3Com Switch 4500 Family

Configuration Guide

Switch 4500 26-Port
Switch 4500 50-Port
Switch 4500 PWR 26-Port
Switch 4500 PWR 50-Port
Product Version: V03.03.00
Manual Version:
6W101-20090811
www.3com.com
3Com Corporation
350 Campus Drive, Marlborough,
MA, USA 01752 3064


   Summary of Contents for 3Com 4500

  • Page 1: Configuration Guide

    3Com Switch 4500 Family Configuration Guide Switch 4500 26-Port Switch 4500 50-Port Switch 4500 PWR 26-Port Switch 4500 PWR 50-Port Product Version: V03.03.00 Manual Version: 6W101-20090811 www.3com.com 3Com Corporation 350 Campus Drive, Marlborough, MA, USA 01752 3064...
  • Page 2 3Com Corporation. 3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
  • Page 3: Table Of Contents

    About This Manual. Organization: the 3Com Switch 4500 Family Configuration Guide is organized as follows (Part: Contents). 1 Login: Introduces the ways to log in to an Ethernet switch and the CLI-related configuration. 2 Configuration File Management: Introduces the configuration file and the related configuration.
  • Page 4 Part: Contents. 27 UDP Helper: Introduces UDP helper and the related configuration. 28 SNMP-RMON: Introduces the configuration for network management through SNMP and RMON. 29 NTP: Introduces NTP and the related configuration. 30 SSH: Introduces SSH2.0 and the related configuration. 31 File System Management: Introduces basic configuration for file system management.
  • Page 5: Related Documentation

    3Com Switch 4500 Family Release Notes: if information in this guide differs from information in the release notes, use the information in the Release Notes. Obtaining Documentation: You can access the most up-to-date 3Com product documentation on the World Wide Web at this URL: http://www.3com.com.
  • Page 6: Login

    Table of Contents 1 Logging In to an Ethernet Switch ············································································································1-1 Logging In to an Ethernet Switch ············································································································1-1 Introduction to the User Interface············································································································1-1 Supported User Interfaces ··············································································································1-1 Relationship Between a User and a User Interface ········································································1-2 User Interface Index ························································································································1-2 Common User Interface Configuration····························································································1-3 2 Logging In Through the Console Port·····································································································2-1 Introduction ·············································································································································2-1...
  • Page 7 Switch Configuration························································································4-2 Modem Connection Establishment ·········································································4-2 5 CLI Configuration ······································································································5-1 Introduction to the CLI·····························································································5-1 Command Hierarchy ·······························································································5-1 Command Level and User Privilege Level ······················································5-1 Modifying the Command Level········································································5-2 Switching User Level ·······················································································5-3 CLI Views ················································································································5-5 CLI Features ···········································································································5-8 Online Help······································································································5-8 Terminal Display······························································································5-9 Command History··························································································5-10 Error Prompts ································································································································5-10...
  • Page 8: Logging In To An Ethernet Switch

    Logging In to an Ethernet Switch Introduction to the User Interface Logging In to an Ethernet Switch To manage or configure a Switch 4500, you can log in to it in one of the following three methods: Command Line Interface Web-based Network Management Interface...
  • Page 9: Relationship Between A User And A User Interface

    VTY user interfaces are numbered VTY0, VTY1, and so on. Switch 4500 supports XRN Fabric. A Fabric can contain up to eight devices. Accordingly, the AUX user interfaces in a Fabric can be numbered from AUX0 to AUX7, through which all the console ports of the...
  • Page 10: Common User Interface Configuration

    Common User Interface Configuration. Follow these steps to configure common user interface (To do… / Use the command… / Remarks): Lock the current user interface: lock (optional; available in user view; a user interface is not locked by default). Specify to send messages to all user interfaces/a …: send { all | number | type number }...
  • Page 11: Logging In Through The Console Port

    To log in through the console port is the most common way to log in to a switch. It is also the prerequisite to configure other login methods. By default, you can locally log in to Switch 4500 through its console port only.
  • Page 12 If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP. The following assumes that you are running Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4...
  • Page 13: Console Port Login Configuration

    Figure 2-4 Set port parameters Turn on the switch. You will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt appears after you press the Enter key. You can then configure the switch or check the information about the switch by executing the corresponding commands.
  • Page 14 Configuration / Remarks: Set the maximum number of lines the screen can contain (optional; by default, the screen can contain up to 24 lines). Set history command buffer size (optional; by default, the history command buffer can contain up to 10 commands). Set the timeout time of a user interface (optional)...
  • Page 15: Console Port Login Configurations For Different Authentication Modes

    To do… / Use the command… / Remarks: Set the maximum number of lines the screen can contain: screen-length screen-length (optional; by default, the screen can contain up to 24 lines; you can use the screen-length 0 command to disable the function to display information in pages).
  • Page 16: Console Port Login Configuration With Authentication Mode Being None

    Changes made to the authentication mode for console port login takes effect after you quit the command-line interface and then log in again. Console Port Login Configuration with Authentication Mode Being None Configuration Procedure Follow these steps to configure console port login with the authentication mode being none: To do…...
  • Page 17: Console Port Login Configuration With Authentication Mode Being Password

    Network diagram: Figure 2-5 Network diagram for AUX user interface configuration (with the authentication mode being none) (figure labels: GE1/0/1, Ethernet, configuration PC running Telnet). Configuration procedure # Enter system view. <Sysname> system-view # Enter AUX user interface view. [Sysname] user-interface aux 0 # Specify not to authenticate users logging in through the console port.
  • Page 18: Configuration Example

    To do… / Use the command… / Remarks: Enter system view: system-view. Enter AUX user interface view: user-interface aux 0. Configure to authenticate users using the local password: authentication-mode password (required; by default, users logging in to a switch through the console port are not authenticated;...
  • Page 19: Console Port Login Configuration With Authentication Mode Being Scheme

    <Sysname> system-view # Enter AUX user interface view. [Sysname] user-interface aux 0 # Specify to authenticate users logging in through the console port using the local password. [Sysname-ui-aux0] authentication-mode password # Set the local password to 123456 (in plain text). [Sysname-ui-aux0] set authentication password simple 123456 # Specify commands of level 2 are available to users logging in to the AUX user interface.
  • Page 20: Configuration Example

    To do… / Use the command… / Remarks: Enter the default ISP domain view: domain domain-name (optional). Specify the AAA scheme to be applied: scheme { local | none | radius-scheme ... (optional; by default, the local AAA scheme is applied. If you specify to apply the local AAA scheme, you need to perform the configuration...
  • Page 21 Set the service type of the local user to Terminal and the command level to 2. Configure to authenticate the users in the scheme mode. The baud rate of the console port is 19,200 bps. The screen can contain up to 30 lines. The history command buffer can store up to 20 commands.
  • Page 22 [Sysname-ui-aux0] history-command max-size 20 # Set the timeout time of the AUX user interface to 6 minutes. [Sysname-ui-aux0] idle-timeout 6 After the above configuration, you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in Figure 2-4 to log in to the switch successfully.
  • Page 23: Logging In Through Telnet

    Telnet Configuration with Authentication Mode Being Password Introduction Switch 4500 supports Telnet. You can manage and maintain a switch remotely by Telnetting to the switch. To log in to a switch through Telnet, the corresponding configuration is required on both the switch and the Telnet terminal.
  • Page 24 Configuration / Description: Configure the protocols the user interface supports (optional; by default, Telnet and SSH are supported). Set the commands to be executed automatically after a user logs in to the user interface successfully (optional; by default, no command is executed automatically after a user logs in to the VTY user interface).
  • Page 25: Telnet Configurations For Different Authentication Modes

    To do… / Use the command… / Remarks: Set the history command buffer size: history-command max-size value (optional; the default history command buffer size is 10, that is, the history command buffer of a user can store up to 10 commands by default).
  • Page 26: Telnet Configuration With Authentication Mode Being None

    To improve security and prevent attacks on unused sockets, TCP port 23 (Telnet) and TCP port 22 (SSH) are enabled or disabled according to the configuration. If the authentication mode is none, TCP 23 is enabled and TCP 22 is disabled. If the authentication mode is password and the corresponding password has been set, TCP 23 is enabled and TCP 22 is disabled.
  • Page 27: Telnet Configuration With Authentication Mode Being Password

    Network diagram Figure 3-1 Network diagram for Telnet configuration (with the authentication mode being none) Configuration procedure # Enter system view. <Sysname> system-view # Enter VTY 0 user interface view. [Sysname] user-interface vty 0 # Configure not to authenticate Telnet users logging in to VTY 0. [Sysname-ui-vty0] authentication-mode none # Specify commands of level 2 are available to users logging in to VTY 0.
  • Page 28: Configuration Example

    When the authentication mode is password, the command level available to users logging in to the user interface is determined by the user privilege level command. Configuration Example. Network requirements: Assume the current user logs in through the console port and the current user level is set to the administrator level (level 3).
  • Page 29: Telnet Configuration With Authentication Mode Being Scheme

    Telnet Configuration with Authentication Mode Being Scheme. Configuration Procedure: Follow these steps to configure Telnet with the authentication mode being scheme (To do… / Use the command… / Remarks): Enter system view: system-view. Enter one or more VTY user interface views: user-interface vty ...
  • Page 30: Configuration Example

    Refer to the AAA part of this manual for information about AAA and RADIUS. Configuration Example. Network requirements: Assume the current user logs in through the console port and the user level is set to the administrator level (level 3). Perform the following configurations for users logging in to VTY 0 using Telnet. Configure the local user name as guest.
  • Page 31: Telnetting To A Switch

    # Set the maximum number of lines the screen can contain to 30. [Sysname-ui-vty0] screen-length 30 # Set the maximum number of commands the history command buffer can store to 20. [Sysname-ui-vty0] history-command max-size 20 # Set the timeout time to 6 minutes. [Sysname-ui-vty0] idle-timeout 6 Telnetting to a Switch Telnetting to a Switch from a Terminal...
  • Page 32 <Sysname>) appears if the password is correct. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message “All user interfaces are used, please try later!”. A 3Com switch can accommodate up to five Telnet connections at the same time.
  • Page 33: Telnetting To Another Switch From The Current Switch

    Telnetting to another Switch from the Current Switch. You can Telnet to another switch from the current switch. In this case, the current switch operates as the client, and the other operates as the server. If the interconnected Ethernet ports of the two switches are in the same LAN segment, make sure the IP addresses of the two management VLAN interfaces to which the two Ethernet ports belong are in the same network segment, or that a route between the two VLAN interfaces is available.
  • Page 34: Logging In Using A Modem

    Logging In Using a Modem Go to these sections for information you are interested in: Introduction Configuration on the Switch Side Modem Connection Establishment Introduction The administrator can log in to the console port of a remote switch using a modem through public switched telephone network (PSTN) if the remote switch is connected to the PSTN through a modem to configure and maintain the switch remotely.
  • Page 35: Switch Configuration

    You can verify your configuration by executing the AT&V command. The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration. Switch Configuration After logging in to a switch through its console port by using a modem, you will enter the AUX user interface.
  • Page 36 Figure 4-1 Establish the connection by using modems (figure labels: modem serial cable, telephone line, modem, PSTN, modem, telephone number of the remote end: 82882285, console port). Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch, as shown in Figure 4-2 through...
  • Page 37 Figure 4-3 Set the telephone number Figure 4-4 Call the modem If the password authentication mode is specified, enter the password when prompted. If the password is correct, the prompt (such as <Sysname>) appears. You can then configure or manage the switch.
  • Page 38: Cli Configuration

    Each 3Com Switch 4500 provides an easy-to-use CLI and a set of configuration commands for the convenience of the user to configure and manage the switch. The CLI on the 3Com Switch 4500 provides the following features, which give it good manageability and operability.
  • Page 39: Modifying The Command Level

    Monitor level (level 1): Commands at this level are mainly used to maintain the system and diagnose service faults, and they cannot be saved in the configuration file. Such commands include debugging and terminal. System level (level 2): Commands at this level are mainly used to configure services. Commands concerning routing and network layers are at this level.
  • Page 40: Switching User Level

    To do… / Use the command… / Remarks: Enter system view: system-view. Configure the level of a command in a specific view: command-privilege level level view view command (required; you are recommended to use the default command level or modify the command level under the guidance of professional staff;...
  • Page 41 To avoid misoperations, administrators are recommended to log in to the device with a lower privilege level to view device operating parameters, and to switch to a higher level temporarily only when they have to maintain the device. When an administrator needs to leave for a while or asks someone else to manage the device temporarily, they should switch to a lower privilege level before leaving, to restrict what others can do.
  • Page 42: Cli Views

    After executing the system-view command, the user enters system view, where the user can go to other views by entering corresponding commands. Table 5-1 lists the CLI views provided by the 3Com Switch 4500, operations that can be performed in different CLI views and the commands used to enter specific CLI views.
  • Page 43 Ethernet port view: prompt [Sysname-GigabitEthernet1/0/25]; entered by executing the interface command in system view. Aux1/0/0 port view: prompt [Sysname-Aux1/0/0]; entered by executing the interface aux 1/0/0 command in system view (Aux1/0/0 is the console port; the 3Com Switch 4500 does not support configuration on port Aux1/0/0). Execute the vlan...
  • Page 44 View / Prompt example / Enter method / Quit method / Available operation: FTP client view: prompt [ftp]; entered by executing the ftp command in user view; configure FTP client parameters. SFTP client view: prompt sftp-client>; entered by executing the sftp command in system view; configure SFTP client parameters. MST region view: prompt [Sysname-mst-regi...
  • Page 45: Cli Features

    View / Prompt example / Enter method / Quit method / Available operation: RADIUS scheme view: prompt [Sysname-radius-1]; entered by executing the radius scheme command in system view; configure RADIUS scheme parameters. ISP domain view: prompt [Sysname-isp-aaa123.net]; entered by executing the domain command in system view; configure ISP domain parameters. Remote-ping view: Execute the Remote-ping Configure...
  • Page 46: Terminal Display

    Change current directory clock Specify the system clock cluster Run cluster command copy Copy from one file to another debugging Enable system debugging functions delete Delete a file List files on a file system display Display current system information <Other information is omitted> Enter a command, a space, and a question mark (?).
  • Page 47: Command History

    Table 5-2 Display-related operations (Operation: Function). Press <Ctrl+C>: stop the display output and the execution of the command. Press any character except <Space>, <Enter>, /, +, and - when the display output pauses: stop the display output. Press the space key: get to the next page.
  • Page 48: Command Edit

    Table 5-3 Common error messages (Error message: Remarks). Unrecognized command: the command does not exist; the keyword does not exist; the parameter type is wrong; or the parameter value is out of range. Incomplete command: the command entered is incomplete. Too many parameters: too many parameters were entered.
  • Page 49: Introduction

    Enabling/Disabling the WEB Server Introduction Switch 4500 has a Web server built in. It enables you to log in to Switch 4500 through a Web browser and then manage and maintain the switch intuitively by interacting with the built-in Web server.
  • Page 50: Configuring The Login Banner

    Establish an HTTP connection between your PC and the switch, as shown in Figure 6-1. Figure 6-1 Establish an HTTP connection between your PC and the switch Log in to the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch in the address bar.
  • Page 51: Configuration Example

    Configuration Example Network requirements A user logs in to the switch through Web. The banner page is desired when a user logs into the switch. Network diagram Figure 6-3 Network diagram for login banner configuration Configuration Procedure # Enter system view. <Sysname>...
  • Page 52 To do… / Use the command… / Remarks: Enter system view: system-view. Enable the Web server: undo ip http shutdown (required; by default, the Web server is enabled). Disable the Web server: ip http shutdown (required). To improve security and prevent attacks on unused sockets, TCP port 80 (the HTTP service port) is enabled or disabled according to this configuration.
  • Page 53: Logging In Through Nms

    Logging In Through NMS Go to these sections for information you are interested in: Introduction Connection Establishment Using NMS Introduction You can also log in to a switch through a Network Management Station (NMS), and then configure and manage the switch through the agent software on the switch. Simple Network Management Protocol (SNMP) is applied between the NMS and the agent.
  • Page 54: Configuring Source Ip Address For Telnet Service Packets

    Configuring Source IP Address for Telnet Service Packets Go to these sections for information you are interested in: Overview Configuring Source IP Address for Telnet Service Packets Displaying Source IP Address Configuration Overview You can configure source IP address or source interface for the Telnet server and Telnet client. This provides a way to manage services and enhances security.
  • Page 55: Displaying Source Ip Address Configuration

    Operation / Command / Description: Specify a source interface for the Telnet server: telnet-server source-interface interface-type interface-number (optional). Specify a source IP address for the Telnet client: telnet source-ip ip-address (optional). Specify a source interface for the Telnet client: telnet source-interface interface-type interface-number (optional). To perform the configurations listed in Table 8-1 and Table 8-2, make sure that:...
  • Page 56: User Control

    User Control Go to these sections for information you are interested in: Introduction Controlling Telnet Users Controlling Network Management Users by Source IP Addresses Controlling Web Users by Source IP Address Refer to the ACL part for information about ACL. Introduction You can control users logging in through Telnet, SNMP and WEB by defining Access Control List (ACL), as listed in...
  • Page 57: Controlling Telnet Users By Acl

    If no ACL is configured on the VTY user interface, users are not controlled when establishing a Telnet connection using this user interface. If an ACL is configured on the VTY user interface, there will be two possibilities: if the packets for establishing a Telnet connection match the ACL rule configured on the VTY user interface, the connection will be permitted or denied according to the ACL rule;...
  • Page 58: Configuration Example

    [Sysname-ui-vty0-4] acl 2000 inbound Controlling Network Management Users by Source IP Addresses You can manage Switch 4500 through network management software. Network management users can access switches through SNMP. You need to perform the following two operations to control network management users by source IP...
  • Page 59: Prerequisites

    Defining an ACL Applying the ACL to control users accessing the switch through SNMP To control whether an NMS can manage the switch, you can use this function. Prerequisites The controlling policy against network management users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying).
  • Page 60: Controlling Web Users By Source Ip Address

    [Sysname] snmp-agent usm-user v2c usera groupa acl 2000 Controlling Web Users by Source IP Address You can manage Switch 4500 remotely through Web. Web users can access a switch through HTTP connections. You need to perform the following two operations to control Web users by source IP addresses.
  • Page 61: Logging Out A Web User

    To do… / Use the command… / Remarks: Enter system view: system-view. Create a basic ACL or enter basic ACL view: acl number acl-number [ match-order { config | auto } ] (for the acl number command, the config keyword is specified by default).
  • Page 62 [Sysname-acl-basic-2030] quit # Apply ACL 2030 to only permit the Web users sourced from the IP address of 10.110.100.52 to access the switch. [Sysname] ip http acl 2030...
  • Page 63 Table of Contents 1 Configuration File Management···············································································································1-1 Introduction to Configuration File ············································································································1-1 Configuration Task List ···························································································································1-2 Saving the Current Configuration ····································································································1-2 Erasing the Startup Configuration File ····························································································1-3 Specifying a Configuration File for Next Startup ·············································································1-4 Displaying Switch Configuration······································································································1-5...
  • Page 64: Configuration File Management

    Configuration File Management When configuring configuration file management, go to these sections for information you are interested in: Introduction to Configuration File Configuration Task List Introduction to Configuration File A configuration file records and stores user configurations performed to a switch. It also enables users to check switch configurations easily.
  • Page 65: Configuration Task List

    When saving the current configuration, you can specify the file to be a main or backup or normal configuration file. When removing a configuration file from a switch, you can specify to remove the main or backup configuration file. Or, if it is a file having both main and backup attribute, you can specify to erase the main or backup attribute of the file.
  • Page 66: Erasing The Startup Configuration File

    When you use the save safely command to save the configuration file, if the switch reboots or the power fails during the saving process, the switch initializes itself in the following two conditions when it starts up next time: If a configuration file with the extension .cfg exists in the Flash, the switch uses the configuration file to initialize itself when it starts up next time.
  • Page 67: Specifying A Configuration File For Next Startup

    To do… / Use the command… / Remarks: Erase the startup configuration file from the storage of the switch: reset saved-configuration [ backup | main ] (required; available in user view). You may need to erase the configuration file for one of these reasons: After you upgrade software, the old configuration file does not match the new software.
  • Page 68: Vlan

    The configuration file must use .cfg as its extension name and the startup configuration file must be saved in the root directory of the switch. Displaying Switch Configuration (To do… / Use the command… / Remarks): Display the initial configuration file saved in the Flash of a switch: display saved-configuration [ unit unit-id ] [ by-linenum ]...
  • Page 69 Table of Contents 1 VLAN Overview ··········································································································································1-1 VLAN Overview·······································································································································1-1 Introduction to VLAN ·······················································································································1-1 Advantages of VLANs ·····················································································································1-2 VLAN Principles·······························································································································1-2 VLAN Interface ································································································································1-4 VLAN Classification ·························································································································1-4 Port-Based VLAN····································································································································1-4 Link Types of Ethernet Ports ···········································································································1-4 Assigning an Ethernet Port to Specified VLANs ·············································································1-5 Configuring the Default VLAN ID for a Port·····················································································1-5 2 VLAN Configuration ··································································································································2-1 VLAN Configuration ································································································································2-1...
  • Page 70: Vlan Overview

    VLAN Overview This chapter covers these topics: VLAN Overview Port-Based VLAN VLAN Overview Introduction to VLAN The traditional Ethernet is a broadcast network, where all hosts are in the same broadcast domain and connected with each other through hubs or switches. Hubs and switches, which are the basic network connection devices, have limited forwarding functions.
  • Page 71: Advantages Of Vlans

    Figure 1-1 A VLAN implementation. Advantages of VLANs: Compared with traditional Ethernet, VLANs have the following advantages. Broadcasts are confined to VLANs. This decreases bandwidth consumption and improves network performance. Network security is improved. Because each VLAN forms a broadcast domain, hosts in different VLANs cannot communicate with each other directly unless routers or Layer 3 switches are used.
  • Page 72 tag is encapsulated after the destination MAC address and source MAC address to show the information about VLAN. Figure 1-3 Format of VLAN tag As shown in Figure 1-3, a VLAN tag contains four fields, including the tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID.
  • Page 73: Vlan Interface

    VLAN Interface: Hosts in different VLANs cannot communicate with each other directly unless routers or Layer 3 switches are used to perform Layer 3 forwarding. The Switch 4500 series Ethernet switches support VLAN interface configuration to forward packets at Layer 3.
  • Page 74: Assigning An Ethernet Port To Specified Vlans

    A hybrid port allows the packets of multiple VLANs to be sent untagged, but a trunk port only allows the packets of the default VLAN to be sent untagged. The three types of ports can coexist on the same device. Assigning an Ethernet Port to Specified VLANs You can assign an Ethernet port to a VLAN to forward packets for the VLAN, thus allowing the VLAN on the current switch to communicate with the same VLAN on the peer switch.
  • Page 75 Table 1-2 Packet processing of a trunk port (columns: processing of an incoming packet, for an untagged packet and for a tagged packet; processing of an outgoing packet). Untagged incoming packet: if the port has already been added to its default VLAN... Tagged incoming packet: if the VLAN ID is one of the VLAN IDs allowed to pass... Outgoing packet: if the VLAN ID is just the default VLAN ID, strip off the...
  • Page 76: Vlan Configuration

    VLAN Configuration: When configuring VLAN, go to these sections for information you are interested in: VLAN Configuration; Configuring a Port-Based VLAN. VLAN Configuration Task List: Complete the following tasks to configure VLAN (Task / Remarks): Basic VLAN Configuration (Required); Basic VLAN Interface Configuration (Optional); Displaying VLAN Configuration...
  • Page 77: Basic Vlan Interface Configuration

    VLAN 1 is the system default VLAN; it does not need to be created and cannot be removed. The VLAN you create in the way described above is a static VLAN. The switch also has dynamic VLANs, which are registered through GVRP. For details, refer to the “GVRP” part of this manual.
  • Page 78: Displaying Vlan Configuration

    The operation of enabling or disabling a VLAN’s VLAN interface does not influence the physical status of the Ethernet ports belonging to this VLAN. Displaying VLAN Configuration (To do... / Use the command... / Remarks): Display the VLAN interface information: display interface Vlan-interface [ vlan-id ] (available in any view).
  • Page 79: Assigning An Ethernet Port To A Vlan

    Assigning an Ethernet Port to a VLAN You can assign an Ethernet port to a VLAN in Ethernet port view or VLAN view. You can assign an access port to a VLAN in either Ethernet port view or VLAN view. You can assign a trunk port or hybrid port to a VLAN only in Ethernet port view.
  • Page 80: Configuring The Default Vlan For A Port

    Configuring the Default VLAN for a Port Because an access port can belong to only one VLAN, its default VLAN is the VLAN it resides in and cannot be configured. This section describes how to configure a default VLAN for a trunk or hybrid port. Follow these steps to configure the default VLAN for a port: To do…...
  • Page 81 Network diagram: Figure 2-1 Network diagram for VLAN configuration (Server1 and Server2 attached to SwitchA and SwitchB, which are linked through their GigabitEthernet ports). Configuration procedure: Configure Switch A. # Create VLAN 100, specify its descriptive string as Dept1, and add GigabitEthernet 1/0/1 to VLAN 100. <SwitchA>...
  • Page 82 [SwitchA-GigabitEthernet1/0/2] port trunk permit vlan 100 [SwitchA-GigabitEthernet1/0/2] port trunk permit vlan 200 # Configure GigabitEthernet 1/0/10 of Switch B. [SwitchB] interface GigabitEthernet 1/0/10 [SwitchB-GigabitEthernet1/0/10] port link-type trunk [SwitchB-GigabitEthernet1/0/10] port trunk permit vlan 100 [SwitchB-GigabitEthernet1/0/10] port trunk permit vlan 200...
  • Page 83 Table of Contents: 1 IP Addressing Configuration 1-1; IP Addressing Overview 1-1; IP Address Classes 1-1; Special IP Addresses 1-2; Subnetting and Masking 1-2; Configuring IP Addresses 1-3; Configuring IP Addresses 1-3; Configuring Static Domain Name Resolution 1-4; Displaying IP Addressing Configuration 1-4; IP Address Configuration Examples 1-4; IP Address Configuration Example 1-4; Static Domain Name Resolution Configuration Example 1-5; 2 IP Performance Optimization Configuration 2-1...
  • Page 84: Ip Addressing Configuration

    IP Addressing Configuration: The term IP address used throughout this chapter refers to IPv4 address. For details about IPv6 addresses, refer to IPv6 Management. When configuring IP addressing, go to these sections for information you are interested in: IP Addressing Overview; Configuring IP Addresses; Displaying IP Addressing Configuration; IP Address Configuration Examples. IP Addressing Overview...
  • Page 85: Special Ip Addresses

    Table 1-1 IP address classes and ranges (columns: Class, Address range, Remarks). Address range 0.0.0.0 to 127.255.255.255. Remarks: the IP address 0.0.0.0 is used by a host at bootstrap for temporary communication; this address is never a valid destination address. Addresses starting with 127 are reserved for loopback test.
  • Page 86: Configuring Ip Addresses

    subnetting. When designing your network, note that subnetting is a tradeoff between the number of subnets and the number of accommodated hosts. For example, a Class B network can accommodate 65,534 – 2 (of the two deducted Class B addresses, the one with an all-ones host ID is the broadcast address and the one with an all-zero host ID is the network address) hosts before being subnetted.
  • Page 87: Configuring Static Domain Name Resolution

    A newly specified IP address overwrites the previous one if there is any. The IP address of a VLAN interface must not be on the same network segment as that of a loopback interface on a device. Configuring Static Domain Name Resolution Follow these steps to configure static domain name resolution: To do…...
  • Page 88: Static Domain Name Resolution Configuration Example

    Network diagram Figure 1-3 Network diagram for IP address configuration Configuration procedure # Configure an IP address for VLAN-interface 1. <Switch> system-view [Switch] interface vlan-interface 1 [Switch-Vlan-interface1] ip address 129.2.2.1 255.255.255.0 Static Domain Name Resolution Configuration Example Network requirements The switch uses static domain name resolution to access host 10.1.1.2 through domain name host.com.
  • Page 89 round-trip min/avg/max = 2/3/5 ms...
  • Page 90: Ip Performance Optimization Configuration

    IP Performance Optimization Configuration When optimizing IP performance, go to these sections for information you are interested in: IP Performance Overview Configuring IP Performance Optimization Displaying and Maintaining IP Performance Optimization Configuration IP Performance Overview Introduction to IP Performance Configuration In some network environments, you can adjust the IP parameters to achieve best network performance.
  • Page 91: Disabling Sending Of Icmp Error Packets

    synwait timer: When sending a SYN packet, TCP starts the synwait timer. If no response packet is received within the synwait timer interval, the TCP connection cannot be created. finwait timer: When a TCP connection is changed into FIN_WAIT_2 state, the finwait timer is started.
  • Page 92: Displaying And Maintaining Ip Performance Optimization Configuration

    If the destination of a packet is local while the transport layer protocol of the packet is not supported by the local device, the device sends a “protocol unreachable” ICMP error packet to the source. When receiving a packet with the destination being local and transport layer protocol being UDP, if the packet’s port number does not match the running process, the device will send the source a “port unreachable”...
  • Page 93 (To do… / Use the command… / Remarks): Display ICMP traffic statistics: display icmp statistics. Display the current socket information of the system: display ip socket [ socktype sock-type ] [ task-id socket-id ]. Display the forwarding information base (FIB) entries: display fib. Display the FIB entries matching the given address and mask: display fib ip_address1 [ { mask1 | mask-length1 } [ ip_address2 { mask2 |...
  • Page 94 1 Voice VLAN Configuration 1-1; Voice VLAN Overview 1-1; How an IP Phone Works 1-1; How Switch 4500 Series Switches Identify Voice Traffic 1-3; Setting the Voice Traffic Transmission Priority 1-3; Configuring Voice VLAN Assignment Mode of a Port 1-4; Support for Voice VLAN on Various Ports 1-4; Security Mode of Voice VLAN 1-6...
  • Page 95: Voice Vlan Configuration

    Voice VLAN Configuration When configuring voice VLAN, go to these sections for information you are interested in: Voice VLAN Overview Voice VLAN Configuration Displaying and Maintaining Voice VLAN Voice VLAN Configuration Example Voice VLAN Overview Voice VLANs are allocated specially for voice traffic. After creating a voice VLAN and assigning ports that connect voice devices to the voice VLAN, you can have voice traffic transmitted in the dedicated voice VLAN and configure quality of service (QoS) parameters for the voice traffic to improve its transmission priority and ensure voice quality.
  • Page 96 Figure 1-1 Network diagram for IP phones As shown in Figure 1-1, the IP phone needs to work in conjunction with the DHCP server and the NCP to establish a path for voice data transmission. An IP phone goes through the following three phases to become capable of transmitting voice data.
  • Page 97: How Switch 4500 Series Switches Identify Voice Traffic

    NCP is reachable from the IP address to be set. How Switch 4500 Series Switches Identify Voice Traffic: Switch 4500 series Ethernet switches determine whether a received packet is a voice packet by checking its source MAC address against an organizationally unique identifier (OUI) list. If a match is found, the packet is considered a voice packet.
  • Page 98: Configuring Voice Vlan Assignment Mode Of A Port

    Processing mode of untagged packets sent by IP voice devices: Automatic voice VLAN assignment mode. A Switch 4500 Ethernet switch automatically adds a port connecting an IP voice device to the voice VLAN by learning the source MAC address in the untagged packet sent by the IP voice device when it is powered on.
  • Page 99 Table 1-2 Matching relationship between port types and voice devices capable of acquiring IP address and voice VLAN automatically (columns: Voice VLAN assignment mode, Port type, Voice traffic type, Supported or not). Access: not supported. Trunk, tagged: supported; make sure the default VLAN of the port exists and is not a voice VLAN, and the access port permits the traffic of...
  • Page 100: Security Mode Of Voice Vlan

    Table 1-3 Matching relationship between port types and voice devices acquiring voice VLAN through manual configuration (columns: Voice VLAN assignment mode, Port type, Supported or not). Automatic assignment mode, access port: not supported. Automatic assignment mode, trunk port: supported; make sure the default VLAN of the port exists and is not a voice VLAN, and the access port permits the traffic of the...
  • Page 101: Voice Vlan Configuration

    (Columns: Voice VLAN Mode, Packet Type, Processing Method.) Packet carrying the voice VLAN tag: if it matches the OUI list, the packet is transmitted in the voice VLAN; otherwise, the packet is dropped. Packet carrying any other VLAN tag: the packet is forwarded or dropped based on whether the receiving port is assigned to the carried VLAN.
  • Page 102: Configuring The Voice Vlan To Operate In Manual Voice Vlan Assignment Mode

    (To do… / Use the command… / Remarks): Set the voice VLAN aging timer: voice vlan aging minutes (Optional; the default aging timer is 1440 minutes). Enable the voice VLAN function globally: voice vlan vlan-id enable (Required). Enter Ethernet port view: interface interface-type interface-number (Required). Required...
  • Page 103 (To do… / Use the command… / Remarks): Enable the voice VLAN security mode: voice vlan security enable (Optional; by default, the voice VLAN security mode is enabled). Set the voice VLAN aging timer: voice vlan aging minutes (Optional; the default aging timer is 1,440 minutes).
  • Page 104: Displaying And Maintaining Voice Vlan

    VLAN. If you have to do so, make sure that the voice VLAN does not operate in security mode. The voice VLAN legacy feature enables communication between a 3Com device and other vendors' voice devices by automatically adding the voice VLAN tag to the voice data coming from other vendors’...
  • Page 105: Voice Vlan Configuration Example

    Voice VLAN Configuration Example: Voice VLAN Configuration Example (Automatic Voice VLAN Assignment Mode). Network requirements: As shown in Figure 1-2, the MAC address of IP phone A is 0011-1100-0001. The phone connects to a downstream device named PC A, whose MAC address is 0022-1100-0002, and to GigabitEthernet 1/0/1 on an upstream device named Device A.
  • Page 106 (OUI address / Mask / Description): ... Pingtel phone; 00e0-7500-0000 ffff-ff00-0000 Polycom phone; 00e0-bb00-0000 ffff-ff00-0000 3Com phone. # Display the current states of voice VLANs. <DeviceA> display voice vlan state Voice Vlan status: ENABLE Voice Vlan ID: 2 Voice Vlan security mode: Security Voice Vlan aging time: 1440 minutes...
  • Page 107: Voice Vlan Configuration Example (manual Voice Vlan Assignment Mode)

    Voice VLAN Configuration Example (Manual Voice VLAN Assignment Mode) Network requirements Create a voice VLAN and configure it to operate in manual voice VLAN assignment mode. Add the port to which an IP phone is connected to the voice VLAN to enable voice traffic to be transmitted within the voice VLAN.
  • Page 108 (OUI address / Mask / Description): ... Pingtel phone; 00e0-7500-0000 ffff-ff00-0000 Polycom phone; 00e0-bb00-0000 ffff-ff00-0000 3Com phone. # Display the status of the current voice VLAN. <DeviceA> display voice vlan status Voice Vlan status: ENABLE Voice Vlan ID: 2 Voice Vlan security mode: Security Voice Vlan aging time: 1440 minutes...
  • Page 109 Table of Contents: 1 Port Basic Configuration 1-1; Ethernet Port Configuration 1-1; Combo Port Configuration 1-1; Initially Configuring a Port 1-1; Configuring Port Auto-Negotiation Speed 1-2; Limiting Traffic on Individual Ports 1-3; Enabling Flow Control on a Port 1-4; Duplicating the Configuration of a Port to Other Ports 1-4; Configuring Loopback Detection for an Ethernet Port 1-5; Enabling Loopback Test 1-6; Enabling the System to Test Connected Cable 1-6...
  • Page 110: Port Basic Configuration

    Port Basic Configuration When performing basic port configuration, go to these sections for information you are interested in: Ethernet Port Configuration Ethernet Port Configuration Example Troubleshooting Ethernet Port Configuration Ethernet Port Configuration Combo Port Configuration Introduction to Combo port A Combo port can operate as either an optical port or an electrical port. Inside the device there is only one forwarding interface.
  • Page 111: Configuring Port Auto-negotiation Speed

    (To do... / Use the command... / Remarks): Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Enable the Ethernet port: undo shutdown (Optional; by default, the port is enabled. Use the shutdown command to disable the port). Set the description string: (Optional; by default, the description string of an...
  • Page 112: Limiting Traffic On Individual Ports

    Follow these steps to configure auto-negotiation speeds for a port (To do... / Use the command... / Remarks): Enter system view: system-view. Enter Ethernet interface view: interface interface-type interface-number. Configure the available auto-negotiation speed(s): speed auto [ 10 | 100 | ... (Optional; by default, the port speed is determined through auto-negotiation).
  • Page 113: Enabling Flow Control On A Port

    (To do... / Use the command... / Remarks): Limit unknown unicast traffic received on the current port: unicast-suppression { ratio | pps max-pps } (Optional; by default, the switch does not suppress unknown unicast traffic). Enabling Flow Control on a Port: Flow control is enabled on both the local and peer switches. If congestion occurs on the local switch, the local switch sends a message to notify the peer switch to stop sending packets to it or to reduce the sending rate temporarily.
  • Page 114: Configuring Loopback Detection For An Ethernet Port

    If you specify a source aggregation group ID, the system will use the port with the smallest port number in the aggregation group as the source. If you specify a destination aggregation group ID, the configuration of the source port will be copied to all ports in the aggregation group and all ports in the group will have the same configuration as that of the source port.
  • Page 115: Enabling Loopback Test

    To enable loopback detection on a specific port, you must use the loopback-detection enable command in both system view and the specific port view. After you use the undo loopback-detection enable command in system view, loopback detection will be disabled on all ports. Enabling Loopback Test You can configure the Ethernet port to run loopback test to check if it operates normally.
  • Page 116: Configuring The Interval To Perform Statistical Analysis On Port Traffic

    (To do... / Use the command... / Remarks): Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Enable the system to test connected cables: virtual-cable-test (Required). Configuring the Interval to Perform Statistical Analysis on Port Traffic: By performing the following configuration, you can set the interval at which statistical analysis is performed on the traffic of a port.
  • Page 117: Displaying And Maintaining Basic Port Configuration

    The port state change delay takes effect when the port goes down but not when the port goes up. Follow these steps to set the port state change delay: To do … Use the command … Remarks Enter system view —...
  • Page 118: Ethernet Port Configuration Example

    (To do... / Use the command... / Remarks): Clear port statistics: reset counters interface [ interface-type | interface-type interface-number ] (Available in user view. After 802.1x is enabled on a port, clearing the statistics on the port will not work). Ethernet Port Configuration Example: Network requirements: Switch A and Switch B are connected to each other through two trunk ports (Ethernet 1/0/1).
  • Page 119: Troubleshooting Ethernet Port Configuration

    Troubleshooting Ethernet Port Configuration Symptom: Fail to configure the default VLAN ID of an Ethernet port. Solution: Take the following steps: Use the display interface or display port command to check if the port is a trunk port or a hybrid port.
  • Page 120 Table of Contents: 1 Link Aggregation Configuration 1-1; Overview 1-1; Introduction to Link Aggregation 1-1; Introduction to LACP 1-1; Consistency Considerations for the Ports in Aggregation 1-1; Link Aggregation Classification 1-2; Manual Aggregation Group 1-2; Static LACP Aggregation Group 1-3; Dynamic LACP Aggregation Group 1-4; Aggregation Group Categories 1-5; Link Aggregation Configuration 1-6; Configuring a Manual Aggregation Group 1-6...
  • Page 121: Link Aggregation Configuration

    Link Aggregation Configuration When configuring link aggregation, go to these sections for information you are interested in: Overview Link Aggregation Classification Aggregation Group Categories Link Aggregation Configuration Displaying and Maintaining Link Aggregation Configuration Link Aggregation Configuration Example Overview Introduction to Link Aggregation Link aggregation aggregates multiple physical Ethernet ports into one logical link, also called an aggregation group.
  • Page 122: Link Aggregation Classification

    TPID on the ports; state of inner-to-outer tag priority replication (enabled or disabled). The Switch 4500 family supports cross-device link aggregation if XRN fabric is enabled. Link Aggregation Classification: Depending on the aggregation mode, the following three types of link aggregation exist:...
  • Page 123: Static Lacp Aggregation Group

    In a manual aggregation group, the system sets the ports to selected or unselected state according to the following rules. Among the ports in an aggregation group that are in up state, the system selects as the master port the one whose settings rank highest in the following descending order: full duplex/high speed, full duplex/low speed, half duplex/high speed, half duplex/low speed.
  • Page 124: Dynamic Lacp Aggregation Group

    There is a limit on the number of selected ports in an aggregation group. Therefore, if the number of the selected ports in an aggregation group exceeds the maximum number supported by the device, those with lower port numbers operate as the selected ports, and others as unselected ports. Dynamic LACP Aggregation Group Introduction to dynamic LACP aggregation group A dynamic LACP aggregation group is automatically created and removed by the system.
  • Page 125: Aggregation Group Categories

    Aggregation Group Categories: Depending on whether or not load sharing is implemented, aggregation groups can be load-sharing or non-load-sharing aggregation groups. When load sharing is implemented, for IP packets the system implements load sharing based on source IP address and destination IP address;...
  • Page 126: Link Aggregation Configuration

    Link Aggregation Configuration: The link aggregation commands cannot be configured together with the port loopback detection feature at the same time. Ports on which the mac-address max-mac-count command is configured cannot be added to an aggregation group. Conversely, the mac-address max-mac-count command cannot be configured on a port that has already been added to an aggregation group.
  • Page 127: Configuring A Static Lacp Aggregation Group

    When you change a dynamic or static group to a manual group, the system automatically disables LACP on the member ports. When you change a dynamic group to a static group, the member ports remain LACP-enabled. When a manual or static aggregation group contains only one port, you cannot remove that port unless you remove the whole aggregation group.
  • Page 128: Configuring A Description For An Aggregation Group

    You need to enable LACP on the ports that you want to participate in dynamic aggregation, because only when LACP is enabled on those ports at both ends can the two parties reach agreement on adding ports to or removing them from dynamic aggregation groups. You cannot enable LACP on a port that is already in a manual aggregation group.
  • Page 129: Displaying And Maintaining Link Aggregation Configuration

    If you have saved the current configuration with the save command, then after a system reboot the configuration of manual and static aggregation groups and their descriptions still exists, but that of dynamic aggregation groups and their descriptions is lost. Displaying and Maintaining Link Aggregation Configuration: To do…...
  • Page 130 Configuration procedure: The following lists only the configuration on Switch A; you must perform similar configuration on Switch B to implement link aggregation. Adopting manual aggregation mode: # Create manual aggregation group 1. <Sysname> system-view [Sysname] link-aggregation group 1 mode manual # Add Ethernet 1/0/1 through Ethernet 1/0/3 to aggregation group 1.
  • Page 131 [Sysname] interface Ethernet1/0/3 [Sysname-Ethernet1/0/3] lacp enable The three LACP-enabled ports can be aggregated into one dynamic aggregation group to implement load sharing only when they have the same basic configuration (such as rate, duplex mode, and so on). 1-11...
  • Page 132: Port Isolation

    Table of Contents: 1 Port Isolation Configuration 1-1; Port Isolation Overview 1-1; Port Isolation Configuration 1-1; Displaying and Maintaining Port Isolation Configuration 1-2; Port Isolation Configuration Example 1-2...
  • Page 133: Port Isolation Configuration

    The ports in an isolation group must reside on the same switch or on different units of an XRN fabric. Currently, you can create only one isolation group on a Switch 4500 series switch. The number of Ethernet ports in an isolation group is not limited.
  • Page 134: Port Isolation Configuration Example

    Switch 4500 series switches support cross-device port isolation if XRN fabric is enabled. For Switch 4500 series switches belonging to the same XRN Fabric, the port isolation configuration performed on a port of a cross-device aggregation group cannot be synchronized to the other ports of the aggregation group if the ports reside on other units.
  • Page 135 Network diagram Figure 1-1 Network diagram for port isolation configuration Configuration procedure # Add Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4 to the isolation group. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface ethernet1/0/2 [Sysname-Ethernet1/0/2] port isolate [Sysname-Ethernet1/0/2] quit [Sysname] interface ethernet1/0/3 [Sysname-Ethernet1/0/3] port isolate [Sysname-Ethernet1/0/3] quit...
  • Page 136 Table of Contents: 1 Port Security Configuration 1-1; Port Security Overview 1-1; Introduction 1-1; Port Security Features 1-1; Port Security Modes 1-1; Port Security Configuration Task List 1-4; Enabling Port Security 1-5; Setting the Maximum Number of MAC Addresses Allowed on a Port 1-5; Setting the Port Security Mode 1-6; Configuring Port Security Features 1-7; Ignoring the Authorization Information from the RADIUS Server 1-8; Configuring Security MAC Addresses 1-9...
  • Page 137: Port Security Configuration

    Port Security Configuration. When configuring port security, go to these sections for the information you are interested in: Port Security Overview; Port Security Configuration Task List; Displaying and Maintaining Port Security Configuration; Port Security Configuration Examples. Port Security Overview, Introduction: Port security is a security mechanism for network access control. It extends the existing 802.1x and MAC address authentication features.
  • Page 138 Table 1-1 Description of port security modes (columns: Security mode; Description; Feature)
    noRestriction: In this mode, access to the port is not restricted. Neither the NTK nor the intrusion protection feature is triggered.
    autolearn: In this mode, a port can learn a specified number of MAC addresses and save those addresses as security MAC addresses.
  • Page 139 (Table 1-1, continued: Security mode; Description; Feature)
    userlogin: In this mode, port-based 802.1x authentication is performed for access users. Neither NTK nor intrusion protection will be triggered.
    Next mode (name truncated in this excerpt): MAC-based 802.1x authentication is performed on the access user. The port is enabled only after the authentication succeeds.
  • Page 140: Port Security Configuration Task List

    (Table 1-1, continued: Security mode; Description; Feature)
    macAddressElseUserLoginSecure: In this mode, a port performs MAC authentication of an access user first. If the authentication succeeds, the user is authenticated. Otherwise, the port performs 802.1x authentication of the user. In this mode, there can be only one 802.1x-authenticated user on the port, but there can be several MAC-authenticated users.
  • Page 141: Enabling Port Security

    Task | Remarks
    Configuring Security MAC Addresses: Optional.
    Enabling Port Security. Configuration prerequisites: before enabling port security, you need to disable 802.1x and MAC authentication globally. Follow these steps to enable port security (To do... / Use the command... / Remarks):
    Enter system view: system-view...
  • Page 142: Setting The Port Security Mode

    This configuration is different from the maximum number of MAC addresses a port can learn, which is set in MAC address table management. Follow these steps to set the maximum number of MAC addresses allowed on a port (To do... / Use the command...
  • Page 143: Configuring Port Security Features

    Before setting the port security mode to autolearn, you need to set the maximum number of MAC addresses allowed on the port with the port-security max-mac-count command. When the port operates in the autolearn mode, you cannot change the maximum number of MAC addresses allowed on the port.
  • Page 144: Ignoring The Authorization Information From The Radius Server

    To do... / Use the command... / Remarks
    Set the timer during which the port remains disabled: port-security timer disableport timer (Optional; 20 seconds by default).
    The port-security timer disableport command is used in conjunction with the port-security intrusion-mode disableport-temporarily command to set the length of time during which the port remains disabled.
  • Page 145: Configuring Security Mac Addresses

    Configuring Security MAC Addresses. Security MAC addresses are special MAC addresses that never age out. A security MAC address can be added to only one port within a given VLAN, so adding it binds that MAC address to a single port in the VLAN.
  • Page 146: Displaying And Maintaining Port Security Configuration

    Displaying and Maintaining Port Security Configuration (To do... / Use the command... / Remarks)
    Display information about port security configuration: display port-security [ interface interface-list ] (available in any view)
    Display information about security MAC address configuration: display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] (available in any view)
    Port Security Configuration Examples...
  • Page 147
    [Switch-Ethernet1/0/1] mac-address security 0001-0002-0003 vlan 1
    # Configure the port to be silent for 30 seconds after intrusion protection is triggered.
    [Switch-Ethernet1/0/1] port-security intrusion-mode disableport-temporarily
    [Switch-Ethernet1/0/1] quit
    [Switch] port-security timer disableport 30
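The fragments above (pages 141 through 147) each show one step of port security in isolation. The following is an added, end-to-end example that puts the steps in the order the chapter requires; it is not the manual's own configuration example. The commands undo dot1x, undo mac-authentication, port-security enable and port-security port-mode autolearn, and the interface, VLAN and MAC address values, are assumptions about the Comware-style CLI this guide documents; only port-security max-mac-count, mac-address security, port-security intrusion-mode, port-security timer disableport and the two display commands appear on the page.

```text
# Prerequisite (page 141): 802.1x and MAC authentication must be off globally
# before port security is enabled. Both undo commands are assumed names.
<Switch> system-view
[Switch] undo dot1x
[Switch] undo mac-authentication

# Enable port security globally (command name assumed).
[Switch] port-security enable

[Switch] interface ethernet1/0/1
# Set the limit first: autolearn cannot be selected until max-mac-count is set,
# and the limit cannot be changed while the port is in autolearn mode (page 143).
[Switch-Ethernet1/0/1] port-security max-mac-count 2
# The autolearn mode keyword is on the page; the port-mode command is assumed.
[Switch-Ethernet1/0/1] port-security port-mode autolearn
# Pin the known host as a security MAC address: it never ages out and cannot be
# bound to a second port in VLAN 1 (page 145). The port must be in VLAN 1.
[Switch-Ethernet1/0/1] mac-address security 0001-0002-0003 vlan 1
# Intrusion protection: take the port down temporarily, not permanently.
[Switch-Ethernet1/0/1] port-security intrusion-mode disableport-temporarily
[Switch-Ethernet1/0/1] quit
# Timer used by disableport-temporarily; the default is 20 seconds (page 144).
[Switch] port-security timer disableport 30

# Verify: mode, limit and intrusion settings, then the bound security MACs.
[Switch] display port-security interface ethernet1/0/1
[Switch] display mac-address security interface ethernet 1/0/1 vlan 1 count
```

The ordering is the point: with max-mac-count 2 and one security MAC already bound, only one further address can be learned on the port, and a third source MAC triggers intrusion protection. Because the port returns to service after 30 seconds, an attacker who keeps sending traffic simply re-triggers the timer; check the log output during that window rather than assuming the port stayed up because it is up now.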
  • Page 148: Dldp

    Table of Contents: 1 DLDP Configuration (1-1); Overview (1-1); DLDP Fundamentals (1-2): DLDP packets (1-2), DLDP Status (1-4), DLDP Timers (1-4), DLDP Operating Mode (1-5), DLDP Implementation (1-6), DLDP Neighbor State (1-8), Link Auto-recovery Mechanism (1-8); DLDP Configuration (1-9): Performing Basic DLDP Configuration (1-9), Resetting DLDP State (1-10), Displaying and Maintaining DLDP (1-10); DLDP Configuration Example (1-11)...
  • Page 149: Dldp Configuration

    DLDP Configuration. When configuring DLDP, go to these sections for the information you are interested in: Overview; DLDP Fundamentals; DLDP Configuration; DLDP Configuration Example. Overview: Device link detection protocol (DLDP) is a technology for dealing with unidirectional links that may occur in a network. If two switches, A and B, are connected by a pair of optical fibers, one carrying traffic from A to B and the other from B to A, the link is bidirectional (a two-way link).
  • Page 150: Dldp Fundamentals

    Figure 1-2 Fiber broken or not connected (Device A GE1/0/49 and GE1/0/50 linked to Device B GE1/0/49 and GE1/0/50).
    Device link detection protocol (DLDP) can detect the link status of an optical fiber cable or a copper twisted pair (such as category 5e twisted pair). If DLDP finds a unidirectional link, it disables the related port automatically or prompts you to disable it manually, according to the configuration, to avoid network problems.
  • Page 151 (DLDP packet type: Function)
    RSY advertisement packets (referred to as RSY packets hereafter): advertisement packets with the RSY flag set to 1. RSY packets are sent to request synchronization of neighbor information when neighbor information is not available locally or a neighbor information entry ages out.
  • Page 152: Dldp Status

    DLDP Status. A link can be in one of these DLDP states: initial, inactive, active, advertisement, probe, disable, and delaydown.
    Table 1-2 DLDP status (Status: Description)
    Initial: Initial status before DLDP is enabled.
    Inactive: DLDP is enabled but the corresponding link is down.
    Active: DLDP is enabled, and the link is up or a neighbor entry is cleared.
    Advertisement: All neighbors communicate normally in both directions, or DLDP...
  • Page 153: Dldp Operating Mode

    (Table 1-3, continued: Timer; Description)
    Entry aging timer: When a new neighbor joins, a neighbor entry is created and the corresponding entry aging timer is enabled. When an advertisement packet is received from a neighbor, the neighbor entry is updated and the corresponding entry aging timer is updated. In the normal mode, if no packet is received from the neighbor when...
  • Page 154: Dldp Implementation

    Table 1-4 DLDP operating mode and neighbor entry aging (columns: DLDP operating mode; Detecting a neighbor after the corresponding neighbor entry ages; Removing the neighbor entry immediately after the Entry timer expires; Triggering the Enhanced timer after an Entry timer expires)
    Normal mode: Yes (When the enhanced timer...
  • Page 155 Table 1-5 DLDP state and DLDP packet type (DLDP state: Type of the DLDP packets sent)
    Active: Advertisement packets, with the RSY flag set or not set.
    Advertisement: Advertisement packets.
    Probe: Probe packets.
    A received DLDP packet is processed as follows: in authentication mode, the DLDP packet is authenticated first and is dropped if it fails the authentication.
  • Page 156: Dldp Neighbor State

    Table 1-7 Processing procedure when no echo packet is received from the neighbor (columns: No echo packet received from the neighbor; Processing procedure)
    In normal mode, no echo packet is received when the echo waiting timer expires: DLDP switches to the disable state, outputs log and tracking information, and sends flush packets.
  • Page 157: Dldp Configuration

    DLDP Configuration. Performing Basic DLDP Configuration. Follow these steps to perform basic DLDP configuration (To do ... / Use the command ... / Remarks):
    Enter system view: system-view
    Enable DLDP, either on all optical ports of the switch: dldp enable (Required), or on a single port: enter Ethernet interface view with interface interface-type ... and enable...
  • Page 158: Resetting Dldp State

    When connecting two DLDP-enabled devices, make sure the software running on them is of the same version. Otherwise, DLDP may operate improperly. When you use the dldp enable/dldp disable command in system view to enable/disable DLDP on all optical ports of the switch, the configuration takes effect on the existing optical ports, instead of those added subsequently.
  • Page 159: Dldp Configuration Example

    DLDP Configuration Example Network requirements As shown in Figure 1-4, Switch A and Switch B are connected through two pairs of fibers. Both of them support DLDP. All the ports involved operate in mandatory full duplex mode, with their rates all being 1,000 Mbps. Suppose the fibers between Switch A and Switch B are cross-connected.
  • Page 160
    # Set the DLDP handling mode for unidirectional links to auto.
    [SwitchA] dldp unidirectional-shutdown auto
    # Display the DLDP state.
    [SwitchA] display dldp 1
    When two switches are connected through fibers in a crossed way, two or three ports may be in the disable state, and the rest in the inactive state.
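An added example, not the manual's own, that combines the basic DLDP configuration (page 157), the caveats on page 158 and the handling mode from the example above into one configuration for Switch A; Switch B needs the same. The commands dldp work-mode, dldp authentication-mode and dldp reset, the password, and the use of GigabitEthernet 1/0/49 and 1/0/50 from Figure 1-2 are assumptions about this CLI and are not shown on the page; dldp enable, dldp unidirectional-shutdown auto and display dldp are.

```text
<SwitchA> system-view
# Enable DLDP per port rather than with the system-view form: the global
# command covers only optical ports that exist at the time it is run (page 158).
[SwitchA] interface GigabitEthernet 1/0/49
[SwitchA-GigabitEthernet1/0/49] dldp enable
[SwitchA-GigabitEthernet1/0/49] quit
[SwitchA] interface GigabitEthernet 1/0/50
[SwitchA-GigabitEthernet1/0/50] dldp enable
[SwitchA-GigabitEthernet1/0/50] quit

# Enhanced mode starts the enhanced timer when a neighbor entry ages out, so a
# neighbor that fell silent is actively re-probed (Table 1-4). Command assumed.
[SwitchA] dldp work-mode enhance

# Authentication mode (page 155): packets that fail authentication are dropped,
# so a forged DLDP packet cannot tear down or "heal" a link. The mode and
# password must match on Switch B. Command and password are assumed.
[SwitchA] dldp authentication-mode md5 dldp-secret-2024

# Shut a port down automatically when a unidirectional link is found.
[SwitchA] dldp unidirectional-shutdown auto

# Check state per port: expect "disable" on the affected fibers, "inactive" on
# the rest while the fibers are cross-connected (page 160).
[SwitchA] display dldp 1

# After the fibers are reconnected correctly, bring the ports DLDP disabled
# back for detection (Resetting DLDP State, page 158; command assumed).
[SwitchA] dldp reset
```

Two checks before relying on this: both switches must run the same software version, or DLDP may misbehave (page 158), and a port DLDP has put in the disable state stays there until it is reset or the auto-recovery mechanism (page 148) acts, so a stale disable state after a cabling fix is expected, not a fault.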
  • Page 161 Table of Contents: 1 MAC Address Table Management (1-1); Overview (1-1): Introduction to the MAC Address Table (1-1), Introduction to MAC Address Learning (1-1), Managing MAC Address Table (1-3); MAC Address Table Management (1-4): MAC Address Table Management Configuration Task List (1-4), Configuring a MAC Address Entry (1-5), Setting the MAC Address Aging Timer (1-6), Setting the Maximum Number of MAC Addresses a Port Can Learn (1-6)...
  • Page 162: Mac Address Table Management

    MAC Address Table Management. When configuring MAC address table management, go to these sections for the information you are interested in: Overview; MAC Address Table Management; Displaying MAC Address Table Information; Configuration Example. This chapter describes the management of static, dynamic, and blackhole MAC address entries. For information about the management of multicast MAC address entries, refer to Multicast Operation.
  • Page 163 Generally, the majority of MAC address entries are created and maintained through MAC address learning. The following describes the MAC address learning process of a switch: As shown in Figure 1-1, User A and User B are both in VLAN 1. When User A communicates with User B, the packet from User A comes into the switch on GigabitEthernet 1/0/1.
  • Page 164: Managing Mac Address Table

    Figure 1-4 MAC address learning diagram (3) At this time, the MAC address table of the switch includes two forwarding entries shown in Figure 1-5. When forwarding the response packet from User B to User A, the switch sends the response to User A through GigabitEthernet 1/0/1 (technically called unicast), because MAC-A is already in the MAC address table.
  • Page 165: Mac Address Table Management

    The MAC address aging timer only takes effect on dynamic MAC address entries. With the “destination MAC address triggered update function” enabled, when a switch finds a packet with a destination address matching one MAC address entry within the aging time, it updates the entry and restarts the aging timer.
  • Page 166: Configuring A Mac Address Entry

    Task | Remarks
    Enabling Destination MAC Address Triggered Update: Optional.
    Configuring a MAC Address Entry. You can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a specific port, or remove a specific type of MAC address entries (dynamic or static). Adding a MAC address entry in system view: you can add a MAC address entry in either system view or Ethernet port view.
  • Page 167: Setting The Mac Address Aging Timer

    When you add a MAC address entry, the current port must belong to the VLAN specified by the vlan argument in the command. Otherwise, the entry will not be added. If the VLAN specified by the vlan argument is a dynamic VLAN, after a static MAC address is added, it will become a static VLAN.
  • Page 168: Enabling Destination Mac Address Triggered Update

    By setting the maximum number of MAC addresses that can be learned from individual ports, the administrator can limit the number of dynamic MAC address entries the MAC address table maintains for each port. When the number of MAC address entries learned from a port reaches the set value, the port stops learning MAC addresses.
  • Page 169: Configuration Examples

    To do… / Use the command… / Remarks
    Display the aging time of the dynamic MAC address entries in the MAC address table: display mac-address aging-time
    Display the configured start port MAC address: display port-mac
    Configuration Examples. Adding a Static MAC Address Entry Manually. Network requirements: the server connects to the switch through GigabitEthernet 1/0/2.
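An added example, not the manual's, that covers the entry types this chapter names (static, blackhole, dynamic with aging, page 162), the VLAN membership rule on page 167 and the per-port learning limit on page 168, using the page-169 scenario of a server on GigabitEthernet 1/0/2. The command forms mac-address static, mac-address blackhole, mac-address timer aging, mac-address max-mac-count, port (in VLAN view) and display mac-address vlan, the MAC addresses, and the 300-second value are assumptions about this CLI; only display mac-address aging-time is shown on the page.

```text
<Switch> system-view
# The port must already belong to the VLAN named in the entry, or the entry is
# silently not added (page 167). Assumed vlan/port syntax.
[Switch] vlan 1
[Switch-vlan1] port GigabitEthernet 1/0/2
[Switch-vlan1] quit

# Static entry for the server (page 169): frames to this MAC always go out of
# GigabitEthernet 1/0/2, and a host elsewhere spoofing the server's MAC cannot
# move the entry by making the switch "learn" it on another port.
[Switch] mac-address static 000f-e200-0001 interface GigabitEthernet 1/0/2 vlan 1

# Blackhole entry (page 162): frames whose source or destination is this MAC
# are dropped in VLAN 1. Useful to quarantine a known-bad host by address.
[Switch] mac-address blackhole 000f-e200-00bb vlan 1

# Aging applies to dynamic entries only (page 165); static and blackhole entries
# are unaffected. 300 seconds is an assumed value, not a documented default.
[Switch] mac-address timer aging 300

# Per-port learning cap (page 168): a host flooding random source MACs can
# occupy at most 10 dynamic entries from this port, after which the port stops
# learning instead of filling the shared table. Assumed command form.
[Switch] interface GigabitEthernet 1/0/1
[Switch-GigabitEthernet1/0/1] mac-address max-mac-count 10
[Switch-GigabitEthernet1/0/1] quit

# Verify the timer and the resulting table for VLAN 1.
[Switch] display mac-address aging-time
[Switch] display mac-address vlan 1
```

Note the difference the page draws on page 142: mac-address max-mac-count limits plain MAC learning on the port, while port-security max-mac-count limits addresses under port security; the two are set independently and do not substitute for each other.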
  • Page 170 Table of Contents: 1 Auto Detect Configuration (1-1); Introduction to the Auto Detect Function (1-1); Auto Detect Configuration (1-1): Auto Detect Basic Configuration (1-2), Auto Detect Implementation in Static Routing (1-2), Auto Detect Implementation in VLAN Interface Backup (1-3); Auto Detect Configuration Examples (1-4): Configuration Example for Auto Detect Implementation with Static Routing (1-4), Configuration Example for Auto Detect Implementation with VLAN Interface Backup (1-5)...
  • Page 171: Auto Detect Configuration

    Auto Detect Configuration When configuring the auto detect function, go to these sections for information you are interested in: Introduction to the Auto Detect Function Auto Detect Configuration Auto Detect Configuration Examples Introduction to the Auto Detect Function The Auto Detect function uses Internet Control Message Protocol (ICMP) request/reply packets to test network connectivity regularly between the Auto Detect-enabled switch and the detected object.
  • Page 172: Auto Detect Basic Configuration

    Task | Remarks
    Auto Detect Implementation in VLAN Interface Backup: Optional.
    Auto Detect Basic Configuration. Follow these steps to configure the auto detect function (To do… / Use the command… / Remarks):
    Enter system view: system-view
    Create a detected group and enter detected group view: detect-group group-number (Required)
    detect-list list-number ip...
  • Page 173: Auto Detect Implementation In Vlan Interface Backup

    To avoid such problems, you can configure another route to back up the static route and use the Auto Detect function to determine whether the static route is valid. If the static route is valid, packets are forwarded according to it and the other route is on standby. If the static route is invalid, packets are forwarded according to the backup route.
  • Page 174: Auto Detect Configuration Examples

    Figure 1-1 Schematic diagram for VLAN interface backup. Auto Detect can be used to implement VLAN interface backup. When data can be transmitted to the same destination through two VLAN interfaces on the switch, configure one of the VLAN interfaces as the active interface and the other as the standby interface.
  • Page 175: Configuration Example For Auto Detect Implementation With Vlan Interface Backup

    On Switch A, configure a static route to Switch C and enable it only when detected group 8 is reachable. To ensure normal operation of the auto detect function, configure a static route back to Switch A on Switch C. Network diagram: Figure 1-2 Network diagram for implementing the auto detect function in static routing. Configuration procedure...
  • Page 176 Network diagram: Figure 1-3 Network diagram for VLAN interface backup. Configuration procedure: configure the IP addresses of all the interfaces as shown in Figure 1-3 (the configuration procedure is omitted).
    # Enter system view.
    <SwitchA> system-view
    # Create auto detected group 10.
    [SwitchA] detect-group 10
    # Add the IP address 10.1.1.4 to detected group 10 to detect its reachability, with 192.168.1.2 as the next hop and the detecting number set to 1.
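An added example, not the manual's, for the static-route case described on pages 173 and 175: a detected group that pings a target, a primary static route tied to that group, and a backup route that takes over when the probes fail. The detect-list line follows the description on page 176; the ip route-static ... detect-group and preference forms, the destination prefix, the backup next hop and the addresses on Switch C are assumptions about this CLI and are not shown on the page.

```text
<SwitchA> system-view
# Detected group 8 (page 175). Entry 1 probes 10.1.1.4 with ICMP via next hop
# 192.168.1.2; the group is "reachable" while the replies keep coming.
[SwitchA] detect-group 8
[SwitchA-detect-group-8] detect-list 1 ip address 10.1.1.4 nexthop 192.168.1.2
[SwitchA-detect-group-8] quit

# Primary static route to the network behind Switch C, installed only while
# detected group 8 is reachable (assumed detect-group binding syntax).
[SwitchA] ip route-static 10.1.2.0 255.255.255.0 192.168.1.2 detect-group 8

# Backup route via the other path with a worse preference (assumed keyword),
# so it is used only when the primary route is withdrawn (page 173).
[SwitchA] ip route-static 10.1.2.0 255.255.255.0 192.168.2.2 preference 70

# Page 175: Switch C needs a return route to Switch A, otherwise the ICMP
# replies never arrive and the group is wrongly reported unreachable.
<SwitchC> system-view
[SwitchC] ip route-static 192.168.1.0 255.255.255.0 10.1.1.1
```

Pick the probed address with care: the detected object should sit on the far side of the link you want to monitor, since probing a directly attached address tells you nothing about the path beyond it, and a host that rate-limits or filters ICMP echo will flap the route even though the path is fine.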
  • Page 177: Mstp

    Table of Contents: 1 MSTP Configuration (1-1); Overview (1-1): Spanning Tree Protocol Overview (1-1), Rapid Spanning Tree Protocol Overview (1-10), Multiple Spanning Tree Protocol Overview (1-10), MSTP Implementation on Switches (1-14), Protocols and Standards (1-15); MSTP Configuration Task List (1-15); Configuring Root Bridge (1-16): Configuring an MST Region (1-16), Specifying the Current Switch as a Root Bridge/Secondary Root Bridge (1-18), Configuring the Bridge Priority of the Current Switch (1-19)...
  • Page 178 (Table of Contents, continued): Configuring Digest Snooping (1-39); Configuring Rapid Transition (1-40): Introduction (1-40), Configuring Rapid Transition (1-42); MSTP Maintenance Configuration (1-43): Introduction (1-43), Enabling Log/Trap Output for Ports of MSTP Instance (1-43), Configuration Example (1-43); Enabling Trap Messages Conforming to 802.1d Standard (1-43); Displaying and Maintaining MSTP (1-44); MSTP Configuration Example (1-44)...
  • Page 179: Overview

    MSTP Configuration Go to these sections for information you are interested in: Overview MSTP Configuration Task List Configuring Root Bridge Configuring Leaf Nodes Performing mCheck Operation Configuring Guard Functions Configuring Digest Snooping Configuring Rapid Transition MSTP Maintenance Configuration Enabling Trap Messages Conforming to 802.1d Standard Displaying and Maintaining MSTP MSTP Configuration Example Overview...
  • Page 180 In STP, BPDUs come in two types: Configuration BPDUs, used to calculate spanning trees and maintain the spanning tree topology. Topology change notification (TCN) BPDUs, used to notify concerned devices of network topology changes, if any. Basic concepts in STP Root bridge A tree network must have a root;...
  • Page 181 A bridge ID consists of eight bytes, where the first two bytes represent the bridge priority of the device, and the latter six bytes represent the MAC address of the device. The default bridge priority of a 3Com switch 4500 is 32768. You can use a command to configure the bridge priority of a device. For details, see Configuring the Bridge Priority of the Current Switch.
  • Page 182 Port ID A port ID used on a 3Com switch 4500 consists of two bytes, that is, 16 bits, where the first six bits represent the port priority, and the latter ten bits represent the port number. The default priority of all Ethernet ports on 3Com switches 4500 is 128. You can use commands to configure port priorities.
  • Page 183 Table 1-2 Selection of the optimum configuration BPDU Step Description Upon receiving a configuration BPDU on a port, the device performs the following processing: If the received configuration BPDU has a lower priority than that of the configuration BPDU generated by the port, the device will discard the received configuration BPDU without doing any processing on the configuration BPDU of this port.
  • Page 184 Step Description The device compares the calculated configuration BPDU with the configuration BPDU on the port whose role is to be determined, and acts as follows based on the comparison result: If the calculated configuration BPDU is superior, this port will serve as the designated port, and the configuration BPDU on the port will be replaced with the calculated configuration BPDU, which will be sent out periodically.
  • Page 185 (initial configuration BPDU of each port, continued: Device; Port name; BPDU of port)
    Device B: BP1 {1, 0, 1, BP1}; BP2 {1, 0, 1, BP2}
    Device C: CP1 {2, 0, 2, CP1}; CP2 {2, 0, 2, CP2}
    Comparison process and result on each device. The following table shows the comparison process and result on each device. Table 1-5 Comparison process and result on each device (columns: Device; Comparison process; BPDU of port after comparison)...
  • Page 186 (Table 1-5, continued: Device; Comparison process; BPDU of port after comparison)
    Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1.
  • Page 187 Figure 1-3 The final calculated spanning tree To facilitate description, the spanning tree calculation process in this example is simplified, while the actual process is more complicated. The BPDU forwarding mechanism in STP Upon network initiation, every switch regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular interval of hello time.
  • Page 188: Rapid Spanning Tree Protocol Overview

    For this reason, the protocol uses a state transition mechanism. Namely, a newly elected root port and the designated ports must go through a period, which is twice the forward delay time, before they transit to the forwarding state. The period allows the new configuration BPDUs to be propagated throughout the entire network.
  • Page 189 MSTP supports mapping VLANs to Multiple Spanning Tree (MST) instances (MSTIs) by means of a VLAN-to-instance mapping table. MSTP introduces instances (each of which groups multiple VLANs into a set) and can bind multiple VLANs to one instance, thus saving communication overhead and improving resource utilization.
  • Page 190 MSTI A multiple spanning tree instance (MSTI) refers to a spanning tree in an MST region. Multiple spanning trees can be established in one MST region. These spanning trees are independent of each other. For example, each region in Figure 1-4 contains multiple spanning trees known as MSTIs.
  • Page 191 A region boundary port is located on the boundary of an MST region and is used to connect one MST region to another MST region, an STP-enabled region or an RSTP-enabled region. An alternate port is a secondary port of a root port or master port and is used for rapid transition. With the root port or master port being blocked, the alternate port becomes the new root port or master port.
  • Page 192: Mstp Implementation On Switches

    STP and RSTP and use them for their respective spanning tree calculations. The 3Com Switch 4500 supports MSTP. After MSTP is enabled on a Switch 4500, the switch operates in MSTP mode by default. If the network contains switches that run the STP/RSTP protocol, you can...
  • Page 193: Protocols And Standards

    In addition to the basic MSTP functions, the 3Com Switch 4500 also provides the following functions for users to manage their switches: root bridge hold, root bridge backup, root guard, BPDU guard, loop guard, and TC-BPDU attack guard. Protocols and Standards: MSTP is documented in IEEE 802.1D (spanning tree protocol)...
  • Page 194: Configuring Root Bridge

    Task | Remarks
    Configuring the Maximum Transmitting Rate on the Current Port: Optional. The default value is recommended.
    Configuring the Current Port as an Edge Port: Optional.
    Setting the Link Type of a Port to P2P: Optional.
    Enabling MSTP: Required. To prevent network topology jitter caused by other related configurations, you are recommended to enable MSTP...
  • Page 195 802.1s-defined protocol selector, which is 0 by default and cannot be configured), MST region name, VLAN-to-instance mapping table, and revision level. The 3Com switches 4500 support only the MST region name, VLAN-to-instance mapping table, and revision level. Switches with the settings of these parameters being the same are assigned to the same MST region.
  • Page 196: Specifying The Current Switch As A Root Bridge/secondary Root Bridge

    Configuration example
    # Configure an MST region named info, the MSTP revision level being level 1, VLAN 2 through VLAN 10 being mapped to MSTI 1, and VLAN 20 through VLAN 30 being mapped to MSTI 2.
    <Sysname> system-view
    [Sysname] stp region-configuration
    [Sysname-mst-region] region-name info
    [Sysname-mst-region] instance 1 vlan 2 to 10
    [Sysname-mst-region] instance 2 vlan 20 to 30...
  • Page 197: Configuring The Bridge Priority Of The Current Switch

    Using the stp root primary/stp root secondary command, you can specify the current switch as the root bridge or the secondary root bridge of the MSTI identified by the instance-id argument. If the value of the instance-id argument is set to 0, the stp root primary/stp root secondary commands specify the current switch as the root bridge or the secondary root bridge of the CIST.
  • Page 198: Configuring How A Port Recognizes And Sends Mstp Packets

    To do... / Use the command... / Remarks
    Set the bridge priority for the current switch: stp [ instance instance-id ] priority priority (Required; the default bridge priority of a switch is 32,768).
    Once you specify a switch as the root bridge or a secondary root bridge by using the stp root primary or stp root secondary command, the bridge priority of the switch cannot be configured any more.
  • Page 199: Configuring The Mstp Operation Mode

    To do... / Use the command... / Remarks
    Enter system view: system-view
    Enter Ethernet port view: interface interface-type interface-number
    Configure how a port recognizes and sends MSTP packets: stp compliance { auto | dot1s | legacy } (Required; by default, a port recognizes and sends MSTP packets in the automatic mode, that is, it determines the format of...
  • Page 200: Configuring The Maximum Hop Count Of An Mst Region

    <Sysname> system-view [Sysname] stp mode stp Configuring the Maximum Hop Count of an MST Region The maximum hop count configured on the region root is also the maximum hops of the MST region. The value of the maximum hop count limits the size of the MST region. A configuration BPDU contains a field that maintains the remaining hops of the configuration BPDU.
  • Page 201: Configuring The Mstp Time-related Parameters

    To do... / Use the command... / Remarks
    Enter system view: system-view
    Configure the network diameter of the switched network: stp bridge-diameter bridgenumber (Required; the default network diameter of a network is 7). The network diameter parameter indicates the size of a network. The bigger the network diameter is, the larger the network size is.
  • Page 202: Configuring The Timeout Time Factor

    The forward delay parameter and the network diameter are correlated. Normally, a large network diameter corresponds to a large forward delay. Too small a forward delay may result in temporary redundant paths, and too large a forward delay may leave the network unable to return to the normal state in time after a topology change.
  • Page 203: Configuring The Maximum Transmitting Rate On The Current Port

    Configuration procedure
    Follow these steps to configure the timeout time factor:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Configure the timeout time factor for the switch | stp timer-factor number | Required. The timeout time factor defaults to 3. For a steady network, the timeout time can be five to seven times the hello time.
  • Page 204: Configuring The Current Port As An Edge Port

    As the maximum transmitting rate parameter determines the number of the configuration BPDUs transmitted in each hello time, set it to a proper value to prevent MSTP from occupying too many network resources. The default value is recommended. Configuration example # Set the maximum transmitting rate of Ethernet 1/0/1 to 15.
  • Page 205: Setting The Link Type Of A Port To P2p

    You are recommended to configure the Ethernet ports connected directly to terminals as edge ports and enable the BPDU guard function at the same time. This not only enables these ports to turn to the forwarding state rapidly but also secures your network. Configuration example # Configure Ethernet 1/0/1 as an edge port.
  • Page 206: Enabling Mstp

    To do... | Use the command... | Remarks
    Specify whether the link connected to a port is a point-to-point link | stp point-to-point { force-true | force-false | auto } | Required. The auto keyword is adopted by default.
    If you configure the link connected to a port in an aggregation group as a point-to-point link, the configuration will be synchronized to the rest of the ports in the same aggregation group.
  • Page 207: Configuring Leaf Nodes

    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enable MSTP | stp enable | Required. MSTP is enabled globally by default.
    Enter Ethernet port view | interface interface-type interface-number | —
    Disable MSTP on the... | stp disable... | Optional. By default, MSTP is enabled on all ports. To enable a switch to operate more flexibly, you can disable MSTP on...
  • Page 208: Configuring The Path Cost For A Port

    Configuring the Path Cost for a Port The path cost parameter reflects the rate of the link connected to the port. For a port on an MSTP-enabled switch, the path cost may be different in different MSTIs. You can enable flows of different VLANs to travel along different physical links by configuring appropriate path costs on ports, so that VLAN-based load balancing can be implemented.
  • Page 209 When calculating the path cost of an aggregated link, the 802.1D-1998 standard does not take the number of the ports on the aggregated link into account, whereas the 802.1T standard does. The following formula is used to calculate the path cost of an aggregated link: Path cost = 200,000,000 / link transmission rate Where, “link transmission rate”...
  • Page 210: Configuring Port Priority

    [Sysname] undo stp interface Ethernet 1/0/1 instance 1 cost
    [Sysname] stp pathcost-standard dot1d-1998
    Perform this configuration in Ethernet port view
    <Sysname> system-view
    [Sysname] interface Ethernet 1/0/1
    [Sysname-Ethernet1/0/1] undo stp instance 1 cost
    [Sysname-Ethernet1/0/1] quit
    [Sysname] stp pathcost-standard dot1d-1998
    Configuring Port Priority
    Port priority is an important criterion in determining the root port.
  • Page 211: Setting The Link Type Of A Port To P2p

    Perform this configuration in system view
    <Sysname> system-view
    [Sysname] stp interface Ethernet 1/0/1 instance 1 port priority 16
    Perform this configuration in Ethernet port view
    <Sysname> system-view
    [Sysname] interface Ethernet 1/0/1
    [Sysname-Ethernet1/0/1] stp instance 1 port priority 16
    Setting the Link Type of a Port to P2P
    Refer to Setting the Link Type of a Port to P2P.
  • Page 212: Configuration Example

    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port view | interface interface-type interface-number | —
    Perform the mCheck operation | stp mcheck | Required
    Configuration Example
    # Perform the mCheck operation on Ethernet 1/0/1.
    Perform this configuration in system view
    <Sysname>...
  • Page 213: Configuring Root Guard

    <Sysname> system-view
    [Sysname] stp bpdu-protection
    As Gigabit ports of a 3Com switch 4500 cannot be shut down, the BPDU guard function is not applicable to these ports even if you enable the BPDU guard function and specify these ports to be MSTP edge ports.
  • Page 214: Configuring Loop Guard

    Configuration procedure
    Follow these steps to configure the root guard function in system view:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enable the root guard function on specified ports | stp interface interface-list root-protection | Required. The root guard function is disabled by default.
  • Page 215: Configuring Tc-bpdu Attack Guard

    You are recommended to enable loop guard on the root port and alternate port of a non-root bridge. Loop guard, root guard, and edge port settings are mutually exclusive. With one of these functions enabled on a port, any of the other two functions cannot take effect even if you have configured it on the port.
  • Page 216: Configuring Digest Snooping

    MST region. This problem can be overcome by implementing the digest snooping feature. If a port on a 3Com switch 4500 is connected to another manufacturer's switch that has the same MST region-related configuration as its own but adopts a proprietary spanning tree protocol, you can enable digest snooping on the port.
  • Page 217 BPDUs to be sent to the other manufacturer's switch. In this way, the switch 4500 can communicate with another manufacturer’s switches in the same MST region. The digest snooping function is not applicable to edge ports.
  • Page 218: Configuring Rapid Transition

    When the digest snooping feature is enabled on a port, the port state turns to the discarding state. That is, the port will not send BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port. The digest snooping feature is needed only when your switch is connected to another manufacturer’s switches adopting proprietary spanning tree protocols.
  • Page 219 MSTP is connected in the upstream direction to another manufacturer's switch running proprietary spanning tree protocols, you can enable the rapid transition feature on the ports of the switch 4500 operating as the downstream switch. Among these ports, those operating as the root ports will then send agreement packets to their upstream ports after they receive proposal packets from the upstream designated ports, instead of waiting for agreement packets from the upstream switch.
  • Page 220: Configuring Rapid Transition

    Configuration prerequisites As shown in Figure 1-8, a 3Com switch 4500 is connected to another manufacturer's switch. The former operates as the downstream switch, and the latter operates as the upstream switch. The network operates normally. The upstream switch is running a proprietary spanning tree protocol that is similar to RSTP in the way it implements rapid transition on designated ports.
  • Page 221: Mstp Maintenance Configuration

    The rapid transition feature can be enabled on only root ports or alternate ports. If you configure the rapid transition feature on a designated port, the feature does not take effect on the port. MSTP Maintenance Configuration Introduction In a large-scale network with MSTP enabled, there may be many MSTP instances, and so the status of a port may change frequently.
  • Page 222: Displaying And Maintaining Mstp

    Configuration procedure
    Follow these steps to enable trap messages conforming to the 802.1d standard:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enable trap messages conforming to the 802.1d standard in an instance | stp [ instance instance-id ] dot1d-trap [ newroot | topologychange ] enable | Required
    Configuration example
    # Enable a switch to send trap messages conforming to the 802.1d standard to the network management...
  • Page 223
    Network diagram
    Figure 1-9 Network diagram for MSTP configuration
    The word “permit” shown in Figure 1-9 means the corresponding link permits packets of specific VLANs.
    Configuration procedure
    Configure Switch A
    # Enter MST region view.
    <Sysname> system-view
    [Sysname] stp region-configuration
    # Configure the region name, VLAN-to-instance mapping table, and revision level for the MST region.
  • Page 224
    # Activate the settings of the MST region manually.
    [Sysname-mst-region] active region-configuration
    # Specify Switch B as the root bridge of MSTI 3.
    [Sysname] stp instance 3 root primary
    Configure Switch C.
    # Enter MST region view.
    <Sysname> system-view
    [Sysname] stp region-configuration
    # Configure the MST region.
  • Page 225 Table of Contents
    1 IP Routing Protocol Overview 1-1
    Introduction to IP Route and Routing Table 1-1
    IP Route 1-1
    Routing Table 1-1
    Routing Protocol Overview 1-3
    Static Routing and Dynamic Routing 1-3
    Classification of Dynamic Routing Protocols 1-3
    Routing Protocols and Routing Priority 1-3
    Load Sharing and Route Backup 1-4
    Routing Information Sharing 1-4
    Displaying and Maintaining a Routing Table 1-5...
  • Page 226
    Filters 4-1
    IP Route Policy Configuration Task List 4-2
    Route Policy Configuration 4-2
    Configuration Prerequisites 4-3
    Defining a Route Policy 4-3
    Defining if-match Clauses and apply Clauses 4-3
    IP-Prefix Configuration 4-5
    Configuration Prerequisites 4-5
    Configuring an ip-prefix list 4-5
    Displaying IP Route Policy 4-5
    IP Route Policy Configuration Example 4-6
    Controlling RIP Packet Cost to Implement Dynamic Route Backup 4-6
    Troubleshooting IP Route Policy 4-9...
  • Page 227: Ip Routing Protocol Overview

    IP Routing Protocol Overview Go to these sections for information you are interested in: Introduction to IP Route and Routing Table Routing Protocol Overview Displaying and Maintaining a Routing Table Introduction to IP Route and Routing Table IP Route Routers are used for route selection on the Internet. As a router receives a packet, it selects an appropriate route (through a network) according to the destination address of the packet and forwards the packet to the next router.
  • Page 228 Preference: There may be multiple routes with different next hops to the same destination. These routes may be discovered by different routing protocols, or be manually configured static routes. The one with the highest preference (the smallest numerical value) will be selected as the current optimal route.
  • Page 229: Multicast

    Routing Protocol Overview Static Routing and Dynamic Routing Static routing is easy to configure and requires less system resources. It works well in small, stable networks with simple topologies. It cannot adapt itself to any network topology change automatically, so you must perform routing configuration again whenever the network topology changes.
  • Page 230: Load Sharing And Route Backup

    each routing protocol (including static routes) is assigned a priority. The route found by the routing protocol with the highest priority is preferred. The following table lists some routing protocols and the default priorities for routes found by them: Table 1-1 Routing protocols and priorities of their default route Routing approach Priority DIRECT...
  • Page 231: Displaying And Maintaining A Routing Table

    routing information. Each routing protocol shares routing information discovered by other routing protocols through a route redistribution mechanism.
    Displaying and Maintaining a Routing Table
    To do… | Use the command… | Remarks
    Display brief information about a routing table | display ip routing-table [ | { begin | exclude | include } regular-expression ] |
    Display detailed information...
  • Page 232: Static Route Configuration

    Static Route Configuration When configuring a static route, go to these sections for information you are interested in: Introduction to Static Route Static Route Configuration Displaying and Maintaining Static Routes Static Route Configuration Example Troubleshooting a Static Route The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
  • Page 233: Default Route

    Default Route To avoid too large a routing table, you can configure a default route. When the destination address of a packet fails to match any entry in the routing table and there is a default route in the routing table, the default route will be selected to forward the packet. If there is no default route, the packet will be discarded and an ICMP Destination Unreachable or Network Unreachable packet will be returned to the source.
  • Page 234: Static Route Configuration Example

    To do... | Use the command... | Remarks
    Display the brief information of a routing table | display ip routing-table |
    Display the detailed information of a routing table | display ip routing-table verbose |
    Display the information of static routes | display ip routing-table protocol static [ inactive | verbose ] | Available in...
    Delete all static routes...
  • Page 235: Troubleshooting A Static Route

    Perform the following configurations on the switch.
    # Approach 1: Configure static routes on Switch A.
    <SwitchA> system-view
    [SwitchA] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2
    [SwitchA] ip route-static 1.1.4.0 255.255.255.0 1.1.2.2
    [SwitchA] ip route-static 1.1.5.0 255.255.255.0 1.1.2.2
    # Approach 2: Configure a static route on Switch A.
    <SwitchA>...
  • Page 236: Rip Configuration

    RIP Configuration When configuring RIP, go to these sections for information you are interested in: RIP Overview RIP Configuration Task List RIP Configuration Example Troubleshooting RIP Configuration The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
  • Page 237: Rip Startup And Operation

    Interface: Outbound interface on this router, through which IP packets should be forwarded to reach the destination. Metric: Cost from the local router to the destination. Route time: Time elapsed since the routing entry was last updated. The time is reset to 0 every time the routing entry is updated.
  • Page 238: Basic Rip Configuration

    Task | Remarks
    Configuring Basic RIP Functions:
    Enabling RIP on the interfaces attached to a specified network segment | Required
    Setting the RIP operating status on an interface | Optional
    Specifying the RIP version on an interface | Optional
    Setting the additional routing metrics of an interface | Optional
    Configuring RIP route summarization | Optional...
  • Page 239: Rip Route Control

    Related RIP commands configured in interface view can take effect only after RIP is enabled. RIP operates on the interfaces attached to a specified network segment. When RIP is disabled on an interface, it does not operate on the interface, that is, it neither receives/sends routes on the interface, nor forwards any interface route.
  • Page 240: Configuration Prerequisites

    Set the preference of RIP to change the preference order of routing protocols. This order makes sense when more than one route to the same destination is discovered by multiple routing protocols. Redistribute external routes in an environment with multiple routing protocols. Configuration Prerequisites Before configuring RIP route control, perform the following tasks: Configuring network layer addresses of interfaces so that adjacent nodes are reachable to each...
  • Page 241 Follow these steps to configure RIP route summarization: To do... Use the command... Remarks Enter system view — system-view Enter RIP view — Required Enable RIP-2 automatic summary route summarization Enabled by default Disabling the router from receiving host routes In some special cases, the router can receive a lot of host routes from the same segment, and these routes are of little help in route addressing but consume a lot of network resources.
  • Page 242 The filter-policy import command filters the RIP routes received from neighbors, and the routes being filtered out will neither be added to the routing table nor be advertised to any neighbors. The filter-policy export command filters all the routes to be advertised, including the routes redistributed with the import-route command and routes learned from neighbors.
  • Page 243: Rip Network Adjustment And Optimization

    RIP Network Adjustment and Optimization In some special network environments, some RIP features need to be configured and RIP network performance needs to be adjusted and optimized. By performing the configuration mentioned in this section, the following can be implemented: Changing the convergence speed of RIP network by adjusting RIP timers;...
  • Page 244 Split horizon cannot be disabled on a point-to-point link. Configuring RIP-1 packet zero field check Follow these steps to configure RIP-1 packet zero field check: To do... Use the command... Remarks Enter system view — system-view Enter RIP view — Required Enable the check of the must be zero checkzero...
  • Page 245: Displaying And Maintaining Rip Configuration

    Configuring RIP to unicast RIP packets Follow these steps to configure RIP to unicast RIP packets: To do... Use the command... Remarks Enter system view — system-view Enter RIP view — Required Configure RIP to When RIP runs on the link that does not support peer ip-address unicast RIP packets broadcast or multicast, you must configure RIP to...
  • Page 246: Troubleshooting Rip Configuration

    Switch C Vlan-int1 110.11.2.3/24 Vlan-int4 117.102.0.1/16 Configuration procedure Only the configuration related to RIP is listed below. Before the following configuration, make sure the Ethernet link layer works normally and the IP addresses of VLAN interfaces are configured correctly. Configure Switch A: # Configure RIP.
  • Page 247: Ip Route Policy Configuration

    IP Route Policy Configuration When configuring an IP route policy, go to these sections for information you are interested in: IP Route Policy Overview IP Route Policy Configuration Task List Displaying IP Route Policy IP Route Policy Configuration Example Troubleshooting IP Route Policy The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
  • Page 248: Ip Route Policy Configuration Task List

    For ACL configuration, refer to the part discussing ACL. IP-prefix list IP-prefix list plays a role similar to ACL. But it is more flexible than ACL and easier to understand. When IP-prefix list is applied to filter routing information, its matching object is the destination address field in routing information.
  • Page 249: Configuration Prerequisites

    if-match clause: Defines matching rules; that is, the filtering conditions that the routing information should satisfy for passing the current route policy. The matching objects are some attributes of the routing information. apply clause: Specifies actions, which are the configuration commands executed after a route satisfies the filtering conditions specified by the if-match clause.
  • Page 250
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter the route-policy view | route-policy route-policy-name { permit | deny } node node-number | Required
    Define a rule to match the IP address of routing information | if-match { acl acl-number | ip-prefix ip-prefix-name } | Optional. By default, no matching is performed on...
  • Page 251: Ip-prefix Configuration

    IP-Prefix Configuration IP-prefix plays a role similar to ACL but is more flexible and easier to understand. When IP-prefix is applied to filtering routing information, its matching object is the destination address field of routing information. Configuration Prerequisites Before configuring a filter list, prepare the following data: IP-prefix name Range of addresses to be matched...
  • Page 252: Ip Route Policy Configuration Example

    IP Route Policy Configuration Example Controlling RIP Packet Cost to Implement Dynamic Route Backup Network requirements The required speed of convergence in the small network of a company is not high. The network provides two services. Main and backup links are provided for each service for the purpose of reliability. The main link of one service serves as the backup link of the other.
  • Page 253 For the OA server, the main link is between Switch A and Switch C, while the backup link is between Switch B and Switch C. For the service server, the main link is between Switch B and Switch C, while the backup link is between Switch A and Switch C.
  • Page 254
    [SwitchC-route-policy] if-match interface Vlan-interface2
    [SwitchC-route-policy] if-match ip-prefix 2
    [SwitchC-route-policy] apply cost 6
    [SwitchC-route-policy] quit
    # Create node 30 with the matching mode being permit in the route policy. Define if-match clauses. Apply the cost 6 to routes matching the outgoing interface VLAN-interface 6 and prefix list 1.
    [SwitchC] route-policy in permit node 30
    [SwitchC-route-policy] if-match interface Vlan-interface6
    [SwitchC-route-policy] if-match ip-prefix 1...
  • Page 255: Troubleshooting Ip Route Policy

    Display data forwarding paths when the main link of the OA server between Switch A and Switch C is down.
    <SwitchC> display ip routing-table
    Routing Table: public net
    Destination/Mask Protocol Cost Nexthop Interface
    1.0.0.0/8 6.6.6.5 Vlan-interface2
    3.0.0.0/8 6.6.6.5 Vlan-interface6
    6.0.0.0/8 DIRECT 6.6.6.6 Vlan-interface6...
  • Page 256 Table of Contents
    1 Multicast Overview 1-1
    Multicast Overview 1-1
    Information Transmission in the Unicast Mode 1-1
    Information Transmission in the Broadcast Mode 1-2
    Information Transmission in the Multicast Mode 1-3
    Roles in Multicast 1-3
    Common Notations in Multicast 1-4
    Advantages and Applications of Multicast 1-4
    Multicast Models 1-5
    Multicast Architecture 1-6
    Multicast Address 1-6...
  • Page 257
    Configuring IGMP Snooping 1-17
    Configuring Multicast VLAN 1-18
    Troubleshooting IGMP Snooping 1-21...
  • Page 258: Multicast Overview

    Multicast Overview In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol. Multicast Overview With the development of the Internet, more and more interaction services such as data, voice, and video services are running on the network.
  • Page 259: Information Transmission In The Broadcast Mode

    Assume that Hosts B, D and E need this information. The source server establishes transmission channels for the devices of these users respectively. As the transmitted traffic over the network is in direct proportion to the number of users that receive this information, when a large number of users need the same information, the server must send many packets of information with the same content to the users.
  • Page 260: Information Transmission In The Multicast Mode

    Information Transmission in the Multicast Mode As described in the previous sections, unicast is suitable for networks with sparsely distributed users, whereas broadcast is suitable for networks with densely distributed users. When the number of users requiring information is not certain, neither unicast nor broadcast is efficient. Multicast solves this problem.
  • Page 261: Common Notations In Multicast

    All receivers interested in the same information form a multicast group. Multicast groups are not subject to geographic restrictions. A router that supports Layer 3 multicast is called multicast router or Layer 3 multicast device. In addition to providing multicast routing, a multicast router can also manage multicast group members.
  • Page 262: Multicast Models

    Distributive application: Multicast makes multiple-point application possible. Application of multicast The multicast technology effectively addresses the issue of point-to-multipoint data transmission. By enabling high-efficiency point-to-multipoint data transmission over an IP network, multicast greatly saves network bandwidth and reduces network load. Multicast provides the following applications: Applications of multimedia and streaming media, such as Web TV, Web radio, and real-time video/audio conferencing.
  • Page 263: Multicast Architecture

    Multicast Architecture The purpose of IP multicast is to transmit information from a multicast source to receivers in the multicast mode and to satisfy the information requirements of receivers. You should be concerned about: Host registration: What receivers reside on the network? Technologies of discovering a multicast source: Which multicast source should the receivers receive information from? Multicast addressing mechanism: Where should the multicast source transport information?
  • Page 264 The membership of a group is dynamic. A host can join and leave a multicast group at any time. A multicast group can be either permanent or temporary. A multicast group whose addresses are assigned by IANA is a permanent multicast group. It is also called reserved multicast group.
  • Page 265
    Class D address range | Description
    224.0.0.13 | All Protocol Independent Multicast (PIM) routers
    224.0.0.14 | Resource Reservation Protocol (RSVP) encapsulation
    224.0.0.15 | All core-based tree (CBT) routers
    224.0.0.16 | The specified subnetwork bandwidth management (SBM)
    224.0.0.17 | All SBMS
    224.0.0.18 | Virtual Router Redundancy Protocol (VRRP)
    224.0.0.19 to 224.0.0.255 | Other protocols
    Like having reserved the private network segment 10.0.0.0/8 for unicast, IANA has also reserved the...
  • Page 266: Multicast Protocols

    Multicast Protocols Generally, we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Layer 3 multicast protocols, which include IGMP, PIM, and MSDP; we refer to IP multicast working at the data link layer as Layer 2 multicast and the corresponding multicast protocols as Layer 2 multicast protocols, which include IGMP Snooping.
  • Page 267: Multicast Packet Forwarding Mechanism

    Among a variety of mature intra-domain multicast routing protocols, Protocol Independent Multicast (PIM) is a popular one. Based on the forwarding mechanism, PIM comes in two modes – dense mode (often referred to as PIM-DM) and sparse mode (often referred to as PIM-SM). An inter-domain multicast routing protocol is used for delivery of multicast information between two ASs.
  • Page 268: Implementation Of The Rpf Mechanism

    In the network, multicast packet transmission is based on the guidance of the multicast forwarding table derived from the unicast routing table or the multicast routing table specially provided for multicast. To process the same multicast information from different peers received on different interfaces of the same device, every multicast packet is subject to a Reverse Path Forwarding (RPF) check on the incoming interface.
  • Page 269 considers the path along which the packet from the RPF neighbor arrived on the RPF interface to be the shortest path that leads back to the source. Assume that unicast routes exist in the network, as shown in Figure 1-7. Multicast packets travel along the SPT from the multicast source to the receivers.
  • Page 270: Common Multicast Configuration

    Common Multicast Configuration In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol. Common Multicast Configuration Table 2-1 Complete the following tasks to perform common multicast configurations: Task Remarks Configuring Suppression on the Multicast...
  • Page 271: Configuring A Multicast Mac Address Entry

    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port view | interface interface-type interface-number | —
    Configure multicast source port suppression | multicast-source-deny | Optional. Multicast source port suppression is disabled by default.
    Configuring a Multicast MAC Address Entry
    In Layer 2 multicast, the system can add multicast forwarding entries dynamically through a Layer 2 multicast protocol.
  • Page 272: Configuring Dropping Unknown Multicast Packets

    If the multicast MAC address entry to be created already exists, the system gives you a prompt. If you want to add a port to a multicast MAC address entry created through the mac-address multicast command, you need to remove the entry first, create this entry again, and then add the specified port to the forwarding ports of this entry.
  • Page 273: Igmp Snooping Configuration

    IGMP Snooping Configuration. When configuring IGMP snooping, go to these sections for information you are interested in: IGMP Snooping Overview; Configuring IGMP Snooping; Displaying and Maintaining IGMP Snooping; IGMP Snooping Configuration Examples; Troubleshooting IGMP Snooping. In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.
  • Page 274: Basic Concepts In Igmp Snooping

    Figure 3-1 Before and after IGMP Snooping is enabled on a Layer 2 device (multicast packet transmission without IGMP Snooping versus when IGMP Snooping runs; elements shown: multicast router, source, Layer 2 switch, Host A, Host C)...
  • Page 275: Work Mechanism Of Igmp Snooping

    member ports. The switch records all member ports on the local device in the IGMP Snooping forwarding table. Table 3-1 Port aging timers in IGMP Snooping and related messages and actions (columns: Timer / Description / Message before ...)...
  • Page 276 A switch will not forward an IGMP report through a non-router port for the following reason: Due to the IGMP report suppression mechanism, if member hosts of that multicast group still exist under non-router ports, the hosts will stop sending reports when they receive the message, and this prevents the switch from knowing if members of that multicast group are still attached to these ports.
  • Page 277: Configuring Igmp Snooping

    Configuring IGMP Snooping. Complete the following tasks to configure IGMP Snooping (Task / Remarks): Enabling IGMP Snooping (Required); Configuring the Version of IGMP Snooping (Optional); Configuring Timers (Optional); Configuring Fast Leave Processing (Optional); Configuring a Multicast Group Filter (Optional); Configuring the Maximum Number of Multicast Groups on a Port (Optional); Configuring IGMP Snooping Querier...
  • Page 278: Configuring The Version Of Igmp Snooping

    Although both Layer 2 and Layer 3 multicast protocols can run on the same switch simultaneously, they cannot run simultaneously on a VLAN or its corresponding VLAN interface. Before enabling IGMP Snooping in a VLAN, be sure to enable IGMP Snooping globally in system view;...
  • Page 279: Configuring Timers

    Configuring Timers This section describes how to configure the aging timer of the router port, the aging timer of the multicast member ports, and the query response timer. Follow these steps to configure timers: To do... Use the command... Remarks Enter system view —...
  • Page 280: Configuring A Multicast Group Filter

    To do... / Use the command... / Remarks: Enter Ethernet port view: interface interface-type interface-number (—). Enable fast leave processing for specific VLANs: igmp-snooping fast-leave [ vlan vlan-list ] (Required; by default, the fast leave processing feature is disabled). The fast leave processing function works for a port only if the host attached to the port runs IGMPv2 or IGMPv3.
  • Page 281: Configuring The Maximum Number Of Multicast Groups On A Port

    To do... / Use the command... / Remarks: Enter system view: system-view (—). Enter Ethernet port view: interface interface-type interface-number (—). Configure a multicast group filter: igmp-snooping group-policy acl-number [ vlan vlan-list ] (Optional; no group filter is configured by default, namely hosts can join any multicast group).
  • Page 282: Configuring Igmp Snooping Querier

    To prevent bursting traffic in the network or performance deterioration of the device caused by excessive multicast groups, you can set the maximum number of multicast groups that the switch should process. When the number of multicast groups exceeds the configured limit, the switch removes its multicast forwarding entries starting from the oldest one.
  • Page 283: Suppressing Flooding Of Unknown Multicast Traffic In A Vlan

    To do... / Use the command... / Remarks: Enable IGMP Snooping querier: igmp-snooping querier (Required; by default, IGMP Snooping querier is disabled). Configuring IGMP query interval. Follow these steps to configure IGMP query interval: To do... / Use the command... / Remarks: Enter system view —...
  • Page 284: Configuring Static Member Port For A Multicast Group

    You can configure up to 200 static member ports on a Switch 4500 series switch. If a port has been configured as an XRN fabric port or a reflect port, it cannot be configured as a static member port.
  • Page 285: Configuring A Static Router Port

    Configuring a Static Router Port In a network where the topology is unlikely to change, you can configure a port on the switch as a static router port, so that the switch has a static connection to a multicast router and receives IGMP messages from that router.
  • Page 286: Configuring A Vlan Tag For Query Messages

    Therefore, to ensure that IGMP entries will not age out, the port must receive IGMP general queries periodically. Follow these steps to configure a port as a simulated group member: To do... Use the command... Remarks Enter system view — system-view interface interface-type Enter Ethernet port view...
  • Page 287: Configuring Multicast Vlan

    Configuring Multicast VLAN In traditional multicast implementations, when users in different VLANs listen to the same multicast group, the multicast data is copied on the multicast router for each VLAN that contains receivers. This is a big waste of network bandwidth. In an IGMP Snooping environment, by configuring a multicast VLAN and adding ports to the multicast VLAN, you can allow users in different VLANs to share the same multicast VLAN.
  • Page 288: Displaying And Maintaining Igmp Snooping

    To do... / Use the command... / Remarks: Enter Ethernet port view for the Layer 3 switch: interface interface-type interface-number (—). Define the port as a trunk or hybrid port: port link-type { trunk | hybrid } (Required). Specify the VLANs to be ...: port hybrid vlan vlan-list { tagged | untagged } (Required; the multicast VLAN must be ...)...
  • Page 289: Igmp Snooping Configuration Examples

    IGMP Snooping Configuration Examples Configuring IGMP Snooping Network requirements To prevent multicast traffic from being flooded at Layer 2, enable IGMP snooping on Layer 2 switches. As shown in Figure 3-3, Router A connects to a multicast source (Source) through Ethernet 1/0/2, and to Switch A through Ethernet 1/0/1.
  • Page 290 Configure Switch A
    # Enable IGMP Snooping globally.
    <SwitchA> system-view
    [SwitchA] igmp-snooping enable
    Enable IGMP-Snooping ok.
    # Create VLAN 100, assign Ethernet 1/0/1 through Ethernet 1/0/4 to this VLAN, and enable IGMP Snooping in the VLAN.
    [SwitchA] vlan 100
    [SwitchA-vlan100] port Ethernet 1/0/1 to Ethernet 1/0/4
    [SwitchA-vlan100] igmp-snooping enable
    [SwitchA-vlan100] quit
    Verify the configuration...
  • Page 291 Table 3-2 Network devices and their configurations (Device / Device description / Networking description): Switch A, Layer 3 switch: The interface IP address of VLAN 20 is 168.10.1.1. Ethernet 1/0/1 is connected to the workstation and belongs to VLAN 20. The interface IP address of VLAN 10 is 168.10.2.1.
  • Page 292 Network diagram. Figure 3-4 Network diagram for multicast VLAN configuration (Switch A with Vlan-int20 168.10.1.1 and Vlan-int10 168.10.2.1, Eth1/0/1 to the WorkStation; Eth1/0/10 linking Switch A and Switch B in VLAN 10; Host A and Host B on Switch B). Configuration procedure: The following configuration is based on the prerequisite that the devices are properly connected and all the required IP addresses are already configured.
  • Page 293: Troubleshooting Igmp Snooping

    # Create VLAN 2, VLAN 3 and VLAN 10, configure VLAN 10 as the multicast VLAN, and then enable IGMP Snooping on it.
    [SwitchB] vlan 2 to 3
    Please wait..Done.
    [SwitchB] vlan 10
    [SwitchB-vlan10] service-type multicast
    [SwitchB-vlan10] igmp-snooping enable
    [SwitchB-vlan10] quit
    # Define Ethernet 1/0/10 as a hybrid port, add the port to VLAN 2, VLAN 3, and VLAN 10, and configure the port to forward tagged packets for VLAN 2, VLAN 3, and VLAN 10.
  • Page 294 If the multicast group set up by IGMP Snooping is not correct, contact your technical support personnel...
  • Page 295 The Mechanism of an 802.1x Authentication System (1-3); Encapsulation of EAPoL Messages (1-3); 802.1x Authentication Procedure (1-5); Timers Used in 802.1x (1-9); Additional 802.1x Features on Switch 4500 (1-10); Introduction to 802.1x Configuration (1-13); Basic 802.1x Configuration (1-14); Configuration Prerequisites (1-14); Configuring Basic 802.1x Functions (1-14)...
  • Page 296 Layer 3 Error Control (4-1); Configuring System Guard (4-1); Configuring System Guard Against IP Attacks (4-1); Configuring System Guard Against TCN Attacks (4-2); Enabling Layer 3 Error Control (4-3); Displaying and Maintaining System Guard Configuration (4-3)...
  • Page 297: 802.1x Configuration

    802.1x Configuration. When configuring 802.1x, go to these sections for information you are interested in: Introduction to 802.1x; Introduction to 802.1x Configuration; Basic 802.1x Configuration; Advanced 802.1x Configuration; Displaying and Maintaining 802.1x Configuration; Configuration Example. Introduction to 802.1x: The 802.1x protocol (802.1x for short) was developed by the IEEE 802 LAN/WAN committee to address security issues of wireless LANs.
  • Page 298 Figure 1-1 Architecture of 802.1x authentication The supplicant system is the entity seeking access to the LAN. It resides at one end of a LAN segment and is authenticated by the authenticator system at the other end of the LAN segment. The supplicant system is usually a user terminal device.
  • Page 299: The Mechanism Of An 802.1x Authentication System

    The controlled port can be used to pass service packets when it is in authorized state. It is blocked when not in authorized state. In this case, no packets can pass through it. Controlled port and uncontrolled port are two properties of a port. Packets reaching a port are visible to both the controlled port and uncontrolled port of the port.
  • Page 300 Figure 1-3 The format of an EAPoL packet In an EAPoL packet: The PAE Ethernet type field holds the protocol identifier. The identifier for 802.1x is 0x888E. The Protocol version field holds the version of the protocol supported by the sender of the EAPoL packet.
  • Page 301: 802.1x Authentication Procedure

    EAP-message field must also have the Message-authenticator field. Otherwise, the packet is regarded as invalid and is discarded. Figure 1-7 The format of a Message-authenticator field. 802.1x Authentication Procedure: Switch 4500 can authenticate supplicant systems in EAP terminating mode or EAP relay mode.
  • Page 302 EAP relay mode: This mode is defined in 802.1x. In this mode, EAP packets are encapsulated in higher-level protocol (such as EAPoR) packets to enable them to successfully reach the authentication server. Normally, this mode requires that the RADIUS server support the two newly-added fields: the EAP-message field (with a value of 79) and the Message-authenticator field (with a value of 80).
  • Page 303 Figure 1-8 802.1x authentication procedure (in EAP relay mode): EAPOL between the supplicant system and the authenticator system, EAPOR between the authenticator system and the RADIUS server. The sequence is EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity, relayed as RADIUS Access-Request (EAP-Response/Identity); RADIUS Access-Challenge (EAP-Request/MD5 challenge), relayed as EAP-Request/MD5 challenge; EAP-Response/MD5 challenge, relayed as RADIUS Access-Request...
  • Page 304 feeds back (through a RADIUS access-accept packet and an EAP-success packet) to the switch to indicate that the supplicant system is authenticated. The switch changes the state of the corresponding port to accepted state to allow the supplicant system to access the network. The supplicant system can also terminate the authenticated state by sending EAPoL-Logoff packets to the switch.
  • Page 305: Timers Used In 802.1x

    Figure 1-9 802.1x authentication procedure (in EAP terminating mode): EAPOL between the supplicant system PAE and the authenticator system (EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity; EAP-Request/MD5 Challenge; EAP-Response/MD5 Challenge), RADIUS between the authenticator system and the RADIUS server (RADIUS Access-Request (CHAP-Response/MD5 Challenge); RADIUS Access-Accept (CHAP-Success)), then EAP-Success to the supplicant; Port...
  • Page 306: Additional 802.1x Features On Switch 4500

    Additional 802.1x Features on Switch 4500 In addition to the earlier mentioned 802.1x features, Switch 4500 is also capable of the following: Checking supplicant systems for proxies, multiple network adapters, etc. (This function needs the cooperation of a CAMS server.)
  • Page 307 Only disconnects the supplicant system but sends no Trap packets. Sends Trap packets without disconnecting the supplicant system. This function needs the cooperation of 802.1x client and a CAMS server. The 802.1x client needs to be capable of detecting multiple network adapters, proxies, and IE proxies.
  • Page 308 After the maximum number of retries have been made and there are still ports that have not sent any response back, the switch will then add these ports to the guest VLAN. Users belonging to the guest VLAN can access the resources of the guest VLAN without being authenticated.
  • Page 309: Introduction To 802.1x Configuration

    The RADIUS server has the switch perform 802.1x re-authentication of users. The RADIUS server sends the switch an Access-Accept packet with the Termination-Action attribute field of 1. Upon receiving the packet, the switch re-authenticates the user periodically. You enable 802.1x re-authentication on the switch. With 802.1x re-authentication enabled, the switch re-authenticates users periodically.
  • Page 310: Basic 802.1x Configuration

    Basic 802.1x Configuration Configuration Prerequisites Configure ISP domain and the AAA scheme to be adopted. You can specify a RADIUS scheme or a local scheme. Ensure that the service type is configured as lan-access (by using the service-type command) if local authentication scheme is adopted.
  • Page 311: Timer And Maximum User Number Configuration

    To do… / Use the command… / Remarks: Enable online user handshaking: dot1x handshake enable (Optional; by default, online user handshaking is enabled). 802.1x configurations take effect only after you enable 802.1x both globally and for specified ports. The settings of 802.1x and MAC address learning limit are mutually exclusive. Enabling 802.1x on a port will prevent you from setting the limit on MAC address learning on the port and vice versa.
  • Page 312: Advanced 802.1x Configuration

    To do… / Use the command... / Remarks: Set 802.1x timers: dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value | ver-period ... } (Optional; the settings of 802.1x timers are as follows: handshake-period-value: 15 seconds; quiet-period-value: seconds; server-timeout-value: seconds; supp-timeout-value: seconds; tx-period-value: seconds...)
  • Page 313: Configuring Client Version Checking

    To do... / Use the command... / Remarks: Enable proxy checking function globally: dot1x supp-proxy-check { logoff | trap } (Required; by default, the 802.1x proxy checking function is globally disabled). Enable proxy ... (in system view): dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]...
  • Page 314: Enabling Dhcp-triggered Authentication

    As for the dot1x version-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports. You can also execute this command in port view. In this case, this command applies to the current port only and the interface-list argument is not needed.
  • Page 315: Configuring 802.1x Re-authentication

    The guest VLAN function is available only when the switch operates in the port-based access control mode. Only one guest VLAN can be configured for each switch. The guest VLAN function cannot be implemented if you configure the dot1x dhcp-launch command on the switch to enable DHCP-triggered authentication.
  • Page 316: Displaying And Maintaining 802.1x Configuration

    During re-authentication, the switch always uses the latest re-authentication interval configured, no matter which of the above-mentioned two ways is used to determine the re-authentication interval. For example, if you configure a re-authentication interval on the switch and the switch receives an Access-Accept packet whose Termination-Action attribute field is 1, the switch will ultimately use the value of the Session-timeout attribute field as the re-authentication interval.
  • Page 317 a real-time accounting packet to the RADIUS servers once in every 15 minutes. A user name is sent to the RADIUS servers with the domain name truncated. The user name and password for local 802.1x authentication are “localuser” and “localpass” (in plain text) respectively.
  • Page 318
    [Sysname-radius-radius1] secondary authentication 10.11.1.2
    [Sysname-radius-radius1] secondary accounting 10.11.1.1
    # Set the password for the switch and the authentication RADIUS servers to exchange messages.
    [Sysname-radius-radius1] key authentication name
    # Set the password for the switch and the accounting RADIUS servers to exchange messages.
    [Sysname-radius-radius1] key accounting money
    # Set the interval and the number of the retries for the switch to send packets to the RADIUS servers.
  • Page 319: Quick Ead Deployment Configuration

    In real applications, however, deploying EAD clients proves to be time consuming and inconvenient. To address the issue, the Switch 4500 provides the forcible deployment of EAD clients with 802.1x authentication, easing the work of EAD client deployment.
  • Page 320: Mac Address Authentication

    Configuring Quick EAD Deployment. Configuration Prerequisites: Enable 802.1x on the switch. Set the port authorization mode to auto for 802.1x-enabled ports using the dot1x port-control command. Configuration Procedure. Configuring a free IP range: A free IP range is an IP range that users can access before passing 802.1x authentication. Follow these steps to configure a free IP range: To do...
  • Page 321: Displaying And Maintaining Quick Ead Deployment

    large number of users log in but cannot pass authentication, the switch may run out of ACL resources, preventing other users from logging in. A timer called ACL timer is designed to solve this problem. You can control the usage of ACL resources by setting the ACL timer. The ACL timer starts once a user gets online.
  • Page 322: Troubleshooting

    Configuration procedure. Before enabling quick EAD deployment, make sure that: The Web server is configured properly. The default gateway of the PC is configured as the IP address of the Layer-3 virtual interface of the VLAN to which the port that is directly connected with the PC belongs. # Configure the URL for HTTP redirection.
  • Page 323: Habp Configuration

    HABP Configuration. When configuring HABP, go to these sections for information you are interested in: Introduction to HABP; HABP Server Configuration; HABP Client Configuration; Displaying and Maintaining HABP Configuration. Introduction to HABP: When a switch is configured with the 802.1x function, 802.1x will authenticate and authorize 802.1x-enabled ports and allow only the authorized ports to forward packets.
  • Page 324: Habp Client Configuration

    To do... / Use the command... / Remarks: Configure the current switch to be an HABP server: habp server vlan vlan-id (Required; by default, a switch operates as an HABP client after you enable HABP on the switch. If you want to use the switch as a management switch, you need to configure the switch to be an HABP server.)
  • Page 325: System Guard Configuration

    System Guard Configuration. When configuring System Guard, go to these sections for information you are interested in: System Guard Overview; Configuring System Guard; Displaying and Maintaining System Guard Configuration. System Guard Overview. Guard Against IP Attacks: System Guard inspects the IP packets destined for the CPU over 10-second intervals, looking for suspicious source IP addresses.
  • Page 326: Configuring System Guard Against Tcn Attacks

    To do... / Use the command... / Remarks: Set the maximum number of infected hosts that can be concurrently monitored: system-guard ip detect-maxnum number (Optional; 30 by default). Set the maximum number of addresses that the system can learn, the maximum number of times an address can be hit ...: system-guard ip ... (Optional)...
  • Page 327: Enabling Layer 3 Error Control

    Enabling Layer 3 Error Control. Follow these steps to enable Layer 3 error control: To do... / Use the command... / Remarks: Enter system view: system-view (—). Enable Layer 3 error control: system-guard l3err enable (Required; enabled by default). Displaying and Maintaining System Guard Configuration: To do...
  • Page 328 Table of Contents: 1 AAA Overview (1-1); Introduction to AAA (1-1); Authentication (1-1); Authorization (1-1); Accounting (1-1); Introduction to ISP Domain (1-2); Introduction to AAA Services (1-2); Introduction to RADIUS (1-2); 2 AAA Configuration (2-1); AAA Configuration Task List (2-1); Creating an ISP Domain and Configuring Its Attributes (2-2); Configuring an AAA Scheme for an ISP Domain (2-3); Configuring Dynamic VLAN Assignment (2-5); Configuring the Attributes of a Local User (2-6)...
  • Page 329: Aaa Overview

    Remote authentication: Users are authenticated remotely through RADIUS protocol. This device (for example, a 3Com switch) acts as the client to communicate with the RADIUS or TACACS server. Remote authentication allows convenient centralized management and is feature-rich.
  • Page 330: Introduction To Isp Domain

    Introduction to ISP Domain An Internet service provider (ISP) domain is a group of users who belong to the same ISP. For a username in the format of userid@isp-name or userid.isp-name, the isp-name following the "@" character is the ISP domain name. The access device uses userid as the username for authentication, and isp-name as the domain name.
  • Page 331 Figure 1-1 Databases in a RADIUS server In addition, a RADIUS server can act as a client of some other AAA server to provide authentication or accounting proxy service. Basic message exchange procedure in RADIUS The messages exchanged between a RADIUS client (a switch, for example) and a RADIUS server are verified through a shared key.
  • Page 332 The RADIUS client accepts or denies the user depending on the received authentication result. If it accepts the user, the RADIUS client sends a start-accounting request (Accounting-Request, with the Status-Type attribute value = start) to the RADIUS server. The RADIUS server returns a start-accounting response (Accounting-Response). The user starts to access network resources.
  • Page 333 Code / Message type / Message description: Accounting-Request. Direction: client->server. The client transmits this message to the server to request the server to start or end the accounting (whether to start or to end the accounting is determined by the Acct-Status-Type attribute in the message). This message carries almost the same attributes as those carried in the Access-Request message.
  • Page 334 Type field value / Attribute type (two columns, continued): Framed-Routing, Filter-ID, Framed-MTU, Framed-Compression, Login-IP-Host, Login-Service, Login-TCP-Port, (unassigned), Reply-Message, Callback-Number, Callback-ID, (unassigned), Framed-Route; NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, 40-59 (reserved for accounting), CHAP-Challenge, NAS-Port-Type, Port-Limit, Login-LAT-Port. The RADIUS protocol has good scalability. Attribute 26 (Vendor-Specific) defined in this protocol allows a device vendor to extend RADIUS to implement functions that are not defined in standard RADIUS.
  • Page 335: Aaa Configuration

    AAA Configuration. AAA Configuration Task List: You need to configure AAA to provide network access services for legitimate users while protecting network devices and preventing unauthorized access and repudiation behavior. Complete the following tasks to configure AAA (configuring a combined AAA scheme for an ISP domain): Task / Remarks...
  • Page 336 Task / Remarks: Creating an ISP Domain and Configuring Its Attributes (Required). Configuring an AAA Scheme for an ISP Domain: configuring separate AAA schemes (Required; with separate AAA schemes, you can specify authentication, authorization and accounting schemes respectively). You need to configure RADIUS or HWATACACS before performing RADIUS authentication.
  • Page 337 Note that: On a Switch 4500, each access user belongs to an ISP domain. You can configure up to 16 ISP domains on the switch. When a user logs in, if no ISP domain name is carried in the username, the switch assumes that the user belongs to the default ISP domain.
  • Page 338 To do… Use the command… Remarks Required Configure an AAA scheme for scheme { local | none | radius-scheme By default, an ISP the ISP domain radius-scheme-name [ local ] } domain uses the local AAA scheme. You can execute the scheme radius-scheme radius-scheme-name command to adopt an already configured RADIUS scheme to implement all the three AAA functions.
  • Page 339: Configuring Dynamic Vlan Assignment

    To do… / Use the command… / Remarks: Configure an authentication scheme for the ISP domain: authentication { radius-scheme radius-scheme-name [ local ] | local | none } (Optional; by default, no separate authentication scheme is configured). Configure an authorization scheme for the ISP domain: authorization { none } (Optional; by default, no separate authorization scheme is...)
  • Page 340: Configuring The Attributes Of A Local User

    Currently, the switch supports the following two types of assigned VLAN IDs: integer and string. Integer: If the RADIUS authentication server assigns integer type of VLAN IDs, you can set the VLAN assignment mode to integer on the switch (this is also the default mode on the switch). Then, upon receiving an integer ID assigned by the RADIUS authentication server, the switch adds the port to the VLAN whose VLAN ID is equal to the assigned integer ID.
  • Page 341 The local users are users set on the switch, with each user uniquely identified by a username. To make a user who is requesting network service pass local authentication, you should add an entry in the local user database on the switch for the user. Follow these steps to configure the attributes of a local user: To do…...
  • Page 342: Cutting Down User Connections Forcibly

    RADIUS Configuration Task List 3Com’s Ethernet switches can function not only as RADIUS clients but also as local RADIUS servers. Complete the following tasks to configure RADIUS (the switch functions as a RADIUS client):...
  • Page 343 Task / Remarks: Creating a RADIUS Scheme (Required); Configuring RADIUS Authentication/Authorization Servers (Required); Configuring RADIUS Accounting Servers (Required); Configuring Shared Keys for RADIUS Messages (Optional); Configuring the Maximum Number of RADIUS Request Transmission Attempts (Optional); Configuring the RADIUS client: Configuring the Type of RADIUS Servers to be Supported (Optional); Configuring the Status of RADIUS Servers...
  • Page 344: Creating A Radius Scheme

    creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme. These RADIUS servers fall into two types: authentication/authorization, and accounting. And for each type of server, you can configure two servers in a RADIUS scheme: primary server and secondary server.
  • Page 345: Configuring Radius Accounting Servers

    To do… / Use the command… / Remarks: Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name (Required; by default, a RADIUS scheme named "system" has already been created in the system). Set the IP address and port number of the primary RADIUS authentication... (Required; by default, the IP address and UDP port number of the primary authentication...)