HP  830 Series Configuration Manual

HP 830 Series PoE+ Unified Wired-WLAN
Switch Switching Engine
Web-Based Configuration Guide
Part number: 5998-3947
Software version: 3308P26
Document version: 6W101-20130628

Summary of Contents for HP HP 830 Series

  • Page 2 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an...
  • Page 3: Table Of Contents

    Contents: Web overview (p. 1); Web interface (p. 1); Web user level (p. 2); Web-based NM functions (p. 2); Common items on the Web pages (p. 10); Logging in to the Web interface (p. 15) ...
  • Page 4 Managing logs (p. 39); Displaying syslogs (p. 39); Setting the log host (p. 41); Setting buffer capacity and refresh interval (p. 42); Managing the configuration (p. 43); Backing up the configuration (p. 43); Restoring the configuration (p. 43) ...
  • Page 5 RMON groups (p. 79); Recommended configuration procedure (p. 81); Configuring the RMON statistics function (p. 81); Configuring the RMON alarm function (p. 81); Displaying RMON running status (p. 82); Configuring a statistics entry (p. 83); Configuring a history entry ...
  • Page 6 Modifying a VLAN interface (p. 135); Configuring a voice VLAN (p. 137); Overview (p. 137); OUI addresses (p. 137); Voice VLAN assignment modes (p. 137); Security mode and normal mode of voice VLANs (p. 139) ...
  • Page 7 Configuring link aggregation and LACP (p. 180); Overview (p. 180); Basic concepts (p. 180); Link aggregation modes (p. 181); Load sharing mode of an aggregation group (p. 183); Configuration guidelines (p. 183); Recommended link aggregation and LACP configuration procedures (p. 184) ...
  • Page 8 How IGMP snooping works (p. 238); Protocols and standards (p. 239); Recommended configuration procedure (p. 239); Enabling IGMP snooping globally (p. 240); Configuring IGMP snooping in a VLAN (p. 240); Configuring IGMP snooping port functions (p. 242) ...
  • Page 9 Traceroute (p. 289); Ping operation (p. 289); Traceroute operation (p. 291); Configuring MAC authentication (p. 293); Overview (p. 293); User account policies (p. 293); Authentication procedures (p. 293); MAC authentication timers (p. 294) ...
  • Page 10 Portal authentication modes (p. 353); Portal support for EAP (p. 353); Layer 2 portal authentication process (p. 354); Layer 3 portal authentication process (p. 355); Configuring portal authentication (p. 357); Configuration prerequisites (p. 357); Configuration task list ...
  • Page 11 Configuration procedure for automatic requests (p. 426); Creating a PKI entity (p. 427); Creating a PKI domain (p. 428); Generating an RSA key pair (p. 431); Destroying the RSA key pair (p. 432); Retrieving and displaying a certificate (p. 432) ...
  • Page 12 Displaying information about PSE and PoE ports (p. 509); PoE configuration example (p. 509); Support and other resources (p. 512); Contacting HP (p. 512); Subscription service (p. 512); Related information (p. 512); Documents (p. 512) ...
  • Page 13: Web Overview

    Web overview This chapter describes the Web interface, functions available on the Web interface, Web user levels you must have to perform a function, and common icons and buttons on the Web pages. Web interface CAUTION: The Web network management functions not supported by the device are not displayed in the navigation tree.
  • Page 14: Web User Level

    Web user level Web user levels, from low to high, are visitor, monitor, configure, and management. A user with a higher level has all the operating rights of a user with a lower level. Visitor—Users can use the network diagnostic tools ping and Trace Route, but they can neither •...
  • Page 15 Function menu, description, and user level: Restore: Upload the configuration file to be used at the next startup from the host of the current user to the device (user level: Management). Save: Save the current configuration to the configuration file to be used at the next startup (user level: Configure).
  • Page 16 Function menu, description, and user level: Storm Constrain > Storm Constrain: Display and set the interval for collecting storm constrain statistics; display, create, modify, and remove the port traffic threshold (user level: Configure). RMON > Statistics: Display, create, modify, and clear RMON statistics (user level: Configure). RMON > History: Display, create, modify, and clear RMON history sampling information (user level: Configure).
  • Page 17 Function menu, description, and user level: Modify VLAN: Modify the description and member ports of a VLAN (user level: Configure). Modify Port: Change the VLAN to which a port belongs, and the connection type and PVID of the port (user level: Configure). Remove: Remove VLANs (user level: Configure). Summary: Display information about VLAN interfaces (user level: Monitor) ...
  • Page 18 Function menu, description, and user level: LLDP > Port Setup: Display the LLDP configuration information, local information, neighbor information, statistics information, and status information of a port (user level: Monitor); modify LLDP configuration on a port (user level: Configure). LLDP > Global Setup: Display global LLDP configuration information (user level: Monitor); configure global LLDP parameters.
  • Page 19 Function menu, description, and user level: IPv6 Routing > Summary: Display the IPv6 active route table (user level: Monitor). IPv6 Routing > Create: Create an IPv6 static route (user level: Configure). IPv6 Routing > Remove: Delete the selected IPv6 static routes (user level: Configure). IPv6 Management > IPv6 Service: Enable or disable IPv6 packet forwarding (user level: Configure). Display the DHCP service status, the DHCP ...
  • Page 20 Function menu, description, and user level: Port Security > Port Security: Display port security configuration information (user level: Monitor); configure port security (user level: Configure). Portal > Portal Server: Display configuration information about the portal server and advanced parameters for portal authentication (user level: Monitor); add and delete a portal server, and modify advanced parameters for portal ... (user level: Configure). Portal ...
  • Page 21 Function menu, description, and user level: Certificate: Display the certificate information of PKI domains and the contents of a certificate (user level: Monitor); generate a key pair, destroy a key pair, retrieve a certificate, request a certificate, and delete a certificate (user level: Configure). Display the contents of the CRL (user level: Monitor). Receive the CRL of a domain.
  • Page 22: Common Items On The Web Pages

    Function menu, description, and user level: Add a class (user level: Configure). Setup: Configure the classification rules for a class (user level: Configure). Remove: Delete a class or its classification rules (user level: Configure). Behavior > Summary: Display traffic behavior configuration information (user level: Monitor). Behavior > Setup: Add a traffic behavior (user level: Configure); configure actions for a traffic behavior.
  • Page 23 Button and icon Function Refreshes the current page. Clears all entries in a list or all statistics. Adds an item. Removes the selected items. Selects all the entries in a list, or selects all ports on the device panel. Clears all the entries in a list, or clears all ports on the device panel. Buffers settings you made and proceeds to the next step without applying the settings.
  • Page 24 Figure 2 Content display by pages Search function On some list pages, the Web interface provides basic and advanced search functions. You can use the search function to display those entries matching certain search criteria. Basic search function—As shown in Figure 2, input the keyword in the text box above the list, select •...
  • Page 25 Figure 4 Advanced search Take the ARP table shown in Figure 2 as an example. If you want to search for the ARP entries whose interface is GigabitEthernet1/0/1 and whose IP address is in the range 192.168.11.0 to 192.168.11.100, follow these steps: Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 5, and click Apply.
  • Page 26 Figure 6 Advanced search function example (2) Figure 7 Advanced search function example (3) Sorting function On some list pages, the Web interface provides the sorting function to display the entries in certain orders. On a list page, you can click the blue heading item of each column to sort the entries based on the heading item you selected.
  • Page 27: Logging In To The Web Interface

    Logging in to the Web interface You can log in to the Web interface of the switching engine through HTTP or from the controller engine of the switch. Figure 9 Web-based network management environment Restrictions and guidelines To ensure a successful login, verify that your operating system and Web browser meet the requirements, and follow the guidelines in this section.
  • Page 28 Enabling security settings in a Microsoft Internet Explorer browser Launch Internet Explorer, and select Tools > Internet Options from the main menu. Select the Security tab, and select the content zone where the target Website resides, as shown in Figure 10. Figure 10 Internet Explorer settings (I) Click Custom Level.
  • Page 29 Figure 11 Internet Explorer settings (II) Click OK to save your settings. Enabling JavaScript in a Firefox browser Launch the Firefox browser, and select Tools > Options. In the Options dialog box, click the Content icon, and select Enable JavaScript.
  • Page 30: Others

    Figure 12 Firefox browser settings Click OK to save your settings. Others • Make sure the management PC and the device can reach each other. • Do not use the Back, Next, Refresh buttons provided by the browser. Using these buttons might ...
  • Page 31: Logging In From The Controller Engine

    Table 3 Default Web login settings (Item: Controller engine / Switching engine): Username: admin / admin. Password: admin / admin. Default IP address: 192.168.0.100/24 / 192.168.0.101/24. To log in to the switching engine through HTTP: Connect the GigabitEthernet interface of the device to a PC by using a crossover Ethernet cable. By default, all interfaces belong to VLAN 1.
  • Page 32: Logging Out Of The Web Interface

    You cannot log out by directly closing the browser. Save the current configuration. Because the system does not save the current configuration automatically, HP recommends that you perform this step to avoid loss of configuration. Click Logout in the upper-right corner of the Web interface.
  • Page 33: Configuration Wizard

    Configuration wizard The configuration wizard guides you through configuring the basic service parameters, including the system name, system location, contact information, and management IP address. Basic service setup Entering the configuration wizard homepage Select Wizard from the navigation tree. Figure 15 Configuration wizard homepage Configuring system parameters On the wizard homepage, click Next.
  • Page 34: Configuring Management Ip Address

    Figure 16 System parameter configuration page Configure the parameters as described in Table 4. Table 4 Configuration items Sysname: Specify the system name. The system name appears at the top of the navigation tree. You can also set the system name in the System Name page you enter by selecting Device > ...
  • Page 35 On the system parameter configuration page, click Next. Figure 17 Management IP address configuration page Configure the parameters as described in Table 5. Table 5 Configuration items Select a VLAN interface. Available VLAN interfaces are those configured in the page that you enter by selecting Network > ...
  • Page 36: Finishing Configuration Wizard

    Item: DHCP / BOOTP. Description: Configure how the VLAN interface obtains an IPv4 address: • DHCP—Select this option to obtain an IPv4 address for the VLAN interface through DHCP. • BOOTP—Select this option to obtain an IPv4 address for the VLAN interface through BOOTP.
  • Page 37 Figure 18 Configuration complete...
  • Page 38: Accessing The Controller Engine From The Switching Engine

    CLI. From the perspective of SNMP, they are different entities. To access each other's Web interfaces, they must have each other's IP address. To enable automatic toggling between their Web interfaces, HP already specified the default management IP address of the switching engine on the controller engine, and specified the default IP address of the controller engine on the switching engine.
  • Page 39: Accessing The Controller Engine From The Switching Engine's Web Interface

    Accessing the controller engine from the switching engine's Web interface IMPORTANT: Toggle between the Web interfaces of the switching engine and the controller engine only if necessary. Frequent toggling can cause TCP connections to exceed the upper limit. If the connections exceed the upper limit, wait for several minutes (the Web idle timeout), and then log in to the Web interface again.
  • Page 40: Displaying Information Summary

    Displaying information summary Displaying system information Select Summary from the navigation tree to enter the System Information page to view the basic system information, system resource state, and recent system logs. You can also select the interval for refreshing the system information in the Refresh Period list. •...
  • Page 41: System Resource State

    Field descriptions: Device Location: Device location, which you can configure on the page you enter by selecting Device > SNMP > Setup. Contact Information: Contact information, which you can configure on the page you enter by selecting Device > SNMP > Setup. SerialNum: Serial number of the device.
  • Page 42 • If you select Manual, the system refreshes the information only when you click the Refresh button. Figure 22 Device information ...
  • Page 43: Configuring Basic Device Settings

    Configuring basic device settings The device basic information feature allows you to: • Set the system name of the device. The configured system name is displayed at the top of the navigation bar. • Set the idle timeout period for logged-in users. The system logs an idle user off the Web for security ...
  • Page 44: Maintaining Devices

    Maintaining devices Rebooting the device CAUTION: Before rebooting the device, save the configuration. Otherwise, all unsaved configuration will be lost after device reboot. To reboot a device: Select Device > Device Maintenance from the navigation tree. Click the Reboot tab. The device reboot configuration page appears.
  • Page 45: Displaying The Electronic Label Information

    Displaying the electronic label information Electronic label allows you to view information about the device electronic label, which is also known as the permanent configuration data or archive information. The information is written into the storage medium of a device or a card during the debugging and testing processes, and includes card name, product bar code, MAC address, debugging and testing dates, and manufacture name.
  • Page 46 Figure 28 The diagnostic information file is created NOTE: • During the generation of the diagnostic file, do not perform any operation on the Web interface. • To view this file after the diagnostic file is generated successfully, select Device > File Management, or download this file to the local host.
  • Page 47: Configuring The System Time

    Configuring the system time Configure a correct system time so that the device can work with other devices correctly. System time allows you to display and set the device system time on the Web interface. You can set the system time using manual configuration or automatic synchronization of NTP server time. Changing the system clock on each device within a network is time-consuming and does not guarantee clock precision.
  • Page 48: Configuring Network Time

    Figure 30 Calendar page Either enter the system date and time in the field, or select the date and time in the calendar, where you can do one of the following: Click Today to set the current date on the calendar to the current system date of the local host. The time is not changed.
  • Page 49: System Time Configuration Example

    Table 9 Configuration items Clock status: Display the synchronization status of the system clock. Source Interface: Set the source interface for an NTP message. If you do not want the IP address of a specific interface on the local device to become the destination address of response messages, specify the source interface for NTP messages so that the source IP address in the NTP ...
  • Page 50: Configuration Procedure

    Configuration procedure On Device A, configure the local clock as the reference clock, with a stratum of 2. Enable NTP authentication, set the key ID to 24, and specify that the created authentication key aNiceKey is a trusted key. (Details not shown.) On Switch B, configure Device A as the NTP server: Select Device > ...
  • Page 51: Managing Logs

    Managing logs System logs contain a large amount of network and device information, including running status and configuration changes. System logs allow administrators to access network and device status. With system logs, administrators can take corresponding actions against network and security problems. The system sends system logs to the following destinations: Console.
  • Page 52 Figure 34 Displaying syslogs Table 10 Field description Field Description Time/Date Time/date when the system log was generated. Source Module that generated the system log.
  • Page 53: Setting The Log Host

    Level: Severity level of the system log. The information is classified into eight levels depending on severity: • Emergency—The system is unusable. • Alert—Action must be taken immediately. • Critical—Critical condition. • Error—Error condition. • Warning—Warning condition. • Notification—Normal but significant condition.
  • Page 54: Setting Buffer Capacity And Refresh Interval

    Click Apply. Table 11 Configuration items IPv4: Set the IPv4 address of the log host. IPv6: Set the IPv6 address of the log host. Loghost IP: Enter the IP address of the log host. IMPORTANT: You can specify a maximum of four log hosts. Setting buffer capacity and refresh interval Select Device > ...
  • Page 55: Managing The Configuration

    Managing the configuration Administrators can back up, restore, save, or initialize the device configuration. Backing up the configuration Configuration backup provides the following functions: • Open and view the configuration file for the next startup. • Back up the configuration file for the next startup to the host of the administrator. To back up the configuration: Select Device > ...
  • Page 56: Saving The Configuration

    This module allows administrators to save the running configuration to the configuration file to be used at the next startup. IMPORTANT: • HP recommends that you do not perform any operation on the Web interface while the configuration is being saved.
  • Page 57: Initializing The Configuration

    Initializing the configuration This operation restores the device's factory defaults, deletes the current configuration file, and reboots the device. To initialize the configuration: Select Device > Configuration from the navigation tree. Click the Initialize tab. The initialization confirmation page appears. Click Restore Factory-Default Settings to restore the factory defaults.
  • Page 58: Managing Files

    Managing files The file management function allows you to manage the files on the storage media. Displaying files Select Device > File Management from the navigation tree. The page shown in Figure 42 appears. Figure 42 File management page Select a medium from the Please select disk list. Two categories of information are displayed: Medium Information, including the used space, free space, and the capacity of the medium.
  • Page 59: Uploading A File

    Open the file or save the file to a specified path. Uploading a file IMPORTANT: HP recommends that you do not perform any operation on the Web interface during the upgrade procedure. To upload a file: Select Device > File Management from the navigation tree.
  • Page 60: Managing Ports

    Managing ports You can use the port management feature to set and view the operation parameters of a Layer 2 Ethernet port and an aggregate interface. • For a Layer 2 Ethernet port, these operation parameters include its state, rate, duplex mode, link type, PVID, MDI mode, flow control settings, power saving mode, MAC learning limit, and storm suppression ratios.
  • Page 61 Figure 43 Setup page Set the operation parameters for the port as described in Table 13. Click Apply. Table 13 Configuration items Port State: Enable or disable the port. In some cases, modification to the interface parameters does not take effect immediately. You need to shut down and then bring up the interface to make the modification take effect.
  • Page 62 Speed: Set the transmission rate of the port: • 10—10 Mbps. • 100—100 Mbps. • 1000—1000 Mbps. • Auto—Autonegotiation. • Auto 10—Autonegotiated to 10 Mbps. • Auto 100—Autonegotiated to 100 Mbps. • Auto 1000—Autonegotiated to 1000 Mbps. • Auto 10 100—Autonegotiated to 10 or 100 Mbps.
  • Page 63 Item Description Set the Medium Dependent Interface (MDI) mode for the interface. Two types of Ethernet cables can be used to connect Ethernet devices: crossover and straight-through. To accommodate these two types of cables, an Ethernet interface on the device can operate in one of the following MDI modes: •...
  • Page 64 Item Description Set broadcast suppression on the port. You can suppress broadcast traffic by percentage or by PPS: • ratio—Sets the maximum percentage of broadcast traffic to the total bandwidth of an Ethernet port. When you select this option, you must enter a percentage in the box below this option.
  • Page 65: Displaying Port Operation Parameters

    Selected Ports: Interface or interfaces that you have selected from the chassis front panel and the aggregate interface list below, for which you have set operation parameters. IMPORTANT: You can set only the state and MAC learning limit for an aggregate interface. Displaying port operation parameters Displaying a specified operation parameter for all ports Select Device > ...
  • Page 66: Port Management Configuration Example

    Click the Detail tab. Select a port whose operation parameters you want to view in the chassis front panel. The operation parameter settings of the selected port are displayed on the lower part of the page. Whether the parameter takes effect is displayed in the square brackets. Figure 45 Detail page Port management configuration example Network requirements...
  • Page 67: Configuration Procedure

    Figure 46 Network diagram Configuration procedure Set the rate of GigabitEthernet 1/0/4 to 1000 Mbps: Select Device > Port Management from the navigation tree. Click the Setup tab. Select 1000 from the Speed list. Select 4 on the chassis front panel. 4 represents port GigabitEthernet 1/0/4. Click Apply.
  • Page 68 Figure 47 Configuring the rate of GigabitEthernet 1/0/4 Batch configure the autonegotiation rate range on GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 as 100 Mbps: On the Setup page, select Auto 100 from the Speed list. Select 1, 2, and 3 on the chassis front panel. 1, 2, and 3 represent ports GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3.
  • Page 69 Figure 48 Batch configuring port rate Display the rate settings of ports: Click the Summary tab. Select Speed to display the rate information of all ports on the lower part of the page, as shown Figure...
  • Page 70 Figure 49 Displaying the rate settings of ports...
  • Page 71: Configuring Port Mirroring

    According to the locations of the mirroring source and the mirroring destination, port mirroring includes local port mirroring and remote port mirroring. The switching engine of the HP 830 24-port PoE+ unified wired-WLAN switch supports only local port mirroring. In local port mirroring, the mirroring source and the mirroring destination are on the same device. A mirroring group that contains the mirroring source and the mirroring destination on the device is called a local mirroring group.
  • Page 72: Configuration Guidelines

    Figure 50 Local port mirroring implementation Configuration guidelines When you configure port mirroring, follow these guidelines: • Layer 2 Ethernet ports can be configured as either mirroring ports or monitor ports. • You can configure multiple source ports, but only one monitor port for a local mirroring group. • To ensure normal operation of mirroring, do not enable the spanning tree feature on the monitor...
  • Page 73: Creating A Mirroring Group

    Creating a mirroring group Select Device > Port Mirroring from the navigation tree. Click the Create tab. The page for creating a mirroring group appears. Figure 51 Creating a mirroring group Create the mirroring group as described in Table Click Apply. Table 14 Configuration items Item Description...
  • Page 74 Figure 52 Configuring ports for a mirroring group Configure ports for the mirroring group as described in Table Click Apply. A progress dialog box appears. After the success notification appears, click Close. Table 15 Configuration items Item Description Mirroring Group ID ID of the local mirroring group to be configured.
  • Page 75: Local Port Mirroring Configuration Example

    Local port mirroring configuration example Network requirements As shown in Figure 53, configure local port mirroring on Switch C to monitor the packets received and sent by Department 1 and Department 2. To meet the network requirements, perform the following configuration on Switch C: Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as mirroring ports.
  • Page 76: Configuring The Mirroring Ports

    Figure 54 Creating a local mirroring group Configuring the mirroring ports Click the Modify Port tab. Select 1 – Local from the Mirroring Group ID list, select Mirror Port from the Port Type list, select both from the Stream Orientation list, select 1 (GigabitEthernet 1/0/1) and 2 (GigabitEthernet 1/0/2) on the chassis front panel, and click Apply.
  • Page 77: Configuring The Monitor Port

    Figure 55 Configuring the mirroring ports Configuring the monitor port Click the Modify Port tab. Select 1 – Local from the Mirroring Group ID list, select Monitor Port from the Port Type list, select 3 (GigabitEthernet 1/0/3) on the chassis front panel, and click Apply. A configuration progress dialog box appears.
  • Page 78 Figure 56 Configuring the monitor port...
  • Page 79: Managing Users

    Managing users The device provides the following user management functions: • Creating a local user, and specifying the password, access level, and service types for the user. • Setting the super password for non-management level users to switch to the management level. •...
  • Page 80: Setting The Super Password

    Item Description Select an access level for the user. The following Web user levels, from low to high, are available: • Visitor—Users of this level can perform the ping and traceroute operations, but they cannot access the device data or configure the device. •...
  • Page 81: Switching To The Management Level

    Figure 58 Setting the super password Configure a super password as described in Table Click Apply. Table 17 Configuration items Item Description Create/Remove: Select the operation type: • Create—Configure or change the super password. • Remove—Remove the current super password. Password: Set the password for non-management level users to switch to the management level.
  • Page 82 Figure 59 Switching to the management level...
  • Page 83: Configuring A Loopback Test

    Configuring a loopback test You can examine whether an Ethernet port operates properly by performing the Ethernet port loopback test, during which the port cannot forward data packets normally. An Ethernet port loopback test can be one of the following types: • Internal loopback test—A self loop is established in the switching chip to check whether there is a...
  • Page 84 Figure 61 Loopback test result When you configure a loopback test, follow these guidelines: You can perform an internal loopback test but not an external loopback test on a port that is • physically down. You can perform neither test on a port that is manually shut down. The system does not allow Rate, Duplex, Cable Type, and Port Status configuration on a port under •...
  • Page 85: Configuring Vct

    Configuring VCT You can use the Virtual Cable Test (VCT) function to check the status of the cable connected to an Ethernet port on the device. The result is returned in less than 5 seconds. The test covers whether a short circuit or an open circuit occurs on the cable, and the length of the faulty cable.
  • Page 86: Configuring The Flow Interval

    Configuring the flow interval With the flow interval module, you can view the number of packets and bytes sent and received by a port over the specified interval. Setting the traffic statistics generating interval Select Device > Flow Interval from the navigation tree. Click the Interval Configuration tab.
  • Page 87 Figure 64 Displaying port traffic statistics...
  • Page 88: Configuring Storm Constrain

    Configuring storm constrain The storm constrain function limits the traffic of a port to a predefined upper threshold to suppress packet storms on an Ethernet network. With this function enabled on a port, the system periodically detects the amount of broadcast traffic, multicast traffic, and unknown unicast traffic reaching the port. When a type of traffic exceeds the threshold for it, the function, as configured, blocks or shuts down the port.
  • Page 89: Configuring Storm Constrain

    Figure 65 Storm constrain configuration page Configuring storm constrain Select Device > Storm Constrain from the navigation tree. The page shown in Figure 65 appears. In the Port Storm Constrain area, click Add. The page for adding port storm constrain configuration appears. Figure 66 Adding storm constrain settings for ports...
  • Page 90 Set the storm constrain function as described in Table Click Apply. Table 19 Configuration items Item Remarks Specify the action to be performed when a type of traffic exceeds the upper threshold. Available options include: • None—Performs no action. • Block—Blocks the traffic of this type on a port when the type of traffic exceeds the upper threshold.
  • Page 91: Configuring Rmon

    RMON groups Among the RMON groups defined in RFC 2819, HP implements the statistics group, history group, event group, and alarm group supported by the public MIB. HP also implements a private alarm group, which enhances the standard alarm group. Ethernet statistics group...
  • Page 92: Alarm Group

    History group The history group defines that the system periodically collects traffic statistics on interfaces and saves the statistics in the history record table (ethernetHistoryTable). The statistics include bandwidth utilization, number of error packets, and total number of packets. The history statistics table records the traffic statistics collected for each sampling interval. The sampling interval is user-configurable.
  • Page 93: Recommended Configuration Procedure

    Recommended configuration procedure Configuring the RMON statistics function The RMON statistics function can be implemented by either the Ethernet statistics group or the history group, but the objects of the statistics are different, as follows: • A statistics object of the Ethernet statistics group is a variable defined in the Ethernet statistics table,...
  • Page 94: Displaying Rmon Running Status

    Table 22 Configuring the RMON alarm function Step Remarks Required. You can create up to 100 statistics entries in a statistics table. Because the alarm variables that can be configured through the Web interface are MIB variables that are defined in the history group or the statistics group, configure the RMON Ethernet statistics function or the RMON history statistics function on the monitored Ethernet interface.
  • Page 95: Configuring A Statistics Entry

    Task Remarks Displaying RMON history sampling information: After you create a history control entry on an interface, the system calculates the information of the interface periodically and saves the information to the etherHistoryEntry table. You can perform this task to view the entries in this table.
  • Page 96: Configuring A History Entry

    Table 24 Configuration items Item Description Interface Name: Select the name of the interface on which the statistics entry is created. Only one statistics entry can be created on one interface. Owner: Set the owner of the statistics entry. Configuring a history entry Select Device >...
  • Page 97: Configuring An Event Entry

    Table 25 Configuration items Item Description Interface Name: Select the name of the interface on which the history entry is created. Buckets Granted: Set the capacity of the history record list corresponding to this history entry (the maximum number of records that can be saved in the history record list). If the current number of entries in the table has reached the maximum number, the system deletes the earliest entry to save the latest one.
  • Page 98: Configuring An Alarm Entry

    Click Apply. Table 26 Configuration items Item Description Description: Set the description for the event. Owner: Set the entry owner. Event Type: Set the actions that the system takes when the event is triggered: • Log—The system logs the event. •...
  • Page 99 Figure 75 Adding an alarm entry Configure an alarm entry as described in Table Click Apply. Table 27 Configuration items Item Description Alarm variable: Static Item: Set the traffic statistics that are collected and monitored. For more information, see Table Interface Name: Set the name of the interface whose traffic statistics are collected and monitored.
  • Page 100: Displaying Rmon Statistics

    Item Description Create Default Event: Select whether to create a default event. The description of the default event is default event, the action is log-and-trap, and the owner is default owner. If there is no event, you can create the default event. When the value of the alarm variable is higher than the alarm rising threshold or lower than the alarm falling threshold, the system adopts the default action, that is, log-and-trap.
  • Page 101 Figure 76 RMON statistics Table 28 Field description Field Description Number of Received Bytes: Total number of octets received by the interface, corresponding to the MIB node etherStatsOctets. Number of Received Packets: Total number of packets received by the interface, corresponding to the MIB node etherStatsPkts.
  • Page 102: Displaying Rmon History Sampling Information

    Field Description Number of Received Packets Larger Than 1518 Bytes And FCS Check Failed: Number of oversize packets (longer than 1518 octets) with CRC errors received by the interface, corresponding to the MIB node etherStatsJabbers. Number of Network Conflicts: Total number of collisions received on the interface, corresponding to the MIB node etherStatsCollisions.
  • Page 103: Displaying Rmon Event Logs

    Table 29 Field description Field Description Number of the entry in the system buffer. Statistics are numbered chronologically when they are saved to the system buffer. Time: Time at which the information is saved. DropEvents: Dropped packets during the sampling period, corresponding to the MIB node etherHistoryDropEvents.
  • Page 104: Rmon Configuration Example

    Figure 78 Log RMON configuration example Network requirements As shown in Figure 79, create an entry in the RMON Ethernet statistics table to gather statistics on GigabitEthernet 1/0/1, and perform corresponding configurations so that the system logs the event when the number of bytes received on the interface exceeds the configured threshold within a specific period.
  • Page 105 Figure 80 Adding a statistics entry Display RMON statistics for GigabitEthernet 1/0/1: Click the icon corresponding to GigabitEthernet 1/0/1. View the information shown in Figure Figure 81 Displaying RMON statistics Create an event to start logging after the event is triggered: Click the Event tab.
  • Page 106 Click Add. The page in Figure 82 appears. Enter 1-rmon in the Owner field and select the box before Log. Click Apply. The page displays the event entry, and you can see that the entry index of the new event is 1, as shown in Figure Figure 82 Configuring an event group...
  • Page 107: Verifying The Configuration

    Figure 84 Configuring an alarm group Verifying the configuration After the above configuration, when the alarm event is triggered, you can view the log information about event 1 on the Web interface. Select Device > RMON from the navigation tree. Click the Log tab.
  • Page 108: Configuring Energy Saving

    Configuring energy saving Energy saving enables a port to work at the lowest transmission speed, disable PoE, or go down during a specific time range on certain days of a week. The port resumes when the effective time period ends. To configure energy saving on a port: Select Device >...
  • Page 109 Item Description Lowest Speed: Set the port to transmit data at the lowest speed. If you configure the lowest speed limit on a port that does not support 10 Mbps, the configuration cannot take effect. Shutdown: Shut down the port. An energy saving policy can have all three energy saving schemes configured, of which the shutdown scheme takes the highest priority.
  • Page 110: Configuring Snmp

    Configuring SNMP This chapter provides an overview of the Simple Network Management Protocol (SNMP) and guides you through the configuration procedure. Overview SNMP is an Internet standard protocol widely used for a management station to access and operate the devices on a network, regardless of their vendors, physical characteristics and interconnect technologies. SNMP enables network administrators to read and set the variables on managed devices for state monitoring, troubleshooting, statistics collection, and other management purposes.
  • Page 111: Snmp Protocol Versions

    NMS. The difference between these two types of notification is that informs require acknowledgement but traps do not. The device supports only traps. SNMP protocol versions HP devices support SNMPv1, SNMPv2c, and SNMPv3. An NMS and an SNMP agent must use the same SNMP version to communicate with each other. •...
  • Page 112: Enabling Snmp Agent

    Table 32 Configuring SNMPv3 Step Remarks Enabling SNMP agent: Required. The SNMP agent function is disabled by default. IMPORTANT: If SNMP agent is disabled, all SNMP agent-related configurations are removed. Configuring an SNMP view: Optional. After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.
  • Page 113 Figure 89 Setup page Configure SNMP settings on the upper part of the page as described in Table Click Apply. Table 33 Configuration items Item Description SNMP: Specify whether to enable or disable SNMP agent. Local Engine ID: Configure the local engine ID. The validity of a user after it is created depends on the engine ID of the SNMP agent.
  • Page 114: Configuring An Snmp View

    Item Description SNMP Version Set the SNMP version run by the system. Configuring an SNMP view Creating an SNMP view Select Device > SNMP from the navigation tree. Click the View tab. The View page appears. Figure 90 View page Click Add.
  • Page 115: Adding Rules To An Snmp View

    Figure 92 Creating an SNMP view (2) Configure the parameters as described in Table Click Add to add the rule into the list at the lower part of the page. Repeat steps 6 and 7 to add more rules for the SNMP view. Click Apply.
  • Page 116: Configuring An Snmp Community

    Figure 93 Adding rules to an SNMP view Configure the parameters as described in Table Click Apply. NOTE: You can also click the icon corresponding to the specified view on the page shown in Figure 90, and then you can enter the page to modify the view. Configuring an SNMP community Select Device >...
  • Page 117: Configuring An Snmp Group

    Figure 95 Creating an SNMP community Configure the SNMP community as described in Table Click Apply. Table 35 Configuration items Item Description Community Name: Set the SNMP community name. Access Right: Configure the access rights: • Read only—The NMS can perform read-only operations on the MIB objects when it uses this community name to access the agent.
  • Page 118: Configuring An Snmp User

    The page for creating an SNMP group appears. Figure 97 Creating an SNMP group Configure SNMP group as described in Table Click Apply. Table 36 Configuration items Item Description Group Name Set the SNMP group name. Select the security level for the SNMP group: •...
  • Page 119 Figure 98 SNMP user Click Add. The page for creating an SNMP user appears. Figure 99 Creating an SNMP user Configure the SNMP user as described in Table Click Apply. Table 37 Configuration items Item Description User Name Set the SNMP user name. Select the security level for the SNMP group: •...
  • Page 120: Configuring Snmp Trap Function

    Item Description Group Name: Select an SNMP group to which the user belongs: • When the security level is NoAuth/NoPriv, you can select an SNMP group with no authentication no privacy. • When the security level is Auth/NoPriv, you can select an SNMP group with no authentication no privacy or authentication without privacy.
  • Page 121: Displaying Snmp Packet Statistics

    Click Add. The page for adding a target host of SNMP traps appears. Figure 101 Adding a target host of SNMP traps Configure the settings for the target host as described in Table Click Apply. Table 38 Configuration items Item Description Set the destination IP address.
  • Page 122: Snmpv1/V2C Configuration Example

    Figure 102 Displaying SNMP packet statistics SNMPv1/v2c configuration example Network requirements As shown in Figure 103, the NMS at 1.1.1.2/24 uses SNMPv1 or SNMPv2c to manage the switch (agent) at 1.1.1.1/24, and the switch automatically sends traps to report events to the NMS. Figure 103 Network diagram Configuring the agent Enable SNMP:...
  • Page 123 Figure 104 Configuring the SNMP agent Select the Enable option and select the v1 and v2 options. Click Apply. Configure a read-only community: Click the Community tab. Click Add. The page for adding an SNMP community appears. Figure 105 Configuring an SNMP read-only community Enter public in the Community Name field and select Read only from the Access Right list.
  • Page 124 Figure 106 Configuring an SNMP read and write community Enter private in the Community Name field and select Read and write from the Access Right list. Click Apply. Enable SNMP traps: Click the Trap tab. The Trap page appears. Figure 107 Enabling SNMP traps Select Enable SNMP Trap.
  • Page 125: Snmpv3 Configuration Example

    Figure 108 Adding a trap target host Select the IPv4 option, enter 1.1.1.2 in the subsequent field, enter public in the Security Name field, and select v1 from the Security Model list. Click Apply. Configuring the NMS CAUTION: The configuration on the NMS must be consistent with the configuration on the agent. Otherwise, you cannot perform corresponding operations.
  • Page 126 Figure 109 Network diagram Configuring the agent Enable SNMP agent: Select Device > SNMP from the navigation tree. The SNMP configuration page appears. Figure 110 Configuring the SNMP agent Select the Enable option, and select the v3 option. Click Apply. Configure an SNMP view: Click the View tab.
  • Page 127 Click Apply. A configuration progress dialog box appears. Click Close after the configuration process is complete. Figure 112 Creating an SNMP view (2) Configure an SNMP group: Click the Group tab. Click Add. The page in Figure 113 appears. Enter group1 in the Group Name field, select view1 from the Read View list, and select view1 from the Write View list.
  • Page 128 Enter user1 in the User Name field, select Auth/Priv from the Security Level list, select group1 from the Group Name list, select MD5 from the Authentication Mode list, enter authkey in the Authentication Password and Confirm Authentication Password fields, select DES56 from the Privacy Mode list, and enter prikey in the Privacy Password and Confirm Privacy Password fields.
  • Page 129 Configure a target host for SNMP traps: Click Add on the Trap tab page. The page for adding a target host of SNMP traps appears. Figure 116 Adding a trap target host Select the IPv4 option, enter 1.1.1.2 in the subsequent field, enter user1 in the Security Name field, select v3 from the Security Model list, and select Auth/Priv from the Security Level list.
  • Page 130: Displaying Interface Statistics

    Displaying interface statistics The interface statistics module displays statistics about the packets received and sent through interfaces. To display interface statistics, select Device > Interface Statistics from the navigation tree. Figure 117 Displaying interface statistics Table 39 Field description Field Description InOctets Total octets of all packets received on the interface.
  • Page 131: Configuring Vlans

    Configuring VLANs Overview Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect (CSMA/CD) mechanism. The medium is shared, so collisions and excessive broadcasts are common on an Ethernet. To address this issue, virtual LAN (VLAN) was introduced to break a LAN down into separate VLANs.
  • Page 132: Vlan Types

    Figure 119 Traditional Ethernet frame format IEEE 802.1Q inserts a four-byte VLAN tag after the DA&SA field, as shown in Figure 120. Figure 120 Position and format of VLAN tag A VLAN tag comprises the following fields: • Tag protocol identifier (TPID)—The 16-bit TPID field indicates whether the frame is VLAN-tagged...
  • Page 133: Port-Based Vlan

    Port-based VLAN Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN. Port link type You can configure the link type of a port as access, trunk, or hybrid. The link types use the following VLAN tag handling methods: • Access port—An access port belongs to only one VLAN and sends traffic untagged.
  • Page 134: Configuration Guidelines

    "Configuring a voice VLAN." • HP recommends that you set the same PVID for local and remote ports. • Make sure a port permits its PVID. Otherwise, when the port receives frames tagged with the PVID or untagged frames, the port drops these frames.
  • Page 135: Recommended Vlan Configuration Procedures

    Recommended VLAN configuration procedures You can configure VLANs using either of the following procedures. Recommended configuration procedure (modifying ports in a VLAN) Step Remarks Creating VLANs: Required. Create one or multiple VLANs. Required. Specify the range of VLANs available for selection during related operations.
  • Page 136: Selecting Vlans

    Figure 122 Creating VLANs Table 40 Configuration items Item Description VLAN IDs: IDs of the VLANs to be created. • ID—Select the ID of the VLAN whose description string is to be modified. Click the ID of the VLAN to be modified in the list in the middle of the page. • Modify the description of the...
  • Page 137: Modifying A Vlan

    Figure 123 Selecting VLANs Select the Display all VLANs option to display all VLANs, or select the Display a subnet of all configured VLANs option to enter the VLAN IDs to be displayed. Click Select. Modifying a VLAN Select Network > VLAN from the navigation tree. Click Modify VLAN to enter the page for modifying a VLAN.
  • Page 138 Figure 124 Modifying a VLAN Configure member ports of a VLAN as described in Table Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the dialog box prompts that the configuration succeeds. Table 41 Configuration items Item Description Select the VLAN to be modified.
  • Page 139: Modifying Ports

    Item Description Select membership type: Set the member type of the port to be modified in the VLAN: • Untagged—Configures the port to send the traffic of the VLAN after removing the VLAN tag. • Tagged—Configures the port to send the traffic of the VLAN without removing the VLAN tag.
  • Page 140: Vlan Configuration Example

    Click Close on the progress dialog box when the dialog box prompts that the configuration succeeds. Table 42 Configuration items Item Description Select Ports: Select the ports to be modified on the device panel. You can select multiple ports at a time. If aggregation ports are configured, they are displayed below the device panel.
  • Page 141 Select GigabitEthernet 1/0/1 on the chassis front device panel. Click Apply. Figure 127 Configuring GigabitEthernet 1/0/1 as a trunk port and its PVID as 100 Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100: Select Network > VLAN from the navigation tree. Click Create to enter the page for creating VLANs.
  • Page 142 Figure 128 Creating VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 Assign GigabitEthernet 1/0/1 to VLAN 100 as an untagged member: Click Select VLAN to enter the page for selecting VLANs. Select the option before Display a subnet of all configured VLANs, and enter 1-100 in the field. Click Select.
  • Page 143 Select 100 – VLAN 0100 in the Please select a VLAN to modify: list, select the Untagged option, and select GigabitEthernet 1/0/1 on the chassis front device panel. Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close. Figure 130 Assigning GigabitEthernet 1/0/1 to VLAN 100 as an untagged member Assign GigabitEthernet 1/0/1 to VLAN2, and VLAN 6 through VLAN 50 as a tagged member: Click Modify Port to enter the page for modifying the VLANs to which a port belongs.
  • Page 144 Figure 131 Assigning GigabitEthernet 1/0/1 to VLAN 2 and to VLANs 6 through 50 as a tagged member Configuring Switch B Configure Switch B as you configure Switch A.
  • Page 145: Configuring Vlan Interfaces

    Configuring VLAN interfaces Before creating a VLAN interface, you must create the corresponding VLAN in Network > VLAN. For more information, see "Configuring VLANs." Overview For hosts of different VLANs to communicate, you must use a router or Layer 3 switch to perform Layer 3 forwarding.
  • Page 146 Figure 132 Creating a VLAN interface Configure the VLAN interface as described in Table Click Apply. Table 43 Configuration items Item Description Input a VLAN ID: Enter the ID of the VLAN interface to be created. Before creating a VLAN interface, make sure the corresponding VLAN exists.
  • Page 147: Modifying A Vlan Interface

    Modifying a VLAN interface By modifying a VLAN interface, you can assign an IPv4 address, an IPv6 link-local address, and an IPv6 site-local address, or global unicast address to the VLAN interface, and shut down or bring up the VLAN interface.
  • Page 148 Item Description DHCP/BOOTP: Configure the way in which the VLAN interface gets an IPv4 address. Allow the VLAN interface to get an IP address automatically by selecting the DHCP or BOOTP option, or manually assign the VLAN interface an IP address by selecting the Manual option.
  • Page 149: Configuring A Voice Vlan

    Configuring a voice VLAN Overview A voice VLAN is dedicated to voice traffic. After the ports connecting to voice devices are assigned to a voice VLAN, the system automatically modifies the QoS parameters for the voice traffic. This improves transmission priority and ensures voice quality. Common voice devices include IP phones and integrated access devices (IADs).
  • Page 150 Assigning ports to and removing ports from a voice VLAN are automatically performed. Automatic mode is suitable for scenarios where PCs and IP phones connected in series access the network through the device and ports on the device transmit both voice traffic and data traffic at the same time, as shown in Figure 134.
  • Page 151: Security Mode And Normal Mode Of Voice Vlans

    MAC addresses checking. HP does not recommend that you transmit both voice packets and non-voice packets in a voice VLAN. If you have to, first make sure the voice VLAN security mode is disabled.
  • Page 152: Configuration Guidelines

    Table 48 How a voice VLAN-enabled port processes packets in security/normal mode Voice VLAN operating mode Packet type Packet processing mode Untagged packets: If the source MAC address of a packet matches an OUI address configured for the device, it is forwarded in the voice VLAN. Packets carrying the voice VLAN...
  • Page 153: Configuring Voice Vlan Globally

    Recommended configuration procedure for a port in automatic voice VLAN assignment mode Step Remarks Configuring voice VLAN globally: Optional. Configure the voice VLAN to operate in security mode, and configure the aging timer. Configuring voice VLAN on...: Required. Configure the voice VLAN assignment mode of a port as automatic, and enable the voice VLAN function on the port.
  • Page 154: Configuring Voice Vlan On Ports

    Figure 136 Configuring voice VLAN Configure the global voice VLAN settings as described in Table Click Apply. Table 49 Configuration items Item Description Voice VLAN security: Select Enable or Disable in the list to enable or disable the voice VLAN security mode. By default, the voice VLANs operate in security mode.
  • Page 155: Adding Oui Addresses To The Oui List

    Figure 137 Configuring voice VLAN on ports Configure the voice VLAN function for ports as described in Table Click Apply. Table 50 Configuration items Item Description Voice VLAN port mode: Set the voice VLAN assignment mode of a port to: • Auto—Automatic voice VLAN assignment mode.
  • Page 156: Voice Vlan Configuration Examples

    Figure 138 Adding OUI addresses to the OUI list Add an OUI address to the list as described in Table Click Apply. Table 51 Configuration items Item Description OUI Address Set the source MAC address of voice traffic. Mask Set the mask length of the source MAC address. Description Set the description of the OUI address entry.
  • Page 157 Figure 139 Network diagram Configuring Switch A Create VLAN 2: Select Network > VLAN from the navigation tree. Click the Create tab. Enter VLAN ID 2. Click Create. Figure 140 Creating VLAN 2 Configure GigabitEthernet 1/0/1 as a hybrid port: Select Device >...
  • Page 158 Click Apply. Figure 141 Configuring GigabitEthernet 1/0/1 as a hybrid port Configure the voice VLAN function globally: Select Network > Voice VLAN from the navigation tree. Click the Setup tab. Select Enable from the Voice VLAN security list. Set the voice VLAN aging timer to 30 minutes. Click Apply.
  • Page 159 Figure 142 Configuring the voice VLAN function globally Configure voice VLAN on GigabitEthernet 1/0/1: Click the Port Setup tab. Select Auto from the Voice VLAN port mode list. Select Enable from the Voice VLAN port state list. Enter voice VLAN ID 2. Select GigabitEthernet 1/0/1 from the chassis front panel.
  • Page 160 Figure 144 Adding OUI addresses to the OUI list Verifying the configuration When you complete the preceding configurations, the OUI Summary tab is displayed by default, as shown in Figure 145. You can view the information about the newly-added OUI address. Figure 145 Displaying the current OUI list of the device Click the Summary tab to enter the page shown in Figure...
  • Page 161: Configuring Voice VLAN On A Port In Manual Voice VLAN Assignment Mode

    Figure 146 Displaying voice VLAN information Configuring voice VLAN on a port in manual voice VLAN assignment mode Network requirements As shown in Figure 147: • Configure VLAN 2 as a voice VLAN that carries only voice traffic. • The IP phone connected to hybrid port GigabitEthernet 1/0/1 sends untagged voice traffic. • GigabitEthernet 1/0/1 operates in manual voice VLAN assignment mode, and allows voice...
  • Page 162 Configuring Switch A Create VLAN 2: Select Network > VLAN from the navigation tree. Click the Create tab. Enter VLAN ID 2. Click Create. Figure 148 Creating VLAN 2 Configure GigabitEthernet 1/0/1 as a hybrid port, and configure its default VLAN as VLAN 2: Select Device >...
  • Page 163 Figure 149 Configuring GigabitEthernet 1/0/1 as a hybrid port Assign GigabitEthernet 1/0/1 to VLAN 2 as an untagged member: Select Network > VLAN from the navigation tree. Click the Modify Port tab. Select GigabitEthernet 1/0/1 from the chassis front panel. Select the Untagged option.
  • Page 164 Figure 150 Assigning GigabitEthernet 1/0/1 to VLAN 2 as an untagged member Configure voice VLAN on GigabitEthernet 1/0/1: Select Network > Voice VLAN from the navigation tree. Click the Port Setup tab. Select Manual from the Voice VLAN port mode list. Select Enable from the Voice VLAN port state list.
  • Page 165 Figure 151 Configuring voice VLAN on GigabitEthernet 1/0/1 Add OUI addresses to the OUI list: Click the OUI Add tab. Enter OUI address 0011-2200-0000. Select FFFF-FF00-0000 as the mask. Enter description string test. Click Apply.
  • Page 166 Figure 152 Adding OUI addresses to the OUI list Verifying the configuration When you complete the preceding configurations, the OUI Summary tab is displayed by default, as shown in Figure 153. You can view the information about the newly-added OUI address. Figure 153 Displaying the current OUI list of the device Click the Summary tab to enter the page shown in Figure...
  • Page 167 Figure 154 Displaying the current voice VLAN information...
  • Page 168: Configuring The MAC Address Table

    Configuring the MAC address table MAC address configurations related to interfaces apply to Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces only. This chapter provides information about the management of static and dynamic MAC address entries. It does not provide information about multicast MAC address entries. Overview To reduce single-destination packet flooding in a switched LAN, an Ethernet device uses a MAC address table for forwarding frames.
  • Page 169: MAC Address Table-Based Frame Forwarding

    • Static entries—Manually added and never age out. • Dynamic entries—Manually added or dynamically learned, and might age out. • Blackhole entries—Manually configured and never age out. They are configured for filtering out frames with specific destination MAC addresses. For example, to block all packets destined for a specific user for security concerns, you can configure the MAC address of this user as a blackhole MAC address entry.
  • Page 170 Figure 155 The MAC tab Click Add at the bottom to enter the page for creating MAC address entries. Figure 156 Creating a MAC address entry Configure a MAC address entry. Click Apply. Table 52 Configuration items Item Description Set the MAC address to be added.
  • Page 171: Setting The Aging Time Of MAC Address Entries

    Item Description Type: Set the type of the MAC address entry: • Static—Static MAC address entries that never age out. • Dynamic—Dynamic MAC address entries that will age out. • Blackhole—Blackhole MAC address entries that never age out. The tab displays the following types of MAC address entries: •...
  • Page 172: MAC Address Table Configuration Example

    MAC address table configuration example Network requirements Use the Web-based NMS to configure the MAC address table of the device. Add a static MAC address 00e0-fc35-dc71 under GigabitEthernet 1/0/1 in VLAN 1. Creating a static MAC address entry Select Network > MAC from the navigation tree. By default, the MAC tab is displayed.
  • Page 173: Configuring MSTP

    LAN share the same spanning tree, so redundant links cannot be blocked based on VLAN, and the packets of all VLANs are forwarded along the same spanning tree. For more information about STP and RSTP, see HP 830 Series PoE+ Unified Wired-WLAN Switch Switching Engine Layer 2 Configuration Guide.
  • Page 174: Basic Concepts In MSTP

    Basic concepts in MSTP Assume that all the four devices in Figure 159 are running MSTP. This section explains some basic concepts of MSTP based on the figure. Figure 159 Basic concepts in MSTP MST region A multiple spanning tree region (MST region) consists of multiple devices in a switched network and the network segments among them.
  • Page 175: VLAN-To-MSTI Mapping Table

    • The same MSTP revision level (not shown in the figure). Multiple MST regions can exist in a switched network. You can assign multiple devices to the same MST region. VLAN-to-MSTI mapping table As an attribute of an MST region, the VLAN-to-MSTI mapping table describes the mapping relationships between VLANs and MSTIs.
  • Page 176: Common Root Bridge

    Common root bridge The common root bridge is the root bridge of the CIST. In Figure 159, for example, the common root bridge is a device in region A0. Boundary port A boundary port is a port that connects an MST region to another MST region, or to a single spanning-tree region running STP, or to a single spanning-tree region running RSTP.
  • Page 177: Port States

    Figure 160 Port roles In Figure 160, devices A, B, C, and D constitute an MST region. Port 1 and port 2 of device A are connected to the common root bridge, port 5 and port 6 of device C form a loop, and port 3 and port 4 of device D are connected downstream to the other MST regions.
  • Page 178: How MSTP Works

    How MSTP works MSTP divides an entire Layer 2 network into multiple MST regions, which are interconnected by a calculated CST. Inside an MST region, multiple spanning trees are calculated, each being an MSTI. Among these MSTIs, MSTI 0 is called the CIST. Similar to RSTP, MSTP uses configuration BPDUs to calculate spanning trees.
  • Page 179: Configuration Guidelines

    Configuration guidelines Follow these guidelines when you configure MSTP: • Two devices belong to the same MST region only if they are interconnected through physical links, and share the same region name, the same MSTP revision level, and the same VLAN-to-MSTI mappings.
  • Page 180 Figure 161 MST region Click Modify to enter the page for configuring MST regions. Figure 162 Configuring an MST region Configure the MST region information as described in Table 55, and click Apply. Click Activate. Table 55 Configuration items Item Description MST region name.
  • Page 181: Configuring MSTP Globally

    Configuring MSTP globally Select Network > MSTP from the navigation tree. Click the Global tab to enter the page for configuring MSTP globally. Figure 163 Configuring MSTP globally Configure the global MSTP configuration as described in Table Click Apply. Table 56 Configuration items Item Description Select whether to enable STP globally.
  • Page 182 • The settings of hello time, forward delay and max age must meet a certain formula. Otherwise, the network topology will not be stable. HP recommends that you set the network diameter and then have the device automatically calculate the forward delay, hello time, and max age.
  • Page 183: Configuring MSTP On A Port

    This affects network stability. With the TC-BPDU guard function, you can prevent frequent flushing of forwarding address entries. HP does not recommend that you disable this function. tc-protection threshold: Set the maximum number of immediate forwarding address entry flushes the device can perform within a certain period of time after receiving the first TC-BPDU.
  • Page 184 • Transmit Limit—Configure the maximum number of MSTP packets that can be sent during each Hello interval. The larger the transmit limit is, the more network resources will be occupied. HP recommends that you use the default value. • MSTP Mode—Set whether the port migrates to the MSTP mode.
  • Page 185: Displaying MSTP Information For A Port

    BPDUs. You can set these ports as edge ports (Edged Port) to achieve fast transition for these ports. HP recommends that you enable the BPDU guard function in conjunction with the edged port function to avoid network topology changes when the edge ports receive configuration BPDUs.
  • Page 186 Figure 165 The port summary tab Table 59 Field description Field Description [FORWARDING]: The port is in forwarding state, so the port learns MAC addresses and forwards user traffic. [LEARNING]: The port is in learning state, so the port learns MAC addresses but does not forward user traffic.
  • Page 187 Field Description Port Edged: Indicates whether the port is an edge port: • Config—Indicates the configured value. • Active—Indicates the actual value. Point-to-point: Indicates whether the port is connected to a point-to-point link: • Config—Indicates the configured value. • Active—Indicates the actual value. Transmit Limit: Maximum number of packets sent within each Hello time.
  • Page 188: MSTP Configuration Example

    MSTP configuration example Network requirements As shown in Figure 166, configure MSTP so that: • All devices on the network are in the same MST region. • Packets of VLAN 10, VLAN 20, VLAN 30, and VLAN 40 are forwarded along MSTI 1, MSTI 2, MSTI 3, and MSTI 0, respectively.
  • Page 189 Select 3 in the Instance ID list. Set the VLAN ID to 10. Click Apply to map VLAN 10 to MSTI 1 and add the VLAN-to-MSTI mapping entry to the VLAN-to-MSTI mapping list. Repeat the preceding three steps to map VLAN 20 to MSTI 2 and VLAN 30 to MSTI 3 and add the VLAN-to-MSTI mapping entries to the VLAN-to-MSTI mapping list.
  • Page 190 Figure 169 Configuring MSTP globally (on Switch A) Configuring Switch B Configure an MST region. (The procedure here is the same as that of configuring an MST region on Switch A.) Configure MSTP globally: Select Network > MSTP from the navigation tree. Click the Global tab to enter the page for configuring MSTP globally.
  • Page 191 Click Global to enter the page for configuring MSTP globally. Select Enable from the Enable STP Globally list. Select MSTP from the Mode list. Select the box to the left of Instance. Set the Instance ID field to 3. Set the Root Type field to Primary. Click Apply.
  • Page 192: Configuring Link Aggregation And LACP

    Configuring link aggregation and LACP Overview Link aggregation aggregates multiple physical Ethernet ports into one logical link, also called an aggregation group. It allows you to increase bandwidth by distributing traffic across the member ports in the aggregation group. In addition, it provides reliable connectivity because these member ports can dynamically back up each other.
  • Page 193: Link Aggregation Modes

    Operational key When aggregating ports, link aggregation control automatically assigns each port an operational key based on port attributes, including the port rate, duplex mode and link state configuration. In an aggregation group, all Selected ports are assigned the same operational key. Class-two configurations The contents of class-two configurations are listed in Table...
  • Page 194 • Static aggregation limits the number of Selected ports in an aggregation group. When the number of the candidate selected ports is under the limit, all the candidate selected ports become Selected ports. When the limit is exceeded, the candidate selected ports with smaller port numbers are set in Selected state and those with greater port numbers in Unselected state.
  • Page 195: Load Sharing Mode Of An Aggregation Group

    • Changing a port attribute or class-two configuration setting of a port may cause the Selected state of the port and other member ports to change and affect services. HP recommends that you do that with caution. Load sharing mode of an aggregation group A link aggregation group operates in load sharing aggregation mode or non-load sharing mode.
  • Page 196: Recommended Link Aggregation And LACP Configuration Procedures

    • HP does not recommend that you add a mirroring reflector to an aggregation group. For more information about reflectors, see "Configuring port mirroring." • Removing a Layer 2 aggregate interface also removes the corresponding aggregation group. Meanwhile, the member ports of the aggregation group, if any, leave the aggregation group.
  • Page 197: Creating A Link Aggregation Group

    Step Remarks Displaying information about LACP-enabled ports: Optional. Perform the task to view detailed information about LACP-enabled ports and the corresponding remote (partner) ports. Creating a link aggregation group Select Network > Link Aggregation from the navigation tree. Click Create. Figure 171 Creating a link aggregation group Configure a link aggregation group as described in Table...
  • Page 198: Displaying Information About An Aggregate Interface

    Table 61 Configuration items Item Description Enter Link Aggregation Interface ID: Assign an ID to the link aggregation group to be created. You can view the result in the Summary area at the bottom of the page. Set the type of the link aggregation interface to be created: •...
  • Page 199: Setting LACP Priority

    Table 62 Field description Field Description Aggregation interface: Type and ID of the aggregate interface. Bridge-Aggregation indicates a Layer 2 aggregate interface. Link Type: Type of the aggregate interface, which can be static or dynamic. Partner ID: ID of the remote device, including its LACP priority and MAC address. Selected Ports: Number of Selected ports in each link aggregation group (only Selected ports can transmit and receive user data).
  • Page 200: Displaying Information About LACP-Enabled Ports

    In the Set LACP enabled port(s) parameters area, set the port priority, and select the ports in the chassis front panel. Click Apply in the area. Table 63 Configuration items Item Description Port Priority: Set a port LACP priority. Select port(s) to apply Port Priority: Select, on the chassis front panel, the ports to which the port LACP priority you set will apply. You can set LACP priority not only on LACP-enabled ports but also on LACP-disabled ports.
  • Page 201 Figure 174 Displaying information about LACP-enabled ports Table 64 Field description Field Description Port: Port where LACP is enabled. LACP State: State of LACP on the port. Port Priority: LACP priority of the port. State: Active state of the port. If a port is Selected, its state is active and the ID of the aggregation group it belongs to will be displayed.
  • Page 202: Link Aggregation And LACP Configuration Example

    Field Description State information of the peer port: • A—Indicates that LACP is enabled. • B—Indicates that LACP short timeout has occurred. If B does not appear, LACP long timeout has occurred. • C—Indicates that the link is considered aggregatable by the sending system.
  • Page 203 You can create a static or dynamic link aggregation group to achieve load balancing. Approach 1: Create static link aggregation group 1 Select Network > Link Aggregation from the navigation tree. Click Create. Configure static link aggregation group 1: Enter link aggregation interface ID 1. Select the Static (LACP Disabled) option for the aggregate interface type.
  • Page 204 Enter link aggregation interface ID 1. Select the Dynamic (LACP Enabled) option for aggregate interface type. Select GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 on the chassis front panel. Click Apply. Figure 177 Creating dynamic link aggregation group 1...
  • Page 205: Configuring LLDP

    Configuring LLDP Overview In a heterogeneous network, a standard configuration exchange platform makes sure different types of network devices from different vendors can discover one another, and exchange configuration for the sake of interoperability and management. The IETF drafted the Link Layer Discovery Protocol (LLDP) in IEEE 802.1AB. The protocol operates on the data link layer to exchange device information between directly connected devices.
  • Page 206 Field Description Data LLDP data. Frame check sequence, a 32-bit CRC value used to determine the validity of the received Ethernet frame. LLDPDUs encapsulated in SNAP Figure 179 LLDPDU encapsulated in SNAP Table 67 Description of the fields in a SNAP-encapsulated LLDPDU Field Description MAC address to which the LLDPDU is advertised.
  • Page 207 LLDPDU TLVs fall into the following categories: basic management TLVs, organizationally (IEEE 802.1 and IEEE 802.3) specific TLVs, and LLDP-MED (media endpoint discovery) TLVs. Basic management TLVs are essential to device management. Organizationally specific TLVs and LLDP-MED TLVs are used for improved device management.
  • Page 208 Layer 3 Ethernet interfaces do not support IEEE 802.1 organizationally specific TLVs. IEEE 802.3 organizationally specific TLVs Table 70 IEEE 802.3 organizationally specific TLVs Type Description MAC/PHY Configuration/Status: Contains the rate and duplex capabilities of the sending port, support for auto negotiation, enabling status of auto negotiation, and the current rate and duplex mode.
  • Page 209: LLDP Operating Modes

    For more information about LLDPDU TLVs, see the IEEE standard (LLDP) 802.1AB-2005 and the LLDP-MED standard (ANSI/TIA-1057). Management address The management address of a device is used by the network management system to identify and manage the device for topology maintenance and network management. The management address is encapsulated in the management address TLV.
  • Page 210: Protocols And Standards

    cause a requesting Cisco IP phone to send voice traffic untagged to your device, preventing your device from differentiating voice traffic from other types of traffic. CDP compatibility enables LLDP on your device to receive and recognize CDP packets from Cisco IP phones and respond with CDP packets carrying the voice VLAN configuration TLV for the IP phones to configure the voice VLAN automatically.
  • Page 211: Enabling LLDP On Ports

    Step Remarks Configuring LLDP settings on ports: Optional. LLDP settings include LLDP operating mode, packet encapsulation, CDP compatibility, device information polling, trapping, and advertisable TLVs. By default: • The LLDP operating mode is TxRx. • The encapsulation format is Ethernet II. •...
  • Page 212: Configuring LLDP Settings On Ports

    Figure 181 The port setup tab Configuring LLDP settings on ports The Web interface allows you to set LLDP parameters for a single port, and set LLDP parameters for multiple ports in batch. Setting LLDP parameters for a single port Select Network >...
  • Page 213 Figure 182 Modifying LLDP settings on a port Modify the LLDP parameters for the port as described in Table Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
  • Page 214 Item Description Encapsulation Format: Set the encapsulation for LLDPDUs: • ETHII—Encapsulates outgoing LLDPDUs in Ethernet II frames and processes an incoming LLDPDU only if its encapsulation is Ethernet II. • SNAP—Encapsulates outgoing LLDPDUs in SNAP frames and processes an incoming LLDPDU only if its encapsulation is SNAP. LLDP-CDP PDUs use only SNAP encapsulation.
  • Page 215: Configuring LLDP Settings For Ports In Batch

    Item Description MAC/PHY Configuration/Status: Select the box to include the MAC/PHY configuration/status TLV in transmitted LLDPDUs. Maximum Frame Size: Select the box to include the maximum frame size TLV in transmitted LLDPDUs. Power via MDI: Select the box to include the power via MDI TLV and power stateful control TLV in transmitted LLDPDUs.
  • Page 216: Configuring Global LLDP Setup

    Figure 183 Modifying LLDP settings on ports in batch Set the LLDP settings for these ports as described in Table Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
  • Page 217 Figure 184 The global setup tab Set the global LLDP setup as described in Table Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds. Table 73 Configuration items Item Description LLDP Enable...
  • Page 218: Displaying LLDP Information For A Port

    Item Description Trap Interval: Set the minimum interval for sending traps. With the LLDP trapping function enabled on a port, traps are sent out of the port to advertise the topology changes detected over the trap interval to neighbors. By tuning this interval, you can prevent excessive traps from being sent when the topology is unstable.
  • Page 219 Table 74 Field description Field Description Port ID subtype: Port ID type: • Interface alias. • Port component. • MAC address. • Network address. • Interface name. • Agent circuit ID. • Locally assigned, or the local configuration. Power over Ethernet port class: •...
  • Page 220 Figure 186 The Neighbor Information tab Table 75 Field description Field Description Chassis type: Chassis ID type: • Chassis component. • Interface alias. • Port component. • MAC address. • Network address. • Interface name. • Locally assigned, or the local configuration. Chassis ID: Chassis ID depending on the chassis type, which can be a MAC address of the device.
  • Page 221 Field Description Auto-negotiation supported Support of the neighbor for auto negotiation. Auto-negotiation enabled Enabling status of auto negotiation on the neighbor. OperMau Current speed and duplex mode of the neighbor. Link aggregation supported Support of the neighbor for link aggregation. Link aggregation enabled Enabling status of link aggregation on the neighbor.
  • Page 222: Displaying Global LLDP Information

    Field Description Asset tracking identifier: Asset ID advertised by the neighbor. This ID is used for the purpose of inventory management and asset tracking. PoE PSE power source: Type of PSE power source advertised by the neighbor: • Primary. • Backup.
  • Page 223 Table 76 describes the fields. Figure 189 The global summary tab Table 76 Field description Field Description Chassis ID: Local chassis ID depending on the chassis type defined. System capabilities supported: Primary network function advertised by the local device: • Repeater. •...
  • Page 224: Displaying LLDP Information Received From LLDP Neighbors

    Field Description Device class: Device class advertised by the local device: • Connectivity device—An intermediate device that provides network connectivity. • Class I—A generic endpoint device. All endpoints that require the discovery service of LLDP belong to this category. • Class II—A media endpoint device. The class II endpoint devices support the media stream capabilities and the capabilities of generic endpoint devices.
  • Page 225 Figure 191 Network diagram Configuring Switch A (Optional.) Enable LLDP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. (By default, LLDP is enabled on Ethernet ports.) Set the LLDP operating mode to Rx on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2: Select Network >...
  • Page 226 Figure 192 The port setup tab Select Rx from the LLDP Operating Mode list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
  • Page 227 Figure 193 Setting LLDP on multiple ports Enable global LLDP: Click the Global Setup tab, as shown in Figure 194. Select Enable from the LLDP Enable list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
  • Page 228 Figure 194 The global setup tab Configuring Switch B (Optional.) Enable LLDP on port GigabitEthernet 1/0/1. (By default, LLDP is enabled on Ethernet ports.) Set the LLDP operating mode to Tx on GigabitEthernet 1/0/1: Select Network > LLDP from the navigation tree. By default, the Port Setup tab is displayed.
  • Page 229 Figure 195 Setting the LLDP operating mode to Tx Enable global LLDP: Click the Global Setup tab. Select Enable from the LLDP Enable list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
  • Page 230 Figure 196 The status information tab (1) Display the status information of port GigabitEthernet1/0/2 on Switch A: Click the GigabitEthernet1/0/2 port name in the port list. Click the Status Information tab at the lower half of the page. The output shows that port GigabitEthernet 1/0/2 is connected to a non-MED neighbor device (Switch B), as shown in Figure 197.
  • Page 231: CDP-Compatible LLDP Configuration Example

    Figure 198 The status information tab displaying the updated port status information CDP-compatible LLDP configuration example Network requirements As shown in Figure 199, on Switch A, configure VLAN 2 as a voice VLAN and configure CDP-compatible LLDP to enable the Cisco IP phones to automatically configure the voice VLAN, confining their voice traffic within the voice VLAN to be separate from other types of traffic.
  • Page 232 Figure 200 Creating VLANs Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as trunk ports: Select Device > Port Management from the navigation tree. Click the Setup tab to enter the page for configuring ports. Select Trunk from the Link Type list. Select port GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 from the chassis front panel.
  • Page 233 Figure 201 Configuring ports Configure the voice VLAN function on the two ports: Select Network > Voice VLAN from the navigation tree. Click the Port Setup tab to enter the page for configuring the voice VLAN function on ports. Select Auto from the Voice VLAN port mode list, select Enable from the Voice VLAN port state list, enter the voice VLAN ID 2, and select port GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 from the chassis front panel.
  • Page 234 Figure 202 Configuring the voice VLAN function on ports Enable LLDP on ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. Skip this step if LLDP is enabled (the default). Set both the LLDP operating mode and the CDP operating mode to TxRx on ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2: Select Network >...
  • Page 235 Figure 203 The port setup tab Select TxRx from the LLDP Operating Mode list, and select TxRx from the CDP Operating Mode list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
  • Page 236 Figure 204 Modifying LLDP settings on ports Enable global LLDP and CDP compatibility of LLDP: Click the Global Setup tab. Select Enable from the LLDP Enable list. Select Enable from the CDP Compatibility list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
  • Page 237 Figure 205 The global setup tab Verifying the configuration Display information about LLDP neighbors on Switch A after completing the configuration. The output shows Switch A has discovered the Cisco IP phones attached to ports GigabitEthernet1/0/1 and GigabitEthernet1/0/2 and obtained their device information.
  • Page 238: Configuring ARP

    Configuring ARP Overview ARP resolves an IP address into a physical address, such as an Ethernet MAC address. On an Ethernet LAN, a device uses ARP to get the MAC address of the target device for a packet. ARP message format ARP uses two types of messages, ARP request and ARP reply.
  • Page 239: ARP Table

    If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request. The payload of the ARP request comprises the following information: • Sender IP address and sender MAC address—Host A's IP address and MAC address. • Target IP address—Host B's IP address. • Target MAC address—An all-zero MAC address. All hosts on this subnet can receive the broadcast request, but only the requested host (Host B)
  • Page 240: Gratuitous ARP

    Dynamic ARP entry ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging timer expires or the output interface goes down, and it can be overwritten by a static ARP entry. Static ARP entry A static ARP entry is manually configured and maintained.
  • Page 241: Creating A Static ARP Entry

    Creating a static ARP entry Select Network > ARP Management from the navigation tree to enter the default ARP Table page shown in Figure 208. Click Add. Figure 209 Adding a static ARP entry Configure the static ARP entry as described in Table Click Apply.
  • Page 242: Static ARP Configuration Example

    Click the Gratuitous ARP tab. Figure 210 Configuring gratuitous ARP page Configure gratuitous ARP as described in Table Click Apply. Table 78 Configuration items Item Description Disable gratuitous ARP packets learning function: Disable learning of ARP entries according to gratuitous ARP packets. Enabled by default.
  • Page 243 Configuring Switch A Create VLAN 100: Select Network > VLAN from the navigation tree. Click the Add tab. Enter 100 for VLAN ID. Click Create. Figure 212 Creating VLAN 100 Add GigabitEthernet 1/0/1 to VLAN 100: Click the Modify Port tab. Select interface GigabitEthernet 1/0/1 in the Select Ports field.
  • Page 244 Figure 213 Adding GigabitEthernet 1/0/1 to VLAN 100 Create VLAN-interface 100: Select Network > VLAN Interface from the navigation tree. Click the Create tab. Enter 100 for VLAN ID. Select the Configure Primary IPv4 Address box. Select the Manual option. Enter 192.168.1.2 for IPv4 Address.
  • Page 245 Figure 214 Creating VLAN-interface 100 Create a static ARP entry: Select Network > ARP Management from the navigation tree to enter the default ARP Table page. Click Add. Perform the following operations, as shown in Figure 215. Click Add. Enter 192.168.1.1 for IP Address. Enter 00e0-fc01-0000 for MAC Address.
  • Page 246: Configuring ARP Attack Defense

    Configuring ARP attack defense Overview ARP is easy to implement, but it provides no security mechanism. Therefore, it is prone to network attacks. The ARP detection feature enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks. ARP detection provides the following functions: user validity check and ARP packet validity check.
  • Page 247 Figure 216 Configuring ARP detection Configure ARP detection as described in Table Click Apply. Table 79 Configuration items Item Description VLAN Settings: Select VLANs on which ARP detection is to be enabled. To add VLANs to the Enabled VLANs list box, select one or multiple VLANs from the Disabled VLANs list box and click the <<...
  • Page 248: Configuring IGMP Snooping

    Configuring IGMP snooping Overview Internet Group Management Protocol (IGMP) snooping is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups. By analyzing received IGMP messages, a Layer 2 device running IGMP snooping establishes mappings between ports and multicast MAC addresses and forwards multicast data based on these mappings.
  • Page 249 Figure 218 IGMP snooping related ports As shown in Figure 218, IGMP snooping divides the ports on a Layer 2 switch into the following types: • Router port—Layer 3 multicast device-side port. Layer 3 multicast devices include designated routers and IGMP queriers. In Figure 218, Ethernet 1/1 of Switch A and Ethernet 1/1 of Switch B are router ports.
  • Page 250: How IGMP Snooping Works

    NOTE: In IGMP snooping, only dynamic ports age out. How IGMP snooping works An IGMP snooping–enabled switch performs different actions when it receives different IGMP messages. The ports in this section are dynamic ports. When receiving a general query The IGMP querier periodically sends IGMP general queries to all hosts and routers (224.0.0.1) on the local subnet to examine whether any active multicast group members exist on the subnet.
  • Page 251: Protocols And Standards

    When the switch receives an IGMP leave message on a dynamic member port, the switch first examines whether a forwarding entry matches the group address in the message, and, if a match is found, whether the forwarding entry for the group contains the dynamic member port. •...
  • Page 252: Enabling IGMP Snooping Globally

    Step Remarks Optional. Configure the maximum number of multicast groups allowed and the fast-leave function for ports in the specified VLAN. Configuring IGMP snooping port functions IMPORTANT: • Multicast routing or IGMP snooping must be enabled globally before IGMP snooping can be enabled on a port. •...
  • Page 253 Figure 220 Configuring IGMP snooping in a VLAN Configure the parameters as described in Table Click Apply. Table 80 Configuration items Item Description VLAN ID This field displays the ID of the VLAN to be configured. Enable or disable IGMP snooping in the VLAN. IGMP snooping You can proceed with the subsequent configurations only if Enable is selected here.
  • Page 254: Configuring IGMP Snooping Port Functions

    Item Description Querier Enable or disable the IGMP snooping querier function. On an IP multicast network that runs IGMP, a Layer 3 device acts as an IGMP querier to send IGMP queries and establish and maintain multicast forwarding entries for correct multicast traffic forwarding at the network layer. On a network without Layer 3 multicast devices, IGMP querier cannot work because a Layer 2 device does not support IGMP.
  • Page 255: Displaying IGMP Snooping Multicast Table Entries

    Table 81 Configuration items Item Description Select the port on which advanced IGMP snooping features will be configured. The port can be an Ethernet port or Layer-2 aggregate port. After a port is selected, advanced features configured on this port are displayed at the lower part of this page.
  • Page 256: IGMP Snooping Configuration Example

    Figure 222 Displaying entry information To display detailed information of an entry, click the icon corresponding to the entry. Figure 223 Information about an IGMP snooping multicast entry Table 82 Field description Field Description VLAN ID ID of the VLAN to which the entry belongs. Source Address Multicast source address, where "0.0.0.0"...
  • Page 257 Figure 224 Network diagram (diagram labels: VLAN 100; Router A, Switch A; Host A, Host B; Source, IGMP querier, Receiver; interfaces GE1/0/1, GE1/0/2, GE1/0/3, Eth1/1, Eth1/2; addresses 1.1.1.1/24, 1.1.1.2/24, 10.1.1.1/24) Configuring Router A Enable IP multicast routing globally, enable PIM-DM on each interface, and enable IGMP on Ethernet 1/1.
  • Page 258 Assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 100: Click the Modify Port tab. Select GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 in the Select Ports field. Select the Untagged option for Select membership type. Enter 100 as the VLAN ID. Click Apply.
  • Page 259 Figure 227 Enabling IGMP snooping globally Enable IGMP snooping and the function of dropping unknown multicast data for VLAN 100: Click the icon corresponding to VLAN 100. Select the Enable option for IGMP snooping. Select the 2 option for Version. Select the Enable option for Drop Unknown.
  • Page 260 Figure 229 Enabling fast leave Verifying the configuration From the navigation tree, select Network > IGMP snooping. Click Show Entries in the basic VLAN configuration page to display information about IGMP snooping multicast entries. Figure 230 IGMP snooping multicast entry list Click the icon corresponding to the multicast entry (0.0.0.0, 224.1.1.1) to display information about this entry.
  • Page 261: Configuring IPv4 And IPv6 Routing

    Configuring IPv4 and IPv6 routing Overview A router selects an appropriate route according to the destination address of a received packet and forwards the packet to the next router. The last router on the path is responsible for sending the packet to the destination host.
  • Page 262: Default Route

    Default route A default route is used to forward packets that match no entry in the routing table. Without a default route, a packet that does not match any routing entries is discarded and an Internet Control Message Protocol (ICMP) destination-unreachable packet is sent to the source. You can configure default routes in the Web interface in the following ways: Configure an IPv4 static default route and specify both its destination IP address and mask as •...
  • Page 263: Creating An IPv4 Static Route

    Table 83 Field description Field Description Destination IP Address / Mask Destination IP address and subnet mask of the IPv4 route. Protocol Protocol that discovered the IPv4 route. Preference Preference value for the IPv4 route. The smaller the number, the higher the preference. Next Hop Next hop IP address of the IPv4 route.
  • Page 264: Displaying The IPv6 Active Route Table

    Item Description Preference Set a preference value for the static route. The smaller the number, the higher the preference. For example, specifying the same preference for multiple static routes to the same destination enables load sharing on the routes, while specifying different preferences enables route backup.
  • Page 265: IPv4 Static Route Configuration Example

    Click the Create tab. The page for configuring IPv6 static route appears. Figure 235 Creating an IPv6 static route Create an IPv6 static route as described in Table Click Apply. Table 86 Configuration items Item Description Destination IP Address Enter the destination host or network IP address, in the X:X::X:X format. The 128-bit destination IPv6 address is a hexadecimal address with eight parts separated by colons (:).
  • Page 266 Figure 236 Network diagram Configuration considerations On Switch A, configure a default route with Switch B as the next hop. On Switch B, configure one static route with Switch A as the next hop and the other with Switch C as the next hop.
  • Page 267 Figure 237 Configuring a default route Configure a static route to Switch A and Switch C on Switch B: Select Network > IPv4 Routing from the navigation tree of Switch B. Click the Create tab. The page for configuring a static route appears. Enter 1.1.2.0 for Destination IP Address, 24 for Mask, and 1.1.4.1 for Next Hop.
  • Page 268 Enter 1.1.3.0 for Destination IP Address, enter 24 for Mask, and enter 1.1.5.6 for Next Hop. Click Apply. Configure a default route to Switch B on Switch C: Select Network > IPv4 Routing from the navigation tree of Switch C. Click the Create tab.
  • Page 269: IPv6 Static Route Configuration Example

    IPv6 static route configuration example Network requirements The IP addresses of devices are shown in Figure 240. IPv6 static routes need to be configured on Switch A, Switch B and Switch C for any two hosts to communicate with each other. Figure 240 Network diagram Host B 2::2/64...
  • Page 270 Figure 241 Configuring a default route Configure a static route to Switch A and Switch C on Switch B: Select Network > IPv6 Routing from the navigation tree of Switch B. Click the Create tab. The page for configuring a static route appears. Enter 1:: for Destination IP Address, select 64 from the Prefix Length list, and enter 4::1 for Next Hop.
  • Page 271 Select Network > IPv6 Routing from the navigation tree of Switch C. Click the Create tab. Enter :: for Destination IP Address, select 0 from the Prefix Length list, and enter 5::2 for Next Hop. Click Apply. Figure 243 Configuring a default route Verifying the configuration Display the routing table: Enter the IPv6 route page of Switch A, Switch B, and Switch C to verify that the newly configured...
  • Page 272: Configuring IPv6 Services

    Configuring IPv6 services Before performing IPv6 configurations, enable IPv6 packet forwarding. Otherwise, IPv6 packets cannot be forwarded even if you configure an IPv6 address on an interface. To configure IPv6 services: Select Network > IPv6 Service from the navigation tree, and you are placed in the IPv6 Service tab.
  • Page 273: DHCP Overview

    DHCP overview After the DHCP client is enabled on an interface, the interface can dynamically obtain an IP address and other configuration parameters from the DHCP server. This facilitates configuration and centralized management. For more information about the DHCP client configuration, see "Configuring VLAN interfaces"...
  • Page 274: Configuring The DHCP Server

    Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers If there is an unauthorized DHCP server on a network, DHCP clients may obtain invalid IP addresses and network configuration parameters, and cannot communicate normally with other network devices. With DHCP snooping, the ports of a device can be configured as trusted or untrusted, ensuring that clients obtain IP addresses only from authorized DHCP servers.
  • Page 275: Creating A Static Address Pool For The DHCP Server

    Figure 246 DHCP configuration page Creating a static address pool for the DHCP server Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown in Figure 246. Select the Static option in the Address Pool field to view all static address pools. Click Add to enter the static address pool configuration page.
  • Page 276: Creating A Dynamic Address Pool For The DHCP Server

    Table 87 Configuration items Item Description IP Pool Name Enter the name of a static address pool. IP Address / Mask Enter an IP address and select a subnet mask for the static address pool. The IP address cannot be the IP address of any interface on the DHCP server. Otherwise, an IP address conflict may occur and the bound client cannot obtain an IP address correctly.
  • Page 277 Figure 248 Creating a dynamic address pool Configure the dynamic address pool as described in Table 88. Click Apply. Table 88 Configuration items Item Description IP Pool Name Enter the name of a dynamic address pool. IP Address Enter an IP address segment for dynamic allocation. To avoid address conflicts, the DHCP server excludes the IP addresses used by gateways or FTP servers from dynamic...
  • Page 278: Enabling The DHCP Server On An Interface

    Item Description DNS Server Address Enter the DNS server addresses for the client. To allow the client to access a host on the Internet via the host name, you need to specify DNS server addresses. Up to eight DNS servers can be specified in a DHCP address pool, separated by commas.
  • Page 279: Configuring The DHCP Relay Agent

    Configuring the DHCP relay agent Recommended configuration procedure Task Remarks Enabling DHCP and configuring advanced parameters for the DHCP relay agent Required. Enable DHCP globally and configure advanced DHCP parameters. By default, global DHCP is disabled. Creating a DHCP server group Required. To improve reliability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group.
  • Page 280 Click Display Advanced Configuration to expand the advanced DHCP relay agent configuration field, as shown in Figure 250. Figure 250 DHCP relay agent configuration page Enable the DHCP service and configure advanced parameters for the DHCP relay agent as shown in Table Click Apply. Table 90 Configuration items Item Description...
  • Page 281: Creating A DHCP Server Group

    Item Description Unauthorized Server Detect Enable or disable unauthorized DHCP server detection. There are unauthorized DHCP servers on networks, which reply to DHCP clients with wrong IP addresses. With this feature enabled, upon receiving a DHCP request, the DHCP relay agent records the IP address of any DHCP server that assigned an IP address to the DHCP client and the receiving interface.
  • Page 282: Enabling The DHCP Relay Agent On An Interface

    Table 91 Configuration items Item Description Server Group ID Enter the ID of a DHCP server group. You can create up to 20 DHCP server groups. IP Address Enter the IP address of a server in the DHCP server group. The server IP address cannot be on the same subnet as the IP address of the DHCP relay agent.
  • Page 283: Configuring And Displaying Clients' IP-to-MAC Bindings

    Configuring and displaying clients' IP-to-MAC bindings Select Network > DHCP from the navigation tree and click DHCP Relay. In the User Information field, click User Information to view static and dynamic bindings, as shown in Figure 253. Figure 253 Displaying clients' IP-to-MAC bindings Click Add to enter the page as shown in Figure 254.
  • Page 284: Configuring DHCP Snooping

    Configuring DHCP snooping A DHCP snooping-enabled device does not work if it is between the DHCP relay agent and the DHCP server. It works when it is between the DHCP client and the relay agent, or between the DHCP client and the DHCP server.
  • Page 285: Configuring DHCP Snooping Functions On An Interface

    Figure 255 DHCP snooping configuration page Configuring DHCP snooping functions on an interface Select Network > DHCP from the navigation tree. Click the DHCP Snooping tab to enter the page shown in Figure 255. Click the icon of a specific interface in the Interface Config field to enter the page shown in Figure 256.
  • Page 286: Displaying Clients' IP-to-MAC Bindings

    Figure 256 DHCP snooping interface configuration page Configure DHCP snooping on the interface as described in Table Click Apply. Table 94 Configuration items Item Description Interface Name This field displays the name of a specific interface. Interface State Configure the interface as trusted or untrusted. Option 82 Support Configure DHCP snooping to support Option 82 or not.
  • Page 287: DHCP Server Configuration Examples

    Table 95 Field description Item Description IP Address Displays the IP address assigned by the DHCP server to the client. MAC Address Displays the MAC address of the client. Type Displays the client type: • Dynamic—The IP-to-MAC binding is generated dynamically. •...
  • Page 288 Figure 259 Enabling DHCP Configure a static address pool: Click Add to enter the page shown in Figure 260 (the Static option is selected by default). Enter static-pool for IP Pool Name. Enter 10.1.1.5 for IP Address. Enter 255.255.255.128 for Mask. Enter 000f-e200-0002 for Client MAC Address.
  • Page 289: Dynamic IP Address Assignment Configuration Example

    Figure 260 Configuring a static address pool Enable the DHCP server on VLAN-interface 9 (you can skip this step because the DHCP server is enabled on the interface by default): Click the icon of VLAN-interface 9 in the Interface Configuration field to enter the page as shown in Figure 261.
  • Page 290 10.1.1.0/24. Subnet 10.1.1.0/25 and 10.1.1.128/25 can inherit the configuration of subnet 10.1.1.0/24. HP recommends that you configure up to 122 clients to obtain IP addresses from VLAN-interface 1 and up to 124 clients to obtain IP addresses from VLAN-interface 9.
  • Page 291 Select the Dynamic option in the Address Pool field. Click Add to enter the page as shown in Figure 264. Enter pool0 for IP Pool Name. Enter 10.1.1.0 for IP Address. Enter 255.255.255.0 for Mask. Enter aabbcc.com for Client Domain Name. Enter 10.1.1.2 for DNS Server Address.
  • Page 292 Figure 265 Configuring attributes for pool1 Configure the dynamic DHCP address pool named pool2: Click Add to perform the following configurations, as shown in Figure 266. Enter pool2 for IP Pool Name. Enter 10.1.1.128 for IP Address. Enter 255.255.255.128 for Mask. Enter 5 days 0 hours 0 minutes 0 seconds for Lease Duration.
  • Page 293: DHCP Relay Agent Configuration Example

    Figure 266 Configuring attributes for pool2 DHCP relay agent configuration example Network requirements As shown in Figure 267, VLAN-interface 1 on the DHCP relay agent (Switch A) connects to the network where DHCP clients reside. The IP address of VLAN-interface 1 is 10.10.1.1/24 and the IP address of VLAN-interface 2 is 10.1.1.1/24.
  • Page 294 Select Network > DHCP from the navigation tree to enter the default DHCP Relay page. Select Enable for DHCP Service, as shown in Figure 268. Click Apply. Figure 268 Enabling DHCP Configure a DHCP server group: In the Server Group field, click Add. Enter 1 for Server Group ID, and enter 10.1.1.1 for IP Address, as shown in Figure 269.
  • Page 295: DHCP Snooping Configuration Example

    Enable the DHCP relay agent on VLAN-interface 1: In the Interface Config field, click the icon of VLAN-interface 1. Select the Enable option for DHCP Relay, and select 1 for Server Group ID, as shown in Figure 270. Click Apply. Figure 270 Enabling the DHCP relay agent on an interface and correlating it with a server group NOTE: Because the DHCP relay agent and server are on different subnets, you need to configure a static route or...
  • Page 296 Configuring Switch B Enable DHCP snooping: Select Network > DHCP from the navigation tree. Click the DHCP Snooping tab. Select the Enable option next to DHCP Snooping to enable DHCP snooping. Figure 272 Enabling DHCP snooping Configure DHCP snooping functions on GigabitEthernet 1/0/1: Click the icon of GigabitEthernet 1/0/1 on the interface list.
  • Page 297 Figure 273 Configuring DHCP snooping functions on GigabitEthernet 1/0/1 Configure DHCP snooping functions on GigabitEthernet 1/0/2: Click the icon of GigabitEthernet 1/0/2 on the interface list. Select the Untrust option for Interface State shown in Figure 274. Select the Enable option next to Option 82 Support. Select Replace for Option 82 Strategy.
  • Page 298: Managing Services

    Managing services Overview Service management allows you to manage the following types of services: FTP, Telnet, SSH, SFTP, HTTP and HTTPS. You can enable or disable the services, modify HTTP and HTTPS port numbers, and associate the FTP, HTTP, or HTTPS service with an ACL to block illegal users. FTP service FTP is an application layer protocol for sharing files between server and client over a TCP/IP network.
  • Page 299: Configuring Service Management

    Configuring service management Select Network > Service from the navigation tree to enter the service management configuration page, as shown in Figure 276. Figure 276 Service management Enable or disable various services on the page. Table 96 describes the detailed configuration items.
  • Page 300 Item Description Port Number Set the port number for the HTTP service. You can view this configuration item by clicking the expanding button in front of HTTP. IMPORTANT: When you modify a port, make sure the port is not used by any other service. Associate the HTTP service with an ACL.
  • Page 301: Using Diagnostic Tools

    Using diagnostic tools This chapter describes how to use the ping and traceroute facilities. Ping You can ping the IP address or the host name of a device. If the host name cannot be resolved, a prompt appears. If the source device does not receive an ICMP echo reply within the timeout time, it displays a prompt and ping statistics.
  • Page 302 Select Network > Diagnostic Tools from the navigation tree. The IPv4 Ping tab appears. Figure 277 Ping configuration page Type the IP address or the host name of the destination device in the Destination IP address or host name field. Click Start.
  • Page 303: Traceroute Operation

    Traceroute operation This section uses the IPv4 traceroute operation as an example. The IPv6 traceroute operation is the same as IPv4 traceroute operation. Before performing a traceroute operation, execute the ip ttl-expires enable command on intermediate devices to enable the sending of ICMP timeout packets and execute the ip unreachables enable command on the destination device to enable the sending of ICMP destination unreachable packets.
  • Page 304 Figure 280 Traceroute operation result...
  • Page 305: Configuring MAC Authentication

    Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software. A user is not required to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.
  • Page 306: MAC Authentication Timers

    MAC authentication timers MAC authentication uses the following timers: • Offline detect timer—Sets the interval for the device to wait for traffic from a user before it considers the user as idle. If a user connection has been idle for two consecutive intervals, the device logs out the user and stops accounting for the user.
  • Page 307: Configuration Prerequisites

    A hybrid port is always assigned to an Auth-Fail VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN. Configuration prerequisites Before you configure MAC authentication, complete the following tasks: Disable port security globally.
  • Page 308 Figure 281 MAC authentication configuration page Configure MAC authentication global settings as described in Table Click Apply. Table 97 Configuration items Item Description Enable MAC Authentication Select the box to enable MAC authentication globally. Offline Detection Period Set the period for the device to wait for traffic from a user before it regards the user idle.
  • Page 309: Configuring MAC Authentication On A Port

    Item Description Authentication Information Format Configure the properties of MAC authentication user accounts. • MAC without hyphen—Uses MAC-based accounts, and excludes hyphens from the MAC address, for example, XXXXXXXXXXXX. • MAC with hyphen—Uses MAC-based accounts, and hyphenates the MAC address, for example, XX-XX-XX-XX-XX-XX. •...
  • Page 310: MAC Authentication Configuration Examples

    MAC authentication configuration examples Local MAC authentication configuration example Network requirements As shown in Figure 283, perform local MAC authentication on port GigabitEthernet 1/0/1 to control Internet access. • All users belong to the domain aabbcc.net. • Local users use their MAC addresses as the username and password for MAC authentication. The MAC addresses are hyphenated and in lower case.
  • Page 311 Figure 284 Creating an ISP domain Click the Authentication tab. Select the ISP domain aabbcc.net, the LAN-access AuthN box, and Local from the list. Figure 285 Configuring the authentication method for the ISP domain Click Apply. A configuration progress dialog box appears, as shown in Figure 286.
  • Page 312 Figure 286 Configuration progress dialog box Configuring MAC authentication From the navigation tree, select Authentication > MAC Authentication. The MAC Authentication page appears. Select the Enable MAC Authentication box. Click Advanced to configure advanced MAC authentication settings. Set the offline detection period to 180 seconds, set the quiet timer to 180 seconds, and select aabbcc.net from the Authentication ISP Domain list.
  • Page 313: ACL Assignment Configuration Example

    In the Ports With MAC Authentication Enabled area, click Add. The MAC Authentication page appears. Select GigabitEthernet1/0/1 from the Port list, and click Apply. Figure 288 Enabling MAC authentication for port GigabitEthernet 1/0/1 ACL assignment configuration example Network requirements As shown in Figure 289, a host connects to port GigabitEthernet 1/0/1 on the switch and the switch uses RADIUS servers to perform authentication, authorization, and accounting.
  • Page 314 Select Authentication Server from the Server Type list, enter 10.1.1.1 in the Primary Server IP box and 1812 in the Primary Server UDP Port box, and select active from the Primary Server Status list. Click Apply. Figure 290 Configuring a RADIUS authentication server On the RADIUS Server tab, select Accounting Server from the Server Type list, enter 10.1.1.2 in the Primary Server IP box and 1813 in the Primary Server UDP Port box, and select active from the Primary Server Status list.
  • Page 315 Figure 292 Configuring RADIUS parameters Configuring AAA From the navigation tree, select Authentication > AAA. The Domain Setup tab appears. Enter test in the Domain Name field. Click Apply.
  • Page 316 Figure 293 Creating an ISP domain Click the Authentication tab. Select the ISP domain test, the Default AuthN box, authentication method RADIUS, and authentication scheme system from the Name list. Figure 294 Configuring the authentication method for the ISP domain Click Apply.
  • Page 317 Figure 295 Configuration progress dialog box After the configuration process is complete, click Close. Click the Authorization tab. Select the ISP domain test, the Default AuthZ box, authorization mode RADIUS, and authorization scheme system from the Name list. Figure 296 Configuring the authorization method for the ISP domain Click Apply.
  • Page 318 Figure 297 Configuring the accounting method for the ISP domain Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close. Configuring an ACL From the navigation tree, select QoS > ACL IPv4. The Create tab appears. Enter the ACL number 3000.
  • Page 319 Select the Destination IP Address box, enter the destination IP address 10.0.0.1, and enter the destination address wildcard 0.0.0.0. Click Add. Figure 299 Configuring an ACL rule Configuring MAC authentication From the navigation tree, select Authentication > MAC Authentication. Select the Enable MAC Authentication box. Click Advanced.
  • Page 320 Figure 300 Configuring global MAC authentication settings In the Ports With MAC Authentication Enabled area, click Add. Select the port GigabitEthernet1/0/1 and click Apply. Figure 301 Enabling MAC authentication for port GigabitEthernet 1/0/1 Verifying the configuration # After the host passes the authentication, ping the FTP server from the host to see whether ACL 3000 assigned by the authentication server takes effect.
  • Page 321 Request timed out. Ping statistics for 10.0.0.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),...
  • Page 322: Configuring 802.1X

    802.1X controls network access by authenticating devices connected to the 802.1X-enabled LAN ports. This chapter describes how to configure 802.1X on an HP device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network that requires different authentication methods for different users on a port, such as a WLAN.
  • Page 323: 802.1X Timers

    • MAC-based access control—Each user is separately authenticated on a port. When a user logs off, no other online users are affected. 802.1X timers This section describes the timers used on an 802.1X device to guarantee that the client, the device, and the RADIUS server can interact with each other correctly.
  • Page 324: Configuration Procedure

    Configuration procedure Step Description Configuring 802.1X globally Required. Enable 802.1X authentication globally and configure the authentication method and advanced parameters. By default, 802.1X authentication is disabled globally. Configuring 802.1X on a port Required. Enable 802.1X authentication on the specified port and configure 802.1X parameters for the port.
  • Page 325: Configuring 802.1X On A Port

    If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an HP iNode 802.1X client, you can use either EAP termination or EAP relay. To use EAP-TLS, PEAP, or any other EAP authentication method, you must use EAP relay.
  • Page 326 Figure 305 802.1X configuration on a port Configure 802.1X features on a port as described in Table 100. Click Apply. Table 100 Configuration items Item Description Select a port where you want to enable 802.1X. Only ports not enabled with 802.1X authentication are available.
  • Page 327: Configuring An 802.1X Guest VLAN

    Item Description Enable Handshake Select the box to enable the online user handshake function. This function enables the network access device to send handshake messages to online users at the interval set by the Handshake Period setting. If the device does not receive a response from an online user after the maximum number of handshake attempts (set by the Retry Times setting), the network access device sets the user in the...
  • Page 328: Configuring An Auth-Fail VLAN

    • If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the 802.1X guest VLAN as an untagged member. Configuration guidelines • The 802.1X guest VLANs on different ports can be different. • Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X guest VLAN on a port, so...
  • Page 329: 802.1X Configuration Example

    Feature Relationship description Port intrusion protection on a port that performs MAC-based access control The 802.1X Auth-Fail VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature. 802.1X configuration example Network requirements As shown in...
  • Page 330 Figure 307 Configuring global 802.1X In the Ports With 802.1X Enabled area, click Add. Select GigabitEthernet1/0/1 from the Port list. Select the Enable Re-Authentication box, and click Apply. Figure 308 802.1X configuration of GigabitEthernet 1/0/1 Configuring a RADIUS scheme From the navigation tree, select Authentication > RADIUS. The RADIUS Server tab appears.
  • Page 331 Click Apply. Figure 309 Configuring RADIUS authentication servers On the RADIUS Server tab, select Accounting Server from the Server Type list, enter 10.1.1.2 in the Primary Server IP box and 1813 in the Primary Server UDP Port box, select active from the Primary Server Status list, enter 10.1.1.1 in the Secondary Server IP box and 1813 in the Secondary Server UDP Port box, and select active from the Secondary Server Status list.
  • Page 332 Figure 311 Configuring RADIUS parameters Configuring AAA From the navigation tree, select Authentication > AAA. The Domain Setup tab appears. Enter test in the Domain Name field and select Enable from the Default Domain list. Click Apply.
  • Page 333 Figure 312 Creating an ISP domain Click the Authentication tab. Select the ISP domain test, the Default AuthN box, authentication method RADIUS, and authentication scheme system from the Name list. Figure 313 Configuring the authentication method for the ISP domain Click Apply.
  • Page 334 Figure 314 Configuration progress dialog box After the configuration process is complete, click Close. Click the Authorization tab. Select the ISP domain test, the Default AuthZ box, authorization method RADIUS, and authorization scheme system from the Name list. Figure 315 Configuring the authorization method for the ISP domain Click Apply.
  • Page 335: ACL Assignment Configuration Example

    Figure 316 Configuring the accounting method for the ISP domain Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close. ACL assignment configuration example Network requirements As shown in Figure 317, the host at 192.168.1.10 connects to port GigabitEthernet 1/0/1 of the network access device.
  • Page 336 The RADIUS Server tab appears. Select Authentication Server from the Server Type list, enter 10.1.1.1 in the Primary Server IP box and 1812 in the Primary Server UDP Port box, and select active from the Primary Server Status list. Click Apply. Figure 318 Configuring the RADIUS authentication server On the RADIUS Server tab, select Accounting Server from the Server Type list, enter 10.1.1.2 in the Primary Server IP box and 1813 in the Primary Server UDP Port box, and select active from the...
  • Page 337 Figure 320 Configuring RADIUS parameters Configuring AAA From the navigation tree, select Authentication > AAA. The Domain Setup tab appears. Enter test in the Domain Name field and select Enable from the Default Domain list. Click Apply.
  • Page 338 Figure 321 Creating an ISP domain Click the Authentication tab. Select the ISP domain test, the Default AuthN box, authentication method RADIUS, and authentication scheme system from the Name list. Figure 322 Configuring the authentication method for the ISP domain After the configuration process is complete, click Close.
  • Page 339 Figure 323 Configuration progress dialog box Click the Authorization tab. Select the ISP domain test, the Default AuthZ box, authorization method RADIUS, and authorization scheme system from the Name list. Figure 324 Configuring the AAA authorization method for the ISP domain Click Apply.
  • Page 340 Figure 325 Configuring the AAA accounting method for the ISP domain Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close. Configuring an ACL From the navigation tree, select QoS > ACL IPv4. Click the Create tab, enter the ACL number 3000, and click Apply. Figure 326 Creating ACL 3000 Click the Advanced Setup tab to configure an ACL rule: Select 3000 from the ACL list.
  • Page 341 Figure 327 ACL rule configuration Configuring 802.1X From the navigation tree, select Authentication > 802.1X. Select the Enable 802.1X box. Select the authentication method CHAP. Click Apply.
  • Page 342 Figure 328 Global 802.1X globally In the Ports With 802.1X Enabled area, click Add. Select GigabitEthernet1/0/1 from the Port list. Click Apply. Figure 329 802.1X configuration of GigabitEthernet 1/0/1 Verifying the configuration After the user passes authentication and is online, use the ping command to test whether ACL 3000 takes effect.
  • Page 343 Figure 330 Ping operation summary...
  • Page 344: Configuring Port Security

    This automatic mechanism enhances network security and reduces the need for human intervention. For scenarios that require only 802.1X authentication or MAC authentication, HP recommends that you configure 802.1X authentication or MAC authentication rather than port security.
  • Page 345 addresses or configured static MAC addresses. When the number of secure MAC addresses reaches the upper limit, no more secure MAC addresses can be added. • Advanced mode—Port security supports 802.1X and MAC authentication. Different port security modes represent different combinations of the two methods. Table 103 describes the advanced security modes.
  • Page 346: Configuration Guidelines

    An OUI, as defined by the IEEE, is the first 24 bits of a MAC address. An OUI uniquely identifies a device vendor. Configuration guidelines • Before you enable port security, disable 802.1X and MAC authentication globally. • Only one port security mode can be configured on a port. •...
  • Page 347: Configuring Global Settings For Port Security

    Step: Configuring permitted OUIs. Remarks: Optional. This setting is available only with the 802.1X MAC Based Or OUI mode. You can configure a maximum of 16 permitted OUI values. However, a port in 802.1X MAC Based Or OUI mode allows only one 802.1X user and one user whose MAC address contains a specified OUI to pass authentication at the same time.
  • Page 348: Configuring Basic Port Security Control

    Table 104 Configuration items. Enable Port Security: Select the box to enable the port security feature globally. Disabled by default. Advanced: Configure the following advanced port security settings: • Temporarily Disabling Port Time—Set the time length for the port to be disabled upon receiving illegal frames.
  • Page 349: Configuring Secure Mac Addresses

    Max Number of MAC: Set the maximum number of secure MAC addresses on the port. The number of authenticated users on the port cannot exceed the specified upper limit. You can set the maximum number of MAC addresses that port security allows on a port for the following purposes: •...
  • Page 350: Configuring Advanced Port Security Control

    Figure 335 Secure MAC address list Click Add. Figure 336 Secure MAC address configuration page Configure a secure MAC address as described in Table 104. Click Apply. Table 106 Configuration items. Port: Select a port where the secure MAC address is configured. Secure MAC Address: Enter the MAC address that you want to configure as a secure MAC address.
  • Page 351 Figure 337 Ports Enabled With Advanced Features area Click Add. Figure 338 Configuring advanced port security control Configure advanced port security control as described in Table 107. Click Apply. Table 107 Configuration items. Port: Select a port where you want to configure port security. By default, port security is disabled on all ports and access to the ports is not restricted.
  • Page 352: Configuring Permitted Ouis

    Enable Outbound Restriction: Select the box to enable outbound traffic control, and select a control method. Available control methods include: • Only MAC-Known Unicasts—Allows only unicast frames whose destination MAC addresses have been authenticated to pass through. • Only Broadcasts and MAC-Known Unicasts—Allows only broadcast packets and unicast packets whose destination MAC addresses have been authenticated to pass through.
  • Page 353 Figure 340 Network diagram Configuring global port security settings From the navigation tree, select Authentication > Port Security. In the Port Security Configuration area, configure global port security settings: Select the Enable Port Security box. Click Advanced. Specify the system to disable the port temporarily for 30 seconds. Select the Intrusion box.
  • Page 354 Figure 342 Applying the port security feature Verifying the configuration After the configuration is completed, display the secure MAC address entries learned and manually configured on port GigabitEthernet 1/0/1. The Security MAC Address List area displays the learned secure MAC addresses, as shown Figure 343.
  • Page 355 Figure 344 Port management – port inactive Wait approximately 30 seconds, and reselect GigabitEthernet 1/0/1 to view its latest data. Figure 345 shows that the port state is active. Figure 345 Port management – port active If you remove MAC addresses from the secure MAC address list, the port will still continue to learn new MAC addresses.
  • Page 356: Advanced Port Security Mode Configuration Example

    Advanced port security mode configuration example Network requirements As shown in Figure 346, a client is connected to the switch through port GigabitEthernet 1/0/1. The switch authenticates the client with a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
  • Page 357 Figure 347 Configuring a RADIUS authentication server On the RADIUS Server tab, select Accounting Server from the Server Type list, enter 192.168.1.2 in the Primary Server IP box and 1813 in the Primary Server UDP Port box, and select active from the Primary Server Status list.
  • Page 358 Figure 349 Configuring RADIUS parameters Configuring AAA From the navigation tree, select Authentication > AAA. Click the Authentication tab. Select the ISP domain system, the Default AuthN box, authentication method RADIUS from the list, and authentication scheme system from the Name list. Figure 350 Configuring AAA authentication Click Apply.
  • Page 359 A configuration progress dialog box appears. When the configuration process is complete, click Close. Figure 351 Configuration progress dialog box Click the Authorization tab. Select the ISP domain system, the Default AuthZ box, authorization method RADIUS from the list, and authorization scheme system from the Name list. Figure 352 Configuring AAA authorization Click Apply.
  • Page 360 Figure 353 Configuring AAA accounting Click Apply. A configuration progress dialog box appears. When the configuration process is complete, click Close. Configuring port security From the navigation tree, select Authentication > Port Security. Select the Enable Port Security box, and click Apply. Figure 354 Configuring global port security settings In the Advanced Port Security Configuration area, click Ports Enabled With Advanced Features, and then click Add.
  • Page 361 Figure 355 Configuring advanced port security control settings on GigabitEthernet 1/0/1 In the Advanced Port Security Configuration area, click Permitted OUIs. Enter 1234-0100-0000 in the OUI Value field and click Add. Figure 356 Configuring permitted OUI values Repeat the previous two steps to add OUI values of the MAC addresses 1234-0200-0000 and 1234-0300-0000 to the permitted OUI list.
  • Page 362: Configuring Portal Authentication

    Configuring portal authentication Overview Portal authentication helps control access to the Internet. It is also called "web authentication." A website implementing portal authentication is called a "portal website." With portal authentication, an access device redirects all users to the portal authentication page. All users can access the free services provided on the portal website.
  • Page 363 Figure 357 Portal system components (figure: authentication clients, access device, portal server, security policy server, authentication/accounting server) Authentication client: An authentication client is an entity seeking access to network resources. It is typically an end-user terminal, such as a PC. The client can use a browser or portal client software for portal authentication. Client security check is implemented through communications between the client and the security policy server.
  • Page 364: Portal System Using The Local Portal Server

    To implement security check, the client must be the HP iNode client. Portal authentication supports NAT traversal whether it is initiated by a web client or an HP iNode client. When the portal authentication client is on a private network, but the portal server is on a public network and the access device is enabled with NAT, network address translations performed on the access device do not affect portal authentication.
  • Page 365: Portal Authentication Modes

    Protocols used for interaction between the client and local portal server HTTP and HTTPS can be used for communication between an authentication client and an access device providing the local portal server function. If HTTP is used, there are potential security problems because HTTP packets are transferred in plain text.
  • Page 366: Layer 2 Portal Authentication Process

    Therefore, no additional configuration is needed on the access device. NOTE: • This function requires the cooperation of the HP IMC portal server and HP iNode portal client. • Only Layer 3 portal authentication that uses a remote portal server supports EAP authentication. •...
  • Page 367: Layer 3 Portal Authentication Process

    the access port according to the authorized ACL. You must configure the authorized ACLs on the access device if you specify authorized ACLs on the authentication server. To change the access right of a user, you can specify a different authorized ACL on the authentication server or change the rules of the corresponding authorized ACL on the device.
  • Page 368 Based on the security check result, the security policy server authorizes the user to access certain resources, and sends the authorization information to the access device. The access device then controls access of the user based on the authorization information. Authentication process with the local portal server Figure 362 Authentication process with local portal server With local portal server, the direct/cross-subnet authentication process is as follows:...
  • Page 369: Configuring Portal Authentication

    The authentication client sends an EAP Request/Identity message to the portal server to initiate an EAP authentication process. The portal server sends a portal authentication request to the access device, and starts a timer to wait for the portal authentication reply. The portal authentication request contains several EAP-Message attributes, which are used to encapsulate the EAP packet sent from the authentication client and carry the certificate information of the client.
  • Page 370: Configuration Task List

    To implement extended portal functions, install and configure IMC EAD, and make sure the ACLs • configured on the access device correspond to those specified for the resources in the quarantined area and for the restricted resources on the security policy server. On the access device, the security policy server address is the same as the authentication server address.
  • Page 371: Configuring The Layer 2 Portal Service

    Step: Configuring a portal-free rule. Remarks: Optional. Configure a portal-free rule, specifying the source and destination information for packet filtering. A portal-free rule allows specified users to access specified external websites without portal authentication. Packets matching a portal-free rule will not trigger portal authentication and the users can directly access the specified external websites.
  • Page 372 TIP: The portal service applied on an interface may be in the following states: • Running—Indicates that portal authentication has taken effect on the interface. • Enabled—Indicates that portal authentication has been enabled on the interface but has not taken effect.
  • Page 373: Configuring The Layer 3 Portal Service

    Online Detection Interval: Set the Layer 2 portal user detection interval. After a Layer 2 portal user gets online, the device starts a detection timer for the user, and checks whether the user's MAC address entry has been aged out or the user's MAC address entry has been matched (a match means a packet has been received from the...
  • Page 374 Figure 366 Applying a portal server to a Layer 3 interface Configure Layer 3 portal authentication as described in Table 109. Click Apply. Table 109 Configuration items. Interface: Select the Layer 3 interface to be enabled with portal authentication. Select the portal server to be applied on the selected interface.
  • Page 375 Authentication Domain: Specify an authentication domain for Layer 3 portal users. After you specify an authentication domain on a Layer 3 interface, the device uses the authentication domain for authentication, authorization, and accounting (AAA) of the portal users on the interface, ignoring the domain names carried in the usernames. You can specify different authentication domains for different interfaces as needed.
  • Page 376: Configuring Advanced Parameters For Portal Authentication

    Table 111 Configuration items. Server Name: Type a name for the local portal server. Type the IP address of the local portal server. You need to specify the IP address of the interface where the local portal server is applied. Specify the protocol to be used for authentication information exchange between the local portal server and the client.
  • Page 377: Configuring A Portal-Free Rule

    Table 112 Configuration items. Configure the web proxy server ports to allow HTTP requests proxied by the specified proxy servers to trigger portal authentication. By default, only HTTP requests that are not proxied can trigger portal authentication. To make sure that a user using a web proxy server can trigger portal authentication, you need to add the port number of the proxy server on the device, and the user needs to specify the listening IP address of the local portal server as a proxy exception in the browser.
  • Page 378 Click the Free Rule tab to enter the portal-free rule list page. Figure 370 Portal-free rule list Click Add. The page for adding a new portal-free rule appears. Figure 371 Adding a portal-free rule Configure a portal-free rule as described in Table 113.
  • Page 379: Portal Authentication Configuration Examples

    Source-VLAN: Specify a source VLAN for the portal-free rule. IMPORTANT: If you configure both a source interface and a source VLAN for a portal-free rule, make sure that the source interface is in the source VLAN. Otherwise, the portal-free rule will not take effect.
  • Page 380 Configuration procedure Add Ethernet ports to related VLANs and assign IP addresses to the VLAN interfaces. (Details not shown.) Configure the RADIUS authentication server: Select Authentication > RADIUS from the navigation tree. The RADIUS server configuration page appears, as shown in Figure 373.
  • Page 381 Click the RADIUS Setup tab. Select extended as the server type. Select the Authentication Server Shared Key box, enter the key expert, and then enter the key again in the Confirm Authentication Shared Key field. Select the Accounting Server Shared Key box, enter the key expert, and then enter the key again in the Confirm Accounting Shared Key field.
  • Page 382 Figure 376 Creating an ISP domain On the Authentication tab, select the ISP domain test, select the Default AuthN box, select RADIUS from the Default AuthN list, select system from the Name list to use it as the authentication scheme, and click Apply. A configuration progress dialog box appears.
  • Page 383 Figure 377 Configuring the authentication method for the ISP domain On the Authorization tab, select the ISP domain test, select the Default AuthZ box, select RADIUS from the Default AuthZ list, select system from the Name list to use it as the authorization scheme, and click Apply.
  • Page 384 Figure 379 Configuring the accounting method for the ISP domain Configure DHCP relay: Select Network > DHCP from the navigation tree. Click the DHCP Relay tab. Select Enable for the DHCP Service field. Click Apply.
  • Page 385 Figure 380 Enabling the DHCP service In the Server Group area, click Add. On the page that appears, enter the server group ID 1 and the IP address 1.1.1.3, and click Apply. Figure 381 Configuring a DHCP server group In the Interface Config area, click the icon of interface VLAN-interface 8.
  • Page 386 Figure 382 Configuring VLAN-interface 8 to work in the DHCP relay mode Configure Layer 2 portal authentication: Select Authentication > Portal from the navigation tree. The Portal Server tab appears. In the Portal Application: Layer 2 Interfaces area, click Add. On the page that appears, select interface GigabitEthernet1/0/1, enter the server IP address 4.4.4.4, select protocol HTTP, and click Apply.
  • Page 387: Configuring Direct Portal Authentication

    When the user tries to access a web page on the external network, the web request is redirected to authentication page http://4.4.4.4/portal/logon.htm. After the user enters the correct username and password, the user passes portal authentication. Then, the user can access external network resources. Configuring direct portal authentication Network requirements As shown in...
  • Page 388 Figure 385 Configuring the RADIUS authentication server Configure a RADIUS accounting server: On the RADIUS server configuration page, select Accounting Server as the server type, and enter the IP address 192.168.0.112 and port number 1813, select active from the Primary Server Status list, and click Apply.
  • Page 389 Figure 387 Configuring the RADIUS scheme Configure AAA: Select Authentication > AAA from the navigation tree. On the Domain Setup tab, enter the domain name test, select Enable for the Default Domain field, and click Apply.
  • Page 390 Figure 388 Creating an ISP domain On the Authentication tab, select the ISP domain test, select the Default AuthN box, select RADIUS from the Default AuthN list, select system from the Name list to use it as the authentication scheme, and click Apply. A configuration progress dialog box appears.
  • Page 391 Figure 390 Configuration progress dialog box After the configuration process is complete, click Close. Figure 391 Configuring the authorization method for the ISP domain On the Accounting tab, select the ISP domain test, select the Default Accounting box, select RADIUS from Default Accounting list, select system from the Name list to use it as the accounting scheme, and click Apply.
  • Page 392 Figure 392 Configuring the accounting method for the ISP domain Configure Layer 3 portal authentication: From the navigation tree select Authentication > Portal. The portal server configuration page appears. In the Portal Application: Layer 3 Interfaces area, click Add. On the page that appears, select the interface Vlan-interface100, select Add for Portal Server to add a portal server, select the Direct portal authentication mode, enter the portal server name newpt, the portal server IP address 192.168.0.111, the shared key portal, the port number 50100, and the redirection URL http://192.168.0.111:8080/portal for portal...
  • Page 393: Configuring Cross-Subnet Portal Authentication

    Figure 393 Applying the portal server to a Layer 3 interface Configuring cross-subnet portal authentication Network requirements As shown in Figure 394, configure Switch A to perform cross-subnet portal authentication for users. Before passing portal authentication, the host can access only the portal server. After passing portal authentication, the host can access Internet resources.
  • Page 394 Configuration procedure Make sure that the IP address of the access device added on the portal server is the IP address of the interface connected to the host (20.20.20.1 in this example), and the IP address group associated with the access device is the subnet where the host resides (8.8.8.0/24 in this example). Assign IP addresses to the host, switches, and servers as shown in Figure 394 and make sure that they...
  • Page 395 Figure 396 Configuring a RADIUS accounting server Configure RADIUS scheme system for exchanges between the device and the RADIUS servers: Click the RADIUS Setup tab. Select extended as the server type. Select the Authentication Server Shared Key box, enter the key expert, and then enter the key again in the Confirm Authentication Shared Key field.
  • Page 396 Figure 397 Configuring the RADIUS scheme Configure AAA: Select Authentication > AAA from the navigation tree. On the Domain Setup tab, enter the domain name test, select Enable for the Default Domain field, and click Apply.
  • Page 397 Figure 398 Creating an ISP domain On the Authentication tab, select the ISP domain test, select the Default AuthN box, select RADIUS from the Default AuthN list, select system from the Name list to use it as the authentication scheme, and click Apply. A configuration progress dialog box appears.
  • Page 398 Figure 400 Configuration progress dialog box After the configuration process is complete, click Close. Figure 401 Configuring the authorization method for the ISP domain On the Accounting tab, select the ISP domain test, select the Default Accounting box, select RADIUS from Default Accounting list, select system from the Name list to use it as the accounting scheme, and click Apply.
  • Page 399 Figure 402 Configuring the accounting method for the ISP domain Configure Layer 3 portal authentication: Select Authentication > Portal from the navigation tree. The portal server configuration page appears. In the Portal Application: Layer 3 Interfaces area, click Add. On the page that appears, select the interface Vlan-interface4, select Add for Portal Server to add a portal server, select the Layer3 portal authentication mode, enter the portal server name newpt, the portal server IP address 192.168.0.111, the shared key portal, the port number 50100, and the redirection URL http://192.168.0.111:8080/portal for portal authentication,...
  • Page 400 Figure 403 Applying the portal server to a Layer 3 interface On Switch B, you must configure a default route to subnet 192.168.0.0/24 with the next hop as 20.20.20.1. (Details not shown.)
  • Page 401: Configuring Aaa

    Configuring AAA Overview Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It provides the following security functions: • Authentication—Identifies users and determines whether a user is valid. • Authorization—Grants user rights and controls user access to resources and services. For example, ...
  • Page 402: Domain-Based User Management

    AAA can be implemented through multiple protocols, such as RADIUS, HWTACACS, and LDAP. The device supports RADIUS, which is most commonly used. For more information about RADIUS, see "Configuring RADIUS." Domain-based user management A NAS manages users based on ISP domains. On a NAS, each user belongs to one ISP domain. A NAS determines the ISP domain for a user by the username entered by the user at login, as shown in Figure 405.
  • Page 403: Configuration Procedure

    Configuration procedure. Step: Configuring an ISP domain. Remarks: Optional. Create ISP domains and specify one as the default ISP domain. By default, there is an ISP domain named system, which is the default ISP domain. Step: Configuring authentication methods for the ISP domain. Remarks: Optional. Configure authentication methods for different types of users. By default, all types of users use local authentication.
  • Page 404: Configuring Authentication Methods For The Isp Domain

    Create an ISP domain, as described in Table 115. Click Apply. Table 115 Configuration items. Domain Name: Enter the ISP domain name to identify the domain. You can enter a new domain name to create a domain or specify an existing domain as the default domain.
  • Page 405 Default AuthN / Name / Secondary Method: • Local—Local authentication (default setting). • None—No authentication. This method trusts all users and HP does not recommend it for general use. • RADIUS—RADIUS authentication. You must specify the RADIUS scheme to be used. •...
  • Page 406: Configuring Authorization Methods For The Isp Domain

    Configuring authorization methods for the ISP domain Select Authentication > AAA from the navigation tree. Click the Authorization tab. Figure 408 Authorization method configuration page Select an ISP domain and specify authorization methods for the ISP domain, as described in Table 117.
  • Page 407: Configuring Accounting Methods For The Isp Domain

    Login AuthZ / Name / Secondary Method: Configure the authorization method and secondary authorization method for login users by using one of the following options: • HWTACACS—HWTACACS authorization. You must specify the HWTACACS scheme to be used. • Local—Local authorization. •...
  • Page 408 Figure 409 Accounting method configuration page Select an ISP domain and specify accounting methods for the ISP domain, as described in Table 118. Click Apply. Table 118 Configuration items. Select an ISP domain: Select the ISP domain for which you want to specify authentication methods. Specify whether to enable the accounting optional feature.
  • Page 409: Aaa Configuration Example

    Login Accounting / Name / Secondary Method: Configure the accounting method and secondary accounting method for login users by using one of the following options: • HWTACACS—HWTACACS accounting. You must specify the HWTACACS scheme to be used. • Local—Local accounting. • None—No accounting. •...
  • Page 410 Click the Create tab. Enter the username telnet. Select the access level Management, enter the password abc, confirm the password, and select the service type Telnet Service. Click Apply. Figure 411 Configuring a local user Configure ISP domain test: Select Authentication > AAA from the navigation tree. The Domain Setup tab appears.
  • Page 411 Figure 412 Configuring ISP domain test Configure the ISP domain to use local authentication: Click the Authentication tab. Select the domain test, the Login AuthN box, and authentication method Local. Figure 413 Configuring the ISP domain to use local authentication Click Apply.
  • Page 412 Figure 414 Configuration progress dialog box Configure the ISP domain to use local authorization: Click the Authorization tab. Select the domain test, the Login AuthZ box, and authorization method Local. Click Apply. A configuration progress dialog box appears. After the configuration progress is complete, click Close. Figure 415 Configuring the ISP domain to use local authorization Configure the ISP domain to use local accounting: Click the Accounting tab.
  • Page 413 Figure 416 Configuring the ISP domain to use local accounting Verifying the configuration Telnet to the switch and enter the username telnet@test and password abc. You are serviced as a user in domain test.
  • Page 414: Configuring Radius

    Configuring RADIUS Overview Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model to implement AAA. It can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access. For more information about AAA, see "Configuring AAA."...
  • Page 415: Basic Radius Message Exchange Process

    RADIUS servers support multiple authentication protocols, including PPP PAP and CHAP. A RADIUS server can act as the client of another AAA server to provide authentication proxy services. Basic RADIUS message exchange process Figure 418 illustrates the interactions between the host, the RADIUS client, and the RADIUS server. Figure 418 Basic RADIUS message exchange process RADIUS uses the following workflow: The host initiates a connection request that carries the user's username and password to the...
  • Page 416: Radius Packet Format

    RADIUS packet format RADIUS uses UDP to transmit messages. To ensure smooth message exchange between the RADIUS server and the client, RADIUS uses a timer management mechanism, a retransmission mechanism, and a backup server mechanism. Figure 419 shows the RADIUS packet format. Figure 419 RADIUS packet format (figure fields: Code, Identifier, ...)
  • Page 417 • The Authenticator field (16 bytes long) is used to authenticate replies from the RADIUS server and to encrypt user passwords. There are two types of authenticators: request authenticator and response authenticator. • The Attributes field, variable in length, carries the specific authentication, authorization, and accounting information that defines the configuration details of the request or response.
  • Page 418: Extended Radius Attributes

    420, a sub-attribute encapsulated in Attribute 26 has the following parts: • Vendor-ID—ID of the vendor. Its most significant byte is 0. The other three bytes contain a code that is compliant with RFC 1700. The vendor ID of HP is 2011. • Vendor-Type—Type of the sub-attribute. •...
  • Page 419: Protocols And Standards

    Figure 420 Format of attribute 26 Protocols and standards • RFC 2865, Remote Authentication Dial In User Service (RADIUS) • RFC 2866, RADIUS Accounting • RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support • RFC 2868, RADIUS Attributes for Tunnel Protocol Support •...
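    As an added illustration of the packet layout, the 16-byte Authenticator and the Attribute 26 (Vendor-ID plus sub-attributes) structure described on the preceding pages, the following Python is example code, not code from the HP manual: it parses a RADIUS packet with the length checks a receiver must make, decodes a vendor-specific attribute, and verifies a response authenticator as RFC 2865 defines it. The sample Access-Accept, its request authenticator, the sub-attribute type 1 and its value are constructed placeholders; the shared key expert and vendor ID 2011 are the values the manual uses.

```python
"""Parse and verify RADIUS packets (RFC 2865 layout), including Attribute 26.

Added example, not code from the HP manual. All packet contents are constructed.
"""
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

HEADER_FMT = "!BBH16s"   # Code (1), Identifier (1), Length (2), Authenticator (16)
HEADER_LEN = 20
ACCESS_ACCEPT = 2
USER_NAME = 1
VENDOR_SPECIFIC = 26
HP_VENDOR_ID = 2011      # vendor ID the manual gives for HP

Attr = Tuple[int, bytes]


def parse_radius(packet: bytes) -> Dict:
    """Split a packet into header fields and a list of (type, value) attributes.

    Every length is checked against the bytes actually present before any
    field is trusted; a malformed packet raises ValueError instead of being used.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length, authenticator = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("Length field inconsistent with packet size")
    attrs: List[Attr] = []
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "identifier": ident, "length": length,
            "authenticator": authenticator, "attributes": attrs}


def parse_vsa(value: bytes) -> Tuple[int, List[Attr]]:
    """Decode an Attribute 26 value: 4-byte Vendor-ID whose high byte is 0,
    followed by Vendor-Type / Vendor-Length / data sub-attributes."""
    if len(value) < 4 or value[0] != 0:
        raise ValueError("bad Vendor-ID")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs: List[Attr] = []
    pos = 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated sub-attribute")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("sub-attribute length out of range")
        subs.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def encode_attrs(attrs: List[Attr]) -> bytes:
    """Serialize (type, value) pairs as Type / Length / Value triples."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def response_authenticator(code: int, ident: int, body: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER_LEN + len(body)
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + body + secret).digest()


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the response authenticator matches the shared key and the
    request authenticator the client sent (so a reply from a host that does
    not know the key, or a modified reply, is rejected)."""
    p = parse_radius(response)
    body = response[HEADER_LEN:p["length"]]
    expected = response_authenticator(p["code"], p["identifier"], body,
                                      request_auth, secret)
    return hmac.compare_digest(expected, p["authenticator"])


def build_sample_accept(secret: bytes, request_auth: bytes) -> bytes:
    """Constructed Access-Accept carrying User-Name and an HP vendor-specific
    attribute; sub-attribute type 1 and its value are placeholders."""
    vsa_value = struct.pack("!I", HP_VENDOR_ID) + encode_attrs([(1, b"example")])
    body = encode_attrs([(USER_NAME, b"user@test"), (VENDOR_SPECIFIC, vsa_value)])
    auth = response_authenticator(ACCESS_ACCEPT, 7, body, request_auth, secret)
    return struct.pack(HEADER_FMT, ACCESS_ACCEPT, 7, HEADER_LEN + len(body), auth) + body


if __name__ == "__main__":
    req_auth = bytes(range(16))   # constructed request authenticator
    pkt = build_sample_accept(b"expert", req_auth)
    parsed = parse_radius(pkt)
    print(parsed["code"], parsed["length"], verify_response(pkt, req_auth, b"expert"))
    for atype, val in parsed["attributes"]:
        if atype == VENDOR_SPECIFIC:
            print(parse_vsa(val))
```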
  • Page 420: Configuring Radius

    If you remove an authentication or accounting server in use, the communication of the device with the server will soon time out, and the device will look for a server in the active state by checking any primary server first and then the secondary servers in the order they are configured.
  • Page 421 Figure 421 RADIUS server configuration Configure RADIUS servers as described in Table 122. Click Apply. Table 122 Configuration items. Server Type: Select the type of the server to be configured: Authentication Server or Accounting Server. Specify the IP address of the primary server. If no primary server is specified, this field displays 0.0.0.0.
  • Page 422: Configuring Radius Parameters

    Item Description Secondary Server Status: Set the status of the secondary server. Options are: • active—The server is normally operating. • blocked—The server is down. If the IP address of the secondary server is not specified or the specified IP address is to be removed, the status is blocked.
  • Page 423 RADIUS server. NAS-IP HP recommends using a loopback interface address instead of a physical interface address as the source IP address. If the physical interface is down, the response packets from the server cannot reach the device.
  • Page 424: Radius Configuration Example

    Item Description Select the format of usernames to be sent to the RADIUS server. Typically, a username is in the format of userid@isp-name, of which isp-name is used by the device to determine the ISP domain for the user. If a RADIUS server (such as old RADIUS servers) does not accept a username that contains an ISP domain name, you can configure the device to remove the domain name of a username before sending it to the RADIUS server.
  • Page 425 Configuring a RADIUS scheme Select Authentication > RADIUS from the navigation tree. The RADIUS Server tab appears. Select Authentication Server from the Server Type list, enter 10.110.91.146 in the Primary Server IP box and 1812 in the Primary Server UDP Port box, and select active from the Primary Server Status list.
  • Page 426 Figure 426 Configuring RADIUS parameters Configuring AAA From the navigation tree, select Authentication > AAA. The Domain Setup tab appears. Enter test in the Domain Name field and select Enable from the Default Domain list. Click Apply.
  • Page 427 Figure 427 Creating an ISP domain Click the Authentication tab. Select the ISP domain test, the Default AuthN box, authentication method RADIUS, and authentication scheme system from the Name list. Figure 428 Configuring the authentication method for the ISP domain Click Apply.
  • Page 428 Figure 429 Configuration progress dialog box After the configuration process is complete, click Close. Click the Authorization tab. Select the ISP domain test, the Default AuthZ box, authorization method RADIUS, and authorization scheme system from the Name list. Figure 430 Configuring the authorization method for the ISP domain Click Apply.
  • Page 429 Figure 431 Configuring the accounting method for the ISP domain Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close.
  • Page 430: Configuring Users

    Configuring users This chapter describes how to configure local users and user groups. A local user represents a set of user attributes configured on a device (such as the user password, user type, service type, and authorization attribute), and is uniquely identified by the username. For a user to pass local authentication, you must add an entry for the user in the local user database of the device.
  • Page 431 Figure 433 Local user configuration page Configure the local user as described in Table 124. Click Apply. Table 124 Configuration items Item Description Username Specify a name for the local user. Specify and confirm the password of the local user. Password The settings of these two fields must be the same.
  • Page 432: Configuring A User Group

    Item Description Select an authorization level for the local user: Visitor, Monitor, Configure, or Management, in ascending order of priority. A local user has the rights of the specified level and of all lower levels. • Visitor—A user can perform ping and trace route operations but cannot read any data from the device or configure the device.
  • Page 433 Figure 435 User group configuration page Configure the user group as described in Table 125. Click Apply. Table 125 Configuration items Item Description Group-name Specify a name for the user group. Select an authorization level for the user group: Visitor, Monitor, Configure, or Level Management, in ascending order of priority.
  • Page 434: Managing Pki

    Managing PKI Overview The Public Key Infrastructure (PKI) offers an infrastructure for securing network services through public key technologies and digital certificates, and for verifying the identities of the digital certificate owners. A digital certificate is a binding of certificate owner identity information and a public key. Users can obtain certificates, use certificates, and revoke certificates.
  • Page 435: Pki Operation

    Figure 436 PKI architecture Entity An entity is an end user of PKI products or services, such as a person, an organization, a device such as a router or a switch, or a process running on a computer. A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing CRLs.
  • Page 436: Pki Applications

    The entity retrieves the certificate. The entity can use the certificate to communicate with other entities safely through encryption and digital signature. The entity makes a request to the CA when it needs to revoke its certificate. The CA approves the request, updates the CRLs and publishes the CRLs on the LDAP server.
  • Page 437: Configuration Procedure For Manual Requests

    Configuration procedure for manual requests Step Remarks Creating a PKI entity Required. Create a PKI entity and configure the identity information. A certificate is the binding of a public key and the identity information of an entity, where the distinguished name (DN) shows the identity information of the entity.
  • Page 438: Configuration Procedure For Automatic Requests

    Step Remarks Required. When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key. The identity information and public key are the major components of the certificate. A certificate request can be submitted to a CA in online mode or offline mode.
  • Page 439: Creating A Pki Entity

    Task Remarks Destroying the RSA key pair Optional. Delete the existing RSA key pair and the corresponding local certificate. If the certificate to be retrieved contains an RSA key pair, you must delete the existing key pair. Otherwise, the retrieving operation will fail. Optional.
  • Page 440: Creating A Pki Domain

    Table 126 Configuration items Item Description Entity Name Enter the name for the PKI entity. Common Name Enter the common name for the entity. IP Address Enter the IP address of the entity. FQDN Enter the FQDN for the entity. An FQDN is a unique identifier of an entity on the network. It consists of a host name and a domain name and can be resolved to an IP address.
  • Page 441 Figure 440 PKI domain configuration page Configure the parameters, as described in Table 127. Click Apply. Table 127 Configuration items Item Description Domain Name Enter the name for the PKI domain. CA Identifier Enter the identifier of the trusted CA. An entity requests a certificate from a trusted CA. The trusted CA takes the responsibility of certificate registration, distribution, revocation, and query.
  • Page 442 Item Description Requesting URL Enter the URL of the RA. The entity will submit the certificate request to the server at this URL through the SCEP protocol. The SCEP protocol is intended for communication between an entity and an authentication authority. In offline mode, this item is optional.
  • Page 443: Generating An Rsa Key Pair

    Item Description CRL URL Enter the URL of the CRL distribution point. The URL can be an IP address or a domain name. This item is available after you click the Enable CRL Checking box. If the URL of the CRL distribution point is not set, you should retrieve the CA certificate and a local certificate, and then retrieve a CRL through SCEP.
  • Page 444: Destroying The Rsa Key Pair

    Figure 442 Key pair parameter configuration page Destroying the RSA key pair From the navigation tree, select Authentication > PKI. Click the Certificate tab. Click Destroy Key. Click Apply to destroy the existing RSA key pair and the corresponding local certificate. Figure 443 Key pair destruction page Retrieving and displaying a certificate You can retrieve an existing CA certificate or local certificate from the CA server and save it locally in...
  • Page 445 Figure 444 PKI certificate retrieval page Configure the parameters, as described in Table 128. Click Apply. Table 128 Configuration items Item Description Domain Name Select the PKI domain for the certificate. Certificate Type Select the type of the certificate to be retrieved: CA or Local. Click this box to retrieve a certificate in offline mode (using an out-of-band means such as FTP, disk, or email), and then import the certificate into the local PKI system.
  • Page 446: Requesting A Local Certificate

    Figure 445 Certificate information Requesting a local certificate From the navigation tree, select Authentication > PKI. Click the Certificate tab. Click Request Cert. Figure 446 Local certificate request page...
  • Page 447: Retrieving And Displaying A Crl

    Configure the parameters, as described in Table 129. Table 129 Configuration items Item Description Domain Name Select the PKI domain for the certificate. Password Enter the password for certificate revocation. Enable Offline Mode Select this box to request a certificate in offline mode, that is, by an out-of-band means like FTP, disk, or email.
  • Page 448 Figure 449 CRL information Table 130 Field description Field Description Version CRL version number. Signature Algorithm Signature algorithm that the CRL uses. Issuer CA that issued the CRL. Last Update Last update time. Next Update Next update time. X509v3 Authority Key Identifier Identifier of the CA that issued the certificate and the certificate version (X509v3).
  • Page 449: Pki Configuration Example

    PKI configuration example Network requirements As shown in Figure 450, configure the switch working as the PKI entity, so that: • The switch submits a local certificate request to the CA server, which runs the RSA Keon software. • The switch retrieves CRLs for certificate verification. Figure 450 Network diagram Configuring the CA server Create a CA server named myca:...
  • Page 450 Figure 451 Creating a PKI entity Create a PKI domain: Click the Domain tab. Click Add. The page in Figure 452 appears. Enter torsa as the PKI domain name, enter myca as the CA identifier, select aaa as the local entity, select CA as the authority for certificate request, enter http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337 as the URL for certificate request (the URL must be in the format of http://host:port/Issuing Jurisdiction ID,...
  • Page 451 Figure 452 Creating a PKI domain Generate an RSA key pair: Click the Certificate tab. Click Create Key. Enter 1024 as the key length, and click Apply to generate an RSA key pair. Figure 453 Generating an RSA key pair Retrieve the CA certificate: Click Retrieve Cert on the Certificate tab.
  • Page 452 Figure 454 Retrieving the CA certificate Request a local certificate: Click Request Cert on the Certificate tab. Select torsa as the PKI domain, select Password, and enter challenge-word as the password. Click Apply. The system displays Certificate request has been submitted. Click OK to finish the operation.
  • Page 453: Configuring Port Isolation

    Configuring port isolation Overview Usually, Layer 2 traffic isolation is achieved by assigning ports to different VLANs. To save VLAN resources, port isolation isolates ports within a VLAN, allowing for great flexibility and security. The device supports multiple isolation groups that can be configured manually. There is no restriction on the number of ports assigned to an isolation group.
  • Page 454: Configuring Member Ports For A Port Isolation Group

    Figure 457 Group setup Add port isolation groups as described in Table 131. Click Apply. Table 131 Configuration item Item Description Isolate group ID Enter the IDs of the port isolation groups you want to add. Configuring member ports for a port isolation group Select Security >...
  • Page 455 Figure 458 Port setup Configure member ports for a port isolation group as described in Table 132. Click Apply. When the success notification appears, click Close. Table 132 Configuration items Item Description Isolate group ID Select the ID of the port isolation group to be configured. Specify the role of the port or ports in the isolation group.
  • Page 456: Port Isolation Configuration Example

    • On an HP 830 8-port PoE+ unified wired-WLAN switch switching engine, ports GE 1/0/10 and GE 1/0/11 are aggregated into interface BAGG1. • On an HP 830 series PoE+ unified wired-WLAN switch controller engine, ports GE 1/0/1 and GE 1/0/2 are aggregated into interface BAGG1. Port isolation configuration example...
  • Page 457 Figure 460 Adding a port isolation group Assign GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4 to port isolation group 1: Click the Port Setup tab. Select 1 from the Isolate group ID list. Select Isolated port for Config Type. Select 2, 3, 4 on the chassis front panel. 2, 3, 4 represent ports GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4, respectively.
  • Page 458: Viewing Information About The Isolation Group

    Figure 461 Configuring isolated ports for port isolation group 1 Viewing information about the isolation group Click Summary. Display port isolation group 1, which contains isolated ports GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4. Figure 462 Information about port isolation group 1...
  • Page 459: Configuring Authorized Ip

    Configuring authorized IP The authorized IP function associates the HTTP or Telnet service with an ACL to filter the requests of clients. Only the clients that pass the ACL filtering can access the device. Configuration procedure Select Security > Authorized IP from the navigation tree. Click the Setup tab to enter the authorized IP configuration page.
  • Page 460: Authorized Ip Configuration Example

    Authorized IP configuration example Network requirements As shown in Figure 464, configure Switch to deny Telnet and HTTP requests from Host A, and permit Telnet and HTTP requests from Host B. Figure 464 Network diagram Configuration procedure Create an ACL: Select QoS > ACL IPv4 from the navigation tree. Click the Create tab.
  • Page 461 Select 2001 from the ACL list, select Permit from the Action list, select the Source IP Address box and enter 10.1.1.3, and then enter 0.0.0.0 in the Source Wildcard field. Click Add. Figure 466 Configuring an ACL rule to permit Host B Configure authorized IP: Select Security >...
  • Page 462 Figure 467 Configuring authorized IP...
  • Page 463: Configuring Acls

    Configuring ACLs Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document. Overview An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number. ACLs are essentially used for packet filtering.
  • Page 464: Acl Rule Numbering

    ACL category Sequence of tie breakers IPv4 advanced ACL: specific protocol type rather than IP (IP represents any protocol over IP); more 0s in the source IP address wildcard mask; more 0s in the destination IP address wildcard mask; narrower TCP/UDP service port number range; smaller ID.
  • Page 465: Implementing Time-Based Acl Rules

    Traditional packet filtering matches only first fragments of IPv4 packets, and allows all subsequent non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks. To avoid risks, the HP ACL implementation filters all fragments based on Layer 3 attributes. Configuration guidelines When you configure an ACL, follow these guidelines: •...
  • Page 466: Configuring A Time Range

    IPv6 ACL configuration procedure Step Remarks Optional. Configuring a time range. Add a time range. A rule referencing a time range takes effect only during the specified time range. Required. Adding an IPv6 ACL. Add an IPv6 ACL. The category of the added IPv6 ACL depends on the ACL number that you specify.
  • Page 467: Adding An Ipv4 Acl

    Table 135 Configuration items Item Description Time Range Name Set the name for the time range. • Start Time—Set the start time of the periodic time range. • End Time—Set the end time of the periodic time range. The end time must be later than the start time.
  • Page 468: Configuring A Rule For A Basic Ipv4 Acl

    Table 136 Configuration items Item Description ACL Number Set the number of the IPv4 ACL. Match Order Set the match order of the ACL. Available values are: • Config—Packets are compared against ACL rules in the order that the rules are configured.
  • Page 469: Configuring A Rule For An Advanced Ipv4 Acl

    Item Description Rule ID Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically. If the rule number you specify already exists, this procedure modifies the configuration of the existing rule.
  • Page 470 Figure 471 Configuring an advanced IPv4 ACL Configure a rule for an advanced IPv4 ACL as described in Table 138. Click Add. Table 138 Configuration items Item Description Select the advanced IPv4 ACL for which you want to configure rules. Available ACLs are advanced IPv4 ACLs.
  • Page 471 Item Description Rule ID Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically. If the rule number you specify already exists, this procedure modifies the configuration of the existing rule.
  • Page 472: Configuring A Rule For An Ethernet Frame Header Acl

    Item Description • Not Check—The following port number fields cannot be configured. • Range—The following port number fields must be configured to define a port range. • Other values—The first port number field must be configured and the second port number field must not. DSCP Specify the DSCP value.
  • Page 473 Figure 472 Configuring a rule for an Ethernet frame header ACL Configure a rule for an Ethernet frame header ACL as described in Table 139. Click Add. Table 139 Configuration items Item Description Select the Ethernet frame header ACL for which you want to configure rules. Available ACLs are Ethernet frame header ACLs.
  • Page 474: Adding An Ipv6 Acl

    Item Description Action Select the action to be performed for packets matching the rule: • Permit—Allows matched packets to pass. • Deny—Drops matched packets. Source MAC Address Select the Source MAC Address box and enter a source MAC address and a mask.
  • Page 475: Configuring A Rule For A Basic Ipv6 Acl

    Click Apply. Table 140 Configuration items Item Description ACL Number Enter a number for the IPv6 ACL. Match Order Select a match order for the ACL. Available values are: • Config—Packets are compared against ACL rules in the order the rules are configured.
  • Page 476: Configuring A Rule For An Advanced Ipv6 Acl

    Item Description Rule ID Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically. If the rule number you specify already exists, this procedure modifies the configuration of the existing rule.
  • Page 477 Figure 475 Configuring a rule for an advanced IPv6 ACL Add a rule for an advanced IPv6 ACL as described in Table 142. Click Add. Table 142 Configuration items Item Description Select Access Control List (ACL) Select the advanced IPv6 ACL for which you want to configure rules. Select the Rule ID box and enter a number for the rule.
  • Page 478 Item Description Check Fragment Select this box to apply the rule to only non-first fragments. If you do not select this box, the rule applies to all fragments and non-fragments. Check Logging Select this box to keep a log of matched IPv6 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol that the IP carries, source/destination address,...
  • Page 479: Configuring Qos

    Configuring QoS Overview Quality of Service (QoS) reflects the ability of a network to meet customer needs. In an internet, QoS evaluates the ability of the network to forward packets of different services. The evaluation can be based on different criteria because the network may provide various services. Generally, QoS performance is measured with respect to bandwidth, delay, jitter, and packet loss ratio during the packet forwarding process.
  • Page 480 Figure 476 Traffic congestion causes • The traffic enters a device from a high speed link and is forwarded over a low speed link. • The packet flows enter a device from several incoming interfaces and are forwarded out of an...
  • Page 481: End-To-End Qos

    End-to-end QoS Figure 477 End-to-end QoS model As shown in Figure 477, traffic classification and congestion management provide the foundation for a network to provide differentiated services: • Traffic classification—Uses specific match criteria to organize packets with different characteristics into different classes. Traffic classification is typically applied to the inbound direction of a port. • Congestion management—Provides a resource scheduling policy to arrange the forwarding...
  • Page 482: Packet Precedences

    Packet precedences IP precedence and DSCP values Figure 478 ToS field and DS field As shown in Figure 478, the ToS field of the IP header contains eight bits: the first three bits (0 to 2) represent IP precedence from 0 to 7. The subsequent four bits (3 to 6) represent a ToS value from 0 to 15. According to RFC 2474, the ToS field of the IP header is redefined as the differentiated services (DS) field, where a differentiated services code point (DSCP) value is represented by the first six bits (0 to 5) and is in the range 0 to 63.
  • Page 483 DSCP value (decimal) / DSCP value (binary) / Description: 28 / 011100 / af32; 30 / 011110 / af33; 34 / 100010 / af41; 36 / 100100 / af42; 38 / 100110 / af43; 8 / 001000; 16 / 010000; 24 / 011000; 32 / 100000; 40 / 101000; 48 / 110000; 56 / 111000; 0 / 000000 / be (default). 802.1p priority 802.1p priority lies in Layer 2 packet headers and applies to situations where Layer 3 header analysis is not needed and QoS must be assured at Layer 2.
  • Page 484: Queue Scheduling

    Table 145 Description of 802.1p priority 802.1p priority (decimal) / 802.1p priority (binary) / Description: best-effort, background, spare, excellent-effort, controlled-load, video, voice, network-management. Queue scheduling In general, congestion management uses queuing technology. The system uses a queuing algorithm for traffic classification, and then uses a precedence algorithm to send the traffic. Each queuing algorithm handles a particular network traffic problem and has significant impacts on bandwidth resource assignment, delay, and jitter.
  • Page 485: Rate Limit

    packets in the queue with the second highest priority, and so on. You can assign mission-critical packets to the high priority queue to make sure the high priority queue packets are always served first and assign common service (such as Email) packets to the low priority queues so they are sent when the high priority queues are empty.
  • Page 486 Figure 483 Evaluate traffic with the token bucket The evaluation for the traffic specification is based on whether the number of tokens in the bucket can meet the needs of packet forwarding. If the number of tokens in the bucket is enough to forward the packets (typically, one token is associated with a 1-bit forwarding authority), the traffic conforms to the specification, and the traffic is called "conforming traffic."...
  • Page 487: Priority Mapping

    Figure 484 Rate limit implementation When a token bucket is used for traffic control, the bursty packets can be transmitted when the token bucket has tokens. When no tokens are available, packets cannot be transmitted until new tokens are generated in the token bucket. In this way, the traffic rate is restricted to the rate for generating tokens, the traffic rate is limited, and bursty traffic is allowed.
  • Page 488: Introduction To Priority Mapping Tables

    Figure 485 Priority mapping process Introduction to priority mapping tables The device provides the following types of priority mapping tables: • CoS to DSCP—802.1p-to-DSCP mapping table. • CoS to Queue—802.1p-to-local mapping table. • DSCP to CoS—DSCP-to-802.1p mapping table, which applies to only IP packets. •...
  • Page 489: Configuration Guidelines

    Input DSCP value Local precedence (Queue) 40 to 47 48 to 55 56 to 63 In the default DSCP to DSCP mapping table, an input value yields a target value equal to it. Configuration guidelines When you configure QoS, follow these guidelines: • When you configure rate limit and traffic policing for a behavior, make sure the ratio of CBS to CIR...
  • Page 490: Queue Scheduling Configuration Procedure

    or—The device considers that a packet belongs to a class as long as the packet matches one of the criteria in the class. Traffic behavior: A traffic behavior, identified by a name, defines a set of QoS actions for packets. Policy: You can apply a QoS policy to a VLAN or a port.
  • Page 491: Rate Limit Configuration Procedure

    Rate limit configuration procedure Step Remarks Required. Configuring rate limit on a port Limit the rate of incoming packets or outgoing packets of a physical port. Priority mapping table configuration procedure Step Remarks Required. Configuring priority mapping tables Set priority mapping tables. Priority trust mode configuration procedure Step Remarks...
  • Page 492: Configuring Classification Rules

    Add a class as described in Table 149. Click Create. Table 149 Configuration items Item Description Classifier Name Specify a name for the classifier to be added. Some devices have their own system-defined classifiers. The classifier name you specify cannot overlap with system-defined ones. The system-defined classifiers include: default-class, ef, af1, af2, af3, af4, ip-prec0, ip-prec1, ip-prec2, ip-prec3, ip-prec4, ip-prec5, ip-prec6, ip-prec7, mpls-exp0, mpls-exp1, mpls-exp2, mpls-exp3,...
  • Page 493 Figure 487 Configuring classification rules Configure classification rules for a class as described in Table 150. Click Apply. Table 150 Configuration items Item Description Please select a classifier Select an existing classifier in the list. Define a rule to match all packets. Select the box to match all packets.
  • Page 494 Item Description IP Precedence Define a rule to match IP precedence values. If multiple rules are configured for a class, the new configuration does not overwrite the previous. You can configure up to eight IP precedence values at a time. If multiple identical IP precedence values are specified, the system considers them as a single value.
  • Page 495: Adding A Traffic Behavior

    Item Description Define a rule to match service VLAN IDs. If multiple rules are configured for a class, the new configuration does not overwrite the previous. You can configure multiple VLAN IDs at a time. If the same VLAN ID is specified multiple times, the system considers them as a single value.
  • Page 496: Configuring Traffic Mirroring And Traffic Redirecting For A Traffic Behavior

    Add a traffic behavior as described in Table 151. Click Create. Table 151 Configuration items Item Description Behavior name Specify a name for the behavior to be added. Some devices have their own system-defined behaviors. The behavior name you specify cannot overlap with system-defined behaviors. The system-defined behaviors include ef, af, and be.
  • Page 497: Configuring Other Actions For A Traffic Behavior

    Item Description Mirror To Set the action of mirroring traffic to the specified destination port. Traffic can be mirrored to only one destination port. The most recent configuration overwrites the previous. Redirect Set the action of redirecting traffic to the specified destination port. Please select a port Specify the port to be configured as the destination port of traffic mirroring or traffic redirecting on the chassis front panel.
  • Page 498 Figure 490 Setting a traffic behavior Configure other actions for a traffic behavior as described in Table 153. Click Apply.
  • Page 499 Table 153 Configuration items Item Description Please select a behavior Select an existing behavior in the list. Enable/Disable Enable or disable CAR. Set the committed information rate (CIR), the average traffic rate. Set the committed burst size (CBS), number of bytes that can be sent in each interval.
  • Page 500: Adding A Policy

    Item Description Accounting Configure the traffic accounting action. Select the Accounting box and select Enable or Disable in the following list to enable/disable the traffic accounting action. Adding a policy Select QoS > QoS Policy from the navigation tree. Click the Create tab to enter the page for adding a policy. Figure 491 Adding a policy Add a policy as described in Table...
  • Page 501: Applying A Policy To A Port

    Figure 492 Setting a policy Configure a classifier-behavior association for a policy as described in Table 155. Click Apply. Table 155 Configuration items Item Description Please select a policy Select an existing policy in the list. Classifier Name Select an existing classifier in the list. Behavior Name Select an existing behavior in the list.
  • Page 502: Configuring Queue Scheduling On A Port

    Apply a policy to a port as described in Table 156. Click Apply. Table 156 Configuration items Item Description Please select a policy Select an existing policy in the list. Set the direction in which the policy is to be applied. •...
  • Page 503: Configuring Rate Limit On A Port

    Table 157 Configuration items Item Description Enable or disable the WRR queue scheduling mechanism on selected ports. The following options are available: • Enable—Enables WRR on selected ports. • Not Set—Restores the default queuing algorithm on selected ports. Queue Select the queue to be configured. A queue ID ranges from 0 to n-1 (n is the maximum number of queues on an interface and varies by device).
  • Page 504 Figure 495 Configuring rate limit on a port Configure rate limit on a port as described in Table 158. Click Apply. Table 158 Configuration items Item Description Please select an interface type Select the types of interfaces to be configured with rate limit. Rate Limit Enable or disable rate limit on the specified port.
  • Page 505: Configuring Priority Mapping Tables

    Item Description Please select port(s) Specify the ports to be configured with rate limit. Click the ports to be configured with rate limit in the port list. You can select one or more ports. Configuring priority mapping tables Select QoS > Priority Mapping from the navigation tree. Figure 496 Configuring priority mapping tables Configure a priority mapping table as described in Table...
  • Page 506 Figure 497 Configuring port priority Click the icon for a port. Figure 498 The page for modifying port priority Configure the port priority for a port as described in Table 160. Click Apply. Table 160 Configuration items Item Description Interface Interface to be configured.
  • Page 507 Item Description Trust Mode Select a priority trust mode for the port: • Untrust—Packet priority is not trusted. • CoS—802.1p priority of the incoming packets is trusted and used for priority mapping. • DSCP—DSCP value of the incoming packets is trusted and used for priority mapping.
  • Page 508: Acl And Qos Configuration Example

    ACL and QoS configuration example Network requirements As shown in Figure 499, the FTP server (10.1.1.1/24) is connected to the Switch, and the clients access the FTP server through GigabitEthernet 1/0/1 of the Switch. Configure an ACL and a QoS policy as follows to prevent the hosts from accessing the FTP server from 8:00 to 18:00 every day: Add an ACL to prohibit the hosts from accessing the FTP server from 8:00 to 18:00 every day.
  • Page 509 Figure 500 Defining a time range covering 8:00 to 18:00 every day Add an advanced IPv4 ACL: Select QoS > ACL IPv4 from the navigation tree. Click the Create tab. Enter the ACL number 3000. Click Apply.
  • Page 510 Figure 501 Adding an advanced IPv4 ACL Define an ACL rule for traffic to the FTP server: Click the Advanced Setup tab. Select 3000 in the ACL list. Select the Rule ID box, and enter rule ID 2. Select Permit in the Action list. Select the Destination IP Address box, and enter IP address 10.1.1.1 and destination wildcard 0.0.0.0.
  • Page 511 Figure 502 Defining an ACL rule for traffic to the FTP server Add a class: Select QoS > Classifier from the navigation tree. Click the Create tab. Enter the class name class1. Click Create.
  • Page 512 Figure 503 Adding a class Define classification rules: Click the Setup tab. Select the class name class1 in the list. Select the ACL IPv4 box, and select ACL 3000 in the following list.
  • Page 513 Figure 504 Defining classification rules Click Apply. A progress dialog box appears, as shown in Figure 505. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
  • Page 514 Figure 505 Configuration progress dialog box Add a traffic behavior: Select QoS > Behavior from the navigation tree. Click the Create tab. Enter the behavior name behavior1. Click Create. Figure 506 Adding a traffic behavior Configure actions for the traffic behavior: Click the Setup tab.
  • Page 515 Figure 507 Configuring actions for the behavior Add a policy: Select QoS > QoS Policy from the navigation tree. Click the Create tab. Enter the policy name policy1. Click Create.
  • Page 516 Figure 508 Adding a policy Configure classifier-behavior associations for the policy: Click the Setup tab. Select policy1. Select class1 from the Classifier Name list. Select behavior1 from the Behavior Name list. Click Apply. Figure 509 Configuring classifier-behavior associations for the policy Apply the QoS policy in the inbound direction of interface GigabitEthernet 1/0/1: Select QoS >...
  • Page 517 Select port GigabitEthernet 1/0/1. Click Apply. A configuration progress dialog box appears. Click Close when the progress dialog box prompts that the configuration succeeds. Figure 510 Applying the QoS policy in the inbound direction of GigabitEthernet 1/0/1...
  • Page 518: Configuring Poe

    • Over spare wires—The PSE uses spare pairs (pins 4, 5 and 7, 8) to supply DC power to PDs. NOTE: The switching engine of the HP 830 switch supports only power over signal wires. Figure 511 PoE system diagram Configuring PoE Before configuring PoE, make sure the PoE power supply and PSE are operating correctly.
  • Page 519: Configuring Poe Ports

    Configuring PoE ports Select PoE > PoE from the navigation tree. Click the Port Setup tab. Figure 512 Port Setup tab Configure the PoE ports as described in Table 161. Click Apply. Table 161 Configuration items Item Description Select Port Select ports to be configured and they are displayed in the Selected Ports area.
  • Page 520: Configuring Non-Standard Pd Detection

    Item Description Set the power supply priority for a PoE port. In descending order, the power-supply priority levels of a PoE port are critical, high, and low. • When the PoE power is insufficient, power is first supplied to PoE ports with a higher priority level.
  • Page 521: Displaying Information About Pse And Poe Ports

    Click Apply. Disabling the non-standard PD detection function for a PSE Select Disable in the corresponding Non-Standard PD Compatibility column. Click Apply. Enabling the non-standard PD detection for all PSEs Click Enable All. Disabling the non-standard PD detection for all PSEs Click Disable All.
  • Page 522 • GigabitEthernet 1/0/11 is connected to an AP whose maximum power does not exceed 12950 milliwatts. • The IP telephones have a higher power supply priority than the AP, so the PSE supplies power to the IP telephones first if the PSE power is overloaded. Figure 515 Network diagram Configuring PoE Enable PoE on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, and set their power supply...
  • Page 523 Enable PoE on GigabitEthernet 1/0/11 and set the maximum power of the port to 12950 milliwatts: Click the Setup tab. On the tab, click to select port GigabitEthernet 1/0/11 from the chassis front panel, select Enable from the Power State list, and select the box before Power Max and enter 12950. Click Apply.
  • Page 524: Support And Other Resources

    Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...
  • Page 525: Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
  • Page 526 Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 527: Index

    Index A B C D E G H I L M N O P Q R S T U V W Configuration procedure,391 Configuration procedure,447 AAA configuration example,397 Configuration procedure,295 Accessing the controller engine from the switching Configuration procedure,312 engine's Web interface,27 Configuration procedures,334...
  • Page 528 Displaying the system time,35 Configuring voice VLAN globally,141 Downloading a file,46 Configuring voice VLAN on ports,142 Configuring Web idle timeout period,31 Contacting HP,512 Enabling DHCP,262 Conventions,513 Enabling IGMP snooping globally,240 Creating a link aggregation group,185 Enabling LLDP on ports,199 Creating a mirroring...
  • Page 529 Link aggregation and LACP configuration Ping operation,289 example,190 PKI configuration example,437 LLDP configuration examples,212 PoE configuration example,509 Local port mirroring configuration example,63 Port isolation configuration example,444 Logging out of the Web interface,20 Port management configuration example,54 Port security configuration examples,340 Portal authentication configuration examples,367 MAC address table configuration...
  • Page 530 Setting the log host,41 Setting the super password,68 Uploading a file,47 Setting the traffic statistics generating interval,74 Using MAC authentication with other features,294 Setting the traffic statistics generating interval,76 SNMPv1/v2c configuration example,110 VLAN configuration example,128 SNMPv3 configuration example,113 Voice VLAN configuration examples,144 Specifying management IP addresses at the...