HP 1910 User Manual

HP 1910 Gigabit Ethernet Switch Series.
HP 1910 Gigabit Ethernet Switch Series
Part number: 5998-2269
Software version: Release 1513
Document version: 6W100-20130830


   Summary of Contents for HP 1910

  • Page 1: User Guide

    HP 1910 Gigabit Ethernet Switch Series User Guide Part number: 5998-2269 Software version: Release 1513 Document version: 6W100-20130830...

  • Page 2

    HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

  • Page 3: Table Of Contents

    Contents: Overview (1); Configuring the switch in the Web interface (2); Restrictions and guidelines (2); Operating system requirements (2); Web browser requirements (2); Others (5); Logging in to the Web interface for the first time (5); ...

  • Page 4: Table Of Contents

    Displaying topology summary of a stack (45); Displaying device summary of a stack (45); Logging in to a member device from the master (46); Stack configuration example (46); Configuration guidelines (52); ...

  • Page 5: Table Of Contents

    Displaying port operation parameters (80); Displaying a specified operation parameter for all ports (80); Displaying all the operation parameters for a port (80); Port management configuration example (81); Network requirements (81); ...

  • Page 6: Table Of Contents

    Displaying RMON event logs (116); RMON configuration example (117); Configuring energy saving (121); Configuring energy saving on a port (121); Configuring SNMP (123); Overview (123); SNMP mechanism (123); ...

  • Page 7: Table Of Contents

    Voice VLAN assignment modes (169); Security mode and normal mode of voice VLANs (170); Recommended voice VLAN configuration procedure (171); Configuring voice VLAN globally (172); Configuring voice VLAN on ports (173); ...

  • Page 8: Table Of Contents

    Operating modes of LLDP (234); How LLDP works (234); Compatibility of LLDP with CDP (235); Protocols and standards (235); Recommended LLDP configuration procedure (235); Enabling LLDP on ports (236); ...

  • Page 9: Table Of Contents

    How MLD snooping works (289); Protocols and standards (290); Recommended configuration procedure (290); Enabling MLD snooping globally (291); Configuring MLD snooping in a VLAN (292); Configuring MLD snooping port functions (293); ...

  • Page 10: Table Of Contents

    DHCP snooping support for Option 82 (331); Recommended configuration procedure (332); Enabling DHCP snooping (332); Configuring DHCP snooping functions on an interface (333); Displaying DHCP snooping entries (334); DHCP snooping configuration example (335); ...

  • Page 11: Table Of Contents

    Configuration procedure (386); Verifying the configuration (389); Configuring portal authentication (390); Overview (390); Extended portal functions (390); Portal system components (390); Portal system using the local portal server (392); ...

  • Page 12: Table Of Contents

    Creating a PKI domain (455); Creating an RSA key pair (458); Destroying the RSA key pair (459); Retrieving and displaying a certificate (459); Requesting a local certificate (461); Retrieving and displaying a CRL (462); ...

  • Page 13: Table Of Contents

    Adding a traffic behavior (507); Configuring traffic redirecting for a traffic behavior (508); Configuring other actions for a traffic behavior (509); Adding a policy (510); Configuring classifier-behavior associations for the policy (511); ...

  • Page 14: Overview

    Overview The HP 1910 Switch Series can be configured through the command line interface (CLI), Web interface, and SNMP/MIB. These configuration methods are suitable for different application scenarios. • The Web interface supports all 1910 Switch Series configurations. • The CLI provides configuration commands to facilitate your operation. To perform other...

  • Page 15: Configuring The Switch In The Web Interface, Restrictions And Guidelines, Operating System Requirements

    Configuring the switch in the Web interface The device provides web-based configuration interfaces for visual device management and maintenance. Figure 1 Web-based network management operating environment Restrictions and guidelines To ensure a successful login, verify that your operating system and Web browser meet the requirements, and follow the guidelines in this section.

  • Page 16

    Click the Security tab, and select the content zone where the target Website resides, as shown in Figure 2. Figure 2 Internet Explorer settings (1) Click Custom Level. In the Security Settings dialog box, enable Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting.

  • Page 17

    Figure 3 Internet Explorer settings (2) Click OK to save your settings. Enabling JavaScript in a Firefox browser Launch the Firefox browser, and select Tools > Options. In the Options dialog box, click the Content icon, and select Enable JavaScript.

  • Page 18: Others, Logging In To The Web Interface For The First Time

    Figure 4 Firefox browser settings Click OK to save your settings. Others • Make sure the management PC and the device can reach each other. • Do not use the Back, Next, Refresh buttons provided by the browser. Using these buttons might...

  • Page 19: Logging In To The Web Interface By Using The Default Username

    Creating an admin user Deleting the default username Logging in to the Web interface by using the default username You can use the following default settings to log in to the web interface through HTTP: • Username—admin. • Password—None. • IP address of VLAN-interface 1 on the device—Default IP address of the device, depending on the...

  • Page 20: Creating An Admin User

    Figure 6 Login page of the Web interface Creating an admin user Select Device > Users from the navigation tree. Click the Create tab. Figure 7 Creating an admin user Set a username and password. Select Management from the access level list. Select at least one service type.

  • Page 21: Deleting The Default Username, Logging In To The Web Interface

    Deleting the default username For security purposes, delete the default username after you create and save the new admin user. To delete the default user name: Log in to the Web interface as an admin. Select Device > Users from the navigation tree, and click the Remove tab. Figure 8 Deleting the default username Select the default username admin, and click Remove.

  • Page 22: Web Interface, Web User Level

    Because the system does not save the current configuration automatically, HP recommends that you perform this step to avoid loss of configuration. Click Logout in the upper-right corner of the Web interface, as shown in Figure Web interface The Web interface includes these parts: navigation area, title area, and body area. Figure 9 Web-based configuration interface (1) Navigation tree (2) Body area...

  • Page 23: Web-based Nm Functions

    • Configure—Users of this level can access device data and configure the device, but they cannot upgrade the host software, add/delete/modify users, or backup/restore configuration files. • Management—Users of this level can perform any operations to the device. Web-based NM functions User level in Table 1 indicates that users of this level or users of a higher level can perform the...

  • Page 24

    Function menu / Description / User level: • Restore: Upload the configuration file to be used at the next startup from the host of the current user to the device. User level: Management. • Save: Save the current configuration to the configuration file to be used at the next startup. User level: Configure. • Initialize: Restore the factory default settings.

  • Page 25

    Function menu / Description / User level: • History: Display, create, modify, and clear RMON history sampling information. User level: Configure. • Alarm: Display, create, modify, and clear alarm entries. User level: Configure. • Event: Display, create, modify, and clear event entries. User level: Configure. • Display log information about RMON events. User level: Configure. • Energy: Display and configure the energy saving settings of...

  • Page 26

    Function menu / Description / User level: • Create: Create VLANs. User level: Configure. • Port Detail: Display the VLAN-related details of a port. User level: Monitor. • Detail: Display the member port information about a VLAN. User level: Monitor. • Modify VLAN: Modify the description and member ports of a VLAN. User level: Configure.

  • Page 27

    Function menu / Description / User level: • LACP > Summary: Display information about LACP-enabled ports and their partner ports. User level: Monitor. • LACP > Setup: Set LACP priorities. User level: Configure. • LLDP > Port Setup: Display the LLDP configuration information, local information, neighbor information, statistics information, and status information about a port. User level: Monitor. Modify LLDP configuration on a port.

  • Page 28

    Function menu / Description / User level: • Remove: Delete the selected IPv6 static routes. User level: Configure. • IPv6 Management > IPv6 Service: Enable or disable IPv6 service. User level: Configure. • Display information about the DHCP status, advanced configuration information about the DHCP relay agent, DHCP server group configuration, DHCP relay agent interface configuration, and the DHCP client information. User level: Monitor.

  • Page 29

    Function menu / Description / User level: • Free Rule: Display the portal-free rule configuration information (User level: Monitor). Add and delete a portal-free rule (User level: Configure). • Domain Setup: Display ISP domain configuration information (User level: Monitor). Add and remove ISP domains (User level: Management). • Display the authentication configuration information about an ISP domain. User level: Monitor.

  • Page 30

    Function menu / Description / User level: • Time Range > Summary: Display time range configuration information. User level: Monitor. • Time Range > Create: Create a time range. User level: Configure. • Time Range > Remove: Delete a time range. User level: Configure. • Summary: Display IPv4 ACL configuration information. User level: Monitor. • Create: Create an IPv4 ACL. User level: Configure. • Basic Setup: Configure a rule for a basic IPv4 ACL.

  • Page 31: Common Items On The Web Pages

    Function menu / Description / User level: • Setup: Apply a QoS policy to a port. User level: Configure. • Remove: Remove the QoS policy from the port. User level: Configure. • Priority Mapping > Priority Mapping: Display priority mapping table information (User level: Monitor). Modify the priority mapping entries (User level: Configure). • Port Priority > Port Priority: Display port priority and trust mode information (User level: Monitor). ...

  • Page 32

    Button and icon Function Accesses a configuration page to modify settings. This icon is typically present in the Operation column in a list. Deletes an entry. This icon is typically present in the Operation column in a list. Page display The Web interface can display contents by pages, as shown in Figure 10.

  • Page 33

    Figure 11 Basic search function example • Advanced search—As shown in Figure 10, you can click the Advanced Search link to open the advanced search page, as shown in Figure 12. Specify the search criteria, and click Apply to display the entries that match the criteria. Figure 12 Advanced search Take the ARP table shown in Figure 10...

  • Page 34

    Figure 14 Advanced search function example (II) Figure 15 Advanced search function example (III) Sort function The Web interface provides you with the basic functions to display entries in certain orders. On a list page, you can click the blue heading item of each column to sort the entries based on the heading item you selected.

  • Page 35

    Figure 16 Sort display (based on MAC address in the ascending order)

  • Page 36: Configuring The Switch At The Cli, Getting Started With The Cli

    Configuring the switch at the CLI The HP 1910 Switch Series can be configured through the CLI, Web interface, and SNMP/MIB. The Web interface supports all 1910 Switch Series configurations. These configuration methods are suitable for different application scenarios. The CLI provides configuration commands to facilitate your operation, which are described in this chapter.

  • Page 37: Setting Terminal Parameters

    NOTE: • The serial port on a PC does not support hot swapping. • When you connect a PC to a powered-on switch, connect the DB-9 connector of the console cable to the PC before connecting the RJ-45 connector to the switch.

  • Page 38

    Figure 19 Setting the serial port used by the HyperTerminal connection Set Bits per second to 38400, Data bits to 8, Parity to None, Stop bits to 1, and Flow control to None, and click OK. Figure 20 Setting the serial port parameters Select File >...

  • Page 39

    Figure 21 HyperTerminal window Click the Settings tab, set the emulation to VT100, and click OK in the Switch Properties dialog box. Figure 22 Setting terminal emulation in Switch Properties dialog box...

  • Page 40: Logging In To The Cli, Cli Commands

    Username:admin Press Enter. The Password prompt appears. Password: The login information is verified, and the following CLI prompt appears: <HP 1910 Switch> If the password is invalid, the following message appears and the login process restarts. % Login failed! CLI commands This section contains the following commands:...

  • Page 41: Initialize, Ipsetup

    initialize Syntax initialize Parameters None Description Use initialize to delete the configuration file to be used at the next startup and reboot the device with the default configuration being used during reboot. Use the command with caution because this command deletes the configuration file to be used at the next startup and restores the factory default settings.

  • Page 42: Ipsetup Ipv6, Password

    # Create VLAN-interface 1 and assign 192.168.1.2 to the interface, and specify 192.168.1.1 as the default gateway. <Sysname> ipsetup ip-address 192.168.1.2 24 default-gateway 192.168.1.1 ipsetup ipv6 Syntax ipsetup ipv6 { auto | address { ipv6-address prefix-length | ipv6-address/prefix-length } [ default-gateway ipv6-address ] } Parameters auto: Enables the stateless address autoconfiguration function.

  • Page 43: Ping, Ping Ipv6

    Change password for user: admin Old password: *** Enter new password: ** Retype password: ** The password has been successfully changed. ping Syntax ping host Parameters host: Specifies a destination IPv4 address (in dotted decimal notation) or host name (a string of 1 to 255 characters).

  • Page 44: Quit

    Use quit to log out of the system. Examples # Log out of the system. <Sysname> quit ****************************************************************************** * Copyright (c) 2004-2012 Hewlett-Packard Development Company, L.P. * Without the owner's prior written consent, * no decompiling or reverse-engineering shall be allowed. ****************************************************************************** <Sysname>...

  • Page 45: Reboot, Summary

    reboot Syntax reboot Parameters None Description Use reboot to reboot the device and run the main configuration file. Use the command with caution because reboot results in service interruption. If the main configuration file is corrupted or does not exist, the device cannot be rebooted with the reboot command.

  • Page 46: Telnet

    Next backup boot app is: NULL HP Comware Platform Software Comware Software, Version 5.20, Copyright (c) 2010-2013 Hewlett-Packard Development Company, L.P. HP 1910-8G-PoE+ (65W) Switch uptime is 0 week, 0 day, 2 hours, 1 minute HP 1910-8G-PoE+ (65W) Switch 128M bytes DRAM...

  • Page 47: Upgrade

    To validate the downloaded software package file, reboot the device. NOTE: The HP 1910 Switch Series does not provide an independent Boot ROM image. It integrates the Boot ROM image with the system software image file together in a software package file with the extension name of .bin.

  • Page 48: Upgrade Ipv6, Configuration Example For Upgrading The System Software Image At The Cli

    To validate the downloaded software package file, reboot the device. NOTE: The HP 1910 Switch Series does not provide an independent Boot ROM image. It integrates the Boot ROM image with the system software image file together in a software package file with the extension name of .bin.

  • Page 49: Configuration Procedure

    The administrator upgrades the Boot ROM image and the system software image file of the 1910 switch through the PC and sets the IP address of the switch to 192.168.1.2/24. Figure 23 Network diagram Configuration procedure Run the TFTP server program on the TFTP server, and specify the path of the file to be loaded.

  • Page 50: Configuration Wizard, Overview, Basic Service Setup, Entering The Configuration Wizard Homepage, Configuring System Parameters

    Configuration wizard Overview The configuration wizard guides you through configuring the basic service parameters, including the system name, the system location, the contact information, and the management IP address. Basic service setup Entering the configuration wizard homepage Select Wizard from the navigation tree. Figure 24 Configuration wizard homepage Configuring system parameters On the wizard homepage, click Next.

  • Page 51: Configuring Management Ip Address

    Figure 25 System parameter configuration page Configure the parameters as described in Table 3. Table 3 Configuration items: • Sysname: Specify the system name. The system name appears at the top of the navigation tree. You can also set the system name in the System Name page you enter by selecting Device >...

  • Page 52

    On the system parameter configuration page, click Next. Figure 26 Management IP address configuration page Configure the parameters as described in Table 4. Table 4 Configuration items: • Select a VLAN interface. Available VLAN interfaces are those configured in the page that you enter by selecting Network >...

  • Page 53: Finishing Configuration Wizard

    Item / Description: • DHCP, BOOTP, Manual: Configure how the VLAN interface obtains an IPv4 address. • DHCP—Specifies the VLAN interface to obtain an IPv4 address by DHCP. • BOOTP—Specifies the VLAN interface to obtain an IPv4 address through BOOTP. • Manual—Allows you to specify an IPv4 address and a mask length. • IPv4 address: Configure IPv4...

  • Page 54

    Figure 27 Configuration finishes...

  • Page 55: Configuring Stack, Overview, Configuration Task List

    Configuring stack Overview The stack management feature enables you to configure and monitor a group of connected switches by logging in to one switch in the stack, as shown in Figure 28. Figure 28 Network diagram To set up a stack for a group of connected switches, you must log in to one switch to create the stack. This switch is the master switch for the stack, and you configure and monitor all other member switches on the master switch.

  • Page 56: Configuring Global Stack Parameters

    Task / Remarks: • Displaying topology summary of a stack: Optional. Display stack member information. • Displaying device summary of a stack: Optional. Display the control panels of stack members. IMPORTANT: To successfully display control panel information, make sure the user account you are logged in with to the master has also been created on each member device.

  • Page 57

    Figure 29 Setting up a fabric Table 5 Configuration items Item / Description: • Private Net IP, Mask: Configure a private IP address pool for the stack. The master device automatically picks an IP address from this pool for each member device for intra-stack communication. IMPORTANT: Make sure the number of IP addresses in the address pool is equal to or greater than the...

  • Page 58: Configuring Stack Ports, Displaying Topology Summary Of A Stack, Displaying Device Summary Of A Stack

    Item / Description: • Build Stack: Create the stack. As a result, the device becomes the master device of the stack and automatically adds the devices connected to its stack ports to the stack. IMPORTANT: You can delete the stack only on the master device. The Global Settings area is grayed out for stack member devices.

  • Page 59: Logging In To A Member Device From The Master, Stack Configuration Example

    View interfaces and power socket layout on the panel of each stack member by clicking their respective tabs. Figure 31 Device Summary tab (on the master device) Return to Configuration task list. Logging in to a member device from the master Select Stack from the navigation tree.

  • Page 60

    Figure 33 Network diagram (Switch A: master device; Switch B, Switch C, and Switch D: slave devices; stack links on Eth1/0/1, Eth1/0/2, and Eth1/0/3) Configuration procedure Configure global stack parameters on Switch A: Select Stack from the navigation tree of Switch A to enter the page of the Setup tab, and then perform the following configurations, as shown in Figure. Type 192.168.1.1 in the field of Private Net IP.

  • Page 61

    Figure 34 Configuring global stack parameters on Switch A Switch A becomes the master device. Configure the stack port on Switch A: On the Setup tab, select GigabitEthernet1/0/1 in the Port Settings area. Click Enable.

  • Page 62

    Figure 35 Configuring a stack port on Switch A On Switch B, configure GigabitEthernet 1/0/2 (connected to Switch A), GigabitEthernet 1/0/1 (connected to Switch C), and GigabitEthernet 1/0/3 (connected to Switch D) as stack ports. Select Stack from the navigation tree of Switch B. On the Setup tab, select GigabitEthernet1/0/1, GigabitEthernet1/0/2, and GigabitEthernet1/0/3 in the Port Settings area.

  • Page 63

    Figure 36 Configuring stack ports on Switch B On Switch C, configure port GigabitEthernet 1/0/1 as a stack port. Select Stack from the navigation tree of Switch C. On the Setup tab, select GigabitEthernet1/0/1 in the Port Settings area. Click Enable.

  • Page 64

    Figure 37 Configuring a stack port on Switch C On Switch D, configure port GigabitEthernet 1/0/1 as a stack port. Select Stack from the navigation tree of Switch D. On the Setup tab, select GigabitEthernet1/0/1 in the Port Settings area. Click Enable.

  • Page 65: Configuration Guidelines

    Figure 38 Verifying the configuration Configuration guidelines If a device is already configured as a stack master device, you cannot modify the private IP address pool on the device. If a device is already configured as a stack member device, the Global Settings area on the member device is not available.

  • Page 66: Displaying System And Device Information, Displaying System Information, Displaying Basic System Information

    Displaying system and device information Displaying system information Select Summary from the navigation tree to enter the System Information page to view the basic system information, system resource state, and recent system logs. Figure 39 System information Displaying basic system information Table 7 Field description Item Description...

  • Page 67: Displaying The System Resource State, Displaying Recent System Logs, Setting The Refresh Period

    Contact Information: Display the contact information, which you can configure on the page you enter by selecting Device > SNMP > Setup. SerialNum: Display the serial number of the device. Software Version: Display the software version of the device. Hardware Version: Display the hardware version of the device.

  • Page 68: Displaying Device Information

    Displaying device information Select Summary from the navigation tree, and click the Device Information tab to enter the page displaying the device ports, power supplies, and fans. Hover the cursor over a port and the port details appear, including the port name, type, speed, usage, and status, as shown in Figure 40.

  • Page 69: Configuring Basic Device Settings, Overview, Configuring System Name, Configuring Idle Timeout Period

    Configuring basic device settings Overview The device basic information feature provides the following functions: • Set the system name of the device. The configured system name is displayed on the top of the navigation bar. • Set the idle timeout period for logged-in users. The system logs an idle user off the Web for security...

  • Page 70

    Figure 42 Configuring idle timeout period Set the idle timeout period for logged-in users. Click Apply.

  • Page 71: Maintaining Devices, Upgrading Software

    Maintaining devices Upgrading software CAUTION: Software upgrade takes a period of time. Avoid performing any operation on the Web interface during the upgrading procedure. Otherwise, the upgrade operation might be interrupted. A boot file, also known as the system software or device software, is an application file used to boot the device.

  • Page 72: Rebooting The Device

    If a file with the same name already exists, overwrite it without any prompt: Specify whether to overwrite the file with the same name. If you do not select the option, when a file with the same name exists, a dialog box appears, telling you that the file already exists and you cannot continue the upgrade.

  • Page 73: Displaying The Electronic Label, Displaying Diagnostic Information

    Displaying the electronic label You can view information about the device electronic label, which is also known as the permanent configuration data or archive information. The information is written into the storage medium of a device or a card during the debugging and testing processes, and includes card name, product bar code, MAC address, debugging and testing dates, and vendor name.

  • Page 74

    Click Create Diagnostic Information File. The system begins to generate a diagnostic information file. After the diagnostic information file is generated, a page as shown in Figure 47 appears. Click Click to Download. The File Download dialog box appears. Figure 47 Downloading the diagnostic information file Open this file to display diagnostic information or save it to the local host.

  • Page 75: Configuring System Time, Overview, Displaying The Current System Time, Manually Configuring The System Time

    Configuring system time Overview You must configure a correct system time so that the device can operate correctly with other devices. The system time module allows you to display and set the device system time and system zone on the web interface.

  • Page 76: Configuring The System Time By Using Ntp

    Figure 49 Calendar page Enter the system date and time in the Time field, or select the date and time in the calendar. To set the time on the calendar page, select one of the following methods: Click Today. The date setting in the calendar is synchronized to the current local date configuration, and the time setting does not change.

  • Page 77: System Time Configuration Example, Network Requirements

    Table 10 Configuration items Item Description Clock status Display the synchronization status of the system clock. Set the source interface for an NTP message. This configuration uses the IP address of an interface as the source IP address in the NTP messages. If the specified source interface is down, the source IP address is the IP address of the egress interface.

  • Page 78: Configuring The System Time, Verifying The Configuration, Configuration Guidelines

    Figure 51 Network diagram Configuring the system time Configure the local clock as the reference clock, with the stratum of 2. Enable NTP authentication, set the key ID to 24, and specify the created authentication key aNiceKey as a trusted key. (Details not shown.) On Switch B, configure Device A as the NTP server: Select Device >...

  • Page 79

    • The synchronization process takes a period of time. The clock status might be displayed as unsynchronized after your configuration. In this case, you can refresh the page to view the clock status and system time later on. • If the system time of the NTP server is ahead of the system time of the device, and the time gap exceeds the web idle time specified on the device, all online web users are logged out because of timeout after the synchronization finishes.

  • Page 80: Configuring Syslog, Overview, Displaying Syslogs

    Configuring syslog Overview System logs contain a large amount of network and device information, including running status and configuration changes. System logs are an important way for administrators to know network and device running status. With system logs, administrators can take corresponding actions against network problems and security problems.

  • Page 81: Setting The Log Host

    TIP: • You can click Reset to clear all system logs saved in the log buffer on the Web interface. • You can click Refresh to manually refresh the page, or you can set the refresh interval on the Log Setup...

  • Page 82: Setting Buffer Capacity And Refresh Interval

    Figure 54 Setting loghost Configure the IPv4/IPv6 address of the log host. Click Apply. Setting buffer capacity and refresh interval Select Device > Syslog from the navigation tree. Click the Log Setup tab. The syslog configuration page appears. Figure 55 Syslog configuration page...

  • Page 83

    Configure buffer capacity and refresh interval as described in Table. Click Apply. Table 12 Configuration items Item Description Buffer Capacity: Set the number of logs that can be stored in the log buffer of the Web interface. Set the refresh period for the log information displayed on the Web interface. You can select manual refresh or automatic refresh: •...

  • Page 84: Managing The Configuration, Backing Up The Configuration, Restoring The Configuration

    Managing the configuration You can back up, restore, save, and reset the configuration of the device. Backing up the configuration The configuration backup function allows you to perform the following tasks: • View the configuration file (.cfg file) for the next startup, or the next-startup configuration file. •...

  • Page 85: Saving The Configuration, Operation Guidelines, Operation Procedure

    Figure 57 Restoring the configuration Click the upper Browse button. The file upload dialog box appears. Select the .cfg file to be uploaded, and click Apply. Saving the configuration You can save the running configuration to the next-startup configuration file (.cfg file). Operation guidelines Saving the configuration takes some time.

  • Page 86: Resetting The Configuration

    Figure 58 Saving the configuration To save the configuration in common mode: Select Device > Configuration from the navigation tree. Click the Save tab. Click Save Current Settings. Resetting the configuration Resetting the configuration restores the system to the factory defaults, deletes the current configuration file, and reboots the device.

  • Page 87: Managing Files, Displaying Files, Downloading A File

    Managing files The device saves files such as the host software file and configuration file on its storage media. The file management function allows you to manage the files on the storage media. Displaying files Select Device > File Management from the navigation tree. Figure 60 File management page Select a medium from the Please select disk list.

  • Page 88: Uploading A File, Removing A File

    Select the file from the list. Only one file can be downloaded at a time. Click Download File. The File Download dialog box appears. Open the file or save the file to a specified path. Uploading a file Uploading a file takes some time. HP recommends not performing any operation in the Web interface during the upgrade.

  • Page 89: Managing Ports, Setting Operation Parameters For A Port

    Managing ports You can use the port management feature to set and view the operation parameters of a Layer 2 Ethernet port and an aggregate interface. • For a Layer 2 Ethernet port, these operation parameters include its state, rate, duplex mode, link type, PVID, MDI mode, flow control settings, MAC learning limit, and storm suppression ratios.

  • Page 90

    Click Apply. Table 13 Configuration items Item Description Port State: Enable or disable the port. After you modify the operation parameters of a port, you might need to disable and then enable the port to make the modifications take effect. Set the transmission rate of the port: •...

  • Page 91

    Item Description Set the Medium Dependent Interface (MDI) mode of the port. You can use two types of Ethernet cables to connect Ethernet devices: crossover cable and straight-through cable. To accommodate these two types of cables, an Ethernet port can operate in one of the following MDI modes: across, normal, and auto.

  • Page 92

    Item Description Set broadcast suppression on the port: • ratio—Sets the maximum percentage of broadcast traffic to the total bandwidth of an Ethernet port. When you select this option, you must enter a percentage in the box below. • pps—Sets the maximum number of broadcast packets that can be forwarded on an Ethernet port per second.

  • Page 93: Displaying Port Operation Parameters, Displaying A Specified Operation Parameter For All Ports

    NOTE: If you set operation parameters that a port does not support, you are notified of invalid settings and might fail to set the supported operation parameters for the port or other ports. Displaying port operation parameters Displaying a specified operation parameter for all ports Select Device >...

  • Page 94: Port Management Configuration Example, Network Requirements

    The operation parameter settings of the selected port are displayed on the lower part of the page. Whether the parameter takes effect is displayed in the square brackets. Figure 63 The Detail tab Port management configuration example Network requirements As shown in Figure: • Server A, Server B, and Server C are connected to GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, ...

  • Page 95: Configuring The Switch

    Figure 64 Network diagram Configuring the switch Set the rate of GigabitEthernet 1/0/4 to 1000 Mbps: Select Device > Port Management from the navigation tree. Click the Setup tab to enter the page, as shown in Figure. Select 1000 from the Speed list. Select 4 on the chassis front panel.

  • Page 96

    Figure 65 Configuring the rate of GigabitEthernet 1/0/4 Batch configure the autonegotiation rate range on GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 as 100 Mbps: On the Setup tab, select Auto 100 from the Speed list, as shown in Figure. Select 1, 2, and 3 on the chassis front panel.

  • Page 97

    Figure 66 Batch configuring the port rate Display the rate settings of ports: Click the Summary tab. Click the Speed button to display the rate information of all ports on the lower part of the page, as shown in Figure...

  • Page 98

    Figure 67 Displaying the rate settings of ports...

  • Page 99: Configuring Port Mirroring, Terminology, Mirroring Source, Mirroring Destination, Mirroring Direction, Mirroring Group, Port Mirroring Implementation

    Port mirroring implementation HP 1910 switch series supports local port mirroring, in which case the mirroring source and the mirroring destination are on the same device. A mirroring group that contains the mirroring source and the...

  • Page 100: Configuration Restrictions And Guidelines, Recommended Configuration Procedures, Configuring A Mirroring Group

    Figure 68 Local port mirroring implementation As shown in Figure 68, the source port GigabitEthernet 1/0/1 and monitor port GigabitEthernet 1/0/2 reside on the same device. Packets of GigabitEthernet 1/0/1 are copied to GigabitEthernet 1/0/2, which then forwards the packets to the data monitoring device for analysis. Configuration restrictions and guidelines When you configure port mirroring, follow these restrictions and guidelines: A local mirroring group can contain multiple source ports, but only one monitor port.

  • Page 101: Configuring Ports For The Mirroring Group

    Figure 69 Adding a mirroring group Configure the mirroring group as described in Table. Click Apply. Table 14 Configuration items Item Description Mirroring Group ID: ID of the mirroring group to be added. The range of the mirroring group ID varies with devices. Type: Specify the type of the mirroring group to be added as Local, which indicates adding a local mirroring group.

  • Page 102

    Figure 70 Modifying ports Configure ports for the mirroring group as described in Table. Click Apply. A progress dialog box appears. After the success notification appears, click Close. Table 15 Configuration items Item Description Mirroring Group ID: ID of the mirroring group to be configured. The available groups were added previously.

  • Page 103: Local Port Mirroring Configuration Example, Network Requirements, Configuration Procedure

    Local port mirroring configuration example Network requirements As shown in Figure 71, configure local port mirroring on Switch A so the server can monitor the packets received and sent by the Marketing department and Technical department. Figure 71 Network diagram Configuration procedure Adding a local mirroring group From the navigation tree, select Device >...

  • Page 104

    Figure 72 Adding a local mirroring group Enter 1 for Mirroring Group ID, and select Local from the Type list. Click Apply. Configuring GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as the source ports Click Modify Port. Select 1 – Local from the Mirroring Group ID list. Select Mirror Port from the Port Type list.

  • Page 105

    Figure 73 Configuring the mirroring ports Click Apply. A configuration progress dialog box appears. After the success notification appears, click Close. Configuring GigabitEthernet 1/0/3 as the monitor port Click Modify Port. Select 1 – Local from the Mirroring Group ID list. Select Monitor Port from the Port Type list.

  • Page 106

    Figure 74 Configuring the monitor port Click Apply. A configuration progress dialog box appears. After the success notification appears, click Close.

  • Page 107: Managing Users, Adding A Local User

    Managing users The device provides the following user management functions: • Add a local user, and specify the password, access level, and service types for the user. • Set the super password for non-management-level users to switch to the management level. •...

  • Page 108: Setting The Super Password

    Access Level: Select an access level for the user. Users of different levels can perform different operations. User levels, in order from low to high, are as follows: • Visitor—Visitor-level users can perform only ping and traceroute operations. They cannot access the data on the device or configure the device. •...

  • Page 109: Switching To The Management Level

    Configure the super password as described in Table. Click Apply. Table 17 Configuration items Item Description Create/Remove: Select the operation type: • Create—Configures or modifies the super password. • Remove—Removes the current super password. Password: Set the password for non-management-level users to switch to the management level. Confirm Password: Enter the same password again.

  • Page 110: Configuring A Loopback Test, Overview, Configuration Restrictions And Guidelines, Configuration Procedure

    Configuring a loopback test Overview You can check whether an Ethernet port operates correctly by performing an Ethernet port loopback test. During the test, the port cannot forward data packets correctly. Ethernet port loopback tests are of the following types: • Internal loopback test—Establishes a self loop in the switching chip and checks whether there is a...

  • Page 111

    Figure 78 Loopback test page Select External or Internal for loopback test type. Select an Ethernet interface from the chassis front panel. Click Test. After the test is complete, the system displays the loopback test result, as shown in Figure Figure 79 Loopback test result...

  • Page 112: Configuring Vct, Overview, Testing Cable Status

    Configuring VCT Overview You can use the Virtual Cable Test (VCT) function to check the status of the cable connected to an Ethernet port on the device. The result is returned in less than 5 seconds. The test covers whether short circuit or open circuit occurs on the cable and the length of the faulty cable.

  • Page 113: Configuring The Flow Interval, Overview, Setting The Traffic Statistics Generating Interval, Viewing Port Traffic Statistics

    Configuring the flow interval Overview With the flow interval module, you can view the number of packets and bytes sent/received by a port and the bandwidth utilization of the port over the specified interval. Setting the traffic statistics generating interval Select Device >...

  • Page 114

    Figure 82 Port traffic statistics NOTE: When the bandwidth utilization is lower than 1%, 1% is displayed.

  • Page 115: Configuring Storm Constrain, Overview, Setting The Traffic Statistics Generating Interval

    Configuring storm constrain Overview The storm constrain function suppresses packet storms in an Ethernet. This function compares broadcast, multicast, and unknown unicast traffic regularly with their respective traffic thresholds on an Ethernet port. For each type of traffic, storm constrain provides a lower threshold and a higher threshold. For management purposes, you can configure the port to output threshold event traps and log messages when monitored traffic exceeds the upper threshold or falls below the lower threshold from the upper threshold.

  • Page 116

    Figure 83 The storm constrain tab NOTE: For the sake of network stability, set the traffic statistics generating interval for the storm constrain function to the default or a greater value. Configuring storm constrain Select Device > Storm Constrain from the navigation tree. In the Port Storm Constrain area, click Add.

  • Page 117

    Table 19 Configuration items Item Remarks Specify the action to be performed when a type of traffic exceeds the upper threshold: • None—Performs no action. • Block—Blocks the traffic of this type on a port when the type of traffic exceeds the upper threshold.

  • Page 118: Configuring Rmon, Overview, Working Mechanism, Rmon Groups

    Configuring RMON Overview Remote Monitoring (RMON) is an enhancement to SNMP for remote device management and traffic monitoring. An RMON monitor, typically the RMON agent embedded in a network device, periodically or continuously collects traffic statistics for the network attached to a port, and when a statistic crosses a threshold, logs the crossing event and sends a trap to the management station.

  • Page 119: Alarm Group

    History group The history group defines that the system periodically collects statistics on traffic at an interface and saves them in the history record table (etherHistoryTable), so that the management device can query them conveniently. The statistics include bandwidth utilization, number of error packets, and total number of packets.

  • Page 120: Rmon Configuration Task List

    RMON configuration task list Configuring the RMON statistics function RMON statistics function can be implemented by either the statistics group or the history group, but the objects of the statistics are different. You can choose to configure a statistics group or a history group accordingly.

  • Page 121: Displaying Rmon Running Status

    Table 22 RMON alarm configuration task list Task Remarks Required. You can create up to 100 statistics entries in a statistics table. Because the alarm variables that can be configured through the web interface are MIB variables defined in the history group or the statistics group, you must make sure the RMON Ethernet statistics function or the RMON history statistics function is configured on the monitored Ethernet interface.

  • Page 122: Configuring A Statistics Entry

    Task Remarks Displaying RMON event logs: If you have configured the system to log an event after the event is triggered when you configure the event group, the event is recorded in the RMON log. You can perform this task to display the details of the log table.

  • Page 123: Configuring A History Entry

    Configuring a history entry Select Device > RMON from the navigation tree. Click the History tab. Figure 88 History tab Click Add. Figure 89 Adding a history entry Configure a history entry as described in Table Click Apply. Table 25 Configuration items Item Description Interface Name...

  • Page 124: Configuring An Event Entry

    Configuring an event entry Select Device > RMON from the navigation tree. Click the Event tab. Figure 90 Event tab Click Add. Figure 91 Adding an event entry Configure an event entry as described in Table Click Apply. Table 26 Configuration items Item Description Description...

  • Page 125: Configuring An Alarm Entry

    Configuring an alarm entry Select Device > RMON from the navigation tree. Click the Alarm tab. Figure 92 Alarm tab Click Add. Figure 93 Adding an alarm entry Configure an alarm entry as described in Table Click Apply. Table 27 Configuration items Item Description Alarm variable:...

  • Page 126: Displaying Rmon Statistics

    Interface Name: Set the name of the interface whose traffic statistics will be collected and monitored. Sample Item: Interval: Set the sampling interval. Sample Type: Set the sampling type: • Absolute—Absolute sampling, namely, to obtain the value of the variable when the sampling time is reached.

  • Page 127

    Figure 94 Statistics tab Table 28 Field description Field Description Number of Received Bytes: Total number of octets received by the interface, corresponding to the MIB node etherStatsOctets. Number of Received Packets: Total number of packets received by the interface, corresponding to the MIB node etherStatsPkts.

  • Page 128: Displaying Rmon History Sampling Information

    Number of Network Conflicts: Total number of collisions received on the interface, corresponding to the MIB node etherStatsCollisions. Number of Packet Discarding Events: Total number of drop events received on the interface, corresponding to the MIB node etherStatsDropEvents. Number of Received 64 Bytes Packets: Total number of received packets with 64 octets on the interface, corresponding to the MIB node...

  • Page 129: Displaying Rmon Event Logs

    Table 29 Field description Field Description Number of the entry in the system buffer. Statistics are numbered chronologically when they are saved to the system buffer. Time: Time at which the information is saved. DropEvents: Dropped packets during the sampling period, corresponding to the MIB node etherHistoryDropEvents.

  • Page 130: Rmon Configuration Example

    Figure 96 Log tab In this example, event 1 has generated one log, which is triggered because the alarm value (11779194) exceeds the rising threshold (10000000). The sampling type is absolute. RMON configuration example Network requirements As shown in Figure 97, Agent is connected to a remote NMS across the Internet.

  • Page 131

    Figure 98 Adding a statistics entry Display RMON statistics for interface GigabitEthernet 1/0/1: Click the icon corresponding to GigabitEthernet 1/0/1. View the information as shown in Figure Figure 99 Displaying RMON statistics Create an event to start logging after the event is triggered: Click the Event tab.

  • Page 132

    Figure 100 Configuring an event group Figure 101 Displaying the index of an event entry Configure an alarm group to sample received bytes on GigabitEthernet 1/0/1. When the received bytes exceed the rising or falling threshold, logging is enabled: Click the Alarm tab. Click Add.

  • Page 133

    Figure 102 Configuring an alarm group Verifying the configuration After the above configuration, when the alarm event is triggered, you can view the log information about event 1 on the web interface. Select Device > RMON from the navigation tree. Click the Log tab.

  • Page 134: Configuring Energy Saving, Configuring Energy Saving On A Port

    Configuring energy saving Energy saving enables a port to operate at the lowest transmission speed, disable PoE, or go down during a specific time range on certain days of a week. The port resumes working normally when the effective time period ends. Configuring energy saving on a port Select Device >...

  • Page 135

    Lowest Speed: Set the port to transmit data at the lowest speed. IMPORTANT: If you configure the lowest speed limit on a port that does not support 10 Mbps, the configuration cannot take effect. Shutdown: Shut down the port. IMPORTANT: An energy saving policy can have all the three energy saving schemes configured, of...

  • Page 136: Configuring Snmp, Overview, Snmp Mechanism

    Configuring SNMP Overview Simple Network Management Protocol (SNMP) is an Internet standard protocol widely used for a management station to access and operate the devices on a network, regardless of their vendors, physical characteristics and interconnect technologies. SNMP enables network administrators to read and set the variables on managed devices for state monitoring, troubleshooting, statistics collection, and other management purposes.

  • Page 137: Snmp Protocol Versions, Recommended Configuration Procedure

    • Notifications—Includes traps and informs. The SNMP agent sends traps or informs to report events to the NMS. The difference between these two types of notification is that informs require acknowledgement but traps do not. The device supports only traps. SNMP protocol versions HP supports SNMPv1, SNMPv2c, and SNMPv3.

  • Page 138: Enabling Snmp Agent

    Table 32 SNMPv3 configuration task list Task Remarks Enabling SNMP agent: Required. By default, the SNMP agent function is disabled. IMPORTANT: If SNMP agent is disabled, all SNMP agent-related configurations will be removed. Configuring an SNMP view: Optional. After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.

  • Page 139

    Figure 107 Setup tab Configure SNMP settings on the upper part of the page as described in Table. Click Apply. Table 33 Configuration items Item Description SNMP: Specify whether to enable or disable the SNMP agent. Local Engine ID: Configure the local engine ID. The validity of a user depends on the engine ID of the SNMP agent. If the engine ID when the user is created is not identical to the current engine ID, the user is invalid.

  • Page 140: Configuring An Snmp View, Creating An Snmp View

    Configuring an SNMP view Perform the tasks in this section to configure an SNMP view. Creating an SNMP view Select Device > SNMP from the navigation tree. Click the View tab. The View tab appears. Figure 108 View tab Click Add. The Add View window appears.

  • Page 141: Adding Rules To An Snmp View

    Figure 110 Creating an SNMP view (2) Configure the parameters as described in Table Click Add to add the rule into the list box at the lower part of the page. Repeat steps 6 and 7 to add more rules for the SNMP view. Click Apply.

  • Page 142: Configuring An Snmp Community

    Figure 111 Adding rules to an SNMP view Configure the parameters as described in Table Click Apply. To modify a view, click the icon for the view on the View tab (see Figure 108). Configuring an SNMP community Select Device > SNMP from the navigation tree. Click the Community tab.

  • Page 143: Configuring An Snmp Group

    Figure 113 Creating an SNMP Community Configure the SNMP community as described in Table. Click Apply. Table 35 Configuration items Item Description Community Name: Set the SNMP community name. Access Right: Configure the SNMP NMS access right: • Read only—The NMS can perform read-only operations on the MIB objects when it uses this community name to access the agent.

  • Page 144

    Click Add. The Add SNMP Group page appears. Figure 115 Creating an SNMP group Configure SNMP group as described in Table Click Apply. Table 36 Configuration items Item Description Group Name Set the SNMP group name. Select the security level for the SNMP group: •...

  • Page 145: Configuring An Snmp User

    Configuring an SNMP user Select Device > SNMP from the navigation tree. Click the User tab. The User tab appears. Figure 116 User tab Click Add. The Add SNMP User page appears. Figure 117 Creating an SNMP user Configure the SNMP user as described in Table Click Apply.

  • Page 146: Configuring The Snmp Trap Function

    Table 37 Configuration items Item Description User Name: Set the SNMP user name. Security Level: Select the security level for the SNMP group. Available security levels are: • NoAuth/NoPriv—No authentication, no privacy. • Auth/NoPriv—Authentication without privacy. • Auth/Priv—Authentication and privacy. Select an SNMP group to which the user belongs: •...

  • Page 147

    Figure 118 Trap tab Select Enable SNMP Trap. Click Apply to enable the SNMP trap function. Click Add. The page for adding a target host of SNMP traps appears. Figure 119 Adding a target host of SNMP traps Configure the settings for the target host as described in Table Click Apply.

  • Page 148: Displaying Snmp Packet Statistics

    UDP Port: Set the UDP port number. IMPORTANT: The default port number is 162, which is the SNMP-specified port used for receiving traps on the NMS. Generally (for example, when using IMC or MIB Browser as the NMS), you can use the default port number.

  • Page 149: Snmpv1/v2c Configuration Example

    Select Device > SNMP from the navigation tree. The SNMP configuration page appears. Select the Enable option, and select the v1 and v2c options. Set Hewlett-Packard Development Company, L.P. as the contact person, and HP as the physical location. Click Apply.

  • Page 150

    Enter public in the Community Name field, and select Read only from the Access Right list. Click Apply. Figure 123 Configuring an SNMP read-only community Configure a read and write community: Click Add on the Community tab page. The Add SNMP Community page appears. Enter private in the Community Name field, and select Read and write from the Access Right list.

  • Page 151

    Figure 125 Enabling SNMP traps Configure a target host for SNMP traps: Click Add on the Trap tab page. The page for adding a target host of SNMP traps appears. Type 1.1.1.2 in the following field, type public in the Security Name field, and select v1 from the Security Model list.

  • Page 152: Snmpv3 Configuration Example

    Enable SNMP agent: Select Device > SNMP from the navigation tree. The SNMP configuration page appears. Select the Enable option, and select the v3 option. Set Hewlett-Packard Development Company, L.P. as the contact person, and HP as the physical location. Click Apply.

  • Page 153

    Figure 128 Configuring the SNMP agent Configure an SNMP view: Click the View tab. Click Add. The page for creating an SNMP view appears. Type view1 in the View Name field. Click Apply. The page in Figure 130 appears. Select the Included option, type the MIB subtree OID interfaces, and click Add. Click Apply.

  • Page 154

    Figure 130 Creating an SNMP view (2) Configure an SNMP group: Click the Group tab. Click Add. The page in Figure 131 appears. Type group1 in the Group Name field, select view1 from the Read View list, select view1 from the Write View list.

  • Page 155

    Authentication Password and Confirm Authentication Password fields, select DES56 from the Privacy Mode list, and type prikey in the Privacy Password and Confirm Privacy Password fields. Click Apply. Figure 132 Creating an SNMP user Enable SNMP traps: Click the Trap tab. The Trap tab page appears.

  • Page 156

    Configure a target host for SNMP traps: Click Add on the Trap tab page. The page for adding a target host of SNMP traps appears. Type 1.1.1.2 in the following field, type user1 in the Security Name field, select v3 from the Security Model list, and select Auth/Priv from the Security Level list.

  • Page 157: Displaying Interface Statistics, Overview, Configuration Procedure

    Displaying interface statistics Overview The interface statistics module displays statistics about the packets received and sent through interfaces. Configuration procedure From the navigation tree, select Device > Interface Statistics to enter the interface statistics display page, as shown in Figure 135.

  • Page 158

    Field Description OutErrors Number of invalid packets sent through the interface...

  • Page 159: Configuring Vlans, Overview, Vlan Fundamentals

    Configuring VLANs Overview Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect (CSMA/CD) mechanism. As the medium is shared, collisions and excessive broadcasts are common on an Ethernet. To address the issue, virtual LAN (VLAN) was introduced to break a LAN down into separate VLANs.

  • Page 160: Vlan Types

    Figure 137 Traditional Ethernet frame format IEEE 802.1Q inserts a four-byte VLAN tag after the DA&SA field, as shown in Figure 138. Figure 138 Position and format of VLAN tag A VLAN tag comprises the following fields: tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID.

  • Page 161: Port-based Vlan

    Port-based VLAN Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN. Port link type You can configure the link type of a port as access, trunk, or hybrid. The link types use the following VLAN tag handling methods: Access—An access port can forward packets from only one specific VLAN and send these packets •...

  • Page 162: Recommended Vlan Configuration Procedures, Assigning An Access Port To A Vlan

    Actions by port link type (Access, Trunk, Hybrid): • Access—Removes the tag and sends the frame if the frame carries the PVID tag and the port belongs to the PVID. • Trunk/Hybrid—Sends the frame if its VLAN is permitted on the port. The frame is sent with the VLAN...

  • Page 163: Assigning A Trunk Port To A Vlan, Assigning A Hybrid Port To A Vlan

    Assigning a trunk port to a VLAN Step Remarks Creating VLANs: Required. Create one or multiple VLANs. Configuring the link type of a port: Optional. Configure the link type of the port as trunk. By default, the link type of a port is access. Configure the PVID of...: Required.

  • Page 164: Creating Vlans

    Step Remarks Configuring the link type of a port: Optional. Configure the link type of the port as hybrid. If you configure multiple untagged VLANs for a trunk port at the same time, the trunk port automatically becomes a hybrid port. By default, the link type of a port is access.

  • Page 165: Configuring The Link Type Of A Port

    Figure 139 Creating VLANs Table 40 Configuration items Item Description VLAN IDs: IDs of the VLANs to be created. • ID—Select the ID of the VLAN whose description string is to be modified. Click the ID of the VLAN to be modified in the list in the middle of the page. • Modify the description of the...

  • Page 166: Setting The Pvid For A Port

    Figure 140 Modifying ports You can also configure the link type of a port on the Setup tab of Device > Port Management. For more information, see "Managing ports." Setting the PVID for a port Select Network > VLAN from the navigation tree. Click the Modify Port tab.

  • Page 167: Selecting Vlans

    Figure 141 Modifying the PVID for a port You can also configure the PVID of a port on the Setup tab of Device > Port Management. For more information, see "Managing ports." Selecting VLANs Select Network > VLAN from the navigation tree. The Select VLAN tab is displayed by default for you to select VLANs.

  • Page 168: Modifying A Vlan

    Select the Display all VLANs option to display all VLANs or select the Display a subnet of all configured VLANs option to enter the VLAN IDs to be displayed. Click Select. Modifying a VLAN Select Network > VLAN from the navigation tree. Click Modify VLAN to enter the page for modifying a VLAN.

  • Page 169: Modifying Ports

    Item Description Select membership type: Set the member type of the port to be modified in the VLAN: • Untagged—Configure the port to send the traffic of the VLAN after removing the VLAN tag. • Tagged—Configure the port to send the traffic of the VLAN without removing the VLAN tag.

  • Page 170: Vlan Configuration Example, Network Requirements, Configuring Switch A

    Table 42 Configuration items Item Description Select Ports: Select the ports to be modified. Select membership type: Set the member types of the selected ports to be modified in the specified VLANs: • Untagged—Configure the ports to send the traffic of the VLANs after removing the VLAN tags.

  • Page 171

    Figure 146 Configuring GigabitEthernet 1/0/1 as a trunk port and its PVID as 100 Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100: Select Network > VLAN from the navigation tree. Click Create to enter the page for creating VLANs. Enter VLAN IDs 2, 6-50, 100.

  • Page 172

    Figure 147 Creating VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 Assign GigabitEthernet 1/0/1 to VLAN 100 as an untagged member: Click Select VLAN to enter the page for selecting VLANs. Select the option before Display a subnet of all configured VLANs and enter 1-100 in the field. Click Select.

  • Page 173

    A configuration progress dialog box appears. After the configuration process is complete, click Close. Figure 149 Assigning GigabitEthernet 1/0/1 to VLAN 100 as an untagged member Assign GigabitEthernet 1/0/1 to VLAN 2, and VLAN 6 through VLAN 50 as a tagged member: Click Modify Port to enter the page for modifying the VLANs to which a port belongs.

  • Page 174: Configuring Switch B, Configuration Guidelines

    Figure 150 Assigning GigabitEthernet 1/0/1 to VLAN 2 and to VLANs 6 through 50 as a tagged member Configuring Switch B Configure Switch B in the same way Switch A is configured. Configuration guidelines Follow these guidelines when you configure VLANs: •...

  • Page 175: Configuring Vlan Interfaces, Overview, Creating A Vlan Interface

    Configuring VLAN interfaces Overview For hosts of different VLANs to communicate at Layer 3, you can use VLAN interfaces. VLAN interfaces are virtual interfaces used for Layer 3 communication between different VLANs. They do not exist as physical entities on devices. For each VLAN, you can create one VLAN interface. You can assign the VLAN interface an IP address and specify the IP address as the gateway address for the devices in the VLAN, so that traffic can be routed to other IP subnets.

  • Page 176

    Figure 151 Creating a VLAN interface Configure the VLAN interface as described in Table Click Apply. Table 43 Configuration items Item Description Input a VLAN ID: Enter the ID of the VLAN interface to be created. Before creating a VLAN interface, make sure that the corresponding VLAN exists.

  • Page 177: Modifying A Vlan Interface

    Item Description Auto / Manual: Configure the way in which the VLAN interface obtains an IPv6 link-local address. Select the Auto or Manual option: • Auto—The device automatically assigns a link-local address for the VLAN interface based on the link-local address prefix... Configure IPv6 Link...: These items are available after you select the Manual...

  • Page 178

    Table 44 Configuration items Item Description Select VLAN Interface: Select the VLAN interface to be configured. The VLAN interfaces available for selection in the list are those created on the page for creating VLAN interfaces. DHCP / BOOTP: Configure the way in which the VLAN interface gets an IPv4 address. Allow the VLAN interface to obtain an IP address automatically by selecting the DHCP or BOOTP option, or manually assign the VLAN interface an IP address by selecting...

  • Page 179

    Item Description Auto / Manual: Configure the way in which the VLAN interface obtains an IPv6 link-local address. Select the Auto or Manual option: • Auto—The device automatically assigns a link-local address for the VLAN interface according to the link-local address prefix (FE80::/64) and the link-layer address of the VLAN interface.

  • Page 180

    • For IPv6 link-local address configuration, manual assignment takes precedence over automatic generation. If you first adopt the manual assignment and then the automatic generation, the automatically generated link-local address will not take effect and the link-local address of the interface is still the manually assigned one.

  • Page 181: Configuring A Voice Vlan, Overview, Oui Addresses

    Configuring a voice VLAN Overview The voice technology is developing quickly, and more and more voice devices are in use. In broadband communities, data traffic and voice traffic are usually transmitted in the network at the same time. Usually, voice traffic needs higher priority than data traffic to reduce the transmission delay and packet loss ratio. A voice VLAN is configured for voice traffic.

  • Page 182: Voice Vlan Assignment Modes

    Voice VLAN assignment modes A port connected to a voice device, an IP phone for example, can be assigned to a voice VLAN in one of the following modes: • Automatic mode—The system matches the source MAC addresses in the protocol packets (untagged packets) sent by the IP phone upon its power-on against the OUI list.

  • Page 183: Security Mode And Normal Mode Of Voice Vlans

    • IP phones send tagged voice traffic. Table 46 Required configurations on ports of different link types for them to support tagged voice traffic: Port link type | Voice VLAN assignment mode supported for tagged voice traffic | Configuration requirements. Access: In automatic mode, the PVID of the port cannot be the voice VLAN.

  • Page 184: Recommended Voice Vlan Configuration Procedure

    • Normal mode—In this mode, both voice packets and non-voice packets are allowed to pass through a voice VLAN-enabled inbound port. When receiving a voice packet, the port forwards it without checking its source MAC address against the OUI addresses configured for the device. If the PVID of the port is the voice VLAN and the port operates in manual VLAN assignment mode, the port forwards all received untagged packets in the voice VLAN.

  • Page 185: Configuring Voice Vlan Globally

    Recommended configuration procedure for a port in automatic voice VLAN assignment mode Step Remarks Configuring voice VLAN globally: (Optional.) Configure the voice VLAN to operate in security mode and configure the aging timer. Configuring voice VLAN on ports: (Required.) Configure the voice VLAN assignment mode of a port as automatic and enable the voice VLAN function on the port.

  • Page 186: Configuring Voice Vlan On Ports

    Click the Setup tab. Figure 155 Configuring voice VLAN Configure the global voice VLAN settings as described in Table Click Apply. Table 49 Configuration items Item Description Select Enable or Disable in the list to enable or disable the voice VLAN security mode.

  • Page 187: Adding Oui Addresses To The Oui List

    Configure the voice VLAN function for ports as described in Table Click Apply. Table 50 Configuration items Item Description Voice VLAN port mode: Set the voice VLAN assignment mode of a port to: • Auto—Automatic voice VLAN assignment mode • Manual—Manual voice VLAN assignment mode. Voice VLAN port state: Select Enable or Disable in the list to enable or disable the voice VLAN function...

  • Page 188: Voice Vlan Configuration Examples

    Click Apply. Table 51 Configuration items Item Description OUI Address Set the source MAC address of voice traffic. Mask Set the mask length of the source MAC address. Description Set the description of the OUI address entry. Voice VLAN configuration examples Configuring voice VLAN on a port in automatic voice VLAN assignment mode Network requirements...

  • Page 189

    Figure 159 Creating VLAN 2 Configure GigabitEthernet 1/0/1 as a hybrid port: Select Device > Port Management from the navigation tree. Click the Setup tab. Select Hybrid from the Link Type list. Select GigabitEthernet 1/0/1 from the chassis front panel. Click Apply.

  • Page 190

    Figure 160 Configuring GigabitEthernet 1/0/1 as a hybrid port Configure the voice VLAN function globally: Select Network > Voice VLAN from the navigation tree. Click the Setup tab. Select Enable in the Voice VLAN security list. Set the voice VLAN aging timer to 30 minutes. Click Apply.

  • Page 191

    Select Enable in the Voice VLAN port state list. Enter voice VLAN ID 2. Select GigabitEthernet 1/0/1 on the chassis front panel. Click Apply. Figure 162 Configuring voice VLAN on GigabitEthernet 1/0/1 Add OUI addresses to the OUI list: Click the OUI Add tab. Enter OUI address 0011-2200-0000.

  • Page 192: Configuring A Voice Vlan On A Port In Manual Voice Vlan Assignment Mode

    Verifying the configuration When the preceding configurations are completed, the OUI Summary tab is displayed by default, as shown in Figure 164. You can view the information about the newly-added OUI address. Figure 164 Displaying the current OUI list of the device Click the Summary tab, where you can view the current voice VLAN information.

  • Page 193

    • The IP phone connected to hybrid port GigabitEthernet 1/0/1 sends untagged voice traffic. • GigabitEthernet 1/0/1 operates in manual voice VLAN assignment mode and allows voice packets whose source MAC addresses match the OUI addresses specified by OUI address 0011-2200-0000 and mask ffff-ff00-0000 to pass through.

  • Page 194

    Click the Setup tab. Select Hybrid from the Link Type list. Select the PVID box and enter 2 in the field. Select GigabitEthernet 1/0/1 from the chassis front panel. Click Apply. Figure 168 Configuring GigabitEthernet 1/0/1 as a hybrid port Assign GigabitEthernet 1/0/1 to VLAN 2 as an untagged member: Select Network >...

  • Page 195

    Figure 169 Assigning GigabitEthernet 1/0/1 to VLAN 2 as an untagged member Configure voice VLAN on GigabitEthernet 1/0/1: Select Network > Voice VLAN from the navigation tree. Click the Port Setup tab. Select Manual in the Voice VLAN port mode list. Select Enable in the Voice VLAN port state list.

  • Page 196

    Figure 170 Configuring voice VLAN on GigabitEthernet 1/0/1 Add OUI addresses to the OUI list: Click the OUI Add tab. Enter OUI address 0011-2200-0000. Select FFFF-FF00-0000 as the mask. Enter description string test. Click Apply. Figure 171 Adding OUI addresses to the OUI list Verifying the configuration When the preceding configurations are complete, the OUI Summary tab is displayed by default, as shown in...

  • Page 197

    Figure 172 Displaying the current OUI list of the device Click the Summary tab, where you can view the current voice VLAN information. Figure 173 Displaying the current voice VLAN information Configuration guidelines When you configure the voice VLAN function, follow these guidelines: •...

  • Page 198: Configuring Mac Address Tables, Overview, How A Mac Address Table Entry Is Created

    Configuring MAC address tables MAC address configurations related to interfaces apply only to Layer 2 Ethernet interfaces. This document covers only the management of unicast MAC address entries, including static, dynamic, and blackhole MAC address entries. Overview To reduce single-destination packet flooding in a switched LAN, an Ethernet device uses a MAC address table to forward frames.

  • Page 199: Types Of Mac Address Table Entries, Displaying And Configuring Mac Address Entries

    Types of MAC address table entries A MAC address table can contain the following types of entries: • Static entries—Manually added and never age out. • Dynamic entries—Manually added or dynamically learned, and might age out. • Blackhole entries—Manually configured and never age out. Blackhole entries are configured for...

  • Page 200: Setting The Aging Time Of Mac Address Entries

    Figure 175 Creating a MAC address entry Configure a MAC address entry as described in Table Click Apply. Table 52 Configuration items Item Description Set the MAC address to be added. Set the type of the MAC address entry: • Static—Static MAC address entries that never age out.

  • Page 201: Mac Address Configuration Example

    Figure 176 Setting the aging time for MAC address entries Configure the aging time for MAC address entries as described in Table Click Apply. Table 53 Configuration items Item Description No-aging Specify that the MAC address entry never ages out. Aging time Set the aging time for the MAC address entry MAC address configuration example...

  • Page 202

    Figure 177 Creating a static MAC address entry...

  • Page 203: Configuring Mstp, Stp Protocol Packets, Basic Concepts In Stp

    Configuring MSTP As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by selectively blocking redundant links in a network, and in the meantime allows for link redundancy. Like many other protocols, STP evolves as the network grows. The later versions of STP are Rapid Spanning Tree Protocol (RSTP) and Multiple Spanning Tree Protocol (MSTP).

  • Page 204: How Stp Works

    Root port On a non-root bridge, the port nearest to the root bridge is the root port. The root port communicates with the root bridge. Each non-root bridge has only one root port. The root bridge has no root port. Designated bridge and designated port Classification Designated bridge...

  • Page 205

    • Root bridge ID—Consisting of the priority and MAC address of the root bridge. • Root path cost—Cost of the path to the root bridge. • Designated bridge ID—Consisting of the priority and MAC address of the designated bridge. • Designated port ID—Designated port priority plus port name. •...

  • Page 206

    Step Description The device compares the calculated configuration BPDU with the configuration BPDU on the port of which the port role is to be defined, and acts depending on the comparison result: • If the calculated configuration BPDU is superior, the device considers this port as the designated port, and replaces the configuration BPDU on the port with the calculated configuration BPDU, which will be sent out periodically.

  • Page 207

    Figure 179 STP network As shown in Figure 179, the priority values of Device A, Device B, and Device C are 0, 1, and 2, and the path costs of links among the three devices are 5, 10 and 4, respectively. The spanning tree calculation process is as follows: Device state initialization.

  • Page 208

    Table 57 Comparison process and result on each device: Device | Comparison process | Configuration BPDU on ports after comparison. • Port AP1 receives the configuration BPDU of Device B {1, 0, 1, BP1}. Device A finds that the configuration BPDU of the local port {0, 0, 0, AP1} is superior to the received configuration BPDU, and it discards the received configuration BPDU.

  • Page 209

    Device | Comparison process | Configuration BPDU on ports after comparison. After comparison: • The configuration BPDU of CP1 is elected as the optimum configuration BPDU, so CP1 is identified as the root port, the configuration BPDUs of which will not be changed. • Root port CP1: {0, 0, 0, AP2} •...

  • Page 210: Rstp

    STP configuration BPDU forwarding mechanism The configuration BPDUs of STP are forwarded according to these guidelines: • Upon network initiation, every device regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular hello interval. • If the root port received a configuration BPDU and the received configuration BPDU is superior to...

  • Page 211: Mstp, Mstp Features, Mstp Basic Concepts

    MSTP MSTP overcomes the following STP and RSTP limitations: • STP limitations—STP does not support rapid state transition of ports. A newly elected port must wait twice the forward delay time before it transits to the forwarding state, even if it connects to a point-to-point link or is an edge port.

  • Page 212

    Figure 181 Basic concepts in MSTP Figure 182 Network diagram and topology of MST region 3 MST region A multiple spanning tree region (MST region) consists of multiple devices in a switched network and the network segments among them. All these devices have the following characteristics: A spanning tree protocol enabled.

  • Page 213

    • Same VLAN-to-instance mapping configuration. • Same MSTP revision level. • Physically linked together. Multiple MST regions can exist in a switched network. You can assign multiple devices to the same MST region. In Figure 181, the switched network comprises four MST regions, MST region 1 through MST region 4, and all devices in each MST region have the same MST region configuration.

  • Page 214

    Port roles A port can play different roles in different MSTIs. As shown in Figure 183, an MST region has Device A, Device B, Device C, and Device D. Port A1 and port A2 of Device A connect to the common root bridge. Port B2 and Port B3 of Device B form a loop.

  • Page 215: How Mstp Works

    • Forwarding—The port receives and sends BPDUs, learns MAC addresses, and forwards user traffic. • Learning—The port receives and sends BPDUs, learns MAC addresses, but does not forward user traffic. Learning is an intermediate port state. • Discarding—The port receives and sends BPDUs, but does not learn MAC addresses or forward...

  • Page 216: Mstp Implementation On Devices, Protocols And Standards, Configuration Restrictions And Guidelines, Recommended Mstp Configuration Procedure

    MSTP implementation on devices MSTP is compatible with STP and RSTP. STP and RSTP protocol packets can be recognized by devices running MSTP and used for spanning tree calculation. In addition to basic MSTP functions, the device provides the following functions for ease of management: • Root bridge hold...

  • Page 217: Configuring An Mst Region

    Step Remarks Configuring MSTP globally: Required. Enable STP globally and configure MSTP parameters. By default, STP is disabled globally. All MSTP parameters have default values. Configuring MSTP on a port: Optional. Enable MSTP on a port and configure MSTP parameters. By default, MSTP is enabled on a port, and all MSTP parameters adopt the default values.

  • Page 218: Configuring Mstp Globally

    Figure 185 Configuring an MST region Configure the MST region information as described in Table 59, and click Apply. Table 59 Configuration items Item Description Region Name: MST region name. By default, the MST region name is the bridge MAC address of the device.

  • Page 219

    Figure 186 Configuring MSTP globally Configure the global MSTP configuration as described in Table 60, and then click Apply. Table 60 Configuration items Item Description Enable STP Globally: Select whether to enable STP globally. Other MSTP configurations take effect only after you enable STP globally. Select whether to enable BPDU guard.

  • Page 220

    Item Description Mode: Set the operating mode of STP: • STP—Each port on a device sends out STP BPDUs. • RSTP—Each port on a device sends out RSTP BPDUs, and automatically migrates to STP-compatible mode when detecting that it is connected with a device running STP.

  • Page 221: Configuring Mstp On A Port

    Item Description Select whether to enable TC-BPDU guard. When receiving topology change (TC) BPDUs, the device flushes its forwarding address entries. If someone forges TC-BPDUs to attack the device, the device will receive a large number of TC-BPDUs within a short time and frequently flush its forwarding address entries.

  • Page 222

    Item Description Protection: Set the type of protection to be enabled on the port: • Not Set—No protection is enabled on the port. • Edged Port, Root Protection, Loop Protection—For more information, see Table. Set the priority and path cost of the port in the current MSTI. •...

  • Page 223: Displaying Mstp Information Of A Port

    Table 62 Protection types Protection type Description Edged Port: Set the port as an edge port. Some ports of access layer devices are directly connected to PCs or file servers, which cannot generate BPDUs. You can set these ports as edge ports to achieve fast transition for these ports.

  • Page 224

    Figure 188 The port summary tab Table 63 Field description Field Description [FORWARDING]: The port is in forwarding state, so the port learns MAC addresses and forwards user traffic. [LEARNING]: The port is in learning state, so the port learns MAC addresses but does not forward user traffic.

  • Page 225: Mstp Configuration Example, Network Requirements

    Field Description Point-to-point: Whether the port is connected to a point-to-point link: • Config—The configured value. • Active—The actual value. Transmit Limit: Maximum number of packets sent within each Hello time. Protection Type: Protection type on the port: • Root—Root guard • Loop—Loop guard •...

  • Page 226: Configuration Procedure

    • All devices on the network are in the same MST region. • Packets of VLAN 10, VLAN 20, VLAN 30, and VLAN 40 are forwarded along MSTI 1, MSTI 2, MSTI 3, and MSTI 0, respectively. • Switch A and Switch B operate at the distribution layer; Switch C and Switch D operate at the...

  • Page 227

    Select Manual. Select 1 from the Instance ID list. Set the VLAN ID to 10. Click Apply. The system maps VLAN 10 to MSTI 1 and adds the VLAN-to-instance mapping entry to the VLAN-to-instance mapping list. Repeat the preceding three steps to map VLAN 20 to MSTI 2 and VLAN 30 to MSTI 3 and add the VLAN-to-instance mapping entries to the VLAN-to-instance mapping list.

  • Page 228

    Figure 192 Configuring MSTP globally (on Switch A) Configuring Switch B Configure an MST region on the switch in the same way the MST region is configured on Switch Configure MSTP globally: From the navigation tree, select Network > MSTP. Click the Global tab.

  • Page 229

    Configuring Switch C Configure an MST region on the switch in the same way the MST region is configured on Switch Configure MSTP globally: From the navigation tree, select Network > MSTP. Click Global. Select Enable from the Enable STP Globally list. Select MSTP from the Mode list.

  • Page 230

    Figure 193 Configuring MSTP globally (on Switch D)

  • Page 231: Configuring Link Aggregation And Lacp, Overview, Basic Concepts

    Configuring link aggregation and LACP Overview Ethernet link aggregation bundles multiple physical Ethernet links into one logical link, called an aggregate link. Link aggregation has the following benefits: • Increased bandwidth beyond the limits of any single link. In an aggregate link, traffic is distributed across the member ports.

  • Page 232: Link Aggregation Modes

    Configuration classes Port configurations include the following classes: • Class-two configurations—A member port can be placed in Selected state only if it has the same class-two configurations as the aggregate interface. Table 64 Class-two configurations Type Considerations Port isolation: Whether a port has joined an isolation group, and the isolation group that the port belongs to. Permitted VLAN IDs, port VLAN ID (PVID), link type (trunk, hybrid, or access), IP...

  • Page 233

    exceeded, place the candidate selected ports with smaller port numbers in the Selected state and those with greater port numbers in the Unselected state. Place the member ports in the Unselected state if all the member ports are down. Place the ports that cannot aggregate with the reference port in the Unselected state, for example, as a result of the inter-board aggregation restriction.

  • Page 234: Configuration Procedures, Creating A Link Aggregation Group

    Configuration procedures Configuring a static aggregation group Step Remarks Creating a link aggregation group: Create a static aggregate interface and configure member ports for the static aggregation group. By default, no link aggregation group exists. Displaying aggregate interface information: (Optional.) Display detailed information of an existing aggregation group.

  • Page 235: Displaying Aggregate Interface Information

    Figure 194 Create a link aggregation group Configure a link aggregation group. Click Apply. Table 65 Configuration items Item Description Enter Link Aggregation Interface ID: Assign an ID to the link aggregation group to be created. You can view the result in the Summary area at the bottom of the page. Set the type of the link aggregation interface to be created: •...

  • Page 236

    Choose an aggregate interface from the list. The list on the lower part of the page displays the detailed information about the member ports of the link aggregation group. Figure 195 Displaying information of an aggregate interface Table 66 Field description Field Description Type and ID of the aggregate interface.

  • Page 237: Setting Lacp Priority, Displaying Lacp-enabled Port Information

    Setting LACP priority From the navigation tree, select Network > LACP. Click Setup to enter the page shown in Figure 196. Figure 196 The Setup tab In the Set LACP enabled port(s) parameters area, set the port priority, and select the ports in the chassis front panel.

  • Page 238

    Detailed information about the peer port will be displayed on the lower part of the page. Table 69 describes the fields. Figure 197 Displaying the information of LACP-enabled ports Table 68 Field description Field Description Unit: ID of a device in an IRF. Port: Port where LACP is enabled.

  • Page 239: Link Aggregation And Lacp Configuration Example

    Field Description Partner Port State: States of the peer port: • A—LACP is enabled. • B—LACP short timeout. If B does not appear, it indicates LACP long timeout. • C—The sending system considers the link aggregatable. • D—The sending system considers the link synchronized. •...

  • Page 240

    Enter link aggregation interface ID 1. Select the Static (LACP Disabled) option for the aggregate interface type. Select GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 on the chassis front panel. Click Apply. Figure 199 Creating static link aggregation group 1 Method 2: Create dynamic link aggregation group 1 From the navigation tree, select Network >...

  • Page 241

    Figure 200 Creating dynamic link aggregation group 1 Configuration guidelines When you configure a link aggregation group, follow these guidelines: • In an aggregation group, a Selected port must have the same port attributes and class-two configurations as the reference port. To keep these configurations consistent, you should configure the port manually.

  • Page 242

    aggregation, make sure that the peer ports of the ports aggregated at one end are also aggregated. The two ends can automatically negotiate the aggregation state of each member port. • Removing a Layer 2 aggregate interface also removes its aggregation group and causes all...

  • Page 243: Configuring Lldp, Overview, Basic Concepts

    Configuring LLDP Overview In a heterogeneous network, a standard configuration exchange platform ensures that different types of network devices from different vendors can discover one another and exchange configuration for the sake of interoperability and management. The Link Layer Discovery Protocol (LLDP) is specified in IEEE 802.1AB. The protocol operates on the data link layer to exchange device information between directly connected devices.

  • Page 244

    Field Description Data LLDP data. Frame check sequence, a 32-bit CRC value used to determine the validity of the received Ethernet frame. LLDPDUs encapsulated in SNAP Figure 202 LLDPDU encapsulated in SNAP Table 71 Description of the fields in a SNAP-encapsulated LLDPDU Field Description MAC address to which the LLDPDU is advertised.

  • Page 245

    LLDPDU TLVs include the following categories: basic management TLVs, organizationally (IEEE 802.1 and IEEE 802.3) specific TLVs, and LLDP-MED (media endpoint discovery) TLVs. Basic management TLVs are essential to device management. Organizationally specific TLVs and LLDP-MED TLVs are used for enhanced device management;...

  • Page 246

    NOTE: • HP devices only support receiving protocol identity TLVs. • Layer 3 Ethernet interfaces do not support IEEE 802.1 organizationally specific TLVs. IEEE 802.3 organizationally specific TLVs Table 74 IEEE 802.3 organizationally specific TLVs Type Description MAC/PHY Configuration/Status: Contains the rate and duplex capabilities of the sending port, support for MAC/PHY auto negotiation, enabling status of auto negotiation, and the current rate...

  • Page 247: Operating Modes Of Lldp, How Lldp Works

    Type Description Software Revision Allows a terminal device to advertise its software version. Serial Number Allows a terminal device to advertise its serial number. Manufacturer Name Allows a terminal device to advertise its vendor name. Model Name Allows a terminal device to advertise its model name. Allows a terminal device to advertise its asset ID.

  • Page 248: Compatibility Of Lldp With Cdp, Protocols And Standards, Recommended Lldp Configuration Procedure

    • The LLDP operating mode of the port changes from Disable/Rx to TxRx or Tx. This is the fast sending mechanism of LLDP. With this mechanism, a specific number of LLDPDUs are sent successively at the 1-second interval to help LLDP neighbors discover the local device as soon as possible. Then, the normal LLDPDU transit interval resumes.

  • Page 249: Enabling Lldp On Ports

    Step: Setting LLDP parameters on ports. Remarks: (Optional.) LLDP settings include LLDP operating mode, packet encapsulation, CDP compatibility, device information polling, trapping, and advertisable TLVs. The default settings are as follows: • The LLDP operating mode is TxRx. • The encapsulation format is Ethernet II. •...

  • Page 250: Setting Lldp Parameters On Ports, Setting Lldp Parameters For A Single Port

    Figure 204 The Port Setup tab Setting LLDP parameters on ports The web interface allows you to set LLDP parameters for a single port and set LLDP parameters for multiple ports in batch. Setting LLDP parameters for a single port Select Network >...

  • Page 251

    Figure 205 Modifying LLDP settings on a port Modify the LLDP parameters for the port as described in Table Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.

  • Page 252

    Item Description LLDP Operating Mode: Set the LLDP operating mode on the port or ports you are configuring. Available options include: • TxRx—Sends and receives LLDPDUs. • Tx—Sends but does not receive LLDPDUs. • Rx—Receives but does not send LLDPDUs. • Disable—Neither sends nor receives LLDPDUs. Set the encapsulation for LLDPDUs.

  • Page 253: Setting Lldp Parameters For Ports In Batch

    Item Description DOT1 TLV Setting: • Port VLAN ID—Select to include the PVID TLV in transmitted LLDPDUs. • Protocol VLAN ID—Select to include port and protocol VLAN ID TLVs in transmitted LLDPDUs and specify the VLAN IDs to be advertised. If no VLAN is specified, the lowest protocol VLAN ID is transmitted. • Select to include VLAN name TLVs in transmitted LLDPDUs and specify the VLAN IDs to be advertised.

  • Page 254: Configuring Lldp Globally

    Click Modify Selected to enter the page for modifying these ports in batch. Figure 206 Modifying LLDP settings on ports in batch Set the LLDP settings for these ports as described in Table Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.

  • Page 255

    Figure 207 The Global Setup tab Set the global LLDP setup as described in Table Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds. Table 77 Configuration items Item Description LLDP Enable...

  • Page 256: Displaying Lldp Information For A Port

    Item Description Set the TTL multiplier. The TTL TLV carried in an LLDPDU determines how long the device information carried in the LLDPDU can be saved on a recipient device. You can configure the TTL of locally sent LLDPDUs to determine how long information about the local device can be saved on a neighbor device by setting the TTL multiplier.

  • Page 257

    By default, the Local Information tab is displayed, as shown in Figure 208. Table 78 describes the fields. Figure 208 The Local Information tab Table 78 Field description Field Description Port ID representation: • Interface alias. • Port component. • MAC address.

  • Page 258

    Field Description Power priority: Power supply priority on a PSE: • Unknown—Unknown priority. • Critical—Priority 1. • High—Priority 2. • Low—Priority 3. Media policy type: Media policy type: • Unknown. • Voice. • Voice signaling. • Guest voice. • Guest voice signaling. •...

  • Page 259

    Table 79 Field description Field Description Chassis type: Chassis ID representation: • Chassis component. • Interface alias. • Port component. • MAC address. • Network address. • Interface name. • Locally assigned—Locally-defined chassis type other than those listed above. Port ID representation: •...

  • Page 260

    Field Description Power priority: Power supply priority on a PD: • Unknown—Unknown priority. • Critical—Priority 1. • High—Priority 2. • Low—Priority 3. PD requested power value: Power (in watts) required by the PD that connects to the port. PSE allocated power value: Power (in watts) supplied by the PSE to the connecting port.

  • Page 261

    Field Description SerialNum: The serial number advertised by the neighbor. Manufacturer name: The manufacturer name advertised by the neighbor. Model name: The model name advertised by the neighbor. Asset tracking identifier: Asset ID advertised by the neighbor. This ID is used for the purpose of inventory management and asset tracking.

  • Page 262: Displaying Global Lldp Information

    Figure 211 The Status Information tab Displaying global LLDP information Select Network > LLDP from the navigation tree. Click the Global Summary tab to display global local LLDP information and statistics, as shown in Figure 212. Table 80 describes the fields. Figure 212 The Global Summary tab...

  • Page 263: Displaying Lldp Information Received From Lldp Neighbors

    Table 80 Field description Field Description Chassis ID: The local chassis ID depending on the chassis type defined. System capabilities supported: The primary network function advertised by the local device: • Repeater. • Bridge. • Router. The enabled network function advertised by the local device: •...

  • Page 264: Lldp Configuration Examples, Lldp Basic Settings Configuration Example

    Figure 213 The Neighbor Summary tab LLDP configuration examples LLDP basic settings configuration example Network requirements As shown in Figure 214, configure LLDP on Switch A and Switch B so that the network management station (NMS) can determine the status of the link between Switch A and MED and the link between Switch A and Switch B.

  • Page 265

    Select ports GigabitEthernet1/0/1 and GigabitEthernet1/0/2. Click Modify Selected. The page shown in Figure 216 appears. Figure 215 The Port Setup tab Select Rx from the LLDP Operating Mode list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.

  • Page 266

    Figure 216 Setting LLDP on multiple ports Enable global LLDP: Click the Global Setup tab. Select Enable from the LLDP Enable list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.

  • Page 267

    Configuring Switch B Enable LLDP on port GigabitEthernet 1/0/1. (Optional. By default, LLDP is enabled on Ethernet ports.) Set the LLDP operating mode to Tx on GigabitEthernet 1/0/1: Select Network > LLDP from the navigation tree. By default, the Port Setup tab is displayed. Click the icon for port GigabitEthernet1/0/1.

  • Page 268

    By default, the Port Setup tab is displayed. Click the GigabitEthernet1/0/1 port name in the port list. Click the Status Information tab at the lower half of the page. The output shows that port GigabitEthernet 1/0/1 is connected to an MED neighbor device. Figure 219 Viewing the status of port GigabitEthernet 1/0/1 Display the status information of port GigabitEthernet1/0/2 on Switch A: Click the GigabitEthernet1/0/2 port name in the port list.

  • Page 269: Cdp-compatible Lldp Configuration Example

    Figure 221 Viewing the updated port status information CDP-compatible LLDP configuration example Network requirements As shown in Figure 222, on Switch A, configure VLAN 2 as a voice VLAN and configure CDP-compatible LLDP to enable the Cisco IP phones to automatically configure the voice VLAN, confining their voice traffic within the voice VLAN to be separate from other types of traffic.

  • Page 270

    Figure 223 Creating VLANs Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as trunk ports: Select Device > Port Management from the navigation tree. Click the Setup tab to enter the page for configuring ports. Select Trunk in the Link Type list. Select port GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 from the chassis front panel.

  • Page 271

    Figure 224 Configuring ports Configure the voice VLAN function on the two ports: Select Network > Voice VLAN from the navigation tree. Click the Port Setup tab to enter the page for configuring the voice VLAN function on ports. Select Auto in the Voice VLAN port mode list, select Enable in the Voice VLAN port state list, enter the voice VLAN ID 2, and select port GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 from the chassis front panel.

  • Page 272

    Figure 225 Configuring the voice VLAN function on ports Enable LLDP on ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. Skip this step if LLDP is enabled (the default). Set both the LLDP operating mode and the CDP operating mode to TxRx on ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2: Select Network >...

  • Page 273

    Figure 226 Selecting ports Select TxRx from the LLDP Operating Mode list, and select TxRx from the CDP Operating Mode list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.

  • Page 274

    Figure 227 Modifying LLDP settings on ports Enable global LLDP and CDP compatibility of LLDP: Click the Global Setup tab. Select Enable from the LLDP Enable list. Select Enable from the CDP Compatibility list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.

  • Page 275: Lldp Configuration Guidelines

    Figure 228 Enabling global LLDP and CDP compatibility Verifying the configuration Display information about LLDP neighbors on Switch A after completing the configuration. You can see that Switch A has discovered the Cisco IP phones attached to ports GigabitEthernet1/0/1 and GigabitEthernet1/0/2 and obtained their device information.

  • Page 276: Configuring Arp, Overview, Arp Message Format, Arp Operating Mechanism

    Configuring ARP This chapter describes how to configure the Address Resolution Protocol (ARP). Overview ARP resolves IP addresses into MAC addresses on Ethernet networks. ARP message format ARP messages are classified into ARP requests and ARP replies. Figure 229 shows the format of the ARP request/reply messages.

  • Page 277: Arp Table

    Host A looks in its ARP table to see whether there is an ARP entry for Host B. If yes, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame. Then Host A sends the frame to Host B.

  • Page 278: Gratuitous Arp, Configuring Arp Entries, Displaying Arp Entries

    Dynamic ARP entry ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging timer expires or the output interface goes down. In addition, a dynamic ARP entry can be overwritten by a static ARP entry. Static ARP entry A static ARP entry is manually configured and maintained.

  • Page 279: Creating A Static Arp Entry

    Figure 231 ARP table configuration page Creating a static ARP entry From the navigation tree, select Network > ARP Management. The ARP Table page appears, as shown in Figure 231. Click Add. The New Static ARP Entry page appears. Figure 232 Adding a static ARP entry...

  • Page 280: Removing Arp Entries, Configuring Gratuitous Arp

    Configure the static ARP entry as described in Table Click Apply. Table 81 Configuration items Item Description IP Address: Enter an IP address for the static ARP entry. MAC Address: Enter a MAC address for the static ARP entry. VLAN ID (Advanced): Enter a VLAN ID and specify a port for the static ARP entry. IMPORTANT:...

  • Page 281: Static Arp Configuration Example, Network Requirements, Configuring Switch A

    Item Description Send gratuitous ARP packets when receiving ARP requests from another network segment: Enable the device to send gratuitous ARP packets upon receiving ARP requests from another network segment. By default, the device does not send gratuitous ARP packets upon receiving ARP requests from another network segment.

  • Page 282

    Figure 235 Creating VLAN 100 Add GigabitEthernet 1/0/1 to VLAN 100: Click the Modify Port tab. Select interface GigabitEthernet 1/0/1 in the Select Ports area. Select the Untagged option in the Select membership type area. Enter 100 for VLAN IDs. Click Apply.

  • Page 283

    Figure 236 Adding GigabitEthernet 1/0/1 to VLAN 100 Create VLAN-interface 100: From the navigation tree, select Network > VLAN Interface. Click the Create tab. Enter 100 for VLAN ID. Select the Configure Primary IPv4 Address box. Select the Manual option. Enter 192.168.1.2 for IPv4 Address, and enter 24 or 255.255.255.0 for Mask Length.

  • Page 284

    Figure 237 Creating VLAN-interface 100 Create a static ARP entry: From the navigation tree, select Network > ARP Management. The ARP Table page appears. Click Add. Enter 192.168.1.1 for IP Address, enter 00e0-fc01-0000 for MAC Address. Select the Advanced Options box. Enter 100 for VLAN ID.

  • Page 285: Configuring Arp Attack Protection, Overview, User Validity Check, Arp Packet Validity Check, Configuring Arp Detection

    Configuring ARP attack protection Overview Although ARP is easy to implement, it provides no security mechanism and thus is vulnerable to network attacks. The ARP detection feature enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks. ARP detection provides user validity check and ARP packet validity check.

  • Page 286

    Figure 239 ARP detection configuration page Configure ARP detection as described in Table Click Apply. Table 83 Configuration items Item Description VLAN Settings: Select VLANs on which ARP detection is to be enabled. To add VLANs to the Enabled VLANs list, select one or multiple VLANs from the Disabled VLANs list and click the <<...

  • Page 287: Configuring Igmp Snooping, Overview, Basic Igmp Snooping Concepts

    Configuring IGMP snooping Overview IGMP snooping runs on a Layer 2 switch as a multicast constraining mechanism to improve multicast forwarding efficiency. It creates Layer 2 multicast forwarding entries from IGMP packets that are exchanged between the hosts and the router. As shown in Figure 240, when IGMP snooping is not enabled, the Layer 2 switch floods multicast packets...

  • Page 288

    Figure 241 IGMP snooping related ports The following describes the ports involved in IGMP snooping: • Router port—Layer 3 multicast device-side port. Layer 3 multicast devices include designated routers and IGMP queriers. In Figure 241, GigabitEthernet 1/0/1 of Switch A and GigabitEthernet 1/0/1 of Switch B are router ports.

  • Page 289: How Igmp Snooping Works

    NOTE: In IGMP snooping, only dynamic ports age out. Static ports never age out. How IGMP snooping works The ports in this section are dynamic ports. IGMP messages include general query, IGMP report, and leave message. An IGMP snooping-enabled switch performs differently depending on the message. General query The IGMP querier periodically sends IGMP general queries to all hosts and routers identified by the address 224.0.0.1 on the local subnet to determine whether any active multicast group members exist on...

  • Page 290: Protocols And Standards, Recommended Configuration Procedure

    An IGMPv2 or IGMPv3 host sends an IGMP leave message to the multicast router when it leaves a multicast group. When the switch receives an IGMP leave group message on a member port, the switch first examines whether a forwarding entry matches the group address in the message, and, if a match is found, determines whether the forwarding entry for the group contains the dynamic member port.

  • Page 291: Enabling Igmp Snooping Globally, Configuring Igmp Snooping In A Vlan

    Step: Configuring IGMP snooping port functions. Remarks: Optional. Configure the maximum number of multicast groups and fast-leave processing on a port of the specified VLAN. IMPORTANT: • Enable IGMP snooping globally before you enable it on a port. • IGMP snooping enabled on a port takes effect only after IGMP snooping is enabled for the VLAN.

  • Page 292

    Figure 243 Configuring IGMP snooping in a VLAN Configure the parameters as described in Table Click Apply. Table 84 Configuration items Item Description IGMP snooping: Enable or disable IGMP snooping in the VLAN. You can proceed with the subsequent configurations only if Enable is selected here.

  • Page 293: Configuring Igmp Snooping Port Functions

    Item Description Enable or disable the IGMP snooping querier function. In an IP multicast network that runs IGMP, a Layer 3 device is elected as the IGMP querier to send IGMP queries, so that all Layer 3 multicast devices can establish and maintain multicast forwarding entries, ensuring correct multicast traffic forwarding at the network layer.

  • Page 294: Displaying Igmp Snooping Multicast Forwarding Entries

    Table 85 Configuration items Item Description Select the port on which advanced IGMP snooping features will be configured. The port can be an Ethernet port or Layer 2 aggregate interface. After a port is selected, advanced features configured on this port are displayed at the lower part of this page.

  • Page 295: Igmp Snooping Configuration Example

    Figure 246 Displaying detailed information about the entry Table 86 Field description Field Description VLAN ID: ID of the VLAN to which the entry belongs. Source Address: Multicast source address. If no multicast sources are specified, this field displays 0.0.0.0. Group Address: Multicast group address.

  • Page 296

    Configuration procedure Configuring Router A Enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on Ethernet 1/1. (Details not shown.) Configuring Switch A Create VLAN 100: Select Network > VLAN from the navigation tree. Click the Create tab. Enter 100 as the VLAN ID.

  • Page 297

    Figure 249 Assigning ports to the VLAN Enable IGMP snooping globally: Select Network > IGMP snooping from the navigation tree. Select Enable. Click Apply. Figure 250 Enabling IGMP snooping globally Enable IGMP snooping and the function of dropping unknown multicast data for VLAN 100:...

  • Page 298: Verifying The Configuration

    Click the icon for VLAN 100. Select Enable for IGMP snooping. Select 2 for Version. Select Enable for Drop Unknown. Click Apply. Figure 251 Configuring IGMP snooping in VLAN 100 Verifying the configuration Select Network > IGMP snooping from the navigation tree. Click Show Entries in the basic VLAN configuration page to display information about IGMP snooping multicast forwarding entries.

  • Page 299

    Figure 253 Displaying detailed information about the entry The output shows that GigabitEthernet 1/0/3 of Switch A is listening to multicast streams destined for the multicast group 224.1.1.1.

  • Page 300: Configuring Mld Snooping, Overview, Basic Mld Snooping Concepts

    Configuring MLD snooping Overview MLD snooping runs on a Layer 2 switch as an IPv6 multicast constraining mechanism to improve multicast forwarding efficiency. It creates Layer 2 multicast forwarding entries from MLD messages that are exchanged between the hosts and the router. As shown in Figure 254, when MLD snooping is not enabled, the Layer 2 switch floods IPv6 multicast...

  • Page 301

    Figure 255 MLD snooping related ports The following describes the ports involved in MLD snooping: • Router port—Layer 3 multicast device-side port. Layer 3 multicast devices include designated routers and MLD queriers. As shown in Figure 255, GigabitEthernet 1/0/1 of Switch A and GigabitEthernet 1/0/1 of Switch B are router ports.

  • Page 302: How Mld Snooping Works

    Timer: Dynamic member port aging timer. Description: When a port dynamically joins an IPv6 multicast group, the switch sets an aging timer for the port. Message received before the timer expires: MLD membership report. Action after the timer expires: The switch removes this port from the MLD...

  • Page 303: Recommended Configuration Procedure, Protocols And Standards

    A switch does not forward an MLD report through a non-router port. If the switch forwards a report through a member port, the MLD report suppression mechanism causes all attached hosts that monitor the reported IPv6 multicast group address to suppress their own reports. In this case, the switch cannot determine whether the reported IPv6 multicast group still has active members attached to that port.

  • Page 304: Enabling Mld Snooping Globally

    Step: Configuring MLD snooping in a VLAN. Remarks: Required. Enable MLD snooping in the VLAN and configure the MLD snooping version and querier. By default, MLD snooping is disabled in a VLAN. IMPORTANT: • Enable MLD snooping globally before you enable it for a VLAN. •...

  • Page 305: Configuring Mld Snooping In A Vlan

    Configuring MLD snooping in a VLAN Select Network > MLD snooping from the navigation tree. Click the icon for the VLAN. Figure 257 Configuring MLD snooping in a VLAN Configure the parameters as described in Table Click Apply. Table 87 Configuration items Item Description Enable or disable MLD snooping in the VLAN.

  • Page 306: Configuring Mld Snooping Port Functions

    Item Description Drop Unknown: Enable or disable the function of dropping unknown IPv6 multicast packets. Unknown IPv6 multicast data refers to IPv6 multicast data for which no entries exist in the MLD snooping forwarding table. • If the function of dropping unknown IPv6 multicast data is enabled, the switch forwards the unknown IPv6 multicast packets to the router ports instead of flooding them in the VLAN.

  • Page 307

    Figure 258 Configuring MLD snooping port functions Configure the parameters as described in Table Click Apply. Table 88 Configuration items Item Description Select the port on which advanced MLD snooping features will be configured. The port can be an Ethernet port or Layer 2 aggregate interface. After a port is selected, advanced features configured on this port are displayed at the lower part of this page.

  • Page 308: Displaying Mld Snooping Multicast Forwarding Entries

    Item Description Enable or disable fast-leave processing on the port. When a port that is enabled with the MLD snooping fast-leave processing feature receives an MLD done message, the switch immediately deletes that port from the IPv6 forwarding table entry for the IPv6 multicast group specified in the message. When the switch receives MLD multicast-address-specific queries for that multicast group, it does not forward them to that port.

  • Page 309: Mld Snooping Configuration Example, Configuration Procedure

    Field Description Group Address IPv6 multicast group address. Router Ports All router ports. Member Ports All member ports. MLD snooping configuration example Network requirements As shown in Figure 261, MLDv1 runs on Router A and MLDv1 snooping runs on Switch A. Router A acts as the MLD querier.

  • Page 310

    Figure 262 Creating VLAN 100 Assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 100: Click the Modify Port tab. Select GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 in the Select Ports field. Select Untagged for Select membership type. Enter 100 as the VLAN ID. Click Apply.

  • Page 311

    Figure 263 Assigning ports to VLAN 100 Enable MLD snooping globally: Select Network > MLD snooping from the navigation tree. Select Enable. Click Apply. Figure 264 Enabling MLD snooping globally Enable MLD snooping and the function of dropping unknown IPv6 multicast data for VLAN 100: Click the icon for VLAN 100.

  • Page 312

    Select 1 for Version. Select Enable for Drop Unknown. Click Apply. Figure 265 Enabling MLD snooping in the VLAN Verifying the configuration Select Network > MLD snooping from the navigation tree. Click Show Entries in the basic VLAN configuration page to display information about MLD snooping multicast forwarding entries.

  • Page 313

    Figure 267 Displaying detailed information about the entry The output shows that GigabitEthernet 1/0/3 of Switch A is listening to multicast streams destined for the IPv6 multicast group FF1E::101.

  • Page 314: Configuring Ipv4 And Ipv6 Routing, Overview, Routing Table, Static Route

    Configuring IPv4 and IPv6 routing The term "router" in this document refers to both routers and Layer 3 switches. Overview A router selects an appropriate route according to the destination address of a received packet and forwards the packet to the next router. The last router on the path is responsible for sending the packet to the destination host.

  • Page 315: Default Route, Displaying The Ipv4 Active Route Table

    Static routes cannot adapt to network topology changes. If a fault or a topological change occurs in the network, the network administrator must modify the static routes manually. Default route A default route is used to forward packets that do not match any specific routing entry in the routing table. Without a default route, a packet that does not match any routing entries is discarded and an Internet Control Message Protocol (ICMP) destination-unreachable packet is sent to the source.

  • Page 316: Creating An Ipv4 Static Route

    Field Description Next Hop: Next hop IP address of the IPv4 route. Interface: Output interface of the IPv4 route. Packets destined for the specified network segment will be sent out of the interface. Creating an IPv4 static route Select Network > IPv4 Routing from the navigation tree. Click the Create tab.

  • Page 317: Displaying The Ipv6 Active Route Table

    Item Description Preference: Set a preference value for the static route. The smaller the number, the higher the preference. For example, specifying the same preference for multiple static routes to the same destination enables load sharing on the routes. Specifying different preferences enables route backup.

  • Page 318: Creating An Ipv6 Static Route

    Field Description Interface: Output interface of the IPv6 route. Packets destined for the specified network segment will be sent out of the interface. Creating an IPv6 static route Select Network > IPv6 Routing from the navigation tree. Click the Create tab. The page for configuring an IPv6 static route appears.

  • Page 319: Ipv4 Static Route Configuration Example

    Item Description Preference: Set a preference value for the static route. The smaller the number, the higher the preference. For example, specifying the same preference for multiple static routes to the same destination enables load sharing on the routes. Specifying different priorities for them enables route backup.

  • Page 320

    Figure 273 Configuring a default route Configure a static route to Switch A and Switch C on Switch B: Select Network > IPv4 Routing from the navigation tree of Switch B. Click the Create tab. The page for configuring a static route appears. Enter 1.1.2.0 for Destination IP Address, 24 for Mask, and 1.1.4.1 for Next Hop.

  • Page 321

    Figure 274 Configuring a static route Enter 1.1.3.0 for Destination IP Address, enter 24 for Mask, and enter 1.1.5.6 for Next Hop. Click Apply. Configure a default route to Switch B on Switch C: Select Network > IPv4 Routing from the navigation tree of Switch C. Click the Create tab.

  • Page 322

    Figure 275 Configuring a default route Verifying the configuration Display the routing table. Enter the IPv4 route page of Switch A, Switch B, and Switch C to verify that the newly configured static routes are displayed as active routes on the page. Ping Host C from Host A (assuming both hosts run Windows XP): C:\Documents and Settings\Administrator>ping 1.1.3.2 Pinging 1.1.3.2 with 32 bytes of data:...

  • Page 323: Ipv6 Static Route Configuration Example, Network Requirements, Configuration Considerations, Configuration Procedure

    IPv6 static route configuration example Network requirements As shown in Figure 276, configure IPv6 static routes on Switch A, Switch B, and Switch C for any two hosts to communicate with each other. Figure 276 Network diagram (diagram labels: Host B 2::2/64, Vlan-int400 2::1/64, Vlan-int200...)

  • Page 324

    Figure 277 Configuring a default route Configure a static route to Switch A and Switch C on Switch B: Select Network > IPv6 Routing from the navigation tree of Switch B. Click the Create tab. The page for configuring a static route appears. Enter 1:: for Destination IP Address, select 64 from the Prefix Length list, and enter 4::1 for Next Hop.

  • Page 325

    Figure 278 Configuring a static route Enter 3:: for Destination IP Address, select 64 from the Prefix Length list, and enter 5::1 for Next Hop. Click Apply. Configure a default route to Switch B on Switch C: Select Network > IPv6 Routing from the navigation tree of Switch C. Click the Create tab.

  • Page 326

    Figure 279 Configuring a default route
    Verifying the configuration
    Display the routing table. Enter the IPv6 route page of Switch A, Switch B, and Switch C respectively to verify that the newly configured static routes are displayed as active routes on the page.
    Ping Host C from Switch A:
    <SwitchA>...

  • Page 327

    0.00% packet loss
    round-trip min/avg/max = 62/62/63 ms
    Configuration guidelines
    When you configure a static route, follow these guidelines:
    • If you do not specify the preference, the default preference will be used. Reconfiguration of the default preference applies only to newly created static routes. The Web interface does not support configuration of the default preference.

  • Page 328: IPv6 Management, Enabling IPv6 Service

    IPv6 management
    IPv6, also called IP next generation (IPng), was designed by the IETF as the successor to IPv4. One significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits. To configure basic IPv6 settings, enable the IPv6 service function first.

  • Page 329: DHCP Overview, DHCP Address Allocation, Allocation Mechanisms

    DHCP overview
    The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. DHCP uses the client-server model. Figure 281 shows a typical DHCP application. A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on another subnet through a DHCP relay agent.

  • Page 330: Dynamic IP Address Allocation Process, IP Address Lease Extension

    Dynamic IP address allocation process
    Figure 282 Dynamic IP address allocation process
    The client broadcasts a DHCP-DISCOVER message to locate a DHCP server. A DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message.

  • Page 331: DHCP Message Format

    DHCP message format
    Figure 283 gives the DHCP message format, which is based on the BOOTP message format and involves eight types. These types of messages have the same format except that some fields have different values. The numbers in parentheses indicate the size of each field in bytes.
    Figure 283 DHCP message format

  • Page 332: DHCP Options, Common DHCP Options, Relay Agent Option (Option 82)

    DHCP options
    DHCP uses the same message format as BOOTP, but DHCP uses the Option field to carry information for dynamic address allocation and to provide additional configuration information to clients.
    Figure 284 DHCP option format
    Common DHCP options
    Common DHCP options:
    • Option 3—Router option.

  • Page 333

    The administrator can locate the DHCP client to further implement security control and accounting. The Option 82 supporting server can also use such information to define individual assignment policies of IP address and other parameters for the clients. Option 82 can include at most 255 sub-options and must have at least one sub-option. Option 82 supports two sub-options: sub-option 1 (Circuit ID) and sub-option 2 (Remote ID).

  • Page 334: Configuring DHCP Relay Agent, Overview, Operation

    Configuring DHCP relay agent
    Overview
    The DHCP relay agent enables clients to get IP addresses from a DHCP server on another subnet. This feature avoids deploying a DHCP server on each subnet, which centralizes management and reduces cost. Figure 287 shows a typical application of the DHCP relay agent.

  • Page 335

    Figure 288 DHCP relay agent operation
    Recommended configuration procedure
    Step: Enabling DHCP and configuring advanced parameters for the DHCP relay agent
    Remarks: (Required) Enable DHCP globally and configure advanced DHCP parameters. By default, global DHCP is disabled.
    Step: Creating a DHCP server group
    Remarks: (Required) To improve reliability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group.

  • Page 336: Enabling DHCP And Configuring Advanced Parameters For The DHCP Relay Agent

    Enabling DHCP and configuring advanced parameters for the DHCP relay agent
    Select Network > DHCP from the navigation tree to enter the DHCP Relay page. Click Display Advanced Configuration to expand the advanced DHCP relay agent configuration area.
    Figure 289 DHCP relay agent configuration page
    Enable the DHCP service and configure advanced parameters for the DHCP relay agent as described in Table 94.

  • Page 337: Creating A DHCP Server Group

    Table 94 Configuration items
    Item: DHCP Service
    Description: Enable or disable global DHCP.
    Item: Unauthorized Server Detect
    Description: Enable or disable unauthorized DHCP server detection. There are unauthorized DHCP servers on networks, which reply to DHCP clients with wrong IP addresses. With this feature enabled, upon receiving a DHCP request, the DHCP relay agent will record the IP address of any DHCP server that assigned an IP address to the DHCP...

  • Page 338: Enabling The DHCP Relay Agent On An Interface

    Click Apply.
    Table 95 Configuration items
    Item: Server Group ID
    Description: Enter the ID of a DHCP server group. You can create up to 20 DHCP server groups.
    Item: IP Address
    Description: Enter the IP address of a server in the DHCP server group. The server IP address cannot be on the same subnet as the IP address of the DHCP relay agent;...

  • Page 339: Configuring And Displaying Clients' IP-to-MAC Bindings

    Configuring and displaying clients' IP-to-MAC bindings
    Select Network > DHCP from the navigation tree to enter the DHCP Relay page shown in Figure 289. In the User Information area, click User Information to view static and dynamic bindings.
    Figure 292 Displaying clients' IP-to-MAC bindings
    Click Add to enter the page for creating a static IP-to-MAC binding.

  • Page 340: DHCP Relay Agent Configuration Example, Network Requirements, Configuring Switch A

    DHCP relay agent configuration example
    Network requirements
    As shown in Figure 294, VLAN-interface 1 on the DHCP relay agent (Switch A) connects to the network where the DHCP clients reside. VLAN-interface 2 is connected to the DHCP server whose IP address is 10.1.1.1/24.

  • Page 341

    Figure 295 Enabling DHCP
    Configure a DHCP server group: In the Server Group area, click Add. On the page that appears, enter 1 for Server Group ID, and enter 10.1.1.1 for IP Address. Click Apply.
    Figure 296 Adding a DHCP server group
    Enable the DHCP relay agent on VLAN-interface 1: In the Interface Config field, click the icon for VLAN-interface 1.

  • Page 342

    On the page that appears, select the Enable option next to DHCP Relay and select 1 for Server Group ID. Click Apply.
    Figure 297 Enabling the DHCP relay agent on an interface and correlating it with a server group
    NOTE: Because the DHCP relay agent and server are on different subnets, you need to configure a static route or a dynamic routing protocol to make them reachable to each other.

  • Page 343: Configuring DHCP Snooping, Overview, Application Of Trusted Ports

    Configuring DHCP snooping
    DHCP snooping works between the DHCP client and server, or between the DHCP client and DHCP relay agent. It guarantees that DHCP clients obtain IP addresses from authorized DHCP servers. Also, it records IP-to-MAC bindings of DHCP clients (called DHCP snooping entries) for security purposes. DHCP snooping does not work between the DHCP server and DHCP relay agent.

  • Page 344: DHCP Snooping Support For Option 82

    In a cascaded network as shown in Figure 299, configure each DHCP snooping device's ports connected to other DHCP snooping devices as trusted ports. To save system resources, you can disable the untrusted ports that are not directly connected to DHCP clients from generating DHCP snooping entries.

  • Page 345: Enabling DHCP Snooping, Recommended Configuration Procedure

    Table 99 Handling strategy of DHCP snooping support for Option 82
    If a DHCP request has… | Handling strategy | The DHCP snooping device…
    Option 82 | Drop | Drops the message.
    Option 82 | Keep | Forwards the message without changing Option 82.
    Option 82 | Replace | Forwards the message after replacing the original Option 82 with the Option 82 padded in normal format.

  • Page 346: Configuring DHCP Snooping Functions On An Interface

    Figure 300 DHCP snooping configuration page
    Configuring DHCP snooping functions on an interface
    Select Network > DHCP from the navigation tree. Click the DHCP Snooping tab to enter the page shown in Figure 300. Click the icon for a specific interface in the Interface Config area.
    Figure 301 DHCP snooping interface configuration page
    Configure DHCP snooping on the interface as described in Table 100.

  • Page 347: Displaying DHCP Snooping Entries

    Table 100 Configuration items
    Item: Interface Name
    Description: Displays the name of a specific interface.
    Item: Interface State
    Description: Configure the interface as trusted or untrusted.
    Item: Option 82 Support
    Description: Configure DHCP snooping to support Option 82 or not.
    Item: Option 82 Strategy
    Description: Select the handling strategy for DHCP requests containing Option 82. The strategies include: •...

  • Page 348: DHCP Snooping Configuration Example, Network Requirements, Configuring Switch B

    DHCP snooping configuration example
    Network requirements
    As shown in Figure 303, a DHCP snooping device (Switch B) is connected to a DHCP server through GigabitEthernet 1/0/1, and to DHCP clients through GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3. Enable DHCP snooping on Switch B and configure DHCP snooping to support Option 82.
    • ...

  • Page 349

    Figure 304 Enabling DHCP snooping
    Configure DHCP snooping functions on GigabitEthernet 1/0/1: Click the icon for GigabitEthernet 1/0/1 on the interface list. Select the Trust option next to Interface State. Click Apply.
    Figure 305 Configuring DHCP snooping functions on GigabitEthernet 1/0/1
    Configure DHCP snooping functions on GigabitEthernet 1/0/2: Click the icon for GigabitEthernet 1/0/2 on the interface list.

  • Page 350

    Figure 306 Configuring DHCP snooping functions on GigabitEthernet 1/0/2
    Configure DHCP snooping functions on GigabitEthernet 1/0/3: Click the icon for GigabitEthernet 1/0/3 on the interface list. Select the Untrust option for Interface State, select the Enable option next to Option 82 Support, and select Replace for Option 82 Strategy.

  • Page 351: Managing Services, Overview

    Managing services
    Overview
    The service management module provides six types of services: FTP, Telnet, SSH, SFTP, HTTP and HTTPS. You can enable or disable the services as needed. Disabling services that are not needed improves the performance and security of the system and allows the device to be managed securely. The service management module also lets you modify the HTTP and HTTPS port numbers and associate the FTP, HTTP, or HTTPS service with an ACL, which reduces attacks on these services by unauthorized users.

  • Page 352

    • Defines a certificate attribute-based access control policy for the device to control the access rights of the client, in order to further avoid attacks from illegal clients.
    Managing services
    Select Network > Service from the navigation tree. The service management configuration page appears.
    Figure 308 Service management
    Manage services as described in Table...

  • Page 353

    Item: Enable HTTP service
    Description: Enable or disable the HTTP service. The HTTP service is enabled by default.
    Item: Port Number
    Description: Set the port number for the HTTP service. You can view this configuration item by clicking the expand button in front of HTTP. IMPORTANT: HTTP...

  • Page 354: Using Diagnostic Tools, Ping, Traceroute

    Using diagnostic tools
    Ping
    Use ping to determine if a specific address is reachable. Ping operates as follows: The source device sends ICMP echo requests (ECHO-REQUEST) to the destination device. The destination device responds by sending ICMP echo replies (ECHO-REPLY) to the source device after receiving the ICMP echo requests.

  • Page 355: Ping Operation, IPv4 Ping Operation

    The source device sends a packet with a TTL value of 2 to the destination device. The second hop responds with a TTL-expired ICMP message. In this way, the source device gets the address of the second device. The above process continues until the packet reaches the destination device. The destination device responds with a port-unreachable ICMP message to the source.

  • Page 356: IPv6 Ping Operation

    Figure 310 IPv4 ping operation result
    IPv6 ping operation
    From the navigation tree, select Network > Diagnostic Tools. Click the IPv6 Ping tab. The IPv6 ping configuration page appears.
    Figure 311 IPv6 ping configuration page
    Enter the IPv6 address or the host name of the destination device in the Destination IPv6 address or host name field.

  • Page 357: Traceroute Operation, IPv4 Traceroute Operation

    Figure 312 IPv6 ping operation result
    Traceroute operation
    Before performing a traceroute operation, perform the following tasks:
    • Enable sending of ICMP timeout packets by executing the ip ttl-expires enable command on intermediate devices.
    • Enable sending of ICMP destination unreachable packets by executing the ip unreachables enable...

  • Page 358: IPv6 Traceroute Operation

    Enter the IPv4 address or host name of the destination device in the Destination IP address or host name field. Click Start to execute the traceroute command. View the operation result in the Summary area.
    Figure 314 IPv4 traceroute operation result
    IPv6 traceroute operation
    From the navigation tree, select Network >...

  • Page 359

    View the operation result in the Summary area.
    Figure 316 IPv6 traceroute operation result...

  • Page 360: Configuring 802.1X, Overview, 802.1X Architecture, Access Control Methods

    Configuring 802.1X
    Overview
    802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for the security of WLANs. It has been widely used on Ethernet for access control. 802.1X controls network access by authenticating devices connected to the 802.1X-enabled LAN ports.
    802.1X architecture
    802.1X operates in the client/server model.

  • Page 361: Controlled/uncontrolled Port And Port Authorization Status, 802.1X-related Protocols

    Controlled/uncontrolled port and port authorization status
    802.1X defines two logical ports for the network access port: controlled port and uncontrolled port. Any packet arriving at the network access port is visible to both logical ports.
    • Controlled port—Allows incoming and outgoing traffic to pass through when it is in the authorized state, and denies incoming and outgoing traffic when it is in the unauthorized state, as shown in Figure 318.

  • Page 362: Packet Formats

    Packet formats
    EAP packet format
    Figure 319 shows the EAP packet format.
    Figure 319 EAP packet format (fields: Code, Identifier, Length, Data)
    • Code—Type of the EAP packet. Options include Request (1), Response (2), Success (3), or Failure (4).
    • Identifier—Used for matching Responses with Requests.
    • ...

  • Page 363: EAP Over RADIUS, Initiating 802.1X Authentication

    Value: 0x02
    Type: EAPOL-Logoff
    Description: The client sends an EAPOL-Logoff message to tell the network access device that it is logging off.
    • Length—Data length in bytes, or length of the Packet body. If the packet type is EAPOL-Start or EAPOL-Logoff, this field is set to 0, and no Packet body field follows.
    • Packet body—Content of the packet.

  • Page 364: 802.1X Authentication Procedures

    Access device as the initiator
    The access device initiates authentication if a client cannot send EAPOL-Start packets. One example is the 802.1X client available with Windows XP. The access device supports the following modes:
    • Multicast trigger mode—The access device multicasts Identity EAP-Request packets periodically...

  • Page 365

    Comparing EAP relay and EAP termination
    When configuring EAP relay or EAP termination, consider the following factors:
    • The support of the RADIUS server for EAP packets.
    • The authentication methods supported by the 802.1X client and the RADIUS server.
    If the client is using only MD5-Challenge EAP authentication or the "username + password"...

  • Page 366

    Figure 325 802.1X authentication procedure in EAP relay mode
    When a user launches the 802.1X client software and enters a registered username and password, the 802.1X client software sends an EAPOL-Start packet to the network access device. The network access device responds with an Identity EAP-Request packet to ask for the client username.

  • Page 367

    The authentication server compares the received encrypted password with the one it generated at step 5. If the two are identical, the authentication server considers the client valid and sends a RADIUS Access-Accept packet to the network access device. Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client, and sets the controlled port in the authorized state so the client can access the network.

  • Page 368: 802.1X Timers

    Figure 326 802.1X authentication procedure in EAP termination mode
    In EAP termination mode, the network access device rather than the authentication server generates an MD5 challenge for password encryption (see Step 4). The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.

  • Page 369: Using 802.1X Authentication With Other Features

    • Handshake timer—Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device receives no response after sending the maximum number of handshake requests, it considers that the client has logged off.

  • Page 370

    Authentication status: No 802.1X user has performed authentication within 90 seconds after 802.1X is enabled
    VLAN manipulation: The device assigns the 802.1X guest VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the guest VLAN. If no 802.1X guest VLAN is configured, the access device does not perform any VLAN operation.

  • Page 371: Configuration Prerequisites, Recommended Configuration Procedure, Configuring 802.1X Globally

    NOTE: The network device assigns a hybrid port to an 802.1X Auth-Fail VLAN as an untagged member.
    ACL assignment
    You can specify an ACL for an 802.1X user to control its access to network resources. After the user passes 802.1X authentication, the authentication server, either the local access device or a RADIUS server, assigns the ACL to the port to filter the traffic from this user.

  • Page 372

    Figure 327 802.1X global configuration
    In the 802.1X Configuration area, select the Enable 802.1X box. Select an authentication method from the Authentication Method list.
    Authentication Method list:
    • CHAP—Sets the access device to perform EAP termination and use CHAP to communicate with the RADIUS server.

  • Page 373: Configuring 802.1X On A Port, Configuration Guidelines, Configuration Procedure

    Table 104 Configuration items
    Item: Quiet
    Description: Specify whether to enable the quiet timer. The quiet timer enables the network access device to wait a period of time defined by the Quiet Period option before it can process any authentication request from a client that has failed an 802.1X authentication.

  • Page 374

    The Ports With 802.1X Enabled area displays the port-specific 802.1X configuration. In the Ports With 802.1X Enabled area, click Add. Configure 802.1X features on a port as shown in Figure 329, and then click Apply.
    Figure 329 Configuring 802.1X on a port
    Table 105 describes the configuration items.

  • Page 375: Configuring An 802.1X Guest VLAN, Configuring An Auth-Fail VLAN

    Item: Enable Re-Authentication
    Description: Select the box to enable periodic online user re-authentication on the port. Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL and VLAN.

  • Page 376: Configuration Examples, MAC-based 802.1X Configuration Example

    Configuration examples
    MAC-based 802.1X configuration example
    Network requirements
    As shown in Figure 330, the access device performs 802.1X authentication for users that connect to port GigabitEthernet 1/0/1. Implement MAC-based access control on the port, so the logoff of one user does not affect other online 802.1X users.

  • Page 377

    Figure 331 Configuring 802.1X globally
    Configure 802.1X for GigabitEthernet 1/0/1: In the Ports With 802.1X Enabled area, click Add. Select GigabitEthernet1/0/1 from the Port list, select the Enable Re-Authentication box, and click Apply.
    Figure 332 Configuring 802.1X for GigabitEthernet 1/0/1
    Configuring a RADIUS scheme
    From the navigation tree, select Authentication >...

  • Page 378

    Configure the RADIUS primary and secondary authentication servers: Select the server type Authentication Server. Enter the IP address 10.1.1.1, enter the port number 1812, and select the primary server status active. Enter the IP address 10.1.1.2, enter the port number 1813, and select the secondary server status active.

  • Page 379

    Figure 334 Configuring a RADIUS scheme
    Configuring AAA
    From the navigation tree, select Authentication > AAA. The Domain Setup page appears. Enter test in the Domain Name field, and select Enable from the Default Domain list. Click Apply.

  • Page 380

    Figure 335 Creating an ISP domain
    On the Authentication tab, select the ISP domain test, select the Default AuthN box, select the authentication method RADIUS, select the authentication scheme system from the Name list, and click Apply.
    Figure 336 Configuring the AAA authentication method for the ISP domain
    A configuration progress dialog box appears, as shown in Figure 337.

  • Page 381

    Figure 337 Configuration progress dialog box
    After the configuration process is complete, click Close.
    On the Authorization tab, select the ISP domain test, select the Default AuthZ box, select the authorization method RADIUS, select the authorization scheme system from the Name list, and click Apply.

  • Page 382: 802.1X With ACL Assignment Configuration Example

    Figure 339 Configuring the AAA accounting method for the ISP domain
    After the configuration process is complete, click Close.
    802.1X with ACL assignment configuration example
    Network requirements
    As shown in Figure 340, perform 802.1X authentication on port GigabitEthernet 1/0/1. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server and the RADIUS server at 10.1.1.2 as the accounting server.

  • Page 383

    Enter the IP address 10.1.1.1, enter the port number 1812, and select the primary server status active. Click Apply.
    Figure 341 Configuring the RADIUS primary authentication server
    Configure the RADIUS primary accounting server: Select the server type Accounting Server. Enter the IP address 10.1.1.2, enter the port number 1813, and select the primary server status active.

  • Page 384

    Select the Accounting Server Shared Key box, and enter abc in the field next to the box and in the Confirm Accounting Shared Key field. Select with-domain from the Username Format list. Click Apply.
    Figure 343 Configuring a RADIUS scheme
    Configuring AAA
    From the navigation tree, select Authentication >...

  • Page 385

    Figure 344 Creating an ISP domain
    On the Authentication tab, select the ISP domain test, select the Default AuthN box, select the authentication method RADIUS as mode, select the authentication scheme system from the Name list, and click Apply.
    Figure 345 Configuring the AAA authentication method for the ISP domain
    A configuration progress dialog box appears, as shown in Figure 346.

  • Page 386

    Figure 346 Configuration progress dialog box
    After the configuration process is complete, click Close.
    On the Authorization tab, select the ISP domain test, select the Default AuthZ box, select the authorization method RADIUS, select the authorization scheme system from the Name list, and click Apply.

  • Page 387

    Figure 348 Configuring the AAA accounting method for the ISP domain
    After the configuration process is complete, click Close.
    Configuring an ACL
    From the navigation tree, select QoS > ACL IPv4. On the Create tab, enter the ACL number 3000, and click Apply.
    Figure 349 Creating ACL 3000
    On the Advanced Setup tab, configure an ACL rule: Select 3000 from the ACL list.

  • Page 388

    Figure 350 ACL rule configuration
    Configuring the 802.1X feature
    Configure 802.1X globally: From the navigation tree, select Authentication > 802.1X. Select the Enable 802.1X box. Select the authentication method CHAP. Click Apply.

  • Page 389

    Figure 351 Configuring 802.1X globally
    Configure 802.1X for GigabitEthernet 1/0/1: In the Ports With 802.1X Enabled area, click Add. Select GigabitEthernet1/0/1 from the Port list. Click Apply.
    Figure 352 Configuring 802.1X for GigabitEthernet 1/0/1
    Verifying the configuration
    After the user passes authentication and gets online, use the ping command to test whether ACL 3000 takes effect.

  • Page 390

    The ping page appears. Enter the destination IP address 10.0.0.1. Click Start to start the ping operation. Figure 353 shows the ping operation summary.
    Figure 353 Ping operation summary...

  • Page 391: Configuring AAA, Overview

    Configuring AAA
    Overview
    Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It provides the following security functions:
    • Authentication—Identifies users and determines whether a user is valid.
    • Authorization—Grants different users different rights and controls their access to resources and...

  • Page 392: Recommended AAA Configuration Procedure

    Figure 355 Determining the ISP domain of a user by the username
    The authentication, authorization, and accounting of a user depend on the AAA methods configured for the domain that the user belongs to. If no specific AAA methods are configured for the domain, the default methods are used.

  • Page 393: Configuring An ISP Domain

    Step: Configuring authorization methods for the ISP domain
    Remarks: (Optional.) Specify the authorization methods for various types of users. By default, all types of users use local authorization.
    Step: Configuring accounting methods for the ISP domain
    Remarks: (Optional.) Specify the accounting methods for various types of users. By default, all types of users use local accounting.

  • Page 394: Configuring Authentication Methods For The ISP Domain

    Item: Default Domain
    Description: Specify whether to use the ISP domain as the default domain. Options include:
    • Enable—Uses the domain as the default domain.
    • Disable—Uses the domain as a non-default domain.
    There can only be one default domain at a time. If you specify a second domain as the default domain, the original default domain becomes a non-default domain.

  • Page 395: Configuring Authorization Methods For The ISP Domain

    Item: Default AuthN; Name
    Description: Configure the default authentication method and secondary authentication method for all types of users. Options include:
    • HWTACACS—Performs HWTACACS authentication based on an HWTACACS scheme. The switch series does not support this option.
    • Local—Performs local authentication.
    • ...

  • Page 396

    Figure 358 Authorization method configuration page
    Select the ISP domain and specify authorization methods for the ISP domain as described in Table 108. Click Apply. Click Close in the success message dialog box that appears.
    Table 108 Configuration items
    Item: Select an ISP domain
    Description: Select the ISP domain for which you want to specify authentication methods.

  • Page 397: Configuring Accounting Methods For The ISP Domain

    Item: Login AuthZ; Name; Secondary Method
    Description: Configure the authorization method and secondary authorization method for login users. Options include:
    • HWTACACS—Performs authorization based on an HWTACACS scheme. The switch series does not support this option.
    • Local—Performs local authorization.
    • None—All users are trusted and authorized. A user gets the default rights of the system.

  • Page 398: AAA Configuration Example, Network Requirements

    Item: Accounting Optional
    Description: Specify whether to enable the accounting optional feature. With the feature enabled, a user who would otherwise be disconnected can use the network resources even when there is no accounting server available or when communication with the current accounting server fails. If accounting for such a user fails, the switch no longer sends real-time accounting updates for the user.

  • Page 399

    Figure 360 Network diagram
    Configuration procedure
    Enable the Telnet server function, and configure the switch to use AAA for Telnet users. (Details not shown.)
    Configure IP addresses for the interfaces. (Details not shown.)
    Configure a local user: Select Device > Users from the navigation tree. Click the Create tab.

  • Page 400

    Figure 362 Configuring an ISP domain
    Configure the ISP domain to use local authentication: Select Authentication > AAA from the navigation tree. Click the Authentication tab. Select the domain test. Select Login AuthN and select the authentication method Local.
    Figure 363 Configuring the ISP domain to use local authentication
    Click Apply.

  • Page 401

    Figure 364 Configuration progress dialog box
    Configure the ISP domain to use local authorization: Select Authentication > AAA from the navigation tree. Click the Authorization tab. Select the domain test. Select Login AuthZ and select the authorization method Local. Click Apply. A configuration progress dialog box appears.

  • Page 402

    After the configuration process is complete, click Close.
    Figure 366 Configuring the ISP domain to use local accounting
    Verifying the configuration
    Telnet to the switch and enter the username telnet@test and password abcd. You should be serviced as a user in domain test.

  • Page 403: Configuring Portal Authentication, Overview, Extended Portal Functions, Portal System Components

    Configuring portal authentication
    Overview
    Portal authentication helps control access to the Internet. It is also called "Web authentication." A website implementing portal authentication is called a "portal website." With portal authentication, an access device redirects all users to the portal authentication page. All users can access the free services provided on the portal website.

  • Page 404

    Figure 367 Portal system components
    Authentication client
    An authentication client is an entity seeking access to network resources. It is typically an end-user terminal, such as a PC. The client can use a browser or portal client software for portal authentication. Client security check is implemented through communications between the client and the security policy server.

  • Page 405: Portal System Using The Local Portal Server

    Security policy server
    A security policy server interacts with authentication clients and access devices for security check and resource authorization.
    The components of a portal system interact in the following procedure: When an unauthenticated user enters a website address in the address bar of the browser to access the Internet, an HTTP request is created and sent to the access device, which redirects the HTTP request to the Web authentication homepage of the portal server.

  • Page 406: Portal Authentication Modes, Portal Support For EAP

    Protocols used for interaction between the client and local portal server
    HTTP and HTTPS can be used for communication between an authentication client and an access device providing the local portal server function. If HTTP is used, there are potential security problems because HTTP packets are transferred in plain text.

  • Page 407: Layer 2 Portal Authentication Process

    The Extensible Authentication Protocol (EAP) supports several digital certificate-based authentication methods, for example, EAP-TLS. Working together with EAP, portal authentication can implement digital certificate-based user authentication. Figure 369: Portal support for EAP working flow diagram. As shown in Figure 369, the authentication client and the portal server exchange EAP authentication packets.

  • Page 408: Layer 3 Portal Authentication Process

    the access port according to the authorized ACL. You must configure the authorized ACLs on the access device if you specify authorized ACLs on the authentication server. To change the access right of a user, you can specify a different authorized ACL on the authentication server or change the rules of the corresponding authorized ACL on the device.

  • Page 409

    Based on the security check result, the security policy server authorizes the user to access certain resources, and sends the authorization information to the access device. The access device then controls access of the user based on the authorization information. Authentication process with the local portal server. Figure 372: Authentication process with local portal server. With the local portal server, the direct/cross-subnet authentication process is as follows:...

  • Page 410

    The authentication client sends an EAP Request/Identity message to the portal server to initiate an EAP authentication process. The portal server sends a portal authentication request to the access device, and starts a timer to wait for the portal authentication reply. The portal authentication request contains several EAP-Message attributes, which are used to encapsulate the EAP packet sent from the authentication client and carry the certificate information of the client.

  • Page 411: Recommended Configuration Procedure For Layer 2 Portal Authentication

    • To implement extended portal functions, install and configure IMC EAD, and make sure the ACLs configured on the access device correspond to those specified for the resources in the quarantined area and for the restricted resources on the security policy server. On the access device, the security policy server address is the same as the authentication server address.

  • Page 412: Configuring The Layer 2 Portal Service

    Step: Configuring a portal-free rule. Remarks: Optional. Configure a portal-free rule, specifying the source and destination information for packet filtering. A portal-free rule allows specified users to access specified external websites without portal authentication. Packets matching a portal-free rule will not trigger portal authentication and the users can directly access the specified external websites.

  • Page 413

    TIP: The portal service applied on an interface may be in the following states:
    • Running—Portal authentication has taken effect on the interface.
    • Enabled—Portal authentication has been enabled on the interface, but it has not taken effect.
    In the Portal Application: Layer 2 Interfaces area, click Add to enter the portal server application page.

  • Page 414: Configuring The Layer 3 Portal Service

    Item: Online Detection Interval. Description: Set the Layer 2 portal user detection interval. After a Layer 2 portal user gets online, the device starts a detection timer for the user, and checks whether the user's MAC address entry has been aged out or the user's MAC address entry has been matched (a match means a packet has been received from the...

  • Page 415

    Figure 376: Applying a portal server to a Layer 3 interface. Configure Layer 3 portal authentication as described in Table 111. Click Apply. Table 111: Configuration items. Item: Interface. Description: Select the Layer 3 interface to be enabled with portal authentication. Select the portal server to be applied on the selected interface.

  • Page 416

    Item: Auth Network IP. Description: Enter the IP address and mask of the authentication subnet. This field is configurable when you select the Layer3 mode (cross-subnet portal authentication). By configuring an authentication subnet, you specify that only HTTP packets from users on the authentication subnet can trigger portal authentication.

  • Page 417: Configuring Advanced Parameters For Portal Authentication

    Figure 378: Configuring the local portal server. Table 113: Configuration items. Item: Server Name. Description: Type a name for the local portal server. Type the IP address of the local portal server. You need to specify the IP address of the interface where the local portal server is applied.

  • Page 418

    Table 114: Configuration items. Item/Description: Configure the Web proxy server ports to allow HTTP requests proxied by the specified proxy servers to trigger portal authentication. By default, only HTTP requests that are not proxied can trigger portal authentication. To make sure a user using a Web proxy server can trigger portal authentication, you need to add the port number of the proxy server on the device, and the user needs to specify the listening IP address of the local portal server as a proxy exception in the browser.

  • Page 419: Configuring A Portal-free Rule

    Configuring a portal-free rule: Select Authentication > Portal from the navigation tree. Click the Free Rule tab to enter the portal-free rule list page. Figure 380: Portal-free rule list. Click Add. The page for adding a new portal-free rule appears. Figure 381: Adding a portal-free rule. Configure a portal-free rule as described in Table...

  • Page 420: Portal Authentication Configuration Examples, Configuring Layer 2 Portal Authentication

    Item: Source MAC. Description: Specify a source MAC address for the portal-free rule. IMPORTANT: If you configure both the source IP address and the source MAC address, make sure the mask of the specified source IP address is 255.255.255.255. Otherwise, the specified source MAC address will not take effect. Specify a source VLAN for the portal-free rule.

  • Page 421

    Make sure the RADIUS server is correctly configured to provide authentication, authorization, and accounting functions. In this example, create a portal user account with the account name userpt on the RADIUS server. Perform the following configuration on the DHCP server: Specify the IP address ranges (192.168.1.0/24, 3.3.3.0/24, 2.2.2.0/24) for address allocation.

  • Page 422

    Figure 384: Configuring a RADIUS accounting server. Configure RADIUS scheme system for information exchanges between the device and the RADIUS servers: Click the RADIUS Setup tab. Select extended as the server type. Select the Authentication Server Shared Key box, enter the key expert, and then enter the key again in the Confirm Authentication Shared Key field.

  • Page 423

    Figure 385: Configuring the RADIUS scheme. Configure AAA: Select Authentication > AAA from the navigation tree. On the Domain Setup tab, enter the domain name test, select Enable for the Default Domain field, and click Apply.

  • Page 424

    Figure 386: Creating an ISP domain. On the Authentication tab, select the ISP domain test, select the Default AuthN box, select RADIUS from the Default AuthN list, select system from the Name list to use it as the authentication scheme, and click Apply. A configuration progress dialog box appears, as shown in Figure 388.

  • Page 425

    Figure 388: Configuration process window. On the Authorization tab, select the ISP domain test, select the Default AuthZ box, select RADIUS from the Default AuthZ list, select system from the Name list to use it as the authorization scheme, and click Apply. A configuration progress dialog box appears.

  • Page 426

    Figure 390: Configuring the accounting method for the ISP domain. Configure DHCP relay: Select Network > DHCP from the navigation tree. Click the DHCP Relay tab. Select Enable for the DHCP Service field. Click Apply. Figure 391: Enabling the DHCP service. In the Server Group area, click Add.

  • Page 427

    On the page that appears, enter the server group ID 1 and the IP address 1.1.1.3, and click Apply. Figure 392: Configuring a DHCP server group. In the Interface Config area, click the icon for interface VLAN-interface 8. On the page that appears, select Enable for DHCP Relay and select 1 for Server Group ID. Click Apply.

  • Page 428: Configuring Direct Portal Authentication

    Figure 394: Applying the portal server to a Layer 2 interface. Verifying the configuration: Before accessing a Web page, user userpt is in VLAN 8 (the initial VLAN) and is assigned an IP address on subnet 192.168.1.0/24. When the user attempts to access a Web page on the Internet, the Web request is redirected to the authentication page http://4.4.4.4/portal/logon.htm.

  • Page 429

    Figure 395: Network diagram. Configuration prerequisites: Make sure the IP address of the access device added on the portal server is the IP address of the interface connected to the host (2.2.2.1 in this example), and the IP address group associated with the access device is the subnet where the host resides (2.2.2.0/24 in this example).

  • Page 430

    On the RADIUS server configuration page, select Accounting Server as the server type, enter the IP address 192.168.0.112 and port number 1813, select active from the Primary Server Status list, and click Apply. Figure 397: Configuring a RADIUS accounting server. Configure RADIUS scheme system for exchanges between the device and the RADIUS servers: Click the RADIUS Setup tab.

  • Page 431

    Figure 398: Configuring the RADIUS scheme. Configure AAA: Select Authentication > AAA from the navigation tree. On the Domain Setup tab, enter the domain name test, select Enable for the Default Domain field, and click Apply.

  • Page 432

    Figure 399: Creating an ISP domain. On the Authentication tab, select the ISP domain test, select the Default AuthN box, select RADIUS from the Default AuthN list, select system from the Name list to use it as the authentication scheme, and click Apply. A configuration progress dialog box appears.

  • Page 433

    Figure 401: Configuring the authorization method for the ISP domain. On the Accounting tab, select the ISP domain test, select the Default Accounting box, select RADIUS from the Default Accounting list, select system from the Name list to use it as the accounting scheme, and click Apply.

  • Page 434: Configuring Cross-subnet Portal Authentication

    Figure 403: Applying the portal server to a Layer 3 interface. Configuring cross-subnet portal authentication. Network requirements: As shown in Figure 404, configure Switch A to perform cross-subnet portal authentication for users. Before passing portal authentication, the host can access only the portal server. After passing portal authentication, the host can access Internet resources.

  • Page 435

    Configuration prerequisites: Make sure the IP address of the access device added on the portal server is the IP address of the interface connected to the host (20.20.20.1 in this example), and the IP address group associated with the access device is the subnet where the host resides (8.8.8.0/24 in this example).

  • Page 436

    Figure 406: Configuring a RADIUS accounting server. Configure RADIUS scheme system for exchanges between the device and the RADIUS servers: Click the RADIUS Setup tab. Select extended as the server type. Select the Authentication Server Shared Key box, enter the key expert, and then enter the key again in the Confirm Authentication Shared Key field.

  • Page 437

    Figure 407: Configuring the RADIUS scheme. Configure AAA: Select Authentication > AAA from the navigation tree. On the Domain Setup tab, enter the domain name test, select Enable for the Default Domain field, and click Apply.

  • Page 438

    Figure 408: Creating an ISP domain. On the Authentication tab, select the ISP domain test, select the Default AuthN box, select RADIUS from the Default AuthN list, select system from the Name list to use it as the authentication scheme, and click Apply. A configuration progress dialog box appears.

  • Page 439

    Figure 410: Configuring the authorization method for the ISP domain. On the Accounting tab, select the ISP domain test, select the Default Accounting box, select RADIUS from the Default Accounting list, select system from the Name list to use it as the accounting scheme, and click Apply.

  • Page 440

    Figure 412: Applying the portal server to a Layer 3 interface. Configuring Switch B: Configure a default route to subnet 192.168.0.0/24 with the next hop as 20.20.20.1. (Details not shown.)

  • Page 441: Configuring Radius, Overview, Client/server Model

    Configuring RADIUS. RADIUS is a protocol for implementing Authentication, Authorization, and Accounting (AAA). For more information about AAA, see "Configuring AAA." Overview: Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments with requirements for both high security and remote user access.

  • Page 442: Security And Authentication Mechanisms, Basic Radius Message Exchange Process

    Security and authentication mechanisms: A RADIUS client and the RADIUS server use a shared key to authenticate RADIUS packets and encrypt user passwords that are exchanged between them. The keys are never transmitted over the network. This security mechanism improves the security of RADIUS communication and prevents user passwords from being intercepted on insecure networks.

  • Page 443: Radius Packet Format

    The user accesses the network resources. The host requests the RADIUS client to tear down the connection and the RADIUS client sends a stop-accounting request (Accounting-Request) to the RADIUS server. The RADIUS server returns an acknowledgement (Accounting-Response) and stops accounting for the user.

  • Page 444

    • The Identifier field (1 byte long) is used to match request packets and response packets and to detect duplicate request packets. Request and response packets of the same type have the same identifier.
    • The Length field (2 bytes long) indicates the length of the entire packet, including the Code, ...

  • Page 445: Extended Radius Attributes

    Extended RADIUS attributes (table excerpt, attribute names only): Callback-ID, Tunnel-Server-Endpoint, (unassigned), Acct-Tunnel-Connection, Framed-Route, Tunnel-Password, Framed-IPX-Network, ARAP-Password, State, ARAP-Features, Class, ARAP-Zone-Access, Vendor-Specific, ARAP-Security, Session-Timeout, ARAP-Security-Data, Idle-Timeout, Password-Retry, Termination-Action, Prompt, Called-Station-Id, Connect-Info, Calling-Station-Id, Configuration-Token, NAS-Identifier, EAP-Message, Proxy-State, Message-Authenticator, Login-LAT-Service, Tunnel-Private-Group-id, Login-LAT-Node, Tunnel-Assignment-id, Login-LAT-Group, Tunnel-Preference, Framed-AppleTalk-Link, ARAP-Challenge-Response, Framed-AppleTalk-Network, Acct-Interim-Interval, Framed-AppleTalk-Zone, Acct-Tunnel-Packets-Lost, Acct-Status-Type...

  • Page 446: Recommended Radius Configuration Procedure, Protocols And Standards

    • Vendor-Length—Length of the sub-attribute.
    • Vendor-Data—Contents of the sub-attribute.
    Figure 416: Format of attribute 26. Protocols and standards:
    • RFC 2865, Remote Authentication Dial In User Service (RADIUS)
    • RFC 2866, RADIUS Accounting
    • RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support
    • ...

  • Page 447: Configuring Radius Servers

    Configuring RADIUS servers: Select Authentication > RADIUS from the navigation tree. The RADIUS server configuration page appears. Figure 417: RADIUS Server page. Configure the RADIUS server parameters as described in Table 118. Click Apply. Table 118: Configuration items. Item: Server Type. Description: Specify the type of the server to be configured: Authentication Server or Accounting Server.

  • Page 448: Configuring Radius Communication Parameters

    Item: Secondary Server IP. Description: Specify the IP address of the secondary server. If no secondary server is specified, the field displays 0.0.0.0. To remove the previously configured secondary server, enter 0.0.0.0. The specified IP address of the secondary server cannot be the same as that of the primary server.

  • Page 449

    Figure 418: RADIUS Setup page. Configure the RADIUS communication parameters as described in Table 119. Click Apply. Table 119: Configuration items. Item/Description: Specify the type of the RADIUS server supported by the switch, including: • Extended—Specifies an extended RADIUS server (offered by IMC).

  • Page 450

    Item: NAS-IP. Description: Specify the source IP address for the switch to use in RADIUS packets to be sent to the RADIUS server. Use a loopback interface address instead of a physical interface address as the source IP address. If you use a physical interface and it is down, the response packets from the server cannot reach the switch.

  • Page 451: Radius Configuration Example, Network Requirements, Configuration Procedure

    Item: Unit of Packets. Description: Specify the unit for data packets sent to the RADIUS server: One-packet, Kilo-packet, Mega-packet, or Giga-packet. Item: Security Policy Server. Description: Specify the IP address of the RADIUS security policy server. Table 120: Relationship between the real-time accounting interval and the number of users (columns: Number of users; Real-time accounting interval, in minutes). 1 to 99...

  • Page 452

    Select Authentication Server as the server type. Enter 10.110.91.146 as the IP address of the primary authentication server. Enter 1812 as the UDP port of the primary authentication server. Select active as the primary server status. Click Apply. Figure 420: Configuring the RADIUS authentication server. # Configure the RADIUS accounting server.

  • Page 453

    # Configure the RADIUS communication parameters. Select Authentication > RADIUS from the navigation tree and then click the RADIUS Setup tab. The RADIUS parameter configuration page appears. Configure the following parameters, as shown in Figure 422. Select extended as the server type. Select the Authentication Server Shared Key box and enter expert.

  • Page 454

    Select Enable to use the domain as the default domain. Click Apply. Figure 423: Adding an ISP domain. # Configure the authentication method for the ISP domain. Select Authentication > AAA from the navigation tree, and then click the Authentication tab. Configure the following parameters, as shown in Figure 424.

  • Page 455

    Figure 425: Configuration progress dialog box. # Configure the authorization method for the ISP domain. Select Authentication > AAA from the navigation tree, and then click the Authorization tab. Configure the following parameters, as shown in Figure 426. Select the domain name test. Select the Default AuthZ box and then select RADIUS as the authorization mode.

  • Page 456

    Select system from the Name list to use it as the accounting scheme. Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close. Figure 427: Configuring the accounting method for the ISP domain. Configuration guidelines: When you configure the RADIUS client, follow these guidelines: The specified server status is dynamic information, which cannot be saved in the configuration file.

  • Page 457

    changes the primary server's status to active. To use the secondary server for communication, you need to manually change the status of the secondary server to active; otherwise, no primary/secondary server switchover will take place.

  • Page 458: Configuring Users And User Groups, Overview, Configuring A Local User

    Configuring users and user groups. Overview: You can configure local users and create groups to manage users on the switch series. A local user represents a set of user attributes configured on a switch (such as the user password, user type, service type, and authorization attribute), and is uniquely identified by the username.

  • Page 459

    Figure 429: Local user configuration page. Configure the local user as described in Table 121. Click Apply. Table 121: Configuration items. Item: Username. Description: Specify a name for the local user. Specify and confirm the password of the local user. The settings of these two fields must be the same.

  • Page 460: Configuring A User Group

    Item: VLAN. Description: Specify the VLAN to be authorized to the local user after the user passes authentication. This option takes effect only on LAN and portal users. Specify the ACL to be used by the NAS to restrict the access of the local user after the user passes authentication.

  • Page 461

    Table 122: Configuration items. Item: Group-name. Description: Specify a name for the user group. Item: Level. Description: Select an authorization level for the user group: Visitor, Monitor, Configure, or Management, in ascending order of priority. Item: VLAN. Description: Specify the VLAN to be authorized to users of the user group after the users pass authentication.

  • Page 462: Configuring Pki, Overview, Pki Terminology, Pki Architecture

    Configuring PKI. Overview: The Public Key Infrastructure (PKI) is a hierarchical framework designed for providing information security through public key technologies and digital certificates and verifying the identities of the digital certificate owners. PKI employs digital certificates, which are bindings of certificate owner identity information and public keys.

  • Page 463: Pki Applications

    Figure 432: PKI architecture.
    • PKI entity—A PKI entity is an end user or host using PKI certificates. The PKI entity can be an operator, an organization, a device like a router or a switch, or a process running on a computer.
    • CA—A CA is a trusted authority that issues and manages digital certificates.

  • Page 464: Pki Operation, Configuring Pki, Recommended Configuration Procedure For Manually Requesting A Certificate

    PKI operation: The following describes how a PKI entity requests a local certificate from a CA, and how an RA is involved in entity enrollment: A PKI entity submits a certificate request to the CA. The RA verifies the identity of the entity and sends a digital signature containing the identity information and the public key to the CA. The CA verifies the digital signature, approves the application, and issues a certificate.

  • Page 465

    Step: Creating a PKI domain. Remarks: (Required.) Create a PKI domain, setting the certificate request mode to Manual. Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by other applications, and has only local significance.

  • Page 466: Recommended Configuration Procedure For Configuring Automatic Certificate Request, Creating A Pki Entity

    Step: Destroying the RSA key pair. Remarks: (Optional.) Destroy the existing RSA key pair and the corresponding local certificate. If the certificate to be retrieved contains an RSA key pair, you need to destroy the existing key pair. Otherwise, the retrieving operation will fail. Step: Retrieving and displaying a certificate. Remarks: (Optional.) ...

  • Page 467

    Figure 433: PKI entity list. Click Add. Figure 434: PKI entity configuration page. Configure the parameters as described in Table 123. Click Apply. Table 123: Configuration items. Item: Entity Name. Description: Enter the name for the PKI entity. Item: Common Name. Description: Enter the common name for the entity.

  • Page 468: Creating A Pki Domain

    Item: State. Description: Enter the state or province for the entity. Item: Locality. Description: Enter the locality for the entity. Item: Organization. Description: Enter the organization name for the entity. Item: Organization Unit. Description: Enter the unit name for the entity. Creating a PKI domain: Select Authentication > PKI from the navigation tree. Click the Domain tab.

  • Page 469

    Figure 436: PKI domain configuration page. Configure the parameters as described in Table 124. Click Apply. Table 124: Configuration items. Item: Domain Name. Description: Enter the name for the PKI domain. Item: CA Identifier. Description: Enter the identifier of the trusted CA. An entity requests a certificate from a trusted CA. The trusted CA takes responsibility for certificate registration, distribution, revocation, and query.

  • Page 470

    Item: Institution. Description: Select the authority for certificate request. • CA—Requests a certificate from a CA. • RA—Requests a certificate from an RA. RA is recommended. Enter the URL of the RA. The entity will submit the certificate request to the server at this URL through SCEP.

  • Page 471: Creating An Rsa Key Pair

    Item: CRL URL. Description: Enter the URL of the CRL distribution point. When the URL of the CRL distribution point is not set, you should acquire the CA certificate and a local certificate, and then acquire a CRL through SCEP. Creating an RSA key pair: Select Authentication >...

  • Page 472: Destroying The Rsa Key Pair, Retrieving And Displaying A Certificate

    Destroying the RSA key pair: Select Authentication > PKI from the navigation tree. Click the Certificate tab. Click Destroy Key. Click Apply to destroy the existing RSA key pair and the corresponding local certificate. Figure 439: Key pair destruction page. Retrieving and displaying a certificate: You can retrieve an existing CA certificate or local certificate from the CA server and save it locally.

  • Page 473

    Item: Certificate Type. Description: Select the type of the certificate to be retrieved, which can be CA or local. Item: Enable Offline Mode. Description: Click this box to retrieve a certificate in offline mode (that is, by an out-of-band means like FTP, disk, or email) and then import the certificate into the local PKI system. The following configuration items are displayed if this box is selected.

  • Page 474: Requesting A Local Certificate

    Figure 441: Certificate information. Requesting a local certificate: Select Authentication > PKI from the navigation tree. Click the Certificate tab. Click Request Cert. Figure 442: Local certificate request page...

  • Page 475: Retrieving And Displaying A Crl

    Configure the parameters as described in Table 126. Table 126: Configuration items. Item: Domain Name. Description: Select the PKI domain for the certificate. Item: Password. Description: Enter the password for certificate revocation. Item: Enable Offline Mode. Description: Select this box to request a certificate in offline mode, that is, by an out-of-band means like FTP, disk, or email.

  • Page 476

    Figure 445: CRL information. Table 127: Field description.
    • Version—CRL version number.
    • Signature Algorithm—Signature algorithm that the CRL uses.
    • Issuer—CA that issued the CRL.
    • Last Update—Last update time.
    • Next Update—Next update time.
    • X509v3 Authority Key Identifier—Identifier of the CA that issued the certificate and the certificate version (X509v3).

  • Page 477: Pki Configuration Example

    PKI configuration example. Network requirements: As shown in Figure 446, configure the switch that acts as the PKI entity, so that:
    • The switch submits a local certificate request to the CA server, which runs the RSA Keon software.
    • The switch retrieves CRLs for certificate verification.
    • ...

  • Page 478

    Figure 447: Creating a PKI entity. Create a PKI domain: Click the Domain tab. Click Add. The page in Figure 448 appears. Enter torsa as the PKI domain name, enter myca as the CA identifier, select aaa as the local entity, select CA as the authority for certificate request, enter http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337 as the URL for certificate request (the URL must be in the format of http://host:port/Issuing Jurisdiction ID,...

  • Page 479

    Figure 448: Creating a PKI domain. Generate an RSA key pair: Click the Certificate tab. Click Create Key. Enter 1024 as the key length, and click Apply to generate an RSA key pair. Figure 449: Generating an RSA key pair. Retrieve the CA certificate: Click the Certificate tab.

  • Page 480

    Figure 450: Retrieving the CA certificate. Request a local certificate: Click the Certificate tab. Click Request Cert. Select torsa as the PKI domain, select Password, and enter challenge-word as the password. Click Apply. The system displays "Certificate request has been submitted." Click OK to finish the operation.

  • Page 481

    Verifying the configuration: After the configuration, select Authentication > PKI > Certificate from the navigation tree to view detailed information about the retrieved CA certificate and local certificate, or select Authentication > PKI > CRL from the navigation tree to view detailed information about the retrieved CRL. Configuration guidelines: When you configure PKI, follow these guidelines: Make sure the clocks of the entities and the CA are synchronized.

  • Page 482: Configuring Authorized Ip, Configuration Procedure

    Configuring authorized IP. The authorized IP function associates the HTTP or Telnet service with an ACL to filter the requests of clients. Only the clients that pass the ACL filtering can access the device. Configuration procedure: Select Security > Authorized IP from the navigation tree. Click the Setup tab to enter the authorized IP configuration page.

  • Page 483: Authorized Ip Configuration Example, Network Requirements, Configuration Procedure

    Authorized IP configuration example. Network requirements: As shown in Figure 454, configure Switch to deny Telnet and HTTP requests from Host A, and permit Telnet and HTTP requests from Host B. Figure 454: Network diagram. Configuration procedure: Create an ACL: Select QoS > ACL IPv4 from the navigation tree. Click the Create tab.

  • Page 484

    Select 2001 from the ACL list, select Permit from the Action list, select the Source IP Address box and then enter 10.1.1.3, and enter 0.0.0.0 in the Source Wildcard field. Click Add. Figure 456: Configuring an ACL rule to permit Host B. Configure authorized IP: Select Security >...

  • Page 485: Configuring Port Isolation, Overview, Configuring The Isolation Group

    Configuring port isolation. Overview: Layer 2 traffic isolation is typically achieved by assigning ports to different VLANs. To save VLAN resources, port isolation is introduced to isolate ports within a VLAN, allowing for great flexibility and security. The switch series supports only one isolation group, which is created automatically by the system as isolation group 1.

  • Page 486: Port Isolation Configuration Example

    Table 129: Configuration items. Item: Config type. Description: Specify the role of the port or ports in the isolation group:
    • Isolated port—Assigns the port or ports to the isolation group as an isolated port or ports.
    • Uplink port—Assigns the port to the isolation group as the uplink port. This option is not available for the switch series.

  • Page 487

    Select 2, 3, and 4 on the chassis front panel. The numbers represent ports GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4, respectively. Figure 460: Configuring isolated ports for the isolation group. Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close. Viewing information about the isolation group: Click Summary.

  • Page 488: Configuring Acls, Overview, Acl Categories, Match Order

    Configuring ACLs. Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document. Overview: An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number. ACLs are primarily used for packet filtering.

  • Page 489: Rule Numbering

    Table 130: Depth-first match for ACLs (ACL category; sequence of tie breakers).
    • IPv4 basic ACL: 1. More 0s in the source IP address wildcard (more 0s means a narrower IP address range). 2. Smaller rule ID.
    • IPv4 advanced ACL: 1. Specific protocol number. 2. More 0s in the source IP address wildcard mask. 3. More 0s in the destination IP address wildcard. 4. Narrower TCP/UDP service port number range.

  • Page 490: Implementing Time-based Acl Rules, Ipv4 Fragments Filtering With Acls, Configuration Guidelines, Recommended Acl Configuration Procedures

    For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10, and 12, the newly defined rule is numbered 15. If the ACL does not contain any rule, the first rule is numbered 0.
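    The two ACL behaviours described on these pages, automatic rule numbering with a numbering step and depth-first ordering for a basic IPv4 ACL (Table 130), as an added worked model in Python. This is example code, not HP firmware or the switch's own logic; the mode name "depth-first" and the class and function names are my own, and the rules and packet addresses are constructed sample data.

```python
"""Model of ACL rule numbering and match order as the manual describes them.
Added example, not HP code; names and sample data are constructed."""
from dataclasses import dataclass
import ipaddress
from typing import List, Optional


def next_rule_id(existing_ids, step: int = 5) -> int:
    """ID the switch assigns to a new rule without an explicit ID: the smallest
    multiple of the numbering step that is greater than the highest existing
    rule ID, or 0 when the ACL is empty (manual: step 5, rules 0,5,9,10,12 -> 15)."""
    if not existing_ids:
        return 0
    return (max(existing_ids) // step + 1) * step


def wildcard_zero_bits(wildcard: str) -> int:
    """Number of 0 bits in a dotted-decimal wildcard; 0 bits must match,
    so more 0s means a narrower address range (Table 130 tie breaker)."""
    return 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")


@dataclass
class BasicRule:
    rule_id: int
    action: str                          # "permit" or "deny"
    source: str = "0.0.0.0"
    wildcard: str = "255.255.255.255"    # all 1s = match any source


def rule_matches(rule: BasicRule, src_ip: str) -> bool:
    """A packet matches when every bit that is 0 in the wildcard is equal."""
    care = ~int(ipaddress.IPv4Address(rule.wildcard)) & 0xFFFFFFFF
    src = int(ipaddress.IPv4Address(src_ip))
    base = int(ipaddress.IPv4Address(rule.source))
    return (src & care) == (base & care)


class BasicIPv4ACL:
    """Basic IPv4 ACL with the manual's numbering and match-order behaviour."""

    def __init__(self, number: int, step: int = 5):
        self.number = number
        self.step = step
        self.rules: List[BasicRule] = []   # kept in configuration order

    def add_rule(self, action: str, source: str = "0.0.0.0",
                 wildcard: str = "255.255.255.255",
                 rule_id: Optional[int] = None) -> BasicRule:
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if rule_id is None:
            rule_id = next_rule_id([r.rule_id for r in self.rules], self.step)
        # Re-using an existing rule number modifies that rule instead of adding one.
        for rule in self.rules:
            if rule.rule_id == rule_id:
                rule.action, rule.source, rule.wildcard = action, source, wildcard
                return rule
        rule = BasicRule(rule_id, action, source, wildcard)
        self.rules.append(rule)
        return rule

    def ordered(self, match_order: str) -> List[BasicRule]:
        """'config' keeps configuration order; 'depth-first' applies Table 130:
        narrower source wildcard first, then smaller rule ID."""
        if match_order == "config":
            return list(self.rules)
        if match_order == "depth-first":
            return sorted(self.rules,
                          key=lambda r: (-wildcard_zero_bits(r.wildcard), r.rule_id))
        raise ValueError("unknown match order")

    def first_match(self, src_ip: str, match_order: str) -> Optional[BasicRule]:
        """First rule hit in the selected match order, or None if nothing matches."""
        for rule in self.ordered(match_order):
            if rule_matches(rule, src_ip):
                return rule
        return None


if __name__ == "__main__":
    # Constructed sample ACL: a broad permit configured before a narrow deny.
    acl = BasicIPv4ACL(2000)
    acl.add_rule("permit", "10.1.0.0", "0.0.255.255")   # gets rule ID 0
    acl.add_rule("deny", "10.1.1.0", "0.0.0.255")       # gets rule ID 5
    acl.add_rule("permit")                              # any source, rule ID 10
    for order in ("config", "depth-first"):
        hit = acl.first_match("10.1.1.7", order)
        print(f"{order:11s}: rule {hit.rule_id} -> {hit.action}")
```

The same packet is permitted under Config order and denied under depth-first order, which is why the match order must be chosen deliberately when a narrow deny is added after a broad permit.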

  • Page 491: Recommended Ipv6 Acl Configuration Procedure, Configuring A Time Range

    Step / Remarks: Adding an IPv4 ACL—Required. Add an IPv4 ACL. The category of the added ACL depends on the ACL number that you specify. Configuring a rule for a basic IPv4 ACL, Configuring a rule for an advanced IPv4 ACL, or Configuring a rule for an Ethernet frame header ACL—Required. Complete one of the following tasks according to the ACL category.

  • Page 492: Adding An Ipv4 Acl

    Figure 462 Adding a time range. Configure a time range as described in Table 131. Click Apply. Table 131 Configuration items. Time Range Name: Set the name for the time range. Start Time: Set the start time of the periodic time range. End Time: Set the end time of the periodic time range.

  • Page 493: Configuring A Rule For A Basic Ipv4 Acl

    Figure 463 Adding an IPv4 ACL. Add an IPv4 ACL as described in Table 132. Click Apply. Table 132 Configuration items. ACL Number: Set the number of the IPv4 ACL. Match Order: Set the match order of the ACL. • Config—Packets are compared against ACL rules in the order that the rules are configured.

  • Page 494

    Figure 464 Configuring a basic IPv4 ACL Configure a rule for a basic IPv4 ACL as described in Table 133. Click Add. Table 133 Configuration items Item Description Select the basic IPv4 ACL for which you want to configure rules. Available ACLs are basic IPv4 ACLs.

  • Page 495: Configuring A Rule For An Advanced Ipv4 Acl

    Source Wildcard: ...wildcard mask, in dotted decimal notation. Time Range: Select the time range during which the rule takes effect. Configuring a rule for an advanced IPv4 ACL. Select QoS > ACL IPv4 from the navigation tree. Click the Advance Setup tab. The rule configuration page for an advanced IPv4 ACL appears.

  • Page 496

    Configure a rule for an advanced IPv4 ACL as described in Table 134. Click Add. Table 134 Configuration items Item Description Select the advanced IPv4 ACL for which you want to configure rules. Available ACLs are advanced IPv4 ACLs. Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically.

  • Page 497: Configuring A Rule For An Ethernet Frame Header Acl

    Operator, Source Port, Operator: Select the operators and enter the source port numbers and destination port numbers as required. These items are available only when you select 6 TCP or 17 UDP from the Protocol list. Different operators have different configuration requirements for the port number fields: •...

  • Page 498

    Figure 466 Configuring a rule for an Ethernet frame header ACL Configure a rule for an Ethernet frame header IPv4 ACL as described in Table 135. Click Add. Table 135 Configuration items Item Description Select the Ethernet frame header IPv4 ACL for which you want to configure rules.

  • Page 499: Adding An Ipv6 Acl

    Action: Select the action to be performed for packets matching the rule. • Permit—Allows matched packets to pass. • Deny—Drops matched packets. Source MAC Address, Source Mask: Select the Source MAC Address box and enter a source MAC address and a mask. Destination MAC...

  • Page 500: Configuring A Rule For A Basic Ipv6 Acl

    Table 136 Configuration items. ACL Number: Enter a number for the IPv6 ACL. Match Order: Select a match order for the ACL. Available values are: • Config—Packets are compared against ACL rules in the order the rules are configured.

  • Page 501: Configuring A Rule For An Advanced Ipv6 Acl

    Rule ID: Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically. IMPORTANT: If the rule number you specify already exists, the following operations modify the configuration of the rule.

  • Page 502

    Figure 469 Configuring a rule for an advanced IPv6 ACL Add a rule for an advanced IPv6 ACL. Click Add. Table 138 Configuration items Item Description Select Access Control List (ACL) Select the advanced IPv6 ACL for which you want to configure rules. Select the Rule ID box and enter a number for the rule.

  • Page 503

    Check Fragment: Select this box to apply the rule to only non-first fragments. If you do not select this box, the rule applies to all fragments and non-fragments. Check Logging: Select this box to keep a log of matched IPv6 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol number, source/destination address,...

  • Page 504: Configuring Qos, Introduction To Qos, Networks Without Qos Guarantee, Qos Requirements Of New Applications

    Configuring QoS. Introduction to QoS. Quality of Service (QoS) reflects the ability of a network to meet customer needs. In an internet, QoS evaluates the ability of the network to forward packets of different services. The evaluation can be based on different criteria because the network provides various services. Generally, QoS performance is measured with respect to bandwidth, delay, jitter, and packet loss ratio during the packet forwarding process.

  • Page 505

    Causes. Congestion easily occurs in complex packet switching circumstances in the Internet. Figure 470 shows two common cases: Figure 470 Traffic congestion causes • The traffic enters a device from a high speed link and is forwarded over a low speed link. • The packet flows enter a device from several incoming interfaces and are forwarded out of an...

  • Page 506: End-to-end Qos, Traffic Classification

    End-to-end QoS. Figure 471 End-to-end QoS model (stages shown at each hop: traffic classification, traffic policing, congestion management, congestion avoidance, traffic shaping). As shown in Figure...

  • Page 507: Packet Precedences

    When packets are classified on the network boundary, the precedence bits in the ToS field of the IP packet header are generally re-set. In this way, IP precedence can be directly used to classify the packets in the network. IP precedence can also be used in queuing to prioritize traffic. The downstream network can either use the classification results from its upstream network or classify the packets again according to its own criteria.

  • Page 508

    Table 140 Description on DSCP values (DSCP value binary, DSCP value decimal, description): 101110 (46); 001010 (10) af11; 001100 (12) af12; 001110 (14) af13; 010010 (18) af21; 010100 (20) af22; 010110 (22) af23; 011010 (26) af31; 011100 (28) af32; 011110 (30) af33; 100010 (34) af41; 100100 (36) af42; 100110 (38) af43; 001000 (8); 010000 (16); 011000 (24); 100000 (32); 101000 (40)...

  • Page 509: Queue Scheduling

    Figure 474 802.1Q tag header (Byte 1 and Byte 2: TPID, Tag protocol identifier; Byte 3 and Byte 4: TCI, Tag control information, which carries the Priority field and the VLAN ID)...

  • Page 510

    Figure 475 SP queuing A typical switch provides eight queues per port. As shown in Figure 475, SP queuing classifies eight queues on a port into eight classes, numbered 7 to 0 in descending priority order. SP queuing schedules the eight queues strictly according to the descending order of priority. It sends packets in the queue with the highest priority first.

  • Page 511: Traffic Shaping

    A typical switch provides eight output queues per port. WRR assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0) to decide the proportion of resources assigned to the queue. On a 100 Mbps port, you can set the weight values of WRR queuing to 50, 30, 10, 10, 50, 30, 10, and 10 (corresponding to w7, w6, w5, w4, w3, w2, w1, and w0, respectively).

  • Page 512: Rate Limit

    Figure 478 GTS application (Device A connected to Device B over a physical link). Rate limit. Rate limit is a traffic control method using token buckets. The rate limit of a physical interface specifies the maximum rate for forwarding packets (including critical packets). Rate limit can limit all the incoming or outgoing packets of a physical interface.

  • Page 513: Priority Mapping

    • Burst size—The capacity of the token bucket, or the maximum traffic size permitted in each burst. It is usually set to the committed burst size (CBS). The set burst size must be greater than the maximum packet size. One evaluation is performed on each arriving packet. In each evaluation, if the number of tokens in the bucket is enough, the traffic conforms to the specification and the tokens for forwarding the packet are taken away;...

  • Page 514: Introduction To Priority Mapping Tables

    The device provides the following priority trust modes on a port: • Trust packet priority—The device assigns to the packet the priority parameters corresponding to the packet’s priority from the mapping table. • Trust port priority—The device assigns a priority to a packet by mapping the priority of the...

  • Page 515: Recommended Qos Configuration Procedures

    Table 143 The default DSCP to CoS/DSCP to Queue mapping table (columns: Input DSCP value; Local precedence (Queue)). Input DSCP value ranges: 0 to 7, 8 to 15, 16 to 23, 24 to 31, 32 to 39, 40 to 47, 48 to 55, 56 to 63. NOTE: In the default DSCP to DSCP mapping table, an input value yields a target value equal to it.

  • Page 516

    Table 144 Recommended QoS policy configuration procedure (Step / Remarks): Adding a class—Required. Add a class and specify the logical relationship between the match criteria in the class. Configuring classification rules—Required. Configure match criteria for the class. Adding a traffic behavior—Required. Add a traffic behavior.

  • Page 517: Adding A Class

    Recommended priority trust mode configuration procedure (Step / Remarks): Configuring priority trust mode on a port—Required. Set the priority trust mode of a port. Adding a class. Select QoS > Classifier from the navigation tree. Click the Create tab to enter the page for adding a class. Figure 482 Adding a class. Add a class as described in Table...

  • Page 518: Configuring Classification Rules

    Configuring classification rules Select QoS > Classifier from the navigation tree. Click Setup to enter the page for setting a class. Figure 483 Configuring classification rules Configure classification rules for a class as described in Table 146. Click Apply. Table 146 Configuration items Item Description Please select a classifier...

  • Page 519

    DSCP: Define a rule to match DSCP values. If multiple such rules are configured for a class, the new configuration does not overwrite the previous one. You can configure up to eight DSCP values each time. If multiple identical DSCP values are specified, the system considers them as one.

  • Page 520: Adding A Traffic Behavior

    Item Description Define a rule to match service VLAN IDs. If multiple such rules are configured for a class, the new configuration does not overwrite the previous one. You can configure multiple VLAN IDs each time. If the same VLAN ID is specified multiple times, the system considers them as one.

  • Page 521: Configuring Traffic Redirecting For A Traffic Behavior

    Add a traffic behavior as described in Table 147. Click Create. Table 147 Configuration items Item Description Behavior name Specify a name for the behavior to be added. Configuring traffic redirecting for a traffic behavior Select QoS > Behavior from the navigation tree. Click Port Setup to enter the port setup page for a traffic behavior.

  • Page 522: Configuring Other Actions For A Traffic Behavior

    Configuring other actions for a traffic behavior Select QoS > Behavior from the navigation tree. Click Setup to enter the page for setting a traffic behavior. Figure 486 Setting a traffic behavior Configure other actions for a traffic behavior as described in Table 149.

  • Page 523: Adding A Policy

    IP Precedence: Configure the action of marking IP precedence for packets. Select the IP Precedence box and then select the IP precedence value to be marked for packets in the following list. Select Not Set to cancel the action of marking IP precedence. Configure the action of marking 802.1p priority for packets.

  • Page 524: Configuring Classifier-behavior Associations For The Policy, Applying A Policy To A Port

    Click Create. Table 150 Configuration items Item Description Policy Name Specify a name for the policy to be added. Configuring classifier-behavior associations for the policy Select QoS > QoS Policy from the navigation tree. Click Setup to enter the page for setting a policy. Figure 488 Setting a policy Configure a classifier-behavior association for a policy as described in Table...

  • Page 525: Configuring Queue Scheduling On A Port

    Figure 489 Applying a policy to a port. Apply a policy to a port as described in Table 152. Click Apply. Table 152 Configuration items. Please select a policy: Select an existing policy in the list. Direction: Set the direction in which the policy is to be applied. Inbound means to apply the policy to the incoming packets of the specified ports.

  • Page 526: Configuring Gts On A Port

    Table 153 Configuration items. Enable or disable the WRR queue scheduling mechanism on selected ports. The following options are available: • Enable—Enables WRR on selected ports. • Not Set—Restores the default queuing algorithm on selected ports. Queue: Select the queue to be configured. A queue ID is in the range of 0 to 3.

  • Page 527: Configuring Rate Limit On A Port

    Match Type: Options include: • Any—Shapes all packets on the port. • Queue—Shapes the packets of a specific queue. Queue: Select a queue if you select Queue for Match Type. Set the committed information rate (CIR), the average traffic rate. Set the committed burst size (CBS).

  • Page 528: Configuring Priority Mapping Tables

    Figure 493 Configuring rate limit on a port Configure rate limit on a port as described in Table 155. Click Apply. Table 155 Configuration items Item Description Please select an interface type Select the types of interfaces to be configured with rate limit. Rate Limit Enable or disable rate limit on the specified port.

  • Page 529: Configuring Priority Trust Mode On A Port

    Figure 494 Configuring priority mapping tables. Configure a priority mapping table as described in Table 156. Click Apply. Table 156 Configuration items. Mapping Type: Select the priority mapping table to be configured: • CoS to DSCP. • CoS to Queue. •...

  • Page 530

    Figure 495 Configuring port priority Click the icon for a port to enter the page for modifying port priority. Figure 496 The page for modifying port priority Configure the port priority for a port as described in Table 157. Click Apply. Table 157 Configuration items Item Description...

  • Page 531: Acl And Qos Configuration Example, Network Requirements, Configuring Switch

    ACL and QoS configuration example Network requirements As shown in Figure 497, the FTP server (10.1.1.1/24) is connected to the Switch, and the clients access the FTP server through GigabitEthernet 1/0/1 of the Switch. Configure an ACL and a QoS policy as follows to prevent the hosts from accessing the FTP server from 8:00 to 18:00 every day: Add an ACL to prohibit the hosts from accessing the FTP server from 8:00 to 18:00 every day.

  • Page 532

    Figure 498 Defining a time range covering 8:00 to 18:00 every day Add an advanced IPv4 ACL: Select QoS > ACL IPv4 from the navigation tree. Click the Create tab. Enter the ACL number 3000. Click Apply. Figure 499 Adding an advanced IPv4 ACL Define an ACL rule for traffic to the FTP server:...

  • Page 533

    Click the Advanced Setup tab. Select 3000 from the ACL list. Select the Rule ID box, and enter rule ID 2. Select Permit from the Action list. Select the Destination IP Address box, and enter IP address 10.1.1.1 and destination wildcard 0.0.0.0.

  • Page 534

    Click the Create tab. Enter the class name class1. Click Add. Figure 501 Adding a class Define classification rules: Click the Setup tab. Select the class name class1 from the list. Select the ACL IPv4 box, and select ACL 3000 from the following list.

  • Page 535

    Figure 502 Defining classification rules Click Apply. A progress dialog box appears, as shown in Figure 503. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.

  • Page 536

    Figure 503 Configuration progress dialog box Add a traffic behavior: Select QoS > Behavior from the navigation tree. Click the Create tab. Enter the behavior name behavior1. Click Create. Figure 504 Adding a traffic behavior Configure actions for the traffic behavior: Click the Setup tab.

  • Page 537

    Figure 505 Configuring actions for the behavior Add a policy: Select QoS > QoS Policy from the navigation tree. Click the Add tab. Enter the policy name policy1. Click Add.

  • Page 538

    Figure 506 Adding a policy Configure classifier-behavior associations for the policy: Click the Setup tab. Select policy1. Select class1 from the Classifier Name list. Select behavior1 from the Behavior Name list. Click Apply. Figure 507 Configuring classifier-behavior associations for the policy Apply the QoS policy in the inbound direction of interface GigabitEthernet 1/0/1: Select QoS >...

  • Page 539

    A configuration progress dialog box appears. Click Close when the progress dialog box prompts that the configuration succeeds. Figure 508 Applying the QoS policy in the inbound direction of GigabitEthernet 1/0/1...

  • Page 540: Configuring Poe, Restrictions And Prerequisites, Configuring Poe Ports

    A PD can also use a different power source from the PSE at the same time for power redundancy. A 1910 switch has a built-in PSE to supply DC power to PDs over the data pairs (pins 1, 2 and 3, 6) of...

  • Page 541

    Figure 510 Port Setup tab Configure the PoE ports as described in Table 158. Click Apply. Table 158 Configuration items Item Description Select Port Select ports to be configured. They will be displayed in the Selected Ports area. Enable or disable PoE on the selected ports. •...

  • Page 542: Configuring Non-standard Pd Detection

    Item Description Set the power supply priority for a PoE port. The priority levels of a PoE port include low, high, and critical in ascending order. • When the PoE power is insufficient, power is first supplied to PoE ports with a higher priority level.

  • Page 543: Displaying Information About Pse And Poe Ports, Poe Configuration Example, Network Requirements

    • Select Enable in the Non-Standard PD Compatibility column, and click Apply. • Click Enable All. Disabling the non-standard PD detection function for a PSE: Perform one of the following tasks on the PSE Setup tab to disable the non-standard PD detection function: •...

  • Page 544

    Figure 513 Network diagram Configuration procedure Enable PoE on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, and set their power supply priority to critical: Select PoE > PoE from the navigation tree. Click the Setup tab. On the tab, click to select ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 from the chassis front panel, select Enable from the Power State list, and select Critical from the Power Priority list.

  • Page 545

    Click Apply. Figure 515 Configuring the PoE port supplying power to AP After the configuration takes effect, the IP telephones and the AP are powered and can work correctly.

  • Page 546: Support And Other Resources, Contacting Hp, Subscription Service, Related Information, Documents, Websites

    Support and other resources. Contacting HP. For worldwide technical support information, see the HP support website: http://www.hp.com/support Before contacting HP, collect the following information: • Product model names and numbers • Technical support registration number (if applicable) • Product serial numbers • Error messages •...

  • Page 547: Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...

  • Page 548

    Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
