0.101 in the address bar of the browser.
  • Page 42: Configuring The Login Banner

    Figure 4-1 Web interface of the access controller engine Set up a Web configuration environment, as shown in Figure 4-2. Figure 4-2 Set up a Web configuration environment Log in to the switching engine through IE. Launch IE on the Web-based network management terminal (your PC) and enter http://192.168.0.101 in the address bar.
  • Page 43: Configuration Example

    configured by the header command, a user logging in through Web directly enters the user login authentication page. Follow these steps to configure the login banner: To do… / Use the command… / Remarks: Enter system view: system-view (—). Configure the banner to be displayed when a user logs in: header login text (Required; by default, no login banner is...
  • Page 44: Enabling/Disabling The Web Server

    Figure 4-5 Banner page displayed when a user logs in to the switching engine through Web Click Continue to enter user login authentication page. You will enter the main page of the Web-based network management system if the authentication succeeds. Enabling/Disabling the WEB Server Follow these steps to enable/disable the WEB server: To do…...
  • Page 45: Logging In From Nms

    Logging In from NMS Introduction You can also log in to the switching engine from a network management station (NMS), and then configure and manage the switching engine through the agent module on the switch. Simple network management protocol (SNMP) is applied between the NMS and the agent. Refer to the SNMP-RMON part for related information.
  • Page 46: Configuring Source Ip Address For Telnet Service Packets

    Configuring Source IP Address for Telnet Service Packets Overview You can configure source IP address or source interface for the Telnet server and Telnet client. This provides a way to manage services and enhances security. The source IP address specified for Telnet service packets is the IP address of a Loopback interface or VLAN interface.
  • Page 47: Displaying Source Ip Address Configuration

    To do… / Use the command… / Remarks: Specify a source interface for the Telnet client: telnet source-interface interface-type interface-number (Optional). When configuring a source IP address for Telnet packets, ensure that: the source IP address must be one on the local device; the source interface must already exist.
  • Page 48: User Control

    User Control Refer to the ACL part for information about ACL. Introduction The switching engine provides ways to control different types of login users, as listed in Table 7-1. Table 7-1 Ways to control different types of login users Login mode Control method Implementation Reference...
  • Page 49: Controlling Telnet Users By Source And Destination Ip Addresses

    To do… / Use the command… / Remarks: Enter system view: system-view (—). Create a basic ACL or enter basic ACL view: acl number acl-number [ match-order { config | auto } ] (As for the acl number command, the config keyword is specified by default.)
  • Page 50: Controlling Telnet Users By Source Mac Addresses

    Controlling Telnet Users by Source MAC Addresses Controlling Telnet users by source MAC addresses is achieved by applying Layer 2 ACLs, which are numbered from 4000 to 4999. Follow these steps to control Telnet users by source MAC addresses: To do… Use the command…...
  • Page 51: Controlling Network Management Users By Source Ip Addresses

    Controlling Network Management Users by Source IP Addresses You can manage the device through network management software. Network management users can access switching engines through SNMP. You need to perform the following two operations to control network management users by source IP addresses.
  • Page 52: Configuration Example

    You can specify different ACLs while configuring the SNMP community name, SNMP group name, and SNMP user name. As SNMP community name is a feature of SNMPv1 and SNMPv2c, the specified ACLs in the command that configures SNMP community names (the snmp-agent community command) take effect in the network management systems that adopt SNMPv1 or SNMPv2c.
  • Page 53: Prerequisites

    Applying the ACL to control Web users Prerequisites The controlling policy against Web users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying). Controlling Web Users by Source IP Addresses Controlling Web users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999.
  • Page 54 Configuration procedure # Define a basic ACL. <device> system-view [device] acl number 2030 [device-acl-basic-2030] rule 1 permit source 10.110.100.52 0 [device-acl-basic-2030] quit # Apply ACL 2030 to only permit the Web users sourced from the IP address of 10.110.100.52 to access the switching engine.
  • Page 55 Table of Contents: 1 Configuration File Management 1-1; Introduction to Configuration File 1-1; Management of Configuration File 1-2; Saving the Current Configuration 1-2; Erasing the Startup Configuration File 1-3; Specifying a Configuration File for Next Startup 1-4; Displaying and Maintaining Device Configuration 1-5...
  • Page 56: Configuration File Management

    Configuration File Management The sample output information in this manual was created on the WX3024. The output information on your device may vary. Introduction to Configuration File A configuration file records and stores user configurations performed to the device. It also enables users to check device configurations easily.
  • Page 57: Management Of Configuration File

    can configure a file to have both main and backup attribute, but only one file of either main or backup attribute is allowed on a device. The following three situations are concerned with the main/backup attributes: When saving the current configuration, you can specify the file to be a main or backup or normal configuration file.
  • Page 58: Erasing The Startup Configuration File

    Safe mode. This is the mode when you use the save command with the safely keyword. The mode saves the file slower but can retain the original configuration file in the device even if the device reboots or the power fails during the process. The configuration file to be used for next startup may be lost if the device reboots or the power fails during the configuration file saving process.
  • Page 59: Specifying A Configuration File For Next Startup

    To do… / Use the command… / Remarks: Erase the startup configuration file from the storage device: reset saved-configuration [ backup | main ] (Required; available in user view). You may need to erase the configuration file for one of these reasons: After you upgrade software, the old configuration file does not match the new software.
  • Page 60: Vlan

    The configuration file must use “.cfg” as its extension name and the startup configuration file must be saved at the root directory of the device. Displaying and Maintaining Device Configuration To do… / Use the command… / Remarks: Display the initial configuration file saved in the storage device: display saved-configuration [ unit unit-id ] [ by-linenum ]...
  • Page 61 Table of Contents: 1 VLAN Overview 1-1; VLAN Overview 1-1; Introduction to VLAN 1-1; Advantages of VLANs 1-2; How VLAN Works 1-2; VLAN Interface 1-4; VLAN Classification 1-4; Port-Based VLAN 1-4; Protocol-Based VLAN 1-5; Introduction to Protocol-Based VLAN 1-5; Encapsulation Format of Ethernet Data 1-5; Procedure for the Switch to Judge Packet Protocol 1-7; Encapsulation Formats 1-7; Implementation of Protocol-Based VLAN 1-7...
  • Page 62: Vlan Overview

    The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. The sample output information in this manual was created on the WX3024. The output information on your device may vary.
  • Page 63: Advantages Of Vlans

    of network layer devices, such as routers and Layer 3 switches. Figure 1-1 illustrates a VLAN implementation. Figure 1-1 A VLAN implementation (figure: a router and two switches, each switch carrying VLAN A and VLAN B). Advantages of VLANs Compared with the traditional Ethernet, VLAN enjoys the following advantages. Broadcasts are confined to VLANs.
  • Page 64 TPID is a 16-bit field, indicating that this data frame is VLAN-tagged. By default, it is 0x8100 in the WX3000 series devices. Priority is a 3-bit field, referring to 802.1p priority. Refer to the “QoS-QoS profile” part of this manual for details.
  • Page 65: Vlan Interface

    After VLANs are configured on a switch, the MAC address learning of the switch has the following two modes. Shared VLAN learning (SVL): the switch records all the MAC address entries learnt by ports in all VLANs to a shared MAC address forwarding table. Packets received on any port of any VLAN are forwarded according to this table.
  • Page 66: Protocol-Based Vlan

    The link type of a port on the device can be one of the following: access, trunk, and hybrid. For the three types of ports, the process of being added into a VLAN and the way of forwarding packets are different. For details, refer to the “Port Basic Configuration”...
  • Page 67 The switch identifies whether a packet is an Ethernet II packet or an 802.2/802.3 packet according to the ranges of the two fields. Extended encapsulation formats of 802.2/802.3 packets 802.2/802.3 packets have the following three extended encapsulation formats: 802.3 raw encapsulation: only the length field is encapsulated after the source and destination address field, followed by the upper layer data.
  • Page 68: Procedure For The Switch To Judge Packet Protocol

    Procedure for the Switch to Judge Packet Protocol. Figure 1-9 Procedure for the switch to judge packet protocol (flowchart: received packets are classified by the Type/Length field; 0x0600 to 0xFFFF identifies an Ethernet II packet; 0x05DD to 0x05FF identifies invalid packets that cannot be...
  • Page 69 The protocol template is the standard to determine the protocol to which a packet belongs. Protocol templates include standard templates and user-defined templates: The standard template adopts the RFC-defined packet encapsulation formats and values of some specific fields as the matching criteria. The user-defined template adopts the user-defined encapsulation formats and values of some specific fields as the matching criteria.
  • Page 70: Vlan Configuration

    VLAN Configuration. Configuration Task List: complete the following tasks to configure VLAN: Basic VLAN Configuration (required); Basic VLAN Interface Configuration (optional); Displaying and Maintaining VLAN (optional). Basic VLAN Configuration: follow these steps to make basic VLAN configuration: To do…...
  • Page 71: Basic Vlan Interface Configuration

    Basic VLAN Interface Configuration. Configuration prerequisites: before configuring a VLAN interface, create the corresponding VLAN. Configuration procedure: follow these steps to make basic VLAN interface configuration. Enter system view: system-view. Create a VLAN interface and enter VLAN interface view (required; by default, there is no VLAN interface): interface Vlan-interface...
  • Page 72: Configuring A Port-Based Vlan

    Configuring a Port-Based VLAN. Configuration prerequisites: create a VLAN before configuring a port-based VLAN. Configuration procedure: follow these steps to configure a port-based VLAN. Enter system view: system-view. Enter VLAN view: ...
  • Page 73 Configuration procedure Configure Switch A. # Create VLAN 101, specify its descriptive string as “DMZ”, and add GigabitEthernet 1/0/1 to VLAN 101. <SwitchA> system-view [SwitchA] vlan 101 [SwitchA-vlan101] description DMZ [SwitchA-vlan101] port GigabitEthernet 1/0/1 [SwitchA-vlan101] quit # Create VLAN 201, and add GigabitEthernet 1/0/2 to VLAN 201. [SwitchA] vlan 201 [SwitchA-vlan201] port GigabitEthernet 1/0/2 [SwitchA-vlan201] quit...
  • Page 74: Configuring A Protocol-Based Vlan

    For the command of configuring a port link type (port link-type) and the command of allowing packets of certain VLANs to pass through a port (port trunk permit), refer to the section of configuring Ethernet ports in the “Port Basic Configuration” part of this document. Configuring a Protocol-Based VLAN Configuration Task List Complete the following tasks to configure protocol-based VLAN:...
  • Page 75: Associating A Port With A Protocol-Based Vlan

    Because the IP protocol is closely associated with the ARP protocol, you are recommended to configure the ARP protocol type whenever you configure the IP protocol type, and to associate both protocol types with the same port, so that ARP packets and IP packets are assigned to the same VLAN. If they land in different VLANs, IP address resolution fails.
  • Page 76: Displaying And Maintaining Protocol-Based Vlan

    For the operation of adding a hybrid port to a VLAN in the untagged way (when forwarding a packet, the port removes the VLAN tag of the packet), refer to the section of configuring Ethernet ports in the “Port Basic Configuration” part of this manual. Displaying and Maintaining Protocol-Based VLAN To do…...
  • Page 77 Configuration procedure # Create VLAN 100 and VLAN 200, and add GigabitEthernet 1/0/11 and GigabitEthernet 1/0/12 to VLAN 100 and VLAN 200 respectively. <device> system-view [device] vlan 100 [device-vlan100] port GigabitEthernet 1/0/11 [device-vlan100] quit [device] vlan 200 [device-vlan200] port GigabitEthernet 1/0/12 # Configure protocol templates for VLAN 200 and VLAN 100, matching AppleTalk protocol and IP protocol respectively.
  • Page 78 (display output columns: VLAN ID, Protocol-Index, Protocol-Type; for example ethernetii etype 0x0806, the user-defined ARP template.) The above output information indicates that GigabitEthernet 1/0/10 has already been associated with the protocol templates of VLAN 100 and VLAN 200. Thus, packets from the IP and AppleTalk workstations are automatically assigned to VLAN 100 and VLAN 200 respectively by matching the corresponding protocol templates, which allows normal communication between the workstations and the servers.
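As an added worked example (my Python, not code from the 3Com manual), the following models the classification procedure of Figure 1-9 and the protocol-template lookup behind protocol-based VLANs: it parses one 802.1Q tag (TPID 0x8100, 3-bit priority, 12-bit VID), separates Ethernet II from 802.2/802.3 frames by the Type/Length field (0x0600 to 0xFFFF is a type, 0x05DD to 0x05FF is invalid), tells the raw, LLC and SNAP sub-formats apart, assigns an untagged frame to a VLAN through templates like the page's IP, ARP (ethernetii etype 0x0806) and AppleTalk entries, and checks the caveat above that the ARP and IP templates must point at the same VLAN. The sample frames and MAC addresses are constructed, and the 0xFFFF test for raw 802.3 encapsulation (the Novell IPX convention) is my assumption rather than something the page states.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TPID_8021Q = 0x8100        # default TPID on the WX3000 series (from the page)
MIN_ETHERTYPE = 0x0600     # Type/Length 0x0600..0xFFFF: Ethernet II type field
MAX_8023_LENGTH = 0x05DC   # 1500: largest legal 802.3 length; 0x05DD..0x05FF is invalid


@dataclass
class Frame:
    vlan: Optional[int]              # 12-bit VID from the 802.1Q tag, None if untagged
    priority: Optional[int]          # 3-bit 802.1p priority, None if untagged
    encap: str                       # ethernet_ii | 802.3_raw | 802.2_llc | 802.2_snap | invalid
    proto: Optional[int]             # EtherType for Ethernet II and SNAP, else None
    sap: Optional[Tuple[int, int]]   # (DSAP, SSAP) for LLC and SNAP, else None


def parse_frame(raw: bytes) -> Frame:
    """Classify a frame as Figure 1-9 does: 802.1Q tag, then Type/Length, then sub-format."""
    off, vlan, priority = 12, None, None                    # skip destination and source MAC
    if len(raw) >= 16 and struct.unpack("!H", raw[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", raw[14:16])[0]            # TCI = PCP(3) | DEI(1) | VID(12)
        priority, vlan, off = tci >> 13, tci & 0x0FFF, 16
    if len(raw) < off + 2:
        raise ValueError("runt frame")
    type_len = struct.unpack("!H", raw[off:off + 2])[0]
    body = raw[off + 2:]
    if type_len >= MIN_ETHERTYPE:
        return Frame(vlan, priority, "ethernet_ii", type_len, None)
    if type_len > MAX_8023_LENGTH or len(body) < 3:
        return Frame(vlan, priority, "invalid", None, None)
    # 802.3: type_len is a length and the first data bytes select the encapsulation.
    if body[:2] == b"\xff\xff":              # assumption: raw 802.3 = Novell IPX checksum 0xFFFF
        return Frame(vlan, priority, "802.3_raw", None, None)
    dsap, ssap, ctrl = body[0], body[1], body[2]
    if dsap == 0xAA and ssap == 0xAA and ctrl == 0x03 and len(body) >= 8:
        etype = struct.unpack("!H", body[6:8])[0]           # SNAP: OUI (3 bytes) + protocol id
        return Frame(vlan, priority, "802.2_snap", etype, (dsap, ssap))
    return Frame(vlan, priority, "802.2_llc", None, (dsap, ssap))


# Protocol templates, (encapsulation, match value) -> VLAN, following the page's example:
# IP and ARP into VLAN 100, AppleTalk into VLAN 200. ARP deliberately rides with IP.
TEMPLATES = {
    ("ethernet_ii", 0x0800): 100,   # standard template: ip
    ("ethernet_ii", 0x0806): 100,   # user-defined template: ethernetii etype 0x0806 (ARP)
    ("802.2_snap", 0x809B): 200,    # AppleTalk carried over SNAP
}


def assign_vlan(frame: Frame, pvid: int, templates=TEMPLATES) -> Optional[int]:
    """Tagged frames keep their VID; untagged frames are matched against the templates and
    fall back to the port's default VLAN ID. Invalid frames are dropped (None)."""
    if frame.encap == "invalid":
        return None
    if frame.vlan is not None:
        return frame.vlan
    return templates.get((frame.encap, frame.proto), pvid)


def arp_follows_ip(templates=TEMPLATES) -> bool:
    """The page's caveat: an IP template whose ARP template is missing or points at another
    VLAN breaks address resolution."""
    ip_vlan = templates.get(("ethernet_ii", 0x0800))
    return ip_vlan is None or templates.get(("ethernet_ii", 0x0806)) == ip_vlan


# Constructed sample frames (not captured traffic).
DST, SRC = bytes.fromhex("001122334455"), bytes.fromhex("00e0bb000001")


def eth2(etype: int, tag: Optional[Tuple[int, int]] = None, payload: bytes = b"\x00" * 8) -> bytes:
    hdr = DST + SRC
    if tag:
        pcp, vid = tag
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return hdr + struct.pack("!H", etype) + payload


def eth3(body: bytes) -> bytes:
    return DST + SRC + struct.pack("!H", len(body)) + body


SAMPLES = {
    "ip":        eth2(0x0800),
    "arp":       eth2(0x0806),
    "tagged_ip": eth2(0x0800, tag=(5, 300)),
    "appletalk": eth3(bytes.fromhex("aaaa03080007809b") + b"\x00" * 8),
    "ipx_raw":   eth3(b"\xff\xff" + b"\x00" * 14),
    "stp_llc":   eth3(b"\x42\x42\x03" + b"\x00" * 13),
    "invalid":   DST + SRC + b"\x05\xee" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        f = parse_frame(raw)
        print(f"{name:10} {f.encap:12} proto={f.proto} vlan={assign_vlan(f, pvid=1)}")
    print("ARP follows IP:", arp_follows_ip())
```

The LLC frame (DSAP/SSAP 0x42, the spanning-tree SAP) matches no template and so falls back to the port's default VLAN, which is exactly what the page's hybrid-port example relies on for anything that is neither IP nor AppleTalk.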
  • Page 79 Table of Contents: 1 Auto Detect Configuration (1-1); Introduction to the Auto Detect Function (1-1); Auto Detect Configuration (1-2): Auto Detect Basic Configuration (1-2), Auto Detect Implementation in Static Routing (1-3), Auto Detect Implementation in VLAN Interface Backup (1-3); Auto Detect Configuration Examples (1-4): Configuration Example for Auto Detect Implementation in Static Routing (1-4), Configuration Example for Auto Detect Implementation in VLAN Interface Backup (1-5)...
  • Page 80: Auto Detect Configuration

  • Page 81: Auto Detect Configuration

    Auto Detect Configuration. Complete the following tasks to configure auto detect: Auto Detect Basic Configuration (required); Auto Detect Implementation in Static Routing (optional); Auto Detect Implementation in VLAN Interface Backup (optional). Auto Detect Basic Configuration: follow these steps to configure the auto detect function: To do…...
  • Page 82: Auto Detect Implementation In Static Routing

    Auto Detect Implementation in Static Routing You can bind a static route with a detected group. The Auto Detect function will then detect the reachability of the static route through the path specified in the detected group. The static route is valid if the detected group is reachable. The static route is invalid if the detected group is unreachable.
  • Page 83: Auto Detect Configuration Examples

    Enter system view: system-view. Enter VLAN interface view: interface Vlan-interface vlan-id. Enable the auto detect function (required): standby detect-group group-number; this operation is only needed on the secondary VLAN interface, to implement VLAN interface backup.
  • Page 84: Configuration Example For Auto Detect Implementation In Vlan Interface Backup

    <SwitchC> system-view # Configure a static route to Switch A. [SwitchC] ip route-static 192.168.1.1 24 10.1.1.3 Configuration Example for Auto Detect Implementation in VLAN Interface Backup Network requirements As shown in Figure 1-2, make sure the routes between Switch A, Switch B, and Switch C, and between Switch A, Switch D, and Switch C are reachable.
  • Page 85: Voice Vlan

    Table of Contents: 1 Voice VLAN Configuration (1-1); Voice VLAN Overview (1-1): How an IP Phone Works (1-1), How the Device Identifies Voice Traffic (1-3), Configuring Operation Mode for Voice VLAN (1-3), Support for Voice VLAN on Various Ports (1-4), Security Mode of Voice VLAN (1-5); Voice VLAN Configuration (1-6): Configuration Prerequisites (1-6), Configuring a Voice VLAN to Operate in Automatic Mode (1-6)...
  • Page 86: Voice Vlan Configuration

    Voice VLAN Configuration The sample output information in this manual was created on the WX3024. The output information on your device may vary. Voice VLAN Overview Voice VLANs are VLANs configured specially for voice traffic. By adding the ports connected with voice devices to voice VLANs, you can have voice traffic transmitted within voice VLANs and perform QoS-related configuration for voice traffic as required, thus ensuring the transmission priority of voice traffic and voice quality.
  • Page 87 Figure 1-1 Network diagram for IP phones (diagram: IP Phone, DHCP Server1 ①, DHCP Server2 ②, Call agent ③). As shown in Figure 1-1, the IP phone needs to work in conjunction with the DHCP server and the NCP to establish a path for voice data transmission. An IP phone goes through the following three phases to become capable of transmitting voice data.
  • Page 88: How The Device Identifies Voice Traffic

    OUI address which forms the first 24 bits of a MAC address. The WX3000 supports OUI address mask configuration. You can adjust the matching depth of MAC address by setting different OUI address masks.
  • Page 89: Support For Voice Vlan On Various Ports

    Processing mode of untagged packets sent by IP voice devices Automatic mode. A WX3000 device automatically adds a port connecting an IP voice device to the voice VLAN by learning the source MAC address in the untagged packet sent by the IP voice device when it is powered on.
  • Page 90: Security Mode Of Voice Vlan

    Security Mode of Voice VLAN On the WX3000 devices, a voice VLAN can operate in the security mode. Voice VLANs operating in this mode only permit voice data, enabling you to perform voice traffic-specific priority configuration. With...
  • Page 91: Voice Vlan Configuration

    Voice VLAN Configuration Configuration Prerequisites Create the corresponding VLAN before configuring a voice VLAN. VLAN 1 (the default VLAN) cannot be configured as a voice VLAN. Configuring a Voice VLAN to Operate in Automatic Mode Follow these steps to configure a voice VLAN to operate in automatic mode: To do…...
  • Page 92: Configuring A Voice Vlan To Operate In Manual Mode

    If the device restarts while the voice VLAN is working normally, the system re-adds the ports operating in automatic mode to the voice VLAN immediately after the restart, without waiting to be triggered by voice traffic, so that established voice connections keep working. Configuring a Voice VLAN to Operate in Manual Mode Follow these steps to configure a voice VLAN to operate in manual mode: To do…...
  • Page 93 VLAN is enabled globally and on a port, but it takes effect only after voice VLAN is enabled globally and on the port. To add a Trunk port or a Hybrid port to the voice VLAN, refer to Basic Port Configurations of the 3Com WX3000 Series Unified Switches Switching Engines Command Manual for the related command.
  • Page 94: Displaying And Maintaining Voice Vlan

    Displaying and Maintaining Voice VLAN. Display the information about ports on which voice VLAN configuration fails: display voice vlan error-info. Display the voice VLAN configuration status: display voice vlan status. You can execute the display commands in any view.
  • Page 95: Voice Vlan Configuration Example (Manual Mode)

    [DeviceA] voice vlan aging 100 # Add a user-defined OUI address 0011-2200-0000 and set the description string to “test”. [DeviceA] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test # Enable the voice VLAN function globally. [DeviceA] voice vlan 2 enable # Configure the voice VLAN to operate in automatic mode on GigabitEthernet 1/0/1.
  • Page 96 ... Pingtel phone; 00e0-7500-0000 ffff-ff00-0000 Polycom phone; 00e0-bb00-0000 ffff-ff00-0000 3Com phone (display voice vlan oui output: OUI address, mask, description). # Display the status of the current voice VLAN. <DeviceA> display voice vlan status Voice Vlan status: ENABLE Voice Vlan ID: 2 Voice Vlan security mode: Security Voice Vlan aging time: 1440 minutes...
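As an added example (my Python, not code from the manual), the following models how the device identifies voice traffic by OUI address and mask, adds a port in automatic mode when an untagged packet from a matching source MAC arrives, and, in security mode, forwards only voice-OUI sources inside the voice VLAN. The two default OUI entries are the ones shown in the display voice vlan oui output above, the user-defined entry mirrors the voice vlan mac-address command, and the MAC addresses and port names are constructed. Note what the check gives you and what it does not: a host that sets its source MAC to a phone OUI is classified as a phone, so OUI matching sorts traffic rather than authenticating the device; security mode only narrows what is forwarded inside the voice VLAN.

```python
from typing import Dict, Optional, Set, Tuple


def parse_mac(text: str) -> int:
    """Accept the switch's hhhh-hhhh-hhhh notation (or colon form); return a 48-bit integer."""
    return int(text.replace("-", "").replace(":", ""), 16)


# Two entries of the default OUI table the page prints with display voice vlan oui.
DEFAULT_OUIS: Dict[Tuple[int, int], str] = {
    (parse_mac("00e0-7500-0000"), parse_mac("ffff-ff00-0000")): "Polycom phone",
    (parse_mac("00e0-bb00-0000"), parse_mac("ffff-ff00-0000")): "3Com phone",
}


class VoiceVlan:
    """Automatic-mode learning and security-mode filtering for one voice VLAN."""

    def __init__(self, vid: int, security_mode: bool = True):
        if vid == 1:
            raise ValueError("VLAN 1 (the default VLAN) cannot be configured as a voice VLAN")
        self.vid = vid
        self.security_mode = security_mode
        self.ouis: Dict[Tuple[int, int], str] = dict(DEFAULT_OUIS)
        self.members: Set[str] = set()          # ports added in automatic mode

    def add_oui(self, address: str, mask: str, description: str) -> None:
        """voice vlan mac-address <address> mask <mask> description <description>.
        The mask sets the matching depth: ffff-ff00-0000 compares 24 bits, ffff-ffff-0000 32."""
        m = parse_mac(mask)
        self.ouis[(parse_mac(address) & m, m)] = description

    def match(self, mac: str) -> Optional[str]:
        """Description of the most specific (longest-mask) OUI entry the MAC matches, or None."""
        value = parse_mac(mac)
        hits = [(bin(m).count("1"), desc) for (a, m), desc in self.ouis.items() if value & m == a]
        return max(hits)[1] if hits else None

    def learn(self, port: str, src_mac: str, tagged: bool = False) -> bool:
        """Automatic mode: an untagged packet whose source MAC matches an OUI adds the port."""
        if tagged or self.match(src_mac) is None:
            return False
        self.members.add(port)
        return True

    def permit(self, src_mac: str, vid: int) -> bool:
        """Security mode: inside the voice VLAN only traffic from voice OUIs is forwarded.
        Other VLANs, and everything when security mode is off, are unaffected."""
        if vid != self.vid or not self.security_mode:
            return True
        return self.match(src_mac) is not None


if __name__ == "__main__":
    vv = VoiceVlan(2)
    vv.add_oui("0011-2200-0000", "ffff-ff00-0000", "test")
    # Constructed addresses: a 3Com phone, a PC, and a PC that merely copies a Polycom OUI.
    for mac in ("00e0-bb12-3456", "0800-2700-0001", "00e0-7512-3456"):
        print(mac, vv.match(mac), vv.learn("GigabitEthernet1/0/1", mac), vv.permit(mac, 2))
```

The longest-mask rule matters once you configure overlapping entries: a 32-bit mask entry for one phone model wins over the 24-bit vendor-wide entry, which is the "matching depth" the page describes.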
  • Page 97 Table of Contents: 1 GVRP Configuration (1-1); Introduction to GVRP (1-1): GARP (1-1), GVRP (1-4), Protocol Specifications (1-4); GVRP Configuration (1-4): Configuration Task List (1-4), Enabling GVRP (1-4), Configuring GVRP Timers (1-5), Configuring GVRP Port Registration Mode (1-6); Displaying and Maintaining GVRP (1-6); GVRP Configuration Example (1-7): GVRP Configuration Example (1-7)...
  • Page 98: Gvrp Configuration

  • Page 99 Leave messages, LeaveAll messages, together with Join messages ensure attribute information can be deregistered and re-registered. Through message exchange, all the attribute information to be registered can be propagated to all the GARP-enabled switches in the same LAN. GARP timers Timers determine the intervals of sending different types of GARP messages.
  • Page 100 Figure 1-1 Format of GARP packets. Ethernet frame: Length, DSAP, SSAP, Ctrl, GARP PDU. GARP PDU structure: Protocol ID, Message 1 ... Message N, End Mark. Message structure: Attribute Type, Attribute List. Attribute List structure: Attribute 1 ... Attribute N, End Mark. Attribute structure: Attribute Length, Attribute Event, Attribute Value...
  • Page 101: Gvrp

    GVRP As an implementation of GARP, GARP VLAN registration protocol (GVRP) maintains dynamic VLAN registration information and propagates the information to the other devices through GARP. With GVRP enabled on a device, the VLAN registration information received by the device from other devices is used to dynamically update the local VLAN registration information, including the information about the VLAN members, the ports through which the VLAN members can be reached, and so on.
  • Page 102: Configuring Gvrp Timers

    Configuration procedure: follow these steps to enable GVRP on an Ethernet port. Enter system view: system-view. Enable GVRP globally (required): gvrp; by default, GVRP is disabled globally. Enter Ethernet port view: interface interface-type...
  • Page 103: Configuring Gvrp Port Registration Mode

    Table 1-2 Relations between the timers (columns: Timer, Lower threshold, Upper threshold). Hold: lower threshold 10 centiseconds; upper threshold less than or equal to one-half of the timeout time of the Join timer (you can change this threshold by changing the timeout time of the Join timer).
  • Page 104: Gvrp Configuration Example

    GVRP Configuration Example GVRP Configuration Example Network requirements Enable GVRP on all the switches in the network so that the VLAN configurations on Switch C and Switch E can be applied to all switches in the network, thus implementing dynamic VLAN information registration and refresh, as shown in Figure 1-2.
  • Page 105 [SwitchA-GigabitEthernet1/0/3] port trunk permit vlan all # Enable GVRP on GigabitEthernet 1/0/3. [SwitchA-GigabitEthernet1/0/3] gvrp [SwitchA-GigabitEthernet1/0/3] quit Configure Switch B # The configuration procedure of Switch B is similar to that of Switch A and is thus omitted. Configure Switch C # Enable GVRP on Switch C, which is similar to that of Switch A and is thus omitted.
  • Page 106 [SwitchE-GigabitEthernet1/0/1] gvrp registration fixed # Display the VLAN information dynamically registered on Switch A. [SwitchA] display vlan dynamic Total 3 dynamic VLAN exist(s). The following dynamic VLANs exist: 5, 7, 8, # Display the VLAN information dynamically registered on Switch B. [SwitchB] display vlan dynamic Total 3 dynamic VLAN exist(s).
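The following Python is an added example, not code from the manual or from 3Com: it encodes and decodes the GARP PDU laid out in Figure 1-1 (LLC header, Protocol ID 0x0001, one message of attribute type 1 for VLAN IDs, attributes of Length, Event and Value, and the End Marks) and applies the decoded Join/Leave/LeaveAll events to a port's dynamic VLAN set under the normal, fixed and forbidden registration modes that gvrp registration selects. The byte-level constants follow IEEE 802.1D; the PDU content (VLANs 5, 7 and 8, matching the display vlan dynamic output above) and the simplified LeaveAll handling (no Leave timers) are my constructions. The security point to take from it: GVRP carries no authentication, so on a normal-mode port whatever a neighbour announces becomes a dynamic VLAN, which is why fixed or forbidden is the mode for ports facing devices you do not control.

```python
import struct
from typing import Iterable, List, Optional, Set, Tuple

# GARP/GVRP constants from IEEE 802.1D; the page's Figure 1-1 shows LLC followed by the GARP PDU.
GVRP_DST_MAC = bytes.fromhex("0180c2000021")
LLC_HEADER = b"\x42\x42\x03"            # DSAP 0x42, SSAP 0x42, Ctrl 0x03 (UI)
GARP_PROTOCOL_ID = 0x0001
ATTR_TYPE_VID = 0x01                    # GVRP's only attribute type: a VLAN ID
END_MARK = 0x00
EVENTS = {0: "LeaveAll", 1: "JoinEmpty", 2: "JoinIn", 3: "LeaveEmpty", 4: "LeaveIn", 5: "Empty"}
EVENT_CODES = {name: code for code, name in EVENTS.items()}

Event = Tuple[str, Optional[int]]       # ("JoinIn", 5) or ("LeaveAll", None)


def build_gvrp_pdu(events: List[Event]) -> bytes:
    """LLC header + GARP PDU: Protocol ID, one message (Attribute Type, Attribute List), End Marks.
    Each attribute is Length | Event | Value, where Length counts all three fields."""
    attrs = b""
    for name, vid in events:
        code = EVENT_CODES[name]
        if code == 0:
            attrs += bytes([2, code])                           # LeaveAll carries no value
        else:
            attrs += bytes([4, code]) + struct.pack("!H", vid)  # 2-byte VID value
    message = bytes([ATTR_TYPE_VID]) + attrs + bytes([END_MARK])
    return LLC_HEADER + struct.pack("!H", GARP_PROTOCOL_ID) + message + bytes([END_MARK])


def parse_gvrp_pdu(pdu: bytes) -> List[Event]:
    """Walk the structure of Figure 1-1, rejecting bad lengths, unknown events and VIDs outside 1..4094."""
    if pdu[:3] != LLC_HEADER or struct.unpack("!H", pdu[3:5])[0] != GARP_PROTOCOL_ID:
        raise ValueError("not a GARP PDU")
    events: List[Event] = []
    off = 5
    while True:                                         # message list, closed by an End Mark
        if off >= len(pdu):
            raise ValueError("missing End Mark")
        if pdu[off] == END_MARK:
            return events
        if pdu[off] != ATTR_TYPE_VID:
            raise ValueError(f"unknown attribute type {pdu[off]:#x}")
        off += 1
        while True:                                     # attribute list, closed by an End Mark
            if off >= len(pdu):
                raise ValueError("missing End Mark")
            if pdu[off] == END_MARK:
                off += 1
                break
            if off + 1 >= len(pdu):
                raise ValueError("truncated attribute")
            length, code = pdu[off], pdu[off + 1]
            if length < 2 or off + length > len(pdu) or code not in EVENTS:
                raise ValueError("malformed attribute")
            value = pdu[off + 2:off + length]
            vid = None
            if code != 0:                               # every event except LeaveAll names a VID
                if len(value) != 2:
                    raise ValueError("VID attribute must carry a 2-byte value")
                vid = struct.unpack("!H", value)[0]
                if not 1 <= vid <= 4094:
                    raise ValueError(f"VID {vid} out of range")
            events.append((EVENTS[code], vid))
            off += length


class GvrpPort:
    """Dynamic VLAN registration on one port under the three registration modes."""

    def __init__(self, mode: str = "normal", static_vlans: Iterable[int] = (1,)):
        if mode not in ("normal", "fixed", "forbidden"):
            raise ValueError(mode)
        self.mode, self.static, self.dynamic = mode, set(static_vlans), set()

    def receive(self, pdu: bytes) -> Set[int]:
        """Apply a neighbour's PDU; return the dynamic VLANs now registered (cf. display vlan dynamic)."""
        for event, vid in parse_gvrp_pdu(pdu):
            if self.mode != "normal":
                continue        # fixed/forbidden: neighbours cannot add or remove dynamic VLANs here
            if event in ("JoinIn", "JoinEmpty") and vid not in self.static:
                self.dynamic.add(vid)
            elif event in ("LeaveIn", "LeaveEmpty"):
                self.dynamic.discard(vid)
            elif event == "LeaveAll":
                self.dynamic.clear()   # simplified: a real participant starts Leave timers instead
        return set(self.dynamic)


if __name__ == "__main__":
    # Constructed PDU carrying the registrations Switch A shows in the page's example.
    pdu = build_gvrp_pdu([("JoinIn", 5), ("JoinIn", 7), ("JoinIn", 8)])
    print(pdu.hex())
    print("normal:", sorted(GvrpPort("normal").receive(pdu)))
    print("fixed: ", sorted(GvrpPort("fixed").receive(pdu)))
```

Run stand-alone it prints the PDU bytes and shows the same three dynamic VLANs on a normal-mode port and none on a fixed-mode port, which is the difference the page's Switch E configuration (gvrp registration fixed) is exploiting.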
  • Page 107 Table of Contents: 1 Basic Port Configuration (1-1); Ethernet Port Overview (1-1): Types and Numbers of Ethernet Ports (1-1), Combo Ports Mapping Relations (1-1), Link Types of Ethernet Ports (1-2), Configuring the Default VLAN ID for an Ethernet Port (1-2), Adding an Ethernet Port to Specified VLANs (1-3); Configuring Ethernet Ports (1-3): Making Basic Port Configuration (1-3), Configuring Port Auto-Negotiation Speed (1-4)...
  • Page 108: Basic Port Configuration

    Ethernet Port Overview Types and Numbers of Ethernet Ports Table 1-1 lists the types and numbers of the Ethernet ports available on the WX3000 series devices. Table 1-1 Description of Ethernet port type and port number 10/100/1000Base-T autosensing 1000Base-X SFP...
  • Page 109: Link Types Of Ethernet Ports

    Link Types of Ethernet Ports An Ethernet port of the device can operate in one of the following three link types: Access: An access port can belong to only one VLAN, and is generally used to connect user PCs. Trunk: A trunk port can belong to more than one VLAN. It can receive/send packets from/to multiple VLANs, and is generally used to connect another device.
  • Page 110: Adding An Ethernet Port To Specified Vlans

    Table 1-3 Processing of incoming/outgoing packets (columns: Port type; Processing of an incoming packet, split into the case where the packet does not carry a VLAN tag and the case where it carries a VLAN tag; Processing of an outgoing packet). Access port, incoming packet carrying a VLAN tag: if the VLAN ID is just the default VLAN ID, receive the packet.
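To make Table 1-3 and the link-type descriptions above concrete, here is an added Python model (mine, not the manual's) of how an access, trunk or hybrid port classifies an incoming frame and tags or untags an outgoing one: untagged frames take the port's default VLAN ID, an access port accepts a tagged frame only when its VID equals the PVID, a trunk or hybrid port accepts the VIDs it permits, and on egress an access port and a trunk's default VLAN send frames untagged while a hybrid port follows its per-VLAN untagged list. The port names and VLAN numbers are constructed. The model also shows the consequence a practitioner should check for: when an access VLAN is also a trunk's default VLAN, a frame that arrives carrying two tags leaves the trunk with the outer tag removed and the inner tag exposed to the next switch, so give trunks a PVID that no access port uses.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Port:
    name: str
    link_type: str                                    # "access", "trunk" or "hybrid"
    pvid: int = 1                                     # default VLAN ID of the port
    permitted: Set[int] = field(default_factory=set)  # other VLANs a trunk/hybrid port belongs to
    untagged: Set[int] = field(default_factory=set)   # hybrid only: VLANs it sends without a tag


@dataclass
class Frame:
    tags: List[int]                                   # VIDs of 802.1Q tags, outermost first; [] = untagged


def member(port: Port, vid: int) -> bool:
    return vid == port.pvid or vid in port.permitted


def ingress(port: Port, frame: Frame) -> Optional[int]:
    """Table 1-3, incoming side: the VLAN the frame is forwarded in, or None if dropped."""
    if not frame.tags:
        return port.pvid                              # untagged: tag it with the default VLAN ID
    vid = frame.tags[0]
    if port.link_type == "access":
        return vid if vid == port.pvid else None      # access: only its own default VLAN ID
    return vid if member(port, vid) else None         # trunk/hybrid: permitted VLANs


def egress(port: Port, vid: int, inner: List[int]) -> Optional[Frame]:
    """Table 1-3, outgoing side. `inner` is whatever followed the tag that was classified."""
    if not member(port, vid):
        return None                                   # the port is not in that VLAN
    if port.link_type == "access":
        return Frame(inner)                           # access: strip the tag
    if port.link_type == "trunk":
        return Frame(inner) if vid == port.pvid else Frame([vid] + inner)
    return Frame(inner) if vid in port.untagged else Frame([vid] + inner)   # hybrid


def forward(in_port: Port, frame: Frame, out_port: Port) -> Optional[Frame]:
    vid = ingress(in_port, frame)
    if vid is None:
        return None
    inner = frame.tags[1:] if frame.tags else []
    return egress(out_port, vid, inner)


# Constructed topology (not from the page): a user access port in VLAN 10 and two
# alternative uplink trunks that differ only in their default VLAN ID.
ACCESS10 = Port("GigabitEthernet1/0/1", "access", pvid=10)
TRUNK_PVID10 = Port("GigabitEthernet1/0/24", "trunk", pvid=10, permitted={20, 30})
TRUNK_PVID999 = Port("GigabitEthernet1/0/24", "trunk", pvid=999, permitted={10, 20, 30})
HYBRID = Port("GigabitEthernet1/0/12", "hybrid", pvid=10, permitted={10, 20}, untagged={10})


def inner_tag_exposed(uplink: Port) -> bool:
    """Does a frame sent with tags [10, 20] from ACCESS10 leave `uplink` tagged only 20?
    The access port accepts the outer tag because it equals its PVID; if the uplink's PVID
    is also 10 that tag is stripped on egress and the inner tag 20 is what the peer sees."""
    out = forward(ACCESS10, Frame([10, 20]), uplink)
    return out is not None and out.tags == [20]


if __name__ == "__main__":
    print("untagged user frame via PVID-999 trunk:", forward(ACCESS10, Frame([]), TRUNK_PVID999))
    print("inner tag exposed via PVID-10 trunk: ", inner_tag_exposed(TRUNK_PVID10))
    print("inner tag exposed via PVID-999 trunk:", inner_tag_exposed(TRUNK_PVID999))
```

With the PVID-999 trunk the same double-tagged frame leaves as [10, 20]: the outer tag stays, so the peer files it under VLAN 10 and the inner tag is never interpreted.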
  • Page 111: Configuring Port Auto-Negotiation Speed

    Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Enable the Ethernet port: undo shutdown (by default, the port is enabled; use the shutdown command to disable the port). Set the description of the Ethernet port: description text (by default, no description is defined)...
  • Page 112: Setting The Ethernet Port Broadcast Suppression Ratio

    Configure the available auto-negotiation speed(s) for the port (optional): speed auto [ 10 | 100 | 1000 ]*; by default, the port speed is auto-negotiated. Only ports on the front panel of the device support the auto-negotiation speed configuration feature; ports on the extended interface card do not support this feature currently.
  • Page 113: Configuring Access Port Attribute

    Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Enable flow control on the Ethernet port (required): flow-control; by default, flow control is not enabled on a port. Configuring Access Port Attribute: follow these steps to configure access port attribute: To do…...
  • Page 114: Disabling Up/Down Log Output On A Port

    Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Set the link type for the port as trunk (required): port link-type trunk. Set the default VLAN ID for the port (optional): port trunk pvid vlan vlan-id. By default, the VLAN of a trunk port...
  • Page 115: Copying Port Configuration To Other Ports

    <device> system-view [device] interface GigabitEthernet 1/0/1 [device-GigabitEthernet1/0/1] shutdown [device-GigabitEthernet1/0/1] %Apr 2 08:11:14:220 2000 device L2INF/5/PORT LINK STATUS CHANGE:- 1 - GigabitEthernet1/0/1 is DOWN [device-GigabitEthernet1/0/1] undo shutdown [device-GigabitEthernet1/0/1] %Apr 2 08:11:32:253 2000 device L2INF/5/PORT LINK STATUS CHANGE:- 1 - GigabitEthernet1/0/1 is UP # Disable GigabitEthernet 1/0/1 from outputting Up/Down log information, execute the shutdown command or the undo shutdown command on GigabitEthernet 1/0/1, and no Up/Down log information is output for GigabitEthernet 1/0/1.
  • Page 116: Setting Loopback Detection For An Ethernet Port

    configuration command once on one port and that configuration will apply to all ports in the port group. This effectively reduces redundant configuration. A port group can be created manually by users. Multiple Ethernet ports can be added to the same port group, but one Ethernet port can only be added to one port group.
  • Page 117: Link Aggregation

    Configure the system to run loopback detection on all VLANs for the trunk and hybrid ports (optional): loopback-detection per-vlan enable. By default, the system runs loopback detection only on the default VLAN for the trunk and hybrid ports.
  • Page 118: Enabling The System To Test Connected Cable

    Enabling the System to Test Connected Cable You can enable the system to test the cable connected to a specific port. The test result will be returned in five minutes. The system can test these attributes of the cable: Receive and transmit directions (RX and TX), short circuit/open circuit or not, the length of the faulty cable.
  • Page 119: Displaying And Maintaining Ethernet Ports

    Displaying and Maintaining Ethernet Ports. Display port configuration information: display interface [ interface-type | interface-type interface-number ]. Display information for a specified port group: display port-group group-id. Display port loopback detection state: display loopback-detection. Display brief configuration ... : display brief interface. These display commands are available in any view...
  • Page 120: Troubleshooting Ethernet Port Configuration

    [device] vlan 100 # Configure the default VLAN ID of GigabitEthernet 1/0/1 as 100. [device-GigabitEthernet1/0/1] port trunk pvid vlan 100 Troubleshooting Ethernet Port Configuration Symptom: Default VLAN ID configuration failed. Solution: Take the following steps. Use the display interface or display port command to check if the port is a trunk port or a hybrid port.
  • Page 121 Table of Contents: 1 Link Aggregation Configuration (1-1); Overview (1-1): Introduction to Link Aggregation (1-1), Introduction to LACP (1-1), Operation Key (1-2), Manual Aggregation Group (1-2), Static LACP Aggregation Group (1-3), Dynamic LACP Aggregation Group (1-4), Aggregation Group Categories (1-5); Link Aggregation Configuration (1-6): Configuring a Manual Aggregation Group (1-6), Configuring a Static LACP Aggregation Group (1-7), Configuring a Dynamic LACP Aggregation Group (1-8); Displaying and Maintaining Link Aggregation (1-9)...
  • Page 122: Link Aggregation Configuration

  • Page 123: Operation Key

    Operation Key. An operation key of an aggregation port is a configuration combination generated by the system from the configuration of the port (rate, duplex mode, other basic configuration, and management key) when the port is aggregated. The selected ports in a manual/static aggregation group have the same operation key. The management key of an LACP-enabled static aggregation port is equal to its aggregation group. The management key of an LACP-enabled dynamic aggregation port is zero by default.
  • Page 124: Static Lacp Aggregation Group

    For an aggregation group: When the rate or duplex mode of a port in the aggregation group changes, packet loss may occur on this port; When the rate of a port decreases, if the port belongs to a manual or static LACP aggregation group, the port will be switched to the unselected state;...
  • Page 125: Dynamic Lacp Aggregation Group

    Dynamic LACP Aggregation Group Introduction to dynamic LACP aggregation group A dynamic LACP aggregation group is automatically created and removed by the system. Users cannot add/remove ports to/from it. A port can participate in dynamic link aggregation only when it is LACP-enabled.
  • Page 126: Aggregation Group Categories

    Changing the system priority of a device may change the preferred device between the two parties, and may further change the states (selected or unselected) of the member ports of dynamic aggregation groups. Configuring port priority LACP determines the selected and unselected states of the dynamic aggregation group members according to the port IDs on the device with the preferred device ID.
  • Page 127: Link Aggregation Configuration

    A load-sharing aggregation group contains at least two selected ports, but a non-load-sharing aggregation group can only have one selected port at most, while others are unselected ports. Link Aggregation Configuration The commands of link aggregation cannot be configured with the commands of port loopback detection feature at the same time.
  • Page 128: Configuring A Static Lacp Aggregation Group

    Configure a description for the aggregation group (optional): link-aggregation group agg-id description agg-name; by default, an aggregation group has no description. Enter Ethernet port view: interface interface-type interface-number. Add the Ethernet port to the aggregation group (required): port link-aggregation group...
  • Page 129: Configuring A Dynamic Lacp Aggregation Group

    Configure a description for the aggregation group (optional): link-aggregation group agg-id description agg-name; by default, an aggregation group has no description. Enter Ethernet port view: interface interface-type interface-number. Add the port to the aggregation group (required): port link-aggregation group...
  • Page 130: Displaying And Maintaining Link Aggregation

    Enable LACP on the port (required): lacp enable; by default, LACP is disabled on a port. Configure the port priority (optional): lacp port-priority port-priority; by default, the port priority is 32,768. Displaying and Maintaining Link Aggregation: To do…...
  • Page 131: Link Aggregation

    Figure 1-1 Network diagram for link aggregation configuration Switch A Link aggregation Switch B Configuration procedure Adopting manual aggregation mode # Create manual aggregation group 1. <device> system-view [device] link-aggregation group 1 mode manual # Add GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to aggregation group 1. [device] interface GigabitEthernet1/0/1 [device-GigabitEthernet1/0/1] port link-aggregation group 1 [device-GigabitEthernet1/0/1] interface GigabitEthernet1/0/2...
  • Page 132 Note that the three LACP-enabled ports can be aggregated into a dynamic aggregation group to implement load sharing only when they have the same basic configuration (such as rate, duplex mode, and so on).
  • Page 133: Port Isolation

    Table of Contents: 1 Port Isolation Configuration (1-1); Port Isolation Overview (1-1): Introduction to Port Isolation (1-1); Port Isolation Configuration (1-1); Displaying and Maintaining Port Isolation (1-2); Port Isolation Configuration Example (1-2)
  • Page 134: Port Isolation Configuration

    The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. The sample output information in this manual was created on the WX3024. The output information on your device may vary.
  • Page 135: Displaying And Maintaining Port Isolation

    When a member port of an aggregation group is added to an isolation group, the other ports in the same aggregation group are added to the isolation group automatically. When a member port of an aggregation group is deleted from an isolation group, the other ports in the same aggregation group are deleted from the isolation group automatically.
  • Page 136 <device> system-view System View: return to User View with Ctrl+Z. [device] interface GigabitEthernet1/0/2 [device-GigabitEthernet1/0/2] port isolate [device-GigabitEthernet1/0/2] quit [device] interface GigabitEthernet1/0/3 [device-GigabitEthernet1/0/3] port isolate [device-GigabitEthernet1/0/3] quit [device] interface GigabitEthernet1/0/4 [device-GigabitEthernet1/0/4] port isolate [device-GigabitEthernet1/0/4] quit [device] # Display the information about the ports in the isolation group. [device] display isolate port Isolated port(s) on UNIT 1: GigabitEthernet1/0/2, GigabitEthernet1/0/3, GigabitEthernet1/0/4...
  • Page 137 Table of Contents: 1 Port Security Configuration (1-1); Port Security Overview (1-1); Introduction (1-1); Port Security Features (1-1); Port Security Modes (1-2); Port Security Configuration (1-4); Enabling Port Security (1-4); Setting the Maximum Number of MAC Addresses Allowed on a Port (1-5); Setting the Port Security Mode (1-5); Configuring Port Security Features (1-6); Ignoring the Authorization Information from the RADIUS Server (1-8); Configuring Security MAC Addresses (1-8)...
  • Page 138: Port Security Configuration

    The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. The sample output information in this manual was created on the WX3024. The output information on your device may vary.
  • Page 139: Port Security Modes

    Port Security Modes. Table 1-1 describes the available port security modes. Table 1-1 Description of port security modes (Security mode / Description / Feature): noRestriction: Port security is disabled on the port and access to the port is not restricted. In this mode, neither the NTK nor the intrusion...
  • Page 140 (Security mode / Description / Feature) userLoginSecure: In this mode, a port performs 802.1x authentication of users and services only one user passing 802.1x authentication at a time. userLoginSecure: In this mode, a port performs 802.1x authentication of users and services users passing 802.1x authentication. Similar to the userLoginSecure mode, a port in this mode performs 802.1x authentication of users and services only one user passing 802.1x authentication.
  • Page 141: Port Security Configuration

    Port Security Configuration. Complete the following tasks to configure port security (Task / Remarks): Enabling Port Security (Required); Setting the Maximum Number of MAC Addresses Allowed on a Port (Optional); Setting the Port Security Mode (Required); Configuring Port Security Features: Configuring the NTK feature (Optional), Configuring intrusion protection...
  • Page 142: Setting The Maximum Number Of Mac Addresses Allowed On A Port

    Setting the Maximum Number of MAC Addresses Allowed on a Port. Port security allows more than one user to be authenticated on a port. The number of authenticated users allowed, however, cannot exceed the configured upper limit. By setting the maximum number of MAC addresses allowed on a port, you can: control the maximum number of users who are allowed to access the network through the port; control the number of security MAC addresses that can be added with port security. This configuration is different from that of the maximum number of MAC addresses that can be learned...
  • Page 143: Configuring Port Security Features

    To do… / Use the command… / Remarks: Enter Ethernet port view: interface interface-type interface-number. Set the port security mode: port-security port-mode { autolearn | mac-and-userlogin-secure | mac-and-userlogin-secure-ext | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin |... (Required; by default, a port operates in noRestriction mode. In this mode, access to the port is not...
  • Page 144 The WX3000 series devices do not support the ntkonly NTK feature. Configuring intrusion protection. Follow these steps to configure the intrusion protection feature (To do… / Use the command… / Remarks): Enter system view: system-view. Enter Ethernet port view: interface interface-type...
  • Page 145: Ignoring The Authorization Information From The Radius Server

    To do… / Use the command… / Remarks: Enter system view: system-view. Enable sending traps for the specified type of event: port-security trap { addresslearned | intrusion | dot1xlogon | dot1xlogoff | dot1xlogfailure | ralmlogon | ralmlogoff | ralmlogfailure } (Required; by default, no trap is sent). Ignoring the Authorization Information from the RADIUS Server. After an 802.1x user or MAC-authenticated user passes Remote Authentication Dial-In User Service...
  • Page 146: Displaying And Maintaining Port Security Configuration

    Manually configured security MAC addresses are written to the configuration file; they are not lost when the port goes up or down. As long as the configuration file is saved, the security MAC addresses can be restored after the device reboots. Configuration prerequisites: Port security is enabled.
  • Page 147 To ensure that Host can access the network, add the MAC address 0001-0002-0003 of Host as a security MAC address to the port in VLAN 1. After the number of security MAC addresses reaches 80, the port stops learning MAC addresses. If any frame with an unknown MAC address arrives, intrusion protection is triggered and the port will be disabled and stay silent for 30 seconds.
  • Page 148: Port Binding Configuration

    Port Binding Configuration. Port Binding Overview. Introduction. Port binding enables the network administrator to bind the MAC address and IP address of a user to a specific port. After the binding, the switch forwards only those packets received on the port whose MAC address and IP address match the bound MAC address and IP address.
  • Page 149: Port Binding Configuration Example

    Port Binding Configuration Example. Network requirements. As shown in Figure 2-1, it is required to bind the MAC and IP addresses of Host 1 to GigabitEthernet 1/0/1 on switch A, so as to prevent malicious users from using an IP address stolen from Host 1 to access the network.
  • Page 150: Dldp

    Table of Contents: 1 DLDP Configuration (1-1); DLDP Overview (1-1); DLDP Fundamentals (1-2); Precautions During DLDP Configuration (1-6); DLDP Configuration (1-6); DLDP Configuration Tasks (1-6); Resetting DLDP Status (1-7); DLDP Network Example (1-8)...
  • Page 151: Dldp Configuration

    The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. The sample output information in this manual was created on the WX3024. The output information on your device may vary.
  • Page 152: Dldp Fundamentals

    Figure 1-2 Fiber correct connection/disconnection in one direction (SwitchA GE1/0/10 and GE1/0/11 to SwitchB GE1/0/10 and GE1/0/11). DLDP provides the following features: As a link layer protocol, it works together with the physical layer protocols to monitor the link status of a device. While the auto-negotiation mechanism on the physical layer detects physical signals and faults;...
  • Page 153 (Status / Description) Probe: DLDP sends packets to check whether the link is unidirectional. It enables the probe sending timer and an echo waiting timer for each target neighbor. Disable: DLDP detects a unidirectional link, or finds (in enhanced mode) that a neighbor disappears.
  • Page 154 (Timer / Description) In enhanced mode, if no packet is received from the neighbor when the entry aging timer expires, DLDP enables the enhanced timer for the neighbor. The timeout time for the enhanced timer is 10 seconds. While the enhanced timer runs, DLDP sends one probe packet to the neighbor every second, eight packets in total.
  • Page 155 Table 1-4 Types of packets sent by DLDP (DLDP status / Packet types): Active: advertisement packets, including those with or without RSY tags; Advertisement: advertisement packets; Probe: probe packets. DLDP analyzes and processes received packets as follows: In authentication mode, DLDP authenticates the packets and discards those that do not pass the authentication.
  • Page 156: Precautions During Dldp Configuration

    DLDP neighbor state. A DLDP neighbor can be in one of two states: two way and unknown. You can check the state of a DLDP neighbor by using the display dldp command. Table 1-7 Description of the two DLDP neighbor states (DLDP neighbor state / Description): two way...
  • Page 157: Resetting Dldp Status

    To do… / Use the command… / Remarks: Set the delaydown timer: dldp delaydown-timer delaydown-time (Optional; by default, the delaydown timer expires 1 second after it is triggered). Set the DLDP handling mode when a unidirectional link is detected: dldp unidirectional-shutdown { auto | manual } (Optional; by default, the handling mode is auto).
  • Page 158: Dldp Network Example

    To do… / Use the command… / Remarks: Enter system view: system-view. Reset the DLDP status of the system: dldp reset (Optional). Enter Ethernet port view: interface interface-type interface-number. Reset the DLDP status of a port: dldp reset (this command applies only to ports in DLDP down status). DLDP Network Example. Network requirements. As shown in...
  • Page 159 [SwitchA-GigabitEthernet1/0/11] duplex full [SwitchA-GigabitEthernet1/0/11] speed 1000 [SwitchA-GigabitEthernet1/0/11] quit # Enable DLDP globally [SwitchA] dldp enable DLDP is enabled on all fiber ports except fabric ports. # Set the interval of sending DLDP packets to 15 seconds [SwitchA] dldp interval 15 # Configure DLDP to work in enhanced mode [SwitchA] dldp work-mode enhance # Set the DLDP handling mode for unidirectional links to auto...
  • Page 160: Mac Address Table Management

    Table of Contents: 1 MAC Address Table Management (1-1); Overview (1-1); Introduction to MAC Address Table (1-1); Introduction to MAC Address Learning (1-1); Managing MAC Address Table (1-3); Configuring MAC Address Table Management (1-4); Configuration Task List (1-4); Configuring a MAC Address Entry (1-5); Setting the Aging Time of MAC Address Entries (1-6); Setting the Maximum Number of MAC Addresses a Port Can Learn (1-6); Disabling MAC Address Learning for a VLAN (1-7)...
  • Page 161: Mac Address Table Management

    The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. The sample output information in this manual was created on the WX3024. The output information on your device may vary.
  • Page 162 As shown in Figure 1-1, User A and User B are both in VLAN 1. When User A communicates with User B, the packet from User A needs to be transmitted to GigabitEthernet 1/0/1. At this time, the device records the source MAC address of the packet, that is, the address “MAC-A” of User A to the MAC address table of the switch, forming an entry shown in Figure 1-2.
  • Page 163: Managing Mac Address Table

    Figure 1-4 MAC address learning diagram (3) (User A on Geth 1/0/1, User B on Geth 1/0/4, User C on Geth 1/0/3). At this time, the MAC address table of the device includes the two forwarding entries shown in Figure 1-5. When forwarding the response packet, the device unicasts the packet to User A through GigabitEthernet 1/0/1 instead of broadcasting it, because MAC-A is already in the MAC address table.
  • Page 164: Configuring Mac Address Table Management

    The aging timer takes effect only on dynamic MAC address entries. Entries in a MAC address table. Entries in a MAC address table fall into the following categories according to their characteristics and configuration methods: Static MAC address entry: Also known as a permanent MAC address entry. Entries of this type are added and removed manually and do not age out by themselves.
  • Page 165: Configuring A Mac Address Entry

    Configuring a MAC Address Entry. You can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a specific port, or remove a specific type of MAC address entries (dynamic or static). You can add a MAC address entry in either system view or Ethernet port view. Adding a MAC address entry in system view. Follow these steps to add a MAC address entry in system view: To do…...
  • Page 166: Setting The Aging Time Of Mac Address Entries

    Setting the Aging Time of MAC Address Entries. Setting the aging time properly makes MAC address aging effective. An aging time that is too long or too short affects the performance of the device. If the aging time is too long, excessive invalid MAC address entries maintained by the device may fill up the MAC address table.
  • Page 167: Disabling Mac Address Learning For A Vlan

    To do… / Use the command… / Remarks: Set the maximum number of MAC addresses a port can learn: mac-address max-mac-count count (Required; by default, the number of MAC addresses a port can learn is not limited). Specifying the maximum number of MAC addresses a port can learn disables centralized MAC address authentication and port security on the port.
  • Page 168: Displaying And Maintaining Mac Address Table

    Displaying and Maintaining MAC Address Table. To do… / Use the command… / Remarks: Display information about the MAC address table: display mac-address [ display-option ]. Display the aging time of the dynamic MAC address entries in the MAC address table: display mac-address aging-time. The display command can be executed in any view...
  • Page 169 Table of Contents: 1 MSTP Configuration (1-1); STP Overview (1-1); STP Overview (1-1); MSTP Overview (1-9); Background of MSTP (1-9); Basic MSTP Terminologies (1-10); Principle of MSTP (1-13); MSTP Implementation on the Device (1-14); STP-related Standards (1-15); Configuring Root Bridge (1-15); Configuration Prerequisites (1-16); Configuring an MST Region (1-16); Specifying the Current Device as a Root Bridge/Secondary Root Bridge (1-17); Configuring the Bridge Priority of the Current Device (1-19)...
  • Page 170 Configuring Root Guard (1-37); Configuring Loop Guard (1-38); Configuring TC-BPDU Attack Guard (1-38); Configuring BPDU Dropping (1-39); Configuring Digest Snooping (1-39); Introduction (1-39); Configuring Digest Snooping (1-40); Configuring Rapid Transition (1-41); Introduction (1-41); Configuring Rapid Transition (1-43); Configuring VLAN-VPN Tunnel (1-44); Introduction (1-44); Configuring VLAN-VPN tunnel (1-44); STP Maintenance Configuration (1-45); Introduction (1-45); Enabling Log/Trap Output for Ports of MSTP Instance (1-45)...
  • Page 171: Mstp Configuration

    The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. The sample output information in this manual was created on the WX3024. The output information on your device may vary.
  • Page 172 Designated bridge and designated port: For a device, a designated bridge is a device that is directly connected to a WX3000 series device and is responsible for forwarding BPDUs to the device; the designated port is the port through which the designated bridge forwards BPDUs to this device...
  • Page 173 Path cost Path cost is a value used for measuring link capacity. By comparing the path costs of different links, STP selects the most robust links and blocks the other links to prune the network into a tree. How STP works STP identifies the network topology by transmitting configuration BPDUs between network devices.
  • Page 174 Step Description The device compares the configuration BPDUs of all the ports and chooses the optimum configuration BPDU. Principle for configuration BPDU comparison: The configuration BPDU that has the lowest root bridge ID has the highest priority. If all the configuration BPDUs have the same root bridge ID, they will be compared for their root path costs.
  • Page 175 When the network topology is stable, only the root port and designated ports forward traffic, while other ports are all in the blocked state – they only receive STP packets but do not forward user traffic. Once the root bridge, the root port on each non-root bridge and designated ports have been successfully elected, the entire tree-shaped topology has been constructed.
  • Page 176 Table 1-5 Comparison process and result on each device (Device / Comparison process / BPDU of port after comparison): Port AP1 receives the configuration BPDU of Device B {1, 0, 1, BP1}. Device A finds that the configuration BPDU of the local port {0, 0, 0, AP1} is superior to the received configuration BPDU, and discards the received configuration BPDU.
  • Page 177 (Device / Comparison process / BPDU of port after comparison) Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1.
  • Page 178 Figure 1-3 The final calculated spanning tree (Device A with priority 0, ports AP1 and AP2; Device B with priority 1, ports BP1 and BP2; Device C with priority 2, port CP2). To facilitate description, the spanning tree calculation process in this example is simplified, while the actual process is more complicated.
  • Page 179: Mstp Overview

    For this reason, the protocol uses a state transition mechanism. Namely, a newly elected root port and the designated ports must wait for a period twice the forward delay time before they transition to the forwarding state. This period allows the new configuration BPDUs to be propagated throughout the entire network.
  • Page 180: Basic Mstp Terminologies

    MSTP supports mapping VLANs to MST instances by means of a VLAN-to-instance mapping table. MSTP introduces the concept of an instance (a set that integrates multiple VLANs) and can bind multiple VLANs to an instance, thus saving communication overhead and improving resource utilization. MSTP divides a switched network into multiple regions, each containing multiple spanning trees that are independent of one another.
  • Page 181 MSTI A multiple spanning tree instance (MSTI) refers to a spanning tree in an MST region. Multiple spanning trees can be established in one MST region. These spanning trees are independent of each other. For example, each region in Figure 1-4 contains multiple spanning trees known as MSTIs.
  • Page 182 A region edge port is located on the edge of an MST region and is used to connect one MST region to another MST region, an STP-enabled region or an RSTP-enabled region. An alternate port is a secondary port of a root port or master port and is used for rapid transition. When the root port or master port is blocked, the alternate port becomes the new root port or master port.
  • Page 183: Principle Of Mstp

    Forwarding state. Ports in this state can forward user packets and receive/send BPDU packets. Learning state. Ports in this state can receive/send BPDU packets. Discarding state. Ports in this state can only receive BPDU packets. Port roles and port states are not mutually dependent. Table 1-6 lists possible combinations of port states and port roles.
  • Page 184: Mstp Implementation On The Device

    For MSTP, CIST configuration information is generally expressed as follows: (Root bridge ID, External path cost, Master bridge ID, Internal path cost, Designated bridge ID, ID of sending port, ID of receiving port), and is compared as follows: The smaller the Root bridge ID of the configuration BPDU is, the higher the priority of the configuration BPDU is.
  • Page 185: Stp-Related Standards

    BPDU guard; Loop guard; TC-BPDU attack guard; BPDU packet drop. STP-related Standards. STP-related standards include the following: IEEE 802.1D: spanning tree protocol; IEEE 802.1w: rapid spanning tree protocol; IEEE 802.1s: multiple spanning tree protocol. Configuring Root Bridge. Complete the following tasks to configure a root bridge (Task / Remarks): Required...
  • Page 186 In a network containing devices with both GVRP and MSTP enabled, GVRP packets are forwarded along the CIST. If you want to advertise packets of a specific VLAN through GVRP, be sure to map the VLAN to the CIST when configuring the MSTP VLAN mapping table (the CIST of a network is spanning tree instance 0).
  • Page 187: Specifying The Current Device As A Root Bridge/Secondary Root Bridge

    Configuring MST region-related parameters (especially the VLAN mapping table) results in spanning tree recalculation and network topology jitter. To reduce the network topology jitter caused by such configuration, MSTP does not recalculate spanning trees immediately after the configuration; it does so only after you perform one of the following operations, and only then does the configuration take effect: Activate the new MST region-related settings by using the active region-configuration command; Enable MSTP by using the stp enable command...
  • Page 188 To do… / Use the command… / Remarks: Enter system view: system-view. Specify the current device as the root bridge of a spanning tree: stp [ instance instance-id ] root primary [ bridge-diameter bridgenumber [ hello-time centi-seconds ] ] (Required). Specify the current device as the secondary root bridge of a spanning tree. Follow these steps to specify the current device as the secondary root bridge of a spanning tree: To do…...
  • Page 189: Configuring The Bridge Priority Of The Current Device

    You can configure a device as the root bridge of multiple spanning tree instances, but you cannot configure two or more root bridges for one spanning tree instance. Therefore, do not configure root bridges for the same spanning tree instance on two or more devices using the stp root primary command.
  • Page 190: Configuring The Mode A Port Recognizes And Sends Mstp Packets

    Configuration example # Set the bridge priority of the current device to 4,096 in spanning tree instance 1. <device> system-view [device] stp instance 1 priority 4096 Configuring the Mode a Port Recognizes and Sends MSTP Packets A port can be configured to recognize and send MSTP packets in the following modes. Automatic mode.
  • Page 191: Configuring The Mstp Operation Mode

    To do… / Use the command… / Remarks: Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Configure the mode a port recognizes and sends MSTP packets: stp compliance { auto | dot1s ... (Required; by default, a port recognizes and sends MSTP packets in the automatic mode).
  • Page 192: Configuring The Maximum Hop Count Of An Mst Region

    Configuration example # Specify the MSTP operation mode as STP-compatible. <device> system-view [device] stp mode stp Configuring the Maximum Hop Count of an MST Region The maximum hop count configured on the region root is also the maximum hops of the MST region. The value of the maximum hop count limits the size of the MST region.
  • Page 193: Configuring The Mstp Time-Related Parameters

    To do… / Use the command… / Remarks: Enter system view: system-view. Configure the network diameter of the switched network: stp bridge-diameter bridgenumber (Required; the default network diameter of a network is 7). The network diameter parameter indicates the size of a network. The bigger the network diameter is, the larger the network size is.
  • Page 194: Configuring The Timeout Time Factor

    The forward delay parameter and the network diameter are correlated. Normally, a large network diameter corresponds to a large forward delay. A forward delay that is too small may result in temporary redundant paths, while a forward delay that is too large may prevent the network from returning to the normal state promptly after a topology change.
  • Page 195: Configuring The Maximum Transmitting Speed On The Current Port

    Configuration procedure. Follow these steps to configure the timeout time factor (To do… / Use the command… / Remarks): Enter system view: system-view. Configure the timeout time factor for the device: stp timer-factor number (Required; the timeout time factor defaults to 3). For a steady network, the timeout time can be five to seven times the hello time.
  • Page 196: Configuring The Current Port As An Edge Port

    Configuration example # Set the maximum transmitting speed of GigabitEthernet 1/0/1 to 15. Configure the maximum transmitting speed in system view <device> system-view [device] stp interface GigabitEthernet1/0/1 transmit-limit 15 Configure the maximum transmitting speed in Ethernet port view <device> system-view [device] interface GigabitEthernet1/0/1 [device-GigabitEthernet1/0/1] stp transmit-limit 15 Configuring the Current Port as an Edge Port...
  • Page 197: Specifying Whether The Link Connected To A Port Is Point-To-Point Link

    It is recommended that you configure the Ethernet ports connected directly to terminals as edge ports and enable the BPDU guard function at the same time. This not only enables these ports to transition to the forwarding state rapidly but also secures your network. Configuration example # Configure GigabitEthernet 1/0/1 as an edge port.
  • Page 198: Enabling Mstp

    To do… / Use the command… / Remarks:
    Specify whether the link connected to a port is a point-to-point link: stp point-to-point { force-true | force-false | auto } (Required). The auto keyword is adopted by default.
    Among aggregated ports, you can only configure the links of master ports as point-to-point links. If an auto-negotiating port operates in full duplex mode after negotiation, you can configure the link of the port as a point-to-point link.
  • Page 199: Configuring Leaf Nodes

    To do… / Use the command… / Remarks:
    Enter system view: system-view (—).
    Enable MSTP: stp enable (Required). MSTP is disabled by default.
    Enter Ethernet port view: interface interface-type interface-number (—).
    Disable MSTP on the port: stp disable (Optional). By default, MSTP is enabled on all ports after you enable MSTP in system view. To enable a device to operate more flexibly,...
  • Page 200: Configuration Prerequisites

    Task / Remarks:
    Configuring the Mode a Port Recognizes and Sends MSTP Packets: Optional.
    Configuring the Timeout Time Factor: Optional.
    Configuring the Maximum Transmitting Speed on the Current Port: Optional. The default value is recommended.
    Configuring the Current Port as an Edge Port: Optional.
    Configuring the Path Cost for a Port...
  • Page 201 Configuring the Path Cost for a Port The path cost parameter reflects the rate of the link connected to the port. For a port on an MSTP-enabled device, the path cost may be different in different spanning tree instances. You can enable flows of different VLANs to travel along different physical links by configuring appropriate path costs on ports, so that VLAN-based load balancing can be implemented.
  • Page 202 When calculating the path cost of an aggregated link, the 802.1D-1998 standard does not take the number of the ports on the aggregated link into account, whereas the 802.1T standard does. The following formula is used to calculate the path cost of an aggregated link: Path cost = 200,000 / link transmission speed, where “link transmission speed”...
  • Page 203: Configuring Port Priority

    [device] stp pathcost-standard dot1d-1998
    Perform this configuration in Ethernet port view:
    <device> system-view
    [device] interface GigabitEthernet1/0/1
    [device-GigabitEthernet1/0/1] undo stp instance 1 cost
    [device-GigabitEthernet1/0/1] quit
    [device] stp pathcost-standard dot1d-1998
    Configuring Port Priority
    Port priority is an important criterion in determining the root port. Under the same conditions, the port with the smallest port priority value becomes the root port.
  • Page 204: Specifying Whether The Link Connected To A Port Is A Point-To-Point Link

    [device] stp interface GigabitEthernet1/0/1 instance 1 port priority 16
    Perform this configuration in Ethernet port view:
    <device> system-view
    [device] interface GigabitEthernet1/0/1
    [device-GigabitEthernet1/0/1] stp instance 1 port priority 16
    Specifying Whether the Link Connected to a Port Is a Point-to-point Link
    Refer to Specifying Whether the Link Connected to a Port Is Point-to-point Link.
  • Page 205: Configuration Example

    To do… / Use the command… / Remarks:
    Enter system view: system-view (—).
    Enter Ethernet port view: interface interface-type interface-number (—).
    Perform the mCheck operation: stp mcheck (Required).
    Configuration Example
    # Perform the mCheck operation on GigabitEthernet 1/0/1.
    Perform this configuration in system view:
    <device>...
  • Page 206 Loop guard A device maintains the states of the root port and other blocked ports by receiving and processing BPDUs from the upstream device. These BPDUs may get lost because of network congestion or unidirectional link failures. If a device does not receive BPDUs from the upstream device for a certain period, the device selects a new root port;...
  • Page 207: Configuration Prerequisites

    Configuration Prerequisites
    MSTP runs normally on the device.
    Configuring BPDU Guard
    Configuration procedure
    Follow these steps to configure BPDU guard:
    To do… / Use the command… / Remarks:
    Enter system view: system-view (—).
    Enable the BPDU guard function: stp bpdu-protection (Required). The BPDU guard function is disabled by default.
    Configuration example
    # Enable the BPDU guard function.
  • Page 208: Configuring Loop Guard

    Perform this configuration in Ethernet port view:
    <device> system-view
    [device] interface GigabitEthernet1/0/1
    [device-GigabitEthernet1/0/1] stp root-protection
    Configuring Loop Guard
    Configuration procedure
    Follow these steps to configure loop guard:
    To do… / Use the command… / Remarks:
    Enter system view: system-view (—).
    Enter Ethernet port view: interface interface-type interface-number (—)...
  • Page 209: Configuring Bpdu Dropping

    # Set the maximum number of times the device may remove the MAC address table within 10 seconds to 5.
    <device> system-view
    [device] stp tc-protection threshold 5
    Configuring BPDU Dropping
    Follow these steps to configure BPDU dropping:
    To do… / Use the command… / Remarks:
    Enter system view —...
  • Page 210: Configuring Digest Snooping

    Configuring Digest Snooping Configure the digest snooping feature on a device to enable it to communicate with other devices adopting proprietary protocols to calculate configuration digests in the same MST region through MSTIs. Configuration prerequisites The device to be configured is connected to a device of another vendor adopting a proprietary spanning tree protocol.
  • Page 211: Configuring Rapid Transition

    When the digest snooping feature is enabled on a port, the port state turns to the discarding state. That is, the port will not send BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port. The digest snooping feature is needed only when your device is connected to a device of another vendor adopting proprietary spanning tree protocols.
  • Page 212 MSTP is connected in the upstream direction to a device of another vendor running proprietary spanning tree protocols, you can enable the rapid transition feature on the ports of the WX3000 series device operating as the downstream device. Among these ports, those operating as the root ports will then send agreement packets to their upstream ports after they receive proposal packets from the upstream designated ports, instead of waiting for agreement packets from the upstream device.
  • Page 213: Configuring Rapid Transition

    Configuration prerequisites As shown in Figure 1-8, a WX3000 series device is connected to a device of another vendor. The former operates as the downstream device, and the latter operates as the upstream device. The network operates normally. The upstream device is running a proprietary spanning tree protocol that is similar to RSTP in the way to implement rapid transition on designated ports.
  • Page 214: Configuring Vlan-Vpn Tunnel

    The rapid transition feature can be enabled on only root ports or alternate ports. If you configure the rapid transition feature on a designated port, the feature does not take effect on the port. Configuring VLAN-VPN Tunnel Introduction The VLAN-VPN Tunnel function enables STP packets to be transparently transmitted between geographically dispersed user networks through specified VLAN VPNs in operator’s networks, through which spanning trees can be generated across these user networks and are independent of those of the operator’s network.
  • Page 215: Stp Maintenance Configuration

    To do… / Use the command… / Remarks:
    Enter Ethernet port view: interface interface-type interface-number (—). Make sure that you enter the Ethernet port view of the port for which you want to enable the VLAN-VPN tunnel function.
    Enable the VLAN VPN function for the Ethernet port: vlan-vpn enable (Required). By default, the VLAN VPN function is...
  • Page 216: Enabling Trap Messages Conforming To 802.1D Standard

    [device] stp portlog all
    Enabling Trap Messages Conforming to 802.1d Standard
    The device sends trap messages conforming to the 802.1d standard to the network management device in the following two cases: the device becomes the root bridge of an instance; network topology changes are detected.
    Configuration procedure
    Follow these steps to enable trap messages conforming to the 802.1d standard:
    To do…...
  • Page 217: Mstp Configuration Example

    MSTP Configuration Example Network requirements Implement MSTP in the network shown in Figure 1-10 to enable packets of different VLANs to be forwarded along different spanning tree instances. The detailed configurations are as follows: All switches in the network belong to the same MST region. Packets of VLAN 10, VLAN 30, VLAN 40, and VLAN 20 are forwarded along spanning tree instance 1, instance 3, instance 4, and instance 0 respectively.
  • Page 218
    [SwitchA] stp instance 1 root primary
    Configure Switch B
    # Enter MST region view.
    <SwitchB> system-view
    [SwitchB] stp region-configuration
    # Configure the region name, VLAN-to-MSTI mapping table, and revision level for the MST region.
    [SwitchB-mst-region] region-name example
    [SwitchB-mst-region] instance 1 vlan 10
    [SwitchB-mst-region] instance 3 vlan 30
    [SwitchB-mst-region] instance 4 vlan 40
    [SwitchB-mst-region] revision-level 0...
  • Page 219: Vlan-Vpn Tunnel Configuration Example

    Figure 1-11: The WX3000 series devices operate as the access devices of the operator’s network, that is, Switch C and Switch D in the network diagram. Devices of other series operate as the access devices of the user’s network, that is, Switch A and Switch B in the network diagram.
  • Page 220
    [SwitchC] stp enable
    # Enable the VLAN-VPN tunnel function.
    [SwitchC] vlan-vpn tunnel
    # Add GigabitEthernet 1/0/1 to VLAN 10.
    [SwitchC] vlan 10
    [SwitchC-Vlan10] port GigabitEthernet1/0/1
    [SwitchC-Vlan10] quit
    # Disable STP on GigabitEthernet 1/0/1 and then enable the VLAN VPN function on it.
    [SwitchC] interface GigabitEthernet1/0/1
    [SwitchC-GigabitEthernet1/0/1] port access vlan 10
    [SwitchC-GigabitEthernet1/0/1] vlan-vpn enable...
  • Page 221 Table of Contents
    1 802.1x Configuration 1-1
    Introduction to 802.1x 1-1
    Architecture of 802.1x Authentication 1-1
    The Mechanism of an 802.1x Authentication System 1-3
    Encapsulation of EAPoL Messages 1-3
    802.1x Authentication Procedure 1-5
    Timers Used in 802.1x 1-8
    Additional 802.1x Features Implemented 1-9
    Introduction to 802.1x Configuration 1-11
    Basic 802.1x Configuration 1-12
    Configuration Prerequisites 1-12
    Configuring Basic 802.1x Functions 1-12...
  • Page 222: 802.1x Configuration

    802.1x Configuration
    The sample output information in this manual was created on the WX3024. The output information on your device may vary.
    Introduction to 802.1x
    The 802.1x protocol (802.1x for short) was developed by the IEEE 802 LAN/WAN committee to address security issues of wireless LANs. It was later adopted in Ethernet as a common access control mechanism for LAN ports, mainly to address authentication and security problems.
  • Page 223 The authenticator system, residing at the other end of the LAN segment link, is the entity that authenticates the connected supplicant system. The authenticator system is usually an 802.1x-supported network device. It provides ports (physical or logical) for the supplicant system to access the LAN.
  • Page 224: The Mechanism Of An 802.1X Authentication System

    The Mechanism of an 802.1x Authentication System IEEE 802.1x authentication uses the extensible authentication protocol (EAP) to exchange information between supplicant systems and the authentication servers. To be compatible with 802.1X in a LAN environment, the client program must support the Extensible Authentication Protocol over LAN (EAPoL).
  • Page 225 03: Indicates that the packet is an EAPoL-key packet, which carries key information. 04: Indicates that the packet is an EAPoL-encapsulated-ASF-Alert packet, which is used to support the alerting messages of ASF (alerting standards forum). The Length field indicates the size of the Packet body field. A value of 0 indicates that the Packet Body field does not exist.
  • Page 226: 802.1X Authentication Procedure

    Fields added for EAP authentication Two fields, EAP-message and Message-authenticator, are added to a RADIUS protocol packet for EAP authentication. (Refer to the Introduction to RADIUS protocol section in the AAA Operation Manual for information about the format of a RADIUS protocol packet.) The EAP-message field, whose format is shown in Figure 1-6, is used to encapsulate EAP packets.
  • Page 227 EAP-TTLS is an extension of EAP-TLS. EAP-TLS implements bidirectional authentication between the client and the authentication server. EAP-TTLS transmits messages through a tunnel established using TLS. PEAP creates and uses TLS security channels to ensure data integrity and then performs new EAP negotiations to verify supplicant systems.
  • Page 228 password using a randomly generated key, and sends the key to the device through a RADIUS access-challenge packet. The device then sends the key to the iNode client. Upon receiving the key (encapsulated in an EAP-request/MD5 challenge packet) from the device, the client program encrypts the password of the supplicant system with the key and sends the encrypted password (contained in an EAP-response/MD5 challenge packet) to the RADIUS server through the device.
  • Page 229: Timers Used In 802.1X

    Figure 1-9 802.1x authentication procedure (in EAP terminating mode). Participants: supplicant system PAE, authenticator system PAE (EAPOL towards the supplicant, RADIUS towards the server), RADIUS server. Message sequence: EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity; EAP-Request/MD5 Challenge; EAP-Response/MD5 Challenge; RADIUS Access-Request (CHAP-Response/MD5 Challenge); RADIUS Access-Accept (CHAP-Success); EAP-Success...
  • Page 230: Additional 802.1X Features Implemented

    Server is a service management system used to manage networks and to secure networks and user information. With the cooperation of other networking devices (such as the WX3000 series devices) in the network, an iMC server can implement the AAA functions and rights management.
  • Page 231 This function needs the cooperation of an iNode client and an iMC server. The iNode client needs to be capable of detecting multiple network adapters, proxies, and IE proxies. The iMC server is configured to disable the use of multiple network adapters, proxies, or IE proxies. By default, an iNode client program allows the use of multiple network adapters, proxies, and IE proxies.
  • Page 232: Introduction To 802.1X Configuration

    Refer to AAA Operation Manual for detailed information about the dynamic VLAN delivery function. Enabling 802.1x re-authentication 802.1x re-authentication is timer-triggered or packet-triggered. It re-authenticates users who have passed authentication. With 802.1x re-authentication enabled, the device can monitor the connection status of users periodically.
  • Page 233: Basic 802.1X Configuration

    Figure 1-11 802.1x configuration (diagram: 802.1x configuration, ISP domain, AAA scheme configuration, local authentication or RADIUS scheme)
    An 802.1x user uses the domain name to associate with the ISP domain configured on the device. Configure the AAA scheme (a local authentication scheme, a RADIUS scheme or a HWTACACS scheme) to be adopted in the ISP domain.
  • Page 234
    To do… / Use the command… / Remarks:
    Enable 802.1x for specified ports (Required). In system view: dot1x [ interface interface-list ]. In port view: interface interface-type interface-number, then dot1x, then quit. By default, 802.1x is disabled on all ports.
    Set port authorization mode for specified ports (Optional): dot1x port-control { authorized-force | ... }. By default, an...
  • Page 235: Timer And Maximum User Number Configuration

    802.1x configurations take effect only after you enable 802.1x both globally and for specified ports. If you enable 802.1x for a port, you cannot set the maximum number of MAC addresses that can be learnt for the port. Meanwhile, if you set the maximum number of MAC addresses that can be learnt for a port, it is prohibited to enable 802.1x for the port.
  • Page 236: Advanced 802.1X Configuration

    To do… / Use the command… / Remarks:
    Set 802.1x timers (Optional): dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value | ver-period ver-period-value }. The settings of 802.1x timers are as follows: handshake-period-value: … seconds; quiet-period-value: 60 seconds; server-timeout-value: … seconds; supp-timeout-value: 30 seconds; tx-period-value: 30 seconds...
  • Page 237: Configuring Client Version Checking

    To do… / Use the command… / Remarks:
    Enable proxy checking for a port/specified ports (Required). In system view: dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]. In port view: interface interface-type interface-number, then dot1x supp-proxy-check... By default, the 802.1x proxy checking is disabled on a port.
  • Page 238: Enabling Dhcp-Triggered Authentication

    As for the dot1x version-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports. You can also execute this command in port view. In this case, this command applies to the current port only and the interface-list argument is not needed.
  • Page 239: Configuring 802.1X Re-Authentication

    Configuring 802.1x Re-Authentication
    Follow these steps to enable 802.1x re-authentication:
    To do… / Use the command… / Remarks:
    Enter system view: system-view (—).
    Enable 802.1x globally: dot1x (Required). By default, 802.1x is disabled globally.
    Enable 802.1x for specified ports, in system view: dot1x [ interface interface-list ] (Required). By default, 802.1x is disabled...
  • Page 240: Displaying And Maintaining 802.1X

    Follow these steps to configure the re-authentication interval:
    To do… / Use the command… / Remarks:
    Enter system view: system-view (—).
    Configure a re-authentication interval: dot1x timer reauth-period reauth-period-value (Optional). By default, the re-authentication interval is 3,600 seconds.
    Displaying and Maintaining 802.1x
    To do…...
  • Page 241 Figure 1-12 Network diagram for AAA configuration with 802.1x and RADIUS enabled
    Configuration procedure
    The following configuration covers the major AAA/RADIUS configuration commands. Refer to the AAA Operation Manual for information about these commands. Configuration on the client and the RADIUS servers is omitted.
    # Enable 802.1x globally.
  • Page 242
    [device-radius-radius1] key accounting money
    # Set the interval and the number of retries for the switch to send packets to the RADIUS servers.
    [device-radius-radius1] timer 5
    [device-radius-radius1] retry 5
    # Set the timer for the switch to send real-time accounting packets to the RADIUS servers.
    [device-radius-radius1] timer realtime-accounting 15
    # Configure to send the user name to the RADIUS server with the domain name truncated.
  • Page 243: Quick Ead Deployment Configuration

    Quick EAD Deployment Configuration Introduction to Quick EAD Deployment Quick EAD Deployment Overview As an integrated solution, an endpoint admission defense (EAD) solution can improve the overall defense power of a network. In real applications, however, deploying EAD clients proves to be time-consuming and inconvenient.
  • Page 244: Configuration Procedure

    Configuration Procedure
    Configuring a free IP range
    A free IP range is an IP range that users can access before passing 802.1x authentication. Follow these steps to configure a free IP range:
    To do… / Use the command… / Remarks:
    Enter system view: system-view (—)...
  • Page 245: Displaying And Maintaining Quick Ead Deployment

    Follow these steps to configure the ACL timer:
    To do… / Use the command… / Remarks:
    Enter system view: system-view (—).
    Set the ACL timer: dot1x timer acl-timeout acl-timeout-value (Required). By default, the ACL timeout period is 30 minutes.
    Displaying and Maintaining Quick EAD Deployment
    To do…...
  • Page 246: Troubleshooting

    Configuration procedure Before enabling quick EAD deployment, make sure that: The Web server is configured properly. The default gateway of the PC is configured as the IP address of the Layer-3 virtual interface of the VLAN to which the port that is directly connected with the PC belongs. # Configure the URL for HTTP redirection.
  • Page 247: System-Guard Configuration

    System-Guard Configuration
    System-Guard Overview
    To implement system guard for the CPU, you must first determine whether the CPU is under attack. Do not decide this solely on whether congestion occurs in a queue. Instead, determine it in the following ways: according to the number of packets processed by the CPU in a time range.
  • Page 248: Displaying And Maintaining System-Guard

    Displaying and Maintaining System-Guard
    To do… / Use the command… / Remarks:
    Display the record of detected attacks: display system-guard attack-record (available in any view).
    Display the state of the system-guard feature: display system-guard state (available in any view)...
  • Page 249 Table of Contents
    1 AAA Overview 1-1
    Introduction to AAA 1-1
    Authentication 1-1
    Authorization 1-1
    Accounting 1-2
    Introduction to ISP Domain 1-2
    Introduction to AAA Services 1-2
    Introduction to RADIUS 1-2
    Introduction to HWTACACS 1-6
    2 AAA Configuration 2-1
    AAA Configuration Task List 2-1
    Configuration Introduction 2-1
    Creating an ISP Domain and Configuring Its Attributes 2-2
    Configuring an AAA Scheme for an ISP Domain 2-3...
  • Page 250
    Troubleshooting AAA 2-30
    Troubleshooting RADIUS Configuration 2-30
    Troubleshooting HWTACACS Configuration 2-30
    3 EAD Configuration 3-1
    Introduction to EAD 3-1
    Typical Network Application of EAD 3-1
    EAD Configuration 3-2
    EAD Configuration Example 3-2...
  • Page 251: Aaa Overview

    AAA Overview The sample output information in this manual was created on the WX3024. The output information on your device may vary. Introduction to AAA AAA is the acronym for the three security functions: authentication, authorization and accounting. It provides a uniform framework for you to configure these three functions to implement network security management.
  • Page 252: Accounting

    Local authorization: Users are authorized according to the related attributes configured for their local accounts on this device. RADIUS authorization: Users are authorized after they pass RADIUS authentication. In the RADIUS protocol, authentication and authorization are combined, and authorization cannot be performed alone without authentication.
  • Page 253 The RADIUS server receives user connection requests, authenticates users, and returns all required information to the device. Generally, a RADIUS server maintains the following three databases (see Figure 1-1): Users: This database stores information about users (such as user name, password, protocol adopted and IP address).
  • Page 254 The RADIUS client receives the user name and password, and then sends an authentication request (Access-Request) to the RADIUS server. The RADIUS server compares the received user information with that in the Users database to authenticate the user. If the authentication succeeds, the RADIUS server sends back to the RADIUS client an authentication response (Access-Accept), which contains the user’s authorization information.
  • Page 255
    Code / Message type / Message description:
    Access-Reject: direction server->client. The server transmits this message to the client if any attribute value carried in the Access-Request message is unacceptable (that is, the user fails the authentication).
    Accounting-Request: direction client->server. The client transmits this message to the server to request the server to start or end the accounting (whether to start or to end the accounting is determined by the Acct-Status-Type attribute in the...
  • Page 256: Introduction To Hwtacacs

    Type field value / Attribute type (two-column table; type field values omitted).
    First column: Framed-IP-Address, Framed-IP-Netmask, Framed-Routing, Filter-ID, Framed-MTU, Framed-Compression, Login-IP-Host, Login-Service, Login-TCP-Port, (unassigned), Reply-Message, Callback-Number, Callback-ID, (unassigned), Framed-Route.
    Second column: Called-Station-Id, Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, 40-59 (reserved for accounting), CHAP-Challenge, NAS-Port-Type, Port-Limit, Login-LAT-Port...
  • Page 257 Compared with RADIUS, HWTACACS provides more reliable transmission and encryption, and therefore is more suitable for security control. Table 1-3 lists the primary differences between HWTACACS and RADIUS.
    Table 1-3 Differences between HWTACACS and RADIUS
    HWTACACS: Adopts TCP, providing more reliable network... / RADIUS: Adopts UDP.
  • Page 258 Figure 1-6 AAA implementation procedure for a telnet user. Participants: user, TACACS client, TACACS server. Sequence: the user requests to log in; the client sends an authentication start request; the server returns an authentication response requesting the username; the client requests the username; the user enters the username; the client sends an authentication continuous message carrying the username; the server returns an authentication response requesting the password; the client requests the password; the user enters the password; the client sends an authentication continuous message,...
  • Page 259 After receiving the response indicating an authorization success, the TACACS client pushes the configuration interface of the device to the user. 10) The TACACS client sends an accounting start request to the TACACS server. 11) The TACACS server returns an accounting response, indicating that it has received the accounting start request.
  • Page 260: Aaa Configuration

    AAA Configuration
    AAA Configuration Task List
    Configuration Introduction
    You need to configure AAA to provide network access services for legitimate users while protecting network devices and preventing unauthorized access and repudiation. Complete the following tasks to configure a combined AAA scheme for an ISP domain:
    Task / Remarks:
    Creating an ISP Domain and Configuring Its...
  • Page 261: Creating An Isp Domain And Configuring Its Attributes

    Task / Remarks:
    Creating an ISP Domain and Configuring Its Attributes: Required.
    Configuring an AAA Scheme for an ISP Domain (Required): Configuring separate AAA schemes (Required). With separate AAA schemes, you specify authentication, authorization and accounting schemes respectively. You need to configure RADIUS or HWTACACS before performing...
  • Page 262: Configuring An Aaa Scheme For An Isp Domain

    To do… / Use the command… / Remarks:
    Set the accounting-optional switch: accounting-optional (Optional). By default, the accounting-optional switch is off.
    Set the messenger function: messenger time { enable limit interval | disable } (Optional). By default, the messenger function is disabled.
    Set the self-service server: self-service-url { disable |...
  • Page 263 this way, you cannot specify different schemes for authentication, authorization and accounting respectively. Follow these steps to configure a combined AAA scheme:
    To do… / Use the command… / Remarks:
    Enter system view: system-view (—).
    Create an ISP domain and enter its view, or enter the view of an existing ISP domain: domain isp-name (Required)...
  • Page 264: Configuring Dynamic Vlan Assignment

    You can use an arbitrary combination of the above implementations for your AAA scheme configuration.
    For FTP users: Only authentication is supported for FTP users. Authentication: RADIUS, local, or HWTACACS.
    Follow these steps to configure separate AAA schemes:
    To do… / Use the command…...
  • Page 265: Configuring The Attributes Of A Local User

    upon receiving an integer ID assigned by the RADIUS authentication server, the device adds the port to the VLAN whose VLAN ID equals the assigned integer ID. If no such VLAN exists, the device first creates a VLAN with the assigned ID and then adds the port to the newly created VLAN.
  • Page 266 Follow these steps to configure the attributes of a local user:
    To do… / Use the command… / Remarks:
    Enter system view: system-view (—).
    Set the password display mode of all local users: local-user password-display-mode { cipher-force | auto } (Optional). By default, the password display mode of all access users is auto, indicating the passwords of access users are...
  • Page 267: Mac Address Authentication

    The following characters are not allowed in the user-name string: /:*?<>. And you cannot input more than one “@” in the string. After the local-user password-display-mode cipher-force command is executed, any password will be displayed in cipher mode even though you specify to display a user password in plain text by using the password command.
  • Page 268 Complete the following tasks to configure RADIUS for the device functioning as a RADIUS client:
    Task / Remarks:
    Creating a RADIUS Scheme: Required.
    Configuring RADIUS Authentication/Authorization Servers: Required.
    Configuring RADIUS Accounting Servers: Required.
    Configuring Shared Keys for RADIUS Messages: Optional.
    Configuring the Maximum Number of RADIUS Request Transmission Attempts: Optional.
    Configuring the...
  • Page 269: Creating A RADIUS Scheme

    secondary servers with the same configuration but different IP addresses) in a RADIUS scheme. After creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme. These RADIUS servers fall into two types: authentication/authorization, and accounting.
  • Page 270: Configuring RADIUS Accounting Servers

    To do… / Use the command… / Remarks:
    Enter system view: system-view
    Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name (Required; by default, a RADIUS scheme named "system" has already been created in the system.)
    Set the IP address and port number of the primary RADIUS…: primary authentication... (Required; by default, the IP address and...
  • Page 271: Configuring Shared Keys For RADIUS Messages

    To do… / Use the command… / Remarks:
    Set the IP address and port number of the secondary RADIUS accounting server: secondary accounting ip-address [ port-number ] (Optional; by default, the IP address and UDP port number of the secondary accounting server are 0.0.0.0 and 1813 for a newly created RADIUS scheme.)
  • Page 272: Configuring The Maximum Number Of RADIUS Request Transmission Attempts

    received from each other by using the shared keys that have been set on them, and can accept and respond to the messages only when both parties have the same shared key. Follow these steps to configure shared keys for RADIUS messages: To do…...
  • Page 273: Configuring The Status Of RADIUS Servers

    To do… / Use the command… / Remarks:
    Enter system view: system-view
    Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name (Required; by default, a RADIUS scheme named "system" has already been created in the system.)
    Configure the type of RADIUS servers to be supported: server-type { extended | ... (Optional)...
  • Page 274: Configuring The Attributes Of Data To Be Sent To RADIUS Servers

    To do… / Use the command… / Remarks:
    Set the status of the primary RADIUS authentication/authorization server: state primary authentication { block | active } (Optional)
    Set the status of the primary…: state primary accounting… (Optional)
    By default, the primary RADIUS servers in the default RADIUS scheme "system"...
  • Page 275: Configuring The Local RADIUS Authentication Server Function

    Generally, the access users are named in the userid@isp-name or userid.isp-name format. Here, isp-name after the “@” or “.” character represents the ISP domain name, by which the device determines which ISP domain a user belongs to. However, some old RADIUS servers cannot accept the user names that carry ISP domain names.
  • Page 276: Configuring Timers For RADIUS Servers

    If you adopt the local RADIUS authentication server function, the UDP port number of the authentication/authorization server must be 1645, the UDP port number of the accounting server must be 1646, and the IP addresses of the servers must be set to the addresses of this device. The message encryption key set by the local-server nas-ip ip-address key password command must be identical with the authentication/authorization message encryption key set by the key authentication command in the RADIUS scheme view of the RADIUS scheme on the specified...
  • Page 277: Enabling Sending Trap Message When A RADIUS Server Goes Down

    To do… / Use the command… / Remarks:
    Set the response timeout time of RADIUS servers: timer response-timeout seconds (Optional; by default, the response timeout time of RADIUS servers is three seconds.)
    Set the time that the device waits before it tries to re-communicate with primary…: timer quiet minutes... (Optional; by default, the device waits five…)
  • Page 278: HWTACACS Configuration Task List

    online when the user re-logs into the switching engine before the iMC performs online user detection, and the user cannot get authenticated. In this case, the user can access the network again only when the iMC administrator manually removes the user's online information. The user re-authentication at restart function is designed to resolve this problem.
  • Page 279: Creating A HWTACACS Scheme

    Task / Remarks:
    Creating a HWTACACS Scheme: Required.
    Configuring TACACS Authentication Servers: Required.
    Configuring TACACS Authorization Servers: Required.
    Configuring TACACS Accounting Servers: Optional.
    Configuring the TACACS client, Configuring Shared Keys for RADIUS Messages: Optional.
    Configuring the Attributes of Data to be Sent to TACACS Servers: Optional.
    Configuring the Timers Regarding TACACS...
  • Page 280: Configuring TACACS Authorization Servers

    To do… / Use the command… / Remarks:
    Set the IP address and port number of the primary TACACS authentication server: primary authentication ip-address [ port ] (Required; by default, the IP address of the primary authentication server is 0.0.0.0, and the port number is 0.)
  • Page 281: Configuring TACACS Accounting Servers

    You are not allowed to configure the same IP address for both primary and secondary authorization servers. If you do this, the system will prompt that the configuration fails. You can remove a server only when it is not used by any active TCP connection for sending authorization messages.
  • Page 282: Configuring The Attributes Of Data To Be Sent To TACACS Servers

    The TACACS client and server adopt the MD5 algorithm to encrypt HWTACACS messages before they are exchanged between the two parties. The two parties verify the validity of the HWTACACS messages received from each other by using the shared keys that have been set on them, and can accept and respond to the messages only when both parties have the same shared key.
  • Page 283: Configuring The Timers Regarding TACACS Servers

    Generally, the access users are named in the userid@isp-name or userid.isp-name format. Where, isp-name after the “@” or “.” character represents the ISP domain name. If the TACACS server does not accept the user names that carry ISP domain names, it is necessary to remove domain names from user names before they are sent to TACACS server.
  • Page 284: Displaying And Maintaining AAA

    Displaying and Maintaining AAA. Displaying and maintaining AAA information:
    To do… / Use the command… / Remarks:
    Display configuration information about one specific or all ISP domains: display domain [ isp-name ]
    Display information about user…: display connection [ access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ip-address | mac...
  • Page 285: AAA Configuration Examples

    Displaying and maintaining HWTACACS protocol information:
    To do… / Use the command… / Remarks:
    Display the configuration or statistic information about one specific or all HWTACACS schemes: display hwtacacs [ hwtacacs-scheme-name [ statistics ] ] (Available in any view.)
    Display buffered non-response stop-accounting requests: display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name...
  • Page 286 Figure 2-1 Remote RADIUS authentication of Telnet users (figure: authentication server 10.110.91.164, Internet, Telnet user)
    Configuration procedure
    # Enter system view.
    <device> system-view
    # Adopt AAA authentication for Telnet users.
    [device] user-interface vty 0 4
    [device-ui-vty0-4] authentication-mode scheme
    [device-ui-vty0-4] quit
    # Configure an ISP domain.
  • Page 287: Local Authentication Of FTP/Telnet Users

    Local Authentication of FTP/Telnet Users. The configuration procedure for local authentication of FTP users is similar to that for Telnet users. The following text takes only Telnet users as an example to describe the configuration procedure for local authentication. Network requirements: In the network environment shown in Figure 2-2, you are required to configure the device so that the...
  • Page 288: HWTACACS Authentication And Authorization Of Telnet Users

    Change the server IP address, and the UDP port number of the authentication server to 127.0.0.1, and 1645 respectively in the configuration step "Configure a RADIUS scheme" in Remote RADIUS Authentication of Telnet/SSH Users Enable the local RADIUS server function, set the IP address and shared key for the network access server to 127.0.0.1 and aabbcc, respectively.
  • Page 289: Troubleshooting AAA

    Troubleshooting AAA Troubleshooting RADIUS Configuration The RADIUS protocol operates at the application layer in the TCP/IP protocol suite. This protocol prescribes how the device and the RADIUS server of the ISP exchange user information with each other. Symptom 1: User authentication/authorization always fails. Possible reasons and solutions: The user name is not in the userid@isp-name or userid.isp-name format, or the default ISP domain is not correctly specified on the device —...
  • Page 290: EAD Configuration

    EAD Configuration. Introduction to EAD: Endpoint admission defense (EAD) is an attack defense solution. Using this solution, you can enhance the active defense capability of network endpoints, prevent viruses and worms from spreading on the network, and protect the entire network by limiting the access rights of insecure endpoints. With the cooperation of the device, AAA server, security policy server and security client, EAD is able to evaluate the security compliance of network endpoints and dynamically control their access rights.
  • Page 291: EAD Configuration Example

    After the client is patched and compliant with the required security standard, the security policy server reissues an ACL to the device, which then assigns access rights to the client so that the client can access more network resources. EAD Configuration: The EAD configuration includes configuring the attributes of access users (such as user name, user type, and password).
  • Page 292 Figure 3-2 EAD configuration (figure: Authentication Servers 10.110.91.164; GE1/0/1; Internet; User; Virus Patch Servers and Security Policy Servers at 10.110.91.166 and 10.110.91.168)
    Configuration procedure
    # Configure 802.1x on the device. Refer to the section "Configuring 802.1x" of 802.1x Configuration.
    # Configure a domain.
    <device>...
  • Page 293 Table of Contents
    1 MAC Authentication Configuration 1-1
    MAC Authentication Overview 1-1
    Performing MAC Authentication on a RADIUS Server 1-1
    Performing MAC Authentication Locally 1-1
    Related Concepts 1-2
    MAC Authentication Timers 1-2
    Quiet MAC Address 1-2
    Configuring Basic MAC Authentication Functions 1-2
    MAC Address Authentication Enhanced Function Configuration 1-4
    MAC Address Authentication Enhanced Function Configuration Tasks 1-4
    Configuring a Guest VLAN 1-4
    Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a...
  • Page 294: MAC Authentication Configuration

    MAC Authentication Configuration The sample output information in this manual was created on the WX3024. The output information on your device may vary. MAC Authentication Overview MAC authentication provides a way for authenticating users based on ports and MAC addresses, without requiring any client software to be installed on the hosts.
  • Page 295: Related Concepts

    included depending on the format configured with the mac-authentication authmode usernameasmacaddress usernameformat command; otherwise, the authentication will fail. If the username type is fixed username, you need to configure the fixed username and password on the device, which are used by the device to authenticate all users. The service type of a local user needs to be configured as lan-access.
  • Page 296
    To do… / Use the command… / Remarks:
    Enable MAC authentication for the specified port(s) or the current port (use either method; disabled by default):
      In system view: mac-authentication interface interface-list
      In interface view: interface interface-type interface-number, then mac-authentication, then quit
    Set the username in MAC address…: mac-authentication authmode… (Optional; by default, the MAC...
  • Page 297: MAC Address Authentication Enhanced Function Configuration

    MAC Address Authentication Enhanced Function Configuration. MAC Address Authentication Enhanced Function Configuration Tasks: Complete the following tasks to configure the MAC address authentication enhanced function: Configuring a Guest VLAN (Optional); Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port (Optional). Configuring a Guest VLAN: Different from the Guest VLANs described in the 802.1x and System-Guard manual, the Guest VLANs mentioned in this section refer to Guest VLANs dedicated to MAC address authentication.
  • Page 298 Guest VLANs are implemented in the mode of adding a port to a VLAN. For example, when multiple users are connected to a port, if the first user fails in the authentication, the other users can access only the contents of the Guest VLAN. The device will re-authenticate only the first user accessing this port, and the other users cannot be authenticated again.
  • Page 299: Port

    If more than one client is connected to a port, you cannot configure a Guest VLAN for this port. When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port. Even if you set the limit on the number of MAC address authentication users to more than one, the configuration does not take effect.
  • Page 300: Displaying And Maintaining MAC Authentication

    If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port, the smaller value of the two configured limits is adopted as the maximum number of MAC address authentication users allowed to access this port.
  • Page 301 # Add a local user. Specify the username and password.
    [device] local-user 00-0d-88-f6-44-c1
    [device-luser-00-0d-88-f6-44-c1] password simple 00-0d-88-f6-44-c1
    # Set the service type to "lan-access".
    [device-luser-00-0d-88-f6-44-c1] service-type lan-access
    [device-luser-00-0d-88-f6-44-c1] quit
    # Add an ISP domain named aabbcc.net.
    [device] domain aabbcc.net
    New Domain added.
    # Specify to perform local authentication.
  • Page 302 Table of Contents
    1 IP Addressing Configuration 1-1
    IP Addressing Overview 1-1
    IP Address Classes 1-1
    Special Case IP Addresses 1-2
    Subnetting and Masking 1-2
    Configuring IP Addresses 1-3
    Displaying and Maintaining IP Addressing 1-4
    IP Address Configuration Examples 1-4
    IP Address Configuration Example I 1-4
    IP Address Configuration Example II 1-5
    2 IP Performance Configuration 2-1
    IP Performance Overview 2-1...
  • Page 303: IP Addressing Configuration

    The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of the WX3000 series. The sample output information in this manual was created on the WX3024. The output information on your device may vary.
  • Page 304: Special Case IP Addresses

    Table 1-1 IP address classes and ranges (columns: Class, Address range, Remarks). Address 0.0.0.0 means this host on this network. This address is used by a host at bootstrap when it does not know its IP address. This address is never a valid destination address.
  • Page 305: DHCP

    adds an additional level, subnet ID, to the two-level hierarchy with IP addressing, IP routing now involves three steps: delivery to the site, delivery to the subnet, and delivery to the host. In the absence of subnetting, some special addresses such as the addresses with the net ID of all zeros and the addresses with the host ID of all ones, are not assignable to hosts.
  • Page 306: Displaying And Maintaining IP Addressing

    You can assign at most two IP addresses to an interface, one of which is the primary IP address and the other the secondary IP address. A newly specified primary IP address overwrites the previous one if there is any. The primary and secondary IP addresses of an interface cannot reside on the same network segment;...
  • Page 307: IP Address Configuration Example II

    IP Address Configuration Example II. Network requirements: As shown in Figure 1-4, VLAN-interface 1 on Switch is connected to a LAN comprising two segments: 172.16.1.0/24 and 172.16.2.0/24. To enable the hosts on the two network segments to communicate with the external network through Switch, and to enable the hosts on the LAN to communicate with each other, do the following: Assign two IP addresses to VLAN-interface 1 on Switch.
  • Page 308 5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 25/26/27 ms
    The output information shows that Switch can communicate with the hosts on the subnet 172.16.1.0/24.
    # Ping a host on the subnet 172.16.2.0/24 from Switch to check the connectivity.
    <Switch>...
  • Page 309: IP Performance Configuration

    IP Performance Configuration IP Performance Overview Introduction to IP Performance Configuration In some network environments, you need to adjust the IP parameters to achieve best network performance. The IP performance configuration supported by the device includes: Configuring TCP attributes Disabling sending of ICMP error packets Introduction to FIB Every device stores a forwarding information base (FIB).
  • Page 310: Disabling Sending Of ICMP Error Packets

    To do… / Use the command… / Remarks:
    Enter system view: system-view
    Configure the TCP synwait timer's timeout value: tcp timer syn-timeout time-value (Optional; by default, the timeout value is 75 seconds.)
    Configure the TCP finwait timer's timeout value: tcp timer fin-timeout time-value (Optional; by default, the timeout value is 675 seconds.)
  • Page 311: Displaying And Maintaining IP Performance Configuration

    Displaying and Maintaining IP Performance Configuration
    To do… / Use the command… / Remarks:
    Display TCP connection status: display tcp status
    Display TCP connection statistics: display tcp statistics
    Display UDP traffic statistics: display udp statistics
    Display IP traffic statistics: display ip statistics
    Display ICMP traffic statistics: display icmp statistics
    Display the current socket information of...
  • Page 312 Table of Contents
    1 DHCP Overview 1-1
    Introduction to DHCP 1-1
    DHCP IP Address Assignment 1-1
    IP Address Assignment Policy 1-1
    Obtaining IP Addresses Dynamically 1-2
    Updating IP Address Lease 1-3
    DHCP Packet Format 1-3
    Protocols and Standards 1-4
    2 DHCP Relay Agent Configuration 2-1
    Introduction to DHCP Relay Agent 2-1
    Usage of DHCP Relay Agent 2-1
    DHCP Relay Agent Fundamentals 2-1...
  • Page 313: DHCP Overview

    The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of the WX3000 series. The sample output information in this manual was created on the WX3024. The output information on your device may vary.
  • Page 314: Obtaining IP Addresses Dynamically

    Manual assignment. The administrator configures static IP-to-MAC bindings for some special clients, such as a WWW server. Then the DHCP server assigns these fixed IP addresses to the clients. Automatic assignment. The DHCP server assigns IP addresses to DHCP clients. The IP addresses will be occupied by the DHCP clients permanently.
  • Page 315: Updating IP Address Lease

    Updating IP Address Lease After a DHCP server dynamically assigns an IP address to a DHCP client, the IP address keeps valid only within a specified lease time and will be reclaimed by the DHCP server when the lease expires. If the DHCP client wants to use the IP address for a longer time, it must update the IP lease.
  • Page 316: Protocols And Standards

    siaddr: IP address of the DHCP server. giaddr: IP address of the first DHCP relay agent that the DHCP client passes after it sent the request packet. chaddr: Hardware address of the DHCP client. sname: Name of the DHCP server. file: Path and name of the boot configuration file that the DHCP server specifies for the DHCP client.
  • Page 317: DHCP Relay Agent Configuration

    DHCP Relay Agent Configuration When configuring the DHCP relay agent, go to these sections for information you are interested in: Introduction to DHCP Relay Agent Configuring the DHCP Relay Agent Displaying and Maintaining DHCP Relay Agent Configuration DHCP Relay Agent Configuration Example Troubleshooting DHCP Relay Agent Configuration Currently, the interface-related DHCP relay agent configurations can only be made on VLAN interfaces.
  • Page 318: DHCP Relay Agent Support For Option

    Figure 2-1 Typical DHCP relay agent application In the process of dynamic IP address assignment through the DHCP relay agent, the DHCP client and DHCP server interoperate with each other in a similar way as they do without the DHCP relay agent. The following sections only describe the forwarding process of the DHCP relay agent.
  • Page 319 Figure 2-2 Padding contents for sub-option 1 of Option 82 Figure 2-3 Padding contents for sub-option 2 of Option 82 Mechanism of Option 82 supported on DHCP relay agent The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay agent is similar to that for the client to obtain an IP address from a DHCP server directly.
  • Page 320: Configuring The DHCP Relay Agent

    Configuring the DHCP Relay Agent If a device belongs to an IRF fabric, you need to enable the UDP Helper function on it before configuring it as a DHCP relay agent. DHCP Relay Agent Configuration Task List Complete the following tasks to configure the DHCP relay agent: Task Remarks Correlating a DHCP Server Group with a Relay Agent Interface...
  • Page 321: Configuring DHCP Relay Agent Security Functions

    To improve security and avoid malicious attacks on unused sockets, the device provides the following functions: UDP port 67 and UDP port 68, used by DHCP, are enabled only when DHCP is enabled, and are disabled when DHCP is disabled. The corresponding implementation is as follows: When a VLAN interface is mapped to a DHCP server group with the dhcp-server command, the DHCP relay agent is enabled.
  • Page 322
    To do… / Use the command… / Remarks:
    Enter system view: system-view
    Create a static IP-to-MAC binding: dhcp-security static ip-address mac-address (Optional; not created by default.)
    Enter interface view: interface interface-type interface-number
    Enable the address checking function: address-check enable (Required; disabled by default.)
  • Page 323: Configuring The DHCP Relay Agent To Support Option

    To do… / Use the command… / Remarks:
    Set the interval at which the DHCP relay agent dynamically updates the client address entries: dhcp-security tracker { interval | auto } (Optional; by default, auto is adopted, that is, the interval is automatically calculated.)
  • Page 324: Displaying And Maintaining DHCP Relay Agent Configuration

    To do… / Use the command… / Remarks:
    Enter system view: system-view
    Enable Option 82 support on the DHCP relay agent: dhcp relay information enable (Required; disabled by default.)
    Configure the strategy for the DHCP relay agent to process request packets containing Option 82...: dhcp relay information strategy { drop | keep | replace } (Optional; by default, the...
  • Page 325: Troubleshooting DHCP Relay Agent Configuration

    Figure 2-4 Network diagram for DHCP relay agent
    Configuration procedure
    # Create DHCP server group 1 and configure an IP address of 10.1.1.1 for it.
    <SwitchA> system-view
    [SwitchA] dhcp-server 1 ip 10.1.1.1
    # Map VLAN-interface 1 to DHCP server group 1.
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] dhcp-server 1
    You need to perform corresponding configurations on the DHCP server to enable the DHCP clients...
  • Page 326 Check if an address pool that is on the same network segment with the DHCP clients is configured on the DHCP server. Check if a reachable route is configured between the DHCP relay agent and the DHCP server. Check the DHCP relay agent. Check if the correct DHCP server group is configured on the interface connecting the network segment where the DHCP client resides.
  • Page 327: DHCP Snooping Configuration

    Untrusted: An untrusted port is connected to an unauthorized DHCP server. The DHCP-ACK or DHCP-OFFER packets received from the port are discarded, preventing DHCP clients from receiving invalid IP addresses. Figure 3-1 illustrates a typical network diagram for DHCP snooping application, where Switch A is a WX3000 series device.
  • Page 328: Overview Of DHCP Snooping Option

    Figure 3-1 Typical network diagram for DHCP snooping application (figure: DHCP Server; Internet; Switch A (DHCP Snooping) with ports GE1/0/1 and GE1/0/2; Switch B (DHCP Relay); DHCP Clients). DHCP snooping listens to the following two types of packets to retrieve the IP addresses the DHCP clients obtain from DHCP servers and the MAC addresses of the DHCP clients: DHCP-REQUEST packet, DHCP-ACK packet...
  • Page 329 contents). That is, the circuit ID or remote ID sub-option defines the type and length of a circuit ID or remote ID. The remote ID type field and circuit ID type field are determined by the option storage format. They are both set to “0”...
  • Page 330: Overview Of IP Filtering

    Table 3-1 Ways of handling a DHCP packet with Option 82 (columns: Handling policy, Sub-option configuration, The DHCP snooping device will…):
    Drop / — / Drop the packet.
    Keep / — / Forward the packet without changing Option 82.
    … / … / Forward the packet after replacing the original Option 82 with the default content.
  • Page 331: DHCP Snooping Configuration

    The resources on the server are exhausted, so the server does not respond to other requests. After receiving such packets, a device needs to send them to the CPU for processing. Too many request packets cause a high CPU usage rate. As a result, the CPU cannot work normally. The device can filter invalid IP packets through the DHCP-snooping table and the IP static binding table.
  • Page 332: Configuring DHCP Snooping To Support Option

    To do… / Use the command… / Remarks:
    Specify the current port as a trusted port: dhcp-snooping trust (Required; by default, after DHCP snooping is enabled, all ports of a device are untrusted ports. You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses.)
  • Page 333
    To do… / Use the command… / Remarks:
    Enter system view: system-view
    Enable DHCP-snooping Option 82 support: dhcp-snooping information enable (Required; by default, DHCP snooping Option 82 support is disabled.)
    Configure a handling policy for DHCP packets with Option 82. Follow these steps to configure a handling policy for DHCP packets with Option 82: To do…...
  • Page 334 The dhcp-snooping information format command applies only to the default content of the Option 82 field. If you have configured the circuit ID or remote ID sub-option, the format of the sub-option is ASCII, instead of the one specified with the dhcp-snooping information format command. Configure the circuit ID sub-option Follow these steps to configure the circuit ID sub-option: To do…...
  • Page 335: Configuring IP Filtering

    To do… / Use the command… / Remarks:
    Enter system view: system-view
    Configure the remote ID sub-option in system view: dhcp-snooping information remote-id { sysname | string string } (Optional; by default, the remote ID sub-option is the MAC address of the DHCP snooping device that received the DHCP client's request.)
  • Page 336: DHCP Snooping Configuration Example

    To do… / Use the command… / Remarks:
    Enable IP filtering: ip check source ip-address [ mac-address ] (Required; by default, this function is disabled.)
    Create an IP static binding entry: ip source static binding ip-address ip-address [ mac-address mac-address ] (Optional; by default, no static binding entry is created.)
  • Page 337: Ip Filtering Configuration Example

    Configuration procedure
    # Enable DHCP snooping on Switch.
    <Switch> system-view
    [Switch] dhcp-snooping
    # Specify GigabitEthernet 1/0/5 as the trusted port.
    [Switch] interface gigabitethernet 1/0/5
    [Switch-GigabitEthernet1/0/5] dhcp-snooping trust
    [Switch-GigabitEthernet1/0/5] quit
    # Enable DHCP-snooping Option 82 support.
    [Switch] dhcp-snooping information enable
    # Set the remote ID sub-option in Option 82 to the system name (sysname) of the DHCP snooping device.
  • Page 338
    Figure 3-7 Network diagram for IP filtering configuration (DHCP Server on GE1/0/1 of Switch, which runs DHCP snooping; Host A with IP 1.1.1.1 and MAC 0001-0001-0001, Client B and Client C on GE1/0/2 through GE1/0/4)
    Configuration procedure
    # Enable DHCP snooping on Switch.
    <Switch> system-view
    [Switch] dhcp-snooping
    # Specify GigabitEthernet 1/0/1 as the trusted port.
    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] dhcp-snooping trust
    [Switch-GigabitEthernet1/0/1] quit...
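The DHCP snooping and IP filtering procedures above (trusted ports, Option 82 insertion, the binding table learned from DHCP ACKs, and ip check source / ip source static binding) can be modelled end to end. The following is an added example written for this page, not code from the 3Com manual. DHCP messages and IP packets are simplified dicts rather than parsed wire formats, the ASCII "vlan:port" circuit ID text and the per-port scope of static bindings are this example's assumptions, and all addresses are constructed sample values.

```python
"""Model of DHCP snooping with trusted ports, Option 82 insertion, the dynamic
binding table and IP source filtering (ip check source / ip source static binding).
Added example, not code from the 3Com manual. DHCP messages and IP packets are
simplified dicts; the 'vlan:port' circuit ID text and the per-port scope of
static bindings are this example's assumptions."""
from dataclasses import dataclass, field

OPTION_82, SUB_CIRCUIT_ID, SUB_REMOTE_ID = 82, 1, 2
SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE", "INFORM"}


@dataclass
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str
    static: bool = False


@dataclass
class DhcpSnooper:
    sysname: str
    device_mac: str                                  # the manual's default remote ID
    trusted_ports: set = field(default_factory=set)  # ports facing valid DHCP servers
    filter_ports: set = field(default_factory=set)   # ports with ip check source enabled
    remote_id: str = "mac"                           # "mac" (default) or "sysname"
    check_mac: bool = True                           # ip check source ip-address mac-address
    bindings: dict = field(default_factory=dict)     # (port, ip) -> Binding
    pending: dict = field(default_factory=dict)      # client MAC -> (vlan, port) of its request

    def option82(self, vlan: int, port: str) -> bytes:
        """Option 82 TLV: sub-option 1 = circuit ID, sub-option 2 = remote ID, both ASCII."""
        circuit = f"{vlan}:{port}".encode()
        remote = (self.sysname if self.remote_id == "sysname" else self.device_mac).encode()
        body = (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit
                + bytes([SUB_REMOTE_ID, len(remote)]) + remote)
        return bytes([OPTION_82, len(body)]) + body

    def handle_dhcp(self, port: str, vlan: int, msg: dict) -> tuple:
        """Return ("drop", None) or ("forward", msg). msg keys: op, chaddr, yiaddr, options."""
        op, mac = msg["op"], msg["chaddr"]
        if port in self.trusted_ports:
            if op == "ACK" and msg.get("yiaddr"):
                # a legitimate server confirmed a lease: record the client binding
                c_vlan, c_port = self.pending.pop(mac, (vlan, port))
                self.bindings[(c_port, msg["yiaddr"])] = Binding(msg["yiaddr"], mac, c_vlan, c_port)
            return ("forward", msg)
        if op in SERVER_MSGS or op not in CLIENT_MSGS:
            return ("drop", None)                    # server reply on an untrusted port: rogue server
        if op == "RELEASE":                          # client gave the address back
            self.bindings = {k: b for k, b in self.bindings.items()
                             if b.static or not (b.mac == mac and b.port == port)}
        self.pending[mac] = (vlan, port)
        out = dict(msg)
        out["options"] = list(msg.get("options", [])) + [self.option82(vlan, port)]
        return ("forward", out)

    def add_static(self, port: str, ip: str, mac: str, vlan: int = 0) -> None:
        """ip source static binding: a host with a fixed address that never uses DHCP."""
        self.bindings[(port, ip)] = Binding(ip, mac, vlan, port, static=True)

    def check_ip(self, port: str, src_ip: str, src_mac: str) -> bool:
        """IP filtering: forward only if (port, ip[, mac]) is in the binding table."""
        if port not in self.filter_ports:
            return True
        b = self.bindings.get((port, src_ip))
        if b is None:
            return False
        return (not self.check_mac) or b.mac == src_mac


if __name__ == "__main__":
    s = DhcpSnooper("Switch", "000f-e200-0001", trusted_ports={"GE1/0/1"},
                    filter_ports={"GE1/0/2"}, remote_id="sysname")
    print(s.handle_dhcp("GE1/0/2", 1, {"op": "DISCOVER", "chaddr": "0002-0002-0002"}))
    print(s.handle_dhcp("GE1/0/3", 1, {"op": "OFFER", "chaddr": "0002-0002-0002", "yiaddr": "1.1.1.2"}))
```

The binding is keyed by port as well as address, so a host that copies a neighbour's IP and MAC from another port still fails the check, and a RELEASE removes only dynamic entries, never a static binding.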
  • Page 339: Displaying And Maintaining Dhcp Snooping Configuration

    Displaying and Maintaining DHCP Snooping Configuration
    Display the user IP-MAC address mapping entries recorded by the DHCP snooping function
      Command: display dhcp-snooping [ unit unit-id ]
      Remarks: Available in any view
    Display the (enabled/disabled) state of the DHCP snooping function and the trusted ports
      Command: display dhcp-snooping trust
      Remarks: Available in any view...
  • Page 340: Dhcp/Bootp Client Configuration

    DHCP/BOOTP Client Configuration Introduction to DHCP Client After you specify a VLAN interface as a DHCP client, the device can use DHCP to obtain parameters such as IP address dynamically from the DHCP server, which facilitates user configuration and management. Refer to Obtaining IP Addresses Dynamically for the process of how a DHCP client dynamically obtains...
  • Page 341: Dhcp Client Configuration Example

    Configure the VLAN interface to obtain an IP address through DHCP or BOOTP
      Command: ip address { bootp-alloc | dhcp-alloc }
      Remarks: Required. By default, no IP address is configured for the VLAN interface.
    Currently, the device operating as a DHCP client can use an IP address for no more than 24 days; that is, it can obtain a lease of at most 24 days even if the DHCP server assigns a lease longer than 24 days.
  • Page 342: Displaying And Maintaining Dhcp/Bootp Client Configuration

    Displaying and Maintaining DHCP/BOOTP Client Configuration
    Display related information on a DHCP client
      Command: display dhcp client [ verbose ]
      Remarks: Available in any view
    Display related information on a BOOTP client
      Command: display bootp client [ interface vlan-interface vlan-id ]
      Remarks: Available in any view...
  • Page 343 Table of Contents
    1 ACL Configuration 1-1
      ACL Overview 1-1
        ACL Matching Order 1-1
        Ways to Apply an ACL on a Device 1-2
        Types of ACLs Supported by Devices 1-3
      ACL Configuration 1-3
        Configuring Time Range 1-3
        Configuring Basic ACL 1-5
        Configuring Advanced ACL 1-6
        Configuring Layer 2 ACL 1-7
      ACL Assignment 1-8
        Assigning an ACL Globally 1-9...
  • Page 344: Acl Configuration

    ACL Configuration The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a WX3000. The sample output information in this manual was created on the WX3024. The output information on your device may vary.
  • Page 345: Ways To Apply An Acl On A Device

    auto: the rules in an ACL are matched in the order determined by the system, namely the “depth-first” rule. For the depth-first rule, there are two cases: Depth-first match order for rules of a basic ACL: range of source IP address. The smaller the source IP address range (that is, the more zeros in the wildcard mask), the higher the match priority.
  • Page 346: Types Of Acls Supported By Devices

    When applying an ACL in this way, you can specify the order in which the rules in the ACL are matched. The match order cannot be modified once it is determined, unless you delete all the rules in the ACL and define the match order.
  • Page 347
    Configuration Procedure
    Follow these steps to configure a time range:
    Enter system view
      Command: system-view
      Remarks: —
    Create a time range
      Command: time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date }
      Remarks: Required
    Note that:...
  • Page 348: Configuring Basic Acl

    Configuring Basic ACL A basic ACL filters packets based on their source IP addresses. A basic ACL can be numbered from 2000 to 2999. Configuration Prerequisites To configure a time range-based basic ACL rule, you need to create the corresponding time range first.
  • Page 349: Configuring Advanced Acl

    rule 0 deny source 192.168.0.1 0
    Configuring Advanced ACL
    An advanced ACL can filter packets by their source and destination IP addresses, the protocols carried by IP, and protocol-specific features such as TCP/UDP source and destination ports, ICMP message type and message code. An advanced ACL can be numbered from 3000 to 3999.
  • Page 350: Configuring Layer 2 Acl

    If the ACL is created with the auto keyword specified, the newly created rules will be inserted in the existent ones by depth-first principle, but the numbers of the existent rules are unaltered. Configuration Example # Configure ACL 3000 to permit the TCP packets sourced from the network 129.9.0.0/16 and destined for the network 202.38.160.0/24 and with the destination port number being 80.
  • Page 351: Acl Assignment

    Note that: You can modify any existent rule of the Layer 2 ACL and the unmodified part of the ACL remains. If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise, it is the maximum rule number plus one.
  • Page 352: Assigning An Acl Globally

    ACLs assigned globally take precedence over those that are assigned to VLANs. That is, when a packet matches a rule of a globally assigned ACL and a rule of an ACL assigned to a VLAN, the device will perform the action defined in the rule of the globally assigned ACL if the actions defined in the two rules conflict.
  • Page 353: Assigning An Acl To A Port Group

    Enter system view
      Command: system-view
      Remarks: —
    Apply an ACL to a VLAN
      Command: packet-filter vlan vlan-id inbound acl-rule
      Remarks: Required. For a description of the acl-rule argument, refer to ACL Command.
    Configuration example
    # Apply ACL 2000 to VLAN 10 to filter the inbound packets of VLAN 10 on all the ports.
    <device>...
  • Page 354: Assigning An Acl To A Port

    Assigning an ACL to a Port Configuration prerequisites Before applying ACL rules to a port, you need to define the related ACLs. For information about defining an ACL, refer to Configuring Basic ACL, Configuring Advanced ACL, and Configuring Layer 2 ACL. Configuration procedure Follow these steps to apply an ACL to a port: To do…...
  • Page 355: Examples For Upper-Layer Software Referencing Acls

    Examples for Upper-layer Software Referencing ACLs Example for Controlling Telnet Login Users by Source IP Network requirements As shown in Figure 1-1, apply an ACL to permit users with the source IP address of 10.110.100.52 to telnet to the switching engine. Figure 1-1 Network diagram for controlling Telnet login users by source IP Internet Switch...
  • Page 356: Examples For Applying Acls To Hardware

    Configuration procedure
    # Define ACL 2001.
    <device> system-view
    [device] acl number 2001
    [device-acl-basic-2001] rule 1 permit source 10.110.100.46 0
    [device-acl-basic-2001] quit
    # Reference ACL 2001 to control users logging in to the Web server.
    [device] ip http acl 2001
    Examples for Applying ACLs to Hardware
    Basic ACL Configuration Example
    Network requirements
    As shown in...
  • Page 357: Layer 2 Acl Configuration Example

    GigabitEthernet 1/0/1 of Switch. Apply an ACL to deny requests from the R&D department destined for the wage server during the working hours (8:00 to 18:00).
    Figure 1-4 Network diagram for advanced ACL configuration (wage query server 192.168.1.2; Switch ports GigabitEthernet 1/0/1 and 1/0/2; uplink to the router)...
  • Page 358: Example For Applying An Acl To A Vlan

    <device> system-view
    [device] time-range test 8:00 to 18:00 daily
    # Define ACL 4000 to filter packets with the source MAC address of 000f-e20f-0101 and the destination MAC address of 000f-e20f-0303.
    [device] acl number 4000
    [device-acl-ethernetframe-4000] rule 1 deny source 000f-e20f-0101 ffff-ffff-ffff dest 000f-e20f-0303 ffff-ffff-ffff time-range test
    [device-acl-ethernetframe-4000] quit
    # Apply ACL 4000 on GigabitEthernet 1/0/1.
  • Page 359 # Apply ACL 3000 to VLAN 10. [device] packet-filter vlan 10 inbound ip-group 3000 1-16...
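The ACL chapter above describes several mechanisms that interact: wildcard masks, the config versus auto (depth-first) match order, automatic rule numbering (0 for an empty ACL, otherwise the highest number plus one), and time ranges that switch a rule on and off. The following model ties them together and evaluates the manual's own rules (ACL 3000 for TCP from 129.9.0.0/16 to 202.38.160.0/24 port 80, and a time range of 8:00 to 18:00 daily). It is an added example written for this page, not code from the 3Com manual. Packets are plain dicts, and extending the depth-first ordering to the destination range for advanced ACLs is this example's assumption; the manual's extract states the rule only for the source range of basic ACLs.

```python
"""ACL matching model: wildcard masks, config versus auto (depth-first) match order,
automatic rule numbering and time ranges. Added example, not code from the 3Com
manual. Packets are plain dicts; extending the depth-first key to the destination
range for advanced ACLs is this example's assumption."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # address/wildcard pair that matches every address


def ip_int(addr: str) -> int:
    # the CLI writes a host wildcard as plain "0"; accept that shorthand too
    return int(addr) if addr.isdigit() else int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: 1 bits are don't-care, 0 bits must match."""
    care = 0xFFFFFFFF ^ ip_int(wildcard)
    return (ip_int(addr) & care) == (ip_int(base) & care)


def zero_bits(wildcard: str) -> int:
    """More zero bits in the wildcard means a smaller range and a higher depth-first priority."""
    return 32 - bin(ip_int(wildcard)).count("1")


@dataclass
class TimeRange:
    """time-range NAME start-time to end-time { daily | working-day | off-day } [ from ... ] [ to ... ]"""
    start: tuple = (0, 0)                    # (hour, minute), inclusive
    end: tuple = (24, 0)                     # exclusive
    days: str = "daily"
    from_date: Optional[datetime] = None
    to_date: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        if self.from_date and now < self.from_date:
            return False
        if self.to_date and now > self.to_date:
            return False
        weekday = now.weekday()              # Monday == 0
        if self.days == "working-day" and weekday > 4:
            return False
        if self.days == "off-day" and weekday < 5:
            return False
        return self.start <= (now.hour, now.minute) < self.end


@dataclass
class Rule:
    rule_id: int
    action: str                              # "permit" or "deny"
    src: tuple = ANY                         # (address, wildcard)
    dst: tuple = ANY
    protocol: Optional[str] = None           # None or "ip" matches any IP protocol
    dst_port: Optional[int] = None
    time_range: Optional[TimeRange] = None

    def matches(self, pkt: dict, now: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(now):
            return False                     # rule is inactive outside its time range
        if not wildcard_match(pkt["src"], *self.src) or not wildcard_match(pkt["dst"], *self.dst):
            return False
        if self.protocol not in (None, "ip") and pkt.get("protocol") != self.protocol:
            return False
        return self.dst_port is None or pkt.get("dst_port") == self.dst_port


@dataclass
class Acl:
    number: int
    match_order: str = "config"              # "config" (default) or "auto"
    rules: list = field(default_factory=list)

    def add_rule(self, rule_id: Optional[int] = None, **kw) -> Rule:
        """An unnumbered rule gets 0 in an empty ACL, otherwise the highest rule number plus one."""
        if rule_id is None:
            rule_id = 0 if not self.rules else max(r.rule_id for r in self.rules) + 1
        rule = Rule(rule_id, **kw)
        self.rules.append(rule)
        return rule

    def ordered_rules(self) -> list:
        if self.match_order == "config":
            return list(self.rules)          # the order in which the rules were configured
        # depth-first: narrowest source range first, then narrowest destination, then lowest rule number
        return sorted(self.rules, key=lambda r: (-zero_bits(r.src[1]), -zero_bits(r.dst[1]), r.rule_id))

    def lookup(self, pkt: dict, now: datetime) -> Optional[tuple]:
        """(action, rule_id) of the first matching rule, or None when no rule matches."""
        for rule in self.ordered_rules():
            if rule.matches(pkt, now):
                return (rule.action, rule.rule_id)
        return None


if __name__ == "__main__":
    # the manual's advanced ACL 3000: TCP from 129.9.0.0/16 to 202.38.160.0/24, destination port 80
    acl = Acl(3000, "auto")
    acl.add_rule(action="permit", src=("129.9.0.0", "0.0.255.255"),
                 dst=("202.38.160.0", "0.0.0.255"), protocol="tcp", dst_port=80)
    print(acl.lookup({"src": "129.9.1.1", "dst": "202.38.160.5", "protocol": "tcp", "dst_port": 80},
                     datetime(2024, 1, 1, 9, 0)))
```

The practical lesson is in the match order: a broad permit followed by a narrow deny filters nothing under config order but does under auto order, so the order an ACL was created with must be checked before trusting a rule set, and since it cannot be changed without deleting every rule, it is worth deciding up front.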
  • Page 360 Table of Contents
    1 QoS Configuration 1-1
      Overview 1-1
        Introduction to QoS 1-1
        Traditional Packet Forwarding Service 1-1
        New Applications and New Requirements 1-1
        Major Traffic Control Techniques 1-2
      QoS Supported by Devices 1-2
        Traffic Classification 1-2
        Precedence 1-3
        Priority Trust Mode 1-5
        Protocol Priority 1-8
        Priority Marking 1-8
        Traffic Policing and Traffic Shaping 1-8
        Traffic Redirecting 1-10...
  • Page 361
        Applying a QoS Profile 2-2
        Displaying and Maintaining QoS Profile 2-3
      Configuration Example 2-4
        QoS Profile Configuration Example 2-4...
  • Page 362: Overview

    QoS Configuration The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of the WX3000 series. The sample output information in this manual was created on the WX3024. The output information on your device may vary.
  • Page 363: Major Traffic Control Techniques

    Video-on-Demand (VoD). Enterprise users expect to connect their regional branches together using VPN techniques for daily business, for instance accessing databases or managing remote equipment through Telnet. All these new applications have one thing in common: they have special requirements for bandwidth, delay, and jitter.
  • Page 364: Precedence

    information carried in the packet header. The packet payload is rarely used for traffic classification. Classification rules are not limited in scope: a rule can be a quintuple consisting of source address, source port number, protocol number, destination address, and destination port number, or simply a network segment.
  • Page 365 Class selector (CS) class: This class comes from the IP ToS field and includes eight subclasses; Best Effort (BE) class: This class is a special class without any assurance in the CS class. The AF class can be degraded to the BE class if it exceeds the limit. Current IP network traffic belongs to this class by default.
  • Page 366: Priority Trust Mode

    As shown in the figure above, each host supporting 802.1Q protocol adds a 4-byte 802.1Q tag header after the source address of the former Ethernet frame header when sending packets. The 4-byte 802.1Q tag header consists of the tag protocol identifier (TPID, two bytes in length), whose value is 0x8100, and the tag control information (TCI, two bytes in length).
  • Page 367 The device does not support marking drop precedence for packets. A device can operate in one of the following two priority trust modes when assigning precedence to received packets: Packet priority trusted mode Port priority trusted mode In terms of priority trust mode, the priority mapping process is shown in Figure 1-4.
  • Page 368 The devices provide COS-precedence-to-other-precedence, DSCP-precedence-to-other-precedence, and DSCP-precedence-to-DSCP-precedence mapping tables for priority mapping. Table 1-4 through Table 1-6 list the default settings of these tables.
    Table 1-4 The default COS-precedence-to-other-precedence mapping table of the devices (columns: 802.1p precedence, Target local precedence, Target drop precedence, Target DSCP precedence)...
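The tag layout on page 366 (a 4-byte 802.1Q header after the source address, TPID 0x8100 followed by the 2-byte TCI) and the two trust modes on page 367 determine which priority value the switch uses for a frame. The following parser extracts the 802.1p priority, VLAN ID and IPv4 DSCP from a frame and applies the selected trust mode. It is an added example written for this page, not code from the 3Com manual. The COS-to-local and DSCP-to-local mappings are assumptions standing in for the truncated Tables 1-4 to 1-6, the fallback to the port priority for untagged or non-IP frames is an assumption, and the sample frame is constructed, not captured.

```python
"""802.1Q tag and DSCP extraction plus priority trust mode selection. Added example,
not code from the 3Com manual; the COS-to-local and DSCP-to-local mappings below are
assumptions (the manual's Tables 1-4 to 1-6 are truncated in this extract)."""
import struct

TPID_8021Q = 0x8100
ETH_IPV4 = 0x0800
# Assumed defaults; the real ones are set with qos cos-local-precedence-map / qos dscp-local-precedence-map.
COS_TO_LOCAL = {0: 2, 1: 0, 2: 1, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}


def dscp_to_local(dscp: int) -> int:
    return dscp // 8                     # assumed: DSCP class selector bits become the local precedence


def parse_frame(frame: bytes) -> dict:
    """Return 802.1p priority (pcp), CFI and VLAN ID if tagged, plus the DSCP of an IPv4 payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    info = {"dst": frame[0:6].hex(), "src": frame[6:12].hex(), "tag": None, "dscp": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == TPID_8021Q:          # 4-byte tag after the source address: TPID + TCI
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        info["tag"] = {"pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    info["ethertype"] = ethertype
    if ethertype == ETH_IPV4 and len(frame) >= offset + 20:
        info["dscp"] = frame[offset + 1] >> 2   # DSCP is the upper six bits of the ToS byte
    return info


def local_precedence(frame: bytes, trust: str, port_priority: int) -> int:
    """trust is 'cos' (802.1p), 'dscp' or 'port'. Untagged or non-IP frames fall back to the
    port priority (assumption); in 'port' mode the packet's own markings are ignored."""
    info = parse_frame(frame)
    if trust == "cos" and info["tag"] is not None:
        return COS_TO_LOCAL[info["tag"]["pcp"]]
    if trust == "dscp" and info["dscp"] is not None:
        return dscp_to_local(info["dscp"])
    return port_priority


def build_frame(pcp: int, vid: int, dscp: int, tagged: bool = True) -> bytes:
    """Constructed sample frame (not a capture): Ethernet header, optional 802.1Q tag, minimal IPv4 header."""
    dst, src = bytes.fromhex("000fe20f0303"), bytes.fromhex("000fe20f0101")
    tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) if tagged else b""
    ip_header = bytes([0x45, dscp << 2]) + b"\x00" * 18
    return dst + src + tag + struct.pack("!H", ETH_IPV4) + ip_header


if __name__ == "__main__":
    f = build_frame(pcp=5, vid=10, dscp=46)
    print(parse_frame(f), local_precedence(f, "cos", 0), local_precedence(f, "port", 0))
```

The security point follows directly: in packet priority trusted mode the sender chooses its own queue, so a host on an access port can tag its traffic with PCP 7 or DSCP 46 and starve everyone else; user-facing ports should trust the port priority and only uplinks from trusted devices should trust packet markings.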
  • Page 369: Protocol Priority

    Protocol Priority Protocol packets carry their own priority. You can modify the priority of a protocol packet to implement QoS. Priority Marking The priority marking function is to use ACL rules in traffic classification and reassign the priority for the packets matching the ACL rules.
  • Page 370 Evaluating the traffic with the token bucket When token bucket is used for traffic evaluation, the number of the tokens in the token bucket determines the amount of the packets that can be forwarded. If the number of tokens in the bucket is enough to forward the packets, the traffic is conforming to the specification;...
  • Page 371: Traffic Redirecting

    Figure 1-6 Diagram for traffic shaping (tokens are put in the bucket at the set rate; packets to be sent through this port go through packet classification and a queue, are checked against the token bucket, and are then sent or dropped). For example, suppose device A sends packets to device B, and device B performs traffic policing on the packets from device A, dropping the packets beyond the specification.
  • Page 372 SP queuing
    Figure 1-7 Diagram for SP queuing (queues 7 down to 1, queue 7 being the high-priority queue; packets to be sent through this port are placed in the sending queues, scheduled, and sent out of the interface)...
  • Page 373
    Figure 1-8 Diagram for WRR queuing (queue 1 with weight 1, queue 2 with weight 2, through queue N-1 with weight N-1; packets to be sent through this port are placed in the sending queues, scheduled by weight, and sent out of the interface)...
  • Page 374: Flow-Based Traffic Accounting

    Table 1-7 Queue-scheduling sequence of SDWRR
      Scheduling algorithm: WRR
        Queue-scheduling sequence: 0, 0, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1
      Scheduling algorithm: SDWRR
        Queue-scheduling sequence: 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0
      Description: 0 indicates packets in queue0, 1 indicates packets in queue1
    Flow-based Traffic Accounting
    The function of flow-based traffic accounting is to use ACL rules in traffic classification and perform...
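Table 1-7 shows the difference between WRR and SDWRR only as two sequences. The following schedulers reproduce both rows from the same weights and measure the burstiness that SDWRR removes. It is an added example written for this page, not code from the 3Com manual; the weights 5 (queue 0) and 3 (queue 1) are inferred from the sequences in the table rather than stated on the page, and the rotating-pointer rule that keeps its position across credit refills is this example's reading of the SDWRR row.

```python
"""WRR versus SDWRR queue scheduling sequences, reproducing Table 1-7. Added example,
not code from the 3Com manual; the weights 5 (queue 0) and 3 (queue 1) are inferred
from the sequences in the table, not stated on the page."""


def wrr_sequence(weights, slots):
    """Plain WRR: a queue sends its whole weight in packets before the next queue is served."""
    if sum(weights) <= 0:
        raise ValueError("at least one queue needs a positive weight")
    seq = []
    while len(seq) < slots:
        for q, w in enumerate(weights):
            seq.extend([q] * w)
    return seq[:slots]


def sdwrr_sequence(weights, slots):
    """SDWRR: one packet per visit while rotating through the queues; credits are refilled
    only when every queue has used its weight, and the pointer keeps its position."""
    if sum(weights) <= 0:
        raise ValueError("at least one queue needs a positive weight")
    credits, seq, ptr = list(weights), [], 0
    while len(seq) < slots:
        if not any(credits):
            credits = list(weights)          # start of a new cycle, pointer unchanged
        if credits[ptr] > 0:
            credits[ptr] -= 1
            seq.append(ptr)
        ptr = (ptr + 1) % len(weights)
    return seq


def longest_run(seq):
    """Longest burst of consecutive slots given to one queue (lower is smoother)."""
    best = run = 0
    for i, q in enumerate(seq):
        run = run + 1 if i and seq[i - 1] == q else 1
        best = max(best, run)
    return best


def share(seq, queue):
    """Fraction of slots a queue received; both algorithms honour the weights over a full cycle."""
    return seq.count(queue) / len(seq)


if __name__ == "__main__":
    for name, fn in (("WRR", wrr_sequence), ("SDWRR", sdwrr_sequence)):
        s = fn([5, 3], 16)
        print(name, s, "longest run:", longest_run(s), "queue0 share:", share(s, 0))
```

Both sequences give queue 0 exactly 10 of 16 slots, so the bandwidth split is identical; what changes is that the longest burst drops from 5 to 3, which is the jitter reduction the text attributes to SDWRR.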
  • Page 375: Configuring Priority Trust Mode

    Enabling the Burst Function (Optional)
    Configuring Traffic Mirroring (Optional)
    Configuring Priority Trust Mode
    Refer to Priority Trust Mode for an introduction to priority trust mode.
    Configuration prerequisites
    The priority trust mode to be adopted is determined.
    The port where the priority trust mode is to be configured is determined.
    The port priority value is determined.
  • Page 376: Configuring Priority Mapping

    Configuration example
    Configure to trust port priority on GigabitEthernet 1/0/1 and set the priority of GigabitEthernet 1/0/1 to 7.
    Configuration procedure:
    <device> system-view
    [device] interface GigabitEthernet1/0/1
    [device-GigabitEthernet1/0/1] priority 7
    Configure to trust 802.1p precedence on GigabitEthernet 1/0/1.
    Configuration procedure:
    <device> system-view
    [device] interface GigabitEthernet1/0/1
    [device-GigabitEthernet1/0/1] priority-trust cos
    Configure to trust DSCP precedence on GigabitEthernet 1/0/1.
  • Page 377
    Configure the COS-precedence-to-DSCP-precedence mapping table
      Command: qos cos-dscp-map cos0-map-dscp cos1-map-dscp cos2-map-dscp cos3-map-dscp cos4-map-dscp cos5-map-dscp cos6-map-dscp cos7-map-dscp
      Remarks: Required
    Follow these steps to configure the DSCP-precedence-to-other-precedence mapping table:
    Enter system view
      Command: system-view
      Remarks: —...
  • Page 378
    [device] qos dscp-local-precedence-map 8 9 10 11 12 13 14 15 : 3
    [device] qos dscp-local-precedence-map 16 17 18 19 20 21 22 23 : 4
    [device] qos dscp-local-precedence-map 24 25 26 27 28 29 30 31 : 1
    [device] qos dscp-local-precedence-map 32 33 34 35 36 37 38 39 : 7
    [device] qos dscp-local-precedence-map 40 41 42 43 44 45 46 47 : 0
    [device] qos dscp-local-precedence-map 48 49 50 51 52 53 54 55 : 5
    [device] qos dscp-local-precedence-map 56 57 58 59 60 61 62 63 : 6...
  • Page 379: Setting The Priority Of Protocol Packets

    (Display output continues with DSCP values 37 through 59 and their mapped precedence values; the values are truncated in this extract.)...
  • Page 380: Marking Packet Priority

    Configuration example
    Set the IP precedence of ICMP packets to 3. Display the configuration.
    Configuration procedure:
    <device> system-view
    [device] protocol-priority protocol-type icmp ip-precedence 3
    [device] display protocol-priority
    Protocol: icmp
      IP-Precedence: flash(3)
    Marking Packet Priority
    Refer to Priority Marking for information about marking packet priority. Marking packet priority can be implemented in the following two ways: Through traffic policing When configuring traffic policing, you can define the action of marking the 802.1p priority and DSCP...
  • Page 381: Configuring Traffic Policing

    Follow these steps to mark the priority for packets that are of a port group and match specific ACL rules:
    Enter system view
      Command: system-view
      Remarks: —
    Enter port group view
      Command: port-group group-id
      Remarks: —
    Mark the priorities for packets matching specific ACL rules
      Command: traffic-priority inbound acl-rule { dscp ...
      Remarks: Required...
  • Page 382 Configuration prerequisites The ACL rules used for traffic classification are defined. Refer to the ACL module of this manual for information about defining ACL rules. The rate limit for traffic policing, and the actions for the packets exceeding the rate limit are determined.
  • Page 383: Configuring Traffic Shaping

    Enter system view
      Command: system-view
      Remarks: —
    Enter Ethernet port view
      Command: interface interface-type interface-number
      Remarks: —
    Configure traffic policing
      Command: traffic-limit inbound acl-rule target-rate [ conform con-action ] [ exceed exceed-action ] [ meter-statistic ]
      Remarks: Required. By default, traffic policing is disabled.
  • Page 384: Configuring Traffic Redirecting

    Configuration procedure
    Follow these steps to configure traffic shaping:
    Enter system view
      Command: system-view
      Remarks: —
    Enter Ethernet port view
      Command: interface interface-type interface-number
      Remarks: —
    Configure traffic shaping
      Command: traffic-shape [ queue queue-id ] ...
      Remarks: Required. Traffic shaping is not enabled by default. Traffic shaping can be performed in one of the following two modes: with the queue queue-id keyword...
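Pages 370 and 371 describe token bucket evaluation, and the traffic-limit and traffic-shape procedures above apply it in two ways: policing drops (or remarks) packets that find too few tokens, while shaping buffers them until enough tokens have accumulated. The following runs one constructed packet stream through both. It is an added example written for this page, not code from the 3Com manual; the 128 kbps rate echoes the QoS profile example later in this chapter, while the 2000-byte burst size, the packet sizes and arrival times are constructed values.

```python
"""Token-bucket traffic policing and traffic shaping on one packet stream. Added example,
not code from the 3Com manual; the sample packets, the 128 kbps rate and the 2000-byte
burst size are constructed values for illustration."""


class TokenBucket:
    def __init__(self, rate_bps: float, burst_bytes: int):
        self.rate = rate_bps / 8.0           # token fill rate in bytes per second
        self.capacity = float(burst_bytes)   # bucket depth, i.e. the permitted burst
        self.tokens = float(burst_bytes)     # the bucket starts full
        self.last = 0.0

    def refill(self, now: float) -> None:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def conforms(self, size: int, now: float) -> bool:
        """Policing check: consume tokens if enough are present, otherwise the packet exceeds."""
        self.refill(now)
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False

    def delay_for(self, size: int, now: float) -> float:
        """Shaping: seconds to wait from 'now' until 'size' tokens have accumulated."""
        self.refill(now)
        return 0.0 if self.tokens >= size else (size - self.tokens) / self.rate

    def take(self, size: int, now: float) -> None:
        self.refill(now)
        self.tokens = max(0.0, self.tokens - size)


def police(packets, rate_bps, burst_bytes, exceed_action="drop"):
    """traffic-limit semantics: 'conform' for each conforming packet, else the exceed action."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    return ["conform" if bucket.conforms(size, t) else exceed_action for t, size in packets]


def shape(packets, rate_bps, burst_bytes):
    """traffic-shape semantics: non-conforming packets wait in a FIFO buffer and are sent
    when tokens exist. Returns the send time of each packet in seconds."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    send_times, queue_free_at = [], 0.0
    for t, size in packets:
        t_send = max(t, queue_free_at)       # a packet cannot overtake one already queued
        t_send += bucket.delay_for(size, t_send)
        bucket.take(size, t_send)
        send_times.append(round(t_send, 6))
        queue_free_at = t_send
    return send_times


# Constructed sample: (arrival time in seconds, size in bytes), four 1500-byte packets.
PACKETS = [(0.0, 1500), (0.0, 1500), (0.1, 1500), (1.0, 1500)]
RATE_BPS, BURST_BYTES = 128_000, 2000

if __name__ == "__main__":
    print("policing:", police(PACKETS, RATE_BPS, BURST_BYTES))
    print("shaping: ", shape(PACKETS, RATE_BPS, BURST_BYTES))
```

With a full 2000-byte bucket the first packet passes, the second arriving at the same instant is dropped by the policer because only 500 tokens remain, and the third passes because 100 ms at 16000 bytes/s refills the bucket; the shaper instead delays the second packet by 62.5 ms and the third until 156.25 ms, and the fourth, arriving after a long idle gap, goes straight through under both.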
  • Page 385
    Follow these steps to redirect packets that are of a VLAN and match specific ACL rules:
    Enter system view
      Command: system-view
      Remarks: —
    Configure traffic redirecting
      Command: traffic-redirect vlan vlan-id inbound acl-rule interface interface-type interface-number
      Remarks: Required
    Follow these steps to redirect packets that are of a port group and match specific ACL rules: To do…...
  • Page 386: Configuring Vlan Mapping

    [device-acl-basic-2000] quit
    [device] interface GigabitEthernet1/0/1
    [device-GigabitEthernet1/0/1] traffic-redirect inbound ip-group 2000 interface GigabitEthernet1/0/7
    Method II
    <device> system-view
    [device] acl number 2000
    [device-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255
    [device-acl-basic-2000] quit
    [device] traffic-redirect vlan 2 inbound ip-group 2000 interface GigabitEthernet1/0/7
    Configuring VLAN Mapping
    Refer to VLAN Mapping for information about VLAN mapping.
  • Page 387
    Configuration prerequisites
    The algorithm for queue scheduling to be used and the related parameters are determined.
    Configuration procedure
    Follow these steps to configure the SP queue scheduling algorithm:
    Enter system view
      Command: system-view
      Remarks: —
    Configure SP queue scheduling algorithm
      Command: undo queue-scheduler [ queue-id ]
      Remarks: Optional. By default, SP queue scheduling...
  • Page 388: Collecting/Clearing Traffic Statistics

    Configuration example
    # Configure a device to adopt the SP+SDWRR combination for queue scheduling: assign queue 3, queue 4, and queue 5 to WRR scheduling group 1 with weights 20, 20, and 30; assign queue 0, queue 1, and queue 2 to WRR scheduling group 2 with weights 20, 20, and 40; use SP for scheduling queue 6 and queue 7.
  • Page 389
    Collect the statistics on the packets matching specific ACL rules
      Command: traffic-statistic vlan vlan-id inbound acl-rule
      Remarks: Required
    Clear the statistics on the packets matching specific ACL rules
      Command: reset traffic-statistic vlan vlan-id inbound acl-rule
      Remarks: Optional
    Follow these steps to collect traffic statistics on packets that are of a port group and match specific ACL rules: To do…...
  • Page 390: Enabling The Burst Function

    [device] acl number 2000
    [device-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255
    [device-acl-basic-2000] quit
    [device] interface GigabitEthernet1/0/1
    [device-GigabitEthernet1/0/1] traffic-statistic inbound ip-group 2000
    [device-GigabitEthernet1/0/1] reset traffic-statistic inbound ip-group 2000
    Method II
    <device> system-view
    [device] acl number 2000
    [device-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255
    [device-acl-basic-2000] quit
    [device] traffic-statistic vlan 2 inbound ip-group 2000
    [device] reset traffic-statistic vlan 2 inbound ip-group 2000...
  • Page 391 Configuration procedure You can configure traffic mirroring on all the packets matching specific ACL rules, or on packets that match specific ACL rules and are of a VLAN, of a port group, or pass a port. Follow these steps to configure traffic mirroring globally: To do…...
  • Page 392
    Follow these steps to configure traffic mirroring for a port:
    Enter system view
      Command: system-view
      Remarks: —
    Enter Ethernet port view of the destination port
      Command: interface interface-type interface-number
      Remarks: —
    Define the current port as the destination port
      Command: monitor-port
      Remarks: Required
    Exit current view...
  • Page 393: Displaying And Maintaining Qos

    [device] mirrored-to vlan 2 inbound ip-group 2000 monitor-interface
    Displaying and Maintaining QoS
    Display the protocol packet priority configuration
      Command: display protocol-priority
    Display the COS-precedence-to-drop-precedence mapping relationship
      Command: display qos cos-drop-precedence-map
    Display the COS-precedence-to-DSCP-precedence mapping relationship
      Command: display qos cos-dscp-map
    Display the ...
      Command: display qos...
  • Page 394: Qos Configuration Example

    Display the VLAN mapping configuration of a port or all the ports
      Command: display qos-interface { interface-type interface-number | unit-id } traffic-remark-vlanid
    Display the traffic mirroring configuration of a port or all the ports
      Command: display qos-interface { interface-type interface-number | unit-id } mirrored-to
    Display the configuration of traffic ...
      Command: display qos-global { all | ...
  • Page 395
    # Create ACL 2000 and enter basic ACL view to classify packets sourced from the 192.168.1.0/24 network segment.
    <device> system-view
    [device] acl number 2000
    [device-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255
    [device-acl-basic-2000] quit
    # Create ACL 2001 and enter basic ACL view to classify packets sourced from the 192.168.2.0/24 network segment.
  • Page 396: Qos Profile Configuration

    QoS Profile Configuration Overview Introduction to QoS Profile QoS profile is a set of QoS configurations. It provides an easy way for performing and managing QoS configuration. A QoS profile can contain one or multiple QoS functions. In networks where hosts change their positions frequently, you can define QoS policies for the hosts and add the QoS policies to a QoS profile.
  • Page 397: Qos Profile Configuration

    QoS Profile Configuration
    QoS Profile Configuration Task List
    Complete the following tasks to configure a QoS profile:
    Configuring a QoS Profile (Required)
    Applying a QoS Profile (Optional)
    Applying a QoS Profile (Optional)
    Configuring a QoS Profile
    Configuration prerequisites
    The ACL rules used for traffic classification are defined.
  • Page 398: Displaying And Maintaining Qos Profile

    Configuration procedure
    Follow these steps to configure to apply a QoS profile dynamically:
    Enter system view
      Command: system-view
      Remarks: —
    Enter Ethernet port view
      Command: interface interface-type interface-number
      Remarks: —
    Configure the mode to apply a QoS profile as port-based
      Command: qos-profile port-based
      Remarks: Optional. By default, the mode to apply a QoS profile is user-based.
  • Page 399: Configuration Example

    Configuration Example QoS Profile Configuration Example Network requirements As shown in Figure 2-1, the user name is “someone” and the authentication password is “hello”. The user is connected to GigabitEth

ernet 1/0/1 of the switch and belongs to the test.net domain. It is required to configure a QoS profile that limits the rate of all the outbound IP packets of the user to 128 kbps and drops the packets exceeding that rate.
  • Page 400
    # Create the user domain test.net and specify radius1 as your RADIUS server group.
    [device] domain test.net
    [device-isp-test.net] radius-scheme radius1
    [device-isp-test.net] quit
    # Create ACL 3000 to permit IP packets destined for any IP address.
    [device] acl number 3000
    [device-acl-adv-3000] rule 1 permit ip destination any
    [device-acl-adv-3000] quit
    # Define a QoS profile named “example”...
  • Page 401 Table of Contents
    1 Mirroring Configuration 1-1
      Mirroring Overview 1-1
        Local Port Mirroring 1-2
        Remote Port Mirroring 1-2
        MAC-Based Mirroring 1-3
        VLAN-Based Mirroring 1-3
      Mirroring Configuration 1-4
        Configuring Local Port Mirroring 1-4
        Configuring Remote Port Mirroring 1-5
        Configuring MAC-Based Mirroring 1-7
        Configuring VLAN-Based Mirroring 1-8
        Displaying and Maintaining Port Mirroring 1-9
      Mirroring Configuration Example 1-9
        Local Port Mirroring Configuration Example 1-9...
  • Page 402: Mirroring Configuration

    The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. The sample output information in this manual was created on the WX3024. The output information on your device may vary.
  • Page 403: Local Port Mirroring

    VLAN-based mirroring: a device copies packets of a specified VLAN to the destination port. Local Port Mirroring In local port mirroring, packets passing through one or more source ports of a device are copied to the destination port on the same device for packet analysis and monitoring. In this case, the source ports and the destination port must be located on the same device.
  • Page 404: Mac-Based Mirroring

    Table 1-1 Ports involved in the mirroring operation
    Source switch
      Source port: the port monitored. It copies packets to the reflector port through local port mirroring. There can be more than one source port.
      Reflector port: receives packets from the source port and broadcasts the packets in the remote-probe VLAN.
  • Page 405: Configuring Local Port Mirroring

    Mirroring Configuration
    Complete the following tasks to configure mirroring:
    Configuring Local Port Mirroring (Optional)
    Configuring Remote Port Mirroring (Optional)
    Configuring MAC-Based Mirroring (Optional)
    Configuring VLAN-Based Mirroring (Optional)
    Configuring Local Port Mirroring
    Configuration prerequisites
    The source port is determined, and the direction in which the packets are to be mirrored is determined.
  • Page 406: Configuring Remote Port Mirroring

    Configuring Remote Port Mirroring The device can serve as a source switch, an intermediate switch, or a destination switch in a remote port mirroring networking environment. Configuration on the device acting as a source switch Configuration prerequisites The source port, the reflector port, and the remote-probe VLAN are determined. Layer 2 connectivity is ensured between the source and destination switches over the remote-probe VLAN.
  • Page 407 When configuring the source switch, note that: All ports of a remote source mirroring group are on the same device. Each remote source mirroring group can be configured with only one reflector port. The reflector port cannot be a member port of an existing mirroring group, a member port of an aggregation group, or a port enabled with LACP or STP.
  • Page 408: Configuring Mac-Based Mirroring

    Follow these steps to configure remote port mirroring on the destination switch:
    To do… / Use the command… / Remarks
    Enter system view: system-view. Remarks: —
    Create a VLAN and enter VLAN view: vlan vlan-id. Remarks: vlan-id is the ID of the remote-probe VLAN.
    Configure the current VLAN as the remote-probe VLAN: remote-probe vlan enable. Remarks: Required...
  • Page 409: Configuring Vlan-Based Mirroring

    Configuration prerequisites
    The MAC address to be matched is determined. The destination port is determined.
    Configuration procedure
    Follow these steps to configure MAC-based mirroring:
    To do… / Use the command… / Remarks
    Enter system view: system-view. Remarks: —
    Create a local or remote source mirroring group: mirroring-group group-id ... Remarks: Required...
  • Page 410: Displaying And Maintaining Port Mirroring

    Configuration procedure
    Follow these steps to configure VLAN-based mirroring:
    To do… / Use the command… / Remarks
    Enter system view: system-view. Remarks: —
    Create a local or remote source mirroring group: mirroring-group group-id { local | remote-source }. Remarks: Required
    Configuring VLAN-Based Mirroring: mirroring-group group-id mirroring-vlan vlan-id. Remarks: Required...
  • Page 411: Remote Port Mirroring Configuration Example

    Remote Port Mirroring Configuration Example Network requirements The departments of a company connect to each other through switches, as shown in Figure 1-4: Switch A, Switch B, and Switch C are WX3000 series devices. 1-10...
  • Page 412 Department 1 is connected to GigabitEthernet 1/0/1 of Switch A. Department 2 is connected to GigabitEthernet 1/0/2 of Switch A. GigabitEthernet 1/0/3 of Switch A connects to GigabitEthernet 1/0/1 of Switch B. GigabitEthernet 1/0/2 of Switch B connects to GigabitEthernet 1/0/1 of Switch C. The data detection device is connected to GigabitEthernet 1/0/2 of Switch C.
  • Page 413
    [device] mirroring-group 1 mirroring-port GigabitEthernet 1/0/1 GigabitEthernet 1/0/2 inbound
    [device] mirroring-group 1 reflector-port GigabitEthernet 1/0/4
    [device] mirroring-group 1 remote-probe vlan 10
    # Configure GigabitEthernet 1/0/3 as a trunk port, allowing packets of VLAN 10 to pass.
    [device] interface GigabitEthernet 1/0/3
    [device-GigabitEthernet1/0/3] port link-type trunk
    [device-GigabitEthernet1/0/3] port trunk permit vlan 10
    [device-GigabitEthernet1/0/3] quit
    # Display configuration information about remote source mirroring group 1.
  • Page 414
    # Configure the destination port and remote-probe VLAN for the remote destination mirroring group.
    [device] mirroring-group 1 monitor-port GigabitEthernet 1/0/2
    [device] mirroring-group 1 remote-probe vlan 10
    # Configure GigabitEthernet 1/0/1 as the trunk port, allowing packets of VLAN 10 to pass.
    [device] interface GigabitEthernet 1/0/1
    [device-GigabitEthernet1/0/1] port link-type trunk
    [device-GigabitEthernet1/0/1] port trunk permit vlan 10...
  • Page 415 Table of Contents
    1 ARP Configuration (1-1)
      Introduction to ARP (1-1)
        ARP Function (1-1)
        ARP Message Format (1-1)
        ARP Table (1-3)
        ARP Process (1-3)
        Introduction to ARP Attack Detection (1-4)
        Introduction to Gratuitous ARP (1-5)
      Configuring ARP (1-5)
        Configuring ARP Basic Functions (1-5)
        Configuring ARP Attack Detection (1-6)
      Configuring Gratuitous ARP (1-7)
      Displaying and Maintaining ARP (1-8)...
  • Page 416: Arp Configuration

    ARP Configuration The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of the WX3000 series. The sample output information in this manual was created on the WX3024. The output information on your device may vary.
  • Page 417 Figure 1-1 ARP message format (figure; fields shown: Hardware type (16 bits), Protocol type (16 bits), Length of hardware address, Length of protocol address, Operator (16 bits), Hardware address of the sender...)
  • Page 418: Arp Table

    Value / Description (table continued; values truncated in this excerpt): Chaos; IEEE802.X; ARC network
    ARP Table
    In an Ethernet, the MAC addresses of two hosts must be available for the two hosts to communicate with each other. Each host in an Ethernet maintains an ARP table, where the latest used IP address-to-MAC address mapping entries are stored.
  • Page 419: Introduction To Arp Attack Detection

    mode, all hosts on this subnet can receive the request, but only the requested host (namely, Host B) will process the request. Host B compares its own IP address with the destination IP address in the ARP request. If they are the same, Host B saves the source IP address and source MAC address into its ARP mapping table, encapsulates its MAC address into an ARP reply, and unicasts the reply to Host A.
  • Page 420: Introduction To Gratuitous Arp

    After you enable the ARP attack detection function, the device will check the following items of an ARP packet: the source MAC address, the source IP address, the number of the port receiving the ARP packet, and the ID of the VLAN the port resides in. If these items match the entries of the DHCP snooping table or the manually configured IP binding table, the device will forward the ARP packet;...
  • Page 421: Configuring Arp Attack Detection

    To do… / Use the command… / Remarks
    Enable the ARP entry checking function (that is, disable the device from learning ARP entries with multicast MAC addresses): arp check enable. Remarks: Optional. By default, the ARP entry checking function is enabled.
    Static ARP entries are valid as long as the device operates normally. But some operations, such as removing a VLAN or removing a port from a VLAN, will make the corresponding ARP entries invalid, and they are therefore removed automatically.
  • Page 422: Configuring Gratuitous Arp

    To do… / Use the command… / Remarks
    Quit to system view: quit. Remarks: —
    Enter VLAN view: vlan vlan-id. Remarks: —
    Enable ARP restricted forwarding: arp restricted-forwarding enable. Remarks: Optional. By default, the ARP restricted forwarding function is disabled. The device forwards legal ARP packets through all its ports.
  • Page 423: Displaying And Maintaining Arp

    Displaying and Maintaining ARP
    To do… / Use the command… / Remarks
    Display specific ARP mapping table entries: display arp [ static | dynamic | ip-address ]
    Display the ARP mapping entries related to a specified string in a specified way: display arp [ dynamic | static ] | { begin | include | exclude } text
    display arp count [ [ dynamic |...
  • Page 424 Figure 1-4 ARP attack detection configuration (figure; DHCP Server on GE1/0/1 of Switch A, which runs DHCP Snooping; Client A and Client B on GE1/0/2 and GE1/0/3)
    Configuration procedure
    # Enable DHCP snooping on Switch A.
    <SwitchA> system-view
    [SwitchA] dhcp-snooping
    # Specify GigabitEthernet 1/0/1 as the DHCP snooping trusted port and the ARP trusted port.
    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] dhcp-snooping trust
    [SwitchA-GigabitEthernet1/0/1] arp detection trust...
  • Page 425 Table of Contents
    1 SNMP Configuration (1-1)
      SNMP Overview (1-1)
        SNMP Operation Mechanism (1-1)
        SNMP Versions (1-1)
        Supported MIBs (1-2)
      Configuring Basic SNMP Functions (1-3)
      Configuring Trap Parameters (1-5)
        Configuring Basic Trap (1-5)
        Configuring Extended Trap (1-6)
      Enabling Logging for Network Management (1-7)
      Displaying and Maintaining SNMP (1-7)
      SNMP Configuration Examples (1-7)
        SNMP Configuration Examples (1-7)
    2 RMON Configuration (2-1)...
  • Page 426: Snmp Configuration

    SNMP Configuration The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of a WX3000 series. The sample output information in this manual was created on the WX3024. The output information on your device may vary.
  • Page 427: Supported Mibs

    SNMP NMS and SNMP agent. A community name functions as a password: it limits the accesses an SNMP NMS can make to an SNMP agent. You can perform the following community name-related configuration: specify the MIB view that a community can access, and set the permission for a community to access an MIB object to read-only or read-write. Communities with read-only permission can only query the device information, while those with read-write permission can configure the device as well.
  • Page 428: Configuring Basic Snmp Functions

    Set system information, and specify to enable SNMPv1 or SNMPv2c on the device: snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | ... Remarks: By default, the contact information for system maintenance is "3Com Corporation.", the system location is "Marlborough,...
  • Page 429 Set system information and specify to enable SNMPv3 on the device: snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | all } }. Remarks: By default, the contact information for system maintenance is "3Com Corporation", the system location is "Marlborough, MA...
  • Page 430: Configuring Trap Parameters

    To do… / Use the command… / Remarks
    Set an SNMP group: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]. Remarks: Required
    Encrypt a plain-text password to generate a cipher-text one: snmp-agent calculate-password plain-password mode { md5 | ... Remarks: Optional. This command is used if...
  • Page 431: Configuring Extended Trap

    To do… / Use the command… / Remarks
    Enter system view: system-view. Remarks: —
    Enable the device to send Trap messages to NMS: snmp-agent trap enable [ configuration | flash | standard [ authentication | coldstart | linkdown | linkup | warmstart ]* | system ]
    Enter port view: interface interface-type interface-number. Remarks: Optional...
  • Page 432: Enabling Logging For Network Management

    Enabling Logging for Network Management
    Follow these steps to enable logging for network management:
    To do… / Use the command… / Remarks
    Enter system view: system-view. Remarks: —
    Enable logging for network management: snmp-agent log { set-operation | get-operation | all }. Remarks: Optional. Disabled by default.
  • Page 433 Perform the following configuration on Switch A: set the community name and access permission, the administrator ID, and the contact and location of Switch A, and enable the device to send trap messages. The NMS is then able to access Switch A and receive the trap messages sent by Switch A.
    Figure 1-2 Network diagram for SNMP configuration (figure; addresses shown: 10.10.10.2 and 10.10.10.1)...
  • Page 434
    [device] snmp-agent trap enable standard linkdown
    [device] snmp-agent target-host trap address udp-domain 10.10.10.1 udp-port 5000 params securityname public
    Configuring the NMS
    The device supports the iMC NMS. SNMPv3 adopts user name and password authentication. When you use the iMC, you need to set user names and choose the security level. For each security level, you need to set the authorization mode, authorization password, encryption mode, encryption password, and so on.
  • Page 435: Rmon Configuration

    RMON Configuration Introduction to RMON Remote monitoring (RMON) is a kind of management information base (MIB) defined by Internet Engineering Task Force (IETF). It is an important enhancement made to MIB II standards. RMON is mainly used to monitor the data traffic across a network segment or even the entire network, and is currently a commonly used network management standard.
  • Page 436: Commonly Used Rmon Groups

    Commonly Used RMON Groups Event group Event group is used to define the indexes of events and the processing methods of the events. The events defined in an event group are mainly used by entries in the alarm group and extended alarm group to trigger alarms.
  • Page 437 The statistics include the number of the following items: collisions, packets with cyclic redundancy check (CRC) errors, undersize (or oversize) packets, broadcast packets, multicast packets, and received bytes and packets. With the RMON statistics management function, you can monitor the use of a port and collect statistics on the errors that occur while the ports are in use.
  • Page 438: Displaying And Maintaining Rmon

    Displaying and Maintaining RMON
    To do… / Use the command… / Remarks
    Display RMON statistics: display rmon statistics [ interface-type interface-number | unit unit-number ]
    Display RMON history information: display rmon history [ interface-type interface-number | unit unit-number ]
    Display RMON alarm information: display rmon alarm [ entry-number ]. Remarks: Available in any view...
  • Page 439
    [device] rmon prialarm 2 (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.1) test 10 changeratio rising_threshold 50 1 falling_threshold 5 2 entrytype forever owner user1
    # Display the RMON extended alarm entry numbered 2.
    [device] display rmon prialarm 2
    Prialarm table 2 owned by user1 is VALID.
    Samples type : changeratio
    Variable formula : (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.1)
  • Page 440 Table of Contents
    1 Multicast Overview (1-1)
      Multicast Overview (1-1)
        Information Transmission in the Unicast Mode (1-1)
        Information Transmission in the Broadcast Mode (1-2)
        Information Transmission in the Multicast Mode (1-3)
        Roles in Multicast (1-4)
        Advantages and Applications of Multicast (1-5)
      Multicast Models (1-5)
      Multicast Architecture (1-6)
        Multicast Protocols (1-9)
      Multicast Packet Forwarding Mechanism (1-11)...
  • Page 441: Information Transmission In The Unicast Mode

    The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of the WX3000 series devices. The sample output information in this manual was created on the WX3024. The output information on your device may vary.
  • Page 442: Information Transmission In The Broadcast Mode

    Figure 1-1 Information transmission in the unicast mode (figure; Source Server and Hosts A to E, with Hosts B, D and E as Receivers; separate packet streams labelled "Packets for Host B", "Packets for Host D" and "Packets for Host E")
    Assume that Hosts B, D and E need this information. The source server establishes transmission channels for the devices of these users respectively.
  • Page 443: Information Transmission In The Multicast Mode

    Figure 1-2 Information transmission in the broadcast mode (figure; Source Server and Hosts A to E, with Hosts B, D and E as Receivers; a single stream labelled "Packets for all the network")
    Assume that Hosts B, D, and E need the information. The source server broadcasts this information through routers, and Hosts A and C on the network also receive this information.
  • Page 444: Roles In Multicast

    Figure 1-3 Information transmission in the multicast mode (figure; Source Server and Hosts A to E, with Hosts B, D and E as Receivers; a single stream labelled "Packets for the multicast group")
    Assume that Hosts B, D and E need the information. To transmit the information to the right users, it is necessary to group Hosts B, D and E into a receiver set.
  • Page 445: Multicast Models

    Table 1-1 An analogy between TV transmission and multicast transmission
    Step / TV transmission / Multicast transmission
    TV transmission: A TV station transmits a TV program through a television channel. Multicast transmission: A multicast source sends multicast data to a multicast group.
    TV transmission: A user tunes the TV set to the channel. Multicast transmission: A receiver joins the multicast group.
  • Page 446: Multicast Architecture

    ASM model
    In the ASM model, any sender can become a multicast source and send information to a multicast group; any number of receivers can join a multicast group identified by a group address and obtain the multicast information addressed to that group. In this model, receivers are not aware of the position of a multicast source in advance.
  • Page 447 As receivers are multiple hosts in a multicast group, you should be concerned about the following questions: What destination should the information source send the information to in the multicast mode? How to select the destination address? These questions are about multicast addressing. To enable the communication between the information source and members of a multicast group (a group of information receivers), network-layer multicast addresses, namely, IP multicast addresses must be provided.
  • Page 448 Class D address range / Description
    239.0.0.0 to 239.255.255.255: Administratively scoped multicast addresses, which are for specific local use only.
    As specified by IANA, the IP addresses ranging from 224.0.0.0 to 224.0.0.255 are reserved for network protocols on local networks. The following table lists commonly used reserved IP multicast addresses:
    Table 1-3 Reserved IP multicast addresses
    Class D address range / Description...
  • Page 449: Multicast Protocols

    multicast MAC address is used as the destination address because the destination is a group with an uncertain number of members. As stipulated by IANA, the high-order 24 bits of a multicast MAC address are 0x01005e, while the low-order 23 bits of a MAC address are the low-order 23 bits of the multicast IP address. Figure 1-4 describes the mapping relationship: Figure 1-4 Multicast address mapping...
  • Page 450 Figure 1-5 Positions of Layer 3 multicast protocols (figure; AS 1 and AS 2 with a Source and several Receivers, IGMP at the host edge and MSDP between the ASs)
    Multicast management protocols
    Typically, the Internet Group Management Protocol (IGMP) is used between hosts and Layer 3 multicast devices directly connected with the hosts. These protocols define the mechanism of establishing and maintaining group memberships between hosts and Layer 3 multicast devices.
  • Page 451: Multicast Packet Forwarding Mechanism

    Figure 1-6 Positions of Layer 2 multicast protocols (figure; a Source, Layer 2 devices running IGMP Snooping, Receivers, and the multicast packet flow)
    IGMP Snooping
    Running on Layer 2 devices, Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that manages and controls multicast groups by listening to and analyzing IGMP messages exchanged between the hosts and Layer 3 multicast devices, thus effectively controlling the flooding of multicast data in a Layer 2 network.
  • Page 452: Rpf Check

    If the corresponding (S, G) entry exists, but the interface on which the packet actually arrived is not the incoming interface in the multicast forwarding table, the multicast packet is subject to an RPF check. If the result of the RPF check shows that the RPF interface is the incoming interface of the existing (S, G) entry, this means that the (S, G) entry is correct but the packet arrived from a wrong path and is to be discarded.
  • Page 453 A multicast packet from Source arrives at VLAN-interface 1 of Switch C, and the corresponding forwarding entry does not exist in the multicast forwarding table of Switch C. Switch C performs an RPF check, and finds in its unicast routing table that the outgoing interface to 192.168.0.0/24 is VLAN-interface 2.
  • Page 454: Igmp Snooping Configuration

    IGMP Snooping Configuration IGMP Snooping Overview Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups. Principle of IGMP Snooping By analyzing received IGMP messages, a Layer 2 device running IGMP Snooping establishes mappings between ports and multicast MAC addresses and forwards multicast data based on these mappings.
  • Page 455: Work Mechanism Of Igmp Snooping

    Figure 2-2 IGMP Snooping related ports (figure; Source behind Router A; Switch A with ports Eth1/0/1, Eth1/0/2 and Eth1/0/3 serving Host A and Host B as Receivers; Switch B with ports Eth1/0/1 and Eth1/0/2 serving Host C and Host D; legend: Router port, Member port, Multicast packets)
    Ports involved in IGMP Snooping, as shown in Figure 2-2, are described as follows:
    Router port: A router port is a port on the Layer 3 multicast device (DR or IGMP querier) side of the...
  • Page 456 When receiving a general query The IGMP querier periodically sends IGMP general queries to all hosts and routers on the local subnet to find out whether active multicast group members exist on the subnet. Upon receiving an IGMP general query, the device forwards it through all ports in the VLAN except the receiving port and performs the following to the receiving port: If the receiving port is a router port existing in its router port list, the device resets the aging timer of this router port.
  • Page 457: Igmp Snooping Configuration

    immediately delete the forwarding entry corresponding to that port from the forwarding table; instead, it resets the aging timer of the member port. Upon receiving the IGMP leave message from a host, the IGMP querier resolves from the message the address of the multicast group that the host just left and sends an IGMP group-specific query to that multicast group through the port that received the leave message.
  • Page 458: Enabling Igmp Snooping

    Operation / Remarks
    Configuring a VLAN Tag for Query Messages: Optional
    Configuring Multicast VLAN: Optional
    Enabling IGMP Snooping
    Follow these steps to enable IGMP Snooping:
    To do… / Use the command… / Remarks
    Enter system view: system-view. Remarks: —
    Enable IGMP Snooping globally: igmp-snooping enable. Remarks: Required. By default, IGMP Snooping is globally disabled.
  • Page 459: Configuring Timers

    Before configuring related IGMP Snooping functions, you must enable IGMP Snooping in the specified VLAN. Different multicast group addresses should be configured for different multicast sources because IGMPv3 Snooping cannot distinguish multicast data from different sources to the same multicast group.
  • Page 460: Configuring A Multicast Group Filter

    Enabling fast leave processing in Ethernet port view
    Follow these steps to enable fast leave processing in Ethernet port view:
    To do… / Use the command… / Remarks
    Enter system view: system-view. Remarks: —
    Enter Ethernet port view: interface interface-type interface-number. Remarks: —
    Enable fast leave processing for specific VLANs: igmp-snooping fast-leave ... Remarks: Required. By default, the fast leave...
  • Page 461: Configuring The Maximum Number Of Multicast Groups On A Port

    Configuring a multicast group filter in system view
    Follow these steps to configure a multicast group filter in system view:
    To do… / Use the command… / Remarks
    Enter system view: system-view. Remarks: —
    Configure a multicast group filter: igmp-snooping group-policy acl-number [ vlan vlan-list ]. Remarks: Required. No group filter is configured by default, namely hosts can join...
  • Page 462: Configuring Igmp Querier

    Follow these steps to configure the maximum number of multicast groups on a port:
    To do… / Use the command… / Remarks
    Enter system view: system-view. Remarks: —
    Enter Ethernet port view: interface interface-type interface-number. Remarks: —
    Limit the number of multicast groups on a port: igmp-snooping group-limit limit [ vlan vlan-list [ overflow-replace ] ]. Remarks: Required. The system default for...
  • Page 463: Suppressing Flooding Of Unknown Multicast Traffic In A Vlan

    To do… / Use the command… / Remarks
    Enable IGMP Snooping querier: igmp-snooping querier. Remarks: Required. By default, IGMP Snooping querier is disabled.
    Configure the interval of sending general queries: igmp-snooping query-interval seconds. Remarks: Optional. By default, the interval of sending general queries is 60 seconds.
  • Page 464: Configuring A Static Router Port

    In Ethernet port view
    Follow these steps to configure a static multicast group member port in Ethernet port view:
    To do… / Use the command… / Remarks
    Enter system view: system-view. Remarks: —
    Enter Ethernet port view: interface interface-type interface-number. Remarks: —
    Configure the current port as a static member port for a ...: multicast static-group ... Remarks: Required. By default, no port is configured...
  • Page 465: Configuring A Port As A Simulated Group Member

    In VLAN view
    Follow these steps to configure a static router port in VLAN view:
    To do… / Use the command… / Remarks
    Enter system view: system-view. Remarks: —
    Enter VLAN view: vlan vlan-id. Remarks: —
    Configure a specified port as a static router port: multicast static-router-port interface-type interface-number. Remarks: Required. By default, no static router port...
  • Page 466: Qos-Qos Profile

    Before configuring a simulated host, enable IGMP Snooping in VLAN view first. The port to be configured must belong to the specified VLAN; otherwise the configuration does not take effect. You can use the source-ip source-address command to specify a multicast source address that the port will join as a simulated host.
  • Page 467 To do… / Use the command… / Remarks
    Enter VLAN interface view: interface Vlan-interface vlan-id. Remarks: —
    Enable IGMP: igmp enable. Remarks: Required. By default, the IGMP feature is disabled.
    Return to system view: quit. Remarks: —
    Enter Ethernet port view for the ...: interface interface-type ... Remarks: —...
  • Page 468: Displaying And Maintaining Igmp Snooping

    One port can belong to only one multicast VLAN. The port connected to a user terminal must be a hybrid port. The multicast member ports must be in the same VLAN with the router port. Otherwise, the multicast member port cannot receive multicast packets. If a router port is in a multicast VLAN, the router port must be configured as a trunk port or a hybrid port that allows tagged packets to pass for the multicast VLAN.
  • Page 469 Figure 2-3 Network diagram for IGMP Snooping configuration (figure; Source, Router A acting as IGMP querier, Switch A, and Host A, Host B and Host C as Receivers in VLAN100; ports GE1/0/1 to GE1/0/4; addresses shown: 10.1.1.1/24, 1.1.1.1/24, 1.1.1.2/24; legend: Multicast packets)
    Configuration procedure
    Configure the IP address of each interface
    Configure an IP address and subnet mask for each interface as per...
  • Page 470
    Total 1 IP Group(s).
    Total 1 MAC Group(s).
    Vlan(id):100.
    Total 1 IP Group(s).
    Total 1 MAC Group(s).
    Static Router port(s):
    Dynamic Router port(s): GigabitEthernet1/0/1
    IP group(s):the following ip group(s) match to one mac group.
    IP group address: 224.1.1.1
    Static host port(s):
    Dynamic host port(s): GigabitEthernet1/0/3 GigabitEthernet1/0/4...
  • Page 471 Configure a multicast VLAN, so that users in VLAN 2 and VLAN 3 can receive multicast streams through the multicast VLAN.
    Figure 2-4 Network diagram for multicast VLAN configuration (figure; WorkStation, SwitchA with Vlan-int 10 and Vlan-int20, SwitchB with Vlan10, HostA; ports GE1/0/10 and GE1/0/1; addresses shown: 168.10.2.1, 168.10.1.1)...
  • Page 472: Troubleshooting Igmp Snooping

    # Configure VLAN 10 as the multicast VLAN and enable IGMP Snooping on it.
    [SwitchB] vlan 10
    [SwitchB-vlan10] service-type multicast
    [SwitchB-vlan10] igmp-snooping enable
    [SwitchB-vlan10] quit
    # Define GigabitEthernet 1/0/10 as a hybrid port, add the port to VLAN 2, VLAN 3, and VLAN 10, and configure the port to forward tagged packets for VLAN 2, VLAN 3, and VLAN 10.
  • Page 473: Common Multicast Configuration

    Common Multicast Configuration Common Multicast Configuration Configuring a Multicast MAC Address Entry In Layer 2 multicast, the system can add multicast forwarding entries dynamically through a Layer 2 multicast protocol. Alternatively, you can statically bind a port to a multicast MAC address entry by configuring a multicast MAC address entry manually.
  • Page 474: Configuring Dropping Unknown Multicast Packets

    Configuring Dropping Unknown Multicast Packets Generally, if the multicast address of the multicast packet received on the device is not registered on the local device, the packet will be flooded in the VLAN. When the function of dropping unknown multicast packets is enabled, the device will drop any multicast packets whose multicast address is not registered.
  • Page 475 Table of Contents: 1 NTP Configuration (1-1); Introduction to NTP (1-1); Applications of NTP (1-1); Implementation Principle of NTP (1-2); NTP Implementation Modes (1-3); NTP Configuration Task List (1-6); Configuring NTP Implementation Modes (1-6); Configuring NTP Server/Client Mode (1-6); Configuring the NTP Symmetric Peer Mode (1-7); Configuring NTP Broadcast Mode (1-8); Configuring NTP Multicast Mode (1-9); Configuring Access Control Right (1-10)...
  • Page 476: Ntp Configuration

    NTP Configuration Examples The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of a WX3000 series. The sample output information in this manual was created on the WX3024. The output information on your device may vary.
  • Page 477: Implementation Principle Of Ntp

    In network management, the analysis of log and debugging information collected from different devices is meaningful and valid only when the network devices that generate the information use the same time. A billing system requires the clocks of all network devices to be consistent. Some functions, such as restarting all network devices in a network simultaneously, require that they adopt the same time.
  • Page 478: Ntp Implementation Modes

    Figure 1-1 Implementation principle of NTP (figure: Device A sends an NTP message across the IP network stamped with its local time, 10:00:00 am; Device B receives it when its own clock reads 11:00:01 am and replies at 11:00:02 am; the reply reaches Device A when Device A's clock reads 10:00:03 am)...
  • Page 479 Server/client mode. Figure 1-2 Server/client mode (figure: the client sends a clock synchronization request; the server works in server mode automatically and sends a response packet; the client filters and selects a clock and synchronizes its local clock to that of the preferred server). Symmetric peer mode. Figure 1-3 Symmetric peer mode (figure labels: active peer, passive peer...)
  • Page 480 Multicast mode. Figure 1-5 Multicast mode (figure: the server sends multicast clock synchronization packets periodically; after receiving the first multicast packet, the client initiates a client/server mode request; the server works in server mode automatically and sends responses; the client obtains the delay between client and server and works in...)
  • Page 481: Ntp Configuration Task List

    NTP Configuration Task List. Complete the following tasks to configure NTP: Configuring NTP Implementation Modes (Required); Configuring Access Control Right (Optional); Configuring NTP Authentication (Optional); Configuring Optional NTP Parameters (Optional); Displaying and Maintaining NTP Configuration (Optional). Configuring NTP Implementation Modes: The device can work in one of the following NTP modes: Configuring NTP Server/Client Mode; Configuring the NTP Symmetric Peer Mode...
  • Page 482: Configuring The Ntp Symmetric Peer Mode

    Enter system view: system-view. Configure an NTP client (Required; by default, the device is not configured to work in NTP client mode): ntp-service unicast-server { remote-ip | server-name } [ authentication-keyid key-id | priority | source-interface Vlan-interface vlan-id | version...
  • Page 483: Configuring Ntp Broadcast Mode

    In the symmetric peer mode, you need to execute the related NTP configuration commands (refer to Configuring NTP Implementation Modes for details) to enable NTP on a symmetric-passive peer; otherwise, the symmetric-passive peer will not process NTP messages from the symmetric-active peer.
  • Page 484: Configuring Ntp Multicast Mode

    Configuring the device to work in the NTP broadcast client mode: Enter system view: system-view. Enter VLAN interface view: interface Vlan-interface vlan-id. Configure the device to work in the NTP broadcast client mode: ntp-service broadcast-client (Required; not configured by default).
  • Page 485: Configuring Access Control Right

    Configuring Access Control Right With the following command, you can configure the NTP service access-control right to the local device for a peer device. There are four access-control rights, as follows: query: Control query right. This level of right permits the peer device to perform control query to the NTP service on the local device but does not permit the peer device to synchronize its clock to the local device.
  • Page 486 synchronized only to that of the server that passes the authentication. This improves network security. Table 1-2 shows the roles of devices in the NTP authentication function. Table 1-2 Description on the roles of devices in NTP authentication function Role of device Working mode Client in the server/client mode Client in the broadcast mode...
  • Page 487 Configure the NTP authentication key: ntp-service authentication-keyid key-id authentication-mode md5 value (Required; by default, no NTP authentication key is configured). Configure the specified key as a trusted key: ntp-service reliable authentication-keyid key-id (Required; by default, no trusted key is configured).
  • Page 488: Configuring Optional Ntp Parameters

    In NTP broadcast server mode and NTP multicast server mode, you need to associate the specified key with the corresponding broadcast/multicast client. Configure on the NTP broadcast server: ntp-service broadcast-server authentication-keyid key-id, which associates the specified key with the corresponding broadcast client. You can associate an NTP broadcast/multicast client...
  • Page 489: Configuring The Number Of Dynamic Sessions Allowed On The Local Device

    As shown in Figure 1-6, the local clock of Device A is to be used as a master clock, with a stratum level of 2. Device A is used as the NTP server of Device B (a WX3000 series device). Configure Device B to work in client mode; Device A will then work in server mode automatically.
  • Page 490 Figure 1-6 Network diagram for the NTP server/client mode configuration (figure: Device A 1.0.1.11/24, Device B 1.0.1.12/24). Configuration procedure: Perform the following configurations on Device B.

    # View the NTP status of Device B before synchronization.
    <DeviceB> display ntp-service status
    Clock status: unsynchronized
    Clock stratum: 16
    Reference clock ID: none...
  • Page 491: Configuring Ntp Symmetric Peer Mode

    As shown in Figure 1-7, the local clock of Device A is set as the NTP master clock, with a clock stratum level of 2. Device C (a WX3000 series device) uses Device A as the NTP server, and Device A works in server mode automatically.
  • Page 492: Configuring Ntp Broadcast Mode

    2. Configure Device C to work in the NTP broadcast server mode and send NTP broadcast messages through Vlan-interface2. Device A and Device D are two WX3000 series devices. Configure Device A and Device D to work in the NTP broadcast client mode and listen to broadcast messages through their own Vlan-interface2.
  • Page 493 Configuration procedure

    Configure Device C.
    # Enter system view.
    <DeviceC> system-view
    # Set Device C as the broadcast server, which sends broadcast messages through Vlan-interface2.
    [DeviceC] interface Vlan-interface 2
    [DeviceC-Vlan-interface2] ntp-service broadcast-server
    Configure Device A (perform the same configuration on Device D).
    # Enter system view.
  • Page 494: Configuring Ntp Multicast Mode

    2. Configure Device C to work in the NTP multicast server mode and advertise multicast NTP messages through Vlan-interface2. Device A and Device D are two WX3000 series devices. Configure Device A and Device D to work in the NTP multicast client mode and listen to multicast messages through their own Vlan-interface2.
  • Page 495: Configuring Ntp Server/Client Mode With Authentication

    As shown in Figure 1-10, the local clock of Device A is set as the NTP master clock, with a clock stratum level of 2. Device B is a WX3000 series device and uses Device A as the NTP server. Device B is set to work in client mode, while Device A works in server mode automatically.
  • Page 496

    # Configure an MD5 authentication key, with the key ID 42 and the key aNiceKey.
    [DeviceB] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
    # Specify key 42 as a trusted key.
    [DeviceB] ntp-service reliable authentication-keyid 42
    # Use key 42 for the NTP server 1.0.1.11.
    [DeviceB] ntp-service unicast-server 1.0.1.11 authentication-keyid 42
    After the above configurations, Device B is ready to synchronize with Device A.
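    The following is an added example, not code from the 3Com manual and not the device's implementation: one NTP server/client exchange carried through in memory, with the MD5 symmetric-key authenticator that the key ID 42 / aNiceKey configuration above relies on, followed by the clock-offset and delay arithmetic that Figure 1-1 on page 478 illustrates. The authenticator layout (a 4-byte key ID followed by MD5 over the key concatenated with the packet) is the RFC 1305/5905 one; the timestamps are the Figure 1-1 labels; the reference ID, stratum and the in-memory "server" are constructed for the demo.

```python
"""
Added example (not from the 3Com manual): an authenticated NTP exchange and
the offset/delay computation. Key ID 42 / aNiceKey and the four timestamps
are the page's values; everything else is constructed.
"""
import hashlib
import hmac
import struct

# 48-byte header: LI/VN/Mode, stratum, poll, precision, root delay,
# root dispersion, reference ID, reference/origin/receive/transmit timestamps.
NTP_FMT = "!BBbbII4sQQQQ"
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01


def to_ntp_ts(seconds):
    """Seconds since the Unix epoch -> 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(seconds) + NTP_EPOCH_OFFSET
    frac = int((seconds - int(seconds)) * (1 << 32))
    return (whole << 32) | frac


def from_ntp_ts(ts):
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_packet(li_vn_mode, stratum, ref_id, orig, recv, xmit):
    """Unauthenticated 48-byte packet; poll, precision, root delay and
    root dispersion are left at zero."""
    return struct.pack(NTP_FMT, li_vn_mode, stratum, 0, 0, 0, 0, ref_id, 0, orig, recv, xmit)


def authenticate(packet, key_id, key):
    """Append the authenticator: key ID, then MD5 over key || packet."""
    return packet + struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def verify(message, keys, trusted):
    """Return the bare 48-byte packet if the MAC verifies under a key that is
    both configured and marked trusted, else None. A key that exists but was
    never declared with 'ntp-service reliable authentication-keyid' must not
    authenticate a peer; `trusted` models that distinction."""
    if len(message) != 48 + 4 + 16:
        return None
    packet, key_id, digest = message[:48], struct.unpack("!I", message[48:52])[0], message[52:]
    if key_id not in keys or key_id not in trusted:
        return None
    expected = hashlib.md5(keys[key_id] + packet).digest()
    if not hmac.compare_digest(expected, digest):
        return None
    return packet


def offset_and_delay(t1, t2, t3, t4):
    """Clock offset and round-trip delay from one exchange: t1 client send,
    t2 server receive, t3 server send, t4 client receive (all in seconds)."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


# Figure 1-1 clocks as seconds past midnight: Device A sends at 10:00:00, Device B
# receives at 11:00:01 and replies at 11:00:02, Device A receives at 10:00:03.
T1, T2, T3, T4 = 36000.0, 39601.0, 39602.0, 36003.0


def exchange(client_keys, client_trusted, server_key_id, server_key):
    """Run the client/server exchange in memory. Returns (offset, delay) in
    seconds, or None if the client rejects the server's reply."""
    request = build_packet(0x23, 0, b"\0\0\0\0", 0, 0, to_ntp_ts(T1))  # VN=4, mode 3 (client)
    req = struct.unpack(NTP_FMT, request)
    # Server: copy the client's transmit time into origin, stamp receive/transmit, authenticate.
    response = build_packet(0x24, 2, b"LOCL", req[10], to_ntp_ts(T2), to_ntp_ts(T3))  # mode 4 (server)
    wire = authenticate(response, server_key_id, server_key)
    # Client: check the MAC, then make sure the reply answers our own request.
    packet = verify(wire, client_keys, client_trusted)
    if packet is None:
        return None
    fields = struct.unpack(NTP_FMT, packet)
    if fields[8] != to_ntp_ts(T1):
        return None
    return offset_and_delay(from_ntp_ts(fields[8]), from_ntp_ts(fields[9]),
                            from_ntp_ts(fields[10]), T4)


if __name__ == "__main__":
    keys = {42: b"aNiceKey"}
    print(exchange(keys, {42}, 42, b"aNiceKey"))   # (3600.0, 2.0): A is one hour behind, 2 s RTT
    print(exchange(keys, set(), 42, b"aNiceKey"))  # None: key 42 configured but not trusted
```

    The second call is the point of the "trusted key" step on page 487: configuring a key is not enough, the device must also be told which key IDs may authenticate a peer. The offset of exactly one hour and the two-second delay are what Figure 1-1's clock values yield.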
  • Page 497 Table of Contents: 1 SSH Configuration (1-1); SSH Overview (1-1); Introduction to SSH (1-1); Algorithm and Key (1-1); Asymmetric Key Algorithm (1-2); SSH Operating Process (1-2); Configuring the SSH Server (1-4); SSH Server Configuration Tasks (1-5); Configuring the Protocol Support for the User Interface (1-5); Generating/Destroying an RSA or DSA Key Pair (1-6); Exporting the RSA or DSA Public Key (1-7); Creating an SSH User and Specifying an Authentication Type (1-7)...
  • Page 498: Ssh Configuration

    SSH Configuration The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of a WX3000 series. The sample output information in this manual was created on the WX3024. The output information...
  • Page 499: Asymmetric Key Algorithm

    Figure 1-1 Encryption and decryption Cipher text Cipher text Decryption Decryption Encryption Encryption Plain text Plain text Plain text Plain text Key-based algorithm is usually classified into symmetric key algorithm and asymmetric key algorithm. Asymmetric Key Algorithm Asymmetric key algorithm means that a key pair exists at both ends. The key pair consists of a private key and a public key.
  • Page 500 Version negotiation: The server opens port 22 to listen for connection requests from clients. The client sends a TCP connection request to the server. After the TCP connection is established, the server sends the first packet to the client, which includes a version identification string in the format “SSH-<primary protocol...
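    The following is an added example, not code from the 3Com manual: a parser for the version identification string described above and the decision a 2.0-only server such as this device makes on the client's string. The rules applied (banner lines before the version string are skipped, a line is at most 255 bytes, a client announcing 1.99 also speaks 2.0) are the generic SSH rules from RFC 4253; the software name "Comware" and the sample lines are constructed for the demo.

```python
"""
Added example (not from the 3Com manual): SSH version identification string
parsing and the 2.0-only negotiation decision. Sample lines are constructed.
"""
import re

VERSION_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)(?: (.*))?$")


def parse_version_line(data: bytes):
    """Return ((major, minor), softwareversion, comment) from the first line
    beginning with 'SSH-'. Anything before it is banner text a server may
    send before the version string; it is skipped, not parsed."""
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue
        if len(raw) + 1 > 255:  # raw lost its '\n' in the split; count it back in
            raise ValueError("version identification line longer than 255 bytes")
        m = VERSION_RE.match(line.decode("ascii"))
        if m is None:
            raise ValueError("malformed version identification string: %r" % line)
        return (int(m.group(1)), int(m.group(2))), m.group(3), m.group(4)
    raise ValueError("no version identification string received")


def negotiate(server_data: bytes, client_data: bytes):
    """Decide the protocol version for a server that, like the device on this
    page, supports SSH 2.0 only. A client announcing 2.0 proceeds; 1.99 is the
    compatibility value meaning the client also speaks 2.0; anything else is
    refused (None), since an SSH1-only client cannot talk to a 2.0-only server."""
    s_ver, s_soft, _ = parse_version_line(server_data)
    c_ver, _, _ = parse_version_line(client_data)
    if s_ver != (2, 0):
        raise ValueError("expected an SSH-2.0 server, got %s" % s_soft)
    if c_ver in ((2, 0), (1, 99)):
        return "2.0"
    return None


if __name__ == "__main__":
    server = b"SSH-2.0-Comware\r\n"
    print(negotiate(server, b"SSH-2.0-PuTTY_Release_0.58\r\n"))  # 2.0
    print(negotiate(server, b"SSH-1.5-Legacy\r\n"))              # None
```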
  • Page 501: Configuring The Ssh Server

    In password authentication, the client encrypts the username and password, encapsulates them into a password authentication request, and sends the request to the server. Upon receiving the request, the server decrypts the username and password, compares them with those it maintains, and then informs the client of the authentication result.
  • Page 502: Ssh Server Configuration Tasks

    SSH Server Configuration Tasks. Complete the following tasks to configure the SSH server: Configuring the Protocol Support for the User Interface (Required); Generating/Destroying an RSA or DSA Key Pair (Required); Exporting the RSA or DSA Public Key (Optional); Creating an SSH User and Specifying an Authentication Type (Required); Specifying a Service Type for an SSH...
  • Page 503: Generating/Destroying A Rsa Or Dsa Key Pair

    If you have configured a user interface to support SSH protocol, you must configure AAA authentication for the user interface by using the authentication-mode scheme command to ensure successful login. On a user interface, if the authentication-mode password or authentication-mode none command has been executed, the protocol inbound ssh command is not available.
  • Page 504: Exporting The Rsa Or Dsa Public Key

    Exporting the RSA or DSA Public Key You can display the generated RSA or DSA key pair on the screen in a specified format, or export it to a specified file for configuring the key at a remote end. Follow these steps to export the RSA public key: To do…...
  • Page 505: Specifying A Service Type For An Ssh User

    For password authentication type, the username argument must be consistent with the valid user name defined in AAA; for publickey authentication, the username argument is the SSH local user name, so that there is no need to configure a local user in AAA. If the default authentication type for SSH users is password and local AAA authentication is adopted, you need not use the ssh user command to create an SSH user.
  • Page 506: Configuring The Client Public Key On The Server

    Enter system view: system-view. Set the SSH authentication timeout time: ssh server timeout seconds (Optional; by default, the timeout is 60 seconds). Set the SSH authentication retry times: ssh server authentication-retries times (Optional; by default, the number of retries is 3).
  • Page 507 Enter public key edit view: public-key-code begin. Configure a public key for the ...: enter the content of the public key (when you input the key data, spaces are allowed between the characters you input, because the system removes the spaces automatically);...
  • Page 508: Assigning A Public Key To An Ssh User

    Follow these steps to import the RSA public key from a public key file: Enter system view: system-view. Import the RSA public key from a public key file: rsa peer-public-key keyname import sshkey filename (Required). The output of the display rsa local-key-pair public command, and a public key converted with the SSHKEY tool, contain no information such as the authentication type, so they cannot be used directly as parameters of the public-key peer command.
  • Page 509: Configuring The Ssh Client

    Follow these steps to specify a source IP address/interface for the SSH server: Enter system view: system-view. Specify a source IP address for the SSH server: ssh-server source-ip ip-address (Required; by default, the system determines the IP address for clients to access).
  • Page 510 Selecting SSH as the protocol for remote connection: Usually, a client can use a variety of remote connection protocols, such as Telnet, Rlogin, and SSH. To establish an SSH connection, you must select SSH. Selecting the SSH version: Since the device currently supports SSH Server 2.0, select 2.0 or lower for the client.
  • Page 511 Figure 1-3 Generate the client keys (2). After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case) to save the public key. Figure 1-4 Generate the client keys (3)
  • Page 512 Likewise, to save the private key, click Save private key. A warning window pops up asking whether to save the private key without any protection. Click Yes and enter the name of the file for saving the private key (“private” in this case) to save the private key. Figure 1-5 Generate the client keys (4). To generate the RSA public key in PKCS format, run SSHKEY.exe, click Browse and select the public key file, and then click Convert.
  • Page 513 Figure 1-7 SSH client configuration interface 1 In the Host Name (or IP address) text box, enter the IP address of the server. Note that there must be a route available between the IP address of the server and the client. Select a protocol for remote connection As shown in Figure...
  • Page 514 Figure 1-8 SSH client configuration interface 2. Under Protocol options, select 2 from Preferred SSH protocol version. Some SSH client software, for example the Tectia client, supports the DES algorithm only when SSH version 1 is selected; the PuTTY client can negotiate DES under SSH2. Open an SSH connection with publickey authentication: If a user needs to be authenticated with a public key, the corresponding private key file must be specified.
  • Page 515 Figure 1-9 SSH client configuration interface 3 Click Browse… to bring up the file selection window, navigate to the private key file and click Open to enter the following SSH client interface. If the connection is normal, a user will be prompted for a username.
  • Page 516: Configuring The Ssh Client On An Ssh2-Capable Device

    Open an SSH connection with password authentication From the window shown in Figure 1-9, click Open. The following SSH client interface appears. If the connection is normal, you will be prompted to enter the username and password, as shown in Figure 1-11.
  • Page 517 Follow these steps to enable the device to support first-time authentication: Enter system view: system-view. Enable the device to support first-time authentication: ssh client first-time enable (Optional; by default, the client is enabled to run first-time authentication).
  • Page 518: Specifying A Source Ip Address/Interface For The Ssh Client

    When logging into the SSH server using public key authentication, an SSH client needs to read the local private key for authentication. As two algorithms (RSA or DSA) are available, the identity-key keyword must be used to specify one algorithm in order to get the correct private key. Specifying a Source IP address/Interface for the SSH client This configuration task allows you to specify a source IP address or interface for the client to access the SSH server, improving service manageability.
  • Page 519: Ssh Configuration Examples

    SSH Configuration Examples When the Device Acts as the SSH Server and the Authentication Type is Password Network requirements As shown in Figure 1-12, establish an SSH connection between the host (SSH Client) and the device (SSH Server) for secure data exchange. The host runs SSH2.0 client software. Password authentication is required.
  • Page 520 Take SSH client software “Putty” (version 0.58) as an example: Run PuTTY.exe to enter the following configuration interface. Figure 1-13 SSH client configuration interface In the Host Name (or IP address) text box, enter the IP address of the SSH server. As shown in Figure 1-13, click Open to enter the following interface.
  • Page 521: When The Device Acts As An Ssh Server And The Authentication Type Is Publickey

    Figure 1-14 SSH client interface When the Device Acts as an SSH Server and the Authentication Type is Publickey Network requirements As shown in Figure 1-15, establish an SSH connection between the host (SSH client) and the device (SSH Server) for secure data exchange. The host runs SSH2.0 client software. Publickey authentication is required.
  • Page 522

    <device> system-view
    [device] interface vlan-interface 1
    [device-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
    [device-Vlan-interface1] quit
    # Generate RSA and DSA key pairs.
    [device] public-key local create rsa
    [device] public-key local create dsa
    # Set the authentication mode for the user interfaces to AAA.
    [device] user-interface vty 0 4
    [device-ui-vty0-4] authentication-mode scheme
    # Enable the user interfaces to support SSH.
  • Page 523 Figure 1-16 Generate a client key pair (1) While generating the key pair, you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 1-17. Otherwise, the process bar stops moving and the key pair generating process is stopped.
  • Page 524 Figure 1-17 Generate a client key pair (2). After the key pair is generated, click Save public key and enter the name of the file for saving the public key (“public” in this case). Figure 1-18 Generate a client key pair (3)
  • Page 525 Likewise, to save the private key, click Save private key. A warning window pops up asking whether to save the private key without any protection. Click Yes and enter the name of the file for saving the private key (“private” in this case). Figure 1-19 Generate a client key pair (4). After the key pair is generated, you need to upload the public key file to the server through FTP or TFTP, and complete the server end configuration before you continue to configure the client.
  • Page 526 Figure 1-21 SSH client configuration interface (2) Click Browse… to bring up the file selection window, navigate to the private key file and click OK. From the window shown in Figure 1-21, click Open. The following SSH client interface appears. If the connection is normal, you will be prompted to enter the username and password, as shown in Figure 1-22.
  • Page 527: When The Switch Acts As An Ssh Client And The Authentication Type Is Password

    When the Switch Acts as an SSH Client and the Authentication Type is Password Network requirements As shown in Figure 1-23, establish an SSH connection between Switch A (SSH Client) and Switch B (SSH Server) for secure data exchange. The user name for login is client001 and the SSH server’s IP address is 10.165.87.136.
  • Page 528: When The Device Acts As An Ssh Client And The Authentication Type Is Publickey

    The Server is not authenticated. Do you continue to access it?(Y/N):y Do you want to save the server's public key?(Y/N):n Enter password: ******************************************************************************** Copyright(c) 2004-2009 3Com Corp. and its licensors. All rights reserved. Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed. ******************************************************************************** <device>...
  • Page 529

    <device> system-view
    [device] interface vlan-interface 1
    [device-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
    [device-Vlan-interface1] quit
    # Generate RSA and DSA key pairs.
    [device] public-key local create rsa
    [device] public-key local create dsa
    # Set the authentication mode for the user interfaces to AAA.
    [device] user-interface vty 0 4
    [device-ui-vty0-4] authentication-mode scheme
    # Enable the user interfaces to support SSH.
  • Page 530: When The Device Acts As An Ssh Client And First-Time Authentication Is Not Supported

    The Server is not authenticated. Do you continue to access it?(Y/N):y Do you want to save the server's public key?(Y/N):n ******************************************************************************** Copyright(c) 2004-2009 3Com Corp. and its licensors. All rights reserved. Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed.
  • Page 531

    [device-Vlan-interface1] quit
    # Generate RSA and DSA key pairs.
    [device] public-key local create rsa
    [device] public-key local create dsa
    # Set AAA authentication on user interfaces.
    [device] user-interface vty 0 4
    [device-ui-vty0-4] authentication-mode scheme
    # Configure the user interfaces to support SSH.
    [device-ui-vty0-4] protocol inbound ssh
    # Set the user command privilege level to 3.
  • Page 532

    Username: client001
    Trying 10.165.87.136 ...
    Press CTRL+K to abort
    Connected to 10.165.87.136 ...
    ********************************************************************************
    Copyright(c) 2004-2009 3Com Corp. and its licensors. All rights reserved.
    Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed.
    ********************************************************************************
    <device>
  • Page 533 Table of Contents: 1 File System Management Configuration (1-1); File System Configuration (1-1); Introduction to File System (1-1); File System Configuration Tasks (1-1); Directory Operations (1-1); File Operations (1-2); Flash Memory Operations (1-3); Prompt Mode Configuration (1-3); File System Configuration Example (1-4); File Attribute Configuration (1-5); Introduction to File Attributes (1-5); Configuring File Attributes (1-6)...
  • Page 534: File System Management Configuration

    File System Management Configuration The sample output information in this manual was created on the WX3024. The output information on your device may vary. File System Configuration Introduction to File System To facilitate management on the device memory, the device provides the file system function, allowing you to access and manage the files and directories.
  • Page 535: File Operations

    Displaying the current working directory, or the contents of a specified directory. Follow these steps to perform directory-related operations in user view: Create a directory: mkdir directory (Optional). Delete a directory: rmdir directory (Optional). Display the current working directory (Optional). Display information about specific files or directories: dir [ /all ] [ file-url ]...
  • Page 536: Flash Memory Operations

    Enter system view: system-view. Execute the specified batch file: execute filename (Optional; this command should be executed in system view). For deleted files with the same name, only the most recently deleted file is kept in the recycle bin and can be restored.
  • Page 537: File System Configuration Example

    Follow these steps to configure the prompt mode of the file system: Enter system view: system-view. Configure the prompt mode of the file system: file prompt { alert | quiet } (Required; by default, the prompt mode of the file system is alert).
  • Page 538: File Attribute Configuration

    <device> dir unit1>flash:/test/
    Directory of unit1>flash:/test/
       -rw-  1443  Apr 02 2000 02:45:13   1.cfg
    6858 KB total (6841 KB free)
    (*) -with main attribute   (b) -with backup attribute   (*b) -with both main and backup attribute
    File Attribute Configuration. Introduction to File Attributes: The following two startup files support file attribute configuration: Configuration files: A configuration file is used to store and restore configuration, with .cfg as the extension.
  • Page 539: Configuring File Attributes

    attribute. If you download a valid file with the same name as the deleted file to the flash memory, the file will possess the main attribute. Configuring File Attributes You can configure and view the main attribute or backup attribute of the startup file used for the next startup of a switch, and change the main or backup attribute of the file.
  • Page 540 Table of Contents: 1 FTP and SFTP Configuration (1-1); Introduction to FTP and SFTP (1-1); Introduction to FTP (1-1); Introduction to SFTP (1-2); FTP Configuration (1-2); FTP Configuration: The Device Operating as an FTP Server (1-2); FTP Configuration: The Device Operating as an FTP Client (1-6); Configuration Example: The Device Operating as an FTP Server (1-8); FTP Banner Display Configuration Example (1-10); FTP Configuration: The Device Operating as an FTP Client (1-11)...
  • Page 541: Introduction To Ftp And Sftp

    FTP and SFTP Configuration The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of a WX3000 series. The sample output information in this manual was created on the WX3024. The output information on your device may vary.
  • Page 542: Introduction To Sftp

    Introduction to SFTP: Secure FTP (SFTP) runs over an SSH2 connection. It allows a remote user to log in to the switching engine to manage and transfer files, giving data transmission stronger protection than plain FTP. In addition, since the device can also act as a client, you can log in to remote devices to transfer files securely.
  • Page 543 Enabling an FTP server. Follow these steps to enable an FTP server: Enter system view: system-view. Enable the FTP server function: ftp server enable (Required; disabled by default). Only one user can access the device at a given time when the device operates as an FTP server. Operating as an FTP server, the device cannot receive a file whose size exceeds its storage space.
  • Page 544 Source interface refers to the existing VLAN interface or Loopback interface on the device. Source IP address refers to the IP address configured for the interface on the device. Each source interface corresponds to a source IP address. Therefore, specifying a source interface for the FTP server is the same as specifying the IP address of this interface as the source IP address.
  • Page 545 With the device acting as the FTP server, if a network administrator attempts to disconnect a user that is uploading/downloading data to/from the FTP server, the device will disconnect the user after the data transmission is completed. Configuring the banner for an FTP server Displaying a banner: With a banner configured on the FTP server, when you access the FTP server through FTP, the configured banner is displayed on the FTP client.
  • Page 546: Ftp Configuration: The Device Operating As An Ftp Client

    Configure a shell banner: header shell text (use either command or both; by default, no banner is configured). For details about the header command, refer to the Login part of the manual. Displaying FTP server information To do…...
  • Page 547 Change the working directory on the remote FTP server: cd pathname. Change the working directory to the parent directory: cdup. Get the local working path on the FTP client (optional). Display the working directory on the FTP server. Create a directory (mkdir pathname) on the...
  • Page 548: Configuration Example: The Device Operating As An Ftp Server

    Specifying the source interface and source IP address for an FTP client You can specify the source interface and source IP address for the device acting as an FTP client, so that it can connect to a remote FTP server. Follow these steps to specify the source interface and source IP address for an FTP client: To do…...
  • Page 549 saved-configuration command to specify config.cfg as the main configuration file for next startup and then reboot the device. Create a user account on the FTP server with the user name “switch” and password “hello”. The IP addresses 1.1.1.1 for a VLAN interface on the switching engine and 2.2.2.2 for the PC have been configured.
  • Page 550: Ftp Banner Display Configuration Example

    200 Port command okay. 150 Opening ASCII mode data connection for config.cfg. 226 Transfer complete. This example uses the command line window tool provided by Windows. When you log in to the FTP server through another FTP client, refer to the corresponding instructions for operation description. If available space on the flash memory of the device is not enough to hold the file to be uploaded, you need to delete files not in use from the flash memory to make room for the file, and then upload the file again.
  • Page 551: Ftp Configuration: The Device Operating As An Ftp Client

    Figure 1-4 Network diagram for FTP banner display configuration (the FTP client at 2.2.2.2/8 reaches the switch, acting as FTP server, on Vlan-Int1 1.1.1.1/8 across the network). Configuration procedure Configure the switch (FTP server) # Configure the login banner of the switching engine as “login banner appears” and the shell banner as “shell banner appears”.
  • Page 552 Figure 1-5 Network diagram for FTP configurations: the device operating as an FTP client (the FTP server at 2.2.2.2/8 reaches Switch A, acting as FTP client, on Vlan-Int1 1.1.1.1/8 across the network). Configuration procedure Configure the PC (FTP server) Perform FTP server–related configurations on the PC, that is, create a user account on the FTP server with user name “switch”...
  • Page 553: Sftp Configuration: The Device Operating As An Sftp Server

    <device> # After downloading the file, use the startup saved-configuration command to specify the downloaded configuration file as the main configuration file for next startup, and then restart the device. <device>startup saved-configuration config.cfg main Please wait........Done! For information about the startup saved-configuration command and how to specify the startup file for the device, refer to the “System Maintenance and Debugging”...
  • Page 554: Sftp Configuration: The Device Operating As An Sftp Client

    Enter system view: system-view. Configure the connection idle time for the SFTP server: ftp timeout time-out-value (optional; 10 minutes by default). Supported SFTP client software The device operating as an SFTP server can interoperate with SFTP client software, including SSH Tectia Client v4.2.0 (SFTP), v5.0, and WINSCP.
  • Page 555 Enter SFTP client view (required): sftp { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 } | prefer_stoc_cipher { des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } |...
  • Page 556: Sftp Configuration Example

    If you specify that a client is authenticated through public key on the server, the client needs to read its local private key when logging in to the SFTP server. Since both RSA and DSA are available for public key authentication, you need to use the identity-key keyword to specify the algorithm so that the correct local private key is read;...
  • Page 557 # Create a VLAN interface on the device and assign to it an IP address, which is used as the destination address for the client to connect to the SFTP server. [device] interface vlan-interface 1 [device-Vlan-interface1] ip address 192.168.0.1 255.255.255.0 [device-Vlan-interface1] quit # Specify the SSH authentication mode as AAA.
  • Page 558 sftp-client> # Display the current directory of the server. Delete the file z and verify the result. sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1 drwxrwxrwx...
  • Page 559 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2 Received status: End of file Received status: Success # Download the file pubkey2 from the server and rename it as public.
  • Page 560: Tftp Configuration

    TFTP Configuration Introduction to TFTP Compared with FTP, TFTP (trivial file transfer protocol) features a simple interactive access interface and no authentication control. Therefore, TFTP is applicable in networks where client-server interactions are relatively simple. TFTP is implemented based on UDP. It transfers data through UDP port 69. Basic TFTP operations are described in RFC 1986.
  • Page 561: Tftp Configuration: The Device Operating As A Tftp Client

    Task / Remarks: TFTP server configuration — for details, see the corresponding manual. TFTP Configuration: The Device Operating as a TFTP Client Basic configurations on a TFTP client By default, the device can operate as a TFTP client. In this case, you can connect the device to the TFTP server to perform TFTP-related operations (such as creating/removing a directory) by executing commands on the device.
  • Page 562: Tftp Configuration Example

    Specify an interface as the source interface a TFTP client uses every time it connects to a TFTP server: tftp source-interface interface-type interface-number. Specify an IP address as the source IP address a TFTP client uses every time it...: tftp source-ip ip-address. Use either command; not specified by default...
  • Page 563 Configuration procedure Configure the TFTP server (PC) Start the TFTP server and configure the working directory on the PC. Configure the TFTP client (switch). # Log in to the switching engine. (You can log in to the switching engine through the console port or by telnetting the device.
  • Page 564 Table of Contents: 1 Information Center 1-1; Information Center Overview 1-1; Introduction to Information Center 1-1; System Information Format 1-4; Information Center Configuration 1-6; Introduction to the Information Center Configuration Tasks 1-6; Configuring Synchronous Information Output 1-7; Configuring to Display the Time Stamp with the UTC Time Zone 1-7; Setting to Output System Information to the Console 1-8; Setting to Output System Information to a Monitor Terminal 1-10; Setting to Output System Information to a Log Host 1-11...
  • Page 565: Information Center Overview

    Information Center The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of a WX3000 series. The sample output information in this manual was created on the WX3024. The output information on your device may vary.
  • Page 566 Severity / Severity value / Description: informational: informational information to be recorded; debugging: information generated during debugging. Information filtering by severity works this way: information with a severity value greater than the configured threshold is not output during filtering. If the threshold is set to 1, only information with the severity emergencies is output; if the threshold is set to 8, information of all severities is output.
  • Page 567 Configurations for the six output directions function independently and take effect only after the information center is enabled. Outputting system information by source module The system information can be classified by source module and then filtered. Some module names and descriptions are shown in Table 1-3.
  • Page 568: System Information Format

    Module name / Description: Network time protocol module; Public key infrastructure module; Radius module; RMON: Remote monitor module; Rivest, Shamir and Adleman encryption module; SHELL: User interface module; SNMP: Simple network management protocol module; SOCKET: Socket module; Secure shell module; SYSMIB: System MIB module; HWTACACS module; TELNET...
  • Page 569 Priority The priority is calculated using the following formula: facility*8+severity-1, in which facility (the device name) defaults to local7, whose value is 23 (the value of local6 is 22, that of local5 is 21, and so on), and severity (the information level) ranges from 1 to 8. Table 1-1 details the value and meaning associated with each severity.
  • Page 570: Information Center Configuration

    You can use the sysname command to modify the system name. Refer to the System Maintenance and Debugging part of this manual for details. Note that there is a space between the sysname and module fields. Module The module field represents the name of the module that generates system information. You can enter the info-center source ? command in system view to view the module list.
  • Page 571: Configuring Synchronous Information Output

    Task Remarks Setting to Output System Information to the SNMP NMS Optional Configuring Synchronous Information Output Synchronous information output refers to the feature that if the system information such as log, trap, or debugging information is output when the user is inputting commands, the command line prompt (in command editing mode a prompt, or a [Y/N] string in interaction mode) and the input information are echoed after the output.
  • Page 572: Setting To Output System Information To The Console

    Set the time stamp format in the output direction of the information center to date (required; use either command): log host direction: info-center timestamp loghost date; non-log-host direction: info-center timestamp { log | trap | debugging } date...
  • Page 573 Table 1-4 Default output rules for different output directions (columns: output direction; modules allowed; LOG enabled/disabled and severity; TRAP enabled/disabled and severity; DEBUG enabled/disabled and severity). Console: default (all modules); LOG enabled, warning; TRAP enabled, debugging; DEBUG enabled, debugging. Monitor: default (all modules); LOG enabled, warning; TRAP enabled, debugging; DEBUG enabled, debugging...
  • Page 574: Setting To Output System Information To A Monitor Terminal

    Setting to Output System Information to a Monitor Terminal System information can also be output to a monitor terminal, which is a user terminal that has login connections through the AUX, VTY, or TTY user interface. Setting to output system information to a monitor terminal Follow these steps to set to output system information to a monitor terminal: To do…...
  • Page 575: Setting To Output System Information To A Log Host

    Follow these steps to enable the display of system information on a monitor terminal: enable the debugging/log/trap information terminal display function: terminal monitor (optional; enabled by default); enable the debugging information terminal display function: terminal debugging (optional; disabled by default); enable the log information terminal...
  • Page 576: Setting To Output System Information To The Trap Buffer

    Set the format of the time stamp to be sent to the log host: info-center timestamp loghost { date | no-year-date | none } (optional; by default, the time stamp format of the information output to the log host is date).
  • Page 577: Setting To Output System Information To The Snmp Nms

    Enable information output to the log buffer: info-center logbuffer [ channel { channel-number | channel-name } | size buffersize ]* (optional; by default, the device uses information channel 4 to output log information to the log buffer, which can hold up to 512 items by default).
  • Page 578: Displaying And Maintaining Information Center

    Displaying and Maintaining Information Center Display information on an information channel: display channel [ channel-number | channel-name ]. Display the operation status of the information center, the configuration of information channels, and the format of the time stamp: display info-center [ unit unit-id ]. Available in any view...
  • Page 579 # Configure the host whose IP address is 202.38.1.10 as the log host. Permit ARP and IP modules to output information with severity level higher than informational to the log host. [Switch] info-center loghost 202.38.1.10 facility local4 [Switch] info-center source arp channel loghost log level informational debug state off trap state off [Switch] info-center source ip channel loghost log level informational debug state off trap state off...
  • Page 580: Log Output To A Linux Log Host

    Through combined configuration of the device name (facility), information severity level threshold (severity), module name (filter) and the file “syslog.conf”, you can sort information precisely for filtering. Log Output to a Linux Log Host Network requirements As shown in Figure 1-2, Switch sends the following log information to the Linux log host whose IP address is 202.38.1.10: All modules' log information, with severity higher than “errors”.
  • Page 581: Log Output To The Console

    Note the following items when you edit the file “/etc/syslog.conf”. A note must start on a new line, starting with a “#” sign. In each pair, a tab should be used as a separator instead of a space. No space is permitted at the end of the file name. The device name (facility) and received log information severity specified in file “/etc/syslog.conf”...
  • Page 582 [Switch] info-center enable # Disable the function of outputting information to the console channels. [Switch] undo info-center source default channel console # Enable log information output to the console. Permit ARP and IP modules to output log information with severity level higher than informational to the console. [Switch] info-center console channel console [Switch] info-center source arp channel console log level informational debug state off trap state off...
  • Page 583 Table of Contents: 1 Host Configuration File Loading 1-1; Introduction to Loading Approaches 1-1; Remote Loading Using FTP 1-1; Remote Loading Using TFTP 1-5; 2 Basic System Configuration and Debugging 2-1; Basic System Configuration 2-1; Displaying the System Status 2-2; Debugging the System 2-2; Enabling/Disabling System Debugging 2-2; Displaying Debugging Status 2-3; Displaying Operating Information about Modules in System 2-3...
  • Page 584: Introduction To Loading Approaches

    Host Configuration File Loading The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of a WX3000 series. The sample output information in this manual was created on the WX3024. The output information on your device may vary.
  • Page 585 Connected to OAP! <device_LSW> ftp 192.168.0.100 Trying ... Press CTRL+K to abort Connected. 220 3Com 3CDaemon FTP Server Version 2.0 User(none):admin 331 User name ok, need password Password: 230 User logged in [ftp]get config.cfg config.cfg 227 Entering passive mode (192,168,0,100,5,95) 125 Using existing data connection ..226 Closing data connection;...
  • Page 586 Figure 1-2 Remote loading using FTP server (Switch, with VLAN-interface 1 at 192.168.0.51, reaches the FTP server at 10.1.1.1 through an Ethernet port). Step 1: As shown in Figure 1-2, connect Switch through an Ethernet port to the PC (whose IP address is 10.1.1.1). Step 2: Configure the IP address of VLAN-interface 1 on Switch to 192.168.0.51, and the subnet mask to 255.255.255.0.
  • Page 587 Step 6: Enter ftp 192.168.0.51 and enter the user name test, password pass to log on to the FTP server. C:\Documents and Settings\Administrator>d: D:\>cd update D:\Update>ftp 192.168.0.51 Connected to 192.168.0.51. 220 FTP service ready. User (192.168.0.51:(none)): test 331 Password required for test. Password: 230 User logged in.
  • Page 588: Remote Loading Using Tftp

    The steps listed above are performed in the Windows operating system; if you use other FTP client software, refer to the corresponding user guide before operation. Only the configuration steps concerning loading are listed here. For detailed description of the corresponding configuration commands, refer to the “FTP-SFTP-TFTP”...
  • Page 589: Basic System Configuration And Debugging

    Basic System Configuration and Debugging Basic System Configuration Follow these steps to perform basic system configuration: set the current date and time of the system: clock datetime HH:MM:SS { YYYY/MM/DD | MM/DD/YYYY } (required; execute this command in user view; the default value is 23:55:00 04/01/2000)...
  • Page 590: Displaying The System Status

    Displaying the System Status Display the current date and time of the system: display clock. Display the version of the system: display version. Display the information about users logging onto the device: display users [ all ]. All of these are available in any view. Debugging the System Enabling/Disabling System Debugging...
  • Page 591: Displaying Debugging Status

    You can use the following commands to enable the two settings. Follow these steps to enable debugging and terminal display for a specific module: enable system debugging for a specific module: debugging module-name [ debugging-option ] (required; disabled for all modules by default).
  • Page 592: Network Connectivity Test

    Network Connectivity Test ping You can use the ping command to check the network connectivity and the reachability of a host. Follow these steps to execute the ping command: Check the IP network...: ping [ -a ip-address ] [ -c count ] [ -d ] [ -f ] [ -h ttl ] [ -i interface-type ... You can execute this...
  • Page 593: Introduction To Device Management

    Device Management Introduction to Device Management Device Management includes the following: reboot the device; configure real-time monitoring of the running status of the system; specify the main configuration file to be used at the next reboot. Device Management Configuration Device Management Configuration Tasks Complete the following tasks to configure device management: Task Remarks...
  • Page 594: Scheduling A Reboot On The Device

    Scheduling a Reboot on the Device After you schedule a reboot on the device, the device will reboot at the specified time. Follow these steps to schedule a reboot on the device: schedule a reboot on the device, and set the reboot date and time: schedule reboot at hh:mm (optional)...
  • Page 595: Identifying And Diagnosing Pluggable Transceivers

    EtherNet Transceiver 10G Ethernet Package) interfaces For pluggable transceivers supported by the device, refer to 3Com WX3000 Series Unified Switches Installation Manual. Identifying pluggable transceivers As pluggable transceivers are of various types and from different vendors, you can perform the...
  • Page 596: Displaying And Maintaining The Device Management Configuration

    Follow these steps to identify pluggable transceivers: display main parameters of the pluggable transceiver(s): display transceiver interface [ interface-type interface-number ] (available for all pluggable transceivers). Diagnosing pluggable transceivers The system outputs alarm information for you to diagnose and troubleshoot faults of pluggable transceivers.
  • Page 597 Table of Contents: 1 VLAN-VPN Configuration 1-1; VLAN-VPN Overview 1-1; Introduction to VLAN-VPN 1-1; Implementation of VLAN-VPN 1-2; Adjusting the TPID Values of VLAN-VPN Packets 1-2; VLAN-VPN Configuration 1-3; Configuration Task List 1-3; Enabling the VLAN-VPN Feature for a Port 1-3; TPID Adjusting Configuration 1-4; Displaying and Maintaining VLAN-VPN 1-4; VLAN-VPN Configuration Example 1-5; Transmitting User Packets through a Tunnel in the Public Network by Using VLAN-VPN 1-5...
  • Page 598: Vlan-Vpn Configuration

    The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. The sample output information in this manual was created on the WX3024. The output information on your device may vary.
  • Page 599: Implementation Of Vlan-Vpn

    Figure 1-2 Structure of packets with double-layer VLAN tags: Destination MAC address | Source MAC address | Outer VLAN Tag | Inner VLAN Tag | Data. Compared with MPLS-based Layer 2 VPN, VLAN-VPN has the following features: it provides Layer 2 VPN tunnels that are simpler; VLAN-VPN can be implemented through manual configuration.
  • Page 600: Vlan-Vpn Configuration

    As the position of the TPID field in an Ethernet packet is the same as that of the upper-layer protocol type field in a packet without a VLAN tag, to avoid confusion when receiving/forwarding a packet, the TPID value cannot be any of the protocol type values listed in Table 1-1.
  • Page 601: Tpid Adjusting Configuration

    TPID Adjusting Configuration Configuration Prerequisites To change the global TPID value 0x8100, you need to specify a port on the device as a VLAN VPN uplink port. Before the configuration, make sure that VLAN VPN is disabled on the port. For proper packet transmission, confirm the TPID value of the peer device in the public network before adjusting the TPID value.
  • Page 602: Vlan-Vpn Configuration Example

    As shown in Figure 1-4, both Switch A and Switch B are WX3000 series devices. They connect the users to the servers through the public network. PC users and PC servers are in VLAN 100, created in the private network, while terminal users and terminal servers are in VLAN 200, which is also created in the private network.
  • Page 603 # Set the global TPID value of Switch A to 0x9200 and configure GigabitEthernet 1/0/12 as a VLAN VPN uplink port, so that Switch A can intercommunicate with devices in the public network. [SwitchA] vlan-vpn tpid 9200 [SwitchA] interface GigabitEthernet1/0/12 [SwitchA-GigabitEthernet1/0/12] port link-type trunk [SwitchA-GigabitEthernet1/0/12] port trunk permit vlan 1040 [SwitchA-GigabitEthernet1/0/12] vlan-vpn uplink enable...
  • Page 604 As GigabitEthernet 1/0/11 of Switch A is a VLAN-VPN port, when a packet from the customer’s network side reaches this port, it is tagged with the default VLAN tag of the port (VLAN 1040). The device sets the TPID value for the outer VLAN tags of packets to user-defined value 0x9200 and then forwards these packets to the public network through the VLAN-VPN uplink port GigabitEthernet 1/0/12.
  • Page 605: Selective Qinq Configuration

    Selective QinQ Configuration Selective QinQ Overview Selective QinQ is an enhanced application of the VLAN-VPN feature. With the selective QinQ feature, you can configure inner-to-outer VLAN tag mapping, according to which you can add different outer VLAN tags to the packets with different inner VLAN tags. The selective QinQ feature makes the service provider network structure more flexible.
  • Page 606: Inner-To-Outer Tag Priority Mapping

    In this way, you can configure different forwarding policies for the data of different types of users, thus improving the flexibility of network management. On the other hand, network resources are well utilized, and users of the same type are also isolated by their inner VLAN tags. This helps to improve network security.
  • Page 607: Configuring The Inner-To-Outer Tag Priority Mapping Feature

    It is recommended not to configure both DHCP snooping and the selective Q-in-Q function on the device, because doing so may cause DHCP snooping to function abnormally. Configuring the Inner-to-Outer Tag Priority Mapping Feature Configuration Prerequisites Enabling the VLAN-VPN feature on the current port Configuration Procedure Follow these steps to configure the inner-to-outer tag priority mapping feature: To do…...
  • Page 608 Figure 2-2 Network diagram for selective QinQ configuration (PC users in VLAN 100~108 and IP phone users in VLAN 200~230 reach Switch A on GE1/0/3; Switch A GE1/0/5 and Switch B GE1/0/11 connect across the public network carrying VLAN 1000/VLAN 1200; Switch B GE1/0/12 serves PCs in VLAN 100~108 and GE1/0/13 serves IP phones in VLAN 200~230). Configuration procedure Configure Switch A. # Create VLAN 1000, VLAN 1200 and VLAN 5 (the default VLAN of GigabitEthernet 1/0/3) on SwitchA. <SwitchA>...
  • Page 609 [SwitchA-GigabitEthernet1/0/3] vlan-vpn enable # Enable the selective QinQ feature on GigabitEthernet 1/0/3 to tag packets of VLAN 100 through VLAN 108 with the tag of VLAN 1000 as the outer VLAN tag, and tag packets of VLAN 200 through VLAN 230 with the tag of VLAN 1200 as the outer VLAN tag.
  • Page 610 To make the packets from the servers be transmitted to the clients in the same way, you need to configure the selective QinQ feature on GigabitEthernet 1/0/12 and GigabitEthernet 1/0/13. The configuration on Switch B is similar to that on Switch A and is thus omitted. The port configuration on Switch B is only an example for a specific network requirement.
  • Page 611 Table of Contents: 1 HWPing Configuration 1-1; HWPing Overview 1-1; Introduction to HWPing 1-1; Test Types Supported by HWPing 1-2; HWPing Test Parameters 1-2; HWPing Configuration 1-4; Configuration on a HWPing Server 1-4; HWPing Client Configuration 1-5; Displaying and Maintaining HWPing 1-17; HWPing Configuration Example 1-17; ICMP Test 1-17; DHCP Test 1-18; FTP Test 1-20...
  • Page 612: Introduction To Hwping

    HWPing Configuration The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a WX3000. The sample output information in this manual was created on the WX3024. The output information on your device may vary.
  • Page 613: Test Types Supported By Hwping

    Figure 1-1 HWPing illustration (Switch A as HWPing client and Switch B as HWPing server, connected across an IP network). Test Types Supported by HWPing Table 1-1 Test types supported by HWPing: ICMP test, DHCP test, FTP test. For these types of tests, you need to configure the HWPing client and the corresponding servers.
  • Page 614
    Test parameter: Source interface (source-interface)
    Description: For DHCP test, you must specify a source interface, which will be used by HWPing client to send DHCP requests. If no source interface is specified for a DHCP test, the test will not succeed. After a source interface is specified, HWPing client uses this source interface to send DHCP requests during a DHCP test.
  • Page 615: HWPing Configuration

    Test parameter: File name for FTP operation (filename)
    Description: Name of a file to be transferred between HWPing client and FTP server
    Jitter test is used to collect statistics about delay jitter in UDP packet transmission. In a jitter probe, the HWPing client sends a series of packets to the HWPing server at regular intervals (you can set the interval).
  • Page 616: HWPing Client Configuration

    HWPing server configuration
    The following table describes the configuration on HWPing server, which is the same for HWPing test types that need to configure HWPing server. Follow these steps to configure the HWPing server:
    To do… Use the command… Remarks
    Enter system view: system-view (—)...
  • Page 617
    To do… Use the command… Remarks
    Configure the number of probes per test: count times (Optional. By default, each test makes one probe.)
    Configure the packet size: datasize size (Optional. By default, the packet size is 56 bytes.)
    Configure the maximum number of history records that can be saved: history-records number (Optional. By default, the maximum...
  • Page 618
    To do… Use the command… Remarks
    Configure the source interface: source-interface interface-type interface-number (Required. You can only configure a VLAN interface as the source interface. By default, no source interface is configured.)
    Configure the test type: test-type dhcp (Required. By default, the test type is ICMP.)
    Configure the number of probes per test: count times (Optional...
  • Page 619
    To do… Use the command… Remarks
    Configure the number of probes per test: count times (Optional. By default, each test makes one probe.)
    Configure the maximum number of history records that can be saved: history-records number (Optional. By default, the maximum number is 50.)
  • Page 620
    To do… Use the command… Remarks
    Configure the destination IP address: destination-ip ip-address (Required. You can configure an IP address or a host name. By default, no destination address is configured.)
    Configure dns-server: dns-server ip-address (Required when you use the destination-ip command to configure the destination address as the host name.)
  • Page 621
    Configuring jitter test on HWPing client
    Follow these steps to configure jitter test on HWPing client:
    To do… Use the command… Remarks
    Enter system view: system-view (—)
    Enable the HWPing client function: hwping-agent enable (Required. By default, the HWPing client function is disabled.)
  • Page 622
    To do… Use the command… Remarks
    Configure the probe timeout time: timeout time (Optional. By default, a probe times out in three seconds.)
    Configure the type of service: tos value (Optional. By default, the service type is zero.)
    Configure the number of test packets that will be sent in each jitter probe: jitter-packetnum number (Optional. By default, each jitter probe will...
  • Page 623
    To do… Use the command… Remarks
    Configure the maximum number of history records that can be saved: history-records number (Optional. By default, the maximum number is 50.)
    Configure the automatic test interval: frequency interval (Optional. By default, the automatic test interval is zero seconds, indicating no automatic test will be made.)
  • Page 624
    To do… Use the command… Remarks
    Configure the destination port: destination-port port (Required in a Tcpprivate test. A Tcppublic test is a TCP connection test on port 7. Use the hwping-server tcpconnect ip-address 7 command on the server to configure the listening service port;...
  • Page 625
    To do… Use the command… Remarks
    Enter system view: system-view (—)
    Enable the HWPing client function: hwping-agent enable (Required. By default, the HWPing client function is disabled.)
    Create a HWPing test group and enter its view: hwping administrator-name operation-tag (Required. By default, no test group is configured.)
  • Page 626
    To do… Use the command… Remarks
    Configure the automatic test interval: frequency interval (Optional. By default, the automatic test interval is zero seconds, indicating no automatic test will be made.)
    Configure the probe timeout time: timeout time (Optional. By default, a probe times out in three seconds.)
  • Page 627
    To do… Use the command… Remarks
    Configure the probe timeout time: timeout time (Optional. By default, a probe times out in three seconds.)
    Configure the type of service: tos value (Optional. By default, the service type is zero.)
    Configure the domain name to be resolved: dns resolve-target domai... (Required. By default, the domain name to...
  • Page 628: Displaying and Maintaining HWPing

    Displaying and Maintaining HWPing
    To do… Use the command… Remarks
    Display test history: display hwping history [ administrator-name operation-tag ] (Available in any view)
    Display the results of the latest test: display hwping results [ administrator-name operation-tag ] (Available in any view)
    HWPing Configuration Example
    ICMP Test
    Network requirements
    As shown in...
  • Page 629: DHCP Test

    # Display test results.
    [device-hwping-administrator-icmp] display hwping results administrator icmp
    HWPing entry(admin administrator, tag icmp) test result:
    Destination ip address:10.2.2.2
    Send operation times: 10
    Receive response times: 10
    Min/Max/Average Round Trip Time: 3/6/3
    Square-Sum of Round Trip Time: 145
    Last succeeded test time: 2000-4-2 20:55:12.3
    Extend result:
    SD Maximal delay: 0
    DS Maximal delay: 0...
  • Page 630
    # Create a HWPing test group, setting the administrator name to "administrator" and test tag to "DHCP".
    [device] hwping administrator dhcp
    # Configure the test type as dhcp.
    [device-hwping-administrator-dhcp] test-type dhcp
    # Configure the source interface, which must be a VLAN interface. Make sure the DHCP server resides on the network connected to this interface.
  • Page 631: FTP Test

    As shown in Figure 1-4, both the HWPing client and the FTP server are WX3000 series devices. Perform a HWPing FTP test between the two devices to test the connectivity to the specified FTP server and the time required to upload a file to the server after the connection is established. Both the username and password used to log in to the FTP server are “admin”.
  • Page 632
    [device-hwping-administrator-ftp] count 10
    # Set the probe timeout time to 30 seconds.
    [device-hwping-administrator-ftp] timeout 30
    # Configure the source IP address.
    [device-hwping-administrator-ftp] source-ip 10.1.1.1
    # Start the test.
    [device-hwping-administrator-ftp] test-enable
    # Display test results.
    [device-hwping-administrator-ftp] display hwping results administrator ftp
    HWPing entry(admin administrator, tag ftp) test result:
    Destination ip address:10.2.2.2
    Send operation times: 10...
  • Page 633: HTTP Test

    HTTP Test
    Network requirements
    As shown in Figure 1-5, Switch serves as the HWPing client, and a PC serves as the HTTP server. Perform a HWPing HTTP test between Switch and the HTTP server to test the connectivity and the time required to download a file from the HTTP server after the connection to the server is established.
  • Page 634: Jitter Test

    Jitter Test
    Network requirements
    Both the HWPing client and the HWPing server are WX3000 series devices. Perform a HWPing jitter test between the two devices to test the delay jitter of the UDP packets exchanged between this end (HWPing client) and the specified destination end (HWPing server), with the port number set to 9000.
  • Page 635: Network diagram

    Network diagram
    Figure 1-6 Network diagram for the jitter test (Switch A as HWPing client, 10.1.1.1/8, and Switch B as HWPing server, 10.2.2.2/8, connected over an IP network)
    Configuration procedure
    Configure HWPing Server (Switch B):
    # Enable the HWPing server and configure the IP address and port to listen on.
    <device>...
  • Page 636: SNMP Test

    SNMP Test
    Network requirements
    Both the HWPing client and the SNMP Agent are WX3000 series devices. Perform HWPing SNMP tests between the two devices to test the time from when Switch A sends an SNMP query message to Switch B (SNMP Agent) until it receives a response from Switch B.
  • Page 637
    Network diagram
    Figure 1-7 Network diagram for the SNMP test (Switch A as HWPing client, 10.1.1.1/8, and Switch B as SNMP agent, 10.2.2.2/8, connected over an IP network)
    Configuration procedure
    Configure SNMP Agent (Switch B):
    # Start SNMP agent and set SNMP version to V2C, read-only community name to "public", and read-write community name to "private".
  • Page 638: TCP Test (Tcpprivate Test) on the Specified Ports

    TCP Test (Tcpprivate Test) on the Specified Ports
    Network requirements
    Both the HWPing client and the HWPing server are WX3000 series devices. Perform a HWPing Tcpprivate test to test the time required to establish a TCP connection between this end (Switch A) and the specified destination end (Switch B), with the port number set to 8000.
  • Page 639
    Configuration procedure
    Configure HWPing Server (Switch B):
    # Enable the HWPing server and configure the IP address and port to listen on.
    <device> system-view
    [device] hwping-server enable
    [device] hwping-server tcpconnect 10.2.2.2 8000
    Configure HWPing Client (Switch A):
    # Enable the HWPing client.
    <device>...
  • Page 640: UDP Test (Udpprivate Test) on the Specified Ports

    UDP Test (Udpprivate Test) on the Specified Ports
    Network requirements
    Both the HWPing client and the HWPing server are WX3000 series devices. Perform a HWPing Udpprivate test on the specified ports between the two devices to test the RTT of UDP packets between this end (HWPing client) and the specified destination end (HWPing server), with the port number set to 8000.
  • Page 641: DNS Test

    [device-hwping-administrator-udpprivate] destination-ip 10.2.2.2
    # Configure the destination port on the HWPing server.
    [device-hwping-administrator-udpprivate] destination-port 8000
    # Configure to make 10 probes per test.
    [device-hwping-administrator-udpprivate] count 10
    # Set the probe timeout time to 5 seconds.
    [device-hwping-administrator-udpprivate] timeout 5
    # Start the test.
    [device-hwping-administrator-udpprivate] test-enable
    # Display test results.
  • Page 642
    Network diagram
    Figure 1-10 Network diagram for the DNS test (Switch as HWPing client, 10.1.1.1/8, and DNS server, 10.2.2.2/8, connected over an IP network)
    Configuration procedure
    Configure DNS Server:
    Use Windows 2003 Server as the DNS server. For DNS server configuration, refer to the related instruction on Windows 2003 Server configuration.
  • Page 643
    System busy operation number: 0
    Connection fail number: 0
    Operation sequence errors: 0
    Drop operation number: 0
    Other operation errors: 0
    Dns result:
    DNS Resolve Current Time: 10
    DNS Resolve Min Time: 6
    DNS Resolve Times: 10
    DNS Resolve Max Time: 10
    DNS Resolve Timeout Times: 0
    DNS Resolve Failed Times: 0
    [device-hwping-administrator-dns] display hwping history administrator dns...
  • Page 644 Table of Contents
    1 DNS Configuration 1-1
      DNS Overview 1-1
        Static Domain Name Resolution 1-1
        Dynamic Domain Name Resolution 1-1
      Configuring Domain Name Resolution 1-2
        Configuring Static Domain Name Resolution 1-2
        Configuring Dynamic Domain Name Resolution 1-3
      DNS Configuration Example 1-3
        Static Domain Name Resolution Configuration Example 1-3
        Dynamic Domain Name Resolution Configuration Example 1-4
      Displaying and Maintaining DNS 1-6
      Troubleshooting DNS Configuration 1-6...
  • Page 645: DNS Configuration

    DNS Configuration The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of the WX3000 series. The sample output information in this manual was created on the WX3024. The output information on your device may vary.
  • Page 646: Configuring Domain Name Resolution

    Figure 1-1 Dynamic domain name resolution (user program, DNS client made up of the resolver and its cache, and DNS server; requests and responses pass between the user program and the resolver and between the resolver and the DNS server; the resolver reads from and saves to the cache)
    Figure 1-1 shows the relationship between user program, DNS client, and DNS server. The resolver and cache comprise the DNS client. The user program and DNS client run on the same device, while the DNS server and the DNS client usually run on different devices.
  • Page 647: Configuring Dynamic Domain Name Resolution

    To do… Use the command… Remarks
    Enter system view: system-view (—)
    Configure a mapping between a host name and an IP address: ip host hostname ip-address (Required. No IP address is assigned to a host name by default.)
    The IP address you most recently assign to a host name overwrites the previous one, if there is any. You may create up to 50 static mappings between domain names and IP addresses.
  • Page 648: Dynamic Domain Name Resolution Configuration Example

    Figure 1-2 Network diagram for static DNS configuration (Switch, 10.1.1.1/24, and Host host.com, 10.1.1.2/24)
    Configuration procedure
    # Configure a mapping between host name host.com and IP address 10.1.1.2.
    <device> system-view
    [device] ip host host.com 10.1.1.2
    # Execute the ping host.com command to verify that the device can use static domain name resolution to get the IP address 10.1.1.2 corresponding to host.com.
  • Page 649
    Configuration procedure
    Before doing the following configuration, make sure that:
    The routes between the DNS server, Switch, and Host are reachable.
    Necessary configurations are done on the devices. For the IP addresses of the interfaces, see the figure above.
    There is a mapping between domain name host and IP address 3.1.1.1/16 on the DNS server.
    The DNS server works normally.
  • Page 650: Displaying and Maintaining DNS

    Displaying and Maintaining DNS
    To do… Use the command… Remarks
    Display static DNS database: display ip host (Available in any view)
    Display the DNS server information: display dns server [ dynamic ] (Available in any view)
    Display the DNS suffixes: display dns domain [ dynamic ] (Available in any view)
    Display the information in the dynamic domain name cache: display dns dynamic-host...
  • Page 651 Table of Contents
    1 Smart Link Configuration 1-1
      Smart Link Overview 1-1
        Basic Concepts in Smart Link 1-1
        Operating Mechanism of Smart Link 1-3
      Configuring Smart Link 1-3
        Configuration Task List 1-3
        Configuring a Smart Link Device 1-4
        Configuring Associated Devices 1-5
        Precautions 1-5
      Displaying and Maintaining Smart Link 1-6
      Smart Link Configuration Example 1-6
        Implementing Link Redundancy Backup 1-6
    2 Monitor Link Configuration 2-1...
  • Page 652: Smart Link Configuration

    The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. The sample output information in this manual was created on the WX3024. The output information on your device may vary.
  • Page 653
    Master port
    The master port can be either an Ethernet port or a manually-configured or static LACP aggregation group. For example, you can configure GigabitEthernet 1/0/1 of switch A in Figure 1-1 as the master port through the command line.
    Slave port
    The slave port can be either an Ethernet port or a manually-configured or static LACP aggregation group.
  • Page 654: Operating Mechanism of Smart Link

    Operating Mechanism of Smart Link
    Figure 1-2 Network diagram of Smart Link operating mechanism (Switch A, Switch B, Switch C, Switch D and Switch E; GigabitEthernet ports 1/0/1 through 1/0/3, 1/0/11 and 1/0/12; one link marked BLOCK)...
  • Page 655: Configuring a Smart Link Device

    Task Remarks
    Configuring a Smart Link Device (Required): Create a Smart Link group; Add member ports to the Smart Link group; Enable the function of sending flush messages in the specified control VLAN
    Configuring Associated Devices (Required): Enable the function of processing flush messages received from the specified control VLAN...
  • Page 656: Configuring Associated Devices

    To do… Use the command… Remarks
    Enable the function of sending flush messages in the specified control VLAN: flush enable control-vlan vlan-id (Optional. By default, no control VLAN for sending flush messages is specified.)
    Configuring Associated Devices
    An associated device mentioned in this document refers to a device that supports Smart Link and is locally configured to process flush messages received from the specified control VLAN, so as to work with the corresponding Smart Link device.
  • Page 657: Displaying and Maintaining Smart Link

    Implementing Link Redundancy Backup
    Network requirements
    As shown in Figure 1-3, Switch A is a WX3000 series device. Switch C, Switch D and Switch E support Smart Link. Configure the Smart Link feature to provide remote PCs with reliable access to the server.
  • Page 658
    Figure 1-3 Network diagram for Smart Link configuration (Server, Switch E, Switch C, Switch D and Switch A; GigabitEthernet ports 1/0/1 through 1/0/3 between them)
    Configuration procedure
    Configure a Smart Link group on Switch A and configure member ports for it. Enable the function of sending flush messages in Control VLAN 1.
  • Page 659
    # Enable the function of processing flush messages received from VLAN 1 on GigabitEthernet 1/0/2.
    <SwitchC> smart-link flush enable control-vlan 1 port GigabitEthernet 1/0/2
    Enable the function of processing flush messages received from VLAN 1 on Switch D.
    # Enter system view.
    <SwitchD>...
  • Page 660: Monitor Link Configuration

    Monitor Link Configuration
    Introduction to Monitor Link
    Monitor Link is a collaboration scheme introduced to complement Smart Link. It is used to monitor uplinks and to improve the backup function of Smart Link. A Monitor Link group consists of an uplink port and one or multiple downlink ports. When the link for the uplink port of a Monitor Link group fails, all the downlink ports in the Monitor Link group are forced down.
  • Page 661: How Monitor Link Works

    How Monitor Link Works
    Figure 2-2 Network diagram for a Monitor Link group implementation (Switch A, Switch B, Switch C, Switch D and Switch E; GigabitEthernet ports 1/0/1 through 1/0/3, 1/0/11 and 1/0/12; one link marked BLOCK)...
  • Page 662: Configuring Monitor Link

    Configuring Monitor Link Before configuring a Monitor Link group, you must create a Monitor Link group and configure member ports for it. A Monitor Link group consists of an uplink port and one or multiple downlink ports. The uplink port can be a manually-configured or static LACP link aggregation group, an Ethernet port, or a Smart Link group.
  • Page 663: Configuring a Downlink Port

    To do… Use the command… Remarks
    Configure the specified link aggregation group as the uplink port of the Monitor Link group: link-aggregation group group-id uplink
    Configure the specified Smart Link group as the uplink port of the Monitor Link group: smart-link group group-id uplink
    Configure the...
  • Page 664: Displaying and Maintaining Monitor Link

    A Smart Link/Monitor Link group with members cannot be deleted.
    A Smart Link group as a Monitor Link group member cannot be deleted.
    The Smart Link/Monitor Link function and the remote port mirroring function are incompatible with each other.
    If a single port is specified as a Smart Link/Monitor Link group member, do not use the lacp enable command on the port or add the port to another dynamic link aggregation group, because doing so will cause the port to become an aggregation group member.
  • Page 665
    Figure 2-3 Network diagram for Monitor Link configuration (Server, Switch E, Switch C, Switch D, Switch A, Switch B, PC 1 and PC 2; GigabitEthernet ports 1/0/1 through 1/0/3, 1/0/10 and 1/0/11; one link marked BLOCK)...
  • Page 666
    Enable Monitor Link on Switch C and Switch D and enable the function of processing flush messages received from VLAN 1. Perform the following configuration on Switch C. The operation procedure on Switch D is the same as that performed on Switch C.
    # Enter system view.
  • Page 667 Table of Contents
    1 PoE Configuration 1-1
      PoE Overview 1-1
        Introduction to PoE 1-1
        PoE Features Supported by the Device 1-2
      PoE Configuration 1-2
        PoE Configuration Task List 1-2
        Enabling the PoE Feature on a Port 1-3
        Setting the Maximum Output Power on a Port 1-3
        Setting PoE Management Mode and PoE Priority of a Port 1-4
        Setting the PoE Mode on a Port 1-4
        Configuring the PD Compatibility Detection Function 1-5...
  • Page 668: PoE Configuration

    PoE Configuration Example
    The terms switching engine and Ethernet switch used throughout this documentation refer to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series.
    PoE Overview
    Introduction to PoE...
  • Page 669: PoE Features Supported by the Device

    PoE Features Supported by the Device
    Table 1-1 Power supply parameters of PoE device
    Columns: Device; Input power supply; Total PoE output power; Maximum PoE distance; Maximum number of electrical ports supplying power; Maximum power provided by each electrical port
    WX3024: DC input; 600 W; 100 m (328.08...
  • Page 670: Enabling the PoE Feature on a Port

    Task Remarks
    Enabling the PoE Feature on a Port (Required)
    Setting the Maximum Output Power on a Port (Optional)
    Setting PoE Management Mode and PoE Priority of a Port (Optional)
    Setting the PoE Mode on a Port (Optional)
    Configuring the PD Compatibility Detection Function (Optional)
    Upgrading the PSE Processing Software Online (Optional)...
  • Page 671: Setting PoE Management Mode and PoE Priority of a Port

    Setting PoE Management Mode and PoE Priority of a Port When the device is close to its full load in supplying power, you can adjust the power supply of the device through the cooperation of the PoE management mode and the port PoE priority settings. The device supports two PoE management modes, auto and manual.
  • Page 672: Configuring the PD Compatibility Detection Function

    To do… Use the command… Remarks
    Set the PoE mode on the port to signal: poe mode signal (Optional. signal by default.)
    Configuring the PD Compatibility Detection Function
    After the PD compatibility detection function is enabled, the device can detect the PDs that do not conform to the 802.3af standard and supply power to them.
  • Page 673: Displaying and Maintaining PoE Configuration

    In the case that the PSE processing software is damaged (that is, no PoE command can be executed successfully), use the full update mode to upgrade and thus restore the software. The refresh update mode is to upgrade the original processing software in the PSE through refreshing the software, while the full update mode is to delete the original processing software in PSE completely and then reload the software.
  • Page 674
    Figure 1-1 Network diagram for PoE (Network; Switch A with GigabitEthernet 1/0/1, 1/0/2 and 1/0/8; Switch B)
    Configuration procedure
    # Upgrade the PSE processing software online.
    <SwitchA> system-view
    [SwitchA] poe update refresh 0290_021.s19
    # Enable the PoE feature on GigabitEthernet 1/0/1, and set the PoE maximum output power of GigabitEthernet 1/0/1 to 12,000 mW.
  • Page 675: PoE Profile Configuration

    PoE Profile Configuration
    Introduction to PoE Profile
    On a large-sized network or a network with mobile users, to help network administrators to monitor the PoE features of the device, the device provides the PoE profile features. A PoE profile is a set of PoE configurations, including multiple PoE features.
  • Page 676: Displaying and Maintaining PoE Profile Configuration

    To do… Use the command… Remarks
    Apply the existing PoE profile to the specified Ethernet port, in system view: apply poe-profile profile-name interface interface-type interface-number [ to interface-type interface-number ] (Use either approach.)
    Apply the existing PoE profile to the specified Ethernet port, in Ethernet port view: first enter Ethernet port view with interface interface-type interface-number (Use either approach.)
    Apply the existing...
  • Page 677: PoE Profile Configuration Example

    PoE Profile Configuration Example
    PoE Profile Application Example
    Network requirements
    As shown in Figure 2-1, Switch A supports PoE. GigabitEthernet 1/0/1 through GigabitEthernet 1/0/10 of Switch A are used by users of group A, who have the following requirements:
    The PoE function can be enabled on all ports in use.
    Signal mode is used to supply power.
  • Page 678
    [SwitchA-poe-profile-Profile1] poe enable
    [SwitchA-poe-profile-Profile1] poe mode signal
    [SwitchA-poe-profile-Profile1] poe priority critical
    [SwitchA-poe-profile-Profile1] poe max-power 3000
    [SwitchA-poe-profile-Profile1] quit
    # Display detailed configuration information for Profile1.
    [SwitchA] display poe-profile name Profile1
    Poe-profile: Profile1, 3 action
    poe enable
    poe max-power 3000
    poe priority critical
    # Create Profile2, and enter PoE profile view.
  • Page 679 Table of Contents
    1 IP Routing Protocol Overview 1-1
      Introduction to IP Route and Routing Table 1-1
        IP Route 1-1
        Routing Table 1-1
      Routing Protocol Overview 1-3
        Static Routing and Dynamic Routing 1-3
        Classification of Dynamic Routing Protocols 1-3
        Routing Protocols and Routing Priority 1-3
        Load Sharing and Route Backup 1-4
        Routing Information Sharing 1-4
      Displaying and Maintaining a Routing Table 1-5...
  • Page 680
        Filters 4-1
      IP Route Policy Configuration Task List 4-2
      Route Policy Configuration 4-2
        Configuration Prerequisites 4-2
        Defining a Route Policy 4-3
        Defining if-match Clauses and apply Clauses 4-3
      Displaying and Maintaining IP Route Policy 4-4
      IP Route Policy Configuration Example 4-4
        Controlling RIP Packet Cost to Implement Dynamic Route Backup 4-4
      Troubleshooting IP Route Policy 4-8...
  • Page 681: IP Routing Protocol Overview

    Introduction to IP Route and Routing Table
    Routing Protocol Overview
    Displaying and Maintaining a Routing Table
    The term router in this chapter refers to a router in a generic sense or a WX3000 series device running a routing protocol.
    Introduction to IP Route and Routing Table
    IP Route
    Routers are used for route selection on the Internet.
  • Page 682 host or router resides. For example, if the destination address is 129.102.8.10 and the mask is 255.255.0.0, the address of the network segment where the destination host or router resides is 129.102.0.0. A mask consists of some consecutive 1s, represented either in dotted decimal notation or by the number of the consecutive 1s in the mask.
  • Page 683: Routing Protocol Overview

    Routing Protocol Overview Static Routing and Dynamic Routing Static routing is easy to configure and requires fewer system resources. It works well in small, stable networks with simple topologies. It cannot adapt to network topology changes automatically, so you must reconfigure routing whenever the network topology changes.
  • Page 684: Load Sharing And Route Backup

    each routing protocol (including static routes) is assigned a priority. The route found by the routing protocol with the highest priority is preferred. The following table lists some routing protocols and the default priorities for routes found by them: Table 1-1 Routing protocols and priorities of their default route Routing approach Priority DIRECT...
  • Page 685: Displaying And Maintaining A Routing Table

    routing information. Each routing protocol shares routing information discovered by other routing protocols through a route redistribution mechanism. Displaying and Maintaining a Routing Table To do… | Use the command… | Remarks: Display brief information about a routing table | display ip routing-table [ | { begin | exclude | include } regular-expression ]; Display detailed information...
  • Page 686: Static Route Configuration

    Displaying and Maintaining Static Routes Static Route Configuration Example Troubleshooting a Static Route The term router in this chapter refers to a router in a generic sense or a WX3000 series device running a routing protocol. Introduction to Static Route Static Route Static routes are special routes.
  • Page 687: Static Route Configuration

    Default Route To avoid too large a routing table, you can configure a default route. When the destination address of a packet matches no entry in the routing table and a default route exists, the default route is selected to forward the packet. If there is no default route, the packet is discarded and an ICMP Destination Unreachable or Network Unreachable message is returned to the source.
  • Page 688: Displaying And Maintaining Static Routes

    Displaying and Maintaining Static Routes To do... | Use the command... | Remarks: Display the current configuration information | display current-configuration; Display brief information about a routing table | display ip routing-table; Display detailed information about a routing table | display ip routing-table verbose; (all available in any view) display ip routing-table...
  • Page 689: Troubleshooting A Static Route

    Configuration procedure When only one interface of the device is interconnected with another network segment, you can implement network communication by configuring either a static route or a default route. Perform the following configurations on the device. # Approach 1: Configure static routes on Switch A. <SwitchA>...
  • Page 690: Rip Configuration

    RIP Configuration Task List RIP Configuration Example Troubleshooting RIP Configuration The term router in this chapter refers to a router in a generic sense or a WX3000 series device running a routing protocol. RIP Overview Routing information protocol (RIP) is a simple interior gateway protocol (IGP) suitable for small-sized networks.
  • Page 691: Rip Startup And Operation

    Interface: Outbound interface on this router, through which IP packets should be forwarded to reach the destination. Metric: Cost from the local router to the destination. Route time: Time elapsed since the routing entry was last updated. The time is reset to 0 every time the routing entry is updated.
  • Page 692: Rip Configuration Task List

    RIP Configuration Task List Complete the following tasks to configure RIP: Task | Remarks: Configuring Basic RIP Functions: Enabling RIP on the interfaces attached to a specified network segment | Required; Setting the RIP operating status on an interface | Optional; Specifying the RIP version on an interface | Optional; Setting the additional routing metrics of an interface | Optional...
  • Page 693: Rip Route Control

    Related RIP commands configured in interface view can take effect only after RIP is enabled. RIP operates on the interfaces attached to a specified network segment. When RIP is disabled on an interface, it does not operate on that interface: it neither receives nor sends routes on the interface, and it does not forward any interface route.
  • Page 694: Configuring Rip Route Control

    Set the preference of RIP to change the preference order of routing protocols. This order makes sense when more than one route to the same destination is discovered by multiple routing protocols. Redistribute external routes in an environment with multiple routing protocols. Configuration Prerequisites Before configuring RIP route control, perform the following tasks: Configuring network layer addresses of interfaces so that adjacent nodes are reachable to each...
  • Page 695 Follow these steps to configure RIP route summarization: To do... | Use the command... | Remarks: Enter system view | system-view | —; Enter RIP view | —; Enable RIP-2 automatic route summarization | summary | Required, Enabled by default. Disabling the router from receiving host routes In some special cases, the router can receive a lot of host routes from the same segment, and these routes are of little help in route addressing but consume a lot of network resources.
  • Page 696: Rip Network Adjustment And Optimization

    The filter-policy import command filters the RIP routes received from neighbors, and the routes being filtered out will neither be added to the routing table nor be advertised to any neighbors. The filter-policy export command filters all the routes to be advertised, including the routes redistributed with the import-route command and routes learned from neighbors.
  • Page 697: Configuration Tasks

    Configuration Prerequisites Before adjusting RIP, perform the following tasks: Configuring the network layer addresses of interfaces so that adjacent nodes are reachable to each other at the network layer Configuring basic RIP functions Configuration Tasks Configuring RIP timers Follow these steps to configure RIP timers: To do...
  • Page 698 To do... | Use the command... | Remarks: Enter system view | system-view | —; Enter RIP view | —; Enable the check of the must-be-zero fields in RIP-1 packets | checkzero | Required, Enabled by default. Some fields in a RIP-1 packet must be 0, and they are known as must-be-zero fields. For RIP-1, the must-be-zero fields are checked for incoming packets, and RIP-1 packets with a nonzero value in these fields will not be processed.
  • Page 699: Displaying And Maintaining Rip Configuration

    To do... | Use the command... | Remarks: Configure RIP to unicast RIP packets | peer ip-address | Required. When RIP runs on a link that does not support broadcast or multicast, you must configure RIP to unicast RIP packets. Displaying and Maintaining RIP Configuration To do...
  • Page 700: Troubleshooting Rip Configuration

    Configuration procedure Only the configuration related to RIP is listed below. Before the following configuration, make sure the Ethernet link layer works normally and the IP addresses of VLAN interfaces are configured correctly. Configure Switch A: # Configure RIP. <SwitchA> system-view [SwitchA] rip [SwitchA-rip] network 110.11.2.0 [SwitchA-rip] network 155.10.1.0...
  • Page 701: Ip Route Policy Configuration

    Displaying and Maintaining IP Route Policy IP Route Policy Configuration Example Troubleshooting IP Route Policy The term router in this chapter refers to a router in a generic sense or a WX3000 series device running a routing protocol. IP Route Policy Overview...
  • Page 702: Ip Route Policy Configuration Task List

    For ACL configuration, refer to the part discussing ACL. Route policy A route policy matches given routing information against certain attributes; if the match conditions are satisfied, the attributes of that routing information are set. A route policy can comprise multiple nodes. Each node is a unit of match testing, and the nodes are evaluated in ascending order of their node numbers.
  • Page 703 Match conditions | Route attributes to be changed. Defining a Route Policy Follow these steps to define a route policy: To do... | Use the command... | Remarks: Enter system view | system-view | —; Define a route policy and enter the route policy view | route-policy route-policy-name { permit | deny } node node-number | Required, Not defined by default...
  • Page 704: Displaying And Maintaining Ip Route Policy

    To do... | Use the command... | Remarks: Define a rule to match the next-hop address of routing information | if-match ip next-hop acl acl-number | Optional. By default, no matching is performed on the next-hop address of routing information. Apply a cost to routes satisfying matching rules | apply cost value | Optional. By default, no cost is applied to routes...
  • Page 705 Figure 4-1 Network diagram. Device | Interface | IP address: Switch A: Vlan-int 2 2.2.2.1/8, Vlan-int 3 3.3.3.254/8, Vlan-int 10 1.1.1.254/8; Switch B: Vlan-int 3 3.3.3.253/8, Vlan-int 6 6.6.6.5/8, Vlan-int 10 1.1.1.253/8; Switch C: Vlan-int 1 192.168.0.39/24, Vlan-int 2 2.2.2.2/8, Vlan-int 6 6.6.6.6/8; OA Server 1.1.1.1/32...
  • Page 706 [SwitchA-rip] network 2.0.0.0 [SwitchA-rip] network 3.0.0.0 Configure Switch B. # Create VLANs and configure IP addresses for the VLAN interfaces. The configuration procedure is omitted. # Configure RIP. <SwitchB> system-view [SwitchB] rip [SwitchB-rip] network 1.0.0.0 [SwitchB-rip] network 3.0.0.0 [SwitchB-rip] network 6.0.0.0 Configure Switch C.
  • Page 707 # Create node 40 with the matching mode being permit in the route policy. Define if-match clauses. Apply the cost 5 to routes matching the outgoing interface VLAN-interface 6 and ACL 2001. [SwitchC] route-policy in permit node 40 [SwitchC-route-policy] if-match interface Vlan-interface6 [SwitchC-route-policy] if-match acl 2001 [SwitchC-route-policy] apply cost 5 [SwitchC-route-policy] quit...
  • Page 708: Troubleshooting Ip Route Policy

    Precautions When you configure the apply cost command in a route policy: The new cost should be greater than the original one to prevent RIP from generating a routing loop when a loop exists in the topology. The cost will become 16 if you try to set it to a value greater than 16. The cost will become the original one if you try to set it to 0.
  • Page 709 Table of Contents 1 UDP Helper Configuration 1-1; Introduction to UDP Helper 1-1; Configuring UDP Helper 1-2; Displaying and Maintaining UDP Helper 1-3; UDP Helper Configuration Example 1-3; Cross-Network Computer Search Through UDP Helper 1-3...
  • Page 710: Udp Helper Configuration

    UDP Helper Configuration When configuring UDP helper, go to these sections for information you are interested in: Introduction to UDP Helper Configuring UDP Helper Displaying and Maintaining UDP Helper UDP Helper Configuration Example Introduction to UDP Helper Sometimes, a host needs to forward broadcasts to obtain network configuration information or request the names of other devices on the network.
  • Page 711: Configuring Udp Helper

    Protocol | UDP port number: Time Service ... Configuring UDP Helper Follow these steps to configure UDP Helper: To do… | Use the command… | Remarks: Enter system view | system-view | —; Enable UDP Helper | udp-helper enable | Required, Disabled by default; Specify a UDP port number | udp-helper port { port-number ... | Optional. By default, the device enabled with UDP Helper forwards the...
  • Page 712: Displaying And Maintaining Udp Helper

    Displaying and Maintaining UDP Helper To do… | Use the command… | Remarks: Display the UDP broadcast relay forwarding information of a specified VLAN interface on the device | display udp-helper server [ interface vlan-interface vlan-id ] | Available in any view; Clear statistics about packets forwarded by UDP Helper | reset udp-helper packet | Available in user view...
  • Page 713 Table of Contents Appendix A Acronyms A-1...
  • Page 714 Appendix A Acronyms: Authentication, Authorization and Accounting; Area Border Router; Access Control List; Address Resolution Protocol; Autonomous System; ASBR Autonomous System Border Router; Backup Designated Router; Committed Access Rate; Command Line Interface; Class of Service; Distributed Device Management; Distributed Link Aggregation; Distributed Resilient Routing; DHCP Dynamic Host Configuration Protocol...
  • Page 715 Link State Advertisement; LSDB Link State DataBase; Medium Access Control; Management Information Base; NBMA Non Broadcast MultiAccess; Network Information Center; Network Management System; NVRAM Nonvolatile RAM; Protocol Independent Multicast; PIM-DM Protocol Independent Multicast-Dense Mode; PIM-SM Protocol Independent Multicast-Sparse Mode; Quality of Service; RMON Remote Network Monitoring; RSTP...

This manual is also suitable for: WX3024, WX3010, WX3008